Citation Context

...lated bugs per version, according to its change-log. The Ynot extension to Coq was designed to support writing and proving correct this kind of pointer-based code, using a variant of separation logic =-=[18, 22]-=-. Separation logic makes it particularly easy to reason about data structures with “local” pointer structure, such as trees. However, in the case of B+ trees, the pointer structure does not directly f...

Citation Context

...tion size. In our system optimization is a distinct phase before execution. We have implemented a number of optimizations, including the following three from a standard introductory database textbook =-=[6]-=-: • Selection fusion. The query select P2 (select P1 Q) can be transformed to a single selection: select (P1 and P2) Q. • Projection fusion. The query proj l2 (proj l1 Q) can be transformed to use a s...

Citation Context

...es beyond the now successful domains of verified compilers and theorem provers. As a step towards this goal, we have constructed a verified, lightweight, in-memory RDBMS using the Coq proof assistant =-=[2]-=-. Currently, our RDBMS supports queries, written in a stylized subset of SQL, over an in-memory relational store that can be [de]serialized to disk. As such, it provides much of the functionality need...

Citation Context

...lated bugs per version, according to its change-log. The Ynot extension to Coq was designed to support writing and proving correct this kind of pointer-based code, using a variant of separation logic =-=[18, 22]-=-. Separation logic makes it particularly easy to reason about data structures with “local” pointer structure, such as trees. However, in the case of B+ trees, the pointer structure does not directly f...

Citation Context

...transformations, such as the optimization to fuse adjacent projections, requires tedious arguments and coercions to ensure that the output is well-typed. Newer languages such as Epigram [11] and Agda =-=[16]-=- provide better support for programming with dependent types, and Matthieu Sozeau is working to adapt many of these ideas to the Coq setting [26], so we are hopeful that this frustration will diminish...

Citation Context

...g Hoare-style proofs. An alternative to packaging the B+ tree with its model is to simply show that there is at most one ptree that a given pointer and heap can satisfy (i.e., that repTree is precise =-=[4, 17]-=-). However, this is complicated by the fact that the types of ptrees are indexed by height, and thus comparison (and substitution) demand the use of heterogenous, “John Major” equality [10]. 6.2 Imple...

Citation Context

...hand, writing transformations, such as the optimization to fuse adjacent projections, requires tedious arguments and coercions to ensure that the output is well-typed. Newer languages such as Epigram =-=[11]-=- and Agda [16] provide better support for programming with dependent types, and Matthieu Sozeau is working to adapt many of these ideas to the Coq setting [26], so we are hopeful that this frustration...

Citation Context

...g Hoare-style proofs. An alternative to packaging the B+ tree with its model is to simply show that there is at most one ptree that a given pointer and heap can satisfy (i.e., that repTree is precise =-=[4, 17]-=-). However, this is complicated by the fact that the types of ptrees are indexed by height, and thus comparison (and substitution) demand the use of heterogenous, “John Major” equality [10]. 6.2 Imple...

Citation Context

... first is a functional specification that describes finite maps as simple association lists that map keys to values. The second is an imperative specification, in the style of Hoare Type Theory (HTT) =-=[14]-=- and realized by the Ynot extension to Coq [15]. In an HTT specification, we describe operations over an imperative Abstract Data Type (ADT) using commands indexed by pre- and post-conditions. We use ...

Citation Context

...h behavior using modules, we modified the FSet library to be first-class using Coq’s type class mechanism. Type classes are a recent addition to Coq and behave similarly to their Haskell counterparts =-=[27]-=-. They allow the user to overload a set of operations across a class of types. We have a class of types FSetInterface that is parameterized by a type elt of elements and a total ordering E over elt th...

Citation Context

...transformed by a simple and provably semantics-preserving optimizer. The resulting optimized query is then mapped to a sequence of low-level operations over B+ trees. We implement B+ trees using Ynot =-=[15]-=-, an axiomatic extension to Coq that provides facilities for writing and reasoning about imperative, pointer-based code. The design and implementation are highly modularized to support code (and proof...

Citation Context

...precise [4, 17]). However, this is complicated by the fact that the types of ptrees are indexed by height, and thus comparison (and substitution) demand the use of heterogenous, “John Major” equality =-=[10]-=-. 6.2 Implementation of B+ Tree Operations In order to meet the finite map specification, we must provide the five operations given in Figure 2. The implementations of new and free are relatively stra...

Citation Context

...eExp I | compareLt ... Inductive whereExp I := | compExp: compareExp I -> whereExp I | andExp : whereExp I -> whereExp I -> whereExp I | orExp ... 4.2 Parsing The RDBMS uses Ynot’s packrat PEG parser =-=[5]-=- to parse user input. The parser is implemented as a verified compiler [12]: given a specification consisting of a PEG grammar and semantic actions, the parser creates an imperative computation that, ...

Citation Context

... operations for splitting a relation in half. Although in principle the two models are equivalent, certain operations possible in SQL, like swapping two columns, are easier to encode in our basis. In =-=[19]-=-, Oury and Swierstra give a dependently-typed relational algebra syntax that is similar to ours, but that uses column names instead of numbers. Their approach leads to a different proof burden; for in...

Citation Context

...l-typed. Newer languages such as Epigram [11] and Agda [16] provide better support for programming with dependent types, and Matthieu Sozeau is working to adapt many of these ideas to the Coq setting =-=[26]-=-, so we are hopeful that this frustration will diminish over time. Another lesson we have learned is the value of automation, both through hints and custom tactics. This insulates proofs against code ...

Citation Context

...whereExp I | andExp : whereExp I -> whereExp I -> whereExp I | orExp ... 4.2 Parsing The RDBMS uses Ynot’s packrat PEG parser [5] to parse user input. The parser is implemented as a verified compiler =-=[12]-=-: given a specification consisting of a PEG grammar and semantic actions, the parser creates an imperative computation that, when run over an arbitrary imperative character stream, returns a result th...

Citation Context

...each with different tradeoffs. For example, previous work encoding relational algebra in Agda suggests that schemas should be represented as functions from a finite set of column names to basic types =-=[9]-=-, but in practice, we found that a concrete encoding using a list of type names yields a more workable representation. • Another choice was how to represent finite sets. Finite sets are a common abstr...

Citation Context

... example, Ynot does not yet support writing or reasoning about concurrent programs, though we have done some preliminary work extending Hoare Type Theory with support for concurrency and transactions =-=[13]-=- based on the ideas of concurrent separation logic [4]. We expect that implementing and verifying the correctness of high-performance, concurrent B+ trees will be a particularly challenging problem. A...

Citation Context

... used to index data and are crucial for query execution performance. However, they are tricky to get right. BerkeleyDB, a high-performance embedded RDBMS that has hosted Google’s accounts information =-=[20]-=-, experiences around two dozen B+ tree-related bugs per version, according to its change-log. The Ynot extension to Coq was designed to support writing and proving correct this kind of pointer-based c...

Citation Context

...east one corresponding fused tuple in the product of A and B, provided B is non-empty. We constructed proofs manually, but it may be possible to adapt an automated theorem prover for relations (e.g., =-=[25]-=-) to Coq to reduce the proof burden. 4. The SQL Compiler In the previous section we described our Coq encoding of a model for relational data and algebraic operations on relations. In this section we ...

Citation Context

...y of relations. However, even using this simple model we can still show that some of our optimizations, like selection fusion, do not increase cost. 4.4.2 Semantic Optimization Semantic optimizations =-=[8]-=- are rewrites that are semantics-preserving only because of the specific constraints on the particular database instance at hand. Our “proj-prod” equivalence for relations A and B of schemas I and J w...

Citation Context

...sible. 8.2 Related Formalization A final lesson regards the formalization of relational algebra. The idea of mechanizing (data models more general than) relational algebra goes back to at least NuPrl =-=[21]-=-. The inspiration for our work, however, is the formalization of the relational algebra in Agda found in Carlos Gonzalia’s Ph.D. thesis [9]. Like that thesis, we use axiomatic finite sets; however, we...

Citation Context

... example, Ynot does not yet support writing or reasoning about concurrent programs, though we have done some preliminary work extending Hoare Type Theory with support for concurrency and transactions =-=[13]-=- based on the ideas of concurrent separation logic [4]. We expect that implementing and verifying the correctness of high-performance, concurrent B+ trees will be a particularly challenging problem. A...

Citation Context

...t determine the type parameter at run-time. • Finally, we found formalizing correctness proofs for complicated, pointer-based data structures particularly difficult despite previous work in this area =-=[3, 23]-=-. B+ trees, which are gener-alized binary search trees with leaves connected by a linkedlist “skirt” for rapid traversal, are often used to index data and are crucial for query execution performance....

Citation Context

...)-tuple that can be formed by concatenating a tuple in A with a tuple in B. This basis is relationally complete, and equal in expressive power to other relational formalisms, like relational calculus =-=[1]-=-. However, the choice of basis is somewhat arbitrary; for example, we could have chosen to use join and recovered cartesian product as a degenerate case. The ordered, nameless schema representation is...