Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop.

Slides:

Advertisements

Similar presentations

xUnit Test Patterns (Some) xUnit Test Patterns (in practice) by Adam Czepil.

Advertisements

Type Inference David Walker COS 320. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.

Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.

Simplified Gated Assignment Surinder Jain Supervisor : Bernhard Scholz Assignment 3 – INFO5993.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

CSE341: Programming Languages Lecture 16 Datatype-Style Programming With Lists or Structs Dan Grossman Winter 2013.

LIFE CYCLE MODELS FORMAL TRANSFORMATION

Lightweight Abstraction for Mathematical Computation in Java 1 Pavel Bourdykine and Stephen M. Watt Department of Computer Science Western University London.

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

May 11, ACL2 Panel: What is the Future of Theorem Proving? Arvind Computer Science & Artificial Intelligence Laboratory.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

Proof Points Key ideas when proving mathematical ideas.

What’s left in the course. The course in a nutshell Logics Techniques Applications.

Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.

Recursion Chapter 7. Chapter 7: Recursion2 Chapter Objectives To understand how to think recursively To learn how to trace a recursive method To learn.

Recursion Chapter 7. Chapter 7: Recursion2 Chapter Objectives To understand how to think recursively To learn how to trace a recursive method To learn.

VeriML DARPA CRASH Project Progress Report Antonis Stampoulis October 5 th, 2012 A language-based, dependently-typed, user-extensible approach to proof.

Secure Compiler Seminar 11/7 Survey: Modular Development of Certified Program Verifiers with a Proof Assistant Toshihiro YOSHINO (D1, Yonezawa Lab.)

Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...

Recursion Chapter 7. Chapter Objectives  To understand how to think recursively  To learn how to trace a recursive method  To learn how to write recursive.

Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

ALGORITHM CHAPTER 8. Chapter Outlines and Objectives  Define an algorithm and relate it to problem solving.  Define three construct and describe their.

Mathematical Induction I Lecture 4: Sep 16. This Lecture Last time we have discussed different proof techniques. This time we will focus on probably the.

1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.

Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.

Basic Scheme February 8, 2007 Compound expressions Rules of evaluation Creating procedures by capturing common patterns.

1/32 This Lecture Substitution model An example using the substitution model Designing recursive procedures Designing iterative procedures Proving that.

1/33 Basic Scheme February 8, 2007 Compound expressions Rules of evaluation Creating procedures by capturing common patterns.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.

Sorting by placement and Shift Sergi Elizalde Peter Winkler By 資工四 B 周于荃.

1 Interactive Computer Theorem Proving CS294-9 September 28, 2006 Adam Chlipala UC Berkeley Lecture 6: A Crash Course on Proof Automation.

Lambda: The Ultimate Specification a talk/demo on Fiat, a Coq library for program synthesis Adam Chlipala IFIP WG 2.18 meeting August 2014 Joint work with.

Cooperative Integration of an Interactive Proof Assistant and an Automated Prover Adam Chlipala and George C. Necula University of California, Berkeley.

Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.

1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs.

1 Interactive Computer Theorem Proving CS294-9 November 30, 2006 Adam Chlipala UC Berkeley Lecture 14: Twelf.

1 Interactive Computer Theorem Proving CS294-9 October 19, 2006 Adam Chlipala UC Berkeley Lecture 9: Beyond Primitive Recursion.

1 Interactive Computer Theorem Proving CS294-9 September 7, 2006 Adam Chlipala UC Berkeley Lecture 3: Data structures and Induction.

The Bedrock Structured Programming System Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier Adam Chlipala MIT CSAIL.

1 Interactive Computer Theorem Proving CS294-9 September 14, 2006 Adam Chlipala UC Berkeley Lecture 4: Inductively- Defined Predicates.

Lecture 2: Propositional and First-Order Logic

Lecture 11: Proof by Reflection

CoqPIE: A Better IDE for Coq

Functional Programming

Recursion Topic 5.

Basic Scheme February 8, 2007 Compound expressions Rules of evaluation

Types for Programs and Proofs

Sparkle a functional theorem prover

Object-Oriented Software Engineering Using UML, Patterns, and Java,

Unit 1. Sorting and Divide and Conquer

PROGRAMMING IN HASKELL

Decision Teamwork In Uncertain Meeting Environments Using

Aspect Validation: Connecting Aspects and Formal Methods

IS 2935: Developing Secure Systems

Lecture 23 Pages : Separating Syntactic Analysis from Execution. We omit many details so you have to read the section in the book. The halting.

This Lecture Substitution model

PROGRAMMING IN HASKELL

What would be our focus ? Geometry deals with Declarative or “What is” knowledge. Computer Science deals with Imperative or “How to” knowledge 12/25/2018.

CSE 311: Foundations of Computing

What would be our focus ? Geometry deals with Declarative or “What is” knowledge. Computer Science deals with Imperative or “How to” knowledge 2/23/2019.

Calculus Pitfalls By Jordan D. White.

This Lecture Substitution model

6.001 SICP Interpretation Parts of an interpreter

This Lecture Substitution model

Presentation transcript:

Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop

Not Ready for Prime Time? Proof assistants like Coq are useful for doing math, but they're far too inconvenient for serious dependently typed programming! Or are they? Cons ● No imperativity, general recursion, or exceptions ● Very primitive dependent pattern matching Pros ● Easy to combine programming with tactic-based proving ● A mature set of tools for proof organization and automation Program analysis goes well with language purity in general. Just using “refinement types” already brings a lot of advantage without the complexities of dependent types in general. This Talk: Capsule summary of my experiences implementing Proof-Carrying Code-style program verifiers in Coq using dependent types to guarantee total correctness. Dealing with machine code, so there are lots of details that we don't want to worry about!Need to span many levels of abstraction, so good modularization is key to feasibility

Mixing Programming with Tactics Definition isEven : forall n, [even(n)]. refine (fix isEven (n : nat) : [even(n)] := match n return [even(n)] with O -> Yes | S O -> No | S (S n) -> proof <- isEven n; Yes); auto. Qed. Step 1. Declare the function we mean to write as a proof search goal. Step 2. Give the “program part” of the implementation. The type of an optional proof of a proposition Step 3. Generate the “proof part” of the implementation using tactics. Generate a proof obligation Monadic notation: fail if the recursive call fails; otherwise, bind proof in the body. Result: A term in the Calculus of Inductive Constructions

Missing? Imperativity?Pure functional data structures worked well for all of the situations I encountered. Non-termination and general recursion? The kinds of program analysis algorithms I needed were naturally primitive recursive. Exceptions? Failure monads provide a cleaner alternative to “exceptional” uses of exceptions. Fancy dependent pattern matching? Sticking to refinement types, vanilla pattern matching is good enough.

Reflective Proofs Theorem check : forall (p : program), verify p = true -> safe p. check p (refl_equal (verify p)) Typecheck verify p = verify p verify p = true Computational reduction via definitional equality safe p

Other Benefits ● Module system ● Lots of pre-written proof-generating decision procedures ● Expressive tactical language ● Extensible goal-directed proof search mechanism ● Extraction to OCaml (and from there to fast native code)

Conclusion ● Consider using Coq for your next dependently typed program if large non-syntax-directed proofs are a large part of it. ● It seems worthwhile to keep in mind potential overlaps between programming environments and proof assistants in developing new PLPV tools. For more info: See my talk at ICFP next month!