Formal verification has been gaining the attention and resources of both the academic and the industrial world since it prevents critical software bugs. Yet, software development and formal verification are usually decoupled. Haskell is a unique programming language in that it is a general purpose, a functional language used for industrial development, but simultaneously it stands at the leading edge of research and teaching welcoming new, experimental, yet useful features. This talk presents Liquid Haskell, a refinement type checker in which formal specifications are expressed as a combination of Haskell’s types and expressions and are automatically checked against real Haskell code. This natural integration of specifications in the language, combined with automatic checking, established Liquid Haskell as a usable verifier, enthusiastically accepted by both industrial and academic Haskell users. Recently, Liquid Haskell has been turned into a theorem prover, in which arbitrary theorems about Haskell functions would be proved within the language. As a consequence, Liquid Haskell can be used to prove theorems about Haskell functions by all Haskell programmers.

1. Theorem Proving for All
Niki Vazou

2. +
Haskell
Refinement Types
=

3. take :: [a] -> Int -> [a]
> take [1,2,3] 2
> [1,2]
Haskell

4. > take [1,2,3] 500
> ???
take :: [a] -> Int -> [a]
Haskell

5. Refinement Types
take :: xs:[a] -> {i:Int | i < len xs} -> [a]

6. > take [1,2,3] 500
> Refinement Type Error!
take :: xs:[a] -> {i:Int | i < len xs} -> [a]

7. II. Application: Speed up Parsing
III. Expressiveness: Theorem Proving
I. Static Checks: Fast & Safe CodeStatic Checks
Expressiveness

8. I. Static Checks: Fast & Safe CodeStatic Checks

9. Buffer overread in OpenSSL. 2015
The Heartbleed Bug

10. in

11. module Data.Text where
take :: t:Text -> i:Int -> Text
> take "hat" 500
> *** Exception: Out Of Bounds!

12. take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take :: t:Text -> i:Int -> Text
take t i | i < len t
= Unsafe.take t i
take t i
= error “Out Of Bounds!”
Runtime Checks
Safe, but slow!

13. take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take :: t:Text -> i:Int -> Text
take t i | i < len t
= Unsafe.take t i
take t i
= error “Out Of Bounds!”
No Checks
Fast, but unsafe!

14. No Checks
> take "hat" 500
> “hat584562594SOHNUL…
Overread
take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take :: t:Text -> i:Int -> Text
take t i | i < len t
= Unsafe.take t i
take t i
= error “Out Of Bounds!”

15. take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take :: t:Text -> i:Int -> Text
take t i | i < len t
= Unsafe.take t i
take t i
= error “Out Of Bounds!”
i < len t
Static Checks

16. take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take :: t:Text -> i:Int -> Text
take t i | i < len t
= Unsafe.take t i
take t i
= error “Out Of Bounds!”
Static Checks
take :: t:Text -> i:{i < len t} -> Texti < len t

17. take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe.takeWord16 i t
take i t
= error “Out Of Bounds!”
take :: t:Text -> i:Int -> Text
take t i | i < len t
= Unsafe.take t i
take t i
= error “Out Of Bounds!”
Static Checks
take :: t:Text -> i:{i < len t} -> Texti < len t

18. Static Checks
take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe. = error “Out Of Bounds!”
take :: t:Text -> i:{i < len t} -> Text
take t i
= Unsafe.take t i

19. take :: t:Text -> i:Int -> Text
take i t | i < len t
= Unsafe. = error “Out Of Bounds!”
take :: t:Text -> i:{i < len t} -> Text
take t i
= Unsafe.take t i
Static Checks
> take "hat" 500
Type Error

20. OK
Error
Code
Checks valid arguments, under facts.
Refinement Types

21. take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.
len x = 3 => v = 500 => v < len x

22. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.

23. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.

24. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.

25. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.

26. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.

27. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.
SMT-
query

28. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.
SMT-
invalid

29. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.
Checker reports Error

30. len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.
Checker reports Error

31. Checker reports Error
len x = 3 => v = 500 => v < len x
take :: t:Text -> {v | v < len t} -> Text
heartbleed = let x = "hat"
in take x 500
Checks valid arguments, under facts.
2
2
OK SMT-
valid

32. Checks valid arguments, under facts.
Static Checks
OK
Error
Code

33. I. Static Checks: Fast & Safe Code
II. Application: Speed up Parsing
III. Expressiveness: Theorem Proving
Static Checks

34. II. Application: Speed up Parsing
III. Expressiveness: Theorem Proving
I. Static Checks: Fast & Safe CodeStatic Checks
Application: Speed up Parsing

35. II. Application: Speed up ParsingApplication: Speed up Parsing
DEMO

36. Provably Correct & Faster Code!
Application: Speed up Parsing
SMT-Automatic Verification

37. SMT-Automatic Verification
How expressive can we get?

38. II. Application: Speed up Parsing
III. Expressiveness: Theorem Proving
I. Static Checks: Fast & Safe CodeStatic Checks
Expressiveness

39. III. Expressiveness: Theorem ProvingExpressiveness

40. Proof is in pen-and-paper :(
reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
Theorem: For any x,
Proof.
reverse [x] = [x]

41. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
Proof is not machine checked.
Theorem: For any x, reverse [x] = [x]
Proof.

42. reverse [x]
— obviously!
= [x]
QED
Proof is not machine checked.
Theorem: For any x, reverse [x] = [x]
Proof.

43. Proof is not machine checked.
reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
Theorem: For any x, reverse [x] = [x]
Check it with Liquid Haskell!
Proof.

44. Theorems as Refinement Types
Theorem:
For any x, reverse [x] = [x]
x:a ! { v:() | reverse [x] = [x] }
Refinement Type:
SMT equality

45. x:a ! { reverse [x] = [x] }
Theorems as Refinement Types
Theorem:
For any x, reverse [x] = [x]
Refinement Type:

46. Proof.
reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
x:a ! { reverse [x] = [x] }
How to connect theorem with proof?

47. Proofs are programs
Theorems are types
— Curry & Howard

48. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
Proof as a Haskell function
singletonP :: x:a ! { reverse [x] = [x] }x:a ! { reverse [x] = [x] }
singletonP x
=
— applying ++ on [] and [x]
==. [x]
*** QED

49. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
singletonP x
= reverse [x]
— applying reverse on [x]
==. reverse [] ++ [x]
— applying reverse on []
==. [] ++ [x]
— applying ++ on [] and [x]
==. [x]
*** QED
Proof as a Haskell function
singletonP :: x:a ! { reverse [x] = [x] }x:a ! { reverse [x] = [x] }

50. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
singletonP x
= reverse [x]
— applying reverse on [x]
==. reverse [] ++ [x]
— applying reverse on []
==. [] ++ [x]
— applying ++ on [] and [x]
==. [x]
*** QED
singletonP :: x:a ! { reverse [x] = [x] }
How to encode equality?
x:a ! { reverse [x] = [x] }

51. Equational Operator in (Liquid) Haskell
(==.) :: x:a -> y:{ a | x = y }
-> {v:a | v = x && v = y }
x ==. y = y
checks both arguments are equal
returns 2nd argument,
to continue the proof!

52. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
singletonP x
= reverse [x]
— applying reverse on [x]
===. reverse [] ++ [x]
— applying reverse on []
==. [] ++ [x]
— applying ++ on [] and [x]
==. [x]
*** QED
singletonP :: x:a ! { reverse [x] = [x] }x:a ! { reverse [x] = [x] }

53. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
singletonP x
= reverse [x]
— applying reverse on [x]
===. reverse [] ++ [x]
— applying reverse on []
==. [] ++ [x]
— applying ++ on [] and [x]
==. [x]
*** QED
singletonP :: x:a ! { reverse [x] = [x] }x:a ! { reverse [x] = [x] }

54. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
singletonP x
= reverse [x]
— applying reverse on [x]
===. reverse [] ++ [x]
— applying reverse on []
==. [] ++ [x]
— applying ++ on [] and [x]
==. [x]
*** QED
singletonP :: x:a ! { reverse [x] = [x] }
How to encode QED?
x:a ! { reverse [x] = [x] }

55. Define QED as data constuctor…
(***) :: a -> QED -> ()
_ *** QED = ()
data QED = QED
… that casts anything into a proof
(i.e., a unit value).

56. reverse [x]
— applying reverse on [x]
= reverse [] ++ [x]
— applying reverse on []
= [] ++ [x]
— applying ++ on [] and [x]
= [x]
QED
singletonP x
= reverse [x]
— applying reverse on [x]
===. reverse [] ++ [x]
— applying reverse on []
==. [] ++ [x]
— applying ++ on [] and [x]
==. [x]
*** QED
singletonP :: x:a ! { reverse [x] = [x] }
Theorem Proving in Haskell
x:a ! { reverse [x] = [x] }

57. singletonP :: x:a ! { reverse [x] = [x] }
Theorems are Types
Theorem Application is Function Call
singletonP 1 :: { reverse [1] = [1] }
x:a ! { reverse [x] = [x] }

58. singletonP1 :: { reverse [1] = [1] }
singletonP1
= reverse [1]
? singletonP 1
==. [1]
*** QED
Theorem Application is Function Call
(?) :: a -> () -> a
x ? _ = x

59. Reasoning about Haskell Programs in Haskell!
Equational operators (==., ?, QED, ***)
Theorem Proving for All
let us encode proofs as Haskell functions
checked by Liquid Haskell.

60. How to encode inductive proofs?
Theorem Proving for All
Reasoning about Haskell Programs in Haskell!

61. Theorem: For any list x, reverse (reverse x) = x.
Proof.
involutionP []
= reverse (reverse [])
— applying inner reverse
= reverse []
— applying reverse
= []
QED
involutionP (x:xs)
= reverse (reverse (x:xs))
— applying inner reverse
= reverse (reverse xs ++ [x])
— distributivity on (reverse xs) [x]
= reverse [x] ++ reverse (reverse xs)
— involution on xs
= reverse [x] ++ xs
— singleton on x
= [x] ++ xs
— applying ++
= x:([] ++ xs)
— applying ++
= (x:xs)
QED
Base Case: Inductive Case:

62. Theorem: For any list x, reverse (reverse x) = x.
Proof.
involutionP []
= reverse (reverse [])
— applying inner reverse
= reverse []
— applying reverse
= []
QED
involutionP (x:xs)
= reverse (reverse (x:xs))
— applying inner reverse
= reverse (reverse xs ++ [x])
— distributivity on (reverse xs) [x]
= reverse [x] ++ reverse (reverse xs)
— involution on xs
= reverse [x] ++ xs
— singleton on x
= [x] ++ xs
— applying ++
= x:([] ++ xs)
— applying ++
= (x:xs)
QED
Base Case: Inductive Case:
Step 1: Define a recursive function!

63. Step 1: Define a recursive function!
Proof.
involutionP []
== reverse (reverse [])
— applying inner reverse
= reverse []
— applying reverse
= []
QED
involutionP (x:xs)
== reverse (reverse (x:xs))
— applying inner reverse
= reverse (reverse xs ++ [x])
— distributivity on (reverse xs) [x]
= reverse [x] ++ reverse (reverse xs)
— involution on xs
= reverse [x] ++ xs
— singleton on x
= [x] ++ xs
— applying ++
= x:([] ++ xs)
— applying ++
= (x:xs)
QED
Step 2: Use equational operators
Theorem: For any list x, reverse (reverse x) = x.

64. Proof.
involutionP []
==.=reverse (reverse [])
— applying inner reverse
==. reverse []
— applying reverse
==. []
*** QED
involutionP (x:xs)
==. reverse (reverse (x:xs))
— applying inner reverse
==. reverse (reverse xs ++ [x])
— distributivity on (reverse xs) [x]
==. reverse [x] ++ reverse (reverse xs)
— involution on xs
==. reverse [x] ++ xs
— singleton on x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Step 3: Lemmata are function calls!Step 2: Use equational operators
Theorem: For any list x, reverse (reverse x) = x.

65. Proof.
Step 3: Lemmata are function calls!
involutionP []
==.=reverse (reverse [])
— applying inner reverse
==. reverse []
— applying reverse
==. []
*** QED
involutionP (x:xs)
==. reverse (reverse (x:xs))
— applying inner reverse
==. reverse (reverse xs ++ [x])
? distributivityP (reverse xs) [x]
==. reverse [x] ++ reverse (reverse xs)
? involutionP xs
==. reverse [x] ++ xs
? singletonP x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Theorem: For any list x, reverse (reverse x) = x.

66. Proof.
involutionP []
==.=reverse (reverse [])
— applying inner reverse
==. reverse []
— applying reverse
==. []
*** QED
involutionP (x:xs)
==. reverse (reverse (x:xs))
— applying inner reverse
==. reverse (reverse xs ++ [x])
? distributivityP (reverse xs) [x]
==. reverse [x] ++ reverse (reverse xs)
? involutionP xs
==. reverse [x] ++ xs
? singletonP x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Note: Inductive hypothesis is recursive call!
Theorem: For any list x, reverse (reverse x) = x.

67. Proof.
involutionP []
==.=reverse (reverse [])
— applying inner reverse
==. reverse []
— applying reverse
==. []
*** QED
involutionP (x:xs)
==. reverse (reverse (x:xs))
— applying inner reverse
==. reverse (reverse xs ++ [x])
? distributivityP (reverse xs) [x]
==. reverse [x] ++ reverse (reverse xs)
? involutionP xs
==. reverse [x] ++ xs
? singletonP x
==. [x] ++ xs
— applying ++
==. x:([] ++ xs)
— applying ++
==. (x:xs)
*** QED
Question: Is the proof well founded?
Theorem: For any list x, reverse (reverse x) = x.

68. Used to encode pen-and-pencil proofs
https://bit.ly/2yjvJo3
“Theorem Proving for All”, Haskell’18
and function optimizations.

69. “LWeb: Information Flow Security for
Multi-Tier Web Applications”, POPL’19
https://bit.ly/2EcyDAh
Used to encode pen-and-pencil proofs
or even sophisticated security proofs.

70. “Liquidate your assets”
https://bit.ly/2Ht3uIG
Used to encode pen-and-pencil proofs
or encode resource analysis.
To be presented at IMDEA:
by Martin Handley
Tue March 19 @10.45

71. Used to encode pen-and-pencil proofs
But, proof interaction is missing.

72. II. Application: Speed up Parsing
III. Expressiveness: Theorem Proving
I. Static Checks: Fast & Safe Code
Thanks!
Theorem Proving for All
@nikivazou