ffirN*I.a INRIA

(1)

Design of the next ^7OO Proof Assistants

Gérard

^H

uet

Pro_let Coq

INRIA Rocquencourt

ffirN*I.a

^E6 ^[^FLoc^-^Rutgers^-^{July 28th}^1ee6^-^1]

(2)

PLAN

.

General Design Issues

o

Zippers

o

Bôhm Trees

o

Mathematics modelling

ffitN.*"I.a

^E6 ^[^FLoc^-^Rutgers^-^Juty^{28th tss6}^-^2l

(3)

General Design Issues

o Why yet

another

proof

_assistant?

o

Overa

ll

^arch^itectu^re

ffitN.xI.a

^U I ^FLoc- Rutgers - Jury 28th 19e6 - ³]

(4)

A few ^popular ^proof ^assistants

o

ACL2

I

o

LCF-HOL

O NUPRL

o

PVS

o rMPS / ^ff ^iz ^&R

o

^Isabelle

o

Coq-Atf-Lego

i oB

o Elf

o

LP,

etc

ffirN*"I.a

^E6 ^[^FLoc^-^Rutgers^-^Juty^28th^1ee6^-^4l

(5)

YAPA?

o Who will

use it?

For

what

concrete _Purpose?

What

is

the

comPetition?

o

How could we share

the

^efFort?

ffirN.xI.a

^E6 ^[^FLoc^-^Rutgers^-^Jury^28th^1ee6^-⁵^]

(6)

Example 1 : ^proof ^trees

o

Should one keep proof trees around?

+

Program extraction

+ Self-certified

mobile code

+ ^Auditing

^proofs

ⁱⁿ ^natural

^language

Size vs Speed

Decision procedures, rewriting

ffitN.&I.a

^E6 ^[^FLoc^-^Rutgers^-^July^28th^1ee6^-⁶^]

(7)

Example 2: ^libraries

o What

should

the

library

structure

^be?

o Modularity,

Naming

o

Search

for

^relevant^lemmas

o

Phase distinction

o

Dependency analysis

o

Sharing

with other

sites

o

Version ma nagement

o

Sharing

with other

^provers

(qf

^D!)

ffitN.*"I.a Eô

_I^FLoC^-^Rutgers^-^July^28th¹⁹⁹⁶_-⁷]

(8)

Overa

^I

I

^arch

itectu

^re

o Logical

Framework

o

Algorith ms

o

Programmability

o

User interface

o

User-defined notation?

o

Shared

data

base

of

^proven^facts

o

User assistance

o

Software eng ineering , tools

o Will it

scale up?

W ^{/N RIA}

^E6 ^[^FLoc^-^Rutgers^-^Jury^28th^1ee6^-⁸^]

(9)

I got this in the mail today

The

following articles are submitted

to the

Mizar Mathemat-

ical

Library:

1. Piotr

Rudnicki and Andrzej Trybulec

submitted

an article

entitled: "on _the

compositions

of

macro instructions"

2.

^Yatsu

ka

^{N a}ka m u

ra

^and And rzej Trybu lec ^subm

itted

articles

entitled:

^"Some

Topological

Properties

of

Cells

in

^p2

and "The _First _Part of

Jordan's Theorem

for

Special ^poly- gons"

3. Noriko Asamoto, Yatsuka Nakamura, piotr

_Rudnicki

and And

rzej Trybulec submitted

articles

entitled:

^"

On

the compositions

of macro instructions, Part II" ^and

^"

on

the compositions

of

macro

instructions,

Part

III"

The

^preprints

of the

above articles are available at:

http ^:_//mat}r-. uw.

bialystok

.pL/ ^-Form.Math/Preprints Czeslaw Bylinski

Library

committee of the

Association

of Mizar

Users

ft(r ^N.xI"a

^'Ëô _[^FLoC^-^Rutgers^-^Juty^28th^1ee6_-^e]

(10)

Abstract Syntax

Any

implementer

of a ^proof

assistant,

a

programming envi- ronment,

or

a

formal computation

system, is faced early on

with the

^problem

of

designing an abstract syntax framework.

Typical

concerns are:

o

well-formedness

wrt

^arities

^of

^operators

o list

structures

o

bind

ing

operators, loca I defin itions

o

recu rsion

Usual solutions are:

o

LISP

o free

algebras

+

^lists

o

^pureÀ-calculus

.. À-n _lAutomath _lElf

ffitN.xI"a

^E6 ^[^FLoC^-^Rutgers^-^Jury^28th^1ee6^-¹⁰^]

(11)

Managing the state

o

Version ma nagement

o

Dumps, Saves, Updates

o

Global context

o

Undo

o

Pragmas and flags

o

Clicking,

structure

editing

o

Notation

o

Applicative structu res

vs

Destructive ^editing

ft{

^r

N.*"1.a

E6 _[_FLoc_-_Rutgers_-_July_{28th leeo}_-₁₁_]

(12)

The zipper data structure

o

Mentor

,o Applicative

arrays

.

Emacs

o

hierarchical local

Turing

^machine

ffitN.*"I"a

^E6 [ ^FLoc- ^Rutgers- Jury 28th 1ee6 - ¹²^]

(13)

The zipper type

type tree

=

Item of int

I

^Section

of tree list;

;

type path

= ToP

I

^Node

of path * tree list * tree list;

;

type location ₌

Loc

of tree * path;;

Node(p,I,r)

contains

the father

^path

p, its left I

^and

right r

brother

trees- Note: a path

has brother

trees,

uncle trees, great-uncle trees,

etc But its father

is a

path, not

a

tree

like

in

Mentor's

tree

^processor.

ffitN.*I"a

^E6 ^[^FLoC^-^Rutsers^-^July^28th^1ee6^-^{13 ]}

(14)

Updating and Inserting in a zipper

let

^change

(Loc(-,p)) t ₌ Loc(t,p);;

l-et insert-left (Loc(t,p)) t'

= ^match

p with ToP

^>

I lrlode(up,left,right) -> Loc(t',Node(up,left,t

^:

:right))

; ^;

ffitN.*"I"a

^E6 ^[^FLoc^-^Rutgers^-^July^28th^1ee6^-¹⁴^]

(15)

,d

t\j

l I I ,

aa'

(16)

Navigating in a zipper

let left

^(Loc(t,p)

)

= ^match

p with ToP

^>

I

Node(up,I:

:left,right)

^>

I_

^>

let

down

(Loc(t,p))

₌match

t with

Item(_)

^>

I

Section(t1 ^:^:

trees)

^>

|_

^>

let up

^(Loc

^(t

, p)

)

= ^match

p with ToP

^>

I

^Noae^(up,

^left

^,

right)

->

Loc(Section(concat

(t: :right) tett)

_,up); ^;

ft(

^r

N.*,1"a _E6

[ ^FLoc- ^Rutgers- Jury 28th rsso - ^rs^]

(17)

Scoping and

^para

meterization

(À-ca lcu lus issues)

o

naming

of

variables

o

non-locality

of

_B-rule

.

^defⁱⁿitions

.

recu rsion

.

^approximations

o ^proof

search

ffitN.*"I"a

^E6 ^[^FLoC^-^Rutgers^-^July^{28th leeo}^-^{16 ]}

(18)

Bi nd ⁱn g

/ ^Scopi ^ng/

^N^a^mi^ng

A

perplexing

state of

^afFairs.

.

a-conversion

o de

BruUn indexes

o

com binators

o

^M

iller

^patterns

o

Pfenning HOAS

o

Ta

lcott

^bind

ing

structu ^res

.

Pollack's meta-theory

of

LEGO

o Explicit

^substitutions

W ^/N ^RIA

^E6 ^[^FLoc^-^Rutgers^-^{July 28th}^1ee6^-¹⁷^]

(19)

Explicit

^su

bstitutions

o Abadi

Cardelli Curien Lévy

o

Hardin Lévy

o

Lescanne; Rios; Kamareddine

.

^Mufroz

o

Dowek Hardin Kirchner

o

etc

ffitN.*"I.a

^E6 ^[^FLoc^-^Rurgers^-^Jury^28th^1e96^-^{18 ]}

(20)

Sharing

.

Dags

(UNIX

links,

TRS,

etc)

o

À-ca lcu lus

+

^Wadsworth

+

^LévY

+

^Lamping

+ ^Gonthier l

o

Sharing modulo computing

+

^symbolic^link

+

^U

^RL

^book^.ps.gz

+

^BDDs

+

^Sharingsubstitutions

ffitN.*"I"a

^E6 ^[^FLoc^-^Rutgers^-^{July 28th}^].ee6^-^1e^l

(21)

An notations

Annotations

are essential.

They

represent points

of view. It

should be ^possible

to

add new annotations

without

changing

the type of the

core structu

re,

^and

without

^distu rba nce

for

processes unconcerned by

this point of

view.

OO solution? Methods for copying, moving, etc.

Chet's OO-engine

f9r

adding judgements

to

^Coq's^engine.

There

are''à _'num

ber of

featu res

to ^be

^added

to

^ou

r

theory

in

order

to

^meetlong

term ^goals.

These include:

(1)

annotations;

(2)

^generic

tools for structure walking,

matching and unifi-

cation;

^and

(3)

representation

of

binding structures in terms

of

mutable structu res.

(C. Talcott)

ffirN.xI"a

^EÉ ^[^FLoc^-^Rutgers^-^{July 28th}^1ee6^-²⁰^]

(22)

Constraints, unification

Constraints are essential

for

delaying

the

^search

for

existen-

cia ls.

o Constr{in}O

resolution

\)

o

Prolog

o Type

reconstruction

o Floating

universes

o

Linear arithfnetic

ffitN.*"IA

^E6 ^[^FLoC^-^Rutgers^-^July^28th^1ee6^-²¹^]

(23)

À-terms vs Bôhm trees

.\ \ut'\uz'(("r ^uz) \ug'us)

I

\ ut

^u2^'

^ut(uz, \

^u3^'^ue)

Èêad normal forms

vs

unsolvables

À,r

u2...'t-Ln' u;(Ttr ...rTp)

Separability:

Bôhm's theorem.

W ^INRIA

^EÉ ^[^FLoc^-^Rutgers^-^July^28th^1,ss6^- ^22]

(24)

Curry-Howard for Sequent Calculus

Proof checking is usually explained on natural deduction for-

mulations, for which (typed)

À-calculus

is relevant,

by the Curry-Howard

isomorphism.

However,

proof

_searchusually corresponds

to

a sequent calculus

structure. This

introduces cumbersome translations between

the

proof trees associated

to ^tactics computations,

and

the ^proof terms stored

as À-

terms ^justif ications.

However,

it

is ^possible

to

^constra

ⁱⁿ

^seq^uent^ca^lculus deriva-

tions

as Bôhm

trees. This

is

actually implicit from

Howard,

and was

exactly identified in H.

Herbetin's À-calculus

in

his

thesis

"Séquents

qu'on calcule"

^(Paris

7, jan. 95). It

^uses

a "stoup-ed" _notion of

sequent, like

in

Girard's LU.

ffitN.*I"a

^I^FLoC^-^Rutgers^-^July^28th¹⁹⁹⁶^-²³^]

(25)

Cut-free LJT

+ _right , =':oi.'"=

f-; F

A+

^B ^À

. r,A;Al

^B

Contr ,

ffi ^Headf

--+ left

^:

l-;FA f;BlC f;A+BlC Axiom :

r.,A"A ^nil

Thus the

term U ^Mt... ^Mn)

^is^coded^as

⁽

^.

(U Mr)

M27...

M*)

in À-calculus, and

f lMti M2,... Mnl ⁱⁿ

À-calculus,

the

type- free

structure

underlying

LJT.

Note

that the

stoup contains

the

head variable.

Intros;

^Apply

f

^.

ffitN.xI.a

^Et ^I^FLoc^-^Rutgers^-^July^28th^Lss6^-²⁴¹

(26)

Typing Bôhm trees

When we use Bôhm trees

to

represent proofs in some ^logical framework, these trees have types corresponding

to

formulas

(or

more ^generally

judgements) of this framework. But

we

want not to

^beforced

at

construction

of the

abstract syntax

trees

representing

partial proof attempts to ^be ^obliged ^to

enforce

the

possibly complex

type

maintenance.

On

the

other side

of

the spectrum, w€ may consider a Bôhm

tree

as

just _an _untyped _À-term, i.e. ^an ^element of

^some

domain

D verifying

some isomorphism

D ^t!' _ID

_->

D].

^Con-

sistency in

the

sense

of

equational logic ^is

just

_requiring

_that D

be non-trivial.

ft(r ^N.xl"a

^E6 ^[^FLoc^-^Rutsers^-^{July 28th}^1ee6^-^2s^]

(27)

More on typing Bôhm trees

Somewhere

in

between

we

may

type

solvable

Bôhm

trees,

of the

form:

\ ut

u2...'tLn'

u(Tt,

...rTp)

by their

shape

(-,n - ^p), consisting of the ^pair head (-)

and difFerential

arity

(n

- ^p).

^For^{a closed}

^tree,

^rn

^:'u,ftt

^and

then

the

head indicates

the

index

of

sequentiality

k,

whereas

the

difFerential

arity

is

a

kind

of

coercion

specification.

The shape may

be

read as

a type

^Dn

+ D klpl, specifying:

^this

term is a functional value in Dn + D,

whenever

its

main

argument

æp

is

coerced

to a functional ^value in ^Dp +

D.

Note

that

this

type

is invariant by th€ 4 rule, and

thus

makes sense as

a partition of the

extensional

model

Dca.

ft( t N.*"1"a

^'86 _[_FLoC_-_Rutgers_-_Jury_{28th rss6}_-_26]

(28)

Systems of

^g

uarded com binators

Definitions. We

assume given

two

disjoint.denumerable al- phabets

of

symbols:

X: {Xr,X2,...}

^is

^the

^set

^of

^combina'

forsymbols,l,{ -- {ut,u2,...}

^is^the^set

^of

^parameter^symbols.

Intuitively,

combinators name Bôhm trees, whereas ^parame-

ters

name bound À-variables.

We call Bôhm tree presentation

with

respect

to

these

two

al- phabets any denumerable system of equations:

t : _{Et,82,

^...},

with

E6 . X6 u1 u2...r1ni

'-

11,ki(Mt,..., Mpt) where 1

<

k6

1n;,

^O

4 p;, X;

e

X,

and

for

Yj 1 p; Mj : Xq'(rt,

^...,ut6,i)

with

L

< ^kt,j

S

nt

and

{rt,...,uli,j}

^Ç

{"r,,...,uni} çU.

We

assume

furthermore the

system

to be deterministic,

ⁱⁿ

the

sense

that

every

X € N

^possesses

at most

one defining

equation in t. ^We

say

that it is total when

every

X € ^X

possesses exactly one defining equation

in t.

ffitN.x!"a

^EÉ ^[^FLoc^-^Rutgers^-^July^28th^7ss6^-²⁷^]

(29)

Exa m

ples

We remark

that

Bôhm

tree

presentations _aregeneral enough

to

^represent

arbitrary families of finitely ^generated

Bôhm

trees, which is

enough

for

^instance

to

represent

the

Bôhm trees

of

^any

À-terms. But they permit to do more, in that

we may represent dags and looping

structures.

For instance,

the

À-term

in

normal

form \ut uz.(ut ^{),u.(u u)} ),u-u)

^may

be ^presentedas

X in the

^system

X ut u2 l-

^u1(D,

I) D u '- _u(I(u)) I ru :-

^rt)

with

sharing

of

combinator

/.

Whereas

the

single

equation Z u .- u(Z)

defines as

Z

^the

infinite tree

Àut ^.u1(),u2 ^.u2( ..))

ffirN.xI.a

^I^FLoC^-^Rutgers^-^July^28th¹⁹⁹⁶^-²⁸^]

(30)

Other

^exa^m

^ples

Another

example is

the fixpoint

combinator

Y,

^with

Y f :: _fVU))

Still

another example, also denoting an

infinite

Bôhm

tree,

^is

J

^presented^by

the system: J * a:: ^*(l(A)). ^It

^is

^the

^Bôhm

tree of À-term (Y

^j

^),r,

^),y

^(æ

(j _s))), for Y any fixpoint

combinator such as Curry's.

Remark

that

^recursion

is natural and more canonical,

and

that computation is

more

local than B-reduction. Also

^de- finedness is atomic.

ft(

^r

N.*"1.a

_E6

[ ^FLoc- ^Rutgers- July 28th leeo - ^2e]

(31)

Regular Bôhm trees

Definition. We call

regular any

finite Bôhm tree

^presenta-

tion.

^S^uc.hpresentations define Bôh m trees wh ich are ^regu-

lar in

the

sense

of admitting

^only^a

finite

number

of distinct

subtrees, up

to

variable renaming.

Theorem. It

^isdecidable whether

t I M - ^{l'r for}

any regular

t

and simple expressions

M

and

^f

.

( For a ppropriate notions

F

^and sim ple) .

ffirN.xI"a

I ^FLoC- Rutgers - July 28th 1996 - ³⁰]

(32)

Other ^issues

From À-calculus

to

^Bôhm^trees

^to ^Automath ^to

^Coq...

Constants. Let or A-T

^pairs

^or A-T couples. Other

^judge-

ments.

Structu

re of the context. ^Sections,

^Parag^ra^phs,

Mlodules. Meta-variables.

Unification.

Constraints.

Control of totality.

Control of

^unfold ing

,

^opacity,^abstraction.

Tactics'

W ^/NRIA

^E6 ^[FLoc^-^Rutgers^-^Juty^2eth^1ee6^-^31]

(33)

Ind uction

Should induction be primitive (Martin-Lôf) or

axiomatised

(Isa b el le) ?

Four

properties

of

inductive types.

o

Closed: no

junk

o Free:

no confusion

o

Ind uction

:

^fⁱⁿ

itely

^generated^.

.

Dependance:

elimination

by pattern-matching.

Guarded general recursion vs

primitive

recursion.

ffitN.xI.a

^E6 ^[^FLoc^-^Rutgers^-^{July 28th}^leeo^-³²^]

(34)

How powerful should the framework be?

In other words, how much mathematical

knowledge should be internalized

in the proof assistant? E.g.

equality, induc-

tion,

SUbstitution, sharing, decision procedures.

The

more we add,

the

less we may share developments.

Extreme

view: PRA

as

the

framework.

Ref lexion.

Bootstra ^pping^.

E6 _[_FLoc_-_Rutgers_-_Juty_{28th leeo}_-33 _]

W ^lNRIA

(35)

Mathematics modelling

Mathematics

is

rigorous knowledge representation.

It

^com-

bines com

putation in

concrete structu res

with

^a

bstract

rea-

son

ing in

log ica I systems.

There

are historically

4

generations

of

computerized mathematics:

1

^com^puters

2

programming _languages

3

^symbolic

computation

systems

4

proof-checked forma

I

mathematics

Proof

assistants

potentially open the

^way

to the 4tn

^gen-

eration of

computerized mathematics

modelling. BUT

they

will not

^replace

well understood more eflicient

^paradigms

of the

lower levels:

floating point computation,

imperative

prog _ra_{m m}ing

,

^verif

^ication ^of

^fⁱⁿ

^ite-state

^systems

^by

^B^D^D

techniques. The smooth integration of the full ^range ^of

puterized mathematics tools is the

^g

reat

cha llenge

of

com

putenzeo

_ma

Wi"^iËl'Àears

^ËÉ [ ^FLoC- ^Rutgers^-^July^28th^]ee6- ^34l

ffirN*I.a INRIA

Design of the next 7OO Proof Assistants

Gérard

uet

Pro_let Coq

INRIA Rocquencourt

ffirN*I.a

PLAN

.

o

o

o

ffitN.*"I.a

General Design Issues

o Why yet

proof

o

ll

ffitN.xI.a

A few popular proof assistants

o

o

o

o rMPS / ff iz &R

o

o

i oB

o Elf

o

etc

ffirN*"I.a

YAPA?

o Who will

what

What

the

o

the

ffirN.xI.a

Example 1 : proof trees

o

+

+ Self-certified

+ Auditing

in natural

ffitN.&I.a

Example 2: libraries

o What

the

structure

o Modularity,

o

for

o

o

o

with other

o

o

with other

(qf

ffitN.*"I.a Eô

Overa

I

itectu

o Logical

o

o

o

o

o

data

of

o

o

o Will it

W /N RIA

I got this in the mail today

The

to the

Design of the next ^7OO Proof Assistants

A few ^popular ^proof ^assistants

o rMPS / ^ff ^iz ^&R

Example 1 : ^proof ^trees

+ ^Auditing

ⁱⁿ ^natural

Example 2: ^libraries

W ^{/N RIA}

entitled: "on _the

and "The _First _Part of

of macro instructions, Part II" ^and

ft(r ^N.xI"a

of a ^proof

^of

.. À-n _lAutomath _lElf