CakeML is a functional programming language and an ecosystem of proofs and tools built around the language. The ecosystem includes a proven-correct compiler that can bootstrap itself.
The CakeML project consists of the following components, all of which are free software.
Language definition. The CakeML language is based on a substantial subset of Standard ML. Its formal semantics is specified in higher-order logic (HOL) in a functional big-step style. The core of the language (its syntax and semantics) is quite stable, but the standard basis library is still undergoing development. Contributions are welcome!
Compiler backend. The CakeML compiler has many parts. The most significant part is the verified compiler backend, which transforms an untyped AST to concrete machine code for one of 5 target architectures. The compiler backend has been proved to only produce machine code that is compatible with the behaviours of the source programs. The backend passes through several intermediate languages (as this diagram illustrates) and performs some optimisations.
Compiler frontend 1. There are two frontends to the compiler. The first one is a proof-producing synthesis tool (called the translator). It generates CakeML AST from ML-like functions in HOL and proves that the generated AST has the same behaviour as the HOL function. The original version of this tool produced only pure CakeML code, but more recent versions can produce code that performs I/O and uses state, including local state.
Compiler frontend 2. The second compiler frontend consists of a traditional parser followed by a type inferencer. Both of these have been proved sound and complete with respect to declarative specifications. For the parser, this means that our PEG parser implementation finds a correct parse tree if there exists one according to a traditional grammar for CakeML concrete syntax (SML). Soundness and completeness of the type inferencer means that, if the program is can be typed, then the inferencer will find a type (which is the most general type).
Compiler bootstrapping. The CakeML compiler has been bootstrapped inside HOL. By bootstrapped we mean that the compiler has compiled itself. This was achieved by noticing that frontend 2 combined with the backend is a HOL function which we can feed into the tool-chain consisting of frontend 1 and the backend. The result is a verified binary that provably implements the compiler itself (with frontend 2). The latest bootstrapped binary is on our downloads page. The bootstrapping is described here.
Post-hoc verification of CakeML programs. We have adapted Charguéraud's CFML verification framework to CakeML. Usually, we recommend that verified CakeML code is produced via synthesis using frontend 1. However, in some cases it is more convenient to do Hoare-style reasoning in the separation logic of CFML. CakeML's version of CFML supports reasoning about references, arrays, exceptions and I/O, and is used for verification of parts of the CakeML basis library.
Verified applications built using CakeML. The CakeML tools are geared towards production of verified applications using proof-producing synthesis (frontend 1) and compilation inside HOL (in-logic evaluation of the compiler backend). To date, the largest case study is the bootstrapped CakeML compiler. Other end-to-end verified applications that have been produced using the CakeML tools are:
This website provides further details of the CakeML project, links to papers, courseware, auxiliary tools and suggestions for masters and doctoral level projects.
There is a two-year postdoc position open at Chalmers on topics related to CakeML. Application deadline: 18 May 2018.
The following CakeML related papers will appear at FLoC 2018:
Proof-Producing Synthesis of CakeML with I/O and Local State from Monadic HOL Functions, IJCAR'18
Verifying the LTL to Büchi Automata Translation via Very Weak Alternating Automata, ITP'18
Software Verification with ITPs Should Use Binary Code Extraction to Reduce the TCB (short paper), ITP'18
The following paper at PLDI'18 uses CakeML: VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models
There will be a talk about CakeML at the DeepSpec workshop at PLDI'18
Data61 is hiring proof engineers again in Sydney, Australia. Application deadline: 15 April 2018.
There will be a CakeML developers meeting on 29 May 2018 at Chalmers. It’ll be very informal and anyone interested in CakeML (both development and use) is welcome! Contact Magnus Myreen for more information.
Our paper on A Verified Generational Garbage Collector for CakeML will be presented at ITP'17.
We have bootstrapped the CakeML compiler for RISC-V. The result of bootstrapping in the logic is available (as it is for x86-64 also).
There will be CakeML tutorials at
PLDI'17 (full-day tutorial) and
ICFP'17 (half-day tutorial).
These tutorials will let participants try out the tools of the CakeML ecosystem and use them to produce
end-to-end verified binaries. The tutorials are a good way to get involved in CakeML.
We have released some previews of CakeML version 2.
There are two open PhD positions related to CakeML at Chalmers University of Technology, Sweden. Application deadline: 25 April 2017
The final publication is available here.
Our ESOP'16 paper (preprint) describes and advocates the use of functional big-step semantics for both reasoning about programming languages and compiler verification.
Paper © Springer 2016. The final publication is available at link.springer.com.
CakeML together with our formalisation of HOL in HOL is being used in research supported by the Future of Life Institute on AI safety, in particular on improving our understanding of reflective reasoning. Our ITP'15 paper on reflection precedes and supports the work on this project.
Paper © Springer 2015. The final publication is available at link.springer.com.
A new representation for pattern matching in HOL, as described in this ITP'15 paper on pattern matching, has been incorporated into the HOL-to-CakeML translator.
Paper © Springer 2015. The final publication is available at link.springer.com.
We gave a guest lecture in the Advanced Topics in Software Verification course at UNSW, about bootstrapping the verified CakeML compiler. (See the slides for Week 10, 2016, or Week 12, 2015.)
The beta (see item below) now also supports character literals.
A beta version of the verified CakeML implementation (version 1) is available here. To build and run the code: unzip, then make, and ./cake.
Note that this is a beta version with a few known issues: (1) stack overflow is checked by the OS, leads to a segfault; (2) compiling on Mac OS produces some compiler warnings. If you stumble upon other issues, let us know on email@example.com.
This is verified software. Why might it have issues? The short answer is that we might not have checked our assumptions thoroughly enough. Is our model of the x86-64 machine accurate enough? Are we interacting with the unverified C code correctly? The assumptions have been tested, but one can never be 100% sure that testing caught all possible issues.
A preliminary version of the CakeML Compiler Explorer is available. This web service lets you run the verified compiler and see the results of various stages of compilation.
We have since developed a direct semantics for all of HOL (supporting both definitions and non-definitional context extensions including new axioms). This version was presented in our ITP'14 talk. It is described in more detail in our subsequent JAR paper.
ITP Paper © Springer 2014. The final publication is available at link.springer.com. JAR Paper © the authors 2016. The definitive version was published in Journal of Automated Reasoning, Volume 56, Issue 3, 2016, and is available with open access here.
We gave an MPhil course at Cambridge on specifying, implementing, and verifying functional programming languages.
Our POPL'14 paper describes CakeML and a verified x86-64 implementation of a read-eval-print loop for CakeML, using the bootstrapped compiler below, a verified translation from bytecode to x86-64, and a mostly-synthesised verified runtime.
Paper © the authors 2014. This is the authors' version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in Proceedings of the 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, here.
We have written, verified, and bootstrapped a compiler (including lexing, parsing, type inference, and code generation) from CakeML to CakeML Bytecode. The correctness theorem covers both terminating and diverging programs, and says that the generated code behaves according to the semantics in either case. The compiler is written in HOL; we use the translator, mentioned below, to generate a verified CakeML implementation, and then evaluate the compiler on this implementation (bootstrap) to generate verified bytecode.
One of our initial target case studies is to construct a verified CakeML version of the HOL Light theorem prover. For this case study, we extended the translation tool, mentioned below, to be able to translate into stateful CakeML code. Initial results are described in our ITP'13 short paper.
Paper © Springer 2013. The final publication is available at link.springer.com.
We have developed a tool which translates functions from higher-order logic into CakeML. This tool is proof producing: for each translation it proves a theorem which states that the generated CakeML code correctly implements the original HOL function, according to the operational semantics of CakeML. See our ICFP'12 paper, and subsequent JFP paper, for more details.
ICFP Paper © ACM 2012. This is the authors' version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in Proceedings of the 17th ACM SIGPLAN International Conference on Functional Programming, here. JFP Paper © Cambridge University Press 2014. The definitive version was published in Journal of Functional Programming, Volume 24, Issue 2-3, 2014, and is available here.