Administrative stuff

1
Administrative stuff

• On Thursday, we will start class at 1110, and
  finish at 1155
• This means that each project will get a 10 minute
  presentation 5 minutes of questions and answers

2
Pred. abstraction for software verification

• Wont go into details of paper
• This work is interesting from the perspective of
  this class because it ties together two
  techniques weve already seen
• ESC/Java style checking
• Predicate abstraction (BLAST lecture given by
  Ranjit)

3
Curry-Howard Isomorphism
4
But before Type systems 101
5
Simply typed lambda calculus

• Consider the simply typed lambda calculus
• e n (integers)
• x (variables)
• ? x? . e (function definition)
• e1 e2 (function application)
• ? int (integer type)
• ?1 ! ?2 (function type)

6
Typing rules

• Typing judgment ? e?
• Is read as in context ?, e has type ?
• The context tells us what the type of the free
  variables in e are
• Example xint , fint ! int (f x)int
• Typing rules

Judgment1
Judgment2
7
Rules for lambda terms
? (f x)?2
8
Rules for lambda terms
? (? x?1 . b)
9
What other rules do we need?
10
What other rules do we need?
x? 2 ?
? n int
? x?
11
Summary so far
x? 2 ?
? n int
? x?
?, x?1 b?2
? f?1 ! ?2
? x?1
? (? x?1 . b)?1 ! ?2
? (f x)?2
12
Adding pairs

• e n x ? x? . e e1 e2
• ? int ?1 ! ?2

13
Adding pairs

• e n x ? x? . e e1 e2
• (e1,e2) (pair construction)
• fst e (select first element of a pair)
• snd e (select second element of a pair)
• ? int ?1 ! ?2
• ?1 ?2 (pair type)

14
Rules for pairs
? (x,y)?1 ?2
15
Rules for pairs
? fst x?1
? snd x?2
16
Rules for pairs (summary)
? x?1
? y?2
? x?1 ?2
? x?1 ?2
? (x,y)?1 ?2
? fst x?1
? snd x?2
17
Adding unions

• e n x ? x? . e e1 e2 (e1,e2) fst
  e snd e
• ? int ?1 ! ?2 ?1 ?2

18
Adding unions

• e n x ? x? . e e1 e2 (e1,e2) fst
  e snd e
• inl e (create a union of the left case)
• inr e (create a union of the right case)
• case e of inl x ) e1 inr y ) e2
• (perform case analysis on union)
• ? int ?1 ! ?2 ?1 ?2
• ?1 ?2 (sum (aka union) type)

19
Rules for unions
? inl x ?1 ?2
? inr x ?1 ?2
20
Rules for unions
? z?1 ?2
? (case z of inl x ) b1 inr y ) b2) ?
21
Rules for unions (summary)
? y?2
? x?1
? inl x ?1 ?2
? inr x ?1 ?2
? z?1 ?2
?, x?1 b1 ?
?, y?2 b2 ?
? (case z of inl x ) b1 inr y ) b2) ?
22
Curry-Howard Isomorphism
23
Typing rules for lambda terms
?, x?1 b?2
? f?1 ! ?2
? x?1
? (? x?1 . b)?1 ! ?2
? (f x)?2
Where have we seen these rules before?
24
Typing rules for lambda terms
?, x?1 b?2
? f?1 ! ?2
? x?1
? (? x?1 . b)?1 ! ?2
? (f x)?2
Erase terms
? ?1 ! ?2
? ?1
?, ?1 ?2
? ?1 ! ?2
? ?2
Convert to logic
? A ) B ? A
?, A B
)E
)I
? B
? A ) B
25
Typing rules for pairs
? x?1
? y?2
? x?1 ?2
? x?1 ?2
? (x,y)?1 ?2
? fst x?1
? snd x?2
Where have we seen these rules before?
26
Typing rules for pairs
? x?1
? y?2
? x?1 ?2
? x?1 ?2
? (x,y)?1 ?2
? fst x?1
? snd x?2
Erase terms
? ?1
? ?2
? ?1 ?2
? ?1 ?2
? ?1 ?2
? ?1
? ?2
Convert to logic
? A Æ B
? A Æ B
? A ? B
ÆI
ÆE1
ÆE2
? A
? B
? A Æ B
27
Typing rules for unions
? y?2
? x?1
? inl x ?1 ?2
? inr x ?1 ?2
Where have we seen these rules before?
28
Typing rules for unions
? y?2
? x?1
? inl x ?1 ?2
? inr x ?1 ?2
Erase terms
? ?1
? ?2
? ?1 ?2
? ?1 ?2
Convert to logic
? A
? B
ÇI1
ÇI2
? A Ç B
? A Ç B
29
Typing rules for unions (contd)
? z?1 ?2
?, x?1 b1 ?
?, y?2 b2 ?
? (case z of inl x ) b1 inr y ) b2) ?
Where have we seen this rule before?
30
Typing rules for unions (contd)
? z?1 ?2
?, x?1 b1 ?
?, y?2 b2 ?
? (case z of inl x ) b1 inr y ) b2) ?
Erase terms
? ?1 ?2
?, ?1 ?
?, ?2 ?
? ?
Convert to logic
? A Ç B
?, A C
?, B C
ÇE
? C
31
Curry-Howard isomorphism

• Propositions-as-types
• ? int ?1 ! ?2 ?1 ?2 ?1 ?2
• A p A1 ) A2 A1 Æ A2 A1 Ç A2
• If types are propositions, then what are lambda
  terms?

32
Typing rules using logic for types
?, x A y B
? f A ) B
? x A
)I
)E
? (? x A . y) A ) B
? (f x) B
? x A
? y B
? x A Æ B
? x A Æ B
ÆE2
ÆI
ÆE1
? (x,y) A Æ B
? fst x A
? snd x B
? y B
? x A
ÇI1
ÇI2
? inl x A Ç B
? inr x A Ç B
? z A Ç B
?, x A e1 C
?, y B e2 C
ÇE
? (case z of inl x ) e1 inr y ) e2) C
33
Curry-Howard isomorphism

• If types are propositions, then what are lambda
  terms?
• Answer terms are proofs
• Programs-as-proofs
• ? eA means that under assumptions ?, A holds
  and has proof e

34
Example
?, x A y B
)I
? (? x A . y) A ) B

• A proof of A ) B is a function that takes a
  parameter x of type A (that is to say, a proof of
  A), and returns something of type B (that is to
  say, a proof of B)

35
Another example
? f A ) B
? x A
)E
? (f x) B

• Suppose we have a proof of A ) B. This is a
  function f that, given a proof of A, returns a
  proof of B.
• Suppose also that we have a proof of A, call it
  x.
• Then applying f to x gives us a proof of B.

36
Another example
? x A
? y B
ÆI
? (x,y) A Æ B

• A proof of A Æ B is just a pair containing the
  proof of A and the proof of B

37
Another example
? x A
ÇI1
? inl x A Ç B

• Given a proof of A, a proof of A Ç B is a union
  in the left case, which records that we attained
  the disjunction through the left of the Ç
• There is a problem though

38
Another example
? x A
ÇI1
? inl x A Ç B

• Given a proof of A, a proof of A Ç B is a union
  in the left case, which records that we attained
  the disjunction through the left of the Ç
• Unfortunately, the proof does not record what the
  right type of the union is.
• Given that x is a proof of A, what is inl x a
  proof of?
• Ideally, we would like the proof (lambda term) to
  determine the formula (type). Whats the fix?

39
The fix for Ç proofs (union terms)

• Ideally, we would like the proof (lambda term) to
  determine the formula (type). Whats the fix?

? y B
? x A
ÇI1
ÇI2
? inl x A Ç B
? inr x A Ç B
40
The fix for Ç proofs (union terms)

• Ideally, we would like the proof (lambda term) to
  determine the formula (type). Whats the fix?
• We add the other type to the Ç proof (union term)

? y B
? x A
ÇI1
ÇI2
? inlB x A Ç B
? inrA x A Ç B
41
Intuition for quantifiers

• A proof of 8 x?. P(x) is a function that, given
  a parameter x of type ?, returns a proof of P(x)
• A proof of 9 x?. P(x) is a function that
  computes a value of type ? for which P(x) holds
• Note that 8 x?.P(x) and 9 x?. P(x) are
  formulas, and so they are types. But they also
  contain a type ? inside of them.

42
Programs-as-proofs

• The programs-as-proofs paradigm is operational
  to prove something, we have to provide a program
• This program, when run, produces a computational
  artifact that represents a proof of the formula
• the program itself is also a representation of
  the proof, but so is the final result computed by
  the program

43
Curry-Howard breaking down

• Because of the operational nature of the
  programs-as-proofs paradigm, the paradigm only
  works for proofs that are constructive
• Consider the formula 9 x. P(x)
• A constructive proof must show how to compute the
  x that makes the formula valid
• A proof by contradiction would assume 8 x.
  P(x), and then derive false.
• But this does not give us a way to compute x,
  which means it doesnt give us a
  program-as-proofs proof.

44
Curry-Howard breaking down

• Curry-Howard isomorphism only holds for
  constructive logics
• Like classical logic, except that we do not allow
  proofs by contradiction
• The rule that you remove depends on the calculus
  youre using
• In our natural deduction calculus, remove the
  following rule

? A
E
? A
45
Constructive logic

• In other calculii, it may be the following rule
• Or it may be the law of the excluded middle

?, A F
? A
? A Ç A
46
Constructive logic example

• Consider the task of constructing an algorithm
  that prints 0 if Riemanns Hypothesis holds and
  prints 1 otherwise.
• Riemanns Hypothesis has not been proved or
  disproved (Fermats last theorem was previously
  used, until it was proven)
• Does such an algorithm exists?

47
Constructive logic example

• Consider the task of constructing an algorithm
  that prints 0 if Riemanns Hypothesis holds and
  prints 1 otherwise.
• Riemanns Hypothesis has not been proved or
  disproved (Fermats last theorem was previously
  used, until it was proven)
• Does such an algorithm exists?
• Classicists yes
• Constructivists dont know yet. Need to wait
  until Riemanns Hypothesis is proven or disproven

48
Constructive logic

• It may seem that using constructive logic is like
  tying your hands behind your back before starting
  a proof. So why use it?
• Several arguments for it, including philosophical
  ones
• One of the concrete arguments in favor of
  constructive logic is the Curry-Howard
  isomorphism, which leads to the so-called
  specifications-as-programs paradigm.

49
Specifications as programs

• Suppose we want to program an algorithm that
  given a natural number x produces a natural
  number y so that a decidable condition P(x,y) is
  satisfied
• A proof of 8 x. 9 y. P(x,y) in constructive logic
  yields a program for computing y from x, which is
  a provably correct implementation of the
  specification.
• Programs and specifications are the same!

50
Specifications as programs

• This idea has been used in various contexts,
  including two widely know theorem provers
• Coq
• NuPRL
• One of the main challenges in these systems is
  extracting efficient programs from the proofs

51
Conclusion
52
The course in a nutshell

• Logics
• Techniques
• Applications

53
Logics

• Propositional, first-order, higher-order
• Expressiveness, level of automation, human
  friendliness
• Constructive logic

54
Techniques
Applying induction based on recursive structures

• Natural deduction
• Sequents
• Tactics Tacticals
• Resolution

Matching

• DPLL
• Backtracking
• Incremental SAT

• E-graph
• Rewrite rules

Communication between decision procedures and
between prover and decision procedures
55
Applications

• Rhodium
• ESC/Java
• Blast
• Proof Carrying Code

56
What have we learned?