Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University

1
Types, Proofs, andSafe Mobile CodeThe unusual
effectiveness of logic in programming language
researchPeter LeeCarnegie Mellon University

• January 22, 2001

NSF/CISE Workshop on The Unusual Effectiveness of
Logic in Computer Science
2
Logic in PL research
Type-directed compiling
Logic programming
Abstract Interpretation
Formal verification
?-calculus
Category theory
Domain theory
Term rewriting systems
Operational semantics
Logic frameworks
Type theory
Denotational semantics
Proof-carrying code
Logic is the foundation of modern PL research.
3
This talk

• A somewhat personal account, by necessity a
  rather narrow slice.
• But similar stories can be found in almost all
  areas of PL research.

4
Logic as Language
5
Logic and languages

• To PL researchers, logics and languages are often
  interchangeable.
• A vivid example of this is in formal proofs.
• Consider
• Write x is a proof of P as xP.

6
Formal proofs

• We can write formal proofs by application of
  inference rules.
• An example
• If we have a proof x of P and a proof y of Q,
  then x and y together constitute a proof of P ?
  Q.
• Or, more compactly
• Given xP, yQ then (x,y)PQ.

7
Formal proofs

• Another familiar example
• Assume we have a proof x of P. If we can then
  obtain a proof b of Q, then we have a proof of P
  ? Q.
• Given xP bQ then fn (xP)
  gt b P ? Q.
• More
• Given xPQ then fst(x)P
• Given yPQ then snd(y)Q

8
Proofs and types

• So, for example
• fn (xPQ) gt (snd(x), fst(x)) PQ ? QP
• We can develop full metalanguages based on this
  principle of proofs as programs, propositions as
  types.
• Typechecking gives us proofchecking!
• Codified in languages such as ML.

9
Applications

• This isomorphism has had many applications in
  logic and in CS.
• Proof development systems.
• NuPrl, Coq, LCF,
• Advanced programming languages.
• ?Prolog.
• Logical framework languages.
• Edinburgh Logical Framework.

10
Logical frameworks

• The Edinburgh Logical Framework (LF) is a
  particularly useful language for specifying
  logics.

11
LF example
Fragment of first-order logic, Pfennings Elf
syntax.
exp type pred type pf pred -gt type true
pred /\ pred -gt pred -gt pred gt pred -gt
pred -gt pred all (exp -gt pred) -gt pred truei
pf true andi Ppred Rpred pf P -gt pf R
-gt pf (/\ P R) andel Ppred Rpred pf (/\ P
R) -gt pf P impi Ppred Rpred (pf P -gt pf
R) -gt pf (gt P R) alli Pexp -gt pred
(Xexp pf (P X)) -gt pf (all P) alle Pexp
-gt pred Eexp pf (all P) -gt pf (P E)
12
LF example

• The representation of P ? P ? P for some
  predicate P
• The proof of this predicate has the following Elf
  representation

(gt P (/\ P P))
(impi P (/\ P P) (Xpf P andi P P x x))
13
Language as Logic
14
Languages and logic

• To PL researchers, languages and logics are often
  interchangeable.
• A vivid example of this is in type theory.

15
Type theory

• A standard application of type theory involves
  the following
• Operational (run-time) semantics is defined by an
  inference system.
• Type system is also defined by an inference
  system.
• Logic is used to prove the soundness of the type
  system wrt the semantics.
• A programming language is a logic.

16
Soundness

• Soundness
• Well-typed programs are guaranteed to stay within
  the boundaries defined by the operational
  semantics.
• Well-typed programs wont go wrong.

17
Practical benefits

• Soundness can be hard to prove.
• But it essentially converts the very difficult
  negative property (program wont go wrong) into a
  positive property (program is well-typed).
• Only need to prove soundness once.

18
Applications

• Current research often involves defining the
  logical core of a language and then studying its
  properties.
• Existing languages.
• ML, Haskell, JVML,
• New design and implementation features.
• Type-directed compiling, region inference, linear
  typing,

19
Proofs, Types, and Safe Mobile Code
20
The code safety problem
Please install and execute this.
Full cartoon
21
Code Safety
Code
Trusted Host
22
Formal verification
Code
But really really really hard and must be correct.
Trusted Host
23
A Key Idea Explicit Proofs
Code
Certifying Prover
Proof Checker
Proof
Trusted Host
24
Proof-Carrying CodeNecula Lee, OSDI96
A
rlrrllrrllrlrlrllrlrrllrrll
B
25
Proof-Carrying Code
Code
Certifying Prover
Proof
Proof Checker
26
The Role of Languages and Logic

• Civilized programming languages can provide
  safety for free.
• Well-formed/well-typed ? safe.
• Idea Arrange for the compiler to explain why
  the target code it generates preserves the safety
  properties of the source program.

27
Automation viaCertifying Compilation
Certifying Compiler
Certifying Prover
Proof Checker
28
Safety Policies in LF
Fragment of rules for the Java type system.
jfloat exp. jinstof exp -gt exp. of exp -gt
exp -gt pred. faddf Eexp E'exp pf
(of E jfloat) -gt pf (of E' jfloat) -gt
pf (of (fadd E E') jfloat). ext Eexp
Cexp Dexp pf (jextends C D) -gt pf
(of E (jinstof C)) -gt pf (of E (jinstof D)).
29
Program checking
A proof for
(saferd4 (add src_1 (add (imul edx_1 4) 8)))
in the Java specification looks like this
(excerpt)
(rdArray4 A0 A2 (sub0chk A3) szint (aidxi 4
(below1 A7)))
This proof can be easily validated via LF type
checking.
30
Themes and Conclusions
31
Coherence
Main Entry coherencePronunciation
kO-'hir-n(t)s, -'her-Function nounDate
15801 the quality or state of cohering as a
systematic or logical connection or consistency b
integration of diverse elements, relationships,
or values2 the property of being coherent

• Research in programming languages is largely
  directed towards achieving coherence in software
  systems.

32
Coherence

• Coherence requires
• ability to analyze/verify components, and
• communicate descriptions of components.
• Logic is canonical, in the sense of being the
  only foundation for this.

33
Esthetics vs. pragmatics

• Many of the methods and results are motivated as
  much by esthetic as they are by pragmatic
  concerns.
• Practical engineering consequences
• Minimality and clarity of expression.
• Scaling up by study of core logics.
• Can sometimes be divorced from real-world
  problems, but hard to predict.

34
Practicality

• In recent years, a trend towards picking the
  low-hanging fruit.
• Eliminate simple errors.
• Exposed by the Web, plug-ins, embedded systems,
  etc.
• Even machine languages!
• Small theorems about big programs.

35
Conclusions

• For much of the history of CS, PL research meant
  design of languages and compiler technology.
• Today, PL technology and concepts advance logic
  and are applied directly to software artifacts.
• LF in the Unix kernel.

36
(No Transcript)
37
A logical approach
OK, but let me quickly look over the instructions
first.
Please install and execute this.
Code producer
Host
38
A logical approach
Code producer
Host
39
A logical approach
This store instruction is dangerous!
Code producer
Host
40
A logical approach
Can you prove that it is always safe?
Code producer
Host
41
A logical approach
Yes! Heres the proof I got from my certifying
Java compiler!
Can you prove that it is always safe?
?
Code producer
Host
42
A logical approach
Your proof checks out. I believe you because I
believe in logic.
?
Code producer
Host
return