Slide 1

Slide 1 text

Refine your types! Romain Ruetschi 31.05.2018 Romain Ruetschi Refine your types! 31.05.2018 1 / 30

Slide 2

Slide 2 text

Two words about me Hi, my name is Romain Ruetschi, but you can also call me Romac. I am usually found online under various spellings of “romac”. Twitter: https://twitter.com/_romac GitHub: https://github.com/romac Homepage: https://romac.me Romain Ruetschi Refine your types! 31.05.2018 2 / 30

Slide 3

Slide 3 text

Refinement types Romain Ruetschi Refine your types! 31.05.2018 3 / 30

Slide 4

Slide 4 text

Outline Refinement types 1 A quick introduction 2 Under the hood 3 In the wild Romain Ruetschi Refine your types! 31.05.2018 4 / 30

Slide 5

Slide 5 text

A quick introduction A quick introduction Romain Ruetschi Refine your types! 31.05.2018 5 / 30

Slide 6

Slide 6 text

A quick introduction Types Int Romain Ruetschi Refine your types! 31.05.2018 6 / 30

Slide 7

Slide 7 text

A quick introduction Types Int Boolean Romain Ruetschi Refine your types! 31.05.2018 6 / 30

Slide 8

Slide 8 text

A quick introduction Types Int Boolean List[Int] Romain Ruetschi Refine your types! 31.05.2018 6 / 30

Slide 9

Slide 9 text

A quick introduction Types Int Boolean List[Int] List[A] → Int Romain Ruetschi Refine your types! 31.05.2018 6 / 30

Slide 10

Slide 10 text

A quick introduction Types 3 : Int Romain Ruetschi Refine your types! 31.05.2018 7 / 30

Slide 11

Slide 11 text

A quick introduction Types 3 : Int true : Boolean Romain Ruetschi Refine your types! 31.05.2018 7 / 30

Slide 12

Slide 12 text

A quick introduction Types 3 : Int true : Boolean List(1, 2, 3) : List[Int] Romain Ruetschi Refine your types! 31.05.2018 7 / 30

Slide 13

Slide 13 text

A quick introduction Types 3 : Int true : Boolean List(1, 2, 3) : List[Int] (xs: List[A]) => xs.length : List[A] → Int Romain Ruetschi Refine your types! 31.05.2018 7 / 30

Slide 14

Slide 14 text

A quick introduction Refinement types { x : T | p } Romain Ruetschi Refine your types! 31.05.2018 8 / 30

Slide 15

Slide 15 text

A quick introduction Refinement types { n : Int | n > 0 } Romain Ruetschi Refine your types! 31.05.2018 9 / 30

Slide 16

Slide 16 text

A quick introduction Refinement types { n : Int | n > 0 } { xs : List[A] | !xs.isEmpty } Romain Ruetschi Refine your types! 31.05.2018 9 / 30

Slide 17

Slide 17 text

A quick introduction Refinement types { n : Int | n > 0 } { xs : List[A] | !xs.isEmpty } { t : Tree | isBalanced(t) } Romain Ruetschi Refine your types! 31.05.2018 9 / 30

Slide 18

Slide 18 text

A quick introduction Refinement types { xs : List[A] | xs.length = 0} → A Romain Ruetschi Refine your types! 31.05.2018 10 / 30

Slide 19

Slide 19 text

A quick introduction Refinement types { xs : List[A] | xs.length = 0} → A List[A] → { n : Int | n ≥ 0} Romain Ruetschi Refine your types! 31.05.2018 10 / 30

Slide 20

Slide 20 text

A quick introduction Refinement types A → { n : Int | x ≥ 0} → { xs : List[A] | xs.length = n } Romain Ruetschi Refine your types! 31.05.2018 11 / 30

Slide 21

Slide 21 text

A quick introduction Relation with dependent types Not easy to precisely define either system. One view is that: With dependent types, types can refer to terms, the calculus is normalizing. With refinement types, types don’t necessarily need to be able to refer to terms, and the calculus does not need to be normalizing, because proofs are discharged to a solver. In practice, it is natural to allow refinement types to refer to terms. Romain Ruetschi Refine your types! 31.05.2018 12 / 30

Slide 22

Slide 22 text

A quick introduction Relation with dependent types, continued If we restrict ourselves to the view that dependent types ≈ Coq and refinement types ≈ LiquidHaskell, then: Dependent types are more expressive than refinement types, ie. one can model pretty much any kind of mathematics using dependent types, tactics, and manual proofs. Refinement types are more suited for automation, as predicates are drawn from a decidable logic, and proof obligations can thus be discharged to an SMT solver. Romain Ruetschi Refine your types! 31.05.2018 13 / 30

Slide 23

Slide 23 text

Under the hood Under the hood Romain Ruetschi Refine your types! 31.05.2018 14 / 30

Slide 24

Slide 24 text

Under the hood Subtyping Refinement types rest on the following notion of subtyping: Γ { x : A | p } { y : A | q } ⇔ Valid Γ ∧ p ⇒ q ⇔ CheckSat ¬( Γ ∧ p ⇒ q ) = UNSAT Romain Ruetschi Refine your types! 31.05.2018 15 / 30

Slide 25

Slide 25 text

Under the hood Subtyping (example) { val x: Int = 42 } { y: Int | y > x } { z: Int | z > 0 } ⇔ Valid (x = 42 ∧ y > x ∧ z = y) ⇒ z > 0) ⇔ CheckSat ¬((x = 42 ∧ y > x ∧ z = y) ⇒ z > 0) = UNSAT Romain Ruetschi Refine your types! 31.05.2018 16 / 30

Slide 26

Slide 26 text

Under the hood Contracts This function def f(x: Int { x > 0 }): { y: Int | y < 0 } = 0 - x is correct if { x: Int | x > 0 } { z: Int | z = 0 - x } { y: Int | y < 0 } ⇔ Valid (x > 0 ∧ (z = 0 − x) ∧ (y = z)) ⇒ y < 0 Romain Ruetschi Refine your types! 31.05.2018 17 / 30

Slide 27

Slide 27 text

Under the hood Solving constraints with SMT solvers Satisfiability Modulo Theories: Akin to a SAT solver with support for additional theories: algebraic data types, integer arithmetic, real arithmetic, bitvectors, sets, etc. Can choose from Z3, CVC4, Yices, Princess, and others. In practice, cannot just translate from the host language into SMT because of quantifiers, recursive functions, polymorphism, etc. Lots of work, difficult to get right (ie. sound and complete). Romain Ruetschi Refine your types! 31.05.2018 18 / 30

Slide 28

Slide 28 text

Under the hood Solving constraints with Inox2 1 Solver for higher-order functional programs which provides first-class support for features such as: 1 Recursive and first-class functions 2 ADTs, integers, bitvectors, strings, set-multiset-map abstractions 3 Quantifiers 4 ADT invariants 2 Implements a very involved unfolding strategy to deal with all of the above [1, 2, 3] 3 Interfaces with various SMT solvers (Z3, CVC4, Princess) 4 Powers Stainless, a verification system for Scala1 1https://github.com/epfl-lara/stainless 2https://github.com/epfl-lara/inox Romain Ruetschi Refine your types! 31.05.2018 19 / 30

Slide 29

Slide 29 text

Under the hood Write your own language with refinement types Demo Romain Ruetschi Refine your types! 31.05.2018 20 / 30

Slide 30

Slide 30 text

In the wild In the wild Romain Ruetschi Refine your types! 31.05.2018 21 / 30

Slide 31

Slide 31 text

In the wild LiquidHaskell Modern incarnation of refinement types for Haskell, ie. Liquid types [4] Refinement are quantifier-free predicates drawn from a decidable logic. [4] Type refinement are specified as comments in the source code. Romain Ruetschi Refine your types! 31.05.2018 22 / 30

Slide 32

Slide 32 text

In the wild LiquidHaskell Demo Romain Ruetschi Refine your types! 31.05.2018 23 / 30

Slide 33

Slide 33 text

In the wild F∗ General-purpose dialect of ML with effects aimed at program verification. Dependently-typed language with refinements, type checking done via an SMT solver. Can be extracted to efficient OCaml, F, or C code. Initially developed at Microsoft Research. Romain Ruetschi Refine your types! 31.05.2018 24 / 30

Slide 34

Slide 34 text

In the wild F∗ Part of Project Everest, an in-progress verified implementation of HTTPS, TLS, X.509, and cryptographic algorithms.3 3https://project-everest.github.io Romain Ruetschi Refine your types! 31.05.2018 25 / 30

Slide 35

Slide 35 text

In the wild Scala 3 (one day?) Ongoing effort by Georg Schmid to add refinement types to Dotty/Scala 3[5] Romain Ruetschi Refine your types! 31.05.2018 26 / 30

Slide 36

Slide 36 text

In the wild Acknowledgement Many thanks to Georg Schmid for his insights and for taking time to answer my questions. Go check out his work! [5] Romain Ruetschi Refine your types! 31.05.2018 27 / 30

Slide 37

Slide 37 text

In the wild Thanks! Romain Ruetschi Refine your types! 31.05.2018 28 / 30

Slide 38

Slide 38 text

In the wild References I [1] P. Suter, A. S. Köksal, and V. Kuncak, “Satisfiability modulo recursive programs,” in Proceedings of the 18th International Conference on Static Analysis, SAS’11, Springer-Verlag, 2011. [2] N. Voirol and V. Kuncak, “Automating verification of functional programs with quantified invariants,” p. 17, 2016. [3] N. Voirol and V. Kuncak, “On satisfiability for quantified formulas in instantiation-based procedures,” 2016. [4] R. Jhala, “Refinement types for haskell,” in Proceedings of the ACM SIGPLAN 2014 Workshop on Programming Languages Meets Program Verification, PLPV ’14, pp. 27–27, ACM, 2014. Romain Ruetschi Refine your types! 31.05.2018 29 / 30

Slide 39

Slide 39 text

In the wild References II [5] G. S. Schmid and V. Kuncak, “Smt-based checking of predicate-qualified types for scala,” in Proceedings of the 2016 7th ACM SIGPLAN Symposium on Scala, SCALA 2016, pp. 31–40, ACM, 2016. Romain Ruetschi Refine your types! 31.05.2018 30 / 30