Formal proofs and certified computation in Coq

Similar documents
Proving Tight Bounds on Univariate Expressions with Elementary Functions in Coq

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Introduction to Coq Proof Assistant

Numerical Computations and Formal Methods

A Certified Reduction Strategy for Homological Image Processing

Provably Correct Software

Introduction to the Calculus of Inductive Definitions

Functional Programming in Coq. Nate Foster Spring 2018

Functional Programming with Isabelle/HOL

Combining Coq and Gappa for Certifying FP Programs

A Parameterized Floating-Point Formalizaton in HOL Light

Univalent fibrations in type theory and topology

Isabelle/HOL:Selected Features and Recent Improvements

A NEW PROOF-ASSISTANT THAT REVISITS HOMOTOPY TYPE THEORY THE THEORETICAL FOUNDATIONS OF COQ USING NICOLAS TABAREAU

ABriefOverviewofAgda A Functional Language with Dependent Types

Refinements for free! 1

Importing HOL-Light into Coq

Turning proof assistants into programming assistants

Specification, Verification, and Interactive Proof

Formal Verification in Industry

Formal Verification of Floating-Point programs

10 Years of Partiality and General Recursion in Type Theory

Embedding logics in Dedukti

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Types Summer School Gothenburg Sweden August Dogma oftype Theory. Everything has a type

Interactive Theorem Proving in Higher-Order Logics

Formal Verification of a Floating-Point Elementary Function

Adam Chlipala University of California, Berkeley ICFP 2006

Proving Bounds on Real-Valued Functions with Computations

Deductive Program Verification with Why3, Past and Future

Introduction to dependent types in Coq

A Formalization of Convex Polyhedra based on the Simplex Method

Chapter 1. Introduction

Formally Certified Satisfiability Solving

When double rounding is odd

Appendix G: Some questions concerning the representation of theorems

Basic Foundations of Isabelle/HOL

The type system of Axiom

Automated verification of termination certificates

When double rounding is odd

Research Statement. Daniel R. Licata

A Coq Framework For Verified Property-Based Testing (part of QuickChick)

Automata and Formal Languages - CM0081 Introduction to Agda

A NEW PROOF-ASSISTANT THAT REVISITS HOMOTOPY TYPE THEORY THE THEORETICAL FOUNDATIONS OF COQ USING NICOLAS TABAREAU

SJTU SUMMER 2014 SOFTWARE FOUNDATIONS. Dr. Michael Clarkson

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

CS3110 Spring 2017 Lecture 9 Inductive proofs of specifications

Floating-point arithmetic in the Coq system

Formal verification of floating-point arithmetic at Intel

A Reflection-based Proof Tactic for Lattices in COQ

Packaging Theories of Higher Order Logic

Combining Coq and Gappa for Certifying Floating-Point Programs

Lecture 11 Lecture 11 Nov 5, 2014

Using Agda to Explore Path-Oriented Models of Type Theory

picoq: Parallel Regression Proving for Large-Scale Verification Projects

A Computational Approach to Pocklington Certificates in Type Theory

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

From Crypto to Code. Greg Morrisett

Mathematics for Computer Scientists 2 (G52MC2)

The Lean Theorem Prover (system description)

Formal C semantics: CompCert and the C standard

Combining Coq and Gappa for Certifying Floating-Point Programs

An Introduction to ProofPower

The design of a programming language for provably correct programs: success and failure

Mathematical Modeling to Formally Prove Correctness

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

Partiality and Recursion in Interactive Theorem Provers - An Overview

The Mathematical Vernacular

the application rule M : x:a: B N : A M N : (x:a: B) N and the reduction rule (x: A: B) N! Bfx := Ng. Their algorithm is not fully satisfactory in the

On a few open problems of the Calculus of Inductive Constructions and on their practical consequences

Generating formally certified bounds on values and round-off errors

How to Compute the Area of a Triangle: a Formal Revisit

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Lecture slides & distribution files:

Proofs-Programs correspondance and Security

Synthesis of distributed mobile programs using monadic types in Coq

SMTCoq: A plug-in for integrating SMT solvers into Coq

Renement: a reection on proofs and computations

Verification and Validation

Verification and Validation

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

On Agda JAIST/AIST WS CVS/AIST Yoshiki Kinoshita, Yoriyuki Yamagata. Agenda

Matching Logic A New Program Verification Approach

Towards Coq Formalisation of {log} Set Constraints Resolution

MLW. Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky. March 26, Radboud University Nijmegen

An introduction to Homotopy Type Theory

Bidirectional Certified Programming

Topic 3: Propositions as types

An Industrially Useful Prover

CIS 194: Homework 8. Due Wednesday, 8 April. Propositional Logic. Implication

Programming and Reasonning with PowerLists in Coq. Virginia Niculescu. Rapport n o RR

Meta programming on the proof level

The Coq Proof Assistant A Tutorial

Logical Verification Course Notes. Femke van Raamsdonk Vrije Universiteit Amsterdam

A Simpl Shortest Path Checker Verification

Framework for Design of Dynamic Programming Algorithms

Proofs and Proof Certification in the TLA + Proof System

The three faces of homotopy type theory. Type theory and category theory. Minicourse plan. Typing judgments. Michael Shulman.

Formal Methods for Aviation Software Design and Certification

Transcription:

Formal proofs and certified computation in Coq Érik Martin-Dorel http://erik.martin-dorel.org Équipe ACADIE, Laboratoire IRIT Université Toulouse III - Paul Sabatier French Symposium on Games 26 30 May 2015 Université Paris Diderot 1 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 1/18 18

Formal Methods Gather a set of mathematically-based techniques designed to specify and verify computer systems Model Checking Verification Techniques Abstract Interpretation Deductive Verification Formal Proofs 2 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 2/18 18

Formal Methods Gather a set of mathematically-based techniques designed to specify and verify computer systems Used in areas where errors can cause loss of life errors can cause significant financial damage Model Checking Verification Techniques Abstract Interpretation Deductive Verification Formal Proofs 2 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 2/18 18

Formal Methods Gather a set of mathematically-based techniques designed to specify and verify computer systems Used in areas where errors can cause loss of life errors can cause significant financial damage For instance for the Paris Métro Line 14 at Intel, AMD,... Model Checking Deductive Verification Verification Techniques Abstract Interpretation Formal Proofs 2 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 2/18 18

Formal Proofs needs a proof assistant (= proof checker (= theorem prover)) specify algorithms and theorems develop proofs interactively check proofs but also perform computations, develop automatic tactics... various tools: ACL2, Agda, Coq, HOL Light, Isabelle, Mizar, PVS... 3 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 3/18 18

Formal Proofs needs a proof assistant (= proof checker (= theorem prover)) specify algorithms and theorems develop proofs interactively check proofs but also perform computations, develop automatic tactics... various tools: ACL2, Agda, Coq, HOL Light, Isabelle, Mizar, PVS... main criteria to classify them: the kind of underlying logic (FOL/HOL, classical/intuitionistic... ) the presence of a proof kernel (De Bruijn s criterion) the degree of automation the availability of large libraries of formalized results see also [Freek Wiedijk (2006): The Seventeen Provers of the World] 3 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 3/18 18

How to Believe a Machine-Checked Proof [R. Pollack 1998] 4 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 4/18 18

How to Believe a Machine-Checked Proof [R. Pollack 1998] Two sub-problems: 1 decide if the putative formal proof is really a derivation in the given formal system 4 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 4/18 18

How to Believe a Machine-Checked Proof [R. Pollack 1998] Two sub-problems: 1 decide if the putative formal proof is really a derivation in the given formal system 2 decide if what it proves really has the informal meaning claimed for it 4 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 4/18 18

How to Believe a Machine-Checked Proof [R. Pollack 1998] Two sub-problems: 1 decide if the putative formal proof is really a derivation in the given formal system this question can be answered by a machine need to trust the hardware, the OS... and the proof checker (but it is a simple program: it just need to check the proof, not to discover it!) 2 decide if what it proves really has the informal meaning claimed for it 4 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 4/18 18

How to Believe a Machine-Checked Proof [R. Pollack 1998] Two sub-problems: 1 decide if the putative formal proof is really a derivation in the given formal system this question can be answered by a machine need to trust the hardware, the OS... and the proof checker (but it is a simple program: it just need to check the proof, not to discover it!) 2 decide if what it proves really has the informal meaning claimed for it this is an informal question well surveyable: check that the formalized definitions indeed correspond to the usual mathematical ones (no need to dive into proof details: they re fully handled by the checker) 4 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 4/18 18

Focus on the Coq proof assistant Written in OCaml 5 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 5/18 18

Focus on the Coq proof assistant Written in OCaml Initiated by Thierry Coquand and Gérard Huet, and developed by Inria since 1984 (the latest stable release being version 8.4pl6) 5 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 5/18 18

Focus on the Coq proof assistant Written in OCaml Initiated by Thierry Coquand and Gérard Huet, and developed by Inria since 1984 (the latest stable release being version 8.4pl6) Provides a strongly-typed functional programming language and proof framework, based on the Calculus of Inductive Constructions, a higher-order logic that is constructive (= intuitionistic) and very expressive 5 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 5/18 18

Focus on the Coq proof assistant Written in OCaml Initiated by Thierry Coquand and Gérard Huet, and developed by Inria since 1984 (the latest stable release being version 8.4pl6) Provides a strongly-typed functional programming language and proof framework, based on the Calculus of Inductive Constructions, a higher-order logic that is constructive (= intuitionistic) and very expressive [Yves Bertot, Pierre Castéran (2004): Coq Art: The Calculus of Inductive Constructions] 5 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 5/18 18

Focus on the Coq proof assistant Written in OCaml Initiated by Thierry Coquand and Gérard Huet, and developed by Inria since 1984 (the latest stable release being version 8.4pl6) Provides a strongly-typed functional programming language and proof framework, based on the Calculus of Inductive Constructions, a higher-order logic that is constructive (= intuitionistic) and very expressive [Yves Bertot, Pierre Castéran (2004): Coq Art: The Calculus of Inductive Constructions] Coq has been awarded the 2013 ACM Software System Award, and the 2013 SIGPLAN Programming Languages Software Award. 5 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 5/18 18

Recap the role of Coq s kernel The Curry Howard correspondence A proposition is............. a type 6 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 6/18 18

Recap the role of Coq s kernel The Curry Howard correspondence A proposition is............. a type A proof of a proposition is... a program that inhabits this type 6 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 6/18 18

Recap the role of Coq s kernel The Curry Howard correspondence A proposition is............. a type A proof of a proposition is... a program that inhabits this type A false proposition is........ an empty type 6 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 6/18 18

Recap the role of Coq s kernel The Curry Howard correspondence A proposition is............. a type A proof of a proposition is... a program that inhabits this type A false proposition is........ an empty type A proof of P implies Q is... a program p turning any proof of P into a proof of Q; denoted by p : P Q 6 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 6/18 18

Recap the role of Coq s kernel The Curry Howard correspondence A proposition is............. a type A proof of a proposition is... a program that inhabits this type A false proposition is........ an empty type A proof of P implies Q is... a program p turning any proof of P into a proof of Q; denoted by p : P Q Checking that p is a proof of a theorem T (in a proof environment E) amounts to calculating the type of p (w.r.t. E) and comparing it with T. 6 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 6/18 18

Recap the role of Coq s kernel The Curry Howard correspondence A proposition is............. a type A proof of a proposition is... a program that inhabits this type A false proposition is........ an empty type A proof of P implies Q is... a program p turning any proof of P into a proof of Q; denoted by p : P Q Checking that p is a proof of a theorem T (in a proof environment E) amounts to calculating the type of p (w.r.t. E) and comparing it with T. We say that it is a type judgement E p : T. 6 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 6/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. So roughly speaking, typing is performed modulo computation. 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. So roughly speaking, typing is performed modulo computation. Toy example of proof based on computation Assume we want to prove 4 8, not using the axiomatic approach a a i.e. without relying on n : N, n n and m, n : N, m n m n + 1 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. So roughly speaking, typing is performed modulo computation. Toy example of proof based on computation Assume we want to prove 4 8, not using the axiomatic approach a We define as the subtraction over N, i.e. m n := max(0, m n). a i.e. without relying on n : N, n n and m, n : N, m n m n + 1 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. So roughly speaking, typing is performed modulo computation. Toy example of proof based on computation Assume we want to prove 4 8, not using the axiomatic approach a We define as the subtraction over N, i.e. m n := max(0, m n). We rewrite 4 8 as 4 8 = 0. a i.e. without relying on n : N, n n and m, n : N, m n m n + 1 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. So roughly speaking, typing is performed modulo computation. Toy example of proof based on computation Assume we want to prove 4 8, not using the axiomatic approach a We define as the subtraction over N, i.e. m n := max(0, m n). We rewrite 4 8 as 4 8 = 0. We compute and get 0 = 0, which trivially holds (refl : 0 = 0) a i.e. without relying on n : N, n n and m, n : N, m n m n + 1 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Coq, proofs and computation Coq comes with a primitive notion of computation, called conversion. Key feature of Coq s logic: the convertibility rule In environment E, if p : A and if A and B are convertible, then p : B. So roughly speaking, typing is performed modulo computation. Toy example of proof based on computation Assume we want to prove 4 8, not using the axiomatic approach a We define as the subtraction over N, i.e. m n := max(0, m n). We rewrite 4 8 as 4 8 = 0. We compute and get 0 = 0, which trivially holds (refl : 0 = 0) As 0 = 0 and 4 8 = 0 are convertible, we also have refl : 4 8 = 0, hence the result. a i.e. without relying on n : N, n n and m, n : N, m n m n + 1 7 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 7/18 18

Approaches to certify computation with a Proof Assistant Borrowing [G. Barthe, G. Ruys, H. Barendregt, 1995] s terminology autarkic approach : perform all calculations inside the proof assistant skeptical approach : rely on certificates that are produced by a given tool, external to the proof assistant, then checked 8 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 8/18 18

Approaches to certify computation with a Proof Assistant Borrowing [G. Barthe, G. Ruys, H. Barendregt, 1995] s terminology autarkic approach : perform all calculations inside the proof assistant skeptical approach : rely on certificates that are produced by a given tool, external to the proof assistant, then checked extraction of programs: generate compilable source code (e.g. in OCaml) correct by construction, from the formalized algorithm: e.g., the CompCert C compiler has been designed this way [X. Leroy (2009): A Formally Verified Compiler Back-end]. 8 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 8/18 18

Approaches to certify computation with a Proof Assistant Borrowing [G. Barthe, G. Ruys, H. Barendregt, 1995] s terminology autarkic approach : perform all calculations inside the proof assistant skeptical approach : rely on certificates that are produced by a given tool, external to the proof assistant, then checked extraction of programs: generate compilable source code (e.g. in OCaml) correct by construction, from the formalized algorithm: e.g., the CompCert C compiler has been designed this way [X. Leroy (2009): A Formally Verified Compiler Back-end]. deductive verification: annotate the (imperative) program code and use dedicated tools, such as Frama-C/Jessie/Why3, to generate proof obligations (to be discharged by automated provers or proof assistants as back-ends) 8 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 8/18 18

Overview of the Reals library (included in Coq s stdlib) originated in the Coq formalization of the Three Gap Theorem (Steinhaus conjecture), cf. [Micaela Mayero s PhD thesis, 2001] 9 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 9/18 18

Overview of the Reals library (included in Coq s stdlib) originated in the Coq formalization of the Three Gap Theorem (Steinhaus conjecture), cf. [Micaela Mayero s PhD thesis, 2001] classical axiomatization of R as a complete Archimedean ordered field 9 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 9/18 18

Overview of the Reals library (included in Coq s stdlib) originated in the Coq formalization of the Three Gap Theorem (Steinhaus conjecture), cf. [Micaela Mayero s PhD thesis, 2001] classical axiomatization of R as a complete Archimedean ordered field the classical flavor of this formalization is due to the trichotomy axiom (named total_order_t in the code) 9 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 9/18 18

Overview of the Reals library (included in Coq s stdlib) originated in the Coq formalization of the Three Gap Theorem (Steinhaus conjecture), cf. [Micaela Mayero s PhD thesis, 2001] classical axiomatization of R as a complete Archimedean ordered field the classical flavor of this formalization is due to the trichotomy axiom (named total_order_t in the code) part of the Coq standard library 9 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 9/18 18

Overview of the Reals library (included in Coq s stdlib) originated in the Coq formalization of the Three Gap Theorem (Steinhaus conjecture), cf. [Micaela Mayero s PhD thesis, 2001] classical axiomatization of R as a complete Archimedean ordered field the classical flavor of this formalization is due to the trichotomy axiom (named total_order_t in the code) part of the Coq standard library technicalities: the division is a total function 9 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 9/18 18

Overview of the Reals library (included in Coq s stdlib) originated in the Coq formalization of the Three Gap Theorem (Steinhaus conjecture), cf. [Micaela Mayero s PhD thesis, 2001] classical axiomatization of R as a complete Archimedean ordered field the classical flavor of this formalization is due to the trichotomy axiom (named total_order_t in the code) part of the Coq standard library technicalities: the division is a total function gathers support results on derivability, Riemann integral (both defined with dependent types) and reference functions 9 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 9/18 18

Overview of the Coquelicot library a new library of real analysis for Coq 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the Coquelicot library a new library of real analysis for Coq conservative extension of the Reals standard library 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the Coquelicot library a new library of real analysis for Coq conservative extension of the Reals standard library cf. [Sylvie Boldo, Catherine Lelay, Guillaume Melquiond (2015): Coquelicot: A User-Friendly Library of Real Analysis for Coq] 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the Coquelicot library a new library of real analysis for Coq conservative extension of the Reals standard library cf. [Sylvie Boldo, Catherine Lelay, Guillaume Melquiond (2015): Coquelicot: A User-Friendly Library of Real Analysis for Coq] new features: 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the Coquelicot library a new library of real analysis for Coq conservative extension of the Reals standard library cf. [Sylvie Boldo, Catherine Lelay, Guillaume Melquiond (2015): Coquelicot: A User-Friendly Library of Real Analysis for Coq] new features: user-friendly definitions of limits, derivatives, integrals... (with total functions in place of dependent types) 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the Coquelicot library a new library of real analysis for Coq conservative extension of the Reals standard library cf. [Sylvie Boldo, Catherine Lelay, Guillaume Melquiond (2015): Coquelicot: A User-Friendly Library of Real Analysis for Coq] new features: user-friendly definitions of limits, derivatives, integrals... (with total functions in place of dependent types) comprehensive set of theorems on these notions, up to power series, parametric integrals, two-dimensional differentiability, asymptotic behaviors 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the Coquelicot library a new library of real analysis for Coq conservative extension of the Reals standard library cf. [Sylvie Boldo, Catherine Lelay, Guillaume Melquiond (2015): Coquelicot: A User-Friendly Library of Real Analysis for Coq] new features: user-friendly definitions of limits, derivatives, integrals... (with total functions in place of dependent types) comprehensive set of theorems on these notions, up to power series, parametric integrals, two-dimensional differentiability, asymptotic behaviors tactics to automate proofs on derivatives 10 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 10/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen originated in the FTA project for formalizing the Fundamental Theorem of Algebra constructively 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen originated in the FTA project for formalizing the Fundamental Theorem of Algebra constructively intuitionistic axiomatization via an algebraic hierarchy built upon constructive setoids + construction of a real number structure via Cauchy sequences, cf. [Milad Niqui s PhD thesis, 2004]. 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen originated in the FTA project for formalizing the Fundamental Theorem of Algebra constructively intuitionistic axiomatization via an algebraic hierarchy built upon constructive setoids + construction of a real number structure via Cauchy sequences, cf. [Milad Niqui s PhD thesis, 2004]. features: 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen originated in the FTA project for formalizing the Fundamental Theorem of Algebra constructively intuitionistic axiomatization via an algebraic hierarchy built upon constructive setoids + construction of a real number structure via Cauchy sequences, cf. [Milad Niqui s PhD thesis, 2004]. features: large and generic library in the spirit of E. Bishop s constructive analysis 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen originated in the FTA project for formalizing the Fundamental Theorem of Algebra constructively intuitionistic axiomatization via an algebraic hierarchy built upon constructive setoids + construction of a real number structure via Cauchy sequences, cf. [Milad Niqui s PhD thesis, 2004]. features: large and generic library in the spirit of E. Bishop s constructive analysis computational real numbers proof by computation is possible 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the C-CoRN library C-CoRN = Constructive Coq Repository at Nijmegen originated in the FTA project for formalizing the Fundamental Theorem of Algebra constructively intuitionistic axiomatization via an algebraic hierarchy built upon constructive setoids + construction of a real number structure via Cauchy sequences, cf. [Milad Niqui s PhD thesis, 2004]. features: large and generic library in the spirit of E. Bishop s constructive analysis computational real numbers proof by computation is possible by construction, all functions overs the constructive reals are continuous hinders the applicability to proofs in standard/numerical analysis 11 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 11/18 18

Overview of the SSReflect/MathComp libraries SSReflect was born during the formal verification of the Four Color Theorem by Georges Gonthier collaborating with Benjamin Werner 12 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 12/18 18

Overview of the SSReflect/MathComp libraries SSReflect was born during the formal verification of the Four Color Theorem by Georges Gonthier collaborating with Benjamin Werner SSReflect: extension of the Coq proof language that promotes the Small Scale Reflection: use reflection ( proof by computation) whenever possible, even for low-level reasoning 12 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 12/18 18

Overview of the SSReflect/MathComp libraries SSReflect was born during the formal verification of the Four Color Theorem by Georges Gonthier collaborating with Benjamin Werner SSReflect: extension of the Coq proof language that promotes the Small Scale Reflection: use reflection ( proof by computation) whenever possible, even for low-level reasoning the Mathematical Components project, led by G. Gonthier, culminated in the formalization of the Feit Thompson theorem in Sept. 2012 (more than 300 textbook pages and a 6-year formalization effort): Theorem Feit_Thompson (gt: fingrouptype)(g: {group gt}): odd # G solvable G. 12 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 12/18 18

Overview of the SSReflect/MathComp libraries SSReflect was born during the formal verification of the Four Color Theorem by Georges Gonthier collaborating with Benjamin Werner SSReflect: extension of the Coq proof language that promotes the Small Scale Reflection: use reflection ( proof by computation) whenever possible, even for low-level reasoning the Mathematical Components project, led by G. Gonthier, culminated in the formalization of the Feit Thompson theorem in Sept. 2012 (more than 300 textbook pages and a 6-year formalization effort): Theorem Feit_Thompson (gt: fingrouptype)(g: {group gt}): odd # G solvable G. MathComp: comprehensive library of algebra, based on SSReflect 12 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 12/18 18

Overview of the CoqEAL library CoqEAL = the Coq Effective Algebra Library 13 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 13/18 18

Overview of the CoqEAL library CoqEAL = the Coq Effective Algebra Library originated in the ForMath project 13 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 13/18 18

Overview of the CoqEAL library CoqEAL = the Coq Effective Algebra Library originated in the ForMath project aim: facilitate the verification of effective symbolic computation algorithms in Coq 13 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 13/18 18

Overview of the CoqEAL library CoqEAL = the Coq Effective Algebra Library originated in the ForMath project aim: facilitate the verification of effective symbolic computation algorithms in Coq idea: prove a high-level version of the algorithm (e.g. by relying on SSReflect/MathComp) then proceed by refinement 13 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 13/18 18

Overview of the CoqEAL library CoqEAL = the Coq Effective Algebra Library originated in the ForMath project aim: facilitate the verification of effective symbolic computation algorithms in Coq idea: prove a high-level version of the algorithm (e.g. by relying on SSReflect/MathComp) then proceed by refinement CoqEAL has been specifically designed to reduce the bookkeeping that occurs in the refinement proofs 13 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 13/18 18

Overview of the CoqEAL library CoqEAL = the Coq Effective Algebra Library originated in the ForMath project aim: facilitate the verification of effective symbolic computation algorithms in Coq idea: prove a high-level version of the algorithm (e.g. by relying on SSReflect/MathComp) then proceed by refinement CoqEAL has been specifically designed to reduce the bookkeeping that occurs in the refinement proofs [C. Cohen, M. Dénès, A. Mörtberg (2013): Refinements for Free!] 13 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 13/18 18

Overview of the CoqInterval library Issues and methods aim: (automatically) prove in Coq that the distance between f (x) and some approximation P(x) is bounded by some ɛ > 0 for all x I. 14 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 14/18 18

Overview of the CoqInterval library Issues and methods aim: (automatically) prove in Coq that the distance between f (x) and some approximation P(x) is bounded by some ɛ > 0 for all x I. [G. Melquiond (2008): Proving bounds on real-valued functions with computations] 14 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 14/18 18

Overview of the CoqInterval library Issues and methods aim: (automatically) prove in Coq that the distance between f (x) and some approximation P(x) is bounded by some ɛ > 0 for all x I. [G. Melquiond (2008): Proving bounds on real-valued functions with computations] main datatype: intervals with floating-point numbers bounds e.g., we ll consider an interval such as [3.1415, 3.1416] in place of π 14 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 14/18 18

Overview of the CoqInterval library Issues and methods aim: (automatically) prove in Coq that the distance between f (x) and some approximation P(x) is bounded by some ɛ > 0 for all x I. [G. Melquiond (2008): Proving bounds on real-valued functions with computations] main datatype: intervals with floating-point numbers bounds e.g., we ll consider an interval such as [3.1415, 3.1416] in place of π dependency problem: when a variable occur several times, it typically leads to an overestimation of the range e.g., for f (x) = x (1 x) and x = [0, 1], we get eval IA (f, x) = [0, 1], while the exact range is f (x) = [0, 1 4 ] 14 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 14/18 18

Overview of the CoqInterval library Issues and methods aim: (automatically) prove in Coq that the distance between f (x) and some approximation P(x) is bounded by some ɛ > 0 for all x I. [G. Melquiond (2008): Proving bounds on real-valued functions with computations] main datatype: intervals with floating-point numbers bounds e.g., we ll consider an interval such as [3.1415, 3.1416] in place of π dependency problem: when a variable occur several times, it typically leads to an overestimation of the range e.g., for f (x) = x (1 x) and x = [0, 1], we get eval IA (f, x) = [0, 1], while the exact range is f (x) = [0, 1 4 ] solutions: bisection, automatic differentiation... 14 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 14/18 18

Overview of the CoqInterval library Issues and methods aim: (automatically) prove in Coq that the distance between f (x) and some approximation P(x) is bounded by some ɛ > 0 for all x I. [G. Melquiond (2008): Proving bounds on real-valued functions with computations] main datatype: intervals with floating-point numbers bounds e.g., we ll consider an interval such as [3.1415, 3.1416] in place of π dependency problem: when a variable occur several times, it typically leads to an overestimation of the range e.g., for f (x) = x (1 x) and x = [0, 1], we get eval IA (f, x) = [0, 1], while the exact range is f (x) = [0, 1 4 ] solutions: bisection, automatic differentiation... or Taylor Models: [N. Brisebarre, M. Joldeş, EMD, M. Mayero, J-M. Muller, I. Paşca, L. Rideau, and L. Théry (2012): Rigorous Polynomial Approximation Using Taylor Models in Coq] 14 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 14/18 18

Overview of the CoqInterval library Proof example #1 Example taken from [John Harrison (1997): Verifying the Accuracy of Polynomial Approximations in HOL] Require Import Reals Interval_tactic. Local Open Scope R_scope. Theorem Harrison97 : x : R, 10831 (e x 1) 1000000 x 10831 1000000 = ( x + 8388676 2 24 x 2 + 11184876 2 26 x 3) 23 27 1 2 33. 15 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 15/18 18

Overview of the CoqInterval library Proof example #1 Example taken from [John Harrison (1997): Verifying the Accuracy of Polynomial Approximations in HOL] Require Import Reals Interval_tactic. Local Open Scope R_scope. Theorem Harrison97 : x : R, 10831 (e x 1) 1000000 x 10831 1000000 = ( x + 8388676 2 24 x 2 + 11184876 2 26 x 3) 23 27 1 2 33. Proof. intros x H. interval with (i_bisect_taylor x 3, i_prec 50). (* in 0.5s *) Qed. 15 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 15/18 18

Overview of the CoqInterval library Proof example #2 (xkcd.com/217) 16 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 16/18 18

Overview of the CoqInterval library Proof example #2 (xkcd.com/217) Lemma xkcd217 : 19 999 099 979/10 9 < e π π < 19 999 099 980/10 9. Proof. split; interval with (i_prec 40). (* in 0.15s *) Qed. 16 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 16/18 18

Related works on formalized game theory [René Vestergaard (2005): A constructive approach to sequential Nash equilibria] proof, formalized in Coq, that all non-cooperative, sequential games have a Nash equilibrium [Stéphane Le Roux PhD thesis, 2008] generalizes and formalizes in Coq the notions of strategic game and Nash equilibrium (notably, not requiring payoffs to be real numbers) [Evgeny Dantsin, Jan-Georg Smaus, Sergei Soloviev (2012): Algorithms in Games Evolving in Time: Winning Strategies Based on Testing] formalizes in Isabelle/HOL sufficient conditions for the computability of a winning strategy function (for two-player games evolving in time) 17 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 17/18 18

Perspectives Motivation: results of game theory have a key role in decision making and numerous applications providing a formal certificate would facilitate the audit of such decisions by independent experts. 18 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 18/18 18

Perspectives Motivation: results of game theory have a key role in decision making and numerous applications providing a formal certificate would facilitate the audit of such decisions by independent experts. Aim: identify key problems in game theory that are amenable to formal proof. 18 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 18/18 18

Perspectives Motivation: results of game theory have a key role in decision making and numerous applications providing a formal certificate would facilitate the audit of such decisions by independent experts. Aim: identify key problems in game theory that are amenable to formal proof. Long-term goal: obtain some game-theoretic and formally-certified components that may be extended, combined, and reused. 18 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 18/18 18

Perspectives Motivation: results of game theory have a key role in decision making and numerous applications providing a formal certificate would facilitate the audit of such decisions by independent experts. Aim: identify key problems in game theory that are amenable to formal proof. Long-term goal: obtain some game-theoretic and formally-certified components that may be extended, combined, and reused. Thank you for your attention! 18 / Erik Martin-Dorel (IRIT) Formal proofs and certified computation in Coq 18/18 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback