new brigitte pientka mcgill university montreal, canadabpientka/talks/popl19.pdf · 2019. 1....
TRANSCRIPT
![Page 1: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/1.jpg)
Mechanizing Metatheory – The Next Chapter
Brigitte Pientka
McGill University
Montreal, Canada
![Page 2: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/2.jpg)
What is mechanized metatheory?
![Page 3: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/3.jpg)
Theory Def.
Operational Semantics
Type System Model
Type Theory
...
Logic
Type Inference Algorithm
Program Transformations
![Page 4: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/4.jpg)
Theory Def.
Operational Semantics
Type System Model
Type Theory
...
Logic
Type Inference Algorithm
Program Transformations
Bisimulation
Program Equivalence
Completeness
Consistency
Soundness of Prog. Transform.
Decidability of Type Checking
Type Safety
Metatheory
![Page 5: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/5.jpg)
Theory Def.
Operational Semantics
Type System Model
Type Theory
...
Logic
Type Inference Algorithm
Program Transformations
Bisimulation
Program Equivalence
Completeness
Consistency
Soundness of Prog. Transform.
Decidability of Type Checking
Type Safety
Metatheory
Mechanized
Metatheory
implemented
in a proof assistant
![Page 6: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/6.jpg)
1. Mechanizing formal systems
together with proofs about them is
the talk of the town.
![Page 7: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/7.jpg)
Everybody talks about it.
2
![Page 8: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/8.jpg)
From Simple Types To Dependent Types
3
![Page 9: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/9.jpg)
2. Mechanizing formal systems
together with proofs about them
establishes trust.
![Page 10: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/10.jpg)
2. Mechanizing formal systems
together with proofs about them
establishes trust. . . and avoids flaws.
![Page 11: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/11.jpg)
Programs go wrong.
Testing correctness of C compilers [Vu et al. PLDI’14]:
• GCC and LLVM had over 195 bugs
• Compcert the only compiler where no bugs were found
“This is a strong testimony to the promise and quality of
verified compilers.”
[Vu et al. PLDI’14]
4
![Page 12: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/12.jpg)
Programs go wrong.
Testing correctness of C compilers [Vu et al. PLDI’14]:
• GCC and LLVM had over 195 bugs
• Compcert the only compiler where no bugs were found
“This is a strong testimony to the promise and quality of
verified compilers.”
[Vu et al. PLDI’14]
4
![Page 13: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/13.jpg)
Programming lang. designs and implementations go wrong.
Type Safety of Java (20 years ago)
5
![Page 14: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/14.jpg)
Programming lang. designs and implementations go wrong.
Type Safety of Java (20 years ago)
5
![Page 15: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/15.jpg)
Programming lang. designs and implementations go wrong.
Type Safety of Java and Scala (20 years later)
5
![Page 16: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/16.jpg)
Programming lang. designs and implementations go wrong.
Type Safety of Java and Scala (20 years later)
5
![Page 17: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/17.jpg)
Why is it hard to get theories and
implementations right?
![Page 18: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/18.jpg)
It’s a tricky business.
“The truth of the matter is that
putting languages together is a
very tricky business. When one
attempts to combine language con-
cepts, unexpected and counterin-
tuitive interactions arise.”
- J. Reynolds
6
![Page 19: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/19.jpg)
Correct proofs are tricky to write.
On paper:
• Challenging to keep track of all the details
• Easy to skip over details
• Difficult to understand interaction between different features
• Difficulties increase with size
In a proof assistant:
• A lot of overhead in building basic infrastructure
• May get lost in the technical, low-level details
• Time consuming
• Experience, experience, experience
7
![Page 20: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/20.jpg)
Mechanizing Normalization for STLC
“To those that doubted de Bruijn, I wished
to prove them wrong, or discover why they
were right. Now, after some years and
many hundred hours of labor, I can say
with some authority: they were right. De
Bruijn indices are foolishly difficult for this
kind of proof. [. . .] The full proof runs
to 3500 lines, although that relies on a
further library of 1900 lines of basic facts
about lists and sets. [. . .] the cost of de
Bruijn is partly reflected in the painful
1600 lines that are used to prove facts
about “shifting” and “substitution”.”
Ezra Cooper (PhD Student)
https://github.com/ezrakilty/sn-stlc-de-bruijn-coq 8
![Page 21: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/21.jpg)
What are good high-level proof
languages that make it easier to
mechanize metatheory?
![Page 22: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/22.jpg)
Abstraction, Abstraction, Abstraction
“The motivation behind the work in very-high-level languages is
to ease the programming task by providing the programmer
with a language containing primitives or abstractions suitable to
his problem area. The programmer is then able to spend his
effort in the right place; he concentrates on solving his problem,
and the resulting program will be more reliable as a result.
Clearly, this is a worthwhile goal.” B. Liskov [1974]
9
![Page 23: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/23.jpg)
“To know your future you must
know your past.” – G. Santayana
![Page 24: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/24.jpg)
Back in the 80s...
1987 • R. Harper, F. Honsell, G. Plotkin: A Framework for
Defining Logics, LICS’87
1988 • F. Pfenning and C. Elliott: Higher-Order Abstract
Syntax, PLDI’88
• LF = Dependently Typed Lambda Calculus (λΠ) serves as
a Meta-Language for representing formal systems
• Higher-order Abstract Syntax (HOAS) :
Uniformly model binding structures in Object Language with
(intensional) functions in LF
10
![Page 25: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/25.jpg)
Back in the 80s...
1987 • R. Harper, F. Honsell, G. Plotkin: A Framework for
Defining Logics, LICS’87
1988 • F. Pfenning and C. Elliott: Higher-Order Abstract
Syntax, PLDI’88
• LF = Dependently Typed Lambda Calculus (λΠ) serves as
a Meta-Language for representing formal systems
• Higher-order Abstract Syntax (HOAS) :
Uniformly model binding structures in Object Language with
(intensional) functions in LF
10
![Page 26: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/26.jpg)
Representing Types and Terms in LF – In a Nutshell
Types A,B ::= nat | A ⇒ B Terms M ::= x | lam x :A.M | app M N
LF Representation
obj: type.
nat: obj.
arr: obj → obj → obj.
tm: type.
lam: obj → (tm → tm) → tm.
app: tm → tm → tm.
On Paper (Object Language) In LF (Meta Language)
lam x :nat.x lam nat λx.x
lam x :nat. (lam x :nat⇒nat.x) lam nat λx.(lam (arr nat nat) λx.x)
lam x :nat. (lam f :nat⇒nat.app f x) lam nat λx.(lam (arr nat nat) λf.app f x)
Higher-order Abstract Syntax (HOAS):
• Uniformly model bindings with (intensional) functions in LF
• Inherit α-renaming and single substitutions
Model
11
![Page 27: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/27.jpg)
Representing Types and Terms in LF – In a Nutshell
Types A,B ::= nat | A ⇒ B Terms M ::= x | lam x :A.M | app M N
LF Representation
obj: type.
nat: obj.
arr: obj → obj → obj.
tm: type.
lam: obj → (tm → tm) → tm.
app: tm → tm → tm.
On Paper (Object Language) In LF (Meta Language)
lam x :nat.x lam nat λx.x
lam x :nat. (lam x :nat⇒nat.x) lam nat λx.(lam (arr nat nat) λx.x)
lam x :nat. (lam f :nat⇒nat.app f x) lam nat λx.(lam (arr nat nat) λf.app f x)
Higher-order Abstract Syntax (HOAS):
• Uniformly model bindings with (intensional) functions in LF
• Inherit α-renaming and single substitutions
Model
11
![Page 28: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/28.jpg)
Uniformly Model Binding Structures using LF Functions
Types A,B ::= nat | A ⇒ B |α | ∀α.A
Terms M ::= x | lam x :A.M | app M N |let x = M in N | tlam α.M | . . .
LF Representation
obj: type.
nat: obj.
arr: obj → obj → obj.
all: (obj → obj) → obj.
tm: type.
lam: obj → (tm → tm) → tm.
app: tm → tm → tm.
let: tm → (tm → tm) → tm.
tlam: (obj → tm) → tm.
On Paper (Object Language) In LF (Meta Language)
tlam α. (lam x :α.x) tlam λa.(lam a λx.x)
∀α.∀β.α⇒ β all λa.all λb.arr a b
12
![Page 29: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/29.jpg)
Uniformly Model Binding Structures using LF Functions
Types A,B ::= nat | A ⇒ B |α | ∀α.A
Terms M ::= x | lam x :A.M | app M N |let x = M in N | tlam α.M | . . .
LF Representation
obj: type.
nat: obj.
arr: obj → obj → obj.
all: (obj → obj) → obj.
tm: type.
lam: obj → (tm → tm) → tm.
app: tm → tm → tm.
let: tm → (tm → tm) → tm.
tlam: (obj → tm) → tm.
On Paper (Object Language) In LF (Meta Language)
tlam α. (lam x :α.x) tlam λa.(lam a λx.x)
∀α.∀β.α⇒ β all λa.all λb.arr a b
12
![Page 30: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/30.jpg)
Uniformly Model Binding Structures using LF Functions
Types A,B ::= nat | A ⇒ B |α | ∀α.A
Terms M ::= x | lam x :A.M | app M N |let x = M in N | tlam α.M | . . .
LF Representation
obj: type.
nat: obj.
arr: obj → obj → obj.
all: (obj → obj) → obj.
tm: type.
lam: obj → (tm → tm) → tm.
app: tm → tm → tm.
let: tm → (tm → tm) → tm.
tlam: (obj → tm) → tm.
On Paper (Object Language) In LF (Meta Language)
tlam α. (lam x :α.x) tlam λa.(lam a λx.x)
∀α.∀β.α⇒ β all λa.all λb.arr a b
LF = Dependently Typed Lambda Calculus λΠ
• LF functions only encode variable scope
no recursion, no pattern matching, etc.
• HOAS trees = Syntax trees with binders
• Benefit: α-renaming and substitution principles
• Scales: Model derivation trees
- Hypothetical derivations as LF functions
- Parametric derivations as LF functions
12
![Page 31: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/31.jpg)
Sounds cool. . . can I do this in
OCaml or Agda?
![Page 32: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/32.jpg)
An Attempt in OCaml
and Agda
OCaml
1 type tm = Lam of (tm -> tm)
2 let apply = function (Lam f) -> f
3 let omega = Lam (function x -> apply x x)
What happens, when we try to evaluate apply omega omega?
It will loop.
Agda
data tm : type = lam : (tm → tm) → tm
Violates positivity restriction
Functions in OCaml and Agda are opaque (black box).
• We can observe the result that a function computes
• We cannot pattern match to inspect the function body
13
![Page 33: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/33.jpg)
An Attempt in OCaml
and Agda
OCaml
1 type tm = Lam of (tm -> tm)
2 let apply = function (Lam f) -> f
3 let omega = Lam (function x -> apply x x)
What happens, when we try to evaluate apply omega omega?
It will loop.
Agda
data tm : type = lam : (tm → tm) → tm
Violates positivity restriction
Functions in OCaml and Agda are opaque (black box).
• We can observe the result that a function computes
• We cannot pattern match to inspect the function body
13
![Page 34: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/34.jpg)
An Attempt in OCaml and Agda
OCaml
1 type tm = Lam of (tm -> tm)
2 let apply = function (Lam f) -> f
3 let omega = Lam (function x -> apply x x)
What happens, when we try to evaluate apply omega omega?
It will loop.
Agda
data tm : type = lam : (tm → tm) → tm
Violates positivity restriction
Functions in OCaml and Agda are opaque (black box).
• We can observe the result that a function computes
• We cannot pattern match to inspect the function body
13
![Page 35: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/35.jpg)
An Attempt in OCaml and Agda
OCaml
1 type tm = Lam of (tm -> tm)
2 let apply = function (Lam f) -> f
3 let omega = Lam (function x -> apply x x)
What happens, when we try to evaluate apply omega omega?
It will loop.
Agda
data tm : type = lam : (tm → tm) → tm
Violates positivity restriction
Functions in OCaml and Agda are opaque (black box).
• We can observe the result that a function computes
• We cannot pattern match to inspect the function body
13
![Page 36: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/36.jpg)
OK. . . so, how do we write recursive
programs over with HOAS trees?
We clearly want pattern matching, since
a HOAS tree is a data structure.
![Page 37: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/37.jpg)
An Attempt to Compute the Size of a Term
size (lam λx.lam λf. app f x)
=⇒ size (lam λf. app f x) + 1
=⇒ size (app f x) + 1 + 1
=⇒ size f + size x + 1 + 1 + 1
=⇒ 0 + 0 + 1 + 1 + 1
“the whole HOAS approach by its very nature disallows a
feature that we regard of key practical importance: the ability
to manipulate names of bound variables explicitly in
computation and proof. ” [Pitts, Gabbay’97]
14
![Page 38: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/38.jpg)
Back in 2008. . .
![Page 39: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/39.jpg)
LF and Holes in HOAS trees – Revisited
In LF (Meta Lang.)
lam λx. lam λf.app f x
lam λx. lam λf. app f x
LF Typing Judgment:
Ψ
LF Context
` M
LF Term
: A
LF Type
15
![Page 40: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/40.jpg)
LF and Holes in HOAS trees – Revisited
In LF (Meta Lang.)
lam λx. lam λf.app f x
lam λx. lam λf. app f x
LF Typing Judgment:
x:tm
LF Context
` lam λf.app f x
LF Term
: tm
LF Type
15
![Page 41: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/41.jpg)
LF and Holes in HOAS trees – Revisited
In LF (Meta Lang.)
lam λx. lam λf.app f x
lam λx. lam λf. app f x
LF Typing Judgment:
x:tm
LF Context
` lam λf. app f x
LF Term
: tm
LF Type
What is the type of app f x ? – Its type is dx:tm, f:tm ` tme.
16
![Page 42: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/42.jpg)
LF and Holes in HOAS trees – Revisited
In LF (Meta Lang.) Contextual Type
lam λx. lam λf.app f x dx:tm ` tme
lam λx. lam λf. app f x dx:tm, f:tm ` tme
LF Typing Judgment:
x:tm
LF Context
` lam λf. app f x
LF Term
: tm
LF Type
What is the type of app f x ? – Its type is dx:tm, f:tm ` tme.
16
![Page 43: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/43.jpg)
Contextual Types [Nanevski, Pfenning, Pientka’08]
Meta Context
h: dx:tm, f:tm ` tme ; x:tm
LF Context
` lam λf . h︸ ︷︷ ︸LF Term
: tm
LF Type
• h is a contextual variable
• It has the contextual type dx:tm, f:tm ` tme• It can be instantiated with a contextual term dx,f` app f xe• Contextual types (` ) reify LF typing derivations (`)
WAIT! . . . whatever we plug in for h may contain free LF variables?
and we want it to be stable under α-renaming . . .
Solution: Contextual variables are associated with LF substitutions
17
![Page 44: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/44.jpg)
Contextual Types [Nanevski, Pfenning, Pientka’08]
Meta Context
h: dx:tm, f:tm ` tme ; x:tm
LF Context
` lam λf . h︸ ︷︷ ︸LF Term
: tm
LF Type
• h is a contextual variable
• It has the contextual type dx:tm, f:tm ` tme• It can be instantiated with a contextual term dx,f` app f xe• Contextual types (` ) reify LF typing derivations (`)
WAIT! . . . whatever we plug in for h may contain free LF variables?
and we want it to be stable under α-renaming . . .
Solution: Contextual variables are associated with LF substitutions
17
![Page 45: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/45.jpg)
Contextual Types [Nanevski, Pfenning, Pientka’08]
Meta Context
h: dy:tm, g:tm ` tme ; x:tm
LF Context
` lam λf . h︸ ︷︷ ︸LF Term
: tm
LF Type
• h is a contextual variable
• It has the contextual type dy:tm, g:tm ` tme• It can be instantiated with a contextual term dy,g` app g ye• Contextual types (` ) reify LF typing derivations (`)
WAIT! . . . whatever we plug in for h may contain free LF variables?
and we want it to be stable under α-renaming . . .
Solution: Contextual variables are associated with LF substitutions
17
![Page 46: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/46.jpg)
Contextual Types [Nanevski, Pfenning, Pientka’08]
Meta Context
h: dy:tm, g:tm ` tme ; x:tm
LF Context
` lam λf . h[x/y, f/g]︸ ︷︷ ︸LF Term
: tm
LF Type
• h is a contextual variable
• It has the contextual type dy:tm, g:tm ` tme• It can be instantiated with a contextual term dy,g` app g ye• Contextual types (` ) reify LF typing derivations (`)
WAIT! . . . whatever we plug in for h may contain free LF variables?
and we want it to be stable under α-renaming . . .
Solution: Contextual variables are associated with LF substitutions
17
![Page 47: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/47.jpg)
Contextual Type Theory1 (CTT) [Nanevski, Pfenning, Pientka’08]
Meta Context
(global)
Γ ; Ψ
LF Context
(local)
` M
LF Term
: A
LF Type
LF Variable Contextual Variable
x :A ∈ ΨΓ; Ψ ` x : A
x : dΦ ` Ae ∈ Γ Γ; Ψ ` σ : Φ
Γ; Ψ ` x [σ]︸︷︷︸Closure
: [σ]A︸︷︷︸Apply subst. σ
1Footnote for nerds: CTT is a generalization of modal S4.
18
![Page 48: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/48.jpg)
The Tip of the Iceberg: Beluga [POPL’08, POPL’12, ICFP’16,. . .]
Main Proof
Eigenvariables
HypothesisContext
VariablesRenaming
Derivation Tree
Substitution
Scope Binding
ContextualLogical Framework LF Γ; Ψ ` M : A
Proofsas Functional Programs
Γ ` t : T
Terms t ::= dΨ ` Me | . . .Types T ::= dΨ ` Ae | . . .
19
![Page 49: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/49.jpg)
Revisiting the program size
size d ` lam λx.lam λf. app f xe=⇒ size dx ` lam λf. app f xe + 1
=⇒ size dx,f ` app f xe + 1 + 1
=⇒ size dx,f ` fe + size dx,f ` xe + 1 + 1 + 1
=⇒ 0 + 0 + 1 + 1 + 1
Corresponding program:
size : Πγ:ctx. dγ ` tme → int
size dγ ` #pe = 0
size dγ ` lam λx. Me = size dγ,x ` Me + 1
size dγ ` app M Ne = size dγ ` Me + size dγ ` Ne + 1;
• Abstract over context γ and introduce special variable pattern #p
• Higher-order pattern matching [Miller’91]
20
![Page 50: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/50.jpg)
Revisiting the program size
size d ` lam λx.lam λf. app f xe=⇒ size dx ` lam λf. app f xe + 1
=⇒ size dx,f ` app f xe + 1 + 1
=⇒ size dx,f ` fe + size dx,f ` xe + 1 + 1 + 1
=⇒ 0 + 0 + 1 + 1 + 1
Corresponding program:
size : Πγ:ctx. dγ ` tme → int
size dγ ` #pe = 0
size dγ ` lam λx. Me = size dγ,x ` Me + 1
size dγ ` app M Ne = size dγ ` Me + size dγ ` Ne + 1;
• Abstract over context γ and introduce special variable pattern #p
• Higher-order pattern matching [Miller’91]
20
![Page 51: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/51.jpg)
What Programs / Proofs Can We Write?
• Certified programs:
Type-preserving closure conversion and hoisting [CPP’13]
Joint work with O. Savary-Belanger, S. Monnier
• Inductive proofs:
Logical relations proofs (Kripke-style) [MSCS’18]
Joint work with A. Cave
• Coinductive proofs:
Bisimulation proof using Howe’s Method [MSCS’18]
Joint work with D. Thibodeau and A. Momigliano
21
![Page 52: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/52.jpg)
Remember the PhD student who
mechanized strong normalization for
STLC in Coq using de Bruijn?
![Page 53: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/53.jpg)
POPLMark Reloaded
Strong Normalization for STLC using Kripke-style Logical
Relations Joint work with A. Abel, G. Allais, A. Hameer, A. Momigliano,
S. Schafer, K. Stark
• Easily accessible problem, while still being worthwhile
• Survey the state of the art
• Compare proof assistants
• Encourage development to make them more robust
22
![Page 54: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/54.jpg)
What I Learned
Lesson 1: Choosing an inductive definition for SN makes proofs
modular and simpler – on paper and in mechanizations.
Lesson 2: Beluga exploits high-level abstractions and primitives
(HOAS, contexts, substitutions, renamings, etc.) leading to a
compact implementation (416 LOC).
Lesson 3: Contextual types provide an abstract, conceptual view of
syntax trees within a context of assumptions.
23
![Page 55: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/55.jpg)
Sounds cool. . . but how can we get
this into type theories (like Agda)?
![Page 56: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/56.jpg)
A Type Theory for Defining Logics and Proofs
Meta Context
(global)
Γ ; Ψ
LF Context
(local)
` M
LF Term
: A
LF Type
The strict separation between contextual LF and computations
means we cannot embed computation terms directly.
Contextual Variable Rule
x : dΦ ` Ae ∈ Γ Γ; Ψ ` σ : Φ
Γ; Ψ ` x [σ]︸︷︷︸Closure
: [σ]A︸︷︷︸Apply subst. σ
24
![Page 57: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/57.jpg)
A Type Theory for Defining Logics and Proofs
Meta Context
(global)
Γ ; Ψ
LF Context
(local)
` M
LF Term
: A
LF Type
What if we did?
Rule for Embedding Computations
Γ ` t : dΦ ` Ae Γ; Ψ ` σ : Φ
Γ; Ψ ` btcσ︸︷︷︸Closure
: [σ]A︸︷︷︸Apply subst. σ
24
![Page 58: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/58.jpg)
Cocon: A Type Theory for Defining Logics
Joint work with A. Abel, F. Ferreira, D. Thibodeau, R. Zucchini
• Hierarchy of universes
• Type-level computation
• Writing proofs about functions (such as size)
LF (intensional) Computation (extensional)
quote / box dΨ ` Me
unquote / unbox btcσ
25
![Page 59: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/59.jpg)
Sketch: Translation Between STLC and CCC
STLC
tm: obj → type.
Cartesian Closed Categories (CCC)
mor:obj → obj → type
itm
Translate an LF context γ to cross product: ictx:Πγ:ctx.d ` obje
Example: ictx (x1:A1, x2:A2) =⇒ (cross (cross unit A1) A2)
Translate STLC to CCC
itm:Πγ:ctx.ΠA:d ` obje.dγ ` tm bAce → d ` mor bictx γc bAce
26
![Page 60: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/60.jpg)
Bridging the Gap between LF and Martin Lof Type Theory
27
![Page 61: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/61.jpg)
What’s Next?
Theory
• Decidable equality
• Categorical semantics
• . . .
Implementation and Case Studies
• Build an extension to Coq/Agda/Beluga
• Case studies: Equivalence of STLC and CCC
• Meta-Programming (Tactics)
• Compilation
• Proof Search
• . . .
28
![Page 62: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/62.jpg)
Towards More Civilized High-Level Proof Languages
Lesson 1: Contextual types provide a type-theoretic framework to
think about syntax trees within a context of assumptions.
Lesson 2: Abstractions for variable binding, contexts, and
substitution, etc. are useful when we mechanize metatheory.
Last but not least: There are many other abstractions and
primitives we should explore: heaps, linearity, resources, . . .
29
![Page 63: New Brigitte Pientka McGill University Montreal, Canadabpientka/talks/popl19.pdf · 2019. 1. 18. · Testing correctness of C compilers [Vu et al. PLDI’14]: GCC and LLVM had over](https://reader034.vdocuments.net/reader034/viewer/2022051909/5ffe0da619c3f4476868b6d8/html5/thumbnails/63.jpg)
Towards More Civilized High-Level Proof Languages
Lesson 1: Contextual types provide a type-theoretic framework to
think about syntax trees within a context of assumptions.
Lesson 2: Abstractions for variable binding, contexts, and
substitution, etc. are useful when we mechanize metatheory.
Last but not least: There are many other abstractions and
primitives we should explore: heaps, linearity, resources, . . .
29