A proof-theoretical journey through programming, model checking and theorem proving David Baelde IT University of Copenhagen ASL Meeting, Structural Proof Theory Session Madison, Wisconsin, April 2012 1 / 26
Logic programming

A specification (Γ):
$$\forall k.\ \mathrm{app}\ \mathrm{nil}\ k\ k \qquad \forall x\forall l\forall k\forall m.\ \mathrm{app}\ l\ k\ m \supset \mathrm{app}\ (x::l)\ k\ (x::m)$$

Messy sequent calculus proofs: an unfocused ∀L step may instantiate either clause of Γ with arbitrary terms, including ones that can never contribute to the goal, so partial proofs like the following are perfectly legal.
$$\frac{\Gamma,\ \forall k\forall m.\ \mathrm{app}\ [4]\ k\ m \supset \mathrm{app}\ [3;4]\ k\ (3::m) \vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}{\Gamma \vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}\ \forall L \qquad \frac{\Gamma,\ \mathrm{app}\ \mathrm{nil}\ [1;2;3]\ [1;2;3] \vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}{\Gamma \vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}\ \forall L$$
2 / 26
Logic programming

A specification (Γ):
$$\forall k.\ \mathrm{app}\ \mathrm{nil}\ k\ k \qquad \forall x\forall l\forall k\forall m.\ \mathrm{app}\ l\ k\ m \supset \mathrm{app}\ (x::l)\ k\ (x::m)$$

Focused proofs: once a clause of Γ is selected, the proof keeps decomposing that clause until its head matches the goal, so the instances are fixed by unification with the goal. Read bottom-up, the focused proof of Γ ⊢ app [0] nil [0] is:
1. Γ ⊢ app [0] nil [0]: select the second clause of Γ.
2. Γ, ∀x∀k∀l∀m. … ⊢ app [0] nil [0]: ∀L with x := 0, l := nil, k := nil, m := nil.
3. Γ, app nil nil nil ⊃ app [0] nil [0] ⊢ app [0] nil [0]: ⊃L, leaving two premises:
   - Γ, app [0] nil [0] ⊢ app [0] nil [0], closed by init;
   - Γ ⊢ app nil nil nil, where the first clause is selected, ∀L with k := nil gives Γ, app nil nil nil ⊢ app nil nil nil, and init closes it.
3 / 26
Logic programming

Focused proofs, collapsed: each focus on a clause of Γ becomes one synthetic inference rule in which ∀L, ⊃L and init are chained together. The proof of slide 3 becomes:
$$\frac{}{\Gamma \vdash \mathrm{app}\ \mathrm{nil}\ \mathrm{nil}\ \mathrm{nil}}\ \forall L, \mathrm{init} \qquad \frac{\Gamma \vdash \mathrm{app}\ \mathrm{nil}\ \mathrm{nil}\ \mathrm{nil}}{\Gamma \vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}\ \forall L, \supset L, \mathrm{init}$$
4 / 26
Fixed Points 5 / 26
Computation

Rules:
$$\frac{\Gamma \vdash B\,(\mu B)\,\bar t}{\Gamma \vdash \mu B\,\bar t}\ \mu R$$

Specification:
$$\mathrm{app} \stackrel{\mathrm{def}}{=} \mu\big(\lambda A\,\lambda l\,\lambda k\,\lambda m.\ (l = \mathrm{nil} \wedge k = m) \vee (\exists x\,\exists l'\,\exists m'.\ l = x::l' \wedge m = x::m' \wedge A\ l'\ k\ m')\big)$$

Computing: unfold (µR), pick the second disjunct (∨R), choose the witnesses x := 0, l′ := nil, m′ := nil (∃R), then split the conjunction (∧R); the equations close by =R and the recursive call is computed the same way.
$$\frac{\vdash [0] = [0] \wedge [0] = [0] \wedge \mathrm{app}\ \mathrm{nil}\ \mathrm{nil}\ \mathrm{nil}}{\vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}\ \mu R, \vee R, \exists R \qquad \frac{\frac{}{\vdash [0] = [0]}\ {=}R \qquad \frac{}{\vdash [0] = [0]}\ {=}R \qquad \frac{}{\vdash \mathrm{app}\ \mathrm{nil}\ \mathrm{nil}\ \mathrm{nil}}\ \mu R, \vee R, {=}R}{\vdash [0] = [0] \wedge [0] = [0] \wedge \mathrm{app}\ \mathrm{nil}\ \mathrm{nil}\ \mathrm{nil}}\ \wedge R$$
6 / 26
Computation, collapsed: focusing chains µR, ∨R, ∃R and =R into a single synthetic rule, so the whole computation of slide 6 is one step.
$$\frac{}{\vdash \mathrm{app}\ [0]\ \mathrm{nil}\ [0]}\ \mu R, \vee R, \exists R, {=}R$$
7 / 26
Finite reasoning

Rules: the fixed point may also be unfolded on the left.
$$\frac{\Gamma,\ B\,(\mu B)\,\bar t \vdash P}{\Gamma,\ \mu B\,\bar t \vdash P}\ \mu L \qquad \frac{\Gamma \vdash B\,(\mu B)\,\bar t}{\Gamma \vdash \mu B\,\bar t}\ \mu R$$

Reasoning by computing: to prove ⊢ ∀x, l, k. app (x::l) k nil ⊃ ⊥, unfold the hypothesis; both disjuncts are closed by =L, since neither x::l = nil nor nil = x′::m′ is unifiable.
$$\frac{\frac{}{x::l = \mathrm{nil},\ k = \mathrm{nil} \vdash \bot}\ {=}L \qquad \frac{}{x::l = x'::l',\ \mathrm{nil} = x'::m',\ \mathrm{app}\ l'\ k\ m' \vdash \bot}\ {=}L}{\frac{\mathrm{app}\ (x::l)\ k\ \mathrm{nil} \vdash \bot}{\vdash \forall x, l, k.\ \mathrm{app}\ (x::l)\ k\ \mathrm{nil} \supset \bot}\ \forall R, \supset R}\ \mu L, \vee L, \exists L, \wedge L$$
8 / 26
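The focused search of slides 2 to 8, as an added example in Python (not code from the talk or from any of the systems it mentions): a minimal backchaining prover with unification for the `app` specification. One loop iteration that unifies a clause head with the goal is the synthetic rule "∀L, ⊃L, init" of slide 4; `compute_app` runs the specification forwards (slides 4 and 7), `splits` runs it backwards, and `refute_app_cons_nil` performs the exhaustive case analysis of slide 8. The term encoding (tuples headed by `"::"` and the atom `"nil"`), the `Var` class and all function names are assumptions of this example.

```python
"""Backchaining (focused) proof search for the `app` specification of slides 2-8. Added example,
not code from the talk: a resolution step driven by unification is the synthetic rule of slide 4."""
import functools
import itertools
from dataclasses import dataclass

_fresh = itertools.count(1)  # ids for fresh variables
NIL = "nil"

@dataclass(frozen=True)
class Var:  # logic variable; uid distinguishes fresh copies of a clause's variables
    name: str
    uid: int = 0

def from_list(xs):  # [0] becomes ("::", 0, "nil")
    return functools.reduce(lambda t, x: ("::", x, t), reversed(xs), NIL)

def to_list(t):  # inverse of from_list on a ground list term
    return [] if t == NIL else [t[1]] + to_list(t[2])

def walk(t, s):  # follow bindings in substitution s up to a constructor or an unbound variable
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def resolve(t, s):  # apply s everywhere inside t
    t = walk(t, s)
    return tuple(resolve(a, s) for a in t) if isinstance(t, tuple) else t

def occurs(v, t, s):  # occurs check: X = f(X) is rejected instead of building a cyclic term
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t))

def unify(a, b, s):
    """Extend s so that a and b coincide, or return None (the branch is closed). Unification
    is the only way ∀L instances get chosen, so the irrelevant instances of slide 2 never arise."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, Var):
        return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, Var):
        return None if occurs(b, a, s) else {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def rename(clause):  # fresh copy of a universally quantified clause (head, body)
    mapping = {}
    def go(t):
        if isinstance(t, Var):
            return mapping.setdefault(t, Var(t.name, next(_fresh)))
        return tuple(go(a) for a in t) if isinstance(t, tuple) else t
    head, body = clause
    return go(head), [go(b) for b in body]

def app_program():  # the specification Γ of slides 2-4
    k, x, l, m = Var("k"), Var("x"), Var("l"), Var("m")
    return [(("app", NIL, k, k), []),                                      # ∀k. app nil k k
            (("app", ("::", x, l), k, ("::", x, m)), [("app", l, k, m)])]  # app l k m ⊃ app (x::l) k (x::m)

def solve(goals, s, program, trace):
    """Yield every substitution closing all goals. Each clause head that unifies with the goal
    in focus is one synthetic step (∀L, ⊃L, init); `trace` logs the clause and the instance."""
    if not goals:
        yield s
        return
    goal, rest = goals[0], goals[1:]
    for number, clause in enumerate(program, start=1):
        head, body = rename(clause)
        s2 = unify(goal, head, s)
        if s2 is None:
            continue  # head does not match: nothing to focus on here
        trace.append((number, resolve(goal, s2)))
        yield from solve(body + rest, s2, program, trace)

def compute_app(xs, ys):  # slides 4 and 7: prove ⊢ app xs ys M, computing M; returns (M, steps)
    m, trace = Var("M", next(_fresh)), []
    s = next(solve([("app", from_list(xs), from_list(ys), m)], {}, app_program(), trace))
    return to_list(resolve(m, s)), len(trace)

def splits(zs):  # the same specification run backwards: every (L, K) such that app L K zs
    l, k = Var("L", next(_fresh)), Var("K", next(_fresh))
    sols = solve([("app", l, k, from_list(zs))], {}, app_program(), [])
    return [(to_list(resolve(l, s)), to_list(resolve(k, s))) for s in sols]

def refute_app_cons_nil():
    """Slide 8: ∀x l k. app (x::l) k nil ⊃ ⊥. No clause head unifies with the hypothesis, so the
    exhaustive case analysis closes every branch: returns (solutions, matched heads) == (0, 0).
    This refutes only because the search is finite; an open recursive call would need induction."""
    x, l, k = (Var(n, next(_fresh)) for n in "xlk")
    trace = []
    return len(list(solve([("app", ("::", x, l), k, NIL)], {}, app_program(), trace))), len(trace)
```

`compute_app([0], [])` returns `([0], 2)`, the two synthetic steps of slide 4; `splits([1, 2])` enumerates the three ways of splitting `[1, 2]`, which is the "run a certificate on examples" use of a specification; `refute_app_cons_nil()` returns `(0, 0)` because no clause head matches, which is exactly why the two branches of slide 8 close by =L. The caveat in its docstring matters: failure of a finite search is a refutation, but once a goal leaves a recursive call open, the infinite slides that follow (identity, induction) are needed.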
Finite reasoning (continued)

Reasoning by computing on a finite graph given by the predicates node and path: the goal says that some node reaches every node. ∃R picks a candidate C and ∧R splits the goal; ⊢ node C is computed, and ⊢ ∀N. node N ⊃ path C N is proved by unfolding node N on the left, which enumerates the finitely many nodes N_i, and computing ⊢ path C N_i for each of them.
$$\frac{\frac{\vdots}{\vdash \mathrm{node}\ C} \qquad \frac{\cdots \qquad \frac{\vdots}{\vdash \mathrm{path}\ C\ N_i} \qquad \cdots}{\vdash \forall N.\ \mathrm{node}\ N \supset \mathrm{path}\ C\ N}\ \mu L}{\vdash \exists C.\ \mathrm{node}\ C \wedge \forall N.\ \mathrm{node}\ N \supset \mathrm{path}\ C\ N}\ \exists R, \wedge R$$
More examples: connectedness, path unicity, (bi)simulation. . . for finite systems.
9 / 26
Infinity (identity)

Rules: unfolding on both sides as before, plus the identity on fixed points.
$$\frac{\Gamma,\ B\,(\mu B)\,\bar t \vdash P}{\Gamma,\ \mu B\,\bar t \vdash P}\ \mu L \qquad \frac{\Gamma \vdash B\,(\mu B)\,\bar t}{\Gamma \vdash \mu B\,\bar t}\ \mu R \qquad \frac{}{\Gamma,\ \mu B\,\bar t \vdash \mu B\,\bar t}\ \mathrm{init}$$

Example: with init available on fixed points, a finite number of unfoldings suffices even though x is a free variable, so no induction is needed here.
$$\frac{\frac{}{\mathrm{nat}\ x \vdash \mathrm{nat}\ x}\ \mathrm{init}}{\mathrm{nat}\ x \vdash \mathrm{nat}\ (s^{10}\,x)}\ \mu R \times 10 \qquad \frac{\mathrm{nat}\ x \vdash \mathrm{nat}\ (s^{10}\,x)}{\mathrm{nat}\ (s^{3}\,x) \vdash \mathrm{nat}\ (s^{10}\,x)}\ \mu L \times 3$$
(each µL on the left comes with ∨L, ∃L and =L, which discard the x = 0 case and strip one s).
10–12 / 26
Infinity (induction)

Rules: µR, µL and init as before, plus induction with an invariant S.
$$\frac{\Gamma \vdash B\,(\mu B)\,\bar t}{\Gamma \vdash \mu B\,\bar t}\ \mu R \qquad \frac{\Gamma,\ S\,\bar t \vdash P \qquad B\,S\,\bar x \vdash S\,\bar x}{\Gamma,\ \mu B\,\bar t \vdash P}\ \mathrm{ind} \qquad \frac{\Gamma,\ B\,(\mu B)\,\bar t \vdash P}{\Gamma,\ \mu B\,\bar t \vdash P}\ \mu L \qquad \frac{}{\Gamma,\ \mu B\,\bar t \vdash \mu B\,\bar t}\ \mathrm{init}$$

Example (derived rules for nat):
$$\mathrm{nat}\ x \stackrel{\mathrm{def}}{=} \mu(\lambda N\,\lambda x.\ x = 0 \vee \exists y.\ x = s\,y \wedge N\,y)\ x$$
$$\frac{}{\Gamma \vdash \mathrm{nat}\ 0} \qquad \frac{\Gamma \vdash \mathrm{nat}\ x}{\Gamma \vdash \mathrm{nat}\ (s\,x)} \qquad \frac{\vdash P\,0 \qquad P\,y \vdash P\,(s\,y) \qquad \Gamma,\ P\,x \vdash G}{\Gamma,\ \mathrm{nat}\ x \vdash G}$$
The last rule is the induction rule with invariant S := P: the premise B P x̄ ⊢ P x̄ splits into ⊢ P 0 and P y ⊢ P (s y), and the remaining premise uses the invariant.
13 / 26
Infinity (coinduction)

Rules: the duals of the inductive ones, for greatest fixed points ν.
$$\frac{\Gamma,\ B\,(\nu B)\,\bar t \vdash P}{\Gamma,\ \nu B\,\bar t \vdash P}\ \nu L \qquad \frac{\Gamma \vdash S\,\bar t \qquad S\,\bar x \vdash B\,S\,\bar x}{\Gamma \vdash \nu B\,\bar t}\ \mathrm{coind} \qquad \frac{\Gamma \vdash B\,(\nu B)\,\bar t}{\Gamma \vdash \nu B\,\bar t}\ \nu R \qquad \frac{}{\Gamma,\ \nu B\,\bar t \vdash \nu B\,\bar t}\ \mathrm{init}$$

Example (derived rules for sim):
$$\mathrm{sim} \stackrel{\mathrm{def}}{=} \nu(\lambda S\,\lambda p\,\lambda q.\ \forall\alpha\,\forall p'.\ \mathrm{step}\ p\ \alpha\ p' \supset \exists q'.\ \mathrm{step}\ q\ \alpha\ q' \wedge S\ p'\ q')$$
$$\frac{\Gamma \vdash \mathrm{step}\ p\ \alpha\ p' \qquad \Gamma,\ \mathrm{step}\ q\ \alpha\ q',\ \mathrm{sim}\ p'\ q' \vdash P}{\Gamma,\ \mathrm{sim}\ p\ q \vdash P} \qquad \frac{\Gamma \vdash R\ p\ q \qquad R\ p\ q,\ \mathrm{step}\ p\ \alpha\ p' \vdash \exists q'.\ \mathrm{step}\ q\ \alpha\ q' \wedge R\ p'\ q'}{\Gamma \vdash \mathrm{sim}\ p\ q}$$
In the first rule q′ is fresh. The second rule is coinduction with the candidate relation R as invariant: R must be a simulation (a post-fixed point of the body) and must contain (p, q).
14 / 26
Fixed Points in Proof Theory

Foundations:
◮ Natural generic rules, various ambient calculi
◮ Completeness of focused systems [Baelde & Miller '07]
◮ Cut elimination [Baelde '10]
◮ Game semantics for µLJ proofs [Clairambault '09]

Related Work:
◮ Definitions (SH 93, MM 00, MT 03)
◮ Type theory (Mendler 91, Matthes 99, Paulin)
◮ Cyclic proofs (. . . Santocanale 01, Brotherston 05)
◮ µ-calculus, Kleene algebras. . .
15 / 26
Applications

Abella & Tac:
◮ Interactive theorem provers for µLJ
◮ Extensions for reasoning about binding (esp. Abella)
◮ Tac: automated focused (co)inductive theorem proving

Bedwyr:
◮ "model checking" over syntactic specifications
◮ finite behavior proofs, "prolog + exhaustive case analyses"
◮ example: bisimulation checker for π, spi (Miller & Tiu, Tiu)
◮ tabling and cyclic proofs
16 / 26
Proof & Verification . . . not “proof ⊗ verification”. 17 / 26
Motivations

Practical:
◮ Independently checkable certificates
◮ Not too ad-hoc, composable: proofs
◮ Compute: run a certificate on examples (synthesis)
◮ Interoperate: mix automatic and interactive theorem proving, certify abstraction and verify it, combine partial correctness and termination. . .

Fundamental:
◮ Completeness, decidability results, proof structures
◮ More algebraic viewpoint on automata techniques
18 / 26
Model-checking

Verification:
◮ Does a system satisfy a specification?
◮ M ⊨ S
◮ Often translated to automata inclusion [M] ⊆ [S]

How do you prove an inclusion? [M] x ⊢ [S] x. What is the structure of inclusion?
19 / 26
NFA: Definitions

Non-deterministic finite automata:
◮ Alphabet Σ = {α, β, γ, . . .}
◮ Finite set of states
◮ Distinguished initial and final states
◮ Transition relation s →α q

Definition. If Q is a set of states, Q →α Q′ iff each state of Q′ is reachable from Q by one α-step. In other words, Q′ ⊆ α⁻¹Q, where α⁻¹Q denotes the set of α-successors of the states in Q.
20 / 26
Structure of inclusion

Definition (Multi-simulation). A multi-simulation between two automata (A, T, I, F) and (B, T′, I′, F′) is a relation ℜ ⊆ A × ℘(B) such that whenever p ℜ Q:
◮ if p is final, then there must be a final state in Q;
◮ for any α and p′ such that p →α p′ there exists Q′ such that Q →α Q′ and p′ ℜ Q′.

Pairing one state of A with a set of states of B is what lets the nondeterministic choices of B stay unresolved while A moves. Multi-simulations are post-fixed points (of the operator sending a relation to the set of pairs that satisfy both clauses with respect to it). There is a greatest one: call it multi-similarity.

Proposition (Multi-similarity is inclusion). L(p) ⊆ L(Q) if and only if p ℜ Q for some multi-simulation ℜ.
21 / 26
Example: ∀x. nat x ⊃ even x ∨ odd x

Consider the following two automata, with states p0, p1, p2 and q0, q1, q′1, q2 over the alphabet {α, β} (the diagram did not survive extraction). State p0 is included in q0. Proof:
ℜ = {(p0, {q0}), (p1, {q1, q′1}), (p2, {q2})}
22 / 26
Example: ∀x. nat x ⊃ ∃h. half x h

Two automata over the alphabet {s, z}, with states p_s, p_z and q_s, q′_s, q″_s, q_z, q′_z (the diagram did not survive extraction). Proof of L(p_s) ⊆ L(q_s):
ℜ = {(p_s, {q_s}), (p_s, {q′_s, q″_s}), (p_z, {q_z}), (p_z, {q′_z})}
23 / 26
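The inclusion check of slides 19 to 23, as an added example in Python (not code from the talk): an NFA with the set-step Q →α Q′ of slide 20, a checker for the two clauses of the multi-simulation definition on slide 21, multi-similarity computed as a greatest fixed point over the reachable pairs (the same "start from everything and prune" reading as the coinductive rules of slide 14), and the inclusion test of the proposition, which returns either the witness relation or a shortest counterexample word. Because the diagrams of slides 22 and 23 are not recoverable, the automata `NAT`, `EVEN` and `EVEN_OR_ODD` are constructed here for the even/odd example over the alphabet {s, z} (a number n is the word sⁿz); they, the state names and the function names are assumptions of this example.

```python
"""Language inclusion of NFAs through multi-simulation (slides 19-23). Added example, not
code from the talk; the automata at the bottom are constructed for the even/odd example
over the alphabet {s, z}, not the diagrams of slides 22-23."""
from collections import deque


class NFA:
    """Non-deterministic finite automaton (slide 20) with a single initial state."""

    def __init__(self, transitions, initial, final):
        self.delta, self.alphabet = {}, set()  # (state, letter) -> successor states
        for s, a, t in transitions:
            self.delta.setdefault((s, a), set()).add(t)
            self.alphabet.add(a)
        self.initial, self.final = initial, set(final)

    def post(self, Q, a):
        """All α-successors of states in Q: the slide's α⁻¹Q, so Q →α Q' iff Q' ⊆ post(Q, α)."""
        return frozenset(t for q in Q for t in self.delta.get((q, a), ()))

    def accepts(self, word):
        Q = frozenset({self.initial})
        for a in word:
            Q = self.post(Q, a)
        return bool(Q & self.final)


def is_multi_simulation(A, B, R):
    """Both clauses of the definition on slide 21, checked for every (p, Q) in R."""
    for p, Q in R:
        if p in A.final and not (Q & B.final):
            return False
        for a in A.alphabet:
            succ = B.post(Q, a)
            for p2 in A.delta.get((p, a), ()):
                if not any(p3 == p2 and Q3 <= succ for p3, Q3 in R):
                    return False
    return True


def reachable_pairs(A, B):
    """Pairs (p, Q) reachable from (initial, {initial}) when Q' is always the full successor
    set post(Q, α) (the largest, hence best, choice), with a shortest word reaching each."""
    start = (A.initial, frozenset({B.initial}))
    words, queue = {start: ()}, deque([start])
    while queue:
        p, Q = queue.popleft()
        for a in sorted(A.alphabet):
            succ = B.post(Q, a)
            for p2 in sorted(A.delta.get((p, a), ())):
                if (p2, succ) not in words:
                    words[(p2, succ)] = words[(p, Q)] + (a,)
                    queue.append((p2, succ))
    return words


def multi_similarity(A, B):
    """Greatest multi-simulation on the reachable pairs, computed as a greatest fixed point:
    start from all pairs and discard those violating a clause until nothing changes."""
    R = set(reachable_pairs(A, B))
    changed = True
    while changed:
        changed = False
        for p, Q in list(R):
            ok = not (p in A.final and not (Q & B.final))
            for a in A.alphabet:
                ok = ok and all((p2, B.post(Q, a)) in R for p2 in A.delta.get((p, a), ()))
            if not ok:
                R.discard((p, Q))
                changed = True
    return R


def included(A, B):
    """Proposition of slide 21: L(A) ⊆ L(B) iff the initial pair is multi-similar.
    Returns (True, witness relation) or (False, a shortest word accepted by A but not by B)."""
    R = multi_similarity(A, B)
    if (A.initial, frozenset({B.initial})) in R:
        return True, R
    words = reachable_pairs(A, B)
    bad = [w for (p, Q), w in words.items() if p in A.final and not (Q & B.final)]
    return False, min(bad, key=len)


# Constructed automata (assumptions of this example). A number n is the word s^n z.
# NAT accepts every such word; EVEN only even n; EVEN_OR_ODD is the nondeterministic union
# of an even checker (a-states) and an odd checker (b-states) sharing the initial state, so
# after one `s` the set {a1, b0} has to be tracked jointly, like (p1, {q1, q1'}) on slide 22.
NAT = NFA([("n", "s", "n"), ("n", "z", "nf")], "n", {"nf"})
EVEN = NFA([("e0", "z", "f"), ("e0", "s", "e1"), ("e1", "s", "e0")], "e0", {"f"})
EVEN_OR_ODD = NFA([("q0", "z", "f"), ("q0", "s", "a1"), ("a1", "s", "a0"), ("a0", "s", "a1"),
                   ("a0", "z", "f"), ("q0", "s", "b0"), ("b0", "z", "f"), ("b0", "s", "b1"),
                   ("b1", "s", "b0")], "q0", {"f"})
```

`included(NAT, EVEN_OR_ODD)` returns `True` with a four-pair witness of the same shape as the slide's ℜ, and removing any of its pairs makes `is_multi_simulation` fail; `included(NAT, EVEN)` returns `False` with `("s", "z")`, the smallest number that is not even. Only pairs (p, post(Q, α)) are ever explored, which is safe because multi-similarity is closed under enlarging Q: if L(p) ⊆ L(Q) then L(p) ⊆ L(Q″) for every Q″ ⊇ Q.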
Extended cyclic proofs / tabled search

Tabled search on nat x ⊢ even x ⊕ odd x tries both disjuncts (⊕) and, after the case analysis on nat x (x = 0 or x = s y), reaches sequents that are already in the table (marked ∞): proving even (s y) needs odd y, and proving odd (s y) needs even y.
$$\frac{\frac{\frac{}{\vdash \mathrm{even}\ 0} \qquad \frac{\mathrm{nat}\ y \vdash \mathrm{odd}\ y\ \ (\infty)}{\mathrm{nat}\ y \vdash \mathrm{even}\ (s\,y)}}{\mathrm{nat}\ x \vdash \mathrm{even}\ x} \quad\oplus\quad \frac{\frac{\bot}{\vdash \mathrm{odd}\ 0} \qquad \frac{\mathrm{nat}\ y \vdash \mathrm{even}\ y\ \ (\infty)}{\mathrm{nat}\ y \vdash \mathrm{odd}\ (s\,y)}}{\mathrm{nat}\ x \vdash \mathrm{odd}\ x}}{\mathrm{nat}\ x \vdash \mathrm{even}\ x \oplus \mathrm{odd}\ x}$$
24 / 26
Extended cyclic proofs / tabled search (continued)

This is not quite a proof but realizes one: the underlying automaton covers all cases, i.e., contains nat. Its states are the tabled sequents and its transitions follow the case analysis on the natural number:
◮ nat x ⊢ even x: on 0 go to ⊤ (even 0 holds), on s go to nat y ⊢ odd y;
◮ nat x ⊢ odd x: on 0 go to ⊥ (odd 0 fails), on s go to nat y ⊢ even y.
Semi-decidability, generating invariants and µLJ proofs.
25 / 26
Conclusion

Proof theory of fixed points:
◮ Very rich logics
◮ Precise proof theoretical analysis
◮ Wider range of applications, supported by focusing

More proof & verification:
◮ Extend: Büchi, tree and alternating automata
◮ Automated (co)inductive reasoning, loop schemes in Bedwyr
26 / 26