Comparing a Formal Proof in Why3, Coq, Isabelle
Jean-Jacques Lévy, Inria Paris - Irif
VIP meeting, 20-11-2018
Slides: pauillac.inria.fr/~levy/talks/18vip/vip.pdf
Slide 2: Motivation
... with Ran Chen, Cyril Cohen, Stephan Merz, Laurent Théry
• to be fully published in articles or journals
• algorithms on graphs = a good testbed (better than )
• nice algorithms should have simple formal proofs
• how to publish formal proofs ?
• formal proofs have to be checked by computer
http://www-sop.inria.fr/marelle/Tarjan/contributions.html
VSTTE 2017, CPP 2019 (?)
Slide 3: A one-pass linear-time algorithm
Tarjan, 1972
Slide 4: Strongly connected components
• maximal subsets of vertices pairwise connected by a path
• depth-first search algorithm pushing vertices on a stack in their order of visit
• computing the oldest vertex reachable by at most one « cross-edge »
• when it is not strictly less than the currently visited vertex, the vertices from the current vertex to the top of the working stack form a new SCC
• the SCC is popped and the algorithm continues
Slide 5: Strongly connected components
[Figure: an example graph on vertices 0 to 9, with its working stack and spanning forest]
Slide 6: Strongly connected components
[Figure: the example run of the algorithm, with two columns of per-vertex values alongside the working stack and spanning forest]
Slide 7: Program
Slide 8: Program
Slide 9: Proof
Slide 10: Program
Slide 11: Program
Slide 12: Invariant
(1) consistent colors
(2) consistent numbering
(3) vertices pairwise distinct in stack
(4) no edge from black to white
(5) in stack any vertex reaches any higher vertex
(6) in stack any vertex reaches a gray lower vertex
(7) the sccs field is the set of black SCCs
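To make the one-pass algorithm and the invariant list concrete, here is an added Python rendering (my code, not the talk's Why3, Coq or Isabelle development) in the dfs1/dfs shape the talk uses: add_stack numbers and pushes a vertex, the lowlink returned by the successors decides between add_black and popping a new SCC, and invariants (3), (4) and (5) are asserted after every dfs1 call on a constructed graph. The encodings num 0 = white and INFTY = popped, and the helper names new_env, reaches and check_invariants, are assumptions of this example.

```python
from types import SimpleNamespace
INFTY = float("inf")  # lowlink returned when x closes an SCC; also the num of popped vertices

def new_env(vertices):  # mirrors the talk's env record: num, stack, black, sn, sccs
    # assumed encoding: num 0 = white (unvisited), INFTY = in an already popped SCC
    return SimpleNamespace(num={v: 0 for v in vertices}, stack=[], black=set(), sccs=[], sn=1)

def reaches(g, src, dst):  # plain reachability search, used only to check invariant (5)
    seen, todo = set(), [src]
    while todo:
        v = todo.pop()
        if v == dst:
            return True
        if v not in seen:
            seen.add(v)
            todo.extend(g[v])
    return False

def check_invariants(g, e):
    assert len(set(e.stack)) == len(e.stack)                                 # (3) distinct
    assert all(e.num[w] != 0 for b in e.black for w in g[b])                 # (4) black -/-> white
    assert all(reaches(g, v, w) for i, v in enumerate(e.stack) for w in e.stack[i + 1:])  # (5)

def dfs1(g, x, e):
    e.num[x], e.sn = e.sn, e.sn + 1                   # add_stack: give x the next serial number
    e.stack.append(x)                                 # and push it (x is gray while on the stack)
    n1 = dfs(g, g[x], e)                              # oldest vertex reachable via the successors
    check_invariants(g, e)
    if n1 < e.num[x]:                                 # an older gray vertex is reachable:
        e.black.add(x)                                # add_black, x stays on the stack
        return n1
    i = e.stack.index(x)                              # otherwise x up to the top is a new SCC
    scc = e.stack[i:]
    del e.stack[i:]
    e.num.update(dict.fromkeys(scc, INFTY))           # popped vertices are never revisited
    e.black.add(x)
    e.sccs.append(frozenset(scc))
    return INFTY

def dfs(g, roots, e):
    n = INFTY
    for x in roots:                                   # visited: its num; white: recurse with dfs1
        n = min(n, e.num[x] if e.num[x] != 0 else dfs1(g, x, e))
    return n

def tarjan(g):  # g: dict vertex -> list of successors; returns the set of SCCs
    e = new_env(g)
    dfs(g, list(g), e)
    return set(e.sccs)

SAMPLE = {"a": ["b"], "b": ["c"], "c": ["a", "d"], "d": []}  # constructed: 3-cycle plus sink d
```

Running `tarjan(SAMPLE)` yields the two SCCs {a, b, c} and {d}; a violated invariant shows up as an AssertionError at the exact dfs1 return where it breaks.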
Slide 13: Why3 Proof
Slide 14: Pre/Post-conditions
LOWLINK
Slide 15: Assertions
Slide 16: Assertions
Coq
Slide 17: Coq proof
• y' in sccs
• 3 cases on y'
• y' is a white vertex
• y' in s3
dfs (successors x)
Slide 18: Assertions
+ 2 Coq proofs (16 loc + 141 loc)
Slide 19: Coq Proof
Slide 20: Functions

```coq
Record env := Env {
  black : {set V};
  stack : seq V;
  sccs  : {set {set V}};
  sn    : nat;
  num   : {ffun V -> nat}
}.

(* dfs1 visits a white vertex x: push it, explore its successors, then either
   mark it black (an older vertex is reachable) or pop a new SCC topped by x *)
Definition dfs1 dfs x e :=
  let: (n1, e1) := dfs [set y in successors x] (add_stack x e) in
  if n1 < sn e then (n1, add_black x e1) else (infty, add_sccs x e1).

(* dfs visits the set of roots r one vertex at a time, taking the minimum lowlink *)
Definition dfs dfs1 dfs' r e :=
  if [pick x in r] isn't Some x then (infty, e) else
  let r' := r :\ x in
  let: (n1, e1) := if num e x != 0 then (num e x, e) else dfs1 x e in
  let: (n2, e2) := dfs' r' e1 in
  (minn n1 n2, e2).
```
Slide 21: Functions

```coq
(* the recursion is fuelled by n; the fuel bound N suffices for any run *)
Fixpoint tarjan_rec n :=
  if n is n1.+1 then dfs (dfs1 (tarjan_rec n1)) (tarjan_rec n1)
  else fun r e => (infty, e).

Let N := #|V| * #|V|.+1 + #|V|.

Definition tarjan := sccs (tarjan_rec N setT e0).2.
```
Slide 22: Proof

```coq
Definition dfs_correct (dfs : {set V} -> env -> nat * env) r e :=
  pre_dfs r e -> let (n, e') := dfs r e in post_dfs r e e' n.

Definition dfs1_correct (dfs1 : V -> env -> nat * env) x e :=
  (x \in white e) -> pre_dfs [set x] e ->
  let (n, e') := dfs1 x e in post_dfs [set x] e e' n.
```
Slide 23: Proof

```coq
Lemma dfs_is_correct dfs1' dfs' (r : {set V}) e :
  (forall x, x \in r -> dfs1_correct dfs1' x e) ->
  (forall x, x \in r -> forall e1, white e1 \subset white e ->
     dfs_correct dfs' (r :\ x) e1) ->
  dfs_correct (dfs dfs1' dfs') r e.

Lemma dfs1_is_correct dfs' (x : V) e :
  dfs_correct dfs' [set y | edge x y] (add_stack x e) ->
  dfs1_correct (dfs1 dfs') x e.

Theorem tarjan_rec_terminates n r e :
  n >= #|white e| * #|V|.+1 + #|r| -> dfs_correct (tarjan_rec n) r e.
```
Slide 24: Isabelle/HOL Proof
Slide 25: Proof

```isabelle
function (domintros) dfs1 and dfs where
  "dfs1 x e =
     (let (n1, e1) = dfs (successors x) (add_stack_incr x e) in
      if n1 < int (sn e) then (n1, add_black x e1)
      else (let (l, r) = split_list x (stack e1) in
            (+∞, (| black = insert x (black e1), gray = gray e, stack = r,
                   sn = sn e1, sccs = insert (set l) (sccs e1),
                   num = set_infty l (num e1) |))))"
| "dfs roots e =
     (if roots = {} then (+∞, e)
      else (let x = SOME x. x ∈ roots;
                res1 = (if num e x ≠ -1 then (num e x, e) else dfs1 x e);
                res2 = dfs (roots - {x}) (snd res1)
            in (min (fst res1) (fst res2), snd res2)))"
```
Slide 26: Proof

```isabelle
theorem dfs1_dfs_termination:
  "⟦x ∈ vertices - colored e; colored_num e⟧ ⟹ dfs1_dfs_dom (Inl (x, e))"
  "⟦r ⊆ vertices; colored_num e⟧ ⟹ dfs1_dfs_dom (Inr (r, e))"

theorem dfs_partial_correct:
  "⟦dfs1_dfs_dom (Inl (x, e)); dfs1_pre x e⟧ ⟹ dfs1_post x e (dfs1 x e)"
  "⟦dfs1_dfs_dom (Inr (r, e)); dfs_pre r e⟧ ⟹ dfs_post r e (dfs r e)"

definition colored_num where
  "colored_num e ≡ ∀v ∈ colored e. v ∈ vertices ∧ num e v ≠ -1"

theorem dfs_correct:
  "dfs1_pre x e ⟹ dfs1_post x e (dfs1 x e)"
  "dfs_pre r e ⟹ dfs_post r e (dfs r e)"
```
Slide 27: Conclusion
Slide 28: Why3 - Coq - Isabelle
... other systems?

| | Why3 | Coq | Isabelle/HOL |
|---|---|---|---|
| expressivity | - | ++ | + |
| readability | +++ | - | + |
| stability | - | +++ | + |
| ease of use | - | - | - |
| automation | ++ | - | + |
| partial correctness | +++ | - | - - |
| code extraction | ++ | + | - |
| trusted base | - | +++ | +++ |
| # lines auto | 392 | 0 | ? (314 ui) |
| # lines manual | 157 | 1535 | 1690 |
http://www-sop.inria.fr/marelle/Tarjan/contributions.html
Slide 29: Todo list
• other algorithms (biconnected, planarity, minimum spanning tree)
• proof of implementation
• teaching