Equations plugin

Set Equations Transparent.

Installation: opam install coq-equations. To use the plugin, add the following import From Equations Require Import Equations..

Equations fib (n : nat) : nat :=
  fib 0             := 0;
  fib n'.+1 with n' :=
    fib n'.+1 n''.+1 := fib n'' + fib n';
    fib n'.+1 0      := 1.


Equations fib_iter (n : nat) (f0 f1 : nat) : nat :=
  fib_iter n'.+1 f0 f1 := fib_iter n' f1 (f0 + f1);
  fib_iter 0     f0 f1 := f0.

mczify package

The mczify package provides access to linear and non-linear integral arithmetic solver tactics: lia and nia, which work with Mathcomp's definitions.

To install execute opam install coq-mathcomp-zify. To use the plugin, import From mathcomp Require Import zify.

Note that Coq also has its version of the lia tactic, to use it, one has to import the Psatz module. But the vanilla lia tactic cannot process Mathcomp's definitions.

Lemma fib_iter_spec n f0 f1 :
  fib_iter n.+1 f0 f1 = f0 * fib n + f1 * fib n.+1.
n, f0, f1:nat
fib_iter n.+1 f0 f1 = f0 * fib n + f1 * fib n.+1
Proof.
n, f0, f1:nat
fib_iter n.+1 f0 f1 = f0 * fib n + f1 * fib n.+1
elim: n f0 f1=> [/=|n IHn] f0 f1; first by lia.
n:nat
IHn:forall f0 f1 : nat, fib_iter n.+1 f0 f1 = f0 * fib n + f1 * fib n.+1
f0, f1:nat
fib_iter n.+2 f0 f1 = f0 * fib n.+1 + f1 * fib n.+2
rewrite fib_iter_equation_2 IHn /=; lia.
Qed.

fib_iter_equation_2 is a one-step reduction equation generated by Equations

Functional induction

Equations generates induction principles for functions which mirror their definitions.

Lemma fib_iter_correct n :
  fib_iter n 0 1 = fib n.
n:nat
fib_iter n 0 1 = fib n
Proof.
n:nat
fib_iter n 0 1 = fib n
(* We had to use a custom induction principle here:
   elim/nat_ind2: n => // n IHn1 IHn2. *)

apply: (fib_elim (fun n f => fib_iter n 0 1 = f))=> //.
n:nat
forall n n0 : nat,
fib_iter n0 0 1 = fib n0 ->
fib_iter n 0 1 = fib n ->
n = n0.+1 -> fib_iter n0.+2 0 1 = fib n0 + fib n

move=> {}n n' IH1 IH2 n_eq_Sn'.
n, n':nat
IH1:fib_iter n' 0 1 = fib n'
IH2:fib_iter n 0 1 = fib n
n_eq_Sn':n = n'.+1
fib_iter n'.+2 0 1 = fib n' + fib n
rewrite n_eq_Sn' in IH2 *.
n, n':nat
IH1:fib_iter n' 0 1 = fib n'
n_eq_Sn':n = n'.+1
IH2:fib_iter n'.+1 0 1 = fib n'.+1
fib_iter n'.+2 0 1 = fib n' + fib n'.+1
rewrite fib_iter_spec /=; lia.
Qed.

CoqHammer package

The CoqHammer package provides a number of tactics like sauto, sfirstorder, hammer to automate proofs.

Note: these tactics never use induction, so you might need to start your proofs by induction first and then call the solvers.

The sauto tactic does general proof search for the goal expressed in Calculus of Inductive Construction and does not rely on external tools.

On the other hand, hammer relies on external automated theorem provers (ATP) and SMT-solvers like: Eprover, Vampire, CVC4, Z3.

CoqHammer only uses SMT solvers as ATPs, meaning that the natural numbers, lists and other datastructures are treated as uninterpreted by the supported SMT solvers.

The hammer tactic works in three phases:

1. Use simple and fast machine-learning for premise selection;
2. Translate the goal into the format ATPs understand and call the available ATPs;
3. Post-process the ATPs' output: reinterpret artefacts returned by the ATPs into Coq's logic (most ATPs use classical logic).

Installation: opam install coq-hammer (will be available soon for Coq 8.13 too). Import: From Hammer Require Import Hammer..

From Hammer Require Import Hammer.

Lemma foo m n p q r :
  m + (n + p * (q * r)) = m + n + p * q * r.
m, n, p, q, r:nat
m + (n + p * (q * r)) = m + n + p * q * r
Proof.
m, n, p, q, r:nat
m + (n + p * (q * r)) = m + n + p * q * r hammer.
Replace the hammer tactic with: sauto  Qed.

Lemma lt_zero_lt_one x : x < 0 -> x < 1.
x:nat
x < 0 -> x < 1
Proof.
x:nat
x < 0 -> x < 1 hammer.
Replace the hammer tactic with: sauto  Qed.

Note: lia or sauto can also handle the two above goals.

QuickChick plugin

If we try proving a lemma for a long time without actually succeeding we might start asking ourselves if it's not provable at all because we made a mistake somewhere.

If only we had a quicker way of checking if it makes sense to prove a property of an algorithm.

Property-based randomized testing to the rescue!

Key ideas: - Write specifications as computable predicates; - Generate lots of random inputes to test your functions; - Shrink counterexamples;

One could say that property-based randomized testing sits in the sweet spot between hand-written unit tests and fully formal proofs.

Installation: opam install coq-quickchick. Import: From QuickChick Require Import QuickChick..

QuickChick is a port of QuickCheck written around the year 2000 by John Hughes for Haskell.

For more detail about QuickChick see "Foundational Property-Based Testing" by Paraskevopoulou, Hritcu, Denes, Lampropoulos, Pierce.

Also, "QuickChick: Property-Based Testing in Coq" by Lampropoulos and Pierce provides a gentle introduction into the topic: https://softwarefoundations.cis.upenn.edu/qc-current/index.html

From QuickChick Require Import QuickChick.
Import QcDefaultNotation.
Open Scope qc_scope.
Import GenLow GenHigh.
Set Warnings "-extraction-opaque-accessed,-extraction".


Inductive instr := Push (n : nat) | Add | Sub | Mul.

We are going to the Deriving plugin to deriving an instance of eqType for instr. Installation: opam install coq-deriving. Import: From deriving Require Import deriving..

From deriving Require Import deriving.

Fail Check erefl : Add == Add.
The command has indeed failed with message:
The term "Add" has type "instr"
while it is expected to have type "Equality.sort ?T".

The following boilerplate (four lines) does the job:

Definition instr_indDef := [indDef for instr_rect].
Canonical instr_indType := IndType instr instr_indDef.
Definition instr_eqMixin := [derive eqMixin for instr].
Canonical instr_eqType := EqType instr instr_eqMixin.

Check erefl : Add == Add.
erefl : Add == Add
     : Add == Add


Definition prog := seq instr.
Definition stack := seq nat.

Fixpoint run (p : prog) (s : stack) : stack :=
  if p is (i :: p') then
    let s' :=
      match i with
      | Push n => n :: s
      | Add => if s is (a1 :: a2 :: s') then a2 + a1 :: s'
                else s
      | Sub => if s is (a1 :: a2 :: s') then a2 - a1 :: s'
                else s
      | Mul => if s is (a1 :: a2 :: s') then a2 * a1 :: s'
                else s
      end
    in run p' s'
  else s.

Now, to prove properties about run, one would find useful the following lemma.

Lemma run_append p1 p2 s :
  run (p1 ++ p2) s = run p2 (run p1 s).
p1, p2:seq instr
s:stack
run (p1 ++ p2) s = run p2 (run p1 s)
Proof.
p1, p2:seq instr
s:stack
run (p1 ++ p2) s = run p2 (run p1 s) by elim: p1 s=> /=. Qed.

Unfortunately, if we change the semantics of run to the one that stops processing its input immediately once there is an error condition, this property would not hold.

Fixpoint run' (p : prog) (s : stack) : stack :=
  if p is (i :: p') then
    match i with
    | Push n => run' p' (n :: s)
    | Add => if s is (a1 :: a2 :: s') then run' p' (a2 + a1 :: s')
              else s
    | Sub => if s is (a1 :: a2 :: s') then run' p' (a2 - a1 :: s')
              else s
    | Mul => if s is (a1 :: a2 :: s') then run' p' (a2 * a1 :: s')
              else s
    end
  else s.

The user writes their generators and shrinkers, but luckily for us for sufficiently simple datatypes QuickChick can do it automatically.

Derive Arbitrary for instr.
Derive Show for instr.

Definition cat_run'_prop (p1 p2 : prog) (s : stack) :=
  run' (p1 ++ p2) s == run' p2 (run' p1 s).

QuickChick cat_run'_prop.
[Sub; Add]
[Push 0]
[]
*** Failed after 3 tests and 4 shrinks. (0 discards)
(*
[Mul; Sub; Sub; Sub; Mul]
[Push 0]
[]
*** Failed after 6 tests and 11 shrinks. (0 discards)
*)

For the original run, QuickChick cannot find counter-examples:

Definition cat_run_prop (p1 p2 : prog) (s : stack) :=
  run (p1 ++ p2) s == run p2 (run p1 s).

QuickChick cat_run_prop.
+++ Passed 10000 tests (0 discards)
(* +++ Passed 10000 tests (0 discards) *)

Practical observation: Using QuickChick can be a nice way of figuring out the precodintions to the lemmas of interest, i.e. testing helps proving!

Moreover, since our testing code (and most of QuickChick itself) is written in Coq, we can also formally verify this code using Coq. That is, proving helps testing!

Property-based randomized testing is a powerful yet complex beast and we barely scratched the surface here.

It's easy to end up generating lots of dead inputs -- in many cases the precodintions discard a lot of random inputs.

Fixpoint insert e s : seq nat :=
  if s is x :: s' then
    if e <= x then
      e :: s
    else
      x :: (insert e s')
  else [:: e].


Definition insert_sorted_prop (e : nat) (s : seq nat) :=
  sorted leq s ==> sorted leq (insert e s).

Let us check how many inputs we generate for nothing: one can use QuickChick's collect facility to do that.

Time QuickChick (fun e s =>
  collect (sorted leq s) (insert_sorted_prop e s)).
5498 : false
4502 : true
+++ Passed 10000 tests (0 discards)
Finished transaction in 1.66 secs (0.29u,0.073s) (successful)
(*
5526 : false
4474 : true
+++ Passed 10000 tests (0 discards)
*)

QuickChick supports user-defined random generators that can produce inputs with the required properties. Even more, the user can formally verify that the supplied random generator is sound and complete.

Moreover, there is an improvement over QuickChick called FuzzChick which combines methods developed in the fuzzing communitywith the methods developed in PBRT community to alleviate the pain of implementing custom generators which can be quite complex.

Mutation Proving

mCoq: Mutation Proving for Analysis of Verification Projects by K. Palmskog et al.(2019).

This is related to Mutation Testing:

• make small changes resembling faults to software system;
• execute accompanying test suite on changed system;
• measure how well the test suite catches introduced faults;
• improve test suite and repeat;

Mutation Proving:

• a mutation operator op is applied to a Coq project;
• op may generate a mutant where specifications are different;
• an op mutant where a proof fails during checking is killed;
• a op mutant where all proofs are successfully checked is live.

Examples of operations:

• Reorder branches of if-expressions;
• Replace plus with minus;
• Replace a list with its tail;
• ...

A practical observation: a high amount of live mutants might indicate weak specs.

But sometimes it's just hard to come up with a precise spec, e.g. this is often the case when talking about time/space complexity:

The key but unstated invariant of ss is that its i`th item has size `2i if it is not empty, so that merge sort push only performs perfectly balanced merges... without the [::] placeholder the MathComp sort becomes two element-wise insertion sort. —Georges Gonthier

A bit of context:

Section SortSeq.

Variables (T : Type) (leT : rel T).

Fixpoint merge_sort_push s1 ss :=
  match ss with
  | [::] :: ss'
  | [::] as ss' => s1 :: ss'
  | s2 :: ss' => [::] :: merge_sort_push (merge s2 s1) ss'
                ^^^^
  this can be deleted, but proofs will still go through
  end.

Fixpoint merge_sort_pop s1 ss :=
  if ss is s2 :: ss' then merge_sort_pop (merge s2 s1) ss'
  else s1.

Fixpoint merge_sort_rec ss s :=
  if s is [:: x1, x2 & s'] then
    let s1 := if leT x1 x2 then [:: x1; x2]
              else [:: x2; x1] in
    merge_sort_rec (merge_sort_push s1 ss) s'
  else merge_sort_pop s ss.

Definition sort := merge_sort_rec [::].

(* ... *)

End SortSeq.

Extraction

From Coq Require Import Extraction.

Module Insertion.
Section InsertionSort.

Variable T : eqType.
Variable leT : rel T.
Implicit Types x y z : T.
Implicit Types s t u : seq T.
Fixpoint insert e s : seq T :=
  if s is x :: s' then
    if leT e x then
      e :: s
    else
      x :: (insert e s')
  else [:: e].

Sort input list s

Fixpoint sort s : seq T :=
  if s is x :: s' then
    insert x (sort s')
  else
    [::].

Proofs of correctness skipped

End InsertionSort.

Extraction Language OCaml.
Extraction sort.
(** val sort0 :
    Equality.coq_type -> Equality.sort rel ->
    Equality.sort list -> Equality.sort list **)

let rec sort0 t leT = function
| [] -> []
| x :: s' -> insert t leT x (sort0 t leT s')


Extraction Language Haskell.
Extraction sort.
sort :: Type -> (Rel Sort) -> (list Sort) -> list Sort
sort t leT s =
  case s of {
   [] -> [];
   ( :: ) x s' -> insert t leT x (sort t leT s')}

Caveat: extracting SSReflect-based projects is usually not straightforward. It can be done, see e.g. https://github.com/certichain/toychain. But one has to overcome some issues.

End Insertion.