logical verification lecture program extraction and prop2

Transcription

1 logical verification lecture program extraction and prop2

2 overview program extraction program extraction: examples verified programs: alternative approach formulas of prop2 terminology proofs of prop2

3 some history: foundational crisis Bertrand Russell shows that naive set theory (or type theory) is inconsistent: {x x x} {x x x}

4 some answers: three schools Hilbert: formalism, leads eventually to ZFC set theory Russell: logicism, leads eventually to an early version of type theory Brouwer, Heyting, Bishop: intuitionism, rejects excluded middle

5 Brouwer Heyting Kolmogorov interpretation does not exist A B maps proofs of A to proofs of B A B proof of A and proof of B A B proof of A or a proof of B x. P(x) maps x to a proof of P(x) x. P(x) object a with proof of P(a) proof of existence corresponds to constructing an example

6 program extraction rough idea an intuitionistic (constructive) proof corresponds to an executable algorithm

7 constructive functional programming program specification constructive proof of existence automatically generated functional program

8 program specification: example the correctness proof of the specification l : natlist. l : natlist. permutation(l, l ) sorted(l ) yields a program (function) from natlist to natlist

9 program specification: general pattern A B P(x) Q(x, y) x : A. P(x) y : B. Q(x, y) input type output type precondition input/output behaviour the correctness proof yields a program from A to B

10 program extraction in Coq Coq proof in type theory gives functional program in OCaml or Haskell or Scheme

11 program extraction in Coq is almost the identity function but other typing system information from Prop is erased

12 existential quantification in Prop inductive type: Inductive ex (A : Type) (P : A -> Prop) : Prop := ex_intro : forall x : A, P x -> ex P syntax: exists x : A, P x.

13 existential quantification in Set inductive type: Inductive sig (A : Set) (P : A -> Prop) : Set := exist : forall x : A, P x -> sig P syntax: {x:a P x}

14 for program extraction use existential quantification in Set

15 successor: existence proof and extracted program specification: Theorem successor : forall n:nat, {m:nat m = S n}. extracted program: let successor n = S n

16 predecessor: existence proof and extracted program specification: Theorem predecessor : forall n:nat, ~(n = O) -> {m:nat S m = n}. extracted program: let rec predecessor = function O -> assert false (* absurd case *) S n0 -> n0

17 insertion sort: existence proof Theorem Sort : forall l : natlist, {l : natlist permutation l l /\ sorted l }.

18 insertion sort: predicate permutation Inductive permutation : natlist -> natlist -> Prop := permutation_nil : permutation nil nil permutation_cons : forall (n : nat) (l l l : natlist), permutation l l -> inserted n l l -> permutation (cons n l) l.

19 insertion sort: predicate inserted Inductive inserted (n : nat) : natlist -> natlist -> Prop := inserted_front : forall l : natlist, inserted n l (cons n l) inserted_cons : forall (m : nat) (l l : natlist), inserted n l l -> inserted n (cons m l) (cons m l ).

20 le: family of inductive predicates Inductive le (n:nat) : nat -> Prop := le_n : le n n le_s : forall m:nat, le n m -> le n (S m). le_ind : forall (n : nat) (P : nat -> Prop), P n -> (forall m : nat, le n m -> P m -> P (S m)) -> forall n0 : nat, le n n0 -> P n0

21 le: examples le_n 0 : le O O : Prop le_n 7 : le 7 7 : Prop le_s 0 0 (le_n 0) : le O 1 : Prop le_s 0 1 (le_s 0 0 (le_n 0)) : le O 2 : Prop

22 insertion sort: predicate sorted Inductive sorted : natlist -> Prop := sorted0 : sorted nil sorted1 : forall n:nat, sorted (cons n nil) sorted2 : forall n h:nat, forall t:natlist, le n h -> sorted (cons h t) -> sorted (cons n (cons h t)).

23 Leibniz equality two terms are equal if they have the same properties Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x eq_ind : forall (A : Type) (x : A) (P : A -> Prop), P x -> forall y : A, x = y -> P y

24 verified programs: two approaches correctness proofs from program to proof program extraction from proof to program

25 correctness proofs: Hoare logic imperative program annotated imperative program proof obligations

26 mirror: correctness proof define a function mirror and prove its correctness: Theorem Mirrored_mirror : forall t : bintree, Mirrored t (mirror t).

27 mirror: program extraction prove the specification correct and extract a program from it Theorem Mirror : forall t : bintree, {t : bintree Mirrored t t }.

28 summarizing the two approaches specification Inductive Mirrored approach 1: implementation Fixpoint mirror approach 1: correctness Theorem Mirrored mirror approach 2: program extracted from existence proof Theorem Mirror

29 logics and type theory 1st-order minimal propositional logic simple type theory 1st-order minimal predicate logic dependent type theory 2nd-order minimal propositional logic polymorphic type theory

30 formulas of prop1 (already seen) a b c p q A B A B A B

31 formulas of pred1 (already seen) (using terms) a(...) b(...) c(...) p(...) q(...) A B x. A A B A B x. A

32 formulas of prop2 (new) a b c p q A B a. A A B A B a. A

33 examples in prop1: a a in pred1: x. a(x) a(x) in prop2: a. a a for every proposition, that proposition implies itself

34 higher-order first order: object second order: set of first-order objects predicate on objects function from objects to objects third order: set of second-order objects predicate on predicates on objects functions from second order objects

35 higher-order logic first-order: quantification over variables of order 1 a a x. a(x) a(x) second-order: quantification over variables of order 2 a. a a a. x. a(x) a(x) f. x. a(f (x)) a(f (x)) third-order: quantification over variables of order 3 b. f. b(f ) x. a(f (x)) quantify over predicates gives pred2 same without terms gives prop2

36 second-order predicate logic: example induction principle for natural numbers a. a(0) ( m. a(m) a(s(m))) n. a(n) m 1st order variable n 1st order variable 0 1st order constant a 2nd order variable S 2nd order constant (or 1st order function)

37 second-order predicate logic: example there exists a sorting function f : natlist natlist. l : natlist. sorted(f (l)) permutation(l, f (l)) f l sorted permutation 2nd order variable 1st order variable 2nd order constant (or 1st order function) 2nd order constant (or 1st order function)

38 examples prop2 a. a a prop1 a a pred2 p. x. p(x) p(x) pred1 x. p(x) p(x)

39 proof rules for prop2 introduction rules I I [x] I Il, Ir I I elimination rules E E El, Er E E E

40 universal quantification for prop2 introduction: A a. A I variable condition: a not free in any open assumption check: variable does not occur in any of the available assumptions elimination: a. A A[a := B] E

41 existential quantification for prop2 introduction: A[a := B] a. A I elimination: a. A a. A B B E variable condition: a not free in B check: variable does not occur in the conclusion

42 examples of tautologies ( b. b) a a b. (b a) a b. ((a b) b) ( b. a) a b ((a b) (b a))

43 examples of non-tautological formulas a ( a. a) p(x) ( x. p(x)) ( a. a) a a. b. (a b) (b a) (classical logic needed)

44 minimal prop2: detour introduction rule for a connective immediately followed by an elimination rule for the same connective

45 elimination of an implication detour (as in prop1) is replaced by. B A B I [x]. A B E where every occurrence of the assumption A x is replaced by the proof. B. A

46 elimination of an universal quantification detour (similar to pred1) everywhere a is replaced by A B a. B I B[a := A] E B[a := A]