Subset coercions in C M S under direction of C - - PowerPoint PPT Presentation

Subset coercions in C

M S under direction of C P-M

Paris-Sud 11 University LRI - D´  Team & INRIA F - P Project

TYPES’06 Workshop 18-21 April 2006

The Big Picture

The Big Picture

The Big Picture

The Big Picture

The Big Picture

Outline

1

The idea

2

Theoretical development R Traduction in C

3

The implementation

A simple idea

Definition

{ x : T | P } is the set of objects of set T verifying property P.

Useful for specifying, widely used in mathematics ; Separates object and property.

A simple idea

Definition

{ x : T | P } is the set of objects of set T verifying property P.

Useful for specifying, widely used in mathematics ; Separates object and property. Adapting the idea

t : T P[t/x] t : { x : T | P } t : { x : T | P } t : T

From “Predicate subtyping”. . .

PVS Specialized typing algorithm for subset types, generating Type-checking conditions.

t : { x : T | P }

used as

t : T

• k

t : T

used as

t : { x : T | P }

if P[t/x]

From “Predicate subtyping”. . .

PVS Specialized typing algorithm for subset types, generating Type-checking conditions.

t : { x : T | P }

used as

t : T

• k

t : T

used as

t : { x : T | P }

if P[t/x] + Practical success ;

From “Predicate subtyping”. . .

PVS Specialized typing algorithm for subset types, generating Type-checking conditions.

t : { x : T | P }

used as

t : T

• k

t : T

used as

t : { x : T | P }

if P[t/x] + Practical success ; – No strong safety guarantee in PVS.

. . . to Subset coercions

1

A property-irrelevant language (R) with decidable typing ;

Γ ⊢ t : { x : T | P } Γ ⊢ t : T Γ ⊢ t : T Γ, x : T ⊢ P : Prop t : { x : T | P }

. . . to Subset coercions

1

A property-irrelevant language (R) with decidable typing ;

2

A total traduction to C terms with holes ;

Γ ⊢ t : { x : T | P } Γ ⊢ σ1 t : T Γ ⊢ t : T Γ, x : T ⊢ P : Prop Γ ⊢? : P[t/x] (t, ?) : { x : T | P }

. . . to Subset coercions

1

A property-irrelevant language (R) with decidable typing ;

2

A total traduction to C terms with holes ;

3

A method to turn the holes into proof obligations.

Outline

1

The idea

2

Theoretical development R Traduction in C

3

The implementation

R’s typing ⊢ and coercion

Calculus of Constructions - C +

Γ ⊢ t : U Γ ⊢ T : s U T

C

Γ ⊢ t : T

R’s typing ⊢ and coercion

Calculus of Constructions - C +

Γ ⊢ t : U Γ ⊢ T : s U T

C

Γ ⊢ t : T T ≡βπ U

S-C

T U S T T U

S-T

S U

R’s typing ⊢ and coercion

Calculus of Constructions - C +

Γ ⊢ t : U Γ ⊢ T : s U T

C

Γ ⊢ t : T T ≡βπ U

S-C

T U S T T U

S-T

S U U V

S-S { x : U | P } V

U V

S-P U { x : V | P }

R’s typing ⊢ and coercion

Calculus of Constructions - C +

Γ ⊢ t : U Γ ⊢ T : s U T

C

Γ ⊢ t : T T ≡βπ U

S-C

T U S T T U

S-T

S U U V

S-S { x : U | P } V

U V

S-P U { x : V | P }

0 : nat nat { x : nat | x 0 } 0 : { x : nat | x 0 }

R’s typing ⊢ and coercion

Calculus of Constructions - C +

Γ ⊢ t : U Γ ⊢ T : s U T

C

Γ ⊢ t : T T ≡βπ U

S-C

T U S T T U

S-T

S U U V

S-S { x : U | P } V

U V

S-P U { x : V | P }

0 : nat nat { x : nat | x 0 } 0 : { x : nat | x 0 } ? : 0 0

R’s typing ⊢ and coercion

Calculus of Constructions - C +

Γ ⊢ t : U Γ ⊢ T : s U T

C

Γ ⊢ t : T T ≡βπ U

S-C

T U S T T U

S-T

S U U V

S-S { x : U | P } V

U V

S-P U { x : V | P }

U T V W

S-P Πx : T.V Πx : U.W

Results

Theorem (Decidability of type checking)

Γ ⊢ t : T is decidable. Γ ⊢ f : T T Πx : A.B Γ ⊢ e : E E A

A

Γ ⊢ (f e) : B[e/x]

Results

Theorem (Decidability of type checking)

Γ ⊢ t : T is decidable.

Lemma (Elimination of transitivity) If T U ∧ U V then T V.

Γ ⊢ f : T T Πx : A.B Γ ⊢ e : E E A

A

Γ ⊢ (f e) : B[e/x]

Outline

1

The idea

2

Theoretical development R Traduction in C

3

The implementation

The target system

CIC with metavariables

Γ ⊢? t : T Γ ⊢? p : P[t/x] Γ ⊢? elt T P t p : { x : T | P } Γ ⊢? t : { x : T | P } Γ ⊢? σ1 t : T Γ ⊢? t : { x : T | P } Γ ⊢? σ2 t : P[σ1 t/x] Γ ⊢? P : Prop Γ ⊢??P : P

From C to R

The easy way

(σ1 t)◦ = t◦ (elt T P t p)◦ = t◦ (σ2 t)◦ = ⊥ (?P)◦ = ⊥

If Γ ⊢? t : T then Γ◦ ⊢ t◦ : T ◦ if ()◦ is defined on Γ, t and T.

From C to R and back

The easy way

(σ1 t)◦ = t◦ (elt T P t p)◦ = t◦ (σ2 t)◦ = ⊥ (?P)◦ = ⊥

If Γ ⊢? t : T then Γ◦ ⊢ t◦ : T ◦ if ()◦ is defined on Γ, t and T. The hard way If Γ ⊢ t : T then Γ ⊢? tΓ : TΓ.

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? : T U

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? : { x : T | P } T

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T Γ ⊢? : T { x : T | P }

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T Γ ⊢? elt • ?PΓ,x:T [•/x] : T { x : T | P }

Traduction : deriving explicit coercions

Traduction for coercions If T U then Γ ⊢? c[•] : T U which implies

Γ ⊢? λx : TΓ.c[x] : TΓ → UΓ.

Definition

T ≡βπ U Γ ⊢? • : T U Γ ⊢? σ1 • : { x : T | P } T Γ ⊢? elt • ?PΓ,x:T [•/x] : T { x : T | P }

Example

Γ ⊢? 0 : nat Γ ⊢? c : nat { x : nat | x 0 } Γ ⊢? (elt • ?(x0)[•/x])[0] = elt 0 ?00 : { x : nat | x 0 }

Traduction : interpretation of terms Γ

Example (Application)

Γ ⊢ f : T T Πx : V.W : s Γ ⊢ u : U U V Γ ⊢ (f u) : W[u/x] f uΓ =

let π = coerceΓ T (Πx : V.W) in let c = coerceΓ U V in

(π[fΓ]) (c[uΓ])

Theorem (Soundness) If Γ ⊢ t : T then Γ ⊢? tΓ : TΓ.

Theoretical matters

⊢?’s equational theory : (β) (λx : X.e) v ≡ e[v/x] (σi) σi (elt E P e1 e2) ≡ ei (η) (λx : X.e x) ≡ e

if x FV(e)

(SP)

elt E P (σ1 e) (σ2 e)

≡ e

Theoretical matters

⊢?’s equational theory : (β) (λx : X.e) v ≡ e[v/x] (σi) σi (elt E P e1 e2) ≡ ei (η) (λx : X.e x) ≡ e

if x FV(e)

(SP)

elt E P (σ1 e) (σ2 e)

≡ e (σ)

elt E P t p

≡

elt E P t′ p′ if t ≡ t′

⇒ Proof Irrelevance

Outline

1

The idea

2

Theoretical development R Traduction in C

3

The implementation

The P vernacular

Architecture Wrap around C’s vernacular commands (Definition,

Fixpoint, . . . ).

1

Use the C parser : Program Definition f : T := t. ;

The P vernacular

Architecture Wrap around C’s vernacular commands (Definition,

Fixpoint, . . . ).

1

Use the C parser : Program Definition f : T := t. ;

2

Typecheck Γ◦ ⊢ t : T and generate Γ◦ ⊢? tΓ◦ : TΓ◦ ;

Program Definition f : TΓ◦ := tΓ◦ .

The P vernacular

Architecture Wrap around C’s vernacular commands (Definition,

Fixpoint, . . . ).

1

Use the C parser : Program Definition f : T := t. ;

2

Typecheck Γ◦ ⊢ t : T and generate Γ◦ ⊢? tΓ◦ : TΓ◦ ;

3

Interactive proving of obligations ;

Program Definition f : TΓ◦ := tΓ◦ + obligations.

The P vernacular

Architecture Wrap around C’s vernacular commands (Definition,

Fixpoint, . . . ).

1

Use the C parser : Program Definition f : T := t. ;

2

Typecheck Γ◦ ⊢ t : T and generate Γ◦ ⊢? tΓ◦ : TΓ◦ ;

3

Interactive proving of obligations ;

4

Final definition. Definition f : TΓ◦ := tΓ◦ + obligations.

The P vernacular

Architecture Wrap around C’s vernacular commands (Definition,

Fixpoint, . . . ).

1

Use the C parser : Program Definition f : T := t. ;

2

Typecheck Γ◦ ⊢ t : T and generate Γ◦ ⊢? tΓ◦ : TΓ◦ ;

3

Interactive proving of obligations ;

4

Final definition. Definition f : TΓ◦ := tΓ◦ + obligations. Remark (Restriction) We assume Γ◦ = Γ and Γ ⊢CCI TΓ : s.

P : The list example

P : The list example

P : The list example

P : The list example

P : The list example

P : The list example

P : The list example

P : The list example

P : The list example

Conclusion

Our contribution A more flexible programming language, (almost) conservative over CIC, integrated with the existing environment and a formal justification of “Predicate subtyping”.

Conclusion

Our contribution A more flexible programming language, (almost) conservative over CIC, integrated with the existing environment and a formal justification of “Predicate subtyping”. Future work Application to more constructs ((co-)inductive types) and commands. Improvements of C (existential variables, type inference, proof irrelevance). Complete and useful interpretation of ML languages.

Addendum : some practical enhancements

Handling of dependent existential variables (WIP).

Addendum : some practical enhancements

Handling of dependent existential variables (WIP). Pattern-matching and equalities. match v return T with p1 ⇒ t1 · · · pn ⇒ tn

(match µv as t′

return

t′ = µ(v) → T) with p1 ⇒ fun h ⇒ t1 . . . pn ⇒ fun h ⇒ tn) (refl equal µ(v))

Addendum : some practical enhancements

Handling of dependent existential variables (WIP). Pattern-matching and equalities. Well-founded recursion.

Program Fixpoint f (a : nat) {wf lt a} : nat := t

Addendum : some practical enhancements

Handling of dependent existential variables (WIP). Pattern-matching and equalities. Well-founded recursion.

Program Fixpoint f (a : nat) {wf lt a} : nat := t a : nat f : {x : nat | x < a} → nat t : nat