The Power of Parameterization in Coinductive Proof
Chung-Kil Hur, Georg Neis, Derek Dreyer, Viktor Vafeiadis
Max Planck Institute for Software Systems (MPI-SWS), Kaiserslautern and Saarbrücken, Germany

Contributions
Parameterized coinduction
- Very simple construction
- Complete reasoning principle for coinduction
- Achieves incrementality and compositionality
Paco: Coq library for parameterized coinduction
- No syntactic guardedness checks
- Replacement for Coq's built-in coinduction
C.-K. Hur, G. Neis, D. Dreyer, V. Vafeiadis The Power of Parameterization in Coinductive Proof
Induction
Fundamental reasoning principle, e.g. over $\mathbb{N}$:
$$\frac{P(0) \qquad \forall n.\, P(n) \Rightarrow P(n+1)}{\forall n.\, P(n)}$$
Tarski's fixed-point theorem
- Complete lattice $(C, \sqsubseteq, \sqcup)$
- Monotone function $f : C \xrightarrow{\text{mon}} C$
- Prove properties of the least fixed point $\mu f$:
$$f(x) \sqsubseteq x \Rightarrow \mu f \sqsubseteq x$$
Example of Tarski induction
$\mathbb{N} \stackrel{\text{def}}{=} \mu f$ where $f \stackrel{\text{def}}{=} \lambda A.\, \{0\} \cup \{n+1 \mid n \in A\}$.
$$\begin{array}{rcll}
\forall n \in \mathbb{N}.\, P(n) & \Longleftrightarrow & \mu f \subseteq P \\
& \Longleftarrow & f(P) \subseteq P & \text{Tarski's thm.} \\
& \Longleftrightarrow & 0 \in P \wedge \{n+1 \mid n \in P\} \subseteq P \\
& \Longleftrightarrow & P(0) \wedge (\forall n.\, P(n) \Rightarrow P(n+1))
\end{array}$$
Coinduction
- Dual to induction
- Construct infinite data structures
- Greatest fixed points, $\nu f$
- Important applications in computer science: program refinement (simulation), program equivalence (bisimulation), properties of non-terminating executions
Tarski's fixed-point theorem:
$$x \sqsubseteq f(x) \Rightarrow x \sqsubseteq \nu f$$
A trivial example: infinite paths
Prove that there is an infinite path from a.
[Figure: a directed graph over the nodes a, b, c, d, e, f; the edges used in the proof below are a → b, b → d and d → b.]
Formally, show $a \in \nu\,\mathit{step}$, where
$$\mathit{step}(X) \stackrel{\text{def}}{=} \{x \in \mathit{Node} \mid \exists y \in X.\, x \to y\}$$
How would you prove this?
A trivial example: infinite paths
Prove it with Tarski's theorem?
[Figure: the same graph over the nodes a, b, c, d, e, f.]
Must determine a suitable postfixed point up front:
$$x \sqsubseteq \nu f \Longleftrightarrow \exists r.\, x \sqsubseteq r \wedge r \sqsubseteq f(r)$$
Pick $r := \{a, b, d\}$ up front.
Parameterized coinduction
Parameterize the greatest fixed point with accumulated knowledge:
$$G_f(x) \stackrel{\text{def}}{=} \nu y.\, f(x \sqcup y)$$
Properties:
- $\nu f \equiv G_f(\bot)$ (Initialize)
- $G_f(x) \equiv f(x \sqcup G_f(x))$ (Unfold)
- $x \sqsubseteq y \Rightarrow G_f(x) \sqsubseteq G_f(y)$ (Monotonicity)
- $y \sqsubseteq G_f(x) \Longleftrightarrow y \sqsubseteq G_f(x \sqcup y)$ (Accumulate)
Proof of the accumulation theorem
Goal: $y \sqsubseteq G_f(x) \Longleftrightarrow y \sqsubseteq G_f(x \sqcup y)$
($\Rightarrow$): Trivial by monotonicity.
($\Leftarrow$): Assume $y \sqsubseteq G_f(x \sqcup y)$ (*). Then
$$\begin{array}{rcll}
G_f(x \sqcup y) & \equiv & f(x \sqcup y \sqcup G_f(x \sqcup y)) & \text{fixed point eq.} \\
& \sqsubseteq & f(x \sqcup G_f(x \sqcup y)) & f \text{ mon. \& (*)} \\
& \equiv & (\lambda z.\, f(x \sqcup z))\,(G_f(x \sqcup y))
\end{array}$$
From Tarski, $G_f(x \sqcup y) \sqsubseteq \nu z.\, f(x \sqcup z) \equiv G_f(x)$. So, from (*) and $\sqsubseteq$-transitivity, $y \sqsubseteq G_f(x)$.
The trivial example, again
$$\begin{array}{rcll}
a \in \mathit{inf} = \nu\,\mathit{step} & \Longleftrightarrow & a \in G_{\mathit{step}}(\emptyset) & \text{initialize} \\
& \Longleftrightarrow & \exists y \in G_{\mathit{step}}(\emptyset).\, a \to y & \text{unfold} \\
& \Longleftarrow & b \in G_{\mathit{step}}(\emptyset) & \text{pick } y := b \\
& \Longleftrightarrow & b \in G_{\mathit{step}}(\{b\}) & \text{accumulate} \\
& \Longleftrightarrow & \exists y \in \{b\} \cup G_{\mathit{step}}(\{b\}).\, b \to y & \text{unfold} \\
& \Longleftarrow & d \in \{b\} \cup G_{\mathit{step}}(\{b\}) & \text{pick } y := d \\
& \Longleftrightarrow & d \in G_{\mathit{step}}(\{b\}) & \text{since } d \neq b \\
& \Longleftrightarrow & \exists y \in \{b\} \cup G_{\mathit{step}}(\{b\}).\, d \to y & \text{unfold} \\
& \Longleftarrow & b \in \{b\} \cup G_{\mathit{step}}(\{b\}) & \text{pick } y := b
\end{array}$$
Compositionality
$G$ supports a rely-guarantee proof rule:
$$\frac{g_1 \sqsubseteq G_f(r_1) \qquad r_1 \sqsubseteq r \sqcup g_2 \qquad g_2 \sqsubseteq G_f(r_2) \qquad r_2 \sqsubseteq r \sqcup g_1}{g_1 \sqcup g_2 \sqsubseteq G_f(r)}$$
Interderivable with the accumulation theorem.
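On the finite powerset lattice of the infinite-paths example, $G_f$ can simply be computed, so the four properties of parameterized coinduction and the rely-guarantee rule above can be checked exhaustively. This is an added example, not code from the paper or the Paco library; the graph's edges other than a → b, b → d and d → b are assumptions made here.

```python
from itertools import combinations

# Constructed graph for the talk's "infinite paths" example. The page only
# exhibits the edges a -> b, b -> d, d -> b; the other edges (and the absence
# of further ones) are assumptions made here so that the example runs.
NODES = frozenset("abcdef")
EDGES = {("a", "b"), ("b", "d"), ("d", "b"), ("a", "c"), ("c", "e"), ("e", "f")}

def step(X):
    """step(X) = {x in Node | exists y in X. x -> y}"""
    return frozenset(x for x, y in EDGES if y in X)

def nu(f, top=NODES):
    """Greatest fixed point of a monotone f on the finite powerset lattice:
    iterate f downward from the top element until the chain stabilises."""
    cur = top
    while (nxt := f(cur)) != cur:
        cur = nxt
    return cur

def G(f, x):
    """Parameterized greatest fixed point G_f(x) = nu y. f(x ⊔ y)."""
    return nu(lambda y: f(x | y))

def subsets(s=NODES):
    """All elements of the powerset lattice over s."""
    return [frozenset(c) for k in range(len(s) + 1) for c in combinations(sorted(s), k)]

def check_properties(f=step):
    """Exhaustively verify Initialize, Unfold and Accumulate for f on NODES."""
    if nu(f) != G(f, frozenset()):                       # Initialize
        return False
    for x in subsets():
        if G(f, x) != f(x | G(f, x)):                    # Unfold
            return False
        for y in subsets():
            if (y <= G(f, x)) != (y <= G(f, x | y)):     # Accumulate
                return False
    return True

def rely_guarantee(f, r, g1, r1, g2, r2):
    """Rely-guarantee rule: True when the four premises and the conclusion
    g1 ⊔ g2 ⊑ G_f(r) all hold."""
    premises = (g1 <= G(f, r1) and r1 <= r | g2 and
                g2 <= G(f, r2) and r2 <= r | g1)
    return premises and (g1 | g2) <= G(f, r)
```

`nu(step)` yields the postfixed point {a, b, d} the slides pick by hand, and `rely_guarantee(step, frozenset(), frozenset("b"), frozenset("d"), frozenset("d"), frozenset("b"))` shows b and d each guaranteeing themselves while relying on the other, with r = ∅.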
Coinduction in Coq
For every coinductive data type $A$, Coq provides
$$\mathit{cofix}_A : (A \to A) \to A$$
but checks that the argument to cofix is guarded, syntactically. (Otherwise, the rule is obviously unsound.)
Allows incremental proofs, but guardedness checks
- are restrictive
- are non-compositional
- are not user-friendly
- are very slow in large proofs
Paco: A Coq library for parameterized coinduction
- Implements parameterized greatest fixed points
- Provides the pcofix tactic: a replacement for Coq's cofix
- Ensures proofs are semantically guarded: no syntactic guardedness checks!
Freely available: http://plv.mpi-sws.org/paco/
What else is in the paper...
- More examples, simulations
- Integration with "up to" techniques
- Implementing parameterized coinduction in Coq
- Paco internals