picoq: Parallel Regression Proving for Large-Scale Verification Projects
Size: px
Start display at page:

Download "picoq: Parallel Regression Proving for Large-Scale Verification Projects"

Transcription

1 picoq: Parallel Regression Proving for Large-Scale Verification Projects Karl Palmskog, Ahmet Celik, and Milos Gligoric The University of Texas at Austin, USA 1 / 29

2 Introduction Verification Using Proof Assistants 1 encode definitions in (higher-order) formalism 2 prove propositions interactively using powerful tactics 3 check soundness of every low-level step proof assistant tactics proof user logic engine proof checker subgoals examples: Coq, HOL4, HOL Light, Isabelle/HOL, Lean, Nuprl,... 2 / 29

3 Introduction Some Large-Scale Proof Assistant Projects Project Year Assistant Check Time LOC 4-Color Theorem 2005 Coq hours 60k Odd Order Theorem 2012 Coq hours 150k Kepler Conjecture 2015 HOL Light days 500k CompCert C compiler 2009 Coq tens of mins 40k Cogent (BilbyFS) 2016 Isabelle/HOL hours 14k Verdi (Raft consensus) 2016 Coq tens of mins 50k problem: long proof checking times 3 / 29

4 Introduction Proof Engineering Techniques For Effective Proving Proof selection: check only proofs affected by changes file/module selection proof selection Examples: Make, Isabelle [ITP 14], icoq [ASE 17] 4 / 29

5 Introduction Proof Engineering Techniques For Effective Proving Proof selection: check only proofs affected by changes file/module selection proof selection Examples: Make, Isabelle [ITP 14], icoq [ASE 17] Proof parallelization: leverage multi-core hardware parallel checking of proofs parallel checking of files Examples: Make, Isabelle [ITP 13], Coq [ITP 15] 4 / 29

6 Introduction Our Contributions taxonomy of regression proving techniques that leverage both selection and parallelism implementation of techniques in tool, picoq, that supports Coq projects (useful for CI, e.g., Travis on GitHub) evaluation using picoq on six open source projects (23 kloc over 22 revisions per project, on average) 5 / 29

7 Background The Coq Proof Assistant (1985-present) based on constructive dependent type theory Gallina programming/specification language Ltac proof tactic language small trusted core checker for programs & proofs 6 / 29

8 Background Coq Source File Example Require Import List. Require Import ListUtil. Import ListNotations. Fixpoint dedup A A_eq_dec (xs : list A) : list A := match xs with [] [] x :: xs if in_dec A_eq_dec x xs then dedup A A_eq_dec xs else x :: dedup A A_eq_dec xs end. Lemma remove_dedup : forall A A_eq_dec (x : A) xs, remove A_eq_dec x (dedup A A_eq_dec xs) = dedup A A_eq_dec (remove A_eq_dec x xs). Proof. induction xs; intros; auto; simpl. repeat (try case in_dec; try case A_eq_dec; simpl; intuition); auto using f_equal. - exfalso. apply n0. apply remove_preserve; auto. - exfalso. apply n. apply in_remove in i; intuition. Qed. Dedup.v 7 / 29

9 Background Coq Source File Example Require Import List. Require Import ListUtil. Import ListNotations. Require statements expressing file dependencies. Fixpoint dedup A A_eq_dec (xs : list A) : list A := match xs with [] [] x :: xs if in_dec A_eq_dec x xs then dedup A A_eq_dec xs else x :: dedup A A_eq_dec xs end. Lemma remove_dedup : forall A A_eq_dec (x : A) xs, remove A_eq_dec x (dedup A A_eq_dec xs) = dedup A A_eq_dec (remove A_eq_dec x xs). Proof. induction xs; intros; auto; simpl. repeat (try case in_dec; try case A_eq_dec; simpl; intuition); auto using f_equal. - exfalso. apply n0. apply remove_preserve; auto. - exfalso. apply n. apply in_remove in i; intuition. Qed. Dedup.v 7 / 29

10 Background Coq Source File Example Require Import List. Require Import ListUtil. Import ListNotations. Fixpoint dedup A A_eq_dec (xs : list A) : list A := match xs with [] [] x :: xs if in_dec A_eq_dec x xs then dedup A A_eq_dec xs else x :: dedup A A_eq_dec xs end. Definition of a recursive function to remove duplicate list elements in Gallina. Lemma remove_dedup : forall A A_eq_dec (x : A) xs, remove A_eq_dec x (dedup A A_eq_dec xs) = dedup A A_eq_dec (remove A_eq_dec x xs). Proof. induction xs; intros; auto; simpl. repeat (try case in_dec; try case A_eq_dec; simpl; intuition); auto using f_equal. - exfalso. apply n0. apply remove_preserve; auto. - exfalso. apply n. apply in_remove in i; intuition. Qed. Dedup.v 7 / 29

11 Background Coq Source File Example Require Import List. Require Import ListUtil. Import ListNotations. Fixpoint dedup A A_eq_dec (xs : list A) : list A := match xs with [] [] x :: xs if in_dec A_eq_dec x xs then dedup A A_eq_dec xs else x :: dedup A A_eq_dec xs end. Lemma remove_dedup : forall A A_eq_dec (x : A) xs, remove A_eq_dec x (dedup A A_eq_dec xs) = dedup A A_eq_dec (remove A_eq_dec x xs). Proof. induction xs; intros; auto; simpl. repeat (try case in_dec; try case A_eq_dec; simpl; intuition); auto using f_equal. - exfalso. apply n0. apply remove_preserve; auto. - exfalso. apply n. apply in_remove in i; intuition. Qed. Dedup.v Statement (type) of a lemma in Gallina. 7 / 29

12 Background Coq Source File Example Require Import List. Require Import ListUtil. Import ListNotations. Fixpoint dedup A A_eq_dec (xs : list A) : list A := match xs with [] [] x :: xs if in_dec A_eq_dec x xs then dedup A A_eq_dec xs else x :: dedup A A_eq_dec xs end. Lemma remove_dedup : forall A A_eq_dec (x : A) xs, remove A_eq_dec x (dedup A A_eq_dec xs) = dedup A A_eq_dec (remove A_eq_dec x xs). Proof. induction xs; intros; auto; simpl. repeat (try case in_dec; try case A_eq_dec; simpl; intuition); auto using f_equal. - exfalso. apply n0. apply remove_preserve; auto. - exfalso. apply n. apply in_remove in i; intuition. Qed. Dedup.v Proof script in Ltac potentially time-consuming to process. 7 / 29

13 Background Coq Proof-Checking Toolchain Legacy Top-Down Proof Checking (1990s) coqc: compilation of source.v files to binary.vo files.vo files contain functions and all proofs file-level parallelism via Make 8 / 29

14 Background Coq Proof-Checking Toolchain Legacy Top-Down Proof Checking (1990s) coqc: compilation of source.v files to binary.vo files.vo files contain functions and all proofs file-level parallelism via Make Quick Compilation and Asynchronous Checking (2015) coqc -quick: compilation of.v files to binary.vio files.vio files contain functions and proof tasks proof tasks checkable asynchronously in parallel 8 / 29

15 Regression Proving Modes for Coq (Taxonomy) Parallelization Selection Granularity None Files Proofs File level f none f file N/A Proof level p none p file p icoq 9 / 29

16 f none Mode: File-Level Parallelization, No Selection Parallelization Selection Granularity None Files Proofs File level f none f file N/A Proof level p none p file p icoq legacy mode used in most GitHub Coq projects no overhead from proof task management or dep. tracking parallelism restricted by file dependency graph overhead from writing proofs to disk 10 / 29

17 f none Mode in Practice ListUtil.v Dedup.v RemoveAll.v 11 / 29

18 f none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 11 / 29

19 f none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vo remove preserve, in remove 11 / 29

20 f none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vo remove preserve, in remove 2 Dedup.vo dedup, remove dedup 2 RemoveAll.vo remove all, remove all in, remove all preserve 11 / 29

21 p none Mode: Proof-Level Parallelization, No Selection Parallelization Selection Granularity None Files Proofs File level f none f file N/A Proof level p none p file p icoq legacy mode used in some GitHub Coq projects overhead from proof task management parallelism (largely) unrestricted by file dependency graph no overhead from writing proofs to disk and dep. tracking 12 / 29

22 p none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 13 / 29

23 p none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 13 / 29

24 p none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 2 Dedup.vio dedup, remove dedup 2 RemoveAll.vio remove all, remove all in, remove all preserve 13 / 29

25 p none Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 2 Dedup.vio dedup, remove dedup 2 RemoveAll.vio remove all, remove all in, remove all preserve 3 checking remove preserve 3 checking in remove 3 checking remove dedup 3 checking remove all in 3 checking remove all preserve 13 / 29

26 f file Mode: File-Level Parallelization, File Selection Parallelization Selection Granularity None Files Proofs File level f none f file N/A Proof level p none p file p icoq novel mode that persists file checksums overhead from file dependency tracking parallelism restricted by file dependency graph overhead from writing proofs to disk 14 / 29

27 f file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 15 / 29

28 f file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 15 / 29

29 f file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vo remove preserve, in remove 15 / 29

30 f file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vo remove preserve, in remove 2 Dedup.vo dedup, remove dedup 15 / 29

31 p file Mode: Proof-Level Parallelism, File Selection Parallelization Selection Granularity None Files Proofs File level f none f file N/A Proof level p none p file p icoq novel mode that persists file checksums overhead from file dependency tracking parallelism (mostly) unrestricted by file dependency graph no overhead from writing proofs to disk 16 / 29

32 p file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 17 / 29

33 p file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 17 / 29

34 p file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 17 / 29

35 p file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 2 RemoveAll.vio remove all, remove all in, remove all preserve 17 / 29

36 p file Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 2 RemoveAll.vio remove all, remove all in, remove all preserve 3 checking remove all in 3 checking remove all preserve 17 / 29

37 p icoq Mode: Proof-Level Parallelism, Proof Selection Parallelization Selection Granularity None Files Proofs File level f none f file N/A Proof level p none p file p icoq novel mode that persists file & proof checksums overhead from file & proof dependency tracking parallelism (mostly) unrestricted by file dependency graph no overhead from writing proofs to disk 18 / 29

38 p icoq Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 19 / 29

39 p icoq Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 19 / 29

40 p icoq Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v 19 / 29

41 p icoq Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 19 / 29

42 p icoq Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 2 Dedup.vio dedup, remove dedup 2 RemoveAll.vio remove all, remove all in, remove all preserve 19 / 29

43 p icoq Mode in Practice ListUtil.v remove preserve in remove dedup remove dedup Dedup.v remove all preserve remove all remove all in RemoveAll.v Phase Task Definitions and Lemmas 1 ListUtil.vio remove preserve, in remove 2 Dedup.vio dedup, remove dedup 2 RemoveAll.vio remove all, remove all in, remove all preserve 3 checking in remove 3 checking remove dedup 3 checking remove all in 19 / 29

44 p icoq Workflow with 4-way Parallelization file dep. graph.v files Analysis Checking Collection proof dep. graph 20 / 29

45 p icoq Workflow with 4-way Parallelization Analysis Checking Collection file dep. graph.v files proof dep. graph compilation commands.vio files affected proofs 20 / 29

46 p icoq Workflow with 4-way Parallelization Analysis Checking Collection file dep. graph.v files proof dep. graph compilation commands.vio files affected proofs proof dependencies proofchecking commands 20 / 29

47 p icoq Workflow with 4-way Parallelization Analysis Checking Collection file dep. graph compilation commands proof dependencies new dep. graphs.v files.vio files proof dep. graph affected proofs proofchecking commands storage 20 / 29

48 picoq Tool Implementation extension of icoq toolchain (Java, OCaml, bash) Java task executor for parallel compilation of.vo/.vio files extension of coqc for parallel checking of (and dependency extraction from) specific proofs across files $ coqc -schedule -vio -task - depends - checking 4 \ file1. vio 1,15,16 \ file2. vio 3,10,11,13,20 21 / 29

49 picoq Tool Implementation extension of icoq toolchain (Java, OCaml, bash) Java task executor for parallel compilation of.vo/.vio files extension of coqc for parallel checking of (and dependency extraction from) specific proofs across files $ coqc -schedule -vio -task - depends - checking 4 \ file1. vio 1,15,16 \ file2. vio 3,10,11,13,20 21 / 29

50 picoq Tool Implementation extension of icoq toolchain (Java, OCaml, bash) Java task executor for parallel compilation of.vo/.vio files extension of coqc for parallel checking of (and dependency extraction from) specific proofs across files $ coqc -schedule -vio -task - depends - checking 4 \ file1. vio 1,15,16 \ file2. vio 3,10,11,13,20 21 / 29

51 Evaluation Evaluation: Open Source Git-Based Projects Project LOC Domain Coquelicot real number analysis Finmap 5661 finite sets and maps Flocq floating-point arithmetic Fomegac 2637 formal system metatheory Surface Effects 9621 functional programming languages Verdi distributed systems Avg / 29

52 Evaluation Evaluation: Open Source Git-Based Projects Project LOC #Revs. #Files #Proof Tasks Coquelicot Finmap Flocq Fomegac Surface Effects Verdi Avg / 29

53 Evaluation Evaluation Details Experiment machine: Intel Core i GHz 4 CPU cores 16 GB memory Ubuntu Linux Coq 8.5 Evaluation Setup every build starts from scratch (version control) up to 4 parallel jobs/processes dependency metadata persisted between revisions 24 / 29

54 Evaluation Results with 4-way Parallelization: Coquelicot f none p none f file p file p icoq 40 Time [s] 20 0 befc2aa c83 af196a6f 96153bf b49 7c74911f cc869c0d a94e2add ac f7b7c3f 51ccec65 a21157ac 67c0544f 99d324c8 02aa4835 ef18b8b a43e920b f25236ff e49f02aa fc2b7663 a22616bb a035d3bd 680ca587 Revision 25 / 29

55 Evaluation Results with 4-way Parallelization: Fomegac f none p none f file p file p icoq 30 Time [s] af6b37e ac790c93 a9bcb72a 78a261b b65 ca71b96c 4c1f4b3b 99f338f0 Revision 62d1a9d5 5f156d72 4b9edb51 b d7d688 7a654d7c 26 / 29

56 Evaluation Speedups over f none for 4-way Parallel Checking Speedup factor over f none f none p none f file p file p icoq Coquelicot Finmap Flocq Fomegac Surface Effects Verdi How much faster modes are than the default mode, for each project 27 / 29

57 Evaluation Speedups from Sequential to 4-way Parallel Checking Speedup factor over sequential f none p none f file p file p icoq 0 Coquelicot Finmap Flocq Fomegac Surface Effects Verdi Effect of parallelism on each mode and project 28 / 29

58 Conclusion Conclusion taxonomy of regression proving modes implementation of modes for Coq in tool picoq eval shows speedups for parallelism/selection (up to 28.6 ) Contact us: Karl Palmskog, palmskog@utexas.edu Ahmet Celik, ahmetcelik@utexas.edu Milos Gligoric, gligoric@utexas.edu Resources: Website: GitHub: This work was partially supported by the US National Science Foundation under Grants Nos. CCF and CCF / 29

59 f none vs. p none for 4-way Parallel Checking Coquelicot Finmap Flocq Fomegac Surface Effects Verdi 30 / 29

60 f none vs. f file for 4-way Parallel Checking Coquelicot Finmap Flocq Fomegac Surface Effects Verdi 31 / 29

61 p none vs. p file for 4-way Parallel Checking Coquelicot Finmap Flocq Fomegac Surface Effects Verdi 32 / 29

62 p file vs. p icoq for 4-way Parallel Checking Coquelicot Finmap Flocq Fomegac Surface Effects Verdi 33 / 29

63 Regression Proving in Evolving Projects Typical proving scenario: 1 change definition or lemma statement 2 begin process of re-checking all proofs 3 checking fails much later (for seemingly unrelated proof) Typical testing scenario: 1 change method statements or method signature 2 begin process of re-running all tests 3 testing fails much later (for seemingly unrelated test) 34 / 29

64 Software Engineering Techniques For Effective Testing Test selection: run only tests affected by changes file/class selection method selection hybrid Examples: Ekstazi [ISSTA 15], STARTS [ASE 17], HyRTS [ICSE 18] Test parallelization: leverage multi-core hardware parallel threads parallel processes (VM forking) hybrid Examples: Gradle, Maven, JUnit 35 / 29

65 Regression Proving vs. Regression Testing proof checking is deterministic proof checking has no side effects (e.g., I/O) only file-level deps. relevant for (asynch) proof checking 36 / 29

Similar documents

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012 Static and User-Extensible Proof Checking Antonis Stampoulis Zhong Shao Yale University POPL 2012 Proof assistants are becoming popular in our community CompCert [Leroy et al.] sel4 [Klein et al.] Four-color

More information

Functional Programming in Coq. Nate Foster Spring 2018

Functional Programming in Coq. Nate Foster Spring 2018 Functional Programming in Coq Nate Foster Spring 2018 Review Previously in 3110: Functional programming Modular programming Data structures Interpreters Next unit of course: formal methods Today: Proof

More information

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube Verification in Coq Prof. Clarkson Fall 2017 Today s music: Check Yo Self by Ice Cube Review Previously in 3110: Functional programming in Coq Logic in Coq Curry-Howard correspondence (proofs are programs)

More information

Adam Chlipala University of California, Berkeley ICFP 2006

Adam Chlipala University of California, Berkeley ICFP 2006 Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1 Who Watches the Watcher? Program Verifier Might want to ensure: Memory

More information

Verdi: A Framework for Implementing and Formally Verifying Distributed Systems

Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Key-value store VST James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi Wang, Michael D. Ernst, Thomas Anderson

More information

Infinite Objects and Proofs 1

Infinite Objects and Proofs 1 Infinite Objects and Proofs 1 Pierre Castéran Beijing, August 2009 1 This lecture corresponds to the chapter 13 : Infinite Objects and Proofs of the book. In this lecture, we shall see how to represent

More information

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq Akira Tanaka National Institute of Advanced Industrial Science and Technology (AIST) 2018-11-21

More information

Specification, Verification, and Interactive Proof

Specification, Verification, and Interactive Proof Specification, Verification, and Interactive Proof SRI International May 23, 2016 PVS PVS - Prototype Verification System PVS is a verification system combining language expressiveness with automated tools.

More information

A Formally-Proved Algorithm to Compute the Correct Average of Decimal Floating-Point Numbers

A Formally-Proved Algorithm to Compute the Correct Average of Decimal Floating-Point Numbers A Formally-Proved Algorithm to Compute the Correct Average of Decimal Floating-Point Numbers Sylvie Boldo, Florian Faissole, and Vincent Tourneur 1 ARITH-25 - June 26th 1 Thanks to the IEEE for the student

More information

Induction in Coq. Nate Foster Spring 2018

Induction in Coq. Nate Foster Spring 2018 Induction in Coq Nate Foster Spring 2018 Review Previously in 3110: Functional programming in Coq Logic in Coq Curry-Howard correspondence (proofs are programs) Today: Induction in Coq REVIEW: INDUCTION

More information

Theorem Proving Principles, Techniques, Applications Recursion

Theorem Proving Principles, Techniques, Applications Recursion NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Recursion 1 CONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic,

More information

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation Blockchains: new home for proven-correct software Paris, 2017-2-17 Yoichi Hirai formal verification engineer, the Ethereum Foundation Lyon: 2014 January Have you heard of a web site where you can get Bitcoin

More information

Coq with Classes. Matthieu Sozeau. Journées PPS 2011 September 5th 2011 Trouville, France. Project Team πr 2 INRIA Paris

Coq with Classes. Matthieu Sozeau. Journées PPS 2011 September 5th 2011 Trouville, France. Project Team πr 2 INRIA Paris Coq with Classes Matthieu Sozeau Project Team πr 2 INRIA Paris Journées PPS 2011 September 5th 2011 Trouville, France This talk A quick overview of Coq Elaboration Type Classes Matthieu Sozeau - Coq with

More information

Inductive data types

Inductive data types Inductive data types Assia Mahboubi 9 juin 2010 In this class, we shall present how Coq s type system allows us to define data types using inductive declarations. Generalities Inductive declarations An

More information

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms Coq quick reference Meta variables Usage Meta variables Usage c constructor P, Q terms used as propositions db identifier for a hint database s string G, H hypotheses scope identifier for a notation scope

More information

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ := Coq quick reference Category Example Description Meta variables Usage Meta variables Usage c constructor P, Q terms used as propositions db identifier for a hint database s string G, H hypotheses scope

More information

Software verification using proof assistants

Software verification using proof assistants Software verification using proof assistants IT University of Copenhagen My background Ph.D. from University of Uppsala Formalising Process Calculi, Supervisor: Joachim Parrow PostDoc IT University of

More information

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin Coq, a formal proof development environment combining logic and programming Hugo Herbelin 1 Coq in a nutshell (http://coq.inria.fr) A logical formalism that embeds an executable typed programming language:

More information

Formally Certified Satisfiability Solving

Formally Certified Satisfiability Solving SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future

More information

CIS 500: Software Foundations

CIS 500: Software Foundations CIS 500: Software Foundations Midterm I October 4, 2016 Name (printed): Username (PennKey login id): My signature below certifies that I have complied with the University of Pennsylvania s Code of Academic

More information

Appendix G: Some questions concerning the representation of theorems

Appendix G: Some questions concerning the representation of theorems Appendix G: Some questions concerning the representation of theorems Specific discussion points 1. What should the meta-structure to represent mathematics, in which theorems naturally fall, be? There obviously

More information

Turning proof assistants into programming assistants

Turning proof assistants into programming assistants Turning proof assistants into programming assistants ST Winter Meeting, 3 Feb 2015 Magnus Myréen Why? Why combine proof- and programming assistants? Why proofs? Testing cannot show absence of bugs. Some

More information

MoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10

MoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10 Oct 04, 16 21:55 Page 1/10 * Lecture 02 Infer some type arguments automatically. Set Implicit Arguments. Note that the type constructor for functions (arrow " >") associates to the right: A > B > C = A

More information

Defining the Ethereum Virtual Machine for Interactive Theorem Provers

Defining the Ethereum Virtual Machine for Interactive Theorem Provers Defining the Ethereum Virtual Machine for Interactive Theorem Provers Ethereum Foundation Workshop on Trusted Smart Contracts Malta, Apr. 7, 2017 1/32 Outline 1 2 3 Remaining Problems 4 2/32 Outline 1

More information

Provably Correct Software

Provably Correct Software Provably Correct Software Max Schäfer Institute of Information Science/Academia Sinica September 17, 2007 1 / 48 The Need for Provably Correct Software BUT bugs are annoying, embarrassing, and cost gazillions

More information

type classes & locales

type classes & locales Content Rough timeline Intro & motivation, getting started [1] COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification Gerwin Klein, June Andronick, Toby Murray type classes & locales

More information

versat: A Verified Modern SAT Solver

versat: A Verified Modern SAT Solver Computer Science, The University of Iowa, USA Satisfiability Problem (SAT) Is there a model for the given propositional formula? Model: assignments to the variables that makes the formula true. SAT if

More information

Importing HOL-Light into Coq

Importing HOL-Light into Coq Outlines Importing HOL-Light into Coq Deep and shallow embeddings of the higher order logic into Coq Work in progress Chantal Keller chantal.keller@ens-lyon.fr Bejamin Werner benjamin.werner@inria.fr 2009

More information

Printed by Zachary Tatlock Nov 04, 16 8:59 Page 1/9. (** Call By Value << v ::= \ x. e e1 > e1 e1 e2 > e1 e2 e2 > e2 v e2 > v e2

Printed by Zachary Tatlock Nov 04, 16 8:59 Page 1/9. (** Call By Value << v ::= \ x. e e1 > e1 e1 e2 > e1 e2 e2 > e2 v e2 > v e2 Nov 04, 16 8:59 Page 1/9 Require Import List. Require Import String. Import ListNotations. Open Scope string_scope. Require Import StructTactics. Inductive expr : Set := Var : string > expr Lam : string

More information

Push-button verification of Files Systems via Crash Refinement

Push-button verification of Files Systems via Crash Refinement Push-button verification of Files Systems via Crash Refinement Verification Primer Behavioral Specification and implementation are both programs Equivalence check proves the functional correctness Hoare

More information

Programming with dependent types: passing fad or useful tool?

Programming with dependent types: passing fad or useful tool? Programming with dependent types: passing fad or useful tool? Xavier Leroy INRIA Paris-Rocquencourt IFIP WG 2.8, 2009-06 X. Leroy (INRIA) Dependently-typed programming 2009-06 1 / 22 Dependent types In

More information

Introduction to Co-Induction in Coq

Introduction to Co-Induction in Coq August 2005 Motivation Reason about infinite data-structures, Reason about lazy computation strategies, Reason about infinite processes, abstracting away from dates. Finite state automata, Temporal logic,

More information

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Proving Properties on Programs From the Coq Tutorial at ITP 2015 Proving Properties on Programs From the Coq Tutorial at ITP 2015 Reynald Affeldt August 29, 2015 Hoare logic is a proof system to verify imperative programs. It consists of a language of Hoare triples

More information

Mathematics for Computer Scientists 2 (G52MC2)

Mathematics for Computer Scientists 2 (G52MC2) Mathematics for Computer Scientists 2 (G52MC2) L03 : More Coq, Classical Logic School of Computer Science University of Nottingham October 8, 2009 The cut rule Sometimes we want to prove a goal Q via an

More information

Design of an Interactive Digital Library of Formal Algorithmic Knowledge

Design of an Interactive Digital Library of Formal Algorithmic Knowledge OFFICE OF NAVAL RESEARCH (ONR) CORNELL UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE Design of an Interactive Digital Library of Formal Algorithmic Knowledge December 12, 2002 / Stanford University Stuart

More information

Deductive Program Verification with Why3, Past and Future

Deductive Program Verification with Why3, Past and Future Deductive Program Verification with Why3, Past and Future Claude Marché ProofInUse Kick-Off Day February 2nd, 2015 A bit of history 1999: Jean-Christophe Filliâtre s PhD Thesis Proof of imperative programs,

More information

Programs and Proofs in Isabelle/HOL

Programs and Proofs in Isabelle/HOL Programs and Proofs in Isabelle/HOL Makarius Wenzel http://sketis.net March 2016 = Isabelle λ β α Introduction What is Isabelle? Hanabusa Itcho : Blind monks examining an elephant Introduction 2 History:

More information

An Extensive Study of Static Regression Test Selection in Modern Software Evolution

An Extensive Study of Static Regression Test Selection in Modern Software Evolution An Extensive Study of Static Regression Test Selection in Modern Software Evolution Owolabi Legunsen, Farah Hariri, August Shi, Yafeng Lu, Lingming Zhang, and Darko Marinov FSE 2016 Seattle, Washington

More information

CIS 500 Software Foundations. Midterm I. (Standard and advanced versions together) October 1, 2013 Answer key

CIS 500 Software Foundations. Midterm I. (Standard and advanced versions together) October 1, 2013 Answer key CIS 500 Software Foundations Midterm I (Standard and advanced versions together) October 1, 2013 Answer key 1. (12 points) Write the type of each of the following Coq expressions, or write ill-typed if

More information

Certified Password Quality

Certified Password Quality Certified Password Quality A Case Study Using Coq and Linux Pluggable Authentication Modules João F. Ferreira 1, 2, Saul A. Johnson 1, Alexandra Mendes 1 and Philip J. Brooke 1 1 School of Computing, Media

More information

Numerical Computations and Formal Methods

Numerical Computations and Formal Methods Program verification Formal arithmetic Decision procedures Proval, Laboratoire de Recherche en Informatique INRIA Saclay IdF, Université Paris Sud, CNRS October 28, 2009 Program verification Formal arithmetic

More information

Propositional Calculus. Math Foundations of Computer Science

Propositional Calculus. Math Foundations of Computer Science Propositional Calculus Math Foundations of Computer Science Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they can use it to

More information

10 Years of Partiality and General Recursion in Type Theory

10 Years of Partiality and General Recursion in Type Theory 10 Years of Partiality and General Recursion in Type Theory Ana Bove Chalmers University of Technology DTP 10 July 9th 2010 Claims and Disclaims I know that I know nothing Socrates Ana Bove DTP 10 July

More information

SOFTWARE VERIFICATION AND COMPUTER PROOF (lesson 1) Enrico Tassi Inria Sophia-Antipolis

SOFTWARE VERIFICATION AND COMPUTER PROOF (lesson 1) Enrico Tassi Inria Sophia-Antipolis SOFTWARE VERIFICATION AND COMPUTER PROOF (lesson 1) Enrico Tassi Inria Sophia-Antipolis Who am I? 1. I'm a researcher at Inria 2. I work on proof assistants, the kind of tools that we will be using for

More information

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context LAST TIME Syntax and semantics of IMP Hoare logic rules NICTA Advanced Course Soundness of Hoare logic Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 Verification conditions Example

More information

Verification of a brick Wang tiling algorithm

Verification of a brick Wang tiling algorithm EPiC Series in Computing Volume 39, 2016, Pages 107 116 SCSS 2016. 7th International Symposium on Symbolic Computation in Software Science Verification of a brick Wang tiling algorithm Toshiaki Matsushima

More information

Machine-checked proofs of program correctness

Machine-checked proofs of program correctness Machine-checked proofs of program correctness COS 326 Andrew W. Appel Princeton University slides copyright 2013-2015 David Walker and Andrew W. Appel In this course, you saw how to prove that functional

More information

Formal Verification of a Floating-Point Elementary Function

Formal Verification of a Floating-Point Elementary Function Introduction Coq & Flocq Coq.Interval Gappa Conclusion Formal Verification of a Floating-Point Elementary Function Inria Saclay Île-de-France & LRI, Université Paris Sud, CNRS 2015-06-25 Introduction Coq

More information

Embedding logics in Dedukti

Embedding logics in Dedukti 1 INRIA, 2 Ecole Polytechnique, 3 ENSIIE/Cedric Embedding logics in Dedukti Ali Assaf 12, Guillaume Burel 3 April 12, 2013 Ali Assaf, Guillaume Burel: Embedding logics in Dedukti, 1 Outline Introduction

More information

Programming with (co-)inductive types in Coq

Programming with (co-)inductive types in Coq Programming with (co-)inductive types in Coq Matthieu Sozeau February 3rd 2014 Programming with (co-)inductive types in Coq Matthieu Sozeau February 3rd 2014 Last time 1. Record Types 2. Mathematical Structures

More information

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley A Certified TypePreserving Compiler from Lambda Calculus to Assembly Language An experiment with variable binding, denotational semantics, and logical relations in Coq Adam Chlipala University of California,

More information

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms Mirko Stojadinović Faculty of Mathematics, University of Belgrade Abstract. One approach in achieving

More information

Certified Programming with Dependent Types

Certified Programming with Dependent Types 1/30 Certified Programming with Dependent Types Inductive Predicates Niels van der Weide March 7, 2017 2/30 Last Time We discussed inductive types Print nat. (* Inductive nat : Set := O : nat S : nat nat*)

More information

Structures in Coq January 27th 2014

Structures in Coq January 27th 2014 MPRI 2-7-2 Proof assistants ~sozeau/teaching/mpri-2-7-2-270114.pdf! Structures in Coq January 27th 2014 Matthieu Sozeau! "r² project team! Inria Paris & PPS! matthieu.sozeau@inria.fr! www.pps /~sozeau

More information

Formal proofs and certified computation in Coq

Formal proofs and certified computation in Coq Formal proofs and certified computation in Coq Érik Martin-Dorel http://erik.martin-dorel.org Équipe ACADIE, Laboratoire IRIT Université Toulouse III - Paul Sabatier French Symposium on Games 26 30 May

More information

Logik für Informatiker Logic for computer scientists

Logik für Informatiker Logic for computer scientists Logik für Informatiker for computer scientists WiSe 2011/12 Overview Motivation Why is logic needed in computer science? The LPL book and software Scheinkriterien Why is logic needed in computer science?

More information

SAT Solver. CS 680 Formal Methods Jeremy Johnson

SAT Solver. CS 680 Formal Methods Jeremy Johnson SAT Solver CS 680 Formal Methods Jeremy Johnson Disjunctive Normal Form A Boolean expression is a Boolean function Any Boolean function can be written as a Boolean expression s x 0 x 1 f Disjunctive normal

More information

Unit- and Sequence Test Generation with HOL-TestGen

Unit- and Sequence Test Generation with HOL-TestGen Unit- and Sequence Test Generation with HOL-TestGen Tests et Methodes Formelles Prof. Burkhart Wolff Univ - Paris-Sud / LRI 16.6.2015 B.Wolff - HOL-TestGen 1 Overview HOL-TestGen and its Business-Case

More information

COMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka

COMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka COMP 4161 Data61 Advanced Course Advanced Topics in Software Verification Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka 1 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution

More information

Formal methods for software security

Formal methods for software security Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality

More information

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 An Extensible Programming Language for Verified Systems Software Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 The status quo in computer system design DOM JS API Web page Network JS API CPU Timer interrupts

More information

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology Guest lecture for Compiler Construction, Spring 2015 Verified compilers Magnus Myréen Chalmers University of Technology Mentions joint work with Ramana Kumar, Michael Norrish, Scott Owens and many more

More information

COMP4161: Advanced Topics in Software Verification. fun. Gerwin Klein, June Andronick, Ramana Kumar S2/2016. data61.csiro.au

COMP4161: Advanced Topics in Software Verification. fun. Gerwin Klein, June Andronick, Ramana Kumar S2/2016. data61.csiro.au COMP4161: Advanced Topics in Software Verification fun Gerwin Klein, June Andronick, Ramana Kumar S2/2016 data61.csiro.au Content Intro & motivation, getting started [1] Foundations & Principles Lambda

More information

Translation Validation for a Verified OS Kernel

Translation Validation for a Verified OS Kernel To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified

More information

Formal Verification of Floating-Point programs

Formal Verification of Floating-Point programs Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filliâtre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI Motivations Goal: reliability in numerical software Motivations

More information

Modular dependent induction in Coq, Mendler-style. Paolo Torrini

Modular dependent induction in Coq, Mendler-style. Paolo Torrini Modular dependent induction in Coq, Mendler-style Paolo Torrini Dept. of Computer Science, KU Leuven ITP 16, Nancy, 22.08.2016 * The Author left the Institution in April 2016 motivation: cost-effective

More information

A Formally-Verified C static analyzer

A Formally-Verified C static analyzer A Formally-Verified C static analyzer David Pichardie joint work with J.-H. Jourdan, V. Laporte, S.Blazy, X. Leroy, presented at POPL 15!! How do you trust your software? bug finders sound verifiers verified

More information

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree Sneha Popley and Stephanie Weirich August 14, 2008 Abstract Coq reflects some significant differences

More information

CS 456 (Fall 2018) Scribe Notes: 2

CS 456 (Fall 2018) Scribe Notes: 2 CS 456 (Fall 2018) Scribe Notes: 2 Albert Yu, Adam Johnston Lists Bags Maps Inductive data type that has an infinite collection of elements Not through enumeration but inductive type definition allowing

More information

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p. CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections 10.1-10.3 p. 1/106 CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer

More information

CIS 500: Software Foundations

CIS 500: Software Foundations CIS 500: Software Foundations Midterm I October 3, 2017 Name (printed): Username (PennKey login id): My signature below certifies that I have complied with the University of Pennsylvania s Code of Academic

More information

A heuristic method for formally verifying real inequalities

A heuristic method for formally verifying real inequalities A heuristic method for formally verifying real inequalities Robert Y. Lewis Vrije Universiteit Amsterdam June 22, 2018 Motivation Specific topic for today: verifying systems of nonlinear inequalities over

More information

Functional Programming with Isabelle/HOL

Functional Programming with Isabelle/HOL Functional Programming with Isabelle/HOL = Isabelle λ β HOL α Florian Haftmann Technische Universität München January 2009 Overview Viewing Isabelle/HOL as a functional programming language: 1. Isabelle/HOL

More information

Embedding Impure & Untrusted ML Oracles into Coq Verified Code

Embedding Impure & Untrusted ML Oracles into Coq Verified Code 1/42 Embedding Impure & Untrusted ML Oracles into Coq Verified Code December 2018 Sylvain.Boulme@univ-grenoble-alpes.fr Motivations from CompCert successes and weaknesses 2/42 Contents Motivations from

More information

Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm

Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm Peter Lammich, Thomas Tuerk ITP 2012, 13th August 2012 Background Peter Lammich (lammich@in.tum.de) Isabelle Collection Framework (ICF)

More information

Foundations of Computer Science Spring Mathematical Preliminaries

Foundations of Computer Science Spring Mathematical Preliminaries Foundations of Computer Science Spring 2017 Equivalence Relation, Recursive Definition, and Mathematical Induction Mathematical Preliminaries Mohammad Ashiqur Rahman Department of Computer Science College

More information

Chapter 1. Introduction

Chapter 1. Introduction 1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in

More information

Dependently Typed Programming with Mutable State

Dependently Typed Programming with Mutable State Dependently Typed Programming with Mutable State Aaron Stump 1 Evan Austin 2 1 Computer Science The University of Iowa 2 Computer Science The University of Kansas U.S. National Science Foundation CAREER

More information

Combining Coq and Gappa for Certifying FP Programs

Combining Coq and Gappa for Certifying FP Programs Introduction Example Gappa Tactic Conclusion Combining Coq and Gappa for Certifying Floating-Point Programs Sylvie Boldo Jean-Christophe Filliâtre Guillaume Melquiond Proval, Laboratoire de Recherche en

More information

Mechanized Operational Semantics

Mechanized Operational Semantics Mechanized Operational Semantics J Strother Moore Department of Computer Sciences University of Texas at Austin Marktoberdorf Summer School 2008 (Lecture 3: Direct Proofs) 1 Fact 1 Given an operational

More information

Browser Security Guarantees through Formal Shim Verification

Browser Security Guarantees through Formal Shim Verification Browser Security Guarantees through Formal Shim Verification Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable:

More information

Generation of Code from COQ for Succinct Data Structures

Generation of Code from COQ for Succinct Data Structures Generation of Code from COQ for Succinct Data Structures Akira Tanaka*, Reynald Affeldt*, Jacques Garrigue** *National Institute of Advanced Industrial Science and Technology (AIST) **Nagoya University

More information

An Industrially Useful Prover

An Industrially Useful Prover An Industrially Useful Prover J Strother Moore Department of Computer Science University of Texas at Austin July, 2017 1 Recap Yesterday s Talk: ACL2 is used routinely in the microprocessor industry to

More information

Building Verified Program Analyzers in Coq

Building Verified Program Analyzers in Coq Building Verified Program Analyzers in Coq Lecture 1: Motivations and Examples David Pichardie - INRIA Rennes / Harvard University How do you trust your software? bug finders sound verifiers verified verifiers

More information

Work-in-progress: "Verifying" the Glasgow Haskell Compiler Core language

Work-in-progress: Verifying the Glasgow Haskell Compiler Core language Work-in-progress: "Verifying" the Glasgow Haskell Compiler Core language Stephanie Weirich Joachim Breitner, Antal Spector-Zabusky, Yao Li, Christine Rizkallah, John Wiegley June 2018 Let's prove GHC correct

More information

SANER 17. Klagenfurt, Austria

SANER 17. Klagenfurt, Austria SANER 17 Klagenfurt, Austria Carol V. Alexandru, Sebastiano Panichella, Harald C. Gall Software Evolution and Architecture Lab University of Zurich, Switzerland {alexandru,panichella,gall}@ifi.uzh.ch 22.02.2017

More information

Formal Methods for Aviation Software Design and Certification

Formal Methods for Aviation Software Design and Certification Formal Methods for Aviation Software Design and Certification PART II: Formal Methods Gordon Stewart COUNT Short Course Series May 24-26 RUSS COLLEGE OF ENGINEERING AND TECHNOLOGY DO- 333: What Are Formal

More information

Toward explicit rewrite rules in the λπ-calculus modulo

Toward explicit rewrite rules in the λπ-calculus modulo Toward explicit rewrite rules in the λπ-calculus modulo Ronan Saillard (Olivier Hermant) Deducteam INRIA MINES ParisTech December 14th, 2013 1 / 29 Motivation Problem Checking, in a trustful way, that

More information

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs 3 Pairs and Lists 3.1 Formal vs. Informal Proofs The question of what, exactly, constitutes a proof of a mathematical claim has challenged philosophers throughout the ages. A rough and ready definition,

More information

Inductive data types (I)

Inductive data types (I) 5th Asian-Pacific Summer School on Formal Methods August 5-10, 2013, Tsinghua University, Beijing, China Inductive data types (I) jean-jacques.levy@inria.fr 2013-8-6 http://sts.thss.tsinghua.edu.cn/coqschool2013

More information

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course Organisatorials COMP 4161 NICTA Advanced Course When Tue 9:00 10:30 Thu 9:00 10:30 Where Tue: Law 163 (F8-163) Thu: Australian School Business 205 (E12-205) Advanced Topics in Software Verification Rafal

More information

Ruby Extension Library Verified using Coq Proof-assistant

Ruby Extension Library Verified using Coq Proof-assistant Ruby Extension Library Verified using Coq Proof-assistant Tanaka Akira @tanaka_akr National Institute of Advanced Industrial Science and Technology (AIST) RubyKaigi 2017 2017-09-20 Supplement material:

More information

Proving Tight Bounds on Univariate Expressions with Elementary Functions in Coq

Proving Tight Bounds on Univariate Expressions with Elementary Functions in Coq Proving Tight Bounds on Univariate Expressions with Elementary Functions in Coq Érik Martin-Dorel http://www.irit.fr/~erik.martin-dorel/ Équipe ACADIE, Laboratoire IRIT Université Toulouse III - Paul Sabatier

More information

arxiv: v2 [cs.pl] 19 May 2017

arxiv: v2 [cs.pl] 19 May 2017 Proof Mining with Dependent Types Ekaterina Komendantskaya and Jónathan Heras arxiv:1705.04680v2 [cs.pl] 19 May 2017 1 Mathematical and Computer Sciences, Heriot-Watt University, UK ek19@hw.ac.uk 2 Mathematics

More information

A Simple Supercompiler Formally Verified in Coq

A Simple Supercompiler Formally Verified in Coq A Simple Supercompiler Formally Verified in Coq IGE+XAO Balkan 4 July 2010 / META 2010 Outline 1 Introduction 2 3 Test Generation, Extensional Equivalence More Realistic Language Use Information Propagation

More information

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions) By the end of this course, students should CIS 1.5 Course Objectives a. Understand the concept of a program (i.e., a computer following a series of instructions) b. Understand the concept of a variable

More information

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

Formalization of Incremental Simplex Algorithm by Stepwise Refinement Formalization of Incremental Simplex Algorithm by Stepwise Refinement Mirko Spasić, Filip Marić Faculty of Mathematics, University of Belgrade FM2012, 30. August 2012. Overview 1 Introduction 2 Approach

More information

The Prototype Verification System PVS

The Prototype Verification System PVS The Prototype Verification System PVS Wolfgang Schreiner Wolfgang.Schreiner@risc.uni-linz.ac.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.uni-linz.ac.at

More information

Introduction to dependent types in Coq

Introduction to dependent types in Coq October 24, 2008 basic use of the Coq system In Coq, you can play with simple values and functions. The basic command is called Check, to verify if an expression is well-formed and learn what is its type.

More information

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance 09/30/15, Austin, TX, USA @ FMCAD'15 Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev Pascal Fradet 1/28 Outline For a given (fault-tolerance) transformation

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback