
Programs and Proofs: Mechanizing Mathematics with Dependent Types
Lecture Notes
Ilya Sergey
Draft of July 16, 2020

Contents

1 Introduction 5
  1.1 Why yet another course on Coq? 5
    1.1.1 What this course is about 7
    1.1.2 What this course is not about 7
    1.1.3 Why Ssreflect? 7
  1.2 Prerequisites 8
  1.3 Setup 9
    1.3.1 Installing Coq, Ssreflect and Mathematical Components 9
    1.3.2 Emacs set-up 9
    1.3.3 Getting the lecture files and solutions 10
  1.4 Naming conventions 10
  1.5 Acknowledgements 11
2 Functional Programming in Coq 13
  2.1 Enumeration datatypes 13
  2.2 Simple recursive datatypes and programs 15
    2.2.1 Dependent function types and pattern matching 18
    2.2.2 Recursion principle and non-inhabited types 20
  2.3 More datatypes 21
  2.4 Searching for definitions and notations 24
  2.5 An alternative syntax to define inductive datatypes 25
  2.6 Sections and modules 26
3 Propositional Logic 29
  3.1 Propositions and the Prop sort 29
  3.2 The truth and the falsehood in Coq 30
  3.3 Implication and universal quantification 35
    3.3.1 On forward and backward reasoning 37
    3.3.2 Refining and bookkeeping assumptions 38
  3.4 Conjunction and disjunction 39
  3.5 Proofs with negation 42
  3.6 Existential quantification 43
    3.6.1 A conjunction and disjunction analogy 45
  3.7 Missing axioms from classical logic 46
  3.8 Universes and Prop impredicativity 47
    3.8.1 Exploring and debugging the universe hierarchy 48
4 Equality and Rewriting Principles 53
  4.1 Propositional equality in Coq 53
    4.1.1 Case analysis on an equality witness 54
    4.1.2 Implementing discrimination 55
    4.1.3 Reasoning with Coq's standard equality 57
  4.2 Proofs by rewriting 57
    4.2.1 Unfolding definitions and in-place rewritings 57
    4.2.2 Proofs by congruence and rewritings by lemmas 58
    4.2.3 Naming in subgoals and optional rewritings 60
    4.2.4 Selective occurrence rewritings 61
  4.3 Indexed datatype families as rewriting rules 62
    4.3.1 Encoding custom rewriting rules 63
    4.3.2 Using custom rewriting rules 63
5 Views and Boolean Reflection 67
  5.1 Proving with views in Ssreflect 68
    5.1.1 Combining views and bookkeeping 69
    5.1.2 Using views with equivalences 69
    5.1.3 Declaring view hints 70
    5.1.4 Applying view lemmas to the goal 70
  5.2 Prop versus bool 71
    5.2.1 Using conditionals in predicates 74
    5.2.2 Case analysing on a boolean assumption 74
  5.3 The reflect type family 75
    5.3.1 Reflecting logical connectives 76
    5.3.2 Reflecting decidable equalities 79
6 Inductive Reasoning in Ssreflect 81
  6.1 Structuring the proof scripts 81
    6.1.1 Bullets and terminators 81
    6.1.2 Using selectors and discharging subgoals 82
    6.1.3 Iteration and alternatives 82
  6.2 Inductive predicates that should be functions 83
    6.2.1 Eliminating assumptions with a custom induction hypothesis 88
  6.3 Inductive predicates that are hard to avoid 89
  6.4 Working with Ssreflect libraries 93
    6.4.1 Notation and standard properties of algebraic operations 93
    6.4.2 A library for lists 94
7 Encoding Mathematical Structures 97
  7.1 Encoding partial commutative monoids 98
    7.1.1 Describing algebraic data structures via dependent records 99
    7.1.2 An alternative definition 101
    7.1.3 Packaging the structure from mixins 101
  7.2 Properties of partial commutative monoids 103
  7.3 Implementing inheritance hierarchies 104
  7.4 Instantiation and canonical structures 105
    7.4.1 Defining arbitrary PCM instances 105
    7.4.2 Types with decidable equalities 109
8 Case Study: Program Verification in Hoare Type Theory 111
  8.1 Imperative programs and their specifications 112
    8.1.1 Specifying and verifying programs in a Hoare logic 113
    8.1.2 Adequacy of a Hoare logic 116
  8.2 Basics of Separation Logic 117
    8.2.1 Selected rules of Separation Logic 119
    8.2.2 Representing loops as recursive functions 120
    8.2.3 Verifying heap-manipulating programs 121
  8.3 Specifying effectful computations using types 123
    8.3.1 On monads and computations 124
    8.3.2 Monadic do-notation 125
  8.4 Elements of Hoare Type Theory 126
    8.4.1 The Hoare monad 127
    8.4.2 Structuring program verification in HTT 128
    8.4.3 Verifying the factorial procedure mechanically 130
  8.5 On shallow and deep embeddings 136
  8.6 Soundness of Hoare Type Theory 138
  8.7 Specifying and verifying programs with linked lists 138
9 Conclusion 143
Bibliography 145
Index 151

1 Introduction

These lecture notes are the result of the author's personal experience of learning how to structure formal reasoning using the Coq proof assistant and of employing Coq in large-scale research projects. The present manuscript offers a brief and practically oriented introduction to the basic concepts of mechanized reasoning and interactive theorem proving. The primary audience of this text is readers with expertise in software development and programming, and with knowledge of discrete mathematics at the level of an undergraduate university program. The high-level goal of the course is, therefore, to demonstrate how much rigorous mathematical reasoning and the development of robust, intellectually manageable programs have in common, and how an understanding of common programming language concepts provides a solid background for building mathematical abstractions and proving theorems formally. The low-level goal of this course is to provide an overview of the Coq proof assistant in both of its incarnations: as an expressive functional programming language with dependent types, and as a proof assistant providing support for mechanized interactive theorem proving. By aiming for these two goals, this manuscript is intended to demonstrate how concepts familiar from mainstream programming languages, and which form part of good programming practice, can provide illuminating insights into the nature of reasoning in Coq's logical foundations and make it possible to reduce the burden of mechanical theorem proving.
These insights will eventually give the reader the freedom to focus solely on the essential part of her formal development instead of fighting with a proof assistant in futile attempts to encode the "obvious" mathematical intuition, a frustration that has made many newcomers abandon their attempts to adopt machine-assisted formal reasoning as an everyday practice.

1.1 Why yet another course on Coq?

The Coq proof assistant [10] has been in development since 1983, and by now there are a number of courses that provide excellent introductions to Coq-powered interactive theorem proving and software development. Among the publicly available manuscripts, the author finds the following three to be the most suitable for teaching purposes.

• The classical book Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions by Yves Bertot and Pierre Castéran [3] is a thorough and exhaustive overview of Coq as a formal system and a tool, covering its logical foundations, reasoning methodologies and automation tools, and offering a large number of examples and exercises (from which this course borrows some).

• Benjamin Pierce et al.'s Software Foundations electronic book [53] introduces Coq development from the angle of basic research in programming languages, focusing primarily on the formalization of programming language semantics and type systems, which serve both as the main motivating examples of Coq usage and as a source of intuition for explaining Coq's logical foundations.

• The most recently published book, Certified Programming with Dependent Types by Adam Chlipala [7], provides a gentle introduction to Coq from the perspective of writing programs that manipulate certificates, i.e., first-class proofs of the program's correctness. The idea of certified programming is a natural fit for a programming language with dependent types, which Coq offers, and the book is structured as a series of examples that make the dependently-typed aspect