interactive theorem proving with coq - peoplenecula/autded/lecture18-coq.pdf · interactive theorem...
Post on 06-Aug-2020
3 Views
Preview:
TRANSCRIPT
Interactive TheoremProving with Coq
Adam Chlipala
Interactive Theorem Proving with Coq – p. 1
MotivationWe focus mainly on automated deduction inthis class.
There are many interesting theories that wedon’t yet know how to decide automatically.For instance:
Formalizing large parts of traditional mathOr proving the soundness of particularproof-carrying code systems
Interactive Theorem Proving with Coq – p. 2
OutlineCome up with a suitably general encoding forpropositions and proofs
See how systems like Coq can make it easierto generate formal proofs
Revisit a past lecture by using Coq to provethe correctness of JML-annotated Javaprograms
Go in the opposite direction by translatingCoq proofs into executable ML programs
Interactive Theorem Proving with Coq – p. 3
Proof checking viatype checking
Recall the discussion of proof representationin an earlier lecture.
We can express logical propositions with anML-style datatype.
If we add dependent types, we can evenexpress deduction rules as terms.
A supposed proof proves some propositiononly if it type-checks to have that proposition’stype.
Interactive Theorem Proving with Coq – p. 4
Review: Conjunctionand : prop → prop → prop
A BA ∧ B
∧I
andi : ΠA : prop. ΠB : prop. A → B → (and A B)
A ∧ BA
∧E1
ande1 : ΠA : prop. ΠB : prop. (and A B) → A
Interactive Theorem Proving with Coq – p. 5
Enter the ML typechecker!
The other propositional connectives can bedescribed with similar-looking terms.
While ML doesn’t support dependent types ingeneral, the types for propositional proofconstructors all fit into a format that it doessupport.
Instead of defining a new type of propositions,we can use the language of ML types itself asour proposition type!
ML polymorphism allows quantification overtypes.
Interactive Theorem Proving with Coq – p. 6
Demo: Proof checkerThis means that every ML compiler alreadycontains the essential machinery for checkinga complete proof system for propositionallogic!
See demo....
Interactive Theorem Proving with Coq – p. 7
But is all thatnecessary?
ML contains many more features than wouldbe required if we just wanted a proof checker.
Also, it’s not clear whether it would support allnew logical formalisms we might come upwith.
Coq uses the Calculus of InductiveConstructions (CIC), a system powerfulenough to allow the definition of the logicalconnectives using a simple extension oflambda calculus.
Interactive Theorem Proving with Coq – p. 8
CICStart with the simply typed lambda calculus.
Add dependently-typed polymorphism.
Add a way to define recursive data types andprimitive recursive functions over them.
These features are all that 99% of Coqdevelopments use.
Interactive Theorem Proving with Coq – p. 9
Defining connectivesInductive and
: Prop -> Prop -> Prop :=| andi : forall (A B : Prop),
A -> B -> and A B.
Inductive or: Prop -> Prop -> Prop :=
| ori1 : forall (A B : Prop),A -> or A B
| ori2 : forall (A B : Prop),B -> or A B.
Interactive Theorem Proving with Coq – p. 10
Defining equalityInductive eq
: forall (T:Type), T -> T -> Prop :=| eqi : forall (T : Type) (X : T),
eq X X.
Interactive Theorem Proving with Coq – p. 11
Interactive proving
Coq works mostly using backwardsreasoning.
You begin a proof by specifying a goal to beproved.
You specify a series of tactics that in generalproduce multiple sub-goals with different setsof hypotheses.
See demo....
Interactive Theorem Proving with Coq – p. 12
Proving programcorrectness
In a past lecture, we saw how to useESC/Java to find many bugs in Javaprograms.
We also saw many ways to trick ESC/Javainto accepting buggy programs. ��
We’ve seen how to produce verificationconditions for programs annotated withspecifications.
However, today’s automated tools aregenerally not clever enough to prove theseconditions.
Interactive Theorem Proving with Coq – p. 13
Manual correctnessproofs
Krakatoa is a verification condition generatorfor Java programs annotated with JML.
It can generate a series of Coq lemmastatements that together imply that that aJava program meets its spec.
A human has to go through and prove thetricky parts of these lemmas.
Interactive Theorem Proving with Coq – p. 14
BenefitsIf you can prove all of the lemmas, then youcan be sure that the program meets itsspecification.
There is no chance that a bug-finding tool’sheuristics just weren’t smart enough to find abug.
See demo for insertion sort....
Interactive Theorem Proving with Coq – p. 15
Compiling proofsinto programs
Most Coq proofs use constructive logic.
It is well-known that such proofs havecomputational interpretations.
The early example ofpropositional-logic-in-ML should give some ofthe intuition behind this.
Interactive Theorem Proving with Coq – p. 16
Programming byproving
This means that it is possible to develop aprogram by proving that its specification issatisfiable!
See demo....
Interactive Theorem Proving with Coq – p. 17
top related