VeriML: Typed Computation of Logical Terms inside a Language with Effects

Size: px

Start display at page:

Download "VeriML: Typed Computation of Logical Terms inside a Language with Effects"

Angelica Amelia Austin
6 years ago
Views:

1 VeriML: Typed Computation of Logical Terms inside a Language with Effects Antonis Stampoulis Zhong Shao Department of Computer Science, Yale University ICFP 2010

2 Proof assistants are becoming popular in the PL community!

3 Proof assistants are becoming popular in the PL community! Anything from metatheory proofs

4 Proof assistants are becoming popular in the PL community! Anything from metatheory proofs... to verified compilers (CompCert by Leroy et al.)

5 Proof assistants are becoming popular in the PL community! Anything from metatheory proofs... to verified compilers (CompCert by Leroy et al.)... and verified operating systems (sel4 verification by Klein et al.)

6 How to go to the next step?

7 How to go to the next step? Manual proof effort needs to be reduced

8 How to go to the next step? Manual proof effort needs to be reduced CompCert: proofs are 44% of the development (executable code 1045 lines, proofs 16543)

9 How to go to the next step? Manual proof effort needs to be reduced CompCert: proofs are 44% of the development (executable code 1045 lines, proofs 16543) proof to executable code ratio is about 16 to 1 sel4: about 11 to 1

10 Maybe inherrent complexity of proofs?

11 Maybe inherrent complexity of proofs? Not necessarily e.g. Chlipala (POPL 2010): verified compiler where only 25% of development is proofs

12 What s the trick? Focus less on writing proof scripts, focus more on writing tactics.

13 Proof scripts? A series of applications of tactics.

14 Proof scripts? A series of applications of tactics. Tactics? No clear definition Very informally: functions that generate (part of a) proof for specific kinds of goals Reality much more complicated (Asperti et al. A New Type for Tactics)

15 More liberal definition: tactics are functions that operate on propositions and proofs and produce other proofs

16 More liberal definition: tactics are functions that operate on propositions and proofs (in general: on logical terms) and produce other proofs

17 More liberal definition: tactics are functions that operate on propositions and proofs (in general: on logical terms) (and potentially on other things as well) and produce other proofs (and potentially other things as well)

18 So the motto? instead of scripts with lots of general-purpose tactics develop domain-specific tactics thus smaller scripts

19 So the motto? instead of scripts with lots of general-purpose tactics develop domain-specific tactics thus smaller scripts more reusable than proof scripts more modular thus more scalable e.g. to prove Hoare triples {P } c {Q}: tactic to decide arithmetic formulas tactic to do VC gen compose one with the other for Hoare triples tactic

20 Why not more popular? Claim: Language support for writing tactics relatively poor!

21 Why not more popular? Claim: Language support for writing tactics relatively poor! no good way to specify what tactics do: arguments? goals they operate on? etc. rely on documentation hurts composability of tactics! OR trade expressivity for being able to specify them

22 Need language to specify and implement tactics!

23 Sounds familiar...

24 Sounds familiar... Robin Milner, circa 1973 : ML (originally to write tactics for LCF)

25 But programming language theory has evolved!

26 But programming language theory has evolved! Leverage dependent types as a step towards more detailed specifications

27 Our contribution: VeriML ML core calculus (keep expressivity) extended with dependent types for logical terms but can still operate on logical terms use a logic similar to CIC (no dependent types!) with explicit proof objects type system that guarantees validity of logical terms and safe handling of binding proof of type safety prototype implementation

28 An example: equality tactic Based on a list of equations like x = y, y = z, w = q, w = z decide whether e.g. x = q

29 Type for this tactic? Based on a list of equations like x = y, y = z, w = q, w = z decide whether e.g. x = q equality : list ( term term proof ) term term option proof

30 Type for this tactic? Based on a list of equations like x = y, y = z, w = q, w = z decide whether e.g. x = q equality : list ( term term proof ) term term option proof But

31 Type for this tactic? Based on a list of equations like x = y, y = z, w = q, w = z decide whether e.g. x = q But equality : list ( T : Set a : T b : T proof ) T : Set x : T y : T option proof terms should be of the same type T ( = Nat, List,...)

32 Type for this tactic? Based on a list of equations like x = y, y = z, w = q, w = z decide whether e.g. x = q equality : list ( T : Set a : T b : T pf : a = b ) T : Set x : T y : T option ( pf : x = y ) But terms should be of the same type T ( = Nat, List,...) the proof should prove that they re equal

33 equality : list ( T : Set a : T b : T pf : a = b ) T : Set x : T y : T option ( pf : x = y ) Better specification means more composable (know input/outputs precisely) more errors can be caught at compile time

34 How to implement? Union-find data structure each equivalence class has a representative each term has a parent term if parent term equal to term, it s the representative merge representatives on new equality

35 How to implement? Union-find data structure each equivalence class has a representative each term has a parent term if parent term equal to term, it s the representative merge representatives on new equality Assume: uftype type for union-find data structure ufget : uftype ( base : T ) option ( parent : T pf : base = parent ) ufset : uftype ( base : T parent : T pf : base = parent ) unit

36 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T ) find uf base = match ufget uf base with None ufset ( base )( base ); ( base ) Some ( parent ) holcase parent with base ( base ) let rep = find uf parent in ( rep )

37 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T pf : base = rep ) find uf base = match ufget uf base with None ufset ( base )( base, reflexivity base ); ( base, reflexivity base ) Some ( parent, pf ) holcase parent with base ( base, reflexivity base ) let rep, pf = find uf parent in ( rep, transitivity pf pf )

38 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T pf : base = rep ) find uf base = match ufget uf base with None ufset ( base )( base, reflexivity base : base = base ); ( base, reflexivity base : base = base ) Some ( parent, pf ) holcase parent with base ( base, reflexivity base ) let rep, pf = find uf parent in ( rep, transitivity pf pf ) ufset : uftype ( base : T parent : T pf : base = parent ) unit

39 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T pf : base = rep ) find uf base = match ufget uf base with None ufset ( base )( base, reflexivity base : base = base ); ( base, reflexivity base : base = base ) Some ( parent, pf : base = parent ) holcase parent with base ( base, reflexivity base ) let rep, pf = find uf parent in ( rep, transitivity pf pf ) ufget : uftype ( base : T ) option ( parent : T pf : base = parent )

40 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T pf : base = rep ) find uf base = match ufget uf base with None ufset ( base )( base, reflexivity base : base = base ); ( base, reflexivity base : base = base ) Some ( parent, pf : base = parent ) holcase parent with base ( base, reflexivity base : base = base ) let rep, pf = find uf parent in ( rep, transitivity pf pf )

41 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T pf : base = rep ) find uf base = match ufget uf base with None ufset ( base )( base, reflexivity base : base = base ); ( base, reflexivity base : base = base ) Some ( parent, pf : base = parent ) holcase parent with base ( base, reflexivity base : base = base ) let rep, pf : parent = rep = find uf parent in ( rep, transitivity pf pf )

42 Implementation of find Find the representative of the equiv. class of a term find : uftype ( base : T ) ( rep : T pf : base = rep ) find uf base = match ufget uf base with None ufset ( base )( base, reflexivity base : base = base ); ( base, reflexivity base : base = base ) Some ( parent, pf : base = parent ) holcase parent with base ( base, reflexivity base : base = base ) let rep, pf : parent = rep = find uf parent in ( rep, transitivity pf pf : base = rep ) type checker would not allow to switch arguments to transitivity!

43 Another example simplify : A tactic that simplifies propositions like P True to P, recursively.

44 Implementation simplify : ( P : Prop ) ( P : Prop pf : P P ) simplify P = holcase P with P 1 True let P 1, pf = simplify P 1 in ( P 1, ) P 1 P 2 let P 1, pf 1 = simplify P 1 in let P 2, pf 2 = simplify P 2 in ( P 1 P 2, ) x : Nat.P 1 let P 1, pf = simplify P 1 in ( P 1, ) ( P, )

45 Implementation simplify : ( P : Prop ) ( P : Prop pf : P P ) simplify P = holcase P with P 1 True let P 1, pf = simplify P 1 in ( P 1, ) P 1 P 2 let P 1, pf 1 = simplify P 1 in let P 2, pf 2 = simplify P 2 in ( P 1 P 2, ) x : Nat.P 1 let P 1, pf = simplify P 1 in ( P 1, ) ( P, ) oops: what if we could apply it to x : Nat.x = 3 variable x escapes into ill-formed x = 3

46 Solution Type system should keep track of free variables environment of logical terms! Provide substitution for free variables a term depends on, in the current environment

47 Solution simplify : ( Φ : context ) ( P : [Φ]Prop ) ( P : [Φ]Prop pf : [Φ](P P ) ) simplify Φ P = holcase P with P 1 True let P 1, pf = simplify Φ P 1 in ( P 1, ) P 1 P 2 let P 1, pf 1 = simplify Φ P 1 in let P 2, pf 2 = simplify Φ P 2 in ( P 1 P 2, ) x : Nat.P 1 let P 1, pf = simplify (Φ, x : Nat) P 1 in ( P 1, ) ( P, )

48 Solution simplify : ( Φ : context ) ( P : [Φ]Prop ) ( P : [Φ]Prop pf : [Φ](P P ) ) simplify Φ P = holcase P with P 1 True let P 1, pf = simplify Φ P 1 in ( P 1, ) P 1 P 2 let P 1, pf 1 = simplify Φ P 1 in let P 2, pf 2 = simplify Φ P 2 in ( P 1 P 2, ) x : Nat.P 1 let P 1, pf = simplify (Φ, x : Nat) P 1 in ( P 1, ) ( P, ) P 1 : [Φ, x : Nat]Prop needs a substitution into [Φ]Prop

49 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ

50 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ

51 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ

52 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ

53 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ e ::=

54 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ e ::= λ Φ : context.e e Φ

55 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ e ::= λ Φ : context.e e Φ λ X : [Φ]T.e e [Φ]T

56 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ e ::= λ Φ : context.e e Φ λ X : [Φ]T.e e [Φ]T [Φ]T, e let X, y = e in e

57 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ e ::= λ Φ : context.e e Φ λ X : [Φ]T.e e [Φ]T [Φ]T, e let X, y = e in e holcase [Φ]T with ( T 1 e 1 ) ( T n e n )

58 Behind the scenes τ ::= int unit τ 1 τ 2 τ 1 + τ 2 µα.τ α.τ ref τ Π Φ : context.τ Π X : [Φ]T.τ Σ X : [Φ]T.τ e ::= λ Φ : context.e e Φ λ X : [Φ]T.e e [Φ]T [Φ]T, e let X, y = e in e holcase [Φ]T with ( T 1 e 1 ) ( T n e n ) Full details of type system and metatheory in the paper and TR!

59 Implementation prototype in OCaml about 5k lines, trusted base is 800 lines examples: first-order tautologies prover conversion to NNF equality with uninterpreted functions download from

60 Comparison with Coq Three ways to write tactics: ML LTac proof-by-reflection

61 Comparison with Coq Three ways to write tactics: ML (untyped tactics, high barrier: requires knowledge of implementation internals) LTac proof-by-reflection

62 Comparison with Coq Three ways to write tactics: ML (untyped tactics, high barrier: requires knowledge of implementation internals) LTac (untyped tactics, somewhat limited programming model) proof-by-reflection

63 Comparison with Coq Three ways to write tactics: ML (untyped tactics, high barrier: requires knowledge of implementation internals) LTac (untyped tactics, somewhat limited programming model) proof-by-reflection (strong static guarantees but very limited programming model)

64 Comparison with Coq Three ways to write tactics: ML (untyped tactics, high barrier: requires knowledge of implementation internals) LTac (untyped tactics, somewhat limited programming model) proof-by-reflection (strong static guarantees but very limited programming model) VeriML enables all points between no static guarantees to strong ones, yet with full ML programming model

65 Conclusion new language design with first-class support for rich logical framework enables more modular development of tactics type safety guarantees valid terms are generated Future work type reconstruction, implicit parameters interactive proof support SAT-solving

66 Thank you!

67 Backup slides

68 Implementation of union union : uftype ( a : T b : T ) unit union uf ( a, b ) = let repa = find uf a in let repb = find uf B in holcase repa with repb () ufset repa ( repb )

69 Implementation of union union : uftype ( a : T b : T pf : a = b ) unit union uf ( a, b, pf ) = let repa, pfa = find uf a in let repb, pfb = find uf B in holcase repa with repb () ufset repa ( repb, )

70 Implementation of union union : uftype ( a : T b : T pf : a = b ) unit union uf ( a, b, pf ) = let repa, pfa : a = repa = find uf a in let repb, pfb : b = repb = find uf B in holcase repa with repb () ufset repa ( repb, )

71 Implementation of union union : uftype ( a : T b : T pf : a = b ) unit union uf ( a, b, pf ) = let repa, pfa : a = repa = find uf a in let repb, pfb : b = repb = find uf B in holcase repa with repb () ufset repa ( repb, : repa = repb )

72 What about uftype? implemented as a hash table mapping base terms to their parents should also store proofs uftype = array ( option ( base : T parent : T pf : base = parent ))

73 Solution Provide instantiation of free variables a term depends on, in the current environment x : Nat.P 1 let P 1, pf = simplify (Φ, x : Nat) P 1 in ( [Φ](P 1 /(Φ id Φ, x??)), )

74 Solution Provide instantiation of free variables a term depends on, in the current environment x : Nat.P 1 let P 1 : [Φ, x : Nat]Prop, pf = simplify (Φ, x : Nat) P 1 in ( [Φ](P 1 /(Φ id Φ, x??)), )

Interactive Theorem Provers

Interactive Theorem Provers from the perspective of Isabelle/Isar Makarius Wenzel Univ. Paris-Sud, LRI July 2014 = Isabelle λ β Isar α 1 Introduction Notable ITP systems LISP based: ACL2 http://www.cs.utexas.edu/users/moore/acl2