certified functional (co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfbig...
TRANSCRIPT
![Page 1: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/1.jpg)
Certified Functional (Co)programming with
JasminBlanchette
AndreasLochbihler
AndreiPopescu
DmitriyTraytel
Partly based on material by Tobias Nipkow
![Page 2: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/2.jpg)
Preliminaries
Programming
Coprogramming
Advanced Coprogramming
![Page 3: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/3.jpg)
Preliminaries
ApplicationsHigher-Order
LogicProving
Programming
Coprogramming
Advanced Coprogramming
![Page 4: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/4.jpg)
Big proofs about programs(an incomplete list)
seL4MicrokernelKlein et al.
FlyspeckPrograms in Hales’s proofof the Kepler conjectureBauer, Nipkow, Obua
JinjaThreadsJava compiler & JMMLochbihler
CAVALTL model checkerLammich, Nipkow et al.
CoConConference managementsystemLammich, Popescu et al.
IsaFoR/CeTATermination proof certifierSternagel, Thiemann et al.
Markov_ModelspCTL model checkerHölzl, Nipkow
PDF-CompilerProbability density functionscompilerEberl, Hölzl, Nipkow
IsaSATSAT solver with 2WLFleury, Blanchette et al.
![Page 5: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/5.jpg)
HOL = Higher-Order Logic
HOL = Functional Programming + Logic
HOL has
• (co)datatypes
• (co)recursive functions
• logical operators
HOL is a programming language!
Higher-order = functions are values, too
HOL formulas:
• Equations: term = term,e.g. 1+2 = 4
• Also: ∧, ∨, −→, ∀, ∃, . . .
![Page 6: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/6.jpg)
HOL = Higher-Order LogicHOL = Functional Programming + Logic
HOL has
• (co)datatypes
• (co)recursive functions
• logical operators
HOL is a programming language!
Higher-order = functions are values, too
HOL formulas:
• Equations: term = term,e.g. 1+2 = 4
• Also: ∧, ∨, −→, ∀, ∃, . . .
![Page 7: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/7.jpg)
HOL = Higher-Order LogicHOL = Functional Programming + Logic
HOL has
• (co)datatypes
• (co)recursive functions
• logical operators
HOL is a programming language!
Higher-order = functions are values, too
HOL formulas:
• Equations: term = term,e.g. 1+2 = 4
• Also: ∧, ∨, −→, ∀, ∃, . . .
![Page 8: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/8.jpg)
HOL = Higher-Order LogicHOL = Functional Programming + Logic
HOL has
• (co)datatypes
• (co)recursive functions
• logical operators
HOL is a programming language!
Higher-order = functions are values, too
HOL formulas:
• Equations: term = term,e.g. 1+2 = 4
• Also: ∧, ∨, −→, ∀, ∃, . . .
![Page 9: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/9.jpg)
HOL = Higher-Order LogicHOL = Functional Programming + Logic
HOL has
• (co)datatypes
• (co)recursive functions
• logical operators
HOL is a programming language!
Higher-order = functions are values, too
HOL formulas:
• Equations: term = term,e.g. 1+2 = 4
• Also: ∧, ∨, −→, ∀, ∃, . . .
![Page 10: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/10.jpg)
Types
Basic syntax
τ ::= (τ)| bool | nat | int | · · · base types| ’a | ’b | · · · type variables| τ⇒ τ functions (ASCII: =>)| τ×τ pairs (ASCII: *)| τ list lists| τ set sets| . . . user-defined types
![Page 11: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/11.jpg)
Terms
Basic syntax
t ::= (t)| a constant or variable (identifier)| t t function application| λx . t function abstraction| . . . lots of syntactic sugar
Examples: f (g x) y
h (%x. f (g x))
![Page 12: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/12.jpg)
Terms must be well-typed
(the argument of every function call must be of the right type)
Notation:t :: τ means “t is a well-typed term of type τ”.
t :: τ1⇒ τ2 u :: τ1
t u :: τ2
![Page 13: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/13.jpg)
Terms must be well-typed
(the argument of every function call must be of the right type)
Notation:t :: τ means “t is a well-typed term of type τ”.
t :: τ1⇒ τ2 u :: τ1
t u :: τ2
![Page 14: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/14.jpg)
Type inference
Isabelle automatically computes the type of each variable in a term.
In the presence of overloaded functions (functions with multiple types) this isnot always possible.
Users can help with type annotations inside the term.Example: f (x::nat)
![Page 15: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/15.jpg)
Currying
Thou shalt curry thy functions
• Curried: f :: τ1⇒ τ2⇒ τ
• Tupled: f’ :: τ1×τ2⇒ τ
Advantage:
Currying allows partial applicationf a1 where a1 :: τ1
![Page 16: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/16.jpg)
Currying
Thou shalt curry thy functions
• Curried: f :: τ1⇒ τ2⇒ τ
• Tupled: f’ :: τ1×τ2⇒ τ
Advantage:
Currying allows partial applicationf a1 where a1 :: τ1
![Page 17: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/17.jpg)
Formulas
Metalogic (Pure):
• Type prop
• Constants:∧:: (’a⇒ prop)⇒ prop
=⇒ :: prop⇒ prop⇒ prop
≡ :: ’a⇒ ’a⇒ prop
Object logic (HOL):
• Type bool
• Constants:Trueprop :: bool⇒ prop (implicit)∀,∃ :: (’a⇒ bool)⇒ bool
−→,∧,∨, . . . :: bool⇒ bool⇒ bool
= :: ’a⇒ ’a⇒ bool
![Page 18: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/18.jpg)
Formulas
Metalogic (Pure):
• Type prop
• Constants:∧:: (’a⇒ prop)⇒ prop
=⇒ :: prop⇒ prop⇒ prop
≡ :: ’a⇒ ’a⇒ prop
Object logic (HOL):
• Type bool
• Constants:Trueprop :: bool⇒ prop (implicit)∀,∃ :: (’a⇒ bool)⇒ bool
−→,∧,∨, . . . :: bool⇒ bool⇒ bool
= :: ’a⇒ ’a⇒ bool
![Page 19: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/19.jpg)
Syntactic sugar
• Infix: +, -, *, #, @, . . .
• Mixfix: if _ then _ else _, case _ of, . . .
• Binders:∧_. _, ∀_. _, ∃_. _, . . .
Prefix binds more strongly than infix:f x + y ≡ (f x) + y 6≡ f (x + y)
Enclose if and case in parentheses:(if _ then _ else _)
![Page 20: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/20.jpg)
Syntactic sugar
• Infix: +, -, *, #, @, . . .
• Mixfix: if _ then _ else _, case _ of, . . .
• Binders:∧_. _, ∀_. _, ∃_. _, . . .
Prefix binds more strongly than infix:f x + y ≡ (f x) + y 6≡ f (x + y)
Enclose if and case in parentheses:(if _ then _ else _)
![Page 21: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/21.jpg)
Theory = Isabelle Module
Syntax
theory MyThimports T1 . . . Tn
begin
(definitions, theorems, proofs, ...)∗
end
MyTh: name of theory. Must live in file MyTh.thy
Ti : names of imported theories. Import transitive.
Typically: imports Main
![Page 22: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/22.jpg)
Theory = Isabelle Module
Syntax
theory MyThimports T1 . . . Tn
begin
(definitions, theorems, proofs, ...)∗
end
MyTh: name of theory. Must live in file MyTh.thy
Ti : names of imported theories. Import transitive.
Typically: imports Main
![Page 23: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/23.jpg)
Theory = Isabelle Module
Syntax
theory MyThimports T1 . . . Tn
begin
(definitions, theorems, proofs, ...)∗
end
MyTh: name of theory. Must live in file MyTh.thy
Ti : names of imported theories. Import transitive.
Typically: imports Main
![Page 24: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/24.jpg)
Concrete syntax
In .thy files:Types, terms and formulas need to be inclosed in double quotes (")
except for single identifiers.
Double quotes are not always shown on slides.
![Page 25: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/25.jpg)
Concrete syntax
In .thy files:Types, terms and formulas need to be inclosed in double quotes (")
except for single identifiers.
Double quotes are not always shown on slides.
![Page 26: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/26.jpg)
Concrete syntax
In .thy files:Types, terms and formulas need to be inclosed in double quotes (")
except for single identifiers.
Double quotes are not always shown on slides.
![Page 27: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/27.jpg)
Isabelle/jEdit
• Based on the jEdit editor
• Processes Isabelle text automaticallywhen editing .thy files (like modern Java IDEs)
• Bottom panels: Output, Query (Find Theorems), . . .
• Side panels: State, Theories, . . .
![Page 28: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/28.jpg)
The proof state
1.∧
x1 . . .xm. A1 =⇒ ·· ·=⇒ An =⇒ C
x1, . . . ,xm fixed local variablesA1, . . . ,An local assumptionsC actual (sub)goal
![Page 29: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/29.jpg)
Apply scripts
General schema:
lemma name: "..." lemma name: "..."apply (...) apply (...)
......
apply (...) apply (...)
apply (...) by (...)
done
If the lemma is suitable as a simplification rule:
lemma name[simp]: "..."
![Page 30: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/30.jpg)
Apply scripts
General schema:
lemma name: "..." lemma name: "..."apply (...) apply (...)
......
apply (...) apply (...)
apply (...) by (...)
done
If the lemma is suitable as a simplification rule:
lemma name[simp]: "..."
![Page 31: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/31.jpg)
Delayed gratification
The command oops gives up the current proof attempt.
The command sorry “completes” any proof.It makes top-down development possible:
Assume lemma first, prove it later.
![Page 32: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/32.jpg)
Isar Proofs
Apply script = assembly language program
Isar proof = structured program with comments
But apply still useful for proof exploration.
![Page 33: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/33.jpg)
Isar Proofs
Apply script = assembly language program
Isar proof = structured program with comments
But apply still useful for proof exploration.
![Page 34: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/34.jpg)
Isar Proofs
Apply script = assembly language program
Isar proof = structured program with comments
But apply still useful for proof exploration.
![Page 35: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/35.jpg)
A typical Isar proof
A proof of ϕ0 =⇒ ϕn+1:
proof
assume ϕ0
have ϕ1
by simp...have ϕn
by blast
show ϕn+1
by . . .
qed
![Page 36: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/36.jpg)
Isar core syntax
proof = proof [method] step∗ qed
| by method
method = (simp . . .) | (blast . . .) | (induction . . .) | · · ·
step = fix variables (∧
)| assume prop (=⇒)| [from fact+] (have | show) prop proof
prop = [name:] "formula"
fact = name | · · ·
![Page 37: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/37.jpg)
Example: Cantor’s theorem
lemma "¬ surj (f :: ’a ⇒ ’a set)"
proof
assume a: "surj f"
from a have b: "∀A. ∃a. A = f a"
by (simp add: surj_def)
from b have c: "∃a. {x. x /∈ f x} = f a"
by blast
from c show False
by blast
qed
![Page 38: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/38.jpg)
Abbreviations
this = the previous proposition proved or assumedthen = from this
![Page 39: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/39.jpg)
using and with
(have | show) prop using facts
=from facts (have | show) prop
with facts=
from facts this
![Page 40: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/40.jpg)
using and with
(have | show) prop using facts=
from facts (have | show) prop
with facts=
from facts this
![Page 41: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/41.jpg)
using and with
(have | show) prop using facts=
from facts (have | show) prop
with facts=
from facts this
![Page 42: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/42.jpg)
Structured lemma statement
lemma
fixes f :: "’a ⇒ ’a set"
assumes s: "surj f"
shows False
proof -
have "∃a. {x. x /∈ f x} = f a"
using s by (auto simp: surj_def)
then show False
by blast
qed
Proves surj f =⇒ False
but surj f becomes local fact s in proof.
![Page 43: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/43.jpg)
Structured lemma statement
lemma
fixes f :: "’a ⇒ ’a set"
assumes s: "surj f"
shows False
proof -
have "∃a. {x. x /∈ f x} = f a"
using s by (auto simp: surj_def)
then show False
by blast
qed
Proves surj f =⇒ False
but surj f becomes local fact s in proof.
![Page 44: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/44.jpg)
Structured lemma statements
fixes x :: τ1 and y :: τ2 . . .assumes a: P and b: Q . . .shows R
• fixes and assumes sections optional
• shows optional if no fixes and assumes
![Page 45: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/45.jpg)
Structured lemma statements
fixes x :: τ1 and y :: τ2 . . .assumes a: P and b: Q . . .shows R
• fixes and assumes sections optional
• shows optional if no fixes and assumes
![Page 46: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/46.jpg)
Case distinction
show "R"
proof cases
assume "P"
...
show "R" ...
next
assume "¬ P"
...
show "R" ...
qed
have "P ∨ Q" ...
then show "R"
proof
assume "P"
...
show "R" ...
next
assume "Q"
...
show "R" ...
qed
![Page 47: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/47.jpg)
Case distinction
show "R"
proof cases
assume "P"
...
show "R" ...
next
assume "¬ P"
...
show "R" ...
qed
have "P ∨ Q" ...
then show "R"
proof
assume "P"
...
show "R" ...
next
assume "Q"
...
show "R" ...
qed
![Page 48: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/48.jpg)
Contradiction
show "¬ P"
proof
assume "P"
...
show False ...
qed
show "P"
proof (rule ccontr)
assume "¬ P"
...
show False ...
qed
![Page 49: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/49.jpg)
Contradiction
show "¬ P"
proof
assume "P"
...
show False ...
qed
show "P"
proof (rule ccontr)
assume "¬ P"
...
show False ...
qed
![Page 50: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/50.jpg)
←→
show "P ←→ Q"
proof
assume "P"
...
show "Q" ...
next
assume "Q"
...
show "P" ...
qed
![Page 51: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/51.jpg)
∀ and ∃ introduction
show "∀x. P x"
proof
fix x
show "P x" ...
qed
show "∃x. P x"
proof
...
show "P witness" ...
qed
![Page 52: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/52.jpg)
∀ and ∃ introduction
show "∀x. P x"
proof
fix x
show "P x" ...
qed
show "∃x. P x"
proof
...
show "P witness" ...
qed
![Page 53: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/53.jpg)
Preliminaries
Programming
Datatypes Recursion Induction
Coprogramming
Advanced Coprogramming
![Page 54: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/54.jpg)
Natural numbers
datatype nat =
0
| Suc nat
This introduces:
• The type nat
• The constructors 0 :: nat and Suc :: nat ⇒ nat
• A case combinator case_nat
• A (primitive) recursor constant rec_nat
• Various theorems about the above, including an induction rule
Numeral notations are also supported:
3 = Suc (Suc (Suc 0) is a theorem
![Page 55: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/55.jpg)
Natural numbers
datatype nat =
0
| Suc nat
This introduces:
• The type nat
• The constructors 0 :: nat and Suc :: nat ⇒ nat
• A case combinator case_nat
• A (primitive) recursor constant rec_nat
• Various theorems about the above, including an induction rule
Numeral notations are also supported:
3 = Suc (Suc (Suc 0) is a theorem
![Page 56: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/56.jpg)
Lists
datatype ’a list =
Nil
| Cons ’a "’a list"
More honest
datatype (set: ’a) list =
Nil ("[]")
| Cons ’a "’a list" (infixr "#" 65)
for map: map
This introduces:• The type ’a list and the constructors Nil and Cons
• A functorial action: map :: (’a ⇒ ’b) ⇒ ’a list ⇒ ’b list
• A natural transformation: set :: ’a list ⇒ ’a set
• A size function: size :: ’a list ⇒ nat
• etc.
![Page 57: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/57.jpg)
Lists
datatype ’a list =
Nil
| Cons ’a "’a list"
More honest
datatype (set: ’a) list =
Nil ("[]")
| Cons ’a "’a list" (infixr "#" 65)
for map: map
This introduces:• The type ’a list and the constructors Nil and Cons
• A functorial action: map :: (’a ⇒ ’b) ⇒ ’a list ⇒ ’b list
• A natural transformation: set :: ’a list ⇒ ’a set
• A size function: size :: ’a list ⇒ nat
• etc.
![Page 58: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/58.jpg)
Lists
datatype ’a list =
Nil
| Cons ’a "’a list"
More honest
datatype (set: ’a) list =
Nil ("[]")
| Cons ’a "’a list" (infixr "#" 65)
for map: map
This introduces:• The type ’a list and the constructors Nil and Cons
• A functorial action: map :: (’a ⇒ ’b) ⇒ ’a list ⇒ ’b list
• A natural transformation: set :: ’a list ⇒ ’a set
• A size function: size :: ’a list ⇒ nat
• etc.
![Page 59: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/59.jpg)
List notations
Empty list: []
Cons: x # xs
Enumeration: [x1, x2, . . ., xn]
Head: hd (x # xs) = x
Tail: tl (x # xs) = xs tl [] = []
Case: (case xs of [] ⇒ . . . | y # ys ⇒ . . .)
![Page 60: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/60.jpg)
Primitive recursion
Definition using primrec or fun:
primrec append :: ’a list ⇒ ’a list ⇒ ’a list (infixr "@" 65)
where
[] @ ys = ys
| (x # xs) @ ys = x # (xs @ ys)
Code export:
export_code append in Haskell
Symbolic evaluation in Isabelle:
value "[1,2,3] @ [4,5,6] :: int list"
![Page 61: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/61.jpg)
Primitive recursion
Definition using primrec or fun:
primrec append :: ’a list ⇒ ’a list ⇒ ’a list (infixr "@" 65)
where
[] @ ys = ys
| (x # xs) @ ys = x # (xs @ ys)
Code export:
export_code append in Haskell
Symbolic evaluation in Isabelle:
value "[1,2,3] @ [4,5,6] :: int list"
![Page 62: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/62.jpg)
Primitive recursion
Definition using primrec or fun:
primrec append :: ’a list ⇒ ’a list ⇒ ’a list (infixr "@" 65)
where
[] @ ys = ys
| (x # xs) @ ys = x # (xs @ ys)
Code export:
export_code append in Haskell
Symbolic evaluation in Isabelle:
value "[1,2,3] @ [4,5,6] :: int list"
![Page 63: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/63.jpg)
Structural induction
We want to prove xs @ [] = xs.
Structural induction rule (thm list.induct)?P [] =⇒ (base case)(∧x xs. ?P xs =⇒ ?P (x # xs)) =⇒ (induction step)
?P ?list
Base case:[] @ [] = [] (by definition of @)
Induction step:(x # xs) @ [] = x # (xs @ []) (by definition of @)
= x # xs (by induction hypothesis)
![Page 64: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/64.jpg)
Structural induction
We want to prove xs @ [] = xs.
Structural induction rule (thm list.induct)?P [] =⇒ (base case)(∧x xs. ?P xs =⇒ ?P (x # xs)) =⇒ (induction step)
?P ?list
Base case:[] @ [] = [] (by definition of @)
Induction step:(x # xs) @ [] = x # (xs @ []) (by definition of @)
= x # xs (by induction hypothesis)
![Page 65: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/65.jpg)
Structural induction
We want to prove xs @ [] = xs.
Structural induction rule (thm list.induct)?P [] =⇒ (base case)(∧x xs. ?P xs =⇒ ?P (x # xs)) =⇒ (induction step)
?P ?list
Base case:[] @ [] = [] (by definition of @)
Induction step:(x # xs) @ [] = x # (xs @ []) (by definition of @)
= x # xs (by induction hypothesis)
![Page 66: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/66.jpg)
Structural induction
We want to prove xs @ [] = xs.
Structural induction rule (thm list.induct)?P [] =⇒ (base case)(∧x xs. ?P xs =⇒ ?P (x # xs)) =⇒ (induction step)
?P ?list
Base case:[] @ [] = [] (by definition of @)
Induction step:(x # xs) @ [] = x # (xs @ []) (by definition of @)
= x # xs (by induction hypothesis)
![Page 67: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/67.jpg)
List reversal
[1,2,3,4]rev−−−→ [4,3,2,1]
Naive list reversalprimrec rev :: ’a list ⇒ ’a list where
rev [] = []
| rev (x # xs) = rev xs @ [x]
Fast list reversalprimrec qrev :: ’a list ⇒ ’a list ⇒ ’a list where
qrev [] ys = ys
| qrev (x # xs) ys = qrev xs (x # ys)
1. What is rev (rev xs)?
2. Are rev and qrev equivalent? What is the relationship?
![Page 68: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/68.jpg)
List reversal
[1,2,3,4]rev−−−→ [4,3,2,1]
Naive list reversalprimrec rev :: ’a list ⇒ ’a list where
rev [] = []
| rev (x # xs) = rev xs @ [x]
Fast list reversalprimrec qrev :: ’a list ⇒ ’a list ⇒ ’a list where
qrev [] ys = ys
| qrev (x # xs) ys = qrev xs (x # ys)
1. What is rev (rev xs)?
2. Are rev and qrev equivalent? What is the relationship?
![Page 69: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/69.jpg)
List reversal
[1,2,3,4]rev−−−→ [4,3,2,1]
Naive list reversalprimrec rev :: ’a list ⇒ ’a list where
rev [] = []
| rev (x # xs) = rev xs @ [x]
Fast list reversalprimrec qrev :: ’a list ⇒ ’a list ⇒ ’a list where
qrev [] ys = ys
| qrev (x # xs) ys = qrev xs (x # ys)
1. What is rev (rev xs)?
2. Are rev and qrev equivalent? What is the relationship?
![Page 70: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/70.jpg)
Well-founded recursion
[a,b,c,d,e]
[X,Y,Z]
merge[a,X,b,Y,c,Z,d,e]
Merge two listsfunction merge :: ’a list ⇒ ’a list ⇒ ’a list where
merge [] ys = ys
| merge (x # xs) ys = x # merge ys xs
Not primitively recursive! We need a termination proof:
termination
proof(relation "measure (λ(xs, ys). size xs + size ys)")
qed simp_all
With proof automation:
termination by size_change
![Page 71: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/71.jpg)
Well-founded recursion
[a,b,c,d,e]
[X,Y,Z]
merge[a,X,b,Y,c,Z,d,e]
Merge two listsfunction merge :: ’a list ⇒ ’a list ⇒ ’a list where
merge [] ys = ys
| merge (x # xs) ys = x # merge ys xs
Not primitively recursive! We need a termination proof:
termination
proof(relation "measure (λ(xs, ys). size xs + size ys)")
qed simp_all
With proof automation:
termination by size_change
![Page 72: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/72.jpg)
Termination proofs yield induction rules
merge [] ys = ys
merge (x # xs) ys = x # merge ys xs
How can we prove size (merge xs ys) = size xs + size ys?
Structural induction on xs does not work!Induction hypothesis: size (merge xs ys) = size xs + size ys
size (merge (x # xs) ys)
= size (x # merge ys xs) = 1 + size (merge ys xs) = ...
Induction rule for merge(∧ys. ?P [] ys) =⇒ (1st equation)
(∧x xs ys. ?P ys xs =⇒ ?P (x # xs) ys) =⇒ (2nd equation)
?P ?xs ?ys
![Page 73: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/73.jpg)
Termination proofs yield induction rules
merge [] ys = ys
merge (x # xs) ys = x # merge ys xs
How can we prove size (merge xs ys) = size xs + size ys?
Structural induction on xs does not work!Induction hypothesis: size (merge xs ys) = size xs + size ys
size (merge (x # xs) ys)
= size (x # merge ys xs) = 1 + size (merge ys xs) = ...
Induction rule for merge(∧ys. ?P [] ys) =⇒ (1st equation)
(∧x xs ys. ?P ys xs =⇒ ?P (x # xs) ys) =⇒ (2nd equation)
?P ?xs ?ys
![Page 74: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/74.jpg)
Termination proofs yield induction rules
merge [] ys = ys
merge (x # xs) ys = x # merge ys xs
How can we prove size (merge xs ys) = size xs + size ys?
Structural induction on xs does not work!Induction hypothesis: size (merge xs ys) = size xs + size ys
size (merge (x # xs) ys)
= size (x # merge ys xs) = 1 + size (merge ys xs) = ...
Induction rule for merge(∧ys. ?P [] ys) =⇒ (1st equation)
(∧x xs ys. ?P ys xs =⇒ ?P (x # xs) ys) =⇒ (2nd equation)
?P ?xs ?ys
![Page 75: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/75.jpg)
Finitely-branching Rose trees
C [] A [•] D [] E [•,•]
X [] Y [] Z []
T [•,•,•,•]
datatype ’a rtree = Node ’a "’a rtree list"
Structural induction(∧x ts. (
∧t. t ∈ set ts =⇒ ?P t) =⇒ ?P (Node x ts)) =⇒
?P ?tree
![Page 76: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/76.jpg)
Finitely-branching Rose trees
C [] A [•] D [] E [•,•]
X [] Y [] Z []
T [•,•,•,•]
datatype ’a rtree = Node ’a "’a rtree list"
Structural induction(∧x ts. (
∧t. t ∈ set ts =⇒ ?P t) =⇒ ?P (Node x ts)) =⇒
?P ?tree
![Page 77: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/77.jpg)
Mirroring rose trees
C [] A [•] D [] E [•,•]
X [] Y [] Z []
T [•,•,•,•]
rmirror−−−−−→ C []A [•]D []E [•,•]
X []Y []Z []
T [•,•,•,•]
primrec rmirror :: ’a tree ⇒ ’a tree where
rmirror (Node x ts) = Node x (rev (map rmirror ts))
Prove rmirror (rmirror t) = t by structural inductionIH: rmirror (rmirror t) = t for all t ∈ set ts
rmirror (rmirror (Node x ts))
= rmirror (Node x (rev (map rmirror ts)))
= Node x (rev (map rmirror (rev (map rmirror ts))))
= Node x (rev (rev (map rmirror (map rmirror ts))))
= Node x (map (rmirror ◦ rmirror) ts) by IH?= Node x (map id ts) = Node x ts
![Page 78: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/78.jpg)
Mirroring rose trees
C [] A [•] D [] E [•,•]
X [] Y [] Z []
T [•,•,•,•]
rmirror−−−−−→ C []A [•]D []E [•,•]
X []Y []Z []
T [•,•,•,•]
primrec rmirror :: ’a tree ⇒ ’a tree where
rmirror (Node x ts) = Node x (rev (map rmirror ts))
Prove rmirror (rmirror t) = t by structural inductionIH: rmirror (rmirror t) = t for all t ∈ set ts
rmirror (rmirror (Node x ts))
= rmirror (Node x (rev (map rmirror ts)))
= Node x (rev (map rmirror (rev (map rmirror ts))))
= Node x (rev (rev (map rmirror (map rmirror ts))))
= Node x (map (rmirror ◦ rmirror) ts) by IH?= Node x (map id ts) = Node x ts
![Page 79: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/79.jpg)
Conditional term rewriting
Congruence rule for map?xs = ?ys =⇒(∧y. y ∈ set ?ys =⇒ ?f y = ?g y) =⇒
map ?f ?xs = map ?g ?ys
Assume: rmirror (rmirror t) = t for all t ∈ set ts
Show: map (rmirror ◦ rmirror) ts = map id ts
ts =
??ts
∧t. t ∈ set ts =⇒ t ∈ set ts
∧t. t ∈ set
??ts
=⇒ (rmirror ◦ rmirror) t
rmirror (rmirror t)
= ??
(λx. x)
t
map (rmirror ◦ rmirror) ts = ??
map ??
(λx. x) ??ts
![Page 80: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/80.jpg)
Conditional term rewriting
Congruence rule for map?xs = ?ys =⇒(∧y. y ∈ set ?ys =⇒ ?f y = ?g y) =⇒
map ?f ?xs = map ?g ?ys
Assume: rmirror (rmirror t) = t for all t ∈ set ts
Show: map (rmirror ◦ rmirror) ts = map id ts
ts = ??
ts
∧t. t ∈ set ts =⇒ t ∈ set ts
∧t. t ∈ set ??
ts
=⇒ (rmirror ◦ rmirror) t
rmirror (rmirror t)
= ??
(λx. x)
t
map (rmirror ◦ rmirror) ts =
??
map ??
(λx. x)
??
ts
![Page 81: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/81.jpg)
Conditional term rewriting
Congruence rule for map?xs = ?ys =⇒(∧y. y ∈ set ?ys =⇒ ?f y = ?g y) =⇒
map ?f ?xs = map ?g ?ys
Assume: rmirror (rmirror t) = t for all t ∈ set ts
Show: map (rmirror ◦ rmirror) ts = map id ts
ts =
??
ts
∧t. t ∈ set ts =⇒ t ∈ set ts
∧t. t ∈ set
??
ts =⇒ (rmirror ◦ rmirror) t
rmirror (rmirror t)
= ??
(λx. x)
t
map (rmirror ◦ rmirror) ts =
??
map ??
(λx. x) ??
ts
![Page 82: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/82.jpg)
Conditional term rewriting
Congruence rule for map?xs = ?ys =⇒(∧y. y ∈ set ?ys =⇒ ?f y = ?g y) =⇒
map ?f ?xs = map ?g ?ys
Assume: rmirror (rmirror t) = t for all t ∈ set ts
Show: map (rmirror ◦ rmirror) ts = map id ts
ts =
??
ts
∧t. t ∈ set ts =⇒ t ∈ set ts
∧t. t ∈ set
??
ts =⇒
(rmirror ◦ rmirror) t
rmirror (rmirror t) = ??
(λx. x)
t
map (rmirror ◦ rmirror) ts =
??
map ??
(λx. x) ??
ts
![Page 83: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/83.jpg)
Conditional term rewriting
Congruence rule for map?xs = ?ys =⇒(∧y. y ∈ set ?ys =⇒ ?f y = ?g y) =⇒
map ?f ?xs = map ?g ?ys
Assume: rmirror (rmirror t) = t for all t ∈ set ts
Show: map (rmirror ◦ rmirror) ts = map id ts
ts =
??
ts
∧t. t ∈ set ts =⇒ t ∈ set ts∧
t. t ∈ set
??
ts =⇒
(rmirror ◦ rmirror) t
rmirror (rmirror t) =
??
(λx. x) t
map (rmirror ◦ rmirror) ts =
??
map
??
(λx. x)
??
ts
![Page 84: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/84.jpg)
Now it’s your turn
1. Download Programming.thy from the tutorial webpage andopen it in Isabelle/jEdit.
2. Define concat :: ’a list list ⇒ ’a list
Find out how concat behaves w.r.t. @ and rev and prove it.
3. Define pre-order and post-order traversals for rose trees.Prove that preorder (rmirror t) = rev (postorder t).
![Page 85: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/85.jpg)
Preliminaries
Programming
Coprogramming
Codatatypes PrimitiveCorecursion
Coinduction
Advanced Coprogramming
![Page 86: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/86.jpg)
Types with infinite valuestype finite values infinite values
0, S(0), S(S(0)), S(S(S(0))), . . .
nat 0, 1, 2, 3, . . .enat 0, 1, 2, 3, . . . ∞
0, S(0), S(S(0)), S(S(S(0))), . . . S(S(S(S(S(. . .)))))
list [], [0], [0,0], [0,1,2,3,4], . . .stream [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .llist [], [0], [0,0], [0,1,2,3,4], . . . [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .
tree · 4
· ·5
3
· ·8
6
· ·
·
53
· ·8
5
3
· ·8
5
......
·
·
![Page 87: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/87.jpg)
Types with infinite valuestype finite values infinite values
0, S(0), S(S(0)), S(S(S(0))), . . .
nat 0, 1, 2, 3, . . .enat 0, 1, 2, 3, . . . ∞
0, S(0), S(S(0)), S(S(S(0))), . . . S(S(S(S(S(. . .)))))
list [], [0], [0,0], [0,1,2,3,4], . . .stream [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .llist [], [0], [0,0], [0,1,2,3,4], . . . [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .
tree · 4
· ·5
3
· ·8
6
· ·
·
53
· ·8
5
3
· ·8
5
......
·
·
![Page 88: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/88.jpg)
Types with infinite valuestype finite values infinite values
0, S(0), S(S(0)), S(S(S(0))), . . .
nat 0, 1, 2, 3, . . .enat 0, 1, 2, 3, . . . ∞
0, S(0), S(S(0)), S(S(S(0))), . . . S(S(S(S(S(. . .)))))
list [], [0], [0,0], [0,1,2,3,4], . . .stream [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .llist [], [0], [0,0], [0,1,2,3,4], . . . [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .
tree · 4
· ·5
3
· ·8
6
· ·
·
53
· ·8
5
3
· ·8
5
......
·
·
![Page 89: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/89.jpg)
Types with infinite valuestype finite values infinite values
0, S(0), S(S(0)), S(S(S(0))), . . .
nat 0, 1, 2, 3, . . .enat 0, 1, 2, 3, . . . ∞
0, S(0), S(S(0)), S(S(S(0))), . . . S(S(S(S(S(. . .)))))
list [], [0], [0,0], [0,1,2,3,4], . . .stream [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .llist [], [0], [0,0], [0,1,2,3,4], . . . [0,0,0, . . .], [1,2,3, . . .], [0,1,0,1, . . .], . . .
tree · 4
· ·5
3
· ·8
6
· ·
·
53
· ·8
5
3
· ·8
5
......
·
·
![Page 90: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/90.jpg)
Codatatypes in Isabelle/HOL
datatype nat = 0 | Suc nat
codatatype enat =
is_zero:
Zero | eSuc
(epred:
enat
)
where "epred Zero = Zero"
discriminator selector
defaults
datatype ’a list = Nil | Cons ’a "’a list"
codatatype ’a stream = SCons ’a "’a stream"
codatatype ’a llist = LNil | LCons ’a "’a llist"
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree) (val: ’a) (right: ’a tree)
where "left Leaf = Leaf" | "right Leaf = Leaf"
![Page 91: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/91.jpg)
Codatatypes in Isabelle/HOL
datatype nat = 0 | Suc nat
codatatype enat = is_zero: Zero | eSuc (epred: enat)
where "epred Zero = Zero"
discriminator selector
defaults
datatype ’a list = Nil | Cons ’a "’a list"
codatatype ’a stream = SCons ’a "’a stream"
codatatype ’a llist = LNil | LCons ’a "’a llist"
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree) (val: ’a) (right: ’a tree)
where "left Leaf = Leaf" | "right Leaf = Leaf"
![Page 92: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/92.jpg)
Codatatypes in Isabelle/HOL
datatype nat = 0 | Suc nat
codatatype enat = is_zero: Zero | eSuc (epred: enat)
where "epred Zero = Zero"
discriminator selector
defaults
datatype ’a list = Nil | Cons ’a "’a list"
codatatype ’a stream = SCons ’a "’a stream"
codatatype ’a llist = LNil | LCons ’a "’a llist"
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree) (val: ’a) (right: ’a tree)
where "left Leaf = Leaf" | "right Leaf = Leaf"
![Page 93: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/93.jpg)
Codatatypes in Isabelle/HOL
datatype nat = 0 | Suc nat
codatatype enat = is_zero: Zero | eSuc (epred: enat)
where "epred Zero = Zero"
discriminator selector
defaults
datatype ’a list = Nil | Cons ’a "’a list"
codatatype ’a stream = SCons ’a "’a stream"
codatatype ’a llist = LNil | LCons ’a "’a llist"
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree) (val: ’a) (right: ’a tree)
where "left Leaf = Leaf" | "right Leaf = Leaf"
![Page 94: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/94.jpg)
No recursion on codatatypes
datatype nat = 0 | Suc nat
codatatype enat = Zero | eSuc enat
Suppose we could do recursion on codatatypes . . .
primrec to_nat :: enat ⇒ nat where
to_nat Zero = 0
| to_nat (eSuc n) = Suc (to_nat n)
. . . but codatatypes are not well-founded: ∞ = eSuc ∞
to_nat ∞ = to_nat (eSuc ∞) = Suc (to_nat ∞)
n = 1+n
False
![Page 95: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/95.jpg)
No recursion on codatatypes
datatype nat = 0 | Suc nat
codatatype enat = Zero | eSuc enat
Suppose we could do recursion on codatatypes . . .
primrec to_nat :: enat ⇒ nat where
to_nat Zero = 0
| to_nat (eSuc n) = Suc (to_nat n)
. . . but codatatypes are not well-founded: ∞ = eSuc ∞
to_nat ∞ = to_nat (eSuc ∞) = Suc (to_nat ∞)
n = 1+n
False
![Page 96: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/96.jpg)
Building infinite values by primitive corecursion
primitive recursion• datatype as argument
• peel off one constructor
• recursive call only onarguments of the constructor
primitive corecursion• codatatype as result
• produce one constructor
• corecursive call only inarguments to the constructor
codatatype enat = Zero | eSuc enat
primcorec infty :: enat ("∞") where ∞ = eSuc ∞
Derive destructor characterisation:
lemma infty.sel:
"is_zero ∞ = False"
"epred ∞ = ∞"
![Page 97: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/97.jpg)
Building infinite values by primitive corecursion
primitive recursion• datatype as argument
• peel off one constructor
• recursive call only onarguments of the constructor
primitive corecursion• codatatype as result
• produce one constructor
• corecursive call only inarguments to the constructor
codatatype enat = Zero | eSuc enat
primcorec infty :: enat ("∞") where ∞ = eSuc ∞
Derive destructor characterisation:
lemma infty.sel:
"is_zero ∞ = False"
"epred ∞ = ∞"
![Page 98: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/98.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 99: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/99.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 100: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/100.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 101: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/101.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstops
lemma infty.sel:"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 102: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/102.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3
by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 103: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/103.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) =
False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 104: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/104.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 105: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/105.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) =
epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 106: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/106.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 107: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/107.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) =
is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 108: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/108.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 109: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/109.jpg)
Computing with infinite values
Computing with codatatypes is pattern matching on results:We can inspect arbitrary finite amounts of output in finitely many steps.
Addition on enat
primcorec eplus :: "enat ⇒ enat ⇒ enat" (infixl "⊕" 65)
where "m ⊕ n = (if is_zero m then n else eSuc (epred m ⊕ n))"
corecursivecall
guard
corecursiveargument
corecursionstopslemma infty.sel:
"is_zero ∞ = False""epred ∞ = ∞"
Evaluate ∞ ⊕ 3 by observing!is_zero ( ∞ ⊕ 3) = False
epred ( ∞ ⊕ 3) = epred ∞ ⊕ 3
is_zero (epred ∞ ⊕ 3) = is_zero (∞ ⊕ 3) = False
epred (epred ∞ ⊕ 3) = . . .
Conjecture: ∞ ⊕ 3 = ∞
![Page 110: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/110.jpg)
When are two extended naturals equals?
If we can make the same observations!
2
R
=? 2⊕0
is-zero 2 = False = is-zero (1⊕0) = Falseepred 2 = 1
R
=? epred (2⊕0) = epred 2⊕0 = 1⊕0
is-zero 1 = False = is-zero (1⊕0) = Falseepred 1 = 0
R
=? epred (1⊕0) = epred 1⊕0 = 0⊕0
is-zero 0 = True = is-zero (0⊕0) = True
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
![Page 111: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/111.jpg)
When are two extended naturals equals?
If we can make the same observations!
2
R
=? 2⊕0
is-zero 2 = False = is-zero (1⊕0) = Falseepred 2 = 1
R
=? epred (2⊕0) = epred 2⊕0 = 1⊕0
is-zero 1 = False = is-zero (1⊕0) = Falseepred 1 = 0
R
=? epred (1⊕0) = epred 1⊕0 = 0⊕0
is-zero 0 = True = is-zero (0⊕0) = True
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
![Page 112: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/112.jpg)
When are two extended naturals equals?
If we can make the same observations!
2
R
=? 2⊕0
is-zero 2 = False = is-zero (1⊕0) = Falseepred 2 = 1
R
=? epred (2⊕0) = epred 2⊕0 = 1⊕0
is-zero 1 = False = is-zero (1⊕0) = Falseepred 1 = 0
R
=? epred (1⊕0) = epred 1⊕0 = 0⊕0
is-zero 0 = True = is-zero (0⊕0) = True
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
![Page 113: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/113.jpg)
When are two extended naturals equals?
If we can make the same observations!
2
R
=? 2⊕0
is-zero 2 = False = is-zero (1⊕0) = Falseepred 2 = 1
R
=? epred (2⊕0) = epred 2⊕0 = 1⊕0
is-zero 1 = False = is-zero (1⊕0) = Falseepred 1 = 0
R
=? epred (1⊕0) = epred 1⊕0 = 0⊕0
is-zero 0 = True = is-zero (0⊕0) = True
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
![Page 114: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/114.jpg)
When are two extended naturals equals?
If we can make the same observations!
2
R
=? 2⊕0
is-zero 2 = False = is-zero (1⊕0) = Falseepred 2 = 1
R
=? epred (2⊕0) = epred 2⊕0 = 1⊕0
is-zero 1 = False = is-zero (1⊕0) = Falseepred 1 = 0
R
=? epred (1⊕0) = epred 1⊕0 = 0⊕0
is-zero 0 = True = is-zero (0⊕0) = True
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
![Page 115: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/115.jpg)
When are two extended naturals equals?
If we can make the same observations!
2 R
=?
2⊕0
is-zero 2 = False = is-zero (1⊕0) = Falseepred 2 = 1 R
=?
epred (2⊕0) = epred 2⊕0 = 1⊕0
is-zero 1 = False = is-zero (1⊕0) = Falseepred 1 = 0 R
=?
epred (1⊕0) = epred 1⊕0 = 0⊕0
is-zero 0 = True = is-zero (0⊕0) = True
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
![Page 116: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/116.jpg)
Prove that ∞⊕ x = ∞
Coinduction rule for equality
R n m∀n m. R n m −→ is-zero n = is-zero m∧
(¬ is-zero m −→ R (epred n) (epred m))n = m
1. Define R n m←→ n = ∞⊕ x ∧m = ∞
2. Show that R (∞⊕ x) ∞.3. Show bisimulation property of R:
• Assume R n m for arbitrary n, m.So n = ∞⊕ x and m = ∞.
• is-zero n = is-zero (∞⊕ x) = False = is-zero ∞
• Show R (epred n) (epred m):• epred n = epred (∞⊕ x) = epred ∞⊕ x• epred m = epred ∞ = ∞
![Page 117: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/117.jpg)
Isabelle demo
![Page 118: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/118.jpg)
From lazy lists to trees and back
codatatype ’a llist =
lnull: LNil
| LCons (lhd: ’a)
(ltl: ’a llist)
tree_of−−−−−→llist_of←−−−−−
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree)
(val: ’a)
(right: ’a tree)
[0,1,2, ...]tree_of−−−−−→
0
· 1
· 2
· ...
[0,1,2,3,4,5,6, . . .]llist_of←−−−−−
0
1
3
......
5
......
2
4
......
6
......
![Page 119: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/119.jpg)
From lazy lists to trees and back
codatatype ’a llist =
lnull: LNil
| LCons (lhd: ’a)
(ltl: ’a llist)
tree_of−−−−−→llist_of←−−−−−
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree)
(val: ’a)
(right: ’a tree)
[0,1,2, ...]tree_of−−−−−→
0
· 1
· 2
· ...
[0,1,2,3,4,5,6, . . .]llist_of←−−−−−
0
1
3
......
5
......
2
4
......
6
......
![Page 120: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/120.jpg)
From lazy lists to trees and back
codatatype ’a llist =
lnull: LNil
| LCons (lhd: ’a)
(ltl: ’a llist)
tree_of−−−−−→llist_of←−−−−−
codatatype ’a tree =
is_Leaf: Leaf
| Node (left: ’a tree)
(val: ’a)
(right: ’a tree)
[0,1,2, ...]tree_of−−−−−→
0
· 1
· 2
· ...
[0,1,2,3,4,5,6, . . .]llist_of←−−−−−
0
1
3
......
5
......
2
4
......
6
......
![Page 121: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/121.jpg)
Tree chopping
Remove the root of a tree:
chop
x
y
=
y
chop
y
What if there is a Leaf?
![Page 122: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/122.jpg)
Tree chopping
Remove the root of a tree:
chop
x
y
=
y
chop
y
What if there is a Leaf?
![Page 123: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/123.jpg)
Tree chopping
Remove the root of a tree:
chop
x
y
=
y
chop
y
What if there is a Leaf?
![Page 124: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/124.jpg)
Preliminaries
Programming
Coprogramming
Advanced Coprogramming
CorecursionUp To Friends
CoinductionUp To Friends
MixedRecursion-
Corecursion
![Page 125: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/125.jpg)
Am I productive?
![Page 126: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/126.jpg)
s = 0 ## s
primitive corecusion
![Page 127: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/127.jpg)
s = 0 ## s
primitive corecusion
![Page 128: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/128.jpg)
s = 0 ## stl s
stl evil
![Page 129: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/129.jpg)
s = 0 ## stl s
stl evil
![Page 130: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/130.jpg)
s = 0 ## 1 ## s
corecursion up to constructors
![Page 131: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/131.jpg)
s = 0 ## 1 ## s
corecursion up to constructors
![Page 132: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/132.jpg)
eo s = shd s ## eo (stl (stl s))
primitive corecusion
![Page 133: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/133.jpg)
eo s = shd s ## eo (stl (stl s))
primitive corecusion
![Page 134: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/134.jpg)
s = 0 ## 1 ## eo s
eo evil
![Page 135: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/135.jpg)
s = 0 ## 1 ## eo s
eo evil
![Page 136: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/136.jpg)
s ⊕ t = (shd s + shd t) ## (stl s ⊕ stl t)
primitive corecusion
![Page 137: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/137.jpg)
s ⊕ t = (shd s + shd t) ## (stl s ⊕ stl t)
primitive corecusion
![Page 138: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/138.jpg)
s ⊗ t = (shd s * shd t) ## (stl s ⊗ t ⊕ s ⊗ stl t)
corecursion up to ⊕
![Page 139: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/139.jpg)
s ⊗ t = (shd s * shd t) ## (stl s ⊗ t ⊕ s ⊗ stl t)
corecursion up to ⊕
![Page 140: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/140.jpg)
The standard definition
![Page 141: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/141.jpg)
s = 0 ## ((1 ## s) ⊕ s)
corecursion up-to constructors and ⊕
![Page 142: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/142.jpg)
s = 0 ## ((1 ## s) ⊕ s)
corecursion up-to constructors and ⊕
![Page 143: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/143.jpg)
s = (0 ## 1 ## s) ⊕ (0 ## s)
corecursion up to constructors and ⊕⊕ comes before the guard
![Page 144: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/144.jpg)
s = (0 ## 1 ## s) ⊕ (0 ## s)
corecursion up to constructors and ⊕⊕ comes before the guard
![Page 145: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/145.jpg)
s = (1 ## s) ⊗ (1 ## s)
corecursion up to constructors and ⊗⊗ comes before the guard
![Page 146: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/146.jpg)
s = (1 ## s) ⊗ (1 ## s)
corecursion up to constructors and ⊗⊗ comes before the guard
![Page 147: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/147.jpg)
pow2 t = (2 ˆ shd t) ## (stl s ⊗ pow2 t)
corecursion up to ⊗
![Page 148: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/148.jpg)
pow2 t = (2 ˆ shd t) ## (stl s ⊗ pow2 t)
corecursion up to ⊗
![Page 149: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/149.jpg)
s = pow2 (0 ## s)
corecursion up to constructors and pow2
pow2 comes before the guard
![Page 150: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/150.jpg)
s = pow2 (0 ## s)
corecursion up to constructors and pow2
pow2 comes before the guard
![Page 151: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/151.jpg)
selfie s = shd s ## selfie (selfie (stl s) ⊕ selfie s)
corecursion up to ⊕ and selfie [sic!]
![Page 152: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/152.jpg)
selfie s = shd s ## selfie (selfie (stl s) ⊕ selfie s)
corecursion up to ⊕ and selfie [sic!]
![Page 153: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/153.jpg)
s m n = if (m == 0 && n > 1) || gcd m n == 1
then n ## s (m * n) (n + 1)
else s m (n + 1)
mixed recursion/primitive corecursion
![Page 154: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/154.jpg)
s m n = if (m == 0 && n > 1) || gcd m n == 1
then n ## s (m * n) (n + 1)
else s m (n + 1)
mixed recursion/primitive corecursion
![Page 155: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/155.jpg)
s n = if n > 0
then s (n - 1) ⊕ (0 ## s (n + 1))
else 1 ## s 1
mixed recursion/corecursion up to ⊕
![Page 156: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/156.jpg)
s n = if n > 0
then s (n - 1) ⊕ (0 ## s (n + 1))
else 1 ## s 1
mixed recursion/corecursion up to ⊕
![Page 157: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/157.jpg)
s n = if n > 0
then stl (s (n - 1)) ⊕ (0 ## s (n + 1))
else 1 ## s 1
stl really evil
![Page 158: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/158.jpg)
s n = if n > 0
then stl (s (n - 1)) ⊕ (0 ## s (n + 1))
else 1 ## s 1
stl really evil
![Page 159: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/159.jpg)
Isabelle demo
![Page 160: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/160.jpg)
Exercises
Languages as Infinite Tries 8
......
......
a b
a b a b
a b a b a b a b
Growing a Tree 88
[0,1,2,3,4,5,6, . . .]llist_of←−−−−−
0
1
3
......
5
......
2
4
......
6
......
Factorial via Shuffle 888
Prove that s = 1 ## (s ⊗ s) defines the stream of factorials.
![Page 161: Certified Functional (Co)programming withmatryoshka.gforge.inria.fr/cade26-tutorial/slides.pdfBig proofs about programs (an incomplete list) seL4 Microkernel Klein et al. Flyspeck](https://reader035.vdocument.in/reader035/viewer/2022071113/5fe97e3038dadf7d44051abb/html5/thumbnails/161.jpg)
A glimpse
with