Inferring Accumulative Effects of Higher Order Programs
Mihai Nicola, Chaitanya Agarwal, Eric Koskinen, Thomas Wies
arXiv - CS - Programming Languages, published 2024-08-05. DOI as listed: arxiv-2408.02791 (https://doi.org/arxiv-2408.02791)
Citations: 0
Abstract
Many temporal safety properties of higher-order programs go beyond simple event sequencing and require an automaton register (or "accumulator") to express, such as input-dependency, event summation, resource usage, ensuring equal event magnitude, computation cost, etc. Some steps have been made towards verifying more basic temporal event sequences via reductions to fair termination [Murase et al. 2016] or some input-dependent properties through deductive proof systems [Nanjo et al. 2018]. However, there are currently no automated techniques to verify the more general class of register-automaton safety properties of higher-order programs.

We introduce an abstract interpretation-based analysis to compute dependent, register-automata effects of recursive, higher-order programs. We capture properties of a program's effects in terms of automata that summarize the history of observed effects using an accumulator register. The key novelty is a new abstract domain for context-dependent effects, capable of abstracting relations between the program environment, the automaton control state, and the accumulator value. The upshot is a dataflow type and effect system that computes context-sensitive effect summaries. We demonstrate our work via a prototype implementation that computes dependent effect summaries (and validates assertions) for OCaml-like recursive higher-order programs. As a basis of comparison, we describe reductions to assertion checking for effect-free programs, and demonstrate that our approach outperforms the prior tools Drift and RCaml/PCSat. Overall, across a set of 21 new benchmarks, RCaml/PCSat could not verify any, Drift verified 9 benchmarks, and evDrift verified 19; evDrift also had a 30.5x speedup over Drift on those benchmarks that both tools could solve.
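The abstract describes properties that need an automaton with an accumulator register, such as a resource-usage bound that depends on the magnitudes of the events a program emits. The following is an added example, not code from the paper or its evDrift prototype: a small runtime illustration in Python of that property class. A higher-order recursive program (`iterate`, which takes a worker callback) emits `acquire`/`release` events, and a register automaton consumes the trace, updating a control state and an integer accumulator together. The property checked ("accumulated usage stays within `[0, budget]`") and all names here are assumptions chosen for illustration; the paper computes such effect summaries statically by abstract interpretation, which this monitor does not attempt.

```python
"""Register-automaton safety properties over effect traces.

Added example (not the paper's code): a higher-order recursive program emits
events, and a register automaton with one accumulator checks the trace.
The property 'accumulated resource usage stays within [0, budget]' is an
assumption chosen to illustrate an accumulator-dependent safety property.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# An effect is an event name plus an integer magnitude.
Event = Tuple[str, int]


@dataclass
class RegisterAutomaton:
    """Control state plus one integer register; guards read both."""
    budget: int
    state: str = "ok"
    acc: int = 0

    def step(self, ev: Event) -> None:
        if self.state == "err":
            return  # the error state is absorbing
        name, magnitude = ev
        if name == "acquire":
            self.acc += magnitude
        elif name == "release":
            self.acc -= magnitude
        # Register-dependent guard: leaving [0, budget] is a safety violation.
        if not 0 <= self.acc <= self.budget:
            self.state = "err"


def run_trace(trace: List[Event], budget: int) -> Tuple[str, int]:
    """Drive the automaton over a whole trace; return (state, accumulator)."""
    automaton = RegisterAutomaton(budget)
    for ev in trace:
        automaton.step(ev)
    return automaton.state, automaton.acc


# A higher-order recursive program: the worker callback decides which effects
# are emitted at each recursion depth, so the trace depends on the input n.
Worker = Callable[[int, List[Event]], None]


def iterate(n: int, worker: Worker, trace: List[Event]) -> None:
    if n <= 0:
        return
    worker(n, trace)
    iterate(n - 1, worker, trace)


def balanced_worker(i: int, trace: List[Event]) -> None:
    """Each level acquires and releases the same magnitude."""
    trace.append(("acquire", i))
    trace.append(("release", i))


def leaky_worker(i: int, trace: List[Event]) -> None:
    """Each level acquires without releasing, so usage accumulates."""
    trace.append(("acquire", i))


def program_trace(n: int, worker: Worker) -> List[Event]:
    """Run the program on input n and collect its effect trace (constructed input)."""
    trace: List[Event] = []
    iterate(n, worker, trace)
    return trace


def check(n: int, worker: Worker, budget: int) -> bool:
    """True iff the program on input n satisfies the budget property."""
    state, _ = run_trace(program_trace(n, worker), budget)
    return state == "ok"


if __name__ == "__main__":
    print("balanced, n=5, budget=5:", check(5, balanced_worker, 5))  # True
    print("balanced, n=5, budget=3:", check(5, balanced_worker, 3))  # False
    print("leaky,    n=5, budget=10:", check(5, leaky_worker, 10))   # False
```

The point the automaton makes concrete is that the verdict depends on the relation between the input `n`, the control state and the register value: the same worker is safe or unsafe depending on the budget, and a plain event-sequence automaton (with no register) could not distinguish these traces at all, since every trace here is just a sequence of `acquire`/`release` names.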