Abstract
We present a new approach for constructing and verifying higher-order, imperative programs using the Coq proof assistant. We build on the past work on the Ynot system, which is based on Hoare Type Theory. That original system was a proof of concept, where every program verification was accomplished via laborious manual proofs, with much code devoted to uninteresting low-level details. In this paper, we present a re-implementation of Ynot which makes it possible to implement fully-verified, higher-order imperative programs with reasonable proof burden. At the same time, our new system is implemented entirely in Coq source files, showcasing the versatility of that proof assistant as a platform for research on language design and verification. Both versions of the system have been evaluated with case studies in the verification of imperative data structures, such as hash tables with higher-order iterators. The verification burden in our new system is reduced by at least an order of magnitude compared to the old system, by replacing manual proof with automation. The core of the automation is a simplification procedure for implications in higher-order separation logic, with hooks that allow programmers to add domain-specific simplification rules. We argue for the effectiveness of our infrastructure by verifying a number of data structures and a packrat parser, and we compare to similar efforts within other projects. Compared to competing approaches to data structure verification, our system includes much less code that must be trusted; namely, about a hundred lines of Coq code defining a program logic. All of our theorems and decision procedures have or build machine-checkable correctness proofs from first principles, removing opportunities for tool bugs to create faulty verifications.
Highlights
A key goal of type systems is to prevent “bad states” from arising in the execution of programs
For safety- and securitycritical code, a type system should ideally let the programmer assign types to libraries such that client code cannot suffer from these problems, and, in the limit, the type system should make it possible for programmers to verify that their code is correct
The embedding in Coq provides much more expressive formulas than in most systems based on separation logic
Summary
A key goal of type systems is to prevent “bad states” from arising in the execution of programs. Representative examples include ESC/Java (Flanagan et al 2002), Epigram (McBride and McKinna 2004), Spec# (Barnett et al 2004), ATS (Chen and Xi 2005), Concoqtion (Pasalic et al 2007), Sage (Gronski et al 2006), Agda (Norell 2007), and Ynot (Nanevski et al 2008) Each of these systems integrates some form of specification logic into the type system in order to rule out a wider range of truly bad states. The careful design of these procedures makes it possible for programmers to teach the prover about new domains as they arise We describe this new implementation of Ynot and report on our experience implementing and verifying various imperative data structures including stacks, queues, hash tables, binomial trees, and binary search trees. We describe the automation tactics that we built, report on further evaluation of our system via case studies, compare with related work, and conclude
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have