## Implementing Certified Programming Language Tools Dependent Type Theory (2007)

Citations: | 1 - 0 self |

### BibTeX

@TECHREPORT{Chlipala07implementingcertified,

author = {Adam James Chlipala},

title = {Implementing Certified Programming Language Tools Dependent Type Theory},

institution = {},

year = {2007}

}

### OpenURL

### Abstract

### Citations

1359 | An Axiomatic Basis for Computer Programming
- Hoare
- 1969
(Show Context)
Citation Context ... from other engineering disciplines. In the 1970's and 1980's, there was a mood of optimism about the power of mathematical methods to solve this problem. In the previous decade, Floyd [36] and Hoare =-=[46]-=- had set out one of the most practically attractive mathematical accounts of program be2 havior. Not only did their work result in a clear formulation of what a program means, but this meaning was gi... |

1091 | Proof-Carrying Code
- Necula
- 1997
(Show Context)
Citation Context ...ted correctly. In today's networked world of computing, we prefer to minimize the amount of code that we need to trust to obtain suitable security guarantees. In applications like proof-carrying code =-=[67]-=-, which is the setting for Part I of this dissertation, any bug in proof-checking machinery opens opportunities for attackers to run malicious code.s6 There are also many benefits associated with type... |

794 |
Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic
- CLARKE, EMERSON
- 1982
(Show Context)
Citation Context ...g symbolic programs with subtle correctness arguments, I will abandon the ESC approach here.s8 1.2.4 Model Checking A very different approach that first appeared in the early 1980's is model checking =-=[18, 80]-=-, which traditionally has been centered around temporal logic specifications and verification of finite-state systems by exhaustive enumeration. Brute force search is obvious enough when designing alg... |

704 |
Types and Programming Languages
- Pierce
- 2002
(Show Context)
Citation Context ... : E2 Figure 2.2: Typing rules for CoC 2.1 The Calculus of Constructions Figure 2.1 presents the abstract syntax of CoC. We can recognize the elements of the simply-typed lambda calculus and System F =-=[77]-=-, but CoC has an important difference from these systems. "Terms" and "types" are collapsed into a single syntactic class. Thus, alongside variables and function abstraction and application, we find t... |

694 | A framework for defining logics
- Harper, Honsell, et al.
- 1993
(Show Context)
Citation Context ... "logical frameworks" has been proposed for distilling the essential features required for formalization of programming languages, logics, and their metatheories. The Edinburgh Logical Framework (LF) =-=[41]-=- is the most well-known of these, and its most popular tool implementation today is Twelf [76]. LF provides a tiny dependently-typed lambda calculus that is parameterized on a signature that lists, fo... |

587 | From system F to typed assembly language
- Morrisett, Walker, et al.
- 1999
(Show Context)
Citation Context ...s experience with FPCC. Our paper [13] presents performance results showing an order of magnitude improvement over all published verification time figures for FPCC systems for Typed Assembly Language =-=[66]-=- programs, by using a certified verifier. The verifier had a complete soundness proof, so no formal guarantees were sacrificed to win this performance. The main problem that we encountered was in the ... |

573 | Symbolic model checking: 10 20 states and beyond
- Burch, Clarke, et al.
- 1990
(Show Context)
Citation Context ... in theory, but many innovations have been necessary to make such search practical on real machines, with milestones including the use of ordered binary decision diagrams in "symbolic model checking" =-=[11]-=-. More recently, the early 2000's saw the expansion of model checking for software beyond finite-state programs, through integration with automated first-order theorem provers, especially using the te... |

563 |
Assigning meanings to programs
- Floyd
- 1967
(Show Context)
Citation Context ... what we expect from other engineering disciplines. In the 1970's and 1980's, there was a mood of optimism about the power of mathematical methods to solve this problem. In the previous decade, Floyd =-=[36]-=- and Hoare [46] had set out one of the most practically attractive mathematical accounts of program be2 havior. Not only did their work result in a clear formulation of what a program means, but this... |

533 | PVS: A Prototype Verification System
- Shankar
- 1992
(Show Context)
Citation Context ...section. The most common LCF-style provers today are Isabelle [73], a direct descendants5 retaining the historical association of the LCF approach with the ML family of programming languages; and PVS =-=[70]-=-, a Lisp-based proof assistant developed at SRI. Isabelle is a framework for supporting new proof systems, though it is most often used in its "Isabelle/HOL" guise, which uses a classical higher-order... |

468 |
Interactive Theorem Proving and Program Development, Coq’Art:the Calculus of Inductive Constructions
- Bertot, Castéran
- 2004
(Show Context)
Citation Context ...roof assistant. In the next section, I will briefly survey which sorts of tools are available today. I will critique the approaches and motivate why I chose a particular tool, the Coq proof assistant =-=[8]-=-, for this thesis work. 1.2 The Verification Landscape Formal verification has been a part of computer science from the field's early days. As such, it's not surprising that many different tools have ... |

420 | Isabelle: A generic theorem prover
- Paulson
- 1994
(Show Context)
Citation Context ...ith the aid of tactics. Type-theoretical provers are the subject of Section 1.2.6, and I elaborate on LCFstyle provers in rest of this subsection. The most common LCF-style provers today are Isabelle =-=[73]-=-, a direct descendants5 retaining the historical association of the LCF approach with the ML family of programming languages; and PVS [70], a Lisp-based proof assistant developed at SRI. Isabelle is a... |

392 | Simplification by cooperating decision procedures
- Nelson, Oppen
- 1982
(Show Context)
Citation Context ...is called to fill in the blanks. The traditional theorem prover of choice has been Simplify [30], developed by the same group of authors and evolved in parallel. It uses the Nelson-Oppen architecture =-=[69]-=- for cooperating decision procedures, which was designed specifically to handle the kinds of proof obligations arising from ESC-style verification. This approach has been successful at what I'll call ... |

386 | Automatically validating temporal safety properties of interfaces
- Ball, Rajamani
- 2001
(Show Context)
Citation Context ...beyond finite-state programs, through integration with automated first-order theorem provers, especially using the techniques of predicate abstraction and counterexample-guided abstraction refinement =-=[5, 43]-=-. While this kind of tool has traditionally only been effective for verification of safety properties describable by finite-state monitors over sequential programs, recent work has branched into concu... |

355 |
Cousot and Radhia Cousot. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints
- Patrick
- 1977
(Show Context)
Citation Context ...interfaces. Second, there are well-established, rigorous standards of what it means for various programming language tools to be correct. We have the standard methodologies of abstract interpretation =-=[23]-=- and structured operational semantics [77], for instance. The promise of formal verification is often challenged with the canonical "But how do you write a specification for Microsoft Word?" objection... |

352 | Simplify: A theorem prover for program checking
- Detlefs, Nelson, et al.
- 2003
(Show Context)
Citation Context .... This burden is light compared to interactive theorem proving, as an automated, first-order theorem prover is called to fill in the blanks. The traditional theorem prover of choice has been Simplify =-=[30]-=-, developed by the same group of authors and evolved in parallel. It uses the Nelson-Oppen architecture [69] for cooperating decision procedures, which was designed specifically to handle the kinds of... |

313 | System description: Twelf — a meta-logical framework for deductive systems
- Pfenning, Schürmann
- 1999
(Show Context)
Citation Context ...malization of programming languages, logics, and their metatheories. The Edinburgh Logical Framework (LF) [41] is the most well-known of these, and its most popular tool implementation today is Twelf =-=[76]-=-. LF provides a tiny dependently-typed lambda calculus that is parameterized on a signature that lists, for instance, the logical constants used to describe the syntax and semantics of a programming l... |

302 | Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem
- Bruijn
- 1972
(Show Context)
Citation Context ... definition of dynamic semantics. On that note, I move on to the next standard first-order representation technique.s114 6.1.2 De Bruijn Index Representation This technique, that of de Bruijn indices =-=[28]-=-, is also called a nameless representation. Instead of giving variables names, a variable is represented as a natural number addressing a binder in terms of how many binders "upward" it appears in lex... |

301 |
Higher-Order Abstract Syntax
- Pfenning, Elliot
- 1988
(Show Context)
Citation Context ... that has been formalized, otherwise known as the object language, in contrast to the meta language LF. LF is a simple enough language that it supports the idea of higher-order abstract syntax (HOAS) =-=[75]-=- soundly, in contrast to the languages we will meet in the next subsection. As Part II will highlight, dealing with variable binding is one of the most pervasive challenges in proving theorems about h... |

268 | The design and implementation of a certifying compiler
- Necula, Lee
- 1998
(Show Context)
Citation Context ...ty. He might construct this proof manually, but more likely he codes in a high-level language that enforces the specification at the source level through static checks, allowing a certifying compiler =-=[68]-=- for that language to translate the proofs (explicit or implicit) that hold at the source level into proofs about the resulting binaries. The original PCC systems were very specialized. A particular s... |

228 | Foundational proof-carrying code
- Appel
- 2001
(Show Context)
Citation Context ...rmer deserves some discussion here. 5.1.1 Applications to Proof-Carrying Code The idea of certified program verifiers has important practical ramifications for foundational proof-carrying code (FPCC) =-=[2]-=-. Like traditional proof-carrying code (PCC) [67], FPCC is primarily a technique for allowing software consumers to obtain strong formal guarantees about programs before running them. The author of a ... |

227 | TIL: A TypeDirected Optimizing Compiler for ML
- Tarditi, Morrisett, et al.
- 1996
(Show Context)
Citation Context ...ues that I developed, based on the foundation laid in the previous chapter. One interesting compiler paradigm is type-directed compilation, embodied in, fors128 instance, the TIL Standard ML compiler =-=[85]-=-. Where traditional compilers use relatively type-impoverished intermediate languages, TIL employed typed intermediate languages such that every intermediate program had a typing derivation witnessing... |

198 | Modules for Standard ML
- MacQueen
- 1984
(Show Context)
Citation Context ...e new proof inputs. It is beneficial to seek out reusable idioms for soliciting these proofs. Analogous problems in traditional programming have been solved quite elegantly by ML-style module systems =-=[58]-=-. Coq features a natural extension of such systems to its dependently-typed setting, and I make essential use of modules for structuring certified components. As an example, we can revisit the standar... |

174 | PolyP – a polytypic programming language extension
- Jansson, Jeuring
- 1997
(Show Context)
Citation Context ...yped languages that convert to untyped form and back around generic function invocations, but they retain most of the same deficiency. Several language designs exist that embody polytypic programming =-=[49, 44]-=-, where functions can be defined over the structure of types. None of these systems permit functions generic in definitions of GADTs, let alone the dependent inductive types I use in AutoSyntax. They ... |

168 | Alias types
- Smith, Walker, et al.
- 2000
(Show Context)
Citation Context ...programs that use pointers that might be null, general sum types, or any of a large variety of type system features. FlagTypes would be a reasonable starting point for a verifier based on alias types =-=[82]-=- or some other way of supporting manual memory management...s61 * ...but with automatic memory management, WeakUpdate provides a much more convenient starting point. WeakUpdate is used with type syste... |

154 | Typed closure conversion
- Minamide, Morrisett, et al.
- 1996
(Show Context)
Citation Context ... issues reported here related to type-preserving compilation. Semantics preservation proofs have been published before for individual phases of type-preserving compilers, including closure conversion =-=[62]-=-. All of these proofs that I am aware of use operational semantics, forfeiting the advantages of denotational semantics for mechanization that I have shown here. The CompCert project [57] has used Coq... |

152 |
The view from the left
- McBride, McKinna
- 2004
(Show Context)
Citation Context ...ystems like the one demonstrated here are subtle enough that human control of the proving process seems necessary, justifying our choice of a much richer analysis development environment. The Epigram =-=[59]-=-, ATS [15], and RSP [91] languages attempt to inject elements of the approach behind Coq program extraction into a more practical programming setting. I believe I have taken good advantage of many of ... |

145 | Stack-Based Typed Assembly Language
- Morrisett, Crary, et al.
- 1998
(Show Context)
Citation Context ...king where the primary component of an abstract state is an assignment of a type to every general purpose machine register. This would be a good starting point for traditional Typed Assembly Language =-=[66, 65]-=-, which handles stack and calling conventions with its own kind of stack types... * ...but for most verifiers, StackTypes would be the module to use next. It takes as input a type system ignorant of s... |

136 | Mechanized metatheory for the masses: The POPLmark challenge
- Aydemir, Bohannon, et al.
- 2005
(Show Context)
Citation Context ...ply have more to learn before they can appreciate these examples. Rather, today's idiomatic techniques for mechanizing programming language metatheory are just too heavyweight. The POPLmark Challenge =-=[4]-=- addresses these problems through proposing a series of formalization benchmarks and evaluating different solutions to them. The field of solutions submitted to the first challenge shows that we have ... |

121 | Derivable type classes
- Hinze, Jones
(Show Context)
Citation Context ...f these systems permit functions generic in definitions of GADTs, let alone the dependent inductive types I use in AutoSyntax. They also provide no support for theorem proving. Derivable type classes =-=[45]-=- is a polytypic programming extension to Haskell, designed to tackle the practical issues of extending a production language. The same limitations apply as in the last paragraph. Recent tools designed... |

97 | Type Theory and Functional Programming
- Thompson
- 1991
(Show Context)
Citation Context ...ming and theorem proving as two distinct tasks, motivating the development of separate mechanisms in support of each. An alternative philosophy is based on the so-called "Curry-Howard correspondence" =-=[86]-=-, an idea quite popular in the functional programming community. The original correspondence provided a precise connection between propositional constructive logic and a simply-typed lambda calculus. ... |

94 | A new approach to generic functional programming
- Hinze
- 2000
(Show Context)
Citation Context ...yped languages that convert to untyped form and back around generic function invocations, but they retain most of the same deficiency. Several language designs exist that embody polytypic programming =-=[49, 44]-=-, where functions can be defined over the structure of types. None of these systems permit functions generic in definitions of GADTs, let alone the dependent inductive types I use in AutoSyntax. They ... |

93 | A syntactic approach to foundational proof-carrying code
- Hamid, Shao, et al.
- 2002
(Show Context)
Citation Context ...mma 's return pointer. We define the state abstraction relation `S to enforce that every memory location really does have the type assigned to it. Here we are following the syntactic approach to FPCC =-=[40]-=- by using these type maps in place of potentially-complicated recursive conditions in typing rules. We can also define a simple subtyping relation: o/ <=T int o/ <=T o/ This is "semantic" subtyping in... |

93 |
Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction
- Henzinger
- 2002
(Show Context)
Citation Context ...beyond finite-state programs, through integration with automated first-order theorem provers, especially using the techniques of predicate abstraction and counterexample-guided abstraction refinement =-=[5, 43]-=-. While this kind of tool has traditionally only been effective for verification of safety properties describable by finite-state monitors over sequential programs, recent work has branched into concu... |

87 | Toward a foundational typed assembly language
- Crary
(Show Context)
Citation Context ...ions about more traditional programs; and second, to report on experience in the effective construction of such verifiers through the use of dependent types and re-usable components. Several projects =-=[2, 40, 25]-=- consider in a PCC setting proofs about machine code from first principles, but they focus on proof theoretical issues rather than the prag104 matics of constructing proofs and verifying programs und... |

83 | Combining Programming with Theorem Proving
- Chen, Xi
- 2005
(Show Context)
Citation Context ...e the one demonstrated here are subtle enough that human control of the proving process seems necessary, justifying our choice of a much richer analysis development environment. The Epigram [59], ATS =-=[15]-=-, and RSP [91] languages attempt to inject elements of the approach behind Coq program extraction into a more practical programming setting. I believe I have taken good advantage of many of Coq's matu... |

74 | Towards a mechanized metatheory of Standard ML
- Lee, Crary, et al.
- 2007
(Show Context)
Citation Context ...ork Crary proposed the method of type theoretical semantics [24], giving a noncomputer-formalized embedding of an expressive typed lambda calculus into the type theory of the Nuprl system. Lee et al. =-=[55]-=- mechanize the semantics of Standard ML operationally in Twelf. The POPLmark Challenge [4] is a benchmark initiative for language formalization that has prompted many interesting solutions to its firs... |

72 |
Constructions: A Higher Order Proof System for Mechanizing Mathematics
- Coquand, Huet
- 1985
(Show Context)
Citation Context ...language's mathematical capabilities to express strong specifications through typing. In this chapter, I give an overview of CIC, starting with its simpler subset, the Calculus of Constructions (CoC) =-=[21]-=-, in Section 2.1. CIC builds on CoC by adding a primitive inductive type definition facility, which I describe less formally in Section 2.2. 1I write "approximately" not to indicate formal incompleten... |

71 |
Codifying guarded definitions with recursive schemes
- Giménez
- 1994
(Show Context)
Citation Context ... approaches. We can define what it means for a machine state to be safe with this co-inductive inference rule: S 7! S0 safe(S0) safe(S) This is defined using Coq's facility for co-inductive judgments =-=[37]-=-, which may have infinite derivations that are well-formed in a particular sense. Infinite derivations are important here for non-terminating programs. The last ingredient is a means to connect a prog... |

69 | Languages of the future
- Sheard
- 2004
(Show Context)
Citation Context ...cursive functions over them:s20 length = fix f (T : Type0) (` : list T ) : nat. match ` with| nil ) O| cons `0 ) S (f T `0) Inductive types also generalize the generalized algebraic datatypes (GADTs) =-=[81]-=- that have recently crept into reasonably wide use through a popular extension to Haskell. For example, consider this definition of a list-like type family indexed by natural numbers providing strict ... |

63 | HOL — A machine oriented formulation of higher order logic
- Gordon
- 1985
(Show Context)
Citation Context ...sed proof assistant developed at SRI. Isabelle is a framework for supporting new proof systems, though it is most often used in its "Isabelle/HOL" guise, which uses a classical higher-order logic HOL =-=[38]-=-. The dedicated user communities of Isabelle/HOL and PVS may grumble at my lumping them together, as HOL features a much smaller and simpler set of primitive tactics than PVS does, but they are more s... |

61 | Automated soundness proofs for dataflow analyses and transformations via local rules
- Lerner, Millstein, et al.
(Show Context)
Citation Context ...ed C compiler developed in Coq. The main differences are my use of dependent types to structure the "program" part of a development and my emphasis on reusable library components. The Rhodium project =-=[56]-=- also deals with the construction of certified program analyses. By requiring that analyses be stated in a very limited Prolog-like language, Rhodium makes it possible to use an automated first-order ... |

59 |
A Discipline of Programming (Prentice-Hall
- Dijkstra
- 1976
(Show Context)
Citation Context ...rectness proofs. That is, what came to be called Hoare logic is a tool ready to use in certifying real programs. Building on these ideas, Edsger Dijkstra advocated the technique of program derivation =-=[32]-=-, where software programs are always developed in concert with their mathematical specifications and correctness proofs. If a programmer starts with an adequate specification for his program, then the... |

59 | Scrap more boilerplate: reflection, zips, and generalised casts
- Lämmel, Jones
- 2004
(Show Context)
Citation Context ...s many usable approaches to writing code that is polymorphic in the structure of data types. One of the most popular of these approaches today is the scrap your boilerplate (SYB) family of techniques =-=[52, 53]-=-, which has the advantage of being usable in popular Haskell compilers with no new language extensions. SYB achieves genericity through a combination of ad-hoc code generation at compile time and "uns... |

53 |
Scrap your boilerplate: a practical approach to generic programming
- Lämmel, Jones
- 2003
(Show Context)
Citation Context ...s many usable approaches to writing code that is polymorphic in the structure of data types. One of the most popular of these approaches today is the scrap your boilerplate (SYB) family of techniques =-=[52, 53]-=-, which has the advantage of being usable in popular Haskell compilers with no new language extensions. SYB achieves genericity through a combination of ad-hoc code generation at compile time and "uns... |

53 | Tagless staged interpreters for typed languages
- Pasalic, Taha, et al.
- 2002
(Show Context)
Citation Context ... has prompted many interesting solutions to its first challenge problem. None of these projects involve formalizations of compiler correctness proofs. Recent work has implemented tagless interpreters =-=[71]-=- using generalized algebraic datatypes and other features related to dependent typing. Tagless interpreters have much in common with my approach to denotational semantics in Coq, but I am not aware of... |

52 | Generic programming within dependently typed programming
- Altenkirch, McBride
- 2003
(Show Context)
Citation Context ...e theorybased theorem prover like Coq is unclear; they are given using language constructs that permit non-termination, which is incompatible with type theoretical consistency. Altenkirch and McBride =-=[1]-=- consider an approach reminiscent of what we presented in Section 8.3 (minus the generic proving) for the Oleg proof assistant. Pfeifer and Ruess [74] and Benke et al. [6] go further and add (in diffe... |

51 | Typed Combinators for Generic Traversal
- Lämmel, Visser
- 2002
(Show Context)
Citation Context ... Lisp family, simple reflective capabilities make it clear how to write generic functions, but the lack of static validation can make it difficult to get their implementations right. Approaches exist =-=[54]-=- for statically211 typed languages that convert to untyped form and back around generic function invocations, but they retain most of the same deficiency. Several language designs exist that embody p... |

49 | A Mechanically Verified Language Implementation
- Moore
- 1989
(Show Context)
Citation Context ...uage for wider domains. These tools have been used to accomplish some impressive certifications, including the verification of a stack from a high-level programming language to a machine architecture =-=[63]-=-. Nonetheless, the drawbacks I listed for LCF-style provers apply only more strongly here. Since proofs are expected to be much more automatic, there are only more fundamental reasoning steps whose im... |

48 | Proving theorems about LISP functions
- BOYER, MOORE
- 1975
(Show Context)
Citation Context ...grams by type-checking them. 1.2.2 Automated Theorem Proving A competing theorem proving tradition is that of automated provers, perhaps most widely associated with Nqthm, or "the Boyer-Moore prover" =-=[10]-=-. The system was designed for the verification of Lisp programs, but it and its modern successor ACL2 [50] have come to be used as general-purpose theorem proving tools, with applicative Common Lisp s... |

45 | Using reflection to build efficient and certified decision procedures
- Boutin
- 1997
(Show Context)
Citation Context ...types"? We have already seen how this definitional equality can model the denotational dynamic semantics of object languages. Another compelling answer comes from the technique of proof by reflection =-=[9]-=-. It is a subtle approach to efficient encoding of proofs, best introduced by example. Let us consider families of proofs for this (tautological) class of formulas: F ::= True | F ^ F The Coq proof te... |