N OT A SINGLE PROOF ASSISTANT FOR ALL BUT PROOF ASSISTANTS FOR - PowerPoint PPT Presentation

N OT A SINGLE PROOF ASSISTANT FOR ALL BUT PROOF ASSISTANTS FOR EVERYONE 
 N ICOLAS T ABAREAU

Not the Work of a Single Man Not a single proof assistant for all but proof assistants for everyone 


Coq: a success but ... Based on the correspondence: Formula Type ⟺ Proof Program ⟺ Type Theory has been developed, providing a common language for mathematics and computer science ⇒ Coq Not a single proof assistant for all but proof assistants for everyone 
 3

Coq: a success but ... Based on the correspondence: Formula Type ⟺ Proof Program ⟺ Type Theory has been developed, providing a common language for mathematics and computer science ⇒ Coq “At the same time a programming language and a logical system” Not a single proof assistant for all but proof assistants for everyone 
 3

Coq: a success but ... Program certification Theorem Proving CompCert Odd Order Theorem Compiler A mature system: ACM 2013 Software System Award Coq Consortium (Inria Foundation) Continuous Integration, 2 releases per year Not a single proof assistant for all but proof assistants for everyone 
 4

... not the last word Many weaknesses cannot be solved without changing the theoretical foundations of Coq : Extend Coq as a programming language Extend Coq as a logical system Not a single proof assistant for all but proof assistants for everyone 
 5

Extend the logic common operators/principles cannot be “constructed” ( e.g. , excluded middle) the notion of equality/conversion is too weak Not a single proof assistant for all but proof assistants for everyone 
 6

Extend the logic common operators/principles cannot be “constructed” ( e.g. , excluded middle) the notion of equality/conversion is too weak Example: prime integers (n;prime_n) ≠ (n;prime_n) Not a single proof assistant for all but proof assistants for everyone 
 6

Extend the logic The difficulty is that every new logical principle must come with its computational interpretation. Not a single proof assistant for all but proof assistants for everyone 
 7

Extend the logic The difficulty is that every new logical principle must come with its computational interpretation. For instance, what is the computational meaning of the excluded middle ? Not a single proof assistant for all but proof assistants for everyone 
 7

Extend the language Great, and now can you show me a “Hello World” ? Well, … … sorry. That’s not possible ! Hello World in Coq Not a single proof assistant for all but proof assistants for everyone 
 8

Extend the language Great, and now can you show me a “Hello World” ? Well, … No “Hello World” ! … sorry. That’s not possible ! Hello World in Coq Not a single proof assistant for all but proof assistants for everyone 
 8

Users Need More On the logical side: On the PL side: Excluded Middle Exceptions UIP Memory Univalence / FunExt Non-determinism Definitional Pf Irr Non-termination Not a single proof assistant for all but proof assistants for everyone 
 9

<latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> <latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> <latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> <latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> Excluded Middle ∀ P, ¬ P + P Not a single proof assistant for all but proof assistants for everyone 
 10

<latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> <latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> <latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> <latexit sha1_base64="TGU4BnQTnSoMD9C3VkQodt34vfY=">AB/3icbVDLSgMxFL1TX7W+qoIbN8EiCEqZEUGXRTcuR7AP6Awlk2ba0EwyJBmhjF34K25cKOLW3Dn35g+Ftp6IHA491zuyYlSzrRx3W+nsLS8srpWXC9tbG5t75R39xpaZorQOpFcqlaENeVM0LphtNWqihOIk6b0eBmPG8+UKWZFPdmNIwT3BYkawsVKnfBDEUmHOkX+GAi6kQT46RX6nXHGr7gRokXgzUoEZrP8r6EqSJVQYwrHWbc9NTZhjZRjhdFQKMk1TAa4R9uWCpxQHeaT/CN0bJUuskHsEwZN1N8bOU60HiaRdSbY9PX8bCz+N2tnJr4KcybSzFBpofijCMj0bgM1GWKEsOHlmCimM2KSB8rTIytrGRL8Oa/vEga51XPrXp3F5Xa9ayOIhzCEZyAB5dQg1vwoQ4EHuEZXuHNeXJenHfnY2otOLOdfgD5/MHZ1aUYw=</latexit> Excluded Middle ∀ P, ¬ P + P Useful to do proof by contradiction Note: I don’t want to dive into constructivism debate Not a single proof assistant for all but proof assistants for everyone 
 10