Section: New Results

Formalisation work

Participants : Jean-Jacques Lévy, Daniel de Rauglaudre.

Proofs of algorithms on graphs

Jean-Jacques Lévy and Chen Ran (a PhD student of the Institute of Software, Beijing, visiting the Toccata team 9 months until April 2017) pursue their work about formal proofs of algorithms. Their goal is to provide proofs of algorithms which ought to be both checked by computer and easily human readable. If these kinds of proofs exist for algorithms on inductive structures or recursive algorithms on arrays, they seem less easy to design for combinatorial structures such as graphs. In 2016, they completed proofs for algorithms computing the strongly connected components in graphs. There are mainly two algorithms: one by Kosaraju (1978) working in two phases (some formal proofs of it have already been achieved by Pottier with Coq and by Théry and Gonthier with Coq-SSReflect), one by Tarjan (1972) working in a single pass.

Their proofs use a first-order logic with definitions of inductive predicates. This logic is the one defined in the Why3 system (research-team Toccata, Saclay). They widely use automatic provers interfaced with Why3. A minor part of these proofs is also achieved in Coq. The difficulty of this approach is to combine automatic provers and intuitive design.

In 2017, the same proofs were fully completed in Coq-ssreflect by Cohen and Théry, and in Isabelle-HOL by Merz, both proofs with the assistance of J.-J. Lévy. A Fstar proof is also under development. These proofs are between a factor 4 to 8 in length with respect to the initial Why3 proofs, but more importantly they look less human readable, mainly because of the absence of automatic deduction and several technicalities about termination.

Part of this work (Tarjan 1972) was presented at JFLA 2017 in Gourette [41]. A more comprehensive version was presented at the VSTTE 2017 conference in Heidelberg [37]. Scripts of proofs can be found at http://jeanjacqueslevy.net/why3.

Banach-Tarski Paradox

Banach-Tarski Paradox states that, if we admit the axiom of choice, a sphere is equidecomposable into two spheres identical to the initial one. The equidecomposability is a property of geometric objects: two objects (sets) are equidecomposable if they can be partitioned into a same finite number of sets, and each set of the first object is mapped to a set of the second object by only rotations and translations. In other words, one breaks the first object into a finite number of pieces, and with them, one reconstructs the second object. Its pen and paper proof was done in 1924 by Banach and Tarski.

The formal proof was completed this year by Daniel de Rauglaudre, after 9 months, with a result of about 10000 lines of Coq. A paper about it was published in JFR (Journal of Formalized Reasoning) [35].

Univalence for Free

Together with E. Tanter at Inria Chile and N. Tabareau at Inria Nantes, Matthieu Sozeau developed the theory and implementation of an ad-hoc version of univalence. This axiom at the basis of Homotopy Type Theory morally says that all constructions of type theory are invariant under equivalence, which for programming purposes means invariance by isomorphism. Using a carefuly designed variant of the parametriciy translation for type theory, they can show that indeed all type constructors of type theory, except indexed inductive types with non-hset indices respect univalence. In practice, this leads to a type-class based framework for constructing the proofs that values of a given type do indeed transport equivalences/isomorphisms correctly, relying on univalence itself only for universes and in well-delimited places. An article about this work is in revision [57].

Certified compilation and meta-programming

Matthieu Sozeau participates to the CertiCoq project (https://www.cs.princeton.edu/~appel/certicoq) whose aim is to verify a compiler for the Coq programming language down to CompCert C-light which provides itself a certified compilation path to assembly language. The compiler can already be run and most phases are proven correct. As part of this work, Matthieu Sozeau took the lead of the Template-Coq library development originally developed by Gregory Malecha and extended it. Template-Coq provides quoting and unquoting facilities for Coq's kernel syntax and environment to Coq, allowing to reason on the actual definitions checked by the Coq system in Coq itself. For CertiCoq, the quoted type of Coq terms corresponds to its frontend language. The plugin can however be used in many other ways, notably to implement certified syntactic translations from Coq (or extended theories) to Coq, and to develop plugins to the Coq system in Coq itself. Together with Nicolas Tabareau and Simon Boulier in Nantes and Abhishek Anand at Cornell University, they are developing a general plugin for certified meta-programming in the system. It will be presented at CoqPL'18 [42]. Matthieu Sozeau worked in particular on reimplementing the basic typing and conversion algorithms of Coq inside Coq itself, providing a mechanised specification of the implementation of the system that can be used to verify arbitrarily large parts of it. The type inference algorithm developed there is also useful to help writting program translations on the “forgetful” kernel syntax.