VeriML DARPA CRASH Project Progress Report Antonis Stampoulis October 5 th, 2012 A language-based, dependently-typed, user-extensible approach to proof assistants

Software certification —CompCert [Leroy et al] —seL4 microkernel [Klein et al] Mathematical theorems —Four-color theorem [Gonthier et al] —Feit-Thompson (Odd Order Theorem) [same team] Proof – to – code size ratio: ~ 8 lines – to p.y. of proof for 2 p.y. of development Started May 2006 Finished last week! ~1.3 weeks per page Large formal proofs are possible and useful! require huge manual effort

—can use domain- specific automation —yet automation reconstructs full details —validity fixed —proofs and automation hard to write Informal proofs —use “trivially”, “similarly”, omit unnecessary details —require domain-specific intuition —validity extensible calculus reals basic reasoning Formal proofs

VeriML -easy to develop new automation and extend background reasoning -extensible notion of formal proof (no trivial details!) -novel programming language -focus on writing automation procedures -more generally: programs that construct proofs -serves as a novel proof assistant Rich types Rich programming model First-class support for logic Safety Expressiveness Convenience

Comparison of Architecture “ proof by juxtaposition ” Traditional proof assistants ML type- checking Tactic definition Tactic invocation Proof object Proof checking ? HOL4, HOL-Light Isabelle Coq NuPRL PVS, ACL2 don’t do that! (unsafe) Proof scripts invoke tactics Tactics contain proof scripts Every invocation can fail! Proof scripts invoke tactics Tactics contain proof scripts Every invocation can fail!

Comparison of Architecture Traditional proof assistants VeriML ML type- checking Tactic definition Tactic invocation Proof object Proof checking ?

Comparison of Architecture “ proof by juxtaposition ” Traditional proof assistants VeriML ML type- checking Tactic definition Tactic invocation Proof object Proof checking ? VeriML type checking Proof checking Tactic definition Tactic invocation Proof object OK! -Reduce possibility of error -Leverage information to help user while writing tactic -Extend traditional interactivity model -Don’t need to produce proof objects

Normal type-checking Stage one evaluation without producing proof objects Stage one evaluation without producing proof objects Normal evaluation Normal evaluation Background reasoning in VeriML VeriML proofs, tactics, etc. VeriML Type- & Proof- checking -smaller proof checker -can still generate full proof objects -soundness guaranteed -extensions to background reasoning are cheap -extensible static checking for proofs and tactics as well! arithmetic simplification equational reasoning normal conversion base VeriML typing

Recent progress -main milestone: wrote my dissertation on VeriML and defended it! (400 pages and counting…) -implementation milestones: VeriML 0.5 -completed new compilation-based backend for VeriML -proper staging support -separate compilation of VeriML modules -cleaned up various features in the implementation and the examples -technical milestones -cleaned-up presentation of metatheory -initial investigation of user-defined representations for VeriML pattern matching

VeriML proofs, tactics, etc. VeriML Type- & Proof- checking Recent progress: Compilation VeriML proofs, tactics, etc. VeriML Type- & Proof- checking VeriML to OCaml Residual program ~6mins ~15 sec

Example: Arithmetic simplification

Further extensions to type inference Figure out user-defined representations for pattern matching Pattern matching for inductive definitions SMT-like cooperating decision procedures Future work