Logosphere A Digital Library of Formal Proof
Carsten Schürmann Processor Verification
• INTEL (HOL/HOL light). [John Harrison] • $500mio Pentium bug.
• AMD (ACL2, Nqthm). [Matt Kaufmann] • Siemens, Microsoft (ASM). [Yuri Gurevich] Newton-Raphson iteration or power series expansion, and it Yet since the error bounds are necessarily pessimistic, as- culminates in a final fma that rounds a ‘result before the fi- suming worst-case rounding errors reinforcing each other nal rounding’ . In general, may be irrational, whereas on all the previous operations, it seems quite likely that the the final is of the form for some floating-point algorithm is in fact correct. How can we bridge the gap? numbers , and and is therefore always rational. This One solution is to utilize more refined theorems [32], shows that in general we cannot expect . However but this is complicated and may still fail to justify several we do require that they always round in the same way. How algorithms that are intuitively believed to work correctly. might this be proved? An ingenious alternative [11] is to observe that there are On general grounds we note that cannot be exactly relatively few cases like whose square roots the midpoint between two floating-point numbers, because come close enough to render the simple theorem inappli- in a floating-point format with bits of precision, a mid- cable, and these can be isolated by fairly straightforward point value has significant digits and therefore its number-theoretic methods. We can therefore: square more than . This is a useful observation. We’ll never be in the tricky case where theNreewatroen-tRwapohseoqn uitearlaltiyoncolropsoewer series expanIssionl,aatned itthe sYpeet csinacle cthaeseerrsor bounds are nectehssaatrilyhapvesesimsiqstuica, raes- floating-point numbers (resolved bcyulmtihneates‘rinoaufinndal ftomaethvaet nro’unds a ‘result berfoooretsthewfii-thin stuhmeincgriwtoicrsat-lcadsiesrtoaunncdiengoefrraorms riedinpfoorciinntg. each other rule.) So in round-to-nearest, anndal roundcinogu’ ld.oInngleynerroalu, ndmay be irrational, whereas on all the previous operations, it seems quite likely that the the final is of the form for some floCatoinng-cplouindte froalmgortithhem issiimn fpaclet cothrrecot.rHemow cthanawt ethbreidagelgthoergiatph?m in different ways if there were a midpnuominbetrsbe,twaenedn tahnedmis,thfeorerfore always rational. This One solution is to utilize more refined theorems [32], will give correct results except possibly for . only then could the closest floating-shpoowisntthant uinmgebneerrasl wtoe ctahnneomt expect . However but this is complicated and may still fail to justify several we do require that they always round in the same way. How algorithms that are intuitively believed to work correctly. differ. For example in the followinmgigdhtiathgisrbaemprowvehde? re large Explicitly shAonwingthenatiousthaleteranalgtivoer[ith11]mis tios ocboserrectrve thatfothrerethaere lines indicate floating-point numbers aOnndgesnmeraallglerorunodns ewse rneopte-that cannot be exactly relatively few cases like whose square roots the midpoint between two floating-point numbers, because (ecofmfeecctliovseleynobuyghrtuonrennidnegr tihteosinmpthleotsheorienmpuintasp)p.li- resent midpoints, would round ‘indoa wflona’tinwg-hpoilinet formawt owuithld bits of precision, a mid- cable, and these can be isolated by fairly straightforward round ‘up’: FormalpoinVt erificationvalue hasat Intel significant digits andBtyhesreofomreeitsstraignhutmfboerrw-thaerodretmic amtehtheomds.aWtiecsca[n1t1he]reffoorem: alized in Newton-Raphson iteration or power series expansion, and it Yet since the esrqrour aboruendms aorerenectehsasanrily p.essTimhisitsic,iass-a useful observation. We’ll culminates in a final fma that rounds a ‘result before the fi- suming worst-case rounding errors reinforcing each other HOL without particular difficulty, one can show that the dif- nal rounding’ . In general, may be irrational, whereas on all the previnoeusvoepJreorbhatneioHninas,rritithssoenemtrsicqukitye lcikaeslyethwaththeere there are two equally close Isolate the special cases that have square the final is of the form for some floating-point algorithm is inflfIanoctetalctoCirnorergpc-to.prHaotoioiwnn,ctaJnFn1wu-1em3brbidegresthe(graeps?olved by thefic‘ruoultndcatoseesvefno’ r squarerorootsowtisthhinatvheecsriitgicnalidfiisctanncde sof a,mcidopnosinitd. ered numbers , and and is therefore always rational. This One solution 2is11to1 NutEiliz2e5tmh oArveenreufiened theorems [32], rule.) So in round-to-nearest, and could only round shows that in general we cannot expect . However but this is complicatedHillsbanordomOayR, stillUSAfail to justify several as -bit integers, suchCotnhcalutdoenfreomofthtehseimfpolelltoheworienmgthdaitothpehaalgnotriinthem we do require that they always round in the same way. How algorithms jthoaihtnnarhde@iiifnftcuehitrievpenslyt.wbienlaiteyveseld.iftcotohwmeorrkecworreerctelya. midpoint between them, for might this be proved? An ingenious alternative [11] is to observe that there are equations has a solutiwoilnl givefcoorrrseoctmreseulitns etxecgeeptrpossibly for , where. On general gWhat’rounds we note that cannot besexactly Intelrelatively few coanselsyl iktehupen could t hwehto?ocselosqsuearsetroflootsating-point numbers to them the midpointAbetlwtehenotwuo gflohating-paoinntanulmybezrsi,nbegcause tAhbsictsroamcet ccloosenenddouiigfthfietor.rnenFdoer ctrheocextlsyamimomnpbapllelliptehonsesioainbreltemotinhpirneuatisp.afpoTllhil-illsoyinwvolivnesgfordmiinaggmraathimes- wroheureghlalrygethe factoExrpblicitlyy whshiocwh ththate thgeualgraonrithtemedisrceolrrectativfoe retrh-e in a floating-point format with bits of precision, a mid- cable, and thelseinceans biendisoiclaatemtdeatbicflyalofmaaiortdliyenlssgotrf-atpihgeohstyifsnotretwmnaarnuddmitsbineternsdedabnedhavsiomr anadller ones rep- point value has significant digits aAnsddethsiegrnesfobreecoimtse morencuommbpleerx-,thfoeromreatlicvemrifiecthatoiodns. Welcinaknintghethre ftworoe:: ror is excessive: (effectively by running it on those inputs). squarewmooreuthland . bTehis ics oa umsefpul loteibccshenraiqvuatetiesonadr.e,Wbeetc’ohlml iengriencreaissinglyaimpmorretausntecninhtthme sidimpoipnltse,r suwfofiucldieronutnd ‘down’ while would never be in the tricky case where there arheatrwdwoaerequinadlulystrcyl.oMseany different Imseotlhaotdestahree usspeedc,iraalngc-ases that havAectusqaluraerqeuirements condition. One cinag fnrom eproapossiitilonyal tasuteoloegy ctrhhoeockatisntwg uitiphrtitnowtuheneuocdsreiut‘oiucflapldd’i:sstanucefofif acmeidptooint.show By some straightforward mathematics [11] formalized in floating-point numbers (resolved by thinete‘rraocutinvedhtigoheerv-oernd’er theorem provers. Our own work is rule.) SoHOLin round-to-ne ar es t, an d co u ld o nl y ro un d [Harrison’03] mainly concerned with the formalCvoernificcluadtioenfroofmflotahtiengs-imple theorem that the algorithm HOL without particular difficulty, one can show that the dif- in diffetrehntawtayfs iof trherae wneyre ammidipdoinpptoboientwimneaethntetmhaetmica,:lfofurnctions. As this paper aims to illus- Mathematical specification will give correct results except possibly for . only then could the closest floating-pointrtanteu,msubcherasptpolictahteiomns require a rather general mathemat- ficult cases for square roots have significands , considered ical framework and the ability to automate special-purpose differ. For example in the following diagram where large Explicitly show that the algorithm is correct for the as -bit integers, such that one of the following diophantine lines indiFloatingcate floating-point num bPersointanpdrosomf aallge orroarithmeticitnhmess rienpa- reliable way. Our w.ork uses the Mathematical model We consider the equations separately for each chosen public-domain interactive theorem prover HOL(Lefigfehct,tiavnedly by running it on those inputs). equations has a solution for some integer , where resent midpoints, would round ‘dowwne’cwlahimilethat thwisoaunld similar ‘LCF-style’ theorem provers round ‘up’: . For example, we might be interested in whether are a good choice for such applicBaytiosnosm. e straighAtfolrtwhaordumgahthemaatnicasl[y11z]ifnorgmalActuitzhedialsinsystemcondition combinatorially is roughly the factor by which the guaranteed relative er- HOL without particular difficulty, one can show that the dif- ror is excessive: In that case and coficuullt dcasnes’fotrwlsqioueaurelodronobtsehoacvpoe spmigonpilfisicciaantdetseds,,ciodtnhseiedreseredoisfa much simpler sufficient has a solution. If so, the possible value(s) 1 Formal Verificationas -bit integercs,osnucdhitthiaot non.e Oof ntThheeeffcoalcaltosnwthieantag(sid)igolepythtiansngetaienmetahthaemtaititcawl prooouflrdighst uisffice to show . Here is the formal theorem in HOL in aalso dmifficoultr[e13], ganed (nii)ecorrraecltness of formaol mfodels are added to the set of difficult cases. It’s quite easy equations has athsoaluttifoonr afonrysomeiidnpteogeirnt : , where Although analyzing this condition Acsomobsitnpartoogrriaamllmy ers knowistorothuegirhRoundclyostth, ewfriatcintgorpbroy- wh icdhtheoethsenogtunaer caensamesstaereidlyriemlaptlyivceoerr re-cwatness of tyhe actifual system [15], were called on to denigrate the idea of formal verifi- would fboe crompl:icated, there is a muchgrsaimmsptlheart sfunffictcioiennctorrectlryorinisaellxciercsusimvset:ances — or to program HOL to enumerate all the solutions of such dio- sometimes even saying precisely what that means — is dif- cation in the 70s. However, these objections seem to have We consider the equations separately for each chosen condition. One can easily see that it wofiucludlts.ufMfiocset tloarsgheopwrograms contain ‘bugs’. In the past, little intellectual force and have largely been swept away. that for any midpoint : hardware has been substantially simpler than software, but It is now widely accepted that formal verification,pwihth athentine equations, retu. rFnoirnegxamapdlei,swjue nmcigthivt ebetihnteeroersteemd inowfhtehtheer |- (precision fmt = 0) proof itself checked by machine, gives a much greater de- this difference is eroding, and cuWrrenct olenasdiidnegr-edthgeInmeqicturhoa-taiotncs asespearately afonr deach chcooseunldn’t lie on opposite sides of processors are also extremely complex and usually contain gree of confidence than traditional testing and sifmoulartiomn : has a solution. If so, the possible value(s) ( m. m IN midpoints fmt . For example, we might be interested in whether errors. It has often been noted that mere testing., evHeneorne istetchneiqufeos. rTmheamlainthimepoedriemment toingreHateOr uLse oifnformaalmore general of are added to the set of difficult cases. It’s quite easy In that case and couldn’t lieaocnbaroesfpupl(loysxsietelecsti-eddeseotysfo)f test
4
!"#$%%&'()*+#,+-.%+/0-.+1((234+5666+789:#*'29+#(+;#)'$+'(+<#9:2-%"+7$'%($%+=;5<7>?@A+ /?B@CD0E/F?@+G/EH??+I+J??@+5666+
!"#$%%&'()*+#,+-.%+/0-.+1((234+5666+789:#*'29+#(+;#)'$+'(+<#9:2-%"+7$'%($%+=;5<7>?@A+ /?B@CD0E/F?@+G/EH??+I+J??@+5666+ — in one real application we needed to derive a few hundred The principal difficulty in implementing trigonometric special cases [24]. An additional requirement is to prove range reduction is that the input argument may be large that the prime factors are indeed prime, otherwise we will and yet the reduced argument very small, because is not be able to complete the requisite chain of logical infer- unusually close to a multiple of . In such cases, the —enicneosn.eSreinalcaeptphliecaptrioimn wesecnaenedbede tqoudieterivlearagfeew(ahruonudnrded in The pcroinmcpipuatlatdiioffincouflty nineeimdsplteombeentpinegrfotrrimgoendomveertyriccarefully. As- sappecpilailcactaisoenss[2s4o].faAr,nanaddcitoionncaelivreaqbuliyreamselnatrgisetoasprove in fura-nge resduumctionng iws ethhatavtheecianlpcuutlaatregdumen, twemneayedbetolaervgaeluate: thtuartet)h,enpariivmeeaflagcotroirtshamres binadseeeddopnritmeest,iontghearlwl fisaectwoerswairlel out oafnd yet the reduced argument very small, because is ntohtebqeuabesletioton.complete the requisite chain of logical infer- unusually close to a multiple of . In such cases, the enceWs.eSeinxcpelothiet tphreimfeasctcatnhabteaqluthitoeulgarhgew(earhouanvde to prionducecaomputation of needs to be performed very carefully. As- afinpplalicaptrioonosfsooffpar,imanalityd conbcyeivstrictably aHOLs largperaims itiveininfferenu- ces,suming we Hhaovwe ecavlecru,lateids irr,awtieonnaeeldantodesvoalcuaanten:ot be represented ex- tuwre)m, naayiveusaelgaorrbitihtmrasrybamseedaonnstteostfiinngdaltlhfaatcptorrosoafr,eeovuetnofinclud- actly by any finite sum of floating point numbers. So how- thinegquthesetiuonse. of an external ‘oracle’ (cf. [25]). We use the ever the above is computed, it must in fact calculate We exploit the fact that although we have to produce a factorization software included in the the PARI / GP sys- However, is irrational and so cannot be represented ex- final 3proof of primality by strict HOL primitive inferences, wteme maytousheealprbcitoranrsytrmuecatnosutor pfinrodothfsatopfroporfi,meavleintyi.ncOlurdi-ginallyac, tly by any finite sum of floating point numbers. So how- inthgethveeruisfiecaotfioan ewxatesrnbaalse‘odraocnleL’ u(ccfa. s’[s25t]h)e. oWreemu[s3e7th],ebut ine-ver thefaobrosvoemisecaopmppruotxedim, iat tmiounst in fact calc.uTlahtee relative error spired by similar work in [35] we later modified it to use factorization software included in the the PARI / GP sys- is then which is of the order . Therefore, to keep temPoc3 ktolinhgeltponc’osntshtreuocrteomur, wprhoiocfhs ocfanprbimeasliigtyn.ifiOcraignitnlayllmy,ore ef- thficiene verit.fi4cation was based on Lucas’s theorem [37], but in- for somethaipsprroexlaimtivateioenrror within. Tahcecerepltaatibvleeebrroournds (say ) the spired by similar work in [35] we later modified it to use accuracy required in the approximation depends on how is then which is of the order . Therefore, to keep P|o-ck2lingtonn’s theorem, which can be significantly more ef- small the (true) reduced argument can be relative to the in- ficien(t.n4 - 1 = q * r) this relaptiuvet aerrgourmweitnhti.n Ianccoeprdtaebrletobofuonrmdsa(lslayyverify) tthhee accuracy of accuracy required in the approximation depends on how n q EXP 2 the algorithm, we need to answer the purely mathematical |- 2(a EnXP (n - 1) == 1) (mod n) small the (true) reduced argument can be relative to the in- question: how close can a floating-point number of given — in one real application we needed to derive a few hundred ((n -pT.1hep=rpriqinmce*i(prapl))difficpultydiinviimdeplsemqenting trigonometric put argument. In order to formally verify the accuracy of n q EXP 2 special cases [24]. An additional requirement is to prove range reductcionprisitmheat(taheEinXpPut(a(rgnum-en1t) mDIayV bpe)lar-ge 1,n))the algoprirthecmi,siwoen naeneddstpoeacnisfiweedrrtahnegpeubreelytomaatnhoemnzaetircoalinteger multi- (a EXPpr(inme-(n1) == 1) (mod n) that the prime factors are indeed prime, otherwise we will ( apn.d pyreit mthee(pre)ducepd adrigvuimdeenst qvery small, because is questionp:lehoowf cl?ose can a floating-point number of given not be able to complete the requisite chain of logical infer- unusuallyccolporseimteo(aa mEuXlPtip(le(nof- 1). DInIVsupc)h c-as1e,s,nt)h)e precision anTdospaencsiwfieedr rtahnisgeqbueestotioann,ownzeerfiorisnttengeeerdmtuoltbi-e able to pro- ences. Since the primes can be quite large (around in Tocoumpsrpeiumttaehti(ionsn)tohfeonreeemds ttoobve epreirfoyrmperdimvearlyitcyareoffully,. Awse- find pale of d?uce accurate approximations to by formal proof. This is applications so far, and conceivably as large as in fu- suming we have calculated , we need to evaluate: primitive root modulo (there are plenty of them, and we To anaswsterraithgihstqfourewstaiornd,awpepfilircsattnioeendotfotbheeatbelcehtnoiqpruoe-s for comput- ture), naive algorithms based on testing all factors are out ofjusTtosuesaercthhisbtlhinedorleym) atnodveariffaycptorirmaliotyf of , wwe ifitnhd a d,uce accurate approximations to by formal proof. This is the question. ing with computable reals described in [22]. It is encapsu- pfinrimditaivlle throeotprimmoeduflactoo (rsthereoafre palnedntythoefnthveemri,fayndthwate all thaestraightforward application of the techniques for comput- We exploit the fact that although we have to produce ajust search blindly) and a factor of with , lated as a HOL function PI APPROX RULE which given a hypothHesoewseovefr,theisaibrroatvioentahl eanodresomcahnonlodt ,behreenpcreeseanltleodwexin- g us tiong with computable reals described in [22]. It is encapsu- final proof of primality by strict HOL primitive inferences,find all the prime factors of and then verify that all the required accuracy returns a theorem asserting that a suit- we may use arbitrary means to find that proof, even includ-verifayctlhyabty anisy pfirniimte esu.mAollf fflaocationrgizpaotiniot nuims bdeorsn.eSboyhocwa-lling olnated as a HOL function PI APPROX RULE which given a hypotheveesretshoefatbhoeveabisocvoemthpuetoerde,mit mhoulsdt,inhefancctecallcloulwatieng us to able rational approximation is within of , e.g. ing the use of an external ‘oracle’ (cf. [25]). We use thePARI/GP, and of course to dispose of the side-conditions orefquired accuracy returns a theorem asserting that a suit- factorization software included in the the PARI / GP sysv- erify that is prime. All factorization is done by calling on able rational approximation is within of , e.g. #let pth = PI_APPROX_RULE 5;; tem3 to help construct our proofs of primality. OriginallyP,tAhRe It/hGePo,raenmd owfeconueresde ttooduisspeotsheeosfathmeesipdreo-ccoendduirtieornescoufrsively pth : thm = the verification was based on Lucas’s theorem [37], but int-htoe tvheeroirfeymthwaet neeaecdhtooufstehtehefasacmtoersprroecteudrunreedrebcyurPsiAveRlyI/GP i#slet pth = PI_APPROX_RULE 5;; for some approximation . The relative error |- abs(pi - &26696452523 / &8498136384) spired by similar work in [35] we later modified it to useto verify that each of the factors returned by PARI/GP is pth : thm = itselfisathpenrime. which is of the order . Therefore, to keep <= inv (&2 pow 5) Pocklington’s theorem, which can be significantly more ef- |- abs(pi - &26696452523 / &8498136384) itself a prime. <= inv (&2 pow 5) ficient.4 this relative error within acceptable bounds (say ) the Trigaoccnuoramcyerterquicirerdainntghe arpepdrouxicmtaitoionn depends on how Armed with the ability to find arbitrarily good rational Armed with the ability to find arbitrarily good rational |- 2 n TrigWhat’osnmoamll tehter(itcrurea) nregdseucre eddIntelaurgcutmioent can b e rupelative to tto?he in- approximations to , we can now tackle the main problem. (n - 1 = q * r) approximations to , we can now tackle the main problem. put argument. In order to formally verify the accuracy of For the algorithm we have been concerned with, we can n q EXP 2 Atlhgeoarligtohrmithsmf,owrethneeetdritgooannoswmeer ttrhiecpfuurnelcytimoanthse(matic,al anFdor the algorithm we have been concerned with, we can (a EXP (n - 1) == 1) (mod n) Algorithms for the trigonometric functions ( , and assume that that is a floating-point number with bits ( p. prime(p) p divides q ) )oqfoutefstnetinostnas:rtthaorwwtitwhclioatshne iacnanintiianlifltroiaaantlignrega-rnpegodieuntcrtneiuodmnubcsetreioponfwgshitveerpne wheraessume that that is a floating-point number with bits of precision and . (For larger arguments a more coprime(a EXP ((n - 1) DIV p) - 1,n))tThthrigeeiniinponometrictrieaticlaiislnioipnupat nudtisspbeicrs oifibrangekeredonrkadenongwed nbroeaweduction.stonfaoalnlsonwfzosel:rloowintse:ger multi- of precision and . (For larger arguments a more prime(n) ple of ? elaboratelaanbdoeraxtpeenasnivdeerxapnegnesrievdeucratinogneisruesdeudc.)tiAonnyissuucshed.) Any such To answer this question, we first need to be able to pro- can be wcraitntebne written To use this theorem to verify primality of , we find aHOLduce accurate approximations to by formal proof. This is primitive root modulo (there are plenty of them, and we a straightforward application of the techniques for comput- just search blindly) and a factor of with w,whhereerieng wiisthitshcoetmhiepnuteitnagbteelregrceelraolsscedlsoetscteorsibtetdoin [2a2n]d. Itains dencapsu-. . find all the prime factors of and then verify that all the(In practical implementations, might not be precisely the (In plraatecdtiacsaal HimOpLlfeumncetinotnaPtiIonAsP,PROmX iRgUhLtEnwothibceh gpirveecniasely thfeor some integers and ; assuming the hypotheses of the above theorem hold, hence allowing us toclosest integer, so the bound on is a little greater than for some integers and ; assuming the closerseqt uiinretdegaeccru, rsaocytheretburonusnadthoeonrem asisseratinlittleg that garseateruit- thannumber is normalized, is simply its significand consid- verify that is prime. All factorization is done by calling onWhat.) abWlee haratiocanppensnthaleanpepvroax luifima ta etiox nclose is w ith toa inn da /o multiple r o f , e .g ofa. s πe i/t h2 e r ? number is normalized, is simply its significand consid- .) We can then evaluate and/or as eitheerred as an integer. We are then interested in bounding: PARI/GP, and of course to dispose of the side-conditions of , , or depending on mod- #let pth = PI_APPROX_RULE 5;; ered as an integer. We are then interested in bounding: the theorem we need to use the same procedure recursivelyulo , an,d since , is of modeorarte size, the dcoerpeecnodminpgutoatnion mod- to verify that each of the factors returned by PARI/GP is pth : thm = ulo , an|-d asbins(cpei -is&2o6f69m64o5d2e5r2a3te/ s&i8z4e9,8t1h3e63c8o4)re computation itself a prime. is now fairly straightforward. is now fair
7
!"#$%%&'()*+#,+-.%+/0-.+1((234+5666+789:#*'29+#(+;#)'$+'(+<#9:2-%"+7$'%($%+=;5<7>?@A+ /?B@CD0E/F?@+G/EH??+I+J??@+5666+ What’s Intel up to?
Large HOL libraries of mathematical knowledge and proofs. Example: Reals library. Years of development effort. Little sharing with the community. Not surprising: Intel intellectual property. NASA Space Shuttle
Langely Research Center. [Butler ‘98] PVS (Prototype Verification System). [Owre] Example: GPS Receiver State Processing. GPS Reference Sate Processing. Result: 86 issues or minor discrepancies were discovered. NASA Space Shuttle
Huge PVS libraries developed at NASA. Algebra, Real analysis, Complex numbers, Directed graphs, Graph theory, Integer division, Abstract orders, Lattices, Fixed Points, Power sets, Trigonometry, Series, Taylor’s theorem etc. Sharing ok, but how? Mathematics
Four-Color theorem [Appel, Haken 1976]
Kepler’s Conjecture 2D [Thue 1890] 3D [Hales 1989] 2.2 Weight Assignments A weight assignment of a plane graph G is a function w : G R taking values in the set of We call the constant 14.8, which arises repeatedly non-negative real→numbers. A weight assignment is in this section, the target. admissible if the following properties hold: Define a : N R by → 1. If the face F has length n, then w(F ) d(n) ≥ 14.8 n = 0, 1, 2, 2. If v has type (p, q), then 1.4 n = 3, a = w(F ) b(p, q). 1.5 n = 4, ≥ v∈F 0 otherwise. % Define b : N N R by b(p, q) = 14.8, except for 3. Let V be any set of vertices of type (5, 0). If the values in×the→following table (with the under- the cardinality of V is k 4, then ≤ standing that x = 14.8): w(F ) 0.55k. ≥ q = 0 1 2 3 4 V ∩%F =# ∅ p = 0 x x x 7.135 10.649 4. Let V be any separated set of vertices. Then A weight assignment of a pl1ane xgrapxh G6.95 is 7.a135 x 2.2 Weight Assignments 2 x 8.5 4.756 12.981 x (w(F ) d(len(F ))) a(tri(v)). 3 x 3.642 8.334 x x − ≥ function w : G R taking values in the set of V ∩F =# ∅ v∈V → 4 4.139 3.781 x x x % % We call the constant 14.8, which arises repeatedly non-negative real numbers. A we5igh0t.55ass11i.g22nmxent ixs x The sum w(F ) is called the total weight of w. in this section, the target. admissible if the following prope6rtie6s.33h9 oldx: x x x F Define c : N R by & N R → 2.3 Plane Graph Properties Define a : by 1 n = 3, → 1. If the face F has length n, then w(F ) d(n) We say that a plane graph is tame if it satisfies the 0 ≥ n = 4, following conditions. c = 1.03 n = 5, 14.8 n = 0, 1, 2, − 2. If v has type (p, q), then 2.06 n = 6, − 1. The length of each face is (at least 3 and) at 1.4 n = 3, 3.03 otherwise. most 8. − a = w(F ) Debfi(nepd, :qN). Rby 2. Every 3-circuit is a face or the opposite of a 1.5 n = 4, ≥ → v∈F face. 0 n = 3, 0 otherwise. % 3. Every 4-circuit surrounds one of the cases il- 2.378 n = 4, lustrated in Figure 4. 4.896 n = 5, 4. The degree of every vertex is (at least 2 and) Define b : N N R by b(p, q) = 14.8, except for 3. Let V be any set of vertices of dty=pe7.41(45, 0n )=.6, If at most 6. × → 9.932 n = 7, the values in the following table (with the under- the cardinality of V is k 4, then 5. If a vertex is contained in an exceptional face, ≤ 10.916 n = 8, then the degree of the vertex is at most 5. standing that x = 14.8): 14.8 otherwise. w(F ) 0.55k. 6. ≥A set V of vertices is called a separated set of c(len(F )) 8, ∩ # ∅ ≥ q = 0 1 2 3 4 V F = F % vertices if the following four conditions hold. % p = 0 x x x 7.135 10.649 4. Let V be any separated se1t. Forfevereyrvteircteex sin. VTthereenis an exceptional 7. There exists an admissible weight assignment 1 x x 6.95 7.135 x face containing it. of total weight less than the target, 14.8. 2 x 8.5 4.756 12.981 x (w(F ) d(len(F )2). )No two verticaes(intrVia(rve )ad)j.acent. It follows from the definitions that the abstract − 3. No≥two vertices in V lie on a common quadri- vertex-edge graph of G has no loops or multiple 3 x 3.642 8.334 x x V ∩F =# ∅ lateralv. ∈V joins. Also, by construction, every vertex lies in at % % least two faces. Property 6 asserts that the graph 4 4.139 3.781 x x x 4. Each vertex in V has degree 5. has at least eight triangles. 5 0.55 11.22 x x x 5 6 6.339 x x x x The sum F w(F ) is called the total weight of w. Define c : N R by & The→ Flyspeck2.3 PPrlane Grojectaph Properties 1 n = 3, We say that a plane graph is tame if it satisfies the 0 n = 4, following conditions. c = 1.03 n = 5, − 2.06 n = 6, Formal proof− of Kepler’s 1. The length of each face is (at least 3 and) at • 3.03 otherwise. most 8. − conjecture. Define d : N Rby 2. Every 3-circuit is a face or the opposite of a → face. 0 n = 3, 3. Every 4-circuit surrounds one of the cases il- ETA: 20 years.2.378 n = 4, • lustrated in Figure 4. 4.896 n = 5, 4. The degree of every vertex is (at least 2 and) d = 7.414 n = 6, at most 6. HOL light.9.932 n = 7, • 5. If a vertex is contained in an exceptional face, 10.916 n = 8, then the degree of the vertex is at most 5. 14.8 otherwise. 6. Hopes for access to Coq, • A set V of vertices is called a separated set of c(len(F )) 8, ≥ veIsabelle/HOL.rtices if the following four conditions hold. %F 1. For every vertex in V there is an exceptional 7. There exists an admissible weight assignment • Tameface co nPlanartaining it. Graphs. of total weight less than the target, 14.8. 2. No two vertices in V are adjacent. It follows from the definitions that the abstract 3. No two vertices in V lie on a common quadri- vertex-edge graph of G has no loops or multiple [Hales,lateral. Nipkow, MacLaughlin] joins. Also, by construction, every vertex lies in at least two faces. Property 6 asserts that the graph 4. Each vertex in V has degree 5. has at least eight triangles.
5 MIZAR [Trybulec’72]
• Reconstruct mathematical vernacular. • Proof verifier. • Large body of mathematical knowledge. • No explicit proof objects. • Journal of formalized mathematics. • On the Hausdorff distance between compact subsets. [Adam Grabowski] • Chains on a grating in Euclidean space. [Freek Wiedijk] Logic Diversification
Tempor SMV SPIN Vampire Nqthm PVS al logic
Proposi First- Chaff tional order Otter ACL2 logic logic
Higher- Modal order OMEGA MIZAR logic logic
Martin Löf's AGDA NUPRL type theory
Automath LCF HOL HOL light
Calculus of COQ Constructions Library Growth
Tempor SMV SPIN Vampire Nqthm PVS al logic
Proposi First- Chaff tional order Otter ACL2 logic logic
Higher- MIZAR Modal order OMEGA logic logic
Martin Löf's AGDA NUPRL type theory
Automath LCF HOL HOL light
Calculus of COQ Constructions Digital Libraries
FDL library. [Constable 2000] • Storage, retrieval of mathematical facts. • Logic dependent. Logosphere. [Schürmann 2002] • Logical framework. • Foundationally uncommitted. • Theory morphisms. • Currently under development. What shall we store?
Semantic meaning of a theorem! Formulas alone insufficient. • Logics vary in proof-theoretic strength. • Example: First-order logic vs. impredicative type theory. • Semantics-preserving transformations. = F = = F | L1 1 ⇒ | L2 2 Meaning of theorems ...
... are mathematical entities expressed as • Denotations (Domain theory). • Objects (Category theory). • {0,1} (Model theory). • Strategies (Game theory). • Syntactic Proofs (Proof Theory). Large proofs but small trustworthy checkers. Proofs are important
Although the Annals will publish Dr Hales's paper, Peter Sarnak, an editor of the Annals, whose own work does not involve the use of computers, says that the paper will be accompanied by an unusual disclaimer, stating that the computer programs accompanying the paper have not undergone peer review. There is a simple reason for that, Dr Sarnak says—it is impossible to find peers who are willing to review the computer code. [The Economist, May 2005] Rest of this talk joint work with Mark-Oliver Stehr
• The logic HOL. • Logical framework LF. • Nuprl type theory. • HOL - Nuprl connection. • Open questions.
HOL
• Higher-order logic [Church ‘40] • HOL theorem prover [Gordon ‘85] •HFlaOvLor(: TIsabelle/HOLyping) [Paulson, Gordon ‘92]
Terms: e1, e2 ::= x |=|⊃| e1 e2 | λx : τ.e Types: τ ::= o | τ1 → τ2 Judgments: e : τ Rules: imp eq ⊃: o → o → o =: τ → τ → o
u x : τ1 . .
e : τ2 e1 : τ2 → τ1 e2 : τ2 u app lam e1 e2 : τ1 λx : τ1.e : τ1 → τ2
Proofs “R” Us – p.22/48 HOL (Typing)
Terms: HOLe1, e 2(T::=yping)x |=|⊃| e1 e2 | λx : τ.e Types: τ ::= o | τ1 → τ2 Judgments: e : τ Rules: imp eq ⊃: o → o → o =: τ → τ → o
u x : τ1 . .
e : τ2 e1 : τ2 → τ1 e2 : τ2 u app lam e1 e2 : τ1 λx : τ1.e : τ1 → τ2
Proofs “R” Us – p.22/48 HOL (PHOLroofs) (Proofs)
Judgments: ! P Rules: ! P . .
! P ! P ⊃ Q ! Q mp disch ! Q ! P ⊃ Q
refl beta ! P = P ! (λx : τ.P )Q = [Q/x]P
Proofs “R” Us – p.23/48 HOL (HOLBoolea n(Booleans)s)
bool =ˆ o true =ˆ λx : bool.x = λx : bool. x all P =ˆ P = λx : τ. true false =ˆ all (λx : bool.x) neg P =ˆ P ⊃ false P and Q =ˆ all (λR : bool.(P ⊃ Q ⊃ R) ⊃ R) the P (newly declared) ex P =ˆ P (the P )
Proofs “R” Us – p.24/49
Twelf
• Logical framework LF. [Harper ‘93] • Meta-language for deductive systems. • Judgments-as-types, derivations-as-objects. • Representation methodology. • Higher-order abstract syntax. • Captures variable binding. Twelf (cont’d)
Reprsentation ReprTesentinghe Logi cnaumbersl Fram einw BSor k(binarLF y strings). The Logical Framework LF Representa!7ti9o"n=pa∗r,a1d,i0g,m0,. 1, 1, 1, 1 Represe•nJtautdiognmpeanrtasd-aigsm-ty. pes. Representing judgments in LF. • Judgments-as-types!.! P ":type=! !P " !! P " : type = ! !P " Representing• Derivatio derivationsns-as-objects. in LF. • Der!ivations-as-objects. " H1 H2 ! " ! " H1 ! P ⊃ HQ2 ! P : ! Q mp !=" mp !P " !Q" !H1" !H2" ! P ⊃ Q !!PQ : ! Q Proofs “R” Us – p.27/49 mp Proofs “R” Us – p.30/49 ! Q = mp !P " !Q" !H1" !H2" Proofs “R” Us – p.30/49 Reprsentation Twelf’s Strength !79" = ∗, 1, 0, 0, 1, 1, 1, 1 Adequacy Theorem: Every HOL derivation D of P1, . . . , Pn " Q can be represented in LF as a canonical object !D" : !Q" in context u1 :" !P1", . . . un :" !Pn".
HOL Terms Logical Framework LF Types Typing Derivability Proofs “R” Us – p.27/49 Canonical Definitions objects Twelf (cont’d)
Edinburgh Logical Framework. • The Logical Framework LF • Signature declares object/type constants. • λΠ [Harper, Honsell, Plotkin] • Dependent• Edinburgh L types.ogical Framework. K ::= type | Πx : A. K | A → K A ::= a | A M | Πx : A1. A2 | A1 → A2 M ::= c | λx : A. M | M1 M2 • Dependently-typed λ-c[Pfalcenning,ulus. Schürmann ‘98] • Signature: declares c : A and a : K. • Implementation: Twelf (www.twelf.org).
Proofs “R” Us – p.34/49 Twelf Encoding of HOL tp : type. %name tp (A B). bool = o. --> : tp -> tp -> tp. %infix right 10 -->. true : tm bool = (\ [x : tm bool] x) === (\ [x: tm bool] x). o : tp. all| : tm ((A --> bool) --> bool) = \ [P:tm (A --> bool)] P === \ [x] true. tm : tp -> type. %name tm (H G) (x y P Q R). all = [P] all| @ P. =>: tm (o --> o --> o). false : tm bool = all (\ [P] P). == : tm (A --> A --> o). neg : tm (bool --> bool) = \ [P:tm bool] P ==> false. @ : tm (A --> B) -> tm A -> tm B. %infix left 15 @. /|\ : tm (bool --> bool --> bool) \ : (tm A -> tm B) -> tm (A --> B). = \ [P:tm bool] \ [Q:tm bool] ==> = [H:tm o] [G:tm o] => @ H @ G. %infix right 13 ==>. all (\ [R:tm bool] (P ==> Q ==> R) ==> R). === = [H:tm A] [G:tm A] == @ H @ G. %infix left 14 ===. /\ = [P] [Q] /|\ @ P @ Q. %infix right 12 /\. \|/ : tm (bool --> bool --> bool) = \ [P:tm bool] \ [Q:tm bool] |- : tm o -> type. %prefix 10 |-. %name |- D u. all (\ [R:tm bool] (P ==> R) ==> (Q ==> R) ==> R). mp : |- H -> |- H ==> G -> |- G. \/ = [P] [Q] \|/ @ P @ Q. %infix right 11 \/. disch : (|- H -> |- G) -> |- H ==> G. the| : tm ((A --> bool) --> A). refl : |- H === H. the = [P] the| @ P. beta : |- (\ H) @ G === (H G). ex| : tm ((A --> bool) --> bool) sub : {G:tm A -> tm o} |- H1 === H2 -> |- G H1 -> |- G H2. = \ [P:tm (A --> bool)] P @ (the (\ [x] P @ x)). abs : |- \ H === \ G ex = [P] ex| @ P. <- ({x} |- H x === G x). Applications of Twelf
• Foundational Proof-Carrying Code. [Appel ‘99] • Typed Assembly Language. [Crary ‘02] • POPLmark Challenge. [UPenn ... ‘05] • Logosphere Digital Library. Alternative Logical Frameworks
Hereditary Harrop Formulas. [Isabelle, λProlog] Substructural logical frameworks. [LLF, OLF] Equational logic, rewrite logic. [Maude, Elan] Constructive type theory. [AGDA, Coq, Nuprl]
Nuprl
• Polymorphic extensional type theory. [Constable ‘86] • Judgments establishes equality among terms. • A type is true iff it is inhabited. • Many applications. • Ensemble (TCP/IP stack). [Kreitz ‘04] • Protocol Verification. [Felty et al ‘98] RefinemNuprlent Rules f oFunctionsr Function Spaces
H S T type funR ! → H S type ! H T type !
H λx.e = λx!.e! S T lamR ! ∈ → H, x:S e = e![x/x!] T ! ∈ H S type !
H f e = f ! e! T appR S T ! ∈ → H f=f ! S T ! ∈ → H e=e! S ! ∈
H (λx.e) e! = e∗ T compute 1 ! ∈ H e![e/x] = e∗ T ! ∈ [Courtesy Kreitz] Note: e=e T is usually abbreviated by e T ∈ ∈
CS 671 Automated Reasoning 6 Introduction to NuPRL Nuprl (cont’d)
• Also: Dependent Sums, Functions, Quotient types, Universes, Substitution principles. • Judgments, rules form deductive system. • Variable binding and hypotheses modeled using higher-order abstract syntax. • Implemented in Twelf. • Details omitted here.
Translation
• Original idea. [Howe ‘98] • Syntactic argument. [Meseguer, Stehr ‘01] • Implemented in Nuprl, replay of proof scripts. [Naumov ‘01] • Formalized and executable specification. [Schürmann, Stehr ‘05] Nuprl’s Boolean domains Nuprl’s Boolean domains Translation• Booleans: (cont’d) • Booleans: boolean = unit + unit tt = inl bullet Booleans. boolean = unit + unit • ff = inr bullet tt = inl bullet if e e1 e2 = decide e (λz. e1) (λz. e2) ff = inr bullet if e e1 e2 = decide e (λz. e1) (λz. e2) • Proposition-as-types:
• Pr•opositions-as-types.Proposition-as-types: BOOLEAN = U1 TRUE = unit BOOLEAN uni 1 =FALSE = void TRUE = AuLnLit = Π FALSE ==nv=o>id = Π Proofs “R” Us – p.3/14 ALL = pi =n=> pi = Proofs “R” Us – p.3/14 Nuprl’s Classical Extension NuHoprl’ws Ce’lasss iObsercal Extenvationsion • AxioNm uofpthrele’sxcCludleadsmsidcdalel. Extension • Axiom of the excluded middle. inhI • AxiomAxiomof!thineh eof#xΠc ltheuxd:eB dexcludedOmOiLdEdAleN.. x +mid(xdle→ v.oindh)I • ! inh # Πx : BOOLEAN. x + (x → void) inhI ! inh # Πx : BOOLEAN. x + (x → void) • Lift Booleans to Propositions. • Lift BooLiftlean sBooleansto Propos toitio nprs.opositions. • Li•ft Booleans to P↑r(oep)o=sitiifoensT.RUE FALSE. ↑ (e) = if e TRUE FALSE. ↑ M = if M TRUE FALSE. • Lower Propositions to Booleans. λ • Lo↓wPerLo=Prwdoepercois dpriteioopositionsn(saptopBionohle aPton)s .Booleans.( x:n-tm. tt) • Lowe•r Propositions to Booleans. (λy:n-tm. ff). ↓ (P ) = decide (inh P ) (λx. tt) (λy. ff). ↓ (P ) = decide (inh P ) (λx. tt) (λy. ff). • All important laws verifiable within Nuprl.
Proofs “R” Us – p.4/14 Proofs “R” Us – p.4/14
Proofs “R” Us – p.4/14 Translation (cont’d)
NuprlBBOOLEANS
Sentences Proofs
HOLBBooleans NuprlBBooleans
Types HOL Nuprl Terms Translations-as-RelationsTranslation (Terms) • Relations in Twelf. trans-tp : tp → nuprlterm → type trans-tm : tm A → nuprlterm → type trans-sentence : tm o → nuprlterm → type trans-proof : " P → trans-sentence P T → " M#T → type • Defining declarations omitted. tExtmecutable: tm A within→ n-t mTw→elf.type. • t=> : ttm => =p=>. • tW==e :cantt transfp A Norm→ t tHOLm == pr(=oofsp= N )into. Nuprl. where =p=> = lam (λx:n-tm. lam (λy:n-tm. if x y tt)).
=p= N = lam (λx:n-tm. lam (λy:n-tm. Proofs “R” Us – p.9/14 ↓ (eq x y N))).
Conclusion
• There is a true need to share mathematical knowledge in form of proofs. • Proof-theory: syntax instead semantics. • Logical framework technology important. • Proof conversion between HOL and Nuprl. • For other systems (PVS), work in progress. Open Questions
• Design of a query language. • Design of the database. • Shared domains, integers, natural numbers, complex numbers. • Partial transformations. • Connection to OMDOC. [Kohlhase 2001] • Formalization of other logics. www.logosphere.org
Thank you!