Results 1  10
of
29
Metatheory à la carte
 In POPL ’13
, 2013
"... Formalizing metatheory, or proofs about programming languages, in a proof assistant has many wellknown benefits. However, the considerable effort involved in mechanizing proofs has prevented it from becoming standard practice. This cost can be amortized by reusing as much of an existing formalizat ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
Formalizing metatheory, or proofs about programming languages, in a proof assistant has many wellknown benefits. However, the considerable effort involved in mechanizing proofs has prevented it from becoming standard practice. This cost can be amortized by reusing as much of an existing formalization as possible when building a new language or extending an existing one. Unfortunately reuse of components is typically adhoc, with the language designer cutting and pasting existing definitions and proofs, and expending considerable effort to patch up the results. This paper presents a more structured approach to the reuse of formalizations of programming language semantics through the composition of modular definitions and proofs. The key contribution is the development of an approach to induction for extensible Church encodings which uses a novel reinterpretation of the universal property of folds. These encodings provide the foundation for a framework, formalized in Coq, which uses type classes to automate the composition of proofs from modular components. Several interesting language features, including binders and general recursion, illustrate the capabilities of our framework. We reuse these features to build fully mechanized definitions and proofs for a number of languages, including a version of miniML. Bounded induction enables proofs of properties for noninductive semantic functions, and mediating type classes enable proof adaptation for more featurerich languages. 1.
A MachineChecked Proof of the Odd Order Theorem
"... This paper reports on a sixyear collaborative effort that culminated in a complete formalization of a proof of the FeitThompson Odd Order Theorem in the Coq proof assistant. The formalized proof is constructive, and relies on nothing but the axioms and rules of the foundational framework impleme ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
(Show Context)
This paper reports on a sixyear collaborative effort that culminated in a complete formalization of a proof of the FeitThompson Odd Order Theorem in the Coq proof assistant. The formalized proof is constructive, and relies on nothing but the axioms and rules of the foundational framework implemented by Coq. To support the formalization, we developed a comprehensive set of reusable libraries of formalized mathematics, including results in finite group theory, linear algebra, Galois theory, and the theories of the real and complex algebraic numbers.
Type classes for efficient exact real arithmetic
 IN COQ. CORR ABS/1106.3448
, 2011
"... Floating point operations are fast, but require continuous effort by the user to ensure correctness. This burden can be shifted to the machine by providing a library of exact analysis in which the computer handles the error estimates. Previously, we provided a fast implementation of the exact real ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
(Show Context)
Floating point operations are fast, but require continuous effort by the user to ensure correctness. This burden can be shifted to the machine by providing a library of exact analysis in which the computer handles the error estimates. Previously, we provided a fast implementation of the exact real numbers in the Coq proof assistant. This implementation incorporates various optimizations to speed up the basic operations of O’Connor’s implementation by a 100 times. We implemented these optimizations in a modular way using type classes to define an abstract specification of the underlying dense set from which the real numbers are built. This abstraction does not hurt the efficiency. This article is a substantially expanded version of (Krebbers/Spitters, Calculemus 2011) in which the implementation is extended in the various ways. First, we implement and verify the sine and cosine function. Secondly, we create an additional implementation of the dense set based on Coq’s fast rational numbers. Thirdly, we extend the hierarchy to capture order on undecidable structures, while it was limited to decidable structures before. This hierarchy, based on type classes, allows us to share theory on the naturals, integers, rationals, dyadics, and reals in a convenient way. Finally, we obtain another dramatic speedup by avoiding evaluation of termination proofs at runtime.
Static and UserExtensible Proof Checking
"... Despite recent successes, largescale proof development within proof assistants remains an arcane art that is extremely timeconsuming. We argue that this can be attributed to two profound shortcomings in the architecture of modern proof assistants. The first is that proofs need to include a large am ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Despite recent successes, largescale proof development within proof assistants remains an arcane art that is extremely timeconsuming. We argue that this can be attributed to two profound shortcomings in the architecture of modern proof assistants. The first is that proofs need to include a large amount of minute detail; this is due to the rigidity of the proof checking process, which cannot be extended with domainspecific knowledge. In order to avoid these details, we rely on developing and using tactics, specialized procedures that produce proofs. Unfortunately, tactics are both hard to write and hard to use, revealing the second shortcoming of modern proof assistants. This is because there is no static knowledge about their expected use and behavior. As has recently been demonstrated, languages that allow typesafe manipulation of proofs, like Beluga, Delphin and VeriML, can be used to partly mitigate this second issue, by assigning rich types to tactics. Still, the architectural issues remain. In this paper, we build on this existing work, and demonstrate two novel ideas: an extensible conversion rule and support for static proof scripts. Together, these ideas enable us to support both userextensible proof checking, and sophisticated static checking of tactics, leading to a new point in the design space of future proof assistants. Both ideas are based on the interplay between a lightweight staging construct and the rich type information available.
Computer certified efficient exact reals in coq
 Intelligent Computer Mathematics
, 2011
"... Abstract. Floating point operations are fast, but require continuous effort on the part of the user in order to ensure that the results are correct. This burden can be shifted away from the user by providing a library of exact analysis in which the computer handles the error estimates. We provide a ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Floating point operations are fast, but require continuous effort on the part of the user in order to ensure that the results are correct. This burden can be shifted away from the user by providing a library of exact analysis in which the computer handles the error estimates. We provide an implementation of the exact real numbers in the Coq proof assistant. This improves on the earlier Coqimplementation by O’Connor in two ways: we use dyadic rationals built from the machine integers and we optimize computation of power series by using approximate division. Moreover, we use type classes for clean mathematical interfaces. This appears to be the first time that type classes are used in heavy computation. We obtain over a 100 times speed up of the basic operations and indications for improving the Coq system. 1
Automating Formal Proofs for Reactive Systems
"... Implementing systems in proof assistants like Coq and proving their correctness in full formal detail has consistently demonstrated promise for making extremely strong guarantees about critical software, ranging from compilers and operating systems to databases and web browsers. Unfortunately, thes ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
(Show Context)
Implementing systems in proof assistants like Coq and proving their correctness in full formal detail has consistently demonstrated promise for making extremely strong guarantees about critical software, ranging from compilers and operating systems to databases and web browsers. Unfortunately, these verifications demand such heroic manual proof effort, even for a single system, that the approach has not been widely adopted. We demonstrate a technique to eliminate the manual proof burden for verifying many properties within an entire class of applications, in our case reactive systems, while only expending effort comparable to the manual verification of a single system. A crucial insight of our approach is simultaneously designing both (1) a domainspecific language (DSL) for expressing reactive systems and their correctness properties and (2) proof automation which exploits the constrained language of both programs and properties to enable fully automatic, pushbutton verification. We apply this insight in a deeply embedded Coq DSL, dubbed REFLEX, and illustrate REFLEX’s expressiveness by implementing and automatically verifying realistic systems including a modern web browser, an SSH server, and a web server. Using REFLEX radically reduced the proof burden: in previous, similar versions of our benchmarks written in Coq by experts, proofs accounted for over 80 % of the code base; our versions require no manual proofs. Categories and Subject Descriptors F.3.1 [Logics and meanings of programs]: Mechanical verification; D.2.4 [Software Engineer
Tactics for reasoning modulo AC in Coq
 In First International Conf. on Certified Programs and Proofs
, 2011
"... Abstract. We present a set of tools for rewriting modulo associativity and commutativity (AC) in Coq, solving a longstanding practical problem. We use two building blocks: first, an extensible reflexive decision procedure for equality modulo AC; second, an OCaml plugin for pattern matching modulo ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We present a set of tools for rewriting modulo associativity and commutativity (AC) in Coq, solving a longstanding practical problem. We use two building blocks: first, an extensible reflexive decision procedure for equality modulo AC; second, an OCaml plugin for pattern matching modulo AC. We handle associative only operations, neutral elements, uninterpreted function symbols, and userdefined equivalence relations. By relying on typeclasses for thereification phase, we can infer these properties automatically, so that endusers do not need to specify which operation is A or AC, or which constant is a neutral element. 1
The Picard Algorithm for Ordinary Differential Equations in Coq
"... Abstract. Ordinary Differential Equations (ODEs) are ubiquitous in physical applications of mathematics. The PicardLindelöf theorem is the first fundamental theorem in the theory of ODEs. It allows one to solve differential equations numerically. We provide a constructive development of the Picar ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Ordinary Differential Equations (ODEs) are ubiquitous in physical applications of mathematics. The PicardLindelöf theorem is the first fundamental theorem in the theory of ODEs. It allows one to solve differential equations numerically. We provide a constructive development of the PicardLindelöf theorem which includes a program together with sufficient conditions for its correctness. The proof/program is written in the Coq proof assistant and uses the implementation of efficient real numbers from the CoRN library and the MathClasses library. Our proof makes heavy use of operators and functionals, functions on spaces of functions. This is faithful to the usual mathematical description, but a novel level of abstraction for certified exact real computation.
Typed syntactic metaprogramming
 International Conference on Functional Programming (ICFP
, 2013
"... We present a novel set of metaprogramming primitives for use in a dependentlytyped functional language. The types of our metaprograms provide strong and precise guarantees about their termination, correctness and completeness. Our system supports typesafe construction and analysis of terms, typ ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
We present a novel set of metaprogramming primitives for use in a dependentlytyped functional language. The types of our metaprograms provide strong and precise guarantees about their termination, correctness and completeness. Our system supports typesafe construction and analysis of terms, types and typing contexts. Unlike alternative approaches, they are written in the same style as normal programs and use the language’s standard functional computational model. We formalise the new metaprogramming primitives, implement them as an extension of Agda, and provide evidence of usefulness by means of two compelling applications in the fields of datatypegeneric programming and proof tactics.
BARRIERS IN CONCURRENT SEPARATION LOGIC: NOW WITH TOOL SUPPORT!
"... Abstract. We develop and prove sound a concurrent separation logic for Pthreadsstyle barriers. Although Pthreads barriers are widely used in systems, and separation logic is widely used for verification, there has not been any effort to combine the two. Unlike locks and critical sections, Pthreads ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We develop and prove sound a concurrent separation logic for Pthreadsstyle barriers. Although Pthreads barriers are widely used in systems, and separation logic is widely used for verification, there has not been any effort to combine the two. Unlike locks and critical sections, Pthreads barriers enable simultaneous resource redistribution between multiple threads and are inherently stateful, leading to significant complications in the design of the logic and its soundness proof. We show how our logic can be applied to a specific example program in a modular way. Our proofs are machinechecked in Coq. We showcase a program verification toolset that automatically applies the logic rules and discharges the associated proof obligations. 1.