Meta-F*: Proof Automation with SMT, Tactics, and Metaprograms

We introduce Meta-F*, a tactics and metaprogramming framework for the F* program verifier. The main novelty of Meta-F* is allowing the use of tactics and metaprogramming to discharge assertions not solvable by SMT, or to just simplify them into well-behaved SMT fragments. Plus, Meta-F* can be used to generate verified code automatically. Meta-F* is implemented as an F* effect, which, given the powerful effect system of F*, heavily increases code reuse and even enables the lightweight verification of metaprograms. Metaprograms can be either interpreted, or compiled to efficient native code that can be dynamically loaded into the F* type-checker and can interoperate with interpreted code. Evaluation on realistic case studies shows that Meta-F* provides substantial gains in proof development, efficiency, and robustness.Comment: Full version of ESOP'19 pape

Pascal’s Theorem in Real Projective Plane

SummaryIn this article we check, with the Mizar system [2], Pascal’s theorem in the real projective plane (in projective geometry Pascal’s theorem is also known as the Hexagrammum Mysticum Theorem)1. Pappus’ theorem is a special case of a degenerate conic of two lines. For proving Pascal’s theorem, we use the techniques developed in the section “Projective Proofs of Pappus’ Theorem” in the chapter “Pappus’ Theorem: Nine proofs and three variations” [11]. We also follow some ideas from Harrison’s work. With HOL Light, he has the proof of Pascal’s theorem2. For a lemma, we use PROVER93 and OTT2MIZ by Josef Urban4 [12, 6, 7]. We note, that we don’t use Skolem/Herbrand functions (see “Skolemization” in [1]).Rue de la Brasserie 5, 7100 La Louvière, BelgiumJesse Alama. Escape to Mizar for ATPs. arXiv preprint arXiv:1204.6615, 2012.Grzegorz Bancerek, Czesław Byliński, Adam Grabowski, Artur Korniłowicz, Roman Matuszewski, Adam Naumowicz, Karol Pąk, and Josef Urban. Mizar: State-of-the-art and beyond. In Manfred Kerber, Jacques Carette, Cezary Kaliszyk, Florian Rabe, and Volker Sorge, editors, Intelligent Computer Mathematics, volume 9150 of Lecture Notes in Computer Science, pages 261–279. Springer International Publishing, 2015. ISBN 978-3-319-20614-1. doi: 10.1007/978-3-319-20615-817.Roland Coghetto. Homography in ℝ ℙ2. Formalized Mathematics, 24(4):239–251, 2016. doi: 10.1515/forma-2016-0020.Roland Coghetto. Group of homography in real projective plane. Formalized Mathematics, 25(1):55–62, 2017. doi: 10.1515/forma-2017-0005.Agata Darmochwał. The Euclidean space. Formalized Mathematics, 2(4):599–603, 1991.Adam Grabowski. Solving two problems in general topology via types. In Types for Proofs and Programs, International Workshop, TYPES 2004, Jouy-en-Josas, France, December 15-18, 2004, Revised Selected Papers, pages 138–153, 2004. doi: 10.1007/116179909.Adam Grabowski. Mechanizing complemented lattices within Mizar system. Journal of Automated Reasoning, 55:211–221, 2015. doi: 10.1007/s10817-015-9333-5.Kanchun, Hiroshi Yamazaki, and Yatsuka Nakamura. Cross products and tripple vector products in 3-dimensional Euclidean space. Formalized Mathematics, 11(4):381–383, 2003.Wojciech Leończuk and Krzysztof Prażmowski. A construction of analytical projective space. Formalized Mathematics, 1(4):761–766, 1990.Wojciech Leończuk and Krzysztof Prażmowski. Projective spaces – part I. Formalized Mathematics, 1(4):767–776, 1990.Jürgen Richter-Gebert. Pappos’s Theorem: Nine Proofs and Three Variations, pages 3–31. Springer Berlin Heidelberg, 2011. ISBN 978-3-642-17286-1. doi: 10.1007/978-3-642-17286-11.Piotr Rudnicki and Josef Urban. Escape to ATP for Mizar. In First International Workshop on Proof eXchange for Theorem Proving-PxTP 2011, 2011.Wojciech Skaba. The collinearity structure. Formalized Mathematics, 1(4):657–659, 1990.Nobuyuki Tamura and Yatsuka Nakamura. Determinant and inverse of matrices of real elements. Formalized Mathematics, 15(3):127–136, 2007. doi: 10.2478/v10037-007-0014-7.25210711

A Tool for Producing Verified, Explainable Proofs

Mathematicians are reluctant to use interactive theorem provers. In this thesis I argue that this is because proof assistants don't emphasise explanations of proofs; and that in order to produce good explanations, the system must create proofs in a manner that mimics how humans would create proofs. My research goals are to determine what constitutes a human-like proof and to represent human-like reasoning within an interactive theorem prover to create formalised, understandable proofs. Another goal is to produce a framework to visualise the goal states of this system. To demonstrate this, I present HumanProof: a piece of software built for the Lean 3 theorem prover. It is used for interactively creating proofs that resemble how human mathematicians reason. The system provides a visual, hierarchical representation of the goal and a system for suggesting available inference rules. The system produces output in the form of both natural language and formal proof terms which are checked by Lean's kernel. This is made possible with the use of a structured goal state system which interfaces with Lean's tactic system which is detailed in Chapter 3. In Chapter 4, I present the subtasks automation planning subsystem, which is used to produce equality proofs in a human-like fashion. The basic strategy of the subtasks system is break a given equality problem in to a hierarchy of tasks and then maintain a stack of these tasks in order to determine the order in which to apply equational rewriting moves. This process produces equality chains for simple problems without having to resort to brute force or specialised procedures such as normalisation. This makes proofs more human-like by breaking the problem into a hierarchical set of tasks in the same way that a human would. To produce the interface for this software, I also created the ProofWidgets system for Lean 3. This system is detailed in Chapter 5. The ProofWidgets system uses Lean's metaprogramming framework to allow users to write their own interactive, web-based user interfaces to display within the VSCode editor and in an online web-editor. The entire tactic state is available to the rendering engine, and hence expression structure and types of subexpressions can be explored interactively. The ProofWidgets system also allows the user interface to interactively edit the proof document, enabling a truly interactive modality for creating proofs; human-like or not. In Chapter 6, the system is evaluated by asking real mathematicians about the output of the system, and what it means for a proof to be understandable to them. The user group study asks participants to rank and comment on proofs created by HumanProof alongside natural language and pure Lean proofs. The study finds that participants generally prefer the HumanProof format over the Lean format. The verbal responses collected during the study indicate that providing intuition and signposting are the most important properties of a proof that aid understanding.EPSR

Proof-theoretic Semantics for Intuitionistic Multiplicative Linear Logic

This work is the first exploration of proof-theoretic semantics for a substructural logic. It focuses on the base-extension semantics (B-eS) for intuitionistic multiplicative linear logic (IMLL). The starting point is a review of Sandqvist’s B-eS for intuitionistic propositional logic (IPL), for which we propose an alternative treatment of conjunction that takes the form of the generalized elimination rule for the connective. The resulting semantics is shown to be sound and complete. This motivates our main contribution, a B-eS for IMLL , in which the definitions of the logical constants all take the form of their elimination rule and for which soundness and completeness are established

Mécanismes Orientés-Objets pour l'Interopérabilité entre Systèmes de Preuve

Dedukti is a Logical Framework resulting from the combination ofdependent typing and rewriting. It can be used to encode many logicalsystems using shallow embeddings preserving their notion of reduction.These translations of logical systems in a common format are anecessary first step for exchanging proofs between systems. Thisobjective of interoperability of proof systems is the main motivationof this thesis.To achieve it, we take inspiration from the world of programminglanguages and more specifically from object-oriented languages becausethey feature advanced mechanisms for encapsulation, modularity, anddefault definitions. For this reason we start by a shallowtranslation of an object calculus to Dedukti. The most interestingpoint in this translation is the treatment of subtyping.Unfortunately, it seems very hard to incorporate logic in this objectcalculus. To proceed, object-oriented mechanisms should be restrictedto static ones which seem enough for interoperability. Such acombination of static object-oriented mechanisms and logic is alreadypresent in the FoCaLiZe environment so we propose a shallow embeddingof FoCaLiZe in Dedukti. The main difficulties arise from theintegration of FoCaLiZe automatic theorem prover Zenon and from thetranslation of FoCaLiZe functional implementation language featuringtwo constructs which have no simple counterparts in Dedukti: localpattern matching and recursion.We then demonstrate how this embedding of FoCaLiZe to Dedukti can beused in practice for achieving interoperability of proof systemsthrough FoCaLiZe, Zenon, and Dedukti. In order to avoid strengtheningto much the theory in which the final proof is expressed, we useDedukti as a meta-language for eliminating unnecessary axioms.Dedukti est un cadre logique résultant de la combinaison du typagedépendant et de la réécriture. Il permet d'encoder de nombreuxsystèmes logiques au moyen de plongements superficiels qui préserventla notion de réduction.Ces traductions de systèmes logiques dans un format commun sont unepremière étape nécessaire à l'échange de preuves entre cessystèmes. Cet objectif d'interopérabilité des systèmes de preuve estla motivation principale de cette thèse.Pour y parvenir, nous nous inspirons du monde des langages deprogrammation et plus particulièrement des langages orientés-objetparce qu'ils mettent en œuvre des mécanismes avancés d'encapsulation,de modularité et de définitions par défaut. Pour cette raison, nouscommençons par une traduction superficielle d'un calcul orienté-objeten Dedukti. L'aspect le plus intéressant de cette traduction est letraitement du sous-typage.Malheureusement, ce calcul orienté-objet ne semble pas adapté àl'incorporation de traits logiques. Afin de continuer, nous devonsrestreindre les mécanismes orientés-objet à des mécanismes statiques,plus faciles à combiner avec la logique et apparemment suffisant pournotre objectif d'interopérabilité. Une telle combinaison de mécanismesorientés-objet et de logique est présente dans l'environnementFoCaLiZe donc nous proposons un encodage superficiel de FoCaLiZe dansDedukti. Les difficultés principales proviennent de l'intégration deZenon, le prouveur automatique de théorèmes sur lequel FoCaLiZerepose, et de la traduction du langage d'implantation fonctionnel deFoCaLiZe qui présente deux constructions qui n'ont pas decorrespondance simple en Dedukti : le filtrage de motif local et larécursivité.Nous démontrons finalement comment notre encodage de FoCaLiZe dansDedukti peut servir en pratique à l'interopérabilité entre dessystèmes de preuve à l'aide de FoCaLiZe, Zenon et Dedukti. Pour éviterde trop renforcer la théorie dans laquelle la preuve finale estobtenue, nous proposons d'utiliser Dedukti en tant que méta-langagepour éliminer des axiomes superflus

Programming Languages and Systems

This open access book constitutes the proceedings of the 28th European Symposium on Programming, ESOP 2019, which took place in Prague, Czech Republic, in April 2019, held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019