Sparkle a functional theorem prover

1
Sparklea functional theorem prover

• Maarten de Mol,
• Marko van Eekelen,
• Rinus Plasmeijer
• September 2001
• University of Nijmegen

2
Overview

• Design goals make it possible to formally reason
  about programs written in Clean
• Introduction to Sparkle
• implementation
• characterization specification language, logic,
  tactical language, user interface
• Towards the realization of design goals
• feasibility of specification language
• proving styles (hint mechanism)
• Preliminary results and conclusions

3
Overview (1)

• Design goals make it possible to formally reason
  about programs written in Clean
• Introduction to Sparkle
• implementation
• characterization specification language, logic,
  tactical language, user interface
• Towards the realization of design goals
• feasibility of specification language
• proving styles (hint mechanism)
• Preliminary results and conclusions

4
Design goals (1)

• Make it possible to formally prove properties of
  programs written in Clean
• should be easier than with existing provers
• should be possible for both smaller programs
  (certificates) and larger programs (partial
  correctness)
• Make it possible for programmers to formally
  reason about Clean-programs
• focus on proofs of small programs
• should be possible to do in short time
• should require little expertise

5
Design goals (2)

• Integrate Sparkle in the Clean system

code generator
editor
compiler
IDE
theorem prover
linker
profilers
6
Overview (2)

• Design goals make it possible to formally reason
  about programs written in Clean
• Introduction to Sparkle
• implementation
• characterization specification language, logic,
  tactical language, user interface
• Towards the realization of design goals
• feasibility of specification language
• proving styles (hint mechanism)
• Preliminary results and conclusions

7
Implementation of Sparkle

• Programming language
• Clean 1.3 (will be upgraded to 2.0)
• Libraries used
• Object I/O Library
• Clean 2.0 Compiler (frontend only)
• Size (counted in lines of source code)
• theorem prover ? 55.000
• compiler frontend ? 40.000
• Object I/O ? 40.000
• total ? 135.000

8
Specification of programs (1)

• Specification language Core-Clean
• subset of Clean 2.0 (and Haskell)
• basic functional programming language
• lazy evaluation, strictness, sharing, basic
  values
• no syntactical sugar (functions case let)
• translation of Clean to Core-Clean is possible
• overloading is translated to dictionaries
• ZF/dotdot-expressions are translated to functions
• pattern matching is translated to case
  distinction
• local functions are translated to global
  functions
• .

9
Specification of programs (2)

• Reasoning takes place in Core-Clean
• richness of Clean makes it difficult to reason
• Translation of Clean to Core-Clean is performed
  by the compiler

frontend of Clean 2.0 Compiler
programming language (Clean)
reasoning language (Core-Clean)
10
Specification of properties

• Specification language Core-Logic
• equalities on expressions
• logical connectives
• not (?), and (?), or (?), implies (?), iff (?)
• logical quantors
• universal (?)
• over propositions
• over arbitrary expressions
• existential (?)
• over propositions
• over arbitrary expressions

11
Semantics of Core-Logic

• Semantics for (operational, bisimilar)
• E F
• ?E ? E?F ? FE ? F ?
• ?F ? F?E ? EF ? E
• Rules for ?
• (C x1xn) is only smaller-equal than something of
  the form (C y1yn) where x1 ? y1 ? ? xn ? yn
• a basic value is only smaller-equal than itself
• __ is only smaller-equal than itself
• any other E is smaller-equal than anything else
• Semantics for other constructs standard

12
Tactical language

• Tactics
• currently a total of 42 different tactics
• logic tactics
• Introduce, Split, Witness, .
• programming tactics
• Induction, Reduce, SplitCase, .
• similar to well-known theorem provers
• Composition of tactics
• repeat
• compose ()

13
User interface proving styles

• Three different ways of applying tactics
• select from displayed list of tactics and
  manually choose arguments in the tactic dialog
• use the command prompt (keyboard only)
• select from suggestion list (hint mechanism)
• suggestions are based on the current goal
• suggestions are sorted by a probability score
  (hard-coded in Sparkle and based on personal
  experience with proving properties of functional
  programs)
• suggestions can be applied with a hot-key
• suggestions with a high enough probability score
  can be applied automatically

14
Overview (3)

• Design goals make it possible to formally reason
  about programs written in Clean
• Introduction to Sparkle
• implementation
• characterization specification language, logic,
  tactical language, user interface
• Towards the realization of design goals
• feasibility of specification language
• proving styles (hint mechanism)
• Preliminary results and conclusions

15
Realization of design goals

• Similar programming and reasoning language
• same semantics (and syntax)
• translation preserves program structure
• Specialized tactics
• Three different proving styles
• hint mechanism fast, no expertise needed
• prompt powerful
• tactic dialogs in between
• Sophisticated user interface

16
Overview (4)

• Design goals make it possible to formally reason
  about programs written in Clean
• Introduction to Sparkle
• implementation
• characterization specification language, logic,
  tactical language, user interface
• Towards the realization of design goals
• feasibility of specification language
• proving styles (hint mechanism)
• Preliminary results and conclusions

17
Preliminary results

• No final results available yet
• not tested on bigger examples yet
• Tested on 49 basic theorems
• basic theorems on lists
• many inspired by Introduction to Functional
  Programming (Bird)
• Proving effort (biased)
• little expertise needed (except for basic values)
• little time needed (several hours for an expert)
• many can be proved automatically

18
Conclusions

• A working implementation is available.
• Not tested enough for definite conclusions.
• Proving properties of smaller programs seems very
  easy using Sparkle
• Usable by programmers probably.
• Better than existing systems yes.
• Proving properties of larger programs to be done.

19
Examples of proved theorems
1. map f (xsys) map f xs map f ys 2. foldr
() 0 sum 3. (n __) -gt take n xs
drop n xs xs 4. (map f) o reverse reverse o
(map f) 5. length (reverse xs) length xs 6.
infinite xs False -gt reverse (xsys)
reverse ys reverse xs 7. n gt 0 -gt m gt 0
-gt (take m) o (drop n) (drop n) o (take
(mn))