Automated Theorem Proving: A Retrospection & Applications of

advertisement
Automated Theorem Proving:
A Retrospection
&
Applications of Formal Methods
CS3234
Aquinas Hobor and Martin Henz
Outline
• Reflections on Coq
• Applications of Formal Methods
• How to study for the Final
2
A proverb
“Only those who have been bitten by the snake
can understand how it feels.”
3
Why are theorem provers used?
Very high assurance due to mechanical checking
• Checkers are very through: don’t get tired, don’t
get bored, don’t make mistakes
• If anything, the problem is the opposite – trying
to convince a checker that a true thing is true
can be frustrating.
4
In our class…
• Many times I helped students who were sure
that something was true, and just needed a
little help to understand how to convince Coq.
• Usually it was not more than a line or two…
5
In our class…
• Many times I helped students who were sure
that something was true, and just needed a
little help to understand how to convince Coq.
• Usually it was not more than a line or two…
• … several times the difficulty was that the
thing that they were sure was true was
actually false. (e.g., n – 1 + 1 = n : Not true!)
6
There are some contexts where bugs
have enormous cost.
• Proofs about real software are hard to get right;
Coq found a previously unknown bug in the proof
in the (widely-used, second-edition) textbook.
7
Disadvantages of
Automated Theorem Proving
• Developing the hints / proof by hand can be
very labor-intensive
• It can be very difficult to formalize correctness
– “correct” operating system?
– “correct” web browser?
– “correct” compiler?
• Learning curve to use systems can be steep
8
Disadvantages of
Automated Theorem Proving
• Developing the hints / proof by hand can be
very labor-intensive
• It can be very difficult to formalize correctness
– “correct” operating system?
– “correct” web browser?
– “correct” compiler?
Now you
understand…
• Learning curve to use systems can be steep
9
One more advantage…
they are fun to use!
• A bit like writing software in a scripting language
“Building such scripts is surprisingly addictive,
in a videogame kind of way…”
- Xavier Leroy
• The advantage of never having to worry about bugs
in the finished product
• Can work on math at 3 AM without fear
10
One more advantage…
they are fun to use!
• A bit like writing software in a scripting language
“Building such scripts is surprisingly addictive,
in a videogame kind of way…”
Unclear if this is
- Xavier Leroy
an advantage 
• The advantage of never having to worry about bugs
in the finished product
• Can work on math at 3 AM without fear
11
In your own words…
• “I found COQ is really an amazing tool. I like to play
with it now. haha!”
• “I love video games. Coq is the first programming
language I use as a game. I really enjoy it haha!”
• “[Proof completed.] is the best feeling in the world!”
• (and many others)
• Of course, it’s harder to give negative feedback, so…
12
In the words of Nick Benton
Senior Researcher, Microsoft Research, Cambridge UK
Wrote a paper in 2006 titled,
“Machine Obstructed Proof”
http://research.microsoft.com/
en-us/um/people/nick/mop.pdf
13
In the words of Nick Benton
“After years doing programming language theory without
going near a proof assistant, I was finally convinced by the
POPLmark ‘buzz’ and conversations at ICFP’05 that it was time
to try one.”
… [there was a workshop giving an introduction to Coq] …
“The workshop description says “the available tools are [...]
difficult to learn, inadequately documented, and lacking in
specific library facilities required for work in programming
languages”. I can confirm that I have rarely felt as stupid and
frustrated as I did during my first few weeks using Coq.”
14
In the words of Nick Benton
“Scripts are unreadable by themselves, as one has no idea what
the tactics are doing to the proof state, and the documentation for
them is incomprehensible to the novice. The only thing that works
is lots and lots of trial and error in an interactive environment, and
I still couldn’t give a coherent general description of what some of
the tactics I’ve used many times actually do, or how they differ
from half a dozen apparently similar ones. And basic ones are still
missing; I spent days fighting with elim, case, destruct and
variations on induction and still kept finding myself having done
case splits without the information about which branch I was in.
This was so frustrating I gave up on Coq (and spent a week playing
with HOL Light) until Georges Gonthier showed me the magic, and
frankly bizarre, incantation
generalize (refl_equal x); pattern x at -1; case x.”
15
In the words of Nick Benton
“There are bugs. On Windows, CoqIDE falls over,
whilst Proof General only works with the original
2004 version of Coq 8. I spent ages defining
Setoid structures on everything, only to find
Setoid rewriting throws an ‘anomaly’ exception
in interesting contexts.”
(you may recall a HW assignment (hw5) where I
said to use “generalize” instead of “spec”)
16
In the words of Nick Benton
“I had many similar difficulties, but then started to make
progress. Just having intermediate stages of the work in a
computerized form rather than on many pages of paper
proved a major benefit. Far more often than I’d expected,
one can alter definitions and then mildly tweak the
previous version of a proof to keep it up to date. On
paper, I tend to keep going back to the top and doing
everything from scratch to be sure everything is still
consistent.”
17
In the words of Nick Benton
“Automated proving is not just a slightly more fussy version
of paper proving and neither (Curry-Howard notwithstanding)
is it really like programming. It’s a strange new skill, much
harder to learn than a new programming language or
application, or even many bits of mathematics. I’m resistant
to investing significant effort in tools (I don’t write clever TeX or
Emacs macros), but the payoff really came the second time I
used Coq: I was able to prove some elementary but delicate
results for a different paper in just a day or so. Coq is worth
the bother and it, or something like it, is the future, if only we
could make the initial learning experience a few thousand
times less painful.”
18
Of note
• There is a somewhat similar course being
offered in the past year to undergraduates
– Using Coq to examine program semantics
– University of Pennsylvania
– Princeton University
– Harvard University (a bit different)
– Probably others
• For good or evil, you have been on the
bleeding edge of formal methods teaching…
19
So…
• Well done for getting through it!
• Hopefully you have learned a lot (we noticed that
your pen-and-paper induction proofs improved
significantly), and had some fun as well.
• With a bit of luck you don’t hate your Profs (too
much!) for putting it in the course… If you have
suggestions for making the process easier in future
years, please let us know.
20
Outline
• Reflections on Coq
• Applications of Formal Methods
• How to study for the Final
21
How do people use formal methods?
1. Type theory
2. Program Analysis
3. Proof-Carrying Code
4. Certified compilation
22
Type Theory
• You are familiar with languages like Java, where your
variables (& function parameters, etc.) have a
declared type.
– int myInt;
– List<List<Int>> myListofListofInts;
– Object myObject;
• The idea is to classify values into sets. During
compilation, there is a phase called type-checking,
where the compiler looks for type errors, such as
– myListofListofInts := 5; // Oops… what does this mean?
23
Type Theory
• Why do we do this? Because type errors almost always
are mistakes in the program.
– Analogy is to units in science (e.g., a Newton of force is 1
kilogram-meter per second squared).
– You check your units when you do science for the same
reason that it is a good idea to do type checking when
programming.
• We can (usually) do type-checking in ~ linear time, and
can discover many bugs much faster than testing.
– This is a form of proof generation (which we have only
explained very little of in this course, but have used a lot,
e.g., “auto”, “omega”, etc.)
– The idea with a type system is to trade off expressivity for
automatic generation.
24
Type Theory
• The field that studies program typing is called Type Theory.
• It turns out that there is a deep connection between formal
logic and type theory, called the Curry-Howard Isomorphism.
• Languages with strong type systems include
– Java / C#
– SML / oCaml
– Haskell
• Languages with weak type systems include
– C / C++
• Languages without any type systems include
– Python/JavaScript
– Assembly (some have weak typing)
25
Program Analysis
• Another use for formal methods is automatic
program analysis; e.g., bounds checking.
• Lots of code uses integers that are supposed to
stay within certain bounds
– Arrays
– Overflow (max_int + 1 – bad idea)
• It is possible to develop software that examines
source code and automatically proves that (for
example) an array access is always in-bounds.
26
Bounds Checking
• These automatic tools usually require a bit of
help from the programmer.
• But they are very effective: can catch many bugs
long before they would have been caught
through testing.
• Companies that use this kind of technology:
– Airbus
– Microsoft
– etc.
27
Bounds Checking
How it works (one choice)
• Programmer puts annotations in his code
– int x __inrange(0,10);
– int n __lessthan(sizeof(myArray));
• The tool then uses a form of Hoare logic to
propagate these bounds in the code
• If it is unable to prove that the invariant is
obeyed, it complains
• To run on real code, tools must be very complex
– Pointer arithmetic, aliasing, etc. etc.
28
Proof-Carrying Code
• Problem: we would like to have a way to get
code from an untrusted source, which we
then want to run on our computer
– e.g., Web Browser
• This sounds like a bad idea…
• But (it turns out) people really want to do it.
29
Proof-Carrying Code
• So, we will require that the untrusted code
provider sends us both
– The code, which we will run only after checking
– A proof that the code obeys some safety policy
• Simplest version you are familiar with:
– Java web applets
30
Proof-Carrying Code
• How it works:
– Modify compiler to take a proof at the source
code level (maybe just a proof that the source
program is well-typed) and transform that proof
as it compiles into a proof at the machine level.
– Modify runtime system to accept both code and
proof; it must check proof, then run code
31
Certified Compilation
• Bugs in a program that are due to a mistake in
the compiler (“compiler bugs”) are some of
the most difficult to find – can take weeks or
months.
• The problem is, the source code is right.
• Compilers are some of the most complicated
pieces of software there are.
– Hundreds of thousands of lines, highly
complicated algorithms
32
Certified Compilation
• The goal of a certified compiler is to have a
compiler with no bugs.
– That is, the source program is always correctly
translated into the target language.
• We have seen in lecture 12 some of the tools
used: you give both the source and target
languages a formal semantics, and then prove:
– ¾  ¾’
)
C(¾) * C(¾’)
– That is, that the compiler C preserves the
semantics of the program.
33
Outline
• Reflections on Coq
• Applications of Formal Methods
• How to study for the Final
34
Final
• There is a paper part and a Coq part
– Total: 90 points
– Paper: 50 points, 60%
– Coq: 40 points, 40%
• You will have two hours (combined) to do
both parts.
– You can switch back and forth if you like.
35
Paper part: Format
• Fair game topics:
– Everything covered in lectures 1-12, midterm, quizzes
1-3, homework 1-10
• Not multiple choice; instead:
36
Paper part: Format
• Fair game topics:
– Everything covered in lectures 1-12, midterm, quizzes
1-3, homework 1-10
• Not multiple choice; instead:
• Proofs! (Oh boy!)
– Natural deduction
– Induction
– Semantic proofs
– Hoare proofs
– etc.
37
Coq part: Format
• Five Questions
1.
2.
3.
4.
5.
First-order logic *
Induction
Modal logic
Modal logic *
Hoare logic
* Similar to questions 1 and 2 on the Coq quiz
38
Coq part: Format
• Each problem is worth 9 points (out of 90, so 40%)
• Maximum 36 points: pick 4 out of the 5
– Skip one if you get stuck!
• No extra credit
– Spend the extra time on the paper part
• We are assuming that it will take about an hour
– Around 15 minutes per question
– Quiz: 2 questions, 23 minutes (11.5 minutes each)
39
Coq part: study strategy
• Make sure that you can do the quiz in a reasonable
amount of time (again, two questions on the final are
similar to the two quiz questions. If you get them
done quickly then you have 20% of the points already.)
• Review major frameworks (Modal logic in HW5 and
Hoare logic in HW10). You will not have enough time
to figure them out again during the exam.
• You can redo some problems to remind yourself how
those parts work.
40
Test strategy
• Remember: you can skip one Coq problem
– If you get stuck, move on: maybe another one is easier.
– Don’t Panic! If you get stuck then do paper part for
awhile, maybe an idea for Coq part will occur.
• Watch the time. It’s not a short exam.
• Don’t get so absorbed with the Coq part that you
neglect paper part, or vise versa.
41
Last but not least…
Good Luck on your finals
(including ours)
and
Thanks for taking CS3234!
– Martin and Aquinas
42
Download