Presentation is loading. Please wait.

Presentation is loading. Please wait.

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

Published bySimon Fisher Modified over 9 years ago

Similar presentations

Presentation on theme: "VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)"— Presentation transcript:

1 VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

2 Dave’s influence on my career Summer 1989 Princeton Grad Student Spring 1990 Advanced Topics on PL taught by Dave “Summer intern” at Bell Labs, 1991 – ML modules vs separate compilation PhD thesis work on SML/NJ, 1992-1994 Research on FLINT, 1995-1999 – Compiling ML modules into Fomega – This is how I learned dependent types & CiC 2000 – now: move onto Certified Code (in Coq) New problem: engineering large proofs  VeriML

3 Proof assistants are becoming popular in our community —CompCert [Leroy et al.] —seL4 [Klein et al.] —Four-color theorem [Gonthier et al.] —1 to 1.5 weeks per paper proof page —4 pages of formal proof per 1 page of paper proof … but they’re still hard to use [Asperti and Cohen ‘10]

4 —communicated to a fixed proof checker —must spell out all details —use domain-specific lemmas Formal proofs —communicated to a person —rely on domain- specific intuition —use “obviously” Informal proofs calculus linear algebra arithmetic

5 —procedures that produce proofs —domain-specific tactics good in large developments —but difficult to write! We need tactics to omit details -untyped -proofs within tactics can be wrong! -untyped -proofs within tactics can be wrong!

6 Proof assistants are hard to use because 1. cannot extend proof checker → lots of details 2. no checking for tactics → lots of potential errors These are architectural issues

7 VeriML: a new architecture for proof assistants 1. cannot extend proof checker → lots of details 2. no checking for tactics → lots of potential errors 1. extensible proof checker → omit lots of details 2. extensible checking for tactics → lots of errors avoided static checking of contained proofs full programming model soundness guaranteed full programming model soundness guaranteed More specifically: -a new language design -a new implementation -and a new metatheory See [ICFP’10, POPL’12, upcoming PhD thesis by Stampoulis] “intuition” stack arithmetic congruence βι- conversion

8 Architecture of proof assistants

9 Architecture of proof assistants: main notions Derivation in a logic Proof object Checks proof objects Proof checker Function producing proof objects Tactic Combination of tactics; program producing a proof object Proof script

10 Architecture of proof assistants: Checking proof objects Proof object Proof checker Conversion rule Implicitly check equivalences (proof omitted) Conversion rule Implicitly check equivalences (proof omitted)

11 Architecture of proof assistants: Checking proof objects Proof object Proof checker Coq βι-conversion Coq βι-conversion

12 Architecture of proof assistants: Checking proof objects Proof object Proof checker CoqMT βι-conversion + linear arithmetic CoqMT βι-conversion + linear arithmetic

13 Architecture of proof assistants: Checking proof objects Proof object Proof checker -rich static information -(de)composable -checking not extensible

14 Architecture of proof assistants: Validating proof scripts Proof script Proof checker Proof object evaluation -extensible through tactics -rich programming model -no static information -not (de)composable -hidden proof state use conversion for more robust scripts Arithmetic tactic User tacticOther tactic

15 Moving to typed proof scripts Typed proof script Type checker Proof script Proof object Proof checker evaluation Proof checker Arithmetic tactic User tacticOther tactic Arithmetic tactic User tacticOther tactic evaluation

16 Moving to typed proof scripts + extensible conversion Typed proof script Type checker Proof checker evaluation Arithmetic tactic User tactic Other tactic Key insight: conversion is just a hardcoded trusted tactic Key insight: conversion is just a hardcoded trusted tactic but we can trust other tactics too if they have the right type

17 Moving to typed proof scripts + extensible conversion Typed proof script evaluation Key insight: conversion is just a hardcoded trusted tactic Key insight: conversion is just a hardcoded trusted tactic but we can trust other tactics too if they have the right type Type checker Proof checker none of them needs to be hardcoded! Type checker Proof checker Other tactic

18 Typed proof scripts + extensible conversion Typed proof script evaluation Type checker Proof checker -rich static information -user chooses conversion -extensible static checking -smaller proof checker -can generate proof objects

19 Type checking tactics: an example -check propositions for equivalence -return a proof if they are -raise an exception otherwise Metatheory result 1. Type safety If evaluation succeeds, the returned proof object is valid Metatheory result 1. Type safety If evaluation succeeds, the returned proof object is valid Metatheory result 2. Proof erasure If evaluation succeeds, a valid proof object exists even if it’s not generated Metatheory result 2. Proof erasure If evaluation succeeds, a valid proof object exists even if it’s not generated

20 Two modes of evaluation evaluation proof object proof object proof erasure evaluation proof erasure evaluation mode controlled per function Typed proof script Type checker Proof checker

21 Typed proof script Type checker evaluation Proof checker Static checking = type checking + staging under proof-erasure typechecking stage-one evaluation with proof erasure evaluation of residual program

22 A stack of conversion rules arithmetic simplification congruence closure βι-conversion conversion in Coq removed from trusted base conversion in Coq removed from trusted base makes most uses of rewrite/autorewrite unnecessary ring_simplify for Nat close to CoqMT ring_simplify for Nat close to CoqMT no additions to logic metatheory actually, with reductions no proof by reflection or translation validation leveraging static proof scripts no additions to logic metatheory actually, with reductions no proof by reflection or translation validation leveraging static proof scripts

23 A stack of conversion rules arithmetic simplification naïve arithmetic conversion congruence closure naïve equality conversion βι- conversion potentially non- terminating reduce proving for “real” versions potentially non- terminating reduce proving for “real” versions

24 Summary a new architecture for proof assistants user-extensible checking of proofs and tactics minimal trusted core reduce required effort for formal proofs Future work: – need a simpler surface language (ML-module?) – need a production-quality implementation (SML/NJ?) – time to work on ML2020?

Download ppt "VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.

Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.
11.1 11. Computational Models The exam. Models of computation. –The Turing machine. –The Von Neumann machine. –The calculus. –The predicate calculus. Turing.

Computational Models The exam. Models of computation. –The Turing machine. –The Von Neumann machine. –The calculus. –The predicate calculus. Turing.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.

Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Principal Type Schemes for Modular Programs Derek Dreyer and Matthias Blume Toyota Technological Institute at Chicago ESOP 2007 Braga, Portugal.

Principal Type Schemes for Modular Programs Derek Dreyer and Matthias Blume Toyota Technological Institute at Chicago ESOP 2007 Braga, Portugal.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.

PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.
Denotational vs Operational Approaches COS 441 Princeton University Fall 2004.

Denotational vs Operational Approaches COS 441 Princeton University Fall 2004.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
Strict Bidirectional Type Checking Adam Chlipala, Leaf Petersen, and Robert Harper.

Strict Bidirectional Type Checking Adam Chlipala, Leaf Petersen, and Robert Harper.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.

Similar presentations

Ads by Google