FouCo: Foundational Corecursive Definitions for Isabelle/HOL

FouCo: Foundational Corecursive Definitions for Isabelle/HOL
Topic: Logic, Verification
Location:
Inria Nancy – Grand-Est, Nancy, France
¨ Informatik, Saarbrucken,
¨
or Max-Planck-Institut fur
Germany
Supervisor: Dr. Jasmin Blanchette ([email protected], Inria & MPI)
Co-supervisors:
Dr. Andrei Popescu ([email protected], Middlesex University, London)
¨
Dmitriy Traytel ([email protected], Technische Universit¨at Munchen)
Background:
Isabelle/HOL is a popular proof assistant based on higher-order logic
(HOL), a variant of the simply typed λ-calculus. It has been used successfully in a number of projects, such as the verification of the seL4 microkernel [1], the formalization of a Java compiler [2] and its memory
model [3], and the mechanized proof of the Kepler conjecture [4].
¨
Isabelle is primarily developed at the Technische Universit¨at Munchen,
where the supervisor is currently based. From January 2015, he will work
¨
on a 50%–50%-basis at Inria Nancy and the MPI in Saarbrucken.
The internship can take place at either location. The co-supervisors will perform their duties remotely from London and Munich.
Objective:
Isabelle has recently been extended with codatatypes (coinductive datatypes) [5,6], thereby joining the good company of Agda, Coq, and Matita.
However, the ability to introduce codatatypes is not worth much without adequate support for defining meaningful functions that operate on
them. Yet, the system must be careful: A function definition such as
f x = f x + 1 can be used to derive a contradiction (0 = 1). The key
question to answer is: What right-hand sides can be safely allowed in a function definition?
Generally, there are two main approaches to support recursive and corecursive functions in a proof assistant:
The intrinsic approach: A syntactic criterion is built into the logic: termination for recursive specifications, productivity for corecursive
specifications. The termination or productivity checker is part of
the system’s trusted code base.
The foundational approach: The (co)recursive specifications are reduced
to a fixpoint construction, which permits a simple definition of the
form f = . . . , where f does not occur in the right-hand side. The
original equations are derived as theorems from this definition.
Agda, Coq, and Matita favor the intrinsic approach. The main hurdle for
their users is that syntactic criteria are inflexible; the specification must
be massaged so that it falls within a supported syntactic fragment. But
perhaps more troubling in systems that process theorems, soundness is
not obvious at all and extremely tedious to ensure; as a result, there is a
history of critical bugs in termination and productivity checkers.
In contrast, Isabelle adheres to the foundational approach. Its logic is
expressive enough to capture the (co)algebraic constructions underlying
(co)datatypes and (co)recursive functions, without extending the logic. Isabelle already has support for primitive corecursion, via the primcorec
command [6, Section 6]. Those are specifications where each corecursive
call occurs under exactly one constructor. For example, given a type of
infinite streams constructed by SCons, the specification
natsFrom n = SCons n (natsFrom (n + 1))
which defines the stream n, n + 1, n + 2, . . . falls, within this primitive
fragment, since each call to natsFrom produces one constructor before entering the nested call.
The goal of this project would be to implement (parts of) a corec command that generalizes primcorec to allow (1) multiple nested constructor
guards; (2) well-behaved operations to appear around the nested calls;
and (3) combinations of recursion and corecursion. Points 2 and 3 would
enable Isabelle to go beyond the state of the art in Agda, Coq, and Matita.
The corec command would parse the specification of a function and instantiate a so-called corecursor—a highly general function that can be used
to express a large class of corecursive functions. The theory justifying
these features has been developed already [7] and is implemented in a
rough prototype [7, Section 4].
The desired implementation would be part of Isabelle, which is written
in Standard ML (an Anglo-Saxon dialect of OCaml). It would consist of
two modules:
• The corec command proper, which would parse the specification of
a function f, define f in terms of the corecursor, and derive some
theorems.
• A command to register arbitrary operations as well-behaved, thereby
strengthening the corecursor and the syntactic fragment supported
by corec.
We explicitly do not expect the internship to result in the completion of
both modules. The project can be broken down in a number of milestones, and we would consider it a success if, for example, one of the two
modules is completed by the end of the summer, without suppport for
combinations of recursion and corecursion. The supervisor and one of
the co-supervisors would also participate in the coding effort. This work
would likely result in a publication at an international conference (e.g.,
Certified Programs and Proofs or Iteractive Theorem Proving).
2
This internship is an ideal opportunity to familiarize oneself with proof
assistants, coinduction and corecursion, to learn Isabelle both at the user
level and at the ML programming level, and to get acquainted with the
exciting research taking place in the VeriDis and Automation of Logic
groups (cf. veridis.loria.fr and www.mpi-inf.mpg.de/departments/
automation-of-logic).
Requirements:
We expect the student to be familiar with the λ-calculus and functional
programming. We do not expect familiarity with Isabelle, Coq, codatatypes, coinduction, corecursion, or fixpoints. Knowledge of German is
¨
not required for an internship in Saarbrucken.
References:
[1] G. Klein et al. seL4: Formal verification of an operating-system kernel. C.
ACM, 53(6):107–115, 2010.
[2] A. Lochbihler. Verifying a compiler for Java threads. In: Gordon, A.D.
(ed.) ESOP 2010. LNCS, vol. 6012, pp. 427–447. Springer (2010)
[3] A. Lochbihler. Making the Java memory model safe. ACM Trans. Program. Lang. Syst. 35(4), 12:1–65 (2014)
[4] T. Hales et al.
https://code.google.com/p/flyspeck/wiki/AnnouncingCompletion
(2014)
[5] D. Traytel, A. Popescu, J. C. Blanchette. Foundational, compositional
(co)datatypes for higher-order logic: Category theory applied to theorem
proving. In LICS 2012, pp. 596–605. IEEE (2012)
¨
[6] J. C. Blanchette, J. Holzl,
A. Lochbihler, L. Panny, A. Popescu, D. Traytel.
Truly modular (co)datatypes for Isabelle/HOL. In Klein, G., Gamboa, R.
(eds.) ITP 2014, LNCS, vol. 8558, pp. 93–110. Springer, 2014.
[7] J. C. Blanchette, A. Popescu, D. Traytel. Foundational Extensible Corecursion. http://www21.in.tum.de/~blanchet/fouco.pdf (2014)
3