Comments on: Introduction to Automated Proof Verification with SASyLF http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf (permanently in beta) Sun, 29 Aug 2010 20:01:44 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Daniel Spiewak http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4374 Daniel Spiewak Sat, 06 Dec 2008 05:31:44 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4374 @Dr. Boyland Thanks for the clarification on Twelf! I had planned on re-reading your introduction to the system but never got around to it. I'll insert a note in the article to avoid leading too many people astray. Regarding forall/exists: it occurs to me that I never showed an example with multiple forall(s). This makes the motivation for exists a little bit more apparent. A simple example would be the header for the preservation theorem for the simply-typed lambda calculus: <pre>theorem preservation: forall d: Gamma |- t : T forall e: t -> t' exists Gamma |- t' : T . ... end theorem</pre> @Dr. Boyland

Thanks for the clarification on Twelf! I had planned on re-reading your introduction to the system but never got around to it. I’ll insert a note in the article to avoid leading too many people astray.

Regarding forall/exists: it occurs to me that I never showed an example with multiple forall(s). This makes the motivation for exists a little bit more apparent. A simple example would be the header for the preservation theorem for the simply-typed lambda calculus:

theorem preservation:
    forall d: Gamma |- t : T
    forall e: t -> t'
    exists Gamma |- t' : T .

    ...
end theorem
]]> By: John Tang Boyland http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4373 John Tang Boyland Sat, 06 Dec 2008 04:35:55 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4373 Nice post. I'm glad to see SASyLF is being appreciated. Regarding Twelf: you're right to have a disclaimer. Twelf works with (higher-order!) unification and types for logic programs (not functional programs). Twelf is closer to Prolog than even SASyLF. On the other hand, you're absolutely right that SASyLF is massively more readable. Regarding alloy: I think (and now I'm out of my depth) that Alloy can only declare the absence of counter-examples up to a particular size. So it would be less useful for verifying type systems. Regarding forall vs exists: "forall" are the "inputs" to the theorem, and "exists" are the outputs. Hence the extra keyword/marker. Nice post. I’m glad to see SASyLF is being appreciated. Regarding Twelf: you’re right to have a disclaimer. Twelf works with (higher-order!) unification and types for logic programs (not functional programs). Twelf is closer to Prolog than even SASyLF. On the other hand, you’re absolutely right that SASyLF is massively more readable.

Regarding alloy: I think (and now I’m out of my depth) that Alloy can only declare the absence of counter-examples up to a particular size. So it would be less useful for verifying type systems.

Regarding forall vs exists: “forall” are the “inputs” to the theorem, and “exists” are the outputs. Hence the extra keyword/marker.

]]> By: Alexey Romanov http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4371 Alexey Romanov Wed, 03 Dec 2008 22:20:24 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4371 Actually, I'd make a distinction between natural language and logical language. SASyLF looks like it's trying to approach the logical language and succeeds. There are just two things that look wrong from your examples: 1) Having to explicitly say "_:" for "I won't name this"; 2) This extra "exists". Anyway, I clearly need to read the papers :) Actually, I’d make a distinction between natural language and logical language. SASyLF looks like it’s trying to approach the logical language and succeeds.

There are just two things that look wrong from your examples:
1) Having to explicitly say “_:” for “I won’t name this”;
2) This extra “exists”.
Anyway, I clearly need to read the papers :)

]]> By: Daniel Spiewak http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4370 Daniel Spiewak Tue, 02 Dec 2008 19:25:56 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4370 > What I don’t understand is why do you need “exists” in all > the theorems and lemmas :-S Like many things in SASyLF, it's there to bring the syntax more in line with natural-language. I didn't show it, but if you wanted to prove something using a theorem or lemma, the syntax looks like this: <pre>_: ... by theorem my-cool-theorem</pre> In more complicated proofs, things get very, *very* verbose. > What I don’t understand is why do you need “exists” in all
> the theorems and lemmas

:-S Like many things in SASyLF, it’s there to bring the syntax more in line with natural-language. I didn’t show it, but if you wanted to prove something using a theorem or lemma, the syntax looks like this:

_: ... by theorem my-cool-theorem

In more complicated proofs, things get very, *very* verbose.

]]> By: Alexey Romanov http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4369 Alexey Romanov Tue, 02 Dec 2008 19:18:43 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4369 Cool! (Both SASyLF and Alloy.) What I don't understand is why do you need "exists" in all the theorems and lemmas you present and why couldn't you just say something like theorem gt-implies-gt-succ: forall g: n1 > n2 . s n1 > s n2 ? Cool! (Both SASyLF and Alloy.) What I don’t understand is why do you need “exists” in all the theorems and lemmas you present and why couldn’t you just say something like
theorem gt-implies-gt-succ:
forall g: n1 > n2 . s n1 > s n2
?

]]> By: Andrew McVeigh http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4368 Andrew McVeigh Tue, 02 Dec 2008 08:50:06 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4368 @Daniel "I assume you mean “inference” and not “reconstruction”?" It's simpler really than what you mean by both. My system is a hierarchical component model (i.e. a component contains instances of other components wired in using connectors). My "inference" allows the required and provided interfaces of ports of composite components (made up of other components) to be determined automatically. You can also represent relationships between ports on implementation components which bear on the composite case. Whilst not trivial, it's a long way from specifying something like the Hindley-Milner type equations. Andrew @Daniel
“I assume you mean “inference” and not “reconstruction”?”

It’s simpler really than what you mean by both. My system is a hierarchical component model (i.e. a component contains instances of other components wired in using connectors). My “inference” allows the required and provided interfaces of ports of composite components (made up of other components) to be determined automatically. You can also represent relationships between ports on implementation components which bear on the composite case.

Whilst not trivial, it’s a long way from specifying something like the Hindley-Milner type equations.

Andrew

]]> By: Daniel Spiewak http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4365 Daniel Spiewak Mon, 01 Dec 2008 21:44:00 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4365 @Andrew Cool! I don't really understand everything that's going on in the linked Alloy proof, but to prove a system with full type inference is an impressive feat (I assume you mean "inference" and not "reconstruction"?). SASyLF is nice, but things get horribly ugly if you try to prove the soundness of things involving unification at the type level. For example, you could probably prove the soundness of a Prolog type system (if it had one) in SASyLF, but it would be nasty in the extreme. Alloy looks like it may not suffer from that shortcoming. @Andrew

Cool! I don’t really understand everything that’s going on in the linked Alloy proof, but to prove a system with full type inference is an impressive feat (I assume you mean “inference” and not “reconstruction”?). SASyLF is nice, but things get horribly ugly if you try to prove the soundness of things involving unification at the type level. For example, you could probably prove the soundness of a Prolog type system (if it had one) in SASyLF, but it would be nasty in the extreme. Alloy looks like it may not suffer from that shortcoming.

]]> By: Andrew McVeigh http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4364 Andrew McVeigh Mon, 01 Dec 2008 20:53:17 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4364 @Daniel Alloy works off structure -- i.e. you define sigs (signatures) which loosely correspond to classes. The model checker (finder?) will then look for solutions to your logical specification. If it doesn't find any, you have only really verified your logic within the specified state space. One of the key things it doesn't have is recursive functions -- you have to use recursive structures for that. As for proving the soundness of a type system -- i'm not so sure. It can be used for large and complex examples if needed. I used Alloy to formally specify a fairly large and intense component system with full type inference: http://www.doc.ic.ac.uk/~amcveigh/papers/transfer/alloy.pdf Cheers, Andrew @Daniel
Alloy works off structure — i.e. you define sigs (signatures) which loosely correspond to classes. The model checker (finder?) will then look for solutions to your logical specification. If it doesn’t find any, you have only really verified your logic within the specified state space. One of the key things it doesn’t have is recursive functions — you have to use recursive structures for that.

As for proving the soundness of a type system — i’m not so sure. It can be used for large and complex examples if needed. I used Alloy to formally specify a fairly large and intense component system with full type inference: http://www.doc.ic.ac.uk/~amcveigh/papers/transfer/alloy.pdf

Cheers,
Andrew

]]> By: Daniel Spiewak http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4363 Daniel Spiewak Mon, 01 Dec 2008 17:52:47 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4363 Very interesting! It looks like Alloy is more geared toward program proving than SASyLF. On the inverse, it doesn't look like I could prove the soundness of a type system in Alloy. Different tools for different jobs I suppose. Very interesting! It looks like Alloy is more geared toward program proving than SASyLF. On the inverse, it doesn’t look like I could prove the soundness of a type system in Alloy. Different tools for different jobs I suppose.

]]> By: jherber http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf/comment-page-1#comment-4362 jherber Mon, 01 Dec 2008 17:42:04 +0000 http://www.codecommit.com/blog/scala/introduction-to-automated-proof-verification-with-sasylf#comment-4362 Alloy is another interesting software analysis/modeling tool for reasoning about systems: http://alloy.mit.edu/alloy4/tutorial4/ Alloy is another interesting software analysis/modeling tool for reasoning about systems: http://alloy.mit.edu/alloy4/tutorial4/

]]>