Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu (Urbana)
Overview Motivation –Our approach to certification Membership Equational Logic (MEL) –Maude Formalizing MEL Proof Objects Certifying MEL Proof Objects Synthesizing MEL Proof Objects –Handling decision procedures (AC matching) Conclusion
Motivation Software certification –In order to trust the result of a verification task, one should first trust the theorem prover Heterogeneous formalisms and proofs –Practice showed there is no silver-bullet logic –Each feature can be best expressed in a specific formalism –Efficient equational engines: ELAN, Maude How can one trust them in heterogeneous settings?
Our Approach to Certification I Provers or decision procedures synthesize correctness certificates (proofs) Independent and straightforward checkers certify the generated proofs Product-oriented certification approach –Avoid verifying the theorem provers or the decission procedures involved Hard tasks, because they are big and changing –Check each correctness proof separately
Our Approach to Certification II To be trusted, easily validated, effective and general, certifiers must be –Straightforward and small Preferably less than 1,000 lines of C –Fast Linear in the size of the certificate Which implies that –Proof objects need to be very detailed Can be quite large –Proof object synthesizers should follow the logic not the particular prover, which is typically complex Go down to axioms and inference rules only –Decision procedures need to output proofs
Equational Logics For now, we focus on equational logics –Simple and used by other more general provers Few inference rules –Very fast engines: ELAN, Maude Millions of rewrites per second Specialized decision procedures –A,C,I (and combinations) matching, etc. Why would a general prover accept their equational computations? Why would a certifying authority trust such systems?
Membership Equational Logic A very general variant of equational logic Adds membership assertions t : s Sentences are Horn clauses over –Equations –Membership assertions Generalizes –Order sorted equational logics –Partial equational logics Adds one more inference rule: membership Γ |- t : s and Γ |- t = t’ implies Γ |- t’ : s
Maude MEL engine –Based on a fast implementation of rewriting Can output execution traces –Series of axiom applications with corresponding substitutions –Contain gaps Decision procedures –A,C,I matching and combinations –Least sort computations –Memoization –Sharing of subterms (right-hand-side of equations)
Formalizing MEL Proof Objects Introduced a formalization of MEL proofs Proof object = series of labeled proof steps Proof step = application of one of the six complete inference rules of MEL –Reflexivity, Symmetry, Transitivity, Congruence, Substitution, Membership –Can contain references to previous steps... (18 transitivity +(a,b) = *(c,d) follows by 15 13)...
Certifying MEL Proof Objects Designed and implemented a prototype MEL proof certifier (~ 200 lines in PERL) Checks each proof step –Based entirely on string comparison –No parsing needed Very simple –Does not do anything intelligent –Proof object contains any needed piece of information; certifier only makes trivial checks This is exactly what a certifying authority wants –As opposed to trusting a complex, highly optimized rewriting engine like Maude
Synthesizing MEL Proof Objects In order for the certifier to be simple, the proof object must be very low level The following are considered too high-level to be recognized by a certifier –Proofs by replacement or by rewriting –A, C, I matching and combinations –Sharing of subterms –Memoization –Least sort calculation So we provide solutions on how to push these down to MEL axioms and inference rules
Replacement Proofs Most usual “equational proofs” The problem is that replacements can be applied anywhere in the term Lots of congruences, transitivities and potentially one symmetry are implicit Procedure is given to generate all these applications of rules formally in a proof object Theorem: Γ |- t = t’ iff t ( Γ Γ )* t’
Rewriting Proofs Special case of replacements proofs Most rewritings are done in depth-first order This allows to obtain much smaller proofs by delaying the applications of congruences Γ |- t = t’ when t ( Γ )*;( Γ )* t’
Matching Modulo Matching modulo A, C, I, or any of their combinations is typically implemented via highly specialized decision procedures One does not want a simple and trusted certifier to know about these Therefore, one has to generate proofs making concrete use of A, C, I axioms In Maude, e.g., matchings modulo appear as gaps in the rewriting traces
AC Matching The most complicated one Nguyen and Kirchner 2002 gave a solution, where the proof has size O(| | 2 ) We have sorting-based solutions generating proofs of size O(| | log(| |)) Given two AC-equivalent terms and , generate a proof of their equality using the A and C axioms
High-Level Idea Put and in right associative forms r and r by AC equational proofs of size O(| |) Pick a special term b, which is a balanced version of , and put it in right associative form, i.e., the same r,in proof size O(| |) Generate a proof of size O(| | log(| |)) for the AC equivalence between b and r
Right Associativity in Linear Proof Size Apply right associativity in a bottom-up fashion, until we get a right associative term Delay congruences as much as possible
From Balanced to any Right Associative Permutation in O(n log(n)) Order the elements as they appear in r The goal now is, given some ordering on element, to sort any balanced tree into a right associative list We have two methods, based on –Merge sort –Selection sort
Sorting a Balanced Tree by Merge Sort Step 1: Sort recursively the left and right subtrees 11 22 11 11 r 22 22 r 11 r 22 r
Sorting a Balanced Tree by Merge Sort Step 2: Merging the left and right sorted subtrees 11 r ’1’1 r a1a1 22 r ’2’2 r a2a2 a2a2 a1a1 ’1’1 r ’2’2 r Suppose a 2 < a 1 We can do the above in a small, constant number of applications of AC. So we can merge the two right associative lists in a linear number of proof steps.
The size of the AC proof generated by the merge-sort procedure is O(| | log(| |)) More precisely, it is 5 | | log(| |) Similar numbers are obtained for a selection-sort based procedure These procedures can be easily extended to handle multiple A,C,I (and combinations) operators Sorting a Balanced Tree
Maude Specific Issues Maude has several other decision procedures, for which we also developed proof synthesis algorithms, such as –Memoization and subterm sharing –Least sort calculation Also, due to overloaded operations, mix-fix notation, and syntactic sugar conventions, specialized procedures are also needed for –Desugaring –Disambiguation
Conclusion and Future Work A MEL proof formalization, certification and synthesis has been presented Had Maude as a test case, but the ideas work for any equational engine Hardest part was to deal with decision procedures The proof synthesis algorithms will be soon implemented for Maude, probably within its ITP tool (a theorem prover)