robbert krebbers, tu delft - groups.inf.ed.ac.uk · iris [jung, krebbers et al.;...
TRANSCRIPT
![Page 1: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/1.jpg)
1
Verifying functional correctnessof message-passing programs in Coq
Robbert Krebbers, TU Delft
Joint work withJonas Kastberg Hinrichsen, ITU
Jesper Bengtson, ITU
4 June 2020 @ VEST Workshop, Online
![Page 2: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/2.jpg)
2
Type checking message-passing programs using session types
Example program:
let (c , c ′) = new chan () infork {let x = recv c ′ in send c ′ (x + 2)} ;send c 40; recv c
Session types:c : !N.?N.end and c ′ : ?N.!N.end
Properties obtained:
�3 Type safety / session fidelity
�7 Functional correctness
![Page 3: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/3.jpg)
3
How to prove functional correctness of message-passing programs
CombineI Session Types [ Honda et al., ESOP’98 ]
I Type system for channelsI Example: !N.?N.endI Ensures safety automatically through static type checking
I Concurrent Separation Logic [ O’Hearn & Brooks, CONCUR’04 ]I Logic for reasoning about concurrent programs with mutable state.I Example: {x 7→ a ∗ y 7→ b} swap x y {x 7→ b ∗ y 7→ a}I Establish functional correctness through interactive or semi-automated proofs
![Page 4: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/4.jpg)
4
Actris [Kastberg Hinrichsen, Bengtson, Krebbers; POPL’20]
A concurrent separation logic for proving functional correctness of programs thatcombine message passing with other programming and concurrency paradigms
I New notion of dependent separation protocols for reasoning about messagepassing in separation logic
I Integration with Iris and its existing concurrency mechanisms
I Verification of feature-complete programs including a variant of map-reduce
I A full mechanization of all of the above in Coq with tactics for interactiveprogram proofs
![Page 5: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/5.jpg)
5
Dependent separation protocolsDependent separation protocols:
Example:
! (x : N) 〈x〉{10 < x}. ? 〈x + 2〉{True}. end
Protocols:
prot , ! ~x :~τ 〈v〉{P}. prot| ? ~x :~τ 〈v〉{P}. prot| end
Duality:
! ~x :~τ 〈v〉{P}. prot = ? ~x :~τ 〈v〉{P}. prot? ~x :~τ 〈v〉{P}. prot = ! ~x :~τ 〈v〉{P}. prot
end = end
Session types:
Example:
!N.?N.end
Protocols:
st , !T .st
| ?T .st| end
Duality:
!T .st = ?T .st
?T .st = !T .st
end = end
![Page 6: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/6.jpg)
5
Dependent separation protocolsDependent separation protocols:
Example:
! (x : N) 〈x〉{10 < x}. ? 〈x + 2〉{True}. end
Protocols:
prot , ! ~x :~τ 〈v〉{P}. prot| ? ~x :~τ 〈v〉{P}. prot| end
Duality:
! ~x :~τ 〈v〉{P}. prot = ? ~x :~τ 〈v〉{P}. prot? ~x :~τ 〈v〉{P}. prot = ! ~x :~τ 〈v〉{P}. prot
end = end
Session types:
Example:
!N.?N.end
Protocols:
st , !T .st
| ?T .st| end
Duality:
!T .st = ?T .st
?T .st = !T .st
end = end
![Page 7: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/7.jpg)
5
Dependent separation protocolsDependent separation protocols:
Example:
! (x : N) 〈x〉{10 < x}. ? 〈x + 2〉{True}. end
Protocols:
prot , ! ~x :~τ 〈v〉{P}. prot| ? ~x :~τ 〈v〉{P}. prot| end
Duality:
! ~x :~τ 〈v〉{P}. prot = ? ~x :~τ 〈v〉{P}. prot? ~x :~τ 〈v〉{P}. prot = ! ~x :~τ 〈v〉{P}. prot
end = end
Session types:
Example:
!N.?N.end
Protocols:
st , !T .st
| ?T .st| end
Duality:
!T .st = ?T .st
?T .st = !T .st
end = end
![Page 8: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/8.jpg)
6
Proof rules for dependent separation protocols
Dependent separation protocols: Session types:
{True}new chan ()
{(c, c ′). c � prot ∗ c ′� prot}newchan () : st ⊗ st
{c � ! ~x :~τ 〈v〉{P}. prot ∗ P[~t/~x ]}send c (v [~t/~x ])
{c � prot[~t/~x ]}send : (!T .st ⊗ T )( st
{c � ? ~x :~τ 〈v〉{P}. prot}recv c
{w . ∃~t. (w =v [~t/~x ]) ∗ c � prot[~t/~x ] ∗ P[~t/~x ]}recv : ?T .st ( (T ⊗ st)
![Page 9: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/9.jpg)
7
Example – Dependency between messages
Example program:
{True}let (c, c ′) = new chan () infork {let x = recv c ′ in send c ′ (x + 2)} ;send c 40; recv c
{w .w = 42}
Dependent separation protocols:
c � ! (x : N) 〈x〉{True}. ? 〈x + 2〉{True}. end
c ′� ? (x : N) 〈x〉{True}. ! 〈x + 2〉{True}. end
Properties obtained:
�3 Type safety / session fidelity
�3 Functional correctness
![Page 10: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/10.jpg)
7
Example – Dependency between messages
Example program:
{True}let (c, c ′) = new chan () infork {let x = recv c ′ in send c ′ (x + 2)} ;send c 40; recv c
{w .w = 42}
Dependent separation protocols:
c � ! (x : N) 〈x〉{True}. ? 〈x + 2〉{True}. end
c ′� ? (x : N) 〈x〉{True}. ! 〈x + 2〉{True}. end
Properties obtained:
�3 Type safety / session fidelity
�3 Functional correctness
![Page 11: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/11.jpg)
7
Example – Dependency between messages
Example program:
{True}let (c, c ′) = new chan () infork {let x = recv c ′ in send c ′ (x + 2)} ;send c 40; recv c
{w .w = 42}
Dependent separation protocols:
c � ! (x : N) 〈x〉{True}. ? 〈x + 2〉{True}. end
c ′� ? (x : N) 〈x〉{True}. ! 〈x + 2〉{True}. end
Properties obtained:
�3 Type safety / session fidelity
�3 Functional correctness
![Page 12: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/12.jpg)
8
Example – References
Example program:
{True}let (c , c ′) = new chan () infork {let x = recv c ′ in x ← (! x + 2); send c ′ ()} ;let y = ref (40) in send c y ; recv c ; ! y
{w .w = 42}
Dependent separation protocols:
c � ! (` : Loc)(x : N) 〈`〉{` 7→ n}. ? 〈()〉{` 7→ (x + 2)}. end
c ′� ? (` : Loc)(x : N) 〈`〉{` 7→ n}. ! 〈()〉{` 7→ (x + 2)}. end
Properties obtained:
�3 Type safety / session fidelity
�3 Functional correctness
![Page 13: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/13.jpg)
8
Example – References
Example program:
{True}let (c , c ′) = new chan () infork {let x = recv c ′ in x ← (! x + 2); send c ′ ()} ;let y = ref (40) in send c y ; recv c ; ! y
{w .w = 42}
Dependent separation protocols:
c � ! (` : Loc)(x : N) 〈`〉{` 7→ n}. ? 〈()〉{` 7→ (x + 2)}. end
c ′� ? (` : Loc)(x : N) 〈`〉{` 7→ n}. ! 〈()〉{` 7→ (x + 2)}. end
Properties obtained:
�3 Type safety / session fidelity
�3 Functional correctness
![Page 14: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/14.jpg)
8
Example – References
Example program:
{True}let (c , c ′) = new chan () infork {let x = recv c ′ in x ← (! x + 2); send c ′ ()} ;let y = ref (40) in send c y ; recv c ; ! y
{w .w = 42}
Dependent separation protocols:
c � ! (` : Loc)(x : N) 〈`〉{` 7→ n}. ? 〈()〉{` 7→ (x + 2)}. end
c ′� ? (` : Loc)(x : N) 〈`〉{` 7→ n}. ! 〈()〉{` 7→ (x + 2)}. end
Properties obtained:
�3 Type safety / session fidelity
�3 Functional correctness
![Page 15: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/15.jpg)
9
Soundness of Actris
If {True} e {v . φ(v)} is provable in Actris then:
�3 Type safety/session fidelity: e will not crash and not send wrong messages
�3 Functional correctness: If e terminates with v , the postcondition φ(v) holds
Obtained by modeling Actris as an embedded domain-specific logic in Iris
![Page 16: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/16.jpg)
9
Soundness of Actris
If {True} e {v . φ(v)} is provable in Actris then:
�3 Type safety/session fidelity: e will not crash and not send wrong messages
�3 Functional correctness: If e terminates with v , the postcondition φ(v) holds
Obtained by modeling Actris as an embedded domain-specific logic in Iris
![Page 17: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/17.jpg)
10
Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18]
A powerful, general, language-independent, framework for modelingyour own domain specific higher-order separation logics withpowerful tactics in Coq
I Powerful: supports reasoning about intricate concurrentprograms
I General: unifies the reasoning principles in many other logics
I Language-independent: parameterized by the language
I Modeling logics: can be used to model domain-specific logics
I Tactics in Coq: for interactive correctness proofs of programs
![Page 18: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/18.jpg)
10
Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18]
A powerful, general, language-independent, framework for modelingyour own domain specific higher-order separation logics withpowerful tactics in Coq
I Powerful: supports reasoning about intricate concurrentprograms
I General: unifies the reasoning principles in many other logics
I Language-independent: parameterized by the language
I Modeling logics: can be used to model domain-specific logics
I Tactics in Coq: for interactive correctness proofs of programs
![Page 19: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/19.jpg)
10
Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18]
A powerful, general, language-independent, framework for modelingyour own domain specific higher-order separation logics withpowerful tactics in Coq
I Powerful: supports reasoning about intricate concurrentprograms
I General: unifies the reasoning principles in many other logics
I Language-independent: parameterized by the language
I Modeling logics: can be used to model domain-specific logics
I Tactics in Coq: for interactive correctness proofs of programs
![Page 20: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/20.jpg)
10
Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18]
A powerful, general, language-independent, framework for modelingyour own domain specific higher-order separation logics withpowerful tactics in Coq
I Powerful: supports reasoning about intricate concurrentprograms
I General: unifies the reasoning principles in many other logics
I Language-independent: parameterized by the language
I Modeling logics: can be used to model domain-specific logics
I Tactics in Coq: for interactive correctness proofs of programs
![Page 21: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/21.jpg)
10
Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18]
A powerful, general, language-independent, framework for modelingyour own domain specific higher-order separation logics withpowerful tactics in Coq
I Powerful: supports reasoning about intricate concurrentprograms
I General: unifies the reasoning principles in many other logics
I Language-independent: parameterized by the language
I Modeling logics: can be used to model domain-specific logics
I Tactics in Coq: for interactive correctness proofs of programs
![Page 22: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/22.jpg)
10
Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18]
A powerful, general, language-independent, framework for modelingyour own domain specific higher-order separation logics withpowerful tactics in Coq
I Powerful: supports reasoning about intricate concurrentprograms
I General: unifies the reasoning principles in many other logics
I Language-independent: parameterized by the language
I Modeling logics: can be used to model domain-specific logics
I Tactics in Coq: for interactive correctness proofs of programs
![Page 23: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/23.jpg)
11
Implementation and model of Actris in Iris
Approach:
I Implement new chan, send, and recv as a library using lock-protected buffers
I Define c � prot using Iris’s invariant and ghost state machinery
I Prove Actris’s proof rules as lemmas in Iris
Benefits:
�3 Can readily reuse all powerful reasoning mechanisms of Iris
�3 Can readily reuse Iris’s support for interactive proofs in Coq
�3 Actris’s soundness result is a corollary of Iris’s soundness
�3 Very small Coq mechanization(200 lines for channel implementation and proofs, 1000 lines for the definition and proof
rules of c � prot, 450 lines for Coq tactics specific for message passing)
![Page 24: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/24.jpg)
11
Implementation and model of Actris in Iris
Approach:
I Implement new chan, send, and recv as a library using lock-protected buffers
I Define c � prot using Iris’s invariant and ghost state machinery
I Prove Actris’s proof rules as lemmas in Iris
Benefits:
�3 Can readily reuse all powerful reasoning mechanisms of Iris
�3 Can readily reuse Iris’s support for interactive proofs in Coq
�3 Actris’s soundness result is a corollary of Iris’s soundness
�3 Very small Coq mechanization(200 lines for channel implementation and proofs, 1000 lines for the definition and proof
rules of c � prot, 450 lines for Coq tactics specific for message passing)
![Page 25: Robbert Krebbers, TU Delft - groups.inf.ed.ac.uk · Iris [Jung, Krebbers et al.; POPL’15,ICFP’16,ESOP’17,JFP’18] Apowerful,general,language-independent, framework formodeling](https://reader034.vdocuments.site/reader034/viewer/2022050213/5f5f98b6f869ea1e905082ca/html5/thumbnails/25.jpg)
12
Demo in Coq