VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

Slides:

Advertisements

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Advertisements

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.

Computational Models The exam. Models of computation. –The Turing machine. –The Von Neumann machine. –The calculus. –The predicate calculus. Turing.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Principal Type Schemes for Modular Programs Derek Dreyer and Matthias Blume Toyota Technological Institute at Chicago ESOP 2007 Braga, Portugal.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.

Denotational vs Operational Approaches COS 441 Princeton University Fall 2004.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Strict Bidirectional Type Checking Adam Chlipala, Leaf Petersen, and Robert Harper.

A Type System for Expressive Security Policies David Walker Cornell University.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Semantics for MinML COS 441 Princeton University Fall 2004.

Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.

Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.

Foundations of Programming Languages – Course Overview Xinyu Feng Acknowledgments: some slides taken or adapted from lecture notes of Stanford CS242

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

EECS 262a Advanced Topics in Computer Systems Lecture 26 seL4 Kernel verification December 3rd, 2014 John Kubiatowicz Electrical Engineering and Computer.

Have Your Verified Compiler And Extend It Too Zachary Tatlock Sorin Lerner UC San Diego.

VeriML DARPA CRASH Project Progress Report Antonis Stampoulis October 5 th, 2012 A language-based, dependently-typed, user-extensible approach to proof.

Secure Compiler Seminar 11/7 Survey: Modular Development of Certified Program Verifiers with a Proof Assistant Toshihiro YOSHINO (D1, Yonezawa Lab.)

Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...

Introduction to Our Research on Certifying Compiler Zhaopeng Li (In Chinese: 李兆鹏 ) Certifying Compiler Group USTC-Yale Joint.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

My talk describes how the detailed error diagnosis and the automatic solution procedure of problem solving environment T-algebra can be used for automatic.

NummSquared Coercion make it so! Samuel Howse poohbist.com November 29, 2006 Copyright © 2006 Samuel Howse. All rights reserved.

1 New Development Techniques: New Challenges for Verification and Validation Mats Heimdahl Critical Systems Research Group Department of Computer Science.

Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.

Typed Lambda Calculus Chapter 9 Benjamin Pierce Types and Programming Languages.

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

1 MVD 2010 University of Iowa New York University Comparing Proof Systems for Linear Real Arithmetic Using LFSC Andrew Reynolds September 17, 2010.

Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

An overview of Coq Xinyu Feng USTC Erasmus Mundus NordSecMob Scholar at DTU.

Logic in Computer Science - Overview Sep 1, 2009 박성우.

1 Formal Semantics. 2 Why formalize? ML is tricky, particularly in corner cases generalizable type variables? polymorphic references? exceptions? Some.

Formal Methods.

Tool Support for proof Engineering Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA

From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.

Advanced Formal Methods Lecture 3: Simply Typed Lambda calculus Mads Dam KTH/CSC Course 2D1453, Some material from B. Pierce: TAPL + some from.

All-Path Reachability Logic Andrei Stefanescu 1, Stefan Ciobaca 2, Radu Mereuta 1,2, Brandon Moore 1, Traian Serbanuta 3, Grigore Rosu 1 1 University of.

CMSC 330: Organization of Programming Languages Lambda Calculus and Types.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

1 Propositional Logic Limits The expressive power of propositional logic is limited. The assumption is that everything can be expressed by simple facts.

Getting Started in PL Design Research Stephanie Weirich University of Pennsylvania.

Lectures 2 & 3: Software Process Models Neelam Gupta.

Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.

Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop.

Lecture 11: Proof by Reflection

Types for Programs and Proofs

Jared Davis The University of Texas at Austin April 6, 2006

Jared Davis CyberTrust Meeting March 1, 2006

Program Verification Using

Engineering Aspects of Formal Metatheory

An overview of Coq Xinyu Feng USTC.

Types and Type Checking (What is it good for?)

Department of Computer Science Abdul Wali Khan University Mardan

Drew Wyborski Programming Languages

An overview of Coq.

Presentation transcript:

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

Dave’s influence on my career Summer 1989 Princeton Grad Student Spring 1990 Advanced Topics on PL taught by Dave “Summer intern” at Bell Labs, 1991 – ML modules vs separate compilation PhD thesis work on SML/NJ, Research on FLINT, – Compiling ML modules into Fomega – This is how I learned dependent types & CiC 2000 – now: move onto Certified Code (in Coq) New problem: engineering large proofs  VeriML

Proof assistants are becoming popular in our community —CompCert [Leroy et al.] —seL4 [Klein et al.] —Four-color theorem [Gonthier et al.] —1 to 1.5 weeks per paper proof page —4 pages of formal proof per 1 page of paper proof … but they’re still hard to use [Asperti and Cohen ‘10]

—communicated to a fixed proof checker —must spell out all details —use domain-specific lemmas Formal proofs —communicated to a person —rely on domain- specific intuition —use “obviously” Informal proofs calculus linear algebra arithmetic

—procedures that produce proofs —domain-specific tactics good in large developments —but difficult to write! We need tactics to omit details -untyped -proofs within tactics can be wrong! -untyped -proofs within tactics can be wrong!

Proof assistants are hard to use because 1. cannot extend proof checker → lots of details 2. no checking for tactics → lots of potential errors These are architectural issues

VeriML: a new architecture for proof assistants 1. cannot extend proof checker → lots of details 2. no checking for tactics → lots of potential errors 1. extensible proof checker → omit lots of details 2. extensible checking for tactics → lots of errors avoided static checking of contained proofs full programming model soundness guaranteed full programming model soundness guaranteed More specifically: -a new language design -a new implementation -and a new metatheory See [ICFP’10, POPL’12, upcoming PhD thesis by Stampoulis] “intuition” stack arithmetic congruence βι- conversion

Architecture of proof assistants

Architecture of proof assistants: main notions Derivation in a logic Proof object Checks proof objects Proof checker Function producing proof objects Tactic Combination of tactics; program producing a proof object Proof script

Architecture of proof assistants: Checking proof objects Proof object Proof checker Conversion rule Implicitly check equivalences (proof omitted) Conversion rule Implicitly check equivalences (proof omitted)

Architecture of proof assistants: Checking proof objects Proof object Proof checker Coq βι-conversion Coq βι-conversion

Architecture of proof assistants: Checking proof objects Proof object Proof checker CoqMT βι-conversion + linear arithmetic CoqMT βι-conversion + linear arithmetic

Architecture of proof assistants: Checking proof objects Proof object Proof checker -rich static information -(de)composable -checking not extensible

Architecture of proof assistants: Validating proof scripts Proof script Proof checker Proof object evaluation -extensible through tactics -rich programming model -no static information -not (de)composable -hidden proof state use conversion for more robust scripts Arithmetic tactic User tacticOther tactic

Moving to typed proof scripts Typed proof script Type checker Proof script Proof object Proof checker evaluation Proof checker Arithmetic tactic User tacticOther tactic Arithmetic tactic User tacticOther tactic evaluation

Moving to typed proof scripts + extensible conversion Typed proof script Type checker Proof checker evaluation Arithmetic tactic User tactic Other tactic Key insight: conversion is just a hardcoded trusted tactic Key insight: conversion is just a hardcoded trusted tactic but we can trust other tactics too if they have the right type

Moving to typed proof scripts + extensible conversion Typed proof script evaluation Key insight: conversion is just a hardcoded trusted tactic Key insight: conversion is just a hardcoded trusted tactic but we can trust other tactics too if they have the right type Type checker Proof checker none of them needs to be hardcoded! Type checker Proof checker Other tactic

Typed proof scripts + extensible conversion Typed proof script evaluation Type checker Proof checker -rich static information -user chooses conversion -extensible static checking -smaller proof checker -can generate proof objects

Type checking tactics: an example -check propositions for equivalence -return a proof if they are -raise an exception otherwise Metatheory result 1. Type safety If evaluation succeeds, the returned proof object is valid Metatheory result 1. Type safety If evaluation succeeds, the returned proof object is valid Metatheory result 2. Proof erasure If evaluation succeeds, a valid proof object exists even if it’s not generated Metatheory result 2. Proof erasure If evaluation succeeds, a valid proof object exists even if it’s not generated

Two modes of evaluation evaluation proof object proof object proof erasure evaluation proof erasure evaluation mode controlled per function Typed proof script Type checker Proof checker

Typed proof script Type checker evaluation Proof checker Static checking = type checking + staging under proof-erasure typechecking stage-one evaluation with proof erasure evaluation of residual program

A stack of conversion rules arithmetic simplification congruence closure βι-conversion conversion in Coq removed from trusted base conversion in Coq removed from trusted base makes most uses of rewrite/autorewrite unnecessary ring_simplify for Nat close to CoqMT ring_simplify for Nat close to CoqMT no additions to logic metatheory actually, with reductions no proof by reflection or translation validation leveraging static proof scripts no additions to logic metatheory actually, with reductions no proof by reflection or translation validation leveraging static proof scripts

A stack of conversion rules arithmetic simplification naïve arithmetic conversion congruence closure naïve equality conversion βι- conversion potentially non- terminating reduce proving for “real” versions potentially non- terminating reduce proving for “real” versions

Summary a new architecture for proof assistants user-extensible checking of proofs and tactics minimal trusted core reduce required effort for formal proofs Future work: – need a simpler surface language (ML-module?) – need a production-quality implementation (SML/NJ?) – time to work on ML2020?