Abstract
Correctness and performance are often at odds in the field of systems engineering, either because correct programs are too costly to write or impractical to execute, or because well-performing code involves so many tricks of the trade that formal analysis is unable to isolate the main properties of the algorithm.
As a prime example of this tension, Coq is an established proof environment that allows writing correct, dependently-typed code, but it has been criticized for exorbitant development times, forcing the developer to choose between optimal code and tractable proofs. On the other side of the divide, Haskell has proven itself to be a capable, well-typed programming environment, yet easy-to-read, straightforward code must all too often be replaced by highly optimized variants that obscure the author's original intention.
This paper builds on the existing Fiat refinement framework to bridge this divide, demonstrating how to derive a correct-by-construction implementation that meets (or exceeds) the performance characteristics of highly optimized Haskell, starting from a high-level Coq specification. To achieve this goal, we extend Fiat with a stateful notion of refinement of abstract data types and add support for extracting stateful code via a free monad equipped with an algebra of heap-manipulating operations. As a case study, we reimplement a subset of the popular bytestring library, with little to no loss of performance, while retaining a high guarantee of program correctness.
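The extraction mechanism the abstract names, a free monad over an algebra of heap-manipulating operations, in miniature. This is an added example written for this page, not code from the paper or from Fiat; the operation names (Alloc, Release, Peek, Poke), the Prog type and the byte-list model heap are assumptions about the shape such an algebra can take, not the paper's definitions. It shows one program written against the algebra and two interpreters for it: a pure model whose heap is a map of live blocks, which rejects out-of-bounds and use-after-free accesses, and an IO interpreter over real malloc'd memory that performs the same operations unchecked.

```haskell
{-# LANGUAGE DeriveFunctor #-}
-- Added example, not code from the paper: a free monad over a small heap
-- algebra with a pure, bounds-checked model interpreter and an IO
-- interpreter over real memory. Names and heap layout are assumptions.

import qualified Data.Map.Strict as M
import Data.Word (Word8)
import Foreign.Marshal.Alloc (mallocBytes, free)
import Foreign.Ptr (Ptr, ptrToIntPtr, intPtrToPtr)
import Foreign.Storable (peekByteOff, pokeByteOff)

type Addr = Int

-- The algebra: one constructor per heap primitive; the last field is the
-- continuation, which receives the primitive's result.
data HeapF k
  = Alloc Int (Addr -> k)       -- allocate n bytes, continue with base address
  | Release Addr k              -- free a block
  | Peek Addr Int (Word8 -> k)  -- read byte at base + offset
  | Poke Addr Int Word8 k       -- write byte at base + offset
  deriving Functor

-- The free monad over an algebra f: a tree of operations ending in a value.
data Prog f a = Done a | Step (f (Prog f a))

instance Functor f => Functor (Prog f) where
  fmap g (Done a) = Done (g a)
  fmap g (Step x) = Step (fmap (fmap g) x)
instance Functor f => Applicative (Prog f) where
  pure = Done
  Done g <*> x = fmap g x
  Step h <*> x = Step (fmap (<*> x) h)
instance Functor f => Monad (Prog f) where
  Done a >>= k = k a
  Step x >>= k = Step (fmap (>>= k) x)

liftF :: Functor f => f a -> Prog f a
liftF = Step . fmap Done

alloc :: Int -> Prog HeapF Addr
alloc n = liftF (Alloc n id)
release :: Addr -> Prog HeapF ()
release a = liftF (Release a ())
peek :: Addr -> Int -> Prog HeapF Word8
peek a i = liftF (Peek a i id)
poke :: Addr -> Int -> Word8 -> Prog HeapF ()
poke a i v = liftF (Poke a i v ())

-- A bytestring-style program written once against the algebra: copy the
-- bytes into a fresh block, read them back in reverse, release the block.
copyReversed :: [Word8] -> Prog HeapF [Word8]
copyReversed bs = do
  let n = length bs
  p <- alloc n
  mapM_ (\(i, b) -> poke p i b) (zip [0 ..] bs)
  out <- mapM (peek p) [n - 1, n - 2 .. 0]
  release p
  return out

-- Pure model: the heap is a map from base address to block contents. Every
-- access is checked against the live block, so an out-of-range read/write
-- or a use-after-free is an explicit error rather than silent corruption.
runModel :: Prog HeapF a -> Either String a
runModel = go M.empty 0
  where
    go :: M.Map Addr [Word8] -> Addr -> Prog HeapF a -> Either String a
    go _ _ (Done a) = Right a
    go h nxt (Step (Alloc n k)) =
      go (M.insert nxt (replicate n 0) h) (nxt + max n 1) (k nxt)
    go h nxt (Step (Release a k))
      | M.member a h = go (M.delete a h) nxt k
      | otherwise    = Left ("release of unallocated block " ++ show a)
    go h nxt (Step (Peek a i k)) = case M.lookup a h of
      Just bs | i >= 0 && i < length bs -> go h nxt (k (bs !! i))
      _ -> Left ("out-of-bounds read at " ++ show (a, i))
    go h nxt (Step (Poke a i v k)) = case M.lookup a h of
      Just bs | i >= 0 && i < length bs ->
        go (M.insert a (take i bs ++ v : drop (i + 1) bs) h) nxt k
      _ -> Left ("out-of-bounds write at " ++ show (a, i))

-- IO interpreter: the same operation tree run against real memory, with
-- addresses carried as Int. Nothing here checks bounds; the model above is
-- the semantics a correctness argument is made against.
runIO :: Prog HeapF a -> IO a
runIO (Done a)              = return a
runIO (Step (Alloc n k))    = mallocBytes n >>= runIO . k . ptrToInt
runIO (Step (Release a k))  = free (intToPtr a :: Ptr Word8) >> runIO k
runIO (Step (Peek a i k))   = peekByteOff (intToPtr a :: Ptr Word8) i >>= runIO . k
runIO (Step (Poke a i v k)) = pokeByteOff (intToPtr a :: Ptr Word8) i v >> runIO k

ptrToInt :: Ptr a -> Int
ptrToInt = fromIntegral . ptrToIntPtr
intToPtr :: Int -> Ptr a
intToPtr = intPtrToPtr . fromIntegral

main :: IO ()
main = do
  print (runModel (copyReversed [1, 2, 3]))
  print (runModel (alloc 2 >>= \p -> peek p 2))   -- read one past the block
  runIO (copyReversed [1, 2, 3]) >>= print
```

Run with runghc; it needs only base and containers. The point for a verifier is the split: proofs are discharged against the total, checked model semantics, while the IO interpreter is the thin trusted layer that turns the same operation tree into real memory traffic, so the fast path and the proved path are literally one program.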
References
- Andreas Abel, Marcin Benke, Ana Bove, John Hughes, and Ulf Norell. 2005. Verifying Haskell Programs Using Constructive Type Theory. In Proceedings of the 2005 ACM SIGPLAN Workshop on Haskell (Haskell ’05). ACM, New York, NY, USA, 62–73.
- S. Awodey. 2006. Category Theory. Ebsco Publishing. https://books.google.com/books?id=IK_sIDI2TCwC
- Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M. Frans Kaashoek, and Nickolai Zeldovich. 2015. Using Crash Hoare Logic for Certifying the FSCQ File System. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP ’15). ACM, New York, NY, USA, 18–37.
- Cyril Cohen, Maxime Dénès, and Anders Mörtberg. 2013. Refinements for Free! In Certified Programs and Proofs. Springer International Publishing.
- Benjamin Delaware, Clément Pit-Claudel, Jason Gross, and Adam Chlipala. 2015. Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant. Association for Computing Machinery. http://dspace.mit.edu/handle/1721.1/91993
- Edsger W. Dijkstra. 1967. A constructive approach to the problem of program correctness. EWD209, circulated privately (Aug. 1967). http://www.cs.utexas.edu/users/EWD/ewd02xx/EWD209.PDF
- Richard A. Eisenberg. 2016. Dependent Types in Haskell: Theory and Practice. CoRR abs/1610.07978 (2016). https://www.cis.upenn.edu/~sweirich/papers/eisenberg-thesis.pdf
- Peter Hawkins, Alex Aiken, Kathleen Fisher, Martin Rinard, and Mooly Sagiv. 2011. Data Representation Synthesis. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM.
- J. He, C.A.R. Hoare, and J.W. Sanders. 1986. Data refinement refined. In ESOP 86, Bernard Robinet and Reinhard Wilhelm (Eds.). Lecture Notes in Computer Science, Vol. 213. Springer Berlin Heidelberg, 187–196.
- C.A.R. Hoare. 1972. Proof of correctness of data representations. Acta Informatica 1, 4 (1972), 271–281.
- Peter Lammich. 2013. Automatic Data Refinement. In Interactive Theorem Proving. Springer Berlin Heidelberg.
- Peter Lammich. 2015. Refinement to Imperative/HOL. In Interactive Theorem Proving, Christian Urban and Xingyuan Zhang (Eds.). Lecture Notes in Computer Science, Vol. 9236. Springer International Publishing, 253–269.
- Peter Lammich and Thomas Tuerk. 2012. Applying Data Refinement for Monadic Programs to Hopcroft’s Algorithm. In Interactive Theorem Proving, Lennart Beringer and Amy Felty (Eds.). Lecture Notes in Computer Science, Vol. 7406. Springer Berlin Heidelberg, 166–182.
- Xavier Leroy. 2009. Formal Verification of a Realistic Compiler. Commun. ACM 52, 7 (July 2009), 107–115.
- Pierre Letouzey. 2003. A New Extraction for Coq. In Proc. TYPES. Springer-Verlag.
- Calvin Loncaric, Emina Torlak, and Michael D. Ernst. 2016. Fast Synthesis of Fast Collections. SIGPLAN Not. 51, 6 (June 2016), 355–368.
- Robert Paige and Shaye Koenig. 1982. Finite Differencing of Computable Expressions. ACM Trans. Program. Lang. Syst. 4, 3 (July 1982).
- Ohad Shacham, Martin Vechev, and Eran Yahav. 2009. Chameleon: Adaptive Selection of Collections. SIGPLAN Not. 44, 6 (June 2009), 408–418.
- Yong Kiam Tan, Magnus O. Myreen, Ramana Kumar, Anthony Fox, Scott Owens, and Michael Norrish. 2016. A New Verified Compiler Backend for CakeML. In Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming (ICFP 2016). ACM, New York, NY, USA, 60–73.
- Niki Vazou, Eric L. Seidel, and Ranjit Jhala. 2014. LiquidHaskell: Experience with Refinement Types in the Real World. SIGPLAN Not. 49, 12 (Sept. 2014), 39–51.
- Konstantin Weitz, Steven S. Lyubomirsky, Stefan Heule, Emina Torlak, Michael D. Ernst, and Zachary Tatlock. 2017. SpaceSearch: A Library for Building and Verifying Solver-Aided Tools. Proc. ACM Program. Lang. (ICFP ’17), Vol. 1. ACM.
- Edward Yang. 2010. How to pick your string library in Haskell. http://blog.ezyang.com/2010/08/strings-in-haskell/
Using Coq to write fast and correct Haskell
Published in Haskell 2017: Proceedings of the 10th ACM SIGPLAN International Symposium on Haskell.