Periodic Reporting for period 1 - TypeSynth (Synthetic Methods in Program Verification)
Reporting period: 2022-07-01 to 2024-06-30
Software systems mediate a growing proportion of human activity, e.g. communication, transport, medicine, industrial and agricultural production, etc. As a result, it is urgent to understand and better control both the correctness and security properties of these increasingly complex software systems. The diversity of verification requirements speaks to a need for models of program execution that smoothly interpolate between many different levels of abstraction. Models of program execution vary in expressiveness along the spectrum of possible programming languages and specification logics. At one extreme, dependent type theory is a language for mathematically-inspired functional programming that is sufficiently expressive to serve as its own specification logic. Dependent type theory has struggled, however, to incorporate several computational effects that are common in every-day programming languages, such as state and concurrency. One of the most extreme forms of computational effect is "higher-order mutable state", which is when programs can read and write data as well as entire subroutines to the computer's memory during execution. Programming languages that support these features require very sophisticated specification logics due to the myriad details that must be surfaced in their semantic models.
Recently there have been several significant technical advances in mathematical semantics for programming languages that have been ripe for exploitation. For instance, in my doctoral thesis I developed a new technique called Synthetic Tait Computability or “STC” that smoothly combines multiple levels of abstraction into a single language. Inspired by sophisticated mathematical techniques invented in topos theory and category theory for entirely different purposes, STC enables low-level details (even down to execution steps) to be manipulated in a simpler and more abstract way than ever before, making them easier to control mathematically. Perhaps more importantly, the STC method makes it possible to import ideas and techniques from other mathematical fields that are comparatively more developed than programming languages. Another related advance is the use of Synthetic Guarded Domain Theory or "SGDT" as a mathematical language in which to describe and reason about the behavior of computer programs, potentially exhibiting complex interactions with their environment and with other programs. A third advance setting the stage for this project is the development of Univalent Foundations and Homotopy Type Theory, a new and backwards-compatible foundation of mathematics that places symmetries and reversible transformations of mathematical structures in the forefront.
The goal of the TypeSynth project has been to combine these three ideas to break a long-standing logjam in the mathematical understanding of computer programming: the denotational semantics and equational separation logic of higher-order mutable state.
Recently there have been several significant technical advances in mathematical semantics for programming languages that have been ripe for exploitation. For instance, in my doctoral thesis I developed a new technique called Synthetic Tait Computability or “STC” that smoothly combines multiple levels of abstraction into a single language. Inspired by sophisticated mathematical techniques invented in topos theory and category theory for entirely different purposes, STC enables low-level details (even down to execution steps) to be manipulated in a simpler and more abstract way than ever before, making them easier to control mathematically. Perhaps more importantly, the STC method makes it possible to import ideas and techniques from other mathematical fields that are comparatively more developed than programming languages. Another related advance is the use of Synthetic Guarded Domain Theory or "SGDT" as a mathematical language in which to describe and reason about the behavior of computer programs, potentially exhibiting complex interactions with their environment and with other programs. A third advance setting the stage for this project is the development of Univalent Foundations and Homotopy Type Theory, a new and backwards-compatible foundation of mathematics that places symmetries and reversible transformations of mathematical structures in the forefront.
The goal of the TypeSynth project has been to combine these three ideas to break a long-standing logjam in the mathematical understanding of computer programming: the denotational semantics and equational separation logic of higher-order mutable state.
I highlight the three main achievements of the TypeSynth project below:
1. a new denotational semantics of higher-order store
2. an equational higher-order separation logic based on the above denotational semantics
3. the extension of synthetic Tait computability to support computational effects including guarded recursion and higher-order store
DENOTATIONAL SEMANTICS OF HIGHER-ORDER STORE. The TypeSynth plan to develop denotational semantics of higher-order store had two components: the first was to develop a practical semantic model of polymorphic higher-order store without garbage collection, and the second was to extend this model to support the equational theory of garbage collection. For the former, the results have greatly outstripped expectations: I have succeeded in constructing not only the indended model of store with polymorphism, but in fact a model of full dependent type theory with higher-order store — posing the prospect for being able to write and verify the correctness of programs in the same language. This result is the first of its kind for higher-order store, and is a significant advance. In the final months of the project, we have also gone further beyond this result in a different direction, and constructed a version of the model of higher-order store satisfying a new gamut of compelling representation independence equations which I refer to as the theory of "univalent reference types": in short, two programs can be considered equal even if they allocate memory cells of different types, so long as the two types are in bijection and programs' interaction with the memory cell respects this bijection.
I have begun to extend these results to include the equational theory of garbage collection, but as the TypeSynth project has been terminated nearly one year early (due to my recent appointment as Associate Professor at University of Cambridge), this further exploitation of the TypeSynth methodology will continue beyond the conclusion of the project.
EQUATIONAL HIGHER-ORDER SEPARATION LOGIC FOR HIGHER-ORDER STORE. In collaboration with my colleagues Frederik Ljerbjerg Aagaard and Professor Lars Birkedal, I have developed a guarded higher-order separation logic called TULIP over the TypeSynth denotational model of higher-order store. This logic represents a significant step forward in the march toward simple, abstract, and compositional reasoning about higher-order stateful programs. Prior program logics (such as Iris and the Verified Software Toolchain) interact with computer programs only indirectly, by verifying properties of a specific "transition function" that simulates the steps that a (highly idealized) computer would take when executing a program; this style is called "operational". Unfortunately, the important structural properties of programs are highly unnatural to express at the level of transition steps, and as such, existing operationally-based program logics impose a great deal of bureaucracy by forcing those verifying programs to manually mediate the mismatch between the viewpoint of the machine (which cannot see program structure), and the viewpoint of the programmer (which is entirely based on program structure). An equational, or "denotationally-based", program logic like TULIP instead treats programs directly without needing to pass through an encoding in terms of machine transitions. An immediate benefit of the equational approach is that program equivalences can be glued together directly in any context, a kind of practical compositionality that is unique to equational and denotationally-based program logics. Our development of the TULIP logic is a strong first step in this direction.
EFFECTFUL SYNTHETIC TAIT COMPUTABILITY. A third achievement of the Typesynth project was to extend the highly successful "Synthetic Tait Computability" method, developed in my doctoral thesis, to the case of realistic programming languages with computational effects. The purpose of this extension was to achieve strong representation independence results, by which we can show the computational indistinguishability of even two programs that allocate memory cells of different types that are linked not by a bijection but by a mere relation, in contrast to univalent reference types. We have gone quite a bit beyond our expectations, as our account of STC for higher-order store applies not only to the simple polymorphic store model, but also to the full dependent type theory. This allows many classic results from the literature that previously required very complicated reasoning with the semantic model to be reconstructed in a simpler and more direct fashion.
1. a new denotational semantics of higher-order store
2. an equational higher-order separation logic based on the above denotational semantics
3. the extension of synthetic Tait computability to support computational effects including guarded recursion and higher-order store
DENOTATIONAL SEMANTICS OF HIGHER-ORDER STORE. The TypeSynth plan to develop denotational semantics of higher-order store had two components: the first was to develop a practical semantic model of polymorphic higher-order store without garbage collection, and the second was to extend this model to support the equational theory of garbage collection. For the former, the results have greatly outstripped expectations: I have succeeded in constructing not only the indended model of store with polymorphism, but in fact a model of full dependent type theory with higher-order store — posing the prospect for being able to write and verify the correctness of programs in the same language. This result is the first of its kind for higher-order store, and is a significant advance. In the final months of the project, we have also gone further beyond this result in a different direction, and constructed a version of the model of higher-order store satisfying a new gamut of compelling representation independence equations which I refer to as the theory of "univalent reference types": in short, two programs can be considered equal even if they allocate memory cells of different types, so long as the two types are in bijection and programs' interaction with the memory cell respects this bijection.
I have begun to extend these results to include the equational theory of garbage collection, but as the TypeSynth project has been terminated nearly one year early (due to my recent appointment as Associate Professor at University of Cambridge), this further exploitation of the TypeSynth methodology will continue beyond the conclusion of the project.
EQUATIONAL HIGHER-ORDER SEPARATION LOGIC FOR HIGHER-ORDER STORE. In collaboration with my colleagues Frederik Ljerbjerg Aagaard and Professor Lars Birkedal, I have developed a guarded higher-order separation logic called TULIP over the TypeSynth denotational model of higher-order store. This logic represents a significant step forward in the march toward simple, abstract, and compositional reasoning about higher-order stateful programs. Prior program logics (such as Iris and the Verified Software Toolchain) interact with computer programs only indirectly, by verifying properties of a specific "transition function" that simulates the steps that a (highly idealized) computer would take when executing a program; this style is called "operational". Unfortunately, the important structural properties of programs are highly unnatural to express at the level of transition steps, and as such, existing operationally-based program logics impose a great deal of bureaucracy by forcing those verifying programs to manually mediate the mismatch between the viewpoint of the machine (which cannot see program structure), and the viewpoint of the programmer (which is entirely based on program structure). An equational, or "denotationally-based", program logic like TULIP instead treats programs directly without needing to pass through an encoding in terms of machine transitions. An immediate benefit of the equational approach is that program equivalences can be glued together directly in any context, a kind of practical compositionality that is unique to equational and denotationally-based program logics. Our development of the TULIP logic is a strong first step in this direction.
EFFECTFUL SYNTHETIC TAIT COMPUTABILITY. A third achievement of the Typesynth project was to extend the highly successful "Synthetic Tait Computability" method, developed in my doctoral thesis, to the case of realistic programming languages with computational effects. The purpose of this extension was to achieve strong representation independence results, by which we can show the computational indistinguishability of even two programs that allocate memory cells of different types that are linked not by a bijection but by a mere relation, in contrast to univalent reference types. We have gone quite a bit beyond our expectations, as our account of STC for higher-order store applies not only to the simple polymorphic store model, but also to the full dependent type theory. This allows many classic results from the literature that previously required very complicated reasoning with the semantic model to be reconstructed in a simpler and more direct fashion.
The results of the TypeSynth project have gone significantly beyond the state of the art in denotational semantics for computational effects: not only is ours the first typed denotational model of higher-order store compatible with parametric polymorphism, but we have shown that the same construction also gives rise to a model of full dependent type theory with higher-order store — a long sought-after result whose implications we have not yet fully exploited. Our model of "univalent reference types" is also a significant break with the state of the art, and points the way to a new and more fruitful interaction between the fields of programming languages on the one hand, and homotopy type theory and algebraic topology on the other hand.
The technical achievements of TypeSynth point to healthy growth in the long-neglected area of denotational semantics and equational program logics, but there is an urgent need for further research to bring these superior but comparatively less-developed methods to practical parity with the more established operational paradigm, which currently achieves stronger results in program verification — which we believe can be accounted for by the twenty-year headstart enjoyed by teams favoring operational methods during the relative dormancy of semantic and categorical methods in programming languages.
The technical achievements of TypeSynth point to healthy growth in the long-neglected area of denotational semantics and equational program logics, but there is an urgent need for further research to bring these superior but comparatively less-developed methods to practical parity with the more established operational paradigm, which currently achieves stronger results in program verification — which we believe can be accounted for by the twenty-year headstart enjoyed by teams favoring operational methods during the relative dormancy of semantic and categorical methods in programming languages.