Comparing a Formal Proof · 2019-10-22 · Comparing a Formal Proof in Why3, Coq, Isabelle...


Comparing a Formal Proof in Why3, Coq, Isabelle

Jean-Jacques Lévy

18-10-2019, LaMHA + LTP workshop day

Motivation

… joint work with Ran Chen, Cyril Cohen, Stephan Merz, Laurent Théry

• formal proofs have to be checked by computer

• how to publish formal proofs?

• to be fully published in articles or journals

• nice algorithms should have simple formal proofs

• algorithms on graphs = a good testbed (better than )

http://www-sop.inria.fr/marelle/Tarjan/contributions.html

VSTTE 2017, ITP 2019

Strongly connected components

Tarjan, 1972: a one-pass linear-time algorithm

• x and y are strongly connected if there exists a path from x to y and a path from y to x

• an SCC is a maximal set of vertices in which each pair is strongly connected

• depth-first search algorithm tracking the bases of SCCs

• vertices are pushed on a stack in order of their visit and popped when the base of an SCC is found

[figure: an example graph on vertices 0–9, its DFS spanning forest, and the contents of the stack as the search proceeds]

a vertex x is a base when

Functional programming

Program

Proof

Invariants

(1) consistent colors

(2) consistent numbering

(3) vertices pairwise distinct in stack

(4) no edge from black to white

(5) in stack any vertex reaches any higher vertex

(6) in stack any vertex reaches a gray lower vertex

(7) the sccs field is the set of black SCCs

[figure: the invariants illustrated on two stack states, 1 2 3 4 8 9 and 1 2 3 4 5 6 7]

Why3 Proof

Pre/Post-conditions

[code figure: the Why3 specification, with the LOWLINK block bracketed]

Assertions

Assertions: completeness

Completeness proved in Coq

• 3 cases on y’
  • y’ in sccs
  • y’ is a white vertex
  • y’ in s3

dfs (successors x)

http://jeanjacqueslevy.net/why3/graph/abs/scct/1-68/scc.html

Assertions

+ 2 Coq proofs (16 loc + 141 loc)

Coq Proof

Functions

Record env := Env {
  black : {set V};
  stack : seq V;
  sccs  : {set {set V}};
  sn    : nat;
  num   : {ffun V -> nat}
}.

Definition dfs1 dfs x e :=
  let: (n1, e1) := dfs [set y in successors x] (add_stack x e) in
  if n1 < sn e then (n1, add_black x e1) else (infty, add_sccs x e1).

Definition dfs dfs1 dfs' r e :=
  if [pick x in r] isn't Some x then (infty, e) else
  let r' := r :\ x in
  let: (n1, e1) := if num e x != 0 then (num e x, e) else dfs1 x e in
  let: (n2, e2) := dfs' r' e1 in
  (minn n1 n2, e2).

Fixpoint tarjan_rec n :=
  if n is n1.+1 then dfs (dfs1 (tarjan_rec n1)) (tarjan_rec n1)
  else fun r e => (infty, e).

Let N := #|V| * #|V|.+1 + #|V|.

Definition tarjan := sccs (tarjan_rec N setT e0).2.
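The Coq definitions above leave add_stack, add_black and add_sccs unshown, and the Invariants slide states what must hold between calls. The following Python is an added example (mine, not code from the talk or from the Why3/Coq/Isabelle developments) that runs the same dfs1/dfs recursion on a small constructed graph and asserts invariants (1)–(7) after every dfs1 call. The helper bodies, check_invariants and the sample graph are assumptions; in particular it assumes add_sccs sets num of the popped vertices to infinity, the way the Isabelle set_infty does.

```python
"""Tarjan's SCC algorithm in the shape of the Coq dfs1/dfs definitions above,
with the seven invariants of the 'Invariants' slide checked at runtime.
Added illustration, not code from the talk or its Why3/Coq/Isabelle sources.
Env mirrors the Coq record; add_stack/add_black/add_sccs, check_invariants and
the sample graph are my own guesses at helpers the slides do not show
(ASSUMPTION: add_sccs sets num of popped vertices to infinity, like set_infty)."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Set, Tuple

INFTY = float("inf")          # stands in for the Coq `infty`
Graph = Dict[int, Set[int]]   # vertex -> set of successors

@dataclass(frozen=True)
class Env:
    black: FrozenSet[int]
    stack: Tuple[int, ...]          # stack[0] is the top (latest push)
    sccs: FrozenSet[FrozenSet[int]]
    sn: int                         # next serial number to hand out
    num: Dict[int, float]           # 0 = white, finite = numbered, inf = popped

def add_stack(x: int, e: Env) -> Env:
    """Push x, give it the current serial number sn e, and bump sn."""
    return replace(e, stack=(x,) + e.stack, sn=e.sn + 1, num={**e.num, x: e.sn})

def add_black(x: int, e: Env) -> Env:
    """x is finished but not a base: it stays on the stack, coloured black."""
    return replace(e, black=e.black | {x})

def add_sccs(x: int, e: Env) -> Env:
    """x is a base: pop the stack down to x and record the popped set as an SCC."""
    i = e.stack.index(x)
    popped, rest = e.stack[: i + 1], e.stack[i + 1:]
    return replace(e, black=e.black | {x}, stack=rest,
                   sccs=e.sccs | {frozenset(popped)},
                   num={**e.num, **{v: INFTY for v in popped}})

def dfs1(g: Graph, x: int, e: Env) -> Tuple[float, Env]:
    """Visit the white vertex x; return (lowlink contribution, new env)."""
    n1, e1 = dfs(g, set(g[x]), add_stack(x, e))
    # sn e is exactly num x, so n1 < sn e means x reaches a vertex pushed earlier
    res = (n1, add_black(x, e1)) if n1 < e.sn else (INFTY, add_sccs(x, e1))
    check_invariants(g, res[1])
    return res

def dfs(g: Graph, roots: Set[int], e: Env) -> Tuple[float, Env]:
    """Visit every root in turn; the Coq `pick` is replaced by min() for determinism."""
    if not roots:
        return INFTY, e
    x = min(roots)
    n1, e1 = (e.num[x], e) if e.num[x] != 0 else dfs1(g, x, e)
    n2, e2 = dfs(g, roots - {x}, e1)
    return min(n1, n2), e2

def tarjan(g: Graph) -> FrozenSet[FrozenSet[int]]:
    e0 = Env(frozenset(), (), frozenset(), 1, {v: 0 for v in g})
    return dfs(g, set(g), e0)[1].sccs

def reaches(g: Graph, src: int, dst: int) -> bool:
    seen, todo = set(), [src]
    while todo:
        v = todo.pop()
        if v == dst:
            return True
        if v not in seen:
            seen.add(v)
            todo.extend(g[v])
    return False

def true_sccs(g: Graph) -> Set[FrozenSet[int]]:
    """Reference SCCs by pairwise mutual reachability (quadratic, for checking only)."""
    return {frozenset(w for w in g if reaches(g, v, w) and reaches(g, w, v)) for v in g}

def check_invariants(g: Graph, e: Env) -> None:
    white = {v for v in g if e.num[v] == 0}
    popped = set().union(*e.sccs)
    gray = [v for v in e.stack if v not in e.black]
    nums = [e.num[v] for v in e.stack]
    # (1) consistent colours: white / on stack / popped partition V, popped is black
    assert white | set(e.stack) | popped == set(g) and popped <= e.black
    assert white.isdisjoint(e.stack) and popped.isdisjoint(e.stack)
    # (2) consistent numbering: finite, strictly decreasing from the top, below sn
    assert all(0 < n < e.sn for n in nums) and all(a > b for a, b in zip(nums, nums[1:]))
    assert all(e.num[v] == INFTY for v in popped)
    # (3) vertices pairwise distinct in stack
    assert len(set(e.stack)) == len(e.stack)
    # (4) no edge from black to white
    assert all(g[b].isdisjoint(white) for b in e.black)
    # (5) in stack any vertex reaches any higher (later pushed) vertex
    assert all(reaches(g, e.stack[i], e.stack[j])
               for i in range(len(e.stack)) for j in range(i))
    # (6) in stack any vertex reaches a gray vertex with a lower (or equal) number
    assert all(any(e.num[h] <= e.num[v] and reaches(g, v, h) for h in gray) for v in e.stack)
    # (7) sccs is exactly the set of SCCs whose vertices are all black
    assert e.sccs == {s for s in true_sccs(g) if s <= e.black}

# Constructed sample graph: SCCs {0,1,2}, {3}, {4,5}
SAMPLE_GRAPH: Graph = {0: {1}, 1: {2, 4}, 2: {0, 3}, 3: set(), 4: {5}, 5: {4}}
```

Calling tarjan(SAMPLE_GRAPH) returns the three SCCs; an assertion failing inside check_invariants pinpoints which of the seven invariants a modified algorithm breaks, which is the same information the proof obligations carry in the Why3 and Coq versions.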

Proof

Definition dfs_correct (dfs : {set V} -> env -> nat * env) r e :=
  pre_dfs r e -> let (n, e') := dfs r e in post_dfs r e e' n.

Definition dfs1_correct (dfs1 : V -> env -> nat * env) x e :=
  (x \in white e) -> pre_dfs [set x] e ->
  let (n, e') := dfs1 x e in post_dfs [set x] e e' n.

Lemma dfs_is_correct dfs1' dfs' (r : {set V}) e :
  (forall x, x \in r -> dfs1_correct dfs1' x e) ->
  (forall x, x \in r -> forall e1, white e1 \subset white e ->
     dfs_correct dfs' (r :\ x) e1) ->
  dfs_correct (dfs dfs1' dfs') r e.

Lemma dfs1_is_correct dfs' (x : V) e :
  dfs_correct dfs' [set y | edge x y] (add_stack x e) ->
  dfs1_correct (dfs1 dfs') x e.

Theorem tarjan_rec_terminates n r e :
  n >= #|white e| * #|V|.+1 + #|r| ->
  dfs_correct (tarjan_rec n) r e.
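Why the fuel bound in tarjan_rec_terminates is enough, as an added explanation that is not on the slides: write $\mu(r,e)$ for the quantity in the hypothesis and check that every recursive call made by dfs (and by dfs1 inside it) receives a strictly smaller $\mu$, so fuel $n \ge \mu(r,e)$ never runs out.

$$\mu(r,e) \;=\; \#|\mathrm{white}\,e| \cdot (\#|V|+1) \;+\; \#|r|$$

For `dfs r e` with the picked $x \in r$ and $r' = r \setminus \{x\}$:

1. $x$ already numbered: the call `dfs' r' e` has $\mu(r',e) = \mu(r,e) - 1$.

2. $x$ white: `dfs1 x e` calls `dfs (successors x) (add_stack x e)`. Since `add_stack` removes $x$ from the white set and $\#|\mathrm{successors}\,x| \le \#|V|$,
$$\mu(\mathrm{successors}\,x,\ \mathrm{add\_stack}\,x\,e) \;\le\; (\#|\mathrm{white}\,e| - 1)(\#|V|+1) + \#|V| \;=\; \#|\mathrm{white}\,e|\,(\#|V|+1) - 1 \;\le\; \mu(r,e) - 2,$$
using $\#|r| \ge 1$ because $x \in r$.

3. The second call `dfs' r' e1` has `white e1 \subset white e` (the hypothesis in dfs_is_correct), so $\mu(r',e_1) \le \mu(r,e) - 1$.

Since `tarjan_rec n` hands `tarjan_rec n1` with $n_1 = n - 1$ to both sub-calls, $n \ge \mu(r,e)$ gives $n_1 \ge \mu$ of each sub-call, which is the induction step. At the top level $\mathrm{white}\,e_0 = V$ and $r = $ `setT`, so $\mu = \#|V|\,(\#|V|+1) + \#|V| = N$, exactly the fuel used in the definition of tarjan.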

Another Coq proof

• Coq with Ssreflect + Mathematical Components

Another Coq proof

[figure: the colours are encoded in num; labels: stack e, white, sccs; ranges: num[x] = ∞ + 1, num[x] = ∞, 0 ≤ num[x] < ∞]

Isabelle/HOL Proof

function (domintros) dfs1 and dfs where
  dfs1 x e =
    (let (n1, e1) = dfs (successors x) (add_stack_incr x e) in
     if n1 < int (sn e) then (n1, add_black x e1)
     else (let (l, r) = split_list x (stack e1) in
           (+∞, (| black = insert x (black e1), gray = gray e, stack = r, sn = sn e1,
                  sccs = insert (set l) (sccs e1), num = set_infty l (num e1) |))))
| dfs roots e =
    (if roots = {} then (+∞, e)
     else (let x = SOME x . x ∈ roots;
               res1 = (if num e x ≠ -1 then (num e x, e) else dfs1 x e);
               res2 = dfs (roots - {x}) (snd res1)
           in (min (fst res1) (fst res2), snd res2)))

theorem dfs1_dfs_termination:
  ⟦x ∈ vertices - colored e; colored_num e⟧ ⟹ dfs1_dfs_dom (Inl(x, e))
  ⟦r ⊆ vertices; colored_num e⟧ ⟹ dfs1_dfs_dom (Inr(r, e))

theorem dfs_partial_correct:
  ⟦dfs1_dfs_dom (Inl(x, e)); dfs1_pre x e⟧ ⟹ dfs1_post x e (dfs1 x e)
  ⟦dfs1_dfs_dom (Inr(r, e)); dfs_pre r e⟧ ⟹ dfs_post r e (dfs r e)

definition colored_num where
  colored_num e ≡ ∀v ∈ colored e. v ∈ vertices ∧ num e v ≠ -1

theorem dfs_correct:
  dfs1_pre x e ⟹ dfs1_post x e (dfs1 x e)
  dfs_pre r e ⟹ dfs_post r e (dfs r e)

Conclusion

Why3 - Coq - Isabelle

… other systems ?

                        why3     coq      isabelle/HOL
  expressivity          -        ++       +
  readability           +++      -        +
  stability             -        +++      +
  ease of use           -        -        -
  automation            ++       -        +
  partial correctness   +++      -        - -
  code extraction       ++       +        -
  trusted base          -        +++      +++
  # lines auto          392      0        ? (314 ui)
  # lines manual        157      1535     1690

http://www-sop.inria.fr/marelle/Tarjan/contributions.html

Todo list


• other algorithms (biconnected, planarity, minimum spanning tree)

• proof of implementation

• teaching