Program -ing in Coq Matthieu Sozeau under the direction of Christine - - PowerPoint PPT Presentation

Program-ing in Coq

Matthieu Sozeau under the direction of Christine Paulin-Mohring

LRI, Univ. Paris-Sud - D´ emons Team & INRIA Saclay - ProVal Project

Foundations of Programming seminar February 15th 2008 University of Nottingham

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

Inductive diveucl a b : Set := divex : ∀ q r, b > r → a = q × b + r → diveucl a b. Lemma eucl dev : ∀ n, n > 0 → ∀ m:nat, diveucl m n. Proof. intros b H a; pattern a in ⊢ ×; apply gt wf rec; intros n H0. elim (le gt dec b n). intro lebn. elim (H0 (n - b)); auto with arith. intros q r g e. apply divex with (S q) r; simpl in ⊢ ×; auto with arith. elim plus assoc. elim e; auto with arith. intros gtbn. apply divex with 0 n; simpl in ⊢ ×; auto with arith. Qed.

The Big Picture

The Curry-Howard isomorphism

Programming language = Proof system

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Separates proofs and programs using sorts ⇒ Extraction

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Separates proofs and programs using sorts ⇒ Extraction

◮ Paradigm Purely functional.

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Separates proofs and programs using sorts ⇒ Extraction

◮ Paradigm Purely functional.

Total, no separation of terms and types.

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Separates proofs and programs using sorts ⇒ Extraction

◮ Paradigm Purely functional.

Total, no separation of terms and types.

◮ Development style and proof automation Interactive,

semi-automatic proof using tactics.

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Separates proofs and programs using sorts ⇒ Extraction

◮ Paradigm Purely functional.

Total, no separation of terms and types.

◮ Development style and proof automation Interactive,

semi-automatic proof using tactics.

◮ Phase distinction none

Epigram PVS DML Ωmega

The Curry-Howard isomorphism

Programming language = Proof system Program extends the Coq proof-assistant into a dependently-typed programming environment.

◮ Logical Framework Type Theory.

Separates proofs and programs using sorts ⇒ Extraction

◮ Paradigm Purely functional.

Total, no separation of terms and types.

◮ Development style and proof automation Interactive,

semi-automatic proof using tactics.

◮ Phase distinction ⇒ in Program

Epigram PVS DML Ωmega

1 The idea

A simple idea From PVS to Coq

2 Theoretical development

Russell Interpretation in Coq Inductive types

3 Program

Architecture Hello world Extensions

4 Conclusion

• M. Sozeau (LRI)

Program-ing in Coq 4 / 27

A simple idea

Definition

{x : T | P} is the set of objects of set T verifying property P.

◮ Useful for specifying, widely used in mathematics ; ◮ Links object and property.

• M. Sozeau (LRI)

Program-ing in Coq 5 / 27

A simple idea

Definition

{x : T | P} is the set of objects of set T verifying property P.

◮ Useful for specifying, widely used in mathematics ; ◮ Links object and property.

Adapting the idea

t : T P[t/x] t : { x : T | P } t : { x : T | P } t : T

• M. Sozeau (LRI)

Program-ing in Coq 5 / 27

A simple idea

Definition

{x : T | P} is the set of objects of set T verifying property P.

◮ Useful for specifying, widely used in mathematics ; ◮ Links object and property.

Adapting the idea

t : T p : P[t/x] (t, p) : { x : T | P } t : { x : T | P } proj t : T

• M. Sozeau (LRI)

Program-ing in Coq 5 / 27

From “Predicate subtyping”. . .

PVS

◮ Specialized typing algorithm for subset types, generating

Type-checking conditions. t : { x : T | P } used as t : T

• k

t : T used as t : { x : T | P } if P[t/x]

• M. Sozeau (LRI)

Program-ing in Coq 6 / 27

From “Predicate subtyping”. . .

PVS

◮ Specialized typing algorithm for subset types, generating

Type-checking conditions. t : { x : T | P } used as t : T

• k

t : T used as t : { x : T | P } if P[t/x] + Practical success ;

• M. Sozeau (LRI)

Program-ing in Coq 6 / 27

From “Predicate subtyping”. . .

PVS

◮ Specialized typing algorithm for subset types, generating

Type-checking conditions. t : { x : T | P } used as t : T

• k

t : T used as t : { x : T | P } if P[t/x] + Practical success ; – No strong safety guarantee in PVS.

• M. Sozeau (LRI)

Program-ing in Coq 6 / 27

. . . to Subset coercions

1 A property-irrelevant language (Russell) with decidable typing ;

Γ ⊢ t : { x : T | P } Γ ⊢ t : T Γ ⊢ t : T Γ, x : T ⊢ P : Prop Γ ⊢ t : { x : T | P }

• M. Sozeau (LRI)

Program-ing in Coq 7 / 27

. . . to Subset coercions

1 A property-irrelevant language (Russell) with decidable typing ; 2 A total interpretation to Coq terms with holes ;

Γ ⊢ t : { x : T | P } Γ ⊢ proj t : T Γ ⊢ t : T Γ, x : T ⊢ P : Prop Γ ⊢? : P[t/x] Γ ⊢ (t, ?) : { x : T | P }

• M. Sozeau (LRI)

Program-ing in Coq 7 / 27

. . . to Subset coercions

1 A property-irrelevant language (Russell) with decidable typing ; 2 A total interpretation to Coq terms with holes ; 3 A mechanism to turn the holes into proof obligations and

manage them. Γ ⊢ t : { x : T | P } Γ ⊢ proj t : T Γ ⊢ t : T Γ, x : T ⊢ P : Prop Γ ⊢ p : P[t/x] Γ ⊢ (t, p) : { x : T | P }

• M. Sozeau (LRI)

Program-ing in Coq 7 / 27

1 The idea

A simple idea From PVS to Coq

2 Theoretical development

Russell Interpretation in Coq Inductive types

3 Program

Architecture Hello world Extensions

4 Conclusion

• M. Sozeau (LRI)

Program-ing in Coq 8 / 27

Russell syntax

x ∈ V s, t, u, v ::= x | Set | Prop | Type

• M. Sozeau (LRI)

Program-ing in Coq 9 / 27

Russell syntax

x ∈ V s, t, u, v ::= x | Set | Prop | Type | λx : s.t | s t | Πx : s.t

• M. Sozeau (LRI)

Program-ing in Coq 9 / 27

Russell syntax

x ∈ V s, t, u, v ::= x | Set | Prop | Type | λx : s.t | s t | Πx : s.t | (u, v)Σx:s.t | π1 s | π2 s | Σx : s.t

• M. Sozeau (LRI)

Program-ing in Coq 9 / 27

Russell syntax

x ∈ V s, t, u, v ::= x | Set | Prop | Type | λx : s.t | s t | Πx : s.t | (u, v)Σx:s.t | π1 s | π2 s | Σx : s.t | { x : s | t }

• M. Sozeau (LRI)

Program-ing in Coq 9 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U ≡βπ T : s Γ ⊢ t : T

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U T : s Γ ⊢ t : T Γ ⊢ T ≡βπ U : s Γ ⊢ T U : s

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U T : s Γ ⊢ t : T Γ ⊢ T ≡βπ U : s Γ ⊢ T U : s Γ ⊢ U V : Set Γ, x : U ⊢ P : Prop Γ ⊢ { x : U | P } V : Set Γ ⊢ U V : Set Γ, x : V ⊢ P : Prop Γ ⊢ U { x : V | P } : Set

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U T : s Γ ⊢ t : T Γ ⊢ T ≡βπ U : s Γ ⊢ T U : s Γ ⊢ U V : Set Γ, x : U ⊢ P : Prop Γ ⊢ { x : U | P } V : Set Γ ⊢ U V : Set Γ, x : V ⊢ P : Prop Γ ⊢ U { x : V | P } : Set Γ ⊢ 0 : N Γ ⊢ N { x : N | x = 0 } : Set Example Γ ⊢ 0 : { x : N | x = 0 }

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U T : s Γ ⊢ t : T Γ ⊢ T ≡βπ U : s Γ ⊢ T U : s Γ ⊢ U V : Set Γ, x : U ⊢ P : Prop Γ ⊢ { x : U | P } V : Set Γ ⊢ U V : Set Γ, x : V ⊢ P : Prop Γ ⊢ U { x : V | P } : Set Γ ⊢ 0 : N Γ ⊢ N { x : N | x = 0 } : Set Example Γ ⊢ 0 : { x : N | x = 0 } Γ ⊢? : 0 = 0

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U T : s Γ ⊢ t : T Γ ⊢ T ≡βπ U : s Γ ⊢ T U : s Γ ⊢ U V : Set Γ, x : U ⊢ P : Prop Γ ⊢ { x : U | P } V : Set Γ ⊢ U V : Set Γ, x : V ⊢ P : Prop Γ ⊢ U { x : V | P } : Set Γ ⊢ U T : s1 Γ, x : U ⊢ V W : s2 Γ ⊢ Πx : T.V Πx : U.W : s2 Γ ⊢ T U : s Γ, x : T ⊢ V W : s s ∈ {Set, Prop} Γ ⊢ Σx : T.V Σy : U.W : s

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Russell typing ⊢ and coercion

Calculus of Constructions with Γ ⊢ t : U Γ ⊢ U T : s Γ ⊢ t : T Γ ⊢ T ≡βπ U : s Γ ⊢ T U : s Γ ⊢ U V : Set Γ, x : U ⊢ P : Prop Γ ⊢ { x : U | P } V : Set Γ ⊢ U V : Set Γ, x : V ⊢ P : Prop Γ ⊢ U { x : V | P } : Set Γ ⊢ U T : s1 Γ, x : U ⊢ V W : s2 Γ ⊢ Πx : T.V Πx : U.W : s2 Γ ⊢ T U : s Γ, x : T ⊢ V W : s s ∈ {Set, Prop} Γ ⊢ Σx : T.V Σy : U.W : s is symmetric!

• M. Sozeau (LRI)

Program-ing in Coq 10 / 27

Results

Theorem (Decidability of type checking and type inference)

Γ ⊢ t : T is decidable. Γ ⊢ f : T Γ ⊢ T Πx : A.B : s Γ ⊢ e : E Γ ⊢ E A : s′ Γ ⊢ (f e) : B[e/x]

• M. Sozeau (LRI)

Program-ing in Coq 11 / 27

Results

Theorem (Decidability of type checking and type inference)

Γ ⊢ t : T is decidable. Γ ⊢ f : T Γ ⊢ T Πx : A.B : s Γ ⊢ e : E Γ ⊢ E A : s′ Γ ⊢ (f e) : B[e/x]

Coq corner

Mechanised proofs of Subject Reduction and equivalence between declarative and algorithmic presentations of the system.

• M. Sozeau (LRI)

Program-ing in Coq 11 / 27

1 The idea

A simple idea From PVS to Coq

2 Theoretical development

Russell Interpretation in Coq Inductive types

3 Program

Architecture Hello world Extensions

4 Conclusion

• M. Sozeau (LRI)

Program-ing in Coq 12 / 27

From Russell to Coq

The target system : Cic with metavariables

Γ ⊢? t : T Γ ⊢? p : P[t/x] Γ ⊢? elt T P t p : { x : T | P } Γ ⊢? t : { x : T | P } Γ ⊢? σ1 t : T Γ ⊢? t : { x : T | P } Γ ⊢? σ2 t : P[σ1 t/x] Γ ⊢? P : Prop Γ ⊢??P : P We build an interpretation Γ from Russell to Cic? terms.

• M. Sozeau (LRI)

Program-ing in Coq 13 / 27

From Russell to Coq

The target system : Cic with metavariables

Γ ⊢? t : T Γ ⊢? p : P[t/x] Γ ⊢? elt T P t p : { x : T | P } Γ ⊢? t : { x : T | P } Γ ⊢? σ1 t : T Γ ⊢? t : { x : T | P } Γ ⊢? σ2 t : P[σ1 t/x] Γ ⊢? P : Prop Γ ⊢??P : P We build an interpretation Γ from Russell to Cic? terms.

Our goal

If Γ ⊢ t : T then Γ ⊢? tΓ : TΓ.

• M. Sozeau (LRI)

Program-ing in Coq 13 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? : T U

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? : { x : T | P } T

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T Γ ⊢? : T { x : T | P }

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T Γ ⊢? elt

• ?PΓ,x:T [•/x] : T { x : T | P }
• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Deriving explicit coercions

Interpretation of coercions

If Γ ⊢ T U : s then Γ ⊢? c[•] : T U which implies Γ, x : TΓ ⊢? c[x] : UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T Γ ⊢? elt

• ?PΓ,x:T [•/x] : T { x : T | P }

Example

Γ ⊢? 0 : N Γ ⊢? elt

• ?(x=0)[•/x] : N { x : N | x = 0 }

Γ ⊢? elt 0 ?0=0 : { x : N | x = 0 }

• M. Sozeau (LRI)

Program-ing in Coq 14 / 27

Interpretation of terms

Example (Application)

Γ ⊢ f : T Γ ⊢ T Πx : V.W : s Γ ⊢ u : U Γ ⊢ U V : s′ Γ ⊢ (f u) : W[u/x] f uΓ

• let π = coerceΓ T (Πx : V.W) in

let c = coerceΓ U V in (π[fΓ]) (c[uΓ])

Theorem (Soundness)

If Γ ⊢ t : T then Γ ⊢? tΓ : TΓ.

• M. Sozeau (LRI)

Program-ing in Coq 15 / 27

Theoretical matters . . .

⊢?’s equational theory: (β) (λx : X.e) v ≡ e[v/x] (πi) πi (e1, e2)T ≡ ei (σi) σi (elt E P e1 e2) ≡ ei (η) (λx : X.e x) ≡ e if x / ∈ FV (e) (SP) elt E P (σ1 e) (σ2 e) ≡ e

• M. Sozeau (LRI)

Program-ing in Coq 16 / 27

Theoretical matters . . .

⊢?’s equational theory: (β) (λx : X.e) v ≡ e[v/x] (πi) πi (e1, e2)T ≡ ei (σi) σi (elt E P e1 e2) ≡ ei (η) (λx : X.e x) ≡ e if x / ∈ FV (e) (SP) elt E P (σ1 e) (σ2 e) ≡ e (PI) elt E P t p ≡ elt E P t′ p′ if t ≡ t′ ⇒ Proof Irrelevance

• M. Sozeau (LRI)

Program-ing in Coq 16 / 27

Theoretical matters . . .

⊢?’s equational theory: (β) (λx : X.e) v ≡ e[v/x] (πi) πi (e1, e2)T ≡ ei (σi) σi (elt E P e1 e2) ≡ ei (η) (λx : X.e x) ≡ e if x / ∈ FV (e) (SP) elt E P (σ1 e) (σ2 e) ≡ e (PI) elt E P t p ≡ elt E P t′ p′ if t ≡ t′ ⇒ Proof Irrelevance

. . . have practical effects

Difficulty to reason on code: elt T P x p1 ≡ elt T P x p2 where p1, p2 : P x.

• M. Sozeau (LRI)

Program-ing in Coq 16 / 27

Inductive types

Different representations

vector n { x : list A | length x = n } or vector n vnil : vector 0 | vcons : A → ∀n, vector n → vector (S n) ?

• M. Sozeau (LRI)

Program-ing in Coq 17 / 27

Inductive types

Different representations

vector n { x : list A | length x = n } or vector n vnil : vector 0 | vcons : A → ∀n, vector n → vector (S n) ? Γ ⊢ v : vector x Γ ⊢ x = y : Prop Γ ⊢ vector x vector y : Set Γ ⊢ v : vector y

• M. Sozeau (LRI)

Program-ing in Coq 17 / 27

1 The idea

A simple idea From PVS to Coq

2 Theoretical development

Russell Interpretation in Coq Inductive types

3 Program

Architecture Hello world Extensions

4 Conclusion

• M. Sozeau (LRI)

Program-ing in Coq 18 / 27

The Program vernacular

Architecture

Wrap around Coq’s vernacular commands (Definition, Fixpoint, Lemma, . . . ).

• M. Sozeau (LRI)

Program-ing in Coq 19 / 27

The Program vernacular

Architecture

Wrap around Coq’s vernacular commands (Definition, Fixpoint, Lemma, . . . ).

1 Use the Coq parser.

Program Definition f : T := t .

• M. Sozeau (LRI)

Program-ing in Coq 19 / 27

The Program vernacular

Architecture

Wrap around Coq’s vernacular commands (Definition, Fixpoint, Lemma, . . . ).

1 Use the Coq parser. 2 Typecheck Γ ⊢ t : T and generate Γ ⊢? tΓ : TΓ ;

Program Definition f : TΓ := tΓ .

• M. Sozeau (LRI)

Program-ing in Coq 19 / 27

The Program vernacular

Architecture

Wrap around Coq’s vernacular commands (Definition, Fixpoint, Lemma, . . . ).

1 Use the Coq parser. 2 Typecheck Γ ⊢ t : T and generate Γ ⊢? tΓ : TΓ ; 3 Interactive proving of obligations ;

Program Definition f : TΓ := tΓ + obligations.

• M. Sozeau (LRI)

Program-ing in Coq 19 / 27

The Program vernacular

Architecture

Wrap around Coq’s vernacular commands (Definition, Fixpoint, Lemma, . . . ).

1 Use the Coq parser. 2 Typecheck Γ ⊢ t : T and generate Γ ⊢? tΓ : TΓ ; 3 Interactive proving of obligations ; 4 Final definition.

Definition f : TΓ := tΓ + obligations.

• M. Sozeau (LRI)

Program-ing in Coq 19 / 27

The Program vernacular

Architecture

Wrap around Coq’s vernacular commands (Definition, Fixpoint, Lemma, . . . ).

1 Use the Coq parser. 2 Typecheck Γ ⊢ t : T and generate Γ ⊢? tΓ : TΓ ; 3 Interactive proving of obligations ; 4 Final definition.

Restriction We assume Γ ⊢CCI TΓ : s. Definition f : TΓ := tΓ + obligations.

• M. Sozeau (LRI)

Program-ing in Coq 19 / 27

Hello world: Euclidean division

DEMO

• M. Sozeau (LRI)

Program-ing in Coq 20 / 27

1 The idea

A simple idea From PVS to Coq

2 Theoretical development

Russell Interpretation in Coq Inductive types

3 Program

Architecture Hello world Extensions

4 Conclusion

• M. Sozeau (LRI)

Program-ing in Coq 21 / 27

Pattern-matching revisited

Put logic into the terms. Let e : N: match e return T with | S n ⇒ t1 | 0 ⇒ t2 end

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Pattern-matching revisited

Put logic into the terms. Let e : N: match e as t return t = e → T with | S n ⇒ fun (H : S n = e) ⇒ t1 | 0 ⇒ fun (H : 0 = e) ⇒ t2 end (refl equal e)

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Pattern-matching revisited

Put logic into the terms.

Further refinements

◮ Each branch typed only once ;

Let e : N: match e as t return t = e → T with | S (S n) ⇒ fun (H : S (S n) = e) ⇒ t1 | n ⇒ fun (H : n = e) ⇒ t2 end (refl equal e)

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Pattern-matching revisited

Put logic into the terms.

Further refinements

◮ Each branch typed only once ;

Let e : N: match e as t return t = e → T with | S (S n) ⇒ fun (H : S (S n) = e) ⇒ t1 | S 0 ⇒ fun (H : S 0 = e) ⇒ t2 | 0 ⇒ fun (H : 0 = e) ⇒ t2 end (refl equal e)

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Pattern-matching revisited

Put logic into the terms.

Further refinements

◮ Each branch typed only once ; ◮ Add inequalities for intersecting patterns ;

Let e : N: match e as t return t = e → T with | S (S n) ⇒ fun (H : S (S n) = e) ⇒ t1 | n ⇒ fun (H : n = e) ⇒ let H′ : ∀n′, n = S (S n′) in t2 end (refl equal e)

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Pattern-matching revisited

Put logic into the terms.

Further refinements

◮ Each branch typed only once ; ◮ Add inequalities for intersecting patterns ; ◮ Generalized to dependent inductive types.

Let e : vector n: match e return T with | vnil ⇒ t1 | vcons x n′ v′ ⇒ t2 end

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Pattern-matching revisited

Put logic into the terms.

Further refinements

◮ Each branch typed only once ; ◮ Add inequalities for intersecting patterns ; ◮ Generalized to dependent inductive types.

Let e : vector n: match e as t in vector n′ return n′ = n → t ≃ e → T with | vnil ⇒ fun (H : 0 = n)(Hv : vnil ≃ e) ⇒ t1 | vcons x n′ v′ ⇒ fun (H : S n′ = n)(Hv : vcons x n′ v′ ≃ e) ⇒ t2 end(refl equal n)(JMeq refl e)

• M. Sozeau (LRI)

Program-ing in Coq 22 / 27

Sugar

Obligations

Unresolved implicits ( ) are turned into obligations, ` a la refine.

Bang

! (False rect ) where False rect : ∀A : Type, False → A. It corresponds to ML’s assert(false). match 0 with 0 ⇒ 0 | n ⇒ ! end

• M. Sozeau (LRI)

Program-ing in Coq 23 / 27

Sugar

Obligations

Unresolved implicits ( ) are turned into obligations, ` a la refine.

Bang

! (False rect ) where False rect : ∀A : Type, False → A. It corresponds to ML’s assert(false). match 0 with 0 ⇒ 0 | n ⇒ ! end

Destruction

Let let | p := tin e match t with p ⇒ e end. p can be an arbitrary pattern.

• M. Sozeau (LRI)

Program-ing in Coq 23 / 27

Recursion

Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b.

• M. Sozeau (LRI)

Program-ing in Coq 24 / 27

Recursion

Support for well-founded recursion and measures. Program Fixpoint f (a : N) {wf < a} : N := b. a : N f : {x : N | x < a} → N b : N

• M. Sozeau (LRI)

Program-ing in Coq 24 / 27

Safe Lists

DEMO

• M. Sozeau (LRI)

Program-ing in Coq 25 / 27

Conclusion

Our contributions

◮ A more flexible programming language, (almost) conservative

• ver Cic, integrated with the existing environment and a formal

justification of “Predicate subtyping”.

◮ A tool to make programming in Coq using the full language

possible, which can effectively be used for non-trivial developments.

Ongoing and future work

◮ Reasoning support through tactics ◮ Implementation of proof-irrelevance in Coq’s kernel ◮ Overloading support through a typeclass mechanism.

• M. Sozeau (LRI)

Program-ing in Coq 26 / 27

The End

http://www.lri.fr/∼sozeau/research/russell.en.html

• M. Sozeau (LRI)

Program-ing in Coq 27 / 27