mechanized type soundness proofs using definitional
play

Mechanized Type Soundness Proofs using Definitional Interpreters - PowerPoint PPT Presentation

Oct 15, 2022 •628 likes •1.03k views

Masters Thesis Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of Freiburg Department of Computer Science Programming Languages Chair September 1, 2019 Hannes Saffrich Mechanized Type

  1. Master’s Thesis Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of Freiburg Department of Computer Science Programming Languages Chair September 1, 2019 Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 1 / 39

  2. Motivation ◮ A type system of a statically typed language has two purposes: ◮ it rules out certain classes of ill-formed programs, allowing implementations to avoid unnecessary runtime checks without risking undefined behavior; and ◮ it classifies the well-formed programs by certain aspects of their runtime behavior, allowing the programmer to rule out programs that exhibit well-defined but unintended behavior. ◮ For both purposes it is crucial that well-typed programs only exhibit the runtime behavior expected of their types. ◮ Languages that have this property are called type sound . ◮ Proving type soundness can be difficult ◮ Proof structure strongly depends on the features of the programming language and how the runtime behavior is formalized. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 2 / 39

  3. Overview ◮ Part I: Introduction ◮ Type Soundness ◮ Small-Step Semantics ◮ Big-Step Semantics ◮ Definitional Interpreters ◮ Part II: A Proof in Detail ◮ Type Soundness of the Simply Typed Lambda Calculus ◮ Part III: Extensions ◮ Mutable References ◮ Substructural Types ◮ Subtyping ◮ Parametric Polymorphism ◮ Bounded Quantification ◮ Part IV: Conclusion Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 3 / 39

  4. Part I Introduction Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 4 / 39

  5. Type Soundness ◮ Semantics given by partial evaluation function eval : Programs → Answers ∪ { wrong } ◮ returns wrong for erroneous programs (“type errors”); ◮ undefined for non-terminating programs. ◮ Typing relation given by ⊲ e : t ◮ Two forms of Type Soundness WeakSoundness StrongSoundness ⊲ e : t ⊲ e : t eval( e ) = v v ∈ V t eval( e ) � = wrong ◮ Concise formulation of type soundness, but assumes that the semantics is specified as eval function. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 5 / 39

  6. Small-Step Semantics ◮ Used in most soundness formalizations today ◮ Closely related to Term Rewrite Systems ◮ Defined as binary relation ֒ → between programs, and a notion of when a program is considered a value. ◮ e 1 ֒ → e 2 denotes, that e 1 can be evaluated in a single step to e 2 . ◮ Evaluation of a program corresponds to repeated step-evaluation e 1 ֒ → e 2 ֒ → e 3 ֒ → . . . ◮ The evaluation is considered ◮ non-terminating, if the chain is infinite; ◮ successfull, if the chain stops at some e n , such that e n is a value; and ◮ erroneous, otherwise. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 6 / 39

  7. Small-Step Semantics & Type Soundness ◮ Standard approach for soundness proofs with small-step semantics introduced by Wright and Felleisen in 1994 ◮ Based on two lemmas Preservation Progress ⊲ e 1 : t e 1 ֒ → e 2 ⊲ e 1 : t ⊲ e 2 : t IsValue e 1 ∨ ∃ e 2 . e 1 ֒ → e 2 ◮ Syntactic Soundness ⊲ e 1 : t → ∗ e 2 ∧ IsValue e 2 ∧ ⊲ e 2 : t e 1 ⇑ ∨ ∃ e 2 . e 1 ֒ ◮ Proofs are “lengthy but simple, requiring only basic inductive techniques”. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 7 / 39

  8. Big-Step Semantics ◮ Defined as binary relation ⇓ between programs and their values ◮ e ⇓ v denotes, that expression e successfully evaluates to value v . ◮ The relation is undefined for both non-termination and errors ◮ Two ideas for describing type soundness e : t e : t e ⇓ v ∃ v e ⇓ v v : t v : t ◮ Left theorem is too strong: it forces any typed program to terminate. ◮ Right theorem is too weak: only states soundness for terminating programs. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 8 / 39

  9. Definitional Interpreters ◮ The problem with big-step semantics is, that to state a type soundness theorem of the right strength, we need to distinguish between non-termination and errors. ◮ We could extend the big-step semantics, such that it ◮ remains undefined for non-terminating programs; ◮ relates erroneous programs to a special error value; and state type soundness as e : t e ⇓ mv ∃ v mv = noerr v v : t ◮ But this would require auxilliary rules for each regular rule, just to propagate errors through subexpressions. ◮ Instead, we formulate the big-step semantics not as a relation, but as a definitional interpreter function. ◮ This allows us to hide the error propagation behind an error monad of the host language. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 9 / 39

  10. Definitional Interpreters ◮ As the host languages are intended for theorem proving, they have to be total, so we cannot directly state the definitional interpreter for a language that isn’t total itself. ◮ A simple workaround is to reformulate the partial interpreter, such that it trys to evaluate the program in some number of steps, and returns a special timeout value, if the number was insufficient. ◮ The definitional interpreter can then be defined as eval : N → Exp → CanTimeout (CanErr Val) and returns either ◮ timeout if the number of steps n was too small; ◮ done error if the evaluation caused a type error; and ◮ done (noerr v) if the evaluation succeeded with value v. ◮ The type soundness theorem of the right strength is then stated as e : t eval n e = done mv ∃ v mv = noerr v v : t Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 10 / 39

  11. Part II Simply Typed Lambda Calculus Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 11 / 39

  12. Simply Typed Lambda Calculus Syntax ◮ Single base type: t_void ◮ Variables represented as DeBruijn Levels ◮ No type annotations in abstractions Inductive Typ : Type := | t_void : Typ | t_arr : Typ → Typ → Typ. Inductive Exp : Type := | e_var : N → Exp | e_app : Exp → Exp → Exp | e_abs : Exp → Exp. Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 12 / 39

  13. Simply Typed Lambda Calculus Type System Definition TypEnv := List Typ. Inductive ExpTyp : TypEnv → Exp → Typ → Prop := | et_var : ∀ x te t, indexr x te = some t → ExpTyp te (e_var x) t | et_app : ∀ te e1 e2 t1 t2, ExpTyp te e1 (t_arr t1 t2) → ExpTyp te e2 t1 → ExpTyp te (e_app e1 e2) t2 | et_abs : ∀ te e t1 t2, ExpTyp (t1 :: te) e t2 → ExpTyp te (e_abs e) (t_arr t1 t2). Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 13 / 39

  14. Simply Typed Lambda Calculus Semantics Definition ValEnv := List Val. Inductive Val := | v_abs (ve : ValEnv) (e : Exp). Fixpoint eval (n : N ) (ve : ValEnv) (e : Exp) : CanTimeout (CanErr Val) := match n with | 0 ⇒ timeout | S n ⇒ match e with | e_var x ⇒ done (indexr x ve) | e_abs e ⇒ done (noerr (v_abs ve e)) | e_app e1 e2 ⇒ ’ v_abs ve1’ e1’ ← eval n ve e1; ’ v2 ← eval n ve e2; eval n (v2 :: ve1’) e1’ end end . Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 14 / 39

  15. Simply Typed Lambda Calculus Type Soundness Definition WfEnv : ValEnv → TypEnv → Prop := Forall2 ValTyp. Inductive ValTyp : Val → Typ → Prop := | vt_abs : ∀ ve te e t1 t2, WfEnv ve te → ExpTyp (t1 :: te) e t2 → ValTyp (v_abs ve e) (t_arr t1 t2). Theorem (Type Soundness). ExpTyp te e t eval n ve e = done mv WfEnv ve te ∃ v, mv = noerr v ∧ ValTyp v t Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 15 / 39

  16. Simply Typed Lambda Calculus Type Soundness Proof Theorem (Type Soundness) . ExpTyp te e t eval n ve e = done mv WfEnv ve te ∃ v, mv = noerr v ∧ ValTyp v t Proof . Induction over n: ◮ Case 0 . By definition of eval, the assumption eval 0 ve e = done mv reduces to timeout = done mv so we can discard this case by contradiction. ◮ Case n+1 . [. . . ] Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 16 / 39

  17. Simply Typed Lambda Calculus Type Soundness Proof Theorem (Type Soundness) . ExpTyp te e t eval n ve e = done mv WfEnv ve te ∃ v, mv = noerr v ∧ ValTyp v t Proof . Induction over n: ◮ Case n+1 . Case analysis on ExpTyp te e t: ◮ Case et_var . By definition of et_var, we have some x such that e = e_var x indexr x te = noerr t . By definition of eval, the assumption eval (n + 1) ve (e_var x) = done mv reduces to done (indexr x ve) = done mv Thus, by substituting indexr x ve for mv, we are left to prove WfEnv ve te indexr x te = noerr t ∃ v, indexr x ve = noerr v ∧ ValTyp v t Hannes Saffrich Mechanized Type Soundness Proofs using Definitional Interpreters Master’s Thesis 17 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ON THE COST OF TYPE-TAG SOUNDNESS Ben Greenman Zeina Migeed ON THE COST OF TYPE-TAG SOUNDNESS

ON THE COST OF TYPE-TAG SOUNDNESS Ben Greenman Zeina Migeed ON THE COST OF TYPE-TAG SOUNDNESS

ON THE COST OF TYPE-TAG SOUNDNESS Ben Greenman Zeina Migeed ON THE COST OF TYPE-TAG SOUNDNESS 1. Tag soundness 2. Performance cost of soundness 3. Evaluation method 4. Conclusions TYPE-TAG SOUNDNESS Type Soundness e : If

1.28k views • 64 slides
Definitional CNF 1 Definitional CNF The definitional CNF of a formula is obtained in 2 steps: 1.

Definitional CNF 1 Definitional CNF The definitional CNF of a formula is obtained in 2 steps: 1.

Propositional Logic Definitional CNF 1 Definitional CNF The definitional CNF of a formula is obtained in 2 steps: 1. Repeatedly replace a subformula G of the form A , A B or A B by a new atom A and conjoin A G . This replacement

503 views • 10 slides
Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of Technology, The Netherlands February 5, 2019 @ Vrije Universiteit, Amsterdam, The Netherlands 1 Tactic-style proofs (as in LCF/Coq/HOL/ etc. ) have shown to

978 views • 97 slides
Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer

Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer

Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer Friedrich Slivovsky Georg Weissenbacher Florian Zuleger July 6, 2020 Outline 1. Motivation 2. QBF: Semantics and expansion proofs 3. Local

582 views • 41 slides
Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
FastLane is Opaque A Case Study in Mechanized Proofs of Opacity Gerhard Schellhorn

FastLane is Opaque A Case Study in Mechanized Proofs of Opacity Gerhard Schellhorn

FastLane is Opaque A Case Study in Mechanized Proofs of Opacity Gerhard Schellhorn Universit at Augsburg, Germany Monika Wedel Oleg Travkin J urgen K onig Heike Wehrheim Universit at Paderborn, Germany Overview Software

419 views • 23 slides
A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A.

A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A.

A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A. Papakyriakou Prodromos E. Gerakios Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering

613 views • 39 slides
GraphCoQL A mechanized formalization of GraphQL in Coq Toms Daz Federico Olmedo ric

GraphCoQL A mechanized formalization of GraphQL in Coq Toms Daz Federico Olmedo ric

GraphCoQL A mechanized formalization of GraphQL in Coq Toms Daz Federico Olmedo ric Tanter Millennium Institute Foundational Research on Data Certified Programs and Proofs New Orleans, USA January 2020 GraphQL Clases de ctedra

640 views • 52 slides
The Relative Consistency of the Axiom of Choice Mechanized Using Isabelle/ZF Lawrence C. Paulson

The Relative Consistency of the Axiom of Choice Mechanized Using Isabelle/ZF Lawrence C. Paulson

The Relative Consistency of the Axiom of Choice Mechanized Using Isabelle/ZF Lawrence C. Paulson Computer Laboratory Why Do Proofs By Machine? Too many been done already! Gdels incompleteness theorem ( Shankar ) thousands of

327 views • 19 slides
Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer

Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer

Recursive Authentication Protocol 1 L. C. Paulson Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer Laboratory University of Cambridge Recursive Authentication Protocol 2 L. C. Paulson Overview of the

363 views • 20 slides
Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2.

Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2.

Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2. Overview of the Nuprl System 3. Proofs of the Integer Square Root Problem What distinguishes Type Theory from Set Theory? n r r 2 n

800 views • 42 slides
Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The CompCert C project Formally proving a compiler The CompCert project investigates the formal verification of realistic compilers usable

948 views • 26 slides
Type Soundness for DOT ( D ependent O bject T ypes) Tiark Rompf Nada Amin OOPSLA November 3,

Type Soundness for DOT ( D ependent O bject T ypes) Tiark Rompf Nada Amin OOPSLA November 3,

Type Soundness for DOT ( D ependent O bject T ypes) Tiark Rompf Nada Amin OOPSLA November 3, 2016 1 DOT Syntax S , T , U ::= types : x ::= variables : top y concrete var. bot. z abstract var. T T inter. t ::= terms : T

423 views • 30 slides
A Sound Type System for Secure Flow Analysis Dennis Volpano, Geoffrey Smith, Cynthia Irvine

A Sound Type System for Secure Flow Analysis Dennis Volpano, Geoffrey Smith, Cynthia Irvine

A Sound Type System for Secure Flow Analysis Dennis Volpano, Geoffrey Smith, Cynthia Irvine Presenter: Lantian Zheng CS 711 September 29, 2003 Soundness of Denings Program Certification Mechanism Define the soundness property: S ( P )

819 views • 24 slides
On 1 -soundness and Soundness of Workflow Nets Lu Ping, Hu Hao and L Jian Department of

On 1 -soundness and Soundness of Workflow Nets Lu Ping, Hu Hao and L Jian Department of

On 1 -soundness and Soundness of Workflow Nets Lu Ping, Hu Hao and L Jian Department of Computer Science Nanjing University luping@ics.nju.edu.cn, myou@ics.nju.edu.cn Contents Introduction to Workflow Nets Basic Properties of Workflow

558 views • 27 slides
A (quick) tour of MLF (Graphic) Types (Type) Constraints Solving constraints Type

A (quick) tour of MLF (Graphic) Types (Type) Constraints Solving constraints Type

A (quick) tour of MLF (Graphic) Types (Type) Constraints Solving constraints Type inference Type Soundness Didier R emy A Fully Graphical & Presentation of MLF Boris Yakobowski INRIA Didier Rocquencourt Le Botlan A

1.16k views • 103 slides
Intro to Mathematical Reasoning via Discrete Mathematics CMSC-37115 Instructor: Laszlo Babai

Intro to Mathematical Reasoning via Discrete Mathematics CMSC-37115 Instructor: Laszlo Babai

Intro to Mathematical Reasoning via Discrete Mathematics CMSC-37115 Instructor: Laszlo Babai University of Chicago Week 1, Tuesday, September 29, 2020 CMSC-37115 Mathematical Reasoning Sets, functions, numbers Sets of numbers: N = { 1 , 2

849 views • 57 slides
Turning ternary relations into antisymmetric betweenness relations Jorge Bruno, Aisling

Turning ternary relations into antisymmetric betweenness relations Jorge Bruno, Aisling

Turning ternary relations into antisymmetric betweenness relations Jorge Bruno, Aisling McCluskey, Paul Szeptycki University of Bath, NUI Galway, York University Toronto TOPOSYM 2016 The concept of betweenness Given a linearly ordered set (

786 views • 60 slides
Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . .

Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . .

Outline Case Study Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . . Environmental Research: Main Result Proof: Part 1 Designing a Sensor Network under Uncertainty Title Page Aline

484 views • 20 slides
Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is semantics? 2 / 14 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the meaning of

588 views • 14 slides
The impact of lockdown on employment at the V&A Waterfront Preliminary results of a snap

The impact of lockdown on employment at the V&A Waterfront Preliminary results of a snap

The impact of lockdown on employment at the V&A Waterfront Preliminary results of a snap survey of V&A tenants during the third week of lockdown Andrew Donaldson & Grant Smith SALDRU and GMTplus.co.za 20 April 2020 Highlights

466 views • 15 slides
4Q15 Earnings Teleconference February 12, 2016 One of North Americas largest electric utilities

4Q15 Earnings Teleconference February 12, 2016 One of North Americas largest electric utilities

4Q15 Earnings Teleconference February 12, 2016 One of North Americas largest electric utilities TSX: H Hydro One Limited - Financial Summary ($ millions) 4Q15 4Q14 Change FY15 FY14 Change Revenue Transmission $361 $382 (5)% $1,536

143 views • 10 slides
Granting Silence to Avoid Wireless Collisions Jung Il Choi, Mayank Jain, Maria A. Kazandjieva,

Granting Silence to Avoid Wireless Collisions Jung Il Choi, Mayank Jain, Maria A. Kazandjieva,

Granting Silence to Avoid Wireless Collisions Jung Il Choi, Mayank Jain, Maria A. Kazandjieva, and Philip Levis October 6, 2010 ICNP 2010 Wireless Mesh and CSMA One UDP flow along a static 4-hop route in 802.11b mesh testbed 2 Wireless

653 views • 49 slides
Annalisa Frigo ` Eric Roca Fern andez IRES/IMMAQ Universit e catholique de Louvain 19th

Annalisa Frigo ` Eric Roca Fern andez IRES/IMMAQ Universit e catholique de Louvain 19th

Roots of Gender Equality: the Persistent Effect of Beguinages on Attitudes Toward Women Annalisa Frigo ` Eric Roca Fern andez IRES/IMMAQ Universit e catholique de Louvain 19th June, 2018 Motivation and Research Question Gender

687 views • 41 slides

More recommend