Programming with Dependent Types in Coq

Similar documents
Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring

Interactive Theorem Provers

Nunchaku: Flexible Model Finding for Higher-Order Logic

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications

Univalence for Free. Matthieu Sozeau Joint work with Nicolas Tabareau - INRIA. GT Types & Réalisabilité March 13th 2013

A New Look At Generalized Rewriting in Type Theory

A New Look at Generalized Rewriting in Type Theory

Structuring the verification of heap-manipulating programs

Examples for program extraction in Higher-Order Logic

Discrete Mathematics Review

Imperative Insertion Sort

Using the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:

CS294-9 September 14, 2006 Adam Chlipala UC Berkeley

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods

Beyond First-Order Logic

VeriML: Typed Computation of Logical Terms inside a Language with Effects

Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison

Programming Languages Fall 2013

Modeling Ontological Structures with Type Classes in Coq

Automating Interactive Theorem Proving with Coq and Ltac. by Oron Propp and Alex Sekula Mentored by Drew Haven PRIMES

Universe Polymorphism in Coq

Gerwin Klein, June Andronick, Ramana Kumar S2/2016

Limitations of OCAML records

Hoare Logic: Reasoning About Imperative Programs

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

A Principled approach to Ornamentation in ML

Notes from Yesterday s Discussion. Big Picture. CIS 500 Software Foundations Fall November 1. Some lessons.

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 18, 2017

Outline. A recursive function follows the structure of inductively-defined data.

Depending on equations

Introduction to lambda calculus Part 6

M a s t e r r e s e a rc h I n t e r n s h i p. Formalisation of Ground Inference Systems in a Proof Assistant

The Tortoise and the Hare Algorithm

CIS 500: Software Foundations

The TLA + proof system

A General Method for the Proof of Theorems on Tail-recursive Functions

Rules and derivations in an elementary logic course arxiv: v1 [cs.lo] 7 Jan 2016

Cylindrical Algebraic Decomposition in Coq

Functional Data Structures

Typed Arithmetic Expressions

Propositional and Predicate Logic - V

Analyse et Conception Formelle. Lesson 4. Proofs with a proof assistant

Type Soundness for Path Polymorphism

Programming Languages and Types

Syntax and semantics of a GPU kernel programming language

The L Machines are very high-level, in two senses:

Recursion and Intro to Coq

The syntactic guard condition of Coq

Sri vidya college of engineering and technology

The Calculus of Inductive Constructions

Representations of Boolean Functions in Constructive Type Theory

hal , version 1-21 Oct 2009

Static Program Analysis

The Tortoise and the Hare Algorithm

Information Flow Inference for ML

Iris: Higher-Order Concurrent Separation Logic. Lecture 6: Case Study: foldr

Reasoning About Imperative Programs. COS 441 Slides 10b

Review. Principles of Programming Languages. Equality. The Diamond Property. The Church-Rosser Theorem. Corollaries. CSE 230: Winter 2007

Normalization by Evaluation

An axiom free Coq proof of Kruskal s tree theorem

CSE 505, Fall 2009, Midterm Examination 5 November Please do not turn the page until everyone is ready.

Induction on Failing Derivations

The Coq Proof Assistant

(Type) Constraints. Solving constraints Type inference

Roy L. Crole. Operational Semantics Abstract Machines and Correctness. University of Leicester, UK

The LCF Approach to Theorem Proving

Extending higher-order logic with predicate subtyping: application to PVS

The Algebra of Infinite Sequences: Notations and Formalization

Lecture Notes on Data Abstraction

Landau Symbols. Manuel Eberl. November 28, 2018

A Certified Denotational Abstract Interpreter (Proof Pearl)

Write your own Theorem Prover

Simply Typed Lambda Calculus

3 Propositional Logic

CMSC 631 Program Analysis and Understanding Fall Type Systems

λ Slide 1 Content Exercises from last time λ-calculus COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification

Meta-Reasoning in a Concurrent Logical Framework

Subtyping and Intersection Types Revisited

Type Inference. For the Simply-Typed Lambda Calculus. Peter Thiemann, Manuel Geffken. Albert-Ludwigs-Universität Freiburg. University of Freiburg

Operational Semantics

Reasoning about Trace Properties of Higher-order Programs

logical verification lecture program extraction and prop2

Computer Algebra in Coq using reflection

Formalising the Completeness Theorem of Classical Propositional Logic in Agda (Proof Pearl)

CSE505, Fall 2012, Final Examination December 10, 2012

Typing λ-terms. Types. Typed λ-terms. Base Types. The Typing Relation. Advanced Formal Methods. Lecture 3: Simply Typed Lambda calculus

A Machine Checked Model of Idempotent MGU Axioms For a List of Equational Constraints

Propositional logic. First order logic. Alexander Clark. Autumn 2014

Finite Automata Theory and Formal Languages TMV027/DIT321 LP Recap: Logic, Sets, Relations, Functions

Notes on Inductive Sets and Induction

Inductive Predicates

Software Engineering

Cylindrical Algebraic Decomposition in Coq

CS411 Notes 3 Induction and Recursion

The Locally Nameless Representation

An Introduction to Proof Assistants

Coinductive big-step operational semantics

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

CIS 500: Software Foundations

Transcription:

Programming with Dependent Types in Coq Matthieu Sozeau LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project PPS Seminar February 26th 2009 Paris, France

Coq A higher-order, polymorphic logic: A (P Q : A Prop), ( x, P x Q x) x, P x Q x x y : N, x + y = y + x

Coq A higher-order, polymorphic logic: A (P Q : A Prop), ( x, P x Q x) x, P x Q x x y : N, x + y = y + x A purely functional programming language with dependent types: (λ A (x : A), x) : A, A A div : (a : nat) (b : nat b 0), { (q, r) : nat nat a = b q + r r < b }

Coq A higher-order, polymorphic logic: A (P Q : A Prop), ( x, P x Q x) x, P x Q x x y : N, x + y = y + x A purely functional programming language with dependent types: (λ A (x : A), x) : A, A A div : (a : nat) (b : nat b 0), { (q, r) : nat nat a = b q + r r < b } Problem: writing such programs is difficult.

Programming with tactics Lemma eucl dev : n, n > 0 m : nat, { (q, r) : nat nat n > r m = q n + r }. Proof. intros b H a; pattern a; apply gt wf rec; intros n H0. elim (le gt dec b n). intro lebn. case (H0 (n - b)); auto with arith. intros [q r] [g e]. (S q, r); simpl; auto with arith. elim plus assoc. elim e; auto with arith. intros gtbn. (0, n); simpl; auto with arith. Qed.

Programming directly λ b (H : b > 0) a, gt wf rec a (λ n, { (q, r) : nat nat b > r n = q b + r}) (λ n (H0 : Π m : nat, n > m { (q, r) : nat nat b > r m = q b + r}), sumbool rec (λ : {b n} + {b > n}, { (q, r) : nat nat b > r n = q b + r}) (λ lebn : b n, let (x, x0) := H0 (n - b) (lt minus n b lebn H) in (let (q, r) as p return ((let (q, r) := p in b > r n - b = q b + r) { (q, r) : nat nat b > r n = q b + r}) := x in λ y : b > r n - b = q b + r, match y with conj g e elt (eq ind (b + (q b + r)) (λ n0, b > r n = n0) (eq ind (n - b) (λ n0, b > r n = b + n0) (conj g (le plus minus b n lebn)) (q b + r) e) (b + q b + r) (plus assoc b (q b) r)) end) x0) (λ gtbn : b > n, elt (conj gtbn refl)) (le gt dec b n))

Thesis We can write programs as usual and still give them rich types.

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 7 / 50

A simple idea Definition The set {x : T P } is the set of objects in T verifying property P. Useful for specifying, widely used in mathematics ; Links object and property. 8 / 50

From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. t : T P [t/x] t : { x : T P } t : { x : T P } t : T 9 / 50

From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. + Practical success ; t : T P [t/x] t : { x : T P } t : { x : T P } t : T 9 / 50

From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. + Practical success ; No strong safety guarantee in PVS. t : T P [t/x] t : { x : T P } t : { x : T P } t : T 9 / 50

From Predicate subtyping... PVS Specialized typing algorithm for subset types, generating Type-checking conditions. + Practical success ; No strong safety guarantee in PVS. t : T p : P [t/x] elt t p : { x : T P } t : { x : T P } σ 1 t : T 9 / 50

... to Subset Coercions 1 A property-irrelevant language (Russell) with decidable typing Γ t : { x : T P } Γ t : T Γ t : T Γ, x : T P : Prop Γ t : { x : T P } 10 / 50

... to Subset Coercions 1 A property-irrelevant language (Russell) with decidable typing 2 A total interpretation to Coq terms with holes Γ t : { x : T P } Γ σ 1 t : T Γ t : T Γ, x : T P : Prop Γ?P [t/x] : P [t/x] Γ elt t? P [t/x] : { x : T P } 10 / 50

... to Subset Coercions 1 A property-irrelevant language (Russell) with decidable typing 2 A total interpretation to Coq terms with holes 3 A mechanism to turn the holes into proof obligations and manage them. Γ t : { x : T P } Γ σ 1 t : T Γ t : T Γ, x : T P : Prop Γ p : P [t/x] Γ elt t p : { x : T P } 10 / 50

Russell typing and coercion Calculus of Constructions with Γ t : U Γ U β T : s Γ t : T 11 / 50

Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s 11 / 50

Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set 11 / 50

Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Example Γ 0 : N Γ N { x : N x 0 } : Set Γ 0 : { x : N x 0 } Γ? : 0 0 11 / 50

Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ U T : s 1 Γ, x : U V W : s 2 Γ Πx : T.V Πx : U.W : s 2 Γ S T : s Γ T U : s Γ S U : s 11 / 50

Russell typing and coercion Calculus of Constructions with Γ t : U Γ U T : s Γ t : T Γ T β U : s Γ T U : s Γ U V : Set Γ, x : U P : Prop Γ { x : U P } V : Set Γ U V : Set Γ, x : V P : Prop Γ U { x : V P } : Set Γ U T : s 1 Γ, x : U V W : s 2 Γ Πx : T.V Πx : U.W : s 2 Γ S T : s Γ T U : s Γ S U : s is symmetric! 11 / 50

Metatheory Theorem (Subject Reduction) If Γ t : T and t β u then Γ u : T Using the TPOSR technique due to Robin Adams. 12 / 50

Metatheory Theorem (Subject Reduction) If Γ t : T and t β u then Γ u : T Using the TPOSR technique due to Robin Adams. Theorem (Decidability of type checking and type inference) Γ t : T is decidable. 12 / 50

From Russell to Coq The target system : CIC with metavariables Γ? t : T Γ? p : P [t/x] Γ? elt T,P t p : { x : T P } Γ? t : { x : T P } Γ? σ 1 t : T Γ? t : { x : T P } Γ? σ 2 t : P [σ 1 t/x] Γ? P : Prop Γ?? Γ P : P We build an interpretation Γ from Russell to CIC? terms. 13 / 50

From Russell to Coq The target system : CIC with metavariables Γ? t : T Γ? p : P [t/x] Γ? elt T,P t p : { x : T P } Γ? t : { x : T P } Γ? σ 1 t : T Γ? t : { x : T P } Γ? σ 2 t : P [σ 1 t/x] Γ? P : Prop Γ?? Γ P : P We build an interpretation Γ from Russell to CIC? terms. Our goal: proving soundness If Γ t : T then Γ? t Γ : T Γ. 13 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? Γ? T β U : s Γ? : T U : { x : T P } T 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T Γ? : T { x : T P } 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T Γ? elt? P Γ,x:T [ /x] : T { x : T P } 14 / 50

Deriving explicit coercions: Γ? c : T U Interpretation of coercions If Γ T U : s then there exists c so that Γ? c : T U. Γ? T β U : s Γ? : T U Γ? σ 1 : { x : T P } T Γ? elt? P Γ,x:T [ /x] : T { x : T P } Example Γ? 0 : N Γ? elt? 0 : N { x : N x 0 } Γ? elt 0? 0 0 : { x : N x 0 } 14 / 50

Interpretation of terms: Γ Example (Application) Γ f : T Γ T Πx : V.W : s Γ u : U Γ U V : s Γ (f u) : W [u/x] f u Γ = let π = coerce Γ T (Πx : V.W ) in let c = coerce Γ U V in (π[ f Γ ]) (c[ u Γ ]) Theorem (Soundness) If Γ t : T then Γ? t Γ : T Γ. 15 / 50

Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq 16 / 50

Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq { (η) (λx : X.e x) e if x / FV(e) η-rules (SP) elt E,P (σ 1 e) (σ 2 e) e 16 / 50

Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq { (η) (λx : X.e x) e if x / FV(e) η-rules (SP) elt E,P (σ 1 e) (σ 2 e) e Proof Irrelevance elt E,P t p elt E,P t p if t t 16 / 50

Theoretical matters...? s equational theory: { (β) (λx : X.e) v e[v/x] β-rules (σ i ) σ i (elt E,P e 1 e 2 ) e i } Coq { (η) (λx : X.e x) e if x / FV(e) η-rules (SP) elt E,P (σ 1 e) (σ 2 e) e Proof Irrelevance elt E,P t p elt E,P t p if t t... have practical effects Difficulty to reason on code: t u t Γ Coq u Γ. 16 / 50

1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 17 / 50

The Program vernacular Replaces the Program tactic by Catherine Parent. 18 / 50

The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 18 / 50

The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; Program Definition f : T := t. 18 / 50

The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; Program Definition f : T Γ := t Γ. 18 / 50

The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proof of the obligations ; Program Definition f : T Γ := t Γ + obligations. 18 / 50

The Program vernacular Replaces the Program tactic by Catherine Parent. Architecture Wrap around Coq s vernacular commands (Definition, Fixpoint, Lemma,... ). 1 Use the Coq parser ; 2 Typecheck Γ t : T and generate Γ? t Γ : T Γ ; 3 Interactive proof of the obligations ; 4 Final definition. Definition f : T Γ := t Γ + obligations. 18 / 50

Sugar Obligations Unresolved implicits ( ) are turned into obligations, à la refine. Bang! = (False rect ) where False rect : A : Type, False A. It corresponds to ML s assert(false). match x with 0! n end 19 / 50

Sugar Obligations Unresolved implicits ( ) are turned into obligations, à la refine. Bang! = (False rect ) where False rect : A : Type, False A. It corresponds to ML s assert(false). match x with 0! n end Destruction Let let p := t in e = match t with p e end. p can be an arbitrary pattern. 19 / 50

Recursion Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. 20 / 50

Recursion Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. a : N f : {x : N x < a} N b : N 20 / 50

Hello World: Euclidean division DEMO 21 / 50

Pattern-matching revisited Put logic into the terms. Let e : N: match e return T with S n t 1 0 t 2 end 22 / 50

Pattern-matching revisited Put logic into the terms. Let e : N: match e as t return t = e T with S n fun (H : S n = e) t 1 0 fun (H : 0 = e) t 2 end (refl equal e) 22 / 50

Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 n fun (H : n = e) t 2 end (refl equal e) 22 / 50

Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 S 0 fun (H : S 0 = e) t 2 0 fun (H : 0 = e) t 2 end (refl equal e) 22 / 50

Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Let e : N: match e as t return t = e T with S (S n) fun (H : S (S n) = e) t 1 n fun (H : n = e) let H : n, n S (S n ) in t 2 end (refl equal e) 22 / 50

Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Generalized to dependent inductive types. Let e : vector n: match e return T with vnil t 1 vcons x n v t 2 end 22 / 50

Pattern-matching revisited Put logic into the terms. Further refinements Each branch typed only once ; Add inequalities for intersecting patterns ; Generalized to dependent inductive types. Let e : vector n: match e as t in vector n return n = n JMeq t e T with vnil fun (H : 0 = n)(hv : JMeq vnil e) t 1 vcons x n v fun (H : S n = n) (Hv : JMeq (vcons x n v ) e) t 2 end (refl equal n)(jmeq refl e) 22 / 50

1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 23 / 50

Dependent Finger Trees A complex datastructure, with a reference implementation in Haskell (Hinze & Paterson, JFP 2006). Using Program and type classes, we construct a faithful port which is proved safe (terminating and invariant preserving). 24 / 50

Dependent Finger Trees A complex datastructure, with a reference implementation in Haskell (Hinze & Paterson, JFP 2006). Using Program and type classes, we construct a faithful port which is proved safe (terminating and invariant preserving). Through dependent types, it provides guarantees to be used by higher-level structures. 24 / 50

Dependent Finger Trees A complex datastructure, with a reference implementation in Haskell (Hinze & Paterson, JFP 2006). Using Program and type classes, we construct a faithful port which is proved safe (terminating and invariant preserving). Through dependent types, it provides guarantees to be used by higher-level structures. Instantiated to (safe) ropes whose extraction has reasonnable performance. 24 / 50

A quick tour of Finger Trees A Simple General Purpose Data Structure (Hinze & Paterson, JFP 2006) Purely functional, nested datatype Parameterized data structure Efficient deque operations, concatenation and splitting 25 / 50

The Big Finger Tree Picture data Digit a = One a Two a a Three a a a Four a a a a data Node a = Node2 a a Node3 a a a

The Big Finger Tree Picture data Digit a = One a Two a a Three a a a Four a a a a data Node a = Node2 a a Node3 a a a data FingerTree a = Empty Single a Deep (Digit a) (FingerTree (Node a)) (Digit a) Two Two Deep Deep Empty Three One Node2 Node3 Node2

Operating on a Finger Tree add left :: a FingerTree a FingerTree a add left a Empty = Single a add left a (Single b) = Deep (One a) Empty (One b) add left a (Deep pr m sf ) =... Deep Three Empty Three C D E F G H 27 / 50

Operating on a Finger Tree add left :: a FingerTree a FingerTree a add left a Empty = Single a add left a (Single b) = Deep (One a) Empty (One b) add left a (Deep pr m sf ) =... Deep Four Empty Three B C D E F G H 27 / 50

Operating on a Finger Tree add left :: a FingerTree a FingerTree a add left a Empty = Single a add left a (Single b) = Deep (One a) Empty (One b) add left a (Deep pr m sf ) =... Deep Two Single Three A B F G H Node3 C D E 27 / 50

Adding cached measures class Monoid v Measured v a where :: a v

Adding cached measures class Monoid v Measured v a where :: a v instance (Measured v a) Measured v (Digit a) where

Adding cached measures class Monoid v Measured v a where :: a v instance (Measured v a) Measured v (Digit a) where data Node v a = Node2 v a a Node3 v a a a data FingerTree v a = Empty Single a Deep v (Digit a) (FingerTree v (Node v a)) (Digit a) Node2 a b a b Two Deep a g Empty ε Node3 c d e c d e One Node2 f g f g

Outline 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 29 / 50

Why do this? Generally useful, non-trivial structure Abstraction and specification power needed to ensure coherence of measures 30 / 50

Digits Variable A : Type. Inductive digit : Type := One : A digit Two : A A digit Three : A A A digit Four : A A A A digit. Definition full x := match x with Four True False end. 31 / 50

Digits cont d Program Definition add digit left (a : A) (d : digit full d) : digit := match d with One x Two a x Two x y Three a x y Three x y z Four a x y z Four! end. 32 / 50

Nodes Variables (v : Type) (mono : monoid v). Variables (A : Type) (measure : A v). 33 / 50

Nodes Variables (v : Type) (mono : monoid v). Variables (A : Type) (measure : A v). Inductive node : Type := Node2 : x y, { s : v s = x y } node Node3 : x y z, { s : v s = x y z } node. 33 / 50

Nodes Variables (v : Type) (mono : monoid v). Variables (A : Type) (measure : A v). Inductive node : Type := Node2 : x y, { s : v s = x y } node Node3 : x y z, { s : v s = x y z } node. Program Definition node2 (x y : A) : node := Node2 x y ( x y ). Program Definition node measure (n : node) : v := match n with Node2 s s Node3 s s end. 33 / 50

Dependent Finger Trees Inductive fingertree (A : Type) : Type := Empty : fingertree A Single : x : A, fingertree A Deep : (l : digit A) (m : v), fingertree (node A) (r : digit A), fingertree A. node : (A : Type) (measure : A v), Type 34 / 50

Dependent Finger Trees Inductive fingertree (A : Type) (measure : A v) : Type := Empty : fingertree A measure Single : x : A, fingertree A measure Deep : (l : digit A) (m : v), fingertree (node A measure) (node measure A measure) (r : digit A), fingertree A measure. node : (A : Type) (measure : A v), Type node measure A (measure : A v) : node A measure v 34 / 50

Dependent Finger Trees Inductive fingertree (A : Type) (measure : A v) : v Type := Empty : fingertree A measure ε Single : x : A, fingertree A measure (measure x) Deep : (l : digit A) (m : v), fingertree (node A measure) (node measure A measure) m (r : digit A), fingertree A measure (digit measure measure l m digit measure measure r). 34 / 50

Adding to the left fix add left A (measure : A v) (a : A) (s : v) (t : fingertree measure s) {struct t} : fingertree measure (measure a s) := 35 / 50

Adding to the left fix add left A (measure : A v) (a : A) (s : v) (t : fingertree measure s) {struct t} : fingertree measure (measure a s) := match t with Empty Single a measure a = measure a ε Single b Deep (One a) Empty (One b) Deep pr st t sf end. 35 / 50

Adding to the left fix add left A (measure : A v) (a : A) (s : v) (t : fingertree measure s) {struct t} : fingertree measure (measure a s) := match t with Empty Single a measure a = measure a ε Single b Deep (One a) Empty (One b) Deep pr st t sf match pr with Four b c d e let sub := add left (node3 measure c d e) t in Deep (Two a b) sub sf x Deep (add digit left a pr) t sf end end. 35 / 50

Two hundred lines, one hundred obligations concatenation def app (A : Type) (measure : A v) (xs : v) (x : fingertree measure xs) (ys : v) (y : fingertree measure ys) : fingertree measure (xs ys). 36 / 50

Splitting nodes def splitnode (p : v bool) (i : v) (n : node A measure) : { (l, x, r) : option (digit A) A option (digit A) let ls := option digit measure measure l in let rs := option digit measure measure r in node measure n = ls x rs (l = None p (i ls) = false) (r = None p (i ls x ) = true)} :=... Program Definition split node (p : v bool) i (n : node A) : { (l, x, r) : option (digit A) A option (digit A) n = l x r (l = None p (i l ) = false) (r = None p (i l x ) = true)} :=... 37 / 50

Summary We proved that all the functions from the original paper: are terminating and total respect the measures respect the invariants given in the paper Haskell Program Lines L.o.C. Obls L.o.P. app 200 200 100 auto split 20 30 14 200 FingerTree 650 700 n.a. 400 38 / 50

Summary We proved that all the functions from the original paper: are terminating and total respect the measures respect the invariants given in the paper Haskell Program Lines L.o.C. Obls L.o.P. app 200 200 100 auto split 20 30 14 200 FingerTree 650 700 n.a. 400 Non-dependent interface, specializations A version with modules for a better extraction to OCaml 38 / 50

Outline 1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 39 / 50

Ropes on top of Finger Trees Ingredients: A := string int int (substrings) v := int (the length, computationally relevant) measure (str, start, len) := len mono := (0, +) Implement substring, get 40 / 50

Ropes on top of Finger Trees Ingredients: A := string int int (substrings) v := int (the length, computationally relevant) measure (str, start, len) := len mono := (0, +) Implement substring, get Extracted code comparable to an optimized rope implementation. 40 / 50

Ropes on top of Finger Trees Ingredients: A := string int int (substrings) v := int (the length, computationally relevant) measure (str, start, len) := len mono := (0, +) Implement substring, get Extracted code comparable to an optimized rope implementation. Relies on implicit invariants of the monoid, measure and code. 40 / 50

Certified Sequences: the monoid def below i := { x : nat x < i }. def v := { i : nat & (below i A) }. 41 / 50

Certified Sequences: the monoid def below i := { x : nat x < i }. def v := { i : nat & (below i A) }. def epsilon : v := 0 (fun!). def append (n, fx) (m, fy) : v := (n + m) (fun i if lt ge dec i n then fx i else fy (i - n)). 41 / 50

Instantiation def measure (x : A) : v := 1 (fun x). def seq (x : v) := fingertree seqmonoid measure x. 42 / 50

Instantiation def measure (x : A) : v := 1 (fun x). def seq (x : v) := fingertree seqmonoid measure x. tail n f : seq (n f ) seq (pred n (fun i f (S i))) app n fx m fy : seq (n fx) seq (m fy) seq (n + m (fun i if lt ge dec i n then fx i else fy (i - n))) 42 / 50

The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). 43 / 50

The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). def get (i : nat) (m : below i A) (x : seq (i m)) (j : below i) : { value : A value = m j }. 43 / 50

The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). def get (i : nat) (m : below i A) (x : seq (i m)) (j : below i) : { value : A value = m j }. def set (i : nat) (m : below i A) (x : seq (i m)) (j : below i) (value : A) : seq (i (fun idx if idx = j then value else m idx)). 43 / 50

The sequence and its operations fix make (i : nat) (v : A) { struct i } : seq (i (fun v)). def get (i : nat) (m : below i A) (x : seq (i m)) (j : below i) : { value : A value = m j }. def set (i : nat) (m : below i A) (x : seq (i m)) (j : below i) (value : A) : seq (i (fun idx if idx = j then value else m idx)). Modularity: only the specifications are used! Efficiency: Irrelevance of m currently not specified 43 / 50

Theorems for free! Program Lemma get set i m (x : seq (i m)) (j : below i) (value : A) : value = get (set x j value) j. Program Lemma get set diff i m (x : seq (i m)) (j : below i) (value : A) (k : below i) : j k get x k = get (set x j value) k. 44 / 50

Summary A certified implementation of Finger Trees and random-access sequences. Program scales, thanks to the phase distinction. Typeclasses to solve the overloading issues. 45 / 50

1 Russell Subset Coercions: A Simple Idea Metatheory Interpretation in Coq 2 Program Extensions Hello World 3 Finger Trees Finger Trees in Haskell Dependent Finger Trees Specializations Ropes Random-access sequences 4 Conclusion 46 / 50

Our contributions We studied a more flexible programming language, Russell, providing a new formal justification of Predicate subtyping à la PVS, in a system with proof terms. 47 / 50

Our contributions We studied a more flexible programming language, Russell, providing a new formal justification of Predicate subtyping à la PVS, in a system with proof terms. We implemented the Program tool to ease programming in Coq using the full language ( 10k lines of OCaml). 47 / 50

Our contributions We studied a more flexible programming language, Russell, providing a new formal justification of Predicate subtyping à la PVS, in a system with proof terms. We implemented the Program tool to ease programming in Coq using the full language ( 10k lines of OCaml). We experimented it on a verified implementation of Finger Trees and ropes ( 4k lines of literate Coq). 47 / 50

Dissemination A methodology to build certified code in Coq, distributed since 2005: Already experimented by others, e.g. the Ynot project (Nanevsky, Morrisett & Birkedal) implementing Hoare Type Theory on top of Coq. Independent of the theory, can be ported to other systems: Matita (by Enrico Tassi), Agda, Epigram. 48 / 50

Ongoing and future work We hinted at the important foundational issues with η-rules and proof-irrelevance that need to be solved (with Benjamin Werner). Automation for discharging proof-obligations (Sean Wilson at Edinburgh). Handling truly dependent pattern-matching by an elaboration. 49 / 50

The End Programming with Dependent Types in Coq Matthieu Sozeau LRI, Univ. Paris-Sud - Démons Team & INRIA Saclay - ProVal Project PPS Seminar February 26th 2009 Paris, France Try 8.2!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback