First steps towards a semantic type system for CakeML
Hrutvik Kanabar, University of Kent. January 23, 2020.
Supervised by Scott Owens. Supported by the UK Research Institute in Verified Trustworthy Software Systems (VeTSS).
Showing a CakeML program is safe
CakeML
Introduction to CakeML
• A verified implementation of ML
• Formally specified
• Implemented using HOL4
• Verified, bootstrappable compiler
Compiler Correctness
$\forall\,\_.\ \mathit{semantics}(\_) \neq \mathit{Error} \implies \mathit{semantics}(\_) = \mathit{semantics\_x86}(\mathit{compile}(\_))$
Guaranteeing Well-defined Semantics
$\mathit{semantics}(\_) \neq \mathit{Error}$?
• HOL $\xrightarrow{\text{translate}}$ CakeML + proof (Fast imperative code? Non-termination?)
• $\{P\}\ \mathit{cf}(e)\ \{\lambda v.\ Q\}$ (Proof effort?)
• $\Gamma \vdash e : \,?$ + sound($\_ \vdash \_ : \_$)
Semantic typing
Syntactic . . .
$\Gamma \vdash e : \tau$: e “looks like” it has type τ
. . . Becomes Semantic
$\Gamma \vDash e : \tau$: e “behaves like” it has type τ, i.e. e is safe to use as if it has type τ
Logical Relations
• Type-indexed family of predicates on terms
• Step-indexed (“fuelled”) for impredicativity
• Compositional: $R_{\tau_1 \to \tau_2}(e_1) \wedge R_{\tau_1}(e_2) \implies R_{\tau_2}(e_1\, e_2)$
• We use unary relations so far
The Story So Far . . .
• System F with: $\exists\alpha.\,\tau$, $\mu\alpha.\,\tau$ (iso), $\tau_1 \times \tau_2$, $\tau_1 + \tau_2$, crash (e.g. if i ≤ a.length then a[i] else crash)
• CakeML-like semantics, formalised in HOL4
• A model for our use cases!
Next steps: ref τ
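As an added worked example (not from the slides), here is one standard way to spell out a step-indexed unary logical relation of the kind the Logical Relations slide describes, together with a proof sketch of the compositionality rule for application. It assumes a call-by-value small-step semantics in which crash is an irreducible but well-defined outcome that propagates out of any evaluation context; the slides do not fix these details, so treat them as assumptions.

```latex
% Assumed: closed terms e, values v, call-by-value small-step reduction e -> e',
% irred(e) meaning e has no successor, and crash an irreducible term that is a
% defined (not Error) outcome with E[crash] -> crash for every context E.
% The slide's R_tau(e) is the expression relation E_tau below, for all fuel k.
\begin{align*}
\mathcal{V}_k(\mathsf{int}) &= \{\, n \,\} \\
\mathcal{V}_k(\tau_1 \to \tau_2) &= \{\, \lambda x.\, e \mid
   \forall j < k.\ \forall v \in \mathcal{V}_j(\tau_1).\ e[v/x] \in \mathcal{E}_j(\tau_2) \,\} \\
\mathcal{E}_k(\tau) &= \{\, e \mid \forall j < k.\ \forall e'.\
   e \to^{j} e' \wedge \mathrm{irred}(e') \implies
   e' = \mathsf{crash} \vee e' \in \mathcal{V}_{k-j}(\tau) \,\} \\
R_\tau(e) &\iff \forall k.\ e \in \mathcal{E}_k(\tau) \\
\Gamma \vDash e : \tau &\iff \forall k.\ \forall \gamma \in \mathcal{G}_k(\Gamma).\
   \gamma(e) \in \mathcal{E}_k(\tau)
   \quad\text{where } \mathcal{G}_k(\Gamma) \text{ maps each } x{:}\tau \in \Gamma
   \text{ to some } v \in \mathcal{V}_k(\tau)
\end{align*}
% Fuel k bounds how many steps we inspect, so the recursion is well-founded even
% though V(tau1 -> tau2) quantifies over all arguments (the impredicativity the
% slide mentions).  Downward closure, j <= k ==> V_k(tau) ⊆ V_j(tau), follows by
% induction on tau.  A term that gets stuck (e.g. an unguarded out-of-bounds
% read) is in no E_k(tau) for k large enough; crash is in every one.
%
% Compatibility for application, i.e. the slide's
%   R_{tau1 -> tau2}(e1) /\ R_{tau1}(e2) ==> R_{tau2}(e1 e2):
% fix k and suppose e1 e2 ->^j e' with j < k and irred(e').  Call-by-value
% evaluates e1 first: e1 ->^{j1} e1' with e1' irreducible and j1 <= j.
%   - If e1' = crash, then e1 e2 reduces to crash, so e' = crash.  Done.
%   - Otherwise e1' in V_{k-j1}(tau1 -> tau2), hence e1' = \x.e for some e.
% Next e2 ->^{j2} e2' irreducible with j1 + j2 + 1 <= j < k.  If e2' = crash we
% are done as before; otherwise e2' in V_{k-j1-j2}(tau1) because e2 is in
% E_{k-j1}(tau1) and j2 < k - j1.  By downward closure e2' in V_{k-j1-j2-1}(tau1).
% One beta step gives e[e2'/x], which lies in E_{k-j1-j2-1}(tau2) by the
% definition of V(tau1 -> tau2) applied with fuel k-j1-j2-1 < k-j1.  The
% remaining j - j1 - j2 - 1 < k - j1 - j2 - 1 steps reach e', so either
% e' = crash or e' in V_{(k-j1-j2-1)-(j-j1-j2-1)}(tau2) = V_{k-j}(tau2).
% The environment version (Gamma |= ...) is the same argument under gamma.
```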
Use cases
Composing Safe and Unsafe code
First prove compatibility lemmas . . .
(slide diagram: premises ⊢ ··· ⊢ and ⊨ ··· ⊨ ⟹ conclusion ⊢ ⊨)
. . . then compose safe and unsafe code, e.g.
(slide diagram: user and lib components, each labelled ⊢, ⊨ or ⊬, composed into one program)
Reasoning about Module Invariants
Candle: a HOL kernel implemented in CakeML. LCF-style – relies on type abstraction for soundness!
We can express invariants as semantic types, and so prove they are preserved.
Extracting Coq to CakeML
Current unverified extraction to OCaml: Coq $\xrightarrow{\text{extract} + \texttt{Obj.magic}}$ OCaml
Proposed verified extraction to CakeML: Coq $\xrightarrow{\text{extract} + \texttt{Obj.magic}}$ CakeML
Thanks for listening!