Coq Summer School, Session 9 : Dependent programs with logical parts. Pierre Letouzey

Similar documents
c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Inductive Definitions, continued

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring

Types Summer School Gothenburg Sweden August Dogma oftype Theory. Everything has a type

Introduction to dependent types in Coq

Coq Summer School, Session 2 : Basic programming with numbers and lists. Pierre Letouzey

Certified Programming with Dependent Types

Inductive data types

Coq projects for type theory 2018

Coq Summer School. Yves Bertot

Induction in Coq. Nate Foster Spring 2018

CIS 500 Software Foundations. Midterm I. (Standard and advanced versions together) October 1, 2013 Answer key

Automated Reasoning. Natural Deduction in First-Order Logic

Mathematics for Computer Scientists 2 (G52MC2)

A Coq tutorial for confirmed Proof system users

Infinite Objects and Proofs 1

Provably Correct Software

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

CIS 194: Homework 8. Due Wednesday, 8 April. Propositional Logic. Implication

Inductive prod (A B : Set) : Set := pair : A -> B -> prod A B. Inductive sum (A B : Set) : Set := inl : A -> sum A B inr : B -> sum A B.

Introduction to Coq Proof Assistant

Expr_annotated.v. Expr_annotated.v. Printed by Zach Tatlock

Programming with dependent types: passing fad or useful tool?

CIS 500: Software Foundations

Introduction to the Coq proof assistant First part

Coq in a Hurry. Yves Bertot

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

CIS 500: Software Foundations

Dependent Types and Irrelevance

CIS 500: Software Foundations

Coq in a Hurry. Yves Bertot. To cite this version: HAL Id: inria v6

Programming Languages Fall 2014

SOFTWARE VERIFICATION AND COMPUTER PROOF (lesson 1) Enrico Tassi Inria Sophia-Antipolis

CIS 500 Software Foundations. Final Exam. May 3, Answer key

The Coq Proof Assistant A Tutorial

Ideas over terms generalization in Coq

Extraction in Coq: an Overview

Preuves Interactives et Applications

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

CPSC 320 Sample Solution, Playing with Graphs!

L04_in_class.v. L04_in_class.v. Printed by Zach Tatlock

10 Years of Partiality and General Recursion in Type Theory

CIS 500 Software Foundations Midterm I

Heq: a Coq library for Heterogeneous Equality

Lesson 4 Typed Arithmetic Typed Lambda Calculus

A Certified Implementation of a Distributed Security Logic

Programming with (co-)inductive types in Coq

CS 456 (Fall 2018) Scribe Notes: 2

LASER 2011 Summerschool Elba Island, Italy Basics of COQ

Calculus of Inductive Constructions

Adam Chlipala University of California, Berkeley ICFP 2006

Coq in a Hurry. Yves Bertot. HAL Id: inria v5

The Coq Proof Assistant A Tutorial

MLW. Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky. March 26, Radboud University Nijmegen

Universes. Universes for Data. Peter Morris. University of Nottingham. November 12, 2009

Introduction to Co-Induction in Coq

First-Class Type Classes

Martin-L f's Type Theory. B. Nordstr m, K. Petersson and J. M. Smith. Contents. 5.4 The set of functions (Cartesian product of a family of sets) 24

Inductive data types (I)

CIS 500 Software Foundations Fall September 25

An Ssreflect Tutorial

CS3110 Spring 2017 Lecture 9 Inductive proofs of specifications

02157 Functional Programming. Michael R. Ha. Lecture 2: Functions, Types and Lists. Michael R. Hansen

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

4 Programming with Types

Pattern Matching and Abstract Data Types

Why. an intermediate language for deductive program verification

Type-directed Syntax Transformations for ATS-style Programs with Proofs

Advanced Features: Type Classes and Relations

Recap from last time. Programming Languages. CSE 130 : Fall Lecture 3: Data Types. Put it together: a filter function

The Coq Proof Assistant A Tutorial

Type Systems Winter Semester 2006

A CRASH COURSE IN SEMANTICS

MoreIntro.v. MoreIntro.v. Printed by Zach Tatlock. Oct 07, 16 18:11 Page 1/10. Oct 07, 16 18:11 Page 2/10. Monday October 10, 2016 lec02/moreintro.

Handout 9: Imperative Programs and State

A Formalization of Convex Polyhedra based on the Simplex Method

User-defined Functions. Conditional Expressions in Scheme

3.7 Denotational Semantics

On Agda JAIST/AIST WS CVS/AIST Yoshiki Kinoshita, Yoriyuki Yamagata. Agenda

A Tutorial on [Co-]Inductive Types in Coq

The Lambda Calculus. 27 September. Fall Software Foundations CIS 500. The lambda-calculus. Announcements

From natural numbers to the lambda calculus

An Algebra of Dependent Data Types

CS/ENGRD 2110 Object-Oriented Programming and Data Structures Spring 2012 Thorsten Joachims. Lecture 10: Asymptotic Complexity and

The type checker will complain that the two branches have different types, one is string and the other is int

CSE 130 [Winter 2014] Programming Languages

Numerical Computations and Formal Methods

MoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10

CIS4/681 { Articial Intelligence 2 > (insert-sort '( )) ( ) 2 More Complicated Recursion So far everything we have dened requires

Lecture Notes on Binary Decision Diagrams

Program Verification Through Characteristic Formulae

INF121: Functional Algorithmic and Programming

Programming Languages

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 11 p. 1/38

CSCI-GA Scripting Languages

Printed by Zachary Tatlock Nov 04, 16 8:59 Page 1/9. (** Call By Value << v ::= \ x. e e1 > e1 e1 e2 > e1 e2 e2 > e2 v e2 > v e2

Structures in Coq January 27th 2014

Lecture Notes on Contracts

Transcription:

Coq Summer School, Session 9 : Dependent programs with logical parts Pierre Letouzey

Notions just seen in last session... Programs with constraints on some arguments (preconditions): pred_safe : forall x, x<>0 -> nat

Notions just seen in last session... Programs with constraints on some arguments (preconditions): pred_safe : forall x, x<>0 -> nat A few types with restrictions: Inductive bnat (n : nat) : Type := cb : forall m, m < n -> bnat n. Inductive array (n : nat) : Type := ca : forall l : list Z, length l = n -> array n.

Notions just seen in last session... Programs with constraints on some arguments (preconditions): pred_safe : forall x, x<>0 -> nat A few types with restrictions: Inductive bnat (n : nat) : Type := cb : forall m, m < n -> bnat n. Inductive array (n : nat) : Type := ca : forall l : list Z, length l = n -> array n. We'll see now more constructions for programs with rich specications (i.e. types)

A generic notion of type with restriction bnat and array are quite similar: numbers, or lists, such that some property hold.

A generic notion of type with restriction bnat and array are quite similar: numbers, or lists, such that some property hold. Coq's generic way to build types with restriction: { x : A P x }

A generic notion of type with restriction bnat and array are quite similar: numbers, or lists, such that some property hold. Coq's generic way to build types with restriction: For instance: { x : A P x } Definition bnat n := { m m < n }. Definition array n := { l : list Z length l = n }.

A generic notion of type with restriction Behind the nice { } notation, the sig type: Inductive sig (A : Type) (P : A -> Prop) : Type := exist : forall x : A, P x -> sig P

A generic notion of type with restriction Behind the nice { } notation, the sig type: Inductive sig (A : Type) (P : A -> Prop) : Type := exist : forall x : A, P x -> sig P To access the element, or the proof of the property: proj1_sig, proj2_sig or directly let (x,p) :=... in... or in proof mode via the tactics case, destruct,...

A generic notion of type with restriction Behind the nice { } notation, the sig type: Inductive sig (A : Type) (P : A -> Prop) : Type := exist : forall x : A, P x -> sig P To access the element, or the proof of the property: proj1_sig, proj2_sig or directly let (x,p) :=... in... or in proof mode via the tactics case, destruct,... To build a sig interactively: the exists tactic.

A example: bounded successor As a function: Definition bsucc n : bnat n -> bnat (S n) := fun m => let (x,p):= m in exist _ (S x) (lt_n_s p).

A example: bounded successor As a function: Definition bsucc n : bnat n -> bnat (S n) := fun m => let (x,p):= m in exist _ (S x) (lt_n_s p). Via tactics: Definition bsucc n : bnat n -> bnat (S n). Proof. intros n m. destruct m as [x p]. exists (S x). auto with arith. Defined.

A example: bounded successor As a function: Definition bsucc n : bnat n -> bnat (S n) := fun m => let (x,p):= m in exist _ (S x) (lt_n_s p). Via tactics: Definition bsucc n : bnat n -> bnat (S n). Proof. intros n m. destruct m as [x p]. exists (S x). auto with arith. Defined. Via the Program framework : Program Definition bsucc n : bnat n -> bnat (S n) := fun m => S m. Next Obligation. destruct m. simpl. auto with arith.

General shape of a rich specication With sig, we can hence express also post-conditions: forall x, P x -> { y Q x y } Adapt to your needs: multiple arguments or outputs (y can be a tuple) or pre or post (Q can be a conjonction). Apart with Program, sig is rarely used for pre-conditions.

The special case of boolean output We could handle boolean outputs via sig: Definition rich_beq_nat : forall n m : nat, { b : bool b = true <-> n=m }.

The special case of boolean output We could handle boolean outputs via sig: Definition rich_beq_nat : forall n m : nat, { b : bool b = true <-> n=m }. More convenient: sumbool, a type with two alternatives and annotations for characterizing them. Definition eq_nat_dec : forall n m : nat, { n=m }+{ n<>m }.

The special case of boolean output Behind the { }+{ } notation, the sumbool type: Inductive sumbool (A B : Prop) : Type := left : A -> {A}+{B} right : B -> {A}+{B}

The special case of boolean output Behind the { }+{ } notation, the sumbool type: Inductive sumbool (A B : Prop) : Type := left : A -> {A}+{B} right : B -> {A}+{B} To analyse a sumbool construction: directly via if... then... else... or bool_of_sumbool or in proof mode via the tactics case, destruct,...

The special case of boolean output Behind the { }+{ } notation, the sumbool type: Inductive sumbool (A B : Prop) : Type := left : A -> {A}+{B} right : B -> {A}+{B} To analyse a sumbool construction: directly via if... then... else... or bool_of_sumbool or in proof mode via the tactics case, destruct,... To build a sumbool interactively: the left and right tactics.

Decidability result Many Coq functions are currently formulated this way: eq_nat_dec, Z_eq_dec, le_lt_dec,... (see SearchAbout sumbool).

Decidability result Many Coq functions are currently formulated this way: eq_nat_dec, Z_eq_dec, le_lt_dec,... (see SearchAbout sumbool). For instance: Definition le_lt_dec n m : { n <= m }+{ m < n }. Proof. induction n. left. auto with arith. destruct m. right. auto with arith. destruct (IHn m); [left right]; auto with arith. Defined.

Decidability result Many Coq functions are currently formulated this way: eq_nat_dec, Z_eq_dec, le_lt_dec,... (see SearchAbout sumbool). For instance: Definition le_lt_dec n m : { n <= m }+{ m < n }. Proof. induction n. left. auto with arith. destruct m. right. auto with arith. destruct (IHn m); [left right]; auto with arith. Defined. For equality, see tactic decide equality.

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets)

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets) To have all-in-one objects (handy for destruct).

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets) To have all-in-one objects (handy for destruct). To have the right justications when doing general recursion (see next session).

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets) To have all-in-one objects (handy for destruct). To have the right justications when doing general recursion (see next session). Additional remarks: Computations in Coq may then be tricky and/or slower and/or memory hungry.

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets) To have all-in-one objects (handy for destruct). To have the right justications when doing general recursion (see next session). Additional remarks: Computations in Coq may then be tricky and/or slower and/or memory hungry. Pure & ecient Ocaml/Haskell code can be obtained by extraction.

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets) To have all-in-one objects (handy for destruct). To have the right justications when doing general recursion (see next session). Additional remarks: Computations in Coq may then be tricky and/or slower and/or memory hungry. Pure & ecient Ocaml/Haskell code can be obtained by extraction. Denitions by tactics are dreadful, Program helps but is still quite experimental.

Why program with logical annotations? To handle partial functions, instead of dummy values at undened spots or option types To satisfy precisely an interface (see exercise on sets) To have all-in-one objects (handy for destruct). To have the right justications when doing general recursion (see next session). Additional remarks: Computations in Coq may then be tricky and/or slower and/or memory hungry. Pure & ecient Ocaml/Haskell code can be obtained by extraction. Denitions by tactics are dreadful, Program helps but is still quite experimental. Instead of destructing rich objects, other technics can also be convenient (i, reect).

Why specic constructs like sig and sumbool? { x P x } is a clone of exists x, P x. Both regroup a witness and a justication..

Why specic constructs like sig and sumbool? { x P x } is a clone of exists x, P x. Both regroup a witness and a justication. Similarly, { A }+{ B } is a clone of A \/ B..

Why specic constructs like sig and sumbool? { x P x } is a clone of exists x, P x. Both regroup a witness and a justication. Similarly, { A }+{ B } is a clone of A \/ B. In fact, sig/sumbool live in a dierent world than ex/or.

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts):

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world a proof : a statement : Prop

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world a proof : a statement : Prop or_introl _ I : True\/False : Prop

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world a proof : a statement : Prop or_introl _ I : True\/False : Prop The informative world (everything else).

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world a proof : a statement : Prop or_introl _ I : True\/False : Prop The informative world (everything else). a program : a type : Type

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world a proof : a statement : Prop or_introl _ I : True\/False : Prop The informative world (everything else). a program : a type : Type O : nat : Type

The two worlds of Coq In Coq, two separate worlds (technically, we speak of sorts): The logical world a proof : a statement : Prop or_introl _ I : True\/False : Prop The informative world (everything else). a program : a type : Type O : nat : Type pred : nat->nat : Type

The two worlds of Coq Usually we program in Type and make proofs in Prop. But that's just a convention. We can build functions by tactics, or reciprocally program a proof: Definition or_sym A B : A\/B -> B\/A := fun h => match h with or_introl a => or_intror _ a or_intror b => or_introl _ b end. The similarity between proofs and programs, between statements and types is called the Curry-Howard isomorphism.

The two worlds of Coq In Coq, a rigid separation between Prop and Type: Logical parts should not interfere with computations in Type. Definition nat_of_or A B : A\/B -> nat := fun h => match h with or_introl _ => 0 or_intror _ => 1 end. Error:... proofs can be eliminated only to build proofs. Idea: proofs are there only as guarantee, we're interested only in their existence, we consider them as having no computational content.

Extraction Coq's strict separation between Prop and Type is the fondation of the extraction mechanism: roughly, logical parts are removed, pruned programs still compute the same outputs. Coq < Recursive Extraction le_lt_dec. type nat = O S of nat type sumbool = Left Right (** val le_lt_dec : nat -> nat -> sumbool **) let rec le_lt_dec n m = match n with O -> Left S n0 -> (match m with O -> Right S m0 -> le_lt_dec n0 m0)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback