Verifying higher-order programs with the dijkstra monad

Modern programming languages, ranging from Haskell and ML, to JavaScript, C# and Java, all make extensive use of higher-order state. This paper advocates a new verification methodology for higher-order stateful programs, based on a new monad of predicate transformers called the Dijkstra monad. Using the Dijkstra monad has a number of benefits. First, the monad naturally yields a weakest pre-condition calculus. Second, the computed specifications are structurally simpler in several ways, e.g., single-state post-conditions are sufficient (rather than the more complex two-state post-conditions). Finally, the monad can easily be varied to handle features like exceptions and heap invariants, while retaining the same type inference algorithm. We implement the Dijkstra monad and its type inference algorithm for the F* programming language. Our most extensive case study evaluates the Dijkstra monad and its F* implementation by using it to verify JavaScript programs. Specifically, we describe a tool chain that translates programs in a subset of JavaScript decorated with assertions and loop invariants to F*. Once in F*, our type inference algorithm computes verification conditions and automatically discharges their proofs using an SMT solver. We use our tools to prove that a core model of the JavaScript runtime in F* respects various invariants and that a suite of JavaScript source programs are free of runtime errors.

[1]  John McCarthy,et al.  Towards a Mathematical Science of Computation , 1962, IFIP Congress.

[2]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[3]  Robert Cartwright,et al.  A Practical Formal Semantic Definition and Verification System for TYPED LISP , 1976, Outstanding Dissertations in the Computer Sciences.

[4]  Fritz Henglein,et al.  Dynamic Typing: Syntax and Proof Theory , 1994, Sci. Comput. Program..

[5]  Fritz Henglein,et al.  Safe Polymorphic Type Inference for Scheme: Translating Scheme to ML. , 1995 .

[6]  Fritz Henglein,et al.  Safe polymorphic type inference for a dynamically typed language: translating Scheme to ML , 1995, FPCA '95.

[7]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[8]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[9]  Robert Cartwright,et al.  Soft typing , 2004, SIGP.

[10]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[11]  Claude Marché,et al.  The Why/Krakatoa/Caduceus Platform for Deductive Program Verification , 2007, CAV.

[12]  Lars Birkedal,et al.  Abstract Predicates and Mutable ADTs in Hoare Type Theory , 2007, ESOP.

[13]  Patrick Maxim Rondon,et al.  Liquid types , 2008, PLDI '08.

[14]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[15]  J. G. Morrisett,et al.  Ynot: dependent types for imperative programs , 2008, ICFP.

[16]  Philippa Gardner,et al.  Local Hoare reasoning about DOM , 2008, PODS.

[17]  Lars Birkedal,et al.  Hoare type theory, polymorphism and separation1 , 2008, Journal of Functional Programming.

[18]  Benjamin Livshits,et al.  GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code , 2009, USENIX Security Symposium.

[19]  Peter Thiemann,et al.  Type Analysis for JavaScript , 2009, SAS.

[20]  Catalin Hritcu,et al.  Semantic subtyping with an SMT solver , 2010, ICFP '10.

[21]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[22]  K. Rustan M. Leino,et al.  A Polymorphic Intermediate Verification Language: Design and Logical Encoding , 2010, TACAS.

[23]  Nataliya Guts,et al.  Typechecking Higher-Order Security Libraries , 2010, APLAS.

[24]  Olin Shivers,et al.  CFA2: A Context-Free Approach to Control-Flow Analysis , 2010, ESOP.

[25]  Shriram Krishnamurthi,et al.  The Essence of JavaScript , 2010, ECOOP.

[26]  Andrew D. Gordon,et al.  Roles, Stacks, Histories: A Triple for Hoare , 2010, Reflections on the Work of C. A. R. Hoare.

[27]  Juan Chen,et al.  Type-preserving compilation of end-to-end verification of security enforcement , 2010, PLDI '10.

[28]  N. Swamy,et al.  Type-preserving compilation of end-to-end verification of security enforcement , 2010, PLDI '10.

[29]  Sam Tobin-Hochstadt,et al.  Logical types for untyped languages , 2010, ICFP '10.

[30]  Benjamin Livshits,et al.  Verified Security for Browser Extensions , 2011, 2011 IEEE Symposium on Security and Privacy.

[31]  Arthur Charguéraud,et al.  Characteristic formulae for the verification of imperative programs , 2011, ICFP.

[32]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2011, Journal of Functional Programming.

[33]  Michael Hicks,et al.  Lightweight monadic programming in ML , 2011, ICFP.

[34]  Olin Shivers,et al.  CFA2: A Context-Free Approach to Control-Flow Analysis , 2010, ESOP.

[35]  Juan Chen,et al.  Verifying stateful programs with substructural state and hoare types , 2011, PLPV '11.

[36]  Naoki Kobayashi,et al.  Predicate abstraction and CEGAR for higher-order model checking , 2011, PLDI '11.

[37]  Philippa Gardner,et al.  Towards a program logic for JavaScript , 2012, POPL '12.

[38]  Ravi Chugh,et al.  Nested refinements: a logic for duck typing , 2012, POPL '12.

[39]  Ravi Chugh,et al.  Dependent types for JavaScript , 2012, OOPSLA '12.

[40]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.