Adam Chlipala

Cambridge, MA USA adamc@csail.mit.edu http://adam.chlipala.net/

Cambridge, MA adam@chlipala.net; http://adam.chlipala.net/ http://adam.chlipala.net/cv.html Not currently seeking employment Program verification (verifying low-level programs, verifying programming language tools, reducing the human costs of interactive theorem-proving and formal verification) Design and implementation of programming languages (functional and declarative programming languages, dependent types and other very expressive type systems, safe low-level programming, Web programming, domain-specific languages) Computer theorem proving Certified type-preserving compilers http://ltamer.sf.net/ Verifying imperative programs http://ynot.cs.harvard.edu/ Design, implementation, and analysis of functional programming languages Statically-typed metaprogramming for web apps http://www.impredicative.com/ur/ Static types for system configuration http://wiki.hcoop.net/DomTool American citizen January February March April May June July August September October November December Adam Chlipala http://adam.chlipala.net/ Evan Chang Bor-Yuh Evan Chang http://www.cs.colorado.edu/~bec/ Dirk Beyer http://www.sosy-lab.org/~dbeyer/ Karl Crary http://www.cs.cmu.edu/~crary/ Gregory Malecha http://www.people.fas.harvard.edu/~gmalecha/ Greg Morrisett http://www.eecs.harvard.edu/~greg/ Ranjit Jhala http://www.cse.ucsd.edu/~rjhala/ Leaf Petersen http://www.cs.cmu.edu/~leaf/ Brian Lucena http://www.aucegypt.edu/faculty/lucena/ Manuel Fahndrich http://research.microsoft.com/~maf/ Michael Erdmann http://www.cs.cmu.edu/~me/ George Necula George C. Necula http://www.cs.berkeley.edu/~necula/ Rupak Majumdar http://www.cs.ucla.edu/~rupak/ Robert Harper http://www.cs.cmu.edu/~rwh/ Robert Schneck Robert R. Schneck http://tupelo-schneck.org/robert/ Avraham Shinnar http://www.eecs.harvard.edu/~shinnar/ Thomas Henzinger http://mtc.epfl.ch/~tah/ Jeannette Wing http://www.cs.cmu.edu/~wing/ Ryan Wisnesky http://wisnesky.net/ Avaya Communication Avaya Holmdel NJ http://www.avaya.com/ Carnegie Mellon University Pittsburgh PA http://www.cmu.edu/ Computer Science Department http://www.cs.cmu.edu/ 15-212: Principles of Programming (introduction to formal reasoning about programs and functional programming with Standard ML) 15-212 http://www.cs.cmu.edu/~me/courses/212/ The TILT type-directed Standard ML compiler project TILT http://www.cs.cornell.edu/home/jgm/tilt.html IEEE Computer Society Press IEEE http://www.ieee.org/ Cambridge University Press CUP http://www.cambridge.org/ Harvard University Harvard Cambridge MA http://www.harvard.edu/ School of Engineering and Applied Sciences http://www.seas.harvard.edu/ COMPSCI 252: Certified Programming with Dependent Types CS252 http://www.cs.harvard.edu/~adamc/cpdt/ Microsoft Research MSR http://research.microsoft.com/ Software Productivity Tools group Redmond WA SPT The Singularity project Singularity http://research.microsoft.com/os/singularity/ IBM Research IBM http://research.ibm.com/ IBM Watson Research Center Hawthorne NY IBM Watson University of Oregon http://www.uoregon.edu/ Trifecta Technologies Trifecta Allentown PA http://www.trifecta.com/ University of California, Berkeley Berkeley http://www.berkeley.edu/ Electrical Engineering and Computer Science Department EECS http://www.eecs.berkeley.edu/ Computer Science Division CS http://www.cs.berkeley.edu/ The BLAST project http://www.cs.ucla.edu/~rupak/blast/ BLAST CS172: Computability and Complexity http://inst.eecs.berkeley.edu/~cs172/sp05/ CS172 The Open Verifier project Open Verifier CS294-9: Interactive Computer Theorem Proving CS294-9 http://adam.chlipala.net/itp/ UC Berkeley EECS Department http://www.eecs.berkeley.edu/ Massachusetts Institute of Technology MIT http://www.mit.edu/ Department of Electrical Engineering and Computer Science EECS http://www.eecs.mit.edu/ Computer Science and Artificial Intelligence Laboratory CSAIL http://www.csail.mit.edu/ Emmaus High School Emmaus, PA http://www.eastpenn.k12.pa.us/ehs/ ACM http://www.acm.org/ IEEE http://www.ieee.org/ Springer-Verlag http://www.springer.de/comp/lncs Elsevier http://www.elsevier.com/ Jane Street Capital Jane Street Capital http://www.janestreet.com/ 26th International Conference on Software Engineering ICSE'04 http://www.icse-conferences.org/2004/index.html 2004 Edinburgh, Scotland 11th Static Analysis Symposium SAS'04 http://profs.sci.univr.it/~sas04/ 2004 Verona, Italy 9th ACM SIGPLAN International Conference on Functional Programming ICFP'04 http://www.cs.indiana.edu/icfp04/ Snowbird, Utah, USA 2004 2nd ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'05 http://research.microsoft.com/~maf/tldi05/ 2005 Long Beach, California, USA 12th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning http://www.lpar.net/2005/ LPAR'05 Montego Bay, Jamaica 2005 7th International Conference on Verification, Model Checking, and Abstract Interpretation http://www.informatik.uni-trier.de/~ley/db/conf/vmcai/vmcai2006.html VMCAI'06 2006 Charleston, South Carolina, USA 21st Annual IEEE Symposium on Logic in Computer Science http://www.easychair.org/FLoC-06/LICS.html LICS'06 2006 Seattle, Washington, USA 11th ACM SIGPLAN International Conference on Functional Programming http://icfp06.cs.uchicago.edu/ ICFP'06 2006 Portland, Oregon, USA 4th ASIAN Symposium on Programming Languages and Systems http://www.kb.ecei.tohoku.ac.jp/aplas2006/ APLAS'06 2006 Sydney, Australia International Workshop on Proof-Carrying Code http://www.cs.stevens.edu/~abc/PCC-Workshop.html PCC'06 2006 Seattle, Washington, USA 6th International Workshop on Strategies in Automated Deduction http://www.easychair.org/FLoC-06/Strategies.html STRATEGIES'06 2006 Seattle, Washington, USA Programming Languages meets Program Verification Workshop http://www.easychair.org/FLoC-06/PLPV.html PLPV'06 2006 Seattle, Washington, USA 3nd ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'07 http://www.cs.berkeley.edu/~necula/tldi07/ 2007 Nice, France ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation PLDI'07 http://ties.ucsd.edu/PLDI/ 2007 San Diego, California, USA 2005 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.cs.berkeley.edu/~bodik/OSQ05.htm 2005 2006 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.cs.berkeley.edu/~bodik/OSQ06.htm 2006 2007 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.eecs.berkeley.edu/~sseshia/OSQ07.htm 2007 Projet Gallium seminar http://www-c.inria.fr/Internet/rendez-vous/seminaires-des-equipes-de-recherche/a-certified-type-preserving-compiler-from-lambda-calculus-to-assembly-language 2007 18th International Conference on Term Rewriting and Applications RTA'07 http://www.lsv.ens-cachan.fr/rdp07/rta.html 2007 Paris, France 2nd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'07 http://www.cis.upenn.edu/~sweirich/wmm/wmm07.html Freiburg, Germany 2007 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'08 http://www.cs.ucsd.edu/popl/08/ 2008 San Francisco, California, USA 9th International Conference on Verification, Model Checking and Abstract Interpretation VMCAI'08 http://www.cs.uic.edu/vmcai08/ 2008 San Francisco, California, USA ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation PLDI'08 http://pldi2008.cs.ucr.edu/ 2008 Tucson, Arizona, USA 3rd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'08 http://www.cis.upenn.edu/~sweirich/wmm/wmm08.html 2008 Victoria, British Columbia, Canada 13th ACM SIGPLAN International Conference on Functional Programming ICFP'08 http://www.icfpconference.org/icfp2008/ 2008 Victoria, British Columbia, Canada 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'09 http://www.cs.ucsd.edu/popl/09/ 2009 Savannah, Georgia, USA 4th ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'09 http://ttic.uchicago.edu/~amal/tldi2009/ 2009 Savannah, Georgia, USA 18th European Symposium on Programming ESOP'09 http://esop09.pps.jussieu.fr/ 2009 York, United Kingdom 21st New England Programming Languages and Systems Symposium NEPLS 21 http://www.nepls.org/Events/21/ 2008 Cambridge, MA, USA 2008 TYPES Meeting TYPES'08 http://types2008.di.unito.it/ 2008 Torino, Italy ACM SIGPLAN 2009 Conference on Programming Language Design and Implementation PLDI'09 http://www-plan.cs.colorado.edu/~pldi09/ 2009 Dublin, Ireland 4th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice LFMTP'09 http://workshops.inf.ed.ac.uk/lfmtp/ 2009 Montreal, Canada Boston University Programming Languages Reading Group http://www.church-project.org/reading-group/reading-group.html 2009 Northeastern University Programming Languages Seminar http://www.ccs.neu.edu/home/wand/pl-seminar/ 2009 Microsoft Research Redmond http://research.microsoft.com/ 2009 14th ACM SIGPLAN International Conference on Functional Programming ICFP'09 http://www.cs.nott.ac.uk/~gmh/icfp09.html 2009 Edinburgh, Scotland 4th Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'09 http://www.cis.upenn.edu/~sweirich/wmm/wmm09.html 2009 Edinburgh, Scotland ACM SIGPLAN Developer Tracks on Functional Programming DEFUN'09 http://www.defun2009.info/ 2009 Edinburgh, Scotland New Jersey Programming Languages and Systems Seminar NJPLS http://www.njpls.org/oct09.html 2009 Bethlehem, PA, USA New England F# User Group New England F# User Group http://www.fsug.org/ 2009 Cambridge, MA, USA 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'10 http://www.cse.psu.edu/popl/10/ 2010 Madrid, Spain Programming Languages meets Program Verification Workshop http://slang.soe.ucsc.edu/plpv10/ PLPV'10 2010 Madrid, Spain Boston Lisp Boston Lisp http://common-lisp.net/project/boston-lisp/ 2010 Cambridge, MA, USA 13th International Conference on Foundations of Software Science and Computation Structures FoSSaCS'10 http://users.comlab.ox.ac.uk/luke.ong/FoSSaCS2010/ 2010 Paphos, Cyprus Sixteenth International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS'10 http://tacas10.in.tum.de/ 2010 Paphos, Cyprus ACM SIGPLAN 2010 Conference on Programming Language Design and Implementation PLDI'10 http://cs.stanford.edu/pldi10/ 2010 Toronto, Canada The Second Coq Workshop Coq-2 http://coq.inria.fr/coq-workshop/2010 2010 Edinburgh, Scotland Dependently Typed Programming 2010 DTP'10 http://sneezy.cs.nott.ac.uk/darcs/dtp10/ 2010 Edinburgh, Scotland 2nd Workshop on Module Systems and Libraries for Proof Assistants MLPA'10 http://kwarc.info/frabe/events/mlpa-10.html 2010 Edinburgh, Scotland Emerging Languages Camp 2010 Emerging Languages Camp 2010 http://emerginglangs.com/ 2010 Portland, OR, USA Mathematically Structured Functional Programming 2010 MSFP'10 http://cs.ioc.ee/msfp/msfp2010/ 2010 Baltimore, MD, USA 9th USENIX Symposium on Operating Systems Design and Implementation OSDI'10 http://www.usenix.org/event/osdi10/ 2010 Vancouver, BC, Canada 5th International Workshop on Systems Software Verification SSV'10 http://usenix.org/events/ssv10/ 2010 Vancouver, BC, Canada Twenty-sixth Conference on the Mathematical Foundations of Programming Semantics MFPS'10 http://www.math.tulane.edu/~mfps/mfps26/MFPS_XXVI.html 2010 Ottawa, Ontario, Canada 12th International Symposium on Principles and Practice of Declarative Programming PPDP'10 http://www.risc.uni-linz.ac.at/about/conferences/ppdp2010/ 2010 Hagenberg, Austria 5th International Workshop on Higher-Order Rewriting HOR'10 http://hor.pps.jussieu.fr/10/ 2010 Edinburgh, Scotland COPLAS, ITU Copenhagen http://www.coplas.org/ 2010 Dagstuhl Seminar #10351 http://www.dagstuhl.de/10351/ 2010 15th ACM SIGPLAN International Conference on Functional Programming ICFP'10 http://www.icfpconference.org/icfp2010/ 2010 Baltimore, MD, USA First International Workshop on Relations and Data Integrity Constraints and Languages RADICAL'10 http://research.microsoft.com/en-us/um/people/adg/RADICAL2010/ 2010 Cambridge, England MIT PL Working Group MIT PL Working Group http://people.csail.mit.edu/jeanyang/pl/ 2010 Cambridge, MA, USA Third International Workshop on Graph Computation Models GCM'10 http://gcm-events.org/gcm2010/ 2010 Enschede, The Netherlands 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'11 http://www.cse.psu.edu/popl/11/ 2011 Austin, TX, USA Twelfth International Conference on Verification, Model Checking, and Abstract Interpretation VMCAI'11 http://vmcai11.cis.ksu.edu/ 2011 Austin, TX, USA 20th European Symposium on Programming ESOP'11 http://software.imdea.org/~gbarthe/esop11/ 2011 Saarbrücken, Germany 22nd International Conference on Rewriting Techniques and Applications RTA'11 http://www.rdp2011.uns.ac.rs/rta/ 2011 ACM SIGPLAN 2011 Conference on Programming Language Design and Implementation PLDI'11 http://pldi11.cs.utah.edu/ 2011 San Jose, CA, USA UC Berkeley UC Berkeley 2011 Berkeley, CA, USA Workshop on Foundations of Computer Security FCS'11 http://www.di.ens.fr/~blanchet/fcs11/ 2011 Toronto, ON, Canada Syntax and Semantics of Low-Level Languages LOLA'11 http://flint.cs.yale.edu/lola2011/ 2011 Toronto, ON, Canada IBM Watson Research Center IBM Watson Research Center 2011 Hawthorne, NY, USA CSAIL Student Workshop CSAIL Student Workshop http://projects.csail.mit.edu/csw/2011/ 2011 Beverly, MA, USA The Third Coq Workshop Coq-3 http://www.cs.ru.nl/~spitters/coqw.html 2011 Nijmegen, Holland 6th International Workshop on Systems Software Verification SSV'11 https://es.fbk.eu/events/ssv2011/ 2011 Nijmegen, Holland 16th ACM SIGPLAN International Conference on Functional Programming ICFP'11 http://www.icfpconference.org/icfp2011/ 2011 Tokyo, Japan 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'12 http://www.cse.psu.edu/popl/12/ 2012 Philadelphia, PA, USA 7th ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'12 http://www.cis.upenn.edu/~bcpierce/tldi12/ 2012 Philadelphia, PA, USA Fourth International Conference on Verified Software: Theories, Tools, and Experiments VSTTE'12 https://sites.google.com/site/vstte2012/ 2012 Philadelphia, PA, USA 24th International Conference on Computer Aided Verification CAV'12 http://cav12.cs.illinois.edu/ 2012 Berkeley, CA, USA The Fourth Coq Workshop Coq-4 http://coq.inria.fr/coq-workshop/2012 2012 Princeton, NJ, USA 15th International Conference on Foundations of Software Science and Computation Structures FoSSaCS'12 http://www.itu.dk/research/fossacs-2012/ 2012 Tallinn, Estonia Interactive Theorem Proving - Third International Conference ITP'12 http://www.cs.princeton.edu/~eberinge/itp12/web/Home.html 2012 Princeton, NJ, USA 7th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice LFMTP'12 http://people.csail.mit.edu/adamc/lfmtp12/ 2012 Copenhagen, Denmark 16th International Conference on Foundations of Software Science and Computation Structures FoSSaCS'13 http://www.informatik.uni-trier.de/~ley/db/conf/fossacs/ 2013 ? Journal of the ACM JACM http://jacm.acm.org/ Journal of Functional Programming JFP http://journals.cambridge.org/jid_JFP Journal of Formalized Reasoning JFR http://jfr.cib.unibo.it/ ACM Transactions on Programming Languages and Systems TOPLAS http://www.cs.utexas.edu/toplas/ IEEE Embedded Systems Letters ESL http://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=4563995 Journal of Automated Reasoning JAR http://www.springerlink.com/content/100280/ Information Processing Letters IPL http://www.elsevier.com/locate/ipl Higher-Order and Symbolic Computation HOSC http://cs.au.dk/~hosc/ Science of Computer Programming SCP http://www.journals.elsevier.com/science-of-computer-programming/ http://adam.chlipala.net/cpdt/ To appear from MIT Press. Available online under a Creative Commons license.

Excerpts from CPDT

Excerpts from CPDT Computer proof assistants vary along many dimensions. Among the mature implementations, the Coq system is distinguished by two key features. First, we have support for programming with dependent types in the tradition of type theory, based on dependent function types and inductive type families. Second, we have a domain-specific language for coding correct-by-construction proof automation. Though the Coq user community has grown quite large, neither of the aspects I highlight is widely used. In this tutorial, I aim to provide a pragmatic introduction to both, showing how they can bring significant improvements in productivity.

Extended version of my ICFP'06 paper

Extended version of my ICFP'06 paper I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checked proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of the development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

A constructive proof that automating separation logic proofs for systems code is easy, despite claims to the contrary coming from SMT solver-centric perspectives. ;-) Specifically, this paper introduced Bedrock, a Coq library for foundational verification of code at the assembly level of abstraction. A mostly-automated separation logic prover uses a modest amount of programmer annotation to drive verification of examples like imperative data structures and a cooperative threading library.

Several recent projects have shown the feasibility of verifying low-level systems software. Verifications based on automated theorem-proving have omitted reasoning about first-class code pointers, which is critical for tasks like certifying implementations of threads and processes. Conversely, verifications that deal with first-class code pointers have featured long, complex, manual proofs. In this paper, we introduce the Bedrock framework, which supports mostly-automated proofs about programs with the full range of features needed to implement, e.g., language runtime systems. The heart of our approach is in mostly-automated discharge of verification conditions inspired by separation logic. Our take on separation logic is computational, in the sense that function specifications are usually written in terms of reference implementations in a purely functional language. Logical quantifiers are the most challenging feature for most automated verifiers; by relying on functional programs (written in the expressive language of the Coq proof assistant), we are able to avoid quantifiers almost entirely. This leads to some dramatic improvements compared to both the state of the art in classical verification, which we compare against with implementations of data structures like binary search trees and hash tables; and the state of the art in verified programming with code pointers, which we compare against with examples like function memoization and a cooperative threading library. Software/proof source code Slides are available from my talk at PLDI'11 [OpenOffice, PDF].

Static analysis for security policies for Ur/Web applications, based on the key new idea of representing policies as SQL queries. The analysis follows the well-trod path of symbolic evaluation and automated first-order-logic theorem-proving.

We present a system for sound static checking of security policies for database-backed Web applications. Our tool checks a combination of access control and information flow policies, where the policies vary based on database contents. For instance, one or more database tables may represent an access control matrix, controlling who may read or write which cells of these and other tables. Using symbolic evaluation and automated theorem-proving, our tool checks these policies statically, requiring no program annotations (beyond the policies themselves) and adding no run-time overhead. Specifications come in the form of SQL queries as policies: for instance, an application's confidentiality policy is a fixed set of queries, whose results provide an upper bound on what information may be released to the user. To provide user-dependent policies, we allow queries to depend on what secrets the user knows. We have used our prototype implementation to check several programs representative of the data-centric Web applications that are common today. From the OSDI'10 talk: slides in OpenOffice and PDF formats; video Project web site

A first paper about Ur, focusing on the metaprogramming aspect: we can write generic programs that write programs, based on inputs like database schemas, summaries of HTML form configurations, etc., and we can type-check our generators statically without needing to write any proof terms.

Dependent types provide a strong foundation for specifying and verifying rich properties of programs through type-checking. The earliest implementations combined dependency, which allows types to mention program variables; with type-level computation, which facilitates expressive specifications that compute with recursive functions over types. While many recent applications of dependent types omit the latter facility, we argue in this paper that it deserves more attention, even when implemented without dependency. In particular, the ability to use functional programs as specifications enables statically-typed metaprogramming: programs write programs, and static type-checking guarantees that the generating process never produces invalid code. Since our focus is on generic validity properties rather than full correctness verification, it is possible to engineer type inference systems that are very effective in narrow domains. As a demonstration, we present Ur, a programming language designed to facilitate metaprogramming with first-class records and names. On top of Ur, we implement Ur/Web, a special standard library that enables the development of modern web applications. Ad-hoc code generation is already in wide use in the popular web application frameworks, and we show how that generation may be tamed using types, without forcing metaprogram authors to write proofs or forcing metaprogram users to write any fancy types. Project web site Slides are available from my talk at PLDI'10 [OpenOffice, PDF].

A case study in verifying a compiler to an idealized assembly language from an untyped source language with most of the key dynamic features of ML: functions, products, sums, mutable references, and value-carrying exceptions. Syntax is encoded with parametric higher-order abstract syntax (PHOAS), which makes it possible to avoid almost all bookkeeping having to do with binders and fresh name generation. The semantics of the object languages are encoded in a new substitution-free style. All of the proofs are automated with tactic programs that can keep working even after changing the definitions of the languages.

We present a verified compiler to an idealized assembly language from a small, untyped functional language with mutable references and exceptions. The compiler is programmed in the Coq proof assistant and has a proof of total correctness with respect to big-step operational semantics for the source and target languages. Compilation is staged and includes standard phases like translation to continuation-passing style and closure conversion, as well as a common subexpression elimination optimization. In this work, our focus has been on discovering and using techniques that make our proofs easy to engineer and maintain. While most programming language work with proof assistants uses very manual proof styles, all of our proofs are implemented as adaptive programs in Coq's tactic language, making it possible to reuse proofs unchanged as new language features are added. In this paper, we focus especially on phases of compilation that rearrange the structure of syntax with nested variable binders. That aspect has been a key challenge area in past compiler verification projects, with much more effort expended in the statement and proof of binder-related lemmas than is found in standard pencil-and-paper proofs. We show how to exploit the representation technique of parametric higher-order abstract syntax to avoid the need to prove any of the usual lemmas about binder manipulation, often leading to proofs that are actually shorter than their pencil-and-paper analogues. Our strategy is based on a new approach to encoding operational semantics which delegates all concerns about substitution to the meta language, without using features incompatible with general-purpose type theories like Coq's logic. Software/proof source code and documentation Slides are available from my talks at POPL'10 [OpenOffice, PDF] and WMM'09 [OpenOffice, PDF].

An approach to automating correctness proofs about higher-order, imperative programs in Coq, based on an extensible simplifier for separation logic formulas

We present a new approach for constructing and verifying higher-order, imperative programs using the Coq proof assistant. We build on the past work on the Ynot system, which is based on Hoare Type Theory. That original system was a proof of concept, where every program verification was accomplished via laborious manual proofs, with much code devoted to uninteresting low-level details. In this paper, we present a re-implementation of Ynot where verified imperative programming need not be much harder than programming in Haskell. At the same time, our new system is implemented entirely in Coq source files, showcasing the versatility of that proof assistant as a platform for research on language design and verification. Both versions of the system have been evaluated with case studies in the verification of imperative data structures, such as hash tables with higher-order iterators. The verification burden in our new system is reduced by at least an order of magnitude compared to the old system, by replacing manual proof with automation. The core of the automation is a simplification procedure for implications in higher-order separation logic, with hooks that allow programmers to add domain-specific simplification rules. We argue for the effectiveness of our infrastructure by verifying a number of data structures and a packrat parser, and we compare to similar efforts within other projects. Compared to competing approaches to data structure verification, our system includes much less code that must be trusted; namely, about a hundred lines of Coq code defining a program logic. All of our theorems and decision procedures have or build machine-checkable correctness proofs from first principles, removing opportunities for tool bugs to create faulty verifications. From the ICFP'09 talk: slides in OpenOffice and PDF formats; skeleton and final solution for the demo; video Project web site

A new trick for encoding variable binders in Coq, along with an exploration of its consequences: almost trivial syntax and type-theoretic semantics for languages including such features as polymorphism and complicated binding structure (e.g., ML-style pattern matching); almost trivial type preservation proofs for compiler passes that don't need intensional analysis of variables; mostly-automated semantic correctness proofs about those passes, by way of adding an axiom to make the parametricity of CIC usable explicitly in proofs; and the ability to drop down to more traditional syntactic representations for more arduous but feasible proofs of the same properties, when intensional variable analysis is needed.

We present parametric higher-order abstract syntax (PHOAS), a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higher-order abstract syntax (HOAS), PHOAS uses the meta language's binding constructs to represent the object language's binding constructs. Unlike HOAS, PHOAS types are definable in general-purpose type theories that support traditional functional programming, like Coq's Calculus of Inductive Constructions. We walk through how Coq can be used to develop certified, executable program transformations over several statically-typed functional programming languages formalized with PHOAS; that is, each transformation has a machine-checked proof of type preservation and semantic preservation. Our examples include CPS translation and closure conversion for simply-typed lambda calculus, CPS translation for System F, and translation from a language with ML-style pattern matching to a simpler language with no variable-arity binding constructs. By avoiding the syntactic hassle associated with first-order representation techniques, we achieve a very high degree of proof automation. Software/proof source code and documentation Slides are available from my ICFP talk in OpenOffice and PDF formats.

A compiler for a tiny statically-typed functional programming language, implemented in Coq with a proof of correctness. The main interesting bits are my use of dependently-typed abstract syntax and denotational semantics, along with some engineering tricks for making the task manageable.

We present a certified compiler from the simply-typed lambda calculus to assembly language. The compiler is certified in the sense that it comes with a machine-checked proof of semantics preservation, performed with the Coq proof assistant. The compiler and the terms of its several intermediate languages are given dependent types that guarantee that only well-typed programs are representable. Thus, type preservation for each compiler pass follows without any significant "proofs" of the usual kind. Semantics preservation is proved based on denotational semantics assigned to the intermediate languages. We demonstrate how working with a type-preserving compiler enables type-directed proof search to discharge large parts of our proof obligations automatically. Software/proof source code and documentation Slides are available from my PLDI talk in OpenOffice and PDF formats. Slides are also available from a talk I gave at the Projet Gallium seminar at INRIA Rocquencourt, in OpenOffice and PDF formats.

I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product. Software/proof source code and documentation Talk slides available in OpenOffice and PDF formats.

We propose a new technique in support of the construction of efficient Foundational Proof-Carrying Code systems. Instead of suggesting that pieces of mobile code come with proofs of their safety, we instead suggest that they come with executable verifiers that can attest to their safety, as in our previous work on the Open Verifier. However, in contrast to that previous work, here we do away with any runtime proof generation by these verifiers. Instead, we require that the verifier itself is proved sound. To support this, we present a novel technique for extracting proof obligations about ML programs. Using this approach, we are able to demonstrate the first foundational verification technique for Typed Assembly Language with performance comparable to that of the traditional, uncertified TAL type checker.

A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code. Talk slides available in OpenOffice and PDF formats.

We describe how to use the BLAST model checker to generate program test suites that achieve full coverage with respect to a given set of predicates.

We have extended the software model checker Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, Blast determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used Blast to generate test suites and to detect dead code in C programs with up to 30K lines of code. The analysis and test-vector generation is fully automatic (no user intervention) and exact (no false positives).

Some thoughts on how Coq is actually in pretty good shape to use today for non-trivial programming with dependent types

Today the reigning opinion about computer proof assistants based on constructive logic (even from some of the developers of these tools!) is that, while they are very helpful for doing math, they are an absurdly heavy-weight solution to use for practical programming. Yet the Curry-Howard isomorphism foundation of proof assistants like Coq gives them clear interpretations as programming environments. My purpose in this position paper is to make the general claim that Coq is already quite useful today for non-trivial certified programming tasks, as well as to highlight some reasons why you might want to consider using it as a base for your next project in dependently-typed programming. Talk slides available in OpenOffice and PDF formats.

We show how to combine the interactive proof assistant Coq and the Nelson-Oppen-style automated first-order theorem prover Kettle in a synergistic way. We do this with a Kettle tactic for Coq that uses theory-specific reasoning to simplify goals based on automatically chosen case analyses, returning to the user as subgoals the cases it couldn't prove automatically. The process can then be repeated recursively, using Coq's tactical language as a very expressive extension of the matching strategies found in provers like Simplify. We also discuss how to encode specialized first-order proofs efficiently in Coq using proof by reflection.

We propose a mechanism for semi-automated proving of theorems, using a tactic for the Coq proof assistant that consults a proof-generating Nelson-Oppen-style automated prover. Instead of simply proving or failing to prove a goal, our tactic decides on relevant case splits using theory-specific axioms, proves some of the resulting cases, and returns the remainder to the Coq user as subgoals. These subgoals can then be proved using inductions and lemma instantiations that are beyond the capabilities of the automated prover. We show that the Coq tactic language provides an excellent way to script this process to an extent not supported by current Nelson-Oppen provers. Like with any Coq proof, a separately checkable proof term in a core calculus is produced at the end of any successful proving session where our method is used, and we take advantage of the ``proof by reflection'' technique to translate the specialized first-order proofs of the automated prover into compact Coq representations. Talk slides available in OpenOffice and PDF formats.

We propose a new framework for the construction of trustworthy program verifiers. The Open Verifier architecture can be viewed as an optimized Foundational Proof-Carrying Code toolkit. Instead of proposing that code producers send proofs of safety with all of their programs, we instead suggest that they send re-usable proof-generating verifiers. The proofs are generated in an online fashion via a novel interaction scheme between the untrusted verifier and the trusted core of the system.

We present the Open Verifier approach for verifying untrusted code using customized verifiers. This approach can be viewed as an instance of foundational proof-carrying code where an untrusted program can be checked using the verifier most natural for it instead of using a single generic type system. In this paper we focus on a specialized architecture designed to reduce the burden of expressing both type-based and Hoare-style verifiers. A new verifier is created by providing an untrusted executable extension module, which can incorporate directly pre-existing non-foundational verifiers based on dataflow analysis or type checking. The extensions control virtually all aspects of the verification by carrying on a dialogue with the Open Verifier using a language designed both to correspond closely to common verification actions and to carry simple adequacy proofs for those actions. We prove the soundness of the framework, and we describe our experience implementing proof-carrying code, typed assembly language, and dataflow or abstract interpretation based verifiers in this unified setting.

A new approach to checking assembly programs in a way similar to that used in the Java Bytecode Verifier. We introduce a novel mixed type/value technique that makes it tractable to deal with some of the "dependent typing" issues that come up. We also present results on using this technique to help students in an undergraduate compilers class debug their class projects.

It is a common belief that certifying compilation, which typically verifies the well-typedness of compiler output, can be an effective mechanism for compiler debugging, in addition to ensuring basic safety properties. Bytecode verification is a fairly simple example of this approach and derives its simplicity in part by compiling to carefully crafted high-level bytecodes. In this paper, we seek to push this method to native assembly code, while maintaining much of the simplicity of bytecode verification. Furthermore, we wish to provide experimental confirmation that such a tool can be accessible and effective for compiler debugging. To achieve these goals, we present a type-based data-flow analysis or abstract interpretation for assembly code compiled from a Java-like language, and evaluate its bug-finding efficacy on a large set of student compilers.

We present a type system that is useful in saving type annotation space in intermediate language terms expressed in the restricted form called "A-normal form" or "one-half CPS." Our approach imports ideas from strict logic, which is based on the idea of hypotheses that must be used at least once. The resulting system is relevant to the efficiency of type-preserving compilers.

Completely annotated lambda terms (such as are arrived at via the straightforward encodings of various types from System F) contain much redundant type information. Consequently, the completely annotated forms are almost never used in practice, since partially annotated forms can be defined which still allow syntax directed typechecking. An additional optimization that is used in some proof and type systems is to take advantage of the context of occurrence of terms to further elide type information using bi-directional typechecking rules. While this technique is generally effective, we show that there exist bi-directional terms which exhibit asymptotic increases in the size of their type decorations when sequentialized into a named-form calculus (a common first step in compilation). In this paper, we introduce a refinement of the bi-directional type system based on strict logic which allows additional type decorations to be eliminated, and show that it is well-behaved under sequentialization.

A poster about certified program verifiers in Coq

Abstract about a poster on certified program verifiers in Coq You can download the poster in OpenOffice or PDF format.

We describe a system that combines security automaton-based program specification with a facility for relational-style queries about the possible execution paths of a program.

Blast is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications. UCB/EECS-2007-147 2007

How to do dependently-typed generation of proofs about programming language syntax and semantics

We present a system for both the generic programming of operations that work over classes of tree-structured data types and the automatic generation of formal type-theoretical proofs about such operations. The system is implemented in the Coq proof assistant, using dependent types to validate code and proof generation statically, quantified over all possible input data types. We focus on generic programming of variable-manipulating operations, such as substitution and free variable set calculation, over abstract syntax tree types implemented as GADTs that combine syntax and typing rules. By accompanying these operations with generic lemmas about their interactions, we significantly ease the burden of formalizing programming language metatheory. Our implementation strategy, based on proof by reflection, requires users to trust none of its associated code to be able to trust in the validity of theorems derived with it. Slides are available from a talk I gave at WMM'07, in OpenOffice and PDF formats. UCB/EECS-2007-113 2007

My PhD dissertation, re-presenting the work on certified program verifiers (from ICFP'06) and certified compilers (from PLDI'07)

I present two case studies supporting the assertion that type-based methods enable effective certified programming. By certified programming, I mean the development of software with formal, machine-checked total correctness proofs. While the classical formal methods domain is most commonly concerned with after-the-fact verification of programs written in a traditional way, I explore an alternative technique, based on using dependent types to integrate correctness proving with programming. I have chosen the Coq proof assistant as the vehicle for these experiments. Throughout this dissertation, I draw attention to features of formal theorem proving tools based on dependent type theory that make such tools superior choices for certified programming, compared to their competition. In the first case study, I present techniques for constructing certified program verifiers. I present a Coq toolkit for building foundational memory safety verifiers for x86 machine code. The implementation uses rich specification types to mix behavioral requirements with the traditional types of functions, and I mix standard programming practice with tactic-based interactive theorem proving to implement programs of these types. I decompose verifier implementations into libraries of components, where each component is implemented as a functor that transforms a verifier at one level of abstraction into a verifier at a lower level. I use the toolkit to assemble a verifier for programs that use algebraic datatypes using only several hundred lines of code specific to its type system. The second case study presents work in certified compilers. I focus in particular on type-preserving compilation, where source-level type information is preserved through several statically-typed intermediate languages and used at runtime for such purposes as guiding a garbage collector. I suggest a novel approach to mechanizing the semantics of programming languages, based on dependently-typed abstract syntax and denotational semantics. I use this approach to certify a compiler from simply-typed lambda calculus to an idealized assembly language that interfaces with a garbage collector through tables listing the appropriate root registers for different program points. Significant parts of the proof effort are automated using type-driven heuristics. I also present a generic programming system for automating construction of syntactic helper functions and their correctness proofs, based on an implementation technique called proof by reflection. UCB/EECS-2006-120 2006

An overview of a work-in-progress functional programming language that puts dependent types and theorem proving to work to make it easier to write concise and maintainable web applications

I introduce a new functional programming language, called Laconic/Web, for rapid development of web applications. Its strong static type system guarantees that entire sequences of interaction with these applications ``can't go wrong.'' Moreover, a higher-order dependent type system is used to enable statically-checked metaprogramming. In contrast to most dependently-typed programming languages, Laconic/Web can be used by programmers with no knowledge of proof theory. Instead, more expert developers develop libraries that extend the Laconic/Web type checker with type rewrite rules that have proofs of soundness. I compare Laconic/Web against Ruby on Rails, the most well-known representative of a popular class of Web application frameworks based around dynamic languages and runtime reflection, and show that my approach leads both to more concise programs and to better runtime efficiency. Project web site UCB/ERL M05/32 2005

This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.

A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code. This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples. MS Project Report UCB/ERL M04/41 2004

A summary of my experiences developing a proof-generating TAL type checker within the Open Verifier framework. In the style of Foundational PCC, the soundness of this verifier and the proofs it generates is based on no assumptions about the TAL type system. This was one of the first projects to consider the runtime performance of Foundational PCC-style verification.

I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not on any axioms specific to a type system. This experiment served to evaluate both the expressiveness of the Open Verifier architecture and the quality of its support for simplifying the construction of verifiers. I discuss issues of proof generation that are generally not the focus of previous efforts for foundational checking of TAL, and I contrast with these past approaches the sort of logical formalization that is natural in the context of the Open Verifier. My approach is novel in that it uses direct reasoning about concrete machine states where past approaches have formalized typed abstract machines and proved their correspondence with concrete machines. I also describe a new approach to modeling higher-order functions that uses only first-order logic. 10 papers published at peer-reviewed scholarly conferences; 5 at workshops; 2 journal articles invited talk invited tutorial http://adam.chlipala.net/msfp10/ invited talk invited talk invited talk http://www.impredicative.com/ur/defun09/ invited talk Doctor of Philosophy (PhD) in Computer Science PhD, MS, Computer Science 8 2003 9 2007 4.0 Master of Science (MS) in Computer Science MS, Computer Science 12 2004 Bachelor of Science (BS) in Computer Science with a minor in Mathematical Sciences and University Honors BS, Computer Science 8 2000 5 2003 4.0 High school diploma 9 1996 6 2000 MIT 7 2011 Harvard University 6 2008 6 2011 Led a reimplementation of the Ynot system, with a focus on proof automation Research on cost-effective program verification certified programming class, Harvard University 9 2008 1 2009 Jane Street Capital 9 2007 4 2008 UC Berkeley CS Division 9 2003 8 2007 Investigated implementation of program verification tools with proofs of correctness, using dependent types in the Coq proof assistant Implemented infrastructure for the Open Verifier and Certified Program Verifiers systems Developed untrusted plug-ins for memory safety of x86 Typed Assembly Language for those systems, including soundness proofs in the Coq proof assistant computer theorem proving class, UC Berkeley CS Division 8 2006 12 2006 Microsoft Research Redmond 6 2005 8 2005 Designed and implemented an extensible bytecode verifier based on linear logic, and used this verifier to check properties such as manual memory management and message-passing protocols for untrusted process code in the Singularity operating system 1 2005 5 2005 Ran discussion sections Graded weekly homework assignments Held office hours 6 2003 8 2003 Implemented processing for an intuitive language for specifying safety properties of C programs to be verified by the BLAST model checker Implemented context-free reachability to extend BLAST to verify recursive programs CMU CS Department 6 2002 5 2003 Implemented improvements to the mid-level intermediate language of the TILT compiler, along with assorted optimizations Studied the problem of efficient type-checking of ML-like intermediate languages in flattened forms analogous to traditional compiler intermediate languages ML programming class, CMU CS Department 1 2002 5 2002 Taught a weekly recitation section Created homework assignments and exam questions Held weekly office hours Graded assignments and exams 6 2001 8 2001 Developed a database-driven intranet web site to facilitate technology transfer between research and development Trifecta Technologies 1998 2000 Designed and coded business and presentation logic for electronic commerce web sites using IBM WebSphere Commerce Suite National Defense Science and Engineering Graduate Fellowship http://ndseg.asee.org/ 2004 National Science Foundation Graduate Research Fellowship http://www.nsfgrfp.org/ 2004 California Microelectronics Fellowship 8 2003 5 2004 Phi Kappa Phi http://www.phikappaphi.org/ Phi Beta Kappa http://www.pbk.org/ National Science Foundation Graduate Research Fellowship http://www.nsfgrfp.org/ 2003 Andrew Carnegie Scholarship http://my.cmu.edu/site/admission/menuitem.18c40008673813c019300710d4a02008/ 8 2000 5 2003 Summer School on Software Security: Theory to Practice http://www.cs.uoregon.edu/Activities/summerschool/summer04/ 6 2004 Ur/Web, a domain-specific programming language design and implementation supporting metaprogramming of web applications with strong static guarantees Cooperative Internet hosting tools, including DomTool, a domain-specific language in support of shared UNIX system configuration by mutually-untrusting users Dynamic web site tools for Standard ML, including separately usable libraries for accessing SQL databases Founder of HCoop, Inc., a democratically-run Internet hosting cooperative Main administrator and organizer, Teen Programmers Unite, 1997-2001 ML, Coq, C F#, Java, SQL, x86 and Z80 assembly languages Haskell, C++, XSLT Twelf, Scheme, Common Lisp, Prolog, C#, Visual Basic, UNIX shell scripting, Perl Apache, djbdns, Courier IMAP, Exim, Mailman, SpamAssassin