VeriML

DARPA CRASH ProjectProgress Report

Antonis StampoulisOctober 5th, 2012

A language-based, dependently-typed,user-extensible approach to proof

assistants

Software certification— CompCert [Leroy et al]— seL4 microkernel [Klein et al]

Mathematical theorems— Four-color theorem [Gonthier et al]— Feit-Thompson (Odd Order Theorem) [same team]

Proof – to – code size ratio:

~ 8 lines – to - 1

20 p.y. of proof for2 p.y. of development

Started May 2006Finished last week!

~1.3 weeks per page

Large formal proofsare possible and useful!require huge manual

effort

—can use domain-specific automation

—yet automation reconstructs full details

—validity fixed—proofs and automation

hard to write

Informal proofs—use “trivially”, “similarly”,

omit unnecessary details—require domain-specific

intuition—validity extensible

calculus

reals

basic reasoning

Formal proofs

VeriML- easy to develop new automation and extend background

reasoning- extensible notion of formal proof (no trivial details!)- novel programming language- focus on writing automation procedures- more generally: programs that construct proofs- serves as a novel proof assistant

Rich typesRich programming modelFirst-class support for logic

Safety

Expressiveness

Convenience

Comparison of Architecture“proof by juxtaposition”

Traditional proof assistants

ML type- checking

Tactic definition

Tactic invocation

RunProof object

Proof checking

?

HOL4, HOL-LightIsabelle

CoqNuPRL

PVS, ACL2don’t do that!

(unsafe)

Proof scripts invoke tactics

Tactics contain proof scripts

Every invocation can fail!

Comparison of ArchitectureTraditional proof assistants VeriML

ML type-checking

Tactic definition

Tactic invocation

RunProof object

Proof checking

?Proof

checking

Comparison of Architecture“proof by juxtaposition”

Traditional proof assistants VeriML

ML type-checking

Tactic definition

Tactic invocation

RunProof object

Proof checking

?

VeriML type checking

Proof checking

Tactic definition

Tactic invocation

RunProof object

OK!

- Reduce possibility of error

- Leverage information to help user while writing tactic

- Extend traditional interactivity model

- Don’t need to produce proof objects

Normal type-checking

Stage oneevaluationwithout producingproof objects

Normalevaluation

Background reasoning in VeriMLVeriML proofs, tactics,

etc.

VeriML Type- &

Proof- checking

user-defined“intuition” tactics

Run

- smaller proof checker- can still generate full proof objects- soundness guaranteed- extensions to background reasoning are

cheap- extensible static checking for proofs

and tactics as well!

arithmetic simplification

equational reasoning

normal conversionbase VeriML

typing

Recent progress- main milestone: wrote my dissertation

on VeriML and defended it! (400 pages and counting…)

- implementation milestones: VeriML 0.5- completed new compilation-based backend

for VeriML- proper staging support- separate compilation of VeriML modules- cleaned up various features in the

implementation and the examples- technical milestones

- cleaned-up presentation of metatheory- initial investigation of user-defined

representations for VeriML pattern matching

VeriML proofs, tactics, etc.

VeriML Type- &

Proof- checking

VeriML interpreter

VeriML interpreter

Recent progress: CompilationVeriML proofs, tactics,

etc.VeriML Type-

&Proof-

checking

OCamlinterpreter/compiler/JIT

OCamlinterpreter/compiler/JIT

VeriML to OCaml

Residual program

~6mins

~15 sec

Example: Arithmetic simplification

Example: Arithmetic simplification

• Further extensions to type inference• Figure out user-defined

representations for pattern matching• Pattern matching for inductive

definitions• SMT-like cooperating decision

procedures

Future work