## Imperative Functional Programming with Isabelle/HOL (2008)


Venue: TPHOLs ’08: Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics

Citations: 12 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bulwahn08imperativefunctional,
  author    = {Lukas Bulwahn and Alexander Krauss and Florian Haftmann and Levent Erkök and John Matthews},
  title     = {Imperative Functional Programming with Isabelle/HOL},
  booktitle = {TPHOLs '08: Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics},
  year      = {2008},
  pages     = {134--149}
}
```


### Abstract

We introduce a lightweight approach for reasoning about programs involving imperative data structures using the proof assistant Isabelle/HOL. It is based on a shallow embedding of programs, a polymorphic heap model using enumeration encodings and type classes, and a state-exception monad similar to known counterparts from Haskell. Existing proof automation tools are easily adapted to provide a verification environment. The framework immediately allows for correct code generation to ML and Haskell. Two case studies demonstrate our approach: an array-based checker for resolution proofs, and a more efficient bytecode verifier.

### Citations

- Monads for Functional Programming. Wadler, 1995. 1309 citations.
  Context: ...nadic programs (§5). 4. Two case studies (§6): an imperative MiniSat proof replay oracle and an imperative Jinja bytecode verifier. 1.1 Related Work: Since the seminal paper by Peyton Jones and Wadler [12], the use of monads to incorporate effects in purely functional programs is standard. However, up to now, no practically usable verification framework for such monadic programs exists. For imperative ...

- Isabelle/HOL — A Proof Assistant for Higher-Order Logic. Nipkow, Paulson, et al., 2002. 718 citations.
  Context: ...any examples where for efficiency’s sake imperative data structures are unavoidable to obtain performant executable programs. We aim to permit Haskell’s imperative specification style in Isabelle/HOL [10], where local state references and mutable arrays can be dynamically allocated without having to add their types to the enclosing function’s type signature [5]. From such specifications we then genera...

- An extensible SAT-solver. Eén, Sörensson, 2003. 462 citations.
  Context: ...and store it in the array, or (c) delete a clause from the array, to free some memory. The root clauses are the initial clauses from which a contradiction is derived. It is a specialty of the MiniSAT [2] proof format that root clauses may be added any time during the proof, hence our checker must accumulate all root clauses it encounters in a list. Then, if the checker succeeds in deriving the empty ...

- A machine-checked model for a Java-like language, virtual machine and compiler. Klein, Nipkow, 2006. 97 citations.
  Context: ...n particular, nothing in our particular development of the SAT checker needs to be trusted. 6.2 A Jinja Bytecode verifier: Our second case study is a modification of the Jinja bytecode verifier. Jinja [6] is a complete formal model of a Java-like language, which includes a formal semantics, type system, virtual machine model, compiler, and bytecode verifier. Essentially, the bytecode verifier performs...

- The Why/Krakatoa/Caduceus Platform for Deductive Program Verification. Filliâtre, Marché, 2007. 83 citations.
  Context: ...ograms is standard. However, up to now, no practically usable verification framework for such monadic programs exists. For imperative programs, there are such tools: The Why/Krakatoa/Caduceus toolset [2] works by translating the source language into an intermediate language and using a verification condition generator to generate proof obligations. Schirmer [13] proposes a similar method, which is cl...

- Polymorphism and separation in Hoare Type Theory. Nanevski, Morrisett, et al., 2006. 64 citations.
  Context: ...ncodings. On the other hand, our model is slightly more abstract, since we are only dealing with functional languages instead of low level C code. (Footnote 3: in its two flavors SML and OCaml.) Nanevski et al. [9] describe how Hoare logic can be integrated in dependent type theory, yielding Hoare Type Theory, with a sophisticated type system and program logic. However, it seems that this requires significant m...

- Types, bytes, and separation logic. Tuch, Klein, et al., 2007. 61 citations.
  Context: ... allocate new references or mutable arrays, or to compose monadic specifications that work over different state types. Our heap model has some similarities to the one used by Tuch, Klein, and Norrish [15], especially concerning the use of type classes and phantom types to manage encodings. On the other hand, our model is slightly more abstract, since we are only dealing with functional languages inste...

- A verification environment for sequential imperative programs in Isabelle/HOL. Schirmer, 2005. 21 citations.
  Context: ...ools: The Why/Krakatoa/Caduceus toolset [2] works by translating the source language into an intermediate language and using a verification condition generator to generate proof obligations. Schirmer [13] proposes a similar method, which is closely integrated with Isabelle/HOL, and whose metatheory is formally verified. These approaches rely on Hoare logic and a verification condition generator. The a...

- Lazy functional state threads. Jones, 1994. 18 citations.
  Context: ...ive specification style in Isabelle/HOL [10], where local state references and mutable arrays can be dynamically allocated without having to add their types to the enclosing function’s type signature [5]. From such specifications we then generate efficient imperative functional code. Currently we need to restrict the contents of references and mutable arrays to first order values, but this is still s...

- Axiomatic constructor classes in Isabelle/HOLCF. Huffman, Matthews, et al., 2005. 16 citations.
  Context: ..., for this we would need type constructor polymorphism, which is not supported in HOL. We must be satisfied with the possibility of defining concrete instances of monads. Huffman, Matthews, and White [4] describe how to simulate constructor classes in an extension of HOL, but their embedding does not seem practical for our application. 7.2 Heap model: Our simple heap model prohibits storing any kin...

- Efficiently checking propositional refutations in HOL theorem provers. Weber, Amjad, 2007. 12 citations.
  Context: ...itional proof obligations. We aim at a compromise between performing a full replay of the proof within Isabelle and trusting the SAT solver completely. The first approach was taken by Weber and Amjad [16] and gives the usual high assurance of the LCF principle, but is computationally expensive. On the other end of the spectrum, trusting the external tool is obviously cheap but unsatisfactory. A reason...

- Verifying BDD algorithms through monadic interpretation. Krstic, Matthews, 2002. 11 citations.
  Context: ...ys and references, whereas in ACL2 imperative fields must be statically declared in a single record. Imperative language features have previously been embedded in higher order logic via a state monad [7, 14]. As long as the monad primitives do not duplicate the state, the resulting programs are single threaded and can be safely transformed to monadic Haskell or imperative ML code. However, just like sing...

- Single-threaded objects in ACL2. Boyer, Moore. 10 citations.
  Context: ...ractive use. Proof principles are similar to those used for purely functional programs, i.e. induction and equational reasoning. Probably closest to our work is the concept of single-threaded objects [1] in the ACL2 prover. By declaring an object as single-threaded (and obeying rigorous syntactic restrictions), one instructs the prover to replace non-destructive updates by destructive ones. The rules...

- A code generator framework for Isabelle/HOL. Haftmann, Nipkow. 10 citations.
  Context: ... :: xs) end | traverse A_ Empty = []; (Footnote 4: Technical details on the definition of traverse can be found in §7.3. Footnote 5: The A argument denotes the dictionary, which is not used in this particular example. See [3].) 2 Modeling a polymorphic heap: In the following two sections we present our definitional model of a typed heap and the monad we are using. We present the theory in a bottom-up manner, and explain th...

- A monad-based modeling and verification toolbox with application to security protocols. Sprenger, Basin. 4 citations.
  Context: ...ys and references, whereas in ACL2 imperative fields must be statically declared in a single record. Imperative language features have previously been embedded in higher order logic via a state monad [7, 14]. As long as the monad primitives do not duplicate the state, the resulting programs are single threaded and can be safely transformed to monadic Haskell or imperative ML code. However, just like sing...

- Partizan games in Isabelle/HOLZF. Obua, 2006. 1 citation.
  Context: ...encodings, and represent heap values as a dependent pair of a type and a value. In such a system, the type heap would live in some higher universe than the types used in a program. The ZF extension HOLZF [11] is a consistent extension of HOL which declares a set-theoretic universe Z, in which all HOL types can be embedded. In such a system we could store the full tower of (pure, monomorphic) higher order f...