Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs.

Published byAlannah Hood Modified over 7 years ago

Similar presentations

Presentation on theme: "1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs."— Presentation transcript:

1 1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs

2 2 Classical Program Verification Verification Condition Generator Automated Provers (Simplify, etc.) Interactive Provers (Coq, Isabelle, PVS, etc.)

3 3 Problem #1: Error diagnosis during evolution Definition foo :=.... Definition bar :=.... Lemma L : forall x, P (foo x) (bar x). tactic1. tactic2. Qed. Theorem T : forall x, Q (foo x) (bar x). tactic1. tactic2.... tactic3253. Qed.....' Error: In environment bound : nat fm : formula bound' : nat _ : True s0 : {fm' : formula & {l : lit | (forall a : asgn, satFormula fm a -> satLit l a) /\ (forall a : asgn, (satFormula fm (upd a l) -> satFormula fm' a) /\ (satFormula fm' a -> satFormula fm (upd a l)))}} fm' : formula s1 : {l : lit | (forall a : asgn, satFormula fm a -> satLit l a) /\ (forall a : asgn, (satFormula fm (upd a l) -> satFormula fm' a) /\ (satFormula fm' a -> satFormula fm (upd a l)))} l : lit n : forall a : asgn, satFormula fm' a -> False a0 : asgn H : satFormula fm a0 H0 : forall a : asgn, satFormula fm a -> satLit l a H1 : forall a : asgn, (satFormula fm (upd a l) -> satFormula fm' a) /\ (satFormula fm' a -> satFormula fm (upd a l)) a : {fm' : formula & {l : lit | (forall a : asgn, satFormula fm a -> satLit l a) /\ (forall a : asgn, (satFormula fm (upd a l) -> satFormula fm' a) /\ (satFormula fm' a -> satFormula fm (upd a l)))}} a1 : {al : alist | satFormula fm' (interp_alist al)} H2 : forall fm : formula, option ({al : alist | satFormula fm (interp_alist al)} + {(forall a : asgn, satFormula fm a -> False)}) The term "0" has type "nat" while it is expected to have type "asgn"

4 4 Problem #2: Effective Modular Development Definition foo :=.... Definition bar :=.... Import BeppoLib. Definition baz :=... foo... bar.... Definition baz' :=... foo... bar... beppo.... Theorem foo_correct..... Qed. Theorem bar_correct..... Qed. Theorem baz_correct..... apply foo_correct..... apply bar_correct..... Qed. ?

5 5 h Internal Verification f x y Proof of precondition Proof of postcondition g u Proof of precondition Proof of postcondition... Precondition and postcondition Proof of precondition Proof of postcondition

6 6 h Problem #1: Verbosity f x y Proof of precondition Proof of postcondition g u Proof of precondition Proof of postcondition... Proof of precondition Proof of postcondition Proof of precondition ? Proof added as a subgoal for tactic- based proving....

7 7 Problem #2: Runtime Inefficiency ● Manipulating proof objects at runtime will slow programs down a lot. ● Some simple algorithms have much larger and more complicated proofs, so proof processing would dominate performance. ● Your computer probably doesn't have enough RAM to store explicit proof objects arising from large inputs to interesting programs.

8 8 Program Extraction The Big Idea: Proofs are a technical device for establishing program soundness statically. There's no reason to include them in the final programs to execute! We want some kind of proof-erasing compiler. Challenges: ● What do we cut and what do we keep? ● How can we ensure compilation soundness?

9 9 Prop vs. Set ● We've come to the sole reason for distinguishing between types in Prop and Set: Prop values are erased during compilation, while Set values are kept. ● If we didn't want extraction, we could collapse them into a single domain. With the default flags, Set and Prop are also differentiated by predicativity.

10 10 A Tale of Two Sorts Inductive unit : Set := tt : unit. Inductive True : Prop := I : True. Inductive Empty_set : Set :=. Inductive False : Prop :=. Inductive prod (A B : Set) : Set := pair : A -> B -> prod A B. Inductive and (A B : Prop) : Prop := conj : A -> B -> and A B. Inductive sum (A B : Set) : Set := inl : A -> sum A B | inr : B -> sum A B. Inductive or (A B : Prop) : Prop := or_introl : A -> or A B | or_intror : B -> or A B.

11 11 The Coq Type Hierarchy SetProp nat bool... True False... Type 0 Type 1...

12 12 What Coq Extraction Does ● Translate Coq code to OCaml, Haskell, or Scheme (straightforward part) ● Systematically replace all Props with unit, so that their values carry no usable information (tricky part) Example: Definition f : forall (n : nat), n > 0 -> nat :=.... Definition f : forall (n : nat), unit -> nat :=.... Erase Prop Definition f : forall (n : nat), nat :=.... Simplify types involving unit let f : nat -> nat :=... Drop dependent typing and translate to OCaml syntax

13 13 Related Problem: Secure Information Flow TOP SECRET Public Ensure that no public output depends on a secret input.

14 14 Related Problem: Taint Analysis Input from network printf format string Ensure that no printf format string depends on a user input.

15 15 The Essence of Coq's Type System Support for Extraction Prop Set Ensure that no Set value depends on a Prop value. In a particular way that makes erasure impossible....

16 16 Preventing Bad Dependencies by Limiting Eliminations match n with | O => O | S n' => n' end Type: natSort: Set Body type: nat Sort: Set We are eliminating a value of sort Set to produce a value of sort Set.

17 17 Elimination Restrictions Set Prop Set Prop Eliminate a... Producing a... Set -> Set example: Adding natural numbers Set -> Prop example: Proving properties of addition Prop -> Prop example: “If there exists x satisfying P, then there exists y satisfying Q.” Prop -> Set example: From a proof that there exists x satisfying P, compute x.

Download ppt "1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Static Contract Checking for Haskell Dana N. Xu University of Cambridge Ph.D. Supervisor: Simon Peyton Jones Microsoft Research Cambridge.

Static Contract Checking for Haskell Dana N. Xu University of Cambridge Ph.D. Supervisor: Simon Peyton Jones Microsoft Research Cambridge.
Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.

Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.

Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Type checking © Marcelo d’Amorim 2010.

Type checking © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
What’s left in the course. The course in a nutshell Logics Techniques Applications.

What’s left in the course. The course in a nutshell Logics Techniques Applications.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
Discrete Mathematics Lecture 4 Harper Langston New York University.

Discrete Mathematics Lecture 4 Harper Langston New York University.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Some administrative stuff Class mailing list: –send to with the command “subscribe”

Some administrative stuff Class mailing list: –send to with the command “subscribe”
Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.

Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Prof. Fateman CS 164 Lecture 221 Global Optimization Lecture 22.

Prof. Fateman CS 164 Lecture 221 Global Optimization Lecture 22.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Similar presentations

Ads by Google