1 / 43

PROOF WEAVING

PROOF WEAVING. Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA mulhern@cs.wisc.edu www.cs.wisc.edu/~mulhern. Modifying Proofs. I’ll use tacticals to make my scripts more robust. must add new, dissimilar constructor. I could modify

april
Download Presentation

PROOF WEAVING

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PROOF WEAVING Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA mulhern@cs.wisc.edu www.cs.wisc.edu/~mulhern

  2. Modifying Proofs I’ll use tacticals to make my scripts more robust must add new, dissimilar constructor I could modify the proof objects I will not ever graduate doing this I’ll write a special purpose tactic But they are very big and complex and structured must fix broken scripts must add new constructor Done! Proof Weaving

  3. Mutual Antagonism • Modular and incremental approaches are ubiquitous in computer science • Theorem provers do not readily support certain kinds of modular or incremental proof development • Transparent dependencies invalidate existing proofs when underlying structures are changed Proof Weaving

  4. Proof Weaving • A technique for combining • Separate proof objects • Of the same theorem • On different underlying structures • And forming • A single proof object • Of the same theorem • On a combination of the underlying structures Proof Weaving

  5. Disclaimer • There is no implementation • Demo: me typing Proof Weaving

  6. Dependencies • If L1 and L2 are two identifiers denoting definitions, lemmas, functions, or types, a dependency between L1 and L2 exists when L1 is a free identifier occurring in the -term associated with L2. [Proof Reuse with Extended Inductive Types, Boite, 2004] Proof Weaving

  7. Dependencies on term • Forall lists of terms, either the length of the list is zero or the length of the list is greater than zero • TmTrue, which is a term, is a value • Equality on terms is decidable Proof Weaving

  8. Dependencies • An object L has a transparent dependency with an inductive type I, if L has a dependency with an induction principle of I, or if a case analysis on type I is performed in the -term representing L. • An object L has an opaque dependency with an inductive type I, if its dependency with I is not transparent. [Proof Reuse with Extended Inductive Types, Boite, 2004] Proof Weaving

  9. Transparent Dependencies Bad • If a constructor C is added to an inductive type I, wherever there is a transparent dependency on I the object that contains the transparent dependency must be updated to accommodate C. • Match case added • Additional argument passed to induction principle Proof Weaving

  10. Quiz: Transparent or Opaque? Forall lists of terms, either the length of the list is zero or the length of the list is greater than zero Opaque! Proof Weaving

  11. Quiz: Transparent or Opaque? TmTrue, which is a term, is a value Opaque! Proof Weaving

  12. Quiz: Transparent or Opaque? Equality on terms is decidable Transparent! Proof Weaving

  13. Inductive term : Set := | TmTrue : term | TmFalse : term . Lemma eq_dec : forall (t t’ : term), {t = t’} + {t <> t’}. Inductive term : Set := | TmTrue : term | TmFalse : term . Lemma eq_dec : forall (t t’ : term), {t = t’} + {t <> t’}. decide equality. Qed. Inductive term : Set := | TmTrue : term | TmFalse : term . induction t. intro t’.case t’. left. reflexivity. right. discriminate. intro t’. case t’. right. discriminate. left. reflexivity. Qed. Proof Weaving

  14. Transparent Dependency on term Proof Weaving

  15. Transparent Dependency on term Proof Weaving

  16. Transparent dependency on term      Proof Weaving

  17. Transparent dependency on term induction t. intro t’.case t’. left. reflexivity. right. discriminate. intro t’. case t’. right.discriminate. left. reflexivity. Qed. induction t. intro t’.case t’. left. reflexivity. right. discriminate. right. discriminate. intro t’. case t’. right. discriminate. left. reflexivity. Qed. induction t. intro t’.case t’. left. reflexivity. right. discriminate. intro t’. case t’. right.discriminate. left. reflexivity. Qed. Proof Weaving

  18. False Transparent Dependencies • Some transparent dependencies are false transparent dependencies • A case analysis is performed • Most constructors are irrelevant • False transparent dependencies are removable Proof Weaving

  19. Outline • False Transparent Dependencies • True Transparent Dependencies Proof Weaving

  20. Outline • False Transparent Dependencies • True Transparent Dependencies Proof Weaving

  21. Transparent Dependency Proof Weaving

  22. Transparent Dependencies Proof Weaving

  23.  (Type Environment) eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y term : Set TmTrue : term TmFalse : term TmIf : term -> term -> term -> term True : Prop False : Prop I : True H1 : TmTrue = TmIf tm1 tm2 tm3 False Transparent Dependencies (@eq_ind term TmTrue (fun e : term => match e with | TmTrue => True | TmFalse => False | TmIf _ _ _ => False end) I (TmIf tm1 tm2 tm3) H1) Proof Weaving

  24. forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y forall (x : term) (P : term -> Prop), P x -> forall y : term, x = y -> P y F TmTrue -> forall y : term, TmTrue = y -> F y forall y : term, TmTrue = y -> F y TmTrue = (TmIf tm1 tm2 tm3) -> F (TmIf tm1 tm2 tm3) forall (P : term -> Prop), P TmTrue -> forall y : term, TmTrue = y -> P y F F (TmIf tm1 tm2 tm3) False False Transparent Dependencies (@eq_ind term TmTrue (fun e : term => match e with | TmTrue => True | TmFalse => False | TmIf _ _ _ => False end) I (TmIf tm1 tm2 tm3) H1)   Proof Weaving

  25. False Transparent Dependencies (fun e : term => match e with | TmTrue => True | TmFalse => False | TmIf _ _ _ => False end) (fun e : term => match e with | TmTrue => True | TmIf _ _ _ => False | _ => 0 = 1 end) (fun e : term => match e with | TmTrue => True (fun e : term => match e with | TmTrue => True | TmIf _ _ _ => False  Proof Weaving

  26. False Transparent Dependencies Proof Weaving

  27. False Transparent Dependencies • Easily identified • Fixable Proof Weaving

  28. Outline • False Transparent Dependencies • True Transparent Dependencies Proof Weaving

  29. Outline • False Transparent Dependencies • True Transparent Dependencies • Syntactically similar subterms Proof Weaving

  30. Syntactically Similar Subterms Proof Weaving

  31. Template Extraction match H0 in (typeof t t0) return (t = TmIf tm1 tm2 tm3 -> t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0) with | TTrue => fun (H1 : TmTrue = TmIf tm1 tm2 tm3) (H2 : TyBool = x) => False_ind (TyBool = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0) (@eq_ind term TmTrue (fun e : term => match e with | TmTrue => True | TmIf _ _ _ => False | _ => 0 = 1 end) I (TmIf tm1 tm2 tm3) H1) H2 Proof Weaving

  32. Template Extraction template (H0 : typeof t t0) => H0 => fun (H1 : t = TmIf tm1 tm2 tm3) (H2 : t0 = x) => False_ind (t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0) (@eq_ind term t (fun e : term => match e with | t => True | TmIf _ _ _ => False | _ => 0 = 1 end) I (TmIf tm1 tm2 tm3) H1) H2 Proof Weaving

  33. Term Reconstruction Proof Weaving

  34. The if statement can be further evaluated. False The if statement can be further evaluated. False t1 : Bool t2 : T t3 : T if t1 then t2 else t3 : T The if statement can be further evaluated. Example: if If an if statement is well typed then it can be further evaluated. true : Bool false : Bool Proof Weaving

  35. Observation • Falsetransparent dependencies and truetransparent dependencies withsyntactically similarsubterms • Arise frequently • Are easily identified • Are tractable Proof Weaving

  36. To Weave Proof Objects… • Remove false dependencies in each proof object • For each proof object • Reconstruct proof subterms corresponding to the constructors in the other proof object • Reject those terms that are not well-typed • Weave subterms from each proof together Proof Weaving

  37. How is this technique working? • Algorithm performed by hand • Numerous small examples • References + if statements • Each separate proof has several hundred lines of code • Six subgoals presented to refine tactic • Must move to implementation Proof Weaving

  38. Could this technique be useful? • Yes • Size of proof is roughly polynomial in number of constructors • “Developer effort” linear? Proof Weaving

  39. Related Work • Proof Reuse with Extended Inductive Types [Olivier Boite, TPHOLS 2004] • Generating Generic Functions [Johan Jeuring, Alexey Rodrigues, Gideon Smeding, WGP 2006] • Plagiator - A learning prover [Thomas Kolbe and Jurgen Brauburger, CADE-14 1997] Proof Weaving

  40. Topics Not Covered • Mapping generated proof to proof script • Simplifying proof terms for easier template extraction • Removing or changing (rather than adding) constructors • Changing the proof statement Proof Weaving

  41. Future Work • Implementation • Requires Coq infrastructure • Typechecker • Tools for manipulating AST • Supporting refactorings Proof Weaving

  42. Conclusion • Proof Weaving • Addresses the drawbacks of tactic reuse and specialized tactics • Is a general technique • Especially suitable for proofs of programming language properties • Preliminary results are encouraging Proof Weaving

  43. PROOF WEAVING Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA mulhern@cs.wisc.edu www.cs.wisc.edu/~mulhern

More Related