Automated functional program verification using fixpoint fusion
William Sonnex, University of Cambridge (Imperial College at heart)
PowerPoint presentation transcript

Proof by simplification
Start with:
Simplify:
Properties provable
Properties proven by current implementation:
Properties hopefully provable soon:

Functional language used
Simply typed lambda calculus with general recursion, absurdity and algebraic data-types (constructors and pattern matching).
Contents
• What is fixpoint fusion?
• New technique “fixpoint fission” allows for
• How do we prove implications? e.g.
• New technique “fold-fix fission” allows us to prove
Fixpoint fusion
Turns a context containing a recursive function into just a recursive function:

Fixpoint fusion
Three steps to find :
1. Unwrap the recursive function
2. Simplify
3. Replace occurrences of with to get
Fails if occurrences of remain in
Fusing reverse and append
Let’s run fusion on:

Fix-fix fusion
First type/usage of fusion is “fix-fix fusion” (my name): fusing the composition of two fixpoints, so will be a fixpoint/recursive function
So in we are fusing and
So is and is
we’ll call , so we are discovering

Fusing
1. Unwrap
2. Simplify
3. Replace with

Fusing
So we have discovered:
Big deal. This example is done in Wadler’s deforestation paper from 1990.
Let’s add some more uses of fusion… (the next stuff is mine.)
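The reverse/append fusion above, carried out as an added example (my code, not from the slides): the context is append (reverse xs) ys with reverse as the recursive function in the hole, the three steps are worked in the comments, and the name rev_app for the discovered function is my own.

```python
# Added example, not from the slides: fix-fix fusion of the context
# append (reverse xs) ys, with reverse as the recursive function in the hole.
from typing import Callable, List


def append(xs: List[int], ys: List[int]) -> List[int]:
    """append [] ys = ys ; append (x:xs) ys = x : append xs ys"""
    if not xs:
        return ys
    return [xs[0]] + append(xs[1:], ys)


def reverse(xs: List[int]) -> List[int]:
    """reverse [] = [] ; reverse (x:xs) = append (reverse xs) [x]  (quadratic)"""
    if not xs:
        return []
    return append(reverse(xs[1:]), [xs[0]])


def context(f: Callable[[List[int]], List[int]], xs: List[int], ys: List[int]) -> List[int]:
    """The context C[f] = \\xs ys. append (f xs) ys, whose hole holds a recursive f."""
    return append(f(xs), ys)


# The three fusion steps, carried out by hand on C[reverse]:
#   1. Unwrap:  append (reverse (x:xs')) ys  =  append (append (reverse xs') [x]) ys
#   2. Simplify, using associativity of append (assumed available to the simplifier):
#                                           =  append (reverse xs') (x : ys)
#   3. Replace each occurrence of the context, append (reverse xs') ys', by a call to
#      the new function rev_app xs' ys'.  No occurrence of reverse remains, so fusion
#      succeeds, and the discovered function is the accumulating reverse below.
def rev_app(xs: List[int], ys: List[int]) -> List[int]:
    """rev_app [] ys = ys ; rev_app (x:xs) ys = rev_app xs (x:ys)  (linear)"""
    if not xs:
        return ys
    return rev_app(xs[1:], [xs[0]] + ys)


def fusion_is_sound(xs: List[int], ys: List[int]) -> bool:
    """Check on concrete input that the fused function agrees with the original context."""
    return context(reverse, xs, ys) == rev_app(xs, ys)


if __name__ == "__main__":
    # Constructed sample inputs.
    for xs, ys in ([], []), ([1], [2]), ([1, 2, 3], [4, 5]):
        print(xs, ys, rev_app(xs, ys), fusion_is_sound(xs, ys))
```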
Fixpoint fission
This next technique is “fixpoint fission”; it is the reverse of fusion:
Fusion starts with and and derives
Fission starts with and and derives

Fixpoint fission
Backwards three steps of fusion:
1. Start with and replace with
2. Simplify
3. Drop to get
Fails if not of the form for some
Fissioning
Earlier we fused
Using simple code analysis we can conjecture that for some

Fissioning
We can use “constructor fission” on where and
1. Start with
… and replace with , i.e.

Fissioning
1. Start with and replace with
2. Simplify
3. Drop to get

Fissioning
We fissioned from
which is -equivalent to so we have found:
Woo, lemma discovery using simplification
Fusing
With the sub-simplification:
We can use fix-fix fusion on:
This is a fixpoint fission step where , which I don’t have time to explain
What about implication?
So far we have seen simplifications equivalent to equational lemma discovery.
Some lemmas feature implication, e.g.
how do we reason like this within simplification?

What about implication?
My interpretation of is:
If we are down a branch where is pattern matched to
then

Definition of

What about implication?
We want:
Since we have an inner recursive function () and an outer context (the pattern match)
we can use fusion!

What about implication?
We want:
First we express the pattern match at the location of the recursive function:
Now we can run fusion on

What about implication?
Now we can run fusion on
where and
What about implication?
1. Unwrap
2. Simplify
$\lambda x.\,\lambda y.\ \mathbf{case}\ y \le x\ \mathbf{of}\ \mathrm{True} \to \bot \mid \mathrm{False} \to x \le y$
3. Replace occurrences of with

What about implication?
We have fused with yielding:
which simplifies to just:
Recap of match-fix fusion
We had:
We expressed where was:
We ran fusion:
I call this match-fix fusion

Match-fix fusion
But what about properties with multiple antecedents?
This corresponds to multiple pattern matches:
We could run one big fusion step…

Match-fix fusion
We could run one big fusion step:
But there is no need, we can fuse each match in one by one:

Match-fix fusion
We can always fuse matches in one by one with no loss of simplifiability (proven)
Consider:
Certain definitions of here will block induction, hence ACL2 has heuristics for dropping antecedents
Fusion of just fails and we move on
no heuristics needed!
Compositionality of fusion
Fusion is a compositional approach: each step can be run one by one, e.g.
Fusion doesn’t require search
Simplifications are fully automatic.
If they happen in isolation, they’ll happen in a larger proof/simplification.
If a proof needs
we don’t need to provide the lemma
we don’t need rules to guide rewriting (like rippling).

So far…
Fix-fix fusion, constructor fission and match-fix fusion can solve almost all of the properties I tested Zeno on.
Notably
All of the above has been implemented.
Now I will demonstrate the next phase of my work, which simplifies
Verifying
Proving requires the lemma:
This lemma is not a generalisation of a sub-goal (sorry ACL2). This lemma contains functions
which are not in the original definition (sorry HipSpec).

Verifying
We start with:
Mathematically impossible to fuse with

Verifying
We start with:
Let’s fuse with

Verifying
1. Unwrap
2. Simplify
3. No instances of to replace

Verifying
The problem is we have:
And we want:
We need to discover the definition of .
So we can rewrite
Fold-fix fission
We have
First the algorithm will fix-fix fuse
into some new function

Fold-fix fission
Now we want
This is just fission!
But this time instead of knowing and , and discovering
we know and , and must discover

Discovering
The trick is to assume is a fold function
A fold function over two booleans is two nested pattern matches
So we assume, for some , , , and

Discovering
Give us:
when when when when
and $F\,x\,(b_1, b_2) = \mathbf{case}\ b_1\ \mathbf{of}\ \mathrm{True} \to (\mathbf{case}\ b_2\ \mathbf{of}\ \mathrm{True} \to E_1 \mid \mathrm{False} \to E_2) \mid \mathrm{False} \to (\mathbf{case}\ b_2\ \mathbf{of}\ \mathrm{True} \to E_3 \mid \mathrm{False} \to E_4)$
Discovering
$F\,x\,(b_1, b_2) = \mathbf{case}\ b_1\ \mathbf{of}\ \mathrm{True} \to (\mathbf{case}\ b_2\ \mathbf{of}\ \mathrm{True} \to \mathit{last}\ xs \le x \wedge x \le \mathit{head}\ ys \mid \mathrm{False} \to \mathrm{False}) \mid \mathrm{False} \to (\mathbf{case}\ b_2\ \mathbf{of}\ \mathrm{True} \to \mathrm{False} \mid \mathrm{False} \to \mathrm{False})$
Discovering
We have discovered
Hence
Back to
1. Unwrap
2. Simplify
Use fold-fission on

Back to
2. … use fold-fission on
3. Replace with

Back to
Put the definition of back in (remember is the uninterpreted form of ):

Back to
Fix-fix fusion will fuse

If we recall our lemma…
This is the definition we get from fusing !
Verifying

Fold-fix fission
I demonstrated fold-fix fission over a non-recursive datatype ()
But it generalises to recursive datatypes too!
I didn’t use the fission process much with it; it becomes necessary for recursive datatypes
No time to explain though
Conclusion
• Fix-fix fusion and constructor fission will do automated inductive proof for equational properties.
• Match-fix fusion will do automated inductive proof for implication properties.
• Fusion is compositional and requires no search space.
• Fold-fix fission is awesome.

Future work
• Finish implementation
• Proofs of completeness w.r.t. proof by induction
• Dependently typed fusion