Tool Support for proof Engineering

Anne MulhernComputer Sciences DepartmentUniversity of Wisconsin-Madison

Madison, WI USAmulhern@cs.wisc.edu

www.cs.wisc.edu/~mulhern

Anne Mulhern Charles Fischer Ben Liblit

UITP 2006 Tool Support for Proof Engineering 2

Size of Proofs

• Certified C compiler in Coq [Leroy et al]– Compiler + proof that compiler preserves

semantics– Back-end

• One man-year• 35,000 lines of Coq scripts, definitions, and tactics

– Front-end• 3/4 man-year• 6,000 lines of Coq scripts, definitions, and tactics

UITP 2006 Tool Support for Proof Engineering 3

Proof Material/DefinitionsRelative Proportion of Lines in Proof

13%

8%

22%

50%

7%

87%

Compiler Definitions

Specifications

Statements ofTheorems andLemmasProof Scripts

Directives and CustomTactics

Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]

UITP 2006 Tool Support for Proof Engineering 4

Proof Objects/Proof Scripts

• Proof objects can be an order of magnitude larger than proof scripts

• Factors– Down

• Good modularization

– Up• Powerful tactics

• Good use of hints

UITP 2006 Tool Support for Proof Engineering 5

Size of Linux Kernel

• 1991 - 10,000 lines

• 1996 - 800,000 lines

• 2001 - 3 million lines

• 2006 - 7 million lines

UITP 2006 Tool Support for Proof Engineering 6

Integrated Proof Environment

• Abbreviated as IPE

• Similar to an IDE (Integrated Development Environment)

• Uncommon

UITP 2006 Tool Support for Proof Engineering 7

This is a position paper

tools and techniques from IDEs can be transferred to IPEs

tools and techniques from IDEs should be transferred to IPEs

UITP 2006 Tool Support for Proof Engineering 8

Outline

• Motivation

• Tools and Techniques

• Mechanisms

UITP 2006 Tool Support for Proof Engineering 9

Outline

• Motivation

• Tools and Techniques

• Mechanisms

UITP 2006 Tool Support for Proof Engineering 10

Motivation

• Programming languages are my specialty– Formal proofs of programming language

properties• The POPLmark challenge

– Generation of certified programs by extraction• Formal Certification of a Compiler Back-end or:

Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]

UITP 2006 Tool Support for Proof Engineering 11

PL Proofs are different

• Proofs should be easy to modify and reuse• For certified programs: structure of the

generated proof matters• Proofs frequently proceed by induction

– Inductive theorems are particularly challenging• On Strategies for Inductive Theorem Proving

[Bernhard Gramlich, Strategies 2004 Invited Talk]

UITP 2006 Tool Support for Proof Engineering 12

Proofs are Programs

• Theory– Curry-Howard isomorphism

• Practice– Extend– Refactor – Debug

• We can tackle similar problems with similar techniques

UITP 2006 Tool Support for Proof Engineering 13

“The Seventeen Provers of the World” [Wiedjik]

HOL

Mizar

PVS

Otter/Ivy

Isabelle/Isar

Alfa/Agda

ACL2

PhoX

IMPS

Metamath

Theorema

LegoNupr

l Omega

B method

Minlog

Coq

UITP 2006 Tool Support for Proof Engineering 14

Outline

• Motivation

• Tools and Techniques

• Mechanisms

UITP 2006 Tool Support for Proof Engineering 15

Tools and Techniques

• Common Conveniences

• Proof Visualization in the Large

• Navigation by Derivation

UITP 2006 Tool Support for Proof Engineering 16

Common Conveniences in IDEs

• Multiple Views for understanding and navigation– Collapsed and expanded text– Outline Views– And so forth

• Automatic Refactoring– Rewriting while preserving meaning or

behavior

UITP 2006 Tool Support for Proof Engineering 17

Legend

UITP 2006 Tool Support for Proof Engineering 18

UITP 2006 Tool Support for Proof Engineering 20

Common Conveniences in IPEs

UITP 2006 Tool Support for Proof Engineering 21

Make Variable Implicit

• Variables whose value can be inferred from the type of other variables may be made implicit

• If a variable is implicit its value must not be given

• To make a variable implicit– Make implicit in definition– Change all uses of definition

UITP 2006 Tool Support for Proof Engineering 22

Tools and Techniques

• Common Conveniences

• Proof Visualization in the Large

• Navigation by Derivation

UITP 2006 Tool Support for Proof Engineering 23

Software Visualization in the Large

• Ball and Eick, 1996

• Unary properties

• Color

• Large projects

• Multiple files

UITP 2006 Tool Support for Proof Engineering 24Software Visualization in the Large [Ball and Eick, 1996]

UITP 2006 Tool Support for Proof Engineering 25

Proof Visualization in the Large

• Lemma “hot spots”

• Revision information

• Proportion of proofs to definitions

• Goal depth

UITP 2006 Tool Support for Proof Engineering 26

Goal depth

{

UITP 2006 Tool Support for Proof Engineering 27

Tools and Techniques

• Common Conveniences

• Proof Visualization in the Large

• Navigation by Derivation

UITP 2006 Tool Support for Proof Engineering 28

UITP 2006 Tool Support for Proof Engineering 29

Navigation by Derivation

• No obvious analog currently in IDEs but…– Numerous instances where original line

numbering is preserved• Parsers map to grammar file line numbers

• gcc maps to source file line numbers

– Source/assembly navigation tool desirable

UITP 2006 Tool Support for Proof Engineering 30

Outline

• Motivation

• Tools and Techniques

• Mechanisms

UITP 2006 Tool Support for Proof Engineering 31

Mechanisms

• Textual Analysis on proofs or scripts– Multiple Views

• Compiler/Debugger techniques– Navigation by derivation

• Both– Refactoring– Proof visualization in the large

UITP 2006 Tool Support for Proof Engineering 32

Summary

• IPEs non-existent

• Proofs must be managed

• Technology already exists

• Considerable theoretical possibilities

Tool Support for proof Engineering

Anne MulhernComputer Sciences DepartmentUniversity of Wisconsin-Madison

Madison, WI USAmulhern@cs.wisc.edu

www.cs.wisc.edu/~mulhern

Anne Mulhern Charles Fischer Ben Liblit