static contract checking for haskell
play

Static Contract Checking for Haskell Dana N. Xu INRIA France Work - PowerPoint PPT Presentation

Jul 16, 2023 •549 likes •1.11k views

Static Contract Checking for Haskell Dana N. Xu INRIA France Work done at University of Cambridge Joint work with Simon Peyton Jones Koen Claessen Microsoft Research Cambridge Chalmers University of Technology 1 Program Errors Give

  1. Static Contract Checking for Haskell Dana N. Xu INRIA France Work done at University of Cambridge Joint work with Simon Peyton Jones Koen Claessen Microsoft Research Cambridge Chalmers University of Technology 1

  2. Program Errors Give Headache! Module UserPgm where f :: [Int] -> Int f xs = head xs `max` 0 : … f [] … Module Prelude where head :: [a] -> a head (x:xs) = x head [] = error “empty list” Glasgow Haskell Compiler (GHC) gives at run-time Exception: Prelude.head: empty list 2

  3. From Types to Contracts head (x:xs) = x not :: Bool -> Bool Type not True = False not False = True head :: [Int] -> Int null :: [a] -> Bool …(head 1)… null [] = True null (x:xs) = False Bug! head 2 {xs | not (null xs)} -> {r | True} Contract Bug! (original Haskell …(head [])… boolean expression) 3

  4. What we want? Haskell Contract Program Glasgow Haskell Compiler (GHC) Where the bug is Why it is a bug 4

  5. Contract Checking head 2 {xs | not (null xs)} -> {r | True} head (x:xs’) = x f xs = head xs `max` 0 Warning: f [] calls head which may fail head’s precondition! f_ok xs = if null xs then 0 else head xs `max` 0 No more warnings from the compiler! 5

  6. Satisfying a Predicate Contract Arbitrary boolean-valued Haskell expression e 2 {x | p} if (1) p[e/x] gives True and (2) e is crash-free. Recursive function, higher-order function, partial function can be called! 6

  7. Expressiveness of the Specification Language data T = T1 Bool | T2 Int | T3 T T sumT :: T -> Int sumT 2 {x | noT1 x} -> {r | True} sumT (T2 a) = a sumT (T3 t1 t2) = sumT t1 + sumT t2 noT1 :: T -> Bool noT1 (T1 _) = False noT1 (T2 _) = True noT1 (T3 t1 t2) = noT1 t1 && noT1 t2 7

  8. Expressiveness of the Specification Language sumT :: T -> Int sumT 2 {x | noT1 x} -> {r | True} sumT (T2 a) = a sumT (T3 t1 t2) = sumT t1 + sumT t2 rmT1 :: T -> T rmT1 2 {x | True} -> {r | noT1 r} rmT1 (T1 a) = if a then T2 1 else T2 0 rmT1 (T2 a) = T2 a rmT1 (T3 t1 t2) = T3 (rmT1 t1) (rmT1 t2) For all crash-free t::T , sumT (rmT1 t) will not crash. 8

  9. Higher Order Functions all :: (a -> Bool) -> [a] -> Bool all f [] = True all f (x:xs) = f x && all f xs filter :: (a -> Bool) -> [a] -> [a] filter 2 {f | True} -> {xs | True} -> {r | all f r} filter f [] = [] filter f (x:xs’) = case (f x) of True - > x : filter f xs’ False - > filter f xs’ 9

  10. Contracts for Higher-order Function’s Parameter f1 :: (Int -> Int) -> Int f1 2 ({x | True} -> {y | y >= 0}) -> {r | r >= 0} f1 g = (g 1) - 1 f2 :: {r | True} f2 = f1 (\x -> x – 1) Error: f1’s postcondition fails when (g 1) >= 0 holds (g 1) – 1 >= 0 does not hold Error: f2 calls f1 which fails f1’s precondition 10 [Findler&Felleisen:ICFP’02, Blume&McAllester:ICFP’04]

  11. Various Examples zip :: [a] -> [b] -> [(a,b)] zip 2 {xs | True} -> {ys | sameLen xs ys} -> {rs | sameLen rs xs } sameLen [] [] = True sameLen (x:xs) (y:ys) = sameLen xs ys sameLen _ _ = False f91 :: Int -> Int f91 2 {n | True} -> {r | (n<=100 && r==91) || r==n-10} f91 n = case (n <= 100) of True -> f91 (f91 (n + 11)) False -> n – 10 11

  12. Sorting (==>) True x = x (==>) False x = True sorted [] = True sorted (x:[]) = True sorted (x:y:xs) = x <= y && sorted (y : xs) insert :: Int -> [Int] -> [Int] insert 2 {i | True} -> {xs | sorted xs} -> {r | sorted r} merge :: [Int] -> [Int] -> [Int] merge 2 {xs | sorted xs}->{ys | sorted ys}->{r | sorted r} bubbleHelper :: [Int] -> ([Int], Bool) bubbleHelper 2 {xs | True} -> {r | not (snd r) ==> sorted (fst r)} insertsort, mergesort, bubblesort 2 {xs | True} -> {r | sorted r} 12

  13. (&&) True x = x AVL Tree (&&) False x = False balanced :: AVL -> Bool balanced L = True balanced (N t u) = balanced t && balanced u && abs (depth t - depth u) <= 1 data AVL = L | N Int AVL AVL insert, delete :: AVL -> Int -> AVL insert 2 {x | balanced x} -> {y | True} -> {r | notLeaf r && balanced r && 0 <= depth r - depth x && depth r - depth x <= 1 } delete 2 {x | balanced x} -> {y | True} -> {r | balanced r && 0 <= depth x - depth r && depth x - depth r <= 1}

  14. Functions without Contracts data T = T1 Bool | T2 Int | T3 T T noT1 :: T -> Bool noT1 (T1 _) = False noT1 (T2 _) = True noT1 (T3 t1 t2) = noT1 t1 && noT1 t2 (&&) True x = x (&&) False x = False No abstraction is more compact than the function definition itself! 14

  15. Lots of Questions  What does “crash” mean?  What is “a contract”?  What does it mean to “satisfy a contract”?  How can we verify that a function does satisfy a contract?  What if the contract itself diverges? Or crashes? It’s time to get precise... 15

  16. What is the Language?  Programmer sees Haskell  Translated (by GHC) into Core language Lambda calculus  Plus algebraic data types, and case expressions  BAD and UNR are (exceptional) values  Standard reduction semantics e 1 ! e 2  16

  17. Two Exceptional Values Real Haskell Program BAD is an expression that crashes .  error :: String -> a error s = BAD div x y = case y == 0 of True - > error “divide by zero” False -> x / y head (x:xs) = x head [] = BAD head (x:xs) = x UNR (short for “unreachable”) is an expression that gets  stuck. This is not a crash, although execution comes to a halt without delivering a result. (identifiable infinite loop) 17

  18. Crashing Definition (Crash). A closed term e crashes iff e ! * BAD Definition (Crash-free Expression) An expression e is crash-free iff 8 C. BAD 2 s C, ` C[[e]] :: (), C[[e]] ! * BAD Non-termination is not a crash (i.e. partial correctness).

  19. Crash-free Examples Crash-free? (1,BAD) NO (1, True) YES \x -> x YES \x -> if x > 0 then x else (BAD, x) NO \x -> if x*x >= 0 then x + 1 else BAD Hmm.. YES Lemma: For all closed e , e is syntactically safe ) e is crash-free.

  20. What is a Contract (related to [Findler:ICFP02,Blume:ICFP04,Hinze:FLOPS06,Flanagan:POPL06]) t 2 Contract t ::= {x | p} Predicate Contract | x:t 1 ! t 2 Dependent Function Contract | (t 1 , t 2 ) Tuple Contract | Any Polymorphic Any Contract Full version: x’:{x | x >0} - > {r | r > x’} Short hand: {x | x > 0} -> {r | r > x} k:({x | x > 0} -> {y | y > 0}) -> {r | r > k 5} 20

  21. Questions on e 2 t 3 2 2 {x | x > 0} 5 2 2 {x | True} (True, 2) 2 {x | (snd x) > 0} ? (head [], 3) 2 {x | (snd x) > 0} ? BAD 2 ? 2 {x | False} ? 2 {x | BAD} ? \x-> BAD 2 {x | False} -> {r | True} ? \x-> BAD 2 {x | True} -> ? \x-> x 2 {x | True} ? 21

  22. What exactly does it mean to say that e “satisfies” contract t? e 2 t 22

  23. Contract Satisfaction (related to [Findler:ICFP02,Blume:ICFP04,Hinze:FLOPS06]) Given ` e ::  and ` c t ::  , we define e 2 t as follows: e 2 {x | p} , e " or (e is crash-free and p[e/x] ! * {BAD, False} [A1] e " or (e ! * ¸ x.e’ and e 2 x:t 1 ! t 2 , [A2] 8 e 1 2 t 1 . (e e 1 ) 2 t 2 [e 1 /x]) e " or (e ! * (e 1 ,e 2 ) and e 2 (t 1 , t 2 ) , [A3] e 1 2 t 1 and e 2 2 t 2 ) e 2 Any , True [A4] e " means e diverges or e ! * UNR 23

  24. Only Crash-free Expression Satisfies a Predicate Contract e " or (e is crash-free and p[e/x] ! * {BAD, False} e 2 {x | p} , e " or (e ! * ¸ x.e’ and 8 e 1 2 t 1 . (e e 1 ) 2 t 2 [e 1 /x] ) e 2 x:t 1 ! t 2 , e 2 (t 1 , t 2 ) , e " or (e ! * (e 1 ,e 2 ) and e 1 2 t 1 and e 2 2 t 2 ) e 2 Any , True YES or NO? (True, 2) 2 {x | (snd x) > 0} YES (head [], 3) 2 {x | (snd x) > 0} NO \x-> x 2 {x | True} YES \x-> x 2 {x | loop} YES 5 2 {x | BAD} NO loop 2 {x | False} YES loop 2 {x | BAD} YES

  25. All Expressions Satisfy Any fst 2 ({x | True}, Any) -> {r | True} fst (a,b) = a Inlining may help, but breaks down when function g x = fst (x, BAD) definition is big or recursive YES or NO? 2 Any 5 YES BAD 2 Any YES (head [], 3) 2 ( Any, {x | x> 0}) YES \x -> x 2 Any YES BAD 2 Any -> Any NO BAD 2 (Any, Any) 2 NO 25

  26. All Contracts are Inhabited e " or (e is crash-free and p[e/x] ! * {BAD, False} e 2 {x | p} , e " or (e ! * ¸ x.e’ and 8 e 1 2 t 1 . (e e 1 ) 2 t 2 [e 1 /x]) e 2 x:t 1 ! t 2 , e 2 (t 1 , t 2 ) , e " or (e ! * (e 1 ,e 2 ) and e 1 2 t 1 and e 2 2 t 2 ) e 2 Any , True YES or NO? \x-> BAD 2 Any -> Any YES \x-> BAD 2 {x | True} -> Any YES \x-> BAD 2 {x | False} -> {r | True} NO Blume&McAllester [JFP’06] say YES

  27. What to Check? Does function f satisfy its contract t (written f 2 t )? At the definition of each function f , Check f 2 t assuming all functions called in f satisfy their contracts. Goal: main 2 {x | True} ( main is crash-free , hence the program cannot crash) 27

  28. How to Check? Part I Define e 2 t Grand Theorem e B t is crash-free e 2 t , (related to Blume&McAllester:JFP’06) Construct e B t Part II (e “ensures” t) Simplify (e B t) some e’ If e’ is syntactically safe, then Done!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types Micro-Haskell: crash course MH Types &amp; Abstract Syntax Type Checking Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex Simpson School of Informatics University of Edinburgh

574 views • 26 slides
Haskell Contract Checking via First-Order Logic Nathan Collins 1 Department of Computer Science

Haskell Contract Checking via First-Order Logic Nathan Collins 1 Department of Computer Science

Haskell Contract Checking via First-Order Logic Nathan Collins 1 Department of Computer Science Portland State University RPE Presentation, 11 May 2012 1 Joint work with Charles-Pierre Astolfi, Koen Claessen, Simon Peyton-Jones, and Dimitrios

270 views • 23 slides
Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel

Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel

Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel Programming Languages and Compiler Construction LOPSTR 2017 Michael Hanus (CAU Kiel) Combining Static and Dynamic Contract Checking for Curry LOPSTR

463 views • 20 slides
Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Authors Authors Author Defn. Num.* K. Rustan M. Leino MJS 13 Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6 Wolfram Schulte S 3 David Detlefs M 2 Raymie Stata J 2 Mike Barnett S 2

239 views • 5 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event Embedded Linux Conference Static code checking in the Linux kernel 1. Overview 2. Randconfig issues 3. Checking tools 4. Automated checking

586 views • 48 slides
1 : Case and Termination CATCH Checking for Haskell Neil Mitchell (supervised by Colin

1 : Case and Termination CATCH Checking for Haskell Neil Mitchell (supervised by Colin

1 : Case and Termination CATCH Checking for Haskell Neil Mitchell (supervised by Colin Runciman) 1 Name courtesy of Mike Dodds Termination Checkers Q) Does function f terminate? A) { Yes, Dont know} Typically look for decreasing size

315 views • 14 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic Program Analysis Program Analysis Patrice Godefroid Godefroid Patrice Bell Laboratories, Lucent Technologies Bell Laboratories, Lucent

1.05k views • 56 slides
The Mobius Program Verification Environment Recent Advances in Extended Static Checking Joe

The Mobius Program Verification Environment Recent Advances in Extended Static Checking Joe

The Mobius Program Verification Environment Recent Advances in Extended Static Checking Joe Kiniry, University College Dublin Joe Kiniry, University College Dublin http://mobius.inria.fr/ http://mobius.inria.fr/ Contract n IST 015905

534 views • 21 slides
Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey

Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey

Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey ilya.sergey@gmail.com 12.12.12 1 The Goal Discuss what happens when we run ghc -O MyProgram.hs 2 The Plan Recall how laziness is implemented in GHC and

987 views • 74 slides
Dependent types in Idris Lukasz Hanuszczak April 02, 2015 Why? Static typing If it

Dependent types in Idris Lukasz Hanuszczak April 02, 2015 Why? Static typing If it

Dependent types in Idris Lukasz Hanuszczak April 02, 2015 Why? Static typing If it compiles, it runs. some Haskell guy Static typing If it compiles, it runs. some Haskell guy Its a lie. The night is dark and full of

1.24k views • 110 slides
ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - JML p.1/17 ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove

334 views • 22 slides
Haskell-RL An Equational Specification of Haskell in Maude Andrew Bennett Presented on 24 April

Haskell-RL An Equational Specification of Haskell in Maude Andrew Bennett Presented on 24 April

Haskell-RL An Equational Specification of Haskell in Maude Andrew Bennett Presented on 24 April 2006 Summary Haskell / Haskell-RL Examples Supported Features Haskell-RL State Implementation Functions Data Types

631 views • 14 slides
Static program checking and verification Correctness class ArraySet implements Set { class

Static program checking and verification Correctness class ArraySet implements Set { class

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Mller Static program checking and verification Correctness class ArraySet

445 views • 18 slides
DEADLOCK BY VIRTUAL CHANNEL ADDRESS/DATA FIFO DECOUPLING Ka-Ming Keung, Akhilesh Tyagi Iowa

DEADLOCK BY VIRTUAL CHANNEL ADDRESS/DATA FIFO DECOUPLING Ka-Ming Keung, Akhilesh Tyagi Iowa

BREAKING MULTICAST DEADLOCK BY VIRTUAL CHANNEL ADDRESS/DATA FIFO DECOUPLING Ka-Ming Keung, Akhilesh Tyagi Iowa State University On-Chip System with On-Chip Network Many tiles on a chip Communication among Tiles is supported by 2D

961 views • 42 slides
Topology monitoring implementation of network management system in TWAREN hybrid network

Topology monitoring implementation of network management system in TWAREN hybrid network

Topology monitoring implementation of network management system in TWAREN hybrid network National Center for High-Performance Computing 1 ABSTRACT TWAREN (TaiWan Advanced Research and Education Network) is a hybrid network composed of

532 views • 16 slides
Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program

Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program

Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program Robins AFB, GA August 2014 The Installation of Excellence The Place to Live, Learn, Work and Play Overview Robins Air Force Base

539 views • 23 slides
Some aspects of the Fisher-KPP equation and the branching Brownian motion ric Brunet November

Some aspects of the Fisher-KPP equation and the branching Brownian motion ric Brunet November

Some aspects of the Fisher-KPP equation and the branching Brownian motion ric Brunet November the 3 rd , 2016, Paris Examiners M. Jean Brard (Universit de Strasbourg) M. Victor Dotsenko (UPMC) M. Giulio Biroli M. Robi Peschanski (CEA

1.65k views • 147 slides
Differential VCO and Differential VCO and Frequency Tripler using SiGe SiGe Frequency Tripler

Differential VCO and Differential VCO and Frequency Tripler using SiGe SiGe Frequency Tripler

Differential VCO and Differential VCO and Frequency Tripler using SiGe SiGe Frequency Tripler using HBTs for the 24 GHz ISM Band for the 24 GHz ISM Band HBTs Mina Danesh*, Frank Gruson, Peter Abele, Hermann Schumacher * -

326 views • 21 slides
From the Coulomb breakup of halo nuclei to neutron radiative capture Pierre Capel , Yvan Nollet

From the Coulomb breakup of halo nuclei to neutron radiative capture Pierre Capel , Yvan Nollet

From the Coulomb breakup of halo nuclei to neutron radiative capture Pierre Capel , Yvan Nollet 28th January 2016 Radiative capture Radiative capture : reaction in which two nuclei fuse by emitting a : b + c a + also noted c ( b ,

489 views • 22 slides
rt s r s P

rt s r s P

rt s r s P s sttt r rst rr

2.13k views • 163 slides
Universal vanishing corrections on the position of fronts in the Fisher-KPP class ric Brunet

Universal vanishing corrections on the position of fronts in the Fisher-KPP class ric Brunet

Universal vanishing corrections on the position of fronts in the Fisher-KPP class ric Brunet May the 3 rd , 2017, Paris May the 3 rd , 2017, Paris ric Brunet Vanishing corrections for FKPP 1 / 19 The Fisher-KPP equation a model for

1.51k views • 112 slides

More recommend