Abstract
We present the design, implementation, and foundation of a verifier for higher-order functional programs with generics and recursive data types. Our system supports proving safety and termination using preconditions, postconditions and assertions. It supports writing proof hints using assertions and recursive calls. To formalize the soundness of the system we introduce System FR, a calculus supporting System F polymorphism, dependent refinement types, and recursive types (including recursion through contravariant positions of function types). Through the use of sized types, System FR supports reasoning about termination of lazy data structures such as streams. We formalize a reducibility argument using the Coq proof assistant and prove the soundness of a type-checker with respect to call-by-value semantics, ensuring type safety and normalization for typeable programs. Our program verifier is implemented as an alternative verification-condition generator for the Stainless tool, which relies on the Inox SMT-based solver backend for automation. We demonstrate the efficiency of our approach by verifying a collection of higher-order functional programs comprising around 14000 lines of polymorphic higher-order Scala code, including graph search algorithms, basic number theory, monad laws, functional data structures, and assignments from popular Functional Programming MOOCs.
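As an added illustration of the verification style the abstract describes (preconditions, postconditions, termination measures, and proof hints written as recursive calls), here is a small Scala program in the form Stainless checks. This is example code written for this page, not code from the paper or from the Stainless project; it assumes the `stainless.lang` and `stainless.collection` APIs (`require`, `ensuring`, `decreases`, `holds`, `List`), and the object and function names are invented.

```scala
import stainless.lang._
import stainless.collection._

// Added illustration (not from the paper): a verified `map` over Stainless lists,
// a termination measure, and a lemma whose inductive step is a recursive call.
object MapLemmas {

  // `decreases(l)` is the termination hint; `ensuring` states the postcondition
  // that the verifier must discharge for every call.
  def map[A, B](l: List[A], f: A => B): List[B] = {
    decreases(l)
    l match {
      case Nil()      => Nil[B]()
      case Cons(h, t) => Cons(f(h), map(t, f))
    }
  } ensuring (res => res.size == l.size)

  // Proof hint via a recursive call: the call on the tail plays the role of the
  // inductive hypothesis; `.holds` is the postcondition "the result is true".
  def mapCompose[A, B, C](l: List[A], f: A => B, g: B => C): Boolean = {
    decreases(l)
    (l match {
      case Nil()      => true
      case Cons(_, t) => mapCompose(t, f, g)
    }) && map(map(l, f), g) == map(l, (a: A) => g(f(a)))
  }.holds

  // A precondition (`require`) guards a partial function; every caller must
  // establish it, so `head` on an empty list is rejected at verification time.
  def headOf[A](l: List[A]): A = {
    require(l.nonEmpty)
    l.head
  }
}
```

Run with `stainless MapLemmas.scala`: `map` yields a termination and a postcondition check, `mapCompose` yields one postcondition check whose inductive case is closed by the recursive call, and `headOf` yields a precondition check at each call site.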
Supplemental Material (available for download)
- Stainless benchmarks
- Stainless sources for release 0.4.0
- Coq proofs
System FR: formalized foundations for the stainless verifier