Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Similar documents
Adam Chlipala University of California, Berkeley ICFP 2006

Beluga: A Framework for Programming and Reasoning with Deductive Systems (System Description)

Introduction to Coq Proof Assistant

An Industrially Useful Prover

VeriML: A dependently-typed, user-extensible and language-centric approach to proof assistants

VeriML: A dependently-typed, user-extensible and language-centric approach to proof assistants

Lecture 13: Subtyping

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley

VeriML: Typed Computation of Logical Terms inside a Language with Effects

Goal. CS152: Programming Languages. Lecture 15 Parametric Polymorphism. What the Library Likes. What The Client Likes. Start simpler.

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Programming Languages Fall 2014

Functional Programming in Coq. Nate Foster Spring 2018

Operational Semantics 1 / 13

Assistant for Language Theory. SASyLF: An Educational Proof. Corporation. Microsoft. Key Shin. Workshop on Mechanizing Metatheory

Combining Proofs and Programs in a Dependently Typed Language. Certification of High-level and Low-level Programs

Turning proof assistants into programming assistants

Consistent Subtyping for All

Induction in Coq. Nate Foster Spring 2018

Programming Up-to-Congruence, Again. WG 2.8 Estes Park

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

MPRI course 2-4 Functional programming languages Exercises

An ACL2 Tutorial. Matt Kaufmann and J Strother Moore

Coq with Classes. Matthieu Sozeau. Journées PPS 2011 September 5th 2011 Trouville, France. Project Team πr 2 INRIA Paris

Eta-equivalence in Core Dependent Haskell

A NEW PROOF-ASSISTANT THAT REVISITS HOMOTOPY TYPE THEORY THE THEORETICAL FOUNDATIONS OF COQ USING NICOLAS TABAREAU

Mtac: A Monad for Typed Tactic Programming in Coq

Isabelle/HOL:Selected Features and Recent Improvements

CS 565: Programming Languages. Spring 2008 Tu, Th: 16:30-17:45 Room LWSN 1106

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

A Certified Implementation of a Distributed Security Logic

Automated verification of termination certificates

Coq projects for type theory 2018

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Functional Programming

Typed Lambda Calculus and Exception Handling

picoq: Parallel Regression Proving for Large-Scale Verification Projects

Subtyping. Lecture 13 CS 565 3/27/06

Dependent types and program equivalence. Stephanie Weirich, University of Pennsylvania with Limin Jia, Jianzhou Zhao, and Vilhelm Sjöberg

Dependent types and program equivalence. Stephanie Weirich, University of Pennsylvania with Limin Jia, Jianzhou Zhao, and Vilhelm Sjöberg

Embedding logics in Dedukti

Tradeoffs. CSE 505: Programming Languages. Lecture 15 Subtyping. Where shall we add useful completeness? Where shall we add completeness?

Types Summer School Gothenburg Sweden August Dogma oftype Theory. Everything has a type

Simply-Typed Lambda Calculus

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

ABriefOverviewofAgda A Functional Language with Dependent Types

Handling Environments in a Nested Relational Algebra with Combinators and an Implementation in a Verified Query Compiler

CS 456 (Fall 2018) Scribe Notes: 2

CIS 500 Software Foundations Fall October 2

SMTCoq: A plug-in for integrating SMT solvers into Coq

A Formally-Verified C static analyzer

Code BEAM SF Hype For Types. Using Dialyzer to bring type checking to your Elixir code

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Equations: a tool for dependent pattern-matching

Heq: a Coq library for Heterogeneous Equality

A NEW PROOF-ASSISTANT THAT REVISITS HOMOTOPY TYPE THEORY THE THEORETICAL FOUNDATIONS OF COQ USING NICOLAS TABAREAU

Provably Correct Software

Certificates for incremental type checking

GADTs meet Subtyping

Outline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context

Let Arguments Go First

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Type Soundness and Race Freedom for Mezzo

The design of a programming language for provably correct programs: success and failure

Toward explicit rewrite rules in the λπ-calculus modulo

Formal Verification of a Floating-Point Elementary Function

COS 320. Compiling Techniques

A Type System for Functional Traversal-Based Aspects

Autosubst Manual. May 20, 2016

Inductive Definitions, continued

Introduction to dependent types in Coq

Univalent fibrations in type theory and topology

Interactive Theorem Proving in Higher-Order Logics

A heuristic method for formally verifying real inequalities

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

Introduction to Co-Induction in Coq

type classes & locales

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

Introduction to Homotopy Type Theory

Runtime Behavior of Conversion Interpretation of Subtyping

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

Browser Security Guarantees through Formal Shim Verification

A Dependently Typed Programming Language, with applications to Foundational Certified Code Systems

Ideas over terms generalization in Coq

Meta-programming with Names and Necessity p.1

Refinement Types as Proof Irrelevance. William Lovas with Frank Pfenning

Subsumption. Principle of safe substitution

Reasoning About Programs Panagiotis Manolios

Fall 2013 Midterm Exam 10/22/13. This is a closed-book, closed-notes exam. Problem Points Score. Various definitions are provided in the exam.

Machine-checked proofs of program correctness

CSCI-GA Scripting Languages

Congruence Closure in Intensional Type Theory

Verifying Uniqueness in a Logical Framework

Towards Coq Formalisation of {log} Set Constraints Resolution

LOGIC AND DISCRETE MATHEMATICS

A Certified Reduction Strategy for Homological Image Processing

Lecture slides & distribution files:

λ calculus Function application Untyped λ-calculus - Basic Idea Terms, Variables, Syntax β reduction Advanced Formal Methods

Transcription:

Static and User-Extensible Proof Checking Antonis Stampoulis Zhong Shao Yale University POPL 2012

Proof assistants are becoming popular in our community CompCert [Leroy et al.] sel4 [Klein et al.] Four-color theorem [Gonthier et al.] but they re still hard to use 1 to 1.5 weeks per paper proof page 4 pages of formal proof per 1 page of paper proof [Asperti and Coen 10]

Formal proofs communicated to a fixed proof checker must spell out all details use domain-specific lemmas Informal proofs communicated to a person rely on domainspecific intuition use obviously

Formal proofs communicated to a fixed proof checker must spell out all details use domain-specific lemmas Informal proofs calculus linear algebra arithmetic communicated to a person rely on domainspecific intuition use obviously

We need tactics to omit details procedures that produce proofs domain-specific tactics good in large developments but difficult to write!

We need tactics to omit details procedures that produce proofs domain-specific tactics good in large developments but difficult to write! - untyped - proofs within tactics can be wrong!

Proof assistants are hard to use because 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors These are architectural issues

Our contribution: A new architecture for proof assistants 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors

Our contribution: A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors

full programming model soundness guaranteed Our contribution: A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors

Our contribution: A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors 2. extensible checking for tactics lots of errors avoided

Our contribution: A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors 2. extensible checking for tactics lots of errors avoided static checking of contained proofs

Our contribution: A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors 2. extensible checking for tactics lots of errors avoided

Our contribution: intuition stack arithmetic congruence βιconversion A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors 2. extensible checking for tactics lots of errors avoided

Our contribution: A new architecture for proof assistants 1. extensible proof checker omit lots of details 1. cannot extend proof checker lots of details 2. no checking for tactics lots of potential errors 2. extensible checking for tactics lots of errors avoided More specifically: - a new language design - a new implementation - and a new metatheory based on VeriML [ICFP 10]

Architecture of proof assistants

Architecture of proof assistants: main notions Proof object Proof checker Tactic Proof script Derivation in a logic Checks proof objects Function producing proof objects Combination of tactics; program producing a proof object

Architecture of proof assistants: Checking proof objects Proof object Proof checker

Architecture of proof assistants: Checking proof objects Proof object Proof checker Conversion rule Implicitly check equivalences (proof omitted)

Architecture of proof assistants: Checking proof objects Proof object Coq Proof checker βι-conversion

Architecture of proof assistants: Checking proof objects Proof object CoqMT Proof checker βι-conversion + linear arithmetic

Architecture of proof assistants: Checking proof objects Proof object Proof checker - rich static information - (de)composable - checking not extensible

Architecture of proof assistants: Validating proof scripts - extensible through tactics - rich programming model - no static information - not (de)composable - hidden proof state Proof script evaluation Proof object Arithmetic tactic User tactic Other tactic Proof checker

Architecture of proof assistants: Validating proof scripts - extensible through tactics - rich programming model - no static information - not (de)composable - hidden proof state Proof script evaluation Proof object Arithmetic tactic User tactic Other tactic use conversion for more robust scripts Proof checker

Moving to typed proof scripts Proof script Arithmetic tactic User tactic Other tactic evaluation Proof object Proof checker

Moving to typed proof scripts Proof script Arithmetic tactic User tactic Other tactic evaluation Proof object Proof checker

Moving to typed proof scripts Proof script Arithmetic tactic User tactic Other tactic evaluation Proof object Proof checker Proof checker evaluation

Moving to typed proof scripts Proof script Arithmetic tactic User tactic evaluation Proof object Other tactic Type checker Proof checker Proof checker evaluation

Moving to typed proof scripts Proof script evaluation Proof object Proof checker Arithmetic tactic User tactic Other tactic Typed proof script Type checker Proof checker Arithmetic tactic User tactic Other tactic evaluation

Moving to typed proof scripts + extensible conversion Typed proof script Arithmetic tactic User tactic Other tactic Type checker Proof checker evaluation

Moving to typed proof scripts + Key insight: conversion is just a hardcoded trusted tactic extensible conversion Typed proof script Type checker Arithmetic tactic User tactic Other tactic Proof checker evaluation

Moving to typed proof scripts + Key insight: conversion is just a hardcoded trusted tactic extensible conversion Typed proof script Type checker Arithmetic tactic User tactic Other tactic but we can trust other tactics too if they have the right type Proof checker evaluation

Moving to typed proof scripts + extensible conversion Key insight: conversion is just a hardcoded trusted tactic but we can trust other tactics too if they have the right type Typed proof script Type checker Proof checker Other tactic none of them needs to be hardcoded! evaluation

Typed proof scripts + extensible conversion Typed proof script - rich static information - user chooses conversion - extensible static checking - smaller proof checker - can generate proof objects Type checker Proof checker evaluation

Type checking tactics: an example - check propositions for equivalence - return a proof if they are - raise an exception otherwise

Metatheory result 1. Type safety Type If checking evaluation succeeds, tactics: an example the returned proof object is valid - check propositions for equivalence - return a proof if they are - raise an exception otherwise

Metatheory result 1. Type safety Type If checking evaluation succeeds, tactics: an example the returned proof object is valid Metatheory result 2. Proof erasure If evaluation succeeds, a valid proof object exists even if it s not generated - check propositions for equivalence - return a proof if they are - raise an exception otherwise

Two modes of evaluation Typed proof script Type checker Proof checker

Two modes of evaluation Typed proof script Type checker Proof checker evaluation proof object

Two modes of evaluation Typed proof script Type checker Proof checker evaluation proof object proof erasure evaluation

Two modes of evaluation Typed proof script Type checker Proof checker evaluation proof object proof erasure evaluation mode controlled per function

Static checking = type checking + staging under proof-erasure Typed proof script Type checker Proof checker evaluation

Static checking = type checking + staging under proof-erasure Typed proof script typechecking Type checker Proof checker evaluation

Static checking = type checking + staging under proof-erasure Typed proof script typechecking Type checker Proof checker stage-one evaluation with proof erasure evaluation

Static checking = type checking + staging under proof-erasure Typed proof script typechecking Type checker Proof checker stage-one evaluation with proof erasure evaluation of residual program evaluation

A stack of conversion rules arithmetic simplification congruence closure βι-conversion

A stack of conversion rules arithmetic simplification congruence closure conversion in Coq removed from trusted base βι-conversion

A stack of conversion rules arithmetic simplification congruence closure βι-conversion makes most uses of rewrite/autorewrite unnecessary

A stack of conversion rules arithmetic simplification ring_simplify for Nat close to CoqMT congruence closure βι-conversion

A stack of conversion rules arithmetic simplification congruence closure βι-conversion no additions to logic metatheory actually, with reductions no proof by reflection or translation validation leveraging static proof scripts

A stack of conversion rules arithmetic simplification congruence closure βι-conversion

A stack of conversion rules arithmetic simplification naïve arithmetic conversion congruence closure naïve equality conversion βιconversion

A stack of conversion rules arithmetic simplification naïve arithmetic conversion potentially nonterminating reduce proving for real versions congruence closure naïve equality conversion βιconversion

Static proof scripts in tactics

Motivating Coq Example Require Import Arith. Variable x : Nat. Theorem test1 : 0 + x = x. trivial. Qed. Theorem test2 : x + 0 = x. trivial. Qed.

Motivating Coq Example Require Import Arith. Variable x : Nat. Theorem test1 : 0 + x = x. trivial. Qed. Theorem test2 : x + 0 = x. trivial. Qed. Proof completed

Motivating Coq Example Require Import Arith. Variable x : Nat. Theorem test1 : 0 + x = x. trivial. Qed. Theorem test2 : x + 0 = x. trivial. Qed. Attempt to save an incomplete proof

Motivating Coq Example Require Import Arith. Variable x : Nat. Theorem test1 : 0 + x = x. trivial. Qed. Conversion rule can prove this but can t prove this Theorem test2 : x + 0 = x. trivial. Qed.

Let s add this to our conversion rule! - write a rewriter based on these lemmas - register it with conversion - now it s trivial; lemmas used implicitly

similar to trivial uses conversion P and P inferred

not checked statically recomputed many times

checked at definition time computed once transformation of runtime arguments to constant arguments

How does it work?

How does it work?

How does it work?

How does it work?

Implementation http://www.cs.yale.edu/homes/stampoulis/ type inferencing and implicit arguments compiler to OCaml rewriter code generation inductive types Talk to me for a demo!

What s in the paper and TR Static and dynamic semantics Metatheory: Type-safety theorem Proof erasure theorem Static proof script transformation Implementation details and examples implemented Typed proof scripts as flexible proof certificates

Related work proof-by-reflection restricted programming model (total functions) tedious to set up here: no need for termination proofs automation through canonical structures / unification hints restricted programming model (logic programming) very hard to debug

Summary a new architecture for proof assistants user-extensible checking of proofs and tactics minimal trusted core reduce required effort for formal proofs Thanks! http://www.cs.yale.edu/homes/stampoulis/

Backup slides

Type checking proofs and tactics -manipulate proofs and propositions in a type-safe manner -dependent pattern matching on logical terms -logic and computation are kept separate -Beluga [Pientka & Dunfield 08] -Delphin [Poswolsky & Schürmann 08] -VeriML [Stampoulis & Shao 10] Type checker Proof checker

Related work LCF family of proof assistants no information while writing proof scripts/tactics Coq / CoqMT conversion rule is fixed changing it requires re-engineering NuPRL extensional type theory and sophisticated conversion here: user decides conversion (level of undecidability) Beluga / Delphin use as metalogic for LF here: the logic is fixed; the language is the proof assistant

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback