V1 Logical Foundations

References:

Preface

Source of Knowledge

Source of Knowledge [Mechanizing Proof. MacKenzie 2001]

  • Authority
  • Inductive reasoning
  • Deductive reasoning

Inductive vs. Deductive

cite: https://www.voxco.com/blog/inductive-vs-deductive-reasoning/

Inductive reasoning

Inductive reasoning is a logical thinking process that integrates observations with experiential information to draw a conclusion. You are employing the use of inductive reasoning every time you look at a set of data and then form general conclusions on knowledge from past experiences.

Inductive research is usually used when there is a lack of existing literature on a topic. This is because there is no existing theory that can be tested on the concept. The inductive training approach can be categorized into the following three stages:

  1. Observation
  2. Observe a Pattern
  3. Develop a Theory

e.g. Use history data, observe a pattern, and to predict the future: Given $6, 9, 12, 15, …$, then what is $n$th number?

cite: https://www.khanacademy.org/math/algebra-home/alg-series-and-induction/alg-deductive-and-inductive-reasoning/v/u12-l1-t3-we1-inductive-reasoning-1

Weakness:

A drawback of inductive reasoning is that inferences are made from specific situations that may not have significance in the real world.

Deductive reasoning

When employing deductive reasoning in research, you begin with a theory. This theory is then narrowed down into more specific hypotheses that can be tested. These are further narrowed down into observations that allow us to test the hypothesis to confirm whether the data supports or rejects the hypothesis.

The deductive training approach can therefore be categorized into the following four stages:

  1. Begin with an Existing Theory
  2. Formulate a Hypothesis based on the Existing Theory
  3. Collect Data to Test the Hypothesis
  4. Analyze the results to see whether the Data Supports or Rejects the Hypothesis

Weakness:

Relies on initial premises being correct. Deductive reasoning heavily relies on the initial premises being correct. The final argument is invalid if even one premise is found to be incorrect.

e.g. Mathematic equation solving in the class: $5+\sqrt{(x+14)} = x + 7$

Type Theory

(Static) Type System.

  • Compiler: deductive reasoning to check types.
  • Not strong enough:
    • strong enough to express that a function takes an integer as input, and produces an integer as output;
    • not strong enough to express that the function computes, say, a factorial.
  • Sound: well-typed programs don’t go wrong.
  • Might not complete: there could be programs that would never go wrong and yet cannot be typed with it.
  • Type casts might need to be inserted that cann’t be statically checked and could fail at runtime.

Usage Example of type system:

  • Python -> Dropbox.

  • Martin-Lof

  • ? Cornell. NuPRL [Robert Constable] – extract verified programs from proof of correctness.

  • 1980s. France. Calculus of Constructions [Gerard Huet and Thierry Coquand]

  • 1990s. Calculus of Inductive Constructions [Coquand and Christine PaulinMohring]

    • 2003. Coq 8.0.

The software crisis

– The begining of formal methods

Formal Methods

  • Formal Specifications.
    • Z notations
  • Formal Spec + Proofs about programs
    • “The Science of Programming”, David Gries.
  • Formal SPec + Proofs about programs + Machine checking.
    • with some defeats:
      • Godel: (1931)
      • Turing: Halting problem is undecidable.
      • Rice: every property of a software program is undecidable, unless is trivial (eg. compilers do).
    • TLA+

Foundations of Mathematics – incomplete/undedidable

@1931. Godel. Incompleteness theorem.

  • Any logic strong enough to reason about arithmetic must be incomplete.
  • Arithmetic
  • There will be propositions that can neither be proved nor disproved.

==> We have to admit a certain amount of defeat: if the correctness of our program involves such a proposition, we cannot succeed.

@ 1936. Turing. Halting – Undecidable.

  • No computer program can perfectly deterime whether another program will either terminate or run forever in an infinite loop on a given input.

@1951, Henry Gordon Rice. Syracuse University.

  • It is not just the halting problem that is undecidable: every property of a program is undecidable, unless that property is in some way he called trivial.
    • Trivial property: For example, it’s true of all programs, or it’s a property of the syntax of the program rather than its semantics. – Compilers, based on syntax;
    • Truely interesting semantic properties of programs are undecidable.

Overview

这一卷介绍三个内容:

  • 用于阐述和判定程序特性的基本的逻辑工具
  • 如何使用推理辅助器来构造严密的逻辑语句
  • 函数式编程(既作为一个简化程序分析的编程工具,也是一个计算机编程与逻辑学之间的桥梁)

This volume weaves together three conceptual threads:

  • basic tools from logic for making and justifying precise claims about programs;
  • the use of proof assistants to construct rigorous logical arguments;
  • functional programming, both as a method of programming that simplifies reasoning about programs and as a bridge between programming and logic.

Logic

事实发现,逻辑学对于计算机的作用效果,远远大于在数学领域所起的作用。这个发现起到了标志性的作用,因为近100年来所有的关于逻辑的研究都是来自数学领域。

在计算机领域,归纳证明几乎无处不在。你肯定在以前的离散数学或者算法分析的课程上见到过归纳证明,但是在这个课程中,我们将更为深入的探讨这个方法。

“As a matter of fact, logic has turned out to be siginicantly more effective in computer science than it has been in mathematics. This is quite remarkable, especially since much of the impetus for the development of logic during the past one hundred years came from mathematics.”

“In particular, the fundamental tools of inductive proof are ubiquitous in all of computer science. You have surely seen them before, perhaps in a course on discrete math or analysis of algorithms, but in this course we will examine them more deeply than you have probably done so far.”

Proof Assistants

逻辑学与计算机科学是互补的学科:计算机学科对逻辑学也是有贡献的。其中一个贡献便是用计算机开发出的用于构造证明的软件工具。这些软件工具包括两大类。

两大类证明器:

  1. 自动定理证明器提供了一个按钮式的功能:你给他一个断言(proposition),他给你一个结果(对、错或者不知道–超时)。这些工具的应用仍然局限在特定领域中,但是近几年已经取得了较好的发展,其应用范围有所扩大。
    • 比如 SAT求解器;SMT求解器(Z3);模型检测工具等。
  2. 辅助证明器是一种混合的工具:它把相对规范而容易自动化的特性证明用机器来做,而较难以自动化的证明采用人工诱导的方式。
    • 应用较广的辅助证明器有:Isabelle, Agda, Twelf, ACL2, PVS, Coq等。

Two broad categories of proof assistants:

  • Automated theorem provers provide “push-button” operation: you give them a proposition and they return either true or false (or, sometimes, don’t know: ran out of time).
    • Examples: SAT solvers, SMT solvers, and model checkers.
  • Proof assistants are hybrid tools that automate the more routine aspects of building proofs while depending on human guidance for more difficult aspects.
    • Examples: Isabelle, Agda, Twelf, ACL2, PVS, and Coq.

本教程基于Coq。

Coq

Coq的开发开始于1983年,并在近几年获得了学术界和产业界诸多用户的关注。 Coq为机器检查的形式化推理提供了一个丰富的交互式环境。

Coq的核心(kernel)是一个简单的证明检查器(Proof-checker),这个检查器能够保证,只有当推理(deduction)步骤完全正确,才能通过检查。

在核心之外,Coq提供了多种高级手段来辅助证明的构造,包括:

  • 一个汇聚了诸多公共定义和定理的证明库
  • 各种可以辅助构造复杂证明的证明策略(Tactics)
  • 一个可以用于构造新的证明策略的定制语言。

Kernel of Coq:

a simple proof-checker, guarantees that only correct deduction steps are ever performed.

Facilities in Coq:

  • A large library of common definitions and lemmas
  • Powerful tactics for constructing complex proofs semi-automatically
  • A special-purpose programming language for defining new proof-automation tactics for specific situations

Coq 在计算机科学和数学领域中的应用有很多方面:

  • 作为一个构造编程语言模型的平台。Coq已经成为编程语言设计人员的标准工具,用于分析复杂的语言定义。比如,Coq曾经被用于JavaCard平台的安全性

Usages of Coq:

  • As a platform for modeling programming languages. Examples:

    • check the security of the JavaCard platform
    • formal specifications of the X86 and LLVM instruction sets and programming languages such as C.

  • As an environment for developing formally certified software and hardware. Examples:

    • CompCert, a fully-verified optimizing compiler for C.
    • CertiKOS, a fully verified hypervisor.
    • Proving the correctness of subtle algorithms involving floating point numbers.
    • As basis for CertiCrypt, an environment for reasoning about the security of cryptographic algorithms.
    • Build verified implementations of the open-source RISC-V processor architecture.

  • As a realistic environment for functional programming with dependent types. Examples:

    • “Relational Hoare reasoning” embeded in Ynot system.

  • As a proof assistant for higher-order logic. Examples:

    • Proof of 4-color theorem.
    • Proof of Feit-Thompson Theorem.

Functional programming

Functional programming is:

  • a collection of programming idioms that can be used in almost any programming language

  • a family of programming languages designed to emphasize these idioms, including

    • Haskell, Ocaml, Standard ML, F#, Scala, Scheme, Racket, Common Lisp, Clojure, Erlang, and Coq.

  • Its roots go back to Church’s lambda-calculus, invented in 1930s, well before the first electronic computers.

  • Playing a key role in high-value systems at companies like Jane Street Capital, Microsoft, Facebook, Twitter, and Ericsson.

Most basic tenet: computation should be pure:

  • the only effect of execution should be to produce a result;
  • It should be free from side effects such as I/O, assignments to mutable variables, redirecting pointers, etc.

  • For example:

    • an imperative sorting function might take a list of numbers and rearrange its pointers to put the list in order;
    • a pure sorting function would take the original list and return a new list containing the same numbers in sorted order.
    • (A relative pure??? Numbers in the original list can semantically ‘point’ to some information??? Like, 127 means the ID of a car, and 128 another car?).

  • Benefits of pure functional programming

    • It makes programs easier to understand and reason about. If every operation on a data structure yields a new data structure, leaving the old one intact, then there is no need to worry about how that data structure is being shared and whether a change by one part of the program might break an invariant relied on by another part of the program. These considerations are particularly critical for concurrent systems, where every piece of mutable state that is shared between threads is a potential source of pernicious bugs. Indeed, a large part of the recent interest in functional programming in industry is due to its simpler behavior in the presence of concurrency.
    • Functional programs are often much easier to parallelize and physically distribute than their imperative counterparts.
    • If running a computation has no effect other than producing a result, then it does not matter where it is run.
    • Similary, if a data structure is never modified destructively, then it can be copied freely, across cores or across the network.
    • The “Map-Reduce” idiom, which lies at the heart of massively distributed query processors like Hadoop and is used by Google to index the entire web is a classic example of functional programming.
    • Functional programming serves as a bridge between logic and computer science.
    • Coq itself can be viewed as a comnbination of a small but extremely expressive functional programming language plus a set of tools for stating and proving logical assertions.
      • These two side of Coq are actually aspects of the very same underlying machinery – i.e., proofs are programs.

More

  • Coq

    • References: Basics: Functional Programming in Coq Functional style of programming is founded on simple, everyday mathematical intuition: If a procedure or method has no side effects, then (ignoring efficiency) all we need to understand about it is how it maps input to outputs. The direct connection between programs and simple mathematical objects supports both formal correctness proofs and sound informal reasoning about program behavior. Features of functional programming in Coq:

Created Apr 29, 2021 // Last Updated Feb 8, 2023

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?