SLIDE 1
The Role of Human Creativity in Mechanized Verification
J Strother Moore Department of Computer Science University of Texas at Austin
1
2
The Role of Human Creativity in Mechanized Verification J Strother - - PowerPoint PPT Presentation
The Role of Human Creativity in Mechanized Verification J Strother - - PowerPoint PPT Presentation
The Role of Human Creativity in Mechanized Verification J Strother Moore Department of Computer Science University of Texas at Austin 1 2 Delusion Mouse Trap (1876) 3 Royal Number 1 Trap (1879) 4 Hotchkiss 5-hole Choker (1890?) 5 US
SLIDE 2
SLIDE 3
Delusion Mouse Trap (1876)
3
SLIDE 4
Royal Number 1 Trap (1879)
4
SLIDE 5
Hotchkiss 5-hole Choker (1890?)
5
SLIDE 6
US Patent Office has issued 4,400 patents for mousetraps since opening in 1838. The Patent Office has 39 official categories
- f mousetraps, including choking,
squeezing, impaling, trapping, killer bar, explosive, shock, etc. (Aside: If you’re into this sort of thing, see the Bunny Suicides books by Andy Riley.)
6
SLIDE 7
7
SLIDE 8
8
SLIDE 9
9
SLIDE 10
10
SLIDE 11
11
SLIDE 12
12
SLIDE 13
Mathematicians Do It Too Virtually every textbook proof has been cleaned up, sometimes to the point where the original proof (or even the original theorem) is completely absent.
13
SLIDE 14
Probably every theorem of analysis proved in the 17th and 18th centuries was proved again more cleanly and rigorously in the 19th century using the “epsilon-delta” approach.
14
SLIDE 15
“The original proof of CRT [the Church–Rosser theorem] was fairly long and very complicated. . . . Newman generalized the universe of discourse . . . . He proved a result similar to CRT by topological arguments. Curry . . . generalized the Newman result . . . .
15
SLIDE 16
Unfortunately, it turned out that neither the Newman result nor the Curry generalization entailed CRT. . . . This was discovered by Schroer . . . . Schroer derived still further generalizations of the Newman and Curry results, which indeed do entail CRT. . . . Schroer 1965 is 627 typed pages . . . .
16
SLIDE 17
Chapter 4 of Curry and Feys 1958 is devoted to a proof of CRT for λ-calculus and . . . is not recommended for light
- reading. . . . Meanwhile a genuine
simplification of the proof of CRT had come in sight. See Martin-L¨
- f 1972.
17
SLIDE 18
It is agreed that Martin-L¨
- f got some of his
ideas from lectures by Tait. An exposition
- f the proof of CRT according to Tait and
Martin-L¨
- f appears in Appendix I of
Hindley, Lercher and Seldin 1972.” – J.B. Rosser
18
SLIDE 19
It is (apparently) in our natures to polish
- ur work to make it more beautiful,
elegant, and understandable.
19
SLIDE 20
It is (apparently) in our natures to polish
- ur work to make it more beautiful,
elegant, and understandable. This is great if your only concern is the beauty/elegance/clarity of the final product.
20
SLIDE 21
It is (apparently) in our natures to polish
- ur work to make it more beautiful,
elegant, and understandable. This is great if your only concern is the beauty/elegance/clarity of the final product. But it is harmful in our business!
21
SLIDE 22
Our Business Formal methods research is not about proving hardware and software correct. Formal methods research is about mechanizing creativity. By polishing our results we obscure the problems we’re really trying to solve.
22
SLIDE 23
A Trivial Example from My Class
- (endp x) — determines if x is empty
- (car x) — first element of x (when x is
non-empty)
- (cdr x) — rest of x (when x is
non-empty)
23
SLIDE 24
- (member e x) — determines whether e
- ccurs as an element of list x
- (rm! e x) — deletes every occurrence
- f e as a element from x
24
SLIDE 25
A Student’s Definition (defun set-equal (x y) (if (endp x) (endp y) (and (member (car x) y) (set-equal (rm! (car x) x) (rm! (car x) y)))) This function determines whether x and y have the same elements, ignoring order and duplication.
25
SLIDE 26
The Student’s Goal Theorem (set-equal (append a a) a)
26
SLIDE 27
The Student’s Goal Theorem (set-equal (append a a) a) (defun append (x y) (if (endp x) y (cons (car x) (append (cdr x) y))))
27
SLIDE 28
The Student’s Goal Theorem (set-equal (append a a) a) “Inductive proofs require general theorems. Many theorems you’ll want to prove are actually too specific to admit inductive proofs.” — J Moore
28
SLIDE 29
We tackled this interactively in class. Here is our more general theorem: (defthm crux (implies (subset b a) (set-equal (append a b) a))) (defthm goal (set-equal (append a a) a))
29
SLIDE 30
The Definition of Subset (defun subset (x y) (if (endp x) t (and (member (car x) y) (subset (cdr x) y))))
30
SLIDE 31
In class we proved several beautiful and helpful lemmas, e.g., (rm! e (append a b)) = (append (rm! e a) (rm! e b)) But with no time remaining in class our still unproved crux looked like this:
31
SLIDE 32
(defthm crux (implies (subset b a) (set-equal (append a b) a)) :hints (("Goal" :induct (set-equal a b)) ("Subgoal *1/2’’" :use (:instance subset-rm! (x b) (y a) (e (car a)))) ("Subgoal *1/3’" :expand ((set-equal (append a b) a)))))
32
SLIDE 33
(defthm crux (implies (subset b a) (set-equal (append a b) a)) :hints (("Goal" :induct (set-equal a b)) ("Subgoal *1/2’’" :use (:instance subset-rm! (x b) (y a) (e (car a)))) ("Subgoal *1/3’" :expand ((set-equal (append a b) a)))))
33
SLIDE 34
Class ended. I went home. I ate, watched TV, read, showered, slept.
34
SLIDE 35
About Induction To prove φ(x, y) by induction on x: Base: (endp x) → φ(x, y) Induction Step: (¬(endp x) ∧ φ(x′, y′)) → φ(x, y) where x′ is “shorter than” x.
35
SLIDE 36
About Induction To prove φ(x, y) by induction on x: Base: (endp x) → φ(x, y) Induction Step: (¬(endp x) ∧ φ(x′, y′)) → φ(x, y) where x′ is “shorter than” x.
36
SLIDE 37
About Induction To prove φ(x, y) by induction on x: Base: (endp x) → φ(x, y) Induction Step: (¬(endp x) ∧ φ(x′, y′)) → . . . φ(x′, y′) . . . where x′ is “shorter than” x.
37
SLIDE 38
So the key to proving φ(x, y) by induction is finding a φ with the property that it can be rewritten to something involving a “smaller” instance of itself. So, our story resumes. . .
38
SLIDE 39
Class ended. I went home. I ate, watched TV, read, showered, slept. I woke up at the usual time and knew I should change the class’ approach in two ways.
39
SLIDE 40
Insight 1: Redefine subset (defun subset (x y) (if (endp x) t (and (member (car x) y) (subset (cdr x) y))))
40
SLIDE 41
Insight 1: Redefine subset (defun subset (x y) (if (endp x) t (and (member (car x) y) (subset (cdr x) y))))
41
SLIDE 42
Insight 1: Redefine subset (defun subset (x y) (if (endp x) t (and (member (car x) y) (subset (rm! (car x) x) (rm! (car x) y)))))
42
SLIDE 43
Two Questions (a) Is it fair to redefine subset? After all, it means we’re not trying to prove the same crux anymore! (b) Why might redefining subset help?
43
SLIDE 44
(a) Yes, It is Fair! Crux is not the goal. Subset is not involved in the goal. The definitional principle is conservative. So how subset is defined doesn’t matter – except to the proof.
44
SLIDE 45
The Proof Plan (defthm crux (implies (subset b a) (set-equal (append a b) a))) (defthm goal (set-equal (append a a) a))
45
SLIDE 46
(b) Redefining Subset Helps because...
(defun subset (x y) (if (endp x) t (and (member (car x) y) (subset (rm! (car x) x) (rm! (car x) y))))) (defun set-equal (x y) (if (endp x) (endp y) (and (member (car x) y) (set-equal (rm! (car x) x) (rm! (car x) y)))))
Both remove elements of x from y.
46
SLIDE 47
Insight 2: Re-state crux (defthm crux ; Old (implies (subset b a) (set-equal (append a b) a))) Note: The hypothesis is removing elements
- f b from a, but the conclusion is removing
elements of a from a.
47
SLIDE 48
Insight 2: Re-state crux (defthm crux ; Old (implies (subset b a) (set-equal (append a b) a)))
48
SLIDE 49
Insight 2: Re-state crux (defthm crux ; New (implies (subset b a) (set-equal (append b a) a))) Note: Both the hypothesis and the conclusion are removing elements of b from a.
49
SLIDE 50
The Proof Plan Still “Works” (defthm crux ; New (implies (subset b a) (set-equal (append b a) a))) (defthm goal (set-equal (append a a) a))
50
SLIDE 51
But the New Crux is Easier to Prove (defthm crux ; Old (implies (subset b a) (set-equal (append a b) a))) (defthm crux ; New (implies (subset b a) (set-equal (append b a) a)))
51
SLIDE 52
Rewrite to an Instance? (defthm crux ; Old (implies (subset b a) (set-equal (append a b) a))) (defthm crux ; New (implies (subset b a) (set-equal (append b a) a)))
52
SLIDE 53
The Old Crux: Rewrite to an Instance? (implies (subset b a) (set-equal (append a b) a))
53
SLIDE 54
The Old Crux: Rewrite to an Instance? (implies (subset b a) (set-equal (append a b) a))
54
SLIDE 55
The Old Crux: Rewrite to an Instance? (implies (subset b a) (set-equal (append a b) a))
55
SLIDE 56
The Old Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append a b) a))
56
SLIDE 57
The Old Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append a b) a))
57
SLIDE 58
The Old Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (rm! (car a) (append a b)) (rm! (car a) a)))
58
SLIDE 59
The Old Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car a) a) (rm! (car a) b)) (rm! (car a) a)))
59
SLIDE 60
The Old Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car a) a) (rm! (car a) b)) (rm! (car a) a)))
60
SLIDE 61
The Old Crux: (implies (subset b a) (set-equal (append a b) a))
61
SLIDE 62
The Old Rewritten Crux: Not an Instance! (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car a) a) (rm! (car a) b)) (rm! (car a) a)))
62
SLIDE 63
The Old Rewritten Crux: Not an Instance! (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car a) a) (rm! (car a) b)) (rm! (car a) a)))
63
SLIDE 64
The Old Crux... is hard to prove by induction because some
- f its subterms remove (car b) but others
remove (car a), so we need “inconsistent instantiations”, sometimes replacing b by
- ne term, (rm! (car b) b), and
sometimes by another, (rm! (car a) b).
64
SLIDE 65
The New Crux: Rewrite to an Instance? (implies (subset b a) (set-equal (append b a) a))
65
SLIDE 66
The New Crux: Rewrite to an Instance? (implies (subset b a) (set-equal (append b a) a))
66
SLIDE 67
The New Crux: Rewrite to an Instance? (implies (subset b a) (set-equal (append b a) a))
67
SLIDE 68
The New Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append b a) a))
68
SLIDE 69
The New Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append b a) a))
69
SLIDE 70
The New Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (rm! (car b) (append b a)) (rm! (car b) a)))
70
SLIDE 71
The New Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car b) b) (rm! (car b) a)) (rm! (car b) a)))
71
SLIDE 72
The New Crux: Rewrite to an Instance? (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car b) b) (rm! (car b) a)) (rm! (car b) a)))
72
SLIDE 73
The New Crux (implies (subset b a) (set-equal (append b a) a))
73
SLIDE 74
The New Rewritten Crux: an Instance! (implies (subset (rm! (car b) b) (rm! (car b) a)) (set-equal (append (rm! (car b) b) (rm! (car b) a)) (rm! (car b) a)))
74
SLIDE 75
The New Crux The improved formulation is easy to prove because we remove (car b) uniformly from b and from a everywhere.
75
SLIDE 76
So after breakfast, I typed in the new formulation of subset and crux and the proof was done. Then, while driving to campus...
76
SLIDE 77
Insight 3: No Generalization Needed (defthm goal (set-equal (append a a) a))
77
SLIDE 78
Insight 3: No Generalization Needed (defthm goal (set-equal (rm! (car a) (append a a)) (rm! (car a) a)))
78
SLIDE 79
Insight 3: No Generalization Needed (defthm goal (set-equal (append (rm! (car a) a) (rm! (car a) a)) (rm! (car a) a)))
79
SLIDE 80
Insight 3: No Generalization Needed Using the rules already developed, we can prove (defthm goal (set-equal (append a a) a)) directly by induction on a by (rm! (car a) a). There is no need for subset or crux!
80
SLIDE 81
A Good Story Ruined Before proceeding I should say that much
- f the thought process just described is
codified by Rippling: a heuristic for guiding inductive proofs, Alan Bundy, Andrew Stevens, Frank van Harmelen, Andrew Ireland, and Alan Smaill, AI Journal, 62, pp. 188–253, 1993.
81
SLIDE 82
A Tale of Two Papers Which is the better paper to write? Which might get published? An Automatic Proof of Goal
- r
How Not to Prove Goal, and Why Which paper might lead somebody to breakthrough research?
82
SLIDE 83
Other Examples
- How do you model the system in
question? Should you include the behavior of resource x in your model? Why not?
- What is the right specification?
83
SLIDE 84
- How do you define the concepts used in
the specification? What “goes wrong” if you adopt some equally obvious alternative?
- What “obvious” variable orderings did
you try before the one that worked? Why were they “wrong?”
84
SLIDE 85
- What “obvious” canonical forms did you
adopt before finding the ones that worked? Why were they “wrong?”
- What modeling/testing/proof debugging
tools did you use? By highlighting such issues we facilitate automation.
85
SLIDE 86
Summary Our industrial customers just care about finding a proof, any proof. Our research funders want to see published papers. But we should be showing each other the failures and false starts.
86
SLIDE 87
87