coq-club AT inria.fr
Subject: The Coq mailing list
List archive
- From: Xavier Leroy <Xavier.Leroy AT inria.fr>
- To: coq-club AT inria.fr
- Subject: Re: [Coq-Club] VM/native mode within Coq
- Date: Tue, 6 Oct 2015 19:09:55 +0200
- Authentication-results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=xavier.leroy AT gmail.com; spf=Pass smtp.mailfrom=xavier.leroy AT gmail.com; spf=None smtp.helo=postmaster AT mail-wi0-f172.google.com
- Ironport-phdr: 9a23:dWXsLhU22iTyZxAS9y7H43PkwufV8LGtZVwlr6E/grcLSJyIuqrYZheAt8tkgFKBZ4jH8fUM07OQ6PC8HzNZqs3Q+Fk5M7VyFDY9wf0MmAIhBMPXQWbaF9XNKxIAIcJZSVV+9Gu6O0UGUOz3ZlnVv2HgpWVKQka3CwN5K6zPF5LIiIzvjqbpq8GVPFwD32v1SIgxBSv1hD2ZjtMRj4pmJ/R54TryiVwMRd5rw3h1L0mYhRf265T41pdi9yNNp6BprJYYAu2pN5g/GLdfFXEtN30/zMztrxjKCwWVtVUGVWBDohNWAgXfpDX3RJDg+n/Kv/R81TPcGcDsSqEcWDK47q4tRgW+23RPDCIw7GyC0p84t6lcuh/0/xE=
On 30/09/15 17:44, Freek Wiedijk wrote:
> On the CakeML developers mailing list, there was a mention of:
> <http://gallium.inria.fr/blog/coq-eval/>
> Then Magnus wrote;
> [...]
> I wonder what the trust issues are when computing with the
> VM/native mode within Coq. The jumps into and out of the VM/native
> mode sound scary regarding the trust story of the prover. Are
> these VM/native-mechanisms in fact not trusted and somehow
> cleanly separated from the trusted part of Coq's kernel?
Normally, I'd let the authors of vm_compute and native_compute reply,
but they are probably busy pumping water off their basements...
(Big floods near Sophia-Antipolis recently.)
The principles underlying vm_compute (the strong reduction strategy
and the compilation scheme to VM code) were formalized and verified in
Coq by Benjamin Grégoire in his PhD thesis. The actual implementation
of vm_compute is not formally verified, though, and, yes, it is part
of the trusted kernel. Empirically, based on the rate of discovery of
proofs of False, it looks as reliable as the rest of the Coq
implementation.
This said, the experiment I mentioned in my blog post (execute
CompCert within Coq using vm_compute) doesn't aim at 100% formal
confidence of the CakeML kind. Instead, it just aims at an alternate
execution mechanism for CompCert that is independent from Coq's
extraction and OCaml's compilation of the extracted code. In the
context of software certification using a combination of tests and
formal methods, the existence of two independent implementations that
produce the same results already has some certification value, not as
high as a full formal verification, but not negligible either.
(Motto: "if something is true for two independent reasons, that makes
it more true!").
Bas Spitters adds:
> There are at least to projects trying to improve the level of trust:
> http://www.maximedenes.fr/download/coqonut.pdf
> https://www.cs.princeton.edu/~appel/certicoq/
The Coqonut project (by Maxime Dénès and I) aims at equipping Coq with
an evaluation mechanism that is both more efficient and more
trustworthy than vm_compute and native_compute, via a
formally-verified JIT compiler from Gallina to x86-64. The project is
at an early stage and we're lacking time and manpower to make it
progress as fast as we'd like, so don't hold your breath.
- Xavier Leroy
- Re: [Coq-Club] VM/native mode within Coq, Andrew W. Appel, 09/30/2015
- <Possible follow-up(s)>
- Re: [Coq-Club] VM/native mode within Coq, Xavier Leroy, 10/06/2015
- Re: [Coq-Club] VM/native mode within Coq, Maxime Dénès, 10/08/2015
- Re: [Coq-Club] VM/native mode within Coq, Epiphanie, 10/08/2015
- Re: [Coq-Club] VM/native mode within Coq, Enrico Tassi, 10/08/2015
- Re: [Coq-Club] VM/native mode within Coq, Epiphanie, 10/08/2015
- Re: [Coq-Club] VM/native mode within Coq, Maxime Dénès, 10/08/2015
Archive powered by MHonArc 2.6.18.