35 research outputs found
Type classes for efficient exact real arithmetic in Coq
Floating point operations are fast, but require continuous effort on the part
of the user in order to ensure that the results are correct. This burden can be
shifted away from the user by providing a library of exact analysis in which
the computer handles the error estimates. Previously, we [Krebbers/Spitters
2011] provided a fast implementation of the exact real numbers in the Coq proof
assistant. Our implementation improved on an earlier implementation by O'Connor
by using type classes to describe an abstract specification of the underlying
dense set from which the real numbers are built. In particular, we used dyadic
rationals built from Coq's machine integers to obtain a 100 times speed up of
the basic operations already. This article is a substantially expanded version
of [Krebbers/Spitters 2011] in which the implementation is extended in the
various ways. First, we implement and verify the sine and cosine function.
Secondly, we create an additional implementation of the dense set based on
Coq's fast rational numbers. Thirdly, we extend the hierarchy to capture order
on undecidable structures, while it was limited to decidable structures before.
This hierarchy, based on type classes, allows us to share theory on the
naturals, integers, rationals, dyadics, and reals in a convenient way. Finally,
we obtain another dramatic speed-up by avoiding evaluation of termination
proofs at runtime.Comment: arXiv admin note: text overlap with arXiv:1105.275
A Formal C Memory Model for Separation Logic
The core of a formal semantics of an imperative programming language is a
memory model that describes the behavior of operations on the memory. Defining
a memory model that matches the description of C in the C11 standard is
challenging because C allows both high-level (by means of typed expressions)
and low-level (by means of bit manipulation) memory accesses. The C11 standard
has restricted the interaction between these two levels to make more effective
compiler optimizations possible, on the expense of making the memory model
complicated.
We describe a formal memory model of the (non-concurrent part of the) C11
standard that incorporates these restrictions, and at the same time describes
low-level memory operations. This formal memory model includes a rich
permission model to make it usable in separation logic and supports reasoning
about program transformations. The memory model and essential properties of it
have been fully formalized using the Coq proof assistant
ReLoC Reloaded:A Mechanized Relational Logic for Fine-Grained Concurrency and Logical Atomicity
We present a new version of ReLoC: a relational separation logic for proving
refinements of programs with higher-order state, fine-grained concurrency,
polymorphism and recursive types. The core of ReLoC is its refinement judgment
, which states that a program refines a program
at type . ReLoC provides type-directed structural rules and symbolic
execution rules in separation-logic style for manipulating the judgment,
whereas in prior work on refinements for languages with higher-order state and
concurrency, such proofs were carried out by unfolding the judgment into its
definition in the model. ReLoC's abstract proof rules make it simpler to carry
out refinement proofs, and enable us to generalize the notion of logically
atomic specifications to the relational case, which we call logically atomic
relational specifications.
We build ReLoC on top of the Iris framework for separation logic in Coq,
allowing us to leverage features of Iris to prove soundness of ReLoC, and to
carry out refinement proofs in ReLoC. We implement tactics for interactive
proofs in ReLoC, allowing us to mechanize several case studies in Coq, and
thereby demonstrate the practicality of ReLoC.
ReLoC Reloaded extends ReLoC (LICS'18) with various technical improvements, a
new Coq mechanization, and support for Iris's prophecy variables. The latter
allows us to carry out refinement proofs that involve reasoning about the
program's future. We also expand ReLoC's notion of logically atomic relational
specifications with a new flavor based on the HOCAP pattern by Svendsen et al
Actris 2.0: Asynchronous Session-Type Based Reasoning in Separation Logic
Message passing is a useful abstraction for implementing concurrent programs.
For real-world systems, however, it is often combined with other programming
and concurrency paradigms, such as higher-order functions, mutable state,
shared-memory concurrency, and locks. We present Actris: a logic for proving
functional correctness of programs that use a combination of the aforementioned
features. Actris combines the power of modern concurrent separation logics with
a first-class protocol mechanism -- based on session types -- for reasoning
about message passing in the presence of other concurrency paradigms. We show
that Actris provides a suitable level of abstraction by proving functional
correctness of a variety of examples, including a channel-based merge sort, a
channel-based load-balancing mapper, and a variant of the map-reduce model,
using concise specifications. While Actris was already presented in a
conference paper (POPL'20), this paper expands the prior presentation
significantly. Moreover, it extends Actris to Actris 2.0 with a notion of
subprotocols -- based on session-type subtyping -- that permits additional
flexibility when composing channel endpoints, and that takes full advantage of
the asynchronous semantics of message passing in Actris. Soundness of Actris
2.0 is proven using a model of its protocol mechanism in the Iris framework. We
have mechanised the theory of Actris, together with custom tactics, as well as
all examples in the paper, in the Coq proof assistant.Comment: 60 pages, 24 figure
Actris: session-type based reasoning in separation logic
Message passing is a useful abstraction to implement concurrent programs. For real-world systems, however, it is often combined with other programming and concurrency paradigms, such as higher-order functions, mutable state, shared-memory concurrency, and locks. We present Actris: a logic for proving functional correctness of programs that use a combination of the aforementioned features. Actris combines the power of modern concurrent separation logics with a first-class protocol mechanism - based on session types - for reasoning about message passing in the presence of other concurrency paradigms. We show that Actris provides a suitable level of abstraction by proving functional correctness of a variety of examples, including a distributed merge sort, a distributed load-balancing mapper, and a variant of the map-reduce model, using relatively simple specifications. Soundness of Actris is proved using a model of its protocol mechanism in the Iris framework. We mechanised the theory of Actris, together with tactics for symbolic execution of programs, as well as all examples in the paper, in the Coq proof assistant.Programming Language
ReLoC Reloaded: A Mechanized Relational Logic for Fine-Grained Concurrency and Logical Atomicity
We present a new version of ReLoC: a relational separation logic for proving
refinements of programs with higher-order state, fine-grained concurrency,
polymorphism and recursive types. The core of ReLoC is its refinement judgment
, which states that a program refines a program
at type . ReLoC provides type-directed structural rules and symbolic
execution rules in separation-logic style for manipulating the judgment,
whereas in prior work on refinements for languages with higher-order state and
concurrency, such proofs were carried out by unfolding the judgment into its
definition in the model. ReLoC's abstract proof rules make it simpler to carry
out refinement proofs, and enable us to generalize the notion of logically
atomic specifications to the relational case, which we call logically atomic
relational specifications.
We build ReLoC on top of the Iris framework for separation logic in Coq,
allowing us to leverage features of Iris to prove soundness of ReLoC, and to
carry out refinement proofs in ReLoC. We implement tactics for interactive
proofs in ReLoC, allowing us to mechanize several case studies in Coq, and
thereby demonstrate the practicality of ReLoC.
ReLoC Reloaded extends ReLoC (LICS'18) with various technical improvements, a
new Coq mechanization, and support for Iris's prophecy variables. The latter
allows us to carry out refinement proofs that involve reasoning about the
program's future. We also expand ReLoC's notion of logically atomic relational
specifications with a new flavor based on the HOCAP pattern by Svendsen et al
Actris 2.0: Asynchronous Session-Type Based Reasoning in Separation Logic
Message passing is a useful abstraction for implementing concurrent programs.
For real-world systems, however, it is often combined with other programming
and concurrency paradigms, such as higher-order functions, mutable state,
shared-memory concurrency, and locks. We present Actris: a logic for proving
functional correctness of programs that use a combination of the aforementioned
features. Actris combines the power of modern concurrent separation logics with
a first-class protocol mechanism -- based on session types -- for reasoning
about message passing in the presence of other concurrency paradigms. We show
that Actris provides a suitable level of abstraction by proving functional
correctness of a variety of examples, including a channel-based merge sort, a
channel-based load-balancing mapper, and a variant of the map-reduce model,
using concise specifications. While Actris was already presented in a
conference paper (POPL'20), this paper expands the prior presentation
significantly. Moreover, it extends Actris to Actris 2.0 with a notion of
subprotocols -- based on session-type subtyping -- that permits additional
flexibility when composing channel endpoints, and that takes full advantage of
the asynchronous semantics of message passing in Actris. Soundness of Actris
2.0 is proven using a model of its protocol mechanism in the Iris framework. We
have mechanised the theory of Actris, together with custom tactics, as well as
all examples in the paper, in the Coq proof assistant