VeriML
DARPA CRASH Project Progress Report
Antonis Stampoulis, October 5th, 2012
A language-based, dependently-typed, user-extensible approach to proof assistants
Software certification
- CompCert [Leroy et al]
- seL4 microkernel [Klein et al]
Mathematical theorems
- Four-color theorem [Gonthier et al]
- Feit-Thompson (Odd Order Theorem) [same team]
Proof-to-code size ratio: ~8 lines to 1
20 p.y. of proof for 2 p.y. of development
Started May 2006, finished last week!
~1.3 weeks per page
Large formal proofs are possible and useful! But they require huge manual effort.
Formal proofs
- can use domain-specific automation
- yet automation reconstructs full details
- validity fixed
- proofs and automation hard to write
Informal proofs
- use "trivially", "similarly", omit unnecessary details
- require domain-specific intuition
- validity extensible
[Figure: layers of reasoning: calculus, reals, basic reasoning]
VeriML
- easy to develop new automation and extend background reasoning
- extensible notion of formal proof (no trivial details!)
- novel programming language
- focus on writing automation procedures
- more generally: programs that construct proofs
- serves as a novel proof assistant
[Figure: rich types, rich programming model and first-class support for logic, giving safety, expressiveness and convenience]
Comparison of Architecture
Traditional proof assistants: "proof by juxtaposition"
ML type-checking -> Tactic definition -> Tactic invocation -> Run -> Proof object -> Proof checking -> ?
- HOL4, HOL-Light, Isabelle
- Coq, NuPRL
- PVS, ACL2: don't do that! (unsafe)
Proof scripts invoke tactics; tactics contain proof scripts. Every invocation can fail!
VeriML
VeriML type checking (including proof checking) -> Tactic definition -> Tactic invocation -> Run -> Proof object -> OK!
- Reduce possibility of error
- Leverage information to help user while writing tactic
- Extend traditional interactivity model
- Don't need to produce proof objects
[Figure: normal type-checking; stage-one evaluation without producing proof objects; normal evaluation]
Background reasoning in VeriML
VeriML proofs, tactics, etc. -> VeriML Type- & Proof-checking (with user-defined "intuition" tactics) -> Run
- smaller proof checker
- can still generate full proof objects
- soundness guaranteed
- extensions to background reasoning are cheap
- extensible static checking for proofs and tactics as well!
[Figure: layers of background reasoning: arithmetic simplification, equational reasoning, normal conversion, base VeriML typing]
Recent progress
- main milestone: wrote my dissertation on VeriML and defended it! (400 pages and counting…)
- implementation milestones: VeriML 0.5
  - completed new compilation-based backend for VeriML
  - proper staging support
  - separate compilation of VeriML modules
  - cleaned up various features in the implementation and the examples
- technical milestones
  - cleaned-up presentation of metatheory
  - initial investigation of user-defined representations for VeriML pattern matching
Recent progress: Compilation
Before: VeriML proofs, tactics, etc. -> VeriML Type- & Proof-checking -> VeriML interpreter (~6 mins)
After: VeriML proofs, tactics, etc. -> VeriML Type- & Proof-checking -> VeriML to OCaml -> Residual program -> OCaml interpreter/compiler/JIT (~15 sec)
Example: Arithmetic simplification
Future work
- Further extensions to type inference
- Figure out user-defined representations for pattern matching
- Pattern matching for inductive definitions
- SMT-like cooperating decision procedures