1 Interactive Computer Theorem Proving CS294-9 September 7, 2006 Adam Chlipala UC Berkeley Lecture 3: Data structures and Induction.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Computing Fundamentals 2 Introduction to CafeOBJ Lecturer: Patrick Browne Lecture Room: K408 Lab Room: A308 Based on work by: Nakamura Masaki, João Pascoal.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Introduction to Theorem Proving
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
Functional Design and Programming Lecture 11: Functional reasoning.
Termination Analysis Math Foundations of Computer Science.
MinML: an idealized programming language CS 510 David Walker.
Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.
CS 454 Theory of Computation Sonoma State University, Fall 2011 Instructor: B. (Ravi) Ravikumar Office: 116 I Darwin Hall Original slides by Vahid and.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Notes for Chapter 12 Logic Programming The AI War Basic Concepts of Logic Programming Prolog Review questions.
The ACL2 Proof Assistant Formal Methods Jeremy Johnson.
A Brief Summary for Exam 1 Subject Topics Propositional Logic (sections 1.1, 1.2) –Propositions Statement, Truth value, Proposition, Propositional symbol,
Coinduction in a language and verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond IFIP WG 2.3 meeting Seattle,
1 Knowledge Based Systems (CM0377) Lecture 4 (Last modified 5th February 2001)
CSE-321 Programming Languages Introduction to Functional Programming (Part II) POSTECH March 13, 2006 박성우.
Great Theoretical Ideas in Computer Science about AWESOME Some Generating Functions Probability Infinity MATH Some Formal Logic (which is really.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
CS 611: Lecture 6 Rule Induction September 8, 1999 Cornell University Computer Science Department Andrew Myers.
CSE-490 Logic in Computer Science The Coq Proof Assistant POSTECH Dec 15, 2006 박성우.
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
Theory of Computation, Feodor F. Dragan, Kent State University 1 TheoryofComputation Spring, 2015 (Feodor F. Dragan) Department of Computer Science Kent.
Code-Carrying Theory Aytekin Vargun Rensselaer Polytechnic Institute.
Coq and Nuprl Wojciech Moczydłowski History World, type system Inductive types in Coq Extraction in Coq Other features of Coq.
INM175 Topic 8 1 Module INM175 Discrete Mathematics Topic 8 Algebraic Theories.
CMSC 330: Organization of Programming Languages Operational Semantics a.k.a. “WTF is Project 4, Part 3?”
Advanced Formal Methods Lecture 4: Isabelle – Types and Terms Mads Dam KTH/CSC Course 2D1453, Some material from Paulson.
CMSC 330: Organization of Programming Languages Operational Semantics.
1 Proving Properties of Recursive List Functions CS 270 Math Foundations of CS Jeremy Johnson.
1 Proving Properties of Recursive Functions and Data Structures CS 270 Math Foundations of CS Jeremy Johnson.
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.
1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs.
1 Interactive Computer Theorem Proving CS294-9 November 30, 2006 Adam Chlipala UC Berkeley Lecture 14: Twelf.
1 Interactive Computer Theorem Proving CS294-9 October 19, 2006 Adam Chlipala UC Berkeley Lecture 9: Beyond Primitive Recursion.
1 Interactive Computer Theorem Proving CS294-9 September 14, 2006 Adam Chlipala UC Berkeley Lecture 4: Inductively- Defined Predicates.
CSE 20: Discrete Mathematics for Computer Science Prof. Shachar Lovett.
Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop.
CENG 424-Logic for CS Introduction Based on the Lecture Notes of Konstantin Korovin, Valentin Goranko, Russel and Norvig, and Michael Genesereth.
Lecture 2: Propositional and First-Order Logic
Generic Programming and Proving for Programming Language Metatheory
Lecture 11: Proof by Reflection
Chapter 7. Propositional and Predicate Logic
CSCE 355 Foundations of Computation
CS 550 Programming Languages Jeremy Johnson
From Classical Proof Theory to P vs. NP
Propositional Calculus: Boolean Functions and Expressions
A lightening tour in 45 minutes
Chapter 3 The Real Numbers.
Computer Science Department
CSCE 355 Foundations of Computation
Lesson 4 Typed Arithmetic Typed Lambda Calculus
Proving Properties of Recursive Functions and Data Structures
Proving Properties of Recursive List Functions
Chapter 10: Mathematical proofs
Propositional Calculus: Boolean Algebra and Simplification
Discrete Mathematics and its Applications
CSE 311: Foundations of Computing
Denotational Semantics (Denotational Semantics)
Simplification of Boolean Expressions
Copyright © Cengage Learning. All rights reserved.
Computer Security: Art and Science, 2nd Edition
Search techniques.
List and list operations (continue).
This Lecture Substitution model
Agenda Proofs (Konsep Pembuktian) Direct Proofs & Counterexamples
CS 403: Programming Languages
Presentation transcript:

1 Interactive Computer Theorem Proving CS294-9 September 7, 2006 Adam Chlipala UC Berkeley Lecture 3: Data structures and Induction

2 The Peano Axioms 0 2 N 8 n 2 N, S(n) 2 N 8 n 2 N, S(n) ≠ 0 8 a, b 2 N, a = b $ S(a) = S(b) P(0) ^ (8 n 2 N, P(n) ! P(S(n))) ! 8 n 2 N, P(n) For any property P: We can define N (up to isomorphism) as the least set satisfying these properties.

3 The Set Theory Approach “Now that we have natural numbers, let's use them to define some data structures....” natlist(0) = {;} natlist(S(n)) = {;} [ N £ natlist(n) natlist = [ n 2 N natlist(n) nil = ; cons(n, ls) = hn, lsi P(nil) ^ (8 n 2 N, 8 ls 2 natlist, P (ls)! P(cons(n, ls))) Derived induction principle: For any property P: ! 8 ls 2 natlist, P(ls)

4 Why This Isn't Such a Great Idea ● These definitions are pretty awkward! – Set theorists usually don't write all their proofs formally, so they can get away with it. ● Proofs at this level of detail must be very large. – Mathematicians aren't used to optimizing for space! ● What about more complicated data structures?

5 Type Theory's Great Idea Functions and data structures should be the fundamental building blocks of math, not sets! Coq Function types Inductive types Constructors Case analysis Recursive functions ZF Set Theory Negation Conjunction Universal quantifier Equality Natural deduction proof rules Empty set Set equality Set pairing Set union Natural numbers Mathematical induction...

6 Back to the Beginning... Inductive nat : Set := | O : nat | S : nat ! nat. What we get: ● A type nat ● Two constructors O and S for building nats ● Case analysis (pattern matching) on nats ● The ability to write recursive functions over nats

7 Verifying the Peano Axioms Check nat. nat : Set. Check O. O : nat. Check S. S : nat ! nat. 0 2 N 8 n 2 N, S(n) 2 N There exists set N...

8 Pattern Matching match n with | O => e1 | S n' => e2(n') end General form for nat: match O with | O => O | S n' => n' end Evaluates to: O match S (S O) with | O => O | S n' => n' end Evaluates to: S O Examples And with anonymous function notation (like Scheme lambda and OCaml fun): fun n => match n with | O => O | S n' => n' end

9 Peano Axiom #3 8 n 2 N, S(n) ≠ 0 ● Proof. Let n be given. ● Assume for a contradiction that S n = 0. ● Assert True. ● By computation, we have the equivalent f 0. ● By the assumption, f (S n). ● By computation, False. fun n => match n with | O => True | S n' => False end Define f as: Contradiction!

10 Peano Axiom #4 ● Proof. Let a and b be given. ● Assume S a = S b. ● By reflexivity, p (S b) = p (S b). ● By the assumption, p (S a) = p (S b). ● By computation, a = b. fun n => match n with | O => O | S n' => n' end Define p as: 8 a, b 2 N, S(a) = S(b) ! a = b

11 Peano Axiom #5 P(0) ^ (8 n 2 N, P(n) ! P(S(n))) ! 8 n 2 N, P(n) nat_ind : forall P : nat -> Prop, P O -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n Check nat_ind. We could prove this manually using recursive functions, but...

12 Recursive Functions Fixpoint add (n m : nat) {struct n} : nat := match n with | O => m | S n' => S (add n' m) end. Analogue of the standard named function definition syntax in most programming languages Two arguments of type natReturn type nat Basic termination argument: primitive recursion over argument n No recursive calls allowed in this match branch Only recursive calls with first argument equal to n' allowed in this branch

13 Aside: Why So Fussy About Termination? Fixpoint f (n : nat) {struct n} : nat := S (f n). Imagine that Coq allowed this definition: ● We would then have f n = S (f n), for all n. ● But we can also prove m ≠ S m, for all m. ● So f O = S (f O) and f O ≠ S (f O). ● Contradiction! Our logic is unsound!

14 More Datatypes: Booleans Inductive bool : Set := | false : bool | true : bool. bool_ind : forall P : bool -> Prop, P false -> P true -> forall b : bool, P b Check bool_ind.

15 More Datatypes: Lists Inductive natlist : Set := | nil : natlist | cons : nat -> natlist -> natlist. natlist_ind : forall P : natlist -> Prop, P nil -> (forall (n : nat) (ls : natlist), P ls -> P (cons n ls)) -> forall ls : natlist, P ls Check natlist_ind.

16 More Datatypes: Trees Inductive nattree : Set := | Leaf : nattree | Node : nattree -> nat -> nattree -> nattree. nattree_ind : forall P : nattree -> Prop, P Leaf -> (forall (t1 : nattree) (n : nat) (t2 : nattree), P t1 -> P t2 -> P (Node t1 n t2)) -> forall t : nattree, P t Check nattree_ind.

17 Simple Inductive Types in General Inductive tname : Set := | c 1 : t 1,1 ->... -> t 1,k1 -> tname |... | c n : t n,1 ->... -> t n,kn -> tname. Sort specification (We'll see more possibilities later, but for now we only consider Set.) Each constructor is given a function type from zero or more arguments to the type being defined. Zero or more named constructors Arguments types are restricted so that they either don't refer to tname or are exactly tname.

18 Using an Inductive Type Inductive tname : Set := | c 1 : t 1,1 ->... -> t 1,k1 -> tname |... | c n : t n,1 ->... -> t n,kn -> tname. match e with | c 1 x 1... x k1 => e 1 (x 1,..., x k1 ) |... | c n x 1... x kn => e n (x 1,..., x kn ) end Pattern matching Fixpoint f (x : tname) : T := e(x). Recursive functions Fixpoint f (x 1 : T 1 )... (x k : tname)... (x n : T n ) {struct x k } : T := e(x 1,..., x n ). (fix f (x : tname) : T := e(x)) Must use a match somewhere to obtain a strict subterm of x to use in a recursive call.

19 Using an Inductive Type II Inductive tname : Set := | c 1 : t 1,1 ->... -> t 1,k1 -> tname |... | c n : t n,1 ->... -> t n,kn -> tname. Induction principle “For every predicate P over tnames, If for every constructor c i of tname: For every set e i,j of arguments to c i, Assuming P e i,j for every e i,j of type tname, We can prove P (c i e i,1... e i,ki ) Then For every value e of type tname, We can prove P e.” Induction principles are derived by Coq as a convenience. They are implemented behind the scenes using recursive functions. (We'll see how later in the course.)...and the induction tactic automatically figures out the right induction principle and how to apply it, so you usually don't have to think about the details of these things....

20 So what's the deal with this “by computation” stuff, anyway? Coq considers to be interchangeable any two expressions that evaluate to a common result Atomic evaluation step: Applying a function (fun x => S x) (S O) ) S (S O) (fix f (x : nat) : nat => S x) (S O) ) S (S O) Atomic evaluation step: Simplifying a case analysis (match S x with O => O | S n => n end) ) x Atomic evaluation step: Expanding a definition f O ) (fun x => S (S x)) O Definition f := fun x => S (S x).

21 Reduction Order Reductions can happen anywhere in an expression, so: (match x with O => O | S n => (fun y => S y) n end) ) (match x with O => O | S n => S n end) (fun x => (fun y => S y) x) ) (fun x => S x) Important meta-theorem about Coq: For any expression, any order of reductions leads to the same result.

22 Why Should I Care? All of these theorems can be proved by reflexivity: ● = 2 ● 0 + x = x ● length (cons 0 (cons 1 nil)) = 2 ● append (cons 0 nil) (cons 1 nil) = cons 0 (cons 1 nil) ● append nil ls = ls ● compiler myProgram = outputAssemblyCode Proving theorems about programs and math in general is much more pleasant when these things come for free.

23 Conclusion ● Sample HW1 solution is on the web site. ● HW2 is posted – Fun with data structures and induction ● Next lecture: Using inductive types to define new logical predicates and the rules that can be used to prove them

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.