Mechanized Ramification
Wang Shengyi, joint work with Aquinas Hobor
National University of Singapore
April 17, 2015
Wang Shengyi (NUS) Mechanized Ramification April 17, 2015 1 / 43
Overview
(Overview diagram with the nodes "My Work", "Ramification", "Mechanized Semantic Library", "Separation Logic", "Coq" and "Hoare Logic", and edges labelled "Formalizing".)
Related Works: Hoare Logic
Hoare Triple
$$\{P\}\ C\ \{Q\}$$
Hoare Logic Rules
$$\{P\}\ \mathsf{skip}\ \{P\} \qquad \{P[E/x]\}\ x := E\ \{P\} \qquad \frac{\{P\}\ S\ \{Q\} \quad \{Q\}\ T\ \{R\}}{\{P\}\ S;T\ \{R\}}$$
$$\frac{\{B \wedge P\}\ S\ \{Q\} \quad \{\neg B \wedge P\}\ T\ \{Q\}}{\{P\}\ \mathsf{if}\ B\ \mathsf{then}\ S\ \mathsf{else}\ T\ \mathsf{endif}\ \{Q\}} \qquad \frac{P_1 \Rightarrow P_2 \quad \{P_2\}\ S\ \{Q_2\} \quad Q_2 \Rightarrow Q_1}{\{P_1\}\ S\ \{Q_1\}}$$
$$\frac{\{P \wedge B\}\ S\ \{P\}}{\{P\}\ \mathsf{while}\ B\ \mathsf{do}\ S\ \mathsf{done}\ \{\neg B \wedge P\}}$$
Example I
$$\{x + 1 \le 10\}\ x := x + 1\ \{x \le 10\} \qquad \text{by } \{P[E/x]\}\ x := E\ \{P\}$$
$$\{x \le 10 \wedge x < 10\}\ x := x + 1\ \{x \le 10\} \qquad \text{by } \frac{P_1 \Rightarrow P_2 \quad \{P_2\}\ S\ \{Q_2\} \quad Q_2 \Rightarrow Q_1}{\{P_1\}\ S\ \{Q_1\}}$$
$$\{x \le 10\}\ \mathsf{while}\ x < 10\ \mathsf{do}\ x := x + 1\ \mathsf{done}\ \{\neg x < 10 \wedge x \le 10\} \qquad \text{by } \frac{\{P \wedge B\}\ S\ \{P\}}{\{P\}\ \mathsf{while}\ B\ \mathsf{do}\ S\ \mathsf{done}\ \{\neg B \wedge P\}}$$
$$\{x \le 10\}\ \mathsf{while}\ x < 10\ \mathsf{do}\ x := x + 1\ \mathsf{done}\ \{x = 10\} \qquad \text{by } \frac{P_1 \Rightarrow P_2 \quad \{P_2\}\ S\ \{Q_2\} \quad Q_2 \Rightarrow Q_1}{\{P_1\}\ S\ \{Q_1\}}$$
Example II
    struct li { struct li *next } *i, *j;
    j := nil;
    while i <> nil do
      k := i.next; i.next := j; j := i; i := k
    done
(Figure: pointer diagram of the cells reached from i, j and k, stepping through the loop.)
Loop Invariant of Example II
$$(\exists \alpha, \beta.\ \mathsf{list}\ \alpha\ i \wedge \mathsf{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta) \wedge \mathsf{list}\ \gamma\ x$$
$$\wedge\ (\forall k.\ \mathsf{reach}(i,k) \wedge \mathsf{reach}(j,k) \Rightarrow k = \mathsf{nil}) \wedge (\forall k.\ \mathsf{reach}(x,k) \wedge (\mathsf{reach}(i,k) \vee \mathsf{reach}(j,k)) \Rightarrow k = \mathsf{nil})$$
$$\mathsf{reach}(i,j) \stackrel{\mathrm{def}}{=} \exists n \ge 0.\ \mathsf{reach}_n(i,j) \qquad \mathsf{reach}_{n+1}(i,j) \stackrel{\mathrm{def}}{=} \exists a, k.\ i \mapsto a, k \wedge \mathsf{reach}_n(k,j) \qquad \mathsf{reach}_0(i,j) \stackrel{\mathrm{def}}{=} i = j$$
$$\mathsf{list}\ \epsilon\ i \stackrel{\mathrm{def}}{=} i = \mathsf{nil} \qquad \mathsf{list}\ (a \cdot \alpha)\ i \stackrel{\mathrm{def}}{=} \exists j.\ i \mapsto a, j \wedge \mathsf{list}\ \alpha\ j$$
Related Works: Separation Logic
Separating Conjunction
$$P \ast Q$$
$$h \models P \ast Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2.\ h_1 \oplus h_2 = h \wedge h_1 \models P \wedge h_2 \models Q$$
Frame Rule
$$\frac{\{P\}\ C\ \{Q\}}{\{P \ast F\}\ C\ \{Q \ast F\}} \qquad (\mathsf{mod}(C) \cap \mathsf{fv}(F) = \emptyset)$$
Loop Invariant of Example II
Hoare Logic:
$$(\exists \alpha, \beta.\ \mathsf{list}\ \alpha\ i \wedge \mathsf{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta) \wedge \mathsf{list}\ \gamma\ x$$
$$\wedge\ (\forall k.\ \mathsf{reach}(i,k) \wedge \mathsf{reach}(j,k) \Rightarrow k = \mathsf{nil}) \wedge (\forall k.\ \mathsf{reach}(x,k) \wedge (\mathsf{reach}(i,k) \vee \mathsf{reach}(j,k)) \Rightarrow k = \mathsf{nil})$$
$$\mathsf{reach}(i,j) \stackrel{\mathrm{def}}{=} \exists n \ge 0.\ \mathsf{reach}_n(i,j) \qquad \mathsf{reach}_{n+1}(i,j) \stackrel{\mathrm{def}}{=} \exists a, k.\ i \mapsto a, k \wedge \mathsf{reach}_n(k,j) \qquad \mathsf{reach}_0(i,j) \stackrel{\mathrm{def}}{=} i = j$$
$$\mathsf{list}\ \epsilon\ i \stackrel{\mathrm{def}}{=} i = \mathsf{nil} \qquad \mathsf{list}\ (a \cdot \alpha)\ i \stackrel{\mathrm{def}}{=} \exists j.\ i \mapsto a, j \wedge \mathsf{list}\ \alpha\ j$$
Separation Logic:
$$\exists \alpha, \beta.\ \mathsf{list}\ \alpha\ i \ast \mathsf{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta$$
$$\mathsf{list}\ \epsilon\ i \stackrel{\mathrm{def}}{=} i = \mathsf{nil} \qquad \mathsf{list}\ (a \cdot \alpha)\ i \stackrel{\mathrm{def}}{=} \exists j.\ i \mapsto a, j \ast \mathsf{list}\ \alpha\ j$$
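As an added example (not code from the slides), the Example II loop run on a heap modelled as a Python dict, checking the separation-logic invariant above at every loop test and leaving an unrelated list (the slides' list γ x) in the same heap to show it comes out untouched. The heap layout, the address scheme and all helper names are assumptions of this example.

```python
NIL = 0                       # the slides' nil; heap cells live at addresses >= 1
Heap = dict                   # addr -> (value, next): the cell  addr |-> value, next

def list_cells(heap: Heap, p: int) -> tuple:
    """Walk the list at p and return (sequence alpha, set of cell addresses).
    Raises if the walk cycles or dangles, i.e. when `list alpha p` does not hold."""
    seq, cells = [], []
    while p != NIL:
        if p in cells:
            raise ValueError(f"cycle at {p}: not a list")
        if p not in heap:
            raise ValueError(f"dangling pointer {p}")
        cells.append(p)
        val, nxt = heap[p]
        seq.append(val)
        p = nxt
    return seq, set(cells)

def invariant_holds(heap: Heap, i: int, j: int, alpha0: list) -> bool:
    """list alpha i * list beta j /\ alpha0^dagger = alpha^dagger . beta
    The * is checked as disjointness of the two lists' cell sets; that single check
    replaces the Hoare-logic version's reach(i,k) /\ reach(j,k) => k = nil clause."""
    alpha, cells_i = list_cells(heap, i)
    beta, cells_j = list_cells(heap, j)
    return cells_i.isdisjoint(cells_j) and alpha0[::-1] == alpha[::-1] + beta

def reverse_in_place(heap: Heap, i: int, check: bool = True) -> int:
    """Example II: j := nil; while i <> nil do k := i.next; i.next := j; j := i; i := k done.
    Returns the new head j; with check=True the invariant is asserted at every loop test."""
    alpha0, _ = list_cells(heap, i)
    j = NIL
    while True:
        if check:
            assert invariant_holds(heap, i, j, alpha0), "loop invariant broken"
        if i == NIL:
            break
        val, k = heap[i]      # k := i.next
        heap[i] = (val, j)    # i.next := j
        j = i                 # j := i
        i = k                 # i := k
    return j

def make_list(heap: Heap, values: list, start: int) -> int:
    """Constructed sample data: allocate values at start, start+1, ... linked in order."""
    last = start + len(values) - 1
    for n, v in enumerate(values, start=start):
        heap[n] = (v, n + 1 if n < last else NIL)
    return start if values else NIL

def demo() -> tuple:
    """Reverse one list while a second list (the slides' `list gamma x`) sits in the
    same heap; by the frame rule it must come out untouched."""
    heap: Heap = {}
    i = make_list(heap, ["a", "b", "c", "d"], start=1)
    x = make_list(heap, [10, 20], start=100)
    x_before = list_cells(heap, x)
    j = reverse_in_place(heap, i)
    return list_cells(heap, j)[0], list_cells(heap, x) == x_before
```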
Example III
    struct node { bool m; struct node *l, *r; };
    void mark(struct node *x) {
      if (x == nil || x->m) return;
      struct node *l = x->l;
      struct node *r = x->r;
      x->m = true;
      mark(l);
      mark(r);
    }
Frame Rule Application for Trees
$$\frac{\{\mathsf{tree}(l,\tau)\}\ \mathsf{mark}(l)\ \{\mathsf{tree}(l,\tau)\}}{\{t \mapsto 1, l, r \ast \mathsf{tree}(l,\tau) \ast \mathsf{tree}(r,\tau)\}\ \mathsf{mark}(l)\ \{t \mapsto 1, l, r \ast \mathsf{tree}(l,\tau) \ast \mathsf{tree}(r,\tau)\}}$$
$$\mathsf{tree}(x,\tau) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathsf{emp}) \vee \exists d, l, r.\ \tau(x) = (d, l, r) \wedge x \mapsto d, l, r \ast \mathsf{tree}(l,\tau) \ast \mathsf{tree}(r,\tau)$$
Frame Rule Does Not Work
$$\{t \mapsto 1, l, r \mathbin{\cup\!\ast} \mathsf{graph}(l,\gamma) \mathbin{\cup\!\ast} \mathsf{graph}(r,\gamma)\}\ \mathsf{mark}(l)\ \{t \mapsto 1, l, r \mathbin{\cup\!\ast} \mathsf{graph}(l,\gamma) \mathbin{\cup\!\ast} \mathsf{graph}(r,\gamma)\}$$
$$\mathsf{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathsf{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \mathbin{\cup\!\ast} \mathsf{graph}(l,\gamma) \mathbin{\cup\!\ast} \mathsf{graph}(r,\gamma)$$
$$h \models P \mathbin{\cup\!\ast} Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2, h_3.\ (h_1 \oplus h_2 \oplus h_3 = h) \wedge (h_1 \oplus h_2 \models P) \wedge (h_2 \oplus h_3 \models Q)$$
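As an added example (not code from the slides or from the Coq development), Example III's mark() run on a dict-modelled heap. For a tree the two children's footprints are disjoint and the frame t ↦ 1,l,r ∗ tree(r,τ) survives mark(l); for a graph whose children share a node only the overlapping conjunction describes the heap, and mark(l) rewrites a cell inside the would-be frame, which is why the frame rule cannot be applied. The cell layout addr -> (m, l, r), the footprint-based reading of ∗ and ∪∗, and all helper names are this example's assumptions.

```python
NIL = 0   # the slides' nil / 0

def reach(heap: dict, x: int) -> set:
    """Addresses reachable from x: the footprint of graph(x, gamma) in this model."""
    seen, stack = set(), [x]
    while stack:
        a = stack.pop()
        if a == NIL or a in seen:
            continue
        seen.add(a)
        _, l, r = heap[a]
        stack.extend((l, r))
    return seen

def describes(heap: dict, t: int, overlapping: bool) -> bool:
    """Does  t |-> _ (x) graph(l, gamma) (x) graph(r, gamma)  hold of the whole heap?
    With overlapping=False the connective is *, which here needs pairwise-disjoint
    footprints; with overlapping=True it is the overlapping conjunction, which only
    needs the footprints to cover the heap."""
    _, l, r = heap[t]
    parts = [{t}, reach(heap, l), reach(heap, r)]
    covers = set().union(*parts) == set(heap)
    disjoint = all(parts[a].isdisjoint(parts[b]) for a in range(3) for b in range(a + 1, 3))
    return covers and (overlapping or disjoint)

def mark(heap: dict, x: int) -> None:
    """Example III: if (x == nil || x->m) return; x->m = true; mark(l); mark(r)."""
    if x == NIL or heap[x][0]:
        return
    _, l, r = heap[x]
    heap[x] = (True, l, r)
    mark(heap, l)
    mark(heap, r)

def frame_violation(heap: dict, t: int) -> set:
    """Run mark(l) and return the cells of the would-be frame  t |-> 1,l,r  plus  graph(r, gamma)
    whose contents changed. A non-empty result means the frame was not left alone, so the
    frame rule's premise about mark(l) acting only on graph(l, gamma) is false."""
    _, l, r = heap[t]
    frame_cells = {t} | reach(heap, r)
    before = {a: heap[a] for a in frame_cells}
    mark(heap, l)
    return {a for a in frame_cells if heap[a] != before[a]}

def tree_heap() -> dict:
    # constructed sample: t = 1 with two disjoint child subtrees
    return {1: (False, 2, 3), 2: (False, 4, NIL), 3: (False, 5, NIL),
            4: (False, NIL, NIL), 5: (False, NIL, NIL)}

def dag_heap() -> dict:
    # constructed sample: same shape, but both children point at the shared node 4
    return {1: (False, 2, 3), 2: (False, 4, NIL), 3: (False, 4, NIL), 4: (False, NIL, NIL)}
```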
Related Works: Ramification
Ramify Rule
$$\frac{\{P\}\ C\ \{Q\} \qquad R \vdash P \ast (Q \mathrel{-\!\!\ast} R')}{\{R\}\ C\ \{R'\}} \qquad (\mathsf{mod}(C) \cap \mathsf{fv}(Q \mathrel{-\!\!\ast} R') = \emptyset)$$
(Diagram of the rule: heap regions labelled $P$, $Q$, $Q \mathrel{-\!\!\ast} R'$, $R$ and $R'$.)
$$h \models Q \mathrel{-\!\!\ast} R' \stackrel{\mathrm{def}}{=} \forall h_1, h_2.\ h_1 \oplus h = h_2 \Rightarrow h_1 \models Q \Rightarrow h_2 \models R'.$$
Related Works: Coq
Mechanism: Coq
(Diagram of the type-theoretic lineage behind Coq:)
• Dependent Type Theory, Polymorphism, Higher-Kinded Types: Calculus of Constructions
• Inductive Types: Calculus of Inductive Constructions
• Coinductive Types: Calculus of (Co)inductive Constructions
• Coq Proof Assistant
Coq
• Coq Proof Assistant
• Specification Language: Gallina
• Tactic Language: Ltac
• Only Total Functions (Must Terminate)
• Wide Applications
Related Works: Mechanized Semantic Library
Separation Algebra
Coq definition of $h_1 \oplus h_2 = h$:
    Class Join (t: Type) : Type := join: t -> t -> t -> Prop.

    Class Perm_alg (t: Type) {J: Join t} : Type := mkPerm {
      join_eq: forall {x y z z'}, join x y z -> join x y z' -> z = z';
      join_assoc: forall {a b c d e}, join a b d -> join d c e ->
        {f : t & join b c f /\ join a f e};
      join_comm: forall {a b c}, join a b c -> join b a c;
      join_positivity: forall {a a' b b'}, join a a' b -> join b b' a -> a = b
    }.
Separation Algebra
$$h \models P \ast Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2.\ h_1 \oplus h_2 = h \wedge h_1 \models P \wedge h_2 \models Q$$
Definition of $\ast$:
    Definition sepcon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
      fun h:A => exists h1 h2, join h1 h2 h /\ p h1 /\ q h2.
Formalization of the Ramification Theory: Overlapping Conjunction
Overlapping Conjunction
$$h \models P \mathbin{\cup\!\ast} Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2, h_3.\ (h_1 \oplus h_2 \oplus h_3 = h) \wedge (h_1 \oplus h_2 \models P) \wedge (h_2 \oplus h_3 \models Q)$$
Coq definition:
    Definition ocon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
      fun h:A => exists h1 h2 h3 h12 h23,
        join h1 h2 h12 /\ join h2 h3 h23 /\ join h12 h3 h /\ p h12 /\ q h23.
Formalization of the Ramification Theory: Ramification Library
Ramification Library (Lemma 4.1 to Lemma 4.6)
$$\frac{\mathsf{precise}(P, Q) \qquad P \mathbin{\cup\!\ast} R \vdash P \ast (Q \mathrel{-\!\!\ast} Q \mathbin{\cup\!\ast} R')}{(P \ast F) \mathbin{\cup\!\ast} R \vdash P \ast (Q \mathrel{-\!\!\ast} (Q \ast F) \mathbin{\cup\!\ast} R')}$$
$$\frac{\mathsf{precise}(P) \qquad R \vdash P \ast (Q \mathrel{-\!\!\ast} R')}{(P \ast F) \wedge R \vdash P \ast (Q \mathrel{-\!\!\ast} (Q \ast F) \wedge R')}$$
$$\ldots$$
$$\frac{R \vdash P \ast (P' \mathrel{-\!\!\ast} R') \qquad S \vdash Q \ast (Q' \mathrel{-\!\!\ast} S')}{R \ast S \vdash P \ast Q \ast (P' \ast Q' \mathrel{-\!\!\ast} R' \ast S')}$$
$$\frac{\mathsf{precise}(P, P') \qquad \forall i.\ P \mathbin{\cup\!\ast} Q_i \vdash P \ast (P' \mathrel{-\!\!\ast} P' \mathbin{\cup\!\ast} Q'_i)}{P \mathbin{\cup\!\ast} Q_1 \mathbin{\cup\!\ast} Q_2 \vdash P \ast (P' \mathrel{-\!\!\ast} P' \mathbin{\cup\!\ast} Q'_1 \mathbin{\cup\!\ast} Q'_2)}$$
$$h_1 \le h_3 \stackrel{\mathrm{def}}{=} \exists h_2.\ h_1 \oplus h_2 = h_3$$
$$\mathsf{precise}(P) \stackrel{\mathrm{def}}{=} \forall h_1, h_2, h_3.\ h_1 \le h_3 \Rightarrow h_2 \le h_3 \Rightarrow h_1 \models P \Rightarrow h_2 \models P \Rightarrow h_1 = h_2$$
Custom Tactics (10 tactics)
    (* Given hypotheses joining h1 and h2 into larger heaps through a common piece ?X,
       derive a heap h1h2 = h1 (+) h2 using join_assoc, commuting as needed. *)
    Ltac try_join h1 h2 h1h2 :=
      let helper m1 m2 m1m2 :=
        match goal with
        | [H1: join _ m1 ?X, H2: join ?X m2 _ |- _] =>
            destruct (join_assoc H1 H2) as [m1m2 [? ?]]
        | [H1: join m1 _ ?X, H2: join ?X m2 _ |- _] =>
            destruct (join_assoc (join_comm H1) H2) as [m1m2 [? ?]]
        | [H1: join _ m1 ?X, H2: join m2 ?X _ |- _] =>
            destruct (join_assoc H1 (join_comm H2)) as [m1m2 [? ?]]
        | [H1: join m1 _ ?X, H2: join m2 ?X _ |- _] =>
            destruct (join_assoc (join_comm H1) (join_comm H2)) as [m1m2 [? ?]]
        end
      in helper h1 h2 h1h2 || helper h2 h1 h1h2.
Formalization of Graphs: Mathematical Graphs
Mathematical Graphs
    Class PreGraph (Vertex Data: Type) {EV : EqDec Vertex} := {
      valid : Vertex -> Prop;
      node_label : Vertex -> Data;
      edge_func : Vertex -> list Vertex
    }.
$$\mathsf{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathsf{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \mathbin{\cup\!\ast} \mathsf{graph}(l,\gamma) \mathbin{\cup\!\ast} \mathsf{graph}(r,\gamma)$$
Mathematical Graphs
    Class MathGraph (Vertex Data : Type) (nV : Vertex) {EV : EqDec Vertex} := {
      m_pg :> PreGraph Vertex Data;
      valid_graph: forall x, valid x -> forall y, In y (edge_func x) -> y = nV \/ valid y;
      valid_not_null: forall x, valid x -> x <> nV
    }.
Mathematical Graphs
    Class BiGraph (Vertex Data: Type) {EV : EqDec Vertex} := {
      b_pg :> PreGraph Vertex Data;
      only_two_neighbours : forall v : Vertex,
        {v1 : Vertex & {v2 : Vertex | edge_func v = v1 :: v2 :: nil}}
    }.
Mathematical Graphs
    Class BiMathGraph (Vertex Data : Type) (nV : Vertex) {EV : EqDec Vertex} := {
      bm_bi :> BiGraph Vertex Data;
      bm_ma :> MathGraph Vertex Data nV;
      pg_the_same : m_pg = b_pg
    }.
Lemmas about Mathematical Graphs
    Lemma finite_reachable_computable:
      forall (mg : MathGraph V D null) x l,
        valid x ->
        (forall y, reachable m_pg x y -> In y l) ->
        exists l', reachable_list m_pg x l' /\ NoDup l'.

    Definition reachable_list (pg : PreGraph V D) (x : V) (L : list V) : Prop :=
      valid x /\ forall y, In y L <-> reachable pg x y.
It is Extremely Hard
• We essentially need to determine a list of the reachable vertices in a graph. Obvious idea: BFS.
• Constructing BFS is hard.
  • It could go into a loop, which is why BFS must track already-visited nodes.
  • The graph could have infinitely many nodes, which is why BFS must have an upper-bound argument (a computer's memory is finite).
  • Coq does not support general recursion.
• It is still hard to prove that the result of BFS is the whole reachable set.
  • When BFS reaches an already-visited node, how do we know it will not forget about its children?
  • When BFS terminates, there are two situations to prove.
  • Reachable nodes are those nodes with a path. The exploration path and the given path need not be at all similar.
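An added example, not from the slides or the Coq development, of the BFS shape the bullets above call for: an explicit fuel bound in place of general recursion, an explicit visited list that is returned duplicate-free (the l' with NoDup of finite_reachable_computable), and a cross-check of the result against the slides' path-based reach_n definition, whose paths have nothing to do with the exploration order. The adjacency-list representation and the helper names are this example's assumptions.

```python
from collections import deque
from typing import Callable, Optional

def reachable_list(edge_func: Callable[[int], list], x: int, fuel: int) -> Optional[list]:
    """BFS from x. `fuel` bounds the number of dequeue steps: if it runs out before the
    frontier is empty the answer is None, never a partial list. The visited list is in
    BFS order and duplicate-free, as the lemma's NoDup l' demands."""
    visited: list = []
    frontier = deque([x])
    for _ in range(fuel):            # recursion on fuel: the only recursion Coq would accept here
        if not frontier:
            return visited
        v = frontier.popleft()
        if v in visited:             # a revisit is dropped without loss: v's children were
            continue                 # enqueued the first time v was taken off the queue
        visited.append(v)
        frontier.extend(edge_func(v))
    return visited if not frontier else None

def reach_n(edge_func: Callable[[int], list], i: int, j: int, n: int) -> bool:
    """The slides' reach_n: reach_0(i,j) = (i = j);
    reach_{n+1}(i,j) = exists k in edge_func(i). reach_n(k, j)."""
    if n == 0:
        return i == j
    return any(reach_n(edge_func, k, j, n - 1) for k in edge_func(i))

def reachable(edge_func: Callable[[int], list], i: int, j: int, max_n: int) -> bool:
    """reach(i,j) = exists n >= 0. reach_n(i,j), searched up to path length max_n."""
    return any(reach_n(edge_func, i, j, n) for n in range(max_n + 1))

def matches_path_definition(edge_func: Callable[[int], list], x: int, fuel: int,
                            domain: list, max_n: int) -> bool:
    """The reachable_list spec  forall y, In y L <-> reachable x y,  checked over `domain`.
    Exploration order and the witnessing path are unrelated, so this is a genuine cross-check."""
    found = reachable_list(edge_func, x, fuel)
    if found is None:
        return False
    return all((y in found) == reachable(edge_func, x, y, max_n) for y in domain)

# Constructed sample: cycle 1 -> 2 -> 4 -> 1 plus 1 -> 3 -> 4; node 5 points in but is not reachable from 1.
SAMPLE = {1: [2, 3], 2: [4], 3: [4], 4: [1], 5: [1]}

def sample_edges(v: int) -> list:
    return SAMPLE.get(v, [])

def unbounded_edges(v: int) -> list:
    """An infinite graph (v -> v+1): only the fuel bound stops the search."""
    return [v + 1]
```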
Formalization of Graphs: Spatial Graphs
Spatial Graphs
$$\mathsf{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathsf{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \mathbin{\cup\!\ast} \mathsf{graph}(l,\gamma) \mathbin{\cup\!\ast} \mathsf{graph}(r,\gamma)$$
Recursive Predicates
$$P(x) = \ldots x \ldots P \ldots$$
$$F(p) = \lambda x.\ (\ldots x \ldots p \ldots) \quad \text{and} \quad P = \mu F$$
$$P(x) = (\mu F)(x) = F(\mu F)(x) = F(P)(x) = (\ldots x \ldots P \ldots)$$
Covariant and Contractive Predicates
Covariant predicates: Tarski's fixed point for order-preserving functions
Contractive predicates: indirection theory of step-indexing recursion
Spatial Graphs: First Attempt (strategy proposed in HV)
    Definition graph_fun (Q: adr -> pred world) (x: adr) :=
      (!!(x = 0) && emp) ||
      (EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
         graph_node x d l r ∪∗ ((Q l) ∪∗ (Q r))).
    Definition graph := corec graph_fun.
Spatial Graphs: First Attempt (strategy proposed in HV)
Lemma 4.7
$$\mathsf{graph}(x,\gamma) \dashv\vdash \mathsf{iter\_sepcon}\ (\mathsf{reach}(\gamma, x))\ (\lambda x.\ x \mapsto \gamma(x))$$
$$\mathsf{iter\_sepcon}\ \{a_1, a_2, \ldots, a_n\}\ p \stackrel{\mathrm{def}}{=} p(a_1) \ast p(a_2) \ast \ldots \ast p(a_n).$$
Spatial Graphs: Second Attempt
    Definition graph_fun (Q: adr -> pred world) (x: adr) :=
      (!!(x = 0) && emp) ||
      (EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
         graph_node x d l r ∪∗ ((▷ Q l) ∪∗ (▷ Q r))).
    Definition graph := HORec graph_fun.
Spatial Graphs: Second Attempt
Lemma 4.9
$$\forall x, \gamma.\ \mathsf{precise}(\mathsf{graph}(x,\gamma))$$
Not Precise
$$\forall P.\ \neg\mathsf{precise}(\triangleright P).$$
This problem seems to be lurking in this style of recursion for 5-10 years.
Spatial Graphs: Third Attempt
Lemma 4.7
$$\mathsf{graph}(x,\gamma) \dashv\vdash \mathsf{iter\_sepcon}\ (\mathsf{reach}(\gamma, x))\ (\lambda x.\ x \mapsto \gamma(x))$$
    Definition graph (x : adr) (bimg : @BiMathGraph adr nat 0 natEqDec) : pred world :=
      (!!(x = 0) && emp) ||
      EX l : list adr, !!reachable_list b_pg x l && iter_sepcon l (graph_cell bm_bi).
Spatial Graphs: Third Attempt
    Lemma graph_unfold: forall x g,
      graph x g = (!!(x = 0) && emp) ||
        EX d:nat, EX l:adr, EX r:adr, !!(gamma bm_bi x = (d, l, r) /\ valid x) &&
          (trinode x d l r ∪∗ graph l g ∪∗ graph r g).
Succeed
Lemma 4.14
$$\frac{\mathsf{reach}(\gamma', S_1') \supseteq \mathsf{reach}(\gamma, S_1) \qquad \gamma' \uparrow S_1' = \gamma \uparrow S_1}{\mathsf{graphs}(S_1,\gamma) \mathbin{\cup\!\ast} \mathsf{graphs}(S_2,\gamma) \vdash \mathsf{graphs}(S_1,\gamma) \ast (\mathsf{graphs}(S_1',\gamma') \mathrel{-\!\!\ast} \mathsf{graphs}(S_1',\gamma') \mathbin{\cup\!\ast} \mathsf{graphs}(S_2,\gamma'))}$$
$$\mathsf{graphs}\ \{x_1, x_2, \ldots, x_n\}\ \gamma = \mathsf{graph}(x_1,\gamma) \mathbin{\cup\!\ast} \mathsf{graph}(x_2,\gamma) \mathbin{\cup\!\ast} \ldots \mathbin{\cup\!\ast} \mathsf{graph}(x_n,\gamma).$$
Summary
Lemmas and theorems in the paper: 13
Lemmas and theorems in Coq source code: 250
Definitions in Coq source code: 106
Lines in Coq source code (dense): 3996