Experience Report: Smuggling a Little Bit of Coq Inside a CAD Development Context - PowerPoint PPT Presentation


SLIDE 1

Experience Report: Smuggling a Little Bit of Coq Inside a CAD Development Context

Dimitur Krustev

IGE+XAO Balkan

6 July 2020 / Coq Workshop 2020

Dimitur Krustev (IGE+XAO Balkan) Smuggling a Little Bit of Coq Coq Workshop 2020 1 / 13

SLIDE 2

Outline

1. Introduction
2. When We Use Coq (Example: A* Search)
3. How We Use Coq
4. Why We Use Coq
5. Conclusions

SLIDE 3

Introduction

IGE+XAO – a company working on electrical CAD software for almost 35 years; a part of Schneider Electric since 2018

Quality assurance is based on a combination of widely used standard techniques. However, we found formal verification using Coq useful in certain specific circumstances: why, when, how

SLIDE 4

Company – Products

IGE+XAO – focus on electrical CAD systems, since 1986. Solutions for several domains:

  • Transport equipment manufacturing (Aircraft, Trains, Ships, Automotive): system design of electrical installation, cable harness routing, cable harness manufacturing, . . .

  • Equipment, Machinery, Plant Automation: schematic editors, 3D Electrical Panel Design, . . .

  • Construction

SLIDE 7

Company – Organization

R&D departments in several countries: France, Poland, Bulgaria, Denmark, Tunisia

Technologies used in recent years:

  • majority of code still in C++
  • new projects based on .NET – mostly C#
  • more recently, F# also used in .NET projects

QA – standard methods, expected to give the best cost/quality ratio:

  • unit/automated/manual tests
  • code reviews
  • code linters

F# in our technology stack:

  • faster to prototype domain-specific algorithms
  • immutable by default – easier to write correct parallel code
  • luckily, OCaml code extracted by Coq is mostly usable as F# code

SLIDE 8

When We Use Coq

Tricky generic algorithms – not in standard libraries – with disproportionately high impact on final quality; stable specification, easy to formalize

[Diagram: code categories – Domain-specific Algorithms, Business Logic, Standard Libraries, Generic Algorithms & Data Structures]

Rare small examples in Coq (apply "patches" to electrical design documents)

Best Area for Coq:

  • graph algorithms (A* search, length-preserving tree layout, B&B TSP, ...)
  • data structures (union-find, priority queues, ...)
  • PL-related (a single exception)

Research work, not directly related to our production, is not discussed here

SLIDE 9

Example: A* Search – Context

Context: a tool for automatically drawing wiring diagrams

[Figure: an automatically generated wiring diagram; the connector, wire and terminal labels that spilled into the text are omitted]

We needed a customized version of A* Search in order to find wire routes during diagram generation:

  • to have a more generic API (e.g. arbitrary edge weights)
  • to fine-tune performance (e.g. LIFO tie-breaking)

⇒ an in-house implementation

Subtle correctness arguments; key infrastructure for the whole product
⇒ We chose verification in Coq as the main QA approach

SLIDE 10

Example: A* Search – Specification

```coq
(* path lists the predecessors of endNode, from endNode back to start *)
Fixpoint CorrectRouteHelper (start: Node) (endNode: Node) (w: Weight)
    (path: list Node) : Prop :=
  match path with
  | nil => start = endNode ∧ w = weightZero
  | node::path =>
      ∃ w', In (endNode, w') (neighbors node) ∧
      ∃ w'', CorrectRouteHelper start node w'' path ∧ w = weightAdd w'' w'
  end.

Definition CorrectRoute (start: Node) (route: Node * Weight * list Node) : Prop :=
  let '(endNode, w, path) := route in
  isGoalNode endNode = true ∧
  NoDup (endNode::path) ∧
  CorrectRouteHelper start endNode w path.

Theorem Astar_CorrectRoute: ∀ start route,
  Astar start = Some route → CorrectRoute start route.
```

Relatively simple and not expected to change in the future. Trade-off: only check result route correctness, not optimality.
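The slide's specification can be read as an executable check as well as a proof obligation. The following Python is an added example, not the talk's Coq or F# code: a small A* over a constructed weighted graph, with the two customizations the previous slide mentions (arbitrary edge weights, LIFO tie-breaking among equal-priority entries), followed by `CorrectRouteHelper` and `CorrectRoute` transliterated into a runtime checker applied to the route A* returns. The graph, goal predicate and heuristic are assumptions made up for the example; the route shape mirrors the Coq `Node * Weight * list Node` triple, with `path` listing the predecessors of the end node back to the start.

```python
"""Added example (not the talk's code): a small A* with arbitrary edge weights
and LIFO tie-breaking, plus the slide's CorrectRoute specification transliterated
into an executable check that is run on the route A* returns."""
import heapq
import itertools
from math import isclose

# Constructed sample graph: node -> [(neighbour, edge weight)].  Weights may be
# any non-negative numbers; nothing below assumes a unit grid.
GRAPH = {
    "A": [("B", 1.0), ("C", 4.0)],
    "B": [("A", 1.0), ("D", 2.0), ("E", 5.0)],
    "C": [("A", 4.0), ("E", 1.0)],
    "D": [("B", 2.0), ("E", 1.0)],
    "E": [("B", 5.0), ("C", 1.0), ("D", 1.0)],
    "F": [],  # isolated: no route from here
}

def neighbors(node):
    return GRAPH.get(node, [])

def is_goal_node(node):
    return node == "E"

def heuristic(node):
    # Assumed admissible estimate of the remaining cost for this sample graph.
    return {"A": 2.0, "B": 1.0, "C": 1.0, "D": 1.0, "E": 0.0, "F": 0.0}[node]

def astar(start, lifo=True):
    """Return (endNode, weight, path) or None.

    `path` has the shape the Coq spec expects: predecessors of endNode listed
    from endNode back to start (start included, endNode excluded).
    """
    counter = itertools.count()
    open_heap = []  # entries: (f, tie, g, node, path)

    def push(g, node, path):
        # Equal-f entries: the negated counter makes the newest pop first (LIFO).
        tie = -next(counter) if lifo else next(counter)
        heapq.heappush(open_heap, (g + heuristic(node), tie, g, node, path))

    push(0.0, start, [])
    closed = set()
    while open_heap:
        _, _, g, node, path = heapq.heappop(open_heap)
        if node in closed:
            continue  # stale duplicate entry for an already expanded node
        if is_goal_node(node):
            return (node, g, path)
        closed.add(node)
        for nb, w in neighbors(node):
            if nb not in closed:
                push(g + w, nb, [node] + path)
    return None

def correct_route_helper(start, end_node, w, path):
    """CorrectRouteHelper from the slide, evaluated instead of proved."""
    if not path:
        return start == end_node and isclose(w, 0.0, abs_tol=1e-9)
    node, rest = path[0], path[1:]
    # Exists w' with (endNode, w') in neighbors node, and exists w'' with
    # w = w'' + w'; the only candidate for w'' is w - w'.
    return any(
        correct_route_helper(start, node, w - w1, rest)
        for nb, w1 in neighbors(node) if nb == end_node
    )

def correct_route(start, route):
    """CorrectRoute from the slide: goal reached, no repeated node, weights add up."""
    end_node, w, path = route
    return (is_goal_node(end_node)
            and len(set([end_node] + path)) == len(path) + 1
            and correct_route_helper(start, end_node, w, path))

if __name__ == "__main__":
    route = astar("A")
    print(route, correct_route("A", route))
```

Running the checker on every route returned is what a test suite can do; it catches a wrong route on the inputs exercised, which is exactly the gap the Coq theorem closes for all inputs. Note that, as on the slide, the check says nothing about optimality: a correct but longer route passes.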

SLIDE 11

Example: A* Search – Evaluation

Time spent on A* Search verification (∼40h) only slightly longer than what would be needed to create an initial implementation in F# with enough unit tests

A* in Coq → A* in F# ⊂ Wiring Diagram Generator (WDG) ⊂ Electrical Diagram Visualizer (EDV)

Top-level product extensively tested during 2 years:

                   Language          Lines of code               Issues
                                     Impl.   Proofs   Cmts.
  A*               Coq               173     203      29
  A* (extracted)   F#                39
  WDG              C# + F#           108K                        400+
  EDV              C# + TypeScript                               800+

SLIDE 12

How We Use Coq

Main goal: keep the cost/quality ratio competitive with respect to other QA methods

  • Avoid using tools/libraries not coming with the standard Coq installation
  • Use built-in extraction to produce executable code
      – major enabler: we already use a language – F# – which is (mostly) compatible with Coq extraction
      – functional programming techniques already used in production – mostly because they make parallel programming easier

Code verified in Coq typically tiny in size and stable over time

⇒ so far, we can avoid Coq integration in the automatic build process, integrating extracted code manually instead

SLIDE 13

Extraction: Technical Issues

F# is compatible with the OCaml core, but some features in extracted code are problematic:

  • F# module system very limited ⇒ avoid using modules
  • no higher-kinded types ⇒ manual tweaking and/or some workarounds in Coq (any manual edit to the extracted code is outside what the Coq proof covers and must be redone whenever the Coq source changes):

```coq
Record FinSetOps (A: Set) := {
  FinSet: Set;
  empty: FinSet;
  add: ∀ (A_dec: ∀ x y: A, {x = y} + {x <> y}), A → FinSet → FinSet;
  contains: ∀ (A_dec: ∀ x y: A, {x = y} + {x <> y}), A → FinSet → bool;
  ...
}.

Variable fsOps: FinSetOps Node.
```

higher-kinded type "hidden" in extracted code:

```ocaml
... let closedSet' = fsOps.add node_dec node closedSet ...
```

SLIDE 14

Why We Use Coq

The use of Coq – for certain use cases – provides tangible net benefits in the long term¹

  • short-term extra investment – need to spend time doing proofs
  • short-term result – a 100% guarantee that the specification is respected (relative to Coq itself, its extraction mechanism and the F# compiler; hand edits to the extracted code are not covered), typically impossible with other QA methods
  • long-term gains – no need to repeatedly deal with bugs, which inevitably appear regularly in tricky unverified code; these typically far outweigh the short-term investment required

Due to the nature of our products, use of formal verification can bring sufficient benefits only in a small number of situations, but the impact on quality is disproportionately high

¹ assuming availability of competent Coq users

SLIDE 15

Conclusions

Using Coq to formally verify selected parts of the code can be highly beneficial – in certain use cases – even for standard off-the-shelf software

SLIDE 16

Bonus Example: Tree Layout Preserving Lengths

Early success (c. 2013). Context: prepare cable harnesses for manufacturing on a table. We found some existing algorithms designed for another domain (bioinformatics) – Bachmaier et al. 2005

[Figure: a cable harness laid out as a tree; the branch and connector labels that spilled into the text are omitted]

They needed adaptation for our domain ⇒ We successfully used Coq to verify our customized algorithm

```coq
Lemma layoutCountedTree_preservesLengths:
  ∀ ND ED getLen getCnt (t: Tree ND ED) a1 a2 x y,
  let t1 := layoutCountedTree getLen getCnt t a1 a2 x y in
  ∀ nd1 x1 y1 ed nd2 x2 y2,
    List.In ((nd1, (x1, y1)), ed, (nd2, (x2, y2))) (treeEdges t1) →
    (Rsqr (getLen ed) = Rsqr (x2 - x1) + Rsqr (y2 - y1))%R.
```
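To make the lemma concrete, here is an added Python example (not the talk's verified algorithm, whose details the slide does not give): a radial layout in the spirit of Bachmaier et al. 2005, where each child is placed at exactly its edge length from its parent and subtrees are given angular wedges proportional to their leaf counts (the `getCnt` of a counted tree), together with a numeric check of the lemma's conclusion on the laid-out edges. The harness tree, the mm lengths and the wedge rule are assumptions made up for the example; the edge tuples deliberately take the `((nd1, (x1, y1)), ed, (nd2, (x2, y2)))` shape the lemma reads from `treeEdges`.

```python
"""Added example (not the talk's verified algorithm): a radial tree layout in the
style of Bachmaier et al. 2005, with each child placed at exactly its edge length
from its parent, plus a numeric check of the slide's length-preservation lemma."""
import math

# Constructed sample harness tree: parent -> [(child, edge length in mm)].
TREE = {
    "root": [("n1", 120.0), ("n2", 80.0)],
    "n1": [("l1", 50.0), ("l2", 65.0), ("l3", 30.0)],
    "n2": [("l4", 40.0)],
    "l1": [], "l2": [], "l3": [], "l4": [],
}

def leaf_count(tree, node):
    """getCnt: number of leaves under `node` (a leaf counts as 1)."""
    children = tree[node]
    return 1 if not children else sum(leaf_count(tree, c) for c, _ in children)

def layout_counted_tree(tree, root, a1, a2, x, y):
    """Place `root` at (x, y) and spread its subtree over the angles [a1, a2].

    Each child gets a wedge proportional to its leaf count and sits at
    exactly its edge length along the wedge bisector, so edge lengths are
    kept while subtrees with more leaves get more room.  Returns laid-out
    edges as ((nd1, (x1, y1)), length, (nd2, (x2, y2))), the shape read by
    the lemma's treeEdges.
    """
    edges = []
    total = leaf_count(tree, root)
    angle = a1
    for child, length in tree[root]:
        wedge = (a2 - a1) * leaf_count(tree, child) / total
        mid = angle + wedge / 2.0
        cx, cy = x + length * math.cos(mid), y + length * math.sin(mid)
        edges.append(((root, (x, y)), length, (child, (cx, cy))))
        edges.extend(layout_counted_tree(tree, child, angle, angle + wedge, cx, cy))
        angle += wedge
    return edges

def preserves_lengths(edges, rel_tol=1e-9):
    """The lemma's conclusion, checked numerically on a laid-out edge list:
    getLen(ed)^2 = (x2 - x1)^2 + (y2 - y1)^2 for every edge."""
    return all(
        math.isclose(length ** 2, (x2 - x1) ** 2 + (y2 - y1) ** 2, rel_tol=rel_tol)
        for (_, (x1, y1)), length, (_, (x2, y2)) in edges
    )

if __name__ == "__main__":
    laid_out = layout_counted_tree(TREE, "root", 0.0, math.pi, 0.0, 0.0)
    for (a, p), length, (b, q) in laid_out:
        print(f"{a} {p} -> {b} {q}  len={length}")
    print("lengths preserved:", preserves_lengths(laid_out))
```

The numeric check needs a tolerance because it runs on floating point, whereas the Coq lemma is stated over `R` and holds exactly; that difference is one reason the talk verifies the algorithm rather than only testing its output.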
