Formal Program Optimization in Nuprl Using Computational Equivalence - - PowerPoint PPT Presentation

Formal Program Optimization in Nuprl Using Computational Equivalence and Partial Types

Vincent Rahli, Mark Bickford, Abhishek Anand July 25, 2013

Vincent Rahli Formal Optimization July 25, 2013 1/31

Goals

Long term goal: Develop provably correct code. Current Goals:

◮ Domain specific programming. ◮ Generate efficient code.

Work done as part of the CRASH project (Correct-by-Construction Attack-Tolerant Systems) funded by DARPA (Defense Advanced Research Projects Agency).

Vincent Rahli Formal Optimization July 25, 2013 2/31

Motivation

implementation of asynchronous fault-tolerant systems.

Vincent Rahli Formal Optimization July 25, 2013 3/31

Motivation

implementation of asynchronous fault-tolerant systems.

Vincent Rahli Formal Optimization July 25, 2013 4/31

Motivation

implementation of asynchronous fault-tolerant systems.

Vincent Rahli Formal Optimization July 25, 2013 5/31

Motivation

implementation of asynchronous fault-tolerant systems.

Vincent Rahli Formal Optimization July 25, 2013 6/31

Nuprl

Computation System

A constructive type theory: CTT13 an evolution of CTT84 closely related to ITT82 [CAB+86, Kre02, ABC+06]. Untyped, deterministic, lazy, applied λ-calculus with: natural numbers, pairs, injections, fix operator, ⊥, call-by-value operator,. . . .

Vincent Rahli Formal Optimization July 25, 2013 7/31

Nuprl

Computation System

2 meta-relations defined on top of the evaluation function [How96]:

◮ approximation ◮ computational equivalence ∼ (a congruence).

a ∼ b a b ∧ b a.

Vincent Rahli Formal Optimization July 25, 2013 8/31

Nuprl

Computation System

2 meta-relations defined on top of the evaluation function [How96]:

◮ approximation ◮ computational equivalence ∼ (a congruence).

a ∼ b a b ∧ b a.

CoInductive approx: term -> term -> Prop := | approxc : forall t1 t2, (forall op terms1, computes_to t1 (Value op terms1)

• > exists terms2,

computes_to t2 (Value op terms2) /\ forall a b, In (a,b) (combine terms1 terms2)

• > approx a b)
• > approx t1 t2.

Vincent Rahli Formal Optimization July 25, 2013 9/31

Nuprl

Computation System

For all terms t, ⊥ t. ⊥, 1 2, 1 (λx.x + 1) 2 ∼ 3. ⊥ ∼ fix(λx.x). halts(t) 0 (let x := t in 0)

Vincent Rahli Formal Optimization July 25, 2013 10/31

Nuprl

Constructive evidence

Type system built on top of the untyped computation system. A type is a partial equivalence relation on λ-terms [All87a, All87b].

Computational semantics: applied λ-terms provide evidence for the truth of propositions. A sequent H ⊢ C ⌊ext t⌋ means that C has computational evidence (extract) t in context H.

Vincent Rahli Formal Optimization July 25, 2013 11/31

Nuprl

Environment

Distributed. Runs in the cloud. Structured editor. Shared library. Tactic language: Classic ML. Replay tool.

Vincent Rahli Formal Optimization July 25, 2013 12/31

Nuprl

ITT82 Types

Equality: a = b ∈ T members: Ax. Dependent function: a:A → B[a]

• members: f such that ∀a ∈ A, f (a) ∈ B[a]

(Extensional function equality.) Dependent product: a : A × B[a]

• members: a, b

Disjoint union: A + B members: inl(a), inr(b) Universe: Ui A hierarchy of universes to avoid Girard’s paradox

Vincent Rahli Formal Optimization July 25, 2013 13/31

Nuprl

Types

Subtype: A ⊑ B Quotient: T//E Intersection: ∩a : A.B[a] ⋆Image: Img(T, f ) Subset: {a : A | B[a]} Img(a : A × B[a], π1) Union: ∪ a : A.B[a] Img(a : A × B[a], π2) Recursive type: rec(F) where F is a monotone function on types [Men88].

Vincent Rahli Formal Optimization July 25, 2013 14/31

Nuprl

Types

Constructive domain theory: Domain: Base closed terms of the computation system quotiented by ∼ ⋆Approximation: a b members: Ax Computational equivalence: a ∼ b members: Ax ⋆Partial types: T contains all members of T as well as all divergent terms

Vincent Rahli Formal Optimization July 25, 2013 15/31

Nuprl

Types

True 0 0 Void False 0 1 Top ∩a : Void.Void (Type, ⊑, ∩, ∪, Top, Void) is a complete bounded lattice.

Vincent Rahli Formal Optimization July 25, 2013 16/31

Computational equivalence

A simple example: let x, y = ⊥ in x ∼ ⊥?

Vincent Rahli Formal Optimization July 25, 2013 17/31

Computational equivalence

A simple example: let x, y = ⊥ in x ∼ ⊥? They have the same observable behavior. How can we prove this equivalence?

Vincent Rahli Formal Optimization July 25, 2013 18/31

Computational equivalence

A simple example: let x, y = ⊥ in x ∼ ⊥? They have the same observable behavior. How can we prove this equivalence? We have to prove: let x, y = ⊥ in x ⊥ ⊥ let x, y = ⊥ in x

Vincent Rahli Formal Optimization July 25, 2013 19/31

Computational equivalence

⊥ let x, y = ⊥ in x is trivial. How about: let x, y = ⊥ in x ⊥ By definition of we can assume: halts(let x, y = ⊥ in x) We added a rule that says: if halts(let x, y = t in F) then t ∼ π1(t), π2(t) (And similarly for all destructors.)

Vincent Rahli Formal Optimization July 25, 2013 20/31

Computational equivalence

system

Vincent Rahli Formal Optimization July 25, 2013 21/31

Computational equivalence

∀t : Top. map(f , map(g, t)) ∼ map(f ◦ g, t)?

Vincent Rahli Formal Optimization July 25, 2013 22/31

Computational equivalence

∀t : Top. map(f , map(g, t)) ∼ map(f ◦ g, t)? map(f , t) = fix  λR.λt.ispair   t, let x, y = t in (f x) • R y, isaxiom(t, nil, ⊥)     t List(T) = rec(L.Unit ∪ T × L) a list: 1, 2, 3, Ax

Vincent Rahli Formal Optimization July 25, 2013 23/31

Computational equivalence

property [Cra98] H ⊢ G[fix(f )/x] t BY [least-upper-bound] H, n : N ⊢ G[f n(⊥)/x] t We prove map(f ◦ g, t) map(f , map(g, t)) using [least-upper-bound] and then by induction on n.

Vincent Rahli Formal Optimization July 25, 2013 24/31

Computational equivalence

In the induction case, we end up with: ispair   t, let x, y = t in (f x) • R y, isaxiom(t, nil, ⊥)   X

H ⊢ C ⌊ext ispair(t, a, b)[x\Ax]⌋ BY [ispairCases] H ⊢ halts(t) H ⊢ t ∈ Base H, x : t ∼ π1(t), π2(t) ⊢ C ⌊ext a⌋ H, x : (∀[u, v : Base]. ispair(z, u, v) ∼ v)[z\t] ⊢ C ⌊ext b⌋

Vincent Rahli Formal Optimization July 25, 2013 25/31

Computational equivalence

Process type: corec(λP.A → P × Bag(B)) where corec(G) = ∩n : N.fix λP.λn.if n =Z 0 then Top else G (P (n − 1))

• n

P = buffer((λn.λbuf .{n + buf }) o base(λm.{m}), {0}) ⇓ P′ = fix(λF.λs.λm.let x ::= m + s in F x, {x}) 0

Vincent Rahli Formal Optimization July 25, 2013 26/31

Computational equivalence

◮ 100/200 computation steps for P ◮ less than 10 computation steps for P′

Vincent Rahli Formal Optimization July 25, 2013 27/31

Computational equivalence

◮ 100/200 computation steps for P ◮ less than 10 computation steps for P′

Schiper):

◮ non-optimized code: 127 milliseconds ◮ optimized code: 60 milliseconds ◮ Lisp code: 5 milliseconds ◮ reference implementation: 1 millisecond

Vincent Rahli Formal Optimization July 25, 2013 28/31

Current and future work

◮ Identify more optimizations. ◮ Prove that our optimizations improve the runtime.

◮ Prove that our new types and rules are valid.

Vincent Rahli Formal Optimization July 25, 2013 29/31

References I

Stuart F. Allen, Mark Bickford, Robert L. Constable, Richard Eaton, Christoph Kreitz, Lori Lorigo, and Evan Moran. Innovations in computational type theory using Nuprl.

• J. Applied Logic, 4(4):428–469, 2006.

http://www.nuprl.org/. Stuart F. Allen. A non-type-theoretic definition of martin-l¨

• f’s types.

In LICS, pages 215–221. IEEE Computer Society, 1987. Stuart F. Allen. A Non-Type-Theoretic Semantics for Type-Theoretic Language. PhD thesis, Cornell University, 1987.

• R. L. Constable, S. F. Allen, H. M. Bromley, W. R. Cleaveland, J. F. Cremer, R. W. Harper, D. J. Howe,
• T. B. Knoblock, N. P. Mendler, P. Panangaden, J. T. Sasaki, and S. F. Smith.

Implementing mathematics with the Nuprl proof development system. Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1986. Karl Crary. Type-Theoretic Methodology for Practical Programming Languages. PhD thesis, Cornell University, Ithaca, NY, August 1998. Douglas J. Howe. Proving congruence of bisimulation in functional programming languages.

• Inf. Comput., 124(2):103–112, 1996.

Vincent Rahli Formal Optimization July 25, 2013 30/31

References II

Christoph Kreitz. The Nuprl Proof Development System, Version 5, Reference Manual and User’s Guide. Cornell University, Ithaca, NY, 2002. www.nuprl.org/html/02cucs-NuprlManual.pdf. P.F. Mendler. Inductive Definition in Type Theory. PhD thesis, Cornell University, Ithaca, NY, 1988. Vincent Rahli Formal Optimization July 25, 2013 31/31