
This thesis has been submitted in fulfilment of the requirements for a postgraduate degree (e.g. PhD, MPhil, DClinPsychol) at the University of Edinburgh. Please note the following terms and conditions of use:

• This work is protected by copyright and other intellectual property rights, which are retained by the thesis author, unless otherwise stated.
• A copy can be downloaded for personal non-commercial research or study, without prior permission or charge.
• This thesis cannot be reproduced or quoted extensively from without first obtaining permission in writing from the author.
• The content must not be changed in any way or sold commercially in any format or medium without the formal permission of the author.
• When referring to this work, full bibliographic details including the author, title, awarding institution and date of the thesis must be given.

REFACTORING PROOFS

Iain Johnston Whiteside
Doctor of Philosophy
School of Informatics
University of Edinburgh
2013

Iain Johnston Whiteside: Refactoring Proofs, Doctor of Philosophy © 2013

ABSTRACT

Refactoring is an important Software Engineering technique for improving the structure of a program after it has been written. Refactorings improve the maintainability, readability, and design of a program without affecting its external behaviour. In analogy, this thesis introduces proof refactoring to make structured, semantics preserving changes to the proof documents constructed by interactive theorem provers as part of a formal proof development.

In order to formally study proof refactoring, the first part of this thesis constructs a proof language framework, Hiscript. The Hiscript framework consists of a procedural tactic language, a declarative proof language, and a modular theory language. Each level of this framework is equipped with a formal semantics based on a hierarchical notion of proof trees. Furthermore, this framework is generic as it does not prescribe an underlying logical kernel. This part contributes an investigation of semantics for formal proof documents, which is proved to construct valid proofs. Moreover, in analogy with type-checking, static well-formedness checks of proof documents are separated from evaluation of the proof. Furthermore, a subset of the SSReflect language for Coq, called eSSence, is also encoded using hierarchical proofs. Both Hiscript and eSSence are shown to have language elements with a natural hierarchical representation.

In the second part, proof refactoring is put on a formal footing with a definition using the Hiscript framework. Over thirty refactorings are formally specified and proved to preserve the semantics in a precise way for the Hiscript language, including traditional structural refactorings, such as rename item, and proof specific refactorings such as backwards proof to forwards proof and declarative to procedural. Finally, a concrete, generic refactoring framework, called Polar, is introduced. Polar is based on graph rewriting and has been implemented with over ten refactorings and for two proof languages, including Hiscript.

Finally, the third part concludes with some wishes for the future.

ACKNOWLEDGEMENTS

Writing this thesis has been the final part of the wonderful adventure that has been my PhD. Like all adventurers, I’ve needed a lot of help and support along the way. I’d like to take this opportunity to say thanks.

First and foremost I am deeply indebted to my supervisors David Aspinall, Lucas Dixon, and Gudmund Grov for their guidance, enthusiasm, and patient explanation when I so often needed it. When Lucas moved across the Atlantic to work for Google — I was a very difficult student — Gudmund was kind enough to step into the breach as my second supervisor. A decision perhaps regretted by Gudmund but much appreciated by me. This thesis has benefitted considerably from their careful proof reading, which has eliminated as much of my writing ‘style’ as possible.

I’d like to also thank Georges Gonthier and Microsoft Research for sponsoring this work. Georges’ unrivalled experience in formal proof and his enthusiasm for refactoring have been a great source of inspiration.

My fellow DReaMers helped create a wonderful environment for research and for providing me with an understanding of the clarity of mind, rigour, and objectivity that are crucial for doing science. Thank you. Dominik, you instilled in me a love of parsing and I am profoundly thankful to have had a chance to work with you. I’m sorry we never did have that table tennis match, but let’s face it, you would have beaten me and I don’t like losing.

I am enormously grateful to Ewen Denney for giving me the dream opportunity of working with the Intelligent Systems Division at NASA Ames Research Center in sunny California. Aside from the stimulating chats and walks with Ewen and the enlightening conversations over burritos, the discovery of Anchor Steam, Sierra Nevada, sweet potato fries, and running in Yosemite with Matthias and David remain especially vibrant in my mind.

Outside of research, I must thank all my running friends from the Haries and Carnethy. I’ve had too many memorable experiences with you all to count. Running keeps me sane — approx. 1150 miles run writing this — and I’ve been privileged to have such wonderful people to run with. Football Thursday was a fantastic way to spend one afternoon from the working week with great friends. I will miss the fun, though perhaps not the barbarity of the ‘cage’, more than I can say. To my flatmates and officemates: thank you for putting up with me and sorry about all the muddy shoes.

Megan, you are an inspiration. Life without you is like a broken pencil. Pointless.

Last but by no means least, I’d like to thank my family whose unconditional faith and encouragement have kept me going. My mum is used to taking the brunt of my frustrations, so this is the perfect place to say thank you. For everything.

DECLARATION

I declare that this thesis was composed by myself, that the work contained herein is my own except where explicitly stated otherwise in the text, and that this work has not been submitted for any other degree or professional qualification except as specified.

Edinburgh, 2013

Iain Johnston Whiteside, May 31, 2013

CONTENTS

1 Preliminaries 1
1.1 The origin of the thesis 1
1.2 Thesis roadmap 2
1.3 How to read this thesis 5

I Proof language framework 7

2 Proof languages and hierarchy 8
2.1 Introduction 8
2.2 Hierarchical proof 9
2.3 Proof languages 11
2.3.1 Procedural proofs 11
2.3.2 Declarative languages 12
2.3.3 SSReflect 13
2.4 Summary 14

3 Hiproofs and Hitacs 15
3.1 Introduction 15
3.2 Hierarchical proof 15
3.2.1 A hiproof term language 16
3.2.2 Hiproof validation 17
3.2.3 A hiproof normal form 19
3.2.4 Hiproof examples 28
3.3 Hierarchical tactics 33
3.3.1 A Hitac term language 33
3.3.2 Big step evaluation semantics 36
3.3.3 Well-formed tactics 38
3.3.4 Minimal environments 40
3.3.5 Examples 41
3.4 Summary 44

4 The Hiscript proof language 45
4.1 Introduction 45
4.2 The Hiscript proof language 46
4.3 Hiscript semantics 49
4.4 Gap-free proofs 53
4.5 Static checks on proofs and minimal environments 54
4.5.1 Well-formedness checking 54
4.5.2 Minimal environments 56
4.5.3 Environment extension 56
4.6 Discussion 57
4.6.1 Comparison with other declarative languages 58

5 Proof documents 59
5.1 Introduction 59
5.2 Theories and their semantics 60
5.2.1 Theory syntax 60
5.2.2 Semantics for theories 61
5.2.3 Correctness of evaluation 63
5.2.4 Example theory 64
5.3 Proof documents 66
5.3.1 Proof document syntax 69
5.3.2 Evaluating theories in a document 70
5.3.3 Properties of theory evaluation 75
5.3.4 Evaluating a proof document 76
5.3.5 Example document 76
5.4 Discussion 79

6 An eSSence of SSReflect 81
6.1 Introduction 81
6.2 Introducing the language 81
6.3 SSReflect style 83
6.4 Syntax of the language 85
6.5 Sentence semantics 89
6.5.1 A direct translation to Hitac 93
6.6 Semantics for scripts 95
6.7 Example 97
6.8 Summary 98

II Refactoring proofs 99

7 Improving the design of existing code 100
7.1 Introduction 100
7.2 Introducing refactoring 100
7.3 Why refactor proof? 102
7.4 Semantics preservation 103
7.5 A survey of refactoring 104
7.5.1 Informal refactoring presentations 104
7.5.2 Formal programming language refactoring 106
7.5.3 Refactoring tools 108
7.5.4 Generic and language independent refactorings 109
7.5.5 Refactoring in other paradigms 109
7.6 Approach 110

8 A catalogue of proof refactorings 111
8.1 Introduction 111
8.2 Rename an item 111
8.3 Copy an item 113
8.4 Move item 115
8.5 Flatten a subproof 117
8.6 Fold a tactic 119
8.7 Unfold a tactic 121
8.8 Generalise a tactic 123
8.9 Summary 124

9 Refactoring proofs 125
9.1 Introduction 125
9.2 A formal definition of refactoring 126
9.3 Copy a have statement 129
9.4 Delete unused have statement ...