1 / 80

Automated functional program verification using fixpoint fusion

Automated functional program verification using fixpoint fusion. William Sonnex University of Cambridge (Imperial College at heart). Proof by simplification. Start with: Simplify:. Properties provable. Properties proven by current implementation: Properties hopefully provable soon:.

duncan
Download Presentation

Automated functional program verification using fixpoint fusion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated functional program verification using fixpoint fusion William Sonnex University of Cambridge (Imperial College at heart)

  2. Proof by simplification Start with: Simplify:

  3. Properties provable Properties proven by current implementation: Properties hopefully provable soon:

  4. Functional language used Simply typed lambda calculus with general recursion, absurdityand algebraic data-types (constructors and pattern matching).

  5. Functional language used Simply typed lambda calculus with general recursion, absurdityand algebraic data-types (constructors and pattern matching).

  6. Contents • What is fixpoint fusion? • New technique “fixpoint fission” allows for • How do we prove implications? e.g. • New technique “fold-fix fission” allows us to prove

  7. Fixpoint fusion Turns a context containing a recursive function into just a recursive function:

  8. Fixpoint fusion Three steps to find : • Unwrap the recursive function • Simplify • Replace occurrences of with to get Fails if occurrences of remain in

  9. Fusing reverse and append Let’s run fusion on:

  10. Fix-fix fusion First type/usage of fusion is “fix-fix fusion” (my name) fusing the composition of two fixpoints so will be a fixpoint/recursive function So in we are fusing and So is and is we’ll call , so we are discovering

  11. Fusing • Unwrap • Simplify • Replace with

  12. Fusing So we have discovered: Big deal. This example is done in Wadler’s deforestation paper from 1990. Let’s add some more uses of fusion… (the next stuff is mine.)

  13. Contents • What is fixpoint fusion? • New technique “fixpoint fission” allows for • How do we prove implications? e.g. • New technique “fold-fix fission” allows us to prove

  14. Fixpoint fission This next technique is “fixpoint fission” it is the reverse of fusion: Fusion starts with and and derives Fission starts with and and derives

  15. Fixpoint fission Backwards three steps of fusion: • Start with and replace with • Simplify • Drop to get Fails if not of the form for some

  16. Fissioning Earlier we fused Using simple code analysis we can conjecture that for some

  17. Fissioning We can use “constructor fission” on where and • Start with … and replace with , i.e.

  18. Fissioning • Start with and replace with • Simplify • Drop to get

  19. Fissioning We fissioned from which is -equivalent to so we have found: Woo, lemma discovery using simplification 

  20. Fusing With the sub-simplification: We can use fix-fix fusion on: This is a fixpoint fission stepwhere which I don’t have time to explain 

  21. Contents • What is fixpoint fusion? • New technique “fixpoint fission” allows for • How do we prove implications? e.g. • New technique “fold-fix fission” allows us to prove

  22. What about implication? So far we have seen simplifications equivalent to equational lemma discovery. Some lemmas feature implication e.g. how do we reason like this within simplification?

  23. What about implication? Some lemmas feature implication e.g. how do we reason like this within simplification? My interpretation of is: If we are down a branch where is pattern matched to then

  24. Definition of

  25. What about implication? We want: Since we have an inner recursive function () and an outer context (the pattern match) we can use fusion!

  26. What about implication? We want: First we express the pattern match at the location of the recursive function: Now we can run fusion on

  27. What about implication? Now we can run fusion on where and

  28. What about implication? • Unwrap • Simplify

  29. What about implication? • Unwrap • Simplify

  30. What about implication? • Unwrap • Simplify

  31. What about implication? • Unwrap • Simplify

  32. What about implication? • Simplify • Replace occurrences of with

  33. What about implication? We have fused with yielding: which simplifies to just:

  34. Recap of match-fix fusion We had: We expressed where was:We ran fusion:I call this match-fix fusion 

  35. Match-fix fusion But what about properties with multiple antecedents?This corresponds to multiple pattern matches: We could run one big fusion step…

  36. Match-fix fusion We could run one big fusion step: But there is no need, we can fuse each match in one by one:

  37. Match-fix fusion We can always fuse matches in one by one with no loss of simplifiability(proven) Consider:Certain definitions of here will block induction hence ACL2 has heuristics for dropping antecedentsFusion of just fails and we move on no heuristics needed!

  38. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  39. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  40. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  41. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  42. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  43. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  44. Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.

  45. Fusion doesn’t require search Simplifications are fully automatic. If they happen in isolation they’ll happen in a larger proof/simplification.If a proof needs we don’t need to provide the lemma we don’t need rules to guide rewriting (like rippling).

  46. So far… Fix-fix fusion, constructor fission and match-fix fusion can solve almost all of the properties I tested Zeno on. Notably All of the above has been implemented. Now I will demonstrate the next phase of my work which simplifies

  47. Contents • What is fixpoint fusion? • New technique “fixpoint fission” allows for • How do we prove implications? e.g. • New technique “fold-fix fission” allows us to prove

  48. Verifying

  49. Verifying Proving requires the lemma: This lemma is not a generalisation of a sub-goal (sorry ACL2). This lemma contains functions which are not in the original definition, (sorry HipSpec).

  50. Verifying We start with: Mathematically impossibleto fuse with

More Related