Ready, set, verify! applying hs-to-coq to real-world Haskell code (experience report)

@article{Breitner2018ReadySV,
  title={Ready, set, verify! applying hs-to-coq to real-world Haskell code (experience report)},
  author={Joachim Breitner and Antal Spector-Zabusky and Yao Li and Christine Rizkallah and John Wiegley and Stephanie Weirich},
  journal={Proceedings of the ACM on Programming Languages},
  year={2018},
  volume={2},
  pages={1 - 16}
}
Good tools can bring mechanical verification to programs written in mainstream functional languages. We use hs-to-coq to translate significant portions of Haskell’s containers library into Coq, and verify it against specifications that we derive from a variety of sources including type class laws, the library’s test suite, and interfaces from Coq’s standard library. Our work shows that it is feasible to verify mature, widely-used, highly optimized, and unmodified Haskell code. We also learn… 

Figures from this paper

Quickstrom: property-based acceptance testing with LTL specifications
TLDR
Quickstrom is a property-based testing system for acceptance testing of interactive applications that formally specify and test many implementations of the popular TodoMVC benchmark, used for evaluation and comparison across various web frontend frameworks and languages.
Embracing a mechanized formalization gap
TLDR
Core parts of the Haskell compiler GHC are translated into Coq, using hs-to-coq, and invariants related to the use of term variables are verified, to shrink and simplify the model until it is manageable, while still retaining a meaningful, declaratively documented connection to the original, unmodified source code.
A Multipurpose Formal RISC-V Specification
TLDR
This work sets out to identify the commonalities between projects and to represent the RISC-V specification as a program with holes that can be instantiated differently by different projects, and to serve as the interface between a processor-correctness proof and a compiler-Correctness proof.
An approach to translating Haskell programs to Agda and reasoning about them
TLDR
A library is developed that enables the translated Agda implementation to closely mirror the Haskell code on which it is based, thereby reducing the risk of translation errors and making it easier and more e-cient to review the translation for accu-racy.
Verifying effectful Haskell programs in Coq
TLDR
This paper considers ambient effects that may occur in Haskell, namely partiality, errors, and tracing, in detail and identifies a specific class of effects for which it cannot observe a difference between call-by-name and call- by-need.
Generic and flexible defaults for verified, law-abiding type-class instances
TLDR
It is observed that any algebraic data type has an equivalent representation type that is composed of simpler, smaller types that are simpler to prove theorems over and derived proofs for the original datatype by reusing the corresponding proof over the representation type.
Integration verification across software and hardware for a simple embedded system
TLDR
This work reports on the first verification of a realistic embedded system, with its application software, device drivers, compiler, and RISC-V processor represented inside the Coq proof assistant as one mathematical object, with a machine-checked proof of functional correctness.
Postcondition-preserving fusion of postorder tree transformations
TLDR
This work uses postconditions to define a more useful formal notion of successful fusion, namely postcondition-preserving fusion, and presents criteria that are sufficient to ensure post condition-preservation and facilitate modular reasoning about the success of fusion.
Experimenting with Monadic Equational Reasoning in Coq Reynald Affeldt
TLDR
This paper mechanize in the Coq proof-assistant an approach by Gibbons and Hinze for monadic equational reasoning, and gives a denotational semantics to a small imperative programming language with a combination of the state and trace monads.
A reasonably exceptional type theory
TLDR
RETT is the first full dependent type theory to support consistent reasoning about exceptional terms, and the CoqRETT plugin readily brings this ability to Coq programmers.
...
...

References

SHOWING 1-10 OF 80 REFERENCES
Total Haskell is reasonable Coq
TLDR
A tool is presented, named hs-to-coq, that translates total Haskell programs into Coq programs via a shallow embedding and proves that this approach is viable: both that it applies to existing Haskell code, and that the output it produces is amenable to verification.
Œuf: minimizing the Coq extraction TCB
Verifying systems by implementing them in the programming language of a proof assistant (e.g., Gallina for Coq) lets us directly leverage the full power of the proof assistant for verifying the
QuickCheck: a lightweight tool for random testing of Haskell programs
TLDR
Quick Check is a tool which aids the Haskell programmer in formulating and testing properties of programs, and can be automatically tested on random input, but it is also possible to define custom test data generators.
Proof-producing translation of higher-order logic into pure and stateful ML
TLDR
This paper extends the previous conference publication with new material that shows how functions defined in terms of a state-and-exception monad can be translated, with proofs, into stateful ML code.
Refinement types for Haskell
TLDR
A stratified type system that labels binders as potentially diverging or not, and that (circularly) uses refinement types to verify the labeling, that is able to prove 96% of all recursive functions terminating, while requiring a modest 1.7 lines of termination-annotations per 100 lines of code.
Refinement through restraint: bringing down the cost of verification
TLDR
A framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems, and allowing for equational reasoning about systems code written in Cogent, a restricted, polymorphic, higher-order, and purely functional language with linear types.
Verified low-level programming embedded in F*
TLDR
Low* is a shallow embedding of a small, sequential, well-behaved subset of C in F*, a dependently- typed variant of ML aimed at program verification, and its application to high-assurance optimized cryptographic libraries.
An overview of the Leon verification system: verification by translation to recursive functions
TLDR
A generational unrolling strategy for recursive templates that yields smaller satisfiable formulas and ensures completeness for counterexamples is described and it is shown that Leon successfully finds bugs or proves completeness of pattern matching as well as validity of function postconditions.
seL4: formal verification of an OS kernel
TLDR
To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
Dependent types and multi-monadic effects in F*
TLDR
A new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language that confirms F*'s pay-as-you-go cost model.
...
...