The Power of Parameterization in Coinductive Proof

Chung-Kil Hur, Georg Neis, Derek Dreyer, Viktor Vafeiadis
Max Planck Institute for Software Systems (MPI-SWS), Kaiserslautern and Saarbrücken, Germany
Contributions

- Parameterized coinduction
  - Very simple construction
  - Complete reasoning principle for coinduction
  - Achieves incrementality and compositionality
- Paco: Coq library for parameterized coinduction
  - No syntactic guardedness checks
  - Replacement for Coq's built-in coinduction

C.-K. Hur, G. Neis, D. Dreyer, V. Vafeiadis: The Power of Parameterization in Coinductive Proof
Induction

Fundamental reasoning principle, e.g. over $\mathbb{N}$:

$$\frac{P(0) \qquad \forall n.\ P(n) \Rightarrow P(n+1)}{\forall n.\ P(n)}$$

Tarski's fixed-point theorem:
- Complete lattice $(C, \sqsubseteq, \sqcup)$
- Monotone function $f : C \xrightarrow{\text{mon}} C$
- Prove properties of the least fixed point $\mu f$:

$$f(x) \sqsubseteq x \;\Rightarrow\; \mu f \sqsubseteq x$$
Example of Tarski induction

$\mathbb{N} \stackrel{\text{def}}{=} \mu f$, where $f \stackrel{\text{def}}{=} \lambda A.\ \{0\} \cup \{\, n+1 \mid n \in A \,\}$.

$$\begin{array}{rll}
& \forall n \in \mathbb{N}.\ P(n) \\
\iff & \mu f \subseteq P \\
\Leftarrow & f(P) \subseteq P & \text{Tarski's thm.} \\
\iff & 0 \in P \;\wedge\; \{\, n+1 \mid n \in P \,\} \subseteq P \\
\iff & P(0) \;\wedge\; (\forall n.\ P(n) \Rightarrow P(n+1))
\end{array}$$
Coinduction

- Dual to induction
- Constructs infinite data structures
- Greatest fixed points, $\nu f$
- Important applications in computer science:
  - Program refinement (simulation)
  - Program equivalence (bisimulation)
  - Properties of non-terminating executions

Tarski's fixed-point theorem:

$$x \sqsubseteq f(x) \;\Rightarrow\; x \sqsubseteq \nu f$$
A trivial example: infinite paths

Prove that there is an infinite path from $a$.

[Figure: directed graph with nodes a, b, c, d, e, f]

Formally, show $a \in \nu\,\mathit{step}$, where:

$$\mathit{step}(X) \stackrel{\text{def}}{=} \{\, x \in \mathit{Node} \mid \exists y \in X.\ x \to y \,\}$$

How would you prove this?
A trivial example: infinite paths

Prove it with Tarski's theorem?

[Figure: the same directed graph with nodes a, b, c, d, e, f]

Must determine a suitable postfixed point up front:

$$x \sqsubseteq \nu f \;\iff\; \exists r.\ x \sqsubseteq r \;\wedge\; r \sqsubseteq f(r)$$

Pick $r := \{a, b, d\}$ up front.
Parameterized coinduction

Parameterize the greatest fixed point with accumulated knowledge:

$$G_f(x) \stackrel{\text{def}}{=} \nu y.\ f(x \sqcup y)$$

Properties:
- $\nu f \equiv G_f(\bot)$ (Initialize)
- $G_f(x) \equiv f(x \sqcup G_f(x))$ (Unfold)
- $x \sqsubseteq y \Rightarrow G_f(x) \sqsubseteq G_f(y)$ (Monotonicity)
- $y \sqsubseteq G_f(x) \iff y \sqsubseteq G_f(x \sqcup y)$ (Accumulate)
Proof of the accumulation theorem

Goal: $y \sqsubseteq G_f(x) \iff y \sqsubseteq G_f(x \sqcup y)$

($\Rightarrow$): Trivial by monotonicity.

($\Leftarrow$): Assume $y \sqsubseteq G_f(x \sqcup y)$ (*). Then,

$$\begin{array}{rll}
G_f(x \sqcup y) & \equiv f(x \sqcup y \sqcup G_f(x \sqcup y)) & \text{fixed point eq.} \\
& \sqsubseteq f(x \sqcup G_f(x \sqcup y)) & f \text{ mon. \& (*)} \\
& \equiv (\lambda z.\ f(x \sqcup z))\,(G_f(x \sqcup y))
\end{array}$$

From Tarski, $G_f(x \sqcup y) \sqsubseteq \nu z.\ f(x \sqcup z) \equiv G_f(x)$.
So, from (*) and $\sqsubseteq$-transitivity, $y \sqsubseteq G_f(x)$.
The trivial example, again

$$\begin{array}{rll}
& a \in \mathit{inf} = \nu\,\mathit{step} \\
\iff & a \in G_{\mathit{step}}(\emptyset) & \text{initialize} \\
\iff & \exists y \in G_{\mathit{step}}(\emptyset).\ a \to y & \text{unfold} \\
\Leftarrow & b \in G_{\mathit{step}}(\emptyset) & \text{pick } y := b \\
\iff & b \in G_{\mathit{step}}(\{b\}) & \text{accumulate} \\
\iff & \exists y \in \{b\} \cup G_{\mathit{step}}(\{b\}).\ b \to y & \text{unfold} \\
\Leftarrow & d \in \{b\} \cup G_{\mathit{step}}(\{b\}) & \text{pick } y := d \\
\iff & d \in G_{\mathit{step}}(\{b\}) & \text{since } d \neq b \\
\iff & \exists y \in \{b\} \cup G_{\mathit{step}}(\{b\}).\ d \to y & \text{unfold} \\
\Leftarrow & b \in \{b\} \cup G_{\mathit{step}}(\{b\}) & \text{pick } y := b
\end{array}$$
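The graph example above, worked out concretely: an added illustration, not code from the paper or from Paco. On the finite powerset lattice, $G_{\mathit{step}}(x)$ can simply be computed, so the four laws of $G$ and the incremental proof search of the last two slides can be checked directly. The edge set beyond $a \to b$, $b \to d$, $d \to b$ is an assumption.

```python
# Added example (not from the paper or the Paco library): the slides' graph
# instance of parameterized coinduction, computed on the finite lattice
# (P(Node), ⊆, ∪), where ν f is reached by iterating f down from Node.
# Edges other than a→b, b→d, d→b are constructed so c, e, f have no infinite path.
from typing import Callable, FrozenSet, List, Optional

Node = FrozenSet[str]
NODES: Node = frozenset("abcdef")
EDGES = {("a", "b"), ("b", "d"), ("d", "b"),            # from the slides
         ("a", "c"), ("c", "e"), ("e", "f")}            # constructed

def step(X: Node) -> Node:
    """step(X) = {x ∈ Node | ∃y ∈ X. x → y}: nodes with a successor in X."""
    return frozenset(x for x in NODES if any((x, y) in EDGES for y in X))

def gfp(f: Callable[[Node], Node]) -> Node:
    """ν f: iterate from the top of the finite lattice until f is stable."""
    cur = NODES
    while f(cur) != cur:
        cur = f(cur)
    return cur

def G(f: Callable[[Node], Node], x: Node) -> Node:
    """G_f(x) = ν y. f(x ∪ y): the gfp parameterized by accumulated knowledge x."""
    return gfp(lambda y: f(x | y))

def check_laws(x: Node = frozenset("b"), y: Node = frozenset("d")) -> bool:
    """Initialize, Unfold, Monotonicity and Accumulate, instantiated for step."""
    init = gfp(step) == G(step, frozenset())
    unfold = G(step, x) == step(x | G(step, x))
    mono = G(step, x) <= G(step, x | y)
    accum = (y <= G(step, x)) == (y <= G(step, x | y))
    return init and unfold and mono and accum

def find_proof(node: str, x: Node = frozenset()) -> Optional[List[str]]:
    """Incremental search for node ∈ x ∪ G_step(x), as on the slides: a node
    already in x is discharged by accumulated knowledge; otherwise accumulate
    it, unfold once, and try each successor (backtracking over dead ends)."""
    if node in x:
        return [node]
    x = x | {node}
    for src, y in sorted(EDGES):
        if src == node and (rest := find_proof(y, x)) is not None:
            return [node] + rest
    return None
```

Unlike the Tarski-style proof, `find_proof` never needs the postfixed point $\{a, b, d\}$ up front; the returned node sequence is the list of goals it discharged.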
Compositionality

$G$ supports a rely-guarantee proof rule:

$$\frac{g_1 \sqsubseteq G_f(r_1) \qquad r_1 \sqsubseteq r \sqcup g_2 \qquad g_2 \sqsubseteq G_f(r_2) \qquad r_2 \sqsubseteq r \sqcup g_1}{g_1 \sqcup g_2 \sqsubseteq G_f(r)}$$

Interderivable with the accumulation theorem.
Coinduction in Coq

For every coinductive data type $A$, Coq provides

$$\mathit{cofix}_A : (A \to A) \to A$$

but checks that the argument to $\mathit{cofix}$ is guarded syntactically. (Otherwise, the rule is obviously unsound.)

Allows incremental proofs, but guardedness checks
- are restrictive
- are non-compositional
- are not user-friendly
- are very slow in large proofs
Paco: A Coq library for parameterized coinduction

- Implements parameterized greatest fixed points
- Provides the pcofix tactic
  - Replacement for Coq's cofix
  - Ensures proofs are semantically guarded
  - No syntactic guardedness checks!
- Freely available: http://plv.mpi-sws.org/paco/
What else is in the paper...

- More examples, simulations
- Integration with "up to" techniques
- Implementing parameterized coinduction in Coq
- Paco internals