
Mechanized Ramification

Wang Shengyi (joint work with Aquinas Hobor)

National University of Singapore

April 17, 2015

Wang Shengyi (NUS) Mechanized Ramification April 17, 2015 1 / 43


Overview

Overview

(Overview diagram; labels: My Work, Ramification, Separation Logic, Hoare Logic, Mechanized Semantic Library, Coq, and two arrows labelled "Formalizing".)


Related Works Hoare Logic

Hoare Triple

$$\{P\}\ C\ \{Q\}$$


Related Works Hoare Logic

Hoare Logic Rules

$$\{P\}\ \mathbf{skip}\ \{P\} \qquad \{P[E/x]\}\ x := E\ \{P\} \qquad \frac{\{P\}\ S\ \{Q\} \quad \{Q\}\ T\ \{R\}}{\{P\}\ S;T\ \{R\}}$$

$$\frac{\{B \wedge P\}\ S\ \{Q\} \quad \{\neg B \wedge P\}\ T\ \{Q\}}{\{P\}\ \mathbf{if}\ B\ \mathbf{then}\ S\ \mathbf{else}\ T\ \mathbf{endif}\ \{Q\}}$$

$$\frac{P_1 \Rightarrow P_2 \quad \{P_2\}\ S\ \{Q_2\} \quad Q_2 \Rightarrow Q_1}{\{P_1\}\ S\ \{Q_1\}} \qquad \frac{\{P \wedge B\}\ S\ \{P\}}{\{P\}\ \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{done}\ \{\neg B \wedge P\}}$$


Related Works Hoare Logic

Example I

$$\{x + 1 \le 10\}\ x := x + 1\ \{x \le 10\}$$
(by the assignment rule $\{P[E/x]\}\ x := E\ \{P\}$)

$$\{x \le 10 \wedge x < 10\}\ x := x + 1\ \{x \le 10\}$$
(by the consequence rule $P_1 \Rightarrow P_2,\ \{P_2\}\ S\ \{Q_2\},\ Q_2 \Rightarrow Q_1 \ \big/\ \{P_1\}\ S\ \{Q_1\}$)

$$\{x \le 10\}\ \mathbf{while}\ x < 10\ \mathbf{do}\ x := x + 1\ \mathbf{done}\ \{\neg\, x < 10 \wedge x \le 10\}$$
(by the while rule $\{P \wedge B\}\ S\ \{P\} \ \big/\ \{P\}\ \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{done}\ \{\neg B \wedge P\}$)

$$\{x \le 10\}\ \mathbf{while}\ x < 10\ \mathbf{do}\ x := x + 1\ \mathbf{done}\ \{x = 10\}$$
(by the consequence rule again)
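The proof obligations that the consequence steps of Example I leave behind can be checked mechanically. The following added example is not from the slides: it encodes assertions as Python predicates over a state, implements the assignment rule as substitution and the while rule as the two obligations it generates, and discharges them by exhaustive evaluation over a bounded integer range (an assumption made so that the check runs offline; the rules themselves are unbounded). The second call uses a loop invariant that is too weak, to show which obligation then fails.

```python
# Added example (not from the slides): verification conditions for Example I,
# generated from the Hoare rules and checked over a bounded integer range
# (assumption: a finite range of states stands in for "all integers").
from typing import Callable, Dict, List

State = Dict[str, int]
Assertion = Callable[[State], bool]


def substitute(post: Assertion, var: str, expr: Callable[[State], int]) -> Assertion:
    """Assignment rule {P[E/x]} x := E {P}: P[E/x] holds at s iff P holds at s[x := E(s)]."""
    return lambda s: post({**s, var: expr(s)})


def implies(p: Assertion, q: Assertion, states: List[State]) -> bool:
    """Side condition P1 => P2 of the consequence rule, checked on the given states."""
    return all(q(s) for s in states if p(s))


def while_vcs(inv: Assertion, guard: Assertion,
              body_wp: Callable[[Assertion], Assertion],
              post: Assertion, states: List[State]) -> Dict[str, bool]:
    """While rule: from {P ∧ B} S {P} conclude {P} while B do S done {¬B ∧ P}.
    The two obligations that remain to reach `post` by the consequence rule:
    the invariant is preserved by the body, and the exit condition implies post."""
    preserved = implies(lambda s: inv(s) and guard(s), body_wp(inv), states)
    exit_ok = implies(lambda s: inv(s) and not guard(s), post, states)
    return {"invariant_preserved": preserved, "exit_implies_post": exit_ok}


def example_one(inv_bound: int = 10, lo: int = -50, hi: int = 50) -> Dict[str, bool]:
    """Example I: while x < 10 do x := x + 1 done, with invariant x <= inv_bound
    and postcondition x = 10. inv_bound = 10 is the invariant from the slide."""
    states = [{"x": v} for v in range(lo, hi + 1)]
    inv = lambda s: s["x"] <= inv_bound
    guard = lambda s: s["x"] < 10
    body_wp = lambda q: substitute(q, "x", lambda s: s["x"] + 1)   # body is x := x + 1
    post = lambda s: s["x"] == 10
    return while_vcs(inv, guard, body_wp, post, states)


if __name__ == "__main__":
    print("slide invariant x <= 10:", example_one())
    # A weaker invariant x <= 11 is still preserved, but on exit x may be 11,
    # so the final consequence step no longer goes through.
    print("weak invariant x <= 11:", example_one(inv_bound=11))
```

With the slide's invariant both obligations hold; with `x <= 11` the body still preserves it, but `¬(x < 10) ∧ x <= 11` admits `x = 11`, so the exit obligation fails. That is exactly the step the second application of the consequence rule has to justify.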


Related Works Hoare Logic

Example II

  struct li { struct li *next; } *i, *j;
  j := nil;
  while i <> nil do
    k := i.next;
    i.next := j;
    j := i;
    i := k
  done

(Diagram: the animation steps the pointers i, j and k through the list as it is reversed in place; labels: nil, nil, i, j, k.)


Related Works Hoare Logic

Loop Invariant of Example II

$$(\exists \alpha, \beta.\ \mathrm{list}\,\alpha\,i \wedge \mathrm{list}\,\beta\,j \wedge \alpha_0^{\dagger} = \alpha^{\dagger} \cdot \beta) \wedge \mathrm{list}\,\gamma\,x$$
$$\wedge\ (\forall k.\ \mathrm{reach}(i, k) \wedge \mathrm{reach}(j, k) \Rightarrow k = \mathrm{nil})$$
$$\wedge\ (\forall k.\ \mathrm{reach}(x, k) \wedge (\mathrm{reach}(i, k) \vee \mathrm{reach}(j, k)) \Rightarrow k = \mathrm{nil})$$

where

$$\mathrm{reach}(i, j) \triangleq \exists n \ge 0.\ \mathrm{reach}_n(i, j) \qquad \mathrm{reach}_0(i, j) \triangleq i = j \qquad \mathrm{reach}_{n+1}(i, j) \triangleq \exists a, k.\ i \mapsto a, k \wedge \mathrm{reach}_n(k, j)$$
$$\mathrm{list}\ \epsilon\ i \triangleq i = \mathrm{nil} \qquad \mathrm{list}\ (a \cdot \alpha)\ i \triangleq \exists j.\ i \mapsto a, j \wedge \mathrm{list}\,\alpha\,j$$


Related Works Separation Logic

Separating Conjunction

$$P * Q$$


Related Works Separation Logic

Separating Conjunction

$$h \models P * Q \ \triangleq\ \exists h_1, h_2.\ h_1 \oplus h_2 = h \wedge h_1 \models P \wedge h_2 \models Q$$


Related Works Separation Logic

Frame Rule

$$\frac{\{P\}\ C\ \{Q\}}{\{P * F\}\ C\ \{Q * F\}} \quad (\mathrm{mod}(C) \cap \mathrm{fv}(F) = \emptyset)$$


Related Works Separation Logic

Loop Invariant of Example II

Hoare Logic:

$$(\exists \alpha, \beta.\ \mathrm{list}\,\alpha\,i \wedge \mathrm{list}\,\beta\,j \wedge \alpha_0^{\dagger} = \alpha^{\dagger} \cdot \beta) \wedge \mathrm{list}\,\gamma\,x$$
$$\wedge\ (\forall k.\ \mathrm{reach}(i, k) \wedge \mathrm{reach}(j, k) \Rightarrow k = \mathrm{nil})$$
$$\wedge\ (\forall k.\ \mathrm{reach}(x, k) \wedge (\mathrm{reach}(i, k) \vee \mathrm{reach}(j, k)) \Rightarrow k = \mathrm{nil})$$

$$\mathrm{reach}(i, j) \triangleq \exists n \ge 0.\ \mathrm{reach}_n(i, j) \qquad \mathrm{reach}_0(i, j) \triangleq i = j \qquad \mathrm{reach}_{n+1}(i, j) \triangleq \exists a, k.\ i \mapsto a, k \wedge \mathrm{reach}_n(k, j)$$
$$\mathrm{list}\ \epsilon\ i \triangleq i = \mathrm{nil} \qquad \mathrm{list}\ (a \cdot \alpha)\ i \triangleq \exists j.\ i \mapsto a, j \wedge \mathrm{list}\,\alpha\,j$$

Separation Logic:

$$\exists \alpha, \beta.\ \mathrm{list}\,\alpha\,i * \mathrm{list}\,\beta\,j \wedge \alpha_0^{\dagger} = \alpha^{\dagger} \cdot \beta$$

$$\mathrm{list}\ \epsilon\ i \triangleq i = \mathrm{nil} \qquad \mathrm{list}\ (a \cdot \alpha)\ i \triangleq \exists j.\ i \mapsto a, j * \mathrm{list}\,\alpha\,j$$
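The separation-logic invariant above packs the two reach side conditions of the Hoare-logic version into a single `∗`. The following added example (not from the slides) makes that concrete: it models the heap of Example II as a Python dict from address to `(data, next)` with 0 standing for nil, runs the reversal loop from the slide, and after every iteration checks `list α i ∗ list β j ∧ α0† = α† · β` by computing the two list footprints, requiring them to be disjoint (the `∗`), and comparing the reversed sequences. A second run shares a cell between the input list and an unrelated list `x`, which is the aliasing the Hoare-logic invariant's third conjunct exists to rule out. The heaps are constructed inputs.

```python
# Added example (not from the slides): executable check of the Example II
# loop invariant on a dict-modelled heap. Assumptions: addresses are ints,
# 0 plays the role of nil, and a cell is the pair (data, next).
from typing import Dict, List, Optional, Tuple

NIL = 0
Heap = Dict[int, Tuple[object, int]]


def list_pred(heap: Heap, i: int) -> Optional[Tuple[List[object], frozenset]]:
    """list α i: follow next pointers from i. Returns (α, footprint), or None
    when no α satisfies the predicate (a cycle or a dangling pointer)."""
    alpha, cells, cur = [], set(), i
    while cur != NIL:
        if cur in cells or cur not in heap:
            return None
        data, nxt = heap[cur]
        alpha.append(data)
        cells.add(cur)
        cur = nxt
    return alpha, frozenset(cells)


def invariant_holds(heap: Heap, i: int, j: int, alpha0: List[object]) -> bool:
    """∃α β. list α i ∗ list β j ∧ α0† = α† · β on the current heap."""
    li, lj = list_pred(heap, i), list_pred(heap, j)
    if li is None or lj is None:
        return False
    (alpha, fp_i), (beta, fp_j) = li, lj
    # The ∗ demands disjoint footprints; in the Hoare-logic invariant this is
    # the clause ∀k. reach(i,k) ∧ reach(j,k) ⇒ k = nil.
    if fp_i & fp_j:
        return False
    return list(reversed(alpha0)) == list(reversed(alpha)) + beta


def reverse_in_place(heap: Heap, i: int) -> Tuple[int, int]:
    """The loop of Example II. Returns (new head, iterations). Raises if the
    invariant fails on entry or after any iteration."""
    entry = list_pred(heap, i)
    if entry is None:
        raise ValueError("precondition list α0 i does not hold")
    alpha0 = entry[0]
    j, iterations = NIL, 0
    if not invariant_holds(heap, i, j, alpha0):
        raise AssertionError("invariant fails on loop entry")
    while i != NIL:
        k = heap[i][1]               # k := i.next
        heap[i] = (heap[i][0], j)    # i.next := j
        j = i                        # j := i
        i = k                        # i := k
        iterations += 1
        if not invariant_holds(heap, i, j, alpha0):
            raise AssertionError(f"invariant fails after iteration {iterations}")
    return j, iterations


def reverse_demo() -> Tuple[List[object], int]:
    """Constructed input a -> b -> c; returns the reversed sequence and the
    number of iterations at which the invariant was re-checked."""
    heap: Heap = {1: ("a", 2), 2: ("b", 3), 3: ("c", NIL)}
    head, iterations = reverse_in_place(heap, 1)
    alpha, _ = list_pred(heap, head)
    return alpha, iterations


def aliasing_demo() -> List[object]:
    """Constructed input where another list x = 9 shares cell 2 with i's list.
    The i/j invariant still holds throughout, yet x's list is rewritten: this is
    why the Hoare-logic invariant also has to speak about list γ x."""
    heap: Heap = {1: ("a", 2), 2: ("b", 3), 3: ("c", NIL), 9: ("z", 2)}
    reverse_in_place(heap, 1)
    return list_pred(heap, 9)[0]


if __name__ == "__main__":
    print("reversed:", reverse_demo())        # (['c', 'b', 'a'], 3)
    print("x after aliasing:", aliasing_demo())  # ['z', 'b', 'a']
```

The disjointness test inside `invariant_holds` is the whole content of `∗` for this example: once the footprints of `list α i` and `list β j` cannot overlap, the reach conditions that the Hoare-logic invariant spells out by hand are implied, which is why the separation-logic version is so much shorter.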


Related Works Separation Logic

Example III

  struct node { bool m; struct node *l, *r; };

  void mark(struct node *x) {
    if (x == nil || x->m) return;
    struct node *l = x->l;
    struct node *r = x->r;
    x->m = true;
    mark(l);
    mark(r);
  }


Related Works Separation Logic

Frame Rule Application for Trees

$$\frac{\{\mathrm{tree}(l, \tau)\}\ \mathrm{mark}(l)\ \{\mathrm{tree}(l, \tau)\}}{\{t \mapsto 1, l, r * \mathrm{tree}(l, \tau) * \mathrm{tree}(r, \tau)\}\ \mathrm{mark}(l)\ \{t \mapsto 1, l, r * \mathrm{tree}(l, \tau) * \mathrm{tree}(r, \tau)\}}$$

$$\mathrm{tree}(x, \tau) \triangleq (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \tau(x) = (d, l, r) \wedge x \mapsto d, l, r * \mathrm{tree}(l, \tau) * \mathrm{tree}(r, \tau)$$


Related Works Separation Logic

Frame Rule Does Not Work

$$\{t \mapsto 1, l, r \mathbin{\cup\!*} \mathrm{graph}(l, \gamma) \mathbin{\cup\!*} \mathrm{graph}(r, \gamma)\}\ \mathrm{mark}(l)\ \{t \mapsto 1, l, r \mathbin{\cup\!*} \mathrm{graph}(l, \gamma) \mathbin{\cup\!*} \mathrm{graph}(r, \gamma)\}$$

$$\mathrm{graph}(x, \gamma) \triangleq (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \mathbin{\cup\!*} \mathrm{graph}(l, \gamma) \mathbin{\cup\!*} \mathrm{graph}(r, \gamma)$$

$$h \models P \mathbin{\cup\!*} Q \ \triangleq\ \exists h_1, h_2, h_3.\ (h_1 \oplus h_2 \oplus h_3 = h) \wedge (h_1 \oplus h_2 \models P) \wedge (h_2 \oplus h_3 \models Q)$$


Related Works Ramification

Ramify Rule

$$\frac{\{P\}\ C\ \{Q\} \quad R \vdash P * (Q \mathbin{-\!*} R')}{\{R\}\ C\ \{R'\}} \quad (\mathrm{mod}(C) \cap \mathrm{fv}(Q \mathbin{-\!*} R') = \emptyset)$$

(Diagram of the rule's heaps; labels: $P$, $Q$, $Q \mathbin{-\!*} R'$, $R$, $R'$.)

$$h \models Q \mathbin{-\!*} R' \ \triangleq\ \forall h_1, h_2.\ h_1 \oplus h = h_2 \Rightarrow h_1 \models Q \Rightarrow h_2 \models R'.$$
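The two slides above state that the frame rule fails for `mark` on a graph and that the ramify rule repairs this by letting the rest of the heap change from `R` to `R'`. The following added example (not from the slides) shows both on a small model: `γ` is a dict from address to `(mark, left, right)` with 0 as the null node, `reach(γ, x)` is the footprint of `graph(x, γ)`, and `mark` is the procedure of Example III run on that model. For a tree the footprints of `graph(l, γ)` and `graph(r, γ)` are disjoint and nothing in the right subgraph changes; for a DAG with a shared node they overlap, `mark(l)` rewrites a cell inside `graph(r, γ)`, and the heap afterwards is described by `graph(r, γ')` with `γ'` the updated marks, which is the `R'` the ramify rule carries. Both graphs are constructed inputs.

```python
# Added example (not from the slides): why the frame rule cannot keep
# graph(r, γ) as a frame across mark(l) when l and r share nodes, and what the
# ramified postcondition R' = graph(r, γ') looks like. Assumptions: γ is a
# dict addr -> (marked, left, right), and 0 is the null node.
from typing import Dict, FrozenSet, Tuple

Gamma = Dict[int, Tuple[bool, int, int]]


def reach(gamma: Gamma, x: int) -> FrozenSet[int]:
    """reach(γ, x): all non-null nodes reachable from x, i.e. the footprint of graph(x, γ)."""
    seen, stack = set(), [x]
    while stack:
        v = stack.pop()
        if v == 0 or v in seen:
            continue
        seen.add(v)
        _, l, r = gamma[v]
        stack.extend((l, r))
    return frozenset(seen)


def mark(gamma: Gamma, x: int) -> None:
    """The mark procedure of Example III, executed on the model heap."""
    if x == 0 or gamma[x][0]:
        return
    _, l, r = gamma[x]
    gamma[x] = (True, l, r)
    mark(gamma, l)
    mark(gamma, r)


def frame_rule_applicable(gamma: Gamma, x: int) -> bool:
    """The frame rule needs graph(l, γ) ∗ graph(r, γ): disjoint footprints."""
    _, l, r = gamma[x]
    return not (reach(gamma, l) & reach(gamma, r))


def mark_left(gamma: Gamma, x: int) -> dict:
    """Run mark(l) at node x and report what happened to the cells of graph(r, γ)."""
    _, l, r = gamma[x]
    fp_l, fp_r = reach(gamma, l), reach(gamma, r)
    after = dict(gamma)          # cells are immutable tuples, so a shallow copy suffices
    mark(after, l)
    # γ': every node reachable from l is now marked, everything else is unchanged.
    gamma_prime = {v: (m or v in fp_l, a, b) for v, (m, a, b) in gamma.items()}
    return {
        "frame_applicable": frame_rule_applicable(gamma, x),
        "graph_r_cells_changed": sorted(v for v in fp_r if after[v] != gamma[v]),
        "post_is_graph_r_gamma_prime": all(after[v] == gamma_prime[v] for v in fp_r),
    }


def demo() -> dict:
    # Constructed inputs: a tree, and a DAG in which node 4 is shared by l=2 and r=3.
    tree: Gamma = {1: (False, 2, 3), 2: (False, 0, 0), 3: (False, 0, 0)}
    shared: Gamma = {1: (False, 2, 3), 2: (False, 4, 0), 3: (False, 4, 0), 4: (False, 0, 0)}
    return {"tree": mark_left(tree, 1), "shared": mark_left(shared, 1)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On the shared graph the frame `graph(r, γ)` is simply false after `mark(l)` (cell 4 now carries a mark), so no instance of the frame rule can be sound there. What does hold is `graph(r, γ')`, and the ramify rule's entailment `R ⊢ P ∗ (Q −∗ R')` is precisely the obligation to show that the part of the heap outside `graph(l, γ)` ends up satisfying that changed description.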


Related Works Coq

Mechanism: Coq

(Diagram of the lineage of Coq's type theory.)

  Dependent Type Theory, Polymorphism, Higher Kinded Type
    -> Calculus of Constructions
    + Inductive Type -> Calculus of Inductive Constructions
    + Coinductive Type -> Calculus of (Co)inductive Constructions
    -> Coq Proof Assistant


Related Works Coq

Coq

Coq Proof Assistant:

• Specification language: Gallina
• Tactic language: Ltac
• Only total functions (must terminate)
• Wide applications


Related Works Mechanized Semantic Library

Separation Algebra

Coq definition of $h_1 \oplus h_2 = h$:

  Class Join (t: Type) : Type := join: t -> t -> t -> Prop.

  Class Perm_alg (t: Type) {J: Join t} : Type := mkPerm {
    join_eq: forall {x y z z'}, join x y z -> join x y z' -> z = z';
    join_assoc: forall {a b c d e}, join a b d -> join d c e ->
                  {f : t & join b c f /\ join a f e};
    join_comm: forall {a b c}, join a b c -> join b a c;
    join_positivity: forall {a a' b b'}, join a a' b -> join b b' a -> a = b
  }.


Related Works Mechanized Semantic Library

Separation Algebra

$$h \models P * Q \ \triangleq\ \exists h_1, h_2.\ h_1 \oplus h_2 = h \wedge h_1 \models P \wedge h_2 \models Q$$

Definition of $*$:

  Definition sepcon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
    fun h:A => exists h1 h2, join h1 h2 h /\ p h1 /\ q h2.


Formalization of the Ramification Theory Overlapping Conjunction

Overlapping Conjunction

$$h \models P \mathbin{\cup\!*} Q \ \triangleq\ \exists h_1, h_2, h_3.\ (h_1 \oplus h_2 \oplus h_3 = h) \wedge (h_1 \oplus h_2 \models P) \wedge (h_2 \oplus h_3 \models Q)$$

Coq definition:

  Definition ocon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
    fun h:A => exists h1 h2 h3 h12 h23,
      join h1 h2 h12 /\ join h2 h3 h23 /\ join h12 h3 h /\ p h12 /\ q h23.


Formalization of the Ramification Theory Ramification Library

Ramification Library (Lemma 4.1 to Lemma 4.6)

$$\frac{\mathrm{precise}(P, Q) \quad P \mathbin{\cup\!*} R \vdash P * (Q \mathbin{-\!*} Q \mathbin{\cup\!*} R')}{(P * F) \mathbin{\cup\!*} R \vdash P * (Q \mathbin{-\!*} (Q * F) \mathbin{\cup\!*} R')}$$

$$\frac{\mathrm{precise}(P) \quad R \vdash P * (Q \mathbin{-\!*} R')}{(P * F) \wedge R \vdash P * (Q \mathbin{-\!*} (Q * F) \wedge R')}$$

$$\ldots$$

$$\frac{R \vdash P * (P' \mathbin{-\!*} R') \quad S \vdash Q * (Q' \mathbin{-\!*} S')}{R * S \vdash P * Q * (P' * Q' \mathbin{-\!*} R' * S')}$$

$$\frac{\mathrm{precise}(P, P') \quad \forall i.\ P \mathbin{\cup\!*} Q_i \vdash P * (P' \mathbin{-\!*} P' \mathbin{\cup\!*} Q'_i)}{P \mathbin{\cup\!*} Q_1 \mathbin{\cup\!*} Q_2 \vdash P * (P' \mathbin{-\!*} P' \mathbin{\cup\!*} Q'_1 \mathbin{\cup\!*} Q'_2)}$$

$$h_1 \le h_3 \ \triangleq\ \exists h_2.\ h_1 \oplus h_2 = h_3$$

$$\mathrm{precise}(P) \ \triangleq\ \forall h_1, h_2, h_3.\ h_1 \le h_3 \Rightarrow h_2 \le h_3 \Rightarrow h_1 \models P \Rightarrow h_2 \models P \Rightarrow h_1 = h_2$$
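The Coq definitions of `sepcon` and `ocon` on the previous slides, and the definition of `precise` just above, are all existential or universal statements over heap splits, so on finite heaps they can be decided by enumeration. The following added example (not from the slides or the Coq development) does exactly that: heaps are Python dicts, `join` is disjoint union, `splits` enumerates every way of distributing the cells of a heap over two or three pieces, and the three definitions are transcribed on top of it. The demo shows `∗` failing and `∪∗` succeeding on two assertions that share a cell, and a predicate losing precision as soon as it admits two nested heaps. Inputs are constructed.

```python
# Added example (not from the slides): the semantics of ∗, ∪∗ and precise on
# finite heaps, decided by enumerating splits the way the Coq definitions
# sepcon / ocon quantify over h1, h2, h3. Assumptions: a heap is a dict
# addr -> value and ⊕ is disjoint union.
from itertools import product
from typing import Callable, Dict, Iterable, Optional, Tuple

Heap = Dict[int, object]
Pred = Callable[[Heap], bool]     # h ⊨ P


def join(h1: Heap, h2: Heap) -> Optional[Heap]:
    """h1 ⊕ h2: defined only when the domains are disjoint (Coq: join h1 h2 h)."""
    if set(h1) & set(h2):
        return None
    return {**h1, **h2}


def splits(h: Heap, parts: int) -> Iterable[Tuple[Heap, ...]]:
    """Every way to assign each cell of h to one of `parts` labelled pieces;
    the pieces are pairwise disjoint and join back to h."""
    addrs = list(h)
    for labels in product(range(parts), repeat=len(addrs)):
        pieces = [dict() for _ in range(parts)]
        for a, lab in zip(addrs, labels):
            pieces[lab][a] = h[a]
        yield tuple(pieces)


def sepcon(p: Pred, q: Pred) -> Pred:
    """h ⊨ P ∗ Q ≝ ∃h1 h2. h1 ⊕ h2 = h ∧ h1 ⊨ P ∧ h2 ⊨ Q"""
    return lambda h: any(p(h1) and q(h2) for h1, h2 in splits(h, 2))


def ocon(p: Pred, q: Pred) -> Pred:
    """h ⊨ P ∪∗ Q ≝ ∃h1 h2 h3. h1 ⊕ h2 ⊕ h3 = h ∧ h1 ⊕ h2 ⊨ P ∧ h2 ⊕ h3 ⊨ Q"""
    return lambda h: any(p(join(h1, h2)) and q(join(h2, h3))
                         for h1, h2, h3 in splits(h, 3))


def sub_heaps(h: Heap) -> Iterable[Heap]:
    """All h' with h' ≤ h, i.e. ∃h''. h' ⊕ h'' = h."""
    for piece, _rest in splits(h, 2):
        yield piece


def precise(p: Pred, h3: Heap) -> bool:
    """precise(P) relative to h3: any two sub-heaps of h3 satisfying P coincide."""
    sats = [h for h in sub_heaps(h3) if p(h)]
    return all(a == b for a in sats for b in sats)


def exact(cells: Heap) -> Pred:
    """The assertion x1 ↦ v1 ∗ ... ∗ xn ↦ vn: true of exactly that heap."""
    return lambda h: h == cells


emp: Pred = lambda h: h == {}


def demo() -> dict:
    # Constructed heap with three cells; P and Q both claim cell 2.
    p = exact({1: "a", 2: "b"})
    q = exact({2: "b", 3: "c"})
    h = {1: "a", 2: "b", 3: "c"}
    either = lambda hh: p(hh) or exact({1: "a"})(hh)   # P ∨ (1 ↦ a): not precise
    return {
        "sepcon_on_shared": sepcon(p, q)(h),            # cell 2 cannot be split in two
        "ocon_on_shared": ocon(p, q)(h),                # h2 = {2: "b"} is the shared part
        "sepcon_disjoint": sepcon(p, exact({3: "c"}))(h),
        "emp_unit": sepcon(p, emp)({1: "a", 2: "b"}),
        "exact_is_precise": precise(p, h),
        "disjunction_not_precise": precise(either, h),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lemmas on this slide all carry a `precise` premise for a reason visible in the last two results: with a precise `P`, the sub-heap that `P` describes inside a bigger heap is unique, so the `P` part can be pulled out of an `∪∗` or `∧` without ambiguity; the moment `P` admits two nested sub-heaps, the entailments no longer determine which part of the heap the wand has to give back.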


Formalization of the Ramification Theory Ramification Library

Custom Tactics (10 tactics)

  Ltac try_join h1 h2 h1h2 :=
    let helper m1 m2 m1m2 :=
      match goal with
      | [H1: join _ m1 ?X, H2: join ?X m2 _ |- _] =>
          destruct (join_assoc H1 H2) as [m1m2 [? ?]]
      | [H1: join m1 _ ?X, H2: join ?X m2 _ |- _] =>
          destruct (join_assoc (join_comm H1) H2) as [m1m2 [? ?]]
      | [H1: join _ m1 ?X, H2: join m2 ?X _ |- _] =>
          destruct (join_assoc H1 (join_comm H2)) as [m1m2 [? ?]]
      | [H1: join m1 _ ?X, H2: join m2 ?X _ |- _] =>
          destruct (join_assoc (join_comm H1) (join_comm H2)) as [m1m2 [? ?]]
      end
    in helper h1 h2 h1h2 || helper h2 h1 h1h2.


Formalization of Graphs Mathematical Graphs

Mathematical Graphs

  Class PreGraph (Vertex: Type) Data {EV : EqDec Vertex} := {
    valid : Vertex -> Prop;
    node_label : Vertex -> Data;
    edge_func : Vertex -> list Vertex
  }.

$$\mathrm{graph}(x, \gamma) \triangleq (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \mathbin{\cup\!*} \mathrm{graph}(l, \gamma) \mathbin{\cup\!*} \mathrm{graph}(r, \gamma)$$


Formalization of Graphs Mathematical Graphs

Mathematical Graphs

  Class MathGraph (Vertex : Type) Data (nV : Vertex) {EV : EqDec Vertex} := {
    m_pg :> PreGraph Vertex Data;
    valid_graph : forall x, valid x -> forall y, In y (edge_func x) -> y = nV \/ valid y;
    valid_not_null : forall x, valid x -> x <> nV
  }.


Formalization of Graphs Mathematical Graphs

Mathematical Graphs

  Class BiGraph (Vertex Data: Type) {EV : EqDec Vertex} := {
    b_pg :> PreGraph Vertex Data;
    only_two_neighbours : forall v : Vertex,
      {v1 : Vertex & {v2 : Vertex | edge_func v = v1 :: v2 :: nil}}
  }.


Formalization of Graphs Mathematical Graphs

Mathematical Graphs

  Class BiMathGraph (Vertex Data : Type) (nV : Vertex) {EV : EqDec Vertex} := {
    bm_bi :> BiGraph Vertex Data;
    bm_ma :> MathGraph Vertex Data nV;
    pg_the_same : m_pg = b_pg
  }.


Formalization of Graphs Mathematical Graphs

Lemmas about Mathematical Graphs

  Lemma finite_reachable_computable:
    forall (mg : MathGraph V D null) x l,
      valid x ->
      (forall y, reachable m_pg x y -> In y l) ->
      exists l', reachable_list m_pg x l' /\ NoDup l'.

  Definition reachable_list (pg : PreGraph V D) (x : V) (L : list V) : Prop :=
    valid x /\ forall y, In y L <-> reachable pg x y.


Formalization of Graphs Mathematical Graphs

It is Extremely Hard

• We essentially need to determine a list of the reachable vertices in a graph. Obvious idea: BFS.
• Constructing BFS is hard.
  • It could go into a loop, which is why BFS must track already visited nodes.
  • The graph could have infinitely many nodes, which is why BFS must have an upper bound argument (a computer's memory is finite).
  • Coq does not support general recursion.
• It is still hard to prove that the result of BFS is the whole reachable set.
  • When BFS reaches an already-visited node, how do we know it will not forget about its children?
  • When BFS terminates, there are two situations to prove.
  • Reachable nodes are those nodes with a path. The exploration path and the given path need not be at all similar.


Formalization of Graphs Spatial Graphs

Spatial Graphs

$$\mathrm{graph}(x, \gamma) \triangleq (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \mathbin{\cup\!*} \mathrm{graph}(l, \gamma) \mathbin{\cup\!*} \mathrm{graph}(r, \gamma)$$


Formalization of Graphs Spatial Graphs

Recursive Predicates

$$P(x) = \ldots x \ldots P \ldots$$

$$F(p) = \lambda x.\ (\ldots x \ldots p \ldots) \quad \text{and} \quad P = \mu F$$

$$P(x) = (\mu F)(x) = F(\mu F)(x) = F(P)(x) = (\ldots x \ldots P \ldots)$$


Formalization of Graphs Spatial Graphs

Covariant and Contractive Predicates

Covariant predicates: Tarski's fixed point for order-preserving functions.

Contractive predicates: indirection theory of step-indexed recursion.


Formalization of Graphs Spatial Graphs

Spatial Graphs: First Attempt (strategy proposed in HV)

  Definition graph_fun (Q: adr -> pred world) (x: adr) :=
    (!!(x = 0) && emp) ||
    (EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
       graph_node x d l r ∪∗ ((Q l) ∪∗ (Q r))).
  Definition graph := corec graph_fun.


Formalization of Graphs Spatial Graphs

Spatial Graphs: First Attempt (strategy proposed in HV)

Lemma 4.7
$$\mathrm{graph}(x, \gamma) \dashv\vdash \mathrm{iter\_sepcon}\ \mathrm{reach}(\gamma, x)\ (\lambda x.\ x \mapsto \gamma(x))$$

$$\mathrm{iter\_sepcon}\ \{a_1, a_2, \ldots, a_n\}\ p \ \triangleq\ p(a_1) * p(a_2) * \ldots * p(a_n).$$


Formalization of Graphs Spatial Graphs

Spatial Graphs: Second Attempt

  Definition graph_fun (Q: adr -> pred world) (x: adr) :=
    (!!(x = 0) && emp) ||
    (EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
       graph_node x d l r ∪∗ ((▷ Q l) ∪∗ (▷ Q r))).
  Definition graph := HORec graph_fun.


Formalization of Graphs Spatial Graphs

Spatial Graphs: Second Attempt

Lemma 4.9
$$\forall x, \gamma.\ \mathrm{precise}(\mathrm{graph}(x, \gamma))$$

This problem seems to have been lurking in this style of recursion for 5-10 years.


Not precise:
$$\forall P.\ \neg\mathrm{precise}(\triangleright P).$$


Formalization of Graphs Spatial Graphs

Spatial Graphs: Third Attempt

Lemma 4.7
$$\mathrm{graph}(x, \gamma) \dashv\vdash \mathrm{iter\_sepcon}\ \mathrm{reach}(\gamma, x)\ (\lambda x.\ x \mapsto \gamma(x))$$

  Definition graph (x : adr) (bimg : @BiMathGraph adr nat 0 natEqDec) : pred world :=
    (!!(x = 0) && emp) ||
    EX l : list adr, !!reachable_list b_pg x l && iter_sepcon l (graph_cell bm_bi).
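The third attempt defines `graph` through `reachable_list` and `iter_sepcon` instead of a recursive unfolding, and the "It is Extremely Hard" slide lists what a computable `reachable_list` has to cope with: cycles (a visited set), possibly unbounded graphs (an explicit bound), and the absence of general recursion. The following added example (not from the slides or the Coq development) is a breadth-first search with exactly those features on a model in which `γ` is any function from address to `(data, left, right)` with 0 as the null vertex, so an unbounded graph is just a function that never runs out of successors. It then builds the `iter_sepcon` heap of Lemma 4.7 over the returned list, rejecting a repeated address since `x ↦ _ ∗ x ↦ _` is unsatisfiable, and compares that footprint with the one read off the `∪∗` unfolding on the Spatial Graphs slide. The graphs are constructed inputs.

```python
# Added example (not from the slides): bounded BFS for reachable_list, the
# iter_sepcon heap of Lemma 4.7 over its result, and a check that it matches
# the footprint of the ∪∗-unfolded graph predicate. Assumptions: γ is a
# function addr -> (data, left, right), and 0 is the null vertex.
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Node = Tuple[object, int, int]
Gamma = Callable[[int], Node]


def reachable_list(gamma: Gamma, x: int, bound: int) -> Optional[List[int]]:
    """BFS from x with a visited set (cycles terminate) and a step bound (an
    unbounded graph cannot run forever). Returns the NoDup list of reachable
    non-null vertices,or None when the bound is exhausted."""
    if x == 0:
        return []
    visited, order, queue, steps = {x}, [], deque([x]), 0
    while queue:
        if steps >= bound:
            return None
        steps += 1
        v = queue.popleft()
        order.append(v)
        _, l, r = gamma(v)
        for w in (l, r):
            if w != 0 and w not in visited:   # an already-visited node is not re-expanded,
                visited.add(w)                # but its children were queued when it was
                queue.append(w)
    return order


def iter_sepcon(cells: List[int], gamma: Gamma) -> Optional[Dict[int, Node]]:
    """iter_sepcon {a1..an} (λx. x ↦ γ(x)) = a1 ↦ γ(a1) ∗ ... ∗ an ↦ γ(an):
    the heap holding exactly those cells; None if an address repeats."""
    heap: Dict[int, Node] = {}
    for a in cells:
        if a in heap:
            return None
        heap[a] = gamma(a)
    return heap


def unfold_footprint(gamma: Gamma, x: int, seen: FrozenSet[int] = frozenset()) -> FrozenSet[int]:
    """Footprint of graph(x, γ) read off x ↦ γ(x) ∪∗ graph(l, γ) ∪∗ graph(r, γ);
    ∪∗ lets the two sub-footprints overlap, so this is a set union."""
    if x == 0 or x in seen:
        return frozenset()
    _, l, r = gamma(x)
    fp = frozenset({x})
    fp |= unfold_footprint(gamma, l, seen | fp)
    fp |= unfold_footprint(gamma, r, seen | fp)
    return fp


def demo() -> dict:
    # Constructed inputs: a 3-node graph with a cycle 1 -> 2 -> 1, and an
    # unbounded chain in which vertex v points to v + 1 forever.
    cyclic_table = {1: ("a", 2, 0), 2: ("b", 1, 3), 3: ("c", 0, 0)}
    cyclic: Gamma = lambda v: cyclic_table[v]
    infinite: Gamma = lambda v: ("n", v + 1, 0)
    order = reachable_list(cyclic, 1, bound=10)
    heap = iter_sepcon(order, cyclic)
    return {
        "cyclic_order": order,
        "cyclic_heap_cells": sorted(heap),
        "lemma_4_7_agrees": unfold_footprint(cyclic, 1) == frozenset(order),
        "duplicate_rejected": iter_sepcon([1, 1], cyclic) is None,
        "infinite_bounded": reachable_list(infinite, 1, bound=100),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `bound` parameter is the "upper bound argument" of the slide made explicit: with it the search is a structurally terminating function, which is the shape Coq accepts, and `finite_reachable_computable` is the statement that when the reachable set is contained in some finite list the bound can always be chosen large enough.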


Formalization of Graphs Spatial Graphs

Spatial Graphs: Third Attempt

  Lemma graph_unfold: forall x g,
    graph x g = (!!(x = 0) && emp) ||
      EX d:nat, EX l:adr, EX r:adr, !!(gamma bm_bi x = (d, l, r) /\ valid x) &&
        (trinode x d l r ∪∗ graph l g ∪∗ graph r g).


Formalization of Graphs Spatial Graphs

Succeed

Lemma 4.14
$$\frac{\mathrm{reach}(\gamma', S'_1) \supseteq \mathrm{reach}(\gamma, S_1) \quad \gamma' \uparrow S'_1 = \gamma \uparrow S_1}{\mathrm{graphs}(S_1, \gamma) \mathbin{\cup\!*} \mathrm{graphs}(S_2, \gamma) \vdash \mathrm{graphs}(S_1, \gamma) * \big(\mathrm{graphs}(S'_1, \gamma') \mathbin{-\!*} \mathrm{graphs}(S'_1, \gamma') \mathbin{\cup\!*} \mathrm{graphs}(S_2, \gamma')\big)}$$

$$\mathrm{graphs}\ \{x_1, x_2, \ldots, x_n\}\ \gamma = \mathrm{graph}(x_1, \gamma) \mathbin{\cup\!*} \mathrm{graph}(x_2, \gamma) \mathbin{\cup\!*} \ldots \mathbin{\cup\!*} \mathrm{graph}(x_n, \gamma).$$


Summary

Summary

Lemmas and theorems in the paper: 13
Lemmas and theorems in Coq source code: 250
Definitions in Coq source code: 106
Lines in Coq source code (dense): 3996


Thank you!
