Mercurial > cpdt > repo
changeset 12:bcf375310f5f
Squash book into main directory
author | Adam Chlipala <adamc@hcoop.net> |
---|---|
date | Wed, 03 Sep 2008 13:30:05 -0400 |
parents | b22369f7f0fe |
children | ea400f692b07 |
files | Makefile book/Makefile book/html/.dir book/latex/.dir book/src/Intro.v book/src/StackMachine.v book/src/Tactics.v html/.dir latex/.dir src/Intro.v src/StackMachine.v src/Tactics.v syllabus.txt |
diffstat | 9 files changed, 309 insertions(+), 354 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/Makefile Wed Sep 03 13:30:05 2008 -0400 @@ -0,0 +1,40 @@ +MODULES_NODOC := Tactics +MODULES_DOC := Intro StackMachine +MODULES := $(MODULES_NODOC) $(MODULES_DOC) +VS := $(MODULES:%=src/%.v) +VS_DOC := $(MODULES_DOC:%=%.v) +GLOBALS := .coq_globals + +.PHONY: coq clean doc dvi html + +coq: Makefile.coq + make -f Makefile.coq + +Makefile.coq: Makefile $(VS) + coq_makefile $(VS) \ + COQC = "coqc -I src -impredicative-set \ + -dump-glob $(GLOBALS)" \ + -o Makefile.coq + +clean:: Makefile.coq + make -f Makefile.coq clean + rm -f Makefile.coq .depend $(GLOBALS) \ + latex/*.sty latex/cpdt.* + +doc: latex/cpdt.dvi html + +latex/cpdt.tex: $(VS) + cd src ; coqdoc --latex $(VS_DOC) \ + -p "\usepackage{url}" -toc \ + -o ../latex/cpdt.tex + +latex/cpdt.dvi: latex/cpdt.tex + cd latex ; latex cpdt ; latex cpdt + +html: $(VS) + cd src ; coqdoc $(VS_DOC) -toc \ + --glob-from ../$(GLOBALS) \ + -d ../html + +dvi: + xdvi latex/cpdt
--- a/book/Makefile Mon Sep 01 09:27:25 2008 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,40 +0,0 @@ -MODULES_NODOC := Tactics -MODULES_DOC := Intro StackMachine -MODULES := $(MODULES_NODOC) $(MODULES_DOC) -VS := $(MODULES:%=src/%.v) -VS_DOC := $(MODULES_DOC:%=%.v) -GLOBALS := .coq_globals - -.PHONY: coq clean doc dvi html - -coq: Makefile.coq - make -f Makefile.coq - -Makefile.coq: Makefile $(VS) - coq_makefile $(VS) \ - COQC = "coqc -I src -impredicative-set \ - -dump-glob $(GLOBALS)" \ - -o Makefile.coq - -clean:: Makefile.coq - make -f Makefile.coq clean - rm -f Makefile.coq .depend $(GLOBALS) \ - latex/*.sty latex/cpdt.* - -doc: latex/cpdt.dvi html - -latex/cpdt.tex: $(VS) - cd src ; coqdoc --latex $(VS_DOC) \ - -p "\usepackage{url}" -toc \ - -o ../latex/cpdt.tex - -latex/cpdt.dvi: latex/cpdt.tex - cd latex ; latex cpdt ; latex cpdt - -html: $(VS) - cd src ; coqdoc $(VS_DOC) -toc \ - --glob-from ../$(GLOBALS) \ - -d ../html - -dvi: - xdvi latex/cpdt
--- a/book/src/Intro.v Mon Sep 01 09:27:25 2008 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,129 +0,0 @@ -(* Copyright (c) 2008, Adam Chlipala - * - * This work is licensed under a - * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 - * Unported License. - * The license text is available at: - * http://creativecommons.org/licenses/by-nc-nd/3.0/ - *) - -(** - -This work is licensed under a -Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 -Unported License. -The license text is available at: -%\begin{center} \url{http://creativecommons.org/licenses/by-nc-nd/3.0/} \end{center}% -#<a href="http://creativecommons.org/licenses/by-nc-nd/3.0/">http://creativecommons.org/licenses/by-nc-nd/3.0/</a># - -*) - - -(** * Whence This Book? *) - -(** - -We would all like to have programs check that our programs are correct. Due in no small part to some bold but unfulfilled promises in the history of computer science, today most people who write software, practitioners and academics alike, assume that the costs of formal program verification outweigh the associated benefits. The purpose of this book is to convince you that the technology of program verification is mature enough today that it makes sense to use it in a support role in many kinds of research projects in computer science. Beyond the convincing, I also want to provide a handbook on practical engineering of certified programs with the Coq proof assistant. - -There are a good number of (though definitely not "many") tools that are in wide use today for building machine-checked mathematical proofs and machine-certified programs. This is my attempt at an exhaustive list of interactive "proof assistants" satisfying a few criteria. First, the authors of each tool must intend for it to be put to use for software-related applications. Second, there must have been enough engineering effort put into the tool that someone not doing research on the tool itself would feel his time was well spent using it. A third criterion is more of an empirical validation of the second: the tool must have a significant user community outside of its own development team. - -% -\begin{tabular}{rl} -\textbf{ACL2} & \url{http://www.cs.utexas.edu/users/moore/acl2/} \\ -\textbf{Coq} & \url{http://coq.inria.fr/} \\ -\textbf{Isabelle/HOL} & \url{http://isabelle.in.tum.de/} \\ -\textbf{PVS} & \url{http://pvs.csl.sri.com/} \\ -\textbf{Twelf} & \url{http://www.twelf.org/} \\ -\end{tabular} -% -# -<table align="center"> -<tr><td align="right"><b>ACL2</b></td> <td><a href="http://www.cs.utexas.edu/users/moore/acl2/">http://www.cs.utexas.edu/users/moore/acl2/</a></td></tr> -<tr><td align="right"><b>Coq</b></td> <td><a href="http://coq.inria.fr/">http://coq.inria.fr/</a></td></tr> -<tr><td align="right"><b>Isabelle/HOL</b></td> <td><a href="http://isabelle.in.tum.de/">http://isabelle.in.tum.de/</a></td></tr> -<tr><td align="right"><b>PVS</b></td> <td><a href="http://pvs.csl.sri.com/">http://pvs.csl.sri.com/</a></td></tr> -<tr><td align="right"><b>Twelf</b></td> <td><a href="http://www.twelf.org/">http://www.twelf.org/</a></td></tr> -</table> -# - -Isabelle/HOL, implemented with the "proof assistant development framework" Isabelle, is the most popular proof assistant for the HOL logic. The other implementations of HOL can be considered equivalent for purposes of the discussion here. - -*) - - -(** * Why Coq? *) - -(** -This book is going to be about certified programming using Coq, and I am convinced that it is the best tool for the job. Coq has a number of very attractive properties, which I will summarize here, mentioning which of the other candidate tools lack each property. -*) - - -(** ** Based on a Higher-Order Functional Programming Language *) - -(** -There is no reason to give up the familiar comforts of functional programming when you start writing certified programs. All of the tools I listed are based on functional programming languages, which means you can use them without their proof-related aspects to write and run regular programs. - -ACL2 is notable in this field for having only a %\textit{%#<i>#first-order#</i>#%}% language at its foundation. That is, you cannot work with functions over functions and all those other treats that functional programmers love. By giving up this facility, ACL2 can make broader assumptions about how well its proof automation will work, but we can generally recover the same advantages in other proof assistants when we happen to be programming in first-order fragments. -*) - - -(** ** Dependent Types *) - -(** -A language of %\textit{%#<i>#dependent types#</i>#%}% may include references to programs inside of types. For instance, the type of an array might include a program expression giving the size of the array, making it possible to verify lack of out-of-bounds accesses statically. Dependent types can go even further than this, effectively capturing any correctness property in a type. For instance, later in this book, we will see how to give a Mini-ML compiler a type that guarantees that it maps well-typed source programs to well-typed target programs. - -ACL2 and HOL lack dependent types outright. PVS and Twelf each supports a different strict subset of Coq's dependent type language. Twelf's type language is restricted to a bare-bones, monomorphic lambda calculus, which places serious restrictions on how complicated %\textit{%#<i>#computations inside types#</i>#%}% can be. This restriction is important for the soundness argument behind Twelf's approach to representing and checking proofs. - -In contrast, PVS's dependent types are much more general, but they are squeezed inside the single mechanism of %\textit{%#<i>#subset types#</i>#%}%, where a normal type is refined by attaching a predicate over its elements. Each member of the subset type is an element of the base type that satisfies the predicate. - -Dependent types are not just useful because they help you express correctness properties in types. Dependent types also often let you write certified programs %\textit{%#<i>#without writing anything that looks like a proof#</i>#%}%. Even with subset types, which for many contexts can be used to express any relevant property with enough acrobatics, the human driving the proof assistant usually has to build some proofs explicitly. Writing formal proofs is hard, so we want to avoid it as far as possible, so dependent types are invaluable. - -*) - -(** ** An Easy-to-Check Kernel Proof Language *) - -(** -Scores of automated decision procedures are useful in practical theorem proving, but it is unfortunate to have to trust in the correct implementation of each procedure. Proof assistants satisfying the "de Bruijn criterion" may use complicated and extensible procedures to seek out proofs, but in the end they produce %\textit{%#<i>#proof terms#</i>#%}% in kernel languages. These core languages have feature complexity on par with what you find in proposals for formal foundations for mathematics. To believe a proof, we can ignore the possibility of bugs during %\textit{%#<i>#search#</i>#%}% and just rely on a (relatively small) proof-checking kernel that we apply to the %\textit{%#<i>#result#</i>#%}% of the search. - -ACL2 and PVS do not meet the de Bruijn criterion, employing fancy decision procedures that produce no "evidence trails" justifying their results. -*) - -(** ** Convenient Programmable Proof Automation *) - -(** -A commitment to a kernel proof language opens up wide possibilities for user extension of proof automation systems, without allowing user mistakes to trick the overall system into accepting invalid proofs. Almost any interesting verification problem is undecidable, so it is important to help users build their own procedures for solving the restricted problems that they encounter in particular implementations. - -Twelf features no proof automation marked as a bonafide part of the latest release; there is some code included for testing purposes. The Twelf style is based on writing out all proofs in full detail. Because Twelf is specialized to the domain of syntactic metatheory proofs about programming languages and logics, it is feasible to use it to write those kinds of proofs manually. Outside that domain, the lack of automation can be a serious obstacle to productivity. Most kinds of program verification fall outside Twelf's forte. - -Of the remaining tools, all can support user extension with new decision procedures by hacking directly in the tool's implementation language (such as OCaml for Coq). Since ACL2 and PVS do not satisfy the de Bruijn criterion, overall correctness is at the mercy of the authors of new procedures. - -Isabelle/HOL and Coq both support coding new proof manipulations in ML in ways that cannot lead to the acceptance of invalid proofs. Additionally, Coq includes a domain-specific language for coding decision procedures in normal Coq source code, with no need to break out into ML. This language is called Ltac, and I think of it as the unsung hero of the proof assistant world. Not only does Ltac prevent you from making fatal mistakes, it also includes a number of novel programming constructs which combine to make a "proof by decision procedure" style very pleasant. We will meet these features in the chapters to come. -*) - -(** ** Proof by Reflection *) - -(** -A surprising wealth of benefits follow from choosing a proof language that integrates a rich notion of computation. Coq includes programs and proof terms in the same syntactic class. This makes it easy to write programs that compute proofs. With rich enough dependent types, such programs are %\textit{%#<i>#certified decision procedures#</i>#%}%. In such cases, these certified procedures can be put to good use %\textit{%#<i>#without ever running them#</i>#%}%! Their types guarantee that, if we did bother to run them, we would receive proper "ground" proofs. - -The critical ingredient for this technique, many of whose instances are referred to as %\textit{%#<i>#proof by reflection#</i>#%}%, is a way of inducing non-trivial computation inside of logical propositions during proof checking. Further, most of these instances require dependent types to make it possible to state the appropriate theorems. Of the proof assistants I listed, only Coq really provides this support. -*) - - -(** * Engineering with a Proof Assistant *) - -(** -In comparisons with its competitors, Coq is often derided for promoting unreadable proofs. It is very easy to write proof scripts that manipulate proof goals imperatively, with no structure to aid readers. Such developments are nightmares to maintain, and they certainly do not manage to convey "why the theorem is true" to anyone but the original author. One additional (and not insignificant) purpose of this book is to show why it is unfair and unproductive to dismiss Coq based on the existence of such developments. - -I will go out on a limb and guess that the reader is a dedicated fan of some functional programming language or another, and that he may even have been involved in teaching that language to undergraduates. I want to propose an analogy between two attitudes: coming to a negative conclusion about Coq after reading common Coq developments in the wild, and coming to a negative conclusion about Your Favorite Language after looking at the programs undergraduates write in it in the first week of class. The pragmatics of mechanized proving and program verification have been under serious study for much less time than the pragmatics of programming have been. The computer theorem proving community is still developing the key insights that correspond to those that functional programming texts and instructors impart to their students, to help those students get over that critical hump where using the language stops being more trouble than it is worth. Most of the insights for Coq are barely even disseminated among the experts, let alone set down in a tutorial form. I hope to use this book to go a long way towards remedying that. - -If I do that job well, then this book should be of interest even to people who have participated in classes or tutorials specifically about Coq. The book should even be useful to people who have been using Coq for years but who are mystified when their Coq developments prove impenetrable by colleagues. The crucial angle in this book is that there are "design patterns" for reliably avoiding the really grungy parts of theorem proving, and consistent use of these patterns can get you over the hump to the point where it is worth your while to use Coq to prove your theorems and certify your programs, even if formal verification is not your main concern in a project. We will follow this theme by pursuing two main methods for replacing manual proofs with more understandable artifacts: dependently-typed functions and custom Ltac decision procedures. -*) - - -(** * Prerequisites for This Book *) - -(** -I try to keep the required background knowledge to a minimum in this book. I will assume familiarity with the material from usual discrete math and logic courses taken by all undergraduate computer science majors, and I will assume that readers have significant experience programming in one of the ML dialects, in Haskell, or in some other, closely-related language. Experience with only dynamically-typed functional languages might lead to befuddlement in some places, but a reader who has come to grok Scheme deeply will probably be fine. - -A good portion of the book is about how to formalize programming languages, compilers, and proofs about them. I depart significantly from today's most popular methodology for pencil-and-paper formalism among programming languages researchers. There is no need to be familiar with operational semantics, preservation and progress theorems, or any of the material found in courses on programming language semantics but not in basic discrete math and logic courses. I will use operational semantics very sparingly, and there will be no preservation or progress proofs. Instead, I will use a style that seems to work much better in Coq, which can be given the fancy-sounding name %\textit{%#<i>#foundational type-theoretic semantics#</i>#%}% or the more populist name %\textit{%#<i>#semantics by definitional compilers#</i>#%}%. -*)
--- a/book/src/StackMachine.v Mon Sep 01 09:27:25 2008 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,114 +0,0 @@ -(* Copyright (c) 2008, Adam Chlipala - * - * This work is licensed under a - * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 - * Unported License. - * The license text is available at: - * http://creativecommons.org/licenses/by-nc-nd/3.0/ - *) - -(* begin hide *) -Require Import List. - -Require Import Tactics. -(* end hide *) - - -(** * Arithmetic expressions over natural numbers *) - - (** ** Source language *) - -Inductive binop : Set := Plus | Times. - -Inductive exp : Set := -| Const : nat -> exp -| Binop : binop -> exp -> exp -> exp. - -Definition binopDenote (b : binop) : nat -> nat -> nat := - match b with - | Plus => plus - | Times => mult - end. - -Fixpoint expDenote (e : exp) : nat := - match e with - | Const n => n - | Binop b e1 e2 => (binopDenote b) (expDenote e1) (expDenote e2) - end. - - - (** ** Target language *) - -Inductive instr : Set := -| IConst : nat -> instr -| IBinop : binop -> instr. - -Definition prog := list instr. -Definition stack := list nat. - -Definition instrDenote (i : instr) (s : stack) : option stack := - match i with - | IConst n => Some (n :: s) - | IBinop b => - match s with - | arg1 :: arg2 :: s' => Some ((binopDenote b) arg1 arg2 :: s') - | _ => None - end - end. - -Fixpoint progDenote (p : prog) (s : stack) {struct p} : option stack := - match p with - | nil => Some s - | i :: p' => - match instrDenote i s with - | None => None - | Some s' => progDenote p' s' - end - end. - - - (** ** Translation *) - -Fixpoint compile (e : exp) : prog := - match e with - | Const n => IConst n :: nil - | Binop b e1 e2 => compile e2 ++ compile e1 ++ IBinop b :: nil - end. - - - (** ** Translation correctness *) - -Lemma compileCorrect' : forall e s p, progDenote (compile e ++ p) s = - progDenote p (expDenote e :: s). - induction e. - - intros. - unfold compile. - unfold expDenote. - simpl. - reflexivity. - - intros. - unfold compile. - fold compile. - unfold expDenote. - fold expDenote. - rewrite app_ass. - rewrite IHe2. - rewrite app_ass. - rewrite IHe1. - simpl. - reflexivity. -Abort. - -Lemma compileCorrect' : forall e s p, progDenote (compile e ++ p) s = - progDenote p (expDenote e :: s). - induction e; crush. -Qed. - -Theorem compileCorrect : forall e, progDenote (compile e) nil = Some (expDenote e :: nil). - intro. - rewrite (app_nil_end (compile e)). - rewrite compileCorrect'. - reflexivity. -Qed.
--- a/book/src/Tactics.v Mon Sep 01 09:27:25 2008 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,26 +0,0 @@ -(* Copyright (c) 2008, Adam Chlipala - * - * This work is licensed under a - * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 - * Unported License. - * The license text is available at: - * http://creativecommons.org/licenses/by-nc-nd/3.0/ - *) - -Require Import List. - - -Ltac rewriteHyp := - match goal with - | [ H : _ |- _ ] => rewrite H - end. - -Ltac rewriterP := repeat (rewriteHyp; autorewrite with cpdt in *). - -Ltac rewriter := autorewrite with cpdt in *; rewriterP. - -Hint Rewrite app_ass : cpdt. - -Ltac sintuition := simpl; intuition. - -Ltac crush := sintuition; rewriter; sintuition.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/Intro.v Wed Sep 03 13:30:05 2008 -0400 @@ -0,0 +1,129 @@ +(* Copyright (c) 2008, Adam Chlipala + * + * This work is licensed under a + * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 + * Unported License. + * The license text is available at: + * http://creativecommons.org/licenses/by-nc-nd/3.0/ + *) + +(** + +This work is licensed under a +Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 +Unported License. +The license text is available at: +%\begin{center} \url{http://creativecommons.org/licenses/by-nc-nd/3.0/} \end{center}% +#<a href="http://creativecommons.org/licenses/by-nc-nd/3.0/">http://creativecommons.org/licenses/by-nc-nd/3.0/</a># + +*) + + +(** * Whence This Book? *) + +(** + +We would all like to have programs check that our programs are correct. Due in no small part to some bold but unfulfilled promises in the history of computer science, today most people who write software, practitioners and academics alike, assume that the costs of formal program verification outweigh the associated benefits. The purpose of this book is to convince you that the technology of program verification is mature enough today that it makes sense to use it in a support role in many kinds of research projects in computer science. Beyond the convincing, I also want to provide a handbook on practical engineering of certified programs with the Coq proof assistant. + +There are a good number of (though definitely not "many") tools that are in wide use today for building machine-checked mathematical proofs and machine-certified programs. This is my attempt at an exhaustive list of interactive "proof assistants" satisfying a few criteria. First, the authors of each tool must intend for it to be put to use for software-related applications. Second, there must have been enough engineering effort put into the tool that someone not doing research on the tool itself would feel his time was well spent using it. A third criterion is more of an empirical validation of the second: the tool must have a significant user community outside of its own development team. + +% +\begin{tabular}{rl} +\textbf{ACL2} & \url{http://www.cs.utexas.edu/users/moore/acl2/} \\ +\textbf{Coq} & \url{http://coq.inria.fr/} \\ +\textbf{Isabelle/HOL} & \url{http://isabelle.in.tum.de/} \\ +\textbf{PVS} & \url{http://pvs.csl.sri.com/} \\ +\textbf{Twelf} & \url{http://www.twelf.org/} \\ +\end{tabular} +% +# +<table align="center"> +<tr><td align="right"><b>ACL2</b></td> <td><a href="http://www.cs.utexas.edu/users/moore/acl2/">http://www.cs.utexas.edu/users/moore/acl2/</a></td></tr> +<tr><td align="right"><b>Coq</b></td> <td><a href="http://coq.inria.fr/">http://coq.inria.fr/</a></td></tr> +<tr><td align="right"><b>Isabelle/HOL</b></td> <td><a href="http://isabelle.in.tum.de/">http://isabelle.in.tum.de/</a></td></tr> +<tr><td align="right"><b>PVS</b></td> <td><a href="http://pvs.csl.sri.com/">http://pvs.csl.sri.com/</a></td></tr> +<tr><td align="right"><b>Twelf</b></td> <td><a href="http://www.twelf.org/">http://www.twelf.org/</a></td></tr> +</table> +# + +Isabelle/HOL, implemented with the "proof assistant development framework" Isabelle, is the most popular proof assistant for the HOL logic. The other implementations of HOL can be considered equivalent for purposes of the discussion here. + +*) + + +(** * Why Coq? *) + +(** +This book is going to be about certified programming using Coq, and I am convinced that it is the best tool for the job. Coq has a number of very attractive properties, which I will summarize here, mentioning which of the other candidate tools lack each property. +*) + + +(** ** Based on a Higher-Order Functional Programming Language *) + +(** +There is no reason to give up the familiar comforts of functional programming when you start writing certified programs. All of the tools I listed are based on functional programming languages, which means you can use them without their proof-related aspects to write and run regular programs. + +ACL2 is notable in this field for having only a %\textit{%#<i>#first-order#</i>#%}% language at its foundation. That is, you cannot work with functions over functions and all those other treats that functional programmers love. By giving up this facility, ACL2 can make broader assumptions about how well its proof automation will work, but we can generally recover the same advantages in other proof assistants when we happen to be programming in first-order fragments. +*) + + +(** ** Dependent Types *) + +(** +A language of %\textit{%#<i>#dependent types#</i>#%}% may include references to programs inside of types. For instance, the type of an array might include a program expression giving the size of the array, making it possible to verify lack of out-of-bounds accesses statically. Dependent types can go even further than this, effectively capturing any correctness property in a type. For instance, later in this book, we will see how to give a Mini-ML compiler a type that guarantees that it maps well-typed source programs to well-typed target programs. + +ACL2 and HOL lack dependent types outright. PVS and Twelf each supports a different strict subset of Coq's dependent type language. Twelf's type language is restricted to a bare-bones, monomorphic lambda calculus, which places serious restrictions on how complicated %\textit{%#<i>#computations inside types#</i>#%}% can be. This restriction is important for the soundness argument behind Twelf's approach to representing and checking proofs. + +In contrast, PVS's dependent types are much more general, but they are squeezed inside the single mechanism of %\textit{%#<i>#subset types#</i>#%}%, where a normal type is refined by attaching a predicate over its elements. Each member of the subset type is an element of the base type that satisfies the predicate. + +Dependent types are not just useful because they help you express correctness properties in types. Dependent types also often let you write certified programs %\textit{%#<i>#without writing anything that looks like a proof#</i>#%}%. Even with subset types, which for many contexts can be used to express any relevant property with enough acrobatics, the human driving the proof assistant usually has to build some proofs explicitly. Writing formal proofs is hard, so we want to avoid it as far as possible, so dependent types are invaluable. + +*) + +(** ** An Easy-to-Check Kernel Proof Language *) + +(** +Scores of automated decision procedures are useful in practical theorem proving, but it is unfortunate to have to trust in the correct implementation of each procedure. Proof assistants satisfying the "de Bruijn criterion" may use complicated and extensible procedures to seek out proofs, but in the end they produce %\textit{%#<i>#proof terms#</i>#%}% in kernel languages. These core languages have feature complexity on par with what you find in proposals for formal foundations for mathematics. To believe a proof, we can ignore the possibility of bugs during %\textit{%#<i>#search#</i>#%}% and just rely on a (relatively small) proof-checking kernel that we apply to the %\textit{%#<i>#result#</i>#%}% of the search. + +ACL2 and PVS do not meet the de Bruijn criterion, employing fancy decision procedures that produce no "evidence trails" justifying their results. +*) + +(** ** Convenient Programmable Proof Automation *) + +(** +A commitment to a kernel proof language opens up wide possibilities for user extension of proof automation systems, without allowing user mistakes to trick the overall system into accepting invalid proofs. Almost any interesting verification problem is undecidable, so it is important to help users build their own procedures for solving the restricted problems that they encounter in particular implementations. + +Twelf features no proof automation marked as a bonafide part of the latest release; there is some code included for testing purposes. The Twelf style is based on writing out all proofs in full detail. Because Twelf is specialized to the domain of syntactic metatheory proofs about programming languages and logics, it is feasible to use it to write those kinds of proofs manually. Outside that domain, the lack of automation can be a serious obstacle to productivity. Most kinds of program verification fall outside Twelf's forte. + +Of the remaining tools, all can support user extension with new decision procedures by hacking directly in the tool's implementation language (such as OCaml for Coq). Since ACL2 and PVS do not satisfy the de Bruijn criterion, overall correctness is at the mercy of the authors of new procedures. + +Isabelle/HOL and Coq both support coding new proof manipulations in ML in ways that cannot lead to the acceptance of invalid proofs. Additionally, Coq includes a domain-specific language for coding decision procedures in normal Coq source code, with no need to break out into ML. This language is called Ltac, and I think of it as the unsung hero of the proof assistant world. Not only does Ltac prevent you from making fatal mistakes, it also includes a number of novel programming constructs which combine to make a "proof by decision procedure" style very pleasant. We will meet these features in the chapters to come. +*) + +(** ** Proof by Reflection *) + +(** +A surprising wealth of benefits follow from choosing a proof language that integrates a rich notion of computation. Coq includes programs and proof terms in the same syntactic class. This makes it easy to write programs that compute proofs. With rich enough dependent types, such programs are %\textit{%#<i>#certified decision procedures#</i>#%}%. In such cases, these certified procedures can be put to good use %\textit{%#<i>#without ever running them#</i>#%}%! Their types guarantee that, if we did bother to run them, we would receive proper "ground" proofs. + +The critical ingredient for this technique, many of whose instances are referred to as %\textit{%#<i>#proof by reflection#</i>#%}%, is a way of inducing non-trivial computation inside of logical propositions during proof checking. Further, most of these instances require dependent types to make it possible to state the appropriate theorems. Of the proof assistants I listed, only Coq really provides this support. +*) + + +(** * Engineering with a Proof Assistant *) + +(** +In comparisons with its competitors, Coq is often derided for promoting unreadable proofs. It is very easy to write proof scripts that manipulate proof goals imperatively, with no structure to aid readers. Such developments are nightmares to maintain, and they certainly do not manage to convey "why the theorem is true" to anyone but the original author. One additional (and not insignificant) purpose of this book is to show why it is unfair and unproductive to dismiss Coq based on the existence of such developments. + +I will go out on a limb and guess that the reader is a dedicated fan of some functional programming language or another, and that he may even have been involved in teaching that language to undergraduates. I want to propose an analogy between two attitudes: coming to a negative conclusion about Coq after reading common Coq developments in the wild, and coming to a negative conclusion about Your Favorite Language after looking at the programs undergraduates write in it in the first week of class. The pragmatics of mechanized proving and program verification have been under serious study for much less time than the pragmatics of programming have been. The computer theorem proving community is still developing the key insights that correspond to those that functional programming texts and instructors impart to their students, to help those students get over that critical hump where using the language stops being more trouble than it is worth. Most of the insights for Coq are barely even disseminated among the experts, let alone set down in a tutorial form. I hope to use this book to go a long way towards remedying that. + +If I do that job well, then this book should be of interest even to people who have participated in classes or tutorials specifically about Coq. The book should even be useful to people who have been using Coq for years but who are mystified when their Coq developments prove impenetrable by colleagues. The crucial angle in this book is that there are "design patterns" for reliably avoiding the really grungy parts of theorem proving, and consistent use of these patterns can get you over the hump to the point where it is worth your while to use Coq to prove your theorems and certify your programs, even if formal verification is not your main concern in a project. We will follow this theme by pursuing two main methods for replacing manual proofs with more understandable artifacts: dependently-typed functions and custom Ltac decision procedures. +*) + + +(** * Prerequisites for This Book *) + +(** +I try to keep the required background knowledge to a minimum in this book. I will assume familiarity with the material from usual discrete math and logic courses taken by all undergraduate computer science majors, and I will assume that readers have significant experience programming in one of the ML dialects, in Haskell, or in some other, closely-related language. Experience with only dynamically-typed functional languages might lead to befuddlement in some places, but a reader who has come to grok Scheme deeply will probably be fine. + +A good portion of the book is about how to formalize programming languages, compilers, and proofs about them. I depart significantly from today's most popular methodology for pencil-and-paper formalism among programming languages researchers. There is no need to be familiar with operational semantics, preservation and progress theorems, or any of the material found in courses on programming language semantics but not in basic discrete math and logic courses. I will use operational semantics very sparingly, and there will be no preservation or progress proofs. Instead, I will use a style that seems to work much better in Coq, which can be given the fancy-sounding name %\textit{%#<i>#foundational type-theoretic semantics#</i>#%}% or the more populist name %\textit{%#<i>#semantics by definitional compilers#</i>#%}%. +*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/StackMachine.v Wed Sep 03 13:30:05 2008 -0400 @@ -0,0 +1,114 @@ +(* Copyright (c) 2008, Adam Chlipala + * + * This work is licensed under a + * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 + * Unported License. + * The license text is available at: + * http://creativecommons.org/licenses/by-nc-nd/3.0/ + *) + +(* begin hide *) +Require Import List. + +Require Import Tactics. +(* end hide *) + + +(** * Arithmetic expressions over natural numbers *) + + (** ** Source language *) + +Inductive binop : Set := Plus | Times. + +Inductive exp : Set := +| Const : nat -> exp +| Binop : binop -> exp -> exp -> exp. + +Definition binopDenote (b : binop) : nat -> nat -> nat := + match b with + | Plus => plus + | Times => mult + end. + +Fixpoint expDenote (e : exp) : nat := + match e with + | Const n => n + | Binop b e1 e2 => (binopDenote b) (expDenote e1) (expDenote e2) + end. + + + (** ** Target language *) + +Inductive instr : Set := +| IConst : nat -> instr +| IBinop : binop -> instr. + +Definition prog := list instr. +Definition stack := list nat. + +Definition instrDenote (i : instr) (s : stack) : option stack := + match i with + | IConst n => Some (n :: s) + | IBinop b => + match s with + | arg1 :: arg2 :: s' => Some ((binopDenote b) arg1 arg2 :: s') + | _ => None + end + end. + +Fixpoint progDenote (p : prog) (s : stack) {struct p} : option stack := + match p with + | nil => Some s + | i :: p' => + match instrDenote i s with + | None => None + | Some s' => progDenote p' s' + end + end. + + + (** ** Translation *) + +Fixpoint compile (e : exp) : prog := + match e with + | Const n => IConst n :: nil + | Binop b e1 e2 => compile e2 ++ compile e1 ++ IBinop b :: nil + end. + + + (** ** Translation correctness *) + +Lemma compileCorrect' : forall e s p, progDenote (compile e ++ p) s = + progDenote p (expDenote e :: s). + induction e. + + intros. + unfold compile. + unfold expDenote. + simpl. + reflexivity. + + intros. + unfold compile. + fold compile. + unfold expDenote. + fold expDenote. + rewrite app_ass. + rewrite IHe2. + rewrite app_ass. + rewrite IHe1. + simpl. + reflexivity. +Abort. + +Lemma compileCorrect' : forall e s p, progDenote (compile e ++ p) s = + progDenote p (expDenote e :: s). + induction e; crush. +Qed. + +Theorem compileCorrect : forall e, progDenote (compile e) nil = Some (expDenote e :: nil). + intro. + rewrite (app_nil_end (compile e)). + rewrite compileCorrect'. + reflexivity. +Qed.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/Tactics.v Wed Sep 03 13:30:05 2008 -0400 @@ -0,0 +1,26 @@ +(* Copyright (c) 2008, Adam Chlipala + * + * This work is licensed under a + * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 + * Unported License. + * The license text is available at: + * http://creativecommons.org/licenses/by-nc-nd/3.0/ + *) + +Require Import List. + + +Ltac rewriteHyp := + match goal with + | [ H : _ |- _ ] => rewrite H + end. + +Ltac rewriterP := repeat (rewriteHyp; autorewrite with cpdt in *). + +Ltac rewriter := autorewrite with cpdt in *; rewriterP. + +Hint Rewrite app_ass : cpdt. + +Ltac sintuition := simpl; intuition. + +Ltac crush := sintuition; rewriter; sintuition.
--- a/syllabus.txt Mon Sep 01 09:27:25 2008 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,45 +0,0 @@ -========================================== -Certified Programming with Dependent Types -========================================== - -This class is about building programs with machine-checked proofs of functional correctness. Techniques like model checking enable mostly-automated verification of shallow properties of deep programs. Our focus in this class will be on verifying deep properties of small- to medium-sized programs, using interactive proof assistants. In particular, we will focus on the Coq proof assistant, which, together with its associated tools, serves as a (perhaps surprisingly, to most people) quite mature development environment for programming with specifications. The goal of this class is to convince you that you (yes, you!) can start using Coq today to build verified programs, with an increase in effort over traditional programming that is justified by the formal correctness theorems you end up with. - -The focus of the class will be on engineering best practices for certified programming and interactive theorem proving. Just what these practices are is far from a settled question, but we'll do our best to maximize programmer/prover productivity and promote readability and maintainability of the results. We plan to push one particular recipe for this that almost no one is using yet: dependent types plus custom-tailored proof automation. - -Dependent type systems allow types that refer to programs. The possibilities of this idea are pretty mind-boggling, ranging from assigning array deference a type guaranteeing no out-of-bounds references, to assigning a compiler a type that guarantees that its output programs have the same observable behavior as its input programs. Putting dependent types to use requires a lot of theory, a lot of tool construction, and a good amount of experience with basic "design patterns." Luckily for us, Coq already provides the first two. One of the big aims of this class is to provide the third. - -With dependent types, you can often "prove" important properties of your programs with almost no additional effort beyond writing the program normally, when you manage to find appropriate dependent types to assign. When this works, what you've discovered is that there is a correctness proof that mirrors the structure of your program. For many interesting verification problems, no such proofs exist. For instance, a compiler correctness proof must follow the structure of program executions, which may follow neither the structure of the compiler nor the structure of the programs it processes. - -Coq provides a very general "proof script" facility for writing out manual proofs of such theorems. It's a safe approximation to say that any mathematical proof can be formalized in this way. Most of the current and historical work with proof assistants for higher-order languages has used very manual proof approaches. With proof assistants like Coq and Isabelle/HOL, we have "proof by video game," where the human prover alternates between reading dumps of proof state and entering short commands to simplify the goal. The final results tend to be impossible to understand without replaying the proof step by step. With proof assistants like Twelf, the situation is worse for initial proving, as the proofs people write in practice are essentially isomorphic to formal natural deduction proofs in full gory detail. The results are more structured and thus more readable in that sense, but the extreme level of detail can be just as confusion-inducing as extreme lack of structure. - -In this class, we'll focus instead on a style that we call "proof by decision procedure." Coq includes a Turing-complete language for writing programs that manipulate proof states, such that, by construction, one of these programs can never claim to have proved a goal when it really hasn't. We will show how many examples of certified programming can be completed by writing custom decision procedures that are robust to changes in program implementation and specification. Proofs in this style are naturally decomposed into pieces that can be read and understood in isolation, free of deep hierarchical structure, a major victory for maintainability. - -We expect to spend almost all of class time on example programs and proofs, with the class working together to build the solutions in a live Coq environment. We'll draw examples from a variety of domains, based on audience interest. We'll probably spend a good amount of time on applications related to certified programming language tools, since they provide a great stress test for reasoning about programs with complicated specifications, and also because the instructor thinks they're cool. We also hope to spend a lot of the class on case studies suggested by participants based on their own research and other interests. - - -================================================ -Topics to cover in whole class periods or longer -================================================ - -* A simple compiler from a binder-free language to a stack machine, and its mostly-automated proof -* Crash course on basic tactics for manual proofs -* Crash course on induction and its pitfalls in Coq -* Infinite data objects and proofs via co-inductive types -* Programming with subset types and refinement -* Introduction to more dependent types -* Alternatives for defining dependent datatypes -* Introduction to Ltac, Coq's Turing-complete tactic language -* Pattern matching and backtracking in Coq tactics -* Proof by reflection (AKA putting certified decision procedures to work) -* Proving things about programs that use type equality proofs -* Techniques for representing variable binders - * First-order techniques: concrete names, De Bruijn indices, locally nameless - * Higher-order abstract syntax, and how to get most of its benefits in Coq -* Language semantics by definitional compilers -* Building certified program transformations - * Extensional transformations, e.g., CPS conversion - * Intensional transformations, e.g., closure conversion -* Semantics and certified transformations for languages with general recursion and side effects -* Ynot: Imperative programming with specifications in Coq - -* Student project presentations