Static Analysis and Interactive Theorem Proving - A Match Made in - - PowerPoint PPT Presentation

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ?

Jael E. Kriener University of Kent, Canterbury November 18, 2011

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

The Point of this ...

• ... to express amazement and gratitude for

logic(ians) in the old century

• ... to express hopes and dreams for the new century

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Overview

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Static Analysis

Sometimes one wants to know that a program will behave in a certain way before running it.

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Static Analysis

A Static Analyser is a program, that

• takes as input a program, and
• returns information about its behaviour.

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

(Non-) Determinacy in Prolog

Relational Prolog is relational (as opposed to functional). Predicates A Prolog program defines a sets of predicates in Horn clauses (P( x) ← B). Modes Computationally these predicates can be used differently, depending on which arguments are given and which are expected back. Determinism The same predicate may behave deterministically in some modes and non-deterministically in others.

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

... for example:

Example (append)

append( [], Y, Y). append( [A | X], Y, [A | Z]) :- append( X, Y, Z). demo

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

... for example:

Example (append)

append( [], Y, Y). append( [A | X], Y, [A | Z]) :- append( X, Y, Z). deterministic in: x ∨ (y ∧ z)

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

How does it work?

1.1. Define a formal syntax for your language: Program ::= ǫ | Predicate.Program Predicate ::= Head ← Goal ; Goal , ! , Goal ; Goal Head ::= p( x) Goal ::= post(θ) | Head | Goal, Goal where x is a vector of distinct variables and θ is some constraint over some y

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

How does it work?

1.2. Define a semantics over that syntax:

For a given stratified program P, its semantics - µP - is defined as a fixpoint of FP : FP :: Program → Env → Env FP ǫµ = µ FP P.Psµ = FP Ps(µ[p( y) → (FHPµ)(p( y))]) where P = p( y) ← B FH :: Predicate → Env → Env FHp( y) ← Bµ = µ[p( y) → λ Θ. ↓ ∃

y (FG G1µ

Θ : Ψ)] where Ψ =

• FG G3µ[Φ]

if FG G2µ Θ = Φ : Φ FG G4µ Θ

• therwise

and B = G1; G2, !, G3; G4 FG :: Goal → Env → Con↓

seq → Con↓ seq

FG Gµ[] = [] FG post(φ)µ(Θ : Θ) = trim(↓ {φ} ∩ Θ : FG post(φ)µ Θ) FG p( x)µ(Θ : Θ) = (↓ ρ

y,

• x ( µ p(

y) (↓ ρ

• x,

y ([Θ]))))∩Θ : FG p(

x)µ Θ where p( y) ∈ dom(µ) and vars( x) ∩ vars( y) = ∅ FG G1, G2µ(Θ : Θ) = FG G2µ(FG G1µ(Θ : Θ))

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

How does it work?

• 2. Define a map from your syntax to deterministic modes:

The determinacy semantics - δP - of a program P is the greatest fixpoint of DP P: DP :: Program → DEnv → DEnv DP ǫδ = δ DP P.Psδ = DP Ps(δ[p( y) → (DH Pδ)(p( y))]) where P = p( y) ← B DH :: Predicate → DEnv → DEnv DHp( y) ← Bδ = δ[p( y) →↓ ∀

y (DG G1δ

∩ (SG G2 → DG G3δ) ∩ DG G4δ ∩ Θ1 ∩ Θ2)] where Θ1 = mux(SG G1, SG G4) and Θ2 = mux(SG G1, SG G2, G3) and p( y) ← G1 ; G2 , ! , G3 ; G4 ∈ P DG :: Goal → DEnv → Con↓ DG post(φ)δ = ↓ {true} DG p( x)δ = ↓ ρ

y,

• x ∀

y (δ(p(

y))) where p( y) ∈ dom(δ) DG G1, G2δ = (SG G2 → DG G1δ) ∩ (SG G1 → DG G2δ)

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

How does it work?

• 3. Implement that to get your analyser !

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Let’s think about the dialectic here...

Problem: Say you have a program P, and say you care very much that P behaves in a certain way. Solution: You use my analyser A. You will want some sort of guarantee that A is correct ...

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Let’s think about the dialectic here...

Q: “Why should I trust A to be correct?” A: “Because D is correct, and A implements D.”

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Let’s think about the dialectic here...

Q1: “How do I know D is correct?” Q2: “How do I know A implements D?”

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Let’s think about the dialectic here...

Q1: “How do I know D is correct?” A1: “Because I proved Theorem 2:”

Theorem (DG is correct w.r.t. FG)

If Θ ⊆ DGGδP then |FGGµP[Θ]| ≤ 1 for stratified P. That’s not really an answer...

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Let’s think about the dialectic here...

Q2: “How do I know A implements D?” A2: “???”

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

It would be great...

... if I could do my analysis, such that at this point, you have these two guarantees, and you don’t have to trust me on either one, and you don’t understand where they come from either.

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

This is what Coq can do for us:

I can:

• write (and maintain) proofs, and
• give them to you.

You can believe it’s a proof without:

• understanding it, or
• trusting me on it.

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Ideally Coq should do this, too:

I can:

• write these formal proofs over these semantics, and
• get out an implementation of these semantics,
• plus a guarantee that the implementation does the right thing.

They are working on it ...

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Awesome !

This is Curry-Howard come true! And it means, I can be “a logician, not a hacker” (RD) and still be programming!

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Bliss? - Not Quite Yet...

This is programming “Principia-style”... ... and the pain is still great!

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Some of the pain:

Dependent types are painful... !

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

Some of the pain:

Coq’s strict termination requirement is painful... !

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet...

But we’re getting there, so

Thank You!