Logical Step-Indexed Logical Relations

Relational program veri cation is a variant of program veri cation where one can reason about two programs and as a special case about two executions of a single program on di erent inputs. Relational program veri cation can be used for reasoning about a broad range of properties, including equivalence and re nement, and specialized notions such as continuity, information ow security or relative cost. In a higher-order se ing, relational program veri cation can be achieved using relational re nement type systems, a form of re nement types where assertions have a relational interpretation. Relational re nement type systems excel at relating structurally equivalent terms but provide limited support for relating terms with very di erent structures.We present a logic, called Relational Higher Order Logic (RHOL), for proving relational properties of a simply typed λ-calculus with inductive types and recursive de nitions. RHOL retains the type-directed avour of relational re nement type systems but achieves greater expressivity through rules which simultaneously reason about the two terms as well as rules which only contemplate one of the two terms. We show that RHOL has strong foundations, by proving an equivalence with higher-order logic (HOL), and leverage this equivalence to derive key meta-theoretical properties: subject reduction, admissibility of a transitivity rule and set-theoretical soundness. Moreover, we de ne sound embeddings for several existing relational type systems such as relational re nement types and type systems for dependency analysis and relative cost, and we verify examples that were out of reach of prior work. ACM Reference format:Contributions. We present a new logic, called Relational Higher Order Logic (RHOL, § 5), for reasoning about relational properties of higher-order programs wri en in a variant of Plotkin's PCF ( § 2). e logic manipulates judgments of the form:where Γ is a simply typed context, σ 1 and σ 2 are (possibly di erent) simple types, t 1 and t 2 are terms, Ψ is a set of assertions, and ϕ is an assertion. Our logic retains the type-directed nature of (relational) re nement type systems, and features typing rules for reasoning about structurally similar terms. However, disentangling types from assertions also makes it possible to de ne type-directed rules operating on a single term (le or right) of the judgment. is confers great expressivity to the logic, without signi cantly a ecting its type-directed nature, and opens the possibility to alternate freely between two-sided and one-sided reasoning, as done in rst-order imperative languages. e validity of judgments is expressed relative to a set-theoretical semantics-our variant of PCF is restricted to terms which admit a set-theoretical semantics, including strongly normalizing terms. More precisely, a judgment Γ | Ψ ⊢ t 1 : σ 1 ∼ t 2 : σ 2 | ϕ is valid if for every valuation ρ (mapping variables in the context Γ to elements in the interpretation of their types), the interpretation of ϕ is true whenever the interpretation of (a...

Section: Introductionmentioning

confidence: 93%

A relational logic for higher-order programs

Aguirre

Barthe

Gaboardi

et al. 2017

“…Here, we follow the style of recent łlogicalž accounts of step-indexed logical relations [Dreyer et al 2011[Dreyer et al , 2010Krogh-Jespersen et al 2017;Turon et al 2013], interpreting λ Rust types as predicates on values expressed in a rich program logic (see ğ4 and Challenge #1 below), and interpreting λ Rust typing judgments as logical entailments between these predicates (see ğ7). With our semantic modelÐwhich we call RustBeltÐin hand, the proof of safety of λ Rust divides into three parts:…”

Section: Rustbelt: An Extensible Semantic Approach To Proving Soundnmentioning

confidence: 99%

RustBelt: securing the foundations of the Rust programming language

Jung

Jourdan

Krebbers

et al. 2017

Self Cite

241

170

Rust is a new systems programming language that promises to overcome the seemingly fundamental tradeoff between high-level safety guarantees and low-level control over resource management. Unfortunately, none of Rust's safety claims have been formally proven, and there is good reason to question whether they actually hold. Specifically, Rust employs a strong, ownership-based type system, but then extends the expressive power of this core type system through libraries that internally use unsafe features. In this paper, we give the first formal (and machine-checked) safety proof for a language representing a realistic subset of Rust. Our proof is extensible in the sense that, for each new Rust library that uses unsafe features, we can say what verification condition it must satisfy in order for it to be deemed a safe extension to the language. We have carried out this verification for some of the most important libraries that are used throughout the Rust ecosystem.

“…Logical relations and bisimulations. Many semantic techniques have been proposed for reasoning about relational properties such as observational equivalence, including techniques based on binary logical relations [Ahmed et al 2009;Benton et al 2009Benton et al , 2013Benton et al , 2014Dreyer et al 2010Dreyer et al , 2011Dreyer et al , 2012Mitchell 1986], bisimulations [Dal Lago et al 2017;Koutavas and Wand 2006;Sangiorgi et al 2011;Sumii 2009] and combinations thereof [Hur et al 2012[Hur et al , 2014. While these powerful techniques are often not directly automated, they can still be used for verification [Timany and Birkedal 2019] and for providing semantic correctness proofs for relational program logics [Dreyer et al 2010[Dreyer et al , 2011 and other verification tools [Benton et al 2016;Gavazzo 2018].…”

Section: Related Workmentioning

confidence: 99%

The next 700 relational program logics

Maillard

Hriţcu

Rivas

et al. 2019

We propose the first framework for defining relational program logics for arbitrary monadic effects. The framework is embedded within a relational dependent type theory and is highly expressive. At the semantic level, we provide an algebraic characterization for relational specifications as a class of relative monads, and link computations and specifications by introducing relational effect observations, which map pairs of monadic computations to relational specifications in a way that respects the algebraic structure. For an arbitrary relational effect observation, we generically define the core of a sound relational program logic, and explain how to complete it to a full-fledged logic for the monadic effect at hand. We show that by instantiating our framework with state and unbounded iteration we can embed a variant of Benton's Relational Hoare Logic, and also sketch how to reconstruct Relational Hoare Type Theory. Finally, we identify and overcome conceptual challenges that prevented previous relational program logics from properly dealing with effects such as exceptions, and are the first to provide a proper semantic foundation and a relational program logic for exceptions.