Sparkle

1
Sparkle

• A theorem prover for the functional language
  Clean
• Maarten de Mol
• University of Nijmegen
• February 2002

2
Introduction

• Sparkle Yet Another Theorem Prover
• Design goals.
• Why build a new theorem prover?
• Short description of Sparkle
• Specification language (Clean).
• Logic and semantics.
• Tactic language.
• Support for building proofs.
• User interface.
• Current status.

3
Design goals

• Basic idea integrate theorem prover with a
  programming language.
• Use theorem prover to annotate written programs
  with useful properties.
• Goal enhance programs.
• Intended users mainly programmers.
• Program and Prove same person.
• Proving is side activity.
• Important small proofs should be easy.

4
Why own theorem prover?

• Integration with Clean
• Reason on source code level
• Semantics.
• Syntax.
• Project structure.
• Store properties and proofs in programs.
• Link theorem prover to existing tools, such as
  editor.
• Distribute with Clean.

5
Specification language

• Clean
• Functional programming language.
• Referential transparency allows equational
  reasoning.
• Developed at University of Nijmegen.
• Very similar to Haskell.
• Some concepts
• Higher-order, curried and partial functions.
• Lazy evaluation.
• User-defined strict evaluation.
• Sharing / Overloading / Comprehensions /
  Uniqueness.

6
Example program
map (a ? b) a ? b map f xxs f x
map f xs map f increase Int ?
Int increase list map ( 1) list
7
Partial functions
hd a ? a hd xxs x

• If in a program the expression hd is
  evaluated, the program will terminate immediately
  (and an error message will be shown).

8
Lazy evaluation
nats Int ? Int nats n n nats (n1)

• Only parts of expressions that are really needed
  will actually be built.
• Allows for infinite intermediate results
• Nothing wrong with using hd (nats 7).
• The evaluation of last (nats 7) will either
  hang a program or halt it with an error message
  (out of resources).

9
Strictness annotations
hd !a ? a hd xxs x K !a b ? a K x
y y

• Strictness annotations argument must be reduced
  before function is entered.
• Only changes reduction order.
• May change termination properties.

10
Logic

• First-order propositional logic
• Basic units True, False, e1 e2, x.
• Operators ?, ?, ?, ?, ?.
• Quantors ?, ?.
• No predicates allowed.
• Quantification allowed over
• Expressions of arbitrary type.
• Propositions.

11
Semantics (1)

• Total semantics
• The constant expression ? is used to represent
  error values.
• Reduction may have ? as result
• The erronous application of a partial function
  leads to ?.
• hd reduces to ?
• Error values propagate stepwise to the outermost
  level
• (hd ) 7 reduces to ? 7 reduces to ?.

12
Semantics (2)

• Semantics of equality
• Based on reduction, but not dependent on
  reduction strategy.
• Based on observations
• The observation of an expression is obtained by
  replacing all its redexes by ?.
• e1 e2 is true iff
• for all (e1 reduces to r1)
• there exists (e2 reduces to r2)
• such that r1 and r2 are observationally equal
• (and vice-versa)

13
Semantics (3)

• Properties of equality
• Copes with finite equalities.
• Copes with infinite equalities.
• Copes with infinite reductions (equal to ?).
• Semantics of quantors
• All expressions of valid type may be substituted,
  including
• infinite expressions.
• the error value ?.

14
Semantics examples

• xs (ys zs) (xs ys) zs
• True for all values of xs, ys and zs, including
  all finite values, all infinite values and ?.
• reverse (reverse xs) xs
• True for all finite values of xs.
• True for xs ?.
• Not true for any infinite values of xs.
• xs ones ? last xs 1 (ones
  1ones)
• True for all values of xs, except
• Not true for xs ones!!

15
Tactics

• Standard, borrowed from logic and other theorem
  provers
• Intros Split Apply Rewrite
• Special for Clean
• Induction.
• Reduce SplitCase Case ChooseCase
• Only 42 in total no high-level automated tactics
  available.

16
Proving support

• Command prompt.
• Tactic list (prove by clicking).
• Hint mechanism
• Sparkle automatically searches for applicable
  tactics.
• A score is assigned to each hint.
• Hints are displayed and can be applied
• Manually.
• Automatically (with threshold).

17
Current status

• Alpha-version, but fully operational.
• Released in Clean distribution
• http//www.cs.kun.nl/clean
• Tested on examples found in the book
  Introduction to Functional Programming
• Promising results
• Proofs were easily made in Sparkle.
• Many proofs were found automatically by Sparkle.
• Not tested yet by programmers.
• Not tested yet on larger examples.
• Largest program 8Queens

18
Future plans

• Development on Sparkle continues.
• User interface.
• Tactical language.
• Hint mechanism.
• Enhance integration with Clean
• Allow properties to be specified in programs.
• Allow proofs to be stored in programs.
• Prove the (partial) correctness of a large
  application written in Clean.
• Scalability?