Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring

Size: px

Start display at page:

Download "Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring"

Cynthia Chase
5 years ago
Views:

1 Program-ing in Coq Matthieu Sozeau under the direction of Christine Paulin-Mohring LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project Foundations of Programming seminar February 15th 2008 University of Nottingham

2 The Big Picture

3 The Big Picture

4 The Big Picture

5 The Big Picture

6 The Big Picture

7 The Big Picture

8 The Big Picture

9 The Big Picture Inductive diveucl a b : Set := divex : q r, b > r a = q b + r diveucl a b. Lemma eucl dev : n, n > 0 m:nat, diveucl m n. Proof. intros b H a; pattern a in ; apply gt wf rec; intros n H0. elim (le gt dec b n). intro lebn. elim (H0 (n - b)); auto with arith. intros q r g e. apply divex with (S q) r; simpl in ; auto with arith. elim plus assoc. elim e; auto with arith. intros gtbn. apply divex with 0 n; simpl in ; auto with arith. Qed.

10 The Big Picture

11 The Curry-Howard isomorphism Programming language = Proof system

12 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

13 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Epigram PVS DML Ωmega

14 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Epigram PVS DML Ωmega

15 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Separates proofs and programs using sorts Extraction Epigram PVS DML Ωmega

16 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Separates proofs and programs using sorts Extraction Paradigm Purely functional. Epigram PVS DML Ωmega

17 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Separates proofs and programs using sorts Extraction Paradigm Purely functional. Total, no separation of terms and types. Epigram PVS DML Ωmega

18 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Separates proofs and programs using sorts Extraction Paradigm Purely functional. Total, no separation of terms and types. Development style and proof automation Interactive, semi-automatic proof using tactics. Epigram PVS DML Ωmega

19 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Separates proofs and programs using sorts Extraction Paradigm Purely functional. Total, no separation of terms and types. Development style and proof automation Interactive, semi-automatic proof using tactics. Phase distinction none Epigram PVS DML Ωmega

20 The Curry-Howard isomorphism Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment. Logical Framework Type Theory. Separates proofs and programs using sorts Extraction Paradigm Purely functional. Total, no separation of terms and types. Development style and proof automation Interactive, semi-automatic proof using tactics. Phase distinction in Program Epigram PVS DML Ωmega

21 1 The idea A simple idea From PVS to Coq 2 Theoretical development Russell Interpretation in Coq Inductive types 3 Program Architecture Hello world Extensions 4 Conclusion M. Sozeau (LRI) Program-ing in Coq 4 / 27

22 A simple idea Definition {x : T P } is the set of objects of set T verifying property P. Useful for specifying, widely used in mathematics ; Links object and property. M. Sozeau (LRI) Program-ing in Coq 5 / 27

23 A simple idea Definition {x : T P } is the set of objects of set T verifying property P. Useful for specifying, widely used in mathematics ; Links object and property. Adapting the idea t : T P [t/x] t : { x : T P } t : { x : T P } t : T M. Sozeau (LRI) Program-ing in Coq 5 / 27

24 A simple idea Definition {x : T P } is the set of objects of set T verifying property P. Useful for specifying, widely used in mathematics ; Links object and property. Adapting the idea t : T p : P [t/x] (t, p) : { x : T P } t : { x : T P } proj t : T M. Sozeau (LRI) Program-ing in Coq 5 / 27

25 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. t : { x : T P } used as t : T ok t : T used as t : { x : T P } if P [t/x] M. Sozeau (LRI) Program-ing in Coq 6 / 27

26 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. t : { x : T P } used as t : T ok t : T used as t : { x : T P } if P [t/x] + Practical success ; M. Sozeau (LRI) Program-ing in Coq 6 / 27

27 From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. t : { x : T P } used as t : T ok t : T used as t : { x : T P } if P [t/x] + Practical success ; No strong safety guarantee in PVS. M. Sozeau (LRI) Program-ing in Coq 6 / 27

28 ... to Subset coercions 1 A property-irrelevant language (Russell) with decidable typing ; Γ t : { x : T P } Γ t : T Γ t : T Γ, x : T P : Prop Γ t : { x : T P } M. Sozeau (LRI) Program-ing in Coq 7 / 27

29 ... to Subset coercions 1 A property-irrelevant language (Russell) with decidable typing ; 2 A total interpretation to Coq terms with holes ; Γ t : { x : T P } Γ proj t : T Γ t : T Γ, x : T P : Prop Γ (t,?) : { x : T P } Γ? : P [t/x] M. Sozeau (LRI) Program-ing in Coq 7 / 27

30 ... to Subset coercions 1 A property-irrelevant language (Russell) with decidable typing ; 2 A total interpretation to Coq terms with holes ; 3 A mechanism to turn the holes into proof obligations and manage them. Γ t : { x : T P } Γ proj t : T Γ t : T Γ, x : T P : Prop Γ p : P [t/x] Γ (t, p) : { x : T P } M. Sozeau (LRI) Program-ing in Coq 7 / 27

31 1 The idea A simple idea From PVS to Coq 2 Theoretical development Russell Interpretation in Coq Inductive types 3 Program Architecture Hello world Extensions 4 Conclusion M. Sozeau (LRI) Program-ing in Coq 8 / 27

32 Russell syntax x V s, t, u, v ::= x Set Prop Type M. Sozeau (LRI) Program-ing in Coq 9 / 27

33 Russell syntax x V s, t, u, v ::= x Set Prop Type λx : s.t s t Πx : s.t M. Sozeau (LRI) Program-ing in Coq 9 / 27

34 Russell syntax x V s, t, u, v ::= x Set Prop Type λx : s.t s t Πx : s.t (u, v) Σx:s.t π 1 s π 2 s Σx : s.t M. Sozeau (LRI) Program-ing in Coq 9 / 27

35 Russell syntax x V s, t, u, v ::= x Set Prop Type λx : s.t s t Πx : s.t (u, v) Σx:s.t π 1 s π 2 s Σx : s.t { x : s t } M. Sozeau (LRI) Program-ing in Coq 9 / 27

36 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U βπ T : s Γ t : T M. Sozeau (LRI) Program-ing in Coq 10 / 27

37 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T βπ U : s Γ T U : s M. Sozeau (LRI) Program-ing in Coq 10 / 27

38 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T βπ U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set M. Sozeau (LRI) Program-ing in Coq 10 / 27

39 Russell typing and coercion Calculus of Constructions with Γ t : U Example Γ U T : s Γ t : T Γ T βπ U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ 0 : N Γ N { x : N x 0 } : Set Γ 0 : { x : N x 0 } M. Sozeau (LRI) Program-ing in Coq 10 / 27

40 Russell typing and coercion Calculus of Constructions with Γ t : U Example Γ U T : s Γ t : T Γ T βπ U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ 0 : N Γ N { x : N x 0 } : Set Γ 0 : { x : N x 0 } Γ? : 0 0 M. Sozeau (LRI) Program-ing in Coq 10 / 27

41 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T βπ U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ U T : s 1 Γ, x : U V W : s 2 Γ Πx : T.V Πx : U.W : s 2 Γ T U : s Γ, x : T V W : s s {Set, Prop} Γ Σx : T.V Σy : U.W : s M. Sozeau (LRI) Program-ing in Coq 10 / 27

42 Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T βπ U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ U T : s 1 Γ, x : U V W : s 2 Γ Πx : T.V Πx : U.W : s 2 Γ T U : s Γ, x : T V W : s s {Set, Prop} Γ Σx : T.V Σy : U.W : s is symmetric! M. Sozeau (LRI) Program-ing in Coq 10 / 27

43 Results Theorem (Decidability of type checking and type inference) Γ t : T is decidable. Γ f : T Γ T Πx : A.B : s Γ e : E Γ E A : s Γ (f e) : B[e/x] M. Sozeau (LRI) Program-ing in Coq 11 / 27

44 Results Theorem (Decidability of type checking and type inference) Γ t : T is decidable. Γ f : T Γ T Πx : A.B : s Γ e : E Γ E A : s Γ (f e) : B[e/x] Coq corner Mechanised proofs of Subject Reduction and equivalence between declarative and algorithmic presentations of the system. M. Sozeau (LRI) Program-ing in Coq 11 / 27

45 1 The idea A simple idea From PVS to Coq 2 Theoretical development Russell Interpretation in Coq Inductive types 3 Program Architecture Hello world Extensions 4 Conclusion M. Sozeau (LRI) Program-ing in Coq 12 / 27

46 From Russell to Coq The target system : Cic with metavariables Γ? t : T Γ? p : P [t/x] Γ? elt T P t p : { x : T P } Γ? t : { x : T P } Γ? σ 1 t : T Γ? t : { x : T P } Γ? σ 2 t : P [σ 1 t/x] Γ? P : Prop Γ?? P : P We build an interpretation Γ from Russell to Cic? terms. M. Sozeau (LRI) Program-ing in Coq 13 / 27

47 From Russell to Coq The target system : Cic with metavariables Γ? t : T Γ? p : P [t/x] Γ? elt T P t p : { x : T P } Γ? t : { x : T P } Γ? σ 1 t : T Γ? t : { x : T P } Γ? σ 2 t : P [σ 1 t/x] Γ? P : Prop Γ?? P : P We build an interpretation Γ from Russell to Cic? terms. Our goal If Γ t : T then Γ? t Γ : T Γ. M. Sozeau (LRI) Program-ing in Coq 13 / 27

48 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. M. Sozeau (LRI) Program-ing in Coq 14 / 27

49 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition T βπ U Γ? : T U M. Sozeau (LRI) Program-ing in Coq 14 / 27

50 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition T βπ U Γ? : T U M. Sozeau (LRI) Program-ing in Coq 14 / 27

51 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition Γ? T βπ U Γ? : T U : { x : T P } T M. Sozeau (LRI) Program-ing in Coq 14 / 27

52 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition T βπ U Γ? : T U Γ? σ 1 : { x : T P } T M. Sozeau (LRI) Program-ing in Coq 14 / 27

53 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition T βπ U Γ? : T U Γ? σ 1 : { x : T P } T Γ? : T { x : T P } M. Sozeau (LRI) Program-ing in Coq 14 / 27

54 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition T βπ U Γ? : T U Γ? σ 1 : { x : T P } T Γ? elt? P Γ,x:T [ /x] : T { x : T P } M. Sozeau (LRI) Program-ing in Coq 14 / 27

55 Deriving explicit coercions Interpretation of coercions If Γ T U : s then Γ? c[ ] : T U which implies Γ, x : T Γ? c[x] : U Γ. Definition T βπ U Γ? : T U Γ? σ 1 : { x : T P } T Γ? elt? P Γ,x:T [ /x] : T { x : T P } Example Γ? 0 : N Γ? elt? (x 0)[ /x] : N { x : N x 0 } Γ? elt 0? 0 0 : { x : N x 0 } M. Sozeau (LRI) Program-ing in Coq 14 / 27

56 Interpretation of terms Example (Application) Γ f : T Γ T Πx : V.W : s Γ u : U Γ U V : s Γ (f u) : W [u/x] f u Γ let π = coerce Γ T (Πx : V.W ) in let c = coerce Γ U V in (π[ f Γ ]) (c[ u Γ ]) Theorem (Soundness) If Γ t : T then Γ? t Γ : T Γ. M. Sozeau (LRI) Program-ing in Coq 15 / 27

57 Theoretical matters...? s equational theory: (β) (λx : X.e) v e[v/x] (π i ) π i (e 1, e 2 ) T e i (σ i ) σ i (elt E P e 1 e 2 ) e i (η) (λx : X.e x) e if x / F V (e) (SP) elt E P (σ 1 e) (σ 2 e) e M. Sozeau (LRI) Program-ing in Coq 16 / 27

58 Theoretical matters...? s equational theory: (β) (λx : X.e) v e[v/x] (π i ) π i (e 1, e 2 ) T e i (σ i ) σ i (elt E P e 1 e 2 ) e i (η) (λx : X.e x) e if x / F V (e) (SP) elt E P (σ 1 e) (σ 2 e) e (PI) elt E P t p elt E P t p if t t Proof Irrelevance M. Sozeau (LRI) Program-ing in Coq 16 / 27

59 Theoretical matters...? s equational theory: (β) (λx : X.e) v e[v/x] (π i ) π i (e 1, e 2 ) T e i (σ i ) σ i (elt E P e 1 e 2 ) e i (η) (λx : X.e x) e if x / F V (e) (SP) elt E P (σ 1 e) (σ 2 e) e (PI) elt E P t p elt E P t p if t t Proof Irrelevance... have practical effects Difficulty to reason on code: elt T P x p 1 elt T P x p 2 where p 1, p 2 : P x. M. Sozeau (LRI) Program-ing in Coq 16 / 27

60 Inductive types Different representations vector n { x : list A length x = n } or vector n vnil : vector 0 vcons : A n, vector n vector (S n)? M. Sozeau (LRI) Program-ing in Coq 17 / 27

61 Inductive types Different representations vector n { x : list A length x = n } or vector n vnil : vector 0 vcons : A n, vector n vector (S n)? Γ v : vector x Γ x = y : Prop Γ vector x vector y : Set Γ v : vector y M. Sozeau (LRI) Program-ing in Coq 17 / 27

62 1 The idea A simple idea From PVS to Coq 2 Theoretical development Russell Interpretation in Coq Inductive types 3 Program Architecture Hello world Extensions 4 Conclusion M. Sozeau (LRI) Program-ing in Coq 18 / 27

63 The Program vernacular Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). M. Sozeau (LRI) Program-ing in Coq 19 / 27

64 The Program vernacular Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser. Program Definition f : T := t. M. Sozeau (LRI) Program-ing in Coq 19 / 27

65 The Program vernacular Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser. 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; Program Definition f : T Γ := t Γ. M. Sozeau (LRI) Program-ing in Coq 19 / 27

66 The Program vernacular Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser. 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proving of obligations ; Program Definition f : T Γ := t Γ + obligations. M. Sozeau (LRI) Program-ing in Coq 19 / 27

67 The Program vernacular Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser. 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proving of obligations ; 4 Final definition. Definition f : T Γ := t Γ + obligations. M. Sozeau (LRI) Program-ing in Coq 19 / 27

68 The Program vernacular Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser. 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proving of obligations ; 4 Final definition. Restriction We assume Γ CCI T Γ : s. Definition f : T Γ := t Γ + obligations. M. Sozeau (LRI) Program-ing in Coq 19 / 27

69 Hello world: Euclidean division DEMO M. Sozeau (LRI) Program-ing in Coq 20 / 27

70 1 The idea A simple idea From PVS to Coq 2 Theoretical development Russell Interpretation in Coq Inductive types 3 Program Architecture Hello world Extensions 4 Conclusion M. Sozeau (LRI) Program-ing in Coq 21 / 27

71 Pattern-matching revisited Put logic into the terms. Let e : N: match e return T with S n t 1 0 t 2 end M. Sozeau (LRI) Program-ing in Coq 22 / 27

72 Pattern-matching revisited Put logic into the terms. Let e : N: match e as t return t = e T with S n fun (H : S n = e) t 1 0 fun (H : 0 = e) t 2 end (refl equal e) M. Sozeau (LRI) Program-ing in Coq 22 / 27

73 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 n fun (H : n = e) t 2 end (refl equal e) M. Sozeau (LRI) Program-ing in Coq 22 / 27

74 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 S 0 fun (H : S 0 = e) t 2 0 fun (H : 0 = e) t 2 end (refl equal e) M. Sozeau (LRI) Program-ing in Coq 22 / 27

75 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 n fun (H : n = e) let H : n, n S (S n ) in t 2 end (refl equal e) M. Sozeau (LRI) Program-ing in Coq 22 / 27

76 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Generalized to dependent inductive types. Let e : vector n: match e return T with vnil t 1 vcons x n v t 2 end M. Sozeau (LRI) Program-ing in Coq 22 / 27

77 Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Generalized to dependent inductive types. Let e : vector n: match e as t in vector n return n = n t e T with vnil fun (H : 0 = n)(hv : vnil e) t 1 vcons x n v fun (H : S n = n)(hv : vcons x n v e) t 2 end(refl equal n)(jmeq refl e) M. Sozeau (LRI) Program-ing in Coq 22 / 27

78 Sugar Obligations Unresolved implicits ( ) are turned into obligations, à la refine. Bang! (False rect ) where False rect : A : Type, False A. It corresponds to ML s assert(false). match 0 with 0 0 n! end M. Sozeau (LRI) Program-ing in Coq 23 / 27

79 Sugar Obligations Unresolved implicits ( ) are turned into obligations, à la refine. Bang! (False rect ) where False rect : A : Type, False A. It corresponds to ML s assert(false). match 0 with 0 0 n! end Destruction Let let p := tin e match t with p e end. p can be an arbitrary pattern. M. Sozeau (LRI) Program-ing in Coq 23 / 27

80 Recursion Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. M. Sozeau (LRI) Program-ing in Coq 24 / 27

81 Recursion Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. a : N f : {x : N x < a} N b : N M. Sozeau (LRI) Program-ing in Coq 24 / 27

82 Safe Lists DEMO M. Sozeau (LRI) Program-ing in Coq 25 / 27

83 Conclusion Our contributions A more flexible programming language, (almost) conservative over Cic, integrated with the existing environment and a formal justification of Predicate subtyping. A tool to make programming in Coq using the full language possible, which can effectively be used for non-trivial developments. Ongoing and future work Reasoning support through tactics Implementation of proof-irrelevance in Coq s kernel Overloading support through a typeclass mechanism. M. Sozeau (LRI) Program-ing in Coq 26 / 27

84 The End sozeau/research/russell.en.html M. Sozeau (LRI) Program-ing in Coq 27 / 27

Programming with Dependent Types in Coq

Programming with Dependent Types in Coq Matthieu Sozeau LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project PPS Seminar February 26th 2009 Paris, France Coq A higher-order, polymorphic logic: