This artifact is the ECOOP submission, Interaction Tree Specifications: A Framework for Specifying Recursive, Effectful Computations that Supports Auto-active Verification, submission #10.
It contains a Coq library containing formalized versions of all definitions and proofs contained in the paper relating to ITree Specifications.
It also contains code for typechecking and extraction for Heapster types, as part of the saw tool
Finally, it contains the C source code for the mbox examples, with Heapster types already included, as well as Coq proofs of the correctness of the output specifications.
We have included the source code, relevant build scripts, as well as a Docker image (to quickly verify that the code builds without needing to install dependencies).
We claim this artifact deserves the reusable badge (and therefore functional and available as well). This document provides a mapping from definitions and proofs in the paper to formalized versions in the artifact, as well as all of the code needed to run all examples.
A research team could apply the techniques we used to verify the mbox examples to other C programs.
This would involve giving correct Heapster types to the program, extracting functional specifications, writing correctness specifications as ITree Specs, and running the prove_refinement tactic and solving all goals that it provides.
A research team could also use ITree Specifications as a target semantics for another programming language.
This would enable them towrite similar specifications, and use the prove_refinement tactic to help verify them.
- ghc 8.10.7
- cabal 3.8.1.0
- z3
- coq 8.15.2
- coq-paco >= 4.1.2
- coq-ext-lib >= 0.11.7
- coq-itree >= 5.0.0
To build saw, which includes the heapster tool, navigate to the saw-script directory and run cabal build saw. This will produce the saw executable
To build the ITree Specification library, navigate to the entree_specs directory, and run make && make install.
To run the mbox examples, first navigate to saw-script/saw-core-coq/coq and run make. Then navigate to saw-script/heapster-saw/examples and run make.
Heapster can be run using the saw executible installed in the Docker image.
For example, running saw mbox.saw as discussed below.
The mbox example is located in /home/coq/saw-script/heapster-saw/examples in the Docker image. The relevant files are:
mbox.c– the source C filembox.saw– the saw-script file which, when executed usingsaw mbox.saw, instructs Heapster to generatembox_gen.vmbox_gen.v– contains the Heaspter-generated Coq specifications extracted from the C functions inmbox.cmbox_proofs.v– contains proofs of correctness of most of the functions above
The Docker image comes with mbox_gen.v generated and mbox_proofs.v verified.
However, you can also generate and verify these files yourself as follows:
$ rm -rf mbox_gen.v
$ make
Instead of calling make, you can also go through each step individually by running: saw mbox.saw (or make mbox_gen.v), make mbox_gen.vo, and make mbox_proofs.vo.
paper_name->repo_nameatfilpath:line#- Notes
server_impl->server_implattheories/Rel/SortEx.v:600server_spec->server_specattheories/Rel/SortEx.v:608EncodingType->EncodingTypeattheories/Basics/HeterogeneousRelations.v:13- While in the paper, the
EncodingTypeclass requires a function namedresponse_type, in the code it is calledencodes
- While in the paper, the
ReSum->ReSumattheories/Core/SubEvent.v:18andtheories/Core/SubEvent.v:19- While in the paper,
ReSumis presented as a single typeclass requiring two functions, in the code it is presented as two typeclasses each requiring one function
- While in the paper,
trigger->triggerattheories/Core/SubEvent.v:30itree->entreeattheories/Core/EnTreeDefinition.v:9-21- The paper presents
itreewith a positive type coinductive definition, while the code repository uses negative types. This causes minor differences in many definitions related to ITrees
- The paper presents
spin->spinattheories/Core/EnTreeDefinition.v:77euttF->eqitFattheories/Eq/Eqit.v:37eqitFis more general thaneuttF, containing boolean parameters that control whether inductiveTausteps can be made, as well as thevcloparameter which can be useful for certain interactions with thepacolibrary, but to understand this code you can assume it is always set to the identity function and can be ignored
eutt->euttattheories/Eq/Eqit.v:78- While
euttis defined on line78, the application of thepacolibraries greatest fixpoint combinator occurs on line74
- While
bind->bindattheories/Core/EnTreeDefinition.v:46-61- In the code,
bindis defined in terms ofsubst, which performs an identical computation with the continuation and the tree swapped
- In the code,
interp_mrec->interp_mrecattheories/Ref/MRecSpec.v:26-37mrec->mrecattheories/Ref/MRecSpec.v:38evenodd->evenoddattheories/Ref/Example.v:24-44Rel->Relattheories/Basics/HeterogeneousRelations.v:20PostRel->PostRelattheories/Basics/HeterogeneousRelations.v:21RComposePostRel->RComposePostRelattheories/Basics/HeterogeneousRelations.v:31CoveredType->QuantTypeattheories/Basics/QuantType.v:33forall_spec->forall_specattheories/Ref/EnTreeSpecDefinition.v:99exists_spec->exists_specattheories/Ref/EnTreeSpecDefinition.v:101assume_spec->assume_specattheories/Ref/EnTreeSpecDefinition.v:104assert_spec->assert_specattheories/Ref/EnTreeSpecDefinition.v:107SpecEvent->SpecEventattheories/Ref/EnTreeSpecDefinition.v:26itree_spec->entree_specattheories/Ref/EnTreeSpecDefinition.v:51refinesF->refinesFattheories/Ref/EnTreeSpecDefinition.v:65refines->refinesattheories/Ref/EnTreeSpecDefinition.v:95padded_refines->padded_refinesattheories/Ref/EnTreeSpecFacts.v:838interp_mrec_spec->interp_mrec_specattheories/Ref/MRecSpec.v:43-55mrec_spec->mrec_specattheories/Ref/MRecSpec.v:56concreteF->isConcreteFattheories/Ref/Concrete.v:29rec_fix_spec->rec_fix_specattheories/Ref/RecSpecFix.v:50total_spec->total_spec'attheories/Ref/RecFixSpecTotal.v:43total_spec_fix->total_spec_fixattheories/Ref/RecFixSpecTotal.v:53merge->mergeattheories/Ref/SortEx.v:241merge_pre->merge_preattheories/Ref/SortEx.v:261merge_post->merge_postattheories/Ref/SortEx.v:264rdec_merge->rdec_mergeattheories/Ref/SortEx.v:107
padded_refines_bind->padded_refines_bindattheories/Ref/EnTreeSpecCombinatorFacts.v:110padded_refines_trans->padded_refines_transattheories/Ref/EnTreeSpecFacts/v:872padded_refines_mrec->padded_refine_mrecattheories/Ref/EnTreeSpecCombinatorFacts.v:423total_spec_fix_correct->total_spec_fix_refines_total_spec'attheories/Ref/RecFixSpecTotal.v:66merge_correct->merge_correctattheories/Ref/SortEx.v:423server_correct->server_correctattheories/Ref/RecFixSpecTotal.v:619