A Machine Checked Model of Idempotent MGU Axioms For a List of Equational Constraints

Authors: Sunil Kothari and Prof. James Caldwell
Department of Computer Science, University of Wyoming, USA
Presented by Prof. Ruben Gamboa

24th International Workshop on Unification

Outline

1. Overview: Machine Checked Correctness Proofs of Type Inference Algorithms
2. Introduction: Coq; Substitutions as Finite Maps in Coq
3. Proof of Idempotent MGU axioms: Functional Induction; Axiom v; Axiom vi; Axiom vii
4. Conclusions

(U. of Wyoming)

A Machine Checked Model of Idempotent MGU Axioms

UNIF’10

2 / 30


Type Inference Algorithms

Highlights
Type inference is an essential feature of many functional programming languages (ML, Haskell, OCaml, etc.).
Substitution-based algorithms interleave constraint generation and constraint solving.
Constraint-based algorithms have two distinct phases: constraint generation, then constraint solving.

Machine Checked Correctness Proofs

Some Examples
There are many machine-checked correctness proofs of Algorithm W (substitution-based) in Coq and Isabelle/HOL [DM99, NN99, NN96, UN09].
We want to machine-check the correctness proof of Wand's type inference algorithm [Wan87].
The POPLMark challenge [ABF+05] also aims at mechanizing the meta-theory of programming languages.

Machine Checked Correctness Proofs

Modeling MGU
In machine-checked correctness proofs, the most general unifier (MGU) is modeled as a set of four axioms (soundness, generality, no fresh variables, completeness):

(i)   $\mathit{mgu}\ \rho\ (\tau_1 \stackrel{c}{=} \tau_2) \Rightarrow \rho \models (\tau_1 \stackrel{c}{=} \tau_2)$
(ii)  $\mathit{mgu}\ \rho\ (\tau_1 \stackrel{c}{=} \tau_2) \wedge \rho' \models (\tau_1 \stackrel{c}{=} \tau_2) \Rightarrow \exists \rho''.\ \rho' \approx \rho \circ \rho''$
(iii) $\mathit{mgu}\ \rho\ (\tau_1 \stackrel{c}{=} \tau_2) \Rightarrow \mathit{FTV}(\rho) \subseteq \mathit{FTV}(\tau_1 \stackrel{c}{=} \tau_2)$
(iv)  $\rho \models (\tau_1 \stackrel{c}{=} \tau_2) \Rightarrow \exists \rho'.\ \mathit{mgu}\ \rho'\ (\tau_1 \stackrel{c}{=} \tau_2)$

Notations used
$\rho \models (\tau_1 \stackrel{c}{=} \tau_2) \stackrel{\mathit{def}}{=} \rho(\tau_1) = \rho(\tau_2)$
$\rho \approx \rho' \stackrel{\mathit{def}}{=} \forall \alpha : \mathit{TyVar}.\ \rho(\alpha) = \rho'(\alpha)$

Modeling MGU

Axioms Generalized To a List of Constraints

(i)   $\mathit{mgu}\ \rho\ C \Rightarrow \rho \models C$
(ii)  $\mathit{mgu}\ \rho\ C \wedge \rho' \models C \Rightarrow \exists \rho''.\ \rho' \approx \rho \circ \rho''$
(iii) $\mathit{mgu}\ \rho\ C \Rightarrow \mathit{FTV}(\rho) \subseteq \mathit{FTV}(C)$
(iv)  $\rho \models C \Rightarrow \exists \rho'.\ \mathit{mgu}\ \rho'\ C$

Notations used
$\rho \models C \stackrel{\mathit{def}}{=} \forall (\tau_1 \stackrel{c}{=} \tau_2) \in C.\ \rho(\tau_1) = \rho(\tau_2)$

Modeling Idempotent MGU

Extending the MGU Axiom Set
In machine checking the correctness of Wand's algorithm, we needed more axioms:

An axiom to characterize idempotency (the domain and range variables of $\rho$ are disjoint, so applying $\rho$ a second time changes nothing):
(v)   $\mathit{mgu}\ \rho\ C \Rightarrow \rho \circ \rho \approx \rho$

Two axioms to combine (idempotent) MGUs of two sub-lists:
(vi)  $\mathit{mgu}\ \rho\ [\,] \Rightarrow \rho = \mathit{Id}$
(vii) $\mathit{mgu}\ \rho'\ C' \wedge \mathit{mgu}\ \rho''\ (\rho'(C'')) \wedge \mathit{mgu}\ \rho\ (C' \mathbin{++} C'') \Rightarrow \rho \approx \rho' \circ \rho''$

Idempotent MGU Axioms

The Complete Picture

(i)   $\mathit{mgu}\ \rho\ C \Rightarrow \rho \models C$
(ii)  $\mathit{mgu}\ \rho\ C \wedge \rho' \models C \Rightarrow \exists \rho''.\ \rho' \approx \rho \circ \rho''$
(iii) $\mathit{mgu}\ \rho\ C \Rightarrow \mathit{FTV}(\rho) \subseteq \mathit{FTV}(C)$
(iv)  $\rho \models C \Rightarrow \exists \rho'.\ \mathit{mgu}\ \rho'\ C$
(v)   $\mathit{mgu}\ \rho\ C \Rightarrow \rho \circ \rho \approx \rho$
(vi)  $\mathit{mgu}\ \rho\ [\,] \Rightarrow \rho = \mathit{Id}$
(vii) $\mathit{mgu}\ \rho'\ C' \wedge \mathit{mgu}\ \rho''\ (\rho'(C'')) \wedge \mathit{mgu}\ \rho\ (C' \mathbin{++} C'') \Rightarrow \rho \approx \rho' \circ \rho''$

Idempotent MGU Axioms

A Model
The axioms are modeled by the concrete unification function $\mathit{unify}$ of the formalization; the slide's table records which of them had been checked at UNIF'09 and which are checked today.

(i)   $\mathit{unify}\ C = \sigma \Rightarrow \sigma \models C$
(ii)  $(\mathit{unify}\ C = \sigma \wedge \sigma' \models C) \Rightarrow \exists \sigma''.\ \sigma' \approx \sigma \circ \sigma''$
(iii) $\mathit{unify}\ C = \sigma \Rightarrow \mathit{FTV}(\sigma) \subseteq \mathit{FTV}(C)$
(iv)  $\sigma \models C \Rightarrow \exists \sigma'.\ \mathit{unify}\ C = \sigma'$
(v)   $\mathit{unify}\ C = \sigma \Rightarrow \sigma \circ \sigma \approx \sigma$
(vi)  $\mathit{unify}\ [\,] = \sigma \Rightarrow \sigma = \sigma_E$
(vii) $(\mathit{unify}\ C' = \sigma' \wedge \mathit{unify}\ (\sigma'(C'')) = \sigma'' \wedge \mathit{unify}\ (C' \mathbin{++} C'') = \sigma) \Rightarrow \sigma \approx \sigma' \circ \sigma''$


Coq

Overview of Coq
Based on the Calculus of Constructions: System F (the polymorphic lambda calculus) extended with dependent types.
Support for inductive datatypes.
A large collection of libraries.

Syntax

Type Terms
$\tau ::= \alpha \mid \tau' \to \tau''$
Atomic types (type variables) are denoted by $\alpha, \beta, \alpha'$; compound types by $\tau, \tau_1$, etc.

Constraints
A constraint is of the form $\tau \stackrel{c}{=} \tau'$, where $\tau$ and $\tau'$ are type terms.

Substitutions as Finite Maps in Coq

Representing Substitutions
We represent a substitution as a finite function (finite map), denoted by $\sigma, \sigma', \sigma_1$, etc. The empty finite map is denoted by $\sigma_E$. Small finite maps are written in the usual set (enumerative) notation, for example $\{\alpha_1 \mapsto \tau_1, \alpha_2 \mapsto \tau_2\}$.

We used Coq's finite maps library Coq.FSets.FMapInterface. Our formalization is not tied to any particular implementation of finite maps: it relies only on the axiomatic presentation of finite maps given by the interface.

Substitutions as Finite Maps in Coq

Extensional equality
Substitutions are equal if they behave the same on all type variables.
$\sigma \approx \sigma' \stackrel{\mathit{def}}{=} \forall \alpha.\ \sigma(\alpha) = \sigma'(\alpha)$

Lemma 1
$\forall \sigma.\ \forall \sigma'.\ (\forall \alpha.\ \sigma(\alpha) = \sigma'(\alpha)) \Leftrightarrow (\forall \tau.\ \sigma(\tau) = \sigma'(\tau))$

Substitution Related Concepts

Definitions
Substitution application to a type:
$\sigma(\alpha) \stackrel{\mathit{def}}{=} \tau$ if $\langle \alpha, \tau \rangle \in \sigma$, and $\alpha$ otherwise
$\sigma(\tau_1 \to \tau_2) \stackrel{\mathit{def}}{=} \sigma(\tau_1) \to \sigma(\tau_2)$

Substitution application to a constraint:
$\sigma(\tau_1 \stackrel{c}{=} \tau_2) \stackrel{\mathit{def}}{=} \sigma(\tau_1) \stackrel{c}{=} \sigma(\tau_2)$

Substitution Related Concepts

Composition of Substitutions
We use the following theorem on substitution composition in our proofs; note the order: $\sigma \circ \sigma'$ applies $\sigma$ first and $\sigma'$ afterwards.

Theorem 2 (Composition apply)
$\forall \sigma, \sigma'.\ \forall \tau.\ (\sigma \circ \sigma')(\tau) = \sigma'(\sigma(\tau))$

Some Definitions

Free Type Variables
Types:
$\mathit{FTV}(\alpha) \stackrel{\mathit{def}}{=} [\alpha]$
$\mathit{FTV}(\tau \to \tau') \stackrel{\mathit{def}}{=} \mathit{FTV}(\tau) \mathbin{++} \mathit{FTV}(\tau')$

Constraint list:
$\mathit{FTV}([\,]) \stackrel{\mathit{def}}{=} [\,]$
$\mathit{FTV}((\tau_1 \stackrel{c}{=} \tau_2) :: C) \stackrel{\mathit{def}}{=} \mathit{FTV}(\tau_1) \mathbin{++} \mathit{FTV}(\tau_2) \mathbin{++} \mathit{FTV}(C)$

Substitution:
$\mathit{FTV}(\sigma) \stackrel{\mathit{def}}{=} \mathit{dom}(\sigma) \mathbin{++} \mathit{FTV}(\mathit{range}(\sigma))$

First-Order Unification

$\mathit{unify}\ [\,] \stackrel{\mathit{def}}{=} \mathit{Id}$
$\mathit{unify}\ ((\alpha \stackrel{c}{=} \alpha) :: C) \stackrel{\mathit{def}}{=} \mathit{unify}\ C$
$\mathit{unify}\ ((\alpha \stackrel{c}{=} \beta) :: C) \stackrel{\mathit{def}}{=} \{\alpha \mapsto \beta\} \circ \mathit{unify}\ (\{\alpha \mapsto \beta\} C)$
$\mathit{unify}\ ((\alpha \stackrel{c}{=} \tau) :: C) \stackrel{\mathit{def}}{=} \text{if } \alpha \text{ occurs in } \tau \text{ then Fail else } \{\alpha \mapsto \tau\} \circ \mathit{unify}\ (\{\alpha \mapsto \tau\} C)$
$\mathit{unify}\ ((\tau \stackrel{c}{=} \alpha) :: C) \stackrel{\mathit{def}}{=} \text{if } \alpha \text{ occurs in } \tau \text{ then Fail else } \{\alpha \mapsto \tau\} \circ \mathit{unify}\ (\{\alpha \mapsto \tau\} C)$
$\mathit{unify}\ ((\tau_1 \to \tau_2 \stackrel{c}{=} \tau_3 \to \tau_4) :: C) \stackrel{\mathit{def}}{=} \mathit{unify}\ ((\tau_1 \stackrel{c}{=} \tau_3) :: (\tau_2 \stackrel{c}{=} \tau_4) :: C)$

Here $\mathit{Id}$ is the empty map $\sigma_E$, and the cases are read in order as pattern-matching clauses, so in the two occurs-check cases $\tau$ is a compound type. Note the composition order: by Theorem 2, $(\{\alpha \mapsto \tau\} \circ \sigma)(\tau') = \sigma(\{\alpha \mapsto \tau\}(\tau'))$, so the binding for $\alpha$ is applied first and the unifier of the remaining, instantiated constraints afterwards.
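The unify function above, together with the substitution operations of the preceding slides (application, composition in the order of Theorem 2, FTV) and concrete checks of axioms (i), (iii), (v), (vi) and (vii) on constructed constraint lists, as an added worked example in Python. It is not part of the original slides or of the authors' Coq development; all function names, the encoding of types as strings and ("->", t1, t2) tuples, the use of Python dicts in place of the finite maps, None for Fail, and the sample constraint lists are this example's own. The last check also shows why axiom (vii) instantiates the second list with σ' before unifying it: composing unify C' with a unifier of C'' computed without first applying σ' does not in general give the unifier of C' ++ C''.

```python
# Slide-17 unification over a constraint list, with the substitution
# operations used to state the MGU axioms. Example code, not the authors' Coq.
# Types: a variable is a str, an arrow type is ("->", t1, t2).
# A substitution is a dict {var: type} (stands in for the finite map);
# a constraint list is a list of (t1, t2) pairs; Fail is None.


def arrow(t1, t2):
    return ("->", t1, t2)


def apply_type(s, t):
    """sigma(tau): look variables up (identity if unbound), push under arrows."""
    if isinstance(t, str):
        return s.get(t, t)
    return arrow(apply_type(s, t[1]), apply_type(s, t[2]))


def apply_constraints(s, C):
    """sigma(C): apply sigma to both sides of every constraint."""
    return [(apply_type(s, a), apply_type(s, b)) for a, b in C]


def compose(s1, s2):
    """(s1 o s2)(tau) = s2(s1(tau)), the order of Theorem 2: s1 first, then s2."""
    out = {v: apply_type(s2, t) for v, t in s1.items()}
    for v, t in s2.items():
        out.setdefault(v, t)  # variables untouched by s1 fall through to s2
    return out


def ftv_type(t):
    """FTV of a type as a list, mirroring the slides' use of ++."""
    return [t] if isinstance(t, str) else ftv_type(t[1]) + ftv_type(t[2])


def ftv_constraints(C):
    return [v for a, b in C for v in ftv_type(a) + ftv_type(b)]


def ftv_subst(s):
    """FTV(sigma) = dom(sigma) ++ FTV(range(sigma))."""
    return list(s) + [v for t in s.values() for v in ftv_type(t)]


def unify(C):
    """The unify function of the slide, case by case; None models Fail."""
    if not C:
        return {}  # unify [] = Id, the empty map sigma_E
    (t1, t2), rest = C[0], C[1:]
    if isinstance(t1, str) and isinstance(t2, str) and t1 == t2:
        return unify(rest)  # (alpha =c alpha) :: C
    if isinstance(t1, str) or isinstance(t2, str):
        # (alpha =c tau) :: C or (tau =c alpha) :: C; with tau a variable beta
        # this is the alpha =c beta case, where the occurs check cannot fire
        a, t = (t1, t2) if isinstance(t1, str) else (t2, t1)
        if a in ftv_type(t):
            return None  # occurs check: Fail
        s = {a: t}
        r = unify(apply_constraints(s, rest))
        return None if r is None else compose(s, r)
    # (t1 -> t2 =c t3 -> t4) :: C: decompose the arrows
    return unify([(t1[1], t2[1]), (t1[2], t2[2])] + rest)


def ext_equal(s1, s2):
    """sigma ~ sigma': equal on every type variable; outside both domains
    both maps are the identity, so the union of the domains suffices."""
    return all(apply_type(s1, v) == apply_type(s2, v) for v in set(s1) | set(s2))


def satisfies(s, C):
    """sigma |= C: sigma(t1) = sigma(t2) for each constraint."""
    return all(apply_type(s, a) == apply_type(s, b) for a, b in C)


def check_axioms(C):
    """Axioms (i), (iii), (v) for sigma = unify C; C must be unifiable."""
    s = unify(C)
    if s is None:
        raise ValueError("constraint list is not unifiable")
    return {"i": satisfies(s, C),
            "iii": set(ftv_subst(s)) <= set(ftv_constraints(C)),
            "v": ext_equal(compose(s, s), s)}


def check_axiom_vii(C1, C2):
    """Returns (axiom vii holds, naive variant holds). The naive variant
    composes unify C1 with unify C2 without first instantiating C2 by s1."""
    s1 = unify(C1)
    s2 = unify(apply_constraints(s1, C2))
    s = unify(C1 + C2)
    return ext_equal(s, compose(s1, s2)), ext_equal(s, compose(s1, unify(C2)))


# Constructed sample input: exercises every case of unify.
SAMPLE_C = [("a", "a"), ("a", arrow("b", "c")),
            (arrow("b", "c"), arrow("d", "d")), ("e", "b")]
```

On SAMPLE_C the function returns the idempotent map {a ↦ d → d, b ↦ d, c ↦ d, e ↦ d}; check_axiom_vii([(a, b)], [(a, c)]) returns (True, False), since unify of the concatenation is {a ↦ c, b ↦ c} while the naive composition {a ↦ b} ∘ {a ↦ c} leaves b unbound. The composition order in compose is the one fixed by Theorem 2; reversing it would make the occurs-check cases of unify return substitutions that no longer satisfy axiom (i).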


Functional Induction in Coq

Functional induction is a technique for reasoning about functional (general recursive) definitions in Coq [BC02].
For general recursive functions, the user must prove termination before the function is admitted.
On admission, the functional induction tactic supports a symbolic unfolding of the definition, adding an induction hypothesis for each recursive call.
This is similar to the induction process defined by Boyer and Moore [BM88].
It is the important first step in the proofs of the axioms.

Supporting Lemmas for Axiom v

Lemma 3
$\forall \sigma.\ \forall \alpha.\ \forall \tau.\ \alpha \notin \mathit{FTV}(\tau) \wedge \alpha \notin \mathit{FTV}(\sigma) \Rightarrow \alpha \notin \mathit{FTV}(\sigma(\tau))$
Proof. By induction on the structure of the type $\tau$.

Lemma 4
$\forall \alpha.\ \forall \tau, \tau'.\ \alpha \notin \mathit{FTV}(\tau) \Rightarrow \{\alpha \mapsto \tau'\}(\tau) = \tau$
Proof. By induction on the structure of the type $\tau$.

Axiom v ... Contd

Lemma 5
$\forall \alpha.\ \forall \tau.\ \forall C.\ \alpha \notin \mathit{FTV}(\tau) \Rightarrow \alpha \notin \mathit{FTV}(\{\alpha \mapsto \tau\}(C))$
Proof. By induction on the constraint list $C$.

Theorem 6
$\forall C.\ \forall \sigma.\ \mathit{unify}\ C = \sigma \Rightarrow \forall \alpha.\ (\sigma \circ \sigma)(\alpha) = \sigma(\alpha)$
Proof. By functional induction on $\mathit{unify}\ C$. There are 11 main cases. The proof follows from the induction hypotheses and from Lemma 1, Theorem 2, Lemma 3, Lemma 4 and Lemma 5.

Axiom vi

Theorem 7
$\forall \sigma.\ \mathit{unify}\ [\,] = \sigma \Rightarrow \sigma = \sigma_E$
Proof. Choose an arbitrary $\sigma$. Assume $\mathit{unify}\ [\,] = \sigma$. Unfolding the definition of $\mathit{unify}$ gives $\sigma = \sigma_E$.

Supporting Lemmas For Axiom vii

Lemma 8
$\forall C.\ \forall \sigma.\ \forall \alpha.\ \forall \tau.\ \sigma(\{\alpha \mapsto \tau\}(C)) = (\{\alpha \mapsto \tau\} \circ \sigma)(C)$
Proof. By induction on the constraint list $C$.

Lemma 9
$\forall C, C'.\ \forall \alpha.\ \forall \tau.\ \{\alpha \mapsto \tau\}(C) \mathbin{++} \{\alpha \mapsto \tau\}(C') = \{\alpha \mapsto \tau\}(C \mathbin{++} C')$
Proof. By induction on the constraint list $C$.

Axiom vii

Theorem 10
$\forall C, C'.\ \forall \sigma, \sigma', \sigma''.\ (\mathit{unify}\ C = \sigma' \wedge \mathit{unify}\ (\sigma'(C')) = \sigma'' \wedge \mathit{unify}\ (C \mathbin{++} C') = \sigma) \Rightarrow \forall \beta'.\ \sigma(\beta') = (\sigma' \circ \sigma'')(\beta')$
Proof. By functional induction on $\mathit{unify}\ C$. This leads to 11 cases. The proof follows from the induction hypotheses and from Lemma 1, Theorem 2, Lemma 8 and Lemma 9.


Conclusions

Functional induction, considered an experimental technique until last year, was very useful in our proofs.
Many of the proofs of the MGU axioms have a very similar structure.
The theorem prover really helps in managing the large number of cases involved in the proofs.
The proof script for all the axioms mentioned in the paper is available online at http://www.cs.uwyo.edu/~skothari.

Thank you!!!!!


Axiom v ... Contd

Theorem 11
$\forall C.\ \forall \sigma.\ \mathit{unify}\ C = \sigma \Rightarrow \forall \alpha.\ (\sigma \circ \sigma)(\alpha) = \sigma(\alpha)$
Proof. Choose an arbitrary $C$. By Theorem 2, we must show: $\forall \sigma.\ \mathit{unify}\ C = \sigma \Rightarrow \forall \alpha.\ \sigma(\sigma(\alpha)) = \sigma(\alpha)$. By functional induction on $\mathit{unify}\ C$, we have two main cases:
Case $C = [\,]$. This case follows since $\forall \alpha.\ \sigma_E(\alpha) = \alpha$.
Case $C \neq [\,]$. Continued on the next slide.

Axiom v

Proof (continued).
Case $C = [\,]$.
Case $C \neq [\,]$. We have the following sub cases depending on the head of the constraint list:
1. Case $(\alpha \stackrel{c}{=} \alpha) :: C$. Apply the induction hypothesis; then this case is trivial.
2. Case $(\alpha \stackrel{c}{=} \beta) :: C$. Similar to the case below.
3. Case $(\alpha \stackrel{c}{=} \tau_1 \to \tau_2) :: C$ and $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$. Next slide.
4. Case $(\tau_1 \to \tau_2 \stackrel{c}{=} \alpha) :: C$ and $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$. Same as above.
5. Case $(\tau_1 \to \tau_2 \stackrel{c}{=} \tau_3 \to \tau_4) :: C$. Apply the induction hypothesis; then this case is trivial.

Axiom v ... Contd

1. Case $(\alpha \stackrel{c}{=} \tau_1 \to \tau_2) :: C$ and $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$.
We know $\mathit{unify}\ (\{\alpha \mapsto \tau_1 \to \tau_2\}(C)) = \sigma'$, and the induction hypothesis reads:
$\forall \sigma'.\ \mathit{unify}\ (\{\alpha \mapsto \tau_1 \to \tau_2\}(C)) = \sigma' \Rightarrow \forall \alpha'.\ \sigma'(\alpha') = \sigma'(\sigma'(\alpha'))$
Writing $\sigma$ for the unifier returned by the recursive call, so that the result of $\mathit{unify}$ on the whole list is $\{\alpha \mapsto \tau_1 \to \tau_2\} \circ \sigma$, we must show
$\sigma(\{\alpha \mapsto \tau_1 \to \tau_2\}(\alpha'')) = \sigma(\{\alpha \mapsto \tau_1 \to \tau_2\}(\sigma(\{\alpha \mapsto \tau_1 \to \tau_2\}(\alpha''))))$.
There are two cases:
1. Case $\alpha = \alpha''$. Then we must show $\sigma(\tau_1 \to \tau_2) = \sigma(\{\alpha \mapsto \tau_1 \to \tau_2\}(\sigma(\tau_1 \to \tau_2)))$. From Lemma 5 and Axiom iii we know that $\alpha \notin \mathit{FTV}(\sigma)$. Since $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$ and $\alpha \notin \mathit{FTV}(\sigma)$, by Lemma 3 $\alpha \notin \mathit{FTV}(\sigma(\tau_1 \to \tau_2))$. By Lemma 4, taking $\tau'$ to be $\tau_1 \to \tau_2$, we get $\sigma(\tau_1 \to \tau_2) = \{\alpha \mapsto \tau_1 \to \tau_2\}(\sigma(\tau_1 \to \tau_2))$. So now we must show $\sigma(\tau_1 \to \tau_2) = \sigma(\sigma(\tau_1 \to \tau_2))$. By Lemma 1, it suffices to show $\forall \beta.\ \sigma(\beta) = \sigma(\sigma(\beta))$. Choose an arbitrary $\beta$ and show $\sigma(\beta) = \sigma(\sigma(\beta))$; this follows from the induction hypothesis by choosing $\sigma'$ to be $\sigma$ and $\alpha'$ to be $\beta$.
2. Case $\alpha \neq \alpha''$.

Axiom vii ... Contd.

Proof (continued).
Case $C = [\,]$.
Case $C \neq [\,]$. We have the following sub cases depending on the head of the constraint list:
1. Case $(\alpha \stackrel{c}{=} \alpha) :: C$. Apply the induction hypothesis; then this case is trivial.
2. Case $(\alpha \stackrel{c}{=} \beta) :: C$. Similar to the case below.
3. Case $(\alpha \stackrel{c}{=} \tau_1 \to \tau_2) :: C$ and $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$. Next slide.
4. Case $(\tau_1 \to \tau_2 \stackrel{c}{=} \alpha) :: C$ and $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$. Same as above.
5. Case $(\tau_1 \to \tau_2 \stackrel{c}{=} \tau_3 \to \tau_4) :: C$. Apply the induction hypothesis; then this case is trivial.

Axiom vii ... Contd.

1. Case $(\alpha \stackrel{c}{=} \tau_1 \to \tau_2) :: C$ and $\alpha \notin \mathit{FTV}(\tau_1 \to \tau_2)$.
Assume $\mathit{unify}(\{\alpha \mapsto \tau_1 \to \tau_2\}(C)) = \sigma'$, $\mathit{unify}((\{\alpha \mapsto \tau_1 \to \tau_2\} \circ \sigma')(C')) = \sigma''$ and $\mathit{unify}(((\alpha \stackrel{c}{=} \tau_1 \to \tau_2) :: C) \mathbin{++} C') = \sigma$. Since $(c :: C) \mathbin{++} C' = c :: (C \mathbin{++} C')$ by the definition of $\mathbin{++}$, the last assumption is $\mathit{unify}((\alpha \stackrel{c}{=} \tau_1 \to \tau_2) :: (C \mathbin{++} C')) = \sigma$. Unfolding the $\mathit{unify}$ definition once, assume $\mathit{unify}(\{\alpha \mapsto \tau_1 \to \tau_2\}(C \mathbin{++} C')) = \sigma_T$. Then $\sigma = \{\alpha \mapsto \tau_1 \to \tau_2\} \circ \sigma_T$. We must show
$(\{\alpha \mapsto \tau_1 \to \tau_2\} \circ \sigma_T)(\beta') = \sigma''(\sigma'(\{\alpha \mapsto \tau_1 \to \tau_2\}(\beta')))$.
By Theorem 2, this is $\sigma_T(\{\alpha \mapsto \tau_1 \to \tau_2\}(\beta')) = \sigma''(\sigma'(\{\alpha \mapsto \tau_1 \to \tau_2\}(\beta')))$. We have two cases:
1. Case $\alpha = \beta'$. The induction hypothesis is:
$\forall C_1.\ \forall \sigma_1, \sigma_2, \sigma_3.\ (\mathit{unify}(\{\alpha \mapsto \tau_1 \to \tau_2\}(C)) = \sigma_1 \wedge \mathit{unify}(\sigma_1(C_1)) = \sigma_2 \wedge \mathit{unify}(\{\alpha \mapsto \tau_1 \to \tau_2\}(C \mathbin{++} C_1)) = \sigma_3) \Rightarrow \forall \beta''.\ \sigma_3(\beta'') = \sigma_2(\sigma_1(\beta''))$
Then we must show $\sigma_T(\tau_1 \to \tau_2) = \sigma''(\sigma'(\tau_1 \to \tau_2))$. By Lemma 1, it suffices to show $\forall \gamma.\ \sigma_T(\gamma) = \sigma''(\sigma'(\gamma))$. Choose an arbitrary $\gamma$; then $\sigma_T(\gamma) = \sigma''(\sigma'(\gamma))$ follows from the induction hypothesis, Lemma 8, Lemma 9 and the assumptions.
2. Case $\alpha \neq \beta'$. Similar to the case above.

References

[ABF+05] Brian E. Aydemir, Aaron Bohannon, Matthew Fairbairn, J. Nathan Foster, Benjamin C. Pierce, Peter Sewell, Dimitrios Vytiniotis, Geoffrey Washburn, Stephanie Weirich, and Steve Zdancewic. Mechanized metatheory for the masses: The POPLmark challenge. In Joe Hurd and Tom Melham, editors, Theorem Proving in Higher Order Logics: 18th International Conference, volume 3603 of Lecture Notes in Computer Science, pages 50–65. Springer, 2005.
[BC02] Gilles Barthe and Pierre Courtieu. Efficient reasoning about executable specifications in Coq. In TPHOLs '02: Proceedings of the 15th International Conference on Theorem Proving in Higher Order Logics, pages 31–46, London, UK, 2002. Springer-Verlag.
[BM88] Robert S. Boyer and J. Strother Moore. A Computational Logic Handbook. Academic Press Professional, Inc., San Diego, CA, USA, 1988.
[DM99] Catherine Dubois and Valérie Ménissier-Morain. Certification of a type inference tool for ML: Damas–Milner within Coq. Journal of Automated Reasoning, 23(3):319–346, 1999.
[NN96] Dieter Nazareth and Tobias Nipkow. Formal verification of Algorithm W: The monomorphic case. In Theorem Proving in Higher Order Logics, volume 1125, pages 331–345. Springer Berlin / Heidelberg, 1996.
[NN99] Wolfgang Naraschewski and Tobias Nipkow. Type inference verified: Algorithm W in Isabelle/HOL. Journal of Automated Reasoning, 23(3-4):299–318, 1999.
[UN09] Christian Urban and Tobias Nipkow. Nominal verification of algorithm W. In From Semantics to Computer Science. Cambridge University Press, 2009.
[Wan87] Mitchell Wand. A simple algorithm and proof for type inference. Fundamenta Informaticae, 10:115–122, 1987.