Professional Documents
Culture Documents
A Metalanguage For Interactive Proof in LCF
A Metalanguage For Interactive Proof in LCF
M. Gordon, R. Milner
University of Fdinburgh
L. Morris
Syracuse University
M. Newey
Australian National University
C. Wadsworth
University of Edinburgh
semantics and iq?lementations of many prqrcmming The need for and design of ML is based on
languages. PPI is an enrichment (in respect of experience with an earlier system at Stanford
type structure and expressive pcwer) of an extended [17, 181 . In that system, beyond the ability to
a-calculus due to Dana Scott and is fully discussed direct it to execute a basic inference (e.g. beta
elsewhere [ 22 I . The puxposes of this paper are conversion, or transitivity of equivalence) , the
it of general interest in language design (a) invoke .s@lif ication with respect to a set
(c) to convey a methodology for controlled semi- (c) use theorems previously proved.
automatic proof.
These facilities were enough to enable several
We avoid formal descrj ption; we hope that our non-trivial case studies to be tackled [1,23,24,34]
qles and discussion will achieve these purposes but further use of the systein hecam increasingly
mme clearly. A qlete description of ML, and limited by the fixed, and rather primitive, nature
its use with PPA, exists as a techriical reprt [91. of its repertoire of ccmnands (rather like using
W’his work was supprted by the Science I@search one is working all the t- at top-level) . Prcnfs
Council of Great Britain under grant n-
oft.em contained many instances of a few patterns of
B/RG/48175.
inference which one would like to express as
119
derived inference rules or - in the goal-directed prcofs, the following ingredients in ML were soon
single steps of proof (where he needs to) . We We are indebted to Dana Scmtt for providing
believe also that, although formal proofs are @?- a large part of the theoretical basis for oux vmrk:
ortant and should be retrievable, it is pragmatic- to John McCarthy for encmrcaging the forerunner of
ally more convincing to achieve clear expression of this project at Stanford: to Richard Weyhrauch who
p~f strategy; the latter entails that the way in contributed greatly to that project: to Tony Hoare
which the strategy is built from sub-stratqies and Jexry Schwarz for help with the notion of
should be evident in its expressicm. abstract -s in ML : to Avra Cohn for help in
perform faulty proofs (it may not prove the theorem ML is a higher-crder functional programing
expected but the result ~ be a theorem!) . If language in the tradition of ISWIM [15], PAL [8],
extra security or formal prcof -checking is desired, POP2 [6] and @DANKEN [26 1, but differs princip-
full proofs are easily generated - only minor ally in its handling of failure and, more so, of
changes in the implementation of the abstract t~
typ2s . It is an expression-based language,
for theorems wmld be required. though expressions may have side-effects because
The principal aims then in designing ML were of the presence of assignment (the expression
to make it impossible to prove non-theorems yet “X: =e” has as value the value of e , and also
easy to prcgram strategies for performing pnmfs. gives x this value) . An @mrtant expression
assuning antecedents and doing case analysis, all forms of declaration are “let f (x,y,. ..) = e“
interleaved with sinplif ication”. This is for def irdng functions, “letrec f (x,y,.. . ) = e“
inprecise - analysis of what cases? - what kind of for defining functions recursively, “letref x = e”
induction, etc, etc. - but these in turn may well for declaring and initializing assignable variables,
be given by further recipes, still in the sam and generalizations of these forms for s~taneous
to be built frcm sinpler ones (which we call Another imprtant expression construct is
tactics rather than strategies) by a number of ‘Ie ? evtp (read “e or else e’”), whose value is the
general operations in fairly regular ways; we value of e unless e generates a failure, in which
call these operations tacticals by analcgy w’ith case it is the value of e’. The systen generates
functional.
certain failures autcnnatically, and the user may
For progr arming tactics and tacticals, and generate his own with the expression “fail”, or
mre generally for manipulation of PP1 in f ind.ing the expression “failwith e“ where the value of e
120
is a token which identifies the kind of failure; Notes: (1) “letrec f(x,y, z)(urv) = - - -“
to trap only certain failure tokens (kinds of “letrec f = l(x,y, z).l(u,v). - - -“.
failure) . The type token is one of ML’s basic (Similarly, let . ..). That is, scala.r-
types; tokens are just synbol strings. In our prod and”itscalarprod are defined here
dynamic escqe and escape-trapping mechanism facil- is the style in functional progrann.ing.
itates a natural programing style for caqosing The separation of argments into two
tactics and strategies which are usually inapplic- groups allows scalarprcxi to be
declarations and expressions, separated by “;;” . letrec scalarprcx3($*, $+, zero) (kl,12) =
ML is a “static binding” language, like ISWIM, PAL - - -scalaqrod ($*, $+, zero) (11’, ~2’)- -
and on a zero (for null vectors) . Two ways - the (3) Infixed “.” is the cons function. Use
first recursive and the second iterative - of on the left of a declaration, as here,
writing this in ML, with vectors represented as binds xl and kl’ to the head and tail,
lists and failure for vectors of unequal length, respectively, of !1, with failure when
letrec scalarprod ($*, $+, zero) (.U,~2) = (1,2) (4) The failure trappd by “?” here is that
( —
let xl. il’ = L1 —
and x2. L2’ = ~2 (.3) of the declaration when one of R1, L2
let itscalaqxod ($*, $+, zero) (U, i2) = (1) of either are well-typed provided their arguments
letref ace, 11, i2 = zero, 11, P2 have types which are instances of
in
— $* : (cl x B)+y
( Q ace, 11, Q2 := (5)
$+ : (y x 6)+ 6
( (~*X2)+acc, ilr, ~2J
where x1.%1’ = !/1 —
and X2. !?,2’ = 12) Zero:a
instance of (a ——
list x 6 list)+ 6 as its type.
((aX&Y)X(yX6-M)X6) + (a ——
list x f3 list + 6)
121
is generic for scalarprod (or itscalarprcd); mer will impose upn himself in using a typeless
this means that these functions may be used at any language such as LISP. It is remarkably conven-
type which is a substitution instance of the ient in interactive prcgr amring to be relieved of
generic type, in which a,$’, y,d are type the need to specify types, with assurance that
variables. Thus, since $*,$+ : ~ x ~+ ~ badly-typed phrases will be caught, re~rted, and
are arithmetic functions predeclared in MG, and not evaluated. Of course, for off-line program-
using the ML notation “Eel; . . . ;enl” for lists, we ming it is oftw advisable to specify the types in
scakrprcd($*,$+,O) ([1;2;31, [4;5;61) eters, and we are aware that many prefer to adopt
[bl; . . ..bnl , [cl; ...; cm] of truth values, will letrec scalarprcd ($*: (.xf3 .+ y),
count the number of times that Wzh bi and ci are $+: (yxa + 6),
(U: a=,
let botlltinecount = scalarprcd (bothtrue, $+, O)
!,2: ~list) : 6= .. . .
where bothtrue (bl ,b2) = —
if bl & b2 then 1
definition is
The typechecking method may be illustrated by
let mapconsappend = scalarprod ($. ,$@,nil) a sinple exanple. Consider the following function
possess a type which contains type variables; they else f(hd(lis)). map(f,tl(lis);
are plynn rphic functions. The polynmrphism of MG
The generic type of map should be (Y+8) x y list
should not be confused with the plyrmrphism
+ 8 list. How may we infer this type frcm the
present in the object language PPl ; we will allude
bare declaration? First, the generic types of
briefly to the latter in a later section.
the identifiers occurring free in the declaration
122
(in its declaration) of a recursively defined iden- ML also includes a facility for defining
tifier must be given the same type. Third, if we abstract types, including simultaneous and\or
denote by Uid the type to be given to each iden- recursive and/or parmnetric ones. In ML these are
tifier in the declaration, then besides the above- not “really abstract” in the sense of the algebraic
msntioned constraints on ondl etc, the follcwing abstract types of, e.g., Guttag [101 or Zilles [361
equations must hold for some types T1JT2J. . . : but rather are analogous to SIMUIA classes [71,
NON if we chcose distinct type variables normal declaration (but with let
— replaced by with) ,
~ l...t~ and set u =allist+~, and defines the operations or other objects availa-
1 5 null —
= a2 list , etc , the equations may be solved ble at the new types; the essence of ~
‘nil —
for the variables Ul,...a5, T1,...,T6 and abstraction is that one may get at the represent-
using Robinsons unification algor- ation of the new types only in the with-part, and
‘map ‘ ‘f’ ‘lis
ithm [271 . It turns out, as the reader may like this representation is provided by two halves of
to heck, that for sane distinct pair of variables the iscmmrphism (denotedby “absid” and “repid”
yr8 we obtain for each type identifier “id”) between each type
by the type of the formal parameter .L1, and the absrectype a list = . + (a x a list)
123
(~: we have underlined types and reserved words predicate calculus built by conjunction, implication
in this paper, for clarity, but our implementation and universal quantification frcxn atomic ones;
requires no underlining; we have ncw abandoned it atcanic formulae are equivalences and inequivalences
mkinequiv term
: —— x teml + .form
FIX : (( B+y)+(D+y))+(B+y)
(to build an atcmic formula)
can be defined so that “let
— f = FIX(.lf .e) “ is
mkquant tem
: —. x fom + —
form
exact ly equivalent to “ letiec f = e“ ; the reader
(the term must be a variable)
may like to puzzle out how the f olluwing does the
trick:
and to each constructor corresponds a destructor
with FIX (f) = F (absf ixty F) Destructors fail if their argument is not a tenm or
where F y = f(lx. repfixty(y) (Y) (x)) form of the right sort - e.g. destvar (ink@ (..))
provide concrete syntax for other syntactic systems .in mkquant (x,nkinequiv (x,x) )
The fomulae of PPl are those of a f irst-ord~ following is also equivalent to the above:
124
let
— x = ‘X:integer7 in
— ‘V~xJ. ~n_kinequiv(x,x)J1 Goals tactics and tacticals
Now a sequmt of PPA is an object (rrw) of As a simple example to illustrate our method-
~ form list x —
form. PPA is a sequent calculus, ology, consider an obvious fact abut conditionals
——
so a PPl theorem is a sequmt which follows frcm (for “T => XIY” read “if T then X else Y“ ) , namsly
with ASSUME w = absthm( [w] ,w) (Infer w +- w) AS a first approximation, a tactic should take
many of the axicms are presented tistead as infer- and we call the proaf oaqmnent of a tactic’s
ence rules, of ihich there are about thirty (mre result a validation. We!! a ccmpsite tactic has
than strictly necessary, again for ocnvenience) . scxnehow generated an eqty goal list, the valid-
ations of the ccqonmts can be ccanpsed to yield
125
Hcxvever, not all tactics will be very useful. tactics. Consider for exa@e the heuristic tac-
lie shall call the useful ones valid (related but tic for proving Vn. f (n) < g(n) by finding SClne
not identical with lqicians’ use of the word) : function h for which W. f (n) < h(n) s g(n); in
T is a valid tactic if, whenever particular, we find that Vh. n <2n+ lis true
T(g) = ([gI; . . .;gnl,p) and whenever thi achieves (and achievable ! ) over the non-negative integers,
9i (1 s i s n) , then P[thl; . . ..thnl evaluates but Vn. n<2n<2n+l is false (not achievable) .
successfully to a th~rem which achieves g . In Nbre relevant is that various induction rules,
particular, when n = O - i.e. T reduces g to an Ussd in reverse, yield tactics which are not
qty subgoal list - then p[ 1 achieves g and we strongly valid. It is good practice to use
say that T solves g (e.g. the s~lification tactic strongly valid tactics when pxssible, and always to
manages this when tie gcal simplifies to an obvious use valid tactics.
tautology) .
Tacticals are fmctions on tactics, building
TO illustrate, here is a tactic for quantifier simple tactics into ccnpsite ones. Wee obvious
stripping (yielding one s~oal) which is “inverse” exanples are: binary tacticals THEN (apply a
to the basic inference rule W, where we write in secnnd tactic to all subgoals produced by a first)
sane types explicitly as an aid to the reader: and ORELSE (try one tactic, or if it fails try
variable clashes causing the validation function to Isolating useful tactics and tacticals, and
fail unexpectedly (when applied to a singleton enccding them in ML, is a sbj ect of ongoing study
theorem list [thl where th achieves the one subgoal in the various applications to do with formal
produced by GENTAC) . Note that at worst an senmntics which we mentioned in the introduction.
126
and axicms, is called a tkory, and all work with nothing to do with amnpilation; for exanple, there
ICF consists in setting up theories, extending them are many interesting results to be proved concerning
or joining them to form larger theories, or (nm.t meantig-preserving transformations of programs.
But AIGOL itself will be a ccmpsite theory. by remarkimg that it appears @mssible to exploit
One of its parent theories will be AISYN - the the full power of an interactive proof system with-
theory of ALCDL syntax; the types in this th~ry out sane discipltied f rmework, such as theories
will be such as ALprcg, ALblock, ALstatmt, ALexpn provide, within which to work incranentally.
operations such as
Relations with other systems
mkassignment : ALVar ~ ALexpn + ALstatmt, and the
axiars will characterise these operations. Further There are several dimensions along which LCF’
mnstants and axicms will be concerned with auxiliary can be crqared with other proof systems;
127
to guide the search for a prmf (e.g. this is one theories. Note however that PPi itself is oriented
of the aims of the GOLUX project [11]) . Our aim tcwm.rds reasming about universes of recursively
is to construct a system which can be used at any defined objects of various t~s (viz. -ins of
point on this continuum - for S- problem areas Scotts TFEOry of Computation [281) and so reasoning
there already exists useful prcof strategies (e.g. about other obj etis may be indirect. The Stanford
Aubin [21, Eoyer & Moore [3 I for induction on Lists, ML system of Wehyrauch [331 is based on a mre
Brown [41 for integer arithmetic) and we would like general lcgic, and it r amains to be established
to be able to cede them up straightforwardly. In whether this extra generality is needed (e.g. for
other less explored areas we want to experiment with reasoning about applications of programs to the
manual prcofs to isolate ccnmmn patterns of inf ex- ‘real world’ ) ; there is a delicate trade off
ence. Once these are fomd they can be prqranmed between g&nerality and specialization - PPA is
Von Henke and Luckhan [121 which is based on Hoare’s [ 2] Aubin, R., Mechanizing structural induction,
inference system [14 1) there may still be a risk Ph.D. thesis, University of Fdinburgh, 1976.
which does not achieve the desired goal) . [53 de Bruijn, N. G., AU’IWATH, a language for
128
[91 Ckmdon, M., Milner, R. & Wadsworth, C. ations of Ccmpter Science, Amagi, Japan,
[ 101 Guttag, J.V., The specification and applic- Science Internal Reprk CSR-9-77,
[ 111 Hayes, P.J., The language G3LUX. University reflexive and polymorphic types, Proc.
Arc-et-Senams, 1975.
[ 121 von Henke, F.N.& Luckhan, D.C., Amethcdobgy
for verifying prcqramsr Proceedings of the [231 Milner, R. & Weyhrauch, R., Proving ccmpiler
ating ndels and proving theorems in a [241 Newey. M., Formal semantics of LISP with
rolxt, AI i%mo 168, Project MAC, M.I.T., applications to prcgram correctness, Ph.D.
[ 141 Hoare, C.A.R., An Axiomatic Basis for [25] Rekoh, R., Sacerdoti, E.r A Preliminaq
Ccmputer Programing, CACM VO1.12, No.1O, QLISP Manual, Technical note 81,
languages, Ccmn. ACM9,3 (Ech 1966), [261 Reynolds, J.C., GERMWIN: a s~le typeless
Notices 9,4 (April 1974), 50-59. based on the resolution principle, JACM
of Scott’s logic for omputable functions, [281 Scott, D.S. & Strachey, C., Tbward a Math-
Proc. ACM Conf. on Proving Assertions about ematical Semantics for Ccq?uter Languages,
AI Memo 169, Cc.q?uter Science Department, [29] SUSman, G., Winogradr T. & Charniak, E.
proof, Proc. 2ndAdvanced Course in Found- [ 301 Tennent, R.D., PASQUAL: a propsed general-
[ 201 Milner, R., ICF: a methodology for perform- [311 Topr, R. Interactive Progran Verification
ing rigorous prcofs abut prugramsr Proc. using Virtual Prograns., Ph.D. Thesis,
129
[321 Waldinger, R.J. & Levittr C.r Reasoning
VO1.5 No.3.
Tokyo, 1972.
130