
Post on 17-Jan-2016


Tool Support for Proof Engineering

Anne Mulhern
Computer Sciences Department, University of Wisconsin-Madison
Madison, WI USA
mulhern@cs.wisc.edu
www.cs.wisc.edu/~mulhern

Anne Mulhern, Charles Fischer, Ben Liblit

UITP 2006 Tool Support for Proof Engineering 2

Size of Proofs

• Certified C compiler in Coq [Leroy et al]
  – Compiler + proof that compiler preserves semantics
  – Back-end
    • One man-year
    • 35,000 lines of Coq scripts, definitions, and tactics
  – Front-end
    • 3/4 man-year
    • 6,000 lines of Coq scripts, definitions, and tactics


Relative Proportion of Lines in Proof

[Pie charts: Proof Material vs. Definitions, and a breakdown into Compiler Definitions, Specifications, Statements of Theorems and Lemmas, Proof Scripts, and Directives and Custom Tactics; the percentages did not survive extraction with their labels]

Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]


Proof Objects/Proof Scripts

• Proof objects can be an order of magnitude larger than proof scripts

• Factors
  – Down
    • Good modularization
  – Up
    • Powerful tactics
    • Good use of hints


Size of Linux Kernel

• 1991 - 10,000 lines

• 1996 - 800,000 lines

• 2001 - 3 million lines

• 2006 - 7 million lines


Integrated Proof Environment

• Abbreviated as IPE

• Similar to an IDE (Integrated Development Environment)

• Uncommon


This is a position paper

• Tools and techniques from IDEs can be transferred to IPEs

• Tools and techniques from IDEs should be transferred to IPEs


Outline

• Motivation

• Tools and Techniques

• Mechanisms


Motivation

• Programming languages are my specialty
  – Formal proofs of programming language properties
    • The POPLmark challenge
  – Generation of certified programs by extraction
    • Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]


PL Proofs are different

• Proofs should be easy to modify and reuse
• For certified programs: structure of the generated proof matters
• Proofs frequently proceed by induction
  – Inductive theorems are particularly challenging
    • On Strategies for Inductive Theorem Proving [Bernhard Gramlich, Strategies 2004 Invited Talk]


Proofs are Programs

• Theory
  – Curry-Howard isomorphism
• Practice
  – Extend
  – Refactor
  – Debug
• We can tackle similar problems with similar techniques


“The Seventeen Provers of the World” [Wiedijk]

• HOL
• Mizar
• PVS
• Otter/Ivy
• Isabelle/Isar
• Alfa/Agda
• ACL2
• PhoX
• IMPS
• Metamath
• Theorema
• Lego
• Nuprl
• Omega
• B method
• Minlog
• Coq

Tools and Techniques

• Common Conveniences

• Proof Visualization in the Large

• Navigation by Derivation


Common Conveniences in IDEs

• Multiple Views for understanding and navigation
  – Collapsed and expanded text
  – Outline Views
  – And so forth
• Automatic Refactoring
  – Rewriting while preserving meaning or behavior


Common Conveniences in IPEs


Make Variable Implicit

• Variables whose value can be inferred from the type of other variables may be made implicit
• If a variable is implicit its value must not be given
• To make a variable implicit
  – Make implicit in definition
  – Change all uses of definition
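As an added illustration of this refactoring (not from the slides), the Coq snippet below shows the explicit definition with its use sites, the implicit version with the use sites updated, and a check that the two agree; `swap` and `swap'` are hypothetical names.

```coq
(* Before the refactoring: the type arguments A and B are explicit,
   so every use site has to spell them out. *)
Definition swap (A B : Type) (p : A * B) : B * A :=
  match p with (a, b) => (b, a) end.

Lemma swap_swap (A B : Type) (p : A * B) :
  swap B A (swap A B p) = p.
Proof. destruct p; reflexivity. Qed.

Example use_swap : swap nat bool (1, true) = (true, 1).
Proof. reflexivity. Qed.

(* Step 1: make A and B implicit in the definition; they are inferable
   from the type of p. *)
Definition swap' {A B : Type} (p : A * B) : B * A :=
  match p with (a, b) => (b, a) end.

(* Step 2: change all uses of the definition, dropping the type arguments. *)
Lemma swap'_swap' {A B : Type} (p : A * B) :
  swap' (swap' p) = p.
Proof. destruct p; reflexivity. Qed.

Example use_swap' : swap' (1, true) = (true, 1).
Proof. reflexivity. Qed.

(* The refactoring preserves meaning: both definitions are convertible. *)
Lemma swap_swap'_eq (A B : Type) (p : A * B) : swap A B p = swap' p.
Proof. reflexivity. Qed.
```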


Software Visualization in the Large

• Ball and Eick, 1996

• Unary properties

• Color

• Large projects

• Multiple files

[Figure: Software Visualization in the Large, Ball and Eick, 1996]

Proof Visualization in the Large

• Lemma “hot spots”

• Revision information

• Proportion of proofs to definitions

• Goal depth


Goal depth

[Figure: goal depth]


Navigation by Derivation

• No obvious analog currently in IDEs but…
  – Numerous instances where original line numbering is preserved
    • Parsers map to grammar file line numbers
    • gcc maps to source file line numbers
  – Source/assembly navigation tool desirable


Mechanisms

• Textual Analysis on proofs or scripts
  – Multiple Views
• Compiler/Debugger techniques
  – Navigation by derivation
• Both
  – Refactoring
  – Proof visualization in the large


Summary

• IPEs non-existent

• Proofs must be managed

• Technology already exists

• Considerable theoretical possibilities
