Program certification with computational

Similar documents
Certified proofs in programs involving exceptions

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Calculating Correct Compilers

CVO103: Programming Languages. Lecture 5 Design and Implementation of PLs (1) Expressions

Formal Semantics of Programming Languages

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Design

Formal Semantics of Programming Languages

1 Elementary number theory

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Denotational Semantics

CS 242. Fundamentals. Reading: See last slide

Mosig M1 - PLSCD Written exam

1 Elementary number theory

Application: Programming Language Semantics

Computing Fundamentals 2 Introduction to CafeOBJ

COMP 507: Computer-Aided Program Design

A CRASH COURSE IN SEMANTICS

Formal semantics of loosely typed languages. Joep Verkoelen Vincent Driessen

3.7 Denotational Semantics

Abstract Interpretation

n n Try tutorial on front page to get started! n spring13/ n Stack Overflow!

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Lecture 5 - Axiomatic semantics

In Our Last Exciting Episode

CIS 500 Software Foundations. Final Exam. May 3, Answer key

Denotational Semantics. Domain Theory

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Functional Programming. Pure Functional Languages

COMP80 Lambda Calculus Programming Languages Slides Courtesy of Prof. Sam Guyer Tufts University Computer Science History Big ideas Examples:

Denotational Semantics

Comp 411 Principles of Programming Languages Lecture 7 Meta-interpreters. Corky Cartwright January 26, 2018

Semantics. A. Demers Jan This material is primarily from Ch. 2 of the text. We present an imperative

Contents. Chapter 1 SPECIFYING SYNTAX 1

Programming Languages Third Edition

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Lecture slides & distribution files:

Scheme Tutorial. Introduction. The Structure of Scheme Programs. Syntax

1.3. Conditional expressions To express case distinctions like

Symmetry in Type Theory

36 Modular Arithmetic

Functional Programming. Pure Functional Languages

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

Type Systems. Today. 1. Organizational Matters. 1. Organizational Matters. Lecture 1 Oct. 20th, 2004 Sebastian Maneth. 1. Organizational Matters

Formal Systems II: Applications

7. Introduction to Denotational Semantics. Oscar Nierstrasz

Types for References, Exceptions and Continuations. Review of Subtyping. Γ e:τ τ <:σ Γ e:σ. Annoucements. How s the midterm going?

Programming Languages

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

More Untyped Lambda Calculus & Simply Typed Lambda Calculus

Lambda Calculus. CS 550 Programming Languages Jeremy Johnson

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley

1 Introduction. 3 Syntax

The Programming Language Core

Functional Programming. Big Picture. Design of Programming Languages

Proofs-Programs correspondance and Security

Compositional Software Model Checking

Inductive Definitions, continued

Big-step Operational Semantics (aka Natural Semantics)

Math Introduction to Advanced Mathematics

Homework 3 COSE212, Fall 2018

Embedding logics in Dedukti

Exercises on Semantics of Programming Languages

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Induction and Semantics in Dafny

CMSC 330: Organization of Programming Languages. Operational Semantics

Introduction to Axiomatic Semantics

Chapter 3 (part 3) Describing Syntax and Semantics

Lectures 20, 21: Axiomatic Semantics

Where is ML type inference headed?

Modular dependent induction in Coq, Mendler-style. Paolo Torrini

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Lambda Calculus. Concepts in Programming Languages Recitation 6:

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

LECTURE 16. Functional Programming

Lambda Calculus. Type Systems, Lectures 3. Jevgeni Kabanov Tartu,

Foundations. Yu Zhang. Acknowledgement: modified from Stanford CS242

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

1 Delimited continuations in Haskell

Introduction. chapter Functions

The Untyped Lambda Calculus

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

CSCC24 Functional Programming Scheme Part 2

COS 320. Compiling Techniques

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Polymorphism and Type Inference

CSE505, Fall 2012, Midterm Examination October 30, 2012

CSE-321 Programming Languages 2011 Final

Coq projects for type theory 2018

Functional Programming. Pure Functional Programming

Formal Semantics of Programming Languages

Adam Chlipala University of California, Berkeley ICFP 2006

(Refer Slide Time: 4:00)

Recursive Types and Subtyping

COMP 382: Reasoning about algorithms

Formally Certified Satisfiability Solving

Transcription:

Program certification with computational effects Burak Ekici j.w.w. Jean-Guillaume Dumas, Dominique Duval, Damien Pous y LJK, University Joseph Fourier, Grenoble y LIP, ENS-Lyon November 5, 2014 JNCF 14, Marseille-France B. Ekici (LJK) Effect certification November 5, 2014 1 / 30

Contents 1 Dynamic evaluation through exceptions 2 Proofs with side effects 3 Coq in play B. Ekici (LJK) Effect certification November 5, 2014 2 / 30

Contents 1 Dynamic evaluation through exceptions 2 Proofs with side effects 3 Coq in play B. Ekici (LJK) Effect certification November 5, 2014 3 / 30

Dynamic evaluation Dynamic evaluation := automatic case distinction process... B. Ekici (LJK) Effect certification November 5, 2014 4 / 30

Dynamic evaluation Dynamic evaluation := automatic case distinction process... Code re-usability: B. Ekici (LJK) Effect certification November 5, 2014 4 / 30

Dynamic evaluation Dynamic evaluation := automatic case distinction process... Code re-usability: E.g. Reusing codes made for fields over rings. B. Ekici (LJK) Effect certification November 5, 2014 4 / 30

Dynamic evaluation Dynamic evaluation := automatic case distinction process... Code re-usability: E.g. Reusing codes made for fields over rings. Gaussian elimination modulo prime p for Gaussian elimination modulo composite m. B. Ekici (LJK) Effect certification November 5, 2014 4 / 30

Dynamic evaluation for modular Gaussian Elimination pivoting ( ): not only non-zero but also invertible if any is non-zero but non-invertible then SPLIT the computation for modulo m 1 and m 2 by gcd computation. [m = m 1 m 2] & [m 1 and m 2 are gcd-free] [ is invertible modulo m 1 ] & [ is zero modulo m 2] 1 Gaussian elimination modulo m 1 2 Gaussian elimination modulo m 2 B. Ekici (LJK) Effect certification November 5, 2014 5 / 30

Dynamic evaluation for modular Gaussian Elimination B. Ekici (LJK) Effect certification November 5, 2014 6 / 30

Dynamic evaluation via exceptions 1/2 arithmetic level exception: preventing zero divisors also i n l i n e I n t e g e r invmod ( const I n t e g e r& a, const I n t e g e r& m) { I n t e g e r gcd, u, v ; E x t e n d e d E u c l i d e a n A l g o r i t h m ( gcd, u, v, a,m) ; i f ( gcd!= 1 ) throw ZmzInvByZero ( gcd ) ; r e t u r n v>0?v : v=+m; } exception at split location t r y { i n v p i v = zmz ( 1 ) / A [ k ] [ k ] ; } catch ( ZmzInvByZero e ) { throw G a u s s N o n I n v P i v o t ( e. getgcd ( ), k, c u r r e n t r a n k ) ; } B. Ekici (LJK) Effect certification November 5, 2014 7 / 30

Dynamic evaluation via exceptions 2/2 deal with split: recursive continuation t r y { // i n p l a c e m o d i f i c a t i o n s o f l o w e r n`k p a r t o f m a t r i x A i n t r a n k = g a u s s r a n k (A, k ) ; c o u t << r a n k : << r a n k + u p p e r r a n k << modulo << m; } catch ( GaussNonInvPivot e ) { // r e c u r s i v e c o n t i n u a t i o n modulo m1 AND modulo m2 // a t c u r r e n t s t e p } B. Ekici (LJK) Effect certification November 5, 2014 8 / 30

Contents 1 Dynamic evaluation through exceptions 2 Proofs with side effects 3 Coq in play B. Ekici (LJK) Effect certification November 5, 2014 9 / 30

Programs with side effects 1/2 Side effect := the mismatch between syntax and semantics... E.g. The exceptions effect: Considering the exception thrower: f l o a t f u n c t i o n ( i n t a ) throw ( E x c e p t i o n ) {... } ; ) Syntactically; function: int! float ) w.r.t. an interpretation (denotational semantics); function: int! float + Exception B. Ekici (LJK) Effect certification November 5, 2014 10 / 30

Programs with side effects 2/2 E.g. The state effect: Considering the state modifier: c l a s s S { f l o a t method ( i n t a ) {... } ; }... S t ; t. method ( 1 0 ) ; ) Syntactically; method: int! float ) w.r.t. an interpretation (denotational semantics); method: int ˆ S! float ˆ S B. Ekici (LJK) Effect certification November 5, 2014 11 / 30

Decorated logic [Dominguez & Duval 08] tools for modeling computations with effects: monads: [Moggi 91] decorated logic: based on the framework by [Dominguez & Duval 08] provides equivalence proofs among programs with effects B. Ekici (LJK) Effect certification November 5, 2014 12 / 30

Decorated logic [Dominguez & Duval 08] tools for modeling computations with effects: monads: [Moggi 91] decorated logic: based on the framework by [Dominguez & Duval 08] provides equivalence proofs among programs with effects ) Equivalence proofs are aimed to be verified by Coq. B. Ekici (LJK) Effect certification November 5, 2014 12 / 30

Decorated logic: exceptions 1/2 f (0) : X! Y pure f (1) : X! Y thrower=propagator f (2) : X! Y catcher specify explain the decoration % & the decoration f : X! Y f : X! Y f : X! Y+E f : X+E! Y+E ) Ease of composition: exceptional behaviors are kept implicit. I.e., Given f (2) : X! Y and g (1) : Y! Z, (g f) (2) : X! Z B. Ekici (LJK) Effect certification November 5, 2014 13 / 30

Decorated logic: exceptions 2/2 strong equality (on ordinary and exceptional arguments) f g weak equality (on ordinary arguments only) f g f g : X! Y f g : X! Y specify explain the decoration % & the decoration f = g : X! Y f = g : X+E! Y+E f inl X = g inl X : X! Y+E [inl X is the inclusion of X into X+E] ) More precise equational proofs of programs: w.r.t. effects and ordinary cases. B. Ekici (LJK) Effect certification November 5, 2014 14 / 30

Core exceptional operations: tag/untag tag t : P t! 0 untag t : 0! P t ordinary value (normal) a a exceptional value (abrupt) tag t a t untag t a t ) throwing and catching exceptions := core operations + pattern matching. B. Ekici (LJK) Effect certification November 5, 2014 15 / 30

throwing & handling exceptions ) Throwing an exception := tag t and some glue for the continuation. throw (1) t,y := [ ](0) Y tag (1) t : Pt! 0! 0 + Y = Y : P t! Y ) Exception handling := untag t with pattern matching. Considering the handler g (1) : P t! Y : catch(t ) g) (2) := [id (0) Y j g (1) untag (2) t ] : Y+0 = Y! Y B. Ekici (LJK) Effect certification November 5, 2014 16 / 30

try-catch block ) try ` catch block can be expressed by compositions of decorated terms: For any f (1) : X! Y : tryffg catch(t ) g) (1) := # ([id (0) Y j g (1) untag (2) t ] f(1) ) : X! Y = Y+0 = Y! Y ) try bounds the scope of catch B. Ekici (LJK) Effect certification November 5, 2014 17 / 30

Decorated logic: exceptions - rules The given logic is enriched with some number of rules: Conversion rules f (0) f (1) f (1) f (2) f (d) g (d0) f g f (d) g (d0 ) f g if max(d; d 0 )» 1 Equivalence rules Rules on monadic equational logic Categorical coproduct rules Observational properties: tag & untag (ax 1) t : Excn untag (2) t tag (1) t id Pt (0) (ax 2) t; r : Excn t 6= r untag (2) r tag (1) t [ ] (0) P r tag (1) t B. Ekici (LJK) Effect certification November 5, 2014 18 / 30

Soundness of the inference system Axioms/rules allow us to prove: 1 propagator propagates: g (1) [ ] (0) X [ ] (0) Y 2 annihilation untag-tag: tag (1) t untag (2) t id (0) 0 3 annihilation catch-raise: tryffg catch(t ) throw t;y) (1) f (1) 4 commutation untag-untag: given s 6= t (untag (2) t +id(0) s ) untag (2) s (id (0) t 5 commutation catch-catch: given s 6= t +untag(2) s ) untag (2) t tryffg catch(t ) g j s ) h) (1) tryffg catch(s ) h j t ) g) (1) B. Ekici (LJK) Effect certification November 5, 2014 19 / 30

Contents 1 Dynamic evaluation through exceptions 2 Proofs with side effects 3 Coq in play B. Ekici (LJK) Effect certification November 5, 2014 20 / 30

Coq in one slide Coq: proof assistant strongly typed, purely functional programming language not Turing complete: non-termination avoided B. Ekici (LJK) Effect certification November 5, 2014 21 / 30

Coq in one slide Coq: proof assistant strongly typed, purely functional programming language not Turing complete: non-termination avoided ) Underlying type theory: Calculus of Inductive Constructions (CIC) [Coquand et al 89]. B. Ekici (LJK) Effect certification November 5, 2014 21 / 30

Coq in one slide Coq: proof assistant strongly typed, purely functional programming language not Turing complete: non-termination avoided ) Underlying type theory: Calculus of Inductive Constructions (CIC) [Coquand et al 89]. CIC: extension to simply typed lambda calculus with polymorphism: terms depending on types type operators: types depending on types dependent types: types depending on terms inductive definitions Type predicativity (hierarchy): to avoid Russell-like paradoxes. B. Ekici (LJK) Effect certification November 5, 2014 21 / 30

Coq formalization of exceptions 1/3 Every function f : X! Y becomes f : term Y X in decorated settings which is inductively defined: Inductive term: Type! Type! Type := j comp: 8 {X Y Z: Type}, term X Y! term Y Z! term X Z j copair : 8 {X Y Z: Type}, term Z X! term Z Y! term Z (X +Y ) j tpure: 8 {X Y : Type}, (X! Y )! term Y X j tag: 8 t:exn, term Empty set (P t) j untag: 8 t:exn, term (P t) Empty set. B. Ekici (LJK) Effect certification November 5, 2014 22 / 30

Coq formalization of exceptions 2/3 and decorated as follows: 0 = pure 1 = propagator 2 = catcher Inductive kind := pure j propagator j catcher. Inductive is: kind! 8 X Y, term X Y! Prop := j is tpure: 8 X Y (f : X! Y ), is pure (@tpure X Y f ) j is comp: 8 k X Y Z (f : term X Y ) (g: term Y Z), is k f! is k g! is k (f o g) j is copair : 8 k X Y Z (f : term Z X ) (g: term Z Y ), is k f! is k g! is k (copair f g) j is tag: 8 t, is propagator (tag t) j is untag: 8 t, is catcher (untag t) j is pure propagator : 8 X Y (f : term X Y ), is pure f! is propagator f j is propagator catcher : 8 X Y (f : term X Y ), is propagator f! is catcher f. B. Ekici (LJK) Effect certification November 5, 2014 23 / 30

Coq formalization of exceptions 3/3 rules are inductively defined, too: Reserved Notation "x == y" (at level 80). Reserved Notation "x y" (at level 80). Inductive strong: 8 X Y, relation (term X Y ) := j effect rule: 8 X Y (f g: term Y X ), f o [ ] == g o [ ]! f g! f == g. with weak: 8 X Y, relation (term X Y ) := j ax 1: 8 t, untag t o tag t id. B. Ekici (LJK) Effect certification November 5, 2014 24 / 30

IMP-STATES-EXCEPTIONS: the library IMP+EXC is an imperative language enriched with exceptions: B. Ekici (LJK) Effect certification November 5, 2014 25 / 30

IMP-STATES-EXCEPTIONS: the library IMP+EXC is an imperative language enriched with exceptions: IMP+EXC Syntax: aexp: a 1 a 2 ::= n j x j a 1 + a 2 j a 1 ˆ a 2 bexp: b 1 b 2 ::= tt j ff j a 1 = a 2 j a 1 6= a 2 j a 1 > a 2 j a 1 < a 2 j b 1 ^ b 2 j b 1 _ b 2 cmd: c 1 c 2 ::= skip j x := e j c 1; c 2 j if b then c 1 else c 2 j while b do c 1 j throw exc j try c 1 catch exc ) c 2 B. Ekici (LJK) Effect certification November 5, 2014 25 / 30

IMP-STATES-EXCEPTIONS: the library IMP+EXC is an imperative language enriched with exceptions: IMP+EXC Syntax: aexp: a 1 a 2 ::= n j x j a 1 + a 2 j a 1 ˆ a 2 bexp: b 1 b 2 ::= tt j ff j a 1 = a 2 j a 1 6= a 2 j a 1 > a 2 j a 1 < a 2 j b 1 ^ b 2 j b 1 _ b 2 cmd: c 1 c 2 ::= skip j x := e j c 1; c 2 j if b then c 1 else c 2 j while b do c 1 j throw exc j try c 1 catch exc ) c 2 ) Operational semantics of IMP+EXC: IMP-STATES-EXCEPTIONS source code (IMP-STATES-EXCEPTIONS) B. Ekici (LJK) Effect certification November 5, 2014 25 / 30

Verified programs 1/2 E.g., prog_1 = ( var x, y ; x := 1 ; y := 23 ; try( while(tt) do ( if(x <= 0) then(throw e) else(x := x - 1) ) ) catch e => (y := 7) ; y := 45 ; ). == prog_2 = ( var x, y ; x := 0 ; y := 45 ; ). B. Ekici (LJK) Effect certification November 5, 2014 26 / 30

Verified programs 2/2 prog_3= ( var a, b, c, d, m ; var r ; var t, u, u1, q, g, g1 ; a := 2; b := 1 ; c := 3 ; d := 4 ; m := 6 ; if(a = 0) then( t := a ; a := b ; b := t ; t := c ; c := d ; d := t ; ) else skip ; if(a = 0) then( t := a ; a := c ; c := t ; t := b ; b := d ; d := t ; ) else skip ; if(a = 0) then( if(b = 0) then r := 0 ; else r := 1 ; ) else( try( u := 0 ; u1 := 1 ; g1 := a; g := m ; while(g1 > 0) do( q := g / g1 ; t := u - q * u1 ; u := u1 ; u1 := t ; t := g - q * g1 ; g := g1 ; g1 := t ; ) ) if not (g = 1) then throw e ; else skip ; catch e => ( m := m / g ; u := 0 ; u1 := 1 ; g1 := a ; g := m ; while(g1 > 0) do( q := g / g1 ; t := u - q * u1 ; u := u1 ; u1 := t ; t := g - q * g1 ; g := g1 ; g1 := t ; ) ) d := (d - u * c * b) % m ; if(d = 0) then r := 1 ; else r := 2 ; ) ). prog_4= ( var a, b, c, d, m ; var r ; var t, u, u1, q, g, g1 ; a := 2 ; u1 := 3 ; q := 2 ; g := 1 ; t := 0 ; g1 := 0 ; c := 3 ; u := -1 ; b := 1 ; m := 3 ; d := 1 ; r := 2 ; ). == B. Ekici (LJK) Effect certification November 5, 2014 27 / 30

Verified programs 2/2 prog_3= ( var a, b, c, d, m ; var r ; var t, u, u1, q, g, g1 ; a := 2; b := 1 ; c := 3 ; d := 4 ; m := 6 ; if(a = 0) then( t := a ; a := b ; b := t ; t := c ; c := d ; d := t ; ) else skip ; if(a = 0) then( t := a ; a := c ; c := t ; t := b ; b := d ; d := t ; ) else skip ; if(a = 0) then( if(b = 0) then r := 0 ; else r := 1 ; ) else( try( u := 0 ; u1 := 1 ; g1 := a; g := m ; while(g1 > 0) do( q := g / g1 ; t := u - q * u1 ; u := u1 ; u1 := t ; t := g - q * g1 ; g := g1 ; g1 := t ; ) ) if not (g = 1) then throw e ; else skip ; catch e => ( m := m / g ; u := 0 ; u1 := 1 ; g1 := a ; g := m ; while(g1 > 0) do( q := g / g1 ; t := u - q * u1 ; u := u1 ; u1 := t ; t := g - q * g1 ; g := g1 ; g1 := t ; ) ) d := (d - u * c * b) % m ; if(d = 0) then r := 1 ; else r := 2 ; ) ). prog_4= ( var a, b, c, d, m ; var r ; var t, u, u1, q, g, g1 ; a := 2 ; u1 := 3 ; q := 2 ; g := 1 ; t := 0 ; g1 := 0 ; c := 3 ; u := -1 ; b := 1 ; m := 3 ; d := 1 ; r := 2 ; ). == Program calculating the rank of a (2ˆ2) matrix modulo composite numbers. Consider: / is the integer division % is the modulo reduction B. Ekici (LJK) Effect certification November 5, 2014 27 / 30

self-evaluation + open questions + aspect: having verified proofs of programs with effects - aspect: not so good benchmarks ) different orders of magnitude to have better performances B. Ekici (LJK) Effect certification November 5, 2014 28 / 30

self-evaluation + open questions + aspect: having verified proofs of programs with effects - aspect: not so good benchmarks ) different orders of magnitude to have better performances - aspect: proofs of real-valued programs (where all variables are initialized) + aspect: decorated logic w.r.t. weak equality corresponds to Hoare logic (formal system to reason about partial correctness of programs) B. Ekici (LJK) Effect certification November 5, 2014 28 / 30

So far & future work So far: A Coq library for the global states: with Hilbert-Post Completeness proof A Coq library for exceptions A Coq library for combined states and exceptions IMP specifications: IMP-STATES IMP-STATES-EXCEPTIONS All sources on http://coqeffects.forge.imag.fr B. Ekici (LJK) Effect certification November 5, 2014 29 / 30

So far & future work So far: A Coq library for the global states: with Hilbert-Post Completeness proof A Coq library for exceptions A Coq library for combined states and exceptions IMP specifications: IMP-STATES IMP-STATES-EXCEPTIONS All sources on http://coqeffects.forge.imag.fr Future: Hilbert-Post Completeness proof for exceptions systematic way to compose effects + generalization B. Ekici (LJK) Effect certification November 5, 2014 29 / 30

The end! Many thanks for your kind attention! Questions? B. Ekici (LJK) Effect certification November 5, 2014 30 / 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback