p r o v e r s
play

P R O V E R S by Niki Vazou, Leonidas Lampropoulos and Jeff - PowerPoint PPT Presentation

Jul 22, 2023 •19 likes •349 views

A TALE of TWO P R O V E R S by Niki Vazou, Leonidas Lampropoulos and Jeff Polakow Haskell take :: Int [a] [a] Haskell Liquid take :: i:{Int|0 i} xs:{[a]|i len xs} [a] Int [a] [a] Liquid Haskell take ::

  1. A TALE of TWO P R O V E R S by Niki Vazou, Leonidas Lampropoulos and Jeff Polakow

  2. Haskell take :: Int � [a] � [a]

  3. Haskell Liquid take :: i:{Int|0 ≤ i} � xs:{[a]|i ≤ len xs} � [a] Int � [a] � [a]

  4. Liquid Haskell take :: i:{Int|0 ≤ i} � xs:{[a]|i ≤ len xs} � [a] Int � [a] � take 2 [1,2,3] OK take 9 [1,2,3] Error

  5. Liquid Haskell take :: i:{Int|0 ≤ i} � xs:{[a]|i ≤ len xs} � [a] Int � [a] take 2 [1,2,3] 0 ≤ 2 ≤ 3 OK SMT take 9 [1,2,3] 0 ≤ 9 ≤ 3 Error

  6. Is Liquid Haskell a Theorem Prover?

  7. Is Liquid Haskell a Theorem Prover? Theorem: Parallelism Equivalence If f is a morphism*between two lists, * then f can be applied in parallel. * f is a morphism when f []=[] ∧ f (x<>y) = f x <> f y

  8. Is Liquid Haskell a Theorem Prover? Theorem: Parallelism Equivalence If f is a morphism*between two lists, * then . f x = concat (pmap f (chunk i x)) * f is a morphism when f []=[] ∧ f (x<>y) = f x <> f y

  9. Is Liquid Haskell a Theorem Prover? pEquiv :: f:([a] -> [b]) -> Morphism [a] [b] f -> x:[a] -> i:Pos -> { f x = concat (pmap f (chunk i x)) } f x = concat (pmap f (chunk i x)) * f is a morphism when f []=[] ∧ f (x<>y) = f x <> f y

  10. Is Liquid Haskell a Theorem Prover? pEquiv :: f:([a] -> [b]) -> Morphism [a] [b] f -> x:[a] -> i:Pos -> { f x = concat (pmap f (chunk i x)) } f x = concat (pmap f (chunk i x)) * type Morphism a b f = x:a -> y:b -> { f []=[] ∧ f (x<>y) = f x <> f y }

  11. Is Liquid Haskell a Theorem Prover? Yes! pEquiv :: f:([a] -> [b]) -> Morphism [a] [b] f -> x:[a] -> i:Pos -> { f x = concat (pmap f (chunk i x)) } f x = concat (pmap f (chunk i x)) Theorems: Refinement Types Proofs: (Terminating) Haskell Terms Correctness: Liquid Type Checking

  12. Is Liquid Haskell a Theorem Prover? Yes! pEquiv :: f:([a] -> [b]) -> Morphism [a] [b] f -> x:[a] -> i:Pos -> { f x = concat (pmap f (chunk i x)) } f x = concat (pmap f (chunk i x)) Demo

  13. Morphism Parallelism Equivalence (Chunkable n, Monoid m) (Monoid m) pEquiv :: RightId [b] -> f:([a] -> [b]) => f:(n -> m) => f:([a] -> m) -> Morphism n m f -> Morphism [a] [b] f -> Morphism [a] m f -> x:[a] -> i:Pos -> x:n -> i:Pos -> { f x = concat (pmap f (chunk i x)) } -> { f x = mconcat (pmap f (chunk i x)) } Application: String Matching

  14. Application: String Matching Find all the occurrences of a target string in an input string.

  15. Application: String Matching Find all the occurrences of a target string in an input string. “the best of times”

  16. Application: String Matching Find all the occurrences of a target string in an input string. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 “the best of times” Target “es” matches at [6, 16] .

  17. Application: String Matching 800 669LoC 600 400 285LoC 200 180LoC 0 Exec Spec Proof LoC (Proofs/Exec): 5x Verification Time: 20 min Human Effort: 2 months

  18. VS. 800 766LoC 669LoC 600 400 285LoC 200 248LoC 180LoC 122LoC 0 Exec Spec Proof 5x 8x LoC (Proofs/Exec): Verification Time: 20 min 38 sec Human Effort: 2 months 2 weeks

  19. VS. Haskell VS. Non-Haskell Proofs

  20. VS. Haskell VS. Non-Haskell Proofs SMT- VS. Tactic- Based Automations

  21. VS. Haskell VS. Non-Haskell Proofs SMT- VS. Tactic- Based Automations Intrinsic VS. Extrinsic Verification

  22. Intrinsic VS. Extrinsic Verification take :: i:Nat � xs:{i ≤ len xs} � {v|len v=i} take 0 _ = [] take i xs = x:take (i-1) xs

  23. Intrinsic VS. Extrinsic Verification take :: i:Nat � xs:{i ≤ len xs} � {v|len v=i} take 0 _ = [] take i xs = x:take (i-1) xs Definition take := seq.take. Theorem take_spec: ∀ i x, i ≤ length x � length (take i x) = i.

  24. VS. Haskell VS. Non-Haskell Proofs SMT- VS. Tactic- Based Automations Intrinsic VS. Extrinsic Verification

  25. VS. Haskell VS. Non-Haskell Proofs SMT- VS. Tactic- Based Automations Intrinsic VS. Extrinsic Verification Semantic VS. Syntactic Termination

  26. Semantic VS. Syntactic Termination chunk :: i:Pos � xs:[a] � [[a]] / [len xs]

  27. Semantic VS. Syntactic Termination chunk :: i:Pos � xs:[a] � [[a]] / [len xs] Fixpoint chunk {M: Type} (fuel: nat) (i: nat) (x: M) : option (list M)

  28. Big VS. Tiny Trusted Code Base chunk :: i:Pos � xs:[a] � [[a]] / [len xs] OK / ghc SMT Error

  29. Big VS. Tiny Trusted Code Base OK / .hs ghc SMT Error

  30. VS. Haskell VS. Non-Haskell Proofs SMT- VS. Tactic- Based Automations Intrinsic VS. Extrinsic Verification Semantic VS. Syntactic Termination Big VS. Tiny Trusted Code Base

  31. VS. Haskell VS. Non-Haskell Proofs SMT- VS. Tactic- Based Automations Intrinsic VS. Extrinsic Verification Semantic VS. Syntactic Termination Big VS. Tiny Trusted Code Base Proof Verifier VS. Assistant

  32. A Tale of Two Provers Conclusion Liquid Haskell is a promising prover, but needs a lot of Coq -inspired future work.

  33. A Tale of Two Provers Conclusion Liquid Haskell is a promising prover, but needs a lot of Coq -inspired future work. Fast “tactics” Liquid GUI Proof Assistant Hackage Sharing Proofs Thanks!

Recommend

More recommend