Results 1  10
of
56
Nested Hoare triples and frame rules for higherorder store
 In Proceedings of the 18th EACSL Annual Conference on Computer Science Logic
, 2009
"... Abstract. Separation logic is a Hoarestyle logic for reasoning about programs with heapallocated mutable data structures. As a step toward extending separation logic to highlevel languages with MLstyle general (higherorder) storage, we investigate the compatibility of nested Hoare triples with ..."
Abstract

Cited by 35 (17 self)
 Add to MetaCart
(Show Context)
Abstract. Separation logic is a Hoarestyle logic for reasoning about programs with heapallocated mutable data structures. As a step toward extending separation logic to highlevel languages with MLstyle general (higherorder) storage, we investigate the compatibility of nested Hoare triples with several variations of higherorder frame rules. The interaction of nested triples and frame rules can be subtle, and the inclusion of certain frame rules is in fact unsound. A particular combination of rules can be shown consistent by means of a Kripke model where worlds live in a recursively defined ultrametric space. The resulting logic allows us to elegantly prove programs involving stored code. In particular, it leads to natural specifications and proofs of invariants required for dealing with recursion through the store. Keywords. Higherorder store, Hoare logic, separation logic, semantics. 1
An integrated proof language for imperative programs
 In PLDI’09
"... We present an integrated proof language for guiding the actions of multiple reasoning systems as they work together to prove complex correctness properties of imperative programs. The language operates in the context of a program verification system that uses multiple reasoning systems to discharge ..."
Abstract

Cited by 28 (5 self)
 Add to MetaCart
(Show Context)
We present an integrated proof language for guiding the actions of multiple reasoning systems as they work together to prove complex correctness properties of imperative programs. The language operates in the context of a program verification system that uses multiple reasoning systems to discharge generated proof obligations. It is designed to 1) enable developers to resolve key choice points in complex program correctness proofs, thereby enabling automated reasoning systems to successfully prove the desired correctness properties; 2) allow developers to identify key lemmas for the reasoning systems to prove, thereby guiding the reasoning systems to find an effective proof decomposition; 3) enable multiple reasoning systems to work together productively to prove a single correctness property by providing a mechanism that developers can use to divide the property into lemmas, each of which is suitable for
Toward a Verified Relational Database Management System ∗
"... We report on our experience implementing a lightweight, fully verified relational database management system (RDBMS). The functional specification of RDBMS behavior, RDBMS implementation, and proof that the implementation meets the specification are all written and verified in Coq. Our contributions ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
(Show Context)
We report on our experience implementing a lightweight, fully verified relational database management system (RDBMS). The functional specification of RDBMS behavior, RDBMS implementation, and proof that the implementation meets the specification are all written and verified in Coq. Our contributions include: (1) a complete specification of the relational algebra in Coq; (2) an efficient realization of that model (B+ trees) implemented with the Ynot extension to Coq; and (3) a set of simple query optimizations proven to respect both semantics and runtime cost. In addition to describing the design and implementation of these artifacts, we highlight the challenges we encountered formalizing them, including the choice of representation for finite relations of typed tuples and the challenges of reasoning about data structures with complex sharing. Our experience shows that though many challenges remain, building fullyverified systems software in Coq is within reach. Categories and Subject Descriptors F.3.1 [Logics and meanings of programs]: Mechanical verification; D.2.4 [Software Engineering]:
Verification of information flow and access control policies with dependent types
, 2011
"... We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can a ..."
Abstract

Cited by 22 (4 self)
 Add to MetaCart
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard typetheoretic types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and statedependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.
Programming and Reasoning with Algebraic Effects and Dependent Types
"... One often cited benefit of pure functional programming is that pure code is easier to test and reason about, both formally and informally. However, real programs have sideeffects including state management, exceptions and interactions with the outside world. Haskell solves this problem using monads ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
(Show Context)
One often cited benefit of pure functional programming is that pure code is easier to test and reason about, both formally and informally. However, real programs have sideeffects including state management, exceptions and interactions with the outside world. Haskell solves this problem using monads to capture details of possibly sideeffecting computations — it provides monads for capturing State, I/O, exceptions, nondeterminism, libraries for practical purposes such as CGI and parsing, and many others, as well as monad transformers for combining multiple effects. Unfortunately, useful as monads are, they do not compose very well. Monad transformers can quickly become unwieldy when there are lots of effects to manage, leading to a temptation in larger programs to combine everything into one coarsegrained state and exception monad. In this paper I describe an alternative approach based on handling algebraic effects, implemented in the IDRIS programming language. I show how to describe side effecting computations, how to write programs which compose multiple finegrained effects, and how, using dependent types, we can use this approach to reason about states in effectful programs. 1.
Just do it: Simple monadic equational reasoning
 In Proceedings of the 16th International Conference on Functional Programming (ICFP’11
, 2011
"... One of the appeals of pure functional programming is that it is so amenable to equational reasoning. One of the problems of pure functional programming is that it rules out computational effects. Moggi and Wadler showed how to get round this problem by using monads to encapsulate the effects, leadin ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
One of the appeals of pure functional programming is that it is so amenable to equational reasoning. One of the problems of pure functional programming is that it rules out computational effects. Moggi and Wadler showed how to get round this problem by using monads to encapsulate the effects, leading in essence to a phase distinction—a pure functional evaluation yielding an impure imperative computation. Still, it has not been clear how to reconcile that phase distinction with the continuing appeal of functional programming; does the impure imperative part become inaccessible to equational reasoning? We think not; and to back that up, we present a simple axiomatic approach to reasoning about programs with computational effects.
Verifying Higherorder Programs with the Dijkstra Monad
"... Modern programming languages, ranging from Haskell and ML, to JavaScript, C # and Java, all make extensive use of higherorder state. This paper advocates a new verification methodology for higherorder stateful programs, based on a new monad of predicate transformers called the Dijkstra monad. Usin ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
Modern programming languages, ranging from Haskell and ML, to JavaScript, C # and Java, all make extensive use of higherorder state. This paper advocates a new verification methodology for higherorder stateful programs, based on a new monad of predicate transformers called the Dijkstra monad. Using the Dijkstra monad has a number of benefits. First, the monad naturally yields a weakest precondition calculus. Second, the computed specifications are structurally simpler in several ways, e.g., singlestate postconditions are sufficient (rather than the more complex twostate postconditions). Finally, the monad can easily be varied to handle features like exceptions and heap invariants, while retaining the same type inference algorithm. We implement the Dijkstra monad and its type inference algorithm for the F ⋆ programming language. Our most extensive case study evaluates the Dijkstra monad and its F ⋆ implementation by using it to verify JavaScript programs. Specifically, we describe a tool chain that translates programs in a subset of JavaScript decorated with assertions and loop invariants to F ⋆. Once in F ⋆ , our type inference algorithm computes verification conditions and automatically discharges their proofs using an SMT solver. We use our tools to prove that a core model of the JavaScript runtime in F ⋆ respects various invariants and that a suite of JavaScript source programs are free of runtime errors.
Selfcertification: Bootstrapping certified typecheckers in F* with Coq
 In POPL
, 2012
"... Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All the ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machinechecked verification. We propose a general technique called selfcertification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F ⋆ , a dependently typed language on the.NET platform. Selfcertification involves implementing a typechecker for F ⋆ in F ⋆ , while using all the conveniences F ⋆ provides for the compilerwriter (e.g., partiality, effects, implicit conversions, proof automation, libraries). This typechecker is given a specification (in F ⋆ ) strong enough to ensure that it computes valid typing derivations. We obtain a typing derivation for the core typechecker by running it on itself, and we export it to Coq as a typederivation certificate. By typechecking this derivation (in Coq) and applying the F ⋆ metatheory (also mechanized in Coq), we conclude that our type checker is correct. Once certified in this manner, the F ⋆ typechecker is emancipated from Coq. Selfcertification leads to an efficient certification scheme—we no longer depend on verifying certificates in Coq—as well as a more broadly applicable one. For instance, the selfcertified F ⋆ checker is suitable for use in adversarial settings where Coq is not intended for use, such as runtime certification of mobile code.