Past, Present and Future of Nuprl
Vincent Rahli
http://www.nuprl.org
http://www.cs.cornell.edu/~rahli/
May 30, 2017
Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 1/72
My collaborators
- PRL group: Abhishek Anand, Mark Bickford, Robert L. Constable, Richard Eaton, Vincent Rahli
- ATC-NY: David Guaspari, Matt Stillerman
- System group: Robbert van Renesse, Nicolas Schiper
Nuprl Environment
- Distributed
- Runs in the cloud
- Structure editor
- Tactic language: Classic ML
- Shared library
Nuprl Stack
Nuprl Types
Based on Martin-Löf's extensional type theory
- Equality: a = b ∈ T
- Dependent product: a : A → B[a]
- Dependent sum: a : A × B[a]
- Universe: U_i
Nuprl Types
Less "conventional" types:
- Partial: Ā
- Domain: Base
- Disjoint union: A + B
- Simulation: t1 ≤ t2
- Intersection: ∩ a : A . B[a]
- Bisimulation: t1 ∼ t2
- Union: ∪ a : A . B[a]
- Image: Img(A, f)
- Subset: { a : A | B[a] }
- PER: per(R)
- Quotient: T // E
Nuprl Types
Image type (Nogin & Kopylov)
- Subset: { a : A | B[a] } = Img(a : A × B[a], π1)
- Union: ∪ a : A . B[a] = Img(a : A × B[a], π2)
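As an added illustration of the two encodings above (example code written for this page, not code from the slides or from the Nuprl library): a finite-set model in Python in which a type is a set of values, a : A × B[a] is the set of pairs (a, b) with b in B[a], and Img(T, f) is the plain image of T under f. That set model is an assumption made for the demonstration, since Nuprl's Img is a type whose equality is a partial equivalence relation on terms rather than a set of values, but it lets both equations be checked on concrete data; the sample families even_family and shift_family are constructed for the demo.

```python
"""Finite-set model of the image-type encodings of slide 7.
Example code added here, not code from the Nuprl library; the set model,
the sample families and the function names are assumptions for the demo."""

AX = 'Ax'   # stands for the axiom term Ax, the sole inhabitant of Unit


def dependent_sum(A, B):
    """a : A × B[a], modelled as the set of pairs (a, b) with b in B(a)."""
    return {(a, b) for a in A for b in B(a)}


def img(T, f):
    """Img(T, f): the image of T under f (set model of the image type)."""
    return {f(t) for t in T}


def pi1(pair):
    return pair[0]


def pi2(pair):
    return pair[1]


def subset_via_img(A, B):
    """{ a : A | B[a] } = Img(a : A × B[a], π1): the first components of all
    pairs, i.e. exactly those a whose B[a] is inhabited."""
    return img(dependent_sum(A, B), pi1)


def union_via_img(A, B):
    """∪ a : A . B[a] = Img(a : A × B[a], π2): the second components, i.e.
    every b that belongs to some B[a]."""
    return img(dependent_sum(A, B), pi2)


def subset_direct(A, B):
    """Reference definition: the a in A for which B[a] has an inhabitant."""
    return {a for a in A if B(a)}


def union_direct(A, B):
    """Reference definition: the union of all the B[a]."""
    out = set()
    for a in A:
        out |= B(a)
    return out


def encodings_agree(A, B):
    """Check both equations of slide 7 for one family B over A."""
    return (subset_via_img(A, B) == subset_direct(A, B)
            and union_via_img(A, B) == union_direct(A, B))


# Constructed sample data for the demo.
A = set(range(6))                   # A = {0, ..., 5}


def even_family(a):
    """B[a] = Unit when a is even, Void otherwise (gives a subset type)."""
    return {AX} if a % 2 == 0 else set()


def shift_family(a):
    """B[a] = {a, a + 10} (gives a union with two members per index)."""
    return {a, a + 10}


if __name__ == '__main__':
    print(sorted(subset_via_img(A, even_family)))   # [0, 2, 4]
    print(sorted(union_via_img(A, shift_family)))   # [0, 1, 2, 3, 4, 5, 10, 11, 12, 13, 14, 15]
    print(encodings_agree(A, even_family), encodings_agree(A, shift_family))
```

In the model the subset encoding works because π1 forgets the witness b but can only be applied when a witness exists, and the union encoding works because π2 forgets which index a the value came from; both facts are exactly what the Img type expresses in Nuprl.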
Nuprl Types
PER type (extensional)
- Void = per(λ_,_. 1 ≤ 0)
- Top = per(λ_,_. 0 ≤ 0)
- halts(t) = Ax ≤ (let x := t in Ax)
- A ⊓ B = ∩ x : Base . ∩ y : halts(x) . isaxiom(x, A, B)
- T // E = per(λ x, y . (x ∈ T) ⊓ (y ∈ T) ⊓ (E x y))
Nuprl Types
Squashing
- { Unit | T } (equivalently Img(T, λ_. Ax)) = per(λ x . λ y . Ax ≤ x ⊓ Ax ≤ y ⊓ T)
- T // True = per(λ x . λ y . x ∈ T ⊓ y ∈ T)
- ∩ x : ¬T . Void = per(λ_. λ_. T)
Nuprl Types
Recursive types
- Used to have Mendler's recursive types.
- Still consistent?
- Indexed W types from bar induction.
Nuprl Types
- A rich type language facilitates specification
- ... but makes type-checking harder
Refinements
Nuprl's proof engine is called a refiner: a generic goal-directed reasoner made of
- a rule interpreter
- a proof manager
Example of a rule:
  H ⊢ a : A → B[a] ⌊ext λ x . b⌋
  BY [lambdaFormation]
  H, x : A ⊢ B[x] ⌊ext b⌋
  H ⊢ A ∈ U_i ⌊ext Ax⌋
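The rule above, run through a toy refiner (example code added here, not Nuprl's refiner or any of its library code). A rule maps a goal to its subgoals plus a function that assembles the goal's extract from the subgoals' extracts, which is how the ⌊ext ...⌋ annotations compose; the tuple grammar for terms, the universe level fixed at 1, the demo rules `hypothesis` and `base_type_membership`, and the shape-directed `prove` tactic are all assumptions made for the demonstration.

```python
"""A toy goal-directed refiner modelled on the lambdaFormation rule of slide 13.
Example code added here, not Nuprl's refiner: the term grammar, the fixed
universe level and the extra demo rules are assumptions for the demo."""

from dataclasses import dataclass

# Terms and types are tagged tuples (constructed for this demo):
#   ('var', x)           variable            ('lam', x, body)    λx. body
#   ('ax',)              Ax                  ('pi', a, A, B)     a:A → B[a]
#   ('univ', i)          U_i                 ('member', A, T)    A ∈ T
#   ('base', name)       a named base type


@dataclass(frozen=True)
class Sequent:
    hyps: tuple    # ((name, type), ...) in order, i.e. H
    concl: tuple   # the type to inhabit


def subst(term, var, value):
    """Substitute `value` for the free occurrences of `var` in `term`."""
    if term[0] == 'var':
        return value if term[1] == var else term
    if term[0] in ('lam', 'pi') and term[1] == var:
        return term  # `var` is rebound here, so nothing below is free
    return (term[0],) + tuple(subst(t, var, value) if isinstance(t, tuple) else t
                              for t in term[1:])


def fresh(hyps, base):
    """Pick a hypothesis name not already declared in H."""
    used = {n for n, _ in hyps}
    name, i = base, 0
    while name in used:
        i += 1
        name = f'{base}{i}'
    return name


# A rule takes a goal and returns (subgoals, build), where build turns the
# list of subgoal extracts into the goal's extract.

def lambda_formation(goal):
    """H ⊢ a:A → B[a] ⌊ext λx.b⌋ BY lambdaFormation
         H, x:A ⊢ B[x]  ⌊ext b⌋
         H ⊢ A ∈ U_i    ⌊ext Ax⌋      (i fixed to 1 in this demo)"""
    if goal.concl[0] != 'pi':
        raise ValueError('lambdaFormation applies only to a Π goal')
    _, a, A, B = goal.concl
    x = fresh(goal.hyps, a)
    sub1 = Sequent(goal.hyps + ((x, A),), subst(B, a, ('var', x)))
    sub2 = Sequent(goal.hyps, ('member', A, ('univ', 1)))
    return [sub1, sub2], lambda ext: ('lam', x, ext[0])


def hypothesis(goal):
    """H, x:T, H' ⊢ T ⌊ext x⌋ (demo rule, no subgoals; latest match wins)."""
    for name, ty in reversed(goal.hyps):
        if ty == goal.concl:
            return [], lambda ext: ('var', name)
    raise ValueError(f'no hypothesis matches {goal.concl}')


def base_type_membership(goal):
    """H ⊢ A ∈ U_i ⌊ext Ax⌋ for a named base type A (demo well-formedness rule)."""
    tag, A, U = goal.concl
    if tag != 'member' or A[0] != 'base' or U[0] != 'univ':
        raise ValueError('base_type_membership applies only to A ∈ U_i')
    return [], lambda ext: ('ax',)


def prove(goal):
    """Tiny tactic: pick a rule from the goal's shape, refine the subgoals
    recursively, and return the extract the finished proof tree justifies."""
    if goal.concl[0] == 'pi':
        rule = lambda_formation
    elif goal.concl[0] == 'member':
        rule = base_type_membership
    else:
        rule = hypothesis
    subgoals, build = rule(goal)
    return build([prove(g) for g in subgoals])


def pretty(term):
    """Print an extract in λ-notation."""
    if term[0] == 'var':
        return term[1]
    if term[0] == 'ax':
        return 'Ax'
    if term[0] == 'lam':
        return f'λ{term[1]}. {pretty(term[2])}'
    raise ValueError(term)


A_TYPE, B_TYPE = ('base', 'A'), ('base', 'B')
# ⊢ x:A → y:B → A : the extract is the K combinator.
K_GOAL = Sequent((), ('pi', 'x', A_TYPE, ('pi', 'y', B_TYPE, A_TYPE)))
# ⊢ x:A → x:B → B : the inner binder must be renamed to avoid clashing with x:A.
SHADOW_GOAL = Sequent((), ('pi', 'x', A_TYPE, ('pi', 'x', B_TYPE, B_TYPE)))

if __name__ == '__main__':
    print(pretty(prove(K_GOAL)))        # λx. λy. x
    print(pretty(prove(SHADOW_GOAL)))   # λx. λx1. x1
```

The refiner never needs to type-check the extract it produces: the well-formedness subgoal H ⊢ A ∈ U_i is part of the rule, so a proof tree that closes only with valid rules justifies its extract by construction, which is exactly why the validity of the rules themselves (the topic of the later "Nuprl in Coq" slides) matters so much.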
Recent projects
- What evidence do we have that (distributed) systems are correct? A platform to develop and reason about distributed systems.
- What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.
Distributed systems are ubiquitous
Distributed Systems
What evidence do we have that these systems are correct?
- Type checking
- Testing
- Model checking
- Theorem proving
Distributed Systems
- Distributed systems are hard to specify, implement and verify.
- We need to tolerate failures.
- It is hard to test all possible scenarios.
- Model checking suffers from state-space explosion.
- Model checking is often done on abstractions of the code rather than on the code itself.
Distributed Systems
We use Nuprl as a specification, programming and verification language.
- Programming interface: a constructive specification language called EventML
- Verification methodology
Distributed Systems
- A logic of events implemented in Nuprl.
- Specified, verified, and generated consensus protocols (e.g., Paxos) using EventML.
- Aneris: a totally ordered broadcast service.
- ShadowDB: a replicated database with 2 parametrizable replication protocols (PBR & SMR) built on top of Aneris.
- Improved performance without introducing bugs.
- We get decent performance.
Distributed Systems — Big picture
Distributed Systems — Message sequence diagram
See: Paxos Made Moderately Complex
Distributed Systems — Combinators
Distributed Systems — Verification
We use causal induction + inductive logical forms (ILFs) + state machine invariants
Distributed Systems — EventML
EventML for Paxos Synod:
  ...
  agent Leader = SpawnFirstScout || ((LeaderPropose || LeaderAdopted) >>= Commander) || (LeaderPreempted >>= Scout) ;;
  main Leader @ ldrs || Acceptor @ accpts
Distributed Systems — Code generation
Efficiency?
- January 2012: 2 seconds per transaction
- Revamped the whole system.
- June 2012: 500 milliseconds per transaction
- Optimization/compilation to Lisp.
- End of 2012: 60 milliseconds per transaction (interpreted), 9 milliseconds per transaction (compiled)
Distributed Systems — What next?
Correctness
- What evidence do we have that these distributed systems are correct? A platform to develop and reason about distributed systems.
- What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.
Nuprl in Coq — Our initial motivation
We build theorem provers to prove programs' correctness
... but don't use them to prove their own correctness
Nuprl in Coq — Our initial motivation
How do we know that our systems are sound? How do we safely extend them?
- Proofs mostly carried out on paper.
- Not carried out in full detail.
- Spread over several papers/PhD theses.
- Precise metatheory, precise account of Nuprl.
Nuprl in Coq — Our initial motivation
- Agda & Coq: 2013/2014, bug in their termination checker
- Nuprl: invalid rules
How can we be sure that these rules are valid?
Nuprl's PER semantics (where types are defined as partial equivalence relations on terms) in Coq and Agda.