higher-order type theory and Coq Vladimir Komendantsky University - - PowerPoint PPT Presentation

higher order type theory
SMART_READER_LITE
LIVE PREVIEW

higher-order type theory and Coq Vladimir Komendantsky University - - PowerPoint PPT Presentation

May 06, 2023 200 likes •461 views

Verification of functional programs in higher-order type theory and Coq Vladimir Komendantsky University of St Andrews, UK 18 November 2011 @ Roys Festschrift Outline Notational conventions 1 Program verification in the interactive

slide-1
SLIDE 1

Verification of functional programs in

higher-order type theory

and

Coq

Vladimir Komendantsky

University of St Andrews, UK

18 November 2011 @ Roy’s Festschrift

slide-2
SLIDE 2

Outline

1

Notational conventions

2

Program verification in the interactive theorem prover

3

Programming decision algorithms

4

Programming proofs

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 2 / 22

slide-3
SLIDE 3

Inductive type definitions

Σ : ∀ (A:Type). (A → Type) → Type x : A p : P x exist x p : Σ A P

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 3 / 22

slide-4
SLIDE 4

“Hello world” example

main() { printf(”hello, world\n”); }

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 4 / 22

slide-5
SLIDE 5

“Hello world” example

main() { printf(”hello, world\n”); } Inductive True : Prop := I : True.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 4 / 22

slide-6
SLIDE 6

“Hello world” example

main() { printf(”hello, world\n”); } Inductive True : Prop := I : True. Lemma HelloWorld : True. Proof. apply I. Qed.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 4 / 22

slide-7
SLIDE 7

Simply-typed functional programming versus program extraction

A simply-typed program has type A, and the type of A is Set (a non-recursive subsort of Type). Extraction takes, for example, exist x p of type Σ A P and “extracts” x by forgetting the enclosing structure.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 5 / 22

slide-8
SLIDE 8

Generic subtype structure

subType P is the structure for types isomorphic to Σ T P with P : pred T. val is a generic injection from a subType P of T into T. For example, if u : subType P, then val u : T. val is injective because P is proof-irrelevant. valP is the generic proof of P (val u) for u : subType P. Sub x Px is the generic constructor for subType P insub x is the generic partial projection of T into a subType S of T. If S : subType P then insub x = Some u with val u = x if P x, and None

  • therwise.
  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 6 / 22

slide-9
SLIDE 9

Separation of computational and higher-order logical content

Structure subType (T : Type) (P : pred T) : Type := SubType { sub sort :> Type; val : sub sort → T; Sub : ∀ x, P x → sub sort; : ∀ K ( : ∀ x Px, K (@Sub x Px)) u, K u; : ∀ x Px, val (@Sub x Px) = x }.

Lemma val insub adj (T : Type) (P : pred T) (S : subType P) (x : T) (u : sub sort S) (Px : P x) : (val u = x ↔ Some u = insub x). split; first by move ← ; rewrite valK. by rewrite (insubT Px) ⇒ uSubx; rewrite (Some inj uSubx); apply: SubK. Qed.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 7 / 22

slide-10
SLIDE 10

Natural numbers and bounded natural numbers

N : Type 0 : N n : N S n : N Equality == of two natural numbers is decidable. m < n = S m − n == 0 I : N → Type p : m < n Ordinal n m p : I n

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 8 / 22

slide-11
SLIDE 11

Regular expressions

re : N → Type Void n : re n Eps n : re n i : I n Atom n i : re n E : re n F : re n Alt n E F : re n E : re n F : re n Conc n E F : re n E : re n Star n E : re n

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 9 / 22

slide-12
SLIDE 12

The “output” of a regular expression is decidable

  • : ∀ n. re n → bool
  • Void = false
  • Eps = true
  • (Atom i)

= false

  • (Alt E F)

= o E || o F

  • (Conc E F) = o E &

& o F

  • (Star E)

= true

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 10 / 22

slide-13
SLIDE 13

Quotient regular expressions

E E0 E1 a a b a

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 11 / 22

slide-14
SLIDE 14

Quotient regular expressions

E E0 E1 a a b a E0 E E1 a a a b

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 11 / 22

slide-15
SLIDE 15

A motivating exercise

Let us define a monomial to be a regular expression whose main operation is not +, and a polynomial to be a finite, possibly empty sum of

  • monomials. We say that a monomial E is in head normal form (h.n.f.) if it

is either 0 or 1 or aj × F for some symbol aj and a regular expression F.

Exercise

Consider a concrete alphabet A = {a, b} and a regular expression E = (a × (a × b)∗ × a)∗ over this alphabet. Represent E by a finite set of polynomials whose monomials are in h.n.f.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 12 / 22

slide-16
SLIDE 16

Rewrite rules

The polynomial E can be reduced to a polynomial with all monomials in head normal form by recursive application of the following rewrite rule schemes to every monomial: (F1 × · · · × Fl × Fl+1) × G → (F1 × · · · × Fl) × (Fl+1 × G) (F1 + · · · + Fl) × G → F1 × G + · · · + Fl × G F ∗ × G → F × (F ∗ × G) + G F ∗ → F × F ∗ + 1 (1) Then, the set of monomials can be rearranged using the ACI equivalences: F + (G + H) =L (F + G) + H F + G =L G + F F + F =L F (2) and the additive zero property: F =L F + 0 (3)

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 13 / 22

slide-17
SLIDE 17

Solution to the exercise

Using the four rewrite rule schemes, the ACI-equivalences and the property

  • f zero, we obtain the following system of equations:

E =L a × (a × b)∗ × a × E + 1 =L a × E1 + o(E), E1 = (a × b)∗ × a × E =L (a × b) × E1 + a × E =L a × E2 + a × E + o(E1), E2 = b × E1 =L b × E1 + o(E2) Thus the regular expression E is described in terms of its output and the regular expression E1 which denotes a residual language that results from taking those words in the language of E that start from the symbol a and removing that occurrence of a.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 14 / 22

slide-18
SLIDE 18

The termination property demonstrated in the solution

We demonstrated that any E can be reduced to a polynomial E 1 = ai1 × E 1

1 + · · · + aip1 × E 1 p1 + o(E)

Then, we apply the same recursive algorithm to reduce E 1

1 , . . . , E 1 p1, and so

  • n, until the obtained polynomial is of the form

E q = aj1 × E q

1 + · · · + ajpq × E q pq + o(E q)

where E q

1 , . . . , E q pq are already defined, that is, these regular expressions

appear in the set E 1

1 , . . . , E 1 p1, . . . , E q−1 1

, . . . , E q−1

pq−1

Termination of this recursive process is the goal of Mirkin Theorem.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 15 / 22

slide-19
SLIDE 19

Basic finite types

seq : Type → Type nil A : seq A a : A s : seq A cons A a s : seq A map : ∀ T1 T2. (T1 → T2) → seq T1 → seq T2 map f [] = [] map f (x::s) = f x :: map f s head : ∀ T.T → seq T → T head x [] = x head x (y:: ) = y behead : ∀ T. seq T → seq T behead [] = [] behead ( ::s) = s

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 16 / 22

slide-20
SLIDE 20

Advanced finite types

Advanced finite types feature in Ssreflect libraries. There is a generic type

  • f finite structures finType : Type supporting, among others, the following
  • perations, for some T : finType:

1 The expression enum T yields a duplicate-free, canonical list of all

elements of T.

2 #|T| denotes the cardinality of T. 3 enum val i is the i-th element of enum T where i : I #|T|. 4 enum rank t is the index i : I #|T| such that enum val i = t.

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 17 / 22

slide-21
SLIDE 21

Type-rich definition of regular expressions

re : finType → Type Void X : re X Eps X : re X a : X Atom X a : re X E : re X F : re X Alt X E F : re X E : re X F : re X Conc X E F : re X E : re X Star X E : re X

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 18 / 22

slide-22
SLIDE 22

Regular languages

language : finType → Type language X = pred (word X) void : ∀ X. language X void = pred of simpl pred0 eps : ∀ X. language X eps = pred of simpl (pred1 []) atom : ∀ X. X → language X atom a = pred of simpl (pred1 [a]) alt : ∀ X. language X → language X → language X alt L1 L2 = pred of simpl (predU (mem L1) (mem L2)) conc : ∀ X. language X → language X → language X conc L1 L2 w = #|λ (i : I (S (size w)). L1 (take i w) && L2 (drop i w)| != 0 star : ∀ X. language X → language X star L = letrec star′ : word X → bool in star′ (a::w) = conc (residual a L) star′ w star′ [] = true

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 19 / 22

slide-23
SLIDE 23

Regular languages, continued

lang : ∀ X. re X → language X lang Void = void lang Eps = eps lang (Atom a) = atom a lang (Alt E F) = alt (lang E) (lang F) lang (Conc E F) = conc (lang E) (lang F) lang (Star E) = star (lang E)

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 20 / 22

slide-24
SLIDE 24

Correctness criterion for prebases

Theorem (Mirkin)

For any given regular expression E of type re X, we can construct a vector

  • f partial derivatives P of length m > 0 and a matrix of transitions M of

size m×n, where n is the number of symbols in the alphabet X, such that (i) The expression located by the coordinate 0 in P is E. (ii) The cells of the matrix M are subsets of the set [0, m − 1] of natural numbers. (iii) Let P = [E0; . . . ; Em−1]. For each i < m, the following language equivalence holds: Ei =L

  • 0≤j<n

(

k∈M i j

(conc aj Ek) + void ) + o Ei

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 21 / 22

slide-25
SLIDE 25

References

  • G. Gonthier, A. Mahboubi, and E. Tassi.

A Small Scale Reflection Extension for the Coq system. Research Report RR-6455, INRIA, 2011.

  • V. Komendantsky.

Formal proofs of the prebase theorem of Mirkin, 2011. Coq script available at http://www.cs.st-andrews.ac.uk/~{}vk/doc/prebase.v.

  • V. Komendantsky.

Subtyping by folding an inductive relation into a coinductive one. In R. Pe˜ na, editor, Post-proceedings of the 12th International Symposium on Trends in Functional Programming (TFP 2011), LNCS, Madrid, Spain, 16-18 May

  • 2011. Springer.
  • V. Komendantsky.

Reflexive toolbox for regular expression matching: Verification of functional programs in Coq+Ssreflect. In The 6th ACM SIGPLAN Workshop Programming Languages meet Program Verification (PLPV’12), Philadelphia, USA, 24 January 2012. For contributed proofs, see [2].

  • V. Komendantsky (St Andrews)

Program verification in type theory Roy Dyckhoff’s Festschrift 22 / 22