Refinement through restraint: bringing down the cost of verification

O'ConnorLiam,; ChenZilin,; RizkallahChristine,; AmaniSidney,; LimJapheth,; MurrayToby,; Nagashima, Yutaka; SewellThomas,; Klein, Gerwin

doi:10.1145/3022670.2951940

Cited by 4 publications

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Programming Language Foundations in Agda

Wadler

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

One of the leading textbooks for formal methods is Software Foundations (SF), written by Benjamin Pierce in collaboration with others, and based on Coq. After five years using SF in the classroom, I have come to the conclusion that Coq is not the best vehicle for this purpose, as too much of the course needs to focus on learning tactics for proof derivation, to the cost of learning programming language theory. Accordingly, I have written a new textbook, Programming Language Foundations in Agda (PLFA). PLFA covers much of the same ground as SF, although it is not a slavish imitation. What did I learn from writing PLFA? First, that it is possible. One might expect that without proof tactics that the proofs become too long, but in fact proofs in PLFA are about the same length as those in SF. Proofs in Coq require an interactive environment to be understood, while proofs in Agda can be read on the page. Second, that constructive proofs of preservation and progress give immediate rise to a prototype evaluator. This fact is obvious in retrospect but it is not exploited in SF (which instead provides a separate normalise tactic) nor can I find it in the literature. Third, that using raw terms with a separate typing relation is far less perspicuous than using inherently-typed terms. SF uses the former presentation, while PLFA presents both; the former uses about 1.6 as many lines of Agda code as the latter, roughly the golden ratio. The textbook is written as a literate Agda script, and can be found here: http://plfa.inf.ed.ac.uk

show abstract

Programming Language Foundations in Agda

Wadler

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Formalising Executable Specifications of Low-Level Systems

Torrini

Nowak

Jomaa

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Formal models of low-level applications rely often on the distinction between executable layer and underlying hardware abstraction. This is also the case for the model of Pip, a separation kernel formalised and verified in Coq using a shallow embedding. DEC is a deeply embedded imperative typed language with primitive recursion and specified in terms of small-step semantics, which we developed in Coq as a reified counterpart of the shallow embedding used for Pip. In this paper, we introduce DEC and its semantics, we present its interpreter based on the type soundness proof and extracted to Haskell, we introduce a Hoare logic to reason about DEC code, and we use this logic to verify properties of Pip as a case study, comparing the new proofs with those based on the shallow embedding. Notably DEC can import shallow specifications as external functions, thus allowing for reuse of the abstract hardware model. 1 2

show abstract