Tool Support for Proof Engineering
Tool Support for Proof Engineering
Anne Mulhern, Computer Sciences Department, University of Wisconsin-Madison
Madison, WI [email protected]
www.cs.wisc.edu/~mulhern
Anne Mulhern, Charles Fischer, Ben Liblit
UITP 2006 Tool Support for Proof Engineering 2
Size of Proofs
• Certified C compiler in Coq [Leroy et al]
  – Compiler + proof that the compiler preserves semantics
  – Back-end
    • One man-year
    • 35,000 lines of Coq scripts, definitions, and tactics
  – Front-end
    • 3/4 man-year
    • 6,000 lines of Coq scripts, definitions, and tactics
Proof Material/Definitions: Relative Proportion of Lines in Proof (pie chart)
• Compiler Definitions – 13%
• Proof material – 87%, made up of:
  – Specifications – 8%
  – Statements of Theorems and Lemmas – 22%
  – Proof Scripts – 50%
  – Directives and Custom Tactics – 7%
Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]
Proof Objects/Proof Scripts
• Proof objects can be an order of magnitude larger than proof scripts
• Factors that push the ratio down
  – Good modularization
• Factors that push the ratio up
  – Powerful tactics
  – Good use of hints
Size of Linux Kernel
• 1991 - 10,000 lines
• 1996 - 800,000 lines
• 2001 - 3 million lines
• 2006 - 7 million lines
Integrated Proof Environment
• Abbreviated as IPE
• Similar to an IDE (Integrated Development Environment)
• Uncommon
This is a position paper
tools and techniques from IDEs can be transferred to IPEs
tools and techniques from IDEs should be transferred to IPEs
Outline
• Motivation
• Tools and Techniques
• Mechanisms
Motivation
• Programming languages are my specialty
  – Formal proofs of programming language properties
    • The POPLmark challenge
  – Generation of certified programs by extraction
    • Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]
PL Proofs are different
• Proofs should be easy to modify and reuse
• For certified programs: the structure of the generated proof matters
• Proofs frequently proceed by induction
  – Inductive theorems are particularly challenging
    • On Strategies for Inductive Theorem Proving [Bernhard Gramlich, Strategies 2004 Invited Talk]
Proofs are Programs
• Theory
  – Curry-Howard isomorphism
• Practice
  – Extend
  – Refactor
  – Debug
• We can tackle similar problems with similar techniques
“The Seventeen Provers of the World” [Wiedijk]
HOL
Mizar
PVS
Otter/Ivy
Isabelle/Isar
Alfa/Agda
ACL2
PhoX
IMPS
Metamath
Theorema
Lego
Nuprl
Omega
B method
Minlog
Coq
Outline
• Motivation
• Tools and Techniques
• Mechanisms
Tools and Techniques
• Common Conveniences
• Proof Visualization in the Large
• Navigation by Derivation
Common Conveniences in IDEs
• Multiple Views for understanding and navigation
  – Collapsed and expanded text
  – Outline Views
  – And so forth
• Automatic Refactoring
  – Rewriting while preserving meaning or behavior
Legend
Common Conveniences in IPEs
Make Variable Implicit
• Variables whose value can be inferred from the types of other variables may be made implicit
• Once a variable is implicit, its value is no longer given at use sites; every existing use that still supplies it breaks
• To make a variable implicit
  – Make it implicit in the definition
  – Change all uses of the definition
Tools and Techniques
• Common Conveniences
• Proof Visualization in the Large
• Navigation by Derivation
Software Visualization in the Large
• Ball and Eick, 1996
• Unary properties
• Color
• Large projects
• Multiple files
![Page 23: Tool Support for proof Engineering](https://reader035.fdocuments.net/reader035/viewer/2022062803/568146c6550346895db4025e/html5/thumbnails/23.jpg)
UITP 2006 Tool Support for Proof Engineering 24Software Visualization in the Large [Ball and Eick, 1996]
![Page 24: Tool Support for proof Engineering](https://reader035.fdocuments.net/reader035/viewer/2022062803/568146c6550346895db4025e/html5/thumbnails/24.jpg)
UITP 2006 Tool Support for Proof Engineering 25
Proof Visualization in the Large
• Lemma “hot spots”
• Revision information
• Proportion of proofs to definitions
• Goal depth
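An added example, not from the slides, of the data such a view would be drawn from: a Python script that computes, over a constructed Coq script, the kind of proof material on each line (which gives the proportion of proof scripts to definitions in the spirit of the "Relative Proportion of Lines in Proof" chart earlier in the deck), the lemma hot spots (how many other proofs depend on each lemma, and how often it is mentioned), and a per-line heat value that a Ball-and-Eick style colored file view could render. The script, the keyword state machine and the function names are assumptions of this example; the classifier treats definitions and specifications as one kind, since textually both are Definition/Inductive commands, and it only understands plain vernacular (no Sections, Program or Obligations).

```python
"""Data behind a 'proof visualization in the large' view of a Coq script.
Added example, not from the slides: a keyword state machine over plain
vernacular. It lumps definitions and specifications together (textually both
are Definition/Inductive commands) and ignores Sections, Program, Obligations.
"""
import re
from collections import Counter

# Constructed Coq script, not taken from the slides or from any real project.
COQ_SCRIPT = """\
Require Import Arith.
Inductive instr : Type :=
| Push (n : nat)
| Add.

Definition run (i : instr) (s : list nat) : list nat :=
  match i, s with
  | Push n, _ => n :: s
  | Add, a :: b :: s' => (a + b) :: s'
  | Add, _ => s
  end.

Lemma run_push : forall n s, run (Push n) s = n :: s.
Proof. reflexivity. Qed.
Lemma run_add : forall a b s, run Add (a :: b :: s) = (a + b) :: s.
Proof. reflexivity. Qed.
Lemma run_push_add : forall a b s, run Add (run (Push a) (b :: s)) = (a + b) :: s.
Proof.
  intros a b s.
  rewrite run_push.
  apply run_add.
Qed.
Lemma run_push_twice : forall a b s, run (Push a) (run (Push b) s) = a :: b :: s.
Proof.
  intros a b s.
  rewrite run_push.
  rewrite run_push.
  reflexivity.
Qed.
Hint Rewrite run_push : run.
"""

STATEMENT_KW = ("Lemma", "Theorem", "Corollary", "Proposition")
DEFINITION_KW = ("Definition", "Fixpoint", "Inductive", "Record", "Parameter")
DIRECTIVE_KW = ("Require", "Hint", "Ltac", "Set ", "Unset ", "Notation")
PROOF_END = re.compile(r"\b(?:Qed|Defined|Admitted)\.")
STATEMENT_HEAD = re.compile(r"^(?:%s)\s+(\w+)" % "|".join(STATEMENT_KW))


def classify_lines(source):
    """Tag every non-blank line as definition, statement, proof or directive.
    A line opening no new command keeps the kind of the line before it; a
    proof ends on the line carrying Qed/Defined/Admitted."""
    tagged, kind = [], "definition"
    for number, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(STATEMENT_KW):
            kind = "statement"
        elif line.startswith(DEFINITION_KW):
            kind = "definition"
        elif line.startswith(DIRECTIVE_KW):
            kind = "directive"
        elif line.startswith("Proof"):
            kind = "proof"
        tagged.append((number, kind, line))
        if kind == "proof" and PROOF_END.search(line):
            kind = "definition"
    return tagged


def material_counts(tagged):
    """Non-blank lines per kind; divide by len(tagged) for the chart's shares."""
    return Counter(kind for _, kind, _ in tagged)


def lemma_hot_spots(tagged):
    """Per lemma: (number of other proofs mentioning it, total mentions).
    Names come from statement headers; each proof body is scanned for
    word-boundary occurrences of every other lemma's name."""
    lemmas, proofs, proved, body = [], [], None, []
    for _, kind, line in tagged:
        head = STATEMENT_HEAD.match(line) if kind == "statement" else None
        if head:
            proved = head.group(1)
            lemmas.append(proved)
        elif kind == "proof":
            body.append(line)
            if PROOF_END.search(line):
                proofs.append((proved, " ".join(body)))
                body = []
    distinct, mentions = Counter(), Counter()
    for owner, text in proofs:
        for name in lemmas:
            hits = 0 if name == owner else len(re.findall(r"\b%s\b" % re.escape(name), text))
            if hits:
                distinct[name] += 1
                mentions[name] += hits
    return {n: (distinct[n], mentions[n]) for n in lemmas}


def heat_lines(tagged, hot_spots):
    """Per-line heat for a colored file view: on a line stating a lemma, the
    number of other proofs that depend on it; 0 everywhere else."""
    heat = []
    for number, kind, line in tagged:
        head = STATEMENT_HEAD.match(line) if kind == "statement" else None
        heat.append((number, hot_spots[head.group(1)][0] if head else 0))
    return heat
```

Calling `classify_lines(COQ_SCRIPT)` and feeding the result to `material_counts`, `lemma_hot_spots` and `heat_lines` gives the three per-line and per-lemma properties; a revision-information column would come from version control in the same shape, one value per line, which is what makes the Ball-and-Eick rendering applicable to proof scripts without change.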
![Page 25: Tool Support for proof Engineering](https://reader035.fdocuments.net/reader035/viewer/2022062803/568146c6550346895db4025e/html5/thumbnails/25.jpg)
UITP 2006 Tool Support for Proof Engineering 26
Goal depth
Tools and Techniques
• Common Conveniences
• Proof Visualization in the Large
• Navigation by Derivation
![Page 27: Tool Support for proof Engineering](https://reader035.fdocuments.net/reader035/viewer/2022062803/568146c6550346895db4025e/html5/thumbnails/27.jpg)
UITP 2006 Tool Support for Proof Engineering 28
![Page 28: Tool Support for proof Engineering](https://reader035.fdocuments.net/reader035/viewer/2022062803/568146c6550346895db4025e/html5/thumbnails/28.jpg)
UITP 2006 Tool Support for Proof Engineering 29
Navigation by Derivation
• No obvious analog currently in IDEs, but…
  – Numerous instances where original line numbering is preserved
    • Parsers map to grammar file line numbers
    • gcc maps to source file line numbers
  – A source/assembly navigation tool is desirable
Outline
• Motivation
• Tools and Techniques
• Mechanisms
Mechanisms
• Textual analysis on proofs or scripts
  – Multiple Views
• Compiler/Debugger techniques
  – Navigation by derivation
• Both
  – Refactoring
  – Proof visualization in the large
Summary
• IPEs non-existent
• Proofs must be managed
• Technology already exists
• Considerable theoretical possibilities