## Ynot: Dependent types for imperative programs (2008)

### Cached

### Download Links

- [www.it-c.dk]
- [www.itu.dk]
- [www.itu.dk]
- [software.imdea.org]
- [software.imdea.org]
- DBLP

### Other Repositories/Bibliography

Venue: | In Proceedings of ICFP 2008 |

Citations: | 36 - 10 self |

### BibTeX

@INPROCEEDINGS{Nanevski08ynot:dependent,

author = {Aleksandar Nanevski and Greg Morrisett and Avi Shinnar and Paul Govereau and Lars Birkedal},

title = {Ynot: Dependent types for imperative programs},

booktitle = {In Proceedings of ICFP 2008},

year = {2008}

}

### OpenURL

### Abstract

We describe an axiomatic extension to the Coq proof assistant, that supports writing, reasoning about, and extracting higher-order, dependently-typed programs with side-effects. Coq already includes a powerful functional language that supports dependent types, but that language is limited to pure, total functions. The key contribution of our extension, which we call Ynot, is the added support for computations that may have effects such as non-termination, accessing a mutable store, and throwing/catching exceptions. The axioms of Ynot form a small trusted computing base which has been formally justified in our previous work on Hoare Type Theory (HTT). We show how these axioms can be combined with the powerful type and abstraction mechanisms of Coq to build higher-level reasoning mechanisms which in turn can be used to build realistic, verified software components. To substantiate this claim, we describe here a representative series of modules that implement imperative finite maps, including support for a higherorder (effectful) iterator. The implementations range from simple (e.g., association lists) to complex (e.g., hash tables) but share a common interface which abstracts the implementation details and ensures that the modules properly implement the finite map abstraction.

### Citations

448 | The Spec# Programming System: An Overview
- Barnett, Leino, et al.
- 2004
(Show Context)
Citation Context ...inter arithmetic or explicit memory management. Static verification can be somewhat extended by refining types with annotations from more expressive logics, as implemented in ESC [26], JML [7], Spec# =-=[2]-=-, Cyclone [21], Sage [14], DML [52], Deputy [8] and Liquid types [40]. However, because of the undecidability of the annotation logics, these systems still have trouble automatically discharging all b... |

440 | Computational lambda-calculus and monads
- Moggi
- 1989
(Show Context)
Citation Context ...ver the finite map, that supports effectful computations. 2.1 Formalism The design of Ynot is a generalization of the well-known ideas from type-and-effect systems [16] and their monadic counterparts =-=[31, 46]-=-. Our monadic type ST p A q classifies programs that return values of type A, but that may also perform stateful side effects. The effect annotations p and q take the role of a precondition and a post... |

413 |
Guarded commands, nondeterminacy and formal derivation of programs
- Dijkstra
- 1975
(Show Context)
Citation Context ... the rules manually in verification, but to infer the principle specification of monadic programs (up to loop invariants). In this sense, Ynot is really more closely related to predicate transformers =-=[11]-=- than to Hoare Logic. The annotation inference essentially compiles the program into a Coq proposition whose validity implies the program’s correctness, thereby reducing verification to theorem provin... |

318 | Cyclone: A Safe Dialect of C
- Jim, Morrisett, et al.
(Show Context)
Citation Context ...tic or explicit memory management. Static verification can be somewhat extended by refining types with annotations from more expressive logics, as implemented in ESC [26], JML [7], Spec# [2], Cyclone =-=[21]-=-, Sage [14], DML [52], Deputy [8] and Liquid types [40]. However, because of the undecidability of the annotation logics, these systems still have trouble automatically discharging all but the most sh... |

292 | Extended static checking
- Detlefs, Leino, et al.
- 1998
(Show Context)
Citation Context ...tifiers. However, uniqueness eliminates the need for backtracking, and leads to a particularly compact way to arrange and verify the search process itself. In related verification systems such as ESC =-=[10]-=-, WHY [13], Spec#[2] or Sage [14], this would correspond to verifying the verification condition generator – a step that, to the best of our knowledge, none of the above systems undertake. Another imp... |

287 | An overview of JML tools and applications
- Burdy, Cheon, et al.
- 2003
(Show Context)
Citation Context ... such as pointer arithmetic or explicit memory management. Static verification can be somewhat extended by refining types with annotations from more expressive logics, as implemented in ESC [26], JML =-=[7]-=-, Spec# [2], Cyclone [21], Sage [14], DML [52], Deputy [8] and Liquid types [40]. However, because of the undecidability of the annotation logics, these systems still have trouble automatically discha... |

257 |
Refinement Calculus: A Systematic Introduction
- Back, Wright
- 1998
(Show Context)
Citation Context ...ns for their treatment. This is not so in Ynot where well-typed programs do not produce errors, and thus errors do not show up during verification. Another related approach is the refinement calculus =-=[1]-=- which has recently been adapted to Coq [6]. Here, correctness is established by showing that one program refines another: the abstract program serves as specification for the concrete one. In Ynot, s... |

226 | Formal certification of a compiler back-end or: programming a compiler with a proof assistant
- Leroy
- 2006
(Show Context)
Citation Context ...o aggregate structures. The programmer can thus implement his or her own verified algorithms for automation of certain reasoning patterns [17] and scale the verification to programs of realistic size =-=[27]-=-. Many proposals for formal reasoning about stateful programs have been studied before, and even implemented in Coq. For example, Shao et al. [41, 35, 12], Benton and Zarfati [4] and Hobor et al. [18]... |

118 |
Hybrid type checking
- Flanagan
- 2006
(Show Context)
Citation Context ...icit memory management. Static verification can be somewhat extended by refining types with annotations from more expressive logics, as implemented in ESC [26], JML [7], Spec# [2], Cyclone [21], Sage =-=[14]-=-, DML [52], Deputy [8] and Liquid types [40]. However, because of the undecidability of the annotation logics, these systems still have trouble automatically discharging all but the most shallow speci... |

106 | Data abstraction and information hiding
- Leino, Nelson
- 2000
(Show Context)
Citation Context ...reak when the program is considered in a larger context. In most other languages, this kind of modular soundness is nontrivial to achieve (if even possible), as argued for example by Leino and Nelson =-=[25]-=-. In particular, it implies that one can build libraries of certified code, thus reusing both the code and its correctness proof. Third, the high-level structure of a proof for a stateful program beco... |

90 |
ESC/Java user’s manual
- Leino, Nelson, et al.
- 2000
(Show Context)
Citation Context ...operations such as pointer arithmetic or explicit memory management. Static verification can be somewhat extended by refining types with annotations from more expressive logics, as implemented in ESC =-=[26]-=-, JML [7], Spec# [2], Cyclone [21], Sage [14], DML [52], Deputy [8] and Liquid types [40]. However, because of the undecidability of the annotation logics, these systems still have trouble automatical... |

85 |
Integrating functional and imperative programming
- Gifford, Lucassen
- 1986
(Show Context)
Citation Context ...r-order operations, such as a fold over the finite map, that supports effectful computations. 2.1 Formalism The design of Ynot is a generalization of the well-known ideas from type-and-effect systems =-=[16]-=- and their monadic counterparts [31, 46]. Our monadic type ST p A q classifies programs that return values of type A, but that may also perform stateful side effects. The effect annotations p and q ta... |

63 |
A computer-checked proof of the four-colour theorem. Available at http://research.microsoft.com/~gonthier/4colproof.pdf
- Gonthier
- 2011
(Show Context)
Citation Context ...objects, which one can abstract, compute with, and compose into aggregate structures. The programmer can thus implement his or her own verified algorithms for automation of certain reasoning patterns =-=[17]-=- and scale the verification to programs of realistic size [27]. Many proposals for formal reasoning about stateful programs have been studied before, and even implemented in Coq. For example, Shao et ... |

58 | Oracle semantics for concurrent separation logic
- Hobor, Appel, et al.
- 2008
(Show Context)
Citation Context ...[27]. Many proposals for formal reasoning about stateful programs have been studied before, and even implemented in Coq. For example, Shao et al. [41, 35, 12], Benton and Zarfati [4] and Hobor et al. =-=[18]-=- consider simple imperative or low-level languages with a number of important features such as code pointers or concurrency, and formalize deep embeddings of Hoare and Separation Logics for such langu... |

57 | Dependent types for low-level programming
- Condit, Harren, et al.
- 2007
(Show Context)
Citation Context ... Static verification can be somewhat extended by refining types with annotations from more expressive logics, as implemented in ESC [26], JML [7], Spec# [2], Cyclone [21], Sage [14], DML [52], Deputy =-=[8]-=- and Liquid types [40]. However, because of the undecidability of the annotation logics, these systems still have trouble automatically discharging all but the most shallow specifications, and do not ... |

52 | Verification of non-functional programs using interpretations in type theory
- Filliâtre
- 2003
(Show Context)
Citation Context ...owever, uniqueness eliminates the need for backtracking, and leads to a particularly compact way to arrange and verify the search process itself. In related verification systems such as ESC [10], WHY =-=[13]-=-, Spec#[2] or Sage [14], this would correspond to verifying the verification condition generator – a step that, to the best of our knowledge, none of the above systems undertake. Another important pro... |

47 |
A New Extraction for Coq
- Letouzey
- 2002
(Show Context)
Citation Context ...ny of the Ynot terms cannot be typed by GHC’s internal type system, since GHC’s type system is too weak, but so far this has not been a problem. The Coq system already has a code extraction mechanism =-=[28]-=-. However, the Haskell extraction, which we wanted to use both for improved performance and a more advanced run-time system, isn’t able to handle the entire Coq language. Also, we are eager to do expe... |

43 | Abstract Predicates and Mutable ADTs in Hoare Type Theory
- Nanevski, Ahmed, et al.
- 2007
(Show Context)
Citation Context ...cify only some of the result’s properties. Ynot differs from the above approaches in that it axiomatically extends Coq with selected monadic primitives. Of course, we have proved in the previous work =-=[33, 32, 38]-=- that these axioms do not cause unsoundness, and moreover, that the operational semantics of Ynot respects the ST specifications. Ynot differs from most of these systems in that it supports Hoare and ... |

39 | An observationally complete program logic for imperative higher-order frame rules
- Honda, Yoshida, et al.
- 2005
(Show Context)
Citation Context ...about the pure subset. Higher-order Hoare Logics, models, and implementations. There are a number of recent extensions of Hoare and Separation Logic to higher-order functional languages. Honda et al. =-=[20]-=- give a total correctness logic for PCF with references, and Krishnaswami et al. [24] formalize higher-order Separation Logic for a higher-order language and prove the correctness of a subject-observe... |

29 | Relational parametricity and separation logic
- Birkedal, Yang
- 2007
(Show Context)
Citation Context ... definition of STsep therefore directly formalizes the intuition behind separation logic and the frame property. In this sense, it is closely related to the recent semantic models of Separation Logic =-=[5]-=- in which the frame rule is “baked in” to the interpretation of triples. The fact that STsep could be defined in terms of ST may be surprising, because it shows that even in the large footprint semant... |

23 | Certifying low-level programs with hardware interrupts and preemptive threads
- Feng, Shao, et al.
- 2008
(Show Context)
Citation Context ... scale the verification to programs of realistic size [27]. Many proposals for formal reasoning about stateful programs have been studied before, and even implemented in Coq. For example, Shao et al. =-=[41, 35, 12]-=-, Benton and Zarfati [4] and Hobor et al. [18] consider simple imperative or low-level languages with a number of important features such as code pointers or concurrency, and formalize deep embeddings... |

20 |
Exceptional syntax
- Benton, Kennedy
(Show Context)
Citation Context ...e raises an exception, but instead of falling through in case e returns a value, try actually proceeds with executing e1. The utility of this monadic form of try has been argued by Benton and Kennedy =-=[3]-=- in compiler optimizations, where it facilitates code motion. We adopt this form for similar reasons, as rearranging code in semantic-preserving way can sometimes make proofs about programs much easie... |

19 | A mechanically verified verification condition generator
- Homeier, Martin
- 1995
(Show Context)
Citation Context ... is an external program that is usually not verified itself. This is not to say that external generators have not been verified before. For example, several such projects have been carried out in HOL =-=[19]-=- and Isabelle [50, 49]. The latter implement the verifier in the internal language of the prover, and then extract a corresponding ML program which can be compiled and executed to produce the verifica... |

13 | Amodular verification of the subjectobserver pattern via higher-order separation logic
- Krishnaswami, Aldrich, et al.
- 2007
(Show Context)
Citation Context ...are a number of recent extensions of Hoare and Separation Logic to higher-order functional languages. Honda et al. [20] give a total correctness logic for PCF with references, and Krishnaswami et al. =-=[24]-=- formalize higher-order Separation Logic for a higher-order language and prove the correctness of a subject-observer pattern. Weber [47] implements a first-order separation logic for a simple while-la... |

12 | Formalizing and verifying semantic type soundness of a simple compiler
- Benton, Zarfaty
- 2007
(Show Context)
Citation Context ...ms of realistic size [27]. Many proposals for formal reasoning about stateful programs have been studied before, and even implemented in Coq. For example, Shao et al. [41, 35, 12], Benton and Zarfati =-=[4]-=- and Hobor et al. [18] consider simple imperative or low-level languages with a number of important features such as code pointers or concurrency, and formalize deep embeddings of Hoare and Separation... |

7 | A Large-Scale Experiment in Executing Extracted Programs
- Cruz-Filipe, Letouzey
- 2005
(Show Context)
Citation Context ...Haskell, while still getting the benefits of GHC’s optimizer and run-time system 1 . In addition, since many Ynot terms have computationally irrelevant sub-terms, the laziness of Haskell is a benefit =-=[9]-=-. 1 Many of the Ynot terms cannot be typed by GHC’s internal type system, since GHC’s type system is too weak, but so far this has not been a problem. The Coq system already has a code extraction mech... |

7 | A certified verifier for a fragment of separation logic
- Marti, Affeldt
(Show Context)
Citation Context ...al. [15] is an effectful language whose types embed Coq propositions so as to reason precisely about program values, but cannot currently support reasoning about program effects. Marti and Affeldt in =-=[29]-=- present a deep embedding of Separation Logic in Coq, and certify the verification procedures for it. Swierstra and Altenkirch in [44] axiomatize Haskell monads for IO, state and concurrency using pur... |

3 |
Intuitionistic refinement calculus
- Boulmé
- 2007
(Show Context)
Citation Context ... [13] presents a tool for generating verification conditions in the form of Coq propositions, but the programs supported by the tool do not admit higher-order abstractions or pointer aliasing. Boulme =-=[6]-=- shallowly embeds refinement theory into Coq, where one can reason about the refinement relation between two effectful programs, but does not seem to currently support adequate reasoning about pointer... |

3 |
Some mistakes I have made and what I have learned from them
- Jones
- 1998
(Show Context)
Citation Context ...c postconditions usually range only over the ending state, but formulations that range over both states are not uncommon, and date back at least to the classical work on the Vienna Development Method =-=[22]-=-. It is well-known that the latter obviates the need for ghost variables, which scope over precondition and postcondition and serve to relate the old with the new state. Ghost variables are unwieldy i... |

2 | Metatheory of verification calculi in LEGO: To what extent does syntax matter
- Kleymann
- 1999
(Show Context)
Citation Context ...Coq, where one can reason about the refinement relation between two effectful programs, but does not seem to currently support adequate reasoning about pointer aliasing or locality of state. Kleymann =-=[23]-=- shows a shallow embedding of Hoare Logic in the related type theory of LEGO. Concoqtion by Fogarty et al. [15] is an effectful language whose types embed Coq propositions so as to reason precisely ab... |