Higher-order Constrained Horn Clauses: A New Approach to Verifying Higher-order Programs
Lead Research Organisation:
University of Oxford
Department Name: Computer Science
Abstract
The construction of bug-free programs is a challenging research problem of international importance and huge potential impact. Yet the traditional approaches to achieving confidence in software, such as testing and debugging, are not effective, often accounting for 50-75% of the total development cost.
This project is about a new approach to the verification of higher-order functional programs. Functional programs have long been applied to real-world tasks. Programmers use functional languages because they can build more robust code more quickly and with fewer errors than they could before, thereby boosting reliability and cutting costs. Others turn to functional languages because of the advantages they offer in data parallelism, concurrency, GPGPU and cloud programming.
Thus by making functional programming safer and more robust and productive, techniques and tool support for the formal analysis of functional programs will bring significant benefits to the digital economy as a whole, but especially to financial modelling, scientific applications, computing and telecommunications, which are vital to current and future UK economic success.
Higher-order model checking and refinement type inference are currently the two leading approaches to fully automatic verification of higher-order programs. However, the technologies are rather different and their relative strengths are not well understood.
This project aims to develop a new approach to the verification of higher-order programs based on HIGHER-ORDER CONSTRAINED HORN CLAUSES. A recent innovation in symbolic model checking, Horn constraints exploit the successful combination of automated deduction technologies with the satisfiability checking of formulas. Our verification method will be automatic and programming-language independent.
In contrast to model checking and refinement type inference, by adopting higher-order constrained Horn clauses--a fragment of higher-order logic--as the common formalism for expressing verification problems, this approach to verification has a number of ADVANTAGES:
(i) It enables a separation of concerns: verification engineers (users of the verification framework) need only concern themselves with generating verification conditions and the attendant specificities of programming languages, whilst the "symbolic model checking" is kept purely logical and hence generic; the implementation of the backend engine is left to the experts in automated deduction and algorithmic verification.
(ii) It promotes benchmarking of software model checking tools.
(iii) It fosters extensibility and retargetability of tool chains.
Our HYPOTHESIS is that the higher-order Horn constraint framework is well-founded, expressive, efficient, and convenient to use.
Building on our recent and preliminary work, our OBJECTIVES are as follows.
(i) Establish HoCHC as a robust fragment of higher-order logic, algorithmically and semantically.
(ii) Develop HoCHC into a comprehensive verification framework to rival established approaches.
(iii) Design efficient algorithms for solving HoCHC decision problems.
To evaluate the ease-of-use and efficiency of the approach, we will conduct case studies involving Haskell libraries and Wolfram Mathematica code.
This project is about a new approach to the verification of higher-order functional programs. Functional programs have long been applied to real-world tasks. Programmers use functional languages because they can build more robust code more quickly and with fewer errors than they could before, thereby boosting reliability and cutting costs. Others turn to functional languages because of the advantages they offer in data parallelism, concurrency, GPGPU and cloud programming.
Thus by making functional programming safer and more robust and productive, techniques and tool support for the formal analysis of functional programs will bring significant benefits to the digital economy as a whole, but especially to financial modelling, scientific applications, computing and telecommunications, which are vital to current and future UK economic success.
Higher-order model checking and refinement type inference are currently the two leading approaches to fully automatic verification of higher-order programs. However, the technologies are rather different and their relative strengths are not well understood.
This project aims to develop a new approach to the verification of higher-order programs based on HIGHER-ORDER CONSTRAINED HORN CLAUSES. A recent innovation in symbolic model checking, Horn constraints exploit the successful combination of automated deduction technologies with the satisfiability checking of formulas. Our verification method will be automatic and programming-language independent.
In contrast to model checking and refinement type inference, by adopting higher-order constrained Horn clauses--a fragment of higher-order logic--as the common formalism for expressing verification problems, this approach to verification has a number of ADVANTAGES:
(i) It enables a separation of concerns: verification engineers (users of the verification framework) need only concern themselves with generating verification conditions and the attendant specificities of programming languages, whilst the "symbolic model checking" is kept purely logical and hence generic; the implementation of the backend engine is left to the experts in automated deduction and algorithmic verification.
(ii) It promotes benchmarking of software model checking tools.
(iii) It fosters extensibility and retargetability of tool chains.
Our HYPOTHESIS is that the higher-order Horn constraint framework is well-founded, expressive, efficient, and convenient to use.
Building on our recent and preliminary work, our OBJECTIVES are as follows.
(i) Establish HoCHC as a robust fragment of higher-order logic, algorithmically and semantically.
(ii) Develop HoCHC into a comprehensive verification framework to rival established approaches.
(iii) Design efficient algorithms for solving HoCHC decision problems.
To evaluate the ease-of-use and efficiency of the approach, we will conduct case studies involving Haskell libraries and Wolfram Mathematica code.
Planned Impact
SCIENTIFIC COMMUNITY: KNOWLEDGE CREATION
The proposed research concerns new foundations, algorithms and tools for finding bugs in functional programs (such as F#, Haskell, OCaml, Scala and Erlang) or otherwise showing their absence. The work will impact the scientific community because of the new knowledge that will be created. It will impact on and benefit the academics and researchers working in the following areas:
A. Verification and Correctness
B. Programming Languages
C. Theory of Computing, especially Logic and Algorithms, Games, and Lambda Calculus and Types
In the medium term, there is a clear path from the proposed research to industrial-strength tooling that helps to manage the safety and security risks posed by implementation bugs - a path which has, in part, already been followed successfully for underpinning work on first-order imperative programs (such as C). Consequently, the research directly addresses the cross-ICT priority Safe and Secure ICT and makes potentially strong contributions towards the prosperity outcomes Resilient Nation (Ambition R3) and Connected Nation (Ambition C4).
FINANCIAL MODELLING, SCIENTIFIC APPLICATIONS, COMPUTING AND TELECOMMUNICATIONS: SAFER AND MORE ROBUST CODE
In terms of the strategic themes identified by EPSRC, this proposal sits most naturally with the DIGITAL ECONOMY theme (in particular, with the CLOUD COMPUTING, and VALUE CREATION AND CAPTURE subthemes - see (ii) and (iii) below, respectively).
The construction of bug-free programs is a challenging research problem of international importance and huge potential impact. In a National Institute of Standards and Technology report of 2002, the cost to the US economy of faulty software was estimated at $60 billion. It is vitally important to transfer the benefits of automatic verification techniques to higher-order functional languages such as F#, OCaml, Haskell and Erlang.
(i) Higher-order constructs such as first-class functions, lambda-expressions and closures are now basic features of the most widely-used languages such as Javascript, Perl5, Python, C# and C++0x, which are standard in web programming, hardware and embedded systems design.
(ii) Because functional languages support domain-specific languages and are good for organising data parallelism, they are widely used in scientific applications and financial modelling.
(iii) The absence of mutable variables and the use of monadic structuring principle to encapsulate side-effects make functional languages attractive for concurrent programming, which has become extremely important thanks to the rapid growth of multi-core and GPGPU processing and cloud computing.
Thus, by making functional programming safer and more robust and productive, techniques and tool support for the formal analysis of functional programs will bring significant benefits to financial modelling, scientific applications, and the computing and telecommunications industries, which are vital to current and future UK economic success.
WEALTH CREATION
The development of verification techniques and tools is an important precursor to wealth creation because of the opportunities for licensing and spin-offs. Indirectly all of society will benefit because they give rise to safe and reliable software. Our daily lives rely on software infrastructure for banking, communications, travel, shopping, and many other necessities. Ultimately better verification techniques and tools for software will lead to better quality of life in the digital world.
The proposed research concerns new foundations, algorithms and tools for finding bugs in functional programs (such as F#, Haskell, OCaml, Scala and Erlang) or otherwise showing their absence. The work will impact the scientific community because of the new knowledge that will be created. It will impact on and benefit the academics and researchers working in the following areas:
A. Verification and Correctness
B. Programming Languages
C. Theory of Computing, especially Logic and Algorithms, Games, and Lambda Calculus and Types
In the medium term, there is a clear path from the proposed research to industrial-strength tooling that helps to manage the safety and security risks posed by implementation bugs - a path which has, in part, already been followed successfully for underpinning work on first-order imperative programs (such as C). Consequently, the research directly addresses the cross-ICT priority Safe and Secure ICT and makes potentially strong contributions towards the prosperity outcomes Resilient Nation (Ambition R3) and Connected Nation (Ambition C4).
FINANCIAL MODELLING, SCIENTIFIC APPLICATIONS, COMPUTING AND TELECOMMUNICATIONS: SAFER AND MORE ROBUST CODE
In terms of the strategic themes identified by EPSRC, this proposal sits most naturally with the DIGITAL ECONOMY theme (in particular, with the CLOUD COMPUTING, and VALUE CREATION AND CAPTURE subthemes - see (ii) and (iii) below, respectively).
The construction of bug-free programs is a challenging research problem of international importance and huge potential impact. In a National Institute of Standards and Technology report of 2002, the cost to the US economy of faulty software was estimated at $60 billion. It is vitally important to transfer the benefits of automatic verification techniques to higher-order functional languages such as F#, OCaml, Haskell and Erlang.
(i) Higher-order constructs such as first-class functions, lambda-expressions and closures are now basic features of the most widely-used languages such as Javascript, Perl5, Python, C# and C++0x, which are standard in web programming, hardware and embedded systems design.
(ii) Because functional languages support domain-specific languages and are good for organising data parallelism, they are widely used in scientific applications and financial modelling.
(iii) The absence of mutable variables and the use of monadic structuring principle to encapsulate side-effects make functional languages attractive for concurrent programming, which has become extremely important thanks to the rapid growth of multi-core and GPGPU processing and cloud computing.
Thus, by making functional programming safer and more robust and productive, techniques and tool support for the formal analysis of functional programs will bring significant benefits to financial modelling, scientific applications, and the computing and telecommunications industries, which are vital to current and future UK economic success.
WEALTH CREATION
The development of verification techniques and tools is an important precursor to wealth creation because of the opportunities for licensing and spin-offs. Indirectly all of society will benefit because they give rise to safe and reliable software. Our daily lives rely on software infrastructure for banking, communications, travel, shopping, and many other necessities. Ultimately better verification techniques and tools for software will lead to better quality of life in the digital world.
Organisations
Publications
Broadbent C
(2021)
Higher-order Recursion Schemes and Collapsible Pushdown Automata: Logical Properties
in ACM Transactions on Computational Logic
Broadbent C
(2021)
Collapsible Pushdown Parity Games
in ACM Transactions on Computational Logic
Bunting B
(2023)
Operational Algorithmic Game Semantics
Dixon A
(2023)
Saturating automata for game semantics
in Electronic Notes in Theoretical Informatics and Computer Science
Jochems J
(2023)
Higher-Order MSL Horn Constraints
in Proceedings of the ACM on Programming Languages
Jones E
(2021)
Intensional datatype refinement: with application to scalable verification of pattern-match safety
in Proceedings of the ACM on Programming Languages
Jones E
(2022)
CycleQ: an efficient basis for cyclic equational reasoning
Description | This work has established a new theoretical foundation for higher-order program verification based on higher-order logic. Algorithms and other techniques for automatically verifying the absence of certain classes of bugs in higher-order programs (such as functional programs written in Haskell, OCaml, Scala, F#, Elixir, Clojure and Erlang) have been disparate and disconnected, but fell mainly into three categories: (i) bespoke type systems, (ii) higher-order grammars and automata, (iii) higher-order fixpoint logic. Whilst the relationship between (iii) and higher-order logic is straightforward, our work has shown how to understand (i) and (ii) also in the setting of higher-order logic. This gives a conceptual way to understand e.g. different kinds of types as a means for expressing program invariants quite directly. |
Exploitation Route | Those who are involved in automated program verification, in industry and academia, may put our results to use. There are a large number of program verifiers used today in industry that are based on first-order Horn clauses, and consequently do not have the ability to verify higher-order programming. Our results show how these verifiers could in principle be extended to verify higher-order features, whilst still fundamentally being rooted in logic and the establishment of invariants expressed as logical formulae. In academia, we anticipate our results being the start of a taxonomy of higher-order program invariants, in which specific type systems are given a logical semantics according to the techniques developed in our work. |
Sectors | Digital/Communication/Information Technologies (including Software) |
Description | EPSRC DTP Studentship (Diptarko Roy) |
Amount | £80,000 (GBP) |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 10/2020 |
End | 03/2024 |
Description | EPSRC DTP Studentship (Oliver Goldstein) |
Amount | £80,000 (GBP) |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 10/2020 |
End | 03/2024 |
Description | Higher-order Program Invariants and Higher-order Constrained Horn Clauses |
Amount | £81,532 (GBP) |
Organisation | The Research Institute on Verified Trustworthy Software Systems |
Sector | Academic/University |
Country | United Kingdom |
Start | 10/2019 |
End | 03/2023 |
Title | ASTNAR: Almost sure termination of non-affine recursive functional programs |
Description | The theoretical results presented in the PLDI 2021 paper by Beutner and Ong give a sound (but incomplete) method for proving a program to be almost surely terminating (AST). This tool implements the algorithm extracted from the soundness proof. The goal is to verify a fixpoint abstraction to be AST on every possible input. The only argument passed to our tool is therefore the fixpoint term in question. The tool analyses the term by counting the number of recursive calls along each branch and computes the probability of individual branches by computing the volume of a convex polytope using the external tool vinci. |
Type Of Material | Improvements to research infrastructure |
Year Produced | 2021 |
Provided To Others? | Yes |
Impact | This is the first tool that can prove almost sure termination of non-affine recursive functional programs with continuous distributions. |
URL | https://drive.google.com/drive/folders/1sFpIqPuVyoA6uobVWEm55w-FzMo-BrRZ?usp=sharing |
Title | Intensional Datatypes GHC Plugin with Accompanying Benchmark Datasets |
Description | A virtual machine image containing the version of the Intensional Datatypes GHC plugin and all associated benchmark data, whose versions are exactly those used to produce the empirical results contained in the paper Intensional Datatype Refinement which is conditionally accepted for publication in the journal Proceedings of the ACM on Programming Languages (POPL'21). To get started, log into the virtual machine using the account "aeval" with password "popl21". The software and all relevant benchmark data and tooling is located in the artifact subdirectory of the home directory. Follow the instructions in artifact/README.md to recreate the benchmarking. The virtual machine image is a standard Ubuntu 20.04.1 LTS minimal install, to which we have added ghc-8.8.3 and cabal-install-3.0 (for compiling and running the artifact) and python3-tabulate (for pretty printing the benchmark results) and visual studio code (for convenience). The virtual machine image was created using Virtual Box 6.0.24 on a Windows 10 host. |
Type Of Technology | Software |
Year Produced | 2020 |
Open Source License? | Yes |
Impact | N/A |
URL | https://zenodo.org/record/4072906 |