|Subject:||Re: [Axiom-developer] Proving Axiom Correct|
|Date:||Fri, 6 Apr 2018 16:50:41 -0400|
me the cracks. One example is the coercion code, a lot of which is ad hoc,>My reason for not so much trusting theorem-proving isn't because I don't>understand much of it (although that is a fact), but because of its formalism>which you obviously love.Actually, I find the formalism to be painful and very non-intuitive.Experience has shown me that it takes about 18 months to climb thatcurve.But consider that there are two VERY large areas of computationalmathematics that have grown up side-by-side for the last half-century.CAS and Proof exist as essentially separate bodies of computationalmathematics.My research effort is fundamentally about joining these two areas.Proof systems can't use CAS results because they have no basis for trust.They take stabs at algorithmic proofs but have no good structure tocombine them (which Axiom provides).CAS systems don't do proofs, and in fact are nearly impossible to useas a basis (MMA uses rewrite, Maple and others use ad hoc tree-likestructures, etc.) Axiom provides a good basis for proofs.Axiom is ideally structured to be a bridge.Since I'm coming from the CAS world my view of bridge-buildinginvolves applying Proof technology to Axiom. If I were coming fromthe Proof world I'd be trying to structure a proof system along thelines of Axiom so I could organize the proven algorithms. These aretwo ends of the same bridge.>You consder Axiom code (and by implication, mathematics on which it is>based) as "hand-waving", which in my opinion, does not necessarily mean>non-rigorous.I don't consider the mathematics to be "hand-waving". But I do considerthe code to be hand-waving. After 47 years of programming I'm well awarethat "it works for my test cases" is a very poor measure of correctness.There is a half-century of research that exists, is automated, and attacksthat question in a mathematically sound way.Axiom code is rather opaque. It is, in general, excellent code. Barry andJames created an excellent structure for its time. But time has also shownimplemented as special cases in the interpreter. There are reasonabletheories about that which ought to be implemented.I'm not trying to do anything new or innovative. I'm just trying to combinewhat everyone does (on the proof side) with what everyone does (on theCAS side). The end result should be of benefit to all of computationalmathematics.Tim
On Fri, Apr 6, 2018 at 1:48 PM, William Sit <address@hidden> wrote:
I never said, nor implied you are wasting your time.
If there is any difference (and similarity) between our views, it is about trust. You do not trust Axiom code but you trust theorem-proving while I prefer to trust Axiom code and not so much on theorem-proving. Both research areas are mathematically based. Clearly, no one can in a life time understand all the mathematics behind these theories, and honestly, the theories in theorem-proving (including rewriting systems, type-theory, lambda calculus, Coq, etc.) are branches of mathematics much like group theory, model theory, number theory, geometries, etc.).
My reason for not so much trusting theorem-proving isn't because I don't understand much of it (although that is a fact), but because of its formalism, which you obviously love. You consider most Axiom code (and by implication, mathematics on which it is based) as "hand-waving", which in my opinion, does not necessarily mean non-rigorous. Mathematicians frequently use "hand-waving" for results or methods or processes that are well-known (to experts, perhaps) so as not to make the argument too long and distract from the main one. So they use "it is easy to see", or "by induction", or "play the same game", etc.
Believe it or not, theorem-proving use the same language and "hand-waving". Even Coq does the same if you look at its "proofs". See Proof for Lemmas 22 and 23, for example: "Both proofs go over easily by induction over the structure of the derivation." http://www.lix.po
There is one exception: Whitehead and Russell's Principia Mathematica. Check this out (Wikipedia):
"Famously, several hundred pages of PM precede the proof of the validity of the proposition 1+1=2."
Now that is another form of "proving to the bare metal". Should we say, if we don't trust 1+1=2, then all is lost? No, ..., but ... (see Wiki):
"PM was an attempt to describe a set of axioms and inference rules in symbolic logic from which all mathematical truths could in principle be proven. As such, this ambitious project is of great importance in the history of mathematics and philosophy, being one of the foremost products of the belief that such an undertaking may be achievable. However, in 1931, Gödel's incompleteness theorem proved definitively that PM, and in fact any other attempt, could never achieve this lofty goal; that is, for any set of axioms and inference rules proposed to encapsulate mathematics, either the system must be inconsistent, or there must in fact be some truths of mathematics which could not be deduced from them."
"The Principia covered only set theory, cardinal numbers, ordinal numbers, and real numbers. Deeper theorems from real analysis were not included, but by the end of the third volume it was clear to experts that a large amount of known mathematics could in principle be developed in the adopted formalism. It was also clear how lengthy such a development would be.
A fourth volume on the foundations of geometry had been planned, but the authors admitted to intellectual exhaustion upon completion of the third."
Perhaps someday, a more powerful computer system than Coq can reproduce PM (and prove its correctness, much like Coq proves the Four Color Theorem) and continue further.
Nonetheless, even computers have their limits.
That is why I suggest "good enough" is good enough. It is also why I admire your tenacity to follow your goal. Despite Gödel's incompleteness theorem, we need to prove correctness (of Axiom) as deep and wide as we can, and there are many ways to do that.
From: Tim Daly <address@hidden>
Sent: Friday, April 6, 2018 6:34 AM
To: William Sit
Cc: axiom-dev; Tim Daly
Subject: Re: [Axiom-developer] Proving Axiom CorrectTiman important thing on which to waste them.But I've only got a few years left to waste and this seems to me to betrying to make Axiom better and less error-prone.Axiom is about computational mathematics there is a natural goal ofto applying mathematics (ala Floyd/Hoare/Dijkstra). Given thatbetter and less error-prone ways of programming. That has led meI've spent a lot of time and study in the subject of understandingOne lesson I have learned over all my years is that you'd can't everchange people's minds by argument or discussion.
Proving Axiom correct is a very challenging and not very popular idea.
Writing Spad code is hard. Proving the code correct is beyond the
skill of most programmers. Sadly, even writing words to explain how
the code works seems beyond the skill of most programmers.
My point of view is that writing Spad code that way is "pre-proof,
19th century 'hand-waving' mathematics". We can do better.
You obviously believe this is a waste of time. You are probably right.
On Fri, Apr 6, 2018 at 1:23 AM, William Sit <address@hidden> wrote:
Thanks again for taking the time to explain your efforts and to further my understanding on the issue of proving "down to the metal". By following all the leads you gave, I had a quick course.
Unfortunately, despite the tremendous efforts in the computing industry to assure us of correctness ("proven" by formalism), at least from what you wrote (which I understand was not meant to be comprehensive), not only are those efforts piecewise, they also concentrate on quite limited aspects.
My comments are in regular font; italicized paragraphs are quoted passages, isolated italics and highlights are mine. Itemized headings are from your email.
1. BLAS/LAPACK: they use a lot of coding tricks to avoid overflow/underflow/significanc
Coding tricks are adverse to proofs by formal logics, or at least such code makes it practically impossible to assure correctness. Most of the time, these tricks are patches to deal with post-implementation revealed bugs (whose discoveries are more from real-life usage than from program proving).
2. Field Programmable Gate Array (FPGA)
These are great at the gate level and of course, theoretically, they are the basic blocks in building Turing machines (practically, finite state machines or FSMs). Mealy/Moore state machines are just two ways to look at FSMs; I readAs an example, before proving that a compiler is correct implemented, one needs to specify the language and the compiling algorithm (which of course, can be and have been done, like YACC). Despite all the verification and our trust in the proof algorithms and implementations, there remains a small probability that something may still be amiss in the specifications, like an unanticipated but grammatically correct input is diagnosed as an error. We have all seen compiler error messages that do not pinpoint where the error originated.
3. ProvenVisor on ARMs. http://www.provenrun.com
I read that, and my understanding is that these proven microkernels are concerned with security (both from external and from internal threats) in multicore architectures (which are prevalent in all CPU designs nowadays) and multi- and coexisting OSes. Even under such a general yet limited aspect of "proven correctness" (by formalism no less), there is no guarantee (paragraph under: Formally Proven Security):
In order to achieve the highest level of security, ProvenVisor uses a microkernel architecture implemented using formally proven code to get as close as possible to zero-defects, to guarantee the expected security properties and to ease the path to any required certifications. This architecture and the formal proofs insure the sustainability of the maintenance process of systems based on ProvenVisor. ...
This may be legalese, but from the highlighted phrases clearly show that the goal is not "proven and complete specifications" on security. Even the formally proven code does not guarantee zero-defects on expected violations. It is only a "best effort" (which still is commendable). The scope is also limited:
Prove & Run’s formal software development toolchain. This means that it is mathematically proven that virtual machines (VMs) hosted by ProvenVisor will always retain their integrity (no other VM can tamper with their internal data) and confidentiality (no other VM can read their internal data). A misbehaving or malicious OS has no way to modify another OS or to spy on another OS.
A malicious program need not run in a hosted OS or VM if it gains access to the microkernel, say with an external hardware (and external software) that can modify it. After all, there has to be such equipment to test whether the microkernel is working or not and to apply patches if need be.
And a major "professional service" offered is:
Revamping existing architectures for security with ad-hoc solutions: Secure Boot, secure Over-the-Air firmware update, firewalling, intrusion detection/protection solutions, authentication, secure storage, etc…
Does "ad-hoc solutions" mean patches?
4. The issue of Trust: If you can't trust the hardware gates to compute a valid AND/OR/NOT then all is lost.
Actually, I not only trust, but also believe in the correctness, or proof thereof, of gate-level logic or a microkernel, but that is a far far cry from, say, my trust in the correctness of an implementation of the Risch algorithm or Kovacic's algorithm. The complexity of coding high level symbolic algebraic methods, when traced down to the metal, as you say, is beyond current proof technology (nor is there sufficient interest in the hardware industry to provide that level of research). Note that the industry is still satisfied with "ad-hoc solutions" (and that might mean patches, and we all know how error-prone those are---so much so that people learn and re-invent the wheel over and over again for a better wheel).
Can prove-technology catch up, ever?
I know I can't catch up. Still ignorant and biased.
From: Tim Daly <address@hidden>
Sent: Thursday, April 5, 2018 2:59 AM
To: William Sit
Cc: axiom-dev; Tim Daly
Subject: Re: [Axiom-developer] Proving Axiom CorrectMy Altera Cyclone has 2 ARM processors built into the chip. ProvenVisorGustafson arithmetic at the hardware level.machines and I can't buy one (nor can I afford it). But this would allowUnfortunately the new chip is only available to data centers in serverthe CPU and FPGAIntel bought Altera. They have recently released a new chip that combinesIt turns out that shortly after I bought the FPGA from Altera (2 years ago)This allows Gustafson's arithmetic to be a real hardware processor.the state machines can be modelled as Turing machines.using Mealy/Moore state machines. Since this is a clocked logic designhttp://daly.axiom-developre.orhttp://daly.axiom-developer.orhttp://daly.axiom-developer.orhttp://daly.axiom-developer.orin order to implement the hardware instructions. This is my setup at home:So I bought an Altera Cyclone Field Programmable Gate Array (FPGA)no current processor implements his instructions.point format promises to eliminate these kinds of errors. UnfortunatelyWilliam,I understand the issue of proving "down to the metal".
Axiom's Volume 10.5 has my implementation of the BLAS / LAPACK
libraries in Common Lisp. Those libraries have a lot of coding tricks
to avoid overflow/underflow/significanc
Two years ago I got Gustafson's "End of Error" book. His new floating
This is not yet published work.
The game is to implement the instructions at the hardware gate level
has a verified hypervisor running on the ARM core
So I've looked at the issue all the way down to the gate-level hardware
which is boolean logic and Turing machine level proofs.
It all eventually comes down to trust but I'm not sure what else I can do
to ensure that the proofs are trustworthy. If you can't trust the hardware
gates to compute a valid AND/OR/NOT then all is lost.
On Wed, Apr 4, 2018 at 6:03 PM, William Sit <address@hidden> wrote:
|[Prev in Thread]||Current Thread||[Next in Thread]|