(credits: Benjamin Gregoire)
- What is Coq?
  - A programming language
  - A proof development tool
- Why do we use Coq?
  - To develop software without errors (CompCert)
  - To develop mathematical proofs (Four Colors Theorem)
  - To use the computer to verify that all details are right
- How does one use Coq?
  - Describe four components: the data, the operations, the properties, the proofs
Describing the data
- Case-based
  - show all possible cases for the data
  - a finite number of different cases (bool, disjoint sum)
- Structured
  - each case has all the components needed in the data (product)
- Sometimes recursive
  - recognize repetition to tame infinite datatypes (list)
- Theoretical foundation: algebraic datatypes, term algebras, cartesian products, disjoint sums, least and greatest fixed points
Describing the operations
- Functional programming: each operation is described as a function
  - Map inputs to outputs, do not modify
  - Programming guided by the cases from data-types
- Avoid undefined values
  - all cases must be covered
  - guaranteed termination of computations
  - safer programming
Describing the properties
- A predefined language for logic: and, or, forall, exists
- Possibility to express consistency between several functions
  - example: whenever f(x) is true, g(x) is a prime number
- A general scheme to define new predicates: inductive predicates
  - example: the set of even numbers is the least set E so that 0 ∈ E and x ∈ E → x + 2 ∈ E
  - foundation: least fixed points
Proving properties of programs
- Decompose a logical formula into simpler ones
- Goal oriented approach, backward reasoning
  - Consider a goal P(a),
  - Suppose there is a theorem ∀x, Q(x) ∧ R(x) → P(x)
  - By choosing to apply this theorem, get two new goals: Q(a) and R(a)
- The system makes sure no condition is overlooked
- A collection of tools specialized for a variety of situations
  - Handle equalities (rewriting), induction, numeric computation, function definitions, etc.
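The backward step described above, written out in Coq as an added illustration (not part of the slides): P, Q, R, the theorem thm and the goal are stand-ins declared in a Section.

```coq
Section BackwardReasoning.
  Variable A : Type.
  Variables P Q R : A -> Prop.
  (* the theorem the slide supposes: forall x, Q x /\ R x -> P x *)
  Hypothesis thm : forall x, Q x /\ R x -> P x.

  Lemma goal_Pa : forall a, Q a -> R a -> P a.
  Proof.
    intros a HQ HR.
    (* backward step: applying thm replaces the goal P a by Q a /\ R a *)
    apply thm.
    (* split produces the two new goals Q a and R a; Coq insists both be closed *)
    split.
    - exact HQ.
    - exact HR.
  Qed.
End BackwardReasoning.
```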
A commented example on sorting: the data

Require Import ZArith.  (* Z and Zle_bool come from the ZArith library *)

Inductive listZ : Type :=
  nilZ | consZ (hd : Z) (tl : listZ).
Notation "hd :: tl" := (consZ hd tl).

The operations

(* insert x l: put x just before the first element that is not smaller than x *)
Fixpoint insert (x : Z) (l : listZ) :=
  match l with
  | nilZ => x::nilZ
  | hd::tl =>
    if Zle_bool x hd then x::l else hd::insert x tl
  end.

(* sort l: insert each element, in turn, into the already sorted tail *)
Fixpoint sort l :=
  match l with
  | nilZ => nilZ
  | hd::tl => insert hd (sort tl)
  end.
The properties
- Have a property sorted to express that a list is sorted
- Have a property permutation l1 l2

Definition permutation l1 l2 :=
  forall x, count x l1 = count x l2.

- assuming the existence of a function count
Proving the properties
Two categories of statements:
- General theory about the properties (statements that do not mention the algorithm being proved)
  - ∀x y l, sorted (x::y::l) → x ≤ y
  - transitive(permutation)
- Specific theory about the properties being proved
  - ∀x l, sorted l → sorted(insert x l)
  - ∀x l, permutation (x::l) (insert x l)
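An added, self-contained version of the sorting development (not the slide author's code): it supplies the count function and the sorted predicate the slides assume, uses Z.leb (the current name of Zle_bool), puts the :: notation in its own scope so it cannot clash with Coq's list notation, and proves both general statements and the permutation statement listed above; the lemma sorted (insert x l) is left as stated on the slide.

```coq
Require Import ZArith.
Open Scope Z_scope.

Inductive listZ : Type := nilZ | consZ (hd : Z) (tl : listZ).
(* own scope for the notation: avoids a clash with Coq's list notation *)
Declare Scope listZ_scope.
Notation "hd :: tl" := (consZ hd tl) (at level 60, right associativity) : listZ_scope.
Open Scope listZ_scope.

Fixpoint insert (x : Z) (l : listZ) :=
  match l with
  | nilZ => x :: nilZ
  | hd :: tl => if Z.leb x hd then x :: l else hd :: insert x tl
  end.

(* count x l: number of occurrences of x in l, the function the slide assumes *)
Fixpoint count (x : Z) (l : listZ) : nat :=
  match l with
  | nilZ => 0%nat
  | hd :: tl => if Z.eqb x hd then S (count x tl) else count x tl
  end.

Definition permutation l1 l2 := forall x, count x l1 = count x l2.

(* sorted as an inductive predicate: the least set closed under these three rules *)
Inductive sorted : listZ -> Prop :=
| sorted_nil : sorted nilZ
| sorted_one : forall x, sorted (x :: nilZ)
| sorted_cons : forall x y l, x <= y -> sorted (y :: l) -> sorted (x :: y :: l).

(* General theory: these statements never mention insert or sort *)
Lemma sorted_head : forall x y l, sorted (x :: y :: l) -> x <= y.
Proof. intros x y l H; inversion H; subst; assumption. Qed.

Lemma permutation_trans : forall l1 l2 l3,
  permutation l1 l2 -> permutation l2 l3 -> permutation l1 l3.
Proof. unfold permutation; intros l1 l2 l3 H12 H23 x; rewrite H12; apply H23. Qed.

(* Specific theory: insert preserves every count, hence yields a permutation *)
Lemma insert_count : forall x y l, count y (insert x l) = count y (x :: l).
Proof.
  intros x y l; induction l as [| hd tl IH]; simpl.
  - reflexivity.
  - destruct (Z.leb x hd); simpl.
    + reflexivity.
    + rewrite IH; simpl; destruct (Z.eqb y hd), (Z.eqb y x); reflexivity.
Qed.

Lemma insert_perm : forall x l, permutation (x :: l) (insert x l).
Proof. unfold permutation; intros x l y; symmetry; apply insert_count. Qed.
```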
First steps in Coq
- Write a comment: "open parenthesis-star", "star-close parenthesis"
- Give a name to an expression
- Verify that an expression is well-formed
- Compute a value

Defining functions
- Expressions that depend on a variable
The type of values
- The command Check is used to verify that an expression is well-formed
  - It returns the type of this expression
  - The type says in which context the expression can be used
The type of functions
- The value add3 is not a natural number
- The value add3 is a function
  - It expects a natural number as input
  - It outputs a natural number
Applying functions
- Function application is written only by juxtaposition
  - Parentheses are not mandatory
Functions with several arguments
- At definition time, just use several variables
- Function with one argument that returns a function.
Anonymous functions
- Functions can be built without a name
- Construct well-formed expressions containing a variable, with a header
- This is called an abstraction
- The new expression is a function, usable like add3 or s3 2 1
Functions are values
- The value add3 2 is a natural number,
- The value s3 2 is a function,
- The value s3 2 1 is a function, like add3

Function arguments
- Functions can also expect functions as argument (higher order)
Type verification strategy (function application)
- Function application is well-formed if types match:
  - Assume a function f has type A -> B
  - Assume a value a has type A
  - then the expression f a is well-formed and has type B
Type verification strategy (abstraction)
- An anonymous function is well-formed if the body is well-formed
  - add the assumption that the variable has the input type
  - add the argument type in the result
- Example, verify: fun x : nat => x + 3
  - x + 3 is well-formed when x has type nat, and has type nat
  - Result: fun x : nat => x + 3 has type nat -> nat
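The first steps above, as an added Coq session that is not from the slides: the definitions of add3 and s3 are assumptions chosen to match the types the slides give them, and twice is an added higher-order function.

```coq
(* Comments are written between open parenthesis-star and star-close parenthesis. *)

(* Give a name to an expression that depends on a variable (assumed definition). *)
Definition add3 (x : nat) := x + 3.

(* Check verifies that an expression is well-formed and returns its type:
   add3 is a function, add3 2 is a natural number. *)
Check add3.
Check add3 2.

(* Compute evaluates an expression to a value. *)
Compute add3 2.

(* Several arguments: a function of one argument that returns a function,
   so s3 2 is still a function, and s3 2 1 is a function like add3. *)
Definition s3 (x y z : nat) := x + y + z.
Check s3.
Check s3 2.
Check s3 2 1.

(* An anonymous function (abstraction): the header "fun x : nat =>" adds the
   assumption x : nat while the body x + 3 is checked. *)
Check (fun x : nat => x + 3).
Compute (fun x : nat => x + 3) 2.

(* Functions are values: twice expects a function as argument (higher order).
   twice add3 is well-formed because add3 has the input type nat -> nat
   that twice expects, and application is written by juxtaposition. *)
Definition twice (f : nat -> nat) (x : nat) := f (f x).
Check twice.
Check twice add3.
Compute twice add3 1.
Compute twice (s3 2 1) 0.
```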
A few datatypes
- An introduction to some of the pre-defined parts of Coq
  - Grouping objects together: tuples
  - Natural numbers and the basic operations
  - Boolean values and the basic tests on numbers

Putting data together
- Grouping several pieces of data: tuples,
- fetching individual components: pattern-matching,
Numbers
- As in programming languages, several types to represent numbers
  - natural numbers (non-negative), relative integers, more efficient representations
  - Need to load the corresponding libraries
- Same notations for several types of numbers: need to choose a scope
- By default: natural numbers
  - Good properties to learn about proofs
  - Not adapted for efficient computation

Focus on natural numbers
Require Import Arith.
Open Scope nat_scope.
Boolean values
- Values true and false
- Usable in if .. then .. else .. statements
- comparison functions provided for numbers
- To find them: use the command Search bool
- Or SearchPattern (nat -> nat -> bool)
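An added example (not from the slides) covering the datatypes section: number scopes, a tuple taken apart by pattern-matching, boolean tests on numbers, and the two search commands; swap, order and between are names chosen here.

```coq
Require Import Arith ZArith.
Open Scope nat_scope.

(* Several number types share the same notations: a scope key picks the type.
   Without a key, nat_scope (opened above) is used. *)
Check (3 + 4).
Check (3 + 4)%Z.
(* nat has no negative numbers, so its subtraction is truncated, unlike Z *)
Compute (3 - 4).
Compute (3 - 4)%Z.

(* Grouping data: a tuple, with components fetched by pattern-matching *)
Definition swap (p : nat * nat) : nat * nat :=
  match p with
  | (a, b) => (b, a)
  end.

(* Boolean values: comparison functions on numbers return true or false,
   usable in if .. then .. else .. *)
Definition order (p : nat * nat) : nat * nat :=
  match p with
  | (a, b) => if Nat.leb a b then (a, b) else (b, a)
  end.

(* Boolean connectives combine the tests (andb: both must hold) *)
Definition between (lo hi n : nat) : bool := andb (Nat.leb lo n) (Nat.leb n hi).

Compute swap (1, 2).
Compute order (5, 3).
Compute between 1 10 7.

(* Finding the comparison functions the library provides *)
Search bool.
SearchPattern (nat -> nat -> bool).
```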