Coq LASER 2011 Summerschool Elba Island, Italy Christine - - PowerPoint PPT Presentation

▶

May 16, 2023 187 likes •313 views

Coq LASER 2011 Summerschool Elba Island, Italy Christine Paulin-Mohring Universit Paris Sud & INRIA Saclay - le-de-France September 2011 C. Paulin (Paris-Sud) Coq Sept. 2011 1 / 22 Introduction Outline Introduction What is C OQ ?

SLIDE 1

Coq

LASER 2011 Summerschool Elba Island, Italy Christine Paulin-Mohring

Université Paris Sud & INRIA Saclay - Île-de-France

September 2011

C. Paulin (Paris-Sud)

Coq

Sept. 2011

1 / 22

SLIDE 2

Introduction

Outline

Introduction What is COQ ? Example Basics of COQ language First steps in COQ

C. Paulin (Paris-Sud)

Coq

Sept. 2011

2 / 22

SLIDE 3

Introduction What is COQ ?

The proof assistant COQ

◮ An environment for developing mathematical facts:

◮ defining objects (integers, sets, trees, functions, programs . . . ) ◮ make statements (predicates) ◮ write proofs

◮ The compiler checks the correctness:

◮ of definitions (well-formed sets, terminating functions . . . ) ◮ of proofs

◮ The environment helps with:

◮ advanced notations ◮ proof search ◮ modular developments ◮ program extraction

C. Paulin (Paris-Sud)

Coq

Sept. 2011

3 / 22

SLIDE 4

Introduction What is COQ ?

Examples done with COQ

◮ Mathematics

◮ Fundamental theorem of Algebra (Barendregt et al) ◮ Feit-Thompson theorem on finite groups (INRIA-Microsoft

Research)

◮ Mixing maths and programs

◮ Four color theorem (Gonthier-Werner) ◮ Primality checker (Théry et al) ◮ A Wave Equation Resolution Scheme (Boldo et al)

◮ Programming environments with proofs

◮ JavaCard architecture (Gemalto-Trusted Logic, EAL7 certification) ◮ Certified optimizing compiler for C (Leroy et al) ◮ Formal Proofs for Computational Cryptography (Barthe et al) ◮ Ynot library: imperative programs-separation logic (Morrisett and al)

C. Paulin (Paris-Sud)

Coq

Sept. 2011

4 / 22

SLIDE 5

Introduction What is COQ ?

Related systems

◮ COQ is a proof assistant similar to HOL (Isabelle/HOL,

HOL4,HOL-light), PVS, . . .

◮ COQ is based on intuitionistic type theory:

◮ Similar to Epigram, Matita, . . . also Agda, NuPrl . . . ◮ Intentional behavior:

functions are programs that can be computed (not binary relations).

◮ Strong correspondance between proofs and programs.

C. Paulin (Paris-Sud)

Coq

Sept. 2011

5 / 22

SLIDE 6

Introduction What is COQ ?

Practical informations on COQ

◮ The Coq web site coq.inria.fr

◮ Official distribution (multi-platform), Reference manual ◮ Libraries and User’s contributions

◮ Reference book : the Coq’art by Yves Bertot and Pierre Castéran

Interactive Theorem Proving and Program Development

Coq’Art: The Calculus of Inductive Constructions Series: Texts in Theoretical Computer Science.

http://www.labri.fr/perso/casteran/CoqArt

◮ See also:

◮ Software foundations by B. Pierce and al.

http://www.cis.upenn.edu/~bcpierce/sf/

◮ Certified Programming with Dependent Types by A. Chlipala.

http://adam.chlipala.net/cpdt/

C. Paulin (Paris-Sud)

Coq

Sept. 2011

6 / 22

SLIDE 7

Introduction What is COQ ?

Two levels architecture

COQ environment

◮ notations ◮ extended language ◮ libraries ◮ tactics ◮ user extensible

compiled to

COQ kernel

◮ limited language ◮ few rules ◮ expressive

1+1=2 becomes @eq nat (plus (S O) (S O)) (S (S O))

C. Paulin (Paris-Sud)

Coq

Sept. 2011

7 / 22

SLIDE 8

Introduction What is COQ ?

Using COQ for program verification

◮ Express “program p is correct” as a mathematical statement in

COQ and prove it! Can be hard but proof is safe.

◮ Program your favorite program analyser (model-checking, abstract

interpretation,. . . ) in COQ, prove it correct and use it ! A big investment, but automatic result for each program instance.

◮ Represent program p as a COQ term t and the specification as a

type T such that t : T implies p is correct. Works well for functional (possibly monadic) programs.

◮ Use an external tool to generate proof obligations and then COQ

to solve obligations Less safe approach but can deal with undecidable fragments

C. Paulin (Paris-Sud)

Coq

Sept. 2011

8 / 22

SLIDE 9

Introduction What is COQ ?

Coq: outline of the courses

Introduction What is COQ ? Example Basics of COQ language First steps in COQ

C. Paulin (Paris-Sud)

Coq

Sept. 2011

9 / 22

SLIDE 10

Introduction Example

Example of C program verification

Approximate cosinus function near 0 using floating point numbers.

float my_cosine(float x) { return 1.0f − x * x * 0.5f; }

4 3 2 1 −1 −2 −3 −4 2 1 −1 −2

cos(x) 1 − x2

♠❡t❤♦❞ ❡rr♦r

✵①✶♣✲✺ 0.0312500000 ✵①✶✳❢❢❢♣✲✻ 0.0312461853 ✵①✶✳❢❢❡♣✲✻ 0.0312423706 ✵①✶✳❢❢❞♣✲✻ 0.0312385559 ✵①✶✳❢❢❝♣✲✻ 0.0312347412 ✵①✶✳❢❢❝✵✶✹♣✲✶ 0.9995123148 ✵①✶✳❢❢❝✵✵❝♣✲✶ 0.9995120764 ✵①✶✳❢❢❝✵✵✹♣✲✶ 0.9995118380

Method error Floating point error near

1 32

C. Paulin (Paris-Sud)

Coq

Sept. 2011

10 / 22

SLIDE 11

Introduction Example

Using COQ for C program verification

Code with specification (using real numbers):

/@ requires \abs(x) <= 0x1p−5; @ ensures \abs(\result − \cos(x)) <= 0x1p−23; @/ float my_cosine(float x) { //@ assert \abs(1.0 − xx0.5 − \cos(x)) <= 0x1p−24; return 1.0f − x * x * 0.5f; }

Demo : Frama-C/Why/Coq

C. Paulin (Paris-Sud)

Coq

Sept. 2011

11 / 22

Coq

LASER 2011 Summerschool Elba Island, Italy Christine Paulin-Mohring

Université Paris Sud & INRIA Saclay - Île-de-France

September 2011

Outline

Introduction What is COQ ? Example Basics of COQ language First steps in COQ

The proof assistant COQ

◮ An environment for developing mathematical facts:

◮ The compiler checks the correctness:

◮ The environment helps with:

Examples done with COQ

◮ Mathematics

Research)

◮ Mixing maths and programs

◮ Programming environments with proofs

Related systems

◮ COQ is a proof assistant similar to HOL (Isabelle/HOL,

HOL4,HOL-light), PVS, . . .

◮ COQ is based on intuitionistic type theory:

functions are programs that can be computed (not binary relations).

Practical informations on COQ

◮ The Coq web site coq.inria.fr

◮ Reference book : the Coq’art by Yves Bertot and Pierre Castéran

Interactive Theorem Proving and Program Development

Coq’Art: The Calculus of Inductive Constructions Series: Texts in Theoretical Computer Science.

http://www.labri.fr/perso/casteran/CoqArt

◮ See also:

http://www.cis.upenn.edu/~bcpierce/sf/

http://adam.chlipala.net/cpdt/

Two levels architecture

COQ environment

◮ notations ◮ extended language ◮ libraries ◮ tactics ◮ user extensible

compiled to

COQ kernel

◮ limited language ◮ few rules ◮ expressive

1+1=2 becomes @eq nat (plus (S O) (S O)) (S (S O))

Using COQ for program verification

◮ Express “program p is correct” as a mathematical statement in

COQ and prove it! Can be hard but proof is safe.

◮ Program your favorite program analyser (model-checking, abstract

interpretation,. . . ) in COQ, prove it correct and use it ! A big investment, but automatic result for each program instance.

◮ Represent program p as a COQ term t and the specification as a

type T such that t : T implies p is correct. Works well for functional (possibly monadic) programs.

◮ Use an external tool to generate proof obligations and then COQ

to solve obligations Less safe approach but can deal with undecidable fragments

Coq: outline of the courses

Introduction What is COQ ? Example Basics of COQ language First steps in COQ

Example of C program verification

Approximate cosinus function near 0 using floating point numbers.

float my_cosine(float x) { return 1.0f − x * x * 0.5f; }

cos(x) 1 − x2

Method error Floating point error near

Using COQ for C program verification

Code with specification (using real numbers):

/*@ requires \abs(x) <= 0x1p−5; @ ensures \abs(\result − \cos(x)) <= 0x1p−23; @*/ float my_cosine(float x) { //@ assert \abs(1.0 − x*x*0.5 − \cos(x)) <= 0x1p−24; return 1.0f − x * x * 0.5f; }

Demo : Frama-C/Why/Coq

/@ requires \abs(x) <= 0x1p−5; @ ensures \abs(\result − \cos(x)) <= 0x1p−23; @/ float my_cosine(float x) { //@ assert \abs(1.0 − xx0.5 − \cos(x)) <= 0x1p−24; return 1.0f − x * x * 0.5f; }