Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle...
Transcript of Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle...
![Page 1: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/1.jpg)
Comparing a Formal Proof
in Why3, Coq, Isabelle
Jean-Jacques Lévy
18-10-2019journée LaMHA + LTP
![Page 2: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/2.jpg)
Motivation
2
.. with Ran Chen, Cyril Cohen, Stephan Merz, Laurent Théry
• to be fully published in articles or journals
• algorithms on graphs = a good testbed (better than )
• nice algorithms should have simple formal proofs
• how to publish formal proofs ?
• formal proofs have to be checked by computer
p2
http://www-sop.inria.fr/marelle/Tarjan/contributions.html
VSTTE 2017, ITP 2019
![Page 3: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/3.jpg)
A one-pass linear-time algorithm
Tarjan, 1972
![Page 4: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/4.jpg)
Strongly connected components
4
• x and y are strongly connected if there exists a path from x to y and a path from y to x
• depth-first search algorithm tracking bases of scc’s
• vertices are pushed on a stack in order of their visit and popped when the base of a scc is found
• scc is a maximal set of vertices in which each pair is strongly connected
![Page 5: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/5.jpg)
Strongly connected components
5
graphstack
spanning forrest
2 8
3
4
9
1
7
5
6
0
![Page 6: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/6.jpg)
Strongly connected components
6
stack9
8
7
6
5
4
3
2
1
0
4
4
5
5
5
2
1
1
1
0
spanning forrest
2 8
3
4
9
1
7
5
6
0
a vertex x is a base when
![Page 7: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/7.jpg)
Functional programming
![Page 8: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/8.jpg)
Functional programming
![Page 9: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/9.jpg)
Proof
![Page 10: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/10.jpg)
Program
![Page 11: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/11.jpg)
Program
![Page 12: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/12.jpg)
Invariants
(1) consistent colors
(2) consistent numbering
(3) vertices pairwise distinct in stack
(4) no edge from black to white
(5) in stack any vertex reaches any higher vertex
(6) in stack any vertex reaches a gray lower vertex
(7) the sccs field is the set of black SCCs
![Page 13: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/13.jpg)
Invariants
stack
123489
**
1234567
**
![Page 14: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/14.jpg)
Why3 Proof
![Page 15: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/15.jpg)
Pre/Post-conditions
} LOWLINK
![Page 16: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/16.jpg)
Assertions
![Page 17: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/17.jpg)
Assertionscom
pleteness
![Page 18: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/18.jpg)
Completeness proved in Coq
18
• 3 cases on y’
• y’ in sccs
• y’ is white vertex
• y’ in s3
dfs (successors x)
http://jeanjacqueslevy.net/why3/graph/abs/scct/1-68/scc.html
![Page 19: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/19.jpg)
Assertions
+ 2 Coq proofs (16 loc + 141 loc)
![Page 20: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/20.jpg)
Coq Proof
![Page 21: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/21.jpg)
Functions
21
Record env := Env {black : {set V}; stack : seq V; sccs : {set {set V}};sn : nat; num : {ffun V ➔ nat}}.
Definition dfs1 dfs x e := let: (n1, e1) := dfs [set y in successors x] (add_stack x e) in if n1 < sn e then (n1, add_black x e1) else (infty, add_sccs x e1).
Definition dfs dfs1 dfs’ r e := if [pick x in r] isn't Some x then (infty, e) else let r' := r :\ x in let: (n1, e1) := if num e x != 0 then (num e x, e) else dfs1 x e in
let: (n2, e2) := dfs’ r’ e1 in (minn n1 n2, e2).
![Page 22: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/22.jpg)
Functions
22
Fixpoint tarjan_rec n := if n is n1.+1 then dfs (dfs1 (tarjan_rec n1)) (tarjan_rec n1) else fun r e => (infty, e).
Let N := #|V| * #|V|.+1 + #|V|.
Definition tarjan := sccs (tarjan_rec N setT e0).2.
![Page 23: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/23.jpg)
Proof
23
Definition dfs_correct (dfs : {set V} ➔ env ➔ nat ∗ env) r e :=
pre_dfs r e ➔ let (n, e’) := dfs r e in post_dfs r e e’ n.
Definition dfs1_correct (dfs1 : V ➔ env ➔ nat ∗ env) x e :=
(x ∈ white e) ➔ pre_dfs [set x] e ➔
let (n, e’) := dfs1 x e in post_dfs [set x] e e’ n.
![Page 24: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/24.jpg)
Proof
24
Lemma dfs_is_correct dfs1’ dfs’ (r : {set V}) e : (∀x, x ∈ r ➔ dfs1_correct dfs1’ x e) ➔
(∀x, x ∈ r ➔ ∀e1, white e1 \subset white e ➔
dfs_correct dfs’ (r :\ x) e1) ➔ dfs_correct (dfs dfs1’ dfs’) r e.
Lemma dfs1_is_correct dfs’ (x : V) e : (dfs_correct dfs’ [set y | edge x y] (add_stack x e)) ➔ dfs1_correct (dfs1 dfs’) x e.
Theorem tarjan_rec_terminates n r e : n ≥ #|white e| ∗ #|V|.+1 + #|r| ➔
dfs_correct (tarjan_rec n) r e.
![Page 25: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/25.jpg)
Another Coq proof
• Coq with Ssreflect + Mathematical Components
![Page 26: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/26.jpg)
Another Coq proof
26
stack e<latexit sha1_base64="Fjv1N16zA/up9j6TOEMoVmfri/Y=">AAAC3HicjVHLSsNAFD3GV62vqgsXboKt4EJKUhcKuhDcuFSwttDUkoyjDs2LZCKW0p07cesPuNXvEf9A/8I7Ywo+EJ2Q5My595y5d64X+yKVlvUyYoyOjU9MFqaK0zOzc/OlhcWTNMoSxuss8qOk6bkp90XI61JInzfjhLuB5/OG191X8cYVT1IRhceyF/N24F6E4lwwVxLVKS1XnMCLrvuOkGYqXdYdODvOBq90SmWraull/gR2DsrI12FUeoaDM0RgyBCAI4Qk7MNFSk8LNizExLXRJy4hJHScY4AiaTPK4pThEtul7wXtWjkb0l55plrN6BSf3oSUJtZIE1FeQlidZup4pp0V+5t3X3uq2nr093KvgFiJS2L/0g0z/6tTvUicY1v3IKinWDOqO5a7ZPpWVOXmp64kOcTEKXxG8YQw08rhPZtak+re1d26Ov6qMxWr9izPzfCmqqQB29/H+ROc1Kr2ZrV2VCvv7eajLmAFq1ineW5hDwc4RF3X/4BHPBmnxo1xa9x9pBojuWYJX5Zx/w4knJhT</latexit>
num[x] = 1+ 1<latexit sha1_base64="rDApI6DMzwZ89A7wOljQIf0nf8k=">AAAC5XicjVHLSsNAFD3GV62vqEs3g1UQhJLUhS4UCm5cVrBWaIskcVoH8yKZSEvp1p07cesPuNVfEf9A/8I7Ywo+EJ2Q5My595yZe68b+yKVlvUyZoxPTE5NF2aKs3PzC4vm0vJJGmWJx+te5EfJqeuk3Bchr0shfX4aJ9wJXJ833MsDFW9c8SQVUXgs+zFvB043FB3hOZKoM5OttwI36g1aQrIwC4bNXpvts5YIO7LPtpi9fmaWrLKlF/sJ7ByUkK9aZD6jhXNE8JAhAEcISdiHg5SeJmxYiIlrY0BcQkjoOMcQRdJmlMUpwyH2kr5d2jVzNqS98ky12qNTfHoTUjJskCaivISwOo3peKadFfub90B7qrv16e/mXgGxEhfE/qUbZf5Xp2qR6GBX1yCoplgzqjovd8l0V9TN2aeqJDnExCl8TvGEsKeVoz4zrUl17aq3jo6/6kzFqr2X52Z4U7ekAdvfx/kTnFTK9na5clQpVffyURewijVs0jx3UMUhaqiT9zUe8Igno2vcGLfG3UeqMZZrVvBlGffvzn6bMg==</latexit>
white
num[x] = 1<latexit sha1_base64="HDK7ctJY120NtfizFCaM8/M4k/I=">AAAC4XicjVHLSsNAFD2Nr/qOutRFsAquSloXulAouHFZwdpCUyQZpzqYF8lEWko37tyJW3/Arf6M+Af6F94ZU/CB6IQkZ86958zce73YF6m07ZeCMTY+MTlVnJ6ZnZtfWDSXlk/SKEsYb7DIj5KW56bcFyFvSCF93ooT7gaez5ve5YGKN694koooPJb9mHcC9zwUXcFcSdSpubbhBF7UGzhCWmEWDNu9jrVvOSLsyv7GqVmyy7Ze1k9QyUEJ+apH5jMcnCECQ4YAHCEkYR8uUnraqMBGTFwHA+ISQkLHOYaYIW1GWZwyXGIv6XtOu3bOhrRXnqlWMzrFpzchpYVN0kSUlxBWp1k6nmlnxf7mPdCe6m59+nu5V0CsxAWxf+lGmf/VqVokutjVNQiqKdaMqo7lLpnuirq59akqSQ4xcQqfUTwhzLRy1GdLa1Jdu+qtq+OvOlOxas/y3Axv6pY04Mr3cf4EJ9VyZbtcPaqWanv5qItYxTq2aJ47qOEQdTTI+xoPeMSTwYwb49a4+0g1CrlmBV+Wcf8Omeaabg==</latexit>
sccs<latexit sha1_base64="DBw5V/kSjDMNyvUyZG3kj/X8L3M=">AAAC1nicjVHLSsNAFD3GV323unQTrIKrktaFLlwU3LisYB/QFkmm0zo0LzITtZS6E7f+gFv9JPEP9C+8M0bwgeiEJGfOvefM3Hu92BdSOc7zlDU9Mzs3n1tYXFpeWV3LF9YbMkoTxuss8qOk5bmS+yLkdSWUz1txwt3A83nTGx7pePOCJ1JE4akaxbwbuINQ9AVzFVFn+cJ2J/Ciq3FHKFsyJifbZ/miU3LMsn+CcgaKyFYtyj+hgx4iMKQIwBFCEfbhQtLTRhkOYuK6GBOXEBImzjHBImlTyuKU4RI7pO+Adu2MDWmvPaVRMzrFpzchpY0d0kSUlxDWp9kmnhpnzf7mPTae+m4j+nuZV0Cswjmxf+k+Mv+r07Uo9HFgahBUU2wYXR3LXFLTFX1z+1NVihxi4jTuUTwhzIzyo8+20UhTu+6ta+IvJlOzes+y3BSv+pY04PL3cf4EjUqpvFeqnFSK1cNs1DlsYgu7NM99VHGMGurkfYl7PODRalnX1o11+55qTWWaDXxZ1t0bfqeWKQ==</latexit>
0 num[x] < 1<latexit sha1_base64="9xH2rGh5YNbn/uLdIo6+P4K1KaY=">AAAC6HicjVG7TsMwFD2EV3kXGFksChJTlZYBhg6VWBiLRKFSU6EkdYtpXiQOalX1A9jYECs/wApfgvgD+AuuTZCACoGjJMfnnnPsazuRJxJpmi8TxuTU9Mxsbm5+YXFpeSW/unaShGns8robemHccOyEeyLgdSmkxxtRzG3f8fip0ztQ9dMrHiciDI7lIOIt3+4GoiNcWxJ1li9smczy+CWzfCfsDy0hWZD6o2a/xSrMEkFHDrZIZRZNPdg4KGWggGzUwvwzLLQRwkUKHxwBJGEPNhJ6mijBRERcC0PiYkJC1zlGmCdvSipOCpvYHn27NGtmbEBzlZlot0urePTG5GTYJk9IupiwWo3peqqTFftb9lBnqr0N6O9kWT6xEufE/uX7VP7Xp3qR6GBf9yCop0gzqjs3S0n1qaidsy9dSUqIiFO4TfWYsKudn+fMtCfRvauztXX9VSsVq+Zupk3xpnZJF1z6eZ3j4KRcLO0Wy0flQrWSXXUOG9jEDt3nHqo4RA11yr7GAx7xZFwYN8atcfchNSYyzzq+DeP+HcH6nME=</latexit>
![Page 27: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/27.jpg)
Another Coq proof
![Page 28: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/28.jpg)
Isabelle/HOL Proof
![Page 29: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/29.jpg)
Proof
29
function (domintros) dfs1 and dfs where dfs1 x e = (let (n1, e1) = dfs (successors x) (add_stack_incr x e) in if n1 < int (sn e) then (n1, add_black x e1) else (let (l, r) = split_list x (stack e1) in (+∞, (| black = insert x (black e1), gray = gray e, stack = r, sn = sn e1, sccs = insert (set l) (sccs e1), num = set_infty l (num e1) |) )))
and dfs roots e = (if roots = {} then (+∞, e) else (let x = SOME x . x ∈ roots;
res1 = (if num e x ≠ ︎-1 then (num e x, e) else dfs1 x e);
res2 = dfs (roots - {x}) (snd res1) in (min (fst res1) (fst res2), snd res2) ))
![Page 30: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/30.jpg)
Proof
30
theorem dfs1_dfs_termination :
[x ∈ vertices - colored e; colored_num e] ⟹ dfs1_dfs_dom (Inl(x, e)) [r ⊆ vertices; colored_num e] ⟹ dfs1_dfs_dom (Inr(r, e))
theorem dfs_partial_correct:
[dfs1_dfs_dom (Inl(x, e)); dfs1_pre x e] ⟹ dfs1_post x e (dfs1 x e)
[dfs1_dfs_dom (Inr(r, e)); dfs_pre r e] ⟹ dfs_post r e (dfs r e)
definition colored_num where colored_num e ≡
∀v ∈ colored e. v ∈ vertices ∧ num e v ≠ ︎-1
theorem dfs_correct:
dfs1_pre x e ⟹ dfs1_post x e (dfs1 x e)
dfs_pre r e ⟹ dfs_post roots e (dfs r e)
![Page 31: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/31.jpg)
Conclusion
![Page 32: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/32.jpg)
Why3 - Coq - Isabelle
32
… other systems ?
why3 coq isabelle/HOL
expressivity - ++ +readability +++ - +stability - +++ +ease of use - - -automation ++ - +partial correctness +++ - - -code extraction ++ + -trusted base - +++ +++# lines auto 392 0 ? (314ui)# lines manual 157 1535 1690
http://www-sop.inria.fr/marelle/Tarjan/contributions.html
![Page 33: Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle Jean-Jacques Lévy 18-10-2019 journée LaMHA + LTP](https://reader035.fdocuments.us/reader035/viewer/2022062414/5ed6349a746633446e6423ed/html5/thumbnails/33.jpg)
Todo list
33
• other algorithms (biconnected, planarity, minimum spanning tree)
• proof of implementation
• teaching