Download
# Static and User-Extensible PowerPoint Presentation, PPT - DocSlides

briana-ranney | 2018-10-20 | General

** Tags : **
static-and-user-extensible-1414868
conversion proof
type checker
proof
conversion
checker
type
checking
evaluation
tactics
assistants
user
trivial
static
scripts
typed
script
architecture
theorem
extensible
qed
### Presentations text content in Static and User-Extensible

Show

Proof Checking. Antonis. . Stampoulis. . Zhong. Shao. Yale University. POPL 2012. Proof assistants are becoming popular in our community. CompCert. [Leroy et al.]. seL4 [Klein et al.]. Four-color theorem [. ID: 690942

- Views :
**4**

**Direct Link:**- Link:https://www.docslides.com/briana-ranney/static-and-user-extensible-1414868
**Embed code:**

Download this presentation

DownloadNote - The PPT/PDF document "Static and User-Extensible" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Slide1

Slide30

Slide31

Slide39

Static and User-ExtensibleProof Checking

Antonis

Stampoulis

Zhong

Shao

Yale University

POPL 2012

Slide2Proof assistants are becoming popular in our community

CompCert

[Leroy et al.]

seL4 [Klein et al.]Four-color theorem [Gonthier et al.]

1 to 1.5 weeks per paper proof page4 pages of formal proof per 1 page of paper proof

… but they’re still hard to use

[

Asperti

and

Coen

‘10]

Slide3communicated to a fixed proof checkermust spell out all details

use domain-specific lemmas

Formal proofs

communicated to a person

rely on

domain-specific intuitionuse “obviously”

Informal proofs

Slide4procedures that produce proofsdomain-specific tactics good in large developments

but difficult to write!

We need tactics to omit details

u

ntypedproofs within tactics can be wrong!

Slide5Proof assistants are hard to use because

1.

c

annot extend proof checker → lots of details

2. no checking for tactics → lots of potential errorsThese are architectural issues

Slide6Our contribution:

A new architecture for proof assistants

1.

c

annot extend proof checker → lots of details2. no checking for tactics → lots of potential errors1. extensible proof checker → omit lots of details2. extensible checking for tactics → lots of errors avoided

static checking of contained proofs

full programming model

soundness guaranteed

More specifically:

a

new language

design

a

new

implementation

and a new

metatheory

based on

VeriML

[ICFP’10

]

“intuition” stack

Slide7Architecture of proof assistants

Slide8Architecture of proof assistants:

main notions

Slide9Architecture of proof assistants:

Checking proof objects

Proof object

Proof checker

Conversion ruleImplicitly check equivalences(proof omitted)

Conversion

Slide10Architecture of proof assistants:

Checking proof objects

Proof object

Proof checker

Coqβι-conversion

Conversion

Slide11Architecture of proof assistants:

Checking proof objects

Proof object

Proof checker

CoqMTβι-conversion +linear arithmetic

Conversion

Slide12Architecture of proof assistants:

Checking proof objects

Proof object

Proof checker

rich static information(de)composablechecking not extensible

Conversion

Slide13Architecture of proof assistants:

Validating proof scripts

Proof script

Proof checker

Proof objectConversion

evaluation

e

xtensible through tactics

rich programming model

no static information

not (de)

composable

hidden proof state

use conversion for more robust scripts

Slide14Moving to typed proof scripts

Typed proof script

Type checker

Proof script

Proof object

Proof checker

Conversion

evaluation

Proof checker

Conversion

evaluation

Slide15Moving to typed proof scripts +extensible conversion

Typed proof script

Type checker

Proof checker

Conversion

evaluation

Arithmetic tactic

User tactic

Other tactic

Key insight:

conversion is just a hardcoded trusted tactic

but we can trust other tactics too if they have the right type

User-defined Conversion

Slide16Moving to typed proof scripts +extensible conversion

Typed proof script

evaluation

Key insight:

conversion is just a hardcoded trusted tacticbut we can trust other tactics too if they have the right type

Type checker

Proof checker

Conversion

User-defined Conversion

none of them needs to be hardcoded!

Type checker

User-specified Conversion

Proof checker

Other tactic

Slide17Typed proof scripts +extensible conversion

Typed proof script

evaluation

Type checker

User-specified Conversion

Proof checker

rich static information

user chooses conversion

extensible static checking

smaller proof checker

can generate

proof

objects

Slide18Type checking tactics: an example

c

heck propositions for equivalence

return a proof if they are

raise an exception otherwiseMetatheory result 1. Type safetyIf evaluation succeeds,the returned proof object is validMetatheory result 2. Proof erasureIf evaluation succeeds, a valid proof object exists even if it’s not generated

Slide19Two modes of

evaluation

evaluation

proof

objectproof erasureevaluationmode controlled per functionTyped proof script

User-specified Conversion

Type checker

Proof checker

Slide20Typed proof script

Type checker

User-specified Conversion

evaluation

Proof checker

Static checking = type checking + staging under proof-erasure

typechecking

stage-one

evaluation

w

ith proof erasure

evaluation of residual

program

Slide21A stack of conversion rules

conversion in Coq

removed from trusted base

makes most uses of rewrite/

autorewrite unnecessaryring_simplify for Natclose to CoqMTno additions to logic metatheoryactually, with reductionsno proof by reflection or translation validationleveraging static proof scripts

Slide22A stack of conversion rules

potentially non-terminating

reduce proving for “real” versions

Slide23Static proof scripts in tactics

Slide24Require Import Arith.Variable

x : Nat.

Theorem

test1 : 0 + x = x.trivial.Qed

.Theorem test2 : x + 0 = x.trivial.Qed.Motivating Coq Example

Slide25Require Import

Arith

.

Variable x : Nat.

Theorem test1 : 0 + x = x.trivial.Qed.Theorem test2 : x + 0 = x.trivial.Qed.Motivating Coq ExampleProof completed

Slide26Require Import

Arith

.

Variable x : Nat.

Theorem test1 : 0 + x = x.trivial.Qed.Theorem test2 : x + 0 = x.trivial.Qed.Motivating Coq ExampleAttempt to save an incomplete proof

Slide27Require Import Arith.Variable

x : Nat.

Theorem

test1 : 0 + x = x.trivial.Qed

.Theorem test2 : x + 0 = x.trivial.Qed.Motivating Coq ExampleConversion rule can prove thisbut can’t prove this

Slide28Let’s add this to our conversion rule!

write a rewriter based on these lemmas

register it with conversion

now it’s

trivial; lemmas used implicitly

Slide29Slide30

Slide31

not checked statically

recomputed many times

similar to trivial

uses conversion

P and P’ inferred

Slide32checked at definition time

computed once

transformation of runtime arguments to constant arguments

Slide33How does it work?

Slide34Implementation

http://www.cs.yale.edu/homes/stampoulis/

type

inferencing

and implicit argumentscompiler to OCamlrewriter code generationinductive typesTalk to me for a demo!

Slide35What’s in the paper and TR

Static and dynamic semantics

Metatheory

:Type-safety theoremProof erasure theoremStatic proof script transformation

Implementation details andexamples implementedTyped proof scripts as flexible proof certificates

Slide36Related workproof-by-reflection

restricted programming model (total functions)

tedious to set up

here: no need for termination proofsautomation through canonical structures / unification hintsrestricted programming model (logic programming)very hard to debug

Slide37Summary

a

new architecture for proof assistants

user-extensible checking of proofs and tacticsminimal trusted corereduce required effort for formal proofs

Thanks!

http://www.cs.yale.edu/homes/stampoulis/

Slide38Slide39

Backup slides

Slide40Type checking proofs and tactics

Type checker

Proof checker

manipulate proofs and propositions in a type-safe manner

dependent pattern matching on logical termslogic and computation are kept separateBeluga [Pientka & Dunfield ‘08]

Delphin [Poswolsky & Schürmann ‘08]VeriML [

Stampoulis

& Shao ‘10]

Slide41Related workLCF family of proof assistants

no information while writing proof scripts/tactics

Coq /

CoqMTconversion rule is fixedchanging it requires re-engineeringNuPRLextensional type theory and sophisticated conversion

here: user decides conversion (level of undecidability)Beluga / Delphinuse as metalogic for LFhere: the logic is fixed; the language is the proof assistant

Today's Top Docs

Related Slides