Georges Gonthier Reflection, of all shapes and sizes.

Slides:



Advertisements
Similar presentations
Verifying the Four Colour Theorem Georges Gonthier Microsoft Research Cambridge.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
With examples from Number Theory
Techniques for Proving the Completeness of a Proof System Hongseok Yang Seoul National University Cristiano Calcagno Imperial College.
Formalising the structure of extremal p-groups Georges Gonthier.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 In this lecture  Number Theory ● Rational numbers ● Divisibility  Proofs ● Direct proofs (cont.) ● Common mistakes in proofs ● Disproof by counterexample.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Proofs, Recursion and Analysis of Algorithms Mathematical Structures for Computer Science Chapter 2 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesProofs,
Discrete Mathematics Lecture 5 Alexander Bukharovich New York University.
Lecture 21 NP-complete problems
Discussion #33 Adjacency Matrices. Topics Adjacency matrix for a directed graph Reachability Algorithmic Complexity and Correctness –Big Oh –Proofs of.
Elementary Number Theory and Methods of Proof
Math 3121 Abstract Algebra I
Discrete Mathematics Lecture 4 Harper Langston New York University.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Introduction to Proofs Goals 1.Introduce notion of proof & basic proof methods. 2.Distinguish between correct & incorrect arguments 3.Understand & construct.
Lecture 4 Discrete Mathematics Harper Langston. Algorithms Algorithm is step-by-step method for performing some action Cost of statements execution –Simple.
Sequences and Series (T) Students will know the form of an Arithmetic sequence.  Arithmetic Sequence: There exists a common difference (d) between each.
A Brief Summary for Exam 1 Subject Topics Propositional Logic (sections 1.1, 1.2) –Propositions Statement, Truth value, Proposition, Propositional symbol,
MATH 224 – Discrete Mathematics
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
ENM 503 Lesson 1 – Methods and Models The why’s, how’s, and what’s of mathematical modeling A model is a representation in mathematical terms of some real.
Propositional Logic Dr. Rogelio Dávila Pérez Profesor-Investigador División de Posgrado Universidad Autónoma Guadalajara
School of Computing and Engineering, University of Huddersfield CIA2326 Week 14 LECTURE: Formal Specifications. How to reason with Algebraic Specifications.
Mathematical Induction I Lecture 4: Sep 16. This Lecture Last time we have discussed different proof techniques. This time we will focus on probably the.
CSE-490 Logic in Computer Science The Coq Proof Assistant POSTECH Dec 15, 2006 박성우.
Chapter 5: Sequences, Mathematical Induction, and Recursion 5.5 Application: Correctness of Algorithms 1 [P]rogramming reliability – must be an activity.
Chap 3 –A theorem is a statement that can be shown to be true –A proof is a sequence of statements to show that a theorem is true –Axioms: statements which.
CSE Winter 2008 Introduction to Program Verification January 31 proofs through simplification.
9/30/98 Prof. Richard Fikes Inference In First Order Logic Computer Science Department Stanford University CS222 Fall 1998.
1 Introduction to Abstract Mathematics Chapter 2: The Logic of Quantified Statements. Predicate Calculus Instructor: Hayk Melikya 2.3.
Mathematical Preliminaries
THEORY OF COMPUTATION Komate AMPHAWAN 1. 2.
1 First order theories (Chapter 1, Sections 1.4 – 1.5) From the slides for the book “Decision procedures” by D.Kroening and O.Strichman.
CMSC 330: Organization of Programming Languages Operational Semantics a.k.a. “WTF is Project 4, Part 3?”
DPLL in Coq Zhuang Zhong Overview  Previous work  Stålmarck algorithm and Binary Decision Diagram  Produce traces of proof  Reconstruct.
CMSC 330: Organization of Programming Languages Operational Semantics.
MAT 4725 Numerical Analysis Section 7.1 Part I Norms of Vectors and Matrices
Mathematical Induction I Lecture 5: Sep 20 (chapter of the textbook and chapter of the course notes)
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
June 21, Reasoning about explicit strictness in a lazy language using mixed lazy/strict semantics Marko van Eekelen Maarten de Mol Nijmegen University,
1 Section 7.1 First-Order Predicate Calculus Predicate calculus studies the internal structure of sentences where subjects are applied to predicates existentially.
Interface specifications At the core of each Larch interface language is a model of the state manipulated by the associated programming language. Each.
Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer.
1 Interactive Computer Theorem Proving CS294-9 September 7, 2006 Adam Chlipala UC Berkeley Lecture 3: Data structures and Induction.
Lecture 2: Propositional and First-Order Logic
Lecture 11: Proof by Reflection
Math 3121 Abstract Algebra I
CSCE 355 Foundations of Computation
Computer Science 210 Computer Organization
L is in NP means: There is a language L’ in P and a polynomial p so that L1 ≤ L2 means: For some polynomial time computable map r :  x: x  L1 iff.
CPSC 121: Models of Computation 2008/9 Winter Term 2
CSS 342 Data Structures, Algorithms, and Discrete Mathematics I
Verifying The Four Colour Theorem
Mathematical Induction Recursion
Chapter 5 Induction and Recursion
CSCE 355 Foundations of Computation
Chapter 10: Mathematical proofs
Elementary Metamathematics
GROUPS & THEIR REPRESENTATIONS: a card shuffling approach
ICS 353: Design and Analysis of Algorithms
Canonical Big Operators
Semantics In Text: Chapter 3.
A Brief Summary for Exam 1
Search techniques.
Introduction to Proofs
Presentation transcript:

Georges Gonthier Reflection, of all shapes and sizes

What is reflection? Computing/reasoning with text rather than mathematical objects. Add(Pow(Var “x”, 2), …)Add(Pow(Add …, 2), 1) quotation interpretation computation reflection

The many sizes of reflection Large scale: prove lemma/assertion –Computer Algebra: ring tactic, SOS –4CT reducibility, Flyspeck tame graphs, … Medium scale: perform major proof step –4CT unavoidability, coprime cycle coherence Small scale: minor proof step, notation –Peano arithmetic, Boolean evaluation –Algebraic overloading, lemma overloading

Interpretation Usually internal (interpreter in theory) Validation requires interpretation of a justification trail, except –If the output is not directly related to the input (medium-scale reflection). –If the computation is internal, and proved correct (not as hard as it is believed to be). –The output can be validated directly, e.g., algebra, linear optimization.

Computation For big-scale reflection, often external for performance reasons. Internal computation is “safer” in that it limits TCB (iterates computation). Performance can be recovered by specialized/simplified algorithms. Trust can be recovered from evidence trails.

Quotation The “essence” of reflection; often external. Generic support conflicts with abstraction. Not needed if the formal objects are syntactic (Booleans, Peano integers). Not needed if the formalization includes interpretation. Can be done with syntax overloading. Can be done with type unification.

Large-scale reflection: reducibility Setup Variable cf : config. Definition cfreducible : Prop := … Definition check_reducible : bool := … Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : cfreducible (Config H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y). Proof. apply check_reducible_valid; by compute. Qed. 20,000,000 cases

Internal decision procedure Definition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: GtreePair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (CtreeEmpty, empty_gtree_pair) else let: CtreePair ctu' ctr := ctree_restrict h ctu (CtrCons Bstack0 gtr CtrNil) in closure ctu' (ctree_rotlr ctr) gtu. Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)). Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure. Fixpoint Kempe_tree_closure d : ktc_fun := if d is d'.+1 then ktc_dostep2c (Kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (GtrCons Bstack0 ctr GtrNil)). Theorem Kempe_tree_closure_correct d ctu ctr gtu : let ktr0 Q := Q ctu ctr GtreeEmpty gtu in let ktrp := ktr_prop (Kempe_tree_closure d ctu ctr gtu) in ktr0 Kempe_valid -> [/\ ktrp Kempe_valid & forall sz, ktr0 (Kempe_complete (3 ^ d + sz)) -> ktrp (Kempe_complete sz.+1)]. Proof. elim: d => [|d IHd] /= in ctu ctr gtu *. move Dctrr: (GtrCons _ ctr _) => ctrr [[ctu_ok Dctu] Dctr Dgtr Dgtu closedP]. move: (gtree_restrict_partition gtu ctrr) (gtree_mem0_restrict gtu ctrr). case: (gtree_restrict gtu ctrr) => gtr gtu' /= Pgt Pgtr. split=> [|sz [ctu_lt_sz ctr_closed]]. split=> // [|w gt_w | w gt_w | w gt'w Dw]; first split=> // et. … 94 lines … Qed.

Small scale reflection for Peano Set So: –0 <= m is true –m < 0 is false –m < n.+1 ≡ m.+1 <= n.+1 is m <= n. Works with if, &&, size : seq T -> nat, … Definition leq m n := m – n == 0. Notation “m <= n“ := (leq m n). Notation “m < n“ := (m.+1 <= n).

Reflection: bool vs. Prop bool concrete computable Prop abstract provable _ = true unstructured proofs truth tables structured proofs deduction rules b1 && b2 P1 /\ P2 b1 b2 b1 && b2 T T T T F F F T F F F F P1 P2 P1 /\ P2 b1 /\ b2 andP ≝ if b1 then b2 else false b1 b2 b1 /\ b2

Text to formal text Theorem Ptype_embedding : forall M K, M \in 'M_'P -> \kappa(M).-Hall(M) K -> exists2 Mstar, Mstar \in 'M_'P /\ gval Mstar \notin M :^: G & let Kstar := 'C_(M`_\sigma)(K) in let Z := K Kstar in let Zhat := Z :\: (K :|: Kstar) in [/\ (*a*) {in 'E^1(K), forall X, 'M('C(X)) = [set Mstar]}, (*b*) \kappa(Mstar).-Hall(Mstar) Kstar /\ \sigma(M).-Hall(Mstar) Kstar, (*c*) 'C_(Mstar`_\sigma)(Kstar) = K /\ \kappa(M) =i \tau1(M), (*d*) [/\ cyclic Z, M :&: Mstar = Z, {in K^#, forall x, 'C_M[x] = Z}, {in Kstar^#, forall y, 'C_Mstar[y] = Z} & {in K^# & Kstar^#, forall x y, 'C[x * y] = Z}] & [/\ (*e*) [/\ trivIset (Zhat :^: G), 'N(Zhat) = Z, {in ~: M, forall g, [disjoint Zhat & M :^ g]} & (#|G|%:R / 2%:R qnum)%R ], (*f*) M \in 'M_'P2 /\ prime #|K| \/ Mstar \in 'M_'P2 /\ prime #|Kstar|, (*g*) {in 'M_'P, forall H, gval H \in M :^: G :|: Mstar :^: G} & (*h*) M^`(1) ><| K = M]].

Parametric overloading Generic product: x * y Structure gType := GroupType { gSort : Type; mulg : gSort → gSort →gSort;...} Variables (gT : gType) (x y : gSort gT). Infix “*“ := (mulg _). mulg ? 1 x y. ≡ gSort T gSort ? 1 T T Coercion gSort : gType >-> Sortclass.

Ad hoc retrofitting Specific product coset H x * coset H y gSort ? 1 ≡ coset_of H fun gT => let: gType T _ … := gT in T Definition coset_gType H := GType (coset_of H).... Canonical coset_gType. gSort (coset_gType H) ≡ coset_of H ≡ mulg (coset_gType H) …

Algebra interface hierarchy Equality Choice Ring UnitRing ComRing Zmodule ComUnitRing Lmodule Algebra Vector Falgebra Addidive Rmorphism Linear LRmorphism

Nested class structures FinGroup.type Finite.type sort mulg,... enum,... mixin FinGroup.class sort Finite.type sort enum,... class =mixin gT ≡ FinGroup.sort gT Coercion FinGroup.finType Canonical Finroup.finType FinGroup.finType ≡ Finite.sort (FinGroup.finType gT)

Linear operator interface Encapsulate f (λv) = λ(f v) Module Linear. Section ClassDef. Variables (R : ringType) (U V : lmodType R). Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u}. Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}. Structure map := Pack {apply :> U -> V; class : class_of apply}. Structure additive cT := Additive (base (class cT)). End Linear.

General linear operators Encapsulate f (λv) = λ σ (f v) Module Linear…. Variables (R : ringType) (U : lmodType R) (V : zmodType). Variable (s : R -> V -> V). Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u >-> s a u}. Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}. Structure map := Pack {apply :> Type; class : class_of apply}. … (* horner_morph mulCx_nu P := (map nu P).[x] *) Fact …: scalable_for (nu \; *%R) (horner_morph mulCx_nu).

General linearity Rewrite f (λv) = λ σ (f v) in both directions Variables (R : ringType) (U : lmodType R) (V : zmodType). Variables (s : R -> V -> V) (S : ringType) (h : S -> V -> V). Variable h_law : Scale.law h. Lemma linearZ c a (h_c := Scale.op h_law c) (f : Linear.map_for U s a h_c) u : f (a *: u) = h_c (Linear.wrap f u).

Interfacing matrices bool Equality nat seq Finite 'I_n bigop  E i i ←r & P(i) Choice Zmodule Ring ComRing Field {ffun D -> R} matrix ‘M[R]_(m, n) Inductive matrix := Matrix of {ffun 'I_m * 'I_n -> R}.

In math: S = A + ∑ i B i is direct iff rank S = rank A + ∑ i rank B i In Coq: Lemma mxdirectP : forall n (S : 'M_n) (E : mxsum_expr S S), reflect (\rank E = mxsum_rank E) (mxdirect E). This is generic in the shape of S Direct sums

Circular inequalities have Bfree_if: forall ZxH, ZxH \in clPqH^# -> \rank > <= #|ZxH| ?= iff row_free (B (b ZxH)) by… have B1_if: \rank > > == mxvec 1%:M)%MS by … have rankEP: \rank (1%:M : 'A[F]_q) = (\sum_(ZxH \in clPqH) #|ZxH|)%N by... have cl1: 1%g \in clPqH by … have{B1_if Bfree_if}:= leqif_add B1_if (leqif_sum Bfree_if). case/(leqif_trans (mxrank_sum_leqif _)) => _ /=. rewrite -{1}(big_setD1 _ cl1) sumB {}rankEP (big_setD1 1%g) // cards1 eqxx. move/esym; case/and3P=> dxB; move/eqmxP=> defB1; move/forall_inP=> /= Bfree. Lemma leqif_trans : forall m1 m2 m3 c1 c2, m1 m2 m1 <= m3 ?= iff c1 && c2. Lemma leqif_add : forall m1 n1 c1 m2 n2 c2, m1 m2 m1 + m2 <= n1 + n2 ?= iff c1 && c2. Lemma mxrank_sum_leqif : forall m n (S : mxsum_expr m n), \rank (unwrap S) <= unwrap (mxsum_rank S) ?= iff mxdirect (unwrap S). Bfree_if : forall ZxH : {set coset_of Z}, ZxH \in clPqH^# -> \rank > <= #|ZxH| ?= iff row_free (B (b ZxH)) B1_if : \rank > > == mxvec 1%:M)%MS rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================... rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ \rank > + \sum_(i \in clPqH^#) \rank > <= 1 + \sum_(i \in clPqH^#) #|i| ?= iff ( > == mxvec 1%:M)%MS && (forallb i, (i \in clPqH^#) ==> row_free (B (b i))) -> … rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ (\rank ( > + \sum_(i \in clPqH^#) >) == (1 + \sum_(i \in clPqH^#) #|i|)%N) = [&& mxdirect ( > + \sum_(i \in clPqH^#) >), ( > == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] -> … rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ true = [&& mxdirect ( > + \sum_(i \in clPqH^#) >), ( > == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] -> … rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH dxB : mxdirect ( > + \sum_(i \in clPqH^#) >) defB1 : ( > :=: mxvec 1%:M)%MS Bfree : forall x : {set coset_of Z}, x \in clPqH^# -> row_free (B (b x)) ============================ …

Presentations D 2 n ≈ Grp (x, y : x 2 n-1, y 2, x y = x -1 ) SD 2 n ≈ Grp (x, y : x 2 n-1, y 2, x y = x 2 n-2 -1 ) Q 2 n ≈ Grp (x, y : x 2 n-1, y 2 = x 2 n-2, x y = x -1 ) Lemma Grp_dihedral : 'D_m \isog Grp (x : y : (x ^+ q, y ^+ 2, x ^ y = x^-1)).... but this is not constructive (Post) !

Coprime cycle coherence

A dot product matrix puzzle

Medium scale reflection Definition sym_match s th1 th2 := let: Sym si sj sk := s in let: (ri, rj, rk) := (th_bbox th1, th_dim th1) in let is_sym r s := uniq s && all (gtn r) s in let match_cl cl2 := let: (i2, j2, kvs2) := cl2 in let ij := (nth ri si i2, nth rj sj j2) in let match_lit kvs1 kv := (nth rk sk kv.1, kv.2) \in kvs1 in let match_cl1 cl1 := let: (ij1, kvs1) := cl1 in (ij1 == ij) && all (match_lit kvs1) kvs2 in uniq (unzip1 kvs2) && has match_cl1 th1 in [&& is_sym ri si, is_sym rj sj, is_sym rk sk & all match_cl th2].

Reflection is a versatile theorem proving technique. Reflection takes different forms for different problem sizes. Internal reflection can work even at large scale. Shallow embeddings work well at small scale. Conclusions