proof weaving

PROOF WEAVING

Anne MulhernComputer Sciences DepartmentUniversity of Wisconsin-Madison

Madison, WI [email protected]

www.cs.wisc.edu/~mulhern

MM 2006 Proof Weaving 2

Modifying Proofs

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

must add new constructor

must fix brokenscripts

Done!I’ll use tacticals tomake my scripts morerobust

must add new,dissimilar constructorI’ll write a specialpurpose tacticI will not evergraduate doing this

I could modifythe proof objects

But they are very big and complex

and structured


Mutual Antagonism

• Modular and incremental approaches are ubiquitous in computer science

• Theorem provers do not readily support certain kinds of modular or incremental proof development– Transparent dependencies invalidate existing

proofs when underlying structures are changed


Proof Weaving

• A technique for combining – Separate proof objects– Of the same theorem– On different underlying structures

• And forming– A single proof object– Of the same theorem– On a combination of the underlying structures


Disclaimer

• There is no implementation

• Demo: me typing


Dependencies

• If L1 and L2 are two identifiers denoting definitions, lemmas, functions, or types, a dependency between L1 and L2 exists when L1 is a free identifier occurring in the -term associated with L2.

[Proof Reuse with Extended Inductive Types, Boite, 2004]


Dependencies on term

• Forall lists of terms, either the length of the list is zero or the length of the list is greater than zero

• TmTrue, which is a term, is a value

• Equality on terms is decidable


Dependencies

• An object L has a transparent dependency with an inductive type I, if L has a dependency with an induction principle of I, or if a case analysis on type I is performed in the -term representing L.

• An object L has an opaque dependency with an inductive type I, if its dependency with I is not transparent.

[Proof Reuse with Extended Inductive Types, Boite, 2004]


Transparent Dependencies Bad

• If a constructor C is added to an inductive type I, wherever there is a transparent dependency on I the object that contains the transparent dependency must be updated to accommodate C. – Match case added– Additional argument passed to induction

principle


Quiz: Transparent or Opaque?

Forall lists of terms, either the length of the list is zero or the length of the list is greater than zero

Opaque!



TmTrue, which is a term, is a value

Opaque!



Equality on terms is decidable

Transparent!


Inductive term : Set := | TmTrue : term | TmFalse : term.

Lemma eq_dec : forall (t t’ : term), {t = t’} + {t <> t’}.


Lemma eq_dec : forall (t t’ : term), {t = t’} + {t <> t’}.decide equality.Qed.


induction t. intro t’.case t’. left. reflexivity. right. discriminate. intro t’. case t’. right. discriminate. left. reflexivity.Qed.


Transparent Dependency on term


Transparent dependency on term


Transparent dependency on term

induction t. intro t’.case t’. left. reflexivity. right. discriminate. intro t’. case t’. right.discriminate. left. reflexivity.Qed.

induction t. intro t’.case t’. left. reflexivity. right. discriminate. intro t’. case t’. right.discriminate. left. reflexivity.Qed.

induction t. intro t’.case t’. left. reflexivity. right. discriminate. right. discriminate. intro t’. case t’. right. discriminate. left. reflexivity.Qed.


False Transparent Dependencies

• Some transparent dependencies are false transparent dependencies– A case analysis is performed– Most constructors are irrelevant

• False transparent dependencies are removable


Outline

• False Transparent Dependencies

• True Transparent Dependencies


Outline




Transparent Dependency


Transparent Dependencies


False Transparent Dependencies(@eq_ind term TmTrue

(fun e : term => match e with | TmTrue => True | TmFalse => False | TmIf _ _ _ => False end) I (TmIf tm1 tm2 tm3) H1)

eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P yterm : SetTmTrue : termTmFalse : termTmIf : term -> term -> term -> termTrue : PropFalse : PropI : TrueH1 : TmTrue = TmIf tm1 tm2 tm3

(Type Environment)


False Transparent Dependencies(@eq_ind term TmTrue

(fun e : term => match e with | TmTrue => True | TmFalse => False | TmIf _ _ _ => False end) I (TmIf tm1 tm2 tm3) H1)

forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P yforall (x : term) (P : term -> Prop), P x -> forall y : term, x = y -> P yforall (P : term -> Prop), P TmTrue -> forall y : term, TmTrue = y -> P y

F

F TmTrue -> forall y : term, TmTrue = y -> F y

forall y : term, TmTrue = y -> F yTmTrue = (TmIf tm1 tm2 tm3) -> F (TmIf tm1 tm2 tm3)

F (TmIf tm1 tm2 tm3)False



• Easily identified

• Fixable


Outline




Outline


• True Transparent Dependencies– Syntactically similar subterms


Syntactically Similar Subterms


Template Extractionmatch H0 in (typeof t t0) return (t = TmIf tm1 tm2 tm3 -> t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0) with | TTrue => fun (H1 : TmTrue = TmIf tm1 tm2 tm3) (H2 : TyBool = x) => False_ind (TyBool = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0) (@eq_ind term TmTrue (fun e : term => match e with | TmTrue => True | TmIf _ _ _ => False | _ => 0 = 1 end) I (TmIf tm1 tm2 tm3) H1) H2


Template Extractiontemplate (H0 : typeof t t0) => H0 => fun (H1 : t = TmIf tm1 tm2 tm3) (H2 : t0 = x) => False_ind (t0 = x -> exists x0 : term, eval (TmIf tm1 tm2 tm3) x0) (@eq_ind term t (fun e : term => match e with | t => True | TmIf _ _ _ => False | _ => 0 = 1 end) I (TmIf tm1 tm2 tm3) H1) H2


Term Reconstruction


Example: if

true : Bool

false : Bool

t1 : Bool t2 : T t3 : T

if t1 then t2 else t3 : T

If an if statement is well typed then it can be further evaluated.

FalseThe if statement can be further evaluated.

FalseThe if statement can be further evaluated.

The if statement can be further evaluated.


Observation

• False transparent dependencies and true transparent dependencies with syntactically similar subterms– Arise frequently– Are easily identified– Are tractable


To Weave Proof Objects…

• Remove false dependencies in each proof object

• For each proof object– Reconstruct proof subterms corresponding to

the constructors in the other proof object• Reject those terms that are not well-typed

• Weave subterms from each proof together


How is this technique working?

• Algorithm performed by hand

• Numerous small examples

• References + if statements– Each separate proof has several hundred lines

of code– Six subgoals presented to refine tactic

• Must move to implementation


Could this technique be useful?

• Yes– Size of proof is roughly polynomial in number

of constructors– “Developer effort” linear?


Related Work

• Proof Reuse with Extended Inductive Types [Olivier Boite, TPHOLS 2004]

• Generating Generic Functions [Johan Jeuring, Alexey Rodrigues, Gideon Smeding, WGP 2006]

• Plagiator - A learning prover [Thomas Kolbe and Jurgen Brauburger, CADE-14 1997]


Topics Not Covered

• Mapping generated proof to proof script

• Simplifying proof terms for easier template extraction

• Removing or changing (rather than adding) constructors

• Changing the proof statement


Future Work

• Implementation– Requires Coq infrastructure

• Typechecker

• Tools for manipulating AST

• Supporting refactorings


Conclusion

• Proof Weaving– Addresses the drawbacks of tactic reuse and

specialized tactics– Is a general technique– Especially suitable for proofs of programming

language properties– Preliminary results are encouraging

PROOF WEAVING

Anne MulhernComputer Sciences DepartmentUniversity of Wisconsin-Madison

Madison, WI [email protected]

www.cs.wisc.edu/~mulhern

proof weaving

Documents

proof weavinginductive

forall t t

term tmfalse

intro t

proof reuse

opaque dependency

separate proof objectsof

modifythe proof objectsbut