Turning proof assistants into programming assistants

Similar documents
Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

Verification of an ML compiler. Lecture 1: An introduction to compiler verification

Background. From my PhD (2009): Verified Lisp interpreter in ARM, x86 and PowerPC machine code

Translation Validation for a Verified OS Kernel

CakeML. A verified implementation of ML. LFCS seminar, Edinburgh, May Magnus Myreen Chalmers University of Technology & University of Cambridge

Applied Theorem Proving: Modelling Instruction Sets and Decompiling Machine Code. Anthony Fox University of Cambridge, Computer Laboratory

A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture. Anthony Fox and Magnus O. Myreen University of Cambridge

Software Testing CS 408. Lecture 10: Compiler Testing 2/15/18

Certified compilers. Do you trust your compiler? Testing is immune to this problem, since it is applied to target code

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

A New Verified Compiler Backend for CakeML. Yong Kiam Tan* Magnus O. Myreen Ramana Kumar Anthony Fox Scott Owens Michael Norrish

Software Verification with ITPs Should Use Binary Code Extraction to Reduce the TCB

Machine-checked proofs of program correctness

Automated verification of termination certificates

Directions in ISA Specification. Anthony Fox. Computer Laboratory, University of Cambridge, UK

Directions in ISA Specification

Towards a Practical, Verified Kernel

Functional Programming in Coq. Nate Foster Spring 2018

Formal C semantics: CompCert and the C standard

How much is a mechanized proof worth, certification-wise?

Formal methods for software security

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

CAKEML. A Verified Implementation of ML. S-REPLS 6 UCL 25 May, Ramana Kumar. Magnus Myreen. Yong Kiam Tan

Hardening LLVM with Random Testing

COMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka

Unit- and Sequence Test Generation with HOL-TestGen

Browser Security Guarantees through Formal Shim Verification

Industrial Hardware and Software Verification with ACL2

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

A Certified Reduction Strategy for Homological Image Processing

Typed Functional Programming In OCaml

CSCI-GA Scripting Languages

Written Presentation: JoCaml, a Language for Concurrent Distributed and Mobile Programming

Automated proof-producing abstraction of C code

Type Theory meets Effects. Greg Morrisett

Behavioral Equivalence

SJTU SUMMER 2014 SOFTWARE FOUNDATIONS. Dr. Michael Clarkson

Packaging Theories of Higher Order Logic

Verification of an ML compiler. Lecture 3: Closures, closure conversion and call optimisations

Formal proofs of code generation and verification tools

The reflective Milawa theorem prover is sound

The Verified CakeML Compiler Backend

Translation Validation for a Verified OS Kernel

Code BEAM SF Hype For Types. Using Dialyzer to bring type checking to your Elixir code

A verified runtime for a verified theorem prover

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

Research Statement. Daniel R. Licata

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

Randomized Stress-Testing of Link-Time Optimizers

Extensible proof-producing compilation

Behavioral Equivalence

CS 6371: Advanced Programming Languages

Proof-Producing Synthesis of ML from Higher-Order Logic

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Rockwell Collins Evolving FM Methodology

Programs and Proofs in Isabelle/HOL

Verification of the GCC-generated binary of the sel4 microkernel

Adam Chlipala University of California, Berkeley ICFP 2006

G Programming Languages - Fall 2012

Push-Button Verification of File Systems

Closures. Mooly Sagiv. Michael Clarkson, Cornell CS 3110 Data Structures and Functional Programming

Isabelle/HOL:Selected Features and Recent Improvements

Verified compilation of a first-order Lisp language

Creating Formally Verified Components for Layered Assurance with an LLVM-to-ACL2 Translator

Bidirectional Certified Programming

Verification Condition Generation via Theorem Proving

Chapter 11 :: Functional Languages

CSE413: Programming Languages and Implementation Racket structs Implementing languages with interpreters Implementing closures

Assuring Software Protection in Virtual Machines

Securing Complex Software Systems Using Formal Verification and Specification

Transforming Programs into Recursive Functions

Xkcd.com. September 27, 2013

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Scope and Introduction to Functional Languages. Review and Finish Scoping. Announcements. Assignment 3 due Thu at 11:55pm. Website has SML resources

A Verifying Core for a Cryptographic Language Compiler

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

CS457/557 Functional Languages

Reasoning About LLVM Code Using Codewalker

Proof Carrying Code(PCC)

An OCaml-based automated theorem-proving textbook

Pierce Ch. 3, 8, 11, 15. Type Systems

Trickle: Automated Infeasible Path

A Robust Machine Code Proof Framework for Highly Secure Applications

Formal verification of an optimizing compiler

History overview Critical discussion What next (includes cool ideas from Matt)

Provably Correct Software

CS 11 Haskell track: lecture 1

DEFINING A LANGUAGE. Robert Harper. Friday, April 27, 12

Extensible Proof-Producing Compilation

LYREBIRD David Cock

Push-Button Verification of File Systems

Synchronous Specification

CSE341: Programming Languages Lecture 17 Implementing Languages Including Closures. Dan Grossman Autumn 2018

Certified Merger for C Programs Using a Theorem Prover: A First Step

Functional Programming

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Functional Programming in Hardware Design

Formal Verification of Programs and Their Transformations

Language Techniques for Provably Safe Mobile Code

Transcription:

Turning proof assistants into programming assistants ST Winter Meeting, 3 Feb 2015 Magnus Myréen

Why? Why combine proof- and programming assistants? Why proofs? Testing cannot show absence of bugs. Some care very much about bugs. (Applicable to specialist code only ) What is the specification of Microsoft Word? But what about bugs in compilers, library routines, OS?

Why? Why combine proof- and programming assistants? If proof assistants were convenient programming environments, then proofs might become more commonplace. Unit proofs, instead of unit tests? Proving some key properties of algorithm implementations? Not necessarily full functional correctness

Trusting your toolchain Every compiler we tested was found to crash and also to silently generate wrong code when presented with valid input. PLDI 11 Abstract Finding and Understanding Bugs in C Compilers Xuejun Yang Yang Chen Eric Eide John Regehr Compilers should be correct. To improve the quality of C compilers, we created Csmith, a randomized test-case generation tool, and spent three years using it to find compiler bugs. During this period University of Utah, School of Computing { jxyang, chenyang, eeide, regehr }@cs.utah.edu [The verified part of] CompCert is the only compiler we have tested for which Csmith cannot find wrong-code we reported more than 325 previously unknown bugs to compiler developers. Every compiler we tested was found to crash and also to silently generate wrong code when presented with valid input. In this paper we present our compiler-testing tool and the results of our bug-hunting study. Our first contribution is to advance the state of the art in compiler testing. Unlike previous tools, Csmith generates programs that cover a large subset of C while avoiding the s that would destroy its ability 1 int foo (void) { 2 signed char x = 1; 3 unsigned char y = 255; 4 return x > y; 5 } errors. This is not for lack of trying: we have devoted about six CPU-years to the task. Figure 1. We found a bug in the version of GCC that shipped with Ubuntu Linux 8.04.1 for x86. At all optimization levels it compiles this function to return 1; the correct result is 0. The Ubuntu compiler was heavily patched; the base version of GCC did not have this bug. d Csmith, a randomized test-case generator that sup- -

Programming assistants Visual Studio, Xcode, Eclipse a helpful program editor helps test and refactor code debugger some can even do complex static analysis

Programming assistants Visual Studio, Xcode, Eclipse not designed for strong semantic guarantees High-assurance code development? can be used: 1. write code in programming assistant 2. verify code using other tools what about development life cycle?

Producing high-assurance code Approaches: Source code verification (traditional) e.g. annotate code with assertions and (automatically) prove that program respects the assertions, i.e. never fails Verification of compiler output (bottom up) e.g. translation of low-level code (e.g. machine code) into higher-level representation (functions in logic). Correct-by-constriction (top down) synthesis of implementations from high-level specifications (e.g. functions in logic)

Trustworthy code But is the source code good enough for expressing the specification and implementation strategy in the same text? but that s what compilers do! Correct-by-constriction (top down) synthesis of implementations from high-level specifications (e.g. functions in logic)

Proof assistants General-purpose proof assistants: HOL4, Isabelle/HOL, Coq, ACL2 What are they? proof scripts editors clear name spaces type definitions function definitions proof statements goal-oriented proofs important feature: proof assistants are programmable (not shown)

Trustworthy? Proof assistants are designed to be trustworthy. HOL4 is a fully expansive theorem prover: HOL4 theorem prover HOL4 kernel All proofs expand at runtime into primitive inferences in the HOL4 kernel. The kernel implements the axioms and inference rules of higher-order logic. Thus all HOL4 proofs are formal proofs.

Landmarks Modern provers are scale well: Major maths proofs Odd Order Theorem, Gonthier et al. Kepler Conjecture, Hales et al. Four-Colour Theorem, Gonthier Major code verification proofs Correctness of OS microkernel, Klein et al. (NICTA) CompCert optimising C compiler, Leroy et al. (INRIA) These proofs are 100,000+ lines of proof script. compositional development!

Proof assistants bottom up-ish A closer look: Correctness of OS microkernel, Klein et al. (NICTA) Verified a deep embedding of 10,000 C code w.r.t. a very detailed semantics of C and a high-level functional specification. Proofs also extended down to machine code (I helped). top down CompCert optimising C compiler Compiler written as function in logic (not a deep embedding) Correctness theorems proved about this function. Function exported to Ocaml using an unverified code generator.

Proof assistants Used as generators of code inside the prover: functions in logic theorem about functions no proof Ocaml code no formal semantics top down CompCert optimising C compiler Compiler written as function in logic (not a deep embedding) Correctness theorems proved about this function. Function exported to Ocaml using an unverified code generator.

Proof assistants Are they programming assistants? Comparison proof scripts contain functional programs that can be exported to programming languages (Ocaml, SML, Haskell, Scala) But here: code and spec not necessarily the same. Code can be abstract, non-executable. (Isabelle/HOL has nice automation for finding counter examples.)

Trustworthy? Not to the high standards of fully expansive provers inside the prover: functions in logic theorem about functions no proof FP code no formal semantics A better solution: inside the prover: functions in logic theorem about functions with proof FP code with formal semantics very simple translation ASCII for FP code

Code generation as a trustworthy step At ICFP 12 (and a JFP 14 paper): Showed that we can automate proof-producing code generation for FP programs written in HOL4. The target is CakeML, a (large) subset of Standard ML. A better solution: but do we trust Poly/ML to implement CakeML according to our semantics? inside the prover: functions in logic theorem about functions with proof FP code with formal semantics very simple translation ASCII for FP code

Going to machine code Code generation from functions in logic directly to concrete machine code. From my PhD thesis: Synthesis often more practical. Given function f, f (r 1 ) = if r 1 < 10 then r 1 else let r 1 = r 1 10 in f (r 1 ) our compiler generates ARM machine code: E351000A L: cmp r1,#10 2241100A subcs r1,r1,#10 2AFFFFFC bcs L and automatically proves a certificate HOL theorem: ` { R1 r 1 PC p s } p : E351000A 2241100A 2AFFFFFC { R1 f (r 1 ) PC (p+12) s }

Going to machine code Code generation from functions in logic directly to concrete machine code. Has been used to build non-trivial applications: e.g. a fully verified machine-code implementation of a Lisp read-eval-print loop (with dynamic compilation) Disadvantage of the approach: The source functions in logic must be stated in a very constrained format (only tail-rec, only specific types etc.).

Better: going via ML and compilation We can be less restrictive using our verified compiler (POPL 14) inside the prover: functions in logic theorem about functions with proof FP code with formal semantics i.e. we can use the compiler s correctness theorem applying a verified compilation function ARM, x86, MIPS machine code with formal semantics very simple translation binary

Interest We are getting closer to a reality of using proof assistants as program development platforms Rockwell Collins large avionics/defence contractor in the US keen to use this technology two concrete projects in mind NICTA developers of the sel4 verified OS microkernel keen to build verified user code connect everything up to produce complete system with formal guarantees

I/O needed Problem: real applications need I/O CakeML has only very basic putc and getc char I/O Solution (my current work): the next version of the compiler will have I/O through a simple foreign function interface (FFI) works through mutable byte arrays that are shared with C formally: in the semantics, I/O is modelled by an oracle function (oracle state = rest of the world) the new version will also include optimisations (proper register allocation, better closure conversion, multi-argument function opt)

Going via ML and compilation (revisited) using I/O monad stateful inside the prover: functions in logic with proof FP code with formal semantics theorem about functions applying a verified compilation function ARM, x86, MIPS machine code with formal semantics interactive very simple translation binary

but still not good enough CakeML has automatic memory management The correctness theorem allows it to always exit with not enough memory. Execution time unpredictable In the long run: need language without a GC. Go? or sublanguage of CakeML

Summary State-of-the-art: Proof scripts contain functional programs. Proof automation for data refinement, testing etc. Can generate (without proofs) FP code. I ve showed that this can be done with proofs. Verified compilation from FP to machine code. Future vision: Proof assistants should be able to automatically produce verified binaries from FP-style definitions. Usable in real high-assurance applications. Collaborators: Ramana Kumar (Uni. Cambridge) Scott Owens (Uni. Kent) Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback