A proof checking kernel for the λΠ-calculus modulo
Mathieu Boespflug, École Polytechnique
PhD defense, 18 January 2011
Funded by: [sponsor logos]
Pythia of Delphi (illustration): True / False
Proof implies truth.¹
¹ For any reasonable notion of proof.
Formal systems
Example: words over the alphabet a-z (with the empty word ε).
☙ The language of formulae: "P is a palindrome".
☙ The set of axioms (or assumptions): (ax) if P is an axiom, then P is a palindrome.
☙ The language of proofs: (ext) from "P is a palindrome" derive "xPx is a palindrome"; (concat) from "P is a palindrome" and "Q is a palindrome" derive "QPQ is a palindrome".
☙ Theorems are formulae that have proofs.
Palindromes: example
Axioms: d, t.
(ax) t is a palindrome
(ext) rtr is a palindrome
(ext) artra is a palindrome
(ext) tartrat is a palindrome
(ext) etartrate is a palindrome
(ext) detartrated is a palindrome
Palindromes: example (as a derivation tree, Γ the set of axioms)
Left branch:
  t ∈ Γ
  (ax)  Γ ⊢ t
  (ext) Γ ⊢ rtr
  (ext) Γ ⊢ artra
  (ext) Γ ⊢ tartrat
  (ext) Γ ⊢ etartrate
  (ext) Γ ⊢ detartrated
Right branch:
  d ∈ Γ
  (ax)  Γ ⊢ d
  (ext) Γ ⊢ ada
  (ext) Γ ⊢ radar
Root:
  (concat) Γ ⊢ radardetartratedradar
Tree of proofs ...
Proof reduction
A (concat) whose right premise ends with an (ext) reduces by pushing the (ext) outwards:

  Γ ⊢ P           Γ ⊢ Q
                  (ext) Γ ⊢ xQx
  (concat) Γ ⊢ xQxPxQx

  − →

  Γ ⊢ P
  (ext) Γ ⊢ xPx   Γ ⊢ Q
  (concat) Γ ⊢ QxPxQ
  (ext) Γ ⊢ xQxPxQx
Proof reduction: example
Step 0 (the original tree):
  t ∈ Γ ⟹(ax) Γ ⊢ t ⟹(ext) Γ ⊢ rtr ⟹(ext) Γ ⊢ artra ⟹(ext) Γ ⊢ tartrat ⟹(ext) Γ ⊢ etartrate ⟹(ext) Γ ⊢ detartrated
  d ∈ Γ ⟹(ax) Γ ⊢ d ⟹(ext) Γ ⊢ ada ⟹(ext) Γ ⊢ radar
  (concat) Γ ⊢ radardetartratedradar
Step 1 (the outer (ext) of radar is pushed through the (concat)):
  (same chain as step 0 up to Γ ⊢ detartrated) ⟹(ext) Γ ⊢ rdetartratedr
  d ∈ Γ ⟹(ax) Γ ⊢ d ⟹(ext) Γ ⊢ ada
  (concat) Γ ⊢ adardetartratedrada ⟹(ext) Γ ⊢ radardetartratedradar
Step 2 (the next (ext) is pushed through):
  (same chain as step 0 up to Γ ⊢ detartrated) ⟹(ext) Γ ⊢ rdetartratedr ⟹(ext) Γ ⊢ ardetartratedra
  d ∈ Γ ⟹(ax) Γ ⊢ d
  (concat) Γ ⊢ dardetartratedrad ⟹(ext) Γ ⊢ adardetartratedrada ⟹(ext) Γ ⊢ radardetartratedradar
Step 3 (no (concat) left):
  t ∈ Γ ⟹(ax) Γ ⊢ t ⟹(ext) Γ ⊢ rtr ⟹(ext) Γ ⊢ artra ⟹(ext) Γ ⊢ tartrat ⟹(ext) Γ ⊢ etartrate ⟹(ext) Γ ⊢ detartrated ⟹(ext) Γ ⊢ rdetartratedr ⟹(ext) Γ ⊢ ardetartratedra ⟹(ext) Γ ⊢ dardetartratedrad ⟹(ext) Γ ⊢ adardetartratedrada ⟹(ext) Γ ⊢ radardetartratedradar
Proof reduction: example (continued)
The final derivation is a single chain of (ext) steps from Γ ⊢ t to Γ ⊢ radardetartratedradar.
☙ Proof in normal form.
☙ Proof always ends with an (ax) or (ext) rule.
☙ Can compute with proofs.
(Slide annotations: Γ, radar ⊢ radar; n; 2n + 1.)
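The palindrome system and its proof reduction, as an added Python example (not code from the slides): proof terms, a checker that computes the word a proof establishes, and the reduction that pushes (ext) through (concat). The second reduction rule, which collapses a (concat) with a one-letter axiom into an (ext), is an assumption read off the last step of the example above.

```python
from dataclasses import dataclass
# Proof terms: (ax) cites an axiom of Gamma, (ext) wraps a proven palindrome P
# in a letter x to prove xPx, (concat) joins proofs of P and Q to prove QPQ.
@dataclass(frozen=True)
class Ax:     word: str
@dataclass(frozen=True)
class Ext:    letter: str; proof: object
@dataclass(frozen=True)
class Concat: p: object; q: object

def conclusion(pr, axioms):
    # Check the proof against the axiom set Gamma and return the word it proves.
    if isinstance(pr, Ax):
        if pr.word not in axioms:
            raise ValueError(f"{pr.word!r} is not an axiom")
        return pr.word
    if isinstance(pr, Ext):
        return pr.letter + conclusion(pr.proof, axioms) + pr.letter
    q = conclusion(pr.q, axioms)
    return q + conclusion(pr.p, axioms) + q

def normalize_proof(pr):
    # Proof reduction. Rule from the slides (push (ext) through (concat)):
    #   concat(P, ext_x(Q))  -->  ext_x(concat(ext_x(P), Q))
    # Assumed rule, read off the last step of the example on the slides:
    #   concat(P, ax(c))     -->  ext_c(P)   when the axiom c is one letter.
    if isinstance(pr, Ext):
        return Ext(pr.letter, normalize_proof(pr.proof))
    if isinstance(pr, Concat):
        p, q = normalize_proof(pr.p), normalize_proof(pr.q)
        if isinstance(q, Ext):
            return Ext(q.letter, normalize_proof(Concat(Ext(q.letter, p), q.proof)))
        if isinstance(q, Ax) and len(q.word) == 1:
            return Ext(q.word, p)
        return Concat(p, q)
    return pr

def is_normal(pr):
    # Normal form: only (ax) and (ext) steps remain, i.e. no (concat).
    return isinstance(pr, Ax) or (isinstance(pr, Ext) and is_normal(pr.proof))
def ext_chain(base, letters):
    # Apply (ext) once per letter, innermost first: ext_chain(Ax("t"), "ra") proves artra.
    for x in letters:
        base = Ext(x, base)
    return base

GAMMA = {"t", "d"}                         # axioms used by the example (constructed)
DETARTRATED = ext_chain(Ax("t"), "rated")  # proves detartrated
RADAR = ext_chain(Ax("d"), "ar")           # proves radar
EXAMPLE = Concat(DETARTRATED, RADAR)       # proves radardetartratedradar
```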
Modus ponens
  Γ ⊢ A ⇒ B    Γ ⊢ A
  Γ ⊢ B
Computation rule: computation with proofs of logical formulae
  Γ, A ⊢ B
  Γ ⊢ A ⇒ B      Γ ⊢ A
  (modus ponens) Γ ⊢ B

  − →

  Γ, A ⊢ B       Γ ⊢ A
  Γ ⊢ B
Modulo: formula rewriting inside formulae
Proofs ←→ Programs
Formulae ←→ Types
☙ Want to reason on proofs / programs.
☙ Computation is a means to reduce proof effort (e.g. Four Colour Theorem, reflexive tactics).
☙ If we can write proofs inside formulae then we should be able to compute inside formulae.
Dedukti
Diagram: Coq, HOL, PVS, Epigram, Isabelle, Agda, ... and Dedukti (λΠ modulo).
Thesis: analysis, transformation and compilation of programs is a simple and effective method for checking proofs.
Conversion test
  Γ ⊢ A    A ≡βR B
  Γ ⊢ B
Normalization by Evaluation
Between terms and a model: 1. interpretation ⟦·⟧ (terms → model), 2. reification ↓· (model → terms).
  ∀M. ∀N. M ≡ N ⇒ ⟦M⟧ = ⟦N⟧ (soundness)
  ∀M. ↓⟦M⟧ = M if M is in normal form (reproduction)
From program to data (quotation, written ⌜·⌝ here):
  ⌜x⌝ = B x
  ⌜λx.M⌝ = Lam (λx. ⌜M⌝)
  ⌜M·N⌝ = App ⌜M⌝ ⌜N⌝
Data evaluation:
  eval (B x) = x
  eval (Lam f) = λx. eval (f x)
  eval (App M N) = app (eval M) (eval N)
  app f N = f N
Evaluation to a residualizing semantics:
  eval (B x) = x
  eval (Lam f) = Lam (λx. eval (f x))
  eval (App M N) = app (eval M) (eval N)
  app (Lam f) N = f N
  app M N = App M N
Interpretation:
  ⟦M⟧ = eval ⌜M⌝
Partial evaluation of eval ∘ ⌜·⌝:
  ⟦x⟧ = x
  ⟦λx.M⟧ = Lam (λx. ⟦M⟧)
  ⟦M·N⟧ = app ⟦M⟧ ⟦N⟧
Reification:
  ↓n (F m) = m
  ↓n (Lam f) = λn. ↓n+1 (f (F n))
  ↓n (App M N) = (↓n M) · (↓n N)
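Untyped NbE as defined above, as an added Python example (not the Dedukti code): the residualizing interpretation, reification by de Bruijn level, and the conversion test on normal forms. The explicit environment in `interp` and the Church-numeral inputs are this example's own assumptions.

```python
from dataclasses import dataclass
# Object-level syntax (the program): variables, abstractions, applications.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Abs: var: str; body: object
@dataclass(frozen=True)
class Ap:  fun: object; arg: object
# Semantic values (the data): Lam carries a metalevel closure, App is a stuck
# application (the residual form), F n is a fresh variable named by its level.
@dataclass(frozen=True)
class Lam: f: object
@dataclass(frozen=True)
class App: fun: object; arg: object
@dataclass(frozen=True)
class F:   level: int

def app(m, n):
    # Residualizing application: app (Lam f) N = f N, app M N = App M N.
    return m.f(n) if isinstance(m, Lam) else App(m, n)

def interp(t, env):
    # The interpretation [[.]]; assumption: object variables live in an explicit env.
    if isinstance(t, Var):
        return env[t.name]
    if isinstance(t, Abs):
        return Lam(lambda v: interp(t.body, {**env, t.var: v}))
    return app(interp(t.fun, env), interp(t.arg, env))

def reify(n, v):
    # Reification at level n: fresh variables are named by their de Bruijn
    # level, so alpha-equivalent normal forms reify to equal terms.
    if isinstance(v, F):
        return Var(f"x{v.level}")
    if isinstance(v, Lam):
        return Abs(f"x{n}", reify(n + 1, v.f(F(n))))
    return Ap(reify(n, v.fun), reify(n, v.arg))

def convertible(m, n):
    # The conversion test M =_beta N for closed terms, decided on normal forms.
    return reify(0, interp(m, {})) == reify(0, interp(n, {}))

def church(k):
    # Constructed sample input: the Church numeral \f.\x. f (... (f x)), k times f.
    body = Var("x")
    for _ in range(k):
        body = Ap(Var("f"), body)
    return Abs("f", Abs("x", body))
# Constructed sample: \n.\f.\x. f (n f x), the successor on Church numerals.
SUCC = Abs("n", Abs("f", Abs("x", Ap(Var("f"), Ap(Ap(Var("n"), Var("f")), Var("x"))))))
```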
Rewrite rules and extensions
☙ Untyped NbE extends naturally to residual forms and reduction rules of the Calculus of Constructions.
  ⟦x⟧ = x
  ⟦_⟧ = _
  ⟦c P1 … Pn⟧ = App (…(App (Con ĉ) ⟦P1⟧)…) ⟦Pn⟧
  ⟦ c P11 … P1n → M1 ; … ; c Pm1 … Pmn → Mm ⟧ =
    fix (λc. λx1. ⋯ λxn. case (x1, …, xn) of
      (⟦P11⟧, …, ⟦P1n⟧) → ⟦M1⟧
      …
      (⟦Pm1⟧, …, ⟦Pmn⟧) → ⟦Mm⟧
      default → App (…(App (Con ĉ) x1)…) xn)
Optimizations
☙ Removal of intermediate closure allocation by standard eval/apply transformation.
☙ Constructors of object-level datatypes interpreted as metalevel constructors.
☙ Native pattern matching.
Micro benchmarks (bar chart, scale 0-3): benchmarks append, even, sort, exp38, queens, ucea, ahn; variants singlearity, evalapply, constructors, whnf.
Synthetic benchmark (bar chart, scale 0-100): Cooper, n = 5; Standard VM, NbE, NbE accu (one bar n/a).
Context-free typing
An alternative interpretation
  ⟦x⟧ = x
  ⟦λx.M⟧ = Lam (λx. ⟦M⟧)
  ⟦M·N⟧ = App ⟦M⟧ ⟦N⟧
Dependent product elimination
  (app)     Γ ⊢ M : Πx:A.B    Γ ⊢ N : A
            Γ ⊢ M N : {N/x}B
  (app-ho)  Γ ⊢ M : Pi A f    Γ ⊢ N : A
            Γ ⊢ M N : f N
☙ Easy implementation of capture avoiding substitution.
Dependent product introduction
  ⟦λx.M⟧ = Lam (λx. ⟦M⟧), with f = λx. ⟦M⟧
The body is opened by applying f to a fresh variable: f (Var n), written f[n : A] when the variable carries its type A.
  (abs)     Γ, x:A ⊢ M : B
            Γ ⊢ λx:A.M : Πx:A.B
  (abs-ho)  ⊢ M : f[n : A]
            ⊢ Lam A f : Pi A f
☙ Drop explicit context in judgements.
Towards an LCF style proof checker for dependently typed theories
☙ Type decorated variable occurrences in HOL.
☙ Proofs checked by construction.
☙ Allows cheap combination of proofs.
☙ No context — no checking that contexts are compatible.
Example:
  Γ′ ⊢ N : A′    Γ ⊢ M : Πx:A.B
  Γ ⊢ {N/x}B
A purely functional kernel
☙ Proof checked by construction means no need for global registry of checked proofs.
☙ No state during proof checking.
(Diagrams of term trees, with a subterm t shared and a node [◦ : A], omitted.)
Managing dual interpretations
Code explosion: example
  a1 (a2 (a3 (a4 (a5 (a6 (a7 a8))))))
Recuperating sharing
A term is interpreted in an environment ρ as a pair ⟨ŝ, š⟩ of its syntactic (hat) and semantic (check) interpretations, with Let binding each subterm's pair once so that both components share it:
  [[x]]ρ = ρ(x)   if x ∈ dom(ρ)
  [[s]]ρ = ⟨s, s⟩
  [[λx:A.M]]ρ = Let [[A]]ρ (λy. ⟨Lam ŷ (λx. [[M]]ρ[x ↦ x]), Lam (λx. ⟦M⟧)⟩)
  [[Πx:A.B]]ρ = Let [[A]]ρ (λy. ⟨Pi ŷ (λx. [[B]]ρ[x ↦ x]), Pi y̌ (λx. ⟦B⟧)⟩)
  [[M N]]ρ = Let [[M]]ρ (λx. Let [[N]]ρ (λy. ⟨App x̂ ŷ, app x̌ y̌⟩))
Connecting subterms to their code