haskell contract checking via first order logic
play

Haskell Contract Checking via First-Order Logic Nathan Collins 1 - PowerPoint PPT Presentation

Oct 05, 2023 •40 likes •270 views

Haskell Contract Checking via First-Order Logic Nathan Collins 1 Department of Computer Science Portland State University RPE Presentation, 11 May 2012 1 Joint work with Charles-Pierre Astolfi, Koen Claessen, Simon Peyton-Jones, and Dimitrios

  1. Haskell Contract Checking via First-Order Logic Nathan Collins 1 Department of Computer Science Portland State University RPE Presentation, 11 May 2012 1 Joint work with Charles-Pierre Astolfi, Koen Claessen, Simon Peyton-Jones, and Dimitrios Vytiniotis Nathan Collins 1 / 17

  2. Introduction The Haskell type system is powerful: head :: forall t. List t -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x head 42 -- Rejected. But it doesn’t prohibit exceptions: head Nil :: forall t. t -- Accepted. Uh oh! Contracts to the rescue! Contracts are fancy types: head ::: CF&&{xs | not (null xs)} -> CF Great! But how to check these fancy types? First-order logic to the rescue ... sort of. Nathan Collins 2 / 17

  3. Introduction The Haskell type system is powerful: head :: forall t. List t -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x head 42 -- Rejected. But it doesn’t prohibit exceptions: head Nil :: forall t. t -- Accepted. Uh oh! Contracts to the rescue! Contracts are fancy types: head ::: CF&&{xs | not (null xs)} -> CF Great! But how to check these fancy types? First-order logic to the rescue ... sort of. Nathan Collins 2 / 17

  4. Introduction The Haskell type system is powerful: head :: forall t. List t -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x head 42 -- Rejected. But it doesn’t prohibit exceptions: head Nil :: forall t. t -- Accepted. Uh oh! Contracts to the rescue! Contracts are fancy types: head ::: CF&&{xs | not (null xs)} -> CF Great! But how to check these fancy types? First-order logic to the rescue ... sort of. Nathan Collins 2 / 17

  5. Introduction The Haskell type system is powerful: head :: forall t. List t -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x head 42 -- Rejected. But it doesn’t prohibit exceptions: head Nil :: forall t. t -- Accepted. Uh oh! Contracts to the rescue! Contracts are fancy types: head ::: CF&&{xs | not (null xs)} -> CF Great! But how to check these fancy types? First-order logic to the rescue ... sort of. Nathan Collins 2 / 17

  6. Introduction The Haskell type system is powerful: head :: forall t. List t -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x head 42 -- Rejected. But it doesn’t prohibit exceptions: head Nil :: forall t. t -- Accepted. Uh oh! Contracts to the rescue! Contracts are fancy types: head ::: CF&&{xs | not (null xs)} -> CF Great! But how to check these fancy types? First-order logic to the rescue ... sort of. Nathan Collins 2 / 17

  7. Outline Goal: effective static contract checking. Overview of Contracts Checking Contracts: Translating Haskell to FOL Experiments Conclusions/Future Work Nathan Collins 3 / 17

  8. My Contributions ◮ Rewrote the contract checker and added many features. ◮ Designed and implemented the Min -translation. ◮ Wrote many examples, including the first use of lemmas. ◮ Designed and implemented a type checker for contracts. ◮ . . . and now: documented the research in an RPE paper. Nathan Collins 4 / 17

  9. Notation Data: [0,1,2] = Cons 0 (Cons 1 (Cons 2 Nil)) = Cons Z (Cons (S Z) (Cons (S (S Z)) Nil)) Judgments: ◮ Has type: e :: t ◮ Has contract: e ::: c Nathan Collins Overview of Contracts 5 / 17

  10. An Example Contract c ::= CF -- Crash free | c&&c -- Conjunction | c||c -- Disjunction | x:c -> c -- Implication | {x|p} -- Refinement Example: CF is not a syntactic property: fst (x,_) = x snd (_,y) = y 1. CF . fst (Z, error "Oh no!") ::: 2. But not (Z, error "Oh no!") ::: CF , because snd (Z, error "Oh no!") is a crash. Nathan Collins Overview of Contracts 6 / 17

  11. An Example Contract c ::= CF -- Crash free | c&&c -- Conjunction | c||c -- Disjunction | x:c -> c -- Implication | {x|p} -- Refinement Example: CF is not a syntactic property: fst (x,_) = x snd (_,y) = y 1. CF . fst (Z, error "Oh no!") ::: 2. But not (Z, error "Oh no!") ::: CF , because snd (Z, error "Oh no!") is a crash. Nathan Collins Overview of Contracts 6 / 17

  12. Another Example Contract c ::= CF -- Crash free | c&&c -- Conjunction | c||c -- Disjunction | x:c -> c -- Implication | {x|p} -- Refinement Example: refinement, implication, and conjunction: lookUp :: forall t. Nat -> List t -> t lookUp n xs = case xs of Nil -> error "List is too short !" Cons x xs ’ -> case n of Z -> x S n’ -> lookUp n’ xs ’ lookUp ::: n:CF -> ({xs|n < length xs}&&CF) -> CF Nathan Collins Overview of Contracts 7 / 17

  13. Contracts Are Useful ◮ Static type checking = compile-time approximation to run-time program behavior. ◮ Contracts + types = better approximation. sort :: forall t. List t -> List t sort ::: CF -> CF&&{xs|sorted xs} Nathan Collins Overview of Contracts 8 / 17

  14. Contracts Are Useful . . . But Difficult to Check Statically error :: forall t. String -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x Type checking is path insensitive (easy): head :: forall t. List t -> t Contract checking is path sensitive : head ::: CF&&{xs | not (null xs)} -> CF And must reason about arbitrary computations (undecidable): not (null xs) = True = xs � = Nil ⇒ Nathan Collins Overview of Contracts 9 / 17

  15. Contracts Are Useful . . . But Difficult to Check Statically error :: forall t. String -> t head xs = case xs of Nil -> error "Empty list !" Cons x _ -> x Type checking is path insensitive (easy): head :: forall t. List t -> t Contract checking is path sensitive : head ::: CF&&{xs | not (null xs)} -> CF And must reason about arbitrary computations (undecidable): not (null xs) = True = xs � = Nil ⇒ Nathan Collins Overview of Contracts 9 / 17

  16. Contract Checking Process Nathan Collins Checking Contracts: Translating Haskell to FOL 10 / 17

  17. The Naive Translation map ::: (CF -> CF) -> CF -> CF map :: forall s t. (s -> t) -> List s -> List t map f xs = case xs of Nil -> Nil Cons x xs ’ -> Cons (f x) (map f xs ’) Naive translation of map ’s definition: ∀ f xs . ( xs = Nil ) → ( map f xs = Nil ) ∧ ∀ x xs’ . ( xs = Cons x xs’ ) → ( map f xs = Cons (f x) (map f xs’) ) . . . ∧ ( xs = Nil ) ∨ ( ∃ x xs’ . xs = Cons x xs’ ) ∨ · · · Nathan Collins Checking Contracts: Translating Haskell to FOL 11 / 17

  18. The Naive Translation . . . is Naive ◮ Problem: prover wastes time on pointless instantiations. Naive translation of map ’s definition (unchanged): ∀ f xs . ( xs = Nil ) → ( map f xs = Nil ) ∧ ∀ x xs’ . ( xs = Cons x xs’ ) → ( map f xs = Cons (f x) (map f xs’) ) . . . ∧ ( xs = Nil ) ∨ ( ∃ x xs’ . xs = Cons x xs’ ) ∨ · · · Nathan Collins Checking Contracts: Translating Haskell to FOL 12 / 17

  19. The Less-Naive Translation ◮ Problem: prover wastes time on pointless instantiations. ◮ Solution: ◮ Idea: restrict instantiation to “interesting” terms. ◮ Implementation: “ Min(e) ” means “ e is interesting”. Less-naive translation of map ’s definition: � Min ( map f xs ) → ∀ f xs . ( xs = Nil ) → ( map f xs = Nil ) ∧ ∀ x xs’ . ( xs = Cons x xs’ ) → ( map f xs = Cons (f x) (map f xs’) ) . . . ( xs = Nil ) ∨ ( ∃ x xs’ . xs = Cons x xs’ ) ∨ · · · ∧ � ∧ Min ( xs ) Nathan Collins Checking Contracts: Translating Haskell to FOL 13 / 17

  20. How to Design a Less-Naive Translation ◮ Restrict prover’s search space using Min . ◮ Evaluation semantics + axiom/goal distinction motivate Min placement. See paper for details. Nathan Collins Checking Contracts: Translating Haskell to FOL 14 / 17

  21. Experiments: Running-time Comparison Nathan Collins Experiments 15 / 17

  22. Conclusion Progress made: ◮ Adding Min significantly improves performance. But lots of room for improvement: ◮ Debugging failed proofs is hard: ◮ Is the contract wrong? ◮ Or are the axioms insufficient? ◮ Need better feedback from contract checker: ◮ Which part of which contract is violated? ◮ What execution path leads to violation? ◮ Need better lemma support: ◮ Lemma use shouldn’t affect run-time behavior. ◮ Equational reasoning would help. Nathan Collins Conclusions/Future Work 16 / 17

  23. Future Work Improve contract checker: ◮ Better feedback on failure by making goals: ◮ Smaller: ( φ → � i φ i ) ≡ � i ( φ → φ i ) ◮ Path-based. ◮ More expressive proof system: ◮ Real lemmas? ◮ Structural (co-)induction? ◮ More expressive contract system: ◮ Equality? ◮ Contract polymorphism. ◮ Constructor contracts. ◮ Recursive contract definitions. data List t = Nil | Cons t (List t) contract ListC c = Nil || Cons c (ListC c) map:: forall s t. (s -> t) -> List s -> List t map ::: forall c d. (c -> d) -> ListC c -> ListC d Nathan Collins Conclusions/Future Work 17 / 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Contract Checking for Haskell Dana N. Xu INRIA France Work done at University of

Static Contract Checking for Haskell Dana N. Xu INRIA France Work done at University of

Static Contract Checking for Haskell Dana N. Xu INRIA France Work done at University of Cambridge Joint work with Simon Peyton Jones Koen Claessen Microsoft Research Cambridge Chalmers University of Technology 1 Program Errors Give

1.11k views • 54 slides
The Complexity of First-Order and Monadic Second-Order Logic Revisited Martin Grohe University

The Complexity of First-Order and Monadic Second-Order Logic Revisited Martin Grohe University

The Complexity of First-Order and Monadic Second-Order Logic Revisited Martin Grohe University of Edinburgh (Joint work with Markus Frick) The model-checking problem Model-Checking for a logic L on a class C of structures: Structure A C ,

211 views • 18 slides
Reducing CTL-Live Model Checking to First-Order Logic Validity Checking Amirhossein Vakili and

Reducing CTL-Live Model Checking to First-Order Logic Validity Checking Amirhossein Vakili and

Reducing CTL-Live Model Checking to First-Order Logic Validity Checking Amirhossein Vakili and Nancy A. Day Cheriton School of Computer Science 24 October 2014 Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 1

535 views • 28 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Validity Checking Propositional and First-Order Logic Carlos Bacelar Almeida Departmento de

Validity Checking Propositional and First-Order Logic Carlos Bacelar Almeida Departmento de

Validity Checking Propositional and First-Order Logic Carlos Bacelar Almeida Departmento de Informtica Universidade do Minho MAP/i 2010/11 Carlos Bacelar Almeida, DIUM Validity Checking- Propositional and First-Order Logic 1/43

493 views • 22 slides
Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval

Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval

Proof Engineering of Higher Order Logic Robert White (Shuai Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval Introduction Higher Order Logic HOL Kernel Inference Rules Robert White

539 views • 29 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
Logic as a Tool Chapter 3: Understanding First-order Logic 3.2 Semantics of first-order logic

Logic as a Tool Chapter 3: Understanding First-order Logic 3.2 Semantics of first-order logic

Logic as a Tool Chapter 3: Understanding First-order Logic 3.2 Semantics of first-order logic Valentin Goranko Stockholm University October 2016 Goranko Translation from first-order logic to natural language: examples in the structure of real

994 views • 20 slides
Linear logic and higher-order model checking Joint work with Charles Grellois Paul-Andr

Linear logic and higher-order model checking Joint work with Charles Grellois Paul-Andr

Linear logic and higher-order model checking Joint work with Charles Grellois Paul-Andr Mellis CNRS &amp; Universit Paris Diderot Abstraction and Verification in Semantics 23 27 June 2014 Institut Henri Poincar Purpose of this

818 views • 46 slides
First-order logic Whereas propositional logic assumes world contains facts , first-order logic

First-order logic Whereas propositional logic assumes world contains facts , first-order logic

First-order logic Whereas propositional logic assumes world contains facts , first-order logic (like natural language) assumes the world contains First-order logic Objects: people, houses, numbers, theories, Ronald McDonald, colors, baseball

245 views • 6 slides
Using first order logic (Ch. 8-9) Review: First order logic In first order logic, we have objects

Using first order logic (Ch. 8-9) Review: First order logic In first order logic, we have objects

Using first order logic (Ch. 8-9) Review: First order logic In first order logic, we have objects and relations between objects The relations are basically a list of all valid tuples that satisfy the relation We can also have variables that

382 views • 24 slides
Using first order logic (Ch. 8-9) Review: First order logic In first order logic, we have objects

Using first order logic (Ch. 8-9) Review: First order logic In first order logic, we have objects

Using first order logic (Ch. 8-9) Review: First order logic In first order logic, we have objects and relations between objects The relations are basically a list of all valid tuples that satisfy the relation We can also have variables that

451 views • 26 slides
Colored intersection types: a bridge between linear logic and higher-order model-checking Charles

Colored intersection types: a bridge between linear logic and higher-order model-checking Charles

Colored intersection types: a bridge between linear logic and higher-order model-checking Charles Grellois (joint work with Paul-Andr e Melli` es) PPS &amp; LIAFA Universit e Paris 7 TYPES conference May 18th, 2015 Charles

549 views • 35 slides
Logic as a Tool Chapter 3: Understanding First-order Logic 3.1 First-order structures and

Logic as a Tool Chapter 3: Understanding First-order Logic 3.1 First-order structures and

Logic as a Tool Chapter 3: Understanding First-order Logic 3.1 First-order structures and languages. Terms and formulae of first-order logic. Valentin Goranko Stockholm University October 2016 Goranko Propositional logic is too weak

188 views • 14 slides
Semantics of linear logic and higher-order model-checking Charles Grellois Thse dirige par

Semantics of linear logic and higher-order model-checking Charles Grellois Thse dirige par

Semantics of linear logic and higher-order model-checking Charles Grellois Thse dirige par Paul-Andr Mellis et Olivier Serre IRIF Universit Paris Diderot - Paris 7 8 avril 2016 Charles Grellois (IRIF) Semantics of linear logic

710 views • 59 slides
Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types Micro-Haskell: crash course MH Types &amp; Abstract Syntax Type Checking Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex Simpson School of Informatics University of Edinburgh

574 views • 26 slides
Chapter 13: Early Roman Theatre The Phases of Roman Theatre and Drama Native Italian drama

Chapter 13: Early Roman Theatre The Phases of Roman Theatre and Drama Native Italian drama

Chapter 13: Early Roman Theatre The Phases of Roman Theatre and Drama Native Italian drama (pre-240 BCE ) Native Italian drama Fescennine verses, phlyaces , Atellan farce Literary Drama (240-100 BCE ) Literary Drama

291 views • 27 slides
CF Computing Facilities CERN Computer Facilities Evolution Wayne Salter / Vincent Dor HEPiX

CF Computing Facilities CERN Computer Facilities Evolution Wayne Salter / Vincent Dor HEPiX

CF Computing Facilities CERN Computer Facilities Evolution Wayne Salter / Vincent Dor HEPiX October 2011 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t CF Overview Reminder of the various evolution projects

666 views • 39 slides
Language Contact Linguistics 203 Languages of the World Major Language Families Source: Comrie

Language Contact Linguistics 203 Languages of the World Major Language Families Source: Comrie

Language Contact Linguistics 203 Languages of the World Major Language Families Source: Comrie et al. (2003) Lack of Language Contact leads to greater differences in related languages/dialects Reasons for lack of contact migration

435 views • 40 slides
Planning III-A: Planning III-A: Estimating Software Size - Estimating Software Size -

Planning III-A: Planning III-A: Estimating Software Size - Estimating Software Size -

Planning III-A: Planning III-A: Estimating Software Size - Estimating Software Size - Estimating Methods, Proxies Estimating Methods, Proxies AU INSY 560, Singapore 1997, Dan Turk Humphrey Ch. 5A - slide 1 Outline Outline I Review of PSP

272 views • 11 slides
1 2/14/2020 Reading Condition Codes x86-64 Integer Registers %rax %r8 %al %r8b SetX

1 2/14/2020 Reading Condition Codes x86-64 Integer Registers %rax %r8 %al %r8b SetX

2/14/2020 These Slides Control: Condition codes Conditional branches Machine-Level Programming II: Control Loops Switch Statements CSci 2021: Machine Architecture and Organization February 17th-19th, 2020 Your instructor: Stephen

371 views • 8 slides
CS356 Unit 5 x86 Control Flow 5.2 JUMP/BRANCHING OVERVIEW 5.3 Concept of Jumps/Branches

CS356 Unit 5 x86 Control Flow 5.2 JUMP/BRANCHING OVERVIEW 5.3 Concept of Jumps/Branches

5.1 CS356 Unit 5 x86 Control Flow 5.2 JUMP/BRANCHING OVERVIEW 5.3 Concept of Jumps/Branches Assembly is executed in sequential movq addq order by default ---- Jump instruction (aka &quot;branches&quot;) ---- ---- cause execution

649 views • 32 slides
On the conditioning of subensembles Dustin G. Mixon Jubilee of Fourier Analysis and Applications

On the conditioning of subensembles Dustin G. Mixon Jubilee of Fourier Analysis and Applications

On the conditioning of subensembles Dustin G. Mixon Jubilee of Fourier Analysis and Applications September 20, 2019 1/27 Conditioning Notions of conditioning for vectors ( f i ) i I in a Hilbert space H : 1/27 Conditioning Notions of

1.38k views • 62 slides
Asum.ys ----Changes to memory and registers Ruiqin Tian 5.init: irmovl Stack, %esp # Set up stack

Asum.ys ----Changes to memory and registers Ruiqin Tian 5.init: irmovl Stack, %esp # Set up stack

Asum.ys ----Changes to memory and registers Ruiqin Tian 5.init: irmovl Stack, %esp # Set up stack pointer ZF SF CF PC 6. irmovl Stack, %ebp # Set up base pointer 1 0 0 0xc address stack register 0X100 %esp, %ebp %eax 0Xfc

1.04k views • 36 slides

More recommend