Proof assistants as a tool for thought

Transcription

1 Proof assistants as a tool for thought Katherine Tools for thought workshop, March 16

2 circa 1700

3 Disputants unable to agree would not waste much time in futile argument... Leibniz (Harrison)

4 Calculemus!

5 1. universal language 2. calculus for reasoning

6 Proof assistant: Coq

7 1. universal language 2. calculus for reasoning

8 1. universal language 2. calculus for reasoning 3. rich environment

9 High-assurance cryptography New foundations for math Program synthesis Verifying hardware Proofs as stories Formally verifying that God exists...

10

11 Example 1: math, induction Credit to Software Foundations, Pierce et al.

12 Say we want to prove something about adding natural numbers.

13 Inductive nat : Set := O : nat S : nat - > nat. Natural number = either 0 or 1 + a nat Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end.

14 Inductive nat : Set := O : nat S : nat - > nat. Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end. 0 + y = y (1 + x ) + y = 1 + (x + y)

15 Inductive nat : Set := O : nat S : nat - > nat. Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end. Unit tests (* O = 0, S O = 1, S (S O) = 2 *) Eval compute in (plus O O). (* = 0 *)

16 Inductive nat : Set := O : nat S : nat - > nat. Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end.

17 Unit tests aren't enough. Now we want prove that our computational `plus` satisfies the properties of the mathematical +.

18 0 is a left identity Theorem add0_left_id : forall (n : nat), plus O n = n. Proof. intros n. simpl. reflexivity. Qed.

19 By definition Theorem add0_left_id : forall (n : nat), plus O n = n. Proof. intros n. simpl. reflexivity. Qed. Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end.

20 Theorem add0_left_id : forall (n : nat), plus O n = n. Proof. intros n. simpl. reflexivity. Qed. Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end.

21 0 is a right identity Fixpoint plus (x y : nat) := match x with O => y S x' => S (plus x' y) end.

22

23

24

25

26

27

28

29

30

31 Exercise for the reader: Theorem plus_commutativity : forall (n m : nat), plus n m = plus m n.

32 Example 2: large real-world verification

33

34 1. Functional correctness (logic, program analysis) 2. Security (math, probability, program analysis)

35

36 5+ months of work by 4 authors ~15,000 lines of Coq code, most of which will not be read by other people

37 Time for cognitive dissonance!

38 The house believes that Coq is an incredible tool for thought.

39 The house believes that Coq is a terrible tool for thought.

40 The house believes that Coq is an incredible tool for thought.

41 Built on top of: written notation

42 Built on top of: written notation text editors

43 Built on top of: written notation text editors Gallina

44 Built on top of: written notation text editors Gallina Ltac

45 Built on top of: written notation text editors Gallina Ltac checker

46 Built on top of: written notation text editors Gallina Ltac checker REPL/IDE

47 Started from the bottom, now we here

48 Proof entrepreneur: fail fast, minimum viable proof...

49 Proof state bookkeeping: assumptions, definitions, goals

50 Computation, evaluation, automation

51 Maybe right? Try Fail Fix Brain says: this isn t right... I think Maybe right?

52 Try Fail Fix Coq says: This is locally wrong! Wrong type / Can t prove it / Can t use tactic / Strange computation

53 Sketching with lemmas

54 Goal admitted Coq: OK! Coq: OK! Coq: OK! Lemma 1 Lemma 2 Lemma 3 admitted admitted admitted Coq: OK! Coq: OK! Lemma 4 Lemma 5 admitted admitted

55 Goal QED Coq: OK! Coq: OK! Coq: OK! Lemma 1 Lemma 2 QED QED Lemma 3 QED Coq: OK! Coq: OK! Lemma 4 Lemma 5 QED QED

56 Math as a game

57 You don t have to remember all the rules yourself.

58 x + 20 = y x = y - 20

59 x + 20 = y x = y - 20 x = y - 20

60 Civilization advances by extending the number of important operations which can be performed without thinking about them. Whitehead

61 Goal: beat the level. Proof state: inventory. Tactics: moves. Checker: walls.

62

63 We need Coq in order to keep doing math.

64 A technical argument by a trusted author... is hardly ever checked in detail. Voevodsky Fields medalist

65 The only real long-term solution to the problem is to start using computers in the verification of mathematical reasoning. Voevodsky Fields medalist

66 We need proofs that are less error-prone and more... mechanically verifiable. Bellare cryptographer

67 Many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor. Bellare cryptographer (100+ citations!)

68 Pro-Coq: 1. Programmer affordances 2. Math as a game 3. Crisis of rigor

69 The house believes that Coq is a terrible tool for thought.

70 Calculemus?

71 Games are designed for humans to solve. Math isn t!

72 What could go wrong?

73 Your theorem is: too specific, so you need to generalize straight-up wrong, so you need a counterexample true, but you need to be creative true, but you discarded the One Ring

74 Your theorem is: too specific, so you need to generalize straight-up wrong, so you need a counterexample true, but you need to be creative true, but you discarded the One Ring

75 Your theorem is: too specific, so you need to generalize straight-up wrong, so you need a counterexample true, but you need to be creative true, but you discarded the One Ring

76 Your theorem is: too specific, so you need to generalize straight-up wrong, so you need a counterexample true, but you need to be creative true, but you discarded the One Ring

77

78 Work on paper first, then in computer :(

79 Coq blindfolds the intuition. We re not Coq natives!

80 Built on top of: written notation text editors Gallina Ltac checker IDE

81 Started from the bottom... now we re back.

82 Try Fix Coq says: This is locally wrong! Wrong type / Can t prove it / Can t use tactic / Fix Coq says: This is locally wrong! Coq says: Wrong This type is / locally wrong! Can t prove Wrong it / type / Can t use tactic Can t / prove it / Strange computation Can t use tactic / Strange computation Fail Try Coq says: This is locally wrong! Wrong type / Can t prove it / Can t use tactic / Strange computation Coq says: This is locally wrong! Wrong type / Can t prove it / Can t use tactic Coq says: / Strange This computation is locally wrong! Wrong type / Can t prove it / Can t use tactic / Coq says: This is locally wrong! Wrong type / Can t prove it / Can t use tactic / Strange computation Fix???? Fail Fail Try Try This i W Ca Can Strang

83 REPLs are alive and make us reactive

84 Try Fail Fix Brain says: this isn t right... I think.

85 Paper is calm and makes us active

86 Paper forces us to figure out what s going on, formulate a hypothesis

87 So, Coq makes proofs harder to write.

88 ...and harder to read!

89 write-only

90

91 what are we trying to prove??

92 Check fcf_oracle_eq_until_bad. Locate fcf_oracle_eq_until_bad.

93 Why applied with these arguments?

94 What are all of these subgoals?

95 What hypothesis did I use?

96 Wait, that proved the theorem???!!

97 No sense of hierarchy, importance, narrative. Where s the intuition?

98 Written by computers, for computers

99 Proof Intuition Intuition

100 Proof Ok Intuition Ok Intuition???

101 The role of the human is not to understand, but to trust.

102 Text is a double-edged sword.

103 Powerful ways to manipulate and search text...

104 ...but not pictures.

105 Machine Checkable Pictorial Mathematics Proof by ASCII art

106 The house believes that Coq is an incredible tool for thought.

107 Programmers affordances: precise language, instant feedback (correctness checking, REPL)

108 You don t have to know all the rules.

109 Our only hope.

110 The house believes that Coq is a terrible tool for thought.

111 By computers, for computers.

112 Destroys intuition.

113 Built on top of: written notation text editors Gallina Ltac checker IDE

114 How can we make proof assistants intuition assistants?

115 Incremental improvements

116 Visualize theorem dependency tree

117

118 Explanatory, human-readable proofs: diff proof states

119 Translate proofs into English or a better tactic language

120 A Declarative Language For The Coq Proof Assistant, Corbineau

121 Different interfaces for different areas of math

122 One visual interface: Ancient Greek Geometry

123 Calculemus is necessary but not sufficient!

124 Thanks! Katherine

125 Appendix

126 Example 3: program equivalence

127

128

129

130

131

132

133

134

135

136

137

138