higher-order type theory and Coq Vladimir Komendantsky University - PowerPoint PPT Presentation

Verification of functional programs in higher-order type theory and Coq Vladimir Komendantsky University of St Andrews, UK 18 November 2011 @ Roy’s Festschrift

Outline Notational conventions 1 Program verification in the interactive theorem prover 2 Programming decision algorithms 3 Programming proofs 4 V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 2 / 22

Inductive type definitions Σ : ∀ ( A :Type) . ( A → Type) → Type x : A p : P x exist x p : Σ A P V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 3 / 22

“Hello world” example main() { printf(”hello, world \ n”); } V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 4 / 22

“Hello world” example main() { printf(”hello, world \ n”); } Inductive True : Prop := I : True. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 4 / 22

“Hello world” example main() { printf(”hello, world \ n”); } Inductive True : Prop := I : True. Lemma HelloWorld : True. Proof. apply I. Qed. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 4 / 22

Simply-typed functional programming versus program extraction A simply-typed program has type A , and the type of A is Set (a non-recursive subsort of Type). Extraction takes, for example, exist x p of type Σ A P and “extracts” x by forgetting the enclosing structure. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 5 / 22

Generic subtype structure subType P is the structure for types isomorphic to Σ T P with P : pred T. val is a generic injection from a subType P of T into T. For example, if u : subType P, then val u : T. val is injective because P is proof-irrelevant. valP is the generic proof of P (val u) for u : subType P. Sub x Px is the generic constructor for subType P insub x is the generic partial projection of T into a subType S of T. If S : subType P then insub x = Some u with val u = x if P x, and None otherwise. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 6 / 22

Separation of computational and higher-order logical content Structure subType (T : Type) (P : pred T) : Type := SubType { sub sort : > Type; val : sub sort → T; Sub : ∀ x, P x → sub sort; : ∀ K ( : ∀ x Px, K (@Sub x Px)) u, K u; : ∀ x Px, val (@Sub x Px) = x } . Lemma val insub adj (T : Type) (P : pred T) (S : subType P) (x : T) (u : sub sort S) (Px : P x) : (val u = x ↔ Some u = insub x). split; first by move ← ; rewrite valK. by rewrite (insubT Px) ⇒ uSubx; rewrite (Some inj uSubx); apply: SubK. Qed. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 7 / 22

Natural numbers and bounded natural numbers N : Type n : N 0 : N S n : N Equality == of two natural numbers is decidable. m < n = S m − n == 0 I : N → Type p : m < n Ordinal n m p : I n V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 8 / 22

Regular expressions re : N → Type i : I n Void n : re n Eps n : re n Atom n i : re n E : re n F : re n E : re n F : re n Alt n E F : re n Conc n E F : re n E : re n Star n E : re n V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 9 / 22

The “output” of a regular expression is decidable o : ∀ n . re n → bool o Void = false o Eps = true o (Atom i ) = false o (Alt E F ) = o E || o F o (Conc E F ) = o E & & o F o (Star E ) = true V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 10 / 22

Quotient regular expressions a a E E 0 E 1 a b V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 11 / 22

Quotient regular expressions a a E E 0 E 1 a b E a a E 0 b a E 1 V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 11 / 22

A motivating exercise Let us define a monomial to be a regular expression whose main operation is not +, and a polynomial to be a finite, possibly empty sum of monomials. We say that a monomial E is in head normal form (h.n.f.) if it is either 0 or 1 or a j × F for some symbol a j and a regular expression F . Exercise Consider a concrete alphabet A = { a , b } and a regular expression E = ( a × ( a × b ) ∗ × a ) ∗ over this alphabet. Represent E by a finite set of polynomials whose monomials are in h.n.f. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 12 / 22

Rewrite rules The polynomial E can be reduced to a polynomial with all monomials in head normal form by recursive application of the following rewrite rule schemes to every monomial: ( F 1 × · · · × F l × F l +1 ) × G �→ ( F 1 × · · · × F l ) × ( F l +1 × G ) ( F 1 + · · · + F l ) × G �→ F 1 × G + · · · + F l × G (1) F ∗ × G F × ( F ∗ × G ) + G �→ F × F ∗ + 1 F ∗ �→ Then, the set of monomials can be rearranged using the ACI equivalences : F + ( G + H ) = L ( F + G ) + H F + G = L G + F (2) F + F = L F and the additive zero property: F = L F + 0 (3) V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 13 / 22

Solution to the exercise Using the four rewrite rule schemes, the ACI-equivalences and the property of zero, we obtain the following system of equations: a × ( a × b ) ∗ × a × E + 1 E = L = L a × E 1 + o ( E ) , ( a × b ) ∗ × a × E E 1 = = L ( a × b ) × E 1 + a × E = L a × E 2 + a × E + o ( E 1 ) , E 2 = b × E 1 = L b × E 1 + o ( E 2 ) Thus the regular expression E is described in terms of its output and the regular expression E 1 which denotes a residual language that results from taking those words in the language of E that start from the symbol a and removing that occurrence of a . V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 14 / 22

The termination property demonstrated in the solution We demonstrated that any E can be reduced to a polynomial E 1 = a i 1 × E 1 1 + · · · + a i p 1 × E 1 p 1 + o ( E ) Then, we apply the same recursive algorithm to reduce E 1 1 , . . . , E 1 p 1 , and so on, until the obtained polynomial is of the form E q = a j 1 × E q 1 + · · · + a j pq × E q p q + o ( E q ) where E q 1 , . . . , E q p q are already defined, that is, these regular expressions appear in the set p 1 , . . . , E q − 1 E 1 1 , . . . , E 1 , . . . , E q − 1 1 p q − 1 Termination of this recursive process is the goal of Mirkin Theorem. V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 15 / 22

Basic finite types seq : Type → Type a : A s : seq A nil A : seq A cons A a s : seq A map : ∀ T 1 T 2 . ( T 1 → T 2 ) → seq T 1 → seq T 2 map f [] = [] map f ( x :: s ) = f x :: map f s head : ∀ T . T → seq T → T head x [] = x head x ( y :: ) = y behead : ∀ T . seq T → seq T behead [] = [] behead ( :: s ) = s V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 16 / 22

Advanced finite types Advanced finite types feature in Ssreflect libraries. There is a generic type of finite structures finType : Type supporting, among others, the following operations, for some T : finType: 1 The expression enum T yields a duplicate-free, canonical list of all elements of T . 2 # | T | denotes the cardinality of T . 3 enum val i is the i -th element of enum T where i : I # | T | . 4 enum rank t is the index i : I # | T | such that enum val i = t . V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 17 / 22

Type-rich definition of regular expressions re : finType → Type a : X Void X : re X Eps X : re X Atom X a : re X E : re X F : re X E : re X F : re X Alt X E F : re X Conc X E F : re X E : re X Star X E : re X V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 18 / 22

Regular languages language : finType → Type language X = pred (word X ) void : ∀ X . language X void = pred of simpl pred0 eps : ∀ X . language X eps = pred of simpl (pred1 []) atom : ∀ X . X → language X atom a = pred of simpl (pred1 [ a ]) alt : ∀ X . language X → language X → language X alt L 1 L 2 = pred of simpl (predU (mem L 1 ) (mem L 2 )) conc : ∀ X . language X → language X → language X conc L 1 L 2 w = # | λ ( i : I (S (size w )) . L 1 (take i w ) && L 2 (drop i w ) | != 0 star : ∀ X . language X → language X star L = letrec star ′ : word X → bool in star ′ ( a :: w ) = conc (residual a L ) star ′ w star ′ [] = true V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 19 / 22

Regular languages, continued lang : ∀ X . re X → language X lang Void = void lang Eps = eps lang (Atom a ) = atom a lang (Alt E F ) = alt (lang E ) (lang F ) lang (Conc E F ) = conc (lang E ) (lang F ) lang (Star E ) = star (lang E ) V. Komendantsky (St Andrews) Program verification in type theory Roy Dyckhoff’s Festschrift 20 / 22