
Graph Coloring and Machine Proofs in Computer Science, 1977-2017
Andrew W. Appel, Princeton University
Hales60 conference, Pittsburgh, PA, June 2018

National Science Foundation Expedition in Computing
Andrew Appel (Princeton), Lennart Beringer (Princeton), Stephanie Weirich (Penn), Benjamin Pierce (Penn), Steve Zdancewic (Penn), Adam Chlipala (MIT), Zhong Shao (Yale)

Deep Specifications are RICH, FORMAL, 2-SIDED, and LIVE:
RICH: describe complex behaviors in detail
FORMAL: in notation with a clear semantics
2-SIDED: connected to both implementations and clients
LIVE: machine-checked connection to implementations

Verifiable C
A foundationally sound higher-order impredicative concurrent separation logic in Coq, with Andrew W. Appel, Lennart Beringer, Qinxiang Cao, Josiah Dodds, Aquinas Hobor, William Mansky, et alia.

Let's prove programs correct!
Let's prove C programs correct!
That's preposterous! Surely, one should write pure functional programs in a language with a clean proof theory, and prove those correct!
True, for most applications. But some applications have specific demands (latency, performance, API compatibility) that require an industry-compatible low-level language. And how do you implement the runtime system for your beautiful pure functional language?

Let's prove C programs correct!
Need Hoare logic or abstract interpretation. We choose Hoare logic.

Let's prove modular C programs that use pointers correct!
Programs that use pointers: our Hoare logic should be Separation Logic.
Modular data structures: need higher-order logic.
Not just "safe": we need to reason in the mathematics of the application domain. ∴ The assertion language must be an expressive general-purpose logic; we choose Coq.

Higher-order logic
First-order logic: quantification at base types.
  ∀ x : ℕ . x > 3 → x > 2
Higher-order logic: quantification over predicates.
  ∀ P : (ℕ → Prop) . P(x+2) → P(1+x+1)

Let's prove modular, object-oriented C programs that use pointers correct!
Object-oriented programs: need impredicative higher-order logic. (Otherwise as above: Hoare logic rather than abstract interpretation, Separation Logic for pointers, Coq as the assertion language.)

Impredicative quantification
First-order and higher-order quantification as above, plus:
Impredicative: when P can be instantiated by quantified formulas.

Impredicative quantification with contravariance
C programs have: function pointers; Pthreads lock pointers; data abstraction; dynamic alloc/dealloc; void *.
A program logic for C therefore needs higher-order features such as impredicative quantification.

Function pointers

  struct object { void (*move)(void *self); };

  void make(void (*f)(void *self), struct object *p) {
    p->move = f;
  }

To specify this in logic: contravariant quantification over a predicate, which might itself be instantiated by a quantified predicate. But this leads to paradoxes! Impredicativity with contravariance is not sound!

That's so 20th-century! In the 21st century, just use a logic of approximation with the Löb operator, which we call "later" ⊳. Prove soundness with a step-indexed model:
  An Indexed Model of Recursive Types for Foundational Proof-Carrying Code, by Appel & McAllester, TOPLAS 2001.
  A Stratified Semantics of General References Embeddable in Higher-Order Logic, by Ahmed, Appel, & Virga, LICS 2002.
  An Indexed Model of Impredicative Polymorphism and Mutable References, by Ahmed, Appel, & Virga, 2003.
  Semantics of Types for Mutable State, by Amal Ahmed, Ph.D. thesis, 2004.
  A Very Modal Model of a Modern, Major, General Type System, by Appel, Melliès, Richards, & Vouillon, POPL 2007.
  Logical Step-Indexed Logical Relations, by Dreyer, Ahmed, & Birkedal, LICS 2009.
  A Theory of Indirection via Approximation, by Hobor, Dockins, & Appel, POPL 2010.
  Step-indexed Kripke models over recursive worlds, by Birkedal, Reus, Schwinghammer, Støvring, Thamsborg, & Yang, POPL 2011.
  ... and many more: just google-scholar "step-indexed author:Birkedal".

Let's prove concurrent, modular, object-oriented C programs that use pointers correct!
Concurrent programs: need Concurrent Separation Logic. (Otherwise as above.)

Let's prove concurrent, modular, object-oriented C programs that use pointers correct!
∴ Use a higher-order impredicative concurrent separation logic embedded in Coq.
But such a logic would be far too complex to trust its soundness!
∴ Prove it sound, in Coq, with respect to the operational semantics of C, using a step-indexed semantic model.
But the operational semantics of C is far too complex to trust as a definition!
∴ Prove it sound w.r.t. the CompCert Clight operational semantics, with respect to which CompCert is proved correct.

∴ Use a foundationally sound higher-order impredicative concurrent separation logic embedded in Coq.
But such a logic would be too complex for users to actually use!
∴ Provide a proof automation system, in Coq's lemma and tactic language, to help users apply the program logic to their programs.

The resulting stack, as drawn on the slide:
  VST-Floyd interactive prover
  Verifiable C program logic
  soundness proof
  CompCert verified C compiler

Conclusion
Let's prove C programs correct!
Oh, all right.

1955, in Michigan. Kenneth Appel finishes his two-year army service, starts a PhD in mathematics at the University of Michigan, takes a computer programming course, and gets a summer job at Douglas Aircraft programming air defense simulations.
1972, Urbana, Illinois. Teaches his 12-year-old son how to program a computer (and how to prove by diagonalization that there are more reals than integers).

Graph Coloring and Machine Proofs in Computer Science, 1977-2017
Kenneth Appel, 1932-2013. Wolfgang Haken, 1928-.
[Photo, 1976]
Can it really be a proof if you can't check it by machine?

Alfred B. Kempe, 1849-1922
Barrister of ecclesiastical law; mathematician.
In 1876, Kempe's Universality Theorem: for an arbitrary algebraic plane curve, a linkage can be constructed that draws the curve. Oops! There was a bug in the proof. Finally proved in 2002 by Michael Kapovich and John J. Millson.

In 1879, proof of the 4-color theorem: every planar graph can be colored using at most 4 colors. (Any nodes connected by an edge must have different colors.)
[Figure: a planar graph with nodes b, c, d, e, f, g, h, j, k, m]

Alfred B. Kempe, 1879
6-color theorem: every planar graph is 6-colorable.
5-color theorem: every planar graph is 5-colorable.
4-color theorem: every planar graph is 4-colorable.
Percy J. Heawood found a bug in the proof, 1890.

6-color theorem: every planar graph is 6-colorable. Proof:
1. Every planar graph has at least one node of degree < 6 (by Euler's polyhedron formula V − E + F = 2, the average degree is < 6).
2. If you remove one node from a planar graph, what remains is a planar graph.
3. This leads to an algorithm for coloring graphs.

Kempe's graph-coloring algorithm
To 6-color a planar graph:
1. Every planar graph has at least one vertex of degree ≤ 5.
2. Remove this vertex.
3. Color the rest of the graph with a recursive call to Kempe's algorithm.
4. Put the vertex back. It is adjacent to at most 5 vertices, which use up at most 5 colors from your "palette." Use the 6th color for this vertex.

Example: 6-color this graph
[Figure: the planar graph with nodes b, c, d, e, f, g, h, j, k, m, worked step by step over several slides]
Node c has degree < 6; remove it!
Now, by induction, suppose we could color the rest of the graph.
Now, color the residual graph. We can surely find a color for c: find a color for this node that's not already used in an adjacent node.
Put back the node c, and color it.
Why did this work? Because when we removed each node, at that time it had degree < 6. So when we put it back, it's adjacent to at most 5 already-colored nodes.

Kempe's 4-coloring algorithm
To 4-color a planar graph:
1. Find a vertex of degree ≤ 5 (there must be one).
2. Remove this vertex.
3. Color the rest of the graph with a recursive call to Kempe's algorithm.
4. Put the vertex back. The cases, by the degree of the vertex being put back (shown as figures on the slide):
   Degree ≤ 3: easy; you can find a color not used by an adjacent node.
   Degree 4: use the method of "Kempe chains."
   Degree 5: use "simultaneous Kempe chains."

Kempe chains
Suppose you are 4-coloring this graph:
[Figure: a partially colored planar graph with nodes b, d, f, g, h, j, k, u and one vertex marked "?" still to be colored]
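Kempe's 6-coloring algorithm, as an added Python example that is not from the slides (the function names are mine); the slides' graph is not reproduced, so the test graph is a constructed icosahedron, which is planar with every vertex of degree exactly 5. The same removal argument is also tried with a 5-color palette, where it fails on that graph because no vertex has degree ≤ 4, which is exactly why the 5- and 4-color theorems need Kempe chains rather than plain removal.

```python
from typing import Dict, Hashable, List, Optional, Set

Graph = Dict[Hashable, Set[Hashable]]


def kempe_color(graph: Graph, palette: int = 6) -> Optional[Dict[Hashable, int]]:
    """Color `graph` with `palette` colors by Kempe's removal argument.

    Step 1: a planar graph always has a vertex of degree <= 5 (Euler's formula).
    Step 2: remove it; the remainder is still planar, so repeat.
    Steps 3-4: put vertices back in reverse order of removal. Each one is then
    adjacent to at most palette-1 already-colored vertices, so one color is free.
    Returns None if no vertex of degree <= palette-1 exists (e.g. a non-planar
    graph with palette 6, or the icosahedron with palette 5).
    """
    remaining = {v: set(nbrs) for v, nbrs in graph.items()}
    order: List[Hashable] = []  # vertices in the order they were removed
    while remaining:
        v = next((u for u, nb in remaining.items() if len(nb) <= palette - 1), None)
        if v is None:
            return None  # Kempe's step 1 fails: no low-degree vertex left
        for u in remaining[v]:
            remaining[u].discard(v)
        del remaining[v]
        order.append(v)
    coloring: Dict[Hashable, int] = {}
    for v in reversed(order):  # last removed goes back first
        used = {coloring[u] for u in graph[v] if u in coloring}  # <= palette-1 colors
        coloring[v] = next(c for c in range(palette) if c not in used)
    return coloring


def is_proper(graph: Graph, coloring: Dict[Hashable, int]) -> bool:
    """True iff every edge joins two differently colored vertices."""
    return all(coloring[u] != coloring[v] for u in graph for v in graph[u])


def icosahedron() -> Graph:
    """Constructed test graph: two 5-cycles joined as an antiprism, plus two apexes."""
    edges = {(0, i) for i in range(1, 6)} | {(11, i) for i in range(6, 11)}
    edges |= {(i, i % 5 + 1) for i in range(1, 6)}            # upper ring
    edges |= {(5 + i, 5 + i % 5 + 1) for i in range(1, 6)}    # lower ring
    edges |= {(i, 5 + i) for i in range(1, 6)}                # zigzag between rings
    edges |= {(i, 5 + i % 5 + 1) for i in range(1, 6)}
    g: Graph = {v: set() for v in range(12)}
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return g
```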