PROOF WEAVING
Anne Mulhern
Computer Sciences Department
University of Wisconsin-Madison
Madison, WI USA
[email protected]
www.cs.wisc.edu/~mulhern
MM 2006 Proof Weaving 2
Modifying Proofs
must add new constructor
must fix broken scripts
Done! I’ll use tacticals to make my scripts more robust
must add new, dissimilar constructor
I’ll write a special purpose tactic
I will not ever graduate doing this
I could modify the proof objects
But they are very big and complex and structured
Mutual Antagonism
• Modular and incremental approaches are ubiquitous in computer science
• Theorem provers do not readily support certain kinds of modular or incremental proof development
  – Transparent dependencies invalidate existing proofs when underlying structures are changed
Proof Weaving
• A technique for combining
  – Separate proof objects
  – Of the same theorem
  – On different underlying structures
• And forming
  – A single proof object
  – Of the same theorem
  – On a combination of the underlying structures
Disclaimer
• There is no implementation
• Demo: me typing
Dependencies
• If L1 and L2 are two identifiers denoting definitions, lemmas, functions, or types, a dependency between L1 and L2 exists when L1 is a free identifier occurring in the λ-term associated with L2.
[Proof Reuse with Extended Inductive Types, Boite, 2004]
Dependencies on term
• For all lists of terms, either the length of the list is zero or the length of the list is greater than zero
• TmTrue, which is a term, is a value
• Equality on terms is decidable
Dependencies
• An object L has a transparent dependency with an inductive type I, if L has a dependency with an induction principle of I, or if a case analysis on type I is performed in the λ-term representing L.
• An object L has an opaque dependency with an inductive type I, if its dependency with I is not transparent.
[Proof Reuse with Extended Inductive Types, Boite, 2004]
Transparent Dependencies Bad
• If a constructor C is added to an inductive type I, wherever there is a transparent dependency on I the object that contains the transparent dependency must be updated to accommodate C.
  – Match case added
  – Additional argument passed to induction principle
Quiz: Transparent or Opaque?
For all lists of terms, either the length of the list is zero or the length of the list is greater than zero
Opaque!
Quiz: Transparent or Opaque?
TmTrue, which is a term, is a value
Opaque!
Quiz: Transparent or Opaque?
Equality on terms is decidable
Transparent!
Inductive term : Set :=
  | TmTrue : term
  | TmFalse : term.

Lemma eq_dec : forall (t t' : term), {t = t'} + {t <> t'}.
decide equality.
Qed.

Lemma eq_dec : forall (t t' : term), {t = t'} + {t <> t'}.
induction t. intro t'. case t'. left. reflexivity. right. discriminate.
intro t'. case t'. right. discriminate. left. reflexivity.
Qed.
Transparent Dependency on term

induction t. intro t'. case t'. left. reflexivity. right. discriminate.
intro t'. case t'. right. discriminate. left. reflexivity.
Qed.

induction t. intro t'. case t'. left. reflexivity. right. discriminate. right. discriminate.
intro t'. case t'. right. discriminate. left. reflexivity.
Qed.
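To make the transparent dependency concrete, here is an added Coq example (not code from the talk) that carries the eq_dec script through the extension of term with TmIf; the module names, the bullet-style script and the eq_dec_tac name are the example's own.

```coq
(* Added example, not from the talk: eq_dec's transparent dependency on
   term, before and after the constructor TmIf is added. *)
Module Before.
  Inductive term : Set := TmTrue : term | TmFalse : term.
  (* The proof term names every constructor (term's induction principle
     plus a match on t'), so it depends transparently on term. *)
  Lemma eq_dec : forall t t' : term, {t = t'} + {t <> t'}.
  Proof.
    induction t; intro t'; destruct t'.
    - left; reflexivity.
    - right; discriminate.
    - right; discriminate.
    - left; reflexivity.
  Qed.
End Before.

Module After.
  Inductive term : Set :=
    | TmTrue : term
    | TmFalse : term
    | TmIf : term -> term -> term -> term.
  (* decide equality enumerates the constructors at proof time, so this
     script survives the new constructor unchanged. *)
  Lemma eq_dec_tac : forall t t' : term, {t = t'} + {t <> t'}.
  Proof. decide equality. Qed.
  (* The four-branch script from Before no longer checks: there are now
     nine goals, and the TmIf/TmIf goal needs the induction hypotheses. *)
  Lemma eq_dec : forall t t' : term, {t = t'} + {t <> t'}.
  Proof.
    induction t as [| | t1 IH1 t2 IH2 t3 IH3]; intro t';
      destruct t' as [| | u1 u2 u3].
    - left; reflexivity.
    - right; discriminate.
    - right; discriminate.
    - right; discriminate.
    - left; reflexivity.
    - right; discriminate.
    - right; discriminate.
    - right; discriminate.
    - destruct (IH1 u1) as [E1 | N1];
        [ | right; intro H; injection H; intros; contradiction ].
      destruct (IH2 u2) as [E2 | N2];
        [ | right; intro H; injection H; intros; contradiction ].
      destruct (IH3 u3) as [E3 | N3];
        [ | right; intro H; injection H; intros; contradiction ].
      left; subst; reflexivity.
  Qed.
End After.
```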
False Transparent Dependencies
• Some transparent dependencies are false transparent dependencies
  – A case analysis is performed
  – Most constructors are irrelevant
• False transparent dependencies are removable
Outline
• False Transparent Dependencies
• True Transparent Dependencies
Transparent Dependencies
False Transparent Dependencies

(@eq_ind term TmTrue
   (fun e : term =>
      match e with
      | TmTrue => True
      | TmFalse => False
      | TmIf _ _ _ => False
      end)
   I (TmIf tm1 tm2 tm3) H1)

Type environment:
  eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y
  term : Set
  TmTrue : term
  TmFalse : term
  TmIf : term -> term -> term -> term
  True : Prop
  False : Prop
  I : True
  H1 : TmTrue = TmIf tm1 tm2 tm3
False Transparent Dependencies

(@eq_ind term TmTrue
   (fun e : term =>
      match e with
      | TmTrue => True
      | TmFalse => False
      | TmIf _ _ _ => False
      end)
   I (TmIf tm1 tm2 tm3) H1)

Instantiating the type of eq_ind one argument at a time, writing F for the predicate above:
  eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y
  @eq_ind term : forall (x : term) (P : term -> Prop), P x -> forall y : term, x = y -> P y
  @eq_ind term TmTrue : forall (P : term -> Prop), P TmTrue -> forall y : term, TmTrue = y -> P y
  @eq_ind term TmTrue F : F TmTrue -> forall y : term, TmTrue = y -> F y
  @eq_ind term TmTrue F I : forall y : term, TmTrue = y -> F y
  @eq_ind term TmTrue F I (TmIf tm1 tm2 tm3) : TmTrue = TmIf tm1 tm2 tm3 -> F (TmIf tm1 tm2 tm3)
  @eq_ind term TmTrue F I (TmIf tm1 tm2 tm3) H1 : F (TmIf tm1 tm2 tm3), which reduces to False
False Transparent Dependencies

(fun e : term =>
   match e with
   | TmTrue => True
   | TmFalse => False
   | TmIf _ _ _ => False
   end)

(fun e : term =>
   match e with
   | TmTrue => True
   | TmIf _ _ _ => False
   | _ => 0 = 1
   end)
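The wildcard rewrite above, as an added Coq example that is not from the talk: the eq_ind instance is built on the predicate with a catch-all case, and a fourth constructor is then added to term to show which form survives. The module names, the predicate names and the extra constructor TmZero are assumptions made for the example.

```coq
(* Added example, not from the talk: a false transparent dependency in the
   predicate passed to eq_ind, and its wildcard fix. The extra constructor
   TmZero in Extended is an assumption made up for the example. *)
Module Original.
  Inductive term : Set :=
    | TmTrue : term | TmFalse : term | TmIf : term -> term -> term -> term.
  (* Wildcard form: only the constructors the proof distinguishes are
     named; the slide's 0 = 1 stands in for "irrelevant". *)
  Definition true_vs_if (e : term) : Prop :=
    match e with
    | TmTrue => True
    | TmIf _ _ _ => False
    | _ => 0 = 1
    end.
  (* The eq_ind instance from the slide: I : true_vs_if TmTrue is carried
     along H1 to true_vs_if (TmIf tm1 tm2 tm3), which reduces to False. *)
  Lemma true_not_if : forall tm1 tm2 tm3 : term, TmTrue <> TmIf tm1 tm2 tm3.
  Proof.
    intros tm1 tm2 tm3 H1.
    exact (@eq_ind term TmTrue true_vs_if I (TmIf tm1 tm2 tm3) H1).
  Qed.
End Original.

Module Extended.
  Inductive term : Set :=
    | TmTrue : term | TmFalse : term | TmIf : term -> term -> term -> term
    | TmZero : term.
  (* One case per constructor is now non-exhaustive: Fail succeeds
     precisely because Coq rejects this definition. *)
  Fail Definition true_vs_if_full (e : term) : Prop :=
    match e with
    | TmTrue => True
    | TmFalse => False
    | TmIf _ _ _ => False
    end.
  (* The wildcard form, and the proof built on it, need no change. *)
  Definition true_vs_if (e : term) : Prop :=
    match e with
    | TmTrue => True
    | TmIf _ _ _ => False
    | _ => 0 = 1
    end.
  Lemma true_not_if : forall tm1 tm2 tm3 : term, TmTrue <> TmIf tm1 tm2 tm3.
  Proof.
    intros tm1 tm2 tm3 H1.
    exact (@eq_ind term TmTrue true_vs_if I (TmIf tm1 tm2 tm3) H1).
  Qed.
End Extended.
```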
False Transparent Dependencies
• Easily identified
• Fixable
Outline
• False Transparent Dependencies
• True Transparent Dependencies
  – Syntactically similar subterms

Syntactically Similar Subterms
Template Extraction

match H0 in (typeof t t0)
  return (t = TmIf tm1 tm2 tm3 -> t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
with
| TTrue => fun (H1 : TmTrue = TmIf tm1 tm2 tm3) (H2 : TyBool = x) =>
    False_ind (TyBool = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
      (@eq_ind term TmTrue
         (fun e : term => match e with | TmTrue => True | TmIf _ _ _ => False | _ => 0 = 1 end)
         I (TmIf tm1 tm2 tm3) H1)
      H2
Template Extraction

template (H0 : typeof t t0) => H0 =>
  fun (H1 : t = TmIf tm1 tm2 tm3) (H2 : t0 = x) =>
    False_ind (t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
      (@eq_ind term t
         (fun e : term => match e with | t => True | TmIf _ _ _ => False | _ => 0 = 1 end)
         I (TmIf tm1 tm2 tm3) H1)
      H2
Term Reconstruction
Example: if

true : Bool
false : Bool

t1 : Bool    t2 : T    t3 : T
-----------------------------
if t1 then t2 else t3 : T

If an if statement is well typed then it can be further evaluated.
False
The if statement can be further evaluated.
Observation
• False transparent dependencies and true transparent dependencies with syntactically similar subterms
  – Arise frequently
  – Are easily identified
  – Are tractable
To Weave Proof Objects…
• Remove false dependencies in each proof object
• For each proof object
  – Reconstruct proof subterms corresponding to the constructors in the other proof object
    • Reject those terms that are not well-typed
• Weave subterms from each proof together
How is this technique working?
• Algorithm performed by hand
• Numerous small examples
• References + if statements
  – Each separate proof has several hundred lines of code
  – Six subgoals presented to refine tactic
• Must move to implementation
Could this technique be useful?
• Yes
  – Size of proof is roughly polynomial in number of constructors
  – “Developer effort” linear?
Related Work
• Proof Reuse with Extended Inductive Types [Olivier Boite, TPHOLs 2004]
• Generating Generic Functions [Johan Jeuring, Alexey Rodriguez, Gideon Smeding, WGP 2006]
• Plagiator - A learning prover [Thomas Kolbe and Jürgen Brauburger, CADE-14 1997]
Topics Not Covered
• Mapping generated proof to proof script
• Simplifying proof terms for easier template extraction
• Removing or changing (rather than adding) constructors
• Changing the proof statement
Future Work
• Implementation
  – Requires Coq infrastructure
    • Typechecker
    • Tools for manipulating AST
• Supporting refactorings
Conclusion
• Proof Weaving
  – Addresses the drawbacks of tactic reuse and specialized tactics
  – Is a general technique
  – Especially suitable for proofs of programming language properties
  – Preliminary results are encouraging