Interactive TheoremProving with Coq

Adam Chlipala

Interactive Theorem Proving with Coq – p. 1

MotivationWe focus mainly on automated deduction inthis class.

There are many interesting theories that wedon’t yet know how to decide automatically.For instance:

Formalizing large parts of traditional mathOr proving the soundness of particularproof-carrying code systems

Interactive Theorem Proving with Coq – p. 2

OutlineCome up with a suitably general encoding forpropositions and proofs

See how systems like Coq can make it easierto generate formal proofs

Revisit a past lecture by using Coq to provethe correctness of JML-annotated Javaprograms

Go in the opposite direction by translatingCoq proofs into executable ML programs

Interactive Theorem Proving with Coq – p. 3

Proof checking viatype checking

Recall the discussion of proof representationin an earlier lecture.

We can express logical propositions with anML-style datatype.

If we add dependent types, we can evenexpress deduction rules as terms.

A supposed proof proves some propositiononly if it type-checks to have that proposition’stype.

Interactive Theorem Proving with Coq – p. 4

Review: Conjunctionand : prop → prop → prop

A BA ∧ B

∧I

andi : ΠA : prop. ΠB : prop. A → B → (and A B)

A ∧ BA

∧E1

ande1 : ΠA : prop. ΠB : prop. (and A B) → A

Interactive Theorem Proving with Coq – p. 5

Enter the ML typechecker!

The other propositional connectives can bedescribed with similar-looking terms.

While ML doesn’t support dependent types ingeneral, the types for propositional proofconstructors all fit into a format that it doessupport.

Instead of defining a new type of propositions,we can use the language of ML types itself asour proposition type!

ML polymorphism allows quantification overtypes.

Interactive Theorem Proving with Coq – p. 6

Demo: Proof checkerThis means that every ML compiler alreadycontains the essential machinery for checkinga complete proof system for propositionallogic!

See demo....

Interactive Theorem Proving with Coq – p. 7

But is all thatnecessary?

ML contains many more features than wouldbe required if we just wanted a proof checker.

Also, it’s not clear whether it would support allnew logical formalisms we might come upwith.

Coq uses the Calculus of InductiveConstructions (CIC), a system powerfulenough to allow the definition of the logicalconnectives using a simple extension oflambda calculus.

Interactive Theorem Proving with Coq – p. 8

CICStart with the simply typed lambda calculus.

Add dependently-typed polymorphism.

Add a way to define recursive data types andprimitive recursive functions over them.

These features are all that 99% of Coqdevelopments use.

Interactive Theorem Proving with Coq – p. 9

Defining connectivesInductive and

: Prop -> Prop -> Prop :=| andi : forall (A B : Prop),

A -> B -> and A B.

Inductive or: Prop -> Prop -> Prop :=

| ori1 : forall (A B : Prop),A -> or A B

| ori2 : forall (A B : Prop),B -> or A B.

Interactive Theorem Proving with Coq – p. 10

Defining equalityInductive eq

: forall (T:Type), T -> T -> Prop :=| eqi : forall (T : Type) (X : T),

eq X X.

Interactive Theorem Proving with Coq – p. 11

Interactive proving

Coq works mostly using backwardsreasoning.

You begin a proof by specifying a goal to beproved.

You specify a series of tactics that in generalproduce multiple sub-goals with different setsof hypotheses.

See demo....

Interactive Theorem Proving with Coq – p. 12

Proving programcorrectness

In a past lecture, we saw how to useESC/Java to find many bugs in Javaprograms.

We also saw many ways to trick ESC/Javainto accepting buggy programs. ��

We’ve seen how to produce verificationconditions for programs annotated withspecifications.

However, today’s automated tools aregenerally not clever enough to prove theseconditions.

Interactive Theorem Proving with Coq – p. 13

Manual correctnessproofs

Krakatoa is a verification condition generatorfor Java programs annotated with JML.

It can generate a series of Coq lemmastatements that together imply that that aJava program meets its spec.

A human has to go through and prove thetricky parts of these lemmas.

Interactive Theorem Proving with Coq – p. 14

BenefitsIf you can prove all of the lemmas, then youcan be sure that the program meets itsspecification.

There is no chance that a bug-finding tool’sheuristics just weren’t smart enough to find abug.

See demo for insertion sort....

Interactive Theorem Proving with Coq – p. 15

Compiling proofsinto programs

Most Coq proofs use constructive logic.

It is well-known that such proofs havecomputational interpretations.

The early example ofpropositional-logic-in-ML should give some ofthe intuition behind this.

Interactive Theorem Proving with Coq – p. 16

Programming byproving

This means that it is possible to develop aprogram by proving that its specification issatisfiable!

See demo....

Interactive Theorem Proving with Coq – p. 17