Programming with Dependent Types in Coq

Size: px

Start display at page:

Download "Programming with Dependent Types in Coq"

Godwin Dalton
5 years ago
Views:

1 Programming with Dependent Types in Coq Matthieu Sozeau LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project PPS Seminar February 26th 2009 Paris, France

2 Coq A higher-order, polymorphic logic: A (P Q : A Prop), ( x, P x Q x) x, P x Q x x y : N, x + y = y + x

3 Coq A higher-order, polymorphic logic: A (P Q : A Prop), ( x, P x Q x) x, P x Q x x y : N, x + y = y + x A purely functional programming language with dependent types: (λ A (x : A), x) : A, A A div : (a : nat) (b : nat b 0), { (q, r) : nat nat a = b q + r r < b }

4 Coq A higher-order, polymorphic logic: A (P Q : A Prop), ( x, P x Q x) x, P x Q x x y : N, x + y = y + x A purely functional programming language with dependent types: (λ A (x : A), x) : A, A A div : (a : nat) (b : nat b 0), { (q, r) : nat nat a = b q + r r < b } Problem: writing such programs is difficult.

5 Programming with tactics Lemma eucl dev : n, n > 0 m : nat, { (q, r) : nat nat n > r m = q n + r }. Proof. intros b H a; pattern a; apply gt wf rec; intros n H0. elim (le gt dec b n). intro lebn. case (H0 (n - b)); auto with arith. intros [q r] [g e]. (S q, r); simpl; auto with arith. elim plus assoc. elim e; auto with arith. intros gtbn. (0, n); simpl; auto with arith. Qed.

6 Programming directly λ b (H : b > 0) a, gt wf rec a (λ n, { (q, r) : nat nat b > r n = q b + r}) (λ n (H0 : Π m : nat, n > m { (q, r) : nat nat b > r m = q b + r}), sumbool rec (λ : {b n} + {b > n}, { (q, r) : nat nat b > r n = q b + r}) (λ lebn : b n, let (x, x0) := H0 (n - b) (lt minus n b lebn H) in (let (q, r) as p return ((let (q, r) := p in b > r n - b = q b + r) { (q, r) : nat nat b > r n = q b + r}) := x in λ y : b > r n - b = q b + r, match y with conj g e elt (eq ind (b + (q b + r)) (λ n0, b > r n = n0) (eq ind (n - b) (λ n0, b > r n = b + n0) (conj g (le plus minus b n lebn)) (q b + r) e) (b + q b + r) (plus assoc b (q b) r)) end) x0) (λ gtbn : b > n, elt (conj gtbn refl)) (le gt dec b n))

7 Thesis We can write programs as usual and still give them rich types.

8 The Big Picture

9 The Big Picture

10 The Big Picture

11 The Big Picture

12 The Big Picture

13 The Big Picture

14 The Big Picture

15 The Big Picture

16 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 7 / 50

17 A simple idea Definition The set {x : T P } is the set of objects in T verifying property P. Useful for specifying, widely used in mathematics ; Links object and property. 8 / 50

18 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. t : T P [t/x] t : { x : T P } t : { x : T P } t : T 9 / 50

19 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. + Practical success ; t : T P [t/x] t : { x : T P } t : { x : T P } t : T 9 / 50

20 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. + Practical success ; No strong safety guarantee in PVS. t : T P [t/x] t : { x : T P } t : { x : T P } t : T 9 / 50

21 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. + Practical success ; No strong safety guarantee in PVS. t : T p : P [t/x] elt t p : { x : T P } t : { x : T P } σ 1 t : T 9 / 50

22 ... to Subset Coercions 1 A property-irrelevant language (Russell) with decidable typing Γ t : { x : T P } Γ t : T Γ t : T Γ, x : T P : Prop Γ t : { x : T P } 10 / 50

23 ... to Subset Coercions 1 A property-irrelevant language (Russell) with decidable typing 2 A total interpretation to Coq terms with holes Γ t : { x : T P } Γ σ 1 t : T Γ t : T Γ, x : T P : Prop Γ?P [t/x] : P [t/x] Γ elt t? P [t/x] : { x : T P } 10 / 50

24 ... to Subset Coercions 1 A property-irrelevant language (Russell) with decidable typing 2 A total interpretation to Coq terms with holes 3 A mechanism to turn the holes into proof obligations and manage them. Γ t : { x : T P } Γ σ 1 t : T Γ t : T Γ, x : T P : Prop Γ p : P [t/x] Γ elt t p : { x : T P } 10 / 50

25 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U β T : s Γ t : T 11 / 50

26 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s 11 / 50

27 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set 11 / 50

28 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Example Γ 0 : N Γ N { x : N x 0 } : Set Γ 0 : { x : N x 0 } Γ? : / 50

29 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ U T : s 1 Γ, x : U V W : s 2 Γ Πx : T.V Πx : U.W : s 2 Γ S T : s Γ T U : s Γ S U : s 11 / 50

30 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ U T : s 1 Γ, x : U V W : s 2 Γ Πx : T.V Πx : U.W : s 2 Γ S T : s Γ T U : s Γ S U : s is symmetric! 11 / 50

31 Metatheory Theorem (Subject Reduction) If Γ t : T and t β u then Γ u : T Using the TPOSR technique due to Robin Adams. 12 / 50

32 Metatheory Theorem (Subject Reduction) If Γ t : T and t β u then Γ u : T Using the TPOSR technique due to Robin Adams. Theorem (Decidability of type checking and type inference) Γ t : T is decidable. 12 / 50

33 From Russell to Coq The target system : CIC with metavariables Γ? t : T Γ? p : P [t/x] Γ? elt T,P t p : { x : T P } Γ? t : { x : T P } Γ? σ 1 t : T Γ? t : { x : T P } Γ? σ 2 t : P [σ 1 t/x] Γ? P : Prop Γ?? Γ P : P We build an interpretation Γ from Russell to CIC? terms. 13 / 50

34 From Russell to Coq The target system : CIC with metavariables Γ? t : T Γ? p : P [t/x] Γ? elt T,P t p : { x : T P } Γ? t : { x : T P } Γ? σ 1 t : T Γ? t : { x : T P } Γ? σ 2 t : P [σ 1 t/x] Γ? P : Prop Γ?? Γ P : P We build an interpretation Γ from Russell to CIC? terms. Our goal: proving soundness If Γ t : T then Γ? t Γ : T Γ. 13 / 50

35 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. 14 / 50

36 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U 14 / 50

37 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U 14 / 50

38 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? Γ? T β U : s Γ? : T U : { x : T P } T 14 / 50

39 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T 14 / 50

40 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T Γ? : T { x : T P } 14 / 50

41 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T Γ? elt? P Γ,x:T [ /x] : T { x : T P } 14 / 50

42 Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T Γ? elt? P Γ,x:T [ /x] : T { x : T P } Example Γ? 0 : N Γ? elt? 0 : N { x : N x 0 } Γ? elt 0? 0 0 : { x : N x 0 } 14 / 50

43 Interpretation of terms: Γ Example (Application) Γ f : T Γ T Πx : V.W : s Γ u : U Γ U V : s Γ (f u) : W [u/x] f u Γ = let π = coerce Γ T (Πx : V.W ) in let c = coerce Γ U V in (π[ f Γ ]) (c[ u Γ ]) Theorem (Soundness) If Γ t : T then Γ? t Γ : T Γ. 15 / 50

44 Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq 16 / 50

45 Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq { (η) (λx : X.e x) e if x / FV(e) η-rules (SP) elt E,P (σ 1 e) (σ 2 e) e 16 / 50

46 Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq { (η) (λx : X.e x) e if x / FV(e) η-rules (SP) elt E,P (σ 1 e) (σ 2 e) e Proof Irrelevance elt E,P t p elt E,P t p if t t 16 / 50

47 Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq { (η) (λx : X.e x) e if x / FV(e) η-rules (SP) elt E,P (σ 1 e) (σ 2 e) e Proof Irrelevance elt E,P t p elt E,P t p if t t... have practical effects Difficulty to reason on code: t u t Γ Coq u Γ. 16 / 50

48 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 17 / 50

49 The Program vernacular Replaces the Program tactic by Catherine Parent. 18 / 50

50 The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 18 / 50

51 The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; Program Definition f : T := t. 18 / 50

52 The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; Program Definition f : T Γ := t Γ. 18 / 50

53 The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proof of the obligations ; Program Definition f : T Γ := t Γ + obligations. 18 / 50

54 The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proof of the obligations ; 4 Final definition. Definition f : T Γ := t Γ + obligations. 18 / 50

55 Sugar Obligations Unresolved implicits ( ) are turned into obligations, à la refine. Bang! = (False rect ) where False rect : A : Type, False A. It corresponds to ML s assert(false). match x with 0! n end 19 / 50

56 Sugar Obligations Unresolved implicits ( ) are turned into obligations, à la refine. Bang! = (False rect ) where False rect : A : Type, False A. It corresponds to ML s assert(false). match x with 0! n end Destruction Let let p := t in e = match t with p e end. p can be an arbitrary pattern. 19 / 50

57 Recursion Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. 20 / 50

58 Recursion Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. a : N f : {x : N x < a} N b : N 20 / 50

59 Hello World: Euclidean division DEMO 21 / 50

60 Pattern-matching revisited Put logic into the terms. Let e : N: match e return T with S n t 1 0 t 2 end 22 / 50

61 Pattern-matching revisited Put logic into the terms. Let e : N: match e as t return t = e T with S n fun (H : S n = e) t 1 0 fun (H : 0 = e) t 2 end (refl equal e) 22 / 50

62 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 n fun (H : n = e) t 2 end (refl equal e) 22 / 50

63 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 S 0 fun (H : S 0 = e) t 2 0 fun (H : 0 = e) t 2 end (refl equal e) 22 / 50

64 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 n fun (H : n = e) let H : n, n S (S n ) in t 2 end (refl equal e) 22 / 50

65 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Generalized to dependent inductive types. Let e : vector n: match e return T with vnil t 1 vcons x n v t 2 end 22 / 50

66 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Generalized to dependent inductive types. Let e : vector n: match e as t in vector n return n = n JMeq t e T with vnil fun (H : 0 = n)(hv : JMeq vnil e) t 1 vcons x n v fun (H : S n = n) (Hv : JMeq (vcons x n v ) e) t 2 end (refl equal n)(jmeq refl e) 22 / 50

67 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 23 / 50

68 Dependent Finger Trees A complex datastructure, with a reference implementation in Haskell (Hinze & Paterson, JFP 2006). Using Program and type classes, we construct a faithful port which is proved safe (terminating and invariant preserving). 24 / 50

69 Dependent Finger Trees A complex datastructure, with a reference implementation in Haskell (Hinze & Paterson, JFP 2006). Using Program and type classes, we construct a faithful port which is proved safe (terminating and invariant preserving). Through dependent types, it provides guarantees to be used by higher-level structures. 24 / 50

70 Dependent Finger Trees A complex datastructure, with a reference implementation in Haskell (Hinze & Paterson, JFP 2006). Using Program and type classes, we construct a faithful port which is proved safe (terminating and invariant preserving). Through dependent types, it provides guarantees to be used by higher-level structures. Instantiated to (safe) ropes whose extraction has reasonnable performance. 24 / 50

71 A quick tour of Finger Trees A Simple General Purpose Data Structure (Hinze & Paterson, JFP 2006) Purely functional, nested datatype Parameterized data structure Efficient deque operations, concatenation and splitting 25 / 50

72 The Big Finger Tree Picture data Digit a = One a Two a a Three a a a Four a a a a data Node a = Node2 a a Node3 a a a

73 The Big Finger Tree Picture data Digit a = One a Two a a Three a a a Four a a a a data Node a = Node2 a a Node3 a a a data FingerTree a = Empty Single a Deep (Digit a) (FingerTree (Node a)) (Digit a) Two Two Deep Deep Empty Three One Node2 Node3 Node2

74 Operating on a Finger Tree add left :: a FingerTree a FingerTree a add left a Empty = Single a add left a (Single b) = Deep (One a) Empty (One b) add left a (Deep pr m sf ) =... Deep Three Empty Three C D E F G H 27 / 50

75 Operating on a Finger Tree add left :: a FingerTree a FingerTree a add left a Empty = Single a add left a (Single b) = Deep (One a) Empty (One b) add left a (Deep pr m sf ) =... Deep Four Empty Three B C D E F G H 27 / 50

76 Operating on a Finger Tree add left :: a FingerTree a FingerTree a add left a Empty = Single a add left a (Single b) = Deep (One a) Empty (One b) add left a (Deep pr m sf ) =... Deep Two Single Three A B F G H Node3 C D E 27 / 50

77 Adding cached measures class Monoid v Measured v a where :: a v

78 Adding cached measures class Monoid v Measured v a where :: a v instance (Measured v a) Measured v (Digit a) where

79 Adding cached measures class Monoid v Measured v a where :: a v instance (Measured v a) Measured v (Digit a) where data Node v a = Node2 v a a Node3 v a a a data FingerTree v a = Empty Single a Deep v (Digit a) (FingerTree v (Node v a)) (Digit a) Node2 a b a b Two Deep a g Empty ε Node3 c d e c d e One Node2 f g f g

80 Outline 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 29 / 50

81 Why do this? Generally useful, non-trivial structure Abstraction and specification power needed to ensure coherence of measures 30 / 50

82 Digits Variable A : Type. Inductive digit : Type := One : A digit Two : A A digit Three : A A A digit Four : A A A A digit. Definition full x := match x with Four True False end. 31 / 50

83 Digits cont d Program Definition add digit left (a : A) (d : digit full d) : digit := match d with One x Two a x Two x y Three a x y Three x y z Four a x y z Four! end. 32 / 50

84 Nodes Variables (v : Type) (mono : monoid v). Variables (A : Type) (measure : A v). 33 / 50

85 Nodes Variables (v : Type) (mono : monoid v). Variables (A : Type) (measure : A v). Inductive node : Type := Node2 : x y, { s : v s = x y } node Node3 : x y z, { s : v s = x y z } node. 33 / 50

86 Nodes Variables (v : Type) (mono : monoid v). Variables (A : Type) (measure : A v). Inductive node : Type := Node2 : x y, { s : v s = x y } node Node3 : x y z, { s : v s = x y z } node. Program Definition node2 (x y : A) : node := Node2 x y ( x y ). Program Definition node measure (n : node) : v := match n with Node2 s s Node3 s s end. 33 / 50

87 Dependent Finger Trees Inductive fingertree (A : Type) : Type := Empty : fingertree A Single : x : A, fingertree A Deep : (l : digit A) (m : v), fingertree (node A) (r : digit A), fingertree A. node : (A : Type) (measure : A v), Type 34 / 50

88 Dependent Finger Trees Inductive fingertree (A : Type) (measure : A v) : Type := Empty : fingertree A measure Single : x : A, fingertree A measure Deep : (l : digit A) (m : v), fingertree (node A measure) (node measure A measure) (r : digit A), fingertree A measure. node : (A : Type) (measure : A v), Type node measure A (measure : A v) : node A measure v 34 / 50

89 Dependent Finger Trees Inductive fingertree (A : Type) (measure : A v) : v Type := Empty : fingertree A measure ε Single : x : A, fingertree A measure (measure x) Deep : (l : digit A) (m : v), fingertree (node A measure) (node measure A measure) m (r : digit A), fingertree A measure (digit measure measure l m digit measure measure r). 34 / 50

90 Adding to the left fix add left A (measure : A v) (a : A) (s : v) (t : fingertree measure s) {struct t} : fingertree measure (measure a s) := 35 / 50

91 Adding to the left fix add left A (measure : A v) (a : A) (s : v) (t : fingertree measure s) {struct t} : fingertree measure (measure a s) := match t with Empty Single a measure a = measure a ε Single b Deep (One a) Empty (One b) Deep pr st t sf end. 35 / 50

92 Adding to the left fix add left A (measure : A v) (a : A) (s : v) (t : fingertree measure s) {struct t} : fingertree measure (measure a s) := match t with Empty Single a measure a = measure a ε Single b Deep (One a) Empty (One b) Deep pr st t sf match pr with Four b c d e let sub := add left (node3 measure c d e) t in Deep (Two a b) sub sf x Deep (add digit left a pr) t sf end end. 35 / 50

93 Two hundred lines, one hundred obligations concatenation def app (A : Type) (measure : A v) (xs : v) (x : fingertree measure xs) (ys : v) (y : fingertree measure ys) : fingertree measure (xs ys). 36 / 50

94 Splitting nodes def splitnode (p : v bool) (i : v) (n : node A measure) : { (l, x, r) : option (digit A) A option (digit A) let ls := option digit measure measure l in let rs := option digit measure measure r in node measure n = ls x rs (l = None p (i ls) = false) (r = None p (i ls x ) = true)} :=... Program Definition split node (p : v bool) i (n : node A) : { (l, x, r) : option (digit A) A option (digit A) n = l x r (l = None p (i l ) = false) (r = None p (i l x ) = true)} := / 50

95 Summary We proved that all the functions from the original paper: are terminating and total respect the measures respect the invariants given in the paper Haskell Program Lines L.o.C. Obls L.o.P. app auto split FingerTree n.a / 50

96 Summary We proved that all the functions from the original paper: are terminating and total respect the measures respect the invariants given in the paper Haskell Program Lines L.o.C. Obls L.o.P. app auto split FingerTree n.a. 400 Non-dependent interface, specializations A version with modules for a better extraction to OCaml 38 / 50

97 Outline 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 39 / 50

98 Ropes on top of Finger Trees Ingredients: A := string int int (substrings) v := int (the length, computationally relevant) measure (str, start, len) := len mono := (0, +) Implement substring, get 40 / 50

99 Ropes on top of Finger Trees Ingredients: A := string int int (substrings) v := int (the length, computationally relevant) measure (str, start, len) := len mono := (0, +) Implement substring, get Extracted code comparable to an optimized rope implementation. 40 / 50

100 Ropes on top of Finger Trees Ingredients: A := string int int (substrings) v := int (the length, computationally relevant) measure (str, start, len) := len mono := (0, +) Implement substring, get Extracted code comparable to an optimized rope implementation. Relies on implicit invariants of the monoid, measure and code. 40 / 50

101 Certified Sequences: the monoid def below i := { x : nat x < i }. def v := { i : nat & (below i A) }. 41 / 50

102 Certified Sequences: the monoid def below i := { x : nat x < i }. def v := { i : nat & (below i A) }. def epsilon : v := 0 (fun!). def append (n, fx) (m, fy) : v := (n + m) (fun i if lt ge dec i n then fx i else fy (i - n)). 41 / 50

103 Instantiation def measure (x : A) : v := 1 (fun x). def seq (x : v) := fingertree seqmonoid measure x. 42 / 50

104 Instantiation def measure (x : A) : v := 1 (fun x). def seq (x : v) := fingertree seqmonoid measure x. tail n f : seq (n f ) seq (pred n (fun i f (S i))) app n fx m fy : seq (n fx) seq (m fy) seq (n + m (fun i if lt ge dec i n then fx i else fy (i - n))) 42 / 50

105 The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). 43 / 50

106 The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). def get (i : nat) (m : below i A) (x : seq (i m)) (j : below i) : { value : A value = m j }. 43 / 50

107 The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). def get (i : nat) (m : below i A) (x : seq (i m)) (j : below i) : { value : A value = m j }. def set (i : nat) (m : below i A) (x : seq (i m)) (j : below i) (value : A) : seq (i (fun idx if idx = j then value else m idx)). 43 / 50

108 The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). def get (i : nat) (m : below i A) (x : seq (i m)) (j : below i) : { value : A value = m j }. def set (i : nat) (m : below i A) (x : seq (i m)) (j : below i) (value : A) : seq (i (fun idx if idx = j then value else m idx)). Modularity: only the specifications are used! Efficiency: Irrelevance of m currently not specified 43 / 50

109 Theorems for free! Program Lemma get set i m (x : seq (i m)) (j : below i) (value : A) : value = get (set x j value) j. Program Lemma get set diff i m (x : seq (i m)) (j : below i) (value : A) (k : below i) : j k get x k = get (set x j value) k. 44 / 50

110 Summary A certified implementation of Finger Trees and random-access sequences. Program scales, thanks to the phase distinction. Typeclasses to solve the overloading issues. 45 / 50

111 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 46 / 50

112 Our contributions We studied a more flexible programming language, Russell, providing a new formal justification of Predicate subtyping à la PVS, in a system with proof terms. 47 / 50

113 Our contributions We studied a more flexible programming language, Russell, providing a new formal justification of Predicate subtyping à la PVS, in a system with proof terms. We implemented the Program tool to ease programming in Coq using the full language ( 10k lines of OCaml). 47 / 50

114 Our contributions We studied a more flexible programming language, Russell, providing a new formal justification of Predicate subtyping à la PVS, in a system with proof terms. We implemented the Program tool to ease programming in Coq using the full language ( 10k lines of OCaml). We experimented it on a verified implementation of Finger Trees and ropes ( 4k lines of literate Coq). 47 / 50

115 Dissemination A methodology to build certified code in Coq, distributed since 2005: Already experimented by others, e.g. the Ynot project (Nanevsky, Morrisett & Birkedal) implementing Hoare Type Theory on top of Coq. Independent of the theory, can be ported to other systems: Matita (by Enrico Tassi), Agda, Epigram. 48 / 50

116 Ongoing and future work We hinted at the important foundational issues with η-rules and proof-irrelevance that need to be solved (with Benjamin Werner). Automation for discharging proof-obligations (Sean Wilson at Edinburgh). Handling truly dependent pattern-matching by an elaboration. 49 / 50

117 The End Programming with Dependent Types in Coq Matthieu Sozeau LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project PPS Seminar February 26th 2009 Paris, France Try 8.2!

Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring

Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring Program-ing in Coq Matthieu Sozeau under the direction of Christine Paulin-Mohring LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project Foundations of Programming seminar February 15th 2008