Higher-Order Encodings with Constructors - PowerPoint PPT Presentation

1 / 55

About This Presentation

Title:

Higher-Order Encodings with Constructors

Description:

mk-fun2 (var (succ (succ zero))) There is no name for 2! 27 ... var has type Name = expr. encoded as. 35. Consistency by Translation ... – PowerPoint PPT presentation

Number of Views:77

Avg rating:3.0/5.0

Slides: 56

Provided by: edwinwe

Category:

more less

Transcript and Presenter's Notes

Title: Higher-Order Encodings with Constructors

1
Higher-Order Encodings with Constructors

Edwin Westbrook
advisors
Aaron Stump and Robert Pless

2
Software Verification

Growing call to ensure software is correct
59.5 billion annually NIST 02
Correct-by-construction languages
Eliminate certain classes of problems
ML and Haskell no type errors
Locking types Boyapati et al. 02 no deadlock
Question how to trust these guarantees?

3
Proving Languages Correct

Intensional Constructive Type Theory
Write programs and proofs in one language
Proofs are checked by computer
Can now trust guarantees
Implement compilers, etc. in ICTT
Write proofs of correctness
Check proofs by computer

4
Problem

Hard to represent PLs in ICTT
Key obstacle is name binding

f(x) x 2
name binding
bound name
5
Higher-Order Encodings with Constructors (HOEC)

New construct to represent name binding
Behaves like a name binding
Name binding for free
Formalized once in definition of HOEC
Proved correct once
Can then be used off the shelf

6
Outline

Representing data and proofs in ICTT
Difficulties with name binding
HOEC
Consistency of ICTT limited HOEC
Related Work

7
Encodings

Need to encode objects in ICTT
Want adequate encoding objects ? ICTT data

O1
O2

Objects
ICTT data
D1
D2

8
Data in ICTT

Algebraic Datatypes (ADTs)
Set of function symbols called constructors
Constructors have types give arities
Encodings objects ? ADTs

9
Data in ICTT

Example natural numbers
Adequate encoding

nat is an ADT
nat Type zero nat succ nat gt nat
nullary constructor for nat
unary constructor for nat
0
zero
1
succ zero
etc.
10
Functions on Data

Functions defined by pattern-matching
Specifies what to do for each constructor
Example add function
Function names written here in bold

add x zero x add x (succ y) succ (add x
y)
11
Example Arithmetic Expressions

Simple programming language of and ?

n is an expression, called a literal E1 E2 is
an expression E1 ? E2 is an expression
12
Encoding Expressions in ICTT

Make constructors for each case

n E1 E2 E1 ? E2
lit n plus e1 e2 mult e1 e2
Example 1 1 plus (lit (succ zero)) (lit (succ
zero))
13
Encoding Expressions in ICTT

Constructor definitions
plus e has type expr gt expr, so plus is binary
This is called Currying
Abbreviated as expr gt expr gt expr

expr Type lit nat gt expr plus expr gt
(expr gt expr) times expr gt (expr gt expr)
14
Evaluating Expressions

Running a program
add as above, mult performs multiplication

eval (lit n) n eval (plus m n) add (eval m)
(eval n) eval (times m n) mult (eval m) (eval n)
Example eval (plus (lit (succ zero)) (lit (succ
zero)) succ (succ zero)
15
Curry-Howard Isomorphism

Can encode proofs as ADTs
Propositions --gt Types
Proofs --gt Elements of types
Can build an element of type T iff T is true
Requires indexed types types contain data

16
Example Equality

Constructor definitions
eq M N is an ADT for any nats M and N
eq-refl M is an element of type eq M M
?xA . B is dependent function type
Adequate encoding of equality

eq nat gt nat gt Type eq-refl ?xnat . eq x
x
M N
element of type eq m n
17
Proving Implications

Function types are implications
Function of type A gt B builds B proof from A
Example symmetry of equality
Want type ?xnat . ?ynat . eq x y gt eq y x

eq-symm x x (eq-refl x) eq-refl x
only constructor is eq-refl, ensures args 1 and 2
are the same
18
Can Do Non-Trivial Proofs

Verified insertion sort Altenkirch 96
Primality testing with elliptical curves Théry
and Hanrot 07
These do not use PLs as data

19
Encoding Name Binding

How to encode name binding?
E.g. want to encode
First we define name binding

f(x) x 2
20
Properties of Name Binding

Freshness
Bound name is a new, distinct object

f(x) x 2
different from
f(x) 3 2
21
Properties of Name Binding

?-equivalence
Name of the name is irrelevant

f(x) x 2
syntactically equivalent to
f(y) y 2
22
Properties of Name Binding

Scoping
Names not allowed outside a binding

f(x) x y
malformed y is not bound
23
Properties of Name Binding

Typing
Names are new objects of a specific type

f(x) x 2
x is a number
24
Properties of Name Binding

Note typing is optional
Encodings with typing are called Higher-order
Without typing, names all have one type Name

25
A Straightforward Approach

deBruijn indices use numbers for names
mk-fun2 encodes binary functions
(var n) encodes variable number n

f(x,y) x y
mk-fun2 (times (var zero) (var (succ zero)))
26
Problem with deBruijn Indicies

deBruijn indices violate scoping

mk-fun2 (var (succ (succ zero)))
There is no name for 2!
27
Higher-Order Encodings with Constructors

HOEC ADTs ?-abstractions
Written ?cA.M
From Schürmann et al. 05, use here is novel
Binds a local constructor c of type A in M
Can use to encode name bindings
Has 4 name binding properties by definition
Name binding for free

28
Example Arithmetic Functions
f (x) x 2
encoded as
mk-fun (?xexpr.times x (lit (succ (succ zero))))
x is a new constructor
29
? Adds to Set of Constructors
lit nat gt expr plus expr gt expr gt
expr times expr gt expr gt expr
?x expr
lit nat gt expr plus expr gt expr gt
expr times expr gt expr gt expr x expr
x is new
30
Name Binding for Free

Properties defined once in definition of ?
E.g. ?-equivalence

mk-fun (?xexpr.times x (lit (succ (succ zero))))
equivalent by definition of ?-abstraction to
mk-fun (?yexpr.times y (lit (succ (succ zero))))
31
Name Binding and Functions

Can pattern-match inside ?-abstractions
Example substitution
Can be written with subst function

1 / x (x 2) 1 2
subst (succ zero) (?xexpr.times x (lit (succ
(succ zero)))) times (succ zero) (succ (succ
zero))
32
Consistency

For a theory to be useful, need consistency
Cannot prove false
Future work for ICTT full HOEC
Did prove for ICTT a restricted HOEC

33
Restricted HOEC

Typing property is removed
Local constructors all have type Name
Omit type from ?-abstractions, written ?c.M
Calculus of Nominal Inductive Constructions
CNIC ICTT restricted HOEC
Similar to Nominal Logic Gabbay Pitts 02

34
Example of Restricted HOEC
f (x) x 2
encoded as
mk-fun (?x.times (var x) (succ (succ zero))
var has type Name gt expr
35
Consistency by Translation

CNIC ? language known to be consistent
E.g. Calculus of Inductive Constructions (CIC)

False proved in CNIC
False proved in CIC
Impossible
36
Worlds

Translation is relative to a world
World local constructors bound by ?
Example

?x.?y.plus (var x) (var y)
world here is x,y
37
Two Pieces of Translation

M is translation of M in world ?
M is proof that above is correct
Valid translation
Only uses names in ?
Similar to adequate encoding
All and only valid translations have proofs

38
Translation as Adequate Encoding

Pf part exists for all and only valid
translations

CNIC terms
M, ?
CIC Terms
M , M
39
But Theres One Small Problem

I could not get equal terms ? equal terms

CNIC terms
M1, ?
M2, ?
CIC Terms
?
M , M
M , M
40
CIC T

Solution more equalities in target theory
Target language is now CIC T
T Category of trees
Category functions over some set of objects
Modification of Kelly Laplaza 80
Combination is an instance of CCIC
Consistent by Blanqui et al. 08

41
Related Work

Higher-Order Abstract Syntax (HOAS)
Introduced in Pfenning Elliot 88
?Prolog Miller 91
Twelf Pfenning Schürmann 99
Modal calculus of Schürmann et al. 01
?-calculus Schürmann et al. 05
Contextual Modal Type Theory Nanevski
et al. 05, Pientka 08

42
Related Work HOAS

Name bindings --gt meta-language functions
Names --gt meta-language variables
Name properties binding for free
No constructs (like ?-abstractions) are added
Cannot pattern-match directly on variables
Violates substitution principle
Not integrated with full ICTT
Partial attempts on previous slide

43
Related Work

Nominal Logic
Introduced in Pitts 01, Gabbay Pitts 02
Implementations Urban Tasson 05, Aydemir et
al. 06
Name binding --gt ?-equivalence classes
Not easily integrated with ICTT
Partial attempts Cheney 08

44
Conclusion

Higher-Order Encodings with Constructors
Encode programming languages in ICTT
Prove properties about them
Consistency of ICTT restricted HOEC
First full ICTT with name binding features

45
Questions?
46
Encoding Name Binding

Constructor definitions

fun-expr Type expr Type lit nat gt
expr plus expr gt expr gt expr mult expr gt
expr gt expr mk-fun (?cexpr . expr) gt
fun-expr
Type of ?-abstractions
47
Name Binding in CNIC

Arithmetic functions in CNIC

fun-expr Type expr Type lit nat gt
expr var Name gt expr plus expr gt expr gt
expr mult expr gt expr gt expr mk-fun (??.
expr) gt fun-expr
vars encoded as (var ?)
Binds ? of type Name
48
Note On Totality

Note all functions must be total
Otherwise type A gt B is not an implication
Totality also required for consistency
Nonterminating recursion unsound induction
Totality ensured with syntactic conditions

Recursive call on subterm of input
add x zero x add x (succ y) succ (add x
y)
49
Pattern-Matching with Bindings

Can pattern-match inside name bindings
BUT must be limited to maintain scoping
The following breaks scoping
foo (?cexpr . c) removes c from its scope!

foo (?cexpr . x) x
50
Pattern-Matching with Bindings

Pattern variables must occur as xltc1,cngt
The ci are constructors bound in pattern
Wraps the scrutinee in ?c1?cn.
Example let foo be defined as
Then we have foo (?c.(f M)) ?c.M

foo (?cexpr . (f xltcgt)) x
51
Pattern-Matching with Bindings

Example substitution

subst M (?cexpr.lit nltcgt) lit (liftnat
n) subst M (?cexpr. c) M subst M (?cexpr.
d) d subst M (?cexpr. plus xltcgt yltcgt)
plus (subst M x) (subst M y) subst M (?cexpr.
times xltcgt yltcgt) times (subst M x) (subst M y)
52
The Category T