PROOF WEAVING
Anne Mulhern
Computer Sciences Department, University of Wisconsin-Madison, Madison, WI, USA
mulhern@cs.wisc.edu
www.cs.wisc.edu/~mulhern
MM 2006

Slide 2: Modifying Proofs
[Figure: a cartoon of the choices a developer faces when an existing proof breaks. Recoverable captions: "I'll use tacticals to modify", "I must write new scripts", "I'll add a special-purpose tactic", "I must fix broken scripts", "my proof objects are very dissimilar", "the constructor is not new", "big and complex constructor", "Done!". The image itself is not recoverable.]

Slide 3: Mutual Antagonism
• Modular and incremental approaches are ubiquitous in computer science
• Theorem provers do not readily support certain kinds of modular or incremental proof development
  – Transparent dependencies invalidate existing proofs when underlying structures are changed

Slide 4: Proof Weaving
• A technique for combining
  – Separate proof objects
  – Of the same theorem
  – On different underlying structures
• And forming
  – A single proof object
  – Of the same theorem
  – On a combination of the underlying structures

Slide 5: Disclaimer
• There is no implementation
• Demo: me typing

Slide 6: Dependencies
• If L1 and L2 are two identifiers denoting definitions, lemmas, functions, or types, a dependency between L1 and L2 exists when L1 is a free identifier occurring in the λ-term associated with L2.
  [Proof Reuse with Extended Inductive Types, Boite, 2004]

Slide 7: Dependencies on term
• For all lists of terms, either the length of the list is zero or the length of the list is greater than zero
• TmTrue, which is a term, is a value
• Equality on terms is decidable

Slide 8: Dependencies
• An object L has a transparent dependency with an inductive type I if L has a dependency with an induction principle of I, or if a case analysis on type I is performed in the λ-term representing L.
• An object L has an opaque dependency with an inductive type I if its dependency with I is not transparent.
  [Proof Reuse with Extended Inductive Types, Boite, 2004]

Slide 9: Transparent Dependencies Bad
• If a constructor C is added to an inductive type I, then wherever there is a transparent dependency on I, the object that contains the transparent dependency must be updated to accommodate C.
  – Match case added
  – Additional argument passed to induction principle

Slide 10: Quiz: Transparent or Opaque?
For all lists of terms, either the length of the list is zero or the length of the list is greater than zero
Opaque!

Slide 11: Quiz: Transparent or Opaque?
TmTrue, which is a term, is a value
Opaque!

Slide 12: Quiz: Transparent or Opaque?
Equality on terms is decidable
Transparent!

Slide 13
Decidable equality on term, proved two ways. First with the decide equality tactic:

Inductive term : Set :=
| TmTrue : term
| TmFalse : term.

Lemma eq_dec : forall (t t' : term), {t = t'} + {t <> t'}.
decide equality.
Qed.

Then with an explicit induction and case analysis:

Lemma eq_dec : forall (t t' : term), {t = t'} + {t <> t'}.
induction t.
intro t'. case t'.
left. reflexivity.
right. discriminate.
intro t'. case t'.
right. discriminate.
left. reflexivity.
Qed.

Slides 14–16: Transparent Dependency on term
[Figures only: the explicit script above with its dependencies on term highlighted. Images not recoverable.]

Slide 17: Transparent dependency on term
The explicit script before and after a third constructor is added to term. Each case analysis gains a case and the induction gains a subgoal. (The slide shows the two scripts in side-by-side columns; the columns were interleaved by extraction and are separated here.)

Before:
induction t.
intro t'. case t'.
left. reflexivity.
right. discriminate.
intro t'. case t'.
right. discriminate.
left. reflexivity.
Qed.

After:
induction t.
intro t'. case t'.
left. reflexivity.
right. discriminate.
right. discriminate.
intro t'. case t'.
right. discriminate.
left. reflexivity.
right. discriminate.
intro t'. case t'.
right. discriminate.
right. discriminate.
left. reflexivity.
Qed.
Slide 18: False Transparent Dependencies
• Some transparent dependencies are false transparent dependencies
  – A case analysis is performed
  – Most constructors are irrelevant
• False transparent dependencies are removable

Slides 19–20: Outline
• False Transparent Dependencies
• True Transparent Dependencies

Slides 21–22: Transparent Dependencies
[Figures only; images not recoverable.]

Slide 23: False Transparent Dependencies
The proof term, with the type environment the slide displays beside it:

(@eq_ind term TmTrue
   (fun e : term =>
      match e with
      | TmTrue => True
      | TmFalse => False
      | TmIf _ _ _ => False
      end)
   I (TmIf tm1 tm2 tm3) H1)

Type environment:
eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y
term : Set
TmTrue : term
TmFalse : term
TmIf : term -> term -> term -> term
True : Prop
False : Prop
I : True
H1 : TmTrue = TmIf tm1 tm2 tm3

Slide 24: False Transparent Dependencies
The types of the successive partial applications of eq_ind in the term above, writing F for the match function:

@eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y
@eq_ind term : forall (x : term) (P : term -> Prop), P x -> forall y : term, x = y -> P y
@eq_ind term TmTrue : forall (P : term -> Prop), P TmTrue -> forall y : term, TmTrue = y -> P y
@eq_ind term TmTrue F : F TmTrue -> forall y : term, TmTrue = y -> F y
@eq_ind term TmTrue F I : forall y : term, TmTrue = y -> F y
@eq_ind term TmTrue F I (TmIf tm1 tm2 tm3) : TmTrue = TmIf tm1 tm2 tm3 -> F (TmIf tm1 tm2 tm3)
@eq_ind term TmTrue F I (TmIf tm1 tm2 tm3) H1 : F (TmIf tm1 tm2 tm3), which reduces to False

Slide 25: False Transparent Dependencies
The match function in three stages: as written, with the irrelevant TmFalse case dropped, and with a wildcard default so that the match is exhaustive without naming any other constructor.

(fun e : term =>
   match e with
   | TmTrue => True
   | TmFalse => False
   | TmIf _ _ _ => False
   end)

(fun e : term =>
   match e with
   | TmTrue => True
   | TmIf _ _ _ => False
   end)

(fun e : term =>
   match e with
   | TmTrue => True
   | TmIf _ _ _ => False
   | _ => 0 = 1
   end)

Slide 26: False Transparent Dependencies
[Figure only; image not recoverable.]

Slide 27: False Transparent Dependencies
• Easily identified
• Fixable
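As an added worked example (not from the slides), the discriminating proof term from slide 23 is written out twice in Coq over the deck's three-constructor term: once naming every constructor, once with the wildcard default from slide 25. Adding a fourth constructor to term (the commented-out line) makes the first match non-exhaustive while the second still typechecks; the lemma names are assumed for this example.

```coq
Inductive term : Set :=
| TmTrue : term
| TmFalse : term
| TmIf : term -> term -> term -> term
(* | TmZero : term *)  (* uncomment to add a constructor and watch which lemma breaks *)
.

(* Every constructor named: a false transparent dependency on term.
   A new constructor makes this match non-exhaustive, so the lemma no longer typechecks. *)
Lemma true_not_if_fragile : forall tm1 tm2 tm3 : term, TmTrue <> TmIf tm1 tm2 tm3.
Proof.
  intros tm1 tm2 tm3 H1.
  exact (@eq_ind term TmTrue
           (fun e : term =>
              match e with
              | TmTrue => True
              | TmFalse => False
              | TmIf _ _ _ => False
              end)
           I (TmIf tm1 tm2 tm3) H1).
Qed.

(* Only the two constructors the argument needs are named; every other constructor,
   present or future, falls into the wildcard case with an arbitrary false proposition.
   P TmTrue reduces to True (inhabited by I) and P (TmIf ...) reduces to False. *)
Lemma true_not_if_robust : forall tm1 tm2 tm3 : term, TmTrue <> TmIf tm1 tm2 tm3.
Proof.
  intros tm1 tm2 tm3 H1.
  exact (@eq_ind term TmTrue
           (fun e : term =>
              match e with
              | TmTrue => True
              | TmIf _ _ _ => False
              | _ => 0 = 1
              end)
           I (TmIf tm1 tm2 tm3) H1).
Qed.
```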
Slides 28–29: Outline
• False Transparent Dependencies
• True Transparent Dependencies
  – Syntactically similar subterms

Slide 30: Syntactically Similar Subterms
[Figure only; image not recoverable.]

Slide 31: Template Extraction
The TTrue branch of a case analysis on the typing derivation H0, taken from the proof that a well-typed if statement can be further evaluated:

match H0 in (typeof t t0)
  return (t = TmIf tm1 tm2 tm3 -> t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
with
| TTrue =>
    fun (H1 : TmTrue = TmIf tm1 tm2 tm3) (H2 : TyBool = x) =>
      False_ind (TyBool = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
        (@eq_ind term TmTrue
           (fun e : term =>
              match e with
              | TmTrue => True
              | TmIf _ _ _ => False
              | _ => 0 = 1
              end)
           I (TmIf tm1 tm2 tm3) H1)
        H2

Slide 32: Template Extraction
The same branch with the constructor-specific parts (TmTrue, TyBool) abstracted into the template variables t and t0:

template (H0 : typeof t t0) => H0 =>
  fun (H1 : t = TmIf tm1 tm2 tm3) (H2 : t0 = x) =>
    False_ind (t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0)
      (@eq_ind term t
         (fun e : term =>
            match e with
            | t => True
            | TmIf _ _ _ => False
            | _ => 0 = 1
            end)
         I (TmIf tm1 tm2 tm3) H1)
      H2

Slide 33: Term Reconstruction
[Figure only; image not recoverable.]

Slide 34: Example: if
If an if statement is well typed then it can be further evaluated. One case per typing rule:

Case true : Bool
  False
  ------------------------------------------
  The if statement can be further evaluated.

Case false : Bool
  False
  ------------------------------------------
  The if statement can be further evaluated.

Case t1 : Bool   t2 : T   t3 : T
     ----------------------------
     if t1 then t2 else t3 : T
  The if statement can be further evaluated.

Slide 35: Observation
• False transparent dependencies and true transparent dependencies with syntactically similar subterms
  – Arise frequently
  – Are easily identified
  – Are tractable

Slide 36: To Weave Proof Objects…
• Remove false dependencies in each proof object
• For each proof object
  – Reconstruct proof subterms corresponding to the constructors in the other proof object
• Reject those terms that are not well-typed
• Weave subterms from each proof together

Slide 37: How is this technique working?
• Algorithm performed by hand
• Numerous small examples
• References + if statements
  – Each separate proof has several hundred lines of code
  – Six subgoals presented to refine tactic
• Must move to implementation

Slide 38: Could this technique be useful?
• Yes
  – Size of proof is roughly polynomial in number of constructors
  – "Developer effort" linear?

Slide 39: Related Work
• Proof Reuse with Extended Inductive Types [Olivier Boite, TPHOLs 2004]
• Generating Generic Functions [Johan Jeuring, Alexey Rodriguez, Gideon Smeding, WGP 2006]
• Plagiator - A learning prover [Thomas Kolbe and Jürgen Brauburger, CADE-14 1997]

Slide 40: Topics Not Covered
• Mapping generated proof to proof script
• Simplifying proof terms for easier template extraction
• Removing or changing (rather than adding) constructors
• Changing the proof statement

Slide 41: Future Work
• Implementation
  – Requires Coq infrastructure
    • Typechecker
    • Tools for manipulating AST
• Supporting refactorings

Slide 42: Conclusion
• Proof Weaving
  – Addresses the drawbacks of tactic reuse and specialized tactics
  – Is a general technique
  – Especially suitable for proofs of programming language properties
  – Preliminary results are encouraging