# Library Intro

# Whence This Book?

*certified program*features prominently in this book's title. Here the word "certified" does

*not*refer to governmental rules for how the reliability of engineered systems may be demonstrated to sufficiently high standards. Rather, this concept of certification, a standard one in the programming languages and formal methods communities, has to do with the idea of a

*certificate*, or formal mathematical artifact proving that a program meets its specification. Government certification procedures rarely provide strong mathematical guarantees, while certified programming provides guarantees about as strong as anything we could hope for. We trust the definition of a foundational mathematical logic, we trust an implementation of that logic, and we trust that we have encoded our informal intent properly in formal specifications, but few other opportunities remain to certify incorrect software. For compilers and other programs that run in batch mode, the notion of a

*certifying*program is also common, where each run of the program outputs both an answer and a proof that the answer is correct. Any certifying program can be composed with a proof checker to produce a certified program, and this book focuses on the certified case, while also introducing principles and techniques of general interest for stating and proving theorems in Coq.

ACL2 | http://www.cs.utexas.edu/users/moore/acl2/ |

Coq | http://coq.inria.fr/ |

Isabelle/HOL | http://isabelle.in.tum.de/ |

PVS | http://pvs.csl.sri.com/ |

Twelf | http://www.twelf.org/ |

# Why Coq?

## Based on a Higher-Order Functional Programming Language

*first-order*language at its foundation. That is, you cannot work with functions over functions and all those other treats of functional programming. By giving up this facility, ACL2 can make broader assumptions about how well its proof automation will work, but we can generally recover the same advantages in other proof assistants when we happen to be programming in first-order fragments.

## Dependent Types

*dependent types*may include references to programs inside of types. For instance, the type of an array might include a program expression giving the size of the array, making it possible to verify absence of out-of-bounds accesses statically. Dependent types can go even further than this, effectively capturing any correctness property in a type. For instance, later in this book, we will see how to give a compiler a type that guarantees that it maps well-typed source programs to well-typed target programs.

*computations inside types*can be. This restriction is important for the soundness argument behind Twelf's approach to representing and checking proofs.

*subset types*, where a normal type is refined by attaching a predicate over its elements. Each member of the subset type is an element of the base type that satisfies the predicate. Chapter 6 of this book introduces that style of programming in Coq, while the remaining chapters of Part II deal with features of dependent typing in Coq that go beyond what PVS supports.

*without writing anything that looks like a proof*. Even with subset types, which for many contexts can be used to express any relevant property with enough acrobatics, the human driving the proof assistant usually has to build some proofs explicitly. Writing formal proofs is hard, so we want to avoid it as far as possible. Dependent types are invaluable for this purpose.

## An Easy-to-Check Kernel Proof Language

*proof terms*in small kernel languages, even when they use complicated and extensible procedures to seek out proofs in the first place. These core languages have feature complexity on par with what you find in proposals for formal foundations for mathematics (e.g., ZF set theory). To believe a proof, we can ignore the possibility of bugs during

*search*and just rely on a (relatively small) proof-checking kernel that we apply to the

*result*of the search.

*strategies*that implement fancier proof procedures in terms of a set of primitive proof steps, where the primitive steps are less primitive than in Coq. For instance, a propositional tautology solver is included as a primitive, so it is a question of taste whether such a system meets the de Bruijn criterion. The HOL implementations meet the de Bruijn criterion more manifestly; for Twelf, the situation is murkier.

## Convenient Programmable Proof Automation

## Proof by Reflection

*certified decision procedures*. In such cases, these certified procedures can be put to good use

*without ever running them*! Their types guarantee that, if we did bother to run them, we would receive proper "ground" proofs.

*proof by reflection*, is a way of inducing non-trivial computation inside of logical propositions during proof checking. Further, most of these instances require dependent types to make it possible to state the appropriate theorems. Of the proof assistants I listed, only Coq really provides support for the type-level computation style of reflection, though PVS supports very similar functionality via refinement types.

# Why Not a Different Dependently Typed Language?

# Engineering with a Proof Assistant

# Prerequisites

*Types and Programming Languages*, by Benjamin C. Pierce; however, I have tried to choose examples so that they may be understood without background in semantics.

# Using This Book

There is also an online HTML version available, which of course also provides hyperlinks:http://adam.chlipala.net/cpdt/cpdt.pdf

The source code to the book is also freely available at:http://adam.chlipala.net/cpdt/html/toc.html

http://adam.chlipala.net/cpdt/cpdt.tgz

`templates`for building a fresh set of class template files automatically from the book source.

## Reading This Book

## On the Tactic Library

*tactics*, or programs that find proofs, since the built-in Coq tactics do not support a high enough level of automation. I use these tactics even from the first chapter with code examples.

`CpdtTactics.v`. I implement a new tactic library for each new project, since each project involves a different mix of undecidable theories where a different set of heuristics turns out to work well; and that is what I recommend others do, too.

## Installation and Emacs Set-Up

*earlier*versions.

- Get the book source from
`http://adam.chlipala.net/cpdt/cpdt.tgz` - Unpack the tarball to some directory
`DIR`. - Run
`make`in`DIR`(ideally with a`-j`flag to use multiple processor cores, if you have them). - There are some minor headaches associated with getting Proof General to pass the proper command line arguments to the
`coqtop`program, which provides the interactive Coq toplevel. One way to add settings that will be shared by many source files is to add a custom variable setting to your`.emacs`file, like this:(custom-set-variables ... '(coq-prog-args '("-I" "DIR/src")) ... )

The extra arguments demonstrated here are the proper choices for working with the code for this book. The ellipses stand for other Emacs customization settings you may already have. It can be helpful to save several alternate sets of flags in your`.emacs`file, with all but one commented out within the`custom-set-variables`block at any given time.`.dir-locals.el`file in the directory of the source files for which you want the settings to apply. Here is an example that could be written in such a file to enable use of the book source. Note the need to include an argument that starts Coq in Emacs support mode.((coq-mode . ((coq-prog-args . ("-emacs-U" "-I" "DIR/src")))))

`coqtop`with the command-line argument

`-I DIR/src`. If you have installed Proof General properly, the Coq mode should start automatically when you visit a

`.v`buffer in Emacs, and the above advice on

`.emacs`settings should ensure that the proper arguments are passed to

`coqtop`by Emacs.