from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · from z3 to lean,...
TRANSCRIPT
![Page 1: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/1.jpg)
From Z3 to Lean, Efficient VerificationTuring Gateway to Mathematics, 19 July 2017
Leonardo de Moura, Microsoft Research
![Page 2: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/2.jpg)
Joint work with Nikolaj Bjorner and Christoph Wintersteiger
![Page 3: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/3.jpg)
Satisfiability
unsat, Proof
Is execution path P feasible? Is assertion X violated?
SAGE
Is Formula F Satisfiable?
Solution/Model
![Page 4: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/4.jpg)
Symbolic Reasoning Engine
Test Case Generation Verifying Compilers
Model Based TestingInvariant Generation
Type Checking Model Checking
![Page 5: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/5.jpg)
Some Applications at Microsoft
HAVOCSAGE
Vigilante
![Page 6: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/6.jpg)
ImpactUsed by many research groups
Awards:
• “The most influential tool paper in the first 20 years of TACAS”(> 3500 citations) • Programming Languages Software Award from ACM SIGPLAN
Ships with many popular systems
• Isabelle, Pex, SAGE, SLAM/SDV, Visual Studio, …
Solved more than 5 billion constraints created by SAGE when checking Win8/Office
![Page 7: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/7.jpg)
Logic is “the calculus of computer science” (Z. Manna)
![Page 8: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/8.jpg)
Logic is “the calculus of computer science” (Z. Manna)
Yes, we cannot solve arbitrary problems from the “complexity ladder”, but …
![Page 9: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/9.jpg)
Logic is “the calculus of computer science” (Z. Manna)
We can try to solve the problems we find in real applications
![Page 10: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/10.jpg)
Security is critical
• Security bugs can be very expensive
• Cost of each MS security bulletin: $millions
• Cost due to worms: $billions
• Most security exploits are initiated via files or packets
• Ex: Internet browsers parse dozens of file formats
• Security testing: hunting million dollar bugs
![Page 11: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/11.jpg)
Directed Automated Random Testing
SAGE (one of the most successful Z3 applications) developed by Patrice Godefroid
![Page 12: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/12.jpg)
Software verification
• Specifications
• Methods contracts
• Invariants
• Field and type annotations
• Program logic: Dijkstra’s weakest precondition
• Verification condition generation
![Page 13: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/13.jpg)
Software verification & automated provers
• Easy to use for simple properties
• Main problems:
• Scalability issues
• Proof stability
• in many verification projects:
• Hyper-V
• Ironclad & Ironfleet (https://github.com/Microsoft/Ironclad)
• Everest (https://project-everest.github.io/)
![Page 14: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/14.jpg)
joint work with Jeremy Avigad, Mario Carneiro, Floris van Doorn, Gabriel Ebner, Johannes Hölzl, Rob Lewis, Jared Roesch, Daniel Selsam and Sebastian Ullrich
![Page 15: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/15.jpg)
Lean aims to bridge the gap between interactive and automated theorem proving
![Page 16: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/16.jpg)
Lean
• New open source theorem prover (and programming language)Soonho Kong and I started coding in the Fall of 2013
• Platform for
• Software verification
• Formalized Mathematics
• Domain specific languages
• de Bruijn’s principle: small trusted kernel
• Dependent Type Theory
• Partial constructions: automation fills the "holes"
![Page 17: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/17.jpg)
Inductive Families
![Page 18: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/18.jpg)
Recursive equations
![Page 19: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/19.jpg)
Proofs
![Page 20: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/20.jpg)
Metaprogramming
• Introduced in Lean 3 (mid 2016)
• Extend Lean using Lean
• Access Lean internals using Lean• Type inference• Unifier• Simplifier• Decision procedures• Type class resolution• …
• Proof/Program synthesis
![Page 21: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/21.jpg)
Metaprogramming
![Page 22: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/22.jpg)
Reflecting expressions
![Page 23: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/23.jpg)
• 2200 lines of code
Superposition prover
![Page 24: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/24.jpg)
dlist
![Page 25: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/25.jpg)
transfer tactic
• Developed by Johannes Hölzl (approx. 200 lines of code)
• Q
• We also use it to transfer results from nat to int.
![Page 26: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/26.jpg)
Lean to Z3
Lean
LOL
Z3
lemma n_gt_0(a : nat) : a >= 0 :=by z3
decl n : int {n >= 0}assert (not (n >= 0))
(declare-const n Int)(assert (>= n 0))(assert (not (>= n 0))
• Goal: translate a Lean local context, and goal into Z3 query.
• Recognize fragment and translate to low-order logic (LOL).
• Logic supports some higher order features, is successively lowered to FOL, finally Z3.
![Page 27: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/27.jpg)
simple expression language
![Page 28: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/28.jpg)
Writing your own search strategies
![Page 29: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/29.jpg)
simple expression language
![Page 30: from z3 to leanleanprover.github.io/talks/from_z3_to_lean.pdf · 2021. 2. 12. · From Z3 to Lean, Efficient Verification Turing Gateway to Mathematics, 19 July 2017 Leonardo de](https://reader036.vdocument.in/reader036/viewer/2022071413/610a5ede311a2b015138ad59/html5/thumbnails/30.jpg)
Conclusion
• SMT solvers (like Z3) are very successful in bug finding tools
• Scalability and proof stability issues
• Lean aims to bring the best of automated and interactive systems
• Users can create their on automation, extend and customize Lean
• Domain specific automation
• Internal data structures and procedures are exposed to users
• Whitebox automation