Showing a CakeML program is safe CakeML A verified implementation - - PowerPoint PPT Presentation

▶

Aug 30, 2023 137 likes •430 views

First steps towards a semantic type system for CakeML Hrutvik Kanabar 1 January 23, 2020 University of Kent 1 Supervised by Scott Owens. Supported by the UK Research Institute in Verified Trustworthy Software Systems (VeTSS). Showing a CakeML

SLIDE 1

Showing a CakeML program is safe

First steps towards a semantic type system for CakeML

Hrutvik Kanabar1 January 23, 2020

University of Kent

1Supervised by Scott Owens.

Supported by the UK Research Institute in Verified Trustworthy Software Systems (VeTSS).

SLIDE 2

CakeML

SLIDE 3

Introduction to CakeML

A verified implementation of ML
Formally specified
Implemented using HOL4
Verified, bootstrappable compiler

Showing a CakeML program is safe – Hrutvik Kanabar 1

SLIDE 4

Compiler Correctness

∀ . semantics ( ) ̸= Error = ⇒ semantics ( ) = semantics_x86 (compile ( ))

Showing a CakeML program is safe – Hrutvik Kanabar 2

SLIDE 5

Guaranteeing Well-defined Semantics

semantics ( ) ̸= Error?

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 6

Guaranteeing Well-defined Semantics

Γ ⊢ e : ? + sound (_ ⊢ _ : _)
HOL

translate CakeML + proof

cf e v Q

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 7

Guaranteeing Well-defined Semantics

Γ ⊢ e : ? + sound (_ ⊢ _ : _)
HOL

translate

− − − − − → CakeML + proof

cf e v Q

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 8

Guaranteeing Well-defined Semantics

Γ ⊢ e : ? + sound (_ ⊢ _ : _)
HOL

translate

− − − − − → CakeML + proof

{P} cf (e) {λv . Q}

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 9

Guaranteeing Well-defined Semantics

Γ ⊢ e : ? + sound (_ ⊢ _ : _)

Fast imperative code?

translate

− − − − − → CakeML + proof

{P} cf (e) {λv . Q}

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 10

Guaranteeing Well-defined Semantics

Γ ⊢ e : ? + sound (_ ⊢ _ : _)

Fast imperative code?

translate

− − − − − → CakeML + proof Non-termination?

{P} cf (e) {λv . Q}

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 11

Guaranteeing Well-defined Semantics

Γ ⊢ e : ? + sound (_ ⊢ _ : _)

Fast imperative code?

translate

− − − − − → CakeML + proof Non-termination?

{P} cf (e) {λv . Q} Proof effort?

Showing a CakeML program is safe – Hrutvik Kanabar 3

SLIDE 12

Semantic typing

SLIDE 13

Syntactic. . .

Γ ⊢ e : τ

e “looks like” it has type τ

Showing a CakeML program is safe – Hrutvik Kanabar 4

SLIDE 14

. . .Becomes Semantic

Γ ⊨ e : τ

e “behaves like” it has type τ

Showing a CakeML program is safe – Hrutvik Kanabar 5

SLIDE 15

. . .Becomes Semantic

Γ ⊨ e : τ

e is safe to use as if it has type τ

Showing a CakeML program is safe – Hrutvik Kanabar 5

SLIDE 16

Logical Relations

Type-indexed family of predicates on terms
Step-indexed (“fuelled”) for impredicativity
Compositional:

Rτ1 → τ2 (e1) ∧ Rτ1 (e2) = ⇒ Rτ2(e1 e2).

We use unary relations so far

Showing a CakeML program is safe – Hrutvik Kanabar 6

SLIDE 17

The Story So Far. . .

System F with:

∃α . τ, µα . τ (iso), τ1 × τ2, τ1 + τ2, crash

e.g. if i ≤ a.length then a[i] else crash

CakeML-like semantics, formalised in HOL4
A model for our use cases!

Next steps: ref

Showing a CakeML program is safe – Hrutvik Kanabar 7

SLIDE 18

The Story So Far. . .

System F with:

∃α . τ, µα . τ (iso), τ1 × τ2, τ1 + τ2, crash

e.g. if i ≤ a.length then a[i] else crash

CakeML-like semantics, formalised in HOL4
A model for our use cases!

Next steps: ref τ

Showing a CakeML program is safe – Hrutvik Kanabar 7

SLIDE 19

Use cases

SLIDE 20

Composing Safe and Unsafe code

Showing a CakeML program is safe – Hrutvik Kanabar 8

SLIDE 21

Composing Safe and Unsafe code

First prove compatibility lemmas. . . ⊢ · · · ⊢ ⊢ = ⇒ ⊨ · · · ⊨ ⊨ then compose safe and unsafe code, e.g. user lib user lib

Showing a CakeML program is safe – Hrutvik Kanabar 8

SLIDE 22

Composing Safe and Unsafe code

First prove compatibility lemmas. . . ⊢ · · · ⊢ ⊢ = ⇒ ⊨ · · · ⊨ ⊨ . . . then compose safe and unsafe code, e.g. user ⊢ · · · ⊢ lib ⊬ ⊬ − → user ⊢ · · · ⊢ lib ⊨ ⊨ ⊨ ⊨ ⊨ ⊨

Showing a CakeML program is safe – Hrutvik Kanabar 8

SLIDE 23

Reasoning about Module Invariants

Showing a CakeML program is safe – Hrutvik Kanabar 9

SLIDE 24

Reasoning about Module Invariants

We can express invariants as semantic types, and so prove they are preserved. Candle A HOL kernel implemented in CakeML. LCF-style – relies on type abstraction for soundness!

Showing a CakeML program is safe – Hrutvik Kanabar 9

SLIDE 25

Extracting Coq to CakeML

Current unverified extraction to OCaml: Coq

extract

OCaml Obj.magic Proposed verified extraction to CakeML: Coq

extract

CakeML + Obj.magic

Showing a CakeML program is safe – Hrutvik Kanabar 10

SLIDE 26

Extracting Coq to CakeML

Current unverified extraction to OCaml: Coq

extract

− − − → OCaml + Obj.magic Proposed verified extraction to CakeML: Coq

extract

CakeML + Obj.magic

Showing a CakeML program is safe – Hrutvik Kanabar 10

SLIDE 27

Extracting Coq to CakeML

Current unverified extraction to OCaml: Coq

extract

− − − → OCaml + Obj.magic Proposed verified extraction to CakeML: Coq

extract

− − − → CakeML + Obj.magic

Showing a CakeML program is safe – Hrutvik Kanabar 10

SLIDE 28

Thanks for listening!

Showing a CakeML program is safe – Hrutvik Kanabar 11