skip to main content
research-article
Open Access

System FR: formalized foundations for the stainless verifier

Published:10 October 2019Publication History
Skip Abstract Section

Abstract

We present the design, implementation, and foundation of a verifier for higher-order functional programs with generics and recursive data types. Our system supports proving safety and termination using preconditions, postconditions and assertions. It supports writing proof hints using assertions and recursive calls. To formalize the soundness of the system we introduce System FR, a calculus supporting System F polymorphism, dependent refinement types, and recursive types (including recursion through contravariant positions of function types). Through the use of sized types, System FR supports reasoning about termination of lazy data structures such as streams. We formalize a reducibility argument using the Coq proof assistant and prove the soundness of a type-checker with respect to call-by-value semantics, ensuring type safety and normalization for typeable programs. Our program verifier is implemented as an alternative verification-condition generator for the Stainless tool, which relies on the Inox SMT-based solver backend for automation. We demonstrate the efficiency of our approach by verifying a collection of higher-order functional programs comprising around 14000 lines of polymorphic higher-order Scala code, including graph search algorithms, basic number theory, monad laws, functional data structures, and assignments from popular Functional Programming MOOCs.

Skip Supplemental Material Section

Supplemental Material

a166-hamza

Presentation at OOPSLA '19

References

  1. Andreas Abel. 2004. Termination checking with types. ITA 38, 4 (2004), 277–319. Google ScholarGoogle ScholarCross RefCross Ref
  2. Andreas Abel. 2007. Type-based termination: a polymorphic lambda-calculus with sized higher-order types. Ph.D. Dissertation. Ludwig Maximilians University Munich. http://d- nb.info/984765581Google ScholarGoogle Scholar
  3. Andreas Abel. 2008. Semi-Continuous Sized Types and Termination. Logical Methods in Computer Science 4, 2 (2008). Google ScholarGoogle ScholarCross RefCross Ref
  4. Andreas Abel. 2010. MiniAgda: Integrating Sized and Dependent Types. In Partiality and Recursion in Interactive Theorem Provers, [email protected] 2010, Edinburgh, UK, July 15, 2010 (EPiC Series), Ekaterina Komendantskaya, Ana Bove, and Milad Niqui (Eds.), Vol. 5. EasyChair, 18–32. Google ScholarGoogle ScholarCross RefCross Ref
  5. Andreas Abel. 2012. Type-Based Termination, Inflationary Fixed-Points, and Mixed Inductive-Coinductive Types. In Proceedings 8th Workshop on Fixed Points in Computer Science, FICS 2012, Tallinn, Estonia, 24th March 2012. (EPTCS), Dale Miller and Zoltán Ésik (Eds.), Vol. 77. 1–11. Google ScholarGoogle ScholarCross RefCross Ref
  6. Andreas Abel and Brigitte Pientka. 2013. Wellfounded recursion with copatterns: a unified approach to termination and productivity. In ACM SIGPLAN International Conference on Functional Programming, ICFP’13, Boston, MA, USA - September 25 - 27, 2013, Greg Morrisett and Tarmo Uustalu (Eds.). ACM, 185–196. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Danel Ahman, Catalin Hritcu, Kenji Maillard, Guido Martínez, Gordon D. Plotkin, Jonathan Protzenko, Aseem Rastogi, and Nikhil Swamy. 2017. Dijkstra monads for free. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, Paris, France, January 18-20, 2017, Giuseppe Castagna and Andrew D. Gordon (Eds.). ACM, 515–529. http://dl.acm.org/citation.cfm?id=3009878Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Amal J. Ahmed. 2006. Step-Indexed Syntactic Logical Relations for Recursive and Quantified Types. In Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2006, Vienna, Austria, March 27-28, 2006, Proceedings (Lecture Notes in Computer Science), Peter Sestoft (Ed.), Vol. 3924. Springer, 69–83. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Nada Amin. 2016. Dependent Object Types. Ph.D. Dissertation. EPFL. Google ScholarGoogle ScholarCross RefCross Ref
  10. Abhishek Anand and Vincent Rahli. 2014. Towards a Formally Verified Proof Assistant. In Interactive Theorem Proving, Gerwin Klein and Ruben Gamboa (Eds.). Springer International Publishing, Cham, 27–44. Google ScholarGoogle ScholarCross RefCross Ref
  11. Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte. 2004. The Spec# Programming System: An Overview. In Construction and Analysis of Safe, Secure, and Interoperable Smart Devices, International Workshop, CASSIS 2004, Marseille, France, March 10-14, 2004, Revised Selected Papers (Lecture Notes in Computer Science), Gilles Barthe, Lilian Burdy, Marieke Huisman, Jean-Louis Lanet, and Traian Muntean (Eds.), Vol. 3362. Springer, 49–69. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Bruno Barras. 2010. Sets in Coq, Coq in Sets. J. Formalized Reasoning 3, 1 (2010), 29–48. Google ScholarGoogle ScholarCross RefCross Ref
  13. Gilles Barthe, Maria João Frade, Eduardo Giménez, Luís Pinto, and Tarmo Uustalu. 2004. Type-based termination of recursive definitions. Mathematical Structures in Computer Science 14, 1 (2004), 97–141. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Gilles Barthe, Benjamin Grégoire, and Colin Riba. 2008. A Tutorial on Type-Based Termination. In Language Engineering and Rigorous Software Development, International LerNet ALFA Summer School 2008, Piriapolis, Uruguay, February 24 -March 1, 2008, Revised Tutorial Lectures. 100–152. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Yves Bertot and Pierre Castéran. 2004a. Interactive Theorem Proving and Program Development - Coq’Art: The Calculus of Inductive Constructions. Springer. Google ScholarGoogle Scholar
  16. Yves Bertot and Pierre Castéran. 2004b. Interactive Theorem Proving and Program Development - Coq’Art: The Calculus of Inductive Constructions. Springer. Google ScholarGoogle Scholar
  17. Régis Blanc and Viktor Kuncak. 2015. Sound reasoning about integral data types with a reusable SMT solver interface. In Proceedings of the 6th ACM SIGPLAN Symposium on Scala, [email protected] 2015, Portland, OR, USA, June 15-17, 2015. 35–40. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Edwin Brady. 2013. Idris: general purpose programming with dependent types. In Proceedings of the 7th Workshop on Programming languages meets program verification, PLPV 2013, Rome, Italy, January 22, 2013, Matthew Might, David Van Horn, Andreas Abel, and Tim Sheard (Eds.). ACM, 1–2. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Chris Casinghino, Vilhelm Sjöberg, and Stephanie Weirich. 2014. Combining proofs and programs in a dependently typed language. In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014, Suresh Jagannathan and Peter Sewell (Eds.). ACM, 33–46. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Arthur Charguéraud. 2012. The Locally Nameless Representation. J. Autom. Reasoning 49, 3 (2012), 363–408. Google ScholarGoogle ScholarCross RefCross Ref
  21. Robert L. Constable, Stuart F. Allen, Mark Bromley, Rance Cleaveland, J. F. Cremer, R. W. Harper, Douglas J. Howe, Todd B. Knoblock, N. P. Mendler, Prakash Panangaden, James T. Sasaki, and Scott F. Smith. 1986. Implementing mathematics with the Nuprl proof development system. Prentice Hall. http://dl.acm.org/citation.cfm?id=10510Google ScholarGoogle Scholar
  22. Leonardo de Moura. 2016. Formalizing Mathematics using the Lean Theorem Prover. In International Symposium on Artificial Intelligence and Mathematics, ISAIM 2016, Fort Lauderdale, Florida, USA, January 4-6, 2016. http://isaim2016.cs.virginia. edu/papers/ISAIM2016_Proofs_DeMoura.pdfGoogle ScholarGoogle Scholar
  23. David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. 1998. Extended Static Checking. Technical Report 159. COMPAQ Systems Research Center.Google ScholarGoogle Scholar
  24. Pietro Di Gianantonio and Marino Miculan. 2002. A Unifying Approach to Recursive and Co-recursive Definitions. In Types for Proofs and Programs, Second International Workshop, TYPES 2002, Berg en Dal, The Netherlands, April 24-28, 2002, Selected Papers (Lecture Notes in Computer Science), Herman Geuvers and Freek Wiedijk (Eds.), Vol. 2646. Springer, 148–161. Google ScholarGoogle ScholarCross RefCross Ref
  25. Jürgen Giesl, Matthias Raffelsieper, Peter Schneider-Kamp, Stephan Swiderski, and René Thiemann. 2011. Automated Termination Proofs for Haskell by Term Rewriting. ACM Trans. Program. Lang. Syst. 33, 2 (Feb. 2011), 7:1–7:39. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. J Giesl, S Swiderski, P Schneider-Kamp, and R Thiemann. 2006. Automated termination analysis for Haskell: From term rewriting to programming languages. In Rewriting techniques and Applications, Vol. 4098. 297–312.Google ScholarGoogle Scholar
  27. Jürgen Giesl, René Thiemann, Peter Schneider-Kamp, and Stephan Falke. 2004. Automated Termination Proofs with AProVE. In Rewriting Techniques and Applications, 15th International Conference, RTA 2004, Aachen, Germany, June 3-5, 2004, Proceedings. 210–220. Google ScholarGoogle ScholarCross RefCross Ref
  28. Jean-Yves Girard. 1971. Une Extension De L’Interpretation De Gödel a L’Analyse, Et Son Application a L’Elimination Des Coupures Dans L’Analyse Et La Theorie Des Types. Studies in Logic and the Foundations of Mathematics 63 (1971), 63–92.Google ScholarGoogle ScholarCross RefCross Ref
  29. Jean-Yves Girard. 1990. Proofs and types. Cambridge University Press. http://www.paultaylor.eu/stable/prot.pdfGoogle ScholarGoogle ScholarDigital LibraryDigital Library
  30. M. J. C. Gordon and T. F. Melham. 1993. Introduction to HOL, a theorem proving environment for higher-order logic. Cambridge University Press, Cambridge, England.Google ScholarGoogle Scholar
  31. William T. Hallahan, Anton Xue, Maxwell Troy Bland, Ranjit Jhala, and Ruzica Piskac. 2019. Lazy counterfactual symbolic execution. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, Phoenix, AZ, USA, June 22-26, 2019., Kathryn S. McKinley and Kathleen Fisher (Eds.). ACM, 411–424. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Jad Hamza, Nicolas Voirol, and Viktor Kunčak. 2019. System FR as Foundations for Stainless. arXiv: cs.LO/1904.03482Google ScholarGoogle Scholar
  33. Robert Harper. 2016. Practical foundations for programming languages. Cambridge University Press.Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. John Harrison. 2009. Handbook of Practical Logic and Automated Reasoning. Cambridge University Press.Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. John Harrison. 2017. HOL Light Tutorial. https://www.cl.cam.ac.uk/~jrh13/hol- light/tutorial.pdf . Retrieved 19 July 2019.Google ScholarGoogle Scholar
  36. Lars Hupel and Viktor Kuncak. 2016. Translating Scala Programs to Isabelle/HOL (System Description). In International Joint Conference on Automated Reasoning (IJCAR).Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Rohan Jacob-Rao, Brigitte Pientka, and David Thibodeau. 2018. Index-Stratified Types. In 3rd International Conference on Formal Structures for Computation and Deduction, FSCD 2018, July 9-12, 2018, Oxford, UK (LIPIcs), Hélène Kirchner (Ed.), Vol. 108. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 19:1–19:17. Google ScholarGoogle ScholarCross RefCross Ref
  38. EPFL IC LARA. 2019. Stainles: Formal Verification for Scala. http://stainless.epfl.ch/ .Google ScholarGoogle Scholar
  39. K Rustan M Leino. 2010. Dafny: An Automatic Program Verifier for Functional Correctness. In Logic for Programming, Artificial Intelligence, and Reasoning. 348–370. Google ScholarGoogle ScholarCross RefCross Ref
  40. Rodolphe Lepigre. 2017. Semantics and Implementation of an Extension of ML for Proving Programs. (Sémantique et Implantation d’une Extension de ML pour la Preuve de Programmes). Ph.D. Dissertation. Grenoble Alpes University, France. https: //tel.archives- ouvertes.fr/tel- 01590363Google ScholarGoogle Scholar
  41. Alexandre Miquel. 2001. The Implicit Calculus of Constructions. In TLCA. 344–359. Google ScholarGoogle ScholarCross RefCross Ref
  42. Phuc C. Nguyen, Sam Tobin-Hochstadt, and David Van Horn. 2017. Higher order symbolic execution for contract verification and refutation. J. Funct. Program. 27 (2017), e3. Google ScholarGoogle ScholarCross RefCross Ref
  43. Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. 2002a. Isabelle/HOL - A Proof Assistant for Higher-Order Logic. Lecture Notes in Computer Science, Vol. 2283. Springer. Google ScholarGoogle ScholarCross RefCross Ref
  44. Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. 2002b. Isabelle/HOL - A Proof Assistant for Higher-Order Logic. Lecture Notes in Computer Science, Vol. 2283. Springer. Google ScholarGoogle ScholarCross RefCross Ref
  45. Ulf Norell. 2007. Towards a practical programming language based on dependent type theory. Ph.D. Dissertation. Department of Computer Science and Engineering, Chalmers University of Technology, SE-412 96 Göteborg, Sweden.Google ScholarGoogle Scholar
  46. Martin Odersky, Olivier Blanvillain, Fengyun Liu, Aggelos Biboudis, Heather Miller, and Sandro Stucki. 2018. Simplicitly: foundations and applications of implicit function types. PACMPL 2, POPL (2018), 42:1–42:29.Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Martin Odersky, Lex Spoon, and Bill Venners. 2008. Programming in Scala: a comprehensive step-by-step guide. Artima Press.Google ScholarGoogle Scholar
  48. Chris Okasaki. 1998. Purely Functional Data Structures. Cambridge University Press.Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. Aleksandar Prokopec and Martin Odersky. 2015. Conc-Trees for Functional and Parallel Programming. In Languages and Compilers for Parallel Computing, LCPC. 254–268. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Jorge Luis Sacchini. 2013. Type-Based Productivity of Stream Definitions in the Calculus of Constructions. In 28th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2013, New Orleans, LA, USA, June 25-28, 2013. IEEE Computer Society, 233–242. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Georg Stefan Schmid and Viktor Kunčak. 2016. SMT-Based Checking of Predicate-Qualified Types for Scala. In Scala Symposium.Google ScholarGoogle Scholar
  52. Matthieu Sozeau. 2010. Equations: A Dependent Pattern-Matching Compiler. In Interactive Theorem Proving, First International Conference, ITP 2010, Edinburgh, UK, July 11-14, 2010. Proceedings (Lecture Notes in Computer Science), Matt Kaufmann and Lawrence C. Paulson (Eds.), Vol. 6172. Springer, 419–434. Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. Matthieu Sozeau, Abhishek Anand, Simon Boulier, Cyril Cohen, Yannick Forster, Fabian Kunze, Gregory Malecha, Nicolas Tabareau, and Théo Winterhalter. 2019. The MetaCoq Project. (June 2019). https://hal.inria.fr/hal- 02167423 working paper or preprint.Google ScholarGoogle Scholar
  54. Philippe Suter, Ali Sinan Köksal, and Viktor Kuncak. 2011. Satisfiability Modulo Recursive Programs. In Static Analysis Symposium (SAS).Google ScholarGoogle Scholar
  55. Nikhil Swamy, Joel Weinberger, Cole Schlesinger, Juan Chen, and Benjamin Livshits. 2013. Verifying higher-order programs with the dijkstra monad. ACM SIGPLAN Conference on Programming Language Design and Implementation (2013), 387. Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. W. W. Tait. 1967. Intensional interpretations of functionals of finite type I. Journal of Symbolic Logic 32, 2 (1967), 198–212. Google ScholarGoogle ScholarCross RefCross Ref
  57. Niki Vazou, Patrick Maxim Rondon, and Ranjit Jhala. 2013. Abstract Refinement Types. In European Symposium on Programming, ESOP. Google ScholarGoogle ScholarDigital LibraryDigital Library
  58. Niki Vazou, Eric L. Seidel, Ranjit Jhala, Dimitrios Vytiniotis, and Simon Peyton-Jones. 2014. Refinement Types for Haskell. In International Conference on Functional Programming, ICFP. 269–282. Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. Niki Vazou, Anish Tondwalkar, Vikraman Choudhury, Ryan G. Scott, Ryan R. Newton, Philip Wadler, and Ranjit Jhala. 2018. Refinement reflection: complete verification with SMT. PACMPL 2, POPL (2018), 53:1–53:31. Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. Nicolas Voirol. 2019. Verifying Functional Programs. Ph.D. Dissertation. EPFL.Google ScholarGoogle Scholar
  61. Nicolas Voirol, Etienne Kneuss, and Viktor Kuncak. 2015. Counter-example complete verification for higher-order functions. In Symposium on Scala, Scala 2015. 18–29. Google ScholarGoogle ScholarDigital LibraryDigital Library
  62. Hongwei Xi. 2001. Dependent Types for Program Termination Verification. In 16th Annual IEEE Symposium on Logic in Computer Science, Boston, Massachusetts, USA, June 16-19, 2001, Proceedings. 231–242. Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. System FR: formalized foundations for the stainless verifier

            Recommendations

            Comments

            Login options

            Check if you have access through your login credentials or your institution to get full access on this article.

            Sign in

            Full Access

            PDF Format

            View or Download as a PDF file.

            PDF

            eReader

            View online with eReader.

            eReader
            About Cookies On This Site

            We use cookies to ensure that we give you the best experience on our website.

            Learn more

            Got it!