Metatheoretic Approaches to Programming Language Specification & Verification Rob Simmons Princeton University

Presentation Transcript


  1. Metatheoretic Approaches to Programming Language Specification & Verification Rob Simmons Princeton University

  2-4. Introduction
  • “A precise description of a programming language is a prerequisite for its implementation and its use” (The Definition of Standard ML, 1990)
  • “We hold that ‘formal’ means ‘admits logical reasoning’” (C formalised in HOL, 1998)
  • “Use computers to check your proof. Note that [this] task is not trivial. A whole new scientific discipline may be needed. Let me call it Pedantics.” (Yuri Gurevich)

  5. Introduction
  • Lots of theorem proving systems!
    • ACL2
    • Coq
    • HOL
    • Isabelle
    • Nuprl
    • LEGO
    • PVS
    • Twelf
  • Twelf can do things others can’t

  6. Outline of Talk
  • Introduction to Twelf
  • Semantics in Twelf
    • Denotational semantics
    • Axiomatic semantics
  • Proofs as programs
  • Metalogic proofs
  • Safety for the simply typed lambda calculus

  7-12. Introduction to Twelf syntax
  • Define new categories
        nat : type.
        exp : type.
        tp : type.
        animal : type.
  • Define elements in the categories
        z : nat.                          % datatype nat = Z
        s : nat -> nat.                   %              | S of nat
        four : nat =                      % val four = S (S (S (S Z)))
          s (s (s (s z))).
        n : nat -> exp.
        int : tp.
        plus : exp -> exp -> exp.
        test : exp = plus (n four) (n (s z)).
  • Define relationships between categories
        sum : nat -> nat -> nat -> type.
        sum : {a: nat}{b: nat}{c: nat} type.    % Equivalent
        typed : exp -> tp -> type.
        steps : exp -> exp -> type.

  13-15. What does a judgment ‘mean’?
  • Right now, we know nothing about sum, other than that it is a three-part relation.
  • I called it “sum,” so I apparently have some expected meaning for it.
  • How do we specify that 2 + 1 = 3? i.e.
        sum (s (s z)) (s z) (s (s (s z)))
  • How do we specify that addition is commutative?
  • (At least) two ways of looking at this
    • Assign an underlying semantic meaning, write a proof (denotational semantics, object logic)
    • Write an inductive definition, write an inductive proof (operational semantics, metalogic)

  16-19. Assigning semantic meaning
        nat : type = tm num.
        z : nat = const 0.
        s : nat -> nat = [x] const 1 + x.
        sum : nat -> nat -> nat -> type = [a][b][c] pf (a + b == c).
        sum1+1 : sum (s z) (s z) (s (s z)) =
          cut (plus_cong plus_zero plus_zero) [p1] trans3 p1 (symm plus_zero) plus_assoc.
        sum_comm : sum N1 N2 N3 -> sum N2 N1 N3 =
          [p1 : pf (N1 + N2 == N3)] trans comm_add p1.
  (These definitions live inside an object logic whose signature, the families tm, num and pf, the constants const, + and ==, and the lemmas plus_zero, plus_cong, plus_assoc, comm_add, cut, trans, trans3 and symm, is not shown on the slides.)
  This Has Been Checked By A Computer

  20-21. Assigning axiomatic meaning
        nat : type.
        z : nat.
        s : nat -> nat.
        sum : nat -> nat -> nat -> type.
        sum_z : sum z N N.
        sum_s : sum (s N1) N2 (s N3) <- sum N1 N2 N3.
  The same two rules, drawn as inference rules on the slide:

                                    sum N1 N2 N3
        ----------- sum_z    ---------------------- sum_s
         sum z N N           sum (s N1) N2 (s N3)

  22-24. Assigning axiomatic meaning
        1 = s z.
        2 = s 1.
        3 = s 2.
        sum2+1 : sum 2 1 3 = sum_s (sum_s sum_z).
  The proof term sum_s (sum_s sum_z) is the derivation tree drawn on the slide:

                                        ----------------- sum_z
                                        sum z (s z) (s z)
                                  ------------------------- sum_s
                                  sum (s z) (s z) (s (s z))
                            ----------------------------------- sum_s
                            sum (s (s z)) (s z) (s (s (s z)))

  i.e. a derivation of sum 2 1 3. Both of these represent an OBJECT.

  25-27. Axiomatic Relations
  Relations (which represent judgments or proofs): sum, mul, typed, steps, etc…
  Relations ABOUT relations representing proofs
  Relations AS PROGRAMS

  28-30. Proofs as programs
  • The input to Twelf
        %solve sum2+1 : sum 2 1 _.
  • Twelf’s response
        sum2+1 : sum 2 1 (s (s 1)) = sum_s (sum_s sum_z).
        %% OK %%
  • The input to Twelf
        %solve sum2+1 : sum _ 1 _.
  • Twelf’s response
        sum2+1 : sum z 1 1 = sum_z.
        %% OK %%

  31. Proofs as programs
  • It is sometimes useful to think of these definitions as a function that recursively calls itself, so the second line (the subgoal) acts like a recursive call to sum.
        sum_s : sum (s N1) N2 (s N3)
                 <- sum N1 N2 N3.

  32-33. Reasoning about programs
  • Mode declarations
        %mode sum +N1 +N2 -N3.
  • “If the first two positions contain well-defined (i.e. ground, without metavariables) inputs, then IF the search succeeds in a finite amount of time, the search will generate well-defined outputs”
        sum_z_bad : sum z N N'.
        Occurrence of variable N' in output (-) argument not necessarily ground
        %% ABORT %%

  34-35. Reasoning about programs
  • World declarations
        %mode sum +N1 +N2 -N3.
        %worlds () (sum _ _ _).
  • The program is using the “closed worlds assumption”: no new things (a new natural number, or a new rule for sum) will appear during execution.
        sum_s_bad : sum (s N1) N2 (s N3) <- {n: nat} sum N1 n N3.
        Constant sum_s_bad
        World violation
        %% ABORT %%

  36. Reasoning about programs
  • Totality declarations
        %mode sum +N1 +N2 -N3.
        %worlds () (sum _ _ _).
        %total N1 (sum N1 N2 N3).
  • The program acts like a total function
  • This involves three things:
    • Termination
    • Input coverage
    • Output coverage

  37-38. Reasoning about programs
  • Totality declarations & termination
        %mode sum +N1 +N2 -N3.
        %worlds () (sum _ _ _).
        %total N1 (sum N1 N2 N3).
  • The program always terminates (has a term which always strictly decreases in size)
        sum_bad : sum N1 N2 N3 <- sum N2 N1 N3.
        Termination violation:
        ---> (N2) < (N1)
        %% ABORT %%

  39-40. Reasoning about programs
  • Totality declarations & input coverage
        %mode sum +N1 +N2 -N3.
        %worlds () (sum _ _ _).
        %total N1 (sum N1 N2 N3).
  • All possible inputs are covered (case analysis)
  • If we remove the sum_z rule, Twelf will complain
        Coverage error --- missing cases:
        {X1:nat} {X2:nat} |- sum z X1 X2.
        %% ABORT %%

  41-42. Reasoning about programs
  • Totality declarations & output coverage
        %mode sum +N1 +N2 -N3.
        %worlds () (sum _ _ _).
        %total N1 (sum N1 N2 N3).
  • All possible OUTPUTS are covered
        sum_s_bad : sum (s N1) N2 (s N3) <- sum N1 N2 (s N3).
        Totality: Output of subgoal not covered
        Output coverage error --- missing cases:
        {X1:nat} {X2:nat} |- sum X1 X2 z.
        %% ABORT %%

  43. Reasoning about programs
  • Totality declarations
        %mode sum +N1 +N2 -N3.
        %worlds () (sum _ _ _).
        %total N1 (sum N1 N2 N3).
  • The sum function is TOTAL
    • It has clearly defined inputs and outputs
    • No new terms will be defined during execution
    • It always terminates
    • It will always be able to handle any inputs
    • Recursive calls place no constraints on outputs

  44. Metatheorems in Twelf
  Relations (which represent judgments or proofs): sum, mul, typed, steps, etc…
  Relations ABOUT relations representing proofs
  Relations AS PROGRAMS

  45-48. Metatheorems in Twelf
  • Addition is commutative
  • If N1 + N2 = N3, then N2 + N1 = N3
  • If I can derive “sum N1 N2 N3,” then “sum N2 N1 N3” should also be derivable
        sum_comm : sum N1 N2 N3 -> sum N2 N1 N3 -> type.
        %mode sum_comm +SUM -SUM'.
  • Can we show this is total?

  49-50. Metatheorems in Twelf
        sum_comm : sum N1 N2 N3 -> sum N2 N1 N3 -> type.
        %mode sum_comm +SUM -SUM'.

        sum_ident : {N: nat} sum N z N -> type.
        %mode sum_ident +N -SUM.
        sum_ident_z : sum_ident z (sum_z : sum z z z).
        sum_ident_s : sum_ident (s N) ((sum_s SUM) : sum (s N) z (s N))
                       <- sum_ident N (SUM : sum N z N).
        %worlds () (sum_ident _ _).
        %total N (sum_ident N _).

        sum_inc : sum A B C -> sum A (s B) (s C) -> type.
        %mode sum_inc +SUM -SUM'.
        sum_inc_z : sum_inc (sum_z : sum z N N) (sum_z : sum z (s N) (s N)).
        sum_inc_s : sum_inc (sum_s D) (sum_s D') <- sum_inc D D'.
        %worlds () (sum_inc _ _).
        %total SUM (sum_inc SUM _).

        & : sum_comm (sum_z : sum z N N) SUM
             <- sum_ident N SUM.
        & : sum_comm (sum_s SUM) SUM''
             <- sum_comm SUM SUM'
             <- sum_inc SUM' SUM''.
        %worlds () (sum_comm _ _).
        %total SUM (sum_comm SUM SUM').
  This Has Been Checked By A Computer
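The slides declare typed and steps (slide 12) and name mul (slide 25) without ever giving their rules, and the outline promises a safety result without showing one. The signature below is an added example, not from Rob Simmons's slides or from the Twelf distribution, that fills in those gaps for the slides' tiny expression language and carries the mode/worlds/total discipline of slides 32-43 through to a small metatheorem, type preservation, proved in the same style as sum_comm on slides 45-50. The nat and sum declarations, and the exp/tp constants, are re-declared from the slides so that the file stands alone; the typing rules, the evaluation rules, the definition of mul, and every constant name not on the slides (typed_n, typed_plus, step_plus_n, step_plus1, step_plus2, mul_z, mul_s, pres and its cases) are my assumptions.

```twelf
% Added example (not from the slides): nat and sum are re-declared from
% slides 20-43 so that this file stands alone; everything after them is assumed.
nat : type.
z : nat.
s : nat -> nat.

sum : nat -> nat -> nat -> type.
sum_z : sum z N N.
sum_s : sum (s N1) N2 (s N3) <- sum N1 N2 N3.
%mode sum +N1 +N2 -N3.
%worlds () (sum _ _ _).
%total N1 (sum N1 N2 N3).

% mul, named on slide 25 but not defined there.  Its recursive call is on the
% strict subterm N1, and both subgoals leave their outputs (N4, N3) as bare
% variables, so the three totality checks of slide 36 all go through.
mul : nat -> nat -> nat -> type.
mul_z : mul z N z.
mul_s : mul (s N1) N2 N3
         <- mul N1 N2 N4
         <- sum N4 N2 N3.
%mode mul +N1 +N2 -N3.
%worlds () (mul _ _ _).
%total N1 (mul N1 N2 N3).

% The expression language of slides 9-12 (int is its only type).
tp   : type.
int  : tp.
exp  : type.
n    : nat -> exp.
plus : exp -> exp -> exp.

% typed, declared on slide 12.  The two rules are assumed: a numeral is an
% int, and plus is well typed when both operands are.
typed : exp -> tp -> type.
typed_n    : typed (n N) int.
typed_plus : typed (plus E1 E2) int
              <- typed E1 int
              <- typed E2 int.
%mode typed +E -T.

% steps, declared on slide 12.  Assumed left-to-right small-step rules.
% A numeral does not step, so steps is a partial program: no %total is
% claimed, and Twelf would report missing cases if one were.
steps : exp -> exp -> type.
step_plus_n : steps (plus (n N1) (n N2)) (n N3)
               <- sum N1 N2 N3.
step_plus1  : steps (plus E1 E2) (plus E1' E2)
               <- steps E1 E1'.
step_plus2  : steps (plus (n N) E2) (plus (n N) E2')
               <- steps E2 E2'.
%mode steps +E -E'.

% Running the relations as programs, as on slides 28-30: search for a type
% for test and for the expression test steps to.
test : exp = plus (n (s (s z))) (n (s z)).
%solve typed_test : typed test _.
%solve step_test  : steps test _.

% Metatheorem, in the style of sum_comm on slides 45-50: type preservation.
% If E steps to E' and E has type T, then E' has type T.  The step derivation
% and the typing derivation are inputs; the new typing derivation is the output.
pres : steps E E' -> typed E T -> typed E' T -> type.
%mode pres +S +D -D'.

% Redex case: the result is a numeral, which is an int by typed_n.
pres_n : pres (step_plus_n _) (typed_plus _ _) typed_n.

% Congruence cases: the induction hypothesis is a recursive call on the
% strict subderivation S1 (or S2), and the typing derivation is rebuilt
% around its result.  Argument order: with <-, typed_plus takes the
% derivation for E2 first, then the one for E1.
pres_1 : pres (step_plus1 S1) (typed_plus D2 D1) (typed_plus D2 D1')
          <- pres S1 D1 D1'.
pres_2 : pres (step_plus2 S2) (typed_plus D2 D1) (typed_plus D2' D1)
          <- pres S2 D2 D2'.

%worlds () (pres _ _ _).
%total S (pres S _ _).
```

Twelf processes the file top to bottom, and each %mode, %worlds and %total line is a check that aborts on failure, exactly as the transcripts on slides 33-42 show. The asymmetry is the point: steps is deliberately left partial, because a numeral has no successor state, whereas pres is total, its termination metric being the step derivation S, every recursive use of which is on a strict subderivation, with input coverage established by case analysis on the step and typing constructors and output coverage trivial because each subgoal's output is a bare variable. The same pattern, with a richer language, is what the outline's "safety for the simply typed lambda calculus" amounts to.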
