Verified programming with explicit coercions

Type systems have proved to be a powerful means of specifying and proving important program invariants. In dependently typed programming languages types can depend on values and hence express arbitrarily complicated propositions and their machine checkable proofs. The type-based approach to program specification allows for the programmer to not only transcribe their intentions, but arranges for their direct involvement in the proving process, thus aiding the machine in its attempt to satisfy difficult obligations. In this thesis we develop a series of patterns for programming in a correct-by-construction style making use of constraints and coercions to prove properties within a dependently typed host. This allows for the development of a verified, kernel which can be built upon using the host system features. In particular this should allow for the development of “tactics” or semiautomated solvers invoked when coercing types all within a single language. The efficacy of this approach is given by the development of a system of expressions indexed by their, exposing a case analysis feature serving to generate value constraints. These constraints are directly reflected into the host allowing for their involvement in the type-checking process. A motivating use case of this design shows how a term’s semantic index information admits an exact, formalized cost analysis amenable to reasoning within the host. Finally we show how such a system is used to identify unreachable dead-code, trivially admitting the design and verification of an SSA style compiler with this optimization. We think such a design of explicitly proving the local correctness of type-transformations in the presence of accumulated constraints can form the basis of a flexible language in concert with a variety of trusted solver

On Induction, Coinduction and Equality in Martin-L\uf6f and Homotopy Type Theory

Martin L\uf6f Type Theory, having put computation at the center of logicalreasoning, has been shown to be an effective foundation for proof assistants,with applications both in computer science and constructive mathematics. Oneambition though is for MLTT to also double as a practical general purposeprogramming language. Datatypes in type theory come with an induction orcoinduction principle which gives a precise and concise specification of theirinterface. However, such principles can interfere with how we would like toexpress our programs. In this thesis, we investigate more flexible alternativesto direct uses of the (co)induction principles.As a first contribution, we consider the n-truncation of a type in Homo-topy Type Theory. We derive in HoTT an eliminator into (n+1)-truncatedtypes instead of n-truncated ones, assuming extra conditions on the underlyingfunction.As a second contribution, we improve on type-based criteria for terminationand productivity. By augmenting the types with well-foundedness information,such criteria allow function definitions in a style closer to general recursion.We consider two criteria: guarded types, and sized types.Guarded types introduce a modality ”later” to guard the availability ofrecursive calls provided by a general fixed-point combinator. In Guarded Cu-bical Type Theory we equip the fixed-point combinator with a propositionalequality to its one-step unfolding, instead of a definitional equality that wouldbreak normalization. The notion of path from Cubical Type Theory allows usto do so without losing canonicity or decidability of conversion.Sized types, on the other hand, explicitly index datatypes with size boundson the height or depth of their elements. The sizes however can get in theway of the reasoning principles we expect. Our approach is to introduce newquantifiers for ”irrelevant” size quantification. We present a type theory withparametric quantifiers where irrelevance arises as a “free theorem”. We alsodevelop a conversion checking algorithm for a more specific theory where thenew quantifiers are restricted to sizes.Finally, our third contribution is about the operational semantics of typetheory. For the extensions above we would like to devise a practical conversionchecking algorithm suitable for integration into a proof assistant. We formal-ized the correctness of such an algorithm for a small but challenging corecalculus, proving that conversion is decidable. We expect this development toform a good basis to verify more complex theories.The ideas discussed in this thesis are already influencing the developmentof Agda, a proof assistant based on type theory

A TYPE ANALYSIS OF REWRITE STRATEGIES

Rewrite strategies provide an algorithmic rewriting of terms using strategic compositions of rewrite rules. Due to the programmability of rewrites, errors are often made due to incorrect compositions of rewrites or incorrect application of rewrites to a term within a strategic rewriting program. In practical applications of strategic rewriting, testing and debugging becomes substantially time-intensive for large programs applied to large inputs derived from large term grammars. In essence, determining which rewrite in what position in a term did or did not re comes down to logging, tracing and/or di -like comparison of inputs to outputs. In this thesis, we explore type-enabled analysis of strategic rewriting programs to detect errors statically. In particular, we introduce high-precision types to closely approximate the dynamic behavior of rewriting. We also use union types to track sets of types due to presence of strategic compositions. In this framework of high-precision strategic typing, we develop and implement an expressive type system for a representative strategic rewriting language TL. The results of this research are sufficiently broad to be adapted to other strategic rewriting languages. In particular, the type-inferencing algorithm does not require explicit type annotations for minimal impact on an existing language. Based on our experience with the implementation, the type system significantly reduces the time and effort to program correct rewrite strategies while performing the analysis on the order of thousands of source lines of code per second

Generación de monitores C embebidos para especificaciones Lola

En las últimas décadas se ha experimentado un gran crecimiento en el desarrollo de sistemas embebidos para diversas áreas de aplicación, muchas de las cuales involucran sistemas críticos donde resulta imprescindible proveer garantías de correctitud. Las técnicas de verificación formal clásicas, que permiten demostrar matemáticamente propiedades de correctitud de un modelo, si bien proveen garantías fuertes, pueden resultar imprácticas o incluso imposibles de aplicar en sistemas completos de escala industrial. Como respuesta a este problema, el área de Runtime Verification estudia cómo generar monitores a partir de especificaciones declarativas, con el objetivo de analizar la traza de una (única) ejecución para verificar su correctitud. Con el tiempo, fueron surgiendo enfoques más expresivos que permiten realizar análisis más complejos, como es el caso de Lola, un lenguaje de especificación junto con algoritmos para el monitoreo de sistemas síncronos. Desde su publicación en 2005, han surgido numerosos trabajos basados en este lenguaje. Uno de los más recientes es hLola, un lenguaje de dominio específico embebido en Haskell para escribir especificaciones junto con un motor para ejecutar los monitores. Esta implementación presenta varias características atractivas, entre las que se destaca la extensibilidad del lenguaje a nuevos tipos de datos, algo no muy habitual en la mayoría de los lenguajes de Runtime Verification. A partir de estos antecedentes y de la experiencia de uso del lenguaje C en sistemas críticos, esta tesina presenta un lenguaje de dominio específico embebido en Haskell, llamado MCLola, para la síntesis de monitores C a partir de especificaciones de alto nivel basadas en el lenguaje Lola