from guarded to well founded

From guarded to well-founded Formalizing Coq s guard condition - PowerPoint PPT Presentation

Jan 21, 2023 •322 likes •860 views

From guarded to well-founded Formalizing Coq s guard condition Cyprien Mangin Matthieu Sozeau cyprien.mangin@m4x.org matthieu.sozeau@inria.fr Inria Paris & IRIF, Universit e Paris-Diderot July 8, 2018 1 Outline 1 Guard condition

  1. From guarded to well-founded Formalizing Coq ’s guard condition Cyprien Mangin Matthieu Sozeau cyprien.mangin@m4x.org matthieu.sozeau@inria.fr Inria Paris & IRIF, Universit´ e Paris-Diderot July 8, 2018 1

  2. Outline 1 Guard condition and trust 2 Translating guarded definitions 3 Current state of the implementation 2

  3. Outline 1 Guard condition and trust 2 Translating guarded definitions 3 Current state of the implementation 3

  4. Recursive definitions In Coq , we have Fixpoint and match instead of recursors. Fixpoint plus ( n m : nat ) { struct n } : nat := match n with | O ⇒ m | S n ’ ⇒ S ( plus n ’ m ) end . 4

  5. Recursive definitions In Coq , we have Fixpoint and match instead of recursors. Fixpoint plus ( n m : nat ) { struct n } : nat := match n with | O ⇒ m | S n ’ ⇒ S ( plus n ’ m ) end . The two presentations should be equivalent. 4

  6. Recursive definitions In Coq , we have Fixpoint and match instead of recursors. Fixpoint plus ( n m : nat ) { struct n } : nat := match n with | O ⇒ m | S n ’ ⇒ S ( plus n ’ m ) end . The two presentations should be equivalent. Fixpoint nat_rect ( P : nat → Type ) ( fO : P O ) ( fS : forall n , P n → P ( S n )) ( n : nat ) : P n := match n with | O ⇒ fO | S n ’ ⇒ fS n ’ ( nat_rect P fO fS n ’) end . 4

  7. Deep recursion Inductive Even : nat → Prop := zeven : Even O | seven { n : nat } : Even n → Even ( S ( S n )). Inductive Odd : nat → Prop := oneodd : ( Odd ( S O )) | sodd { n : nat } : Odd n → Odd ( S ( S n )). Definition EO ( n : nat ) := { Even n } + { Odd n } . Definition aux { n : nat } ( H : EO n ) : EO ( S ( S n )) := match H with left p ⇒ left ( seven p ) | right p ⇒ right ( sodd p ) end . Fixpoint evod ( n : nat ) : EO n := match n with | O ⇒ left zeven | S m ⇒ match m with | O ⇒ right oneodd | S p ⇒ aux ( evod p ) end end . 5

  8. The guard condition We need to make sure that every Fixpoint terminates. ◮ Syntactic condition on the body of a Fixpoint . ◮ For each variable in the current context, track whether it is a subterm of the recursive argument. ◮ For each recursive call, check that the recursive argument is a subterm. 6

  9. The guard condition We need to make sure that every Fixpoint terminates. ◮ Syntactic condition on the body of a Fixpoint . ◮ For each variable in the current context, track whether it is a subterm of the recursive argument. ◮ For each recursive call, check that the recursive argument is a subterm. Fixpoint plus ( n m : nat ) { struct n } : nat := match n with | O ⇒ m | S n’ ⇒ S ( plus n’ m ) end . 6

  10. The guard condition We need to make sure that every Fixpoint terminates. ◮ Syntactic condition on the body of a Fixpoint . ◮ For each variable in the current context, track whether it is a subterm of the recursive argument. ◮ For each recursive call, check that the recursive argument is a subterm. Fixpoint plus ( n m : nat ) { struct n } : nat := match n with | O ⇒ m | S n’ ⇒ S ( plus n’ m ) end . 6

  11. Issues of trust Are the two presentations really equivalent? 7

  12. Issues of trust Are the two presentations really equivalent? ◮ In 1994, yes: Eduardo Gim´ enez reduces guarded definitions to recursors. 7

  13. Issues of trust Are the two presentations really equivalent? ◮ In 1994, yes: Eduardo Gim´ enez reduces guarded definitions to recursors. ◮ Afterwards. . . not so clear anymore. The guard condition evolved over the years. 7

  14. Issues of trust Are the two presentations really equivalent? ◮ In 1994, yes: Eduardo Gim´ enez reduces guarded definitions to recursors. ◮ Afterwards. . . not so clear anymore. The guard condition evolved over the years. ◮ Commutative cuts 7

  15. Issues of trust Are the two presentations really equivalent? ◮ In 1994, yes: Eduardo Gim´ enez reduces guarded definitions to recursors. ◮ Afterwards. . . not so clear anymore. The guard condition evolved over the years. ◮ Commutative cuts ◮ A match can be a subterm if all branches are a subterm. 7

  16. Issues of trust Are the two presentations really equivalent? ◮ In 1994, yes: Eduardo Gim´ enez reduces guarded definitions to recursors. ◮ Afterwards. . . not so clear anymore. The guard condition evolved over the years. ◮ Commutative cuts ◮ A match can be a subterm if all branches are a subterm. ◮ A match with certain restrictions can be a subterm if all branches are a subterm. 7

  17. Issues of trust Are the two presentations really equivalent? ◮ In 1994, yes: Eduardo Gim´ enez reduces guarded definitions to recursors. ◮ Afterwards. . . not so clear anymore. The guard condition evolved over the years. ◮ Commutative cuts ◮ A match can be a subterm if all branches are a subterm. ◮ A match with certain restrictions can be a subterm if all branches are a subterm. ◮ . . . ? ⇒ We want a current justification of the guard condition. 7

  18. Our proposal: relying on well-foundedness The code that checks for the guard condition tracks whether each variable is a subterm. 8

  19. Our proposal: relying on well-foundedness The code that checks for the guard condition tracks whether each variable is a subterm. Use the subterm relation as a well-founded relation. For each such subterm, add a Coq proof that it is a subterm. 8

  20. Our proposal: relying on well-foundedness The code that checks for the guard condition tracks whether each variable is a subterm. Use the subterm relation as a well-founded relation. For each such subterm, add a Coq proof that it is a subterm. Definition nat_subterm : relation nat . Theorem wf_nat_subterm : well_founded nat_subterm . (* Large subterms. *) Definition nat_subterm_eq : relation nat . Definition nat_case ( N : nat ) ( x : nat ) ( Hsub : nat_subterm_eq x N ) ( P : nat → Type ) ( fO : P O ) ( fS : forall ( y : nat ), nat_subterm y N → P ( S y )) : P x . Definition plus_body ( n m : nat ) ( F : forall ( n ’ m ’ : nat ), nat_subterm n ’ n → nat ) : nat . 8

  21. Outline 1 Guard condition and trust 2 Translating guarded definitions 3 Current state of the implementation 9

  22. Back to the guard condition Seen from the top, rather straightforward: ◮ Recursively go through the function body, while collecting subterm information in the context. ◮ At a recursive call, check that we have a subterm in the recursive position. 10

  23. Back to the guard condition Seen from the top, rather straightforward: ◮ Recursively go through the function body, while collecting subterm information in the context. ◮ At a recursive call, check that we have a subterm in the recursive position. To check the guard on... match c return p with | C_i x y z ⇒ t end ...check that c and p are guarded, then compute the recursive information on x , y , z depending on the information on c , and check t under this context. 10

  24. Back to the guard condition Seen from the top, rather straightforward: ◮ Recursively go through the function body, while collecting subterm information in the context. ◮ At a recursive call, check that we have a subterm in the recursive position. To check the guard on... ( fun x ⇒ t ) ...check that t is guarded under a context where x is not a subterm 10

  25. Back to the guard condition Seen from the top, rather straightforward: ◮ Recursively go through the function body, while collecting subterm information in the context. ◮ At a recursive call, check that we have a subterm in the recursive position. To check the guard on... match c with | C f ⇒ ( fun x ⇒ t ) end y ...check that t is guarded under a context where x is not a subterm...unless there was some term applied to a match previously. 10

  26. Back to the guard condition Seen from the top, rather straightforward: ◮ Recursively go through the function body, while collecting subterm information in the context. ◮ At a recursive call, check that we have a subterm in the recursive position. To check the guard on... f x y z ...when f is the function being defined, check that the argument in recursive position is a subterm. 10

  27. The subterm relation For each inductive type, we can systematically define a direct subterm relation. Inductive nat : Set := O : nat | S : nat → nat . Inductive nat_direct_subterm : relation nat := nat_ds_1 : forall ( n : nat ), nat_direct_subterm n ( S n ). 1 See for instance Equations 11

  28. The subterm relation For each inductive type, we can systematically define a direct subterm relation. Inductive nat : Set := O : nat | S : nat → nat . Inductive nat_direct_subterm : relation nat := nat_ds_1 : forall ( n : nat ), nat_direct_subterm n ( S n ). The subterm relation is its transitive closure. Definition nat_subterm : relation nat := clos_trans nat nat_direct_subterm . This is already done automatically by some tools 1 , as well as proving its well-foundedness. 1 See for instance Equations 11

  29. Translation Fixpoint evod ( n : nat ) : EO n := match n with | O ⇒ left zeven | S m ⇒ match m with | O ⇒ right oneodd | S p ⇒ aux ( evod p ) end end . Definition evod_body ( n : nat ) ( F : forall ( m : nat ), nat_subterm m n → EO m ) : EO n := nat_case n n r_refl EO ( left zeven ) ( fun m Hsub ⇒ nat_case n m ( r_step Hsub ) ( fun m ⇒ EO ( S m )) ( right oneodd ) ( fun p Hsub ⇒ aux ( F p Hsub ))). 12

Recommend

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time we saw that corecursive functions have to be guarded. But guarded recur- sion does not always work, so we need something else, which we will be

783 views • 5 slides
Rewrite Semantics for Guarded Recursion in Type Theory Patrick Bahr IT University of Copenhagen

Rewrite Semantics for Guarded Recursion in Type Theory Patrick Bahr IT University of Copenhagen

Rewrite Semantics for Guarded Recursion in Type Theory Patrick Bahr IT University of Copenhagen joint work with Rasmus Mgelberg and Hans Bugge Grathwohl Overview Guarded Recursive Types Dependent Types Reduction Semantics 2 / 21 Guarded

488 views • 45 slides
The Clocks Are Ticking: No More Delays! Reduction Semantics for Type Theory with Guarded

The Clocks Are Ticking: No More Delays! Reduction Semantics for Type Theory with Guarded

The Clocks Are Ticking: No More Delays! Reduction Semantics for Type Theory with Guarded Recursion Patrick Bahr 1 Hans Bugge Grathwohl 2 Rasmus Mgelberg 1 1 IT University of Copenhagen 2 Aarhus University What is guarded recursion?

710 views • 48 slides
Guarded Traced Categories Sergey Goncharov and Lutz Schr oder Friedrich-Alexander-Universit

Guarded Traced Categories Sergey Goncharov and Lutz Schr oder Friedrich-Alexander-Universit

Guarded Traced Categories Sergey Goncharov and Lutz Schr oder Friedrich-Alexander-Universit at Erlangen-N urnberg FoSSaCS 2018, 16-19 April 2018, Thessaloniki, Greece Guarded Traced (Symmetric Monoidal) Categories Sergey Goncharov and

696 views • 34 slides
A model of PCF in Guarded Type Theory Marco Paviotti 1 Rasmus Mgelberg 1 Lars Birkedal 2 1 IT

A model of PCF in Guarded Type Theory Marco Paviotti 1 Rasmus Mgelberg 1 Lars Birkedal 2 1 IT

A model of PCF in Guarded Type Theory Marco Paviotti 1 Rasmus Mgelberg 1 Lars Birkedal 2 1 IT University of Copenhagen 2 Aarhus University June 23th, 2015 MFPS 2015 Nijmegen, Netherlands 1 / 20 Guarded Type Theory Birkedal and Mgelberg

838 views • 38 slides
The Well-Founded Model A Quick Introduction Peter Baumgartner The Well-Founded Model

The Well-Founded Model A Quick Introduction Peter Baumgartner The Well-Founded Model

The Well-Founded Model A Quick Introduction Peter Baumgartner The Well-Founded Model Peter Baumgartner p.1 Various Logic Program Semantics Assign meaning to a program / knowledge base: perfect model, stable models, well-founded

412 views • 16 slides
Cotton Brazil The Technological Giant 2 Abrapa has10 member associations Founded in2002

Cotton Brazil The Technological Giant 2 Abrapa has10 member associations Founded in2002

Cotton Brazil The Technological Giant 2 Abrapa has10 member associations Founded in2002 Founded in2015 99 % of the areaunder cotton inBrazil Founded in2006 Founded in1999 99 % of nationalcotton Founded in2000 production Founded in1999

785 views • 31 slides
GAIL: A DESIGN AND IMPLEMENTATION OF A CONSTRAINED GUARDED ACTION INTERMEDIATE LANGUAGE SUITABLE

GAIL: A DESIGN AND IMPLEMENTATION OF A CONSTRAINED GUARDED ACTION INTERMEDIATE LANGUAGE SUITABLE

GAIL: A DESIGN AND IMPLEMENTATION OF A CONSTRAINED GUARDED ACTION INTERMEDIATE LANGUAGE SUITABLE FOR REWRITE-BASED OPTIMIZATION Tim Zwiebel Northwestern University 2 Overview GAIL Rewriting Code Generator User Interface Future Work

577 views • 36 slides
Conservative Extensions in Guarded and Two-Variable Fragments Mauricio Martel Universitt

Conservative Extensions in Guarded and Two-Variable Fragments Mauricio Martel Universitt

Conservative Extensions in Guarded and Two-Variable Fragments Mauricio Martel Universitt Bremen, Germany Joint work with Jean Christoph Jung, Carsten Lutz, Thomas Schneider, and Frank Wolter Logic Tea ILLC, Amsterdam Mauricio Martel

1.14k views • 93 slides
Automotive System Testing by Independent Guarded Assertions Thomas Gustafsson Mats Skoglund,

Automotive System Testing by Independent Guarded Assertions Thomas Gustafsson Mats Skoglund,

1 Automotive System Testing by Independent Guarded Assertions Thomas Gustafsson Mats Skoglund, Avenir Kobetski, Daniel Sundmark firstname.lastname@sics.se thomas.gustafsson@scania.com Swedish Institute of Computer Science Scania CV Info

430 views • 18 slides
Decidable Fragments of First-Order and Fixed-Point Logic From prefix-vocabulary classes to guarded

Decidable Fragments of First-Order and Fixed-Point Logic From prefix-vocabulary classes to guarded

Decidable Fragments of First-Order and Fixed-Point Logic From prefix-vocabulary classes to guarded logics Erich Grdel graedel@rwth-aachen.de. Aachen University The classical decision problem part of Hilberts formalist programme for the

878 views • 76 slides
Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by:

Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by:

Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by: Professor Sistla Outline Part I: Symmetry based method Part II: CCTL logic Part III: Input language Part IV: Model checking algorithm

630 views • 60 slides
A Metalanguage for Guarded Iteration Sergey Goncharov Christoph Rauch Lutz Schr oder

A Metalanguage for Guarded Iteration Sergey Goncharov Christoph Rauch Lutz Schr oder

A Metalanguage for Guarded Iteration Sergey Goncharov Christoph Rauch Lutz Schr oder Friedrich-Alexander-Universit at Erlangen-N urnberg ICTAC 2018, October 15-19, Stellenbosch Two Flavors of Computations Domain theory

600 views • 33 slides
Guarded Traced Categories for Recursion and Iteration Sergey Goncharov a oder a and Paul Blain

Guarded Traced Categories for Recursion and Iteration Sergey Goncharov a oder a and Paul Blain

Guarded Traced Categories for Recursion and Iteration Sergey Goncharov a oder a and Paul Blain Levy b ) (joint ongoing work with Lutz Schr April 2, 2019, Reykjavik TCS Seminar a Friedrich-Alexander-Universit at Erlangen-N urnberg b

1.08k views • 54 slides
Guarded Kleene Algebra with Tests Verification of Uninterpreted Programs in Nearly Linear Time

Guarded Kleene Algebra with Tests Verification of Uninterpreted Programs in Nearly Linear Time

Guarded Kleene Algebra with Tests Verification of Uninterpreted Programs in Nearly Linear Time Steffen Smolka 1 Nate Foster 1 Justin Hsu 2 e 3 Dexter Kozen 1 Alexandra Silva 3 Tobias Kapp 1 Cornell University 2 University of Wisconsin-Madison 3

1.15k views • 80 slides
A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Author: Wei-Lin Chen

A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Author: Wei-Lin Chen

A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Author: Wei-Lin Chen Po-Kang Chen Quincy Wu Outline Introduction Motivation Related Works Authentication of Public WLAN Implementation &

426 views • 30 slides
A Mechanized Proof of Higmans Lemma by Open Induction Christian Sternagel University of

A Mechanized Proof of Higmans Lemma by Open Induction Christian Sternagel University of

A Mechanized Proof of Higmans Lemma by Open Induction Christian Sternagel University of Innsbruck, Austria January 18, 2016 Dagstuhl Seminar 16031 Well-Quasi-Orders in Computer Science Supported by the Austrian Science Fund (FWF):

833 views • 69 slides
Algorithmic Aspects of WQO (Well-Quasi-Ordering) Theory Part I: Basics of WQO Theory Sylvain

Algorithmic Aspects of WQO (Well-Quasi-Ordering) Theory Part I: Basics of WQO Theory Sylvain

Algorithmic Aspects of WQO (Well-Quasi-Ordering) Theory Part I: Basics of WQO Theory Sylvain Schmitz & Philippe Schnoebelen LSV, CNRS & ENS Cachan ESSLLI 2012, Opole, Aug 6-15, 2012 Lecture notes & exercices available at

536 views • 50 slides
NON-WELL-FOUNDED SET BASED MULTI-AGENT EPISTEMIC ACTION LANGUAGE 34 th Italian Conference on

NON-WELL-FOUNDED SET BASED MULTI-AGENT EPISTEMIC ACTION LANGUAGE 34 th Italian Conference on

University of Udine Department of Mathematics, Computer Science and Physics NON-WELL-FOUNDED SET BASED MULTI-AGENT EPISTEMIC ACTION LANGUAGE 34 th Italian Conference on Computational Logic Francesco Fabiano , Idriss Riouak, Agostino Dovier and

958 views • 63 slides
a = b c . . . 1 C ONTENT Intro & motivation, getting started with Isabelle

a = b c . . . 1 C ONTENT Intro & motivation, getting started with Isabelle

NICTA Advanced Course Theorem Proving Principles, Techniques, Applications a = b c . . . 1 C ONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic,

1.26k views • 93 slides
On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work with Byron Cook, Andreas Podelski, and Andrey Rybalchenko BCTCS06, 6 April 2006 State-of-the-art Systems Model checking Abstraction Properties

484 views • 13 slides
The Role of the Coinduction Hypothesis in Coinductive Proofs Anton Setzer Swansea University

The Role of the Coinduction Hypothesis in Coinductive Proofs Anton Setzer Swansea University

The Role of the Coinduction Hypothesis in Coinductive Proofs Anton Setzer Swansea University With contributions by Peter Hancock, Andreas Abel, Brigitte Pientka, David Thibodeau Operations, Sets, Types, M unchenwiler near Bern, Switzerland

941 views • 59 slides
Coinductive Reasoning in Dependent Type Theory - Copatterns, Objects, Processes Anton Setzer

Coinductive Reasoning in Dependent Type Theory - Copatterns, Objects, Processes Anton Setzer

Coinductive Reasoning in Dependent Type Theory - Copatterns, Objects, Processes Anton Setzer http://www.cs.swan.ac.uk/~csetzer/index.html Swansea University http://www.swansea.ac.uk/compsci/ (Part on Processes presented by Bashar Igried on

1.1k views • 72 slides
Constraints in Verification Andreas Podelski University of Freiburg two kinds of constraints in

Constraints in Verification Andreas Podelski University of Freiburg two kinds of constraints in

Constraints in Verification Andreas Podelski University of Freiburg two kinds of constraints in verification 1. upper bound for fixpoint constraint over sets of states X F(X) X X bound verification

656 views • 52 slides

More recommend