Tool Support for Proof Engineering
Anne Mulhern, Charles Fischer, Ben Liblit
Anne Mulhern
Computer Sciences Department
University of Wisconsin-Madison
Madison, WI USA
mulhern@cs.wisc.edu
www.cs.wisc.edu/~mulhern
Size of Proofs
• Certified C compiler in Coq [Leroy et al]
– Compiler + proof that the compiler preserves semantics
– Back-end
• One man-year
• 35,000 lines of Coq scripts, definitions, and tactics
– Front-end
• 3/4 man-year
• 6,000 lines of Coq scripts, definitions, and tactics
UITP 2006
Tool Support for Proof Engineering
2
[Pie chart: "Relative Proportion of Lines in Proof" (Proof Material vs. Definitions), with segments for Compiler Definitions, Specifications, Statements of Theorems and Lemmas, Proof Scripts, and Directives and Custom Tactics; percentages shown on the chart: 87%, 13%, 50%, 22%, 8%, 7%]
Formal Certification of a Compiler Back-end or:
Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]
Proof Objects/Proof Scripts
• Proof objects can be an order of magnitude
larger than proof scripts
• Factors
– Down
• Good modularization
– Up
• Powerful tactics
• Good use of hints
Size of Linux Kernel
• 1991 - 10,000 lines
• 1996 - 800,000 lines
• 2001 - 3 million lines
• 2006 - 7 million lines
Integrated Proof Environment
• Abbreviated as IPE
• Similar to an IDE (Integrated Development Environment)
• Uncommon
This is a position paper
• Tools and techniques from IDEs can be transferred to IPEs
• Tools and techniques from IDEs should be transferred to IPEs
Outline
• Motivation
• Tools and Techniques
• Mechanisms
Motivation
• Programming languages are my specialty
– Formal proofs of programming language properties
• The POPLmark challenge
– Generation of certified programs by extraction
• Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant [Xavier Leroy, POPL 2006]
PL Proofs are different
• Proofs should be easy to modify and reuse
• For certified programs: the structure of the generated proof matters
• Proofs frequently proceed by induction
– Inductive theorems are particularly challenging
• On Strategies for Inductive Theorem Proving [Bernhard Gramlich, Strategies 2004 Invited Talk]
Proofs are Programs
• Theory
– Curry-Howard isomorphism
• Practice
– Extend
– Refactor
– Debug
• We can tackle similar problems with similar techniques
HOL, B method, PhoX, Minlog, Mizar, Coq, Theorema, PVS, Otter/Ivy, Alfa/Agda, Isabelle/Isar, Lego, Nuprl, ACL2, IMPS, Metamath, Omega
“The Seventeen Provers of the World” [Wiedijk]
Tools and Techniques
• Common Conveniences
• Proof Visualization in the Large
• Navigation by Derivation
Common Conveniences in IDEs
• Multiple views for understanding and navigation
– Collapsed and expanded text
– Outline views
– And so forth
• Automatic refactoring
– Rewriting while preserving meaning or behavior
Legend
Common Conveniences in IPEs
Make Variable Implicit
• Variables whose value can be inferred from the type of other variables may be made implicit
• If a variable is implicit, its value must not be given
• To make a variable implicit
– Make implicit in definition
– Change all uses of definition
Software Visualization in the Large
• Ball and Eick, 1996
• Unary properties
• Color
• Large projects
• Multiple files
Software Visualization in the Large [Ball and Eick, 1996]
Proof Visualization in the Large
• Lemma “hot spots”
• Revision information
• Proportion of proofs to definitions
• Goal depth
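An added example, not from the paper, of the textual analysis such a view would be built on: a Python script that walks a constructed Coq script (made up for this example and not checked with Coq; only its textual shape matters) and computes three of the measures listed above per file: the share of lines that are proof script versus definitions, statements and directives, the deepest { } focusing nesting inside each proof as a stand-in for goal depth, and how often each lemma is used inside other proofs (the "hot spots"). The classification rules, the sample script and the choice of brace nesting as the depth measure are all assumptions.

```python
import re
from collections import Counter

# Constructed Coq script (not from the paper, not checked with Coq).
SCRIPT = """\
Require Import Arith.
Definition double (n : nat) : nat := n + n.
Lemma double_0 : double 0 = 0.
Proof. reflexivity. Qed.
Lemma double_S (n : nat) : double (S n) = S (S (double n)).
Proof.
  unfold double.
  { rewrite Nat.add_succ_r.
    { reflexivity. } }
Qed.
Theorem double_even (n : nat) : Nat.even (double n) = true.
Proof.
  induction n.
  { rewrite double_0. reflexivity. }
  { rewrite double_S. simpl. apply IHn. }
Qed.
Hint Resolve double_0 : core.
"""

HEAD = re.compile(r"^(Lemma|Theorem|Corollary|Definition|Fixpoint|Inductive)\s+([A-Za-z0-9_']+)")
DIRECTIVE = re.compile(r"^(Require|Import|Export|Hint|Ltac|Set|Unset|Open)\b")
PROOF_END = ("Qed.", "Defined.", "Admitted.")


def analyze(script):
    """Line-by-line pass collecting the per-file measures a proof
    visualization in the large could colour by."""
    counts = Counter()   # lines per category (the pie-chart split)
    depth = {}           # lemma name -> deepest { } focusing nesting in its proof
    hot = Counter()      # lemma name -> uses inside *other* proofs
    lemmas = []
    current = None
    in_proof = False
    cur_depth = 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Proof"):
            in_proof = True
            cur_depth = 0
        if in_proof:
            counts["proof script"] += 1
            for ch in line:
                if ch == "{":
                    cur_depth += 1
                    if current is not None:
                        depth[current] = max(depth[current], cur_depth)
                elif ch == "}":
                    cur_depth -= 1
            for name in lemmas:
                if name != current:
                    pat = r"(?<![\w'])" + re.escape(name) + r"(?![\w'])"
                    hot[name] += len(re.findall(pat, line))
            if line.endswith(PROOF_END):
                in_proof = False
            continue
        m = HEAD.match(line)
        if m:
            kind, name = m.groups()
            if kind in ("Lemma", "Theorem", "Corollary"):
                counts["statement"] += 1
                current, depth[name], hot[name] = name, 0, 0
                lemmas.append(name)
            else:
                counts["definition"] += 1
        elif DIRECTIVE.match(line):
            counts["directive"] += 1
        else:
            counts["other"] += 1
    total = sum(counts.values())
    return {"counts": counts,
            "proof_share": counts["proof script"] / total,
            "goal_depth": depth,
            "hot_spots": hot}


if __name__ == "__main__":
    report = analyze(SCRIPT)
    for category, n in report["counts"].items():
        print(f"{category:13s} {n:3d} lines")
    print(f"proof share: {report['proof_share']:.0%}")
    print("goal depth:", dict(report["goal_depth"]))
    print("hot spots:", dict(report["hot_spots"]))
```

On the sample, 11 of 17 lines are proof script, double_S reaches focusing depth 2, and double_0 and double_S are each used once by another proof. A lemma's uses in its own proof are deliberately not counted, and a name that is only mentioned in a Hint line is not counted either, because the directive is not part of a proof.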
Goal depth
[figure]
Navigation by Derivation
• No obvious analog currently in IDEs but…
– Numerous instances where original line numbering is preserved
• Parsers map to grammar file line numbers
• gcc maps to source file line numbers
– Source/assembly navigation tool desirable
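An added example, not from the paper, of the line-number-preserving mechanism the slide points to: a Python script that expands a constructed tactic-script macro into several output lines while recording, for every output line, the source line it came from, the same idea as gcc's source-line mapping or a parser generator's grammar-line annotations. The navigator then answers both directions of the question: which source line produced a given output line, and which output lines a given source line became. The macro name REPEAT_SIMPL and the sample script are assumptions made for this example.

```python
import re

# Constructed input (not from the paper): a tiny script with a hypothetical
# macro REPEAT_SIMPL k that stands for k lines of "simpl.".
SOURCE = """\
intro n.
REPEAT_SIMPL 3
apply lemma_a.
REPEAT_SIMPL 2
reflexivity.
"""

MACRO = re.compile(r"^REPEAT_SIMPL (\d+)$")


def expand(source):
    """Expand the script and build a line map: line_map[i] is the 1-based
    source line that produced output line i + 1."""
    out, line_map = [], []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = MACRO.match(line.strip())
        if m:
            for _ in range(int(m.group(1))):
                out.append("simpl.")
                line_map.append(lineno)   # every expanded line points back to the macro line
        else:
            out.append(line)
            line_map.append(lineno)
    return out, line_map


def source_line_of(line_map, output_lineno):
    """Navigate back: the source line that produced output line `output_lineno` (1-based)."""
    return line_map[output_lineno - 1]


def output_lines_of(line_map, source_lineno):
    """Navigate forward: the output lines (1-based) derived from `source_lineno`."""
    return [i + 1 for i, src in enumerate(line_map) if src == source_lineno]


if __name__ == "__main__":
    out, line_map = expand(SOURCE)
    for i, (text, src) in enumerate(zip(out, line_map), start=1):
        print(f"out {i:2d} <- src {src}: {text}")
```

With the sample, output line 4 maps back to source line 2 (the first macro), and source line 4 (the second macro) maps forward to output lines 6 and 7; a derivation-aware editor would use exactly this table to jump between a proof object and the script line that generated it.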
Mechanisms
• Textual Analysis on proofs or scripts
– Multiple Views
• Compiler/Debugger techniques
– Navigation by derivation
• Both
– Refactoring
– Proof visualization in the large
Summary
• IPEs non-existent
• Proofs must be managed
• Technology already exists
• Considerable theoretical possibilities