Lightweight proof by reflection using a posteriori simulation of - - PowerPoint PPT Presentation

Lightweight proof by reflection using a posteriori simulation of effectful computation

Guillaume Claret 1 Lourdes del Carmen González Huesca 1 Yann Régis-Gianas 1 Beta Ziliani 2

lgonzale@pps.univ-paris-diderot.fr

1PPS, team πr2 (University Paris Diderot, CNRS, and INRIA) 2Max Planck Institute for Software Systems (MPI-SWS)

TYPES April 24, 2013

1 / 25

Lightweight proof by reflection using a posteriori simulation of effectful computation

2 / 25

Lightweight proof by reflection using a posteriori simulation of effectful computation

3 / 25

Running example

How should we prove the following equivalence?

H1 : A11 „ A12 H2 : A21 „ A22 . . . Hn : An1 „ An2 A „ A1

4 / 25

Running example

How should we prove the following equivalence? Manually using a script?

H1 : A11 „ A12 H2 : A21 „ A22 . . . Hn : An1 „ An2 A „ A1

4 / 25

Running example

How should we prove the following equivalence? Using a decision procedure?

H1 : A11 „ A12 H2 : A21 „ A22 . . . Hn : An1 „ An2 A „ A1

4 / 25

Running example : A decision procedure in pseudo-code

let is_equivalent (hs, (i, j)) : bool = iter (fun (i,j) -> union i j) hs; return (find i == find j) where " union i j merges the equivalence classes of i and j find i returns the unique representative of i

5 / 25

How can we put this decision procedure in work?

6 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.

phs, pi, jqq : listpatom ˆ atomq ˆ patom ˆ atomq

where atom is a type with decidable equality

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.

I (hs, (i, j)) : Prop.

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write the decision procedure D : B Ñ bool in Coq.

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write the decision procedure D : B Ñ bool in Coq.

D phs, pi, jqq : bool.

Critical: How should we implement union and find?

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write the decision procedure D : B Ñ bool in Coq.
• 4. Prove the soundness of D

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write the decision procedure D : B Ñ bool in Coq.
• 4. Prove the soundness of D

sound : @x : B, D x “ true Ñ I x.

if Dphs, pi, jqq “ true then a „ a1 Critical: The development cost of this proof depends on the implementation choice for union and find.

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D sound ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write the decision procedure D : B Ñ bool in Coq.
• 4. Prove the soundness of D

For a specific instance b “ RpPq, the proof-term for I b has the form:

sound b ` refl_eq ` Dpbq ˘˘

7 / 25

Recipe for a proof by reflection

RpPq : B DpRpPqq : bool P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D sound ”

Original Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write the decision procedure D : B Ñ bool in Coq.
• 4. Prove the soundness of D

For a specific instance b “ RpPq, the proof-term for I b has the form:

sound b ` refl_eq ` Dpbq ˘˘

This term has type I b only if D b is convertible to true.

7 / 25

Original proof by reflection A certified decision procedure written in a total language is a robust tool for the proof developer. But, it has a high cost of development,

• ften leading to simplifications

destroying efficiency.

8 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.

D : B Ñ C

Critical: D gives a certificate that must be checked.

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.
• 4. Write a simple certificate checker in Coq.

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.
• 4. Write a simple certificate checker in Coq.

check : @x : B, C Ñ bool

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml ”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.
• 4. Write a simple certificate checker in Coq.
• 5. Prove the soundness of the checker

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml

soundcheck.check

”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.
• 4. Write a simple certificate checker in Coq.
• 5. Prove the soundness of the checker

soundcheck : @x : B, y : C, check x y “ true Ñ I x

9 / 25

Recipe for a proof by reflection with an untrusted oracle

RpPq : B DpRpPqq : C P : Prop ? : P IpRpPqq : Prop ∆ : P

conv

R D in OCaml

soundcheck.check

”

Oracle Proof by Reflection

• 1. Define a type B for the targeted class of problems in Coq.
• 2. Write an interpretation function I : B Ñ Prop.
• 3. Write an (untrusted) oracle D in ML.
• 4. Write a simple certificate checker in Coq.
• 5. Prove the soundness of the checker

For a specific instance b “ RpPq, a proof-term for I b has the form:

soundcheck b Dpbq ` refl_eq ` check Dpbq ˘˘

9 / 25

Proof by reflection using an untrusted oracle The oracle implementation is very efficient. The checker is usually simple to prove. But, we get only weak guarantees about the oracle implementation.

10 / 25

How to implement total and efficient decision procedures?

Efficiency Correctness

total partial

Original Proof by Reflection Oracle Proof by Reflection

11 / 25

How to implement total and efficient decision procedures?

Efficiency Correctness

total partial

Original Proof by Reflection Oracle Proof by Reflection

?

12 / 25

How to implement total and efficient decision procedures?

Efficiency Correctness

total partial

Original Proof by Reflection Effectful

?

13 / 25

Listen to the old wisdom of Haskell’s programmers

14 / 25

Listen to the old wisdom of Haskell’s programmers We can represent inside Coq effectful and partial computations

14 / 25

Listen to the old wisdom of Haskell’s programmers We can represent inside Coq effectful and partial computations thanks to monads!

14 / 25

Running example: using a monad à la Haskell

Definition is_equivalent (hs,(i, j)) : M bool:= iterM (fun (i, j) -> union i j) hs >> let! x = find i in let! y = find j in return (x == y)

15 / 25

Running example: using a monad à la Coq

Definition is_equivalent (hs,(i, j)) : M (I (hs,(i,j))):= iterM (fun (i, j) -> union i j) hs >> let! x = find i in let! y = find j in return (x == y)

16 / 25

Drama

17 / 25

Drama

There is no total function of type M T Ñ T

17 / 25

Lightweight proof by reflection using a posteriori simulation of effectful computation

18 / 25

A posteriori simulation of effectful computation

Coq OCaml

19 / 25

A posteriori simulation of effectful computation

Coq OCaml

Reify the goal as b Define a decision procedure

D : @x : B, M pI xq

19 / 25

A posteriori simulation of effectful computation

Coq OCaml

Reify the goal as b Define a decision procedure

D : @x : B, M pI xq CpD bq

compile & instrument D b

19 / 25

A posteriori simulation of effectful computation

Coq OCaml

Reify the goal as b Define a decision procedure

D : @x : B, M pI xq CpD bq

compile & instrument D b No proof of I b in time allocated The evaluation converges by the user and gives a prophecy p

19 / 25

A posteriori simulation of effectful computation

Coq OCaml

Reify the goal as b Define a decision procedure

D : @x : B, M pI xq CpD bq

compile & instrument D b No proof of I b in time allocated The evaluation converges by the user and gives a prophecy p

Typecheck the proof-term for I b sound prefl_eq pis_unit pópD bqqq

19 / 25

A posteriori simulation of effectful computation

Coq OCaml

Reify the goal as b Define a decision procedure

D : @x : B, M pI xq CpD bq

compile & instrument D b No proof of I b in time allocated The evaluation converges by the user and gives a prophecy p

Typecheck the proof-term for I b sound prefl_eq pis_unit pópD bqqq

ó: MA Ñ C Ñ MA is_unit : MA Ñ bool sound : @x : Mb, is_unit x “ true Ñ b

19 / 25

What is a simulable monad?

20 / 25

What is a simulable monad? It is a monad with

20 / 25

What is a simulable monad? It is a monad with

p : C, a type for prophecies equipped with a order ă

20 / 25

What is a simulable monad? It is a monad with

p : C, a type for prophecies equipped with a order ă ó: MA Ñ C Ñ MA, an operator to simulate an effectful computation using a prophecy

20 / 25

What is a simulable monad? It is a monad with

p : C, a type for prophecies equipped with a order ă ó: MA Ñ C Ñ MA, an operator to simulate an effectful computation using a prophecy

such that:

20 / 25

What is a simulable monad? It is a monad with

p : C, a type for prophecies equipped with a order ă ó: MA Ñ C Ñ MA, an operator to simulate an effectful computation using a prophecy

such that:

If a computation converges in the effectful computational model then there exists a prophecy to simulate this computation in the monad.

20 / 25

What is a simulable monad? It is a monad with

p : C, a type for prophecies equipped with a order ă ó: MA Ñ C Ñ MA, an operator to simulate an effectful computation using a prophecy

such that:

If a computation converges in the effectful computational model then there exists a prophecy to simulate this computation in the monad. (The instrumentation computes an over approximation of this prophecy.)

20 / 25

Simulable monads: Examples

Effect M T Prophecy non-termination nat Ñ option T the maximal recursion depth non-determinism list T a list of success choices state S Ñ S ˆ T an initial state

21 / 25

Simulable monads: Examples

Effect M T Prophecy non-termination nat Ñ option T the maximal recursion depth non-determinism list T a list of success choices state S Ñ S ˆ T an initial state

Simulating does not necessarily mean recomputing!

21 / 25

Programming with dependent types and partial functions

Program Definition Find hash u : { M Σ u’: Index.t | u == u’ } := dependentfix (fun i => { j: Index.t | i == j }) (fun find i => let! eq_proof := MHash.Read hash i in let (i’, j, Hij) := eq_proof in if i == i’ then (* case i = i’: should always be the case. *) if i == j then (* case i = j: we find it. *) return (exist _ j Hij) else (* case i <> j: we have to continue from j. *) let! r := find j in let (k, Hjk) := r in do! MHash.Write hash i (EqProof.Make (i := i) (j := k) _) in return (exist _ k _) else (* case i <> i’: unexpected *) error "Find: i <> i’") u.

22 / 25

Experiments

“Possible future work is to turn our current implementation [...] into one that uses dynamic programming to memoize the recursive calls. However, this is not a trivial task. Coq’s programming language is purely functional [...], so any data-structure that we use for memoization must be purely functional and operations on that data-structure must all be proved terminating.”

A Reflection-based Proof Tactic for Lattices in COQ

[James & Hinze 2009]

23 / 25

Benefits in terms of efficiency

24 / 25

Final remarks

A plugin for Coq is available and provides a simulable monad that includes partiality, non-termination, state, and non-determinism.

25 / 25

Final remarks

A plugin for Coq is available and provides a simulable monad that includes partiality, non-termination, state, and non-determinism. We invite the audience to try it and give us feedback! http://cybele.gforge.inria.fr/

25 / 25