Verifying Stateful Programs with Substructural State and Hoare Types Johannes Borgstr¨ om ∗ Department of Information Technology, Uppsala University, Sweden borgstrom@acm.org Juan Chen Microsoft Research, Redmond juanchen@microsoft.com Nikhil Swamy Microsoft Research, Redmond nswamy@microsoft.com Abstract A variety of techniques have been proposed to verify stateful func- tional programs by developing Hoare logics for the state monad. For better automation, we explore a different point in the design space: we propose using affine types to model state, while relying on refinement type checking to prove assertion safety. Our technique is based on verification by translation, starting from FX, an imperative object-based surface language with speci- fications including object invariants and Hoare triple computation types, and translating into FINE, a functional language with depen- dent refinements and affine types. The core idea of the translation is the division of a stateful object into a pure value and an affine to- ken whose type mentions the current state of the object. We prove our methodology sound via a simulation between imperative FX programs and their functional FINE translation. Our approach enables modular verification of FX programs sup- ported by an SMT solver. We demonstrate its versatility by several examples, including verifying clients of stateful APIs, even in the presence of aliasing, and tracking information flow through side- effecting computations. Categories and Subject Descriptors D.3.1 [Programming Lan- guages]: Formal Definitions and Theory General Terms Security, Verification, Languages, Theory Keywords Security type systems, dependent types, affine types 1. Introduction Several recent papers propose a verification methodology for state- ful functional programs by developing Hoare logics for the state monad (Borgstr¨ om et al. 2010; Nanevski et al. 2006; Swierstra 2009). Tools based on this approach are known to be powerful. For example, the Ynot tool has been used to carry out interactive proofs of correctness for programs that manipulate B+ trees (Malecha et al. 2010), a pointer structure with tricky sharing properties. While such successes make a good case for interactive machine- assisted proofs in a Hoare logic for the state monad, this paper ex- ∗ The first author was employed by Microsoft Research, Cambridge, for the duration of his work on this paper. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. PLPV’11, January 29, 2011, Austin, Texas, USA. Copyright c  2011 ACM 978-1-4503-0487-0/11/01. . . $10.00 plores a different point in the design space of a program logic for stateful functional programs. Our primary motivation is to auto- mate verification of functional programs that use local state, such that program components can be verified independently. We aim to develop a verification methodology based on classical first-order logic, for which powerful off-the-shelf solvers already exist. (In contrast, tools like Ynot work with separation logic to recover mod- ularity. Although the situation is improving (Chlipala et al. 2009), automation for separation logic remains a significant challenge.) Our work considers a well-known alternative to monadic state as the basis of a verification methodology: substructural state, by which we mean state modeled using linear (use-once) or affine (use-at-most-once) types (Wadler 1990). Our insight is that the problem of verifying stateful functional programs can be factored into two pieces. First, we can use an affine type system to model the stateful behavior of the program in a purely functional style. Then, to prove the safety of assertions in the program, we can rely on automated refinement type checking for a first-order classical logic. Affine types partition the state of the program into a number of disjoint pieces, thus yielding a modular verification procedure without necessitating the use of the separation logic connectives. In addition to improved automation, modeling state using affine types is attractive since it enables combinations of Hoare logic with other program verification disciplines. We work out one such example in detail in §5.1, where we combine our basic approach with a discipline of fractional capabilities to control aliasing. Concretely, our work is based on FINE (Swamy et al. 2010a), a purely functional language with a type system containing depen- dent refinements and affine types. Our contributions include: • We present FX (§3), an extension of the term syntax of FINE with stateful commands including object allocation, deletion and mutation. We also extend the type language with Hoare types (Nanevski et al. 2006) to give specifications (in the style of Hoare triples) to stateful code in FX. • We show how to translate FX programs to FINE (§4), using FINE’s affine types to model state, and dependent refinements for the translation of Hoare types. The core idea is to divide a stateful object into a pure value and an affine token whose type mentions the current state of the object. We prove that our translation is a simulation, which implies that refinement type checking in FINE guarantees assertion safety for FX. • We demonstrate the effectiveness of our approach on a variety of examples (§5), which, although simpler than the B+ trees verified interactively in Ynot, are still known to be challeng- ing. Our examples include a conference management program previously verified for authorization properties by Swamy et al. (2010a); a client of a stateful API of collections and iterators studied by Bierhoff and Aldrich (2007); and an encoding of in-