Automated functional program verification using fixpoint fusion - PowerPoint Presentation

Uploaded by lindy-dunigan on 2019-12-10




Presentation Transcript

Automated functional program verification using fixpoint fusion William Sonnex University of Cambridge (Imperial College at heart)

Proof by simplification Start with: Simplify:  

Properties provable Properties proven by current implementation: Properties hopefully provable soon:  

Functional language used Simply typed lambda calculus with general recursion, absurdity and algebraic data-types (constructors and pattern matching).  


Contents What is fixpoint fusion?New technique “fixpoint fission” allows for How do we prove implications? e.g. New technique “fold-fix fission” allows us to prove  

Fixpoint fusion Turns a context containing a recursive function into just a recursive function:  

Fixpoint fusion Three steps to find : 1. Unwrap the recursive function. 2. Simplify. 3. Replace occurrences of with to get . Fails if occurrences of remain in .

Fixpoint fusion if . Sidenote: this is the free theorem (à la Wadler) of the type of the Y-combinator.

Fusing reverse and append Let’s run fusion on:  

Fix-fix fusion The first type/usage of fusion is “fix-fix fusion” (my name): fusing the composition of two fixpoints, so will be a fixpoint/recursive function. So in we are fusing and . So is and is ; we’ll call , so we are discovering .

Fusing   Unwrap Simplify Replace with  

Fusing   So we have discovered: Big deal. This example is done in Wadler’s deforestation paper from 1990. Let’s add some more uses of fusion… (the next stuff is mine.)
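The three fusion steps on the slides above (unwrap, simplify, replace), run mechanically on the reverse/append case. This is an added example, not the talk's implementation: the term encoding, the list-only datatype, the constructed definitions of `app` and `rev`, and the simplifier's rule set (case-of-known-constructor, hoisting a `case` out of a call argument, unfolding a call only when its scrutinised argument is a constructor) are all my choices. The name `revapp` for the discovered function is likewise mine.

```python
"""Fixpoint fusion (unwrap, simplify, replace) on a tiny first-order term language.
Added example, not the talk's implementation: it fuses Wadler's reverse/append case,
deriving one recursive function revapp with revapp xs ys = rev (app xs ys)."""
from itertools import count
# Terms: ('var', x) | ('con', C, args) | ('app', f, args) | ('case', scrut, branches)
# with branches = ((C, bound_vars, body), ...).  SELF marks the recursive self-call
# of the function being unwrapped, i.e. the fixpoint variable f in f = F f.
SELF, NIL, CONS = "$self", "Nil", "Cons"
_fresh = count()
V = lambda x: ("var", x)
Con = lambda c, *a: ("con", c, tuple(a))
App = lambda f, *a: ("app", f, tuple(a))
Case = lambda s, *br: ("case", s, tuple(br))
# Constructed definitions (the usual ones): app is list append, rev the naive reverse.
DEFS = {
    "app": (("xs", "ys"), Case(V("xs"),
            (NIL, (), V("ys")),
            (CONS, ("x", "xs1"), Con(CONS, V("x"), App("app", V("xs1"), V("ys")))))),
    "rev": (("xs",), Case(V("xs"),
            (NIL, (), Con(NIL)),
            (CONS, ("x", "xs1"), App("app", App("rev", V("xs1")), Con(CONS, V("x"), Con(NIL)))))),
}

def walk(t, fn):
    """Rebuild t bottom-up, applying fn at every node."""
    if t[0] == "case":
        t = ("case", walk(t[1], fn), tuple((c, vs, walk(b, fn)) for c, vs, b in t[2]))
    elif t[0] != "var":
        t = (t[0], t[1], tuple(walk(a, fn) for a in t[2]))
    return fn(t)

def subst(t, m):
    """Substitute free variables; case-bound variables shadow the mapping."""
    if t[0] == "var": return m.get(t[1], t)
    if t[0] != "case": return (t[0], t[1], tuple(subst(a, m) for a in t[2]))
    return ("case", subst(t[1], m), tuple(
        (c, vs, subst(b, {x: y for x, y in m.items() if x not in vs})) for c, vs, b in t[2]))

def unfold(f, args, self_call=None):
    """Instantiate f's body with fresh binders (no capture); self-calls become SELF if asked."""
    params, body = DEFS[f]
    def freshen(n):
        if n[0] != "case": return n
        brs = []
        for c, vs, b in n[2]:
            new = tuple(f"{v}_{next(_fresh)}" for v in vs)
            brs.append((c, new, subst(b, {v: V(w) for v, w in zip(vs, new)})))
        return ("case", n[1], tuple(brs))
    body = walk(body, freshen)
    if self_call:
        body = walk(body, lambda n: App(SELF, *n[2]) if n[:2] == ("app", self_call) else n)
    return subst(body, dict(zip(params, args)))

def simplify(t):
    """Known-constructor cases, hoist a case out of a call, unfold on a constructor argument only."""
    if t[0] == "var": return t
    if t[0] == "case":
        s, brs = simplify(t[1]), tuple((c, vs, simplify(b)) for c, vs, b in t[2])
        if s[0] == "con":
            c, vs, b = next(br for br in brs if br[0] == s[1])
            return simplify(subst(b, dict(zip(vs, s[2]))))
        return ("case", s, brs)
    f, args = t[1], tuple(simplify(a) for a in t[2])
    if t[0] == "app":
        for i, a in enumerate(args):   # f(.., case s of C v -> b, ..) -> case s of C v -> f(.., b, ..)
            if a[0] == "case":         # safe: binders were freshened by unfold, so no capture
                return ("case", a[1], tuple((c, vs, simplify(App(f, *args[:i], b, *args[i + 1:])))
                                            for c, vs, b in a[2]))
        if f in DEFS:
            params, body = DEFS[f]
            if body[0] == "case" and body[1][0] == "var" and args[params.index(body[1][1])][0] == "con":
                return simplify(unfold(f, args))
    return (t[0], f, args)

def fuse(outer, inner, new):
    """Fix-fix fusion: derive `new` with new(args) = outer(inner(args)), treating inner as fix F."""
    params = DEFS[inner][0]
    body = App(outer, unfold(inner, tuple(map(V, params)), self_call=inner))   # 1. unwrap inner
    body = simplify(body)                                                        # 2. simplify
    body = walk(body, lambda n: App(new, *n[2][0][2]) if n[:2] == ("app", outer)   # 3. C[f] -> g
                and len(n[2]) == 1 and n[2][0][:2] == ("app", SELF) else n)
    leftover = []
    walk(body, lambda n: leftover.append(n) or n if n[:2] == ("app", SELF) else n)
    if leftover:                     # an f left outside the context C: fusion fails, as on the slide
        raise ValueError("fusion failed: fixpoint variable left outside the context")
    DEFS[new] = (params, body)
    return body

def evaluate(t, env):
    """Interpreter (Nil/Cons as Python lists) used to check the derived definition."""
    if t[0] == "var": return env[t[1]]
    if t[0] == "con": return [] if t[1] == NIL else [evaluate(t[2][0], env)] + evaluate(t[2][1], env)
    if t[0] == "app":
        params, body = DEFS[t[1]]
        return evaluate(body, dict(zip(params, [evaluate(a, env) for a in t[2]])))
    v = evaluate(t[1], env)
    c, vs, b = next(br for br in t[2] if (br[0] == NIL) == (v == []))
    return evaluate(b, {**env, **dict(zip(vs, [] if v == [] else [v[0], v[1:]]))})

def show(t):
    if t[0] == "var": return t[1]
    if t[0] != "case": return t[1] + (f"({', '.join(map(show, t[2]))})" if t[2] else "")
    return "case %s of %s" % (show(t[1]), "; ".join(
        c + (f"({', '.join(vs)})" if vs else "") + " -> " + show(b) for c, vs, b in t[2]))

def fused_matches(samples):
    """Derive revapp, print it, and return True if it agrees with rev (app xs ys) on all samples."""
    print("revapp(xs, ys) =", show(fuse("rev", "app", "revapp")))
    return all(evaluate(App("revapp", V("xs"), V("ys")), {"xs": xs, "ys": ys})
               == evaluate(App("rev", App("app", V("xs"), V("ys"))), {"xs": xs, "ys": ys})
               for xs, ys in samples)
```

Running `fused_matches([([1, 2, 3], [4, 5]), ([], [])])` prints the discovered definition, `case xs of Nil -> rev(ys); Cons(x_0, xs1_1) -> app(revapp(xs1_1, ys), Cons(x_0, Nil))` (binder suffixes vary), which is exactly the single-recursion Wadler obtains for `rev (xs ++ ys)`. Note what the failure check is about: the `app` that survives in the Cons branch comes from `rev`'s body, a global reference, whereas the check looks only for the fixpoint variable of the unwrapped function (`SELF`), every occurrence of which must have been swallowed by the context.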


Fixpoint fission This next technique is “fixpoint fission”; it is the reverse of fusion: Fusion starts with and and derives . Fission starts with and and derives .

Fixpoint fission Backwards three steps of fusion: 1. Start with and replace with . 2. Simplify. 3. Drop to get . Fails if not of the form for some .

Fissioning   Earlier we fused Using simple code analysis we can conjecture that for some  

Fissioning   We can use “constructor fission” on where and Start with … and replace with , i.e.  

Fissioning   Start with and replace with . Simplify. Drop to get .

Fissioning   We fissioned from , which is α-equivalent to , so we have found:   Woo, lemma discovery using simplification!
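The fission steps above carried through on the reverse/append case, as an added worked example (mine, not the talk's slides). It starts from the fused definition g that fix-fix fusion produces for rev (app xs ys), conjectures the context C from the shape of that definition (base case rev ys, every step appending on the right), and recovers the missing function. The two auxiliary equations used in the simplify step, app zs [] = zs and app (app a b) c = app a (app b c), are assumed here as already-established lemmas; the notation and the choice of context are my own.

```latex
\begin{align*}
&\text{Fused definition: } g\,xs\,ys = \mathbf{case}\ xs\ \mathbf{of}\ [\,]\to rev\,ys;\ (x:xs')\to app\,(g\,xs'\,ys)\,[x] \\
&\text{Conjecture (from the shape of } g\text{): } g\,xs\,ys = C[f\,xs] \text{ for some } f,\quad C[\cdot] = app\,(rev\,ys)\,(\cdot) \\
&\text{Step 1, replace } g\,xs'\,ys \text{ by } C[f\,xs']: \\
&\qquad \mathbf{case}\ xs\ \mathbf{of}\ [\,]\to rev\,ys;\ (x:xs')\to app\,(app\,(rev\,ys)\,(f\,xs'))\,[x] \\
&\text{Step 2, simplify with } app\,zs\,[\,] = zs \text{ and } app\,(app\,a\,b)\,c = app\,a\,(app\,b\,c): \\
&\qquad \mathbf{case}\ xs\ \mathbf{of}\ [\,]\to app\,(rev\,ys)\,[\,];\ (x:xs')\to app\,(rev\,ys)\,(app\,(f\,xs')\,[x]) \\
&\qquad = app\,(rev\,ys)\,\big(\mathbf{case}\ xs\ \mathbf{of}\ [\,]\to[\,];\ (x:xs')\to app\,(f\,xs')\,[x]\big) = C[\,\cdots\,] \\
&\text{Step 3, drop } C: \quad f\,xs = \mathbf{case}\ xs\ \mathbf{of}\ [\,]\to[\,];\ (x:xs')\to app\,(f\,xs')\,[x] \;\equiv_\alpha\; rev\,xs \\
&\text{Hence } rev\,(app\,xs\,ys) = g\,xs\,ys = app\,(rev\,ys)\,(rev\,xs).
\end{align*}
```

Step 2 is where fission can fail: if the simplified body cannot be pushed into the form C[...] for every branch, there is no f to drop to, which matches the failure condition on the slide.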

Fusing   With the sub-simplification: We can use fix-fix fusion on:  This is a fixpoint fission step where , which I don’t have time to explain.


What about implication? So far we have seen simplifications equivalent to equational lemma discovery. Some lemmas feature implication, e.g. how do we reason like this within simplification?

What about implication? Some lemmas feature implication, e.g. how do we reason like this within simplification? My interpretation of is: If we are down a branch where is pattern matched to then .

Definition of    

What about implication? We want: Since we have an inner recursive function () and an outer context (the pattern match) we can use fusion!  

What about implication? We want: First we express the pattern match at the location of the recursive function: Now we can run fusion on  

What about implication? Now we can run fusion on where and  

What about implication? Unwrap Simplify    


What about implication? Simplify Replace occurrences of with    

What about implication? We have fused with yielding: which simplifies to just:  

Recap of match-fix fusion We had: We expressed where was: We ran fusion: I call this match-fix fusion   
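Match-fix fusion carried through on a small implication lemma, as an added worked example that is not from the slides. The lemma, the definition of leq on Peano naturals, and the simplifier steps are my own choices; ⊥ stands for the language's absurdity in a branch where the antecedent's match fails, and the final step (reading a definition whose every non-absurd leaf is True and whose other leaves are recursive calls as True itself) is my reading of the slide's "simplifies to just True".

```latex
\begin{align*}
&leq\,n\,m = \mathbf{case}\ n\ \mathbf{of}\ Z\to True;\ S\,n'\to \mathbf{case}\ m\ \mathbf{of}\ Z\to False;\ S\,m'\to leq\,n'\,m' \\
&\text{Lemma: } leq\,n\,m = True \implies leq\,n\,(S\,m) = True \\
&\text{Implication as a match at the recursive call, } C[\cdot] = \mathbf{case}\ \cdot\ \mathbf{of}\ True\to leq\,n\,(S\,m): \\
&\qquad h\,n\,m = C[leq\,n\,m] \\
&\text{Unwrap } leq: \\
&\qquad \mathbf{case}\ (\mathbf{case}\ n\ \mathbf{of}\ Z\to True;\ S\,n'\to \mathbf{case}\ m\ \mathbf{of}\ Z\to False;\ S\,m'\to leq\,n'\,m')\ \mathbf{of}\ True\to leq\,n\,(S\,m) \\
&\text{Simplify (case-of-case, known constructors, unfold } leq\,Z\,(S\,m) \text{ and } leq\,(S\,n')\,(S\,(S\,m'))\text{):} \\
&\qquad \mathbf{case}\ n\ \mathbf{of}\ Z\to True;\ S\,n'\to \mathbf{case}\ m\ \mathbf{of}\ Z\to \bot;\ S\,m'\to \mathbf{case}\ leq\,n'\,m'\ \mathbf{of}\ True\to leq\,n'\,(S\,m') \\
&\text{Replace } C[leq\,n'\,m'] \text{ (the context at the recursive call) by } h\,n'\,m': \\
&\qquad h\,n\,m = \mathbf{case}\ n\ \mathbf{of}\ Z\to True;\ S\,n'\to \mathbf{case}\ m\ \mathbf{of}\ Z\to \bot;\ S\,m'\to h\,n'\,m' \\
&\text{Every reachable leaf is } True, \text{ so } h\,n\,m = True \text{ and the lemma holds.}
\end{align*}
```

The S n', Z branch is the one an induction prover would have to argue about separately (the antecedent is False there, so the implication holds vacuously); in the fused form it is simply an absurd branch that the simplifier discards.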

Match-fix fusion But what about properties with multiple antecedents? This corresponds to multiple pattern matches: We could run one big fusion step…  

Match-fix fusion We could run one big fusion step: But there is no need, we can fuse each match in one by one:  

Match-fix fusion We can always fuse matches in one by one with no loss of simplifiability (proven). Consider: Certain definitions of here will block induction, hence ACL2 has heuristics for dropping antecedents. Fusion of just fails and we move on: no heuristics needed!

Compositionality of fusion Fusion is a compositional approach each step can be run one by one, e.g.  


Fusion doesn’t require search Simplifications are fully automatic. If they happen in isolation they’ll happen in a larger proof/simplification. If a proof needs we don’t need to provide the lemma; we don’t need rules to guide rewriting (like rippling).

So far… Fix-fix fusion, constructor fission and match-fix fusion can solve almost all of the properties I tested Zeno on. Notably All of the above has been implemented. Now I will demonstrate the next phase of my work, which simplifies


Verifying    

Verifying   Proving requires the lemma: This lemma is not a generalisation of a sub-goal (sorry ACL2). This lemma contains functions which are not in the original definition , (sorry HipSpec). 

Verifying   We start with:   Mathematically impossible to fuse with  

Verifying   We start with:   Let’s fuse with  

Verifying   Unwrap Simplify No instances of to replace   

Verifying   The problem is we have: And we want: We need to discover the definition of .  So we can rewrite  

Fold-fix fission We have . First the algorithm will fix-fix fuse into some new function .

Fold-fix fission Now we want  

Fold-fix fission Now we want This is just fission! But this time instead of knowing and , and discovering we know and , and must discover  

Discovering   The trick is to assume is a fold function. A fold function over two booleans is two nested pattern matches. So we assume, for some , , , and :

Discovering   Give us: when when when when   and  

Discovering    


Discovering   We have discovered Hence  


Back to   Unwrap Simplify Use fold-fission on  

Back to   … use fold-fission on Replace with  

Back to   Put the definition of back in (remember is the uninterpreted form of ):  


Back to   Fix-fix fusion will fuse  

If we recall our lemma… This is the definition we get from fusing !  

Verifying    


Fold-fix fission I demonstrated fold-fix fission over a non-recursive datatype (), but it generalises to recursive datatypes too! I didn’t use the fission process much with ; it becomes necessary for recursive datatypes. No time to explain though.

Conclusion Fix-fix fusion and constructor fission will do automated inductive proof for equational properties. Match-fix fusion will do automated inductive proof for implication properties. Fusion is compositional and requires no search space. Fold-fix fission is awesome.

Future work Finish implementation. Proofs of completeness w.r.t. proof by induction. Dependently typed fusion.