Meta-F $$^\star $$ : Proof Automation with SMT, Tactics, and Metaprograms

Martínez, Guido; Ahman, Danel; Dumitrescu, Victor; Giannarakis, Nick; Hawblitzel, Chris; Hriţcu, Cătălin; Narasimhamurthy, Monal; Paraskevopoulou, Zoe; Pit-Claudel, Clément; Protzenko, Jonathan; Ramananandro, Tahina; Rastogi, Aseem; Swamy, Nikhil

doi:10.1007/978-3-030-17184-1_2

Cited by 22 publications

(10 citation statements)

References 61 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To aid language creators in writing down and carrying out proofs about structural semantics, many tools exist. [26][27][28] Coq, 27 for example, is an interactive proof assistant. The tool allows language designers to write a mathematically rigorous definition of their language.…”

Section: Semantics Engineering Toolsmentioning

confidence: 99%

GraphRedex: Look at your research

Singh

Scholliers

2021

Softw Pract Exp

View full text Add to dashboard Cite

A significant aspect of designing new programming languages is to define their operational semantics. Working with a pen and paper version of such a semantics is notoriously difficult. For this reason, tools for computer aided semantics engineering were created. Many of these tools allow programmers to execute their language's operational semantics. An executable semantics makes it easier to verify whether the execution of a program leads to the desired result. When a program exhibits unexpected behavior, the programmer can consult the reduction graph to see what went wrong. Unfortunately, visualization of these graphs is currently not well-supported by most tools. Consequently, the comprehension of errors remains challenging. In this article, we present GraphRedex an open-source tool that empowers language designers to interactively explore their reduction graphs, offering three main benefits. First, a global exploration mode allows users to obtain a bird's-eye overview of the reduction graph and learn its high level workings. Second, a local exploration mode lets the programmer closely interact with the individual reduction rules. Third, our query interface allows the programmer to filter out and highlight specific regions of the reduction graph. We evaluated our tool by carrying out a user study showing that participants comprehend programs on average twice as fast while being able to answer questions more accurately. Finally, we demonstrate how GraphRedex helps to understand the semantics of two published works. Exploration of the semantics with GraphRedex unveiled an issue in one of the implementations of these works, which the author confirmed.

show abstract

Section: Semantics Engineering Toolsmentioning

confidence: 99%

GraphRedex: Look at your research

Singh

Scholliers

2021

Softw Pract Exp

View full text Add to dashboard Cite

show abstract

“…This section defines lattices and abstract domains. Such structures are a natural fit for typeclasses [12], which allow for ad hoc polymorphism. In our case, it means that we can have one abstraction for lattices for instance, and then instantiate this abstraction with implementations for, say, sets of integers, then intervals, etc.…”

Section: Abstract Domainsmentioning

confidence: 99%

Verified Functional Programming of an Abstract Interpreter

Franceschino,

Pichardie,

Talpin

2021

Preprint

View full text Add to dashboard Cite

interpreters are complex pieces of software: even if the abstract interpretation theory and companion algorithms are well understood, their implementations are subject to bugs, that might question the soundness of their computations. While some formally verified abstract interpreters have been written in the past, writing and understanding them requires expertise in the use of proof assistants, and requires a non-trivial amount of interactive proofs. This paper presents a formally verified abstract interpreter fully programmed and proved correct in the F* verified programming environment. Thanks to F* refinement types and SMT prover capabilities we demonstrate a substantial saving in proof effort compared to previous works based on interactive proof assistants. Almost all the code of our implementation, proofs included, written in a functional style, are presented directly in the paper.

show abstract

“…Meta-F ★ is a recent extension of F ★ [26] that allows the programmer to script the F ★ compiler using user-written F ★ programs, an approach known as elaborator reflection and pioneered by Lean [17] and Idris [15]. Meta-F ★ offers, by design, a safe API for term manipulation, meaning it re-checks the results of meta-program execution: if a meta-program attempts to synthesize an ill-typed term, F ★ aborts.…”

Section: Scaling Cryptographic Verificationmentioning

confidence: 99%

“…Tactics are not part of the trusted computing base ( §2); unlike, say, MTac2 [23], Meta-F ★ [26] does not allow the user to prove properties about tactics, trading provable correctness for ease-of-use and programmer productivity.…”

Section: Usability Of Tacticsmentioning

confidence: 99%

Zero-cost meta-programmed stateful functors in F*

Ho¹,

Fromherz²,

Protzenko³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

We present zero-cost, high-level F ★ functors and their compilation to low-level, efficient C code. Thanks to a combination of partial evaluation, fine-grained control of reduction, and tactic-driven C++ template-like metaprogramming, we provide the programmer with a toolkit that dramatically reduces the proof-to-code ratio, brings out the essence of algorithmic and implementation agility, and allows substantial code reuse while remaining at a very high-level of abstraction. None of our techniques require modifying the F ★ compiler.We describe a systematic process to develop functors, and illustrate it with the streaming functor, which wraps an errorprone, cryptographic block API by hiding internal buffering and state machine management to prevent C programmer mistakes. We apply this functor to 10 implementations from the HACL ★ [31] cryptographic library. We then write a tactic to automate the functor encoding, allowing the programmer to author multi-argument functors with a deeply nested call graph without any syntactic overhead. We apply this general tactic on 5 algorithms from HACL ★ , yielding over 30 specialized functor applications. We use as an example Curve25519, a complex algorithm whose final, specialized version we express as nested functor applications.

show abstract

Meta-F $$^\star $$ : Proof Automation with SMT, Tactics, and Metaprograms

Cited by 22 publications

References 61 publications

GraphRedex: Look at your research

GraphRedex: Look at your research

Verified Functional Programming of an Abstract Interpreter

Zero-cost meta-programmed stateful functors in F*

Contact Info

Product

Resources

About