
Interactive Theorem Proving in Coq and the Curry-Howard Isomorphism

Abhishek Kr Singh

TIFR Mumbai.

20 February 2015

Overview of the talk

▶ What is Interactive Theorem Proving?
▶ Why is it so important?
▶ How does such a tool become feasible?
▶ Philosophy behind the Coq Proof Assistant.
▶ Expressive power of Coq.
▶ Major achievements using the Coq Proof Assistant.

What is Interactive theorem proving?

▶ A computer-based tool (a Proof Assistant), such as Coq, Isabelle/HOL, ACL2, PVS, Twelf, etc.
▶ One can write definitions and declarations and state theorems.
▶ Proofs are developed interactively.
▶ Once the proof is complete, it is guaranteed to be correct (relative to the small trusted proof checker, and to the definitions and axioms one has written; the checker cannot tell whether the statement says what you meant).

What is Interactive theorem proving?

▶ A session in Coq.

Why need a certificate of correctness from a Proof Assistant?

▶ FACT:
  ▶ We know what constitutes a correct proof.
  ▶ We are used to writing as well as verifying proofs manually.
▶ So why do we need a proof assistant?

Why need a Proof Assistant?

▶ PROBLEMS:
  ▶ We hardly ever write a complete proof.
  ▶ It is common practice to remove some trivial steps of reasoning from a proof in order to focus on its key idea.
  ▶ In this process many unexplained reasoning steps are introduced, some of which may not even be provable.
  ▶ Verifying an incomplete proof is impossible:
    ▶ the verifier has to fill in those details himself;
    ▶ the result may not remain the same proof at all;
    ▶ who will verify this new proof for correctness?
▶ SOLUTIONS:
  ▶ Fix a formal language that is precise and expressive enough, e.g. First Order Logic + Induction Principles.
  ▶ Resolve to write down every step of deduction.
  ▶ It should then be possible to verify such a proof without much reasoning on the part of the verifier.

Why need a Proof Assistant?

▶ PROBLEMS:
  ▶ Given the freedom of writing proofs on paper, it is highly impractical to expect that one will follow these restrictions. (A similar situation: MS Word vs. LaTeX.)
  ▶ At every moment one needs to struggle against the desire to finish writing the proof as early as possible.
  ▶ Even when provided with a complete proof, it is an extremely boring job to verify it manually.
  ▶ No intelligence is required: verification becomes a purely mechanical job.
▶ SOLUTION:
  ▶ Computers are best suited for this kind of job.
  ▶ The Coq Proof Assistant is a computer-based tool that can do this job for us.

An example from geometry

▶ Take an arbitrary triangle: △ABC is any arbitrary triangle.
▶ Theorem: Every triangle is isosceles.
▶ Construction: Draw the line bisecting ∠A and the perpendicular bisector of BC. Let O be their intersection point. Draw OF and OE perpendicular to AB and AC respectively.
▶ The "theorem" is of course false; the argument is the classic fallacy that depends on the picture. For a non-isosceles triangle O actually lies on the circumcircle, outside the triangle, and exactly one of the feet E, F falls on the extension of its side rather than on the side itself, so the final step (adding equal segments on both sides) is unjustified. An informal proof hides such a gap behind the figure; a proof assistant has no figure and will not accept the step.
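The "A session in Coq" slide above, the PROBLEMS/SOLUTIONS slides, and the geometry example all make the same point: every step must be written down, and the checker, not the reader, fills in nothing. The session below is an added example written for this page, not the demo from the talk. It defines its own addition `plus'` (a hypothetical name; Coq's library already has `plus`), proves commutativity with every step checked, and then shows what happens when a step is skipped "because it is trivial": `Admitted` closes the proof but records the statement as an axiom, and `Print Assumptions` is the check a reviewer runs before trusting any theorem.

```coq
(* A small Coq session, added as an example for this page (not the
   talk's demo). Definitions, a stated theorem, an interactive proof,
   and the check that nothing was left unproved. *)

(* Definition: addition on nat by recursion on the first argument.
   The name plus' is ours; the standard library already has plus. *)
Fixpoint plus' (n m : nat) : nat :=
  match n with
  | 0    => m
  | S n' => S (plus' n' m)
  end.

Check plus'.
Compute plus' 2 3.

(* The "obvious" fact that 0 is a right identity is NOT definitional:
   plus' n 0 does not reduce, because plus' recurses on its first
   argument, so a paper proof that just says "clearly" is hiding an
   induction. Coq makes us write it. *)
Theorem plus'_n_0 : forall n : nat, plus' n 0 = n.
Proof.
  induction n as [| n' IH].
  - reflexivity.                      (* plus' 0 0 computes to 0 *)
  - simpl. rewrite IH. reflexivity.   (* S (plus' n' 0) = S n' *)
Qed.

Lemma plus'_n_Sm : forall n m : nat, plus' n (S m) = S (plus' n m).
Proof.
  induction n as [| n' IH]; intro m.
  - reflexivity.
  - simpl. rewrite IH. reflexivity.
Qed.

(* Commutativity, with every deduction step spelled out as a tactic;
   each tactic is checked against the current goal before the next one
   is allowed. *)
Theorem plus'_comm : forall n m : nat, plus' n m = plus' m n.
Proof.
  induction n as [| n' IH]; intro m.
  - simpl. rewrite plus'_n_0. reflexivity.
  - simpl. rewrite IH. rewrite plus'_n_Sm. reflexivity.
Qed.

(* Skipping a step is allowed, but it is recorded rather than hidden:
   Admitted ends the proof by registering the statement as an axiom. *)
Theorem plus'_assoc_skipped :
  forall a b c : nat, plus' a (plus' b c) = plus' (plus' a b) c.
Proof.
Admitted.

(* The check to run before trusting a development: it lists every axiom
   a theorem depends on, including anything that was Admitted. *)
Print Assumptions plus'_comm.
Print Assumptions plus'_assoc_skipped.
```

For `plus'_comm` Coq answers "Closed under the global context": the proof rests on nothing but the definitions. For `plus'_assoc_skipped` it lists the theorem itself as an axiom, which is exactly the "unexplained reasoning step" of the slides made visible. A development that is accepted by `Qed` everywhere but whose `Print Assumptions` output is non-empty has not been verified; checking that output (and grepping for `Admitted` and `Axiom`) is part of reviewing any Coq artefact.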

The Coq Proof Assistant

▶ It is the result of almost 30 years of research.
▶ Started in 1984 with the implementation of the Calculus of Constructions at INRIA by Thierry Coquand and Gérard Huet.
▶ In 1991, Christine Paulin extended it to the Calculus of Inductive Constructions (CIC).
▶ The latest version is based on a predicative variant of CIC (pCIC), in which the sort Set is predicative.
▶ CIC is a very expressive extension of the simply typed lambda calculus.
▶ Coq is written mainly in OCaml (Objective Caml).

Coq's Philosophy

▶ "A programming paradigm can be used for developing proofs."
▶ Known as the Curry-Howard Isomorphism / Propositions-as-Types Correspondence.
▶ Proving and programming are essentially the same task:

  Programming view  ⇒  Specifications   Programs
  Proving view      ⇒  Propositions     Proofs

▶ Proofs are related to propositions in the same way as programs are related to specifications.
▶ If one can encode propositions as specifications, then proofs can be encoded as programs.
▶ The same environment can be used for developing programs for given specifications and proofs for given propositions.
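The correspondence above, made concrete. This is an added example for this page, not code from the talk; the names `weaken_tac`, `weaken_term`, `and_swap`, `or_swap` and `double_spec` are ours. The same proposition is proved once as a tactic script and once by writing the lambda term directly; `Print` shows that the script produced nothing but such a term. Conjunction turns out to be a pair, disjunction a sum type, and a specification `{m : nat | m = n + n}` is just another type whose inhabitants are programs that meet it.

```coq
(* Curry-Howard in Coq, added example (not code from the talk):
   a proposition is a type, a proof is a program of that type, and
   one checker handles both. *)
Require Extraction.

(* The proposition A -> B -> A, proved interactively with tactics. *)
Lemma weaken_tac : forall A B : Prop, A -> B -> A.
Proof.
  intros A B a b.
  exact a.
Qed.

(* The same proposition, proved by writing the program directly: a
   function that takes a proof of A and a proof of B and returns the
   proof of A. Implication is the function type. *)
Definition weaken_term : forall A B : Prop, A -> B -> A :=
  fun A B a b => a.

(* The tactic script built a lambda term of exactly this shape;
   Print displays the term that the kernel actually checked. *)
Print weaken_tac.

(* Conjunction is a pair: a proof of A /\ B is the constructor conj
   applied to a proof of A and a proof of B. Swapping the conjuncts is
   the same program as swapping the components of a pair. *)
Definition and_swap : forall A B : Prop, A /\ B -> B /\ A :=
  fun A B H => match H with conj a b => conj b a end.

(* Disjunction is a sum type: a proof of A \/ B is either or_introl a
   or or_intror b, so case analysis is a match on the constructor. *)
Definition or_swap : forall A B : Prop, A \/ B -> B \/ A :=
  fun A B H =>
    match H with
    | or_introl a => or_intror a
    | or_intror b => or_introl b
    end.

(* Programming view: a specification is also a type. {m : nat | m = n + n}
   reads "a number m together with a proof that m = n + n"; a term of
   that type is a program that provably meets the specification. *)
Definition double_spec (n : nat) : {m : nat | m = n + n} :=
  exist _ (n + n) eq_refl.

(* At extraction time the two halves separate: the proof component
   lives in Prop and is erased, leaving only the executable program. *)
Extraction double_spec.
```

`Extraction double_spec` prints an OCaml function that computes `n + n`; the `eq_refl` proof is gone, which is the practical payoff of the correspondence: the artefact you ship is the program, and the proof that rode along in its type costs nothing at run time.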

Simply typed lambda calculus (λ→)

▶ Two views of one calculus:

          Simply Typed Lambda Calculus
             ↙                  ↘
    Basic Programming       Basic Proving

▶ Two ingredients:

    Types                              Lambda Calculus
      ↓                                     ↓
    Russell: to save mathematics       Alonzo Church: a model for
    from paradoxes                     computation (Turing complete)

▶ Types were invented in mathematics, but they are now more popular in the programming world.
  For example, a function declaration in C:
    float Division(int);
  The same function can be specified in mathematics as
    Division : Int → Float.

Untyped Lambda Calculus

I Syntax: Terms are built from an infinite set of variables V byapplying the operation of abstraction and functionapplications.

I Abstract syntax term := V | λx .term | term term.I Abstraction is a way to define nameless functions:

(λx . x + x) represents the function f (x) = x + x .I Application corresponds to function application on an

argument:(λx . x + x) 2 represents f (2) which is computed bysubstitution f (2) = (λx . x + x) [x := 2].

I The notion of computation is captured by reductions.(λx . x + x) 2 →β (λx . x + x)[x := 2] = 2 + 2.

I The notion of natural numbers, successor function, functioncomposition, and general recursion can be represented inLambda calculus.

Untyped Lambda Calculus

I Syntax: Terms are built from an infinite set of variables V byapplying the operation of abstraction and functionapplications.

I Abstract syntax term := V | λx .term | term term.

I Abstraction is a way to define nameless functions:(λx . x + x) represents the function f (x) = x + x .

I Application corresponds to function application on anargument:(λx . x + x) 2 represents f (2) which is computed bysubstitution f (2) = (λx . x + x) [x := 2].

I The notion of computation is captured by reductions.(λx . x + x) 2 →β (λx . x + x)[x := 2] = 2 + 2.

I The notion of natural numbers, successor function, functioncomposition, and general recursion can be represented inLambda calculus.

Untyped Lambda Calculus

I Syntax: Terms are built from an infinite set of variables V byapplying the operation of abstraction and functionapplications.

I Abstract syntax term := V | λx .term | term term.I Abstraction is a way to define nameless functions:

(λx . x + x) represents the function f (x) = x + x .I Application corresponds to function application on an

argument:(λx . x + x) 2 represents f (2) which is computed bysubstitution f (2) = (λx . x + x) [x := 2].

I The notion of computation is captured by reductions.(λx . x + x) 2 →β (λx . x + x)[x := 2] = 2 + 2.

I The notion of natural numbers, successor function, functioncomposition, and general recursion can be represented inLambda calculus.

Untyped Lambda Calculus

- Confluence property: every terminating computation yields the same result.
- Since any term can be applied to any other term, a function can be applied to itself.
- This may yield a nonterminating computation. Example: (λx. xx)(λx. xx) →β (λx. xx)(λx. xx) →β ...
- Self application causes nontermination in computation.
- Self reference causes inconsistencies in mathematics.
- Russell used types to save mathematics from inconsistencies.
- Assigning types to the arguments of functions can save us from self application and hence from nontermination.
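The two slides above describe untyped terms, β-reduction by substitution, and the self-applying term Ω that never terminates. The following Coq development is an added example written for this page, not code from the talk: it represents untyped terms with de Bruijn indices (so `Var 0` is the nearest binder, a choice made here to avoid variable capture), implements substitution and one leftmost β-step, and shows with a fuel-bounded evaluator that `(λx. x) (λx. x)` reaches a normal form while Ω steps to itself forever. The names `term`, `shift`, `subst`, `step`, `run` and `Omega` are this example's own. The point for anyone writing a checker: an evaluator over an untyped calculus cannot be a decision procedure, which is why a proof assistant needs the typing discipline of the next slides.

```coq
(* Untyped lambda terms with de Bruijn indices: Var 0 is the nearest binder. *)
Inductive term : Type :=
  | Var (n : nat)
  | Lam (body : term)        (* λ. body *)
  | App (f a : term).

(* Shift free variables >= c up by d (needed when a term moves under a binder). *)
Fixpoint shift (d c : nat) (t : term) : term :=
  match t with
  | Var n => if Nat.ltb n c then Var n else Var (n + d)
  | Lam b => Lam (shift d (S c) b)
  | App f a => App (shift d c f) (shift d c a)
  end.

(* t[j := s]; the binder j disappears, so free indices above j drop by one. *)
Fixpoint subst (j : nat) (s t : term) : term :=
  match t with
  | Var n => if Nat.eqb n j then s
             else if Nat.ltb j n then Var (n - 1) else Var n
  | Lam b => Lam (subst (S j) (shift 1 0 s) b)
  | App f a => App (subst j s f) (subst j s a)
  end.

(* One leftmost-outermost beta step; None when t is already in normal form. *)
Fixpoint step (t : term) : option term :=
  match t with
  | App (Lam b) a => Some (subst 0 a b)          (* the β rule *)
  | App f a =>
      match step f with
      | Some f' => Some (App f' a)
      | None => match step a with
                | Some a' => Some (App f a')
                | None => None
                end
      end
  | Lam b => match step b with
             | Some b' => Some (Lam b')
             | None => None
             end
  | Var _ => None
  end.

(* Fuel-bounded evaluation: Some normal form, or None when fuel runs out. *)
Fixpoint run (fuel : nat) (t : term) : option term :=
  match fuel with
  | 0 => None
  | S fuel' => match step t with
               | None => Some t
               | Some t' => run fuel' t'
               end
  end.

Definition id_tm := Lam (Var 0).                      (* λx. x *)
Definition self_app := Lam (App (Var 0) (Var 0)).    (* λx. x x *)
Definition Omega := App self_app self_app.           (* (λx. x x)(λx. x x) *)

Lemma id_terminates : run 10 (App id_tm id_tm) = Some id_tm.
Proof. reflexivity. Qed.

(* Ω reduces to itself in one step ... *)
Lemma Omega_steps_to_itself : step Omega = Some Omega.
Proof. reflexivity. Qed.

(* ... so no amount of fuel reaches a normal form. *)
Lemma Omega_never_finishes : run 1000 Omega = None.
Proof. reflexivity. Qed.
```

All three lemmas are closed by `reflexivity`, i.e. by letting Coq compute; the fuel argument is what makes `run` acceptable to Coq's own termination checker, since an unbounded evaluator of this calculus could not be defined as a `Fixpoint` at all.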

Simply typed Lambda Calculus (λ→)

The system λ→ consists of:

1. Types T = V_T | T → T;
2. Pseudoterms Λ_E = V | Λ_E Λ_E | λV : T. Λ_E;
3. Bases Γ = {x1 : A1, ..., xn : An}, with all xi distinct and all Ai ∈ T;
4. Contraction rule (λx : A. M) N →β M[x := N].

- A function definition requires providing types for its arguments. For example, λx : Nat. x is a valid definition but λx. x is not.
- A function f : A → B can only be applied to arguments a of type A.
- The type of f(a) will then be B.
- These restrictions are enforced by typing rules.

Simply typed Lambda Calculus (λ→)

Typing rules for the system λ→:

(start rule)
  (x : A) ∈ Γ
  ---------------
  Γ ⊢ x : A

(→ elimination)
  Γ ⊢ M : (A → B)    Γ ⊢ N : A
  ------------------------------
  Γ ⊢ (M N) : B

(→ introduction)
  Γ, x : A ⊢ M : B
  ------------------------------
  Γ ⊢ (λx : A. M) : (A → B)

- Confluence property / Church-Rosser.
- Strong normalization.
- We write M : T to declare that the term M has type T.
- Curry-Howard isomorphism: M : T can also be read as "M is a proof of T".
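The three typing rules above are an algorithm once the basis Γ is made concrete. The following Coq code is an added example for this page, not code from the talk: it implements the start rule, →elimination and →introduction as a type-inference function over de Bruijn pseudoterms (Γ becomes a list of types, variable n looks up entry n), then checks that λx:A. λf:A→B. f x is typable and that the self application λx:A. x x, which drove Ω in the untyped calculus, is rejected. The names `ty`, `tm`, `infer`, `TA`, `TB` and `apply_tm` are this example's own; `nth_error` is Coq's standard-library list lookup.

```coq
Require Import List.

(* Types: numbered base types and arrow types. *)
Inductive ty : Type :=
  | TBase (n : nat)
  | TArr (a b : ty).

Fixpoint ty_eqb (a b : ty) : bool :=
  match a, b with
  | TBase n, TBase m => Nat.eqb n m
  | TArr a1 b1, TArr a2 b2 => andb (ty_eqb a1 a2) (ty_eqb b1 b2)
  | _, _ => false
  end.

(* Pseudoterms with de Bruijn indices: TVar 0 is the innermost bound variable. *)
Inductive tm : Type :=
  | TVar (n : nat)
  | TLam (A : ty) (body : tm)    (* λx : A. body *)
  | TApp (f a : tm).

(* The basis Γ is a list of types whose n-th entry is the type of variable n.
   Each match branch is one typing rule; None means "no derivation exists". *)
Fixpoint infer (G : list ty) (t : tm) : option ty :=
  match t with
  | TVar n => nth_error G n                         (* start rule *)
  | TLam A b =>                                     (* →introduction *)
      match infer (A :: G) b with
      | Some B => Some (TArr A B)
      | None => None
      end
  | TApp f a =>                                     (* →elimination *)
      match infer G f, infer G a with
      | Some (TArr A B), Some A' => if ty_eqb A A' then Some B else None
      | _, _ => None
      end
  end.

Definition TA := TBase 0.
Definition TB := TBase 1.

(* λx : A. λf : A → B. f x  has type  A → (A → B) → B.
   Read through Curry-Howard, it is a proof of A → (A → B) → B. *)
Definition apply_tm := TLam TA (TLam (TArr TA TB) (TApp (TVar 0) (TVar 1))).

Lemma apply_tm_typed :
  infer nil apply_tm = Some (TArr TA (TArr (TArr TA TB) TB)).
Proof. reflexivity. Qed.

(* λx : A. x x is untypable: x : A is not an arrow type, so →elimination
   has no instance. Typing is exactly what rules out Ω. *)
Lemma self_app_untypable :
  infer nil (TLam TA (TApp (TVar 0) (TVar 0))) = None.
Proof. reflexivity. Qed.

(* Applying a function to an argument of the wrong type is rejected too. *)
Lemma wrong_arg_untypable :
  infer nil (TApp (TLam TA (TVar 0)) (TLam TB (TVar 0))) = None.
Proof. reflexivity. Qed.
```

Because `infer` is total and structurally recursive, it is itself accepted by Coq's termination checker; the rejection of `λx:A. x x` is a `None`, not a loop, which is the property the slide's last two bullets are after.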

Proof of Implication as function

Proofs as Functions

Curry Howard Isomorphism

- The same typing rules of the simply typed lambda calculus can be viewed as the introduction and elimination rules for implication:

(→ elimination)
  Γ ⊢ M : (A → B)    Γ ⊢ N : A
  ------------------------------
  Γ ⊢ (M N) : B

(→ introduction)
  Γ, x : A ⊢ M : B
  ------------------------------
  Γ ⊢ (λx : A. M) : (A → B)

- The types A, B and A → B can be viewed as propositions.
- The term λx : A. M can be viewed as a proof of the proposition A → B.

Proof Terms

Propositions and Proofs

- Coq realises the following intuitionistic behaviour for the propositional connectives:
  - There is no possible proof of ⊥ (where ⊥ denotes falsity).
  - A proof of ϕ1 ∧ ϕ2 consists of a proof of ϕ1 and a proof of ϕ2.
  - A proof of ϕ1 ∨ ϕ2 consists of a number i ∈ {1, 2} and a proof of ϕi.
  - A proof of ϕ1 → ϕ2 is a method (function) transforming every proof of ϕ1 into a proof of ϕ2.
  - A proof of ¬ϕ is a proof of ϕ → ⊥.

Introduction and Elimination Rules

Introduction rules:

(∧I)   Δ ⊢ ϕ    Δ ⊢ ψ
       -----------------
       Δ ⊢ ϕ ∧ ψ

(∨I)   Δ ⊢ ϕ               Δ ⊢ ψ
       -----------         -----------
       Δ ⊢ ϕ ∨ ψ           Δ ⊢ ϕ ∨ ψ

(→I)   Δ, ϕ ⊢ ψ
       -----------
       Δ ⊢ ϕ → ψ

Elimination rules:

(∧E)   Δ ⊢ ϕ ∧ ψ          Δ ⊢ ϕ ∧ ψ
       -----------        -----------
       Δ ⊢ ϕ              Δ ⊢ ψ

(∨E)   Δ, ϕ ⊢ ρ    Δ, ψ ⊢ ρ    Δ ⊢ ϕ ∨ ψ
       ----------------------------------
       Δ ⊢ ρ

(→E)   Δ ⊢ ϕ → ψ    Δ ⊢ ϕ
       --------------------
       Δ ⊢ ψ

(⊥E)   Δ ⊢ ⊥
       -------
       Δ ⊢ ϕ
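The Curry-Howard slide, the "Propositions and Proofs" slide and the rule table above all say the same thing from three angles: a proof of an implication is a function, a proof of a conjunction is a pair, a proof of a disjunction is a tagged value, and ⊥ has no proof. The Coq file below is an added example written for this page (not from the talk) in which each natural-deduction rule appears as the corresponding term former, using Coq's built-in `/\`, `\/`, `~` and `False`; the definition names are this example's own. Every `Definition` is a proof term that Coq's type checker validates, which is the sense in which a machine-checked proof is a certificate rather than an argument.

```coq
(* →introduction is λ-abstraction, →elimination is application. *)

(* Γ, x : A ⊢ x : A, so λx : A. x proves A → A. *)
Definition imp_refl (A : Prop) : A -> A := fun x => x.

(* Modus ponens (→E): apply the proof f of A → B to the proof a of A. *)
Definition modus_ponens (A B : Prop) (f : A -> B) (a : A) : B := f a.

(* Transitivity of implication is function composition. *)
Definition imp_trans (A B C : Prop) (f : A -> B) (g : B -> C) : A -> C :=
  fun a => g (f a).

(* A proof of A /\ B is a pair (conj a b): ∧E is projection, ∧I is pairing. *)
Definition and_swap (A B : Prop) (h : A /\ B) : B /\ A :=
  match h with
  | conj a b => conj b a
  end.

(* A proof of A \/ B carries a tag (or_introl / or_intror) and a proof
   of that side; ∨E is a case split on the tag. *)
Definition or_swap (A B : Prop) (h : A \/ B) : B \/ A :=
  match h with
  | or_introl a => or_intror a
  | or_intror b => or_introl b
  end.

(* ~A unfolds to A -> False, so a proof of A refutes every refutation of A. *)
Definition not_not_intro (A : Prop) (a : A) : ~ ~ A := fun na => na a.

(* ⊥E: False has no constructors, so an empty match proves anything. *)
Definition ex_falso (A : Prop) (f : False) : A := match f with end.

(* The same theorem built interactively; the tactics assemble the same
   kind of λ-term, which Print displays. *)
Lemma and_swap_tac : forall A B : Prop, A /\ B -> B /\ A.
Proof.
  intros A B [a b].   (* ∧E on the hypothesis *)
  split.              (* ∧I *)
  - exact b.
  - exact a.
Qed.

Print and_swap_tac.
```

Note what is absent: there is no term of type `forall A : Prop, A \/ ~ A`, because a proof of a disjunction must commit to a side. That is the intuitionistic behaviour the slide refers to; classical reasoning has to be added as an axiom.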

The System F (λ2)

- The functions λx : α. x and λx : β. x are essentially the same but need to be written separately in λ→.
- System F treats types polymorphically. We add types of the form ∀α. σ.

1. Types T = V_T | T → T | ∀V_T. T;
2. Pseudoterms Λ_E = V | Λ_E Λ_E | λV : T. Λ_E | ΛV_T. Λ_E | Λ_E T;
3. Bases Γ = {x1 : A1, ..., xn : An}, with all xi distinct and all Ai ∈ T;
4. Contraction rules (λx : A. M) N →β M[x := N] and (Λα. M) A →β M[α := A].

Typing Rules for System F

(start rule)
  (x : A) ∈ Γ
  ---------------
  Γ ⊢ x : A

(→ elimination)
  Γ ⊢ M : (A → B)    Γ ⊢ N : A
  ------------------------------
  Γ ⊢ (M N) : B

(→ introduction)
  Γ, x : A ⊢ M : B
  ------------------------------
  Γ ⊢ (λx : A. M) : (A → B)

(∀ elimination)
  Γ ⊢ M : (∀α. A)
  ------------------------------  B ∈ T
  Γ ⊢ M B : A[α := B]

(∀ introduction)
  Γ ⊢ M : A
  ------------------------------  α ∉ FV(Γ)
  Γ ⊢ (Λα. M) : (∀α. A)

Curry Howard

- The new additions to the typing rules can be interpreted as introduction and elimination rules for ∀α. A.
- This means that (Λα. M) represents a proof of ∀α. A, provided the given side conditions are satisfied.
- The other connectives can now be represented as follows:

  ⊥     := ∀α. α
  σ ∧ τ := ∀α. (σ → τ → α) → α
  σ ∨ τ := ∀α. (σ → α) → (τ → α) → α
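The System F slides introduce type abstraction (one identity function for all types) and then encode ⊥, ∧ and ∨ as universally quantified types. The Coq code below is an added example for this page, not part of the talk: it writes the polymorphic identity, then the three encodings from the slide with α ranging over `Prop`, and derives the introduction and elimination rules of each connective as ordinary terms, so that the encoded connectives provably behave like the built-in ones. The names `poly_id`, `Bot`, `And`, `Or` and the `and_`/`or_`/`bot_` functions are this example's own.

```coq
(* Polymorphism: one identity for every type, instead of λx:α.x, λx:β.x, ... *)
Definition poly_id : forall (alpha : Type), alpha -> alpha := fun alpha x => x.
Check poly_id nat 3.     (* poly_id nat 3 : nat      -- ∀-elimination then →-elimination *)
Check poly_id bool.      (* poly_id bool : bool -> bool *)

(* The encodings from the slide, with α ranging over Prop. *)
Definition Bot : Prop := forall alpha : Prop, alpha.
Definition And (sigma tau : Prop) : Prop :=
  forall alpha : Prop, (sigma -> tau -> alpha) -> alpha.
Definition Or (sigma tau : Prop) : Prop :=
  forall alpha : Prop, (sigma -> alpha) -> (tau -> alpha) -> alpha.

(* ⊥E: a proof of Bot yields a proof of anything by instantiating alpha. *)
Definition bot_elim (phi : Prop) (b : Bot) : phi := b phi.

(* ∧I is pairing; ∧E instantiates alpha with the wanted component and
   passes the matching projection as the continuation. *)
Definition and_intro (sigma tau : Prop) (s : sigma) (t : tau) : And sigma tau :=
  fun alpha k => k s t.
Definition and_fst (sigma tau : Prop) (p : And sigma tau) : sigma :=
  p sigma (fun s _ => s).
Definition and_snd (sigma tau : Prop) (p : And sigma tau) : tau :=
  p tau (fun _ t => t).

(* ∨I picks a branch (the number i in {1,2} of the earlier slide);
   ∨E supplies a handler for each branch. *)
Definition or_inl (sigma tau : Prop) (s : sigma) : Or sigma tau :=
  fun alpha f g => f s.
Definition or_inr (sigma tau : Prop) (t : tau) : Or sigma tau :=
  fun alpha f g => g t.
Definition or_elim (sigma tau rho : Prop) (d : Or sigma tau)
                   (f : sigma -> rho) (g : tau -> rho) : rho :=
  d rho f g.

(* The encoded connectives satisfy the expected laws. *)
Lemma and_comm_enc : forall sigma tau : Prop, And sigma tau -> And tau sigma.
Proof.
  intros sigma tau p.
  apply and_intro.
  - exact (and_snd sigma tau p).
  - exact (and_fst sigma tau p).
Qed.

Lemma or_comm_enc : forall sigma tau : Prop, Or sigma tau -> Or tau sigma.
Proof.
  intros sigma tau d.
  exact (or_elim sigma tau (Or tau sigma) d (or_inr tau sigma) (or_inl tau sigma)).
Qed.

(* Bot is as empty as Coq's primitive False. *)
Lemma bot_is_false : Bot -> False.
Proof. intros b. exact (b False). Qed.
```

The encodings work because `Prop` in Coq is impredicative, exactly as the quantification over all types is in System F; the same definitions with α ranging over `Type` would live in a larger universe and could not be instantiated at themselves.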

Lambda Cube

Typing Rules for λC

(application rule)
  Γ ⊢ F : (Πx : A. B)    Γ ⊢ a : A
  ----------------------------------
  Γ ⊢ F a : B[x := a]

(abstraction rule)
  Γ, x : A ⊢ b : B    Γ ⊢ (Πx : A. B) : s
  ------------------------------------------
  Γ ⊢ (λx : A. b) : (Πx : A. B)
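The λC rules above differ from the λ→ ones in that the result type B may mention the argument x, so applying F to a substitutes a into the type. The Coq code below is an added example written for this page, not from the talk: Π is spelled `forall` in Coq, the first part shows the application rule producing `3 <= 3` from a term of type `forall n : nat, n <= n`, and the second defines a length-indexed vector type whose `vhead` can only be applied to a provably non-empty vector. The names `refl_le`, `vec`, `vhead` and `v3` are this example's own; `le_n` is Coq's standard reflexivity constructor for `<=`.

```coq
(* Π x:A. B is written  forall x : A, B  in Coq;
   A -> B is the special case where x does not occur in B. *)

(* A dependent function: the type of the result mentions the argument n. *)
Definition refl_le : forall n : nat, n <= n := fun n => le_n n.

(* Application rule: from refl_le : Πn:nat. n <= n and 3 : nat
   we get refl_le 3 : (n <= n)[n := 3]. *)
Check refl_le 3.          (* refl_le 3 : 3 <= 3 *)

(* A type indexed by a term: vectors whose length is part of the type. *)
Inductive vec (A : Type) : nat -> Type :=
  | vnil : vec A 0
  | vcons : forall n : nat, A -> vec A n -> vec A (S n).

Arguments vnil {A}.
Arguments vcons {A} {n} _ _.

(* head accepts only vectors whose index is S n, i.e. non-empty ones.
   The return clause lets the vnil branch be discharged with tt. *)
Definition vhead {A : Type} {n : nat} (v : vec A (S n)) : A :=
  match v in vec _ m return (match m with 0 => unit | S _ => A end) with
  | vnil => tt
  | vcons h _ => h
  end.

Definition v3 : vec nat 3 := vcons 1 (vcons 2 (vcons 3 vnil)).

Lemma vhead_v3 : vhead v3 = 1.
Proof. reflexivity. Qed.

(* Taking the head of an empty vector is a type error, not a runtime fault:
   0 does not unify with S n. Fail confirms that the command is rejected. *)
Fail Check vhead vnil.
```

This is the practical face of λC for systems work: an index in the type carries a bounds invariant, and the application rule checks it at every call site, so the out-of-bounds read is unrepresentable rather than merely tested for.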

Induction in Coq

- With the expressive power of λC it is possible to represent induction principles.
- For example, the induction principle for the natural numbers:
  ∀P : nat → Prop, P 0 → (∀n : nat, P n → P (S n)) → ∀n : nat, P n
- For the natural numbers Coq generates the above induction principle as the type of a constant nat_ind, i.e.
  nat_ind : ∀P : nat → Prop, P 0 → (∀n : nat, P n → P (S n)) → ∀n : nat, P n
- Natural numbers are defined in Coq as follows:

Induction in Coq

- Some other inductive types already defined in Coq:

Induction in Coq

- One can define functions on an inductive set by case analysis.
- One can also define recursive functions on an inductive type.
- Coq also allows users to define their own inductive types.
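The slides from the nat_ind principle to this one describe the definition of the natural numbers, the generated induction principle, case analysis, structural recursion and user-defined inductive types; the definitions themselves were shown as images. The Coq code below is an added example for this page, not the talk's own listing: it redefines `nat` inside a module (so that it does not clash with Coq's prelude), asks Coq for the generated `nat_ind`, whose type is exactly the one on the slide, writes `pred` by case analysis and `plus` by recursion, and proves `plus n O = n` twice, once with the `induction` tactic and once as an explicit proof term built from `nat_ind`. The module name `MyNat`, the `color` type and the lemma names are this example's own.

```coq
Module MyNat.
  (* The same definition as Coq's own nat, in a module to avoid name clashes. *)
  Inductive nat : Type :=
    | O : nat
    | S : nat -> nat.

  (* Coq generates nat_ind automatically:
     nat_ind : forall P : nat -> Prop,
                 P O -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n *)
  Check nat_ind.

  (* A function by case analysis on the constructors. *)
  Definition pred (n : nat) : nat :=
    match n with
    | O => O
    | S m => m
    end.

  (* A recursive function; the recursion must be structural, here on n. *)
  Fixpoint plus (n m : nat) : nat :=
    match n with
    | O => m
    | S p => S (plus p m)
    end.

  (* Proof by induction; the induction tactic is an application of nat_ind. *)
  Lemma plus_n_O : forall n : nat, plus n O = n.
  Proof.
    induction n as [| p IH].
    - reflexivity.                       (* plus O O computes to O *)
    - simpl. rewrite IH. reflexivity.    (* S (plus p O) = S p *)
  Qed.

  (* The same proof written directly as a proof term through nat_ind:
     P is the motive, eq_refl the base case, f_equal S IH the step. *)
  Definition plus_n_O' : forall n : nat, plus n O = n :=
    nat_ind (fun n => plus n O = n)
            eq_refl
            (fun p IH => f_equal S IH).
End MyNat.

(* Some inductive types already defined in Coq's prelude. *)
Print bool.
Print list.

(* A user-defined inductive type and a function on it by case analysis. *)
Inductive color : Type := Red | Green | Blue.

Definition is_red (c : color) : bool :=
  match c with
  | Red => true
  | _ => false
  end.

Lemma is_red_Green : is_red Green = false.
Proof. reflexivity. Qed.
```

`plus_n_O'` is worth comparing with `plus_n_O`: the tactic script is a convenience for producing the term, but what the kernel checks in both cases is an application of `nat_ind` whose type is the slide's induction principle.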

Induction in Coq

- Coq automatically generates an induction principle:
- One can also define mutually inductive types in Coq:

Induction in Coq

- One can also define reflexive inductive types.
- However, a definition of the following form is not possible:

Induction in Coq

- Strict positivity is needed to avoid non-termination and hence inconsistency.
- Evaluating loop (C2 loop) would cause nontermination.
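The last four slides introduce mutually inductive types, reflexive inductive types, and the strict-positivity restriction whose violating definition (with a constructor C2) was shown as an image. The Coq code below is an added example for this page, not the talk's listing: it defines a mutually inductive tree/forest pair with a mutually recursive size function and a combined induction principle generated by `Scheme`, a reflexive type of ordinals whose `OLim` constructor takes a function into the type, and finally a non-strictly-positive definition wrapped in `Fail` so that Coq's rejection is recorded in the file. The names `tree`, `forest`, `ord`, `loop_t` and `C2`'s enclosing type are this example's own; `C2` and `loop` follow the slide.

```coq
(* Mutually inductive types: a tree holds a forest, a forest holds trees. *)
Inductive tree : Type :=
  | Node (label : nat) (kids : forest)
with forest : Type :=
  | Fnil
  | Fcons (t : tree) (rest : forest).

(* Mutually recursive functions follow the same shape. *)
Fixpoint size (t : tree) : nat :=
  match t with
  | Node _ k => S (fsize k)
  end
with fsize (f : forest) : nat :=
  match f with
  | Fnil => 0
  | Fcons t r => size t + fsize r
  end.

Lemma size_example :
  size (Node 1 (Fcons (Node 2 Fnil) (Fcons (Node 3 Fnil) Fnil))) = 3.
Proof. reflexivity. Qed.

(* Coq generates tree_ind and forest_ind separately; a principle that
   inducts over both types at once is generated on request. *)
Scheme tree_forest_ind := Induction for tree Sort Prop
  with forest_tree_ind := Induction for forest Sort Prop.
Check tree_forest_ind.

(* Reflexive inductive type: a constructor takes a function returning the
   type. ord occurs only to the RIGHT of the arrow, which is strictly positive. *)
Inductive ord : Type :=
  | OZero
  | OSucc (o : ord)
  | OLim (f : nat -> ord).

Fixpoint ord_of_nat (n : nat) : ord :=
  match n with
  | 0 => OZero
  | S m => OSucc (ord_of_nat m)
  end.

Definition omega_ord : ord := OLim ord_of_nat.   (* the limit of 0, 1, 2, ... *)

(* A constructor argument with the type itself to the LEFT of an arrow
   is not strictly positive; Coq rejects the definition, and Fail turns
   that rejection into a checked fact about this file. *)
Fail Inductive loop_t : Type :=
  | C2 (f : loop_t -> loop_t).

(* Had loop_t been accepted, the definition
     loop (C2 f) := f (C2 f)
   would pass the structural-recursion check, and loop (C2 loop) would
   reduce to loop (C2 loop) again, forever. A non-terminating term can
   inhabit any type, so the restriction is what keeps Coq consistent. *)
```

The reflexive `ord` and the rejected `loop_t` look alike at a glance; the difference is purely the side of the arrow on which the type being defined occurs, and that is the whole content of the strict-positivity condition.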

Some other features of Coq

- Users can generate induction principles.
- Co-inductive types: representation of, and reasoning with, infinite objects.
- Ltac: proof automation.
- Proof by reflection.
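The bullets above name three features without showing them. The Coq code below is an added example written for this page, not from the talk: a co-inductive stream of naturals built with `CoFixpoint` and observed through a finite prefix, then proof by reflection, where a boolean program `evenb` decides evenness, a single soundness lemma connects it to the inductive predicate `ev`, and instances are then discharged by computation, packaged as a one-line Ltac tactic. The names `stream`, `from`, `take`, `ev`, `evenb`, `evenb_sound` and `ev_reflect` are this example's own.

```coq
(* Co-inductive type: infinite streams, built lazily with CoFixpoint. *)
CoInductive stream : Type := SCons (hd : nat) (tl : stream).

CoFixpoint from (n : nat) : stream := SCons n (from (S n)).

(* Only finite observations of a stream are computable. *)
Fixpoint take (k : nat) (s : stream) : list nat :=
  match k, s with
  | 0, _ => nil
  | S k', SCons h t => cons h (take k' t)
  end.

Lemma take_from : take 3 (from 5) = cons 5 (cons 6 (cons 7 nil)).
Proof. reflexivity. Qed.

(* Proof by reflection: decide a property with a boolean program, prove
   the program sound once, then discharge instances by computation. *)
Inductive ev : nat -> Prop :=
  | ev_0 : ev 0
  | ev_SS : forall n, ev n -> ev (S (S n)).

Fixpoint evenb (n : nat) : bool :=
  match n with
  | 0 => true
  | 1 => false
  | S (S m) => evenb m
  end.

(* Strengthened statement so that plain induction on n provides the
   hypothesis for n - 2 via the second conjunct. *)
Lemma evenb_sound : forall n,
  (evenb n = true -> ev n) /\ (evenb (S n) = true -> ev (S n)).
Proof.
  induction n as [| n [IH1 IH2]].
  - split.
    + intros _. constructor.
    + simpl. intros H. discriminate H.
  - split.
    + exact IH2.
    + simpl. intros H. constructor. apply IH1, H.
Qed.

(* Ltac: package the reflection step as a reusable tactic.
   The kernel's work for each instance is evaluating evenb. *)
Ltac ev_reflect := apply (proj1 (evenb_sound _)); reflexivity.

Lemma ev_2016 : ev 2016.
Proof. ev_reflect. Qed.
```

Without reflection, `ev 2016` would need a proof term with 1008 nested `ev_SS` applications; with it, the term is one application of `evenb_sound` and the kernel checks it by running `evenb`, which is the pattern behind larger verified decision procedures.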

Mathematical formalizations

- A proof of the Four Colour Theorem - G. Gonthier and Benjamin Werner, 2005.
- Odd Order Theorem (Feit-Thompson Theorem) - G. Gonthier, 2006-2012.
- Fundamental Theorem of Algebra - Herman Geuvers, Freek Wiedijk, Henk Barendregt, J. Zwanenburg, Randy Pollack.
- Gödel's Incompleteness Theorem - 2003, Russell O'Connor.
- Constructive category theory - Amokrane Saïbi.
- Elements of constructive geometry, group theory and domain theory - Gilles Kahn.
- Real analysis - Micaela Mayero.
- And many more: https://coq.inria.fr/cocorico/Top100MathematicalTheoremsInCoq

Software formalizations

- Clight: formal semantics of a large subset of the C language, formalized in Coq - [S. Blazy, X. Leroy]
  - Big-step operational semantics (leads to simpler proofs when proving the preservation of correctness under some program transformation).
  - Includes pointer arithmetic, pointers to functions, struct and union types, and the C control structures except goto.
  - Clight is the source language of the CompCert verified compiler.
- Semantics of a subset of the C language - [E. Gimenez 2004]
  - Denotational semantics of a subset of C using Coq.
  - Includes the for loop but does not include general loops or recursive functions.
  - Doesn't support pointer arithmetic.
  - This subset is the target language for compilation of the Lustre synchronous dataflow language.

Software Formalizations

I C formalized in HOL [M. Norrish 1998]

I CompCert: A formally verified compiler for a subset of C [Team led by X. Leroy]

I The compiler is specified, programmed and proved in Coq.

I Bedrock [Adam Chlipala]

I A software development tool

I Running entirely inside Coq.

I Giving assembly level correctness proofs.

Thank You
