
Verified Extraction from Coq to OCaml with GADTs

Periodic Reporting for period 1 - Coqaml (Verified Extraction from Coq to OCaml with GADTs)

Reporting period: 2021-12-01 to 2023-11-30

Problem and Societal Impact:
The Coqaml project addresses critical challenges in the use of Coq's extraction mechanism, in particular the fact that unsafe casts are inserted even though they are unwanted for industrial applications. The project has identified that extraction guarantees can only be given for a well-defined subset of Coq code. Present applications, such as the CompCert C compiler, have been shown to fall into this fragment, making it possible to prove that their extracted code is indeed guaranteed to be correct. By enhancing the extraction process, Coqaml aimed to make verified components more widely applicable, ultimately contributing to the broader goal of ensuring correctness and trustworthiness in security-critical applications, including cryptographic primitives and smart contracts.

Regarding the three main objectives of the project, all central goals were reached.

Verification of Coq's Extraction:
We used the MetaCoq ecosystem to provide a machine-checked proof that the translation from the Coq proof assistant into OCaml is correct. We proved that the OCaml code behaves just like the original Coq program. We reached our main goal of ensuring that both researchers and industry can trust Coq's extraction process more, so that important applications (like CompCert and Fiat-Crypto) can rely on it.

Industrial Applicability Enhancement:
We improved how Coq's extraction works for real-world projects by providing precise conditions under which guarantees can be given. We observed that targeting untyped code both gets rid of unsafe casts and eliminates the need to implement optimizations that historically existed for readability reasons.

Documentation and Accessibility:
We implemented extraction as a MetaCoq program for easier adaptation by third parties, and improved the MetaCoq ecosystem, addressing its high entrance barrier. We established MetaCoq and Coqaml as accessible open-source projects in the Coq ecosystem. MetaCoq is now part of the Coq platform and is thus installed by default for every user installing Coq, and Coqaml will be included in Coq soon. We organized scientific events to enhance the visibility of MetaCoq and verified extraction, most notably a tutorial at the POPL '24 conference.
As outcomes of the project, the semantics of OCaml was formalised based on the "Malfunction" specification of the intermediate language of the OCaml compiler. This way, the task of actually capturing the behaviour of OCaml, which is a complicated language, was circumvented while all goals of this task were maintained. By mainly targeting an untyped language, the problem of inserting type casts disappears completely. Only the top-level function, which is simply-typed and first-order, is exposed through a typed interface. This function was proved correct w.r.t. its operational behaviour. The final correctness theorem proves that even when interacting with effectful OCaml code, no problems such as segmentation faults can arise, whereas already simple extracted higher-order programs can lead to such faults.
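To make the cast problem concrete, the following is an added illustration, not code from the Coqaml project or the page: a dependently typed Coq function whose result type varies with its argument, next to a simply-typed first-order function. The names `T`, `f` and `double` are constructed for this example. The shape of the extraction output in the trailing comment is what Coq's standard extraction produces for such definitions; the exact text differs between Coq versions.

```coq
(* Added example, not part of the Coqaml project: why the standard
   extraction must insert unsafe casts, and why a simply-typed,
   first-order function (the kind Coqaml exposes through a typed
   interface) needs none. *)

(* A type that depends on a runtime value. No OCaml type can express it,
   so values of type "T b" can only be represented as an untyped Obj.t. *)
Definition T (b : bool) : Type := if b then nat else bool.

(* A dependently typed function: its result type changes with its input. *)
Definition f (b : bool) : T b :=
  match b as b0 return T b0 with
  | true  => 0      (* T true  reduces to nat  *)
  | false => true   (* T false reduces to bool *)
  end.

(* A simply-typed, first-order function: nat -> nat is already an ML type,
   so the extracted code needs no cast at all. *)
Fixpoint double (n : nat) : nat :=
  match n with
  | O => O
  | S n' => S (S (double n'))
  end.

Recursive Extraction f double.

(* Schematic shape of the standard extraction output (version-dependent):

   type t = __                      (* T collapses to the untyped __ *)
   let f = function
   | True -> Obj.magic O            (* unsafe cast inserted *)
   | False -> Obj.magic True        (* unsafe cast inserted *)

   let rec double = function        (* no cast: nat -> nat is ML-typable *)
   | O -> O
   | S n' -> S (S (double n'))
*)
```

The `Obj.magic` casts in `f` are exactly what unverified OCaml code can misuse: a caller that assumes the wrong representation for the result gets no type error, only undefined behaviour. Targeting an untyped intermediate language such as Malfunction removes the need for casts inside the extracted code, and restricting the typed interface to functions like `double` (simply-typed, first-order) is what lets the correctness theorem exclude such failures at the boundary with effectful OCaml code.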

The results of the project have been disseminated at various scientific events, but most notably:
- the ER has submitted an extended abstract on "Aspects of a machine-checked intermediate language for extraction from Coq, in MetaCoq", which was peer-reviewed and accepted at the 28th International Conference on Types for Proofs and Programs
- the ER has reported on "Verified extraction to OCaml for Coq, in Coq" at the ML family workshop affiliated with the 27th ACM SIGPLAN International Conference on Functional Programming
- the ER has been given the opportunity to give an invited keynote talk at the 29th International Conference on Types for Proofs and Programs, presenting the Coqaml project
- the ER and his collaborators have submitted a paper reporting on the whole project to the ACM conference on programming languages design and implementation (PLDI)
- the ER has given a tutorial about parts of the Coqaml project at POPL '24 and was invited to give a lecture series at the Autumn school "Proof and Computation", 10th to 16th September 2023

The code developed in this project is open source and freely available at https://github.com/yforster/coq-malfunction/.
The state of the art of extraction from proof assistants was advanced significantly as part of the Coqaml project.

By observing that correctness guarantees can only be provided for a much narrower subset of types than previously identified, the project has contributed to preventing a known failure mode: seemingly safe software components produced by extraction interact with unverified OCaml code and the combination crashes with a segmentation fault.

The inclusion of the verified extraction pipeline as part of a release of the Coq proof assistant is a priority on Coq's development roadmap (https://github.com/coq/ceps/blob/coq-roadmap/text/069-coq-roadmap.md).

Consequently, the Coqaml project has contributed significantly to ensuring that programs extracted from Coq behave correctly and as the user expects, in particular helping the user to identify cases where no guarantees can be given.

As socio-economic impact, we hope to have contributed to the possibility of obtaining software with the highest possible correctness guarantees, with the social implications of increasing the trust in critical software systems.