Encoding Induction in Correctness Proofs of Program Transformations as a Termination Problem (slides)


Slide 1

Encoding Induction in Correctness Proofs of Program Transformations as a Termination Problem

Conrad Rau, David Sabel and Manfred Schmidt-Schauß

Goethe-University, Frankfurt am Main, Germany

WST 2012, Obergurgl, Austria

Slide 2

Outline: Introduction, Calculus & Program Transformations, Proving Correctness, Encoding, Conclusion

Introduction and Motivation

- Motivation: automate correctness proofs of program transformations
- Programming language: core language, modelled as an extended λ-calculus
- Correctness of program transformations: based on contextual equivalence
- The correctness proof uses:
  - diagrams (already automated)
  - induction (to be automated through a termination proof)

David Sabel Correctness Proofs of Program Transformations as a Termination Problem C. Rau, D. Sabel, M. Schmidt-Schauß 2/14

Slide 3

Related and Own Work

- Schmidt-Schauß, Schütz, Sabel, 2008: extended λ-calculus LR and correctness of program transformations via diagrams; manual proofs
- Wells, Plump and Kamareddine, 2003: diagrams to show meaning preservation
- Rau, Schmidt-Schauß, 2010, 2011: compute diagrams in extended λ-calculi
- Fuhs, Giesl, Plücker, Schneider-Kamp, Falke, 2009: termination of integer term rewriting

Slide 4

Program Calculus, Contextual Equivalence

Definition (Program calculus $(\mathcal{E}, \mathcal{C}, \xrightarrow{sr}, \mathcal{A})$)
- $\mathcal{E}$: set of expressions
- $\mathcal{C}$: set of contexts
- $\xrightarrow{sr} \subseteq \mathcal{E} \times \mathcal{E}$: reduction relation, usually labeled $\xrightarrow{sr,l}$
- $\mathcal{A} \subseteq \mathcal{E}$: set of answers

Example (Extended λ-calculus LR): call-by-need λ-calculus, core language of pure Haskell

Convergence: $e{\downarrow}$ iff $e \xrightarrow{sr,*} a$ where $a \in \mathcal{A}$ (also called termination)

Definition (Contextual equivalence for $(\mathcal{E}, \mathcal{C}, \xrightarrow{sr}, \mathcal{A})$)
- Contextual approximation: $e_1 \le_c e_0 \iff \forall C \in \mathcal{C}:\ C[e_1]{\downarrow} \implies C[e_0]{\downarrow}$
- Contextual equivalence: $e_1 \sim_c e_0 \iff e_1 \le_c e_0 \wedge e_0 \le_c e_1$

Slide 5

Program Transformations

Definition (Program transformation, correctness)
- A program transformation $\xrightarrow{T} \subseteq \mathcal{E} \times \mathcal{E}$ is correct iff $e_1 \xrightarrow{T} e_0 \implies e_1 \sim_c e_0$
- Focus on $\le_c$, since $\sim_c = \le_c \cap \ge_c$
- $\xrightarrow{T}$ is called convergence preserving iff $e_1 \xrightarrow{T} e_0 \wedge e_1{\downarrow} \implies e_0{\downarrow}$
- $\xrightarrow{T}$ is context-closed for $\xrightarrow{T'}$ iff convergence preservation of $\xrightarrow{T}$ implies $\xrightarrow{T'} \subseteq \le_c$ (e.g. $\xrightarrow{R(T)} := \{(R[e_1], R[e_0]) \mid e_1 \xrightarrow{T} e_0,\ R \in \mathcal{R}\}$)
- Focus on convergence preservation, since $\xrightarrow{T}$ can easily be context-closed

Slide 6

Proving Convergence Preservation

Prove convergence preservation for $\xrightarrow{T}$, i.e. $e_1 \xrightarrow{T} e_0 \wedge e_1{\downarrow} \implies e_0{\downarrow}$.

Picture: given the converging sequence $e_1 \xrightarrow{sr,l_1} e_2 \xrightarrow{sr,l_2} \cdots \xrightarrow{sr,l_n} a_1$ and the transformation step $e_1 \xrightarrow{T} e_0$, construct a converging sequence $e_0 \xrightarrow{sr,l'_1} e'_2 \xrightarrow{sr,l'_2} \cdots \xrightarrow{sr,l'_m} a_0$.

Outline of the convergence preservation proof for $\xrightarrow{T}$, for all $e_1, e_0 \in \mathcal{E}$ with $e_1 \xrightarrow{T} e_0$:
1. Determine all overlaps $e_2 \xleftarrow{sr,l} e_1 \xrightarrow{T} e_0$ and join them into sets of diagrams.
2. Construct a converging reduction sequence for $e_0$ using the diagram sets.

Slide 7

Forking and Answer Diagrams

Diagram for $\xrightarrow{T}$: a rewrite rule $S_L \Rightarrow S_R$ on abstract reduction sequences (ARSs).

- Concrete sequence: $a \xleftarrow{sr,l_n} e_n \xleftarrow{sr,l_{n-1}} \cdots \xleftarrow{sr,l_1} e_1 \xrightarrow{T} e_0$
- Abstract sequence: $A \xleftarrow{sr,l_n} \cdot \xleftarrow{sr,l_{n-1}} \cdots \xleftarrow{sr,l_1} \cdot \xrightarrow{T} \cdot$

"+" denotes the transitive closure of reductions.

Forking diagram: $\cdot \xleftarrow{sr,l_n} \cdots \xleftarrow{sr,l_1} \cdot \xrightarrow{T} \cdot \;\Rightarrow\; \cdot \xrightarrow{T} \cdots \xrightarrow{T} \cdot \xleftarrow{sr,l'_m} \cdots \xleftarrow{sr,l'_1} \cdot$
- a finite representation of overlaps and joining sequences
- represents a set of rewrite rules on concrete sequences

Answer diagram: $A \xrightarrow{T} \cdot \;\Rightarrow\; A \xleftarrow{sr,l_n} \cdots \xleftarrow{sr,l_1} \cdot$

$DF(\xrightarrow{T})$, $DA(\xrightarrow{T})$: sets of diagrams (i.e. rewriting systems)

Slide 8

Complete Sets of Diagrams

Example (Diagrams for $\xrightarrow{iS,llet}$)

$DF(\xrightarrow{iS,llet})$, written as rewrite rules on ARSs:
- $\cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xleftarrow{sr,a} \cdot$
- $\cdot \xleftarrow{sr,lll,+} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xleftarrow{sr,lll,+} \cdot$
- $\cdot \xleftarrow{sr,llet} \cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xleftarrow{sr,a} \cdot$
- $\cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xrightarrow{iS,llet} \cdot \xleftarrow{sr,a} \cdot$
- $\cdot \xleftarrow{sr,lll,+} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xrightarrow{iS,llet} \cdot \xleftarrow{sr,lll,+} \cdot$

$DA(\xrightarrow{iS,llet})$: $A \xrightarrow{iS,llet} \cdot \;\Rightarrow\; A$

Definition (Complete diagram set for $\xrightarrow{T}$)
- $DF(\xrightarrow{T})$ is complete if every ARS of the form $A \xleftarrow{sr,l_n} \cdots \xleftarrow{sr,l_1} \cdot \xrightarrow{T} \cdot$ is rewritable by a diagram in $DF(\xrightarrow{T})$
- $DA(\xrightarrow{T})$ is complete if every sequence $A \xrightarrow{T} \cdot$ is rewritable by a diagram in $DA(\xrightarrow{T})$

Slides 9-19

Proving Correctness through Induction

Construct an evaluation through diagram application and induction. Example for $\xrightarrow{iS,llet}$: let $e_1 \xrightarrow{iS,llet} e_0$ and $e_1 \xrightarrow{sr,l_1} e_2 \xrightarrow{sr,l_2} \cdots \xrightarrow{sr,l_n} a_1$.

- If $e_1$ is already an answer $a_1$, the answer diagram $A \xrightarrow{iS,llet} A$ shows that $e_0$ is an answer $a_0$.
- Otherwise the overlap $e_2 \xleftarrow{sr,l_1} e_1 \xrightarrow{iS,llet} e_0$ is closed by a forking diagram, here $\cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xrightarrow{iS,llet} \cdot \xleftarrow{sr,a} \cdot$, which yields $e_0 \xrightarrow{sr,l_1} e'_2$ and $e_2 \xrightarrow{iS,llet} e'_2$.
- The induction hypothesis (I.H.), applied to the shorter converging sequence $e_2 \xrightarrow{sr,l_2} \cdots \xrightarrow{sr,l_n} a_1$ and the step $e_2 \xrightarrow{iS,llet} e'_2$, gives $e'_2 \xrightarrow{sr,*} a_0$; hence $e_0 \xrightarrow{sr,l_1} e'_2 \xrightarrow{sr,*} a_0$ and $e_0{\downarrow}$.

Rewriting by diagrams, termination by induction.

Slide 20

Proving Correctness by Termination

Lemma. Let $DF(\xrightarrow{T})$ and $DA(\xrightarrow{T})$ be complete sets of diagrams for $\xrightarrow{T}$. If $DF(\xrightarrow{T}) \cup DA(\xrightarrow{T})$ terminates, then $\xrightarrow{T}$ is convergence preserving.

Theorem. Let $\xrightarrow{T'}$ be context-closed for $\xrightarrow{T}$ and $DF(\xrightarrow{T'})$, $DA(\xrightarrow{T'})$ be complete sets of diagrams. Let $\xleftarrow{T''}$ be context-closed for $\xleftarrow{T}$ and $DF(\xleftarrow{T''})$, $DA(\xleftarrow{T''})$ be complete sets of diagrams. If $DF(\xrightarrow{T'}) \cup DA(\xrightarrow{T'})$ and $DF(\xleftarrow{T''}) \cup DA(\xleftarrow{T''})$ terminate, then $\xrightarrow{T} \subseteq \sim_c$.

Slide 21

Automation of Correctness Proof

- $DF(\xrightarrow{T}) \cup DA(\xrightarrow{T})$ is a rewriting system on ARSs that characterizes the convergence preservation of $\xrightarrow{T}$
- Encode complete sets of diagrams into TRSs
- Those TRSs can be automatically tested for termination (e.g. by AProVE)
- Thus a critical part of the correctness proof is automated

Slide 22

Example: Encoding $DF(\xrightarrow{iS,seq}) \cup DA(\xrightarrow{iS,seq})$

$DF(\xrightarrow{iS,seq})$, each diagram with its TRS rules:

1. $\cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,seq} \cdot \;\Rightarrow\; \cdot \xleftarrow{sr,a} \cdot$
   iSseq(sra(x)) → sra(x), iSseq(srseq(x)) → srseq(x), iSseq(srcp(x)) → srcp(x)
2. $\cdot \xleftarrow{sr,seq} \cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,seq} \cdot \;\Rightarrow\; \cdot \xleftarrow{sr,a} \cdot$
   iSseq(sra(srseq(x))) → sra(x), iSseq(srseq(srseq(x))) → srseq(x), iSseq(srcp(srseq(x))) → srcp(x)
3. $\cdot \xleftarrow{sr,a} \cdot \xrightarrow{iS,seq} \cdot \;\Rightarrow\; \cdot \xrightarrow{iS,seq} \cdot \xleftarrow{sr,a} \cdot$
   iSseq(sra(x)) → sra(iSseq(x)), iSseq(srseq(x)) → srseq(iSseq(x)), iSseq(srcp(x)) → srcp(iSseq(x))
4. $\cdot \xleftarrow{sr,cp} \cdot \xrightarrow{iS,seq} \cdot \;\Rightarrow\; \cdot \xrightarrow{iS,seq} \cdot \xrightarrow{iS,seq} \cdot \xleftarrow{sr,cp} \cdot$
   iSseq(srcp(x)) → srcp(iSseq(iSseq(x)))

$DA(\xrightarrow{iS,seq})$: $A \xrightarrow{iS,seq} A$, i.e. iSseq(A) → A

Termination of $DF(\xrightarrow{iS,seq}) \cup DA(\xrightarrow{iS,seq})$ was shown using AProVE.

Slides 23-25

Example: Encoding Transitive Closure of Reductions

Diagram: $\cdot \xleftarrow{sr,lll,+} \cdot \xrightarrow{iS,llet} \cdot \;\Rightarrow\; \cdot \xleftarrow{sr,lll,+} \cdot$

Transitive closure of reductions: infinite sets of diagrams.

Naive encoding:
- Diagram rule: iSllet(D(x)) → E(x)
- Contract a sequence of lll-reductions into the transitive closure: srlll(x) → D(x), srlll(D(x)) → D(x)
- Expand the transitive closure into a sequence of lll-reductions: E(x) → srlll(x), E(x) → E(srlll(x))

The naive approach introduces non-termination:

iSllet(srlll(srlll(A))) →* iSllet(D(A)) → E(A) → E(srlll(A)) → . . .

CITRS approach: the rules iSllet(D(x)) → E(x), E(x) → srlll(x) and E(x) → E(srlll(x)) are replaced by
- iSllet(D(x)) → E(k, x)
- E(0, x) → x
- E(k, x) → E(k − 1, srlll(x)) if k > 0

Now iSllet(srlll(srlll(A))) →* E(k, A) → E(k − 1, srlll(A)) → . . . → srlll^k(A).
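As an added example (not code from the slides or from the authors' tool), the following Python script plays through the two encodings on concrete terms: the TRS for $DF(\xrightarrow{iS,seq}) \cup DA(\xrightarrow{iS,seq})$ from the Encoding slide, and the naive versus the CITRS encoding of the transitive closure from the slide above. ARSs are represented as nested tuples in the slides' term notation (the outermost symbol is the rightmost arrow, so iSseq(srcp(srseq(A))) stands for $A \xleftarrow{sr,seq} \cdot \xleftarrow{sr,cp} \cdot \xrightarrow{iS,seq} \cdot$), every rule may fire at any position, and `explore` follows every rewrite sequence from a start term and reports whether the reachable term graph is finite and acyclic and which normal forms it reaches. The node bound `LIMIT`, the bound `KMAX` on the fresh counter k, the start term iSseq(srcp(srseq(A))) and all helper names are assumptions of this example; the exhaustive search on one start term is a check of an encoding, not a termination proof of the TRS, which is what AProVE supplies.

```python
# Added example: playing through the diagram TRSs on concrete terms.
# Terms are nested tuples (symbol, arg, ...); the answer constant A is ("A",).
# Outermost symbol = rightmost arrow of the ARS, as in the slides' encoding.

A = ("A",)
SR = ("sra", "srseq", "srcp")   # sr-labels used on the Encoding slide
LIMIT = 300                     # assumption: node bound for the finite exploration
KMAX = 2                        # assumption: the fresh counter k ranges over 0..KMAX


def sym(t):
    return t[0] if isinstance(t, tuple) else None


def contains(t, symbol):
    """True if `symbol` occurs anywhere in the term."""
    return isinstance(t, tuple) and (t[0] == symbol or any(contains(a, symbol) for a in t[1:]))


# --- DF(iS,seq) ∪ DA(iS,seq), the TRS from the Encoding slide -----------------
def df_iSseq(t):
    """Root rewrites of t by the four forking-diagram rule schemas."""
    out = []
    if sym(t) == "iSseq" and sym(t[1]) in SR:
        l, x = sym(t[1]), t[1][1]
        out.append((l, x))                       # iSseq(srl(x)) -> srl(x)
        out.append((l, ("iSseq", x)))            # iSseq(srl(x)) -> srl(iSseq(x))
        if sym(x) == "srseq":
            out.append((l, x[1]))                # iSseq(srl(srseq(y))) -> srl(y)
        if l == "srcp":
            out.append(("srcp", ("iSseq", ("iSseq", x))))  # -> srcp(iSseq(iSseq(x)))
    return out


def da_iSseq(t):
    return [A] if t == ("iSseq", A) else []      # answer diagram: iSseq(A) -> A


# --- transitive closure of lll-reductions: naive and CITRS encodings ----------
def contract_lll(t):
    """srlll(x) -> D(x);  srlll(D(x)) -> D(x)"""
    if sym(t) == "srlll":
        return [("D", t[1])] + ([("D", t[1][1])] if sym(t[1]) == "D" else [])
    return []


def naive_closure(t):
    """iSllet(D(x)) -> E(x);  E(x) -> srlll(x);  E(x) -> E(srlll(x))"""
    if sym(t) == "iSllet" and sym(t[1]) == "D":
        return [("E", t[1][1])]
    if sym(t) == "E":
        return [("srlll", t[1]), ("E", ("srlll", t[1]))]
    return []


def citrs_closure(t):
    """iSllet(D(x)) -> E(k, x);  E(0, x) -> x;  E(k, x) -> E(k-1, srlll(x)) if k > 0"""
    if sym(t) == "iSllet" and sym(t[1]) == "D":
        return [("E", k, t[1][1]) for k in range(KMAX + 1)]  # k is fresh: try 0..KMAX
    if sym(t) == "E":
        k, x = t[1], t[2]
        return [x] if k == 0 else [("E", k - 1, ("srlll", x))]
    return []


def successors(t, rules):
    """All one-step rewrites of t at the root or inside any argument (no strategy)."""
    if not isinstance(t, tuple):
        return set()
    out = set()
    for rule in rules:
        out.update(rule(t))
    for i in range(1, len(t)):
        for s in successors(t[i], rules):
            out.add(t[:i] + (s,) + t[i + 1:])
    return out


def explore(start, rules, limit=LIMIT):
    """Depth-first search over every rewrite sequence from `start`.

    Returns (terminating, normal_forms): True when the reachable term graph is
    acyclic and smaller than `limit`, so every sequence ends in a normal form;
    False on a cycle or when the bound is exceeded."""
    ON_PATH, DONE = 1, 2
    colour = {start: ON_PATH}
    normal_forms = set()
    first = list(successors(start, rules))
    if not first:
        normal_forms.add(start)
    stack = [(start, first)]
    while stack:
        term, todo = stack[-1]
        if not todo:
            colour[term] = DONE
            stack.pop()
            continue
        nxt = todo.pop()
        if colour.get(nxt) == ON_PATH:
            return False, normal_forms   # cycle: an infinite rewrite sequence exists
        if colour.get(nxt) == DONE:
            continue
        if len(colour) >= limit:
            return False, normal_forms   # reachable set keeps growing: non-termination suspected
        colour[nxt] = ON_PATH
        succ = list(successors(nxt, rules))
        if not succ:
            normal_forms.add(nxt)
        stack.append((nxt, succ))
    return True, normal_forms


def run_examples():
    """The three checks, keyed by name (start terms: one constructed, two from the slide)."""
    closure_start = ("iSllet", ("srlll", ("srlll", A)))
    return {
        "DF+DA(iS,seq)": explore(("iSseq", ("srcp", ("srseq", A))), [df_iSseq, da_iSseq]),
        "naive closure": explore(closure_start, [contract_lll, naive_closure]),
        "CITRS closure": explore(closure_start, [contract_lll, citrs_closure]),
    }


if __name__ == "__main__":
    for name, (terminating, nfs) in run_examples().items():
        print(f"{name}: terminating={terminating}, {len(nfs)} normal form(s)")
        for nf in sorted(nfs, key=str):
            print("   ", nf)
```

For the iS,seq term every rewrite sequence ends in srcp(srseq(A)) or srcp(A), i.e. in an iSseq-free ARS that is a converging reduction of $e_0$, which is exactly the evaluation the induction proof constructs. The naive closure rules are reported non-terminating (the search either meets the cycle E(D(A)) → E(srlll(D(A))) → E(D(A)) or runs past the node bound on E(srlll(...srlll(A))) ), while the counted CITRS rules terminate for every k up to `KMAX` and leave no iSllet or E in a normal form.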

Slide 26

Results and Further Work

Results:
- Automation of a critical part in correctness proofs: manual induction is replaced by automatic termination proofs
- All diagrams from Schmidt-Schauß, Schütz, Sabel, 2008 (LR-calculus) could be shown terminating by AProVE
- The method is independent of the program calculus

Future work:
- Extend the method to diagrams in other program calculi
- Connect an automated termination prover with the diagram calculator to complete the tool for automated correctness proofs of program transformations