Liquid Haskell: Theorem Proving for All

Theorem Proving for All
Niki Vazou

take :: [a] -> Int -> [a]
> take [1,2,3] 2
> [1,2]
Haskell

> take [1,2,3] 500
> ???
take :: [a] -> Int -> [a]
Haskell

Reﬁnement Types
take :: xs:[a] -> {i:Int | i < len xs} -> [a]

> take [1,2,3] 500
> Refinement Type Error!
take :: xs:[a] -> {i:Int | i < len xs} -> [a]

II. Application: Speed up Parsing
III. Expressiveness: Theorem Proving
I. Static Checks: Fast & Safe CodeStatic Checks
Expressiveness

Buffer overread in OpenSSL. 2015
The Heartbleed Bug

module Data.Text where
take :: t:Text -> i:Int -> Text
> take "hat" 500
> *** Exception: Out Of Bounds!

take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take t i | i < len t
= Unsafe.take t i
take t i
Runtime Checks
Safe, but slow!

take i t
= Unsafe.take t i
take t i
No Checks
Fast, but unsafe!

No Checks
> take "hat" 500
> “hat584562594SOHNUL…
Overread
take i t
= Unsafe.take t i
take t i

take i t
= Unsafe.take t i
take t i
i < len t
Static Checks

take i t
= Unsafe.take t i
take t i
Static Checks
take :: t:Text -> i:{i < len t} -> Texti < len t

Static Checks
= Unsafe. = error “Out Of Bounds!”
take :: t:Text -> i:{i < len t} -> Text
take t i
= Unsafe.take t i

= Unsafe. = error “Out Of Bounds!”
take :: t:Text -> i:{i < len t} -> Text
take t i
= Unsafe.take t i
Static Checks
> take "hat" 500
Type Error

OK
Error
Code
Checks valid arguments, under facts.
Reﬁnement Types

take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
len x = 3 => v = 500 => v < len x

len x = 3 => v = 500 => v < len x
in take x 500

len x = 3 => v = 500 => v < len x
in take x 500
SMT-
query

len x = 3 => v = 500 => v < len x
in take x 500
SMT-
invalid

len x = 3 => v = 500 => v < len x
in take x 500
Checker reports Error

Checker reports Error
len x = 3 => v = 500 => v < len x
in take x 500
2
2
OK SMT-
valid

Static Checks
OK
Error
Code

I. Static Checks: Fast & Safe Code
Static Checks

Application: Speed up Parsing

II. Application: Speed up ParsingApplication: Speed up Parsing
DEMO

Provably Correct & Faster Code!
Application: Speed up Parsing
SMT-Automatic Veriﬁcation

SMT-Automatic Veriﬁcation
How expressive can we get?

III. Expressiveness: Theorem ProvingExpressiveness

Proof is in pen-and-paper :(
reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
Theorem: For any x,
Proof.
reverse [x] = [x]

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
Proof is not machine checked.
Theorem: For any x, reverse [x] = [x]
Proof.

reverse [x]
— obviously!
= [x]
QED
Proof.

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
Check it with Liquid Haskell!
Proof.

Theorems as Reﬁnement Types
Theorem:
For any x, reverse [x] = [x]
x:a ! { v:() | reverse [x] = [x] }
Reﬁnement Type:
SMT equality

x:a ! { reverse [x] = [x] }
Theorems as Reﬁnement Types
Theorem:
For any x, reverse [x] = [x]
Reﬁnement Type:

Proof.
reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
How to connect theorem with proof?

Proofs are programs
Theorems are types
— Curry & Howard

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
Proof as a Haskell function
singletonP :: x:a ! { reverse [x] = [x] }x:a ! { reverse [x] = [x] }
singletonP x
=
==. [x]
*** QED

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
singletonP x
= reverse [x]
==. reverse [] ++ [x]
==. [] ++ [x]
==. [x]
*** QED
Proof as a Haskell function

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
singletonP x
= reverse [x]
==. reverse [] ++ [x]
==. [] ++ [x]
==. [x]
*** QED
singletonP :: x:a ! { reverse [x] = [x] }
How to encode equality?

Equational Operator in (Liquid) Haskell
(==.) :: x:a -> y:{ a | x = y }
-> {v:a | v = x && v = y }
x ==. y = y
checks both arguments are equal
returns 2nd argument,
to continue the proof!

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
singletonP x
= reverse [x]
===. reverse [] ++ [x]
==. [] ++ [x]
==. [x]
*** QED

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
singletonP x
= reverse [x]
===. reverse [] ++ [x]
==. [] ++ [x]
==. [x]
*** QED
How to encode QED?

Deﬁne QED as data constuctor…
(***) :: a -> QED -> ()
_ *** QED = ()
data QED = QED
… that casts anything into a proof
(i.e., a unit value).

reverse [x]
= reverse [] ++ [x]
= [] ++ [x]
= [x]
QED
singletonP x
= reverse [x]
===. reverse [] ++ [x]
==. [] ++ [x]
==. [x]
*** QED
Theorem Proving in Haskell

Theorems are Types
Theorem Application is Function Call
singletonP 1 :: { reverse [1] = [1] }

singletonP1 :: { reverse [1] = [1] }
singletonP1
= reverse [1]
? singletonP 1
==. [1]
*** QED
Theorem Application is Function Call
(?) :: a -> () -> a
x ? _ = x

Reasoning about Haskell Programs in Haskell!
Equational operators (==., ?, QED, ***)
let us encode proofs as Haskell functions
checked by Liquid Haskell.

How to encode inductive proofs?
Reasoning about Haskell Programs in Haskell!

Theorem: For any list x, reverse (reverse x) = x.
Proof.
involutionP []
= reverse (reverse [])
— applying inner reverse
= reverse []
— applying reverse
= []
QED
involutionP (x:xs)
= reverse (reverse (x:xs))
= reverse (reverse xs ++ [x])
— distributivity on (reverse xs) [x]
= reverse [x] ++ reverse (reverse xs)
— involution on xs
= reverse [x] ++ xs
— singleton on x
= [x] ++ xs
— applying ++
= x:([] ++ xs)
— applying ++
= (x:xs)
QED
Base Case: Inductive Case:

Proof.
involutionP []
= reverse (reverse [])
= reverse []
= []
QED
involutionP (x:xs)
= reverse (reverse (x:xs))
= reverse [x] ++ xs
— singleton on x
= [x] ++ xs
— applying ++
= x:([] ++ xs)
— applying ++
= (x:xs)
QED
Base Case: Inductive Case:
Step 1: Deﬁne a recursive function!

Step 1: Deﬁne a recursive function!
Proof.
involutionP []
== reverse (reverse [])
= reverse []
= []
QED
involutionP (x:xs)
== reverse (reverse (x:xs))
= reverse [x] ++ xs
— singleton on x
= [x] ++ xs
— applying ++
= x:([] ++ xs)
— applying ++
= (x:xs)
QED
Step 2: Use equational operators

Proof.
involutionP []
==.=reverse (reverse [])
==. reverse []
==. []
*** QED
involutionP (x:xs)
==. reverse (reverse (x:xs))
==. reverse (reverse xs ++ [x])
==. reverse [x] ++ reverse (reverse xs)
==. reverse [x] ++ xs
— singleton on x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Step 3: Lemmata are function calls!Step 2: Use equational operators

Proof.
Step 3: Lemmata are function calls!
involutionP []
==. reverse []
==. []
*** QED
involutionP (x:xs)
? distributivityP (reverse xs) [x]
? involutionP xs
? singletonP x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED

Proof.
involutionP []
==. reverse []
==. []
*** QED
involutionP (x:xs)
? involutionP xs
? singletonP x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Note: Inductive hypothesis is recursive call!

Proof.
involutionP []
==. reverse []
==. []
*** QED
involutionP (x:xs)
? involutionP xs
? singletonP x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Question: Is the proof well founded?

Used to encode pen-and-pencil proofs
https://bit.ly/2yjvJo3
“Theorem Proving for All”, Haskell’18
and function optimizations.

“LWeb: Information Flow Security for
Multi-Tier Web Applications”, POPL’19
https://bit.ly/2EcyDAh
or even sophisticated security proofs.

“Liquidate your assets”
https://bit.ly/2Ht3uIG
or encode resource analysis.
To be presented at IMDEA:
by Martin Handley
Tue March 19 @10.45

But, proof interaction is missing.

I. Static Checks: Fast & Safe Code
Thanks!
@nikivazou

Liquid Haskell: Theorem Proving for All

More Related Content

What's hot (20)

Similar to Liquid Haskell: Theorem Proving for All (20)

More from Facultad de Informática UCM (20)

Recently uploaded (20)

Liquid Haskell: Theorem Proving for All