A Relational Logic for Higher-Order Programs (Alejandro Aguirre et al.) - PowerPoint PPT Presentation



SLIDE 1

A Relational Logic for Higher-Order Programs

Alejandro Aguirre (1), Gilles Barthe (1), Marco Gaboardi (2), Deepak Garg (3), Pierre-Yves Strub (4)

ICFP, Sep 5 2017

(1) Imdea Software; (2) University at Buffalo, SUNY; (3) MPI-SWS; (4) École Polytechnique

1

SLIDE 2

Relational properties a.k.a. 2-properties (I)

Two runs of two programs, e.g. equivalence...

2

SLIDE 3

Relational properties a.k.a. 2-properties (II)

...or two runs of the same program, e.g. non-interference

3

SLIDE 4

Relational refinement types (I)

Refinement types extend types with logical properties:

Γ ⊢ t : {x : N | ∃z. x = 2 ∗ z}

Relational refinement types [1] generalize them to a relational setting:

Γ ⊢ t1 ∼ t2 : {x : N | x1 = x2}

[1] Gilles Barthe, Cédric Fournet, Benjamin Grégoire, Pierre-Yves Strub, Nikhil Swamy, and Santiago Zanella Béguelin. Probabilistic relational verification for cryptographic implementations (POPL ’14)

4

SLIDE 5

Relational refinement types (II)

Pros:

  • Very intuitive (e.g. {x : N | x1 ≤ x2} → {y : N | y1 ≤ y2} types monotonic functions)
  • Syntax directed
  • Exploit structural similarities: if b then 2∗x else x+1 ∼ if b then 2∗x else x−1
  • Lots of theoretical and practical developments for unary refinements could be reused

5

SLIDE 6

Limits of RRT

We want to prove: take n (map f l) = map f (take n l)

Which type to give it?

take n (map f l) ∼ map f (take n l) : {x : list N | x1 = x2}

We apply the [APP] rule...

take ∼ map : {x : ? | ?}

6

SLIDE 9

Our contributions

  • A foundational system to prove relational properties
    • in a syntax directed way
    • not restricted by types or structure

7

SLIDE 10

Base logic: HOL

  • λ-terms over simple + inductive types
  • (Axiomatically defined) predicates: P(t1, . . . , tn), e.g.

    ∀l. prefix([], l)
    ∀x t l. prefix(t, l) ⇒ prefix(x :: t, x :: l)

  • Propositional connectives: ∧, ∨, ⇒
  • Quantification over simple/inductive types: ∀(x : τ), ∃(x : τ)

Why not just use this?

No syntax directedness or structural reasoning

8

SLIDE 13

Relational HOL

Judgements combine types and logic:

HOL:  Γ | Ψ ⊢ φ
      (Γ: context; Ψ: assertions over Γ; φ: predicate)

UHOL: Γ | Ψ ⊢ t1 : τ1 | φ(r)
      (t1: term; φ(r): predicate on the result r)

RHOL: Γ | Ψ ⊢ t1 : τ1 ∼ t2 : τ2 | φ(r1, r2)
      (t1: 1st term; t2: 2nd term; φ(r1, r2): predicate on the two results r1, r2)

9


SLIDE 22

Refinement types vs RHOL

Key idea: separation of concerns between types and assertions

  • Unary:       ⊢ t : {x : τ | φ(x)}              →   ⊢ t : τ | φ(r)
  • Relational:  ⊢ t1 ∼ t2 : {x : τ | φ(x1, x2)}   →   ⊢ t1 : τ ∼ t2 : τ | φ(r1, r2)

10

SLIDE 23

Two-sided and one-sided rules

Two-sided rules relate two terms with the same top term former:

λx1.t1 ∼ λx2.t2

One-sided rules relate two terms with different top term formers:

λx1.t1 ∼ t2 u2

11

SLIDE 24

Two-sided rules

Abstraction:

    Γ, x1 : τ1, x2 : τ2 | Ψ, φ′ ⊢ t1 : σ1 ∼ t2 : σ2 | φ
    ───────────────────────────────────────────────────────────────────────────────
    Γ | Ψ ⊢ λx1.t1 : τ1 → σ1 ∼ λx2.t2 : τ2 → σ2 | ∀x1, x2. φ′ ⇒ φ[r1 x1/r1][r2 x2/r2]

Application:

    Γ | Ψ ⊢ t1 : τ1 → σ1 ∼ t2 : τ2 → σ2 | ∀x1, x2. φ′[x1/r1][x2/r2] ⇒ φ[r1 x1/r1][r2 x2/r2]
    Γ | Ψ ⊢ u1 : τ1 ∼ u2 : τ2 | φ′
    ───────────────────────────────────────────────────────────────────────────────
    Γ | Ψ ⊢ t1 u1 : σ1 ∼ t2 u2 : σ2 | φ[u1/x1][u2/x2]

12

SLIDE 29

One-sided rules

Abstraction:

    Γ, x1 : τ1 | Ψ, φ′ ⊢ t1 : σ1 ∼ t2 : σ2 | φ
    ───────────────────────────────────────────────────────────
    Γ | Ψ ⊢ λx1.t1 : τ1 → σ1 ∼ t2 : σ2 | ∀x1. φ′ ⇒ φ[r1 x1/r1]

Application:

    Γ | Ψ ⊢ t1 : τ1 → σ1 ∼ u2 : σ2 | ∀x1. φ′[x1/r1] ⇒ φ[r1 x1/r1]
    Γ | Ψ ⊢ u1 : τ1 | φ′
    ───────────────────────────────────────────────────────────
    Γ | Ψ ⊢ t1 u1 : σ1 ∼ u2 : σ2 | φ[u1/x1]

13


SLIDE 33

The SUB rule

Allows us to fall back to HOL:

    Γ | Ψ ⊢ t1 : σ1 ∼ t2 : σ2 | φ′
    Γ | Ψ ⊢HOL φ′[t1/r1][t2/r2] ⇒ φ[t1/r1][t2/r2]
    ──────────────────────────────────────────────
    Γ | Ψ ⊢ t1 : σ1 ∼ t2 : σ2 | φ

14

SLIDE 34

Equivalence between HOL and RHOL

Γ | Ψ ⊢ t1 : σ1 ∼ t2 : σ2 | φ   if and only if   Γ | Ψ ⊢ φ[t1/r1][t2/r2]

Plus: subject reduction, soundness, . . .

15

SLIDE 35

Embeddings

RHOL is also useful as a framework in which to embed other relational typing systems:

  • Relational Refinement Types
  • DCC (dependency)
  • RelCost (relational cost)

We get “for free” proofs of soundness. Since RHOL is more expressive, we can verify new examples.

|s| = |t|, sorted(s) ⊢ isort s ∼ isort t | cost r1 ≤ cost r2

16

SLIDE 36

Conclusions

  • Relational refinement types have limited one-sided reasoning
  • HOL is expressive but does not exploit structural similarities
  • RHOL combines the best of both worlds in a lossless way: expressiveness + two-sided reasoning + one-sided reasoning
  • This makes RHOL a foundational system
  • Future work: extension with effects & implementation

Thanks!

17

SLIDE 38

Questions?

18

SLIDE 39

Embedding refinement types

We can embed refinement types into our system (⋀ over i ∈ {1, 2} is the conjunction of the two unary embeddings):

  {y : τ | φ}(x1, x2)     :=  ⋀_{i∈{1,2}} ⌊τ⌋(xi) ∧ φ[xi/y]
  {y :: T | φ}(x1, x2)    :=  T(x1, x2) ∧ φ[x1/y1][x2/y2]
  Π(y : τ).σ(x1, x2)      :=  ⋀_{i∈{1,2}} ∀y. ⌊τ⌋(y) ⇒ ⌊σ⌋(xi y)
  Π(y :: T).U(x1, x2)     :=  ∀y1 y2. T(y1, y2) ⇒ σ(x1 y1, x2 y2)

19

SLIDE 40

Example: factorial (I)

We can implement factorial without and with accumulator:

fact1 ≡ letrec f1 x1 = case x1 of [0 → 1; S y1 → (S y1) ∗ (f1 y1)]
fact2 ≡ letrec f2 x2 = λa. case x2 of [0 → a; S y2 → f2 y2 (a ∗ (S y2))]

We want to prove:

∅ | ∅ ⊢ fact1 ∼ fact2 | ∀x1 x2 a. x1 = x2 ⇒ (r1 x1) ∗ a = r2 x2 a

Notice that the two programs have different types: N → N and N → N → N

20

SLIDE 41

Example: factorial (II)

Proof reduces to:

Γ | ψ ⊢ case x1 of [0 → 1; S y1 → (S y1) ∗ (f1 y1)] ∼ case x2 of [0 → a; S y2 → f2 y2 (a ∗ (S y2))] | r1 ∗ a = r2

where ψ is the “inductive hypothesis”

Proof obligations:

  • Γ | ψ ⊢ 1 ∼ a | r1 ∗ a = r2
    (trivial)
  • Γ | ψ, x1 = S y1, x2 = S y2 ⊢ (S y1) ∗ (f1 y1) ∼ f2 y2 (a ∗ (S y2)) | (r1 y1) ∗ a = (r2 y2)
    (by instantiating ψ)

22
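A worked discharge of the second (successor-case) proof obligation, added here as an illustration and not taken from the slides. It assumes ψ is the relational statement of slide 40 specialised to the recursive calls, ∀y1 y2 a′. y1 = y2 ⇒ (f1 y1) ∗ a′ = f2 y2 a′, that ∗ on N is commutative and associative, and writes r1, r2 for the two branch results; the arithmetic is closed in HOL via the SUB rule of slide 33.

$$
\begin{aligned}
&\text{From } x_1 = x_2,\ x_1 = S\,y_1,\ x_2 = S\,y_2 \text{ we get } y_1 = y_2 \text{ (injectivity of } S). \\[4pt]
&\text{Instantiate } \psi \text{ at } y_1,\ y_2,\ a' := a * (S\,y_2):\qquad (f_1\,y_1) * (a * (S\,y_2)) = f_2\,y_2\,(a * (S\,y_2)). \\[4pt]
r_2 &= f_2\,y_2\,(a * (S\,y_2)) \\
    &= (f_1\,y_1) * (a * (S\,y_2)) && \text{(instance of } \psi) \\
    &= (f_1\,y_1) * (a * (S\,y_1)) && (y_1 = y_2) \\
    &= ((S\,y_1) * (f_1\,y_1)) * a && \text{(commutativity and associativity of } *) \\
    &= r_1 * a && (r_1 = (S\,y_1) * (f_1\,y_1))
\end{aligned}
$$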