Mining Maple Code for Contracts

Proceedings of the 13th Acm Sigplan International Conference, 2008

We describe an axiomatic extension to the Coq proof assistant, that supports writing, reasoning about, and extracting higher-order, dependently-typed programs with side-effects. Coq already includes a powerful functional language that supports dependent types, but that language is limited to pure, total functions. The key contribution of our extension, which we call Ynot, is the added support for computations that may have effects such as non-termination, accessing a mutable store, and throwing/catching exceptions. The axioms of Ynot form a small trusted computing base which has been formally justified in our previous work on Hoare Type Theory (HTT). We show how these axioms can be combined with the powerful type and abstraction mechanisms of Coq to build higher-level reasoning mechanisms which in turn can be used to build realistic, verified software components. To substantiate this claim, we describe here a representative series of modules that implement imperative finite maps, including support for a higherorder (effectful) iterator. The implementations range from simple (e.g., association lists) to complex (e.g., hash tables) but share a common interface which abstracts the implementation details and ensures that the modules properly implement the finite map abstraction.

Proceedings of the 2007 SIGPLAN workshop on Erlang Workshop - Erlang '07, 2007

We propose a small extension of the ERLANG language that allows programmers to specify contracts with type information at the level of individual functions. Such contracts are optional and they document the intended uses of functions. Contracts allow automatic documentation tools such as Edoc to generate better documentation and defect detection tools such as Dialyzer to detect more type clashes. Since the Erlang/OTP system already contains components which perform automatic type inference of success typings, we also describe how contracts interact with success typings and can often provide some key information to the inference process.

We describe an application of Prolog: a type checking tool for the Q functional language. Q is a terse vector processing language, a descendant of APL, which is getting more and more popular, especially in financial applications. Q is a dynamically typed language, much like Prolog. Extending Q with static typing improves both the readability of programs and programmer productivity, as type errors are discovered by the tool at compile time, rather than through debugging the program execution. The type checker uses constraints that are handled by Prolog Constraint Handling Rules. During the analysis, we determine the possible type values for each program expression and detect inconsistencies. As most built-in function names of Q are overloaded, i.e. their meaning depends on the argument types, a quite complex system of constraints had to be implemented.

From 3 February to 8 February 2008, the Dagstuhl Seminar 08061 Types, Logics and Semantics for State was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The rst section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available. and Semantics for State was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. 45 researchers, with interests and expertise in many dierent aspects of modelling and reasoning about mutable state, met to present their current work and discuss ongoing projects and open problems.

The Journal of Logic Programming, 1998

Let Func be a set of function symbols, Pred be a set of predicate symbols, Vars be a denumerable set of variables. f /n denotes an arbitrary function symbol, and capital letters denote variables. Term denotes the set of terms that can be constructed from Func and Vars. t, t i and f (t 1 , • • • , t n) denote arbitrary terms. Atom denotes the set of atoms constructible from Pred, Func and Vars. a 1 and a 2 denote arbitrary atoms. θ and θ i denote substitutions. Let θ be a substitution and V ⊆ Vars. dom(θ) denotes the domain of θ. θ| \ V denotes the restriction of θ to V. As a convention, the function composition operator • binds stronger than | \. For instance, θ 1 • θ 2 | \ V is equal to (θ 1 • θ 2)| \ V. An expression O is a term, an atom, a literal, a clause, a goal etc. vars(O) denotes the set of variables in O. An equation is a formula of the form l = r where either l, r ∈ Term or l, r ∈ Atom. The set of all equations is denoted as Eqn. Let E ∈ ℘(Eqn). E is in solved form if, for each equation l = r in E, l is a variable that does not occur on the right side of any equation in E. For a set of equations E ∈ ℘(Eqn), mgu : ℘(Eqn) → Sub ∪ {fail } returns either a most general unifier for E if E is unifiable or fail otherwise, where Sub is the set of substitutions. mgu({l = r}) is sometimes written as mgu(l, r). Let θ•fail def = fail and fail •θ def = fail for any θ ∈ Sub∪{fail }. There is a natural bijection between substitutions and the sets of equations in solved form. eq(θ) denotes the set of equations in solved form corresponding to a substitution θ. eq(fail) def = fail. We will use a renaming substitution Ψ which renames a variable into a variable that has not been encountered before. Let F : D → ℘(E) be a function. F : ℘(D) → ℘(E) is defined as F (X) def = x∈X F (x).

Theoretical Computer Science, 2002

Casl is an expressive specification language that has been designed to supersede many existing algebraic specification languages and provide a standard. Casl consists of several layers, including basic (unstructured) specifications, structured specifications and architectural specifications; the latter are used to prescribe the modular structure of implementations.

Proceedings of the 21st International Symposium on Principles and Practice of Declarative Programming, 2019

Energy, Time and Security (ETS) properties of programs are becoming increasingly prioritised by developers, especially where applications are running on ETS sensitive systems, such as embedded devices or the Internet of Things. Moreover, developers currently lack tools and language properties to allow them to reason about ETS. In this paper, we introduce a new contract specification framework, called Drive, which allows a developer to reason about ETS or other non-functional properties of their programs as first-class properties of the language. Furthermore, we introduce a contract specification language, allowing developers to reason about these first-class ETS properties by expressing contracts that are proved correct by an underlying formal type system. Finally, we show our contract framework over a number of representable examples, demonstrating provable worst-case ETS properties. CCS CONCEPTS • Software and its engineering → Formal software verification; Imperative languages; Software maintenance tools; • Security and privacy → Software security engineering.

Lecture Notes in Computer Science, 2000

We present a method using an extended logical system for obtaining \correct" programs from speci cations written in a sublanguage of CASL. By \correct" we mean programs that satisfy their speci cations. The technique we use is to extract programs from proofs in formal logic by techniques due to Curry and Howard. The logical calculus, however, has the novel feature that as well as the conventional logical rules it includes structural rules corresponding to the standard ways of modifying speci cations: translating (renaming), taking unions of speci cations and hiding signatures. Although programs extracted by the Curry-Howard process can be very cumbersome, we use a number of simpli cations that ensure that the programs extracted are in a language close to a standard high-level programming language. We use this to produce an executable re nement of a given speci cation and we then provide a method for producing a program module which respects the original structure of the speci cation as much as possible. Throughout the paper we demonstrate the technique with a simple example. ? Research partly supported by ARC grant A 49230989. 1 We shall call these \lambda-terms" for brevity. 2 Note that, in combination with the structuring mechanisms, this simple notion of re nement is su cient for expressing all the interesting notions of re nement of algebraic speci cations provided one interprets the equality predicate symbol as a congruence relation instead of the standard equality (see e.g. 17]).

Assume-guarantee reasoning is a popular and expressive paradigm for modular and compositional specification of programs. It is becoming a fundamental concept in some computer-aided design tools for embedded system design. In this paper, we elaborate foundations for contract-based embedded system design by proposing a general-purpose module language based on a Boolean algebra allowing to define contracts. In this framework, contracts are used to negociate the correctness of assumptions made on the definition of a component at the point where it is used and provides guarantees to its environment. We illustrate this presentation with the specification of a simplified 4-stroke engine model.