The aim of the Parsifal team is to develop and exploit proof theory and type theory in the specification and verification of computational systems.
Expertise: the team conducts basic research in proof theory and type theory. In particular, the team is developing results that help with automated deduction and with the manipulation and communication of formal proofs.
Design: based on experience with computational systems and theoretical results, the team develops new logical principles, new proof systems, and new theorem proving environments.
Implementation: the team builds prototype systems to help validate basic research results.
Examples: the design and implementation efforts are guided by examples of specification and verification problems. These examples not only test the success of the tools but also drive investigations into new principles and new areas of proof theory and type theory.
The foundational work of the team focuses on structural and analytic proof theory, i.e., the study of formal proofs as algebraic and combinatorial structures and the study of proof systems as deductive and computational formalisms. The main focus in recent years has been the study of the sequent calculus and of the deep inference formalisms.
An important research question is how to reason about computational specifications that are written in a relational style. To this end, the team has been developing new approaches to dealing with induction, co-induction, and generic quantification. A second important question is of canonicity in deductive systems, i.e., when are two derivations “essentially the same”? This crucial question is important not only for proof search, because it gives an insight into the structure and an ability to manipulate the proof search space, but also for the communication of proof objects between different reasoning agents such as automated theorem provers and proof checkers.
Important application areas currently include:
Meta-theoretic reasoning on functional programs, such as terms
in the
Reasoning about behaviors in systems with concurrency and
communication, such as the
Combining interactive and automated reasoning methods for induction and co-induction
Verification of distributed, reactive, and real-time algorithms that are often specified using modal and temporal logics
Representing proofs as documents that can be printed, communicated, and checked by a wide range of computational logic systems.
Stefan Hetzl received his Habilitation 5 November 2012 from the Technical University of Vienna.
Kaustuv Chaudhuri and Stefan Hetzl organized "Collegium Logicum 2012: Structural Proof Theory" at Inria-Saclay.
Dale Miller and Gopalan Nadathur (Professor at the University of Minnesota) published a book title "Programming with higher-order logic" (June 2012, Cambridge University Press).
There are two broad approaches for computational specifications. In the computation as model approach, computations are encoded as mathematical structures containing nodes, transitions, and state. Logic is used to describe these structures, that is, the computations are used as models for logical expressions. Intensional operators, such as the modals of temporal and dynamic logics or the triples of Hoare logic, are often employed to express propositions about the change in state.
The computation as deduction approach, in contrast, expresses computations logically, using formulas, terms, types, and proofs as computational elements. Unlike the model approach, general logical apparatus such as cut-elimination or automated deduction becomes directly applicable as tools for defining, analyzing, and animating computations. Indeed, we can identify two main aspects of logical specifications that have been very fruitful:
Proof normalization, which treats the state of a
computation as a proof term and computation as normalization of the
proof terms. General reduction principles such as
Proof search, which views the state of a computation as a a structured collection of formulas, known as a sequent, and proof search in a suitable sequent calculus as encoding the dynamics of the computation. Logic programming is based on proof search , and different proof search strategies can be used to justify the design of new and different logic programming languages .
While the distinction between these two aspects is somewhat informal, it helps to identify and classify different concerns that arise in computational semantics. For instance, confluence and termination of reductions are crucial considerations for normalization, while unification and strategies are important for search. A key challenge of computational logic is to find means of uniting or reorganizing these apparently disjoint concerns.
An important organizational principle is structural proof theory, that is, the study of proofs as syntactic, algebraic and combinatorial objects. Formal proofs often have equivalences in their syntactic representations, leading to an important research question about canonicity in proofs – when are two proofs “essentially the same?” The syntactic equivalences can be used to derive normal forms for proofs that illuminate not only the proofs of a given formula, but also its entire proof search space. The celebrated focusing theorem of Andreoli identifies one such normal form for derivations in the sequent calculus that has many important consequences both for search and for computation. The combinatorial structure of proofs can be further explored with the use of deep inference; in particular, deep inference allows access to simple and manifestly correct cut-elimination procedures with precise complexity bounds.
Type theory is another important organizational principle, but most popular type systems are generally designed for either search or for normalization. To give some examples, the Coq system that implements the Calculus of Inductive Constructions (CIC) is designed to facilitate the expression of computational features of proofs directly as executable functional programs, but general proof search techniques for Coq are rather primitive. In contrast, the Twelf system that is based on the LF type theory (a subsystem of the CIC), is based on relational specifications in canonical form (i.e., without redexes) for which there are sophisticated automated reasoning systems such as meta-theoretic analysis tools, logic programming engines, and inductive theorem provers. In recent years, there has been a push towards combining search and normalization in the same type-theoretic framework. The Beluga system , for example, is an extension of the LF type theory with a purely computational meta-framework where operations on inductively defined LF objects can be expressed as functional programs.
The Parsifal team investigates both the search and the normalization aspects of computational specifications using the concepts, results, and insights from proof theory and type theory.
The team has spent a number of years in designing a strong new logic
that can be used to reason (inductively and co-inductively) on
syntactic expressions containing bindings. This work has been
published is a series of papers by McDowell and Miller
, Tiu and Miller
, and Gacek, Miller, and
Nadathur . Besides presenting
formal properties of these logic, these papers also documented a
number of examples where this logic demonstrated superior approaches
to reasoning about a number of complex formal systems, ranging from
programming languages to the
The team has also been working on three different prototype theorem proving system that are all related to this stronger logic. These systems are the following.
Abella, which is an interactive theorem prover for the full logic.
Bedwyr, which is a model checker for the “finite” part of the logic.
Tac, which is a sophisticate tactic for automatically completing simple proofs involving induction and unfolding.
We are now in the process of attempting to make all of these system communicate properly. Given that these systems have been authored by different team members at different times and for different reasons, they do not formally share the same notions of syntax and proof. We are now working to revisit all of these systems and revise them so that they all work on the same logic and so that they can share their proofs with each other.
Currently, Chaudhuri, Miller, and Accattoli are working with our technical staff member, Heath, to redesign and restructure these systems so that they can cooperate in building proofs.
The team has been considering how it might be possible to define a universal format for proofs so that any existing theorem provers can have its proofs trusted by any other prover. This is a rather ambitious project and involves a great deal of work at the infrastructure level of computational logic. As a result, we have put significant energies into considering the high-level objectives and consequences of deploying such proof certificates.
Our current thinking on this point is roughly the following. Proofs, both formal and informal, are documents that are intended to circulate within societies of humans and machines distributed across time and space in order to provide trust. Such trust might lead a mathematician to accept a certain statement as true or it might help convince a consumer that a certain software system is secure. Using this general definition of proof, we have re-examined a range of perspectives about proofs and their roles within mathematics and computer science that often appears contradictory.
Given this view of proofs as both document and object, that need to be communicated and checked, we have attempted to define a particular approach to a broad spectrum proof certificate format that is intended as a universal language for communicating formal proofs among computational logic systems. We identify four desiderata for such proof certificates: they must be
checkable by simple proof checkers,
flexible enough that existing provers can conveniently produce such certificates from their internal evidence of proof,
directly related to proof formalisms used within the structural proof theory literature, and
permit certificates to elide some proof information with the expectation that a proof checker can reconstruct the missing information using bounded and structured proof search.
We consider various consequences of these desiderata, including how they can mix computation and deduction and what they mean for the establishment of marketplaces and libraries of proofs. More specifics can be found in Miller's papers and .
In order to develop an approach to proof certificates that is as comprehensive as possible, one needs to handle theorems and proofs in both classical logic and intuitionistic logic. Yet, building two separate libraries, one for each logic, can be inconvenient and error-prone. An ideal approach would be to design a single proof system in which both classical and intuitionistic proofs can exist together. Such a proof system should allow cut-elimination to take place and should have a sensible semantic framework.
Liang and Miller have recently been working on exactly that problem. In their paper , they showed how to describe a general setting for specifying proofs in intuitionistic and classical logic and to achieve one framework for describing initial-elimination and cut-elimination for such these two logics. That framework allowed for some mixing of classical and intuitionistic features in one logic. A more ambitious merging of these logics was provided in their work on “polarized intuitionistic logic” in which classical and intuitionistic connectives can be used within the same formulas .
Deep inference , is a novel methodology for presenting deductive systems. Unlike traditional formalisms like the sequent calculus, it allows rewriting of formulas deep inside arbitrary contexts. The new freedom for designing inference rules creates a richer proof theory. For example, for systems using deep inference, we have a greater variety of normal forms for proofs than in sequent calculus or natural deduction systems. Another advantage of deep inference systems is the close relationship to categorical proof theory. Due to the deep inference design one can directly read off the morphism from the derivations. There is no need for a counter-intuitive translation.
The following research problems are investigated by members of the Parsifal team:
Find deep inference system for richer logics. This is necessary for making the proof theoretic results of deep inference accessible to applications as they are described in the previous sections of this report.
Investigate the possibility of focusing proofs in deep inference. As described before, focusing is a way to reduce the non-determinism in proof search. However, it is well investigated only for the sequent calculus. In order to apply deep inference in proof search, we need to develop a theory of focusing for deep inference.
Proof nets and atomic flows are abstract (graph-like) presentations of proofs such that all "trivial rule permutations" are quotiented away. Ideally the notion of proof net should be independent from any syntactic formalism, but most notions of proof nets proposed in the past were formulated in terms of their relation to the sequent calculus. Consequently we could observe features like “boxes” and explicit “contraction links”. The latter appeared not only in Girard's proof nets for linear logic but also in Robinson's proof nets for classical logic. In this kind of proof nets every link in the net corresponds to a rule application in the sequent calculus.
Only recently, due to the rise of deep inference, new kinds of proof nets have been introduced that take the formula trees of the conclusions and add additional “flow-graph” information (see e.g., , and . On one side, this gives new insights in the essence of proofs and their normalization. But on the other side, all the known correctness criteria are no longer available.
This directly leads to the following research questions investigated by members of the parsifal team:
Finding (for classical logic) a notion of proof nets that is deductive, i.e., can effectively be used for doing proof search. An important property of deductive proof nets must be that the correctness can be checked in linear time. For the classical logic proof nets by Lamarche and Straßburger this takes exponential time (in the size of the net).
Studying the normalization of proofs in classical logic using atomic flows. Although there is no correctness criterion they allow to simplify the normalization procedure for proofs in deep inference, and additionally allow to get new insights in the complexity of the normalization.
Automated theorem proving has traditionally focused on classical first-order logic, but non-classical logics are increasingly becoming important in the specification and analysis of software. Most type systems are based on (possibly second-order) propositional intuitionistic logic, for example, while resource-sensitive and concurrent systems are most naturally expressed in linear logic.
The members of the Parsifal team have a strong expertise in the design and implementation of performant automated reasoning systems for such non-classical logics. In particular, the Linprover suite of provers continue to be the fastest automated theorem provers for propositional and first-order linear logic.
Any non-trivial specification, of course, will involve theorems that are simply too complicated to prove automatically. It is therefore important to design semi-automated systems that allow the user to give high level guidance, while at the same time not having to write every detail of the formal proofs. High level proof languages in fact serve a dual function – they are more readily comprehended by human readers, and they tend to be more robust with respect to maintenance and continued evolution of the systems. Members of the Parsifal team, in association with other Inria teams and Microsoft Research, have been building a heterogeneous semi-automatic proof system for verifying distributed algorithms .
On a more foundational level, the team has been developing many new insights into the structure of proofs and the proof search spaces. Two directions, in particular, present tantalizing possibilities:
The concept of multi-focusing can be used to expose concurrency in computational behavior, which can in turn be exploited to prune areas of the proof search space that explore irrelevant interleavings of concurrent actions.
The use of bounded search, where the bounds can be shown to be complete by meta-theoretic analysis, can be used to circumvent much of the non-determinism inherent in resource-sensitive logics such as linear logic. The lack of proofs of a certain bound can then be used to justify the presence or absence of properties of the encoded computations.
Much of the theoretical work on automated reasoning has been motivated by examples and implementations, and the Parsifal team intends to continue to devote significant effort in these directions.
There has been increasing interest in the use of formal methods to provide proofs of properties of programs and programming languages. Tony Hoare's Grand Challenge titled “Verified Software: Theories, Tools, Experiments” has as a goal the construction of “verifying compilers” for a world where programs would only be produced with machine-verified guarantees of adherence to specified behavior. Guarantees could be given in a number of ways: proof certificates being one possibility.
The POPLMark challenge envisions “a world in which mechanically verified software is commonplace: a world in which theorem proving technology is used routinely by both software developers and programming language researchers alike.” The proposers of this challenge go on to say that a “crucial step towards achieving these goals is mechanized reasoning about language metatheory.”
The Parsifal team has developed several tools and techniques for
reasoning about the meta-theory of programming languages. One of the
most important requirements for programming languages is the ability
to reason about data structures with binding constructs up to
Now that the Abella system has been in circulation among colleagues during the past couple of years, there are many aspects of the methodology that now need to be addressed. During the summer of 2011, the team employed three interns Carnegie Mellon University and McGill University to work on different aspects of Abella. Particular focus was given to better ways to manipulate specification-logic contexts in the reasoning-logic and with finding ways to have Abella output a proper proof object (different from the scripts that are used to find a proof).
Our colleague Alwen Tiu from the Australian National University has also been building on our Bedwyr model checking tool so that we can build on top of it his SPEC system for doing model checking of spi-calculus expressions. We have adopted his enhancements to Bedwyr and are developing further improvements within the context of the BATT project (see Section ).
Members of the Parsifal team have shown how to specify a large variety of proof systems—including natural deduction, the sequent calculus, and various tableau and free deduction systems—uniformly using either focused linear logic , or focused intuitionistic logic as the meta-language. In the presence of induction and co-induction, arbitrary finite computations can be embedded into single synthetic steps . Additional work shows that this same framework can also capture resolution refutations as well as Pratt primality certificates.
An important application then of this work in designing synthetic inference systems based on classical and intuitionistic logic is that of designing a broad spectrum proof certificate. The definition of proof certificates can be remarkably flexible within the simple setting of focused proofs.
The most important implications of such a certificate format would be that most of the worlds theorem provers should be able to print out their proofs and communication them to other provers: these other provers could then check such certificates by expanding the synthetic connectives they contain down into a small and fixed set of “micro” inference rules.
Automated reasoning uses a broad range of techniques whose soundness and completeness relate to the existence of proofs. The research programme of the ANR PSI project at Parsifal is to build a finer-grained connection by specifying automated reasoning techniques as the step-by-step construction of proofs, as we know it from proof theory and logic programming. The goal is to do this in a unifying framework, namely proof-search in a polarized and focussed logic. One of the advantages of this is to combine those techniques more easily. Another one is to envisage extending those techniques.
For instance, SAT-modulo-Theory problems require the combination of logical reasoning with domain-specific decision procedures. So in the PSI project we study how to incorporate the call to decision procedures in proof-theoretical framework like the focussed sequent calculus, and the proof-search mechanisms that are related to it.
In the same spirit we also study how to handle existential variables and equality, for which specific automated reasoning techniques have been designed (superposition / paramodulation calculi).
Abella is an interactive theorem prover based on the two-level logic logic approach. It consists of a sophisticated reasoning logic that supports induction, co-induction, and generic reasoning, and a specification logic that is based on logic programming. Abella was initially designed to reason about simple second-order Lambda Prolog programs, which is sufficient for the computational specifications.
During 2012, as part of the RAPT Associated Team, Chaudhuri and Yuting Wang (intern from Univ. Minnesota) have been working on extending the expressive power of both levels of the Abella system. The following modifications have been made.
We have extended the specification logic to support the full Lambda Prolog, which can be used to provide succinct higher-order specifications that tend to be unnatural and difficult to reason about with only second-order Lambda Prolog programs.
We have extended the type system of Abella from simple types to parametrically polymorphic types. This is a significant improvement in the user-friendliness of the system as a lot of code does not have to be manually monomorphised and duplicated any more.
We have experimented with extending the type system of Abella even further to higher-order predicate quantification. The theoretical basis of this work is a part of ongoing research, although we already have a number of examples of practical benefits of this extension.
Finally, several improvements have been made to Abella's proof language to make the proofs more robust and reusable. We intend to make a more drastic change to the proof language in the future that will make proofs more declarative and high level.
The core development of Abella has also been centralized, with a
single canonical repository and a new web-page:
http://
The next version of Abella, version 2.0, is in beta testing with expected release early in 2013.
During 2012, Quentin Heath has made the following important improvements to the Bedwyr model checking system.
The concrete syntaxs for Bedwyr and Abella have been unified. Now, both systems can load the definitions and theorems developed in the other system. Eventually, we expect to have our model checker (Bedwyr) and interactive theorem prover (Abella) share theories and proofs.
The documentation, distribution, and testing of Bedwyr were all improved, greatly increasing the usability of this system.
The underlying support for logic has also been increased. In particular, the Bedwyr system contains a tabling mechanism which is capable of remembering past successful proofs (it can even support a finite failure as a successful proof of a negation). The most recent version of Bedwyr allows one to actually program the table in rather sophisticated ways. For example, simple lemmas can be loaded into the table and these lemmas can be used to greatly extend the range of what is tabled (remembered). We are currently examining different trade-offs between different styles of reasoning in the table (backchaining vs forwardchaining).
The work of Heath is being done in the context of the BATT ADJ project funded by Inria.
See also the web page http://
Psyche (Proof-Search factorY for Collaborative HEuristics) is a modular programme for universal proof-search in classical logic. The motivation is twofold:
On the one hand, prove some mathematics of the broadest range while making the most of problem-specific techniques; On the other hand, gain high confidence about the correctness of the proofs produced without having to rely on a proof-checker.
The architecture is that of an interaction between a trusted universal kernel and smart plugins that are meant be efficient at solving certain kinds of problems:
The kernel contains the mechanisms for exploring the proof-search space in a sound and complete way, taking into account branching and backtracking. The output of Psyche comes from the (trusted) kernel and is therefore correct by construction. The plugins then drive the kernel by specifying how the branches of the search space should be explored, depending on the kind of problem that is being treated. The quality of the plugin is then measured by how fast it drives the kernel towards the final answer.
Version 1.0 of Psyche (released 4/9/2012) handles classical propositional logic, and its proof-search mechanism is simply the incremental construction of proof-trees in the polarised and focussed sequent calculus. The mechanism is driven by a plugin that emulates the behaviour of a SAT-solver (DPLL), with non-trivial features such as the eager application of the Unit Propagation rule, conflict analysis, backjumping and clause learning.
Psyche's input for that kind of SAT-problem is a file given in the standard DIMACS format.
See also the web page http://
The sequent calculus is often criticized as a proof syntax because it contains a lot of noise. It records the precise minute sequence of operations that was used to construct a proof, even when the order of some proof steps in the sequence is irrelevant and when some of the steps are unnecessary or involve detours. These features lead to several technical problems: for example, cut-elimination in the classical sequent calculus LK, as originally developed by Gentzen, is not confluent, and hence proof composition in LK is not associative. Many people choose to discard the sequent calculus when attempting to design a better proof syntax with the desired properties.
In recent years, there has been a project at Parsifal to recover some of these alternative proof syntaxes by imposing a certain abstraction over sequent proofs. The earliest example of this was in , where we showed a class of sequent proofs that were isomorphic to proof nets for multiplicative linear logic. In 2012, we were able to obtain a similar result for first-order classical logic, wherein we defined a class of sequent proofs that are isomorphic to expansion trees, a generalization of Herbrand disjunctions that is in some sense a minimalistic notion of proof for classical logic. This result was published at the CSL 2012 conference and a journal version is in preparation.
Our technique for recovering these dramatically different proof structures directly in the sequent calculus involves the use of maximal multi-focusing which gives a syntactic characterization of those sequent proofs that: (1) have a “don't care” ordering of proof steps where the order does not matter, and (2) groups larger logical steps, called actions, into a maximally parallel form where only important orderings of actions are recorded. This technique was pioneered at Parsifal, and we have barely scratched the surface of its applications.
An important engineering question in the ProofCert project is that of communicating, manipulating, and storing formal proof certificates. A fully detailed proof certificate, especially one generated by proof search, can be very large. Using such proofs would require a high bandwidth interface between the proof producer and consumer, which limits the scalability of the ensemble of proving systems approach. It is therefore natural to ask if there are more compact formats for proof certificates. The ideal format would have a tunable level of detail, so that the size of the certificates can be tailored to the application domain.
Suppose the proof consumer is equipped with some proof search capabilities. What then needs to be transmitted to the consumer to guarantee that it can check a proof within desired complexity bounds? It turns out that there is a systematic and general answer to this problem: use focusing and record only the “decision” rules of focusing in the proof certificate. From a high level perspective, this answer is equivalent to designing a proof system where the contraction rules are carefully bounded.
A proposal along these lines was published at the CPP 2012 conference . In fact, this paper solves a harder than necessary problem by building proof certificates for linear logic, where unconstrained proof search has very high complexity even in the propositional fragment. The proposed solution is a spectrum of certificates that trades off the size of the certificate for the complexity of checking the certificate. At one end we have a very compact certificate that essentially amounts to a maximum depth of the proof, but reconstructing a proof with only a depth bound tends to be infeasible as the search space grows super-exponentially with the depth. Certificates at other end of the spectrum contain information about all the contractions in the proof; these certificates can be checked deterministically, in time proportional to the size of the certificate. Moreover, there is a simple abstraction mechanism between different levels of detail in this spectrum that allows for a proof elaborator to alter the level of detail in the certificate.
In a paper that appeared in the J. of Automated Reasoning, Gacek,
Miller, and Nadathur described the foundations and
architecture of a new interactive theorem prover capable of reasoning
with rich collections of inductive and coinductive relations. This
prover, called Abella, also contains the “generic” quantifier
A novel aspect of Abella is that it can define provability in various
simple logics and can also reason about provability in such logics.
The current system includes a specification logic that is a
(restricted) intuitionistic logic programming language (a sublanguage
of
This approach to reasoning about computation has interesting applications. For example, the reasoning logic is aware of the fact that the cut and substitution rules can be eliminated in the specification logic. As a consequence, the notoriously difficult "substitution lemmas" that occur repeated in the study of operational semantics are proved essentially for free (that is, they are an immediate consequence of cut-elimination).
In , Accattoli showed that when one reasons about
the untyped
Programs that must deal with floating point programs and their associate errors can have erratic behavior. In particular, a program that yields outputs that depend continuously on their inputs (in an idealized arithmetic setting) can behave non-continuously when using floating point arithmetic. There are few tools for reasoning about program correctness in a setting that allows for such discontinuous operators.
In , Gazeau, Miller, and Palamidessi provide an approach to reason about some programs that are not continuous. In that paper, they introduce the notion of “robustness”, which intuitively means that if the input to the program changes less than a fixed small amount then the output changes only slightly. This notion is useful in the analysis of rounding error for floating point programs because it helps to establish bounds on output errors introduced by both measurement errors and by floating point computation. Compositional methods often do not work since key constructs—like the conditional and the while-loop—are not robust. The authors proposed a method for proving the robustness of a while-loop. This method is non-local in the sense that instead of breaking the analysis down to single lines of code, it checks certain global properties of its structure. This paper shows that both the CORDIC computation of the cosine and Dijkstra's shortest path algorithm are robust.
It is well-known that cut-elimination in the sequent calculus for classical first-order logic is in its most general form, is neither confluent nor strongly normalizing. But if one takes a coarser (and mathematically more realistic) look at cut-free proofs, one can analyze which witnesses they choose for which quantifiers, or in other words: one can only consider the Herbrand-disjunction of a cut-free proof. This yields a surprising confluence result for a natural class of proofs: all (possibly infinitely many) normal forms of the non-erasing cut reduction lead to the same Herbrand-disjunction. This result has been presented at CSL 2012 .
A curious aspect of Girard's proof nets for multiplicative linear logic without units is that, despite being a canonical representation of proof, their categorical semantics is not obvious—this in contrast to the situation with units, where star-autonomous categories form a natural semantics, but no canonical proof nets are known.
In the middle of the past decade several proposals for a categorical semantics of proof nets, a notion of semi-star-autonomous categories, were investigated: by Robin Houston and Dominic Hughes, by Kosta Došen, and by François Lamarche and Lutz Straßburger.
The present effort by Willem Heijltjes and Lutz Straßburger completes the notion in such a way that proof nets constitute the free semi-star-autonomous category.
Starting from the study of Linear Logic proof nets, a new approach to explicit substitutions for ł-calculus has recently been introduced by Accattoli and D. Kesner . This approach has been systematically explored by Accattoli and his co-authors.
The rewriting theory of these new explicit substitutions at a
distance has been studied in and
. In Accattoli and Kesner
study the preservation of
In it is shown how to prove this theorem in an uniform way for many explicit subsitutions calculi. The technique emerged as a generalization of the proofs for explicit substitutions at a distance, which are simpler than usual explicit substitutions and thus lead to cleaner and more compact arguments, easier to generalize.
Applications of explicit substitutions at a distance have been studied in , , . In Accattoli and Dal Lago show that the length of the head reduction in calculi at a distance is a measure of time complexity. More precisely, they show that such a quantity is polynomially related (in both directions) to the cost of evaluating with Turing Machines. This result is an important step forward towards the solution of the long-standing open problem of finding a time cost model for ł-calculus.
In Accattoli and Paolini apply substitutions
at a distance in a call-by-value setting. They show that in this new
framework there is a natural characterization of solvability,
an important notion related to denotational semantics and the
representation of partial recursive functions. In
(a work presented to a workshop and currently
submitted to the post-proceedings of the workshop) Accattoli shows the
tight relations between the framework in and
linear logic proof nets, providing a new characterization of the proof
nets representing the call-by-value
Finally, in Accattoli and Kesner introduce a
calculus generalizing many different extensions of
In the PSI project, we have designed a version of the focussed sequent calculus (for first-order classical logic) that can call external decision procedures. Since the last Activity Report, we have finished proving the essential meta-theory for it: soundness, invertibility of asynchronous rules, cut-elimination, the fact that polarities do not affect provability but only the shape of proofs, and finally completeness.
The first properties are the object of , while the latter ones have been obtained later in 2012.
A side-product of this meta-theory is a technical device that could be used to encode other techniques from automated reasoning like connection tableaux.
Secondly, we have encoded the SMT-solving algorithm DPLL(T) as the incremental construction of proof-trees in that sequent calculus , . A very interesting aspect of the encodings is that the basic rules of DPLL(T) makes use of cuts on atoms in sequent calculus, while the advanced jrules (e.g. backjumping) makes use of general cuts. This sheds a new light on the computational speed-ups that those advanced rules provide.
We have done the encoding for two distinct presentations of DPLL(T) in the literature, and we have formalised the connection between those two descriptions .
For the last five or six years there has been a surge of interest in finding models for the identity type in Martin-Löf type theory, and it has been clear for some time that there was a tight connection with path objects in abstract homotopy theory. A lot of proposals have been made, but there are very few semantics that fit the necessary requirements of having dependent products and also an identity type which is fully stable under substitution. The most famous model of the sort is the one proposed by Voevodsky, in his Univalent Foundations project, which uses for base category the category of simplicial sets and models dependent types by the means of Kan Fibrations. In François Lamarche proposes another such model, where the base category is the category of small categories, and dependent types are modelled with Grothendieck bifibrations (maps between categories that are Grothendieck fibrations as well as their duals between the opposite categories). The full requirements of modelling Martin-Löf type theory are met. Calculations show that the model shows some amount of degeneracy “in dimensions above 2” for the associativity of equality (which should not be strict in any dimension), which is a great improvement over the models on strict groupoids and strict
Title: ProofCert: Broad Spectrum Proof Certificates
Type: IDEAS
Instrument: ERC Advanced Grant (Advanced)
Duration: January 2012 - December 2016
Coordinator: Inria (France)
Abstract: The ProofCert proposal aims at building a foundation that will allow a broad spectrum of formal methods—ranging from automatic model checkers to interactive theorem provers—to work together to establish formal properties of computer systems. This project starts with a wonderful gift to us from decades of work by logicians and proof theorist: their efforts on logic and proof has given us a universally accepted means of communicating proofs between people and computer systems. Logic can be used to state desirable security and correctness properties of software and hardware systems and proofs are uncontroversial evidence that statements are, in fact, true. The current state-of-the-art of formal methods used in academics and industry shows, however, that the notion of logic and proof is severely fractured: there is little or no communication between any two such systems. Thus any efforts on computer system correctness is needlessly repeated many times in the many different systems: sometimes this work is even redone when a given prover is upgraded. In ProofCert, we will build on the bedrock of decades of research into logic and proof theory the notion of proof certificates. Such certificates will allow for a complete reshaping of the way that formal methods are employed.
Title: Structural and computational proof theory
Duration: 01/01/2011 – 31/12/2013
Partners:
University Paris VII, PPS (PI: Michel Parigot)
Inria Saclay–IdF, EPI Parsifal (PI: Lutz Straßburger)
University of Innsbruck, Computational Logic Group (PI: Georg Moser)
Vienna University of Technology, Theory and Logic Group (PI: Matthias Baaz)
Total funding by the ANR: 242 390,00 EUR (including 12 000 EUR pôle de compétivité: SYSTEMTIC Paris région)
This project is a consortium of four partners, two French and two Austrian, who are all internationally recognized for their work on structural proof theory, but each coming from a different tradition. One of the objective of the project is build a bridge between these traditions and develop new proof-theoretic tools and techniques of structural proof theory having a strong potential of applications in computer science, in particular at the level of the models of computation and the extraction of programs and effective bounds from proofs.
On one side, there is the tradition coming from mathematics, which is mainly concerned with first-order logic, and studies, e.g., Herbrand's theorem, Hilbert's epsilon-calculus, and Goedel's Dialectica interpretation. On the other side, there is the tradition coming from computer science, which is mainly concerned with propositional systems, and studies, e.g., Curry-Howard isomorphism, algebraic semantics, linear logic, proof nets, and deep inference. A common ground of both traditions is the paramount role played by analytic proofs and the notion of cut elimination. We will study the inter-connections of these different traditions, in particular we focus on different aspects and developments in deep inference, the Curry-Howard correspondence, term-rewriting, and Hilbert's epsilon calculus. As a byproduct this project will yield a mutual exchange between the two communities starting from this common ground, and investigate, for example, the relationship between Herbrand expansions and the computational interpretations of proofs, or the impact of the epsilon calculus on proof complexity.
Besides the old, but not fully exploited, tools of proof theory, like the epsilon-calculus or Dialectica interpretation, the main tool for our research will be deep inference. Deep inference means that inference rules are allowed to modify formulas deep inside an arbitrary context. This change in the application of inference rules has drastic effects on the most basic proof theoretical properties of the systems, like cut elimination. Thus, much of the early research on deep inference went into reestablishing these fundamental results of logical systems. Now, deep inference is a mature paradigm, and enough theoretical tools are available to think to applications. Deep inference provides new properties, not available in shallow deduction systems, namely full symmetry and atomicity, which open new possibilities at the computing level that we intend to investigate in this project. We intend to investigate the precise relation between deep inference and term rewriting, and hope to develop a general theory of analytic calculi in deep inference. In this way, this project is a natural continuation of the ANR project INFER which ended in May 2010.
Title: From Proofs to Counterexamples for Programming
Duration: 01/01/2012 – 31/12/2013
German Partner: University of Bonn, Institute for Computer Science (Department III)
Finding counterexamples is an endeavor which is as important as proving theorems. But while the latter has seen a huge amount of research effort—we have nowadays a large quantity of tools for automated and interactive theorem proving—the former has mainly been neglegted by proof theorists. One of the reasons is that finding counterexamples or countermodels has been considered a model theoretical activity, rather than a proof theoretical one. Only recently, researchers have begun to explore the well-known duality between "proof search" and "search for countermodels" in a purely proof theoretical way. The main objective of this collaboration is to develop the necessary proof theory for automatically generating such counterexamples in a more general setting.
Title: Extending the Realm of the Curry-Howard-Correspondence
Duration: 01/01/2011 – 31/12/2012
Swiss Partner: University of Bern, Institut für Informatik und angewandte Mathematik (IAM)
The Curry-Howard correspondence between proofs and programs is probably the most interesting and surprising connection between mathematics and computer science. It was discovered in the 1960s, but its main development started in the 1980s. The basis of the correspondence is a correspondence between intuitionistic proofs and typed functional programs (written as terms of lambda-calculus).
Our goal is to develop such a correspondence for new formalisms, like hypersequents, nested sequents and deep inference, in order to better understand their proofs and, we hope, either to discover new programming constructs or to give a new logical interpretation to existing ones.
Title: Applying Recent Advances in Proof Theory for Specification and Reasoning
Inria principal investigator: Kaustuv Chaudhuri
International Partner:
Institution: McGill University (Canada)
Laboratory: School of Computer Science
Researcher: Prof. Brigitte Pientka
International Partner:
Institution: Carnegie Mellon University (United States)
Laboratory: Department of Computer Science
Researcher: Prof. Frank Pfenning
International Partner:
Institution: University of Minnesota (United States)
Laboratory: Department of Computer Science and Engineering
Researcher: Prof. Gopalan Nadathur
Duration: 2011 - 2013
Many aspects of computation systems, ranging from operational semantics, interaction, and various forms of static analysis, are commonly specified using inference rules, which themselves are formalized as theories in a logical framework. While such a use of logic can yield sophisticated, compact, and elegant specifications, formal reasoning about these logic specifications presents a number of difficulties. The RAPT project will address the problem of reasoning about logic specifications by bringing together three different research teams, combining their backgrounds in type theory, proof theory, and the building of computational logic systems. We plan to develop new methods for specifying computation that allow for a range of specification logics (eg, intuitionistic, linear, ordered) as well as new means to reason inductively and co-inductively with such specifications. New implementations of reasoning systems are planned that use interactive techniques for deep meta-theoretic reasoning and fully automated procedures for a range of useful theorems.
Title: Interactive Resource Analysis
webpage: http://
Inria principal investigator: Dale Miller
Inria Partner:
Institution: Inria
Team: FOCUS
Researcher: Ugo Dal Lago
Inria Partner:
Institution: Inria
Team: pi.r2
Researcher: Pierre-Louis Curien
Duration: 2011 - 2013
This project aims at putting together ideas from Implicit Computational Complexity and Interactive Theorem Proving, in order to develop new methodologies for handling quantitative properties related to program resource consumption, like execution time and space. The task of verifying and certifying quantitative properties is undecidable as soon as the considered programming language gets close to a general purpose language. So, full-automatic techniques in general cannot help in classifying programs in a precise way with respect to the amount of resources used and moreover in several cases the programmer will not gain any relevant information on his programs. In particular, this is the case for all the techniques based on the study of structural constraints on the shape of programs, like many of those actually proposed in the field of implicit computational complexity. To overcome these limitations, we aim at combining the ideas developed in the linear logic approach to implicit computational complexity with the ones of interactive theorem proving, getting rid of the intrinsic limitations of the automatic techniques. In the obtained framework, undecidability will be handled through the system's user, who is asked not only to write the code, but also to drive the semi-automatic system in finding a proof for the quantitative properties of interest. In order to reduce the user effort and allow him to focus only on the critical points of the analysis, our framework will integrate implicit computational complexity techniques as automatic decision procedures for particular scenarios. Moreover, in order to be widely applicable, the modularity of the framework will permit to deal with programs written in different languages and to consider different computational resources. The kind of study proposed by this project has been almost neglected so far. Here, we aim at providing such a framework for both theoretic investigations and for testing in practice the effectiveness of the approach.
Brigitte Pientka, Associate Professor, McGill University
February 21 – 24
Gopalan Nadathur, Professor, University of Minnesota
July 10 – 12
Elaine Pimentel, Associate Professor, Universidade Federal de Minas Gerais
June 6 – July 17
Chuck Liang, Professor, Hofstra University
March 6 – May 6 and December 17 – 24
Yuting WANG (May – August)
Subject: Development of the Abella theorem prover.
Institution: University of Minnesota (United States)
Florence Clerc (March – July)
Subject: Relating double-negation translations and focused proof systems
Institution: Master Parisien de Recherche en Informatique
Zakaria Chihani (April – September)
Subject: Proof certificates for some basic proof systems in classical logic
Institution: Master Parisien de Recherche en Informatique
Stefan Hetzl has visited the Vienna University of Technology four times, for a total of 36 days, within the framework of the FWF/ANR Structural project.
Dale Miller served as Program Committee Chair for the following three meetings: CPP 2012: Second International Conference on Certified Programs and Proofs, 13-15 December, Kyoto, Japan; IJCAR 2012: International Joint Conference on Automated Reasoning, Manchester, UK, June; FICS 2012: Fixed Points in Computer Science (a satellite workshop of ETAPS 2012), Tallinn, Estonia, 24 March.
Dale Miller served on the Program Committees of the following three meetings: LFMTP’12: Workshop on Logical Frameworks and Meta-Languages: Theory and Practice, 9 September, Copenhagen, Denmark; LAM 2012: Fifth International Workshop on Logics, Agents, and Mobility, June, Hamburg, Germany; LPAR-18: The 18th International Conference on Logic for Programming, Artificial Intelligence and Reasoning. Merida, Venezuela, 11-15 March.
Dale Miller organized the Special Session on Structural Proof Theory and Computing at the 2012 Annual Meeting of the Association of Symbolic Logic (ASL), Madison, Wisconsin, 31 March - 3 April.
Kaustuv Chaudhuri and Stefan Hetzl organized the Collegium Logicum 2012 workshop at Inria Saclay during 15–16 November
Kaustuv Chaudhuri and Brigitte Pientka organized the RAPT/PROMIS workshop in Montreal, Canada, during 14–18 October
Dale Miller gave an invited talk at the Journees nationales du GDR-IM, 25-26 January 2012, University of Paris 7.
Dale Miller gave an invited talk at the ANR-DFG Hypothese Workshop titled Different Aspects of Proof Theory, ENS Paris, 3 May 2012.
Dale Miller gave research talks at the following venues: Summer Workshop on Proof Theory, Pisa, Italy, 12-15 June; CHocCoLa seminar, ENS Lyon, 15 March; Workshop on Certificates and Computation, ITU Copenhagen, 12 March; Department of Mathematics, Carnegie Mellon University, 5 April.
Licence : Stéphane Graham-Lengrand teaches 50 hours (eq. TD) in L3 at Ecole Polytechnique in the course “INF431: Algorithmique et programmation”.
Master : Dale Miller taught 12 hours at MPRI (Master Parisien de Recherche en Informatique) in the Course 2-1: Logique linéaire et paradigmes logiques du calcul.
Master : Stéphane Graham-Lengrand teaches 36 hours (eq. TD) in M1 at Ecole Polytechnique in the course “INF551: Computer-aided reasoning”, and 15 hours (eq. TD) in M2 at Master Parisien de Recherche en Informatique (MPRI) on “Curry-howard correspondence for classical logic”.
PhD in progress :
Zakaria Chihani, since October 2012, supervisor: Dale Miller
Mahfuza Farooque, since October 2010, co-supervisor: Stéphane Graham-Lengrand
Ivan Gazeau, since October 2009, co-supervisor: Dale Miller
Nicolas Guenot, since October 2008, supervisor: Lutz Straßburger
Hernán-Pablo Vanzetto, since October 2010, co-supervisor: Kaustuv Chaudhuri
Dale Miller served as a reporter for the habilitation of Stefan Hetzl (Fall 2012) and was the president of the jury for the habilitation of Frédéric Blanqui, 13 July 2012.
Dale Miller served as a member of the PhD jury for Robert Simmons, Carnegie Mellon University, 22 October 2012. He was also “rapporteur” for the PhD of Nicolas Pouillard, University of Paris 7, 13 January 2012.