Vector Clocks in Coq

Similar documents
Coq Summer School, Session 2 : Basic programming with numbers and lists. Pierre Letouzey

Induction in Coq. Nate Foster Spring 2018

CIS 500 Software Foundations. Midterm I. (Standard and advanced versions together) October 1, 2013 Answer key

CIS 500: Software Foundations

CIS 500: Software Foundations

Functional Programming with Isabelle/HOL

SOFTWARE VERIFICATION AND COMPUTER PROOF (lesson 1) Enrico Tassi Inria Sophia-Antipolis

Inductive data types

Introduction to dependent types in Coq

CIS 500: Software Foundations

August 5-10, 2013, Tsinghua University, Beijing, China. Polymorphic types

CIS 500 Software Foundations Midterm II

A Simple Supercompiler Formally Verified in Coq

4 Programming with Types

What Came First? The Ordering of Events in

CPM: A Declarative Package Manager with Semantic Versioning

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Ruby Extension Library Verified using Coq Proof-assistant

CSCI-GA Scripting Languages

Eventually Consistent HTTP with Statebox and Riak

Equations: a tool for dependent pattern-matching

Inductive prod (A B : Set) : Set := pair : A -> B -> prod A B. Inductive sum (A B : Set) : Set := inl : A -> sum A B inr : B -> sum A B.

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring

Coq Summer School. Yves Bertot

Defining the Ethereum Virtual Machine for Interactive Theorem Provers

Ready, Set, Verify! Applying hs-to-coq to Real-World Haskell Code (Experience Report)

MoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10

Generation of Code from COQ for Succinct Data Structures

CS Lecture 6: Map and Fold. Prof. Clarkson Spring Today s music: Selections from the soundtrack to 2001: A Space Odyssey

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq

Theorem Proving Principles, Techniques, Applications Recursion

Synthesis of distributed mobile programs using monadic types in Coq

Advanced Databases ( CIS 6930) Fall Instructor: Dr. Markus Schneider. Group 17 Anirudh Sarma Bhaskara Sreeharsha Poluru Ameya Devbhankar

λ calculus is inconsistent

Embedding logics in Dedukti

Programs and Proofs in Isabelle/HOL

Inductive Definitions, continued

Testing. Wouter Swierstra and Alejandro Serrano. Advanced functional programming - Lecture 2. [Faculty of Science Information and Computing Sciences]

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

Numerical Computations and Formal Methods

Integration of SMT Solvers with ITPs There and Back Again

Preuves Interactives et Applications

Work-in-progress: "Verifying" the Glasgow Haskell Compiler Core language

From natural numbers to the lambda calculus

Logic - CM0845 Introduction to Haskell

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Using Erlang, Riak and the ORSWOT CRDT at bet365 for Scalability and Performance. Michael Owen Research and Development Engineer

Bidirectional Certified Programming

Optimization of Executable Formal Interpreters developed in Higher-order Theorem Proving Systems

COMP 4161 NICTA Advanced Course. Advanced Topics in Software Verification. Toby Murray, June Andronick, Gerwin Klein

Natural Numbers. We will use natural numbers to illustrate several ideas that will apply to Haskell data types in general.

Inductive datatypes in HOL. lessons learned in Formal-Logic Engineering

Dependent Polymorphism. Makoto Hamana

Runtime Checking for Program Verification Systems

Provably Correct Software

Dependent Types and Irrelevance

Exercise 1 (2+2+2 points)

The pitfalls of protocol design

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Inductive data types (I)

What am I? Bryan Hunt Basho Client Services Engineer Erlang neophyte JVM refugee Be gentle

A Coq tutorial for confirmed Proof system users

Coordination-Free Computations. Christopher Meiklejohn

Generic Programming With Dependent Types: II

MoreIntro.v. MoreIntro.v. Printed by Zach Tatlock. Oct 07, 16 18:11 Page 1/10. Oct 07, 16 18:11 Page 2/10. Monday October 10, 2016 lec02/moreintro.

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 11 p. 1/38

Recursion. Tjark Weber. Functional Programming 1. Based on notes by Sven-Olof Nyström. Tjark Weber (UU) Recursion 1 / 37

On Agda JAIST/AIST WS CVS/AIST Yoshiki Kinoshita, Yoriyuki Yamagata. Agenda

Lecture 14: Recursive Types

Work-in-progress: Verifying the Glasgow Haskell Compiler Core language

Verifying type soundness in HOL for OCaml: the core language

A formal derivation of an executable Krivine machine

Lesson 4 Typed Arithmetic Typed Lambda Calculus

MLW. Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky. March 26, Radboud University Nijmegen

Functional Programming

Combining Static and Dynamic Contract Checking for Curry

Programming with dependent types: passing fad or useful tool?

Programming with (co-)inductive types in Coq

Safe Smart Contract Programming with Scilla

Functional Programming and Modeling

Certified Programming with Dependent Types

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Extended Static Checking for Haskell (ESC/Haskell)

An Algebra of Dependent Data Types

A Coq Framework For Verified Property-Based Testing (part of QuickChick)

Ornaments in ML. Thomas Williams, Didier Rémy. April 18, Inria - Gallium

Mathematics for Computer Scientists 2 (G52MC2)

Mathematics for Computer Scientists 2 (G52MC2)

Introduction to ML. Mooly Sagiv. Cornell CS 3110 Data Structures and Functional Programming

A Certified Implementation of a Distributed Security Logic

Certified Password Quality

10 Years of Partiality and General Recursion in Type Theory

Translation Validation for a Verified OS Kernel

Lecture 11 Lecture 11 Nov 5, 2014

Graphical Untyped Lambda Calculus Interactive Interpreter

Topics Covered Thus Far CMSC 330: Organization of Programming Languages

Transcription:

Vector Clocks in Coq An Experience Report Christopher Meiklejohn Basho Technologies, Inc. Cambridge, MA 02139 cmeiklejohn@basho.com March 6, 2014

Outline of the talk Introduction Background Implementation Evaluation Future Work

Introduction Goals of the project Goals of the talk Contributions Out of scope

Goals of the project Distributed data structures (RICON West, 2012) Explore applicability of code extraction from Coq Attempt to provide an alternative to rigorous testing Prevent flaws in building QuickCheck models

Goals of the talk Introduction to Coq Introduction to Core Erlang Introduction of vector clocks Overall experience report of implementation

Contributions Coq model providing vector clock implementation Extracted Erlang model from the Coq proof assistant Erlang glue-code support module Detailed experience report Rebar extension

Out of scope Verification of the actual model Proofs, theorems, lemmas, axioms, etc... Efficiency

Background Coq Core Erlang verlang Vector clocks

Coq Interactive theorem prover Dependently typed programming language Code extraction; Scheme, Haskell, OCaml, Core Erlang

Example Coq Inductive Data Type Inductive nat : Type := O : nat S : nat nat.

Example Coq Function Fixpoint ble nat (n m : nat) {struct n} : bool := match n with O => true S n => match m with O => false S m => ble nat n m end end.

Core Erlang Intermediate representation of Erlang Designed for programatic manipulation Simple grammar c(module name, [to core]), c(module name, [from core]).

Example Core Erlang Function ble_nat /2 = fun (_n, _m) -> case _n of O when true -> True { S, _n@} when true -> case _m of O when true -> False { S, _m@} when true -> call vvclock : ble_nat ( _n@, _m@ ) end end

verlang Experimental extraction module for Coq Extracts to Core Erlang from MiniML Number of caveats

verlang caveats Lack of module nesting No currying Intra- vs. inter-module calls receieve

Vector clocks Method for reasoning about events in a distributed system. Identifying causal vs. concurrent events. List of pairs; made of up actors and operation counts. Structurally the same as version vectors; different semantics.

Implementation Vector clocks in Coq Code extraction to Core Erlang Adapter layer

Vector clocks in Coq Provide compatible API for use with Riak Core fresh, increment, equal, descends, merge, get counter, get timestamp, all nodes, prune

Vector clocks in Coq Definition actor := nat. Definition count := nat. Definition timestamp := nat. Definition clock := prod actor (prod count timestamp). Definition vclock := (list clock)%type.

Vector clocks in Coq: increment Definition increment (actor : actor) (vclock : vclock) := match find (fun clock => match clock with pair x _ => beq_nat actor x end) vclock with None => cons (pair actor (pair init_count init_timestamp)) vclock Some (pair x (pair count timestamp)) => cons (pair x (pair (incr_count count) (incr_timestamp timestamp))) (filter (fun clock => match clock with pair x _ => negb (beq_nat actor x) end) vclock)

Vector clocks in Coq: merge Definition max (vclock : vclock) (clock : clock) := match clock with pair actor (pair count timestamp) => match find (fun clock => match clock with pair x _ => beq_nat actor x end) vclock with None => cons (pair actor (pair count timestamp)) vclock Some (pair _ (pair y z)) => cons (pair actor (pair (max count y) (max timestamp z))) (filter (fun clock => match clock with pair x _ => negb (beq_nat actor x) end) vclock) end end. Definition merge (vc1 vc2 : vclock) := fold_left max vc1 vc2.

Vector clocks in Coq: prune Fixpoint prune (vclock : vclock) (small large : nat) (young old : timestamp) := match vclock with nil => vclock pair actor (pair count timestamp) :: clocks => match (ble_nat (length vclock) small) with true => vclock false => match (ble_nat timestamp young) with true => vclock

Vector clocks in Coq: descends Definition descends (vc1 vc2 : vclock) := match fold_left descends vc2 (pair true vc1) with pair false _ => false pair true _ => true end.

Code extraction to Core Erlang Missing data constructors Incorrectly qualified calls Lack of currying

Missing data constructors fresh /0 = fun () -> []

Incorrectly qualified calls call vvclock.vvclock : ble_nat ( _actor, _a )

Missing arity descends /2 = fun (_vc1, _vc2) -> case call Coq.Lists.List : fold_left ( descends@, _vc2, { Pair, True, _vc1 } ) of

Lack of currying Definition find (actor : actor) := fun clock : clock => match clock with pair x _ => negb (beq_nat actor x) end. find@ /2 = fun (_actor, _clock) -> case _clock of { Pair, _c, _x } when true -> call Coq.Arith.EqNat : beq_nat ( _actor, _c ) end

Adapter layer Type conversions Timestamps; model as Peano numbers Actors; model as Peano numbers or Strings Environment variables API normalization Circular dependencies

Type conversions natural_to_peano(0) -> O ; natural_to_peano(natural) -> { S, natural_to_peano(natural - 1)}. peano_to_natural( O ) -> 0; peano_to_natural({ S, Peano}) -> 1 + Peano.

Type conversions equal(vclock1, VClock2) -> case vvclock:equal(vclock1, VClock2) of True -> true; False -> false end. descends(vclock1, VClock2) -> case vvclock:descends(vclock1, VClock2) of True -> true; False -> false end.

Timestamps timestamp() -> calendar:datetime_to_gregorian_seconds(erlang:universaltime()). peano_timestamp() -> term_to_peano(timestamp()).

Actors Inductive string : Set := EmptyString : string String : ascii -> string -> string. Definition zero := Ascii false false false false false false false false.

Environment variables prune(vclock, _Timestamp, BProps) -> Old = term_to_peano(get_property(old_vclock, BProps)), Young = term_to_peano(get_property(young_vclock, BProps)), Large = term_to_peano(get_property(large_vclock, BProps)), Small = term_to_peano(get_property(small_vclock, BProps)), vvclock:prune(vclock, Small, Large, Young, Old).

API normalization merge([vclock1,vclock2 VClocks]) -> merge([vvclock:merge(vclock1, VClock2) VClocks]); merge([vclock]) -> VClock; merge([]) -> []. increment(actor, VClock) -> vvclock:increment(term_to_peano(actor), VClock).

Circular dependencies %% Call into vvclock.core from vclock.erl increment(actor, VClock) -> vvclock:increment(term_to_peano(actor), VClock). %% Calls back out to vclock for Riak/Erlang specifics init_timestamp /0 = fun () -> call vclock : peano_timestamp ()

Evaluation Passing test suite Performance problems Inefficient implementations Use of naturals, strings or other inductive types Testability; type conversion to/from

Future Work Fixing bugs in verlang Explore other applications; CRDTs Adapter layer; performance, testability QuickCheck or PropEr integration

Thanks! Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback