Lecture 17: Hoare concluded, Blast through Theorem Proving
15-819O: Program Analysis
Claire Le Goues
(c) 2016, Claire Le Goues
Prove array sum correct

{N ≥ 0, j = 0}
s := 0;
while (j < N) do
  j := j + 1;
  s := s + a[j];
end
{ s = (Σi | 0 ≤ i < N • a[i]) }
Invariants are not easy
• Consider QuickSort:

  int partition(int *a, int L0, int H0, int pivot) {
    int L = L0, H = H0;
    while (L < H) {
      while (a[L] < pivot) L++;
      while (a[H] > pivot) H--;
      if (L < H) { int t = a[L]; a[L] = a[H]; a[H] = t; }   /* swap a[L] and a[H] */
    }
    return L;
  }

• Consider verifying only memory safety.
Rhetorical question: What is the loop invariant for the outer loop?
Thoreau, Thoreau, Thoreau
$ ./Simplify > (AND (EQ (+ 0 2) 2) (FORALL ( x y ) (IMPLIES (EQ (+ x y) 2) (AND (IMPLIES (> y 0) (EQ (+ (+ x 1)(- y 1)) 2))
(IMPLIES (<= y 0) (NEQ x 0))))))
1: Valid.
• Huzzah!
• (Z3 is more standard these days; more on theorem proving next)
Emerson, Emerson, Emerson
$ ./Simplify > (AND TRUE
(FORALL ( x y ) (IMPLIES TRUE
(AND (IMPLIES (> y 0) TRUE)
(IMPLIES (<= y 0) (NEQ x 0))))))
Counterexample: context:
(AND
(EQ x 0)
(<= y 0)
)
1: Invalid.
• OK, so we won’t be fooled.
Automated deduction
• Logical deduction performed by a machine.
• One of the oldest and technically deepest fields of computer science; some results are 75 years old.
  – Automation efforts about 40 years old.
  – Floyd-Hoare axiomatic semantics fit right in.
• Still making progress (even after 40 years).
Why bother?
• “Constraint solvers” or “SMT solvers” or “automated theorem provers” are endemic in analysis (and PL, SE, Security…).
• Many analyses/transformations call Chaff, Z3 or Simplify (etc.) as a black box. Examples:
  – rule out the exploration of infeasible paths (model checking, dataflow analysis, symbolic execution)
  – reason about the heap (McCarthy, symbolic execution)
  – automatically synthesize programs from specifications
• We have whole courses on this stuff at CMU; I will skim aggressively, just so that you have some idea of what the black box is doing.
Theory
• A theory: set of function and predicate symbols (sentences, or syntax) and definitions for symbol meanings (semantics, or a deductive system that determines satisfiability).
  – Usually, sentences formally defined by a grammar of terms over atoms.
• Consider primarily theories reasoning about conjunctions of literals, like:
  – 0, 1, -1, 2, -3, …, +, -, =, < (usual meanings; “theory of integers with arithmetic” or “Presburger arithmetic”)
  – =, ≤ (axioms of transitivity, anti-symmetry, and ∀x. ∀y. x ≤ y ∨ y ≤ x; “theory of total orders”)
  – sel, upd (McCarthy’s “theory of lists”)
• A satisfying assignment (model, interpretation) maps literals (terms/negated terms) to booleans.
We can’t have nice things
• Theorem (Gödel, 1931): No consistent system of axioms whose theorems can be listed by an algorithm is capable of proving all truths about relations of the natural numbers.
• But we can profitably restrict attention to some relations about numbers.
Decision procedures for Theories
• The Decision Problem: Decide whether a formula in a theory with first-order logic is true.
• Example: Decide “∀x. x > 0 ⇒ (∃y. x = y + 1)” in {N, +, =, >}
• A theory is decidable when there is an algorithm that solves the decision problem.
• This algorithm is the decision procedure for that theory.
The Satisfiability Problem
• Decide whether a conjunction of literals in the theory is satisfiable
  – Factors out the first-order logic part
• The decision problem can be reduced to the satisfiability problem
  – Parameters for ∀, Skolem functions for ∃, negate and convert to DNF (sorry; I won’t explain this here)
• “Easiest” Theory = Propositional Logic = SAT
  – A decision procedure for it is a “SAT solver”
Conjunctive Normal Form
• A literal is “variable” or “negated variable”: x, ¬y
• A clause is a disjunction of literals: (x ∨ y ∨ ¬z)
• Conjunctive normal form (CNF) is a conjunction of clauses: (x ∨ y ∨ ¬z) ∧ (¬x ∨ ¬y) ∧ (z)
• Must satisfy all clauses at once
• Goal: Given a formula, say “SAT” or give a counterexample
Satisfying assignment
• A satisfying assignment maps boolean variables to boolean values.
• Suppose σ(x) = true and σ(y) = false
  – σ ⊨ x                // ⊨ = “models” or “makes true” or “satisfies”
  – σ ⊨ x ∨ y
  – σ ⊨ y ⇒ ¬x
  – σ ⊨ x ⇒ (x ⇒ y)
  – σ ⊨ ¬x ∨ y
Cook-Levin Theorem
• Theorem (Cook-Levin). The boolean satisfiability problem is NP-complete.
  – Cook ’71, “The complexity of theorem proving procedures”.
  – Karp ’72 with “Reducibility among combinatorial problems”.
  – Combo: Turing Awards.
• SAT is in NP: verify the satisfying assignment
• SAT is NP-Hard: we can build a boolean expression that is satisfiable iff a given nondeterministic Turing machine accepts its given input in polynomial time
SAT Solving algorithms
∃σ. σ ⊨ (x ∨ y ∨ ¬z) ∧ (¬x ∨ ¬y) ∧ (z)
• So how do we solve it?
• Ex: σ(x) = σ(z) = true, σ(y) = false
• Expected running time?
Think fast: Partial Answer?
(¬a ∨ ¬b ∨ ¬c ∨ d ∨ e ∨ ¬f ∨ g ∨ ¬h ∨ ¬i)
∧ (¬a ∨ b ∨ ¬c ∨ d ∨ ¬e ∨ f ∨ ¬g ∨ h ∨ ¬i)
∧ (a ∨ ¬b ∨ ¬c ∨ ¬d ∨ e ∨ ¬f ∨ ¬g ∨ ¬h ∨ i)
∧ (¬b) ∧ (a ∨ ¬b ∨ c ∨ ¬d ∨ e ∨ ¬f ∨ ¬g ∨ ¬h ∨ i)
∧ (¬a ∨ b ∨ ¬c ∨ d ∨ ¬e ∨ f ∨ ¬g ∨ h ∨ ¬i)
• If this is satisfiable, what must part of the satisfying assignment be? b = false
Think fast again
(¬a ∨ c ∨ ¬d ∨ e ∨ f ∨ ¬g ∨ ¬h ∨ ¬i)
∧ (¬a ∨ b ∨ ¬c ∨ d ∨ ¬e ∨ f ∨ g ∨ h ∨ i)
∧ (¬a ∨ ¬b ∨ c ∨ e ∨ f ∨ g ∨ ¬h ∨ i)
∧ (¬a ∨ b ∨ c ∨ d ∨ e ∨ ¬f ∨ ¬g ∨ h ∨ ¬i)
∧ (b ∨ ¬c ∨ ¬d ∨ e ∨ ¬f ∨ g ∨ h ∨ ¬i)
∧ (¬a ∨ b ∨ c ∨ d ∨ ¬g ∨ ¬h ∨ ¬i)
• If this instance is satisfiable, what must part of the satisfying assignment be? a = false
Unit and Pure
• A unit clause contains only a single literal.
  – Ex: (x), (¬y)
  – Can only be satisfied by making that literal true.
  – Thus, there is no choice: just do it!
• A pure variable is either “always ¬-negated” or “never ¬-negated”.
  – Ex: (¬x ∨ y ∨ ¬z) ∧ (¬x ∨ ¬y) ∧ (z)
  – Can only be satisfied by making that literal true.
  – Thus, there is no choice: just do it!
Unit Propagation
• If X is a literal in a unit clause, add X to the satisfying assignment and replace X with “true” in the input, then simplify:
  1. (¬x ∨ y ∨ ¬z) ∧ (¬x ∨ ¬z) ∧ (z)
  2. identify “z” as a unit clause
  3. σ += “z = true”
  4. (¬x ∨ y ∨ ¬true) ∧ (¬x ∨ ¬true) ∧ (true)
  5. (¬x ∨ y) ∧ (¬x)
• Profit! Let's keep going...
Unit Propagation FTW
  5. (¬x ∨ y) ∧ (¬x)
  6. Identify “¬x” as a unit clause
  7. σ += “¬x = true”
  8. (true ∨ y) ∧ (true)
• Done! {z, ¬x} ⊨ (¬x ∨ y ∨ ¬z) ∧ (¬x ∨ ¬z) ∧ (z)
Pure Variable Elimination
If V is a variable that is always used with one polarity, add it to the satisfying assignment and replace V with “true”, then simplify.
  1. (¬x ∨ ¬y ∨ ¬z) ∧ (x ∨ ¬y ∨ z)
  2. identify “¬y” as a pure literal
  3. (¬x ∨ true ∨ ¬z) ∧ (x ∨ true ∨ z)
  4. Done.
DPLL
• The Davis-Putnam-Logemann-Loveland (DPLL) algorithm is a complete decision procedure for CNF SAT based on:
  – Identify and propagate unit clauses
  – Identify and propagate pure literals
  – If all else fails, exhaustive backtracking search
• Builds up a partial satisfying assignment over time.
• DP ’60: “A Computing Procedure for Quantification Theory”
• DLL ’62: “A Machine Program for Theorem Proving”
DPLL Algorithm

  let rec dpll (c : CNF) (σ : model) : model option =
    if σ ⊨ c then                      (* poly time *)
      Some σ                           (* we win! *)
    else if () ∈ c then                (* empty clause *)
      None                             (* unsat *)
    else
      let u = unit_clauses_of c in
      let c, σ = fold unit_propagate (c, σ) u in
      let p = pure_literals_of c in
      let c, σ = fold pure_literal_elim (c, σ) p in
      let x = choose ((literals_of c) – (literals_of σ)) in
      (dpll (c ∧ x) σ) or (dpll (c ∧ ¬x) σ)   (* first branch that returns Some wins *)
DPLL example
• (x ∨ ¬z) ∧ (¬x ∨ ¬y ∨ z) ∧ (w) ∧ (w ∨ y)    Unit clauses: (w)
• (x ∨ ¬z) ∧ (¬x ∨ ¬y ∨ z)                  Pure literals: ¬y
• (x ∨ ¬z)                                  Choose unassigned: x (recursive call)
• (x ∨ ¬z) ∧ (x)                            Unit clauses: (x)
• Done: σ = {w, ¬y, x}
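The DPLL recipe of the preceding slides (unit propagation, pure-literal elimination, and branching only when neither applies), written out as an added Python example that is not part of the lecture slides. The representation is this example's own choice: a literal is a (variable, polarity) pair, a clause is a list of literals, a CNF formula is a list of clauses, and the model σ is a dict from variable to bool. The sample inputs are the formulas from the Unit Propagation, Pure Variable Elimination and DPLL example slides.

```python
# Added example: a small DPLL SAT solver following the lecture's recipe.
# Representation (an assumption of this example): literal = (name, polarity),
# clause = list of literals, CNF = list of clauses, model = {name: bool}.


def models(model, clauses):
    """sigma |= c: every clause contains some literal that the model makes true."""
    return all(any(model.get(v) == p for v, p in clause) for clause in clauses)


def simplify(clauses, lit):
    """Replace `lit` by true and simplify: clauses containing `lit` are now
    satisfied and dropped; the opposite literal is false and deleted elsewhere."""
    var, pol = lit
    out = []
    for clause in clauses:
        if lit in clause:
            continue
        out.append([l for l in clause if l != (var, not pol)])
    return out


def unit_clauses_of(clauses):
    """Literals standing alone in a clause: the only way to satisfy that clause."""
    return [clause[0] for clause in clauses if len(clause) == 1]


def pure_literals_of(clauses):
    """Literals whose variable occurs with one polarity only (sorted so runs are deterministic)."""
    lits = {l for clause in clauses for l in clause}
    return sorted(l for l in lits if (l[0], not l[1]) not in lits)


def dpll(clauses, model=None):
    """Return a satisfying model (dict) or None if the CNF is unsatisfiable."""
    model = dict(model or {})
    clauses = [list(c) for c in clauses]
    while True:
        if not clauses:                        # sigma |= c: we win
            return model
        if any(len(c) == 0 for c in clauses):  # empty clause: this branch is unsat
            return None
        forced = unit_clauses_of(clauses) or pure_literals_of(clauses)
        if not forced:
            break
        var, pol = forced[0]                   # no choice: just do it
        model[var] = pol
        clauses = simplify(clauses, (var, pol))
    # All else failed: pick an unassigned variable and backtrack over both values.
    var = min(v for clause in clauses for v, _ in clause)
    for pol in (True, False):
        result = dpll(simplify(clauses, (var, pol)), {**model, var: pol})
        if result is not None:
            return result
    return None


# Constructed inputs: the formulas from the slides.
UNIT_EXAMPLE = [[("x", False), ("y", True), ("z", False)],   # (¬x ∨ y ∨ ¬z) ∧ (¬x ∨ ¬z) ∧ (z)
                [("x", False), ("z", False)], [("z", True)]]
PURE_EXAMPLE = [[("x", False), ("y", False), ("z", False)],  # (¬x ∨ ¬y ∨ ¬z) ∧ (x ∨ ¬y ∨ z)
                [("x", True), ("y", False), ("z", True)]]
DPLL_EXAMPLE = [[("x", True), ("z", False)],                 # (x ∨ ¬z) ∧ (¬x ∨ ¬y ∨ z) ∧ (w) ∧ (w ∨ y)
                [("x", False), ("y", False), ("z", True)],
                [("w", True)], [("w", True), ("y", True)]]
UNSAT_EXAMPLE = [[("x", True)], [("x", False)]]              # (x) ∧ (¬x)

if __name__ == "__main__":
    for name, cnf in [("unit", UNIT_EXAMPLE), ("pure", PURE_EXAMPLE),
                      ("dpll", DPLL_EXAMPLE), ("unsat", UNSAT_EXAMPLE)]:
        print(name, dpll(cnf))
```

Each forced assignment is taken one at a time and the unit and pure sets are recomputed afterwards, because simplifying with one literal can create new unit clauses (as in step 5 of the slides) or make a previously computed one stale; recomputing is what keeps the loop correct when the input also contains a contradictory pair such as (x) ∧ (¬x). On the DPLL example slide's formula the solver returns σ = {w, ¬y, x}, matching the slide.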
Other theories
• We’ve seen how to handle arbitrary boolean expressions of boolean variables.
• There are many other theories, like:
  – Linear Inequalities: Given a finite set of variables V and a finite set of real-valued constants C:
    » Term ::= C1V1 + … + CnVn <= Cn+1
    » Can be decided via Simplex
  – Equality and uninterpreted functions: Given a finite set of predicate symbols P (each of which has an associated arity)
    » Predicate ::= Pi(Predicate1, … Predicaten)
    » Term ::= Predicate | Predicate1 = Predicate2
SAT-based Theorem Provers
• Recall separation of concerns:
  – #1 Prover handles connectives (∀, ∧, ⇒)
  – #2 Sat procs handle literals (+, ≤, 0, head)
• Idea: reduce proof obligation into propositional logic, feed to SAT solver (CVC)
  – To Prove: 3*x = 9 ⇒ (x = 7 ∧ x ≤ 4)
  – Becomes Prove: A ⇒ (B ∧ C)
  – Becomes Unsat: A ∧ ¬(B ∧ C)
  – Becomes Unsat: A ∧ (¬B ∨ ¬C)
Motivation: Mixed theories
• What about: (strlen(x) + y <= 5) => (strcat(x, x) != “abba”)
  – Satisfied by {x = “abc”, y = 3}, for example
• We may have a sat procedure for each theory involved in a theorem, but combination is much harder.
• We can’t just separate out the terms from each to see if they are separately satisfiable, because it’s unsound: equi-sat ≠ equivalent.
• The problem is that the two satisfying assignments may be incompatible
High Level Approach
• Beyond basic logic, we want to reason about
  – Strings: strlen(x), regexp_match(x, “[0-9]+”), ...
  – Equality: a = b => f(a) = f(b), ...
  – Linear Arithmetic: 2x + 3y <= 10, …
  – Bitvectors: (x >> 2) | y == 0xff, …
  – Lists: head(cons(p, q)) = p
• All at the same time!
• Handle each domain separately (as a theory) and then combine them all together using DPLL and SAT as the “glue”.
Satisfiability Modulo Theories
• A satisfiability modulo theories (SMT) solver operates on propositions involving both logical terms and terms from theories.
• Modern SMT solvers can use any theory that satisfies a particular interface.
  – Replace Theory clauses with special propositional variables.
  – Use a pure SAT solver. If the solution involves some theory clauses, ask the Theory if they can all be true. If not, add constraints and restart.
Basic idea
• Given a query like (x > 5) && (p || (x < 4)) && !p
• Almost everything can be handled by SAT:
  – (x > 5) && (p || (x < 4)) && !p
  – Only the highlighted parts (x > 5 and x < 4) require a Theory.
• So ask SAT to consider:
  – T1 && (p || T2) && !p
• And then whenever SAT gives a model, ask the theories if that model makes sense.
SMT Architecture
[Diagram] Input Instance (Mixed Constraints) → Conversion via Mapping (Reduction) → DPLL SAT Solver.
  – SAT Solver says UNSAT → Final Answer: UNSAT.
  – SAT Solver produces a Sat Model → Theory (Linear Arith, equality, etc.; a Black-Box Oracle):
    » Theory says Unsat → back to the SAT Solver (with added constraints).
    » Theory says Sat Model → Output Conversion → Final Answer: SAT.
Theory Interface
• Initialize(universe: LiteralSet)
• SetTrue(l: Literal): LiteralSet
  – Raise exception if l is inconsistent. Otherwise, add l to set of known facts. Return newly implied set of true facts (e.g., “a = c” after “a = b” and “b = c”)
• Backtrack(n: Nat)
  – Forget last n facts from “SetTrue”.
• IsDefinitelyTrue(l: Literal): Bool
• Explanation(l: Literal): LiteralSet
  – If l is true, return a model (proof) of it.
Simple SMT Example
• Input: (x > 5) && (p || (x < 4)) && !p
• Rewrite: T1 && (p || T2) && !p
  – T1 = “x > 5”    // mapping
  – T2 = “x < 4”
• SAT solver returns {T1, T2, !p}
• Ask Theory about T1 && T2
  – Theory Query: (x > 5) && (x < 4)
  – Theory Result: Unsatisfiable!
• T1 && (p || T2) && !p && !(T1 && T2)
DPLL(T)
• DPLL(T): SMT algorithm based on the DPLL SAT solver but parameterized with respect to a set of Theories T.
• Algorithm:
  – Convert mixed constraints to boolean constraints
  – Run DPLL, but with two changes:
    • No Pure Variable Elimination optimization
    • Unit Propagation uses T.setTrue, may add clauses
  – Whenever T.setTrue raises an exception, add the negation of the explanation to the constraints.
Changes: No Pure Variable Elimination
• In pure propositional logic, variables are necessarily independent.
  – So if P only appears positively, you can set P = true without loss and save time.
• With Theories, variables may be dependent.
• Consider:
  – (x > 10 || x < 3) && (x > 10 || x < 9) && (x < 7)
• “x > 10” is always used positively
  – But just skipping to “x > 10” = true as part of the model leads you astray (makes the others false)!
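The "Basic idea", "Simple SMT Example", "DPLL(T)" and "No Pure Variable Elimination" slides above describe one loop: run DPLL over propositional stand-ins for theory atoms, show each assignment to the theory (T.setTrue), and when the theory objects, add the negation of its explanation as a new clause. The following is an added Python example that is not part of the lecture slides; it implements that loop against a deliberately tiny theory of strict integer bounds (atoms of the form x > c and x < c), which is enough to run both of the slides' formulas. The representation (string atoms for propositional variables, (var, op, c) tuples for theory atoms, (atom, polarity) literals) and the oracle's interface are this example's own assumptions; unlike the SetTrue of the Theory Interface slide, the oracle here only reports conflicts with an explanation and does not return newly implied facts.

```python
# Added example: lazy DPLL(T) with a constructed theory of integer bounds.
# Assumed representation: SAT atom = "p" (string) or (var, op, c) with op in
# {"<", ">"}; literal = (atom, polarity); model = {atom: bool}.


def bounds_check(true_lits):
    """Theory oracle: are these theory literals jointly satisfiable over the integers?
    Returns None if so, else an explanation: the two literals that squeeze some
    variable into an empty interval (their negation becomes the learned clause)."""
    lo, hi = {}, {}                          # var -> (bound, literal responsible)
    for lit in true_lits:
        (var, op, c), pos = lit
        if (op == ">") == pos:               # "x > c" true, or "x < c" false ...
            b = c + 1 if pos else c          # ... gives a lower bound x >= b
            if var not in lo or b > lo[var][0]:
                lo[var] = (b, lit)
        else:                                # "x < c" true, or "x > c" false ...
            b = c - 1 if pos else c          # ... gives an upper bound x <= b
            if var not in hi or b < hi[var][0]:
                hi[var] = (b, lit)
        if var in lo and var in hi and lo[var][0] > hi[var][0]:
            return [lo[var][1], hi[var][1]]
    return None


def theory_literals(model):
    """The theory atoms of a model, as (atom, polarity) literals for the oracle."""
    return [(atom, val) for atom, val in model.items() if isinstance(atom, tuple)]


def dpll_t(clauses, theory_check, model=None):
    """DPLL(T): DPLL without pure-literal elimination.  Every assignment is shown
    to the theory; on a theory conflict the negated explanation is appended to
    `clauses` (a learned clause) and the current branch is abandoned."""
    model = dict(model or {})

    def value(lit):
        atom, pol = lit
        return None if atom not in model else model[atom] == pol

    def consistent():
        conflict = theory_check(theory_literals(model))
        if conflict:                                            # T.setTrue "raises"
            clauses.append([(a, not v) for a, v in conflict])   # learn ¬explanation
            return False
        return True

    if not consistent():                     # the decision that led here was bad
        return None
    while True:                              # unit propagation
        unit = None
        for clause in clauses:
            vals = [value(l) for l in clause]
            if True in vals:
                continue
            unknown = [l for l, v in zip(clause, vals) if v is None]
            if not unknown:
                return None                  # clause falsified
            if len(unknown) == 1:
                unit = unknown[0]
                break
        if unit is None:
            break
        model[unit[0]] = unit[1]
        if not consistent():
            return None
    if all(any(value(l) for l in clause) for clause in clauses):
        return model
    # Decide on an unassigned atom (no pure-literal shortcut!) and backtrack.
    atom = min((a for clause in clauses for a, _ in clause if a not in model), key=str)
    for pol in (True, False):
        result = dpll_t(clauses, theory_check, {**model, atom: pol})
        if result is not None:
            return result
    return None


def simple_smt_example():
    """The slides' query (x > 5) && (p || (x < 4)) && !p.
    Returns (model or None, the clauses learned from theory conflicts)."""
    T1, T2 = ("x", ">", 5), ("x", "<", 4)
    clauses = [[(T1, True)], [("p", True), (T2, True)], [("p", False)]]
    n = len(clauses)
    return dpll_t(clauses, bounds_check), clauses[n:]


def pure_literal_trap():
    """(x > 10 || x < 3) && (x > 10 || x < 9) && (x < 7): x > 10 occurs only
    positively, yet forcing it true (as pure-literal elimination would) conflicts
    with x < 7.  Returns (model found by DPLL(T), result when x > 10 is forced)."""
    A, B, C, D = ("x", ">", 10), ("x", "<", 3), ("x", "<", 9), ("x", "<", 7)
    clauses = [[(A, True), (B, True)], [(A, True), (C, True)], [(D, True)]]
    found = dpll_t(list(clauses), bounds_check)
    forced = dpll_t(list(clauses) + [[(A, True)]], bounds_check)
    return found, forced


if __name__ == "__main__":
    print(simple_smt_example())   # (None, [[(x>5, False), (x<4, False)]]): unsat, learned ¬T1 ∨ ¬T2
    print(pure_literal_trap())    # model with x<3, x<7, x<9 true and x>10 untouched; forced run -> None
```

On the Simple SMT Example the propagation assigns T1, !p and then T2, the oracle rejects x > 5 together with x < 4, and the clause it learns is exactly the !(T1 && T2) of that slide; with no decision left to undo, the result is UNSAT. On the pure-literal formula the solver decides x < 3 first and finds a model without ever touching x > 10, while the run that forces x > 10 true fails immediately, which is why DPLL(T) drops the pure-variable optimization.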
Changes: Unit Propagation
• Consider:
  – (A = B) && (B = C) && (A != C || X)
• Convert:
  – P1 && P2 && (!P3 || X)
• Unit Propagation: add P1 (A = B) to model
• Now: P2 && (!P3 || X)
• Unit Propagation: add P2 (B = C) to model
  – But Wait! Theory reports: P3 (A = C) now true
• Now: (!P3 || X) && P3 …
DPLL(T) Example
• Input Clauses:
  – (f(a) != f(b) || d != e) &&
  – (a = b || a != c) &&
  – (a = b || c = b) &&
  – (a = c || X) &&
  – (c != b || !X)
  – Mapping: T1 = f(a) = f(b), T2 = d = e, T3 = a = b, T4 = a = c, T5 = c = b
• Converted:
  – (!T1 || !T2) (T3 || !T4) (T3 || T5) (T4 || X) (!T5 || !X)
• No Unit Clauses
• Heuristically choose T1 = False, add to model
  – Theory returns: !T3
• Converted:
  – (!T4) (T5) (T4 || X) (!T5 || !X)
• Model: !T1, !T3
• Unit Clauses: !T4, !T5, add to model
• Converted:
  – (X) (!X)
• Model: !T1, !T3, !T4, !T5
• Unit Clause: (X), add to model, contradiction!
  – Original input is not satisfiable!
DPLL(T) Conclusion
• DPLL(T) is widely used as a basis for modern SMT solving.
  – Typically much faster than eagerly encoding all of the variables into bits
  – General: allows many types of theories.
• Microsoft’s popular and powerful Z3 automated theorem prover handles many theories, but uses DPLL(T) + Simplex for linear inequalities.
  – “A Fast Linear-Arithmetic Solver for DPLL(T)”, 2006
One slide summary
• An automated theorem prover is an algorithm that determines whether a mathematical or logical proposition is valid (satisfiable). A theory is a set of sentences with a deductive system that can determine satisfiability.
• Theorem provers are built atop decision procedures for individual theories (e.g., of arithmetic, uninterpreted functions).
• SAT-Based Theorem Provers use SAT solvers to decompose the problem. DPLL uses efficient heuristics to solve Boolean Satisfiability (SAT) quickly in practice.
• A satisfiability modulo theories (SMT) instance is a proposition that can include logical connectives, equality, and terms from various theories. DPLL(T) is an SMT algorithm built on DPLL, a well-defined interface for Theories, and a mapping between propositional variables and Theory literals.
Proof Generation
• We want our theorem prover to emit proofs
  – No need to trust the prover
  – Can find bugs in the prover
  – Can be used for proof-carrying code
  – Can be used to extract invariants
  – Can be used to extract models (e.g., in SLAM)
• Implements the soundness argument
  – On every run, a soundness proof is constructed
Proof Representation
• Proofs are trees
  – Leaves are hypotheses/axioms
  – Internal nodes are inference rules
• Axiom: “true introduction”
      ―――――――― truei
       ⊢ true
  – Constant: truei : pf
  – pf is the type of proofs
• Inference: “conjunction introduction”
      ⊢ A    ⊢ B
      ―――――――――――― andi
        ⊢ A ∧ B
  – Constant: andi : pf → pf → pf
• Inference: “conjunction elimination”
      ⊢ A ∧ B
      ――――――――― andel
        ⊢ A
  – Constant: andel : pf → pf
• Problem:
  – “andel truei : pf” but does not represent a valid proof
  – Need a more powerful type system that checks content
Dependent Types
• Make pf a family of types indexed by formulas
  – f : Type            (type of encodings of formulas)
  – e : Type            (type of encodings of expressions)
  – pf : f → Type       (the type of proofs indexed by formulas: it is a proof that f is true)
• Examples:
  – true : f
  – and : f → f → f
  – truei : pf true
  – andi : pf A → pf B → pf (and A B)
  – andi : ΠA:f. ΠB:f. pf A → pf B → pf (and A B)
  – (ΠA:f. X means “forall A of type f, dependent type X”, see next lecture)
Proof Checking
• Validate proof trees by type-checking them
• Given a proof tree X claiming to prove A ∧ B
• Must check X : pf (and A B)
• We use “expression tree equality”, so
  – andel (andi “1+2=3” “x=y”) does not have type pf (3=3)
  – This is already a proof system! If the proof-supplier wants to use the fact that 1+2=3 ⇔ 3=3, she can include a proof of it somewhere!
• Thus Type Checking = Proof Checking
  – And it’s quite easily decidable! □
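The Proof Representation, Dependent Types and Proof Checking slides above make one point: once pf is indexed by formulas, checking a proof tree X against a claimed formula A is the type check X : pf (and A B), and it is decided by expression-tree equality rather than by evaluating anything. The following is an added Python example, not part of the lecture slides, that plays out that idea for the three constants on the slides (truei, andi, andel). Formulas and proof terms are Python dataclasses, and hypotheses are explicit leaves carrying the formula they assume; both are this example's own assumptions. `infer` computes the formula a proof term proves (its index into pf), and `check` compares that formula structurally with the claimed one.

```python
# Added example: proof checking as dependent type checking, in miniature.
# Formulas (the type f) and proof terms (inhabitants of pf F) are dataclasses;
# structural equality of dataclasses is the slides' "expression tree equality".
from dataclasses import dataclass


# --- encodings of formulas: the type f on the slides ---
@dataclass(frozen=True)
class Atom:            # an atomic formula such as "1+2=3", compared by its text only
    text: str


@dataclass(frozen=True)
class TrueF:           # the formula `true`
    pass


@dataclass(frozen=True)
class And:             # and : f -> f -> f
    left: object
    right: object


# --- proof terms: the constants whose types are pf ... on the slides ---
@dataclass(frozen=True)
class Hyp:             # leaf: a hypothesis/axiom assumed to prove `formula` (this example's device)
    formula: object


@dataclass(frozen=True)
class TrueI:           # truei : pf true
    pass


@dataclass(frozen=True)
class AndI:            # andi : pf A -> pf B -> pf (and A B)
    left: object
    right: object


@dataclass(frozen=True)
class AndEl:           # andel : pf (and A B) -> pf A
    arg: object


class ProofError(Exception):
    """The term is not a proof of anything (e.g. andel applied to a non-conjunction)."""


def infer(proof):
    """Return the formula F such that proof : pf F, or raise ProofError."""
    if isinstance(proof, Hyp):
        return proof.formula
    if isinstance(proof, TrueI):
        return TrueF()
    if isinstance(proof, AndI):
        return And(infer(proof.left), infer(proof.right))
    if isinstance(proof, AndEl):
        premise = infer(proof.arg)
        if not isinstance(premise, And):
            raise ProofError(f"andel needs a proof of a conjunction, got {premise}")
        return premise.left
    raise ProofError(f"unknown proof term {proof!r}")


def check(proof, claimed):
    """Proof checking = type checking: does `proof` have type pf `claimed`?
    Formulas are compared as trees, so no arithmetic is ever evaluated."""
    try:
        return infer(proof) == claimed
    except ProofError:
        return False


# Constructed examples mirroring the slides.
SLIDE_PROOF = AndEl(AndI(Hyp(Atom("1+2=3")), Hyp(Atom("x=y"))))


def examples():
    return {
        "andel (andi 1+2=3 x=y) : pf 1+2=3": check(SLIDE_PROOF, Atom("1+2=3")),  # True
        "andel (andi 1+2=3 x=y) : pf 3=3": check(SLIDE_PROOF, Atom("3=3")),      # False: different tree
        "andel truei : pf true": check(AndEl(TrueI()), TrueF()),                 # False: ill-formed term
        "andi truei truei : pf (and true true)": check(AndI(TrueI(), TrueI()),
                                                       And(TrueF(), TrueF())),   # True
    }


if __name__ == "__main__":
    for claim, ok in examples().items():
        print(("accepted" if ok else "rejected").ljust(9), claim)
```

The untyped `pf` of the Proof Representation slide would accept `andel truei`; here that term fails in `infer` because truei proves `true`, which is not a conjunction, so the checker needs no trust in whoever produced the tree. The `3=3` case is rejected for the reason the slide gives: `1+2=3` and `3=3` are different expression trees, and a supplier who wants to bridge them must include a proof of that fact rather than rely on the checker computing it.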
Proof Inference Rules
• What are some rules of inference and function types for:
  – Or introduction
    • Hint: or_introduction_left : pf A → pf (or A B)
  – Or elimination
  – Not introduction
  – Not elimination
  – Implies introduction
  – Implies elimination
  – False elimination