Proof assistants: History, ideas and future

More documents

Recommendations

Info

10 H Geuvers The De Bruijn criterion means that there is a notion of ‘proof object’ and that a skeptical user can (relatively easily) write a program to proof check these proof objects. 2.1b Logical framework: Another important idea that first appears in Automath is that of a Logical framework. De Bruijn emphasized the idea that his system would only provide the basic mathematical mechanisms of substitution, variable binding, creating and unfolding definitions, etc. and that a user would be free to add the logical rules he/she desires. Following the formulas-as-types principle, this amounts to Ɣ ⊢ L ϕ if and only if Ɣ L , Ɣ ⊢ type theory M : T(ϕ), where L is a logic and Ɣ L is a context declaring the constructions of the logic L in type theory. It is a choice which logical constructions one puts in the type theory and which constructions one declares axiomatically in the context: there have been various Automath systems that represented weaker or stronger type theories. The idea of a rather weak type theory, which is then used as a logical framework has been further developed in Edinburgh LF (Harper et al 1993) and in the system Twelf (Twelf). 2.2 Martin–löf type theory The Curry–Howard formulas-as-types isomorphism gives a connection between proofs in constructive logic and typed λ-terms. (In constructive logic, one does not use the double negation law ¬¬A → A.) Martin-Löf has extended these ideas, developing constructive type theory as a foundation for mathematics, where inductive types and functions defined by well-founded recursion are the basic principles (Martin-Löf 1984, Nordström et al 1990). (This goes also back to work of Scott (Scott 1970), who had noticed that the Curry–Howard isomorphism could be extended to incorporate induction principles.) Martin-Löf has developed several type theories over the years. The first one has been implemented in the proof assistant NuPrl (Constable et al 1986). This was an extensional type theory. Later systems were intensional and have been implemented in ALF (Magnusson & Nordström 1994) and Agda (Agda). But many of the ideas underlying Martin-Löf type theory have also found their way in other proof assistants, like LF, Lego and Coq. 2.2a Proofs as programs: In a constructive logic, if one has a proof of ∀x ∃y R(x, y), then there is a computable function f such that ∀x R(x, f (x)). The function (construction) f is ‘hidden’ in the proof. In constructive type theory, this is extended to incorporate arbitrary algebraic data types and we have the phenomenon of program extraction: from a proof (term) p : ∀x : A.∃y : B.R(x,y) we can extract a functional program f : A → B and a proof of ∀x : A.R(x,f(x)). So we can see ∀x : A.∃y : B.R(x,y) as a specification that, once ‘realized’ (i.e. proven) produces a program that satisfies it. As an example, we show the specification of a sorting algorithm. The goal is to obtain a program sort : List N → List N that sorts a list of natural numbers. So, given a list l, we want to produce as output a sorted list k such that the elements of k are a permutation of the ones of l. So we have to define the predicates Sorted(x) and Permutation(x, y), denoting, respectively that x is sorted and that x is a permutation of y. (For example, we can define Sorted(x) := ∀i
Proof assistants: History, ideas and future 11 functional language. But also one can program a lot of functions as programs within the proof assistant, because the system includes a (small) functional language itself, with abstract data types, etc. 2.2b Checking the checker: In a type theory based system that includes a functional programming language, like Coq, one can program and verify the type checker within the system itself. This has been done in the ‘Coq in Coq’ project (Barras 1999). What one verifies (inside Coq) is the following statement: Ɣ ⊢ M : A ⇔ TC(Ɣ, M) = A, where TC is the type checking algorithm that takes as input a context and a term and produces a type, if it exists, and otherwise produces ‘fail’. As this statement implies the consistency of Coq as a logic, this cannot be proved inside Coq without extra assumption, so the statement is proved from the assumption that all terms are strongly normalizing (i.e. all functions definable in Coq are total; this is a meta-theoretic property one can prove about Coq). The statement above is proved inside Coq, so the type theory is coded inside Coq. The program TC is also written inside Coq, but it can be extracted and be used as the type checking algorithm of a new version of Coq. 2.3 LCF LCF stands for ‘Logic for Computable Functions’, the name Milner gave to a formal theory defined by Scott in 1969 (Scott 1993) to prove properties of recursively defined functions, using methods from denotational semantics. It is a predicate logic over the terms of typed λ- calculus. The first system was developed at Stanford in 1972 and later systems were developed at Edinburgh and Cambridge. The systems Isabelle (Isabelle, Wenzel et al 2008), HOL (HOL, Gordon & Melham 1993) and HOL-light (HOL light) are descendants from LCF, using the ‘LCF approach’. The first system that Milner developed in Stanford was a goal-directed system that had special tactics to break down goals into smaller ones and a simplifier that would solve simple goals. To be able to safely add new proof commands and to not have to store proofs in memory (but only the fact that a result had been proven), Milner developed what is now know as the LCF approach. 2.3a LCF approach: The basic ideas of Milner’s LCF approach (Gordon et al 1979, Gordon 2006) is to have an abstract data type of theorems thm, where the only constants of this data type are the axioms and the only functions to this data type are the inference rules. Milner has developed the language ML (Meta Language) specifically to program LCF in. In LCF, the only terms of type thm are derivable sequents Ɣ ⊢ ϕ, because there is no other way to construct a term of type thm then via the inference rules. (For example, one of the operators of this type would be assume: form -> thm with assume phi representing the derivable sequent ϕ ⊢ ϕ.) The LCF approach gives soundness by construction: if we want to prove a goal ϕ and we only apply operators of the abstract data type, we can never go wrong. Another advantage of LCF is that a user can write tactics by writing more sophisticated functions. This enhances the power without jeopardizing the system, because in the end everything can be translated to the small kernel, which is the abstract data type thm. So LCF very much satisfies the ‘small kernel’ criterion: every proof can be written out completely in terms of a small kernel, which represents exactly the inference rules of the logic. One of the reasons Milner invented this mechanism was to suppress the rechecking of large
Page 1 and 2: Sādhanā Vol. 34, Part 1, February
Page 3 and 4: Proof assistants: History, ideas an
Page 7: Proof assistants: History, ideas an
Page 23: Proof assistants: History, ideas an

Proof assistants: History, ideas and future

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?