Mechanized Ramification
Author: shengyi-wang
Category: Science
Transcript of Mechanized Ramification
Mechanized Ramification
Wang Shengyi
Joint work with Aquinas Hobor
National University of Singapore
April 17, 2015
Wang Shengyi (NUS) Mechanized Ramification April 17, 2015 1 / 43
Overview

[Word cloud on the slide: My Work, Ramification, Mechanized Semantic Library, Separation Logic, Coq, Hoare Logic, Formalizing]
Related Works: Hoare Logic

Hoare Triple

$\{P\}\ C\ \{Q\}$
Hoare Logic Rules

$\{P\}\ \mathrm{skip}\ \{P\}$

$\{P[E/x]\}\ x := E\ \{P\}$

$\dfrac{\{P\}\ S\ \{Q\} \quad \{Q\}\ T\ \{R\}}{\{P\}\ S;T\ \{R\}}$

$\dfrac{\{B \wedge P\}\ S\ \{Q\} \quad \{\neg B \wedge P\}\ T\ \{Q\}}{\{P\}\ \mathrm{if}\ B\ \mathrm{then}\ S\ \mathrm{else}\ T\ \mathrm{endif}\ \{Q\}}$

$\dfrac{P_1 \Rightarrow P_2 \quad \{P_2\}\ S\ \{Q_2\} \quad Q_2 \Rightarrow Q_1}{\{P_1\}\ S\ \{Q_1\}}$

$\dfrac{\{P \wedge B\}\ S\ \{P\}}{\{P\}\ \mathrm{while}\ B\ \mathrm{do}\ S\ \mathrm{done}\ \{\neg B \wedge P\}}$
Example I

The derivation, read bottom-up, with the rule used at each step:

$\{x + 1 \le 10\}\ x := x + 1\ \{x \le 10\}$ (assignment: $\{P[E/x]\}\ x := E\ \{P\}$)

$\{x \le 10 \wedge x < 10\}\ x := x + 1\ \{x \le 10\}$ (consequence: $P_1 \Rightarrow P_2$, $\{P_2\}\ S\ \{Q_2\}$, $Q_2 \Rightarrow Q_1$ gives $\{P_1\}\ S\ \{Q_1\}$)

$\{x \le 10\}\ \mathrm{while}\ x < 10\ \mathrm{do}\ x := x + 1\ \mathrm{done}\ \{\neg (x < 10) \wedge x \le 10\}$ (while: $\{P \wedge B\}\ S\ \{P\}$ gives $\{P\}\ \mathrm{while}\ B\ \mathrm{do}\ S\ \mathrm{done}\ \{\neg B \wedge P\}$)

$\{x \le 10\}\ \mathrm{while}\ x < 10\ \mathrm{do}\ x := x + 1\ \mathrm{done}\ \{x = 10\}$ (consequence)
Example II

struct li { struct li *next } *i, *j;
j := nil;
while i != nil do
  k := i.next; i.next := j; j := i; i := k
done

[Figure: pointer diagram of the cells reachable from i, j and k during the reversal; the animation steps of this slide are omitted]
Loop Invariant of Example II

$(\exists \alpha, \beta.\ \mathrm{list}\ \alpha\ i \wedge \mathrm{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta)$
$\wedge\ \mathrm{list}\ \gamma\ x$
$\wedge\ (\forall k.\ \mathrm{reach}(i,k) \wedge \mathrm{reach}(j,k) \Rightarrow k = \mathrm{nil})$
$\wedge\ (\forall k.\ \mathrm{reach}(x,k) \wedge (\mathrm{reach}(i,k) \vee \mathrm{reach}(j,k)) \Rightarrow k = \mathrm{nil})$

where

$\mathrm{reach}(i,j) \stackrel{\mathrm{def}}{=} \exists n \ge 0.\ \mathrm{reach}^n(i,j)$
$\mathrm{reach}^0(i,j) \stackrel{\mathrm{def}}{=} i = j$
$\mathrm{reach}^{n+1}(i,j) \stackrel{\mathrm{def}}{=} \exists a, k.\ i \mapsto a, k \wedge \mathrm{reach}^n(k,j)$
$\mathrm{list}\ \epsilon\ i \stackrel{\mathrm{def}}{=} i = \mathrm{nil}$
$\mathrm{list}\ (a \cdot \alpha)\ i \stackrel{\mathrm{def}}{=} \exists j.\ i \mapsto a, j \wedge \mathrm{list}\ \alpha\ j$
Related Works: Separation Logic

Separating Conjunction

$P * Q$
Separating Conjunction

$h \models P * Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2.\ h_1 \oplus h_2 = h \wedge h_1 \models P \wedge h_2 \models Q$
Frame Rule

$\dfrac{\{P\}\ C\ \{Q\}}{\{P * F\}\ C\ \{Q * F\}} \quad (\mathrm{mod}(C) \cap \mathrm{fv}(F) = \emptyset)$
Loop Invariant of Example II

Hoare Logic:

$(\exists \alpha, \beta.\ \mathrm{list}\ \alpha\ i \wedge \mathrm{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta)$
$\wedge\ \mathrm{list}\ \gamma\ x$
$\wedge\ (\forall k.\ \mathrm{reach}(i,k) \wedge \mathrm{reach}(j,k) \Rightarrow k = \mathrm{nil})$
$\wedge\ (\forall k.\ \mathrm{reach}(x,k) \wedge (\mathrm{reach}(i,k) \vee \mathrm{reach}(j,k)) \Rightarrow k = \mathrm{nil})$

$\mathrm{reach}(i,j) \stackrel{\mathrm{def}}{=} \exists n \ge 0.\ \mathrm{reach}^n(i,j)$, $\mathrm{reach}^0(i,j) \stackrel{\mathrm{def}}{=} i = j$, $\mathrm{reach}^{n+1}(i,j) \stackrel{\mathrm{def}}{=} \exists a, k.\ i \mapsto a, k \wedge \mathrm{reach}^n(k,j)$
$\mathrm{list}\ \epsilon\ i \stackrel{\mathrm{def}}{=} i = \mathrm{nil}$, $\mathrm{list}\ (a \cdot \alpha)\ i \stackrel{\mathrm{def}}{=} \exists j.\ i \mapsto a, j \wedge \mathrm{list}\ \alpha\ j$

Separation Logic:

$\exists \alpha, \beta.\ \mathrm{list}\ \alpha\ i * \mathrm{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta$

$\mathrm{list}\ \epsilon\ i \stackrel{\mathrm{def}}{=} i = \mathrm{nil}$, $\mathrm{list}\ (a \cdot \alpha)\ i \stackrel{\mathrm{def}}{=} \exists j.\ i \mapsto a, j * \mathrm{list}\ \alpha\ j$

The $*$ between the two lists already says that $i$ and $j$ own disjoint cells, which is what the two $\mathrm{reach}$ conjuncts of the Hoare-logic invariant had to spell out.
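Added example (Python, not code from the slides): the reversal loop of Example II run on a concrete heap, with the separation-logic invariant $\exists \alpha, \beta.\ \mathrm{list}\ \alpha\ i * \mathrm{list}\ \beta\ j \wedge \alpha_0^\dagger = \alpha^\dagger \cdot \beta$ decided at every iteration. The disjointness that $*$ demands is checked directly instead of through $\mathrm{reach}$. A second run adds another list $x$ (the extra list that forces the third and fourth conjuncts in the Hoare-logic version) as a frame and shows what the invariant rejects when $x$ shares a cell with $i$. The heap representation, the function names and the heap layouts are this example's own constructions.

```python
"""Added example (Python), not part of the slides: the reversal loop of
Example II run on a concrete heap, with the separation-logic loop invariant
    exists a, b.  list a i  *  list b j  /\  a0^dagger = a^dagger . b
decided at every iteration.  A heap is a dict {cell: next}, nil is 0.  The
disjointness that '*' requires is checked directly; the Hoare-logic version
had to say the same thing with the extra 'reach' conjuncts.  A second run
adds another list x as a frame and shows what the invariant rejects when x
shares a cell with i.  Heap layouts below are constructed for the example."""

NIL = 0


def list_cells(heap, p):
    """The alpha in 'list alpha p': the cell addresses walked from p to nil.
    Raises if the walk cycles or dangles, because then no alpha exists."""
    cells, seen = [], set()
    while p != NIL:
        if p in seen:
            raise ValueError("cycle at cell %d: not a list" % p)
        if p not in heap:
            raise ValueError("dangling pointer %d" % p)
        seen.add(p)
        cells.append(p)
        p = heap[p]
    return cells


def invariant_holds(heap, i, j, alpha0, frame_roots=()):
    """Decide  (exists a,b. list a i * list b j /\ a0^dagger = a^dagger . b)
    * list g x * ...  on a concrete heap.  '*' means the lists own pairwise
    disjoint cells and together account for the whole heap."""
    lists = [list_cells(heap, p) for p in (i, j, *frame_roots)]
    cells = set().union(*map(set, lists))
    if len(cells) != sum(len(l) for l in lists):   # a cell owned twice
        return False
    if cells != set(heap):                          # unaccounted-for cells
        return False
    a, b = lists[0], lists[1]
    return alpha0[::-1] == a[::-1] + b


def reverse_in_place(heap, i, frame_roots=()):
    """j := nil; while i != nil do k := i.next; i.next := j; j := i; i := k done
    Returns the final j and the invariant's verdict before each test of the
    loop guard (so len(checks) == iterations + 1)."""
    alpha0 = list_cells(heap, i)
    j = NIL
    checks = [invariant_holds(heap, i, j, alpha0, frame_roots)]
    while i != NIL:
        k = heap[i]
        heap[i] = j
        j = i
        i = k
        checks.append(invariant_holds(heap, i, j, alpha0, frame_roots))
    return j, checks


if __name__ == "__main__":
    h = {1: 2, 2: 3, 3: NIL}                  # constructed: i = 1 -> 2 -> 3 -> nil
    print(reverse_in_place(h, 1), list_cells(h, 3))
    h = {1: 2, 2: 3, 3: NIL, 10: 2}           # constructed: x = 10 shares cell 2 with i
    print(reverse_in_place(h, 1, frame_roots=(10,)), list_cells(h, 10))
```

On the disjoint heap every check passes and the final state satisfies $\mathrm{list}\ \alpha_0^\dagger\ j$. On the heap where $x$ points into $i$'s list the invariant fails from the start, and the loop indeed rewrites the tail of $x$'s list: exactly the interference that the separating conjunction (or, in plain Hoare logic, the $\mathrm{reach}(x,k)$ conjunct) rules out.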
Example III

struct node { bool m; struct node *l, *r; };

void mark(struct node *x) {
    if (x == NULL || x->m) return;   /* nil, or already marked */
    struct node *l = x->l;
    struct node *r = x->r;
    x->m = true;
    mark(l);
    mark(r);
}
Frame Rule Application for Trees

$\dfrac{\{\mathrm{tree}(l,\gamma)\}\ \mathrm{mark}(l)\ \{\mathrm{tree}(l,\gamma')\}}{\{x \mapsto 1, l, r * \mathrm{tree}(l,\gamma) * \mathrm{tree}(r,\gamma)\}\ \mathrm{mark}(l)\ \{x \mapsto 1, l, r * \mathrm{tree}(l,\gamma') * \mathrm{tree}(r,\gamma)\}}$

$\mathrm{tree}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r * \mathrm{tree}(l,\gamma) * \mathrm{tree}(r,\gamma)$
Frame Rule Does Not Work

$\{x \mapsto 1, l, r \cup\!* \mathrm{graph}(l,\gamma) \cup\!* \mathrm{graph}(r,\gamma)\}\ \mathrm{mark}(l)\ \{x \mapsto 1, l, r \cup\!* \mathrm{graph}(l,\gamma') \cup\!* \mathrm{graph}(r,\gamma')\}$

The frame rule cannot derive this from $\{\mathrm{graph}(l,\gamma)\}\ \mathrm{mark}(l)\ \{\mathrm{graph}(l,\gamma')\}$: $\mathrm{graph}(r,\gamma)$ may share vertices with $\mathrm{graph}(l,\gamma)$, so it is not a disjoint frame, and $\mathrm{mark}(l)$ changes it.

$\mathrm{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \cup\!* \mathrm{graph}(l,\gamma) \cup\!* \mathrm{graph}(r,\gamma)$

$h \models P \cup\!* Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2, h_3.\ (h_1 \oplus h_2 \oplus h_3 = h) \wedge (h_1 \oplus h_2 \models P) \wedge (h_2 \oplus h_3 \models Q)$
Related Works: Ramification

Ramify Rule

$\dfrac{\{P\}\ C\ \{Q\} \quad R \vdash P * (Q -\!\!* R')}{\{R\}\ C\ \{R'\}} \quad (\mathrm{mod}(C) \cap \mathrm{fv}(Q -\!\!* R') = \emptyset)$

[Figure: heap diagram; $R$ is split into the part $P$ that $C$ acts on and the remainder $Q -\!\!* R'$; after $C$ the $P$ part has become $Q$ and the whole heap satisfies $R'$]

$h \models Q -\!\!* R' \stackrel{\mathrm{def}}{=} \forall h_1, h_2.\ h_1 \oplus h = h_2 \Rightarrow h_1 \models Q \Rightarrow h_2 \models R'$
Related Works: Coq

Mechanism: Coq

Dependent Type Theory + Polymorphism + Higher-Kinded Types
-> Calculus of Constructions
+ Inductive Types -> Calculus of Inductive Constructions
+ Coinductive Types -> Calculus of (Co)inductive Constructions
-> Coq Proof Assistant
Coq

Coq Proof Assistant
Specification language: Gallina
Tactic language: Ltac
Only total functions (must terminate)
Wide applications
Related Works: Mechanized Semantic Library

Separation Algebra

Coq definition of $h_1 \oplus h_2 = h$:

Class Join (t: Type) : Type := join: t -> t -> t -> Prop.

Class Perm_alg (t: Type) {J: Join t} : Type := mkPerm {
  join_eq: forall {x y z z'}, join x y z -> join x y z' -> z = z';
  join_assoc: forall {a b c d e}, join a b d -> join d c e ->
    {f : t & join b c f /\ join a f e};
  join_comm: forall {a b c}, join a b c -> join b a c;
  join_positivity: forall {a a' b b'}, join a a' b -> join b b' a -> a = b
}.
Separation Algebra

$h \models P * Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2.\ h_1 \oplus h_2 = h \wedge h_1 \models P \wedge h_2 \models Q$

Definition of $*$:

Definition sepcon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
  fun h:A => exists h1 h2, join h1 h2 h /\ p h1 /\ q h2.
Formalization of the Ramification Theory: Overlapping Conjunction

Overlapping Conjunction

$h \models P \cup\!* Q \stackrel{\mathrm{def}}{=} \exists h_1, h_2, h_3.\ (h_1 \oplus h_2 \oplus h_3 = h) \wedge (h_1 \oplus h_2 \models P) \wedge (h_2 \oplus h_3 \models Q)$

Coq definition:

Definition ocon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
  fun h:A => exists h1 h2 h3 h12 h23,
    join h1 h2 h12 /\ join h2 h3 h23 /\ join h12 h3 h /\ p h12 /\ q h23.
Formalization of the Ramification Theory: Ramification Library

Ramification Library (Lemma 4.1 to Lemma 4.6)

$\dfrac{\mathrm{precise}(P, Q) \quad P \cup\!* R \vdash P * (Q -\!\!* Q \cup\!* R')}{(P * F) \cup\!* R \vdash P * (Q -\!\!* (Q * F) \cup\!* R')}$

$\dfrac{\mathrm{precise}(P) \quad R \vdash P * (Q -\!\!* R')}{(P * F) \wedge R \vdash P * (Q -\!\!* (Q * F) \wedge R')}$

$\ldots$

$\dfrac{R \vdash P * (P' -\!\!* R') \quad S \vdash Q * (Q' -\!\!* S')}{R * S \vdash P * Q * (P' * Q' -\!\!* R' * S')}$

$\dfrac{\mathrm{precise}(P, P') \quad \forall i.\ P \cup\!* Q_i \vdash P * (P' -\!\!* P' \cup\!* Q_i')}{P \cup\!* Q_1 \cup\!* Q_2 \vdash P * (P' -\!\!* P' \cup\!* Q_1' \cup\!* Q_2')}$

where

$h_1 \subseteq h_3 \stackrel{\mathrm{def}}{=} \exists h_2.\ h_1 \oplus h_2 = h_3$
$\mathrm{precise}(P) \stackrel{\mathrm{def}}{=} \forall h_1, h_2, h_3.\ h_1 \subseteq h_3 \Rightarrow h_2 \subseteq h_3 \Rightarrow h_1 \models P \Rightarrow h_2 \models P \Rightarrow h_1 = h_2$
Custom Tactics (10 tactics)

Ltac try_join h1 h2 h1h2 :=
  let helper m1 m2 m1m2 :=
    match goal with
    | [H1: join _ m1 ?X, H2: join ?X m2 _ |- _] =>
        destruct (join_assoc H1 H2) as [m1m2 [? ?]]
    | [H1: join m1 _ ?X, H2: join ?X m2 _ |- _] =>
        destruct (join_assoc (join_comm H1) H2) as [m1m2 [? ?]]
    | [H1: join _ m1 ?X, H2: join m2 ?X _ |- _] =>
        destruct (join_assoc H1 (join_comm H2)) as [m1m2 [? ?]]
    | [H1: join m1 _ ?X, H2: join m2 ?X _ |- _] =>
        destruct (join_assoc (join_comm H1) (join_comm H2)) as [m1m2 [? ?]]
    end
  in helper h1 h2 h1h2 || helper h2 h1 h1h2.
Formalization of Graphs: Mathematical Graphs

Mathematical Graphs

Class PreGraph (Vertex: Type) Data {EV : EqDec Vertex} := {
  valid : Vertex -> Prop;
  node_label : Vertex -> Data;
  edge_func : Vertex -> list Vertex
}.

$\mathrm{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \cup\!* \mathrm{graph}(l,\gamma) \cup\!* \mathrm{graph}(r,\gamma)$
Mathematical Graphs

Class MathGraph (Vertex : Type) Data (nV : Vertex) {EV : EqDec Vertex} := {
  m_pg :> PreGraph Vertex Data;
  valid_graph: forall x, valid x -> forall y, In y (edge_func x) -> y = nV \/ valid y;
  valid_not_null: forall x, valid x -> x <> nV
}.

$\mathrm{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \cup\!* \mathrm{graph}(l,\gamma) \cup\!* \mathrm{graph}(r,\gamma)$
Mathematical Graphs

Class BiGraph (Vertex Data: Type) {EV : EqDec Vertex} := {
  b_pg :> PreGraph Vertex Data;
  only_two_neighbours : forall v: Vertex,
    {v1: Vertex & {v2 : Vertex | edge_func v = v1 :: v2 :: nil}}
}.

$\mathrm{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \cup\!* \mathrm{graph}(l,\gamma) \cup\!* \mathrm{graph}(r,\gamma)$
Mathematical Graphs

Class BiMathGraph (Vertex Data : Type) (nV : Vertex) {EV : EqDec Vertex} := {
  bm_bi :> BiGraph Vertex Data;
  bm_ma :> MathGraph Vertex Data nV;
  pg_the_same: m_pg = b_pg
}.
Lemmas about Mathematical Graphs

Lemma finite_reachable_computable: forall (mg : MathGraph V D null) x l,
  valid x -> (forall y, reachable m_pg x y -> In y l) ->
  exists l', reachable_list m_pg x l' /\ NoDup l'.

Definition reachable_list (pg : PreGraph V D) (x : V) (L : list V) : Prop :=
  valid x /\ forall y, In y L <-> reachable pg x y.
It is Extremely Hard

We essentially need to determine a list of the reachable vertices in a graph. Obvious idea: BFS.

Constructing BFS is hard. It could go into a loop, which is why BFS must track already-visited nodes. The graph could have infinitely many nodes, which is why BFS must take an upper-bound argument (a computer's memory is finite). Coq does not support general recursion.

It is still hard to prove that the result of BFS is the whole reachable set. When BFS reaches an already-visited node, how do we know it will not forget about its children? When BFS terminates, there are two situations to prove. Reachable nodes are those nodes with a path, and the exploration path and the given path need not be at all similar.
Formalization of Graphs: Spatial Graphs

Spatial Graphs

$\mathrm{graph}(x,\gamma) \stackrel{\mathrm{def}}{=} (x = 0 \wedge \mathrm{emp}) \vee \exists d, l, r.\ \gamma(x) = (d, l, r) \wedge x \mapsto d, l, r \cup\!* \mathrm{graph}(l,\gamma) \cup\!* \mathrm{graph}(r,\gamma)$
Recursive Predicates

$P(x) = \ldots x \ldots P \ldots$

$F(p) = \lambda x.\ (\ldots x \ldots p \ldots)$ and $P = \mu F$

$P(x) = (\mu F)(x) = F(\mu F)(x) = F(P)(x) = (\ldots x \ldots P \ldots)$
Covariant and Contractive Predicates

Covariant predicates: Tarski's fixed point for order-preserving functions.
Contractive predicates: indirection theory, i.e. step-indexed recursion.
Spatial Graphs: First Attempt (strategy proposed in HV)

Definition graph_fun (Q: adr -> pred world) (x: adr) :=
  (!!(x = 0) && emp) ||
  (EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
     graph_node x d l r ∪* ((Q l) ∪* (Q r))).
Definition graph := corec graph_fun.
Spatial Graphs: First Attempt (strategy proposed in HV)

Lemma 4.7: $\mathrm{graph}(x,\gamma)\ \dashv\vdash\ \mathrm{iter\_sepcon}\ \mathrm{reach}(\gamma, x)\ (\lambda x.\ x \mapsto \gamma(x))$

$\mathrm{iter\_sepcon}\ \{a_1, a_2, \ldots, a_n\}\ p \stackrel{\mathrm{def}}{=} p(a_1) * p(a_2) * \cdots * p(a_n)$
Spatial Graphs: Second Attempt

Definition graph_fun (Q: adr -> pred world) (x: adr) :=
  (!!(x = 0) && emp) ||
  (EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
     graph_node x d l r ∪* ((|> Q l) ∪* (|> Q r))).
Definition graph := HORec graph_fun.
Spatial Graphs: Second Attempt

Lemma 4.8: $\forall x, \gamma.\ \mathrm{precise}(\mathrm{graph}(x,\gamma))$

This problem seems to have been lurking in this style of recursion for 5 to 10 years.
Spatial Graphs: Second Attempt

Lemma 4.8 does not go through with this definition: it is not true that $\forall P.\ \mathrm{precise}(\triangleright P)$, and the recursive occurrences of the second attempt sit under $\triangleright$.
Spatial Graphs: Third Attempt

Lemma 4.7: $\mathrm{graph}(x,\gamma)\ \dashv\vdash\ \mathrm{iter\_sepcon}\ \mathrm{reach}(\gamma, x)\ (\lambda x.\ x \mapsto \gamma(x))$

Definition graph (x : adr) (bimg : @BiMathGraph adr nat 0 natEqDec) : pred world :=
  (!!(x = 0) && emp) ||
  EX l : list adr, !!reachable_list b_pg x l && iter_sepcon l (graph_cell bm_bi).
Spatial Graphs: Third Attempt

Lemma graph_unfold: forall x g,
  graph x g = (!!(x = 0) && emp) ||
    EX d:nat, EX l:adr, EX r:adr, !!(gamma bm_bi x = (d, l, r) /\ valid x) &&
      (trinode x d l r ∪* graph l g ∪* graph r g).
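Added example (Python, not part of the slides or of the Coq development) that serves four passages above: the Ramify rule, the "Frame Rule Does Not Work" slide, the BFS discussion under "It is Extremely Hard", and the third-attempt graph definition. It is a finite model of $*$, $\cup\!*$ and $-\!\!*$ on concrete heaps (a heap is a set of address/cell pairs, a predicate the set of heaps satisfying it), a fuel-bounded BFS for the reachable list, and $\mathrm{graph}(x,\gamma)$ as $\mathrm{iter\_sepcon}$ over that list. It then checks, for $\mathrm{mark}(l)$ on a constructed three-vertex graph whose left and right subgraphs share a vertex, that no disjoint split exists for the frame rule while $R \vdash P * (Q -\!\!* R')$ holds. Graph shape, addresses and all function names are the example's own assumptions.

```python
"""Added example (Python), not part of the slides or the Coq development: a
finite model of *, U* (overlapping conjunction) and -* on concrete heaps, used
to check R |- P * (Q -* R') for mark(l) on a graph whose l and r subgraphs
share a vertex.  A heap is a frozenset of (address, (mark, l, r)) pairs and a
predicate is the finite set of heaps satisfying it.  graph(x) follows the third
attempt: iter_sepcon over a reachable list computed by fuel-bounded BFS."""
from collections import deque

NIL = 0


def join(h1, h2):
    """h1 (+) h2; None when the domains overlap (the join is partial)."""
    if {a for a, _ in h1} & {a for a, _ in h2}:
        return None
    return h1 | h2


def compatible(h1, h2):
    """Overlap is allowed only where both heaps hold the same cell."""
    d1, d2 = dict(h1), dict(h2)
    return all(d1[a] == d2[a] for a in d1.keys() & d2.keys())


def sepcon(P, Q):
    """h |= P * Q  iff  exists h1 h2. h1 (+) h2 = h, h1 |= P, h2 |= Q."""
    return {join(hp, hq) for hp in P for hq in Q if join(hp, hq) is not None}


def ocon(P, Q):
    """h |= P U* Q: a P-heap and a Q-heap that agree on their shared part h2."""
    return {hp | hq for hp in P for hq in Q if compatible(hp, hq)}


def ramify(R, P, Q, R1):
    """R |- P * (Q -* R'): every h |= R splits as hp (+) hw, hp |= P, such that
    every hq |= Q that joins with hw gives hq (+) hw |= R' (the -* definition)."""
    for h in R:
        if not any(all(join(hq, h - hp) in R1 for hq in Q
                       if join(hq, h - hp) is not None)
                   for hp in P if hp <= h):
            return False
    return True


def reachable_list(g, x, fuel=None):
    """Bounded BFS over edge_func g[v] = (mark, l, r): the NoDup list of vertices
    reachable from x, or None when fuel runs out.  The visited set stops cycles;
    the fuel bound is what makes the function total for Coq."""
    fuel = len(g) if fuel is None else fuel
    if x == NIL:
        return []
    seen, order, todo = {x}, [], deque([x])
    while todo:
        if fuel == 0:
            return None
        fuel -= 1
        v = todo.popleft()
        order.append(v)
        for w in g[v][1:]:                 # valid_graph: neighbours are nil or valid
            if w != NIL and w not in seen:
                seen.add(w)
                todo.append(w)
    return order


def graph(g, x):
    """graph(x, gamma) = iter_sepcon of v |-> gamma(v) over the reachable list;
    exactly one heap satisfies it, so the predicate is precise."""
    return {frozenset((v, g[v]) for v in reachable_list(g, x))}


def mark_all(g, x):
    """gamma' after mark(x) has run: every vertex reachable from x is marked."""
    g2 = dict(g)
    for v in reachable_list(g, x):
        g2[v] = (True,) + g[v][1:]
    return g2


def demo():
    # Constructed graph 1 -> (2, 3), 2 -> (3, nil), 3 -> (nil, nil): vertex 3 is
    # in both graph(2) (the l subgraph) and graph(3) (the r subgraph).
    g = {1: (False, 2, 3), 2: (False, 3, NIL), 3: (False, NIL, NIL)}
    g_x = {**g, 1: (True, 2, 3)}             # mark(1) has set x->m and calls mark(l)
    g_after = mark_all(g_x, 2)               # state after mark(l) returns
    node_x = {frozenset({(1, g_x[1])})}      # x |-> 1, l, r
    P, Q = graph(g_x, 2), graph(g_after, 2)  # {graph(l,gamma)} mark(l) {graph(l,gamma')}
    R = ocon(node_x, ocon(graph(g_x, 2), graph(g_x, 3)))
    R1 = ocon(node_x, ocon(graph(g_after, 2), graph(g_after, 3)))
    return {
        "sepcon_empty": sepcon(graph(g_x, 2), graph(g_x, 3)) == set(),  # nothing to frame
        "ocon_is_whole_heap": R == {frozenset(g_x.items())},
        "frame_with_graph_r": R <= sepcon(P, ocon(node_x, graph(g_x, 3))),  # frame overlaps P
        "ramify": ramify(R, P, Q, R1),
        "reach": reachable_list(g, 1),
        "fuel_exhausted": reachable_list(g, 1, fuel=1) is None,
    }
```

`demo()` reports that $\mathrm{graph}(l,\gamma) * \mathrm{graph}(r,\gamma)$ has no model on this heap (the shared vertex cannot be split), that $x \mapsto 1,l,r \cup\!* \mathrm{graph}(r,\gamma)$ is not a usable frame for $\{\mathrm{graph}(l,\gamma)\}\ \mathrm{mark}(l)\ \{\mathrm{graph}(l,\gamma')\}$ because it overlaps $P$, and that the ramification entailment nevertheless holds: the wand $Q -\!\!* R'$ describes the leftover part of the heap without naming it as a separate predicate. The BFS with `fuel=1` returns `None` on the same graph, which is the totality concession the slides describe.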
Succeed

Lemma 4.14:

$\dfrac{\mathrm{reach}(\gamma', S_1') \subseteq \mathrm{reach}(\gamma, S_1) \quad \gamma' \setminus S_1' = \gamma \setminus S_1}{\mathrm{graphs}(S_1,\gamma) \cup\!* \mathrm{graphs}(S_2,\gamma) \vdash \mathrm{graphs}(S_1,\gamma) * (\mathrm{graphs}(S_1',\gamma') -\!\!* \mathrm{graphs}(S_1',\gamma') \cup\!* \mathrm{graphs}(S_2,\gamma'))}$

$\mathrm{graphs}\ \{x_1, x_2, \ldots, x_n\}\ \gamma = \mathrm{graph}(x_1,\gamma) \cup\!* \mathrm{graph}(x_2,\gamma) \cup\!* \cdots \cup\!* \mathrm{graph}(x_n,\gamma)$
Summary

Lemmas and theorems in the paper: 13
Lemmas and theorems in Coq source code: 250
Definitions in Coq source code: 106
Lines in Coq source code (dense): 3996
Thank you!
Outline
Overview
Related Works: Hoare Logic; Separation Logic; Ramification; Coq; Mechanized Semantic Library
Formalization of the Ramification Theory: Overlapping Conjunction; Ramification Library
Formalization of Graphs: Mathematical Graphs; Spatial Graphs
Summary