Teaching Experience: Logic and Formal Methods with Coq
Martin Henz and Aquinas Hobor
School of Computing, National University of Singapore
WARNING
YOU ARE ABOUT TO HEAR THE LEAST TECHNICAL TALK AT CPP / APLAS 2011
Introductory Logic (At NUS SoC: CS3234 & CS5209)
Propositional Logic
Predicate Logic
Induction
Modal Logic
Hoare Logic
Why is teaching logic hard?
What do the students say?
Hard and very abstract
Dry and boring
Removed from applications
What can we do?
What about introducing tool support?
How can a tool help address some of our problems?
“Hard and very abstract”
A partial win
Students often do not know when a proof is correct – tools help with this problem a lot
On the other hand, the topic is still abstract
Also, the students now have to learn how to use the tool – makes their job harder
“Dry and boring”
A major win
Students in computer science enjoy using computers!
Some tools can be a lot of fun to use
“Building [Coq] scripts is surprisingly addictive, in a videogame kind of way…” [Xavier Leroy, 2005]
“Removed from applications”
A partial win
Students appreciate getting hands on a tool
We can bring up success stories for that tool
But we have found that it is not enough – we adjust by trying to bring up other example applications as we go through the curriculum
Selecting Coq
There are lots of tools out there: SAT solvers, model checkers, proof assistants, program verifiers, …
There is a cost to learn each tool
Breadth vs. depth tradeoff
Coq is useful for almost the entire course
Integrating Coq into the Curriculum
See our paper!
We have also produced a (very much in progress, alpha) series of lecture notes (~80 pages) on the basic topics we cover: www.comp.nus.edu.sg/~henz/cs3234
For the rest of this talk I am going to cover a few highlights, lowlights, and options we have explored.
Topic 1: Aristotelian (Term) Logic
Start with something that may be more familiar: syllogisms
Syntax vs. semantics, proof theory (natural deduction), semantic arguments (models)
Introduce Coq
With Notation you can write things like “All Greeks are humans.” in Coq!
Topic 1: Aristotelian (Term) Logic
Semantics is naive set theory (Venn diagrams)
Good puzzles from Lewis Carroll:
1. No ducks waltz.
2. No officers ever decline to waltz.
3. All my poultry are ducks.
It should be obvious that: No officers are my poultry.
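How the syllogism notation and the Lewis Carroll puzzle look in Coq, as an added example (this is not code from the slides or from the course notes): the abstract universe U, the predicate names, the notation precedence levels and the hypothesis names are my own choices.

```coq
(* The universe of discourse is left abstract (an assumed Parameter); terms of
   a syllogism are predicates over it, and the semantics is the naive
   set-theoretic one: "All A are B" is subset inclusion. *)
Parameter U : Type.

(* Aristotelian sentence forms as notations.  The quoted words become
   keywords, so the statements below read as they do on the slides. *)
Notation "'All' A 'are' B" := (forall x : U, A x -> B x)
  (at level 70, A at level 99, B at level 69).
Notation "'No' A 'are' B" := (forall x : U, A x -> ~ B x)
  (at level 70, A at level 99, B at level 69).

Section Syllogisms.
  Variables greeks humans mortals : U -> Prop.

  (* Barbara: at the meta level the proof is just composing the two
     inclusions. *)
  Theorem barbara :
    All greeks are humans -> All humans are mortals -> All greeks are mortals.
  Proof.
    intros Hgh Hhm x Hg. apply Hhm. apply Hgh. exact Hg.
  Qed.
End Syllogisms.

(* Lewis Carroll's puzzle from the slide: the three premises are hypotheses
   and the "obvious" conclusion is the theorem. *)
Section Ducks.
  Variables ducks waltzers officers poultry : U -> Prop.

  Hypothesis no_ducks_waltz    : No ducks are waltzers.      (* 1. No ducks waltz. *)
  Hypothesis officers_waltz    : All officers are waltzers.  (* 2. No officers ever decline to waltz. *)
  Hypothesis poultry_are_ducks : All poultry are ducks.      (* 3. All my poultry are ducks. *)

  Theorem no_officers_are_poultry : No officers are poultry.
  Proof.
    intros x Hoff Hpoul.
    (* x is poultry, hence a duck, hence does not waltz ... *)
    apply (no_ducks_waltz x (poultry_are_ducks x Hpoul)).
    (* ... but every officer waltzes. *)
    exact (officers_waltz x Hoff).
  Qed.
End Ducks.
```

Compiled with coqc, the file is accepted only if both proofs close; the natural-deduction steps students write on paper (instantiate the universal, apply the implication) are exactly the intros and apply steps here.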
Topic 2: Object vs. Meta logic
We find it useful to cover propositional logic in Coq twice
We first cover it encoded as a datatype: Inductive Formula : Type := | AndForm : Formula -> Formula -> Formula …
We provide a module signature with the axioms of propositional logic
We have them prove simple facts via those axioms (in a module functor).
We point out that the tactics they have been using (e.g., split) are similar to axioms in the module signature (e.g., conj_i)
We find this approach helps students understand the distinction between object logic and meta logic.
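One way to set up the object/meta distinction described above, as an added example (not the course's own module signature or functor): the Formula constructors beyond AndForm, the axiom set, the Provable predicate, the functor and the truth-table model are my own choices, with conj_i kept as on the slide.

```coq
Require Import Bool.

(* Object-level syntax: propositional formulas as a datatype. *)
Inductive Formula : Type :=
| VarForm : nat -> Formula
| AndForm : Formula -> Formula -> Formula
| OrForm  : Formula -> Formula -> Formula.

(* The proof system as a module signature: provability is an abstract
   predicate and the natural-deduction rules are its axioms. *)
Module Type ND.
  Parameter Provable : Formula -> Prop.
  Axiom conj_i  : forall A B, Provable A -> Provable B -> Provable (AndForm A B).
  Axiom conj_e1 : forall A B, Provable (AndForm A B) -> Provable A.
  Axiom conj_e2 : forall A B, Provable (AndForm A B) -> Provable B.
  Axiom disj_i1 : forall A B, Provable A -> Provable (OrForm A B).
  Axiom disj_i2 : forall A B, Provable B -> Provable (OrForm A B).
End ND.

(* A functor: facts that hold in every model of the signature, proved from
   the axioms alone.  conj_i is applied where the tactic split would be used
   at the meta level. *)
Module ObjectLemmas (L : ND).
  Import L.

  Lemma and_comm_obj : forall A B,
    Provable (AndForm A B) -> Provable (AndForm B A).
  Proof.
    intros A B H.
    apply conj_i.
    - exact (conj_e2 A B H).
    - exact (conj_e1 A B H).
  Qed.
End ObjectLemmas.

(* The same fact at the meta level, about Coq's own /\: split is the built-in
   counterpart of conj_i, destruct of conj_e1 / conj_e2. *)
Lemma and_comm_meta : forall A B : Prop, A /\ B -> B /\ A.
Proof.
  intros A B H. destruct H as [HA HB]. split.
  - exact HB.
  - exact HA.
Qed.

(* One model of the signature: truth-table semantics, with Provable meaning
   "true under every valuation".  Checking the module against ND is a
   soundness proof of the axioms for this model. *)
Module BoolModel <: ND.
  Fixpoint eval (v : nat -> bool) (f : Formula) : bool :=
    match f with
    | VarForm n   => v n
    | AndForm a b => andb (eval v a) (eval v b)
    | OrForm a b  => orb (eval v a) (eval v b)
    end.

  Definition Provable (f : Formula) : Prop := forall v, eval v f = true.

  Lemma conj_i : forall A B, Provable A -> Provable B -> Provable (AndForm A B).
  Proof. intros A B HA HB v. simpl. rewrite (HA v), (HB v). reflexivity. Qed.

  Lemma conj_e1 : forall A B, Provable (AndForm A B) -> Provable A.
  Proof.
    intros A B H v. specialize (H v). simpl in H.
    apply andb_true_iff in H. destruct H as [HA _]. exact HA.
  Qed.

  Lemma conj_e2 : forall A B, Provable (AndForm A B) -> Provable B.
  Proof.
    intros A B H v. specialize (H v). simpl in H.
    apply andb_true_iff in H. destruct H as [_ HB]. exact HB.
  Qed.

  Lemma disj_i1 : forall A B, Provable A -> Provable (OrForm A B).
  Proof. intros A B HA v. simpl. rewrite (HA v). reflexivity. Qed.

  Lemma disj_i2 : forall A B, Provable B -> Provable (OrForm A B).
  Proof. intros A B HB v. simpl. rewrite (HB v). apply orb_true_r. Qed.
End BoolModel.

(* Instantiating the functor transfers the object-level lemmas to the model. *)
Module BoolLemmas := ObjectLemmas BoolModel.
Check BoolLemmas.and_comm_obj.
```

The point for students is visible in the two and_comm proofs: the object-level one may only use the names exported by ND, while the meta-level one uses Coq's tactics directly, and the model shows why the axioms are trustworthy.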
Topic 3: Explaining Coq
Teaching with Coq becomes a bit entwined with teaching Coq.
To a typical third-year undergraduate student, Coq is remarkably close to voodoo.
Poor error messages don’t help matters…
This tends to cause undue hacking, etc.
We have found a particular form of diagram (shown on the slide) useful when explaining tactics to students.
Topic 4: Predicate Logic
It is extremely useful to demonstrate binder management via Coq.
That is, use the “rewrite” tactic to show how Coq handles variable capture, etc.
Paper proofs improved once they could try such things out in the theorem prover.
Topic 5: Induction
Students usually have a very hard time understanding induction on paper.
Coq handles induction beautifully.
We saw a significant increase in comprehension vs. prior years in understanding induction.
Their paper proofs improved a lot as a result!
Topic 6: Modal Logic
Coq does not directly support natural deduction proofs in modal logic.
Best available: [de Wind ’01]. Still not much fun.
Semantic style: use modal operators to express theorems, but often have to unfold definitions to prove them.
We did get some benefits from using Coq.
We covered a kind of higher-order multimodal logic.
One benefit was that we were able to investigate correspondence theory in Coq.
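A small piece of correspondence theory done in the semantic style the slide describes, as an added example (not the course's own modal-logic development): the Kripke-frame encoding, the definition of validity as quantification over valuations, and the lemma names are my own choices. It shows both points on the slide: the theorems are stated with box and diamond, but the proofs have to unfold them.

```coq
(* Kripke frames: worlds W with an accessibility relation R.  A (semantic)
   formula is a set of worlds, and the modal operators are defined over R. *)
Section Correspondence.
  Variable W : Type.
  Variable R : W -> W -> Prop.

  Definition formula := W -> Prop.

  Definition box (p : formula) : formula := fun w => forall v, R w v -> p v.
  Definition dia (p : formula) : formula := fun w => exists v, R w v /\ p v.

  (* A schema is valid on the frame if it holds at every world for every
     choice of the letter p, i.e. for every valuation. *)
  Definition valid (f : formula -> formula) : Prop := forall p w, f p w.

  (* Axiom T: []p -> p.  Axiom 4: []p -> [][]p. *)
  Definition T    (p : formula) : formula := fun w => box p w -> p w.
  Definition Four (p : formula) : formula := fun w => box p w -> box (box p) w.

  Definition reflexive  := forall w, R w w.
  Definition transitive := forall w v u, R w v -> R v u -> R w u.

  (* Correspondence: T is valid exactly on reflexive frames.  The interesting
     direction instantiates the valuation with p := "accessible from w". *)
  Theorem T_iff_reflexive : valid T <-> reflexive.
  Proof.
    unfold valid, T, box, reflexive. split.
    - intros HT w.
      exact (HT (fun v => R w v) w (fun v Hv => Hv)).
    - intros Hrefl p w Hbox.
      exact (Hbox w (Hrefl w)).
  Qed.

  (* 4 is valid exactly on transitive frames, by the same recipe. *)
  Theorem Four_iff_transitive : valid Four <-> transitive.
  Proof.
    unfold valid, Four, box, transitive. split.
    - intros H4 w v u Hwv Hvu.
      exact (H4 (fun x => R w x) w (fun x Hx => Hx) v Hwv u Hvu).
    - intros Htrans p w Hbox v Hwv u Hvu.
      exact (Hbox u (Htrans w v u Hwv Hvu)).
  Qed.

  (* Duality, again by unfolding: <>p contradicts []~p. *)
  Lemma dia_box_dual : forall p w, dia p w -> ~ box (fun v => ~ p v) w.
  Proof.
    unfold dia, box. intros p w [v [Hwv Hp]] Hbox.
    exact (Hbox v Hwv Hp).
  Qed.
End Correspondence.
```

Because box and dia are definitions rather than primitive connectives, there is no modal natural deduction to appeal to; every proof drops to the first-order statement about R, which is the trade-off the slide points out.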
Topic 7: Hoare Logic
Concrete program verification in Coq is extremely painful.
Maybe better tactics would help, or some other clever tricks… not sure.
We had to assign virtually all of the concrete verifications by hand.
Instructors used Coq to debug Huth & Ryan (the textbook).
Maybe it would be valuable to add a second tool.
We had more success on the semantic side of Hoare logic – usually ignored in courses.
Used a “dynamic logic” approach to define the Hoare tuple via modal logic.
If you set things up just right, the students can prove the soundness of a simple Hoare logic (both partial and total) in Coq!
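Soundness of a small partial-correctness Hoare logic set up the way the slide describes, as an added example (not the course's own development): the Hoare tuple is defined through a dynamic-logic box over a big-step semantics, and each proof rule becomes a lemma about that definition. The while-language, the semantic treatment of expressions and guards, and the lemma names are my own choices; total correctness is not covered here.

```coq
(* Variables are numbered; a state gives every variable a value.  Expressions
   and guards are kept semantic (functions of the state) to stay short. *)
Definition var := nat.
Definition state := var -> nat.
Definition update (s : state) (x : var) (v : nat) : state :=
  fun y => if Nat.eqb x y then v else s y.

Inductive cmd : Type :=
| CSkip   : cmd
| CAssign : var -> (state -> nat) -> cmd
| CSeq    : cmd -> cmd -> cmd
| CWhile  : (state -> bool) -> cmd -> cmd.

(* Big-step semantics: eval c s s' means running c from s terminates in s'. *)
Inductive eval : cmd -> state -> state -> Prop :=
| E_Skip : forall s, eval CSkip s s
| E_Assign : forall s (x : var) (e : state -> nat),
    eval (CAssign x e) s (update s x (e s))
| E_Seq : forall c1 c2 s s' s'',
    eval c1 s s' -> eval c2 s' s'' -> eval (CSeq c1 c2) s s''
| E_WhileFalse : forall (b : state -> bool) c s,
    b s = false -> eval (CWhile b c) s s
| E_WhileTrue : forall (b : state -> bool) c s s' s'',
    b s = true -> eval c s s' -> eval (CWhile b c) s' s'' ->
    eval (CWhile b c) s s''.

Definition assertion := state -> Prop.

(* The dynamic-logic box [c]Q: every terminating run of c from s ends in Q.
   A partial-correctness Hoare tuple is then "P implies [c]Q" at every state. *)
Definition box (c : cmd) (Q : assertion) : assertion :=
  fun s => forall s', eval c s s' -> Q s'.
Definition hoare (P : assertion) (c : cmd) (Q : assertion) : Prop :=
  forall s, P s -> box c Q s.

(* Soundness: each proof rule of the Hoare logic is a lemma. *)
Lemma hoare_skip : forall P, hoare P CSkip P.
Proof.
  unfold hoare, box. intros P s HP s' Hev. inversion Hev; subst. exact HP.
Qed.

Lemma hoare_assign : forall Q (x : var) (e : state -> nat),
  hoare (fun s => Q (update s x (e s))) (CAssign x e) Q.
Proof.
  unfold hoare, box. intros Q x e s HP s' Hev. inversion Hev; subst. exact HP.
Qed.

Lemma hoare_seq : forall P Q R c1 c2,
  hoare P c1 Q -> hoare Q c2 R -> hoare P (CSeq c1 c2) R.
Proof.
  unfold hoare, box. intros P Q R c1 c2 H1 H2 s HP s'' Hev.
  inversion Hev; subst.
  eapply H2; [eapply H1 | ]; eassumption.
Qed.

(* The while rule is the one place induction on the evaluation derivation is
   needed; remembering the loop keeps the induction hypotheses usable. *)
Lemma hoare_while : forall P (b : state -> bool) c,
  hoare (fun s => P s /\ b s = true) c P ->
  hoare P (CWhile b c) (fun s => P s /\ b s = false).
Proof.
  unfold hoare, box. intros P b c Hbody s HP s' Hev.
  remember (CWhile b c) as w eqn:Hw.
  induction Hev; inversion Hw; subst; clear Hw.
  - split; assumption.
  - apply IHHev2; [reflexivity | ].
    eapply Hbody; [split | ]; eassumption.
Qed.

Lemma hoare_consequence : forall (P P' Q Q' : assertion) c,
  (forall s, P s -> P' s) -> hoare P' c Q' -> (forall s, Q' s -> Q s) ->
  hoare P c Q.
Proof.
  unfold hoare, box. intros P P' Q Q' c Hpre Hc Hpost s HP s' Hev.
  apply Hpost. exact (Hc s (Hpre s HP) s' Hev).
Qed.

(* A concrete tuple derived from the rules: even this one needs the
   intermediate assertion spelled out by hand. *)
Example assign_one :
  hoare (fun _ => True) (CAssign 0 (fun _ => 1)) (fun s => s 0 = 1).
Proof.
  apply hoare_consequence
    with (P' := fun s => (fun s => s 0 = 1) (update s 0 ((fun _ => 1) s)))
         (Q' := fun s => s 0 = 1).
  - intros s _. cbv. reflexivity.
  - apply hoare_assign.
  - intros s H. exact H.
Qed.
```

The semantic side is where the definitions pay off: hoare_skip, hoare_assign and hoare_seq are a single inversion each, and hoare_while is a short induction once the CWhile term is remembered. The last example is the flip side the slide mentions: concrete verification means writing the exact precondition that hoare_assign produces, which is what makes program proofs tedious without better automation.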
Topic 8: Odds and Ends
Custom tactics: we tried it, most of the time we avoid it now.
Homework: we try to assign some of the same problems both in Coq and on paper.
Applications: we discuss several (sports tournament scheduling, network security analysis, etc.).
It takes significant experimentation to find the right definitions.
Running this course took a lot of time. Hopefully as the notes become more polished this will be reduced.
Cheating: it’s an issue. Our final exams are done in the lab and are 40% in Coq.
A final quote
“I would like to thank you for the Automated Theorem Prover (Coq) you taught in the CS5209 course. It makes life easy while trying to prove theorems as compared to the paper part. In addition to this, it saves the life of students in the final exam. In the beginning of the course I hated Coq a lot, but slowly I started liking it as I understood the way tactics work and how to use them. Now it has become my most favorite and interesting part of this course.” (2009/2010)