Automated functional program verification using fixpoint fusion
William Sonnex, University of Cambridge (Imperial College at heart)
Proof by simplification
Start with:
Simplify:
Properties provable
Properties proven by current implementation:
Properties hopefully provable soon:
Functional language used
Simply typed lambda calculus with general recursion, absurdity and algebraic data-types (constructors and pattern matching).
Contents
• What is fixpoint fusion?
• New technique “fixpoint fission” allows for
• How do we prove implications? e.g.
• New technique “fold-fix fission” allows us to prove
Fixpoint fusion
Turns a context containing a recursive function into just a recursive function:
Fixpoint fusion
Three steps to find :
1. Unwrap the recursive function
2. Simplify
3. Replace occurrences of with to get
Fails if occurrences of remain in
Fusing reverse and append
Let’s run fusion on:
Fix-fix fusion
First type/usage of fusion is “fix-fix fusion” (my name): fusing the composition of two fixpoints, so will be a fixpoint/recursive function
So in we are fusing and
So is and is
we’ll call , so we are discovering
Fusing
1. Unwrap
2. Simplify
3. Replace with
Fusing
So we have discovered:
Big deal. This example is done in Wadler’s deforestation paper from 1990.
Let’s add some more uses of fusion… (the next stuff is mine.)
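The reverse/append fusion above, carried through as an added example that is not part of the slides: the fused function is written down directly and the equation that fusion discovers is proved by induction in Lean 4 (core library only, no Mathlib). The names `rev` and `revApp`, and the use of append associativity as the “simplify” step, are my assumptions; the slides’ own symbols did not survive extraction. The inductive step of the proof follows the three-step recipe of the slides: unwrap the recursive call, simplify, replace the remaining occurrence of the context applied to the recursive function by the fused function (the induction hypothesis).

```lean
-- Added example, not from the slides. Assumed names: rev, revApp.

-- fix F: the recursive function to be fused (list reversal).
def rev {α : Type} : List α → List α
  | []      => []
  | x :: xs => rev xs ++ [x]

-- fix G: what fusing the context (fun f => f xs ++ ys) with rev produces.
-- The context's `++ ys` has been pushed inside as an accumulator.
def revApp {α : Type} : List α → List α → List α
  | [],      ys => ys
  | x :: xs, ys => revApp xs (x :: ys)

-- The equation fusion discovers: context applied to fix F equals fix G.
-- The cons case is exactly the "unwrap, simplify, replace" recipe:
--   unwrap:   rev (x :: xs) ++ ys  =  (rev xs ++ [x]) ++ ys
--   simplify: associativity of ++  =  rev xs ++ (x :: ys)
--   replace:  the occurrence of `rev _ ++ _` is the fused function (ih).
theorem rev_append_eq_revApp {α : Type} (xs ys : List α) :
    rev xs ++ ys = revApp xs ys := by
  induction xs generalizing ys with
  | nil => simp [rev, revApp]
  | cons x xs ih =>
    simp only [rev, revApp]
    rw [List.append_assoc, List.cons_append, List.nil_append, ih]

-- Sanity check on concrete input: both sides give [3, 2, 1, 4, 5].
#eval rev [1, 2, 3] ++ [4, 5]
#eval revApp [1, 2, 3] [4, 5]
```

The rewrite order in the cons case matters: associativity must be applied before the induction hypothesis, otherwise the hypothesis would fire on the inner `rev xs ++ [x]` first and leave `revApp xs [x] ++ ys`, which is the “occurrences of the recursive function remain” failure mode the slides describe.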
Fixpoint fission
This next technique is “fixpoint fission”; it is the reverse of fusion:
Fusion starts with and and derives
Fission starts with and and derives
Fixpoint fission
Backwards three steps of fusion:
1. Start with and replace with
2. Simplify
3. Drop to get
Fails if not of the form for some
Fissioning
Earlier we fused
Using simple code analysis we can conjecture that for some
Fissioning
We can use “constructor fission” on where and
1. Start with and replace with , i.e.
2. Simplify
3. Drop to get
Fissioning
We fissioned from
which is -equivalent to so we have found:
Woo, lemma discovery using simplification
Fusing
With the sub-simplification:
We can use fix-fix fusion on:
This is a fixpoint fission step where , which I don’t have time to explain
What about implication?
So far we have seen simplifications equivalent to equational lemma discovery.
Some lemmas feature implication, e.g.
how do we reason like this within simplification?
My interpretation of is:
If we are down a branch where is pattern matched to
then
Definition of
What about implication?
We want:
Since we have an inner recursive function () and an outer context (the pattern match)
we can use fusion!
What about implication?
We want:
First we express the pattern match at the location of the recursive function:
Now we can run fusion on
where and
What about implication?
1. Unwrap
2. Simplify
3. Replace occurrences of with
$\lambda x\,\lambda y.\; y \le x \begin{cases} \bot \\ x \le y \end{cases}$
What about implication?
We have fused with yielding:
which simplifies to just:
Recap of match-fix fusion
We had:
We expressed where was:
We ran fusion:
I call this match-fix fusion
Match-fix fusion
But what about properties with multiple antecedents?
This corresponds to multiple pattern matches:
We could run one big fusion step…
Match-fix fusion
We could run one big fusion step:
But there is no need, we can fuse each match in one by one:
Match-fix fusion
We can always fuse matches in one by one with no loss of simplifiability (proven)
Consider:
Certain definitions of here will block induction, hence ACL2 has heuristics for dropping antecedents
Fusion of just fails and we move on
no heuristics needed!
Compositionality of fusion
Fusion is a compositional approach: each step can be run one by one, e.g.
Fusion doesn’t require search
Simplifications are fully automatic.
If they happen in isolation they’ll happen in a larger proof/simplification.
If a proof needs
we don’t need to provide the lemma
we don’t need rules to guide rewriting (like rippling).
So far…
Fix-fix fusion, constructor fission and match-fix fusion can solve almost all of the properties I tested Zeno on.
Notably
All of the above has been implemented.
Now I will demonstrate the next phase of my work which simplifies
Verifying
Proving requires the lemma:
This lemma is not a generalisation of a sub-goal (sorry ACL2). This lemma contains functions which are not in the original definition (sorry HipSpec).
Verifying
We start with:
Mathematically impossible to fuse with
Verifying
We start with:
Let’s fuse with
Verifying
1. Unwrap
2. Simplify
3. No instances of to replace
Verifying
The problem is we have:
And we want:
We need to discover the definition of .
So we can rewrite
Fold-fix fission
We have
First the algorithm will fix-fix fuse
into some new function
Fold-fix fission
Now we want
This is just fission!
But this time instead of knowing and , and discovering
we know and , and must discover
Discovering
The trick is to assume is a fold function
A fold function over two booleans is two nested pattern matches
So we assume, for some , , , and
Discovering
Give us:
when when when when
and $F\,x\,(b_1, b_2) = b_1 \begin{cases} b_2 \begin{cases} E_1 \\ E_2 \end{cases} \\ b_2 \begin{cases} E_3 \\ E_4 \end{cases} \end{cases}$
Discovering
$F\,x\,(b_1, b_2) = b_1 \begin{cases} b_2 \begin{cases} \mathit{last}\ xs \le x \wedge x \le \mathit{head}\ ys \\ \mathit{False} \end{cases} \\ b_2 \begin{cases} \mathit{False} \\ \mathit{False} \end{cases} \end{cases}$
Discovering
We have discovered
Hence
Back to
1. Unwrap
2. Simplify
Use fold-fission on
Back to
2. … use fold-fission on
3. Replace with
Back to
Put the definition of back in (remember is the uninterpreted form of ):
Back to
Fix-fix fusion will fuse
If we recall our lemma…
This is the definition we get from fusing !
Fold-fix fission
I demonstrated fold-fix fission over a non-recursive datatype ()
But it generalises to recursive datatypes too!
I didn’t use the fission process much with ; it becomes necessary for recursive datatypes
No time to explain though
Conclusion
• Fix-fix fusion and constructor fission will do automated inductive proof for equational properties.
• Match-fix fusion will do automated inductive proof for implication properties.
• Fusion is compositional and requires no search space.
• Fold-fix fission is awesome.
Future work
• Finish implementation
• Proofs of completeness w.r.t. proof by induction
• Dependently typed fusion