PROOF WEAVING


           Anne Mulhern
  Computer Sciences Department
  University of Wisconsin-Madison
          Madison, WI USA
       mulhern@cs.wisc.edu
    www.cs.wisc.edu/~mulhern
                                 Modifying Proofs

[Figure: the image did not survive extraction. Legible fragments of its text: "I'll use tacticals to ... modify", "I could add special ... purpose tactic", "must fix a broken ... proof", "will they ever ... robust", "graduate ... complex", "Done!"]



MM 2006                                           Proof Weaving          2
           Mutual Antagonism
• Modular and incremental approaches are
  ubiquitous in computer science
• Theorem provers do not readily support
  certain kinds of modular or incremental
  proof development
    – Transparent dependencies invalidate existing
      proofs when underlying structures are changed


               Proof Weaving
• A technique for combining
    – Separate proof objects
    – Of the same theorem
    – On different underlying structures
• And forming
    – A single proof object
    – Of the same theorem
    – On a combination of the underlying structures

              Disclaimer
• There is no implementation
• Demo: me typing




              Dependencies
• If L1 and L2 are two identifiers denoting
  definitions, lemmas, functions, or types, a
  dependency between L1 and L2 exists when
  L1 is a free identifier occurring in the λ-term
  associated with L2.



                    [Proof Reuse with Extended Inductive Types, Boite, 2004]
          Dependencies on term
• Forall lists of terms, either the length of
  the list is zero or the length of the list is
  greater than zero
• TmTrue, which is a term, is a value
• Equality on terms is decidable



             Dependencies
• An object L has a transparent dependency
  with an inductive type I, if L has a
  dependency with an induction principle of I,
  or if a case analysis on type I is performed
  in the -term representing L.
• An object L has an opaque dependency
  with an inductive type I, if its dependency
  with I is not transparent.
                  [Proof Reuse with Extended Inductive Types, Boite, 2004]
  Transparent Dependencies Bad
• If a constructor C is added to an inductive
  type I, wherever there is a transparent
  dependency on I the object that contains the
  transparent dependency must be updated to
  accommodate C.
    – Match case added
    – Additional argument passed to induction
      principle
   Quiz: Transparent or Opaque?

Forall lists of terms, either the length of
the list is zero or the length of the list is
greater than zero


                   Opaque!


   Quiz: Transparent or Opaque?
     TmTrue, which is a term, is a value




                  Opaque!



   Quiz: Transparent or Opaque?
          Equality on terms is decidable




                  Transparent!
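The three quiz statements written out as Coq lemmas, so that the classification can be checked against the definition rather than guessed. This is an added example, not part of the slides: term, TmTrue, TmFalse and eq_dec follow the deck, while the value predicate, the lemma names and the proof of the list lemma are assumptions of mine. The test the definition prescribes is to Print each proof term and look for term_rec, term_ind or a match on term.

```coq
(* Added example (not from the slides): the quiz statements as lemmas.
   term/TmTrue/TmFalse/eq_dec are the slides' names; value, the lemma
   names and the list proof are assumptions made here. *)
Inductive term : Set :=
  | TmTrue : term
  | TmFalse : term.

Inductive value : term -> Prop :=
  | VTrue : value TmTrue
  | VFalse : value TmFalse.

(* Opaque: the proof cases on the list, never on a term, so no
   induction principle or case analysis of term appears in it. *)
Lemma length_zero_or_pos : forall l : list term,
  length l = 0 \/ length l > 0.
Proof.
  intro l. destruct l as [| x l'].
  - left. reflexivity.
  - right. simpl. unfold gt, lt. apply le_n_S. apply le_0_n.
Qed.

(* Opaque: the proof term is just the constructor VTrue. TmTrue occurs
   in it (so a dependency on term exists), but no term_ind, term_rec or
   match on term does. *)
Lemma tmtrue_value : value TmTrue.
Proof. apply VTrue. Qed.

(* Transparent: decide equality builds a term that cases on both t and
   t', so every constructor of term is named inside the proof term and
   a new constructor would leave the match non-exhaustive. *)
Lemma eq_dec : forall (t t' : term), {t = t'} + {t <> t'}.
Proof. decide equality. Qed.

(* Inspect the proof terms; only the last one mentions term_rec or
   matches on a term. *)
Print length_zero_or_pos.
Print tmtrue_value.
Print eq_dec.
```

Run the file in coqc or CoqIDE and read the three Print outputs: the first two contain no case analysis on term at all, the third is built from term_rec (or a nested match on term), which is exactly what the definition of a transparent dependency asks for.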



          Inductive term : Set :=
            | TmTrue : term
            | TmFalse : term
          .

          Lemma eq_dec : forall (t t' : term),
            {t = t'} + {t <> t'}.
          decide equality.
          Qed.

          (* The same lemma proved by explicit induction and case
             analysis; it carries a second name here only so that
             both scripts load in one file. *)
          Lemma eq_dec_explicit : forall (t t' : term),
            {t = t'} + {t <> t'}.
          induction t.
            intro t'. case t'.
               left. reflexivity.
               right. discriminate.
            intro t'. case t'.
               right. discriminate.
               left. reflexivity.
          Qed.
Transparent Dependency on term

[Three figure slides; the images did not survive extraction.]

Transparent dependency on term
           (* The transparent dependencies of this script, by the
              definition above: "induction t" invokes the induction
              principle of term, "case t'" performs a case analysis on
              term, and each of the four leaves below belongs to one
              ordered pair of constructors. Adding a constructor
              changes the number of goals every one of them produces. *)
           induction t.
             intro t'. case t'.
                left. reflexivity.
                right. discriminate.
             intro t'. case t'.
                right. discriminate.
                left. reflexivity.
           Qed.
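What the transparent dependency costs in practice, as an added example that is not part of the slides: the two eq_dec scripts above, after the third constructor TmIf (the one the later slides use) is added to term. The decide equality script loads unchanged. The explicit script breaks, because "induction t" now yields three goals and each "case t'" opens three branches, so the old left/right sequence no longer lines up with the goals, and the TmIf/TmIf branch additionally needs the induction hypotheses for the three subterms. The rewritten explicit script below, its name eq_dec_explicit and the intro-pattern names are mine.

```coq
(* Added example (not from the slides): the slides' term with the TmIf
   constructor added, and both eq_dec scripts after the change. *)
Inductive term : Set :=
  | TmTrue : term
  | TmFalse : term
  | TmIf : term -> term -> term -> term.

(* The tactic never names a constructor, so this script is unaffected
   by the new constructor (the proof term it builds still is). *)
Lemma eq_dec : forall (t t' : term), {t = t'} + {t <> t'}.
Proof.
  decide equality.
Qed.

(* The explicit script as it must be rewritten for the extended type.
   Name eq_dec_explicit and the pattern names are assumptions. *)
Lemma eq_dec_explicit : forall (t t' : term), {t = t'} + {t <> t'}.
Proof.
  induction t as [ | | t1 IH1 t2 IH2 t3 IH3]; intro t';
    destruct t' as [ | | t1' t2' t3'];
    (* head constructors differ: the two sides are distinct *)
    try (right; discriminate);
    (* same nullary constructor: the two sides are equal *)
    try (left; reflexivity).
  (* one goal is left: {TmIf t1 t2 t3 = TmIf t1' t2' t3'} + {...};
     decide it from the induction hypotheses on the three subterms,
     one argument at a time *)
  destruct (IH1 t1') as [E1 | N1];
    [ | right; intro H; injection H; intros; apply N1; assumption ].
  destruct (IH2 t2') as [E2 | N2];
    [ | right; intro H; injection H; intros; apply N2; assumption ].
  destruct (IH3 t3') as [E3 | N3];
    [ | right; intro H; injection H; intros; apply N3; assumption ].
  subst. left. reflexivity.
Qed.
```

The first script is exactly the "tactic reuse" the conclusion slide mentions: it survives this change but only because decide equality happens to handle recursive constructors; a script written for a structure the tactic does not cover would have to be edited by hand like the second one.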


 False Transparent Dependencies
• Some transparent dependencies are false
  transparent dependencies
    – A case analysis is performed
    – Most constructors are irrelevant
• False transparent dependencies are
  removable


                Outline
• False Transparent Dependencies
• True Transparent Dependencies




          Transparent Dependencies

[Two figure slides; the images did not survive extraction.]

      False Transparent Dependencies

  Proof term:

      (@eq_ind term TmTrue
         (fun e : term =>
            match e with
            | TmTrue => True
            | TmFalse => False
            | TmIf _ _ _ => False
            end)
         I (TmIf tm1 tm2 tm3) H1)

  Type environment:

      eq_ind : forall (A : Type) (x : A) (P : A -> Prop),
               P x -> forall y : A, x = y -> P y
      term : Set
      TmTrue : term
      TmFalse : term
      TmIf : term -> term -> term -> term
      True : Prop
      False : Prop
      I : True
      H1 : TmTrue = TmIf tm1 tm2 tm3


      False Transparent Dependencies

  Typing the proof term one argument at a time (F abbreviates the
  match function above):

      @eq_ind
        : forall (A : Type) (x : A) (P : A -> Prop),
          P x -> forall y : A, x = y -> P y
      @eq_ind term
        : forall (x : term) (P : term -> Prop),
          P x -> forall y : term, x = y -> P y
      @eq_ind term TmTrue
        : forall (P : term -> Prop),
          P TmTrue -> forall y : term, TmTrue = y -> P y
      @eq_ind term TmTrue F
        : F TmTrue -> forall y : term, TmTrue = y -> F y
      @eq_ind term TmTrue F I
        : forall y : term, TmTrue = y -> F y
      @eq_ind term TmTrue F I (TmIf tm1 tm2 tm3)
        : TmTrue = TmIf tm1 tm2 tm3 -> F (TmIf tm1 tm2 tm3)
      @eq_ind term TmTrue F I (TmIf tm1 tm2 tm3) H1
        : F (TmIf tm1 tm2 tm3), which reduces to False


  False Transparent Dependencies

  Before (every constructor named):        After (irrelevant constructors
                                            collapsed into a wildcard):

   (fun e : term =>                         (fun e : term =>
    match e with                             match e with
    | TmTrue => True                         | TmTrue => True
    | TmFalse => False                       | TmIf _ _ _ => False
    | TmIf _ _ _ => False                    | _ => 0 = 1
    end)                                     end)
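The proof term from these slides and its repaired form, written out as Coq definitions so the type checker can confirm both, followed by what happens to each when a fourth constructor is added. This is an added example, not code from the slides: the definition names, the module name Extended and the extra constructor TmZero are assumptions of mine; the two match functions and the eq_ind application are the slides' own.

```coq
(* Added example (not from the slides). term, TmTrue, TmFalse, TmIf and
   the eq_ind term follow the deck; the definition names, TmZero and the
   module Extended are assumptions made here. *)
Inductive term : Set :=
  | TmTrue : term
  | TmFalse : term
  | TmIf : term -> term -> term -> term.

(* The slides' term: transport I : True along H1 through a predicate
   that sends TmTrue to True and everything else to False. Only TmTrue
   and TmIf matter, yet TmFalse is named too: a false transparent
   dependency. *)
Definition true_ne_if (tm1 tm2 tm3 : term)
    (H1 : TmTrue = TmIf tm1 tm2 tm3) : False :=
  @eq_ind term TmTrue
    (fun e : term =>
       match e with
       | TmTrue => True
       | TmFalse => False
       | TmIf _ _ _ => False
       end)
    I (TmIf tm1 tm2 tm3) H1.

(* The same proof with the false dependency removed, as on the slide. *)
Definition true_ne_if' (tm1 tm2 tm3 : term)
    (H1 : TmTrue = TmIf tm1 tm2 tm3) : False :=
  @eq_ind term TmTrue
    (fun e : term =>
       match e with
       | TmTrue => True
       | TmIf _ _ _ => False
       | _ => 0 = 1
       end)
    I (TmIf tm1 tm2 tm3) H1.

(* Add a constructor. The wildcard version still type-checks; the
   explicit version is rejected because its match is no longer
   exhaustive. "Fail" makes Coq accept the file only if that command
   really fails. *)
Module Extended.
  Inductive term : Set :=
    | TmTrue : term
    | TmFalse : term
    | TmIf : term -> term -> term -> term
    | TmZero : term.

  Definition true_ne_if' (tm1 tm2 tm3 : term)
      (H1 : TmTrue = TmIf tm1 tm2 tm3) : False :=
    @eq_ind term TmTrue
      (fun e : term =>
         match e with
         | TmTrue => True
         | TmIf _ _ _ => False
         | _ => 0 = 1
         end)
      I (TmIf tm1 tm2 tm3) H1.

  Fail Definition true_ne_if (tm1 tm2 tm3 : term)
      (H1 : TmTrue = TmIf tm1 tm2 tm3) : False :=
    @eq_ind term TmTrue
      (fun e : term =>
         match e with
         | TmTrue => True
         | TmFalse => False
         | TmIf _ _ _ => False
         end)
      I (TmIf tm1 tm2 tm3) H1.
End Extended.
```

Both definitions have type False given H1, so they are interchangeable as proofs; the difference is only in which constructors the proof term mentions, which is what decides whether it survives the next change to term.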




 False Transparent Dependencies

[Figure slide; the image did not survive extraction.]

 False Transparent Dependencies
• Easily identified
• Fixable




                    Outline
• False Transparent Dependencies
• True Transparent Dependencies
    – Syntactically similar subterms




   Syntactically Similar Subterms

[Figure slide; the image did not survive extraction.]

              Template Extraction
   match
    H0 in (typeof t t0)
    return
     (t = TmIf tm1 tm2 tm3 ->
       t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
    with
     | TTrue =>
          fun (H1 : TmTrue = TmIf tm1 tm2 tm3) (H2 : TyBool = x) =>
          False_ind
            (TyBool = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
             (@eq_ind term TmTrue
               (fun e : term =>
                match e with
                | TmTrue => True
                | TmIf _ _ _ => False
                | _ => 0 = 1
                end) I (TmIf tm1 tm2 tm3) H1) H2
               Template Extraction
      template (H0 : typeof t t0) =>
          H0 =>
            fun (H1 : t = TmIf tm1 tm2 tm3) (H2 : t0 = x) =>
            False_ind
              (t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
               (@eq_ind term t
                 (fun e : term =>
                  match e with
                  | t => True
                  | TmIf _ _ _ => False
                  | _ => 0 = 1
                  end) I (TmIf tm1 tm2 tm3) H1) H2




          Term Reconstruction

[Figure slide; the image did not survive extraction.]

                                 Example: if
             If an if statement is well typed then it can be further evaluated.

  Case analysis on the typing derivation of the if statement:

    rule that ends the derivation         what the case yields
    ------------------------------        ---------------------------------------
    true : Bool                           False: the case is impossible (this is
                                          the False_ind branch of the Template
                                          Extraction term), so the if statement
                                          can be further evaluated

    false : Bool                          False: the case is impossible, so the
                                          if statement can be further evaluated

    t1 : Bool   t2 : T   t3 : T
    ---------------------------           the if statement can be further
    if t1 then t2 else t3 : T             evaluated
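The claim on this slide carried through in Coq, as an added example that is not part of the deck. The statement proved is the usual progress theorem, whose TIf case is exactly the slide's claim and splits on the guard the way the table does: true, false, or an if that itself steps. The names typeof, eval, TTrue and TyBool are the ones the Template Extraction slide uses; ty, value, the remaining constructor names and the three evaluation rules are assumptions of mine.

```coq
(* Added example (not from the slides): a minimal boolean language.
   typeof, eval, TTrue and TyBool are the slides' names; everything
   else is assumed here. *)
Inductive ty : Set := TyBool : ty.

Inductive term : Set :=
  | TmTrue : term
  | TmFalse : term
  | TmIf : term -> term -> term -> term.

Inductive typeof : term -> ty -> Prop :=
  | TTrue  : typeof TmTrue TyBool
  | TFalse : typeof TmFalse TyBool
  | TIf : forall t1 t2 t3 T,
      typeof t1 TyBool -> typeof t2 T -> typeof t3 T ->
      typeof (TmIf t1 t2 t3) T.

(* Small-step evaluation: the three rules the slide's case split needs. *)
Inductive eval : term -> term -> Prop :=
  | EIfTrue  : forall t2 t3, eval (TmIf TmTrue t2 t3) t2
  | EIfFalse : forall t2 t3, eval (TmIf TmFalse t2 t3) t3
  | EIf : forall t1 t1' t2 t3,
      eval t1 t1' -> eval (TmIf t1 t2 t3) (TmIf t1' t2 t3).

Inductive value : term -> Prop :=
  | VTrue  : value TmTrue
  | VFalse : value TmFalse.

(* Progress. The TIf case is the slide's claim; the guard is either a
   value (true or false) or, by the induction hypothesis, steps. Adding
   a constructor to term or typeof adds a case to this induction: a
   transparent dependency on both types. *)
Theorem progress : forall t T,
  typeof t T -> value t \/ exists t', eval t t'.
Proof.
  intros t T H.
  induction H as [ | | t1 t2 t3 T' H1 IH1 H2 IH2 H3 IH3].
  - left. apply VTrue.
  - left. apply VFalse.
  - right. destruct IH1 as [V | [t1' S]].
    + inversion V; subst.
      * exists t2. apply EIfTrue.
      * exists t3. apply EIfFalse.
    + exists (TmIf t1' t2 t3). apply EIf. exact S.
Qed.
```

Print progress afterwards to see the match on the typeof derivation that the Template Extraction slide shows a fragment of; the TTrue and TFalse branches there are the two "False" rows of the table above.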



                  Observation
• False transparent dependencies and true
  transparent dependencies with
  syntactically similar subterms
    – Arise frequently
    – Are easily identified
    – Are tractable



          To Weave Proof Objects…
• Remove false dependencies in each proof
  object
• For each proof object
    – Reconstruct proof subterms corresponding to
      the constructors in the other proof object
          • Reject those terms that are not well-typed
• Weave subterms from each proof together


  How is this technique working?
• Algorithm performed by hand
• Numerous small examples
• References + if statements
    – Each separate proof has several hundred lines
      of code
    – Six subgoals presented to refine tactic
• Must move to implementation

  Could this technique be useful?
• Yes
    – Size of proof is roughly polynomial in number
      of constructors
    – “Developer effort” linear?




            Related Work
• Proof Reuse with Extended Inductive Types
  [Olivier Boite, TPHOLs 2004]
• Generating Generic Functions [Johan
  Jeuring, Alexey Rodriguez, Gideon
  Smeding, WGP 2006]
• Plagiator - A Learning Prover [Thomas
  Kolbe and Jürgen Brauburger, CADE-14,
  1997]

          Topics Not Covered
• Mapping generated proof to proof script
• Simplifying proof terms for easier template
  extraction
• Removing or changing (rather than adding)
  constructors
• Changing the proof statement


                    Future Work
• Implementation
    – Requires Coq infrastructure
          • Typechecker
          • Tools for manipulating AST
• Supporting refactorings




                  Conclusion
• Proof Weaving
    – Addresses the drawbacks of tactic reuse and
      specialized tactics
    – Is a general technique
    – Especially suitable for proofs of programming
      language properties
    – Preliminary results are encouraging

