
A blog engine written and proven in Coq - jcurbo
http://coq-blog.clarus.me/a-blog-engine-written-and-proven-in-coq.html
======
wereHamster
> The purity of Coq ensures that each request is answered exactly once in
> finite time.

How does Coq ensure that the request completes in finite time?

~~~
seanwilson
I haven't looked at the code but you can prove many functions in Coq terminate
by showing they are structurally recursive. Concisely, you show a function
only calls itself on smaller versions of the originally parameters so there
must be a limit to how many recursive calls you can make.

For example, a function F to find the item X in the the list L might look like
this:

1\. If L is empty, return false.

2\. If the front of L is X, return true.

3\. Otherwise return the result of calling F on L with its front item removed.

The list must get smaller every recursive call so there's a limit to the
recursion. Lots of functions recurse in this way (e.g. map, filter, reduce,
max) and Coq can detect these automatically usually.

For more complicated cases, you can provide some numeric metric to Coq and
write a proof that this metric must eventually reach some limit. For example,
to prove quicksort terminates, you usually show the length of the lists called
in the recursive calls are smaller each time.

So, in general, there's no procedure to show an arbitrary function terminates,
but for the kind of functions people usually write, there are practical ways
to prove termination.

~~~
more_original
In Coq _all_ functions terminate.

Coq's correctness depends on termination. In Coq the propositions are types.
To prove a proposition is to construct a program of this type. If one allowed
non-termination, then it would be easy to construct a program of any type
(like in OCaml let rec f() = f() has type () -> 'a), so you could prove
anything.

~~~
seanwilson
I didn't say anything that disagrees with that...I was simply trying to give
an easy to understand example for how you justify to a computer that a
function will always terminate from the perspective of someone who has never
used Coq or another theorem prover.

In this context, it's isn't very illuminating to tell a non-Coq user that all
Coq functions terminate; formulating your function definition into something
that Coq will accept is the difficult part.

~~~
more_original
I see. You said "you can prove many functions in Coq terminate", so it seemed
you were talking about functions written in Coq.

~~~
seanwilson
Ah, I meant that in the sense of, think of an algorithm you want to write,
many of them are structurally recursive and they're straightforward to
implement in Coq.

------
brudgers
Not to diminish the accomplishment, I think it is really cool, but I won't say
"I'd buy that for a dollar." A blog engine with provably correct posts and
comments though? That's a real kickstarter. Although the use case might not be
the internet as we know it.

But require the comments to be provably correct and assume the post as premise
and I think we're onto a winner.

~~~
leoc
> require the comments to be provably correct and assume the post as premise
> and I think we're onto a winner

It's trivial: proof is by EFQ. ;)

------
hrjet
The last line threw me off:

> an unauthenticated user cannot access private pages (like edit) or modify
> the file system with system calls.

System calls? How do they come into the picture? And wouldn't reasoning about
system calls require proofs about the kernel itself?

~~~
kriro
Without reading the sourcecode/proof (bookmarked for later) my guess is that
it simply means something along the lines of "the user cannot execute code a
la eval". So basically the user can do exactly the specified actions and
nothing more.

~~~
clarus
By "system call", we do not mean "kernel call" but more "call to the system"
in a broader sense, that is from the program to its environment (it could be
the OS or other libraries). We should probably use another word since this is
confusing.

More exactly, we check that the only calls when the user is not logged in are:
ReadFile, ListPosts or Log: [https://github.com/clarus/coq-chick-
blog/blob/master/Spec.v#...](https://github.com/clarus/coq-chick-
blog/blob/master/Spec.v#l208)

------
legulere
Is it also proven that no cross-site-scripting attacks are possible?

~~~
clarus
No, nothing is done about it, the post contents are not even escaped to
generate safe HTML.

------
mcmancini
Is there a good practical resource for learning about applying formal proof
systems like Coq or Spin, but for those without a CS background? I'm
interested in provably correct systems, but a lot of the material seems to be
heavy on the theoretical side. I guess you could say I'm searching for the
_Art of Electronics_ , but for formal proofs.

~~~
adultSwim
Software Foundations
[http://www.cis.upenn.edu/~bcpierce/sf/current/index.html](http://www.cis.upenn.edu/~bcpierce/sf/current/index.html)

To my knowledge it's the most accessible book/class/tutorial on Coq. Starts
off slowly and has a lot of interactive examples. Suitable for self-study.
Comparing with what else is out there, really shows how refined and well-
tested it is.

Highly recommend.

~~~
mcmancini
Winner winner chicken dinner.

I read the preface and this sounds exactly like what I was looking for. Many
thanks!

~~~
eli_gottlieb
I worked through it last year and had a great time. Enjoy!

------
pjmlp
This is great, as more real life examples are needed.

------
allan_s
disclaimer: outside of a quick understanding of what "formal proof system" is,
I have no deep understanding of how it works.

It is written there's a Coq->OCaml compilation step. Would it be easily
possible to have any Coq->other language (I'm mostly thinking about Rust)
compiler ? Or do some properties of OCaml make it much easier (I mean "several
order of magnitude") to implement than more 'common' dynamic languages like
Php/Python/ruby ?

~~~
adultSwim
It's definitely possible. The hand wavy version is that basically you just
throw out all the fancy types, throw out all the proofs, and just leave the
data and functions.

So let's say in Coq I write a sorting function. In Coq it could have a type
where it takes a list and returns the same list sorted (i.e. proven that it
works). I can extract to OCaml and be just left with a function which a type
that takes a list and returns a list. However the computation being done is
still the same.

The target language doesn't even need types. I don't know if it's still
maintained but there used to be an extraction back-end to Scheme (also one for
Haskell).

Being a functional language makes things much easier. Need to have something
to map algebraic data types, functions, and function application.

~~~
pseudonom-
My understanding is that, after translation, Agda's Haskell makes rather
liberal use of unsafeCoerce :: a -> b (it's already been type checked by Agda,
after all).

~~~
vilhelm_s
Yes, that's true for Coq extraction also. You can choose to extract to ML,
Haskell or Scheme, but whichever one you pick the target language is basically
treated as an untyped language. (Of course, it tries to avoid
unsafeCoerce/Obj.magic if possible; if the program can be typed with just
simple types, the extracted code should not have any unsafe coercions in it.)

------
skybrian
This quite cool but for an HTTP server, most requests should complete within a
few seconds and the average should be in milliseconds. Proving that requests
are handled in finite time is useful (some kinds of bugs are eliminated) but
it's not really the performance guarantee that's needed in this domain. We
will probably be using performance testing rather than proofs for a long time.

~~~
ocharles
There's no reason a proof has to take _any_ time - propositions as types is a
tool to guide us to correct information flow, it doesn't mean we literally run
the proof at every step. If we trust the core, we can erase the proof checking
at the point of compilation and we're left with identical machine code that
has been proven to do exactly what we expect and specify.

~~~
CompleteSkeptic
I think he was referring to the fact that the request completes in finite time
isn't a tight enough bound.

------
teddyuk
This is such a terribly badly named language for anyone in the UK!

~~~
hme
The name has an history, but the fact that UK (and US) have a problem with it
is probably the very reason why it's been kept like this. After all "bit" in
french has exactly the same meaning as "cock" in english. french devs deal
with it. I guess it's some kind or revenge...

~~~
tpaksoy
It's not just that "Coq" might sound like "cock", but a "Coq blog" just sounds
even funnier...

~~~
wernercd
I just hate to think of the poor girl/woman who decides she loves the
framework...

~~~
smadge
Why does it have to be a girl/woman? Why would it be any different for a
boy/man to say they love Coq?

This actually happened to me. A classmate said something about Coq, and I did
a double take. He explained it was a language, but for a second he got my
hopes up.

