Congruence Closure in Intensional Type Theory

Similar documents
Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

Provably Correct Software

Leonardo de Moura and Nikolaj Bjorner Microsoft Research

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Yices 1.0: An Efficient SMT Solver

Introduction to Homotopy Type Theory

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

has developed a specication of portions of the IEEE 854 oating-point standard in PVS [7]. In PVS, the injective function space injection can be dened

Decision Procedures in the Theory of Bit-Vectors

DPLL(Γ+T): a new style of reasoning for program checking

Foundations of Computer Science Spring Mathematical Preliminaries

From Z3 to Lean, Efficient Verification

Towards Coq Formalisation of {log} Set Constraints Resolution

Decision Procedures for Recursive Data Structures with Integer Constraints

The problem of minimizing the elimination tree height for general graphs is N P-hard. However, there exist classes of graphs for which the problem can

Tree Interpolation in Vampire

Lecture Notes on Real-world SMT

Chapter 1. Introduction

LP attracted two kinds of enthousiasts engineers/programmers \Never had I experienced such ease in getting a complex program coded and running" D.H.D.

Introduction to Coq Proof Assistant

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

Formally Certified Satisfiability Solving

Lecture 3: Recursion; Structural Induction

Yices 1.0: An Efficient SMT Solver

Lee Pike. June 3, 2005

Reasoning About Set Comprehensions

Translation Validation for a Verified OS Kernel

Automated verification of termination certificates

LECTURE 16. Functional Programming

Lecture 9 - Matrix Multiplication Equivalences and Spectral Graph Theory 1

A CSP Search Algorithm with Reduced Branching Factor

Decision Procedures in First Order Logic

A heuristic method for formally verifying real inequalities

Math 170- Graph Theory Notes

Types Summer School Gothenburg Sweden August Dogma oftype Theory. Everything has a type

Alive: Provably Correct InstCombine Optimizations

Case-Analysis for Rippling and Inductive Proof

SOFTWARE VERIFICATION RESEARCH CENTRE DEPARTMENT OF COMPUTER SCIENCE THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT

ArgoExpression: SMT-LIB 2.0 compliant expression library

Lecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1

Department of Computer Science. a vertex can communicate with a particular neighbor. succeeds if it shares no edge with other calls during

An Interactive Desk Calculator. Project P2 of. Common Lisp: An Interactive Approach. Stuart C. Shapiro. Department of Computer Science

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have

Taxonomic Syntax for First Order Inference. Abstract: We identify a new polynomial time decidable fragment of rst order

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

Numerical Computations and Formal Methods

An Annotated Language

The Dierence All-Dierence Makes. Kostas Stergiou and Toby Walsh. Glasgow, Scotland. 2 Formal background

Encoding First Order Proofs in SMT

Operational Semantics 1 / 13

argo-lib: A Generic Platform for Decision Procedures

Interactive Theorem Proving in Higher-Order Logics

VS 3 : SMT Solvers for Program Verification

Dynamic Logic David Harel, The Weizmann Institute Dexter Kozen, Cornell University Jerzy Tiuryn, University of Warsaw The MIT Press, Cambridge, Massac

Inductive Definitions, continued

time using O( n log n ) processors on the EREW PRAM. Thus, our algorithm improves on the previous results, either in time complexity or in the model o

SMT Solvers for Verification and Synthesis. Andrew Reynolds VTSA Summer School August 1 and 3, 2017

Chapter 2 The Language PCF

Chapter 2 & 3: Representations & Reasoning Systems (2.2)

Induction and Recursion. CMPS/MATH 2170: Discrete Mathematics

Chordal graphs and the characteristic polynomial

.Math 0450 Honors intro to analysis Spring, 2009 Notes #4 corrected (as of Monday evening, 1/12) some changes on page 6, as in .

Refinement Types as Proof Irrelevance. William Lovas with Frank Pfenning

Inductive data types

Algebraic Processors

Laboratory of Computer Science Research Technical Report LCSR-TR-259, March Program Decomposition for Pointer-induced Aliasing Analysis

type classes & locales

Part 2: Balanced Trees

Uncurrying for Termination

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

Rethinking Automated Theorem Provers?

COMPUTABILITY THEORY AND RECURSIVELY ENUMERABLE SETS

MAX-PLANCK-INSTITUT F UR. Ordered Semantic Hyper-Linking. David A. Plaisted. MPI{I{94{235 August 1994 INFORMATIK. Im Stadtwald. D Saarbrucken

Decision Procedures for Equality Logic. Daniel Kroening and Ofer Strichman 1

Evaluation of a new recursion induction principle for automated induction

Heap-on-Top Priority Queues. March Abstract. We introduce the heap-on-top (hot) priority queue data structure that combines the

The Use of Proof Plans for. Normalization. Alan Bundy. DAI Research Paper No. July 7, 1992

Rigidity, connectivity and graph decompositions

Universes. Universes for Data. Peter Morris. University of Nottingham. November 12, 2009

Univalent fibrations in type theory and topology

Inadequacy of Computable Loop Invariants ANDREAS BLASS University of Michigan and YURI GUREVICH Microsoft Research Hoare logic is a widely recommended

Verification Condition Generation

Column Generation and its applications

ABriefOverviewofAgda A Functional Language with Dependent Types

Pretty-Big-Step Semantics

Bases of topologies. 1 Motivation

the application rule M : x:a: B N : A M N : (x:a: B) N and the reduction rule (x: A: B) N! Bfx := Ng. Their algorithm is not fully satisfactory in the

Substitution in Structural Operational Semantics and value-passing process calculi

1KOd17RMoURxjn2 CSE 20 DISCRETE MATH Fall

Idris: Implementing a Dependently Typed Programming Language

Introduction to Matlab/Octave

Proof-Pattern Recognition and Lemma Discovery in ACL2

Calculus I (part 1): Limits and Continuity (by Evan Dummit, 2016, v. 2.01)

Idris, a language with dependent types Extended Abstract

Why. an intermediate language for deductive program verification

Warmup Problem. Describe how structural induction differs from our MATH 135 notion of induction. 1/25

Transcription:

Congruence Closure in Intensional Type Theory Daniel Selsam 1 Leonardo de Moura 2 1 Stanford University 2 Microsoft Research June 30, 2016

Goal Intensional type theory (ITT) Coq, Lean, Agda, Epigram, Idris Many striking successes. CompCert, FSCQ, Odd-order theorem Major ongoing work. MIT, Princeton, UPenn, Yale, Cornell, CMU, Tulane, others All this despite very little automation. Workarounds: manual proving, custom tactic scripts, restricting to limited subsets of ITT. Goal: an automated theorem prover for ITT. 2

Congruence Closure The most glaring limitation: no algorithm for congruence closure. Congruence closure (CC) is fundamental to SMT. link between SAT and theory solvers part of other theory solvers guides heuristic instantiation models We want CC to be a core component of our prover for ITT. 3

Outline Review Congruence closure Intensional type theory (ITT) Equality in ITT: the source of the problem Homogeneous equality Heterogeneous equality Congruence in ITT Heterogeneous equality is not a congruence relation New notion of congruence for heterogeneous equality Congruence Closure in ITT Congruence closure template New congruence closure procedure for ITT First steps to a prover Review 4

What is congruence closure? Congruence closure is an ecient decision procedure for equality. Examples: Input: a = b f a f b Output: UNSAT Input: a = b f a = g b f b g b Output: UNSAT Functions and constants uninterpreted. Curry notation: f a means f(a) Review 5

Review of standard congruence closure Inputs: a = b, f a = g b, f b g b Review 6

Review of standard congruence closure Inputs: a = b, f a = g b, f b g b 0 initial equivalence classes: {a} {b} {f a} {f b} {g b} Review 6

Review of standard congruence closure Inputs: a = b, f a = g b, f b g b 0 initial equivalence classes: {a} {b} {f a} {f b} {g b} 1 merge(a, b): {a, b} {f a} {f b} {g b} Review 6

Review of standard congruence closure Inputs: a = b, f a = g b, f b g b 0 initial equivalence classes: {a} {b} {f a} {f b} {g b} 1 merge(a, b): {a, b} {f a} {f b} {g b} 2 check terms that use a for new congruences f a is now congruent to f b merge(f a, f b): {a, b} {f a, f b} {g b} Review 6

Review of standard congruence closure Inputs: a = b, f a = g b, f b g b 0 initial equivalence classes: {a} {b} {f a} {f b} {g b} 1 merge(a, b): {a, b} {f a} {f b} {g b} 2 check terms that use a for new congruences f a is now congruent to f b merge(f a, f b): {a, b} {f a, f b} {g b} 3 merge(f a, g b): {a, b} {f a, f b, g b} Review 6

Review of standard congruence closure Inputs: a = b, f a = g b, f b g b 0 initial equivalence classes: {a} {b} {f a} {f b} {g b} 1 merge(a, b): {a, b} {f a} {f b} {g b} 2 check terms that use a for new congruences f a is now congruent to f b merge(f a, f b): {a, b} {f a, f b} {g b} 3 merge(f a, g b): {a, b} {f a, f b, g b} Conclude UNSAT, since f b = g b and f b g b Review 6

What is ITT? The main feature of ITT: dependent types. New construct: Π (x : A), B x Like A B, but can refer to argument x in return type Simply-typed lists list.all_zeros : N list N list.all_zeros 0 : list N list.tail (list.all_zeros 0) : list N runtime error Dependently-typed lists ilist.all_zeros : Π n : N, ilist N n ilist.all_zeros 0 : ilist N 0 ilist.tail (ilist.all_zeros 0) gives a type error Review 7

Dependent types Deceptively powerful idea: get theorems for free. ilist A n prevents list index out of range rbtree color n type guarantees red-black tree is well-formed f : Π a:a, Pre f a B a prevents invalid input prog : HoareState Pre Post bundle stateful computation as a Hoare triple Methodology: correct by construction Cost: some complications most notably: equality is no longer a congruence relation! Review 8

Our contribution A weaker notion of congruence that holds in ITT. An ecient and proof-producing congruence closure procedure built on it. First step towards a prover. Review 9

Outline Review Congruence closure Intensional type theory (ITT) Equality in ITT: the source of the problem Homogeneous equality Heterogeneous equality Congruence in ITT Heterogeneous equality is not a congruence relation New notion of congruence for heterogeneous equality Congruence Closure in ITT Congruence closure template New congruence closure procedure for ITT First steps to a prover Equality in ITT: the source of the problem 10

Equality is subtle in ITT Congruence is subtle because equality is subtle. Dierent kinds of equality. 1 homogeneous equality: congruence relation but no dependent types 2 heterogeneous equality: dependent types but no longer a congruence relation Warning: may be confusing at rst. Equality in ITT: the source of the problem 11

1. Homogeneous equality eq A a 1 a 2 means a 1 : A and a 2 : A are (homogeneously) equal. notation: a 1 = a 2 homogeneous since a 1 and a 2 must have the same type. eq behaves as you would expect. P a 1 and a 1 = a 2 implies P a 2. Equality in ITT: the source of the problem 12

Limitations of homogeneous equality Given: f : Π a:a, B a Cannot even state the congruence property for f: eq A a 1 a 2 eq? (f a 1 ) (f a 2 ) Problem: f a 1 : B a 1 f a 2 : B a 2 Equality in ITT: the source of the problem 13

3. Heterogeneous equality heq A B a b means a : A and b : B are (heterogenously) equal. notation: a == b Can always state a == b. Meaning is subtle: pf : (A = B), cast a pf = b heq hides the casts when types are the same: a 1 == a 2 a 1 = a 2 heq is weaker than eq no longer a congruence relation Equality in ITT: the source of the problem 14

Outline Review Congruence closure Intensional type theory (ITT) Equality in ITT: the source of the problem Homogeneous equality Heterogeneous equality Congruence in ITT Heterogeneous equality is not a congruence relation New notion of congruence for heterogeneous equality Congruence Closure in ITT Congruence closure template New congruence closure procedure for ITT First steps to a prover Congruence in ITT 15

Congruence in ITT Homogeneous equality is a congruence relation: f = f a = a --------------- f a = f a Heterogeneous equality is not a congruence relation: f == f a == a --------------- f a == f a Our approach: nd a weaker notion of congruence for heq. Congruence in ITT 16

n-ary congruence by repeated binary congruence Suppose we want to prove: f = f a 1 = a 1 a 2 = a 2 --------------- f a 1 a 2 = f a 1 a 2 Congruence in ITT 17

n-ary congruence by repeated binary congruence Suppose we want to prove: f = f a 1 = a 1 a 2 = a 2 --------------- f a 1 a 2 = f a 1 a 2 Step 1: f a 1 = f a 1 Congruence in ITT 17

n-ary congruence by repeated binary congruence Suppose we want to prove: f = f a 1 = a 1 a 2 = a 2 --------------- f a 1 a 2 = f a 1 a 2 Step 1: f a 1 = f a 1 Step 2: (f a 1 ) a 2 = (f a 1 ) a 2 Congruence in ITT 17

n-ary congruence lemmas No binary congruence rule for heterogeneous equality. f == f a 1 == a 1 a 2 == a 2 --------------- f a 1 a 2 == f a 1 a 2 Congruence in ITT 18

n-ary congruence lemmas No binary congruence rule for heterogeneous equality. f == f a 1 == a 1 a 2 == a 2 --------------- f a 1 a 2 == f a 1 a 2 Consolation: new atomic rule for arity 2 (hcongr 2 ) f = f a 1 == a 1 a 2 == a 2 --------------- f a 1 a 2 == f a 1 a 2 Congruence in ITT 18

New notion of congruence for heterogeneous equality Idea: prove custom congruence lemmas for every arity Example (hcongr 3 ): f = f a 1 == a 1 a 2 == a 2 a 3 == a 3 --------------- f a 1 a 2 a 3 == f a 1 a 2 a 3 General rule: hcongr k proves that two terms are heq provided: 1 the nal k arguments are each heq, and 2 the remaining prexes are eq, Congruence in ITT 19

New notion of congruence for heterogeneous equality Reminder: hcongr k proves that two terms are heq provided: 1 the nal k arguments are each heq, and 2 the remaining prexes are eq, New denition: two terms are congruent if they can be proved heq by hcongr k for some k. Example: f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 congruent by hcongr 1 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 hcongr 2 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 hcongr 3 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 prefixes= args== Congruence in ITT 20

Outline Review Congruence closure Intensional type theory (ITT) Equality in ITT: the source of the problem Homogeneous equality Heterogeneous equality Congruence in ITT Heterogeneous equality is not a congruence relation New notion of congruence for heterogeneous equality Congruence Closure in ITT Congruence closure template New congruence closure procedure for ITT First steps to a prover Congruence Closure in ITT 21

Congruence closure template Want: a CC procedure for our new notion of congruence. Two main requirements: 1 tell if two terms are congruent 2 parents(t): enumerate terms that might trigger a new congruence for t Congruence Closure in ITT 22

Traditional congruence closure 1 tell if two terms are congruent f a and g b are congruent i f = g and a = b. 2 parents(t): enumerate terms that might trigger a new congruence for t parents of f a are f and a Congruence Closure in ITT 23

Congruence closure over heterogeneous equality [1] tell if two terms are congruent Reminder: two terms are congruent i there is some k such that: 1 the nal k arguments are each heq, and 2 the remaining prexes are eq, Running example: f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 congruent by hcongr 1 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 hcongr 2 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 hcongr 3 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 prefixes= args== Recursive algorithm: f a and g b are congruent if and only if a == b and either f = g (hcongr 1) f and g are congruent recursively (hcongr k+1 ) Congruence Closure in ITT 24

Congruence closure over heterogeneous equality [2] parents(t): enumerate terms that might trigger a new congruence for t Running example: f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 congruent by hcongr 1 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 hcongr 2 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 hcongr 3 if f a 1 a 2 a 3 =?= g b 1 b 2 b 3 b 4 prefixes= args== parents of f a 1 arguments).... a n : all of its strict subterms (i.e. prexes and Congruence Closure in ITT 25

Outline Review Congruence closure Intensional type theory (ITT) Equality in ITT: the source of the problem Homogeneous equality Heterogeneous equality Congruence in ITT Heterogeneous equality is not a congruence relation New notion of congruence for heterogeneous equality Congruence Closure in ITT Congruence closure template New congruence closure procedure for ITT First steps to a prover First steps to a prover 26

Heuristic instantiation Congruence closure on its own is of limited value. Only operates on ground facts, no quantiers CC cannot prove: ( x, f x = x) g (f a) = g a solution: instantiate at a CC can prove: f a = a g (f a) = g a Congruence closure + heuristic instantiation is already very powerful. E-matching simple idea but details out of scope First steps to a prover 27

Congruence closure for length-indexed lists Length-indexed lists (ilist A n) often avoided in big projects. lack of automation has outweighed benets Our CC procedure works just as well on ilists. Induction + E-matching + congruence closure can prove: lemma rev_app : (A : Type) (n 1 n 2 : N) (l 1 : ilist A n 1 ) (l 2 : ilist A n 2 ), rev (l 1 ++ l 2 ) == (rev l 2 ) ++ (rev l 1 ) First steps to a prover 28

Congruence closure for safe arithmetic Another use of dependent types: safe arithmetic safe_log : Π (x : R), x > 0 R safe_inv : Π (x : R), x 0 R Dene log x := safe_log x p y 1 := safe_inv y q E-matching + CC can solve: (x y z w : R), x > 0 y > 0 z > 0 w > 0 x * y = exp z + w log (2 * w * exp z + w 2 + exp (2 * z)) / -2 = log y 1 - log x First steps to a prover 29

Summary New notion of congruence for heterogeneous equality in ITT. New ecient and proof-producing congruence closure procedure for ITT that supports dependent types. CC is the core of our new prover for ITT. long-term eort led by Leonardo de Moura at MSR built into Lean CC + E-matching: very useful already First steps to a prover 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback