Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Interactive Computer Theorem Proving CS294-9 November 30, 2006 Adam Chlipala UC Berkeley Lecture 14: Twelf.

Published byNaomi Judith Lester Modified over 7 years ago

Similar presentations

Presentation on theme: "1 Interactive Computer Theorem Proving CS294-9 November 30, 2006 Adam Chlipala UC Berkeley Lecture 14: Twelf."— Presentation transcript:

1 1 Interactive Computer Theorem Proving CS294-9 November 30, 2006 Adam Chlipala UC Berkeley Lecture 14: Twelf

2 2 “Proof Assistants” Coq Isabelle PVS.... Proof Assistants “I'm going to help you construct formal proofs of all sorts of things.” Logical Frameworks “I'm going to help you represent logics and programming languages.” LF.... Twelf : a system for proving meta-theorems about LF formalizations

3 3 Comparison ● Specialized to definition of logics, languages, and their metatheories. ● A theorem is proved by a typed functional program. ● A meta-theorem is proved by a typed logic program. ● Designed with representation of variable binding, assumption contexts, etc., in mind. ● Approximately zero proof automation. ● Supports theorem proving in general. ● A theorem is proved by a typed functional program. ● No distinction between theorems and meta-theorems. ● No special support for those concepts. ● As much proof automation as you are willing to code.

4 4 What's All This “Meta” Business? ● An object language is one that you are formalizing. – e.g., first-order logic, lambda calculus ● A meta language is what you are using to formalize the object language. – e.g., LF, Calculus of Inductive Constructions ● A meta-theorem is a theorem about theorems. – We think of PL typing, evaluation, etc., derivations as theorems.

5 5 LF Style, Part I: A very syntactic approach to definitions nat : type. O : nat. S : nat -> nat. prop : type. true : prop. false : prop. not : prop -> prop. and : prop -> prop -> prop. or : prop -> prop -> prop. imp : prop -> prop -> prop. An LF signature The values of each type are precisely those you can build using the specified constant symbols, application, and function abstraction (lambda). But what about the induction principles you need to reason about these types? All in good time. :-)

6 6 LF/Elf Style, Part II: Relational definitions of everything plus : nat -> nat -> nat -> type. plus_O : plus O M M. plus_Sn : plus N M R -> plus (S N) M (S R). valid : prop -> type. trueI : valid true. falseE : valid false -> valid P. andI : valid P -> valid Q -> valid (and P Q). LF doesn't allow recursive function definitions. Rather, we use inference rules to define a relation that happens to be a function. So derivations of “plus” and “valid” are examples of what we'll be calling “theorems.” That's right.

7 7 LF/Elf Style, Part III: Meta-theorems as relations over theorems O_id : {N : nat} plus N O N -> type. O_id_O : O_id O plus_O. O_id_Sn : O_id N PF -> O_id (S N) (plus_Sn PF). self_imp : {P : prop} valid (imp P P) -> type. self_imp_pf : self_imp P (impI ([H] H)). At last, these are the meta-theorems. :-) Curly braces are used for universal quantifiers / dependent function types. For both meta-theorems, we are proving that, for any value of the quantified variable, there exists a proof of the resulting theorem. 8 8 9 9 These are the different cases of inductive proofs. The names of the cases don't matter, and we'll usually keep them anonymous. You can think of these meta-theorems as logic programs for building theorems. OK, let's try running O_id on 1. Goal: plus (S O) O (S O) Apply O_id_Sn... Goal: plus O O O Apply O_id_O. Result: O_id_Sn O_id_O

8 8 LF/Elf/Twelf Style, Part IV: Proof checking as totality checking That seems like a pretty free-form proof format! How do you know a proof is believable? (fix F (x : A) : B := F x) I have to be on guard for devious “proofs” like this one! You've hit on the main issue: Since we follow the proofs-as-programs paradigm, it's critical that we admit only terminating programs, be they functional or logic programs....and I have a bit more work to do than you do to get there, since notions like functions, recursion, and case analysis are implicit in my logic programs.

9 9 Totality Checking, Prologue: Explain input-output behavior O_id : {N : nat} plus N O N -> type. O_id_O : O_id O plus_O. O_id_Sn : O_id N PF -> O_id (S N) (plus_Sn PF). Input Output “Interpret this as a logic program computing the outputs from the inputs. I guarantee that, for any input values with no free variables, any outputs of the logic program will also have no free variables.” This is related to a basic property of Coq functions.

10 10 Totality Checking, Part I: Termination O_id : {N : nat} plus N O N -> type. O_id_O : O_id O plus_O. O_id_Sn : O_id N PF -> O_id (S N) (plus_Sn PF). “Every recursive call decreases N, so any execution terminates.” This is like the syntactic checks performed on fixes. User-provided argument

11 11 Totality Checking, Part II: Input Coverage O_id : {N : nat} plus N O N -> type. O_id_O : O_id O plus_O. O_id_Sn : O_id N PF -> O_id (S N) (plus_Sn PF). An input of O is matched here...... and any S input is matched here. All part of the rules for using match in Coq!

12 12 Totality Checking, Part III: Output Coverage O_id : {N : nat} plus N O N -> type. O_id_O : O_id O plus_O. O_id_Sn : O_id N PF -> O_id (S N) (plus_Sn PF). This variable will match anything returned by the recursive call. In Coq, you must match on recursive results and explicitly handle all cases.

13 13 Interlude [Demo of natural numbers in Twelf]

14 14 LF Style, Part V: Higher-order abstract syntax formula : type. symbol : type. object : type. atomic : symbol -> object -> formula. and : formula -> formula -> formula. imply : formula -> formula -> formula. forall : (object -> formula) -> formula. Higher-order abstract syntax: Use the meta language binder to encode object language binders. 8 x, P(x) forall (fun x => atomic P x) forall ([x] atomic P x) In Twelf notation....

15 15 HOAS for Inference Rules valid : formula -> type. impI : (valid P -> valid Q) -> valid (imp P Q). impE : valid (imp P Q) -> valid P -> valid Q. forallI : ({X} valid (P X)) -> valid (forall P). forallE : valid (forall P) -> valid (P X). First thing to notice: we don't need to include “contexts” for our validity judgment!By using nested functions, we use the LF context to encode the FOL context. H : P ` Q FOL: H : valid P ` valid Q LF: encode We also use the LF context to track bound first-order variables. X; H : P ` Q FOL: X : object, H : valid P ` valid Q LF: encode Finally, we also encode substitution using the LF substitution associated with functions. H : 8 x, P(x) ` P(x)[v/x] H : forall ([x] atomic P x) ` ([x] atomic P x) v encode atomic P v reduce

16 16 Negative Occurrences term : type. app : term -> term -> term. lam : (term -> term) -> term. Here's the syntax of untyped lambda calculus. Note that we don't need a variable case, because we encode them with LF variables as for “forall” on the last slide! I don't allow inductive type definitions like this. Inductive term : Set := | App : term -> term -> term | Lam : (term -> term) -> term. Inductive L : Set := | Lam : (L -> L) -> L. Definition App : L -> L -> L := fun x => match x with | Lam f => f end. Definition delta : L := Lam (fun x => App x x). Eval compute in (App delta delta). No such problems for me because LF is a very restricted language that can't express such things. In particular, there are no case analysis expressions!

17 17 Regular Worlds size : term -> nat -> type. size_app : size E1 N1 -> size E2 N2 -> plus N1 N2 N3 -> size (app E1 E2) (S N3). size_lam : ({X : term} size X O -> size (E X) N) -> size (lam E) (S N). Let's say we want to verify that “size” is a total function. Using the LF context to encode the object language context isn't a magic bullet. Identifying patterns in the bindings we introduce is critical to proof-checking. ¡ ::=. | ¡ {X : term} {PF : size X N} The idea of regular worlds is used to describe contexts similarly to how regular expressions describe strings. The big difference is that we consider variables up to alpha equivalence in the usual way.

18 18 Canonical Forms Result #1: For a fixed LF signature, any term whose type is some constant defined like “T : type” is equivalent to some application of some constant “C : T1 ->... -> Tn -> T”. This doesn't hold in Coq, because the expression might be an irreducible match. Result #2: For a fixed LF signature, any term of type “T1 -> T2” is equivalent to some “[x : T1] E” where E has type T2. In Coq, the term might be a fix.

19 19 Full Totality Checking size : term -> nat -> type. size_app : size E1 N1 -> size E2 N2 -> plus N1 N2 N3 -> size (app E1 E2) (S N3). size_lam : ({X : term} size X O -> size (E X) N) -> size (lam E) (S N). The user needs to provide me with a few ingredients to explain how the proof of totality should look, and I'll do the rest. ● The first argument of size is an input and the second an output. ● The contexts that will come up in the proof are described by ({X : term} {PF : size X N})*. ● Prove totality by induction on the term. Proving termination for size E N First apply canonical forms to normalize E completely, then induct on the result. E = app E1 E2: Only size_app applies, and recursive calls use syntactic subterms. E = lam E': Only size_lam applies. E' must be some [Y] E''. E'' X is as large as E' and strictly smaller than E, so the recursive call is OK. E is a variable X: The regular world spec guarantees that X has a twinned size hypothesis to use. ({X : term} {PF : size X N})*

20 20 Wrap-Up (before going to code demo) ● LF: a language for encoding languages – Supports higher-order abstract syntax – Minimal enough to admit a canonical forms property that facilitates simple induction over term structure ● Twelf: tool support for checking LF meta-theorems – Proof checking as totality checking of logic programs

Download ppt "1 Interactive Computer Theorem Proving CS294-9 November 30, 2006 Adam Chlipala UC Berkeley Lecture 14: Twelf."

Similar presentations

Substitution & Evaluation Order cos 441 David Walker.

Substitution & Evaluation Order cos 441 David Walker.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Situation Calculus for Action Descriptions We talked about STRIPS representations for actions. Another common representation is called the Situation Calculus.

Situation Calculus for Action Descriptions We talked about STRIPS representations for actions. Another common representation is called the Situation Calculus.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Functional Design and Programming Lecture 11: Functional reasoning.

Functional Design and Programming Lecture 11: Functional reasoning.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
What’s left in the course. The course in a nutshell Logics Techniques Applications.

What’s left in the course. The course in a nutshell Logics Techniques Applications.
Katz2004 236386--Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems 236368 Shmuel Katz The Technion.

Katz Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems Shmuel Katz The Technion.
Twelf: The Quintessential Proof Assistant for Language Metatheory Karl Crary Carnegie Mellon University Joint work with Robert Harper and Michael Ashley-Rollman.

Twelf: The Quintessential Proof Assistant for Language Metatheory Karl Crary Carnegie Mellon University Joint work with Robert Harper and Michael Ashley-Rollman.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.

Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.

After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.
EE1J2 - Slide 1 EE1J2 – Discrete Maths Lecture 6 Limitations of propositional logic Introduction to predicate logic Symbols, terms and formulae, Parse.

EE1J2 - Slide 1 EE1J2 – Discrete Maths Lecture 6 Limitations of propositional logic Introduction to predicate logic Symbols, terms and formulae, Parse.
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.

1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
Lecture 1 Computation and Languages CS311 Fall 2012.

Lecture 1 Computation and Languages CS311 Fall 2012.
15-251 Great Theoretical Ideas in Computer Science about AWESOME Some Generating Functions Probability Infinity MATH Some Formal Logic (which is really.

Great Theoretical Ideas in Computer Science about AWESOME Some Generating Functions Probability Infinity MATH Some Formal Logic (which is really.
Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.

Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.
© Kenneth C. Louden, 20031 Chapter 11 - Functional Programming, Part III: Theory Programming Languages: Principles and Practice, 2nd Ed. Kenneth C. Louden.

© Kenneth C. Louden, Chapter 11 - Functional Programming, Part III: Theory Programming Languages: Principles and Practice, 2nd Ed. Kenneth C. Louden.

Similar presentations

Ads by Google