the power of parameterization in coinductive proof · the power of parameterization in coinductive...

The Power of Parameterization

in Coinductive Proof

Chung-Kil Hur Microsoft Research Cambridge

Georg Neis, Derek Dreyer, Viktor Vafeiadis

MPI-SWS

POPL 2013

23 Jan 2013

1

Two Principles for Coinduction

• Tarski’s Fixed Point Theorem

+ Simple & Robust

- Inconvenient to use

• Syntactically Guarded Coinduction

- Complex & Fragile due to “Guardedness Checking”

+ More convenient to use

2

Our Contribution

• Parameterized Coinduction

+ Simple & Robust + Most convenient to use

3

Our Contribution

• Parameterized Coinduction

+ Simple & Robust + Most convenient to use

3

Key Idea

Semantic Guardedness

Previous Approaches

Tarski’s Fixed Point Theorem Syntactically Guarded Coinduction

Our Approach

Parameterized Coinduction

Talk Outline

4

Example of Recursively Defined Set:

Divergent Nodes in STS

5

𝑈

a b

c

f e d

g

h



5

𝑈

a b

c

f e d

Div = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ Div }

g

h



5

𝑈

a b

c

f e d

Div = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ Div } Div = 𝑓(Div) where

𝑓 𝑆

g

h

𝑆



5

𝑈

a b

c

f e d


𝑓 𝑆

g

h

(Tarski’s Theorem) 𝜈𝑓 is the greatest solution of 𝑋 = 𝑓(𝑋)

For 𝑓 ∶ ℘ 𝑈 → ℘ 𝑈 , mon

𝑆



5

𝑈

a b

c

f e d


𝑓 𝑆

g

h

(Tarski’s Theorem) 𝜈𝑓 is the greatest solution of 𝑋 = 𝑓(𝑋)

𝑆 is consistent

𝜈𝑓 = ⋃ 𝑆 𝑆 ⊆ 𝑓 𝑆 }

For 𝑓 ∶ ℘ 𝑈 → ℘ 𝑈 , mon

𝑆

Tarski’s Principle

6

𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

𝑈 𝜈𝑓

(Tarski’s Principle)

𝑋 ⊆ 𝜈𝑓 𝑋


6

𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

𝑈 𝜈𝑓

𝑆


𝑋 ⊆ 𝜈𝑓

∃ 𝑆. 𝑋 ⊆ 𝑆

𝑋


6

𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

𝑈 𝜈𝑓

𝑆 𝑓


𝑋 ⊆ 𝜈𝑓

∃ 𝑆. 𝑋 ⊆ 𝑆 ∧ 𝑆 ⊆ 𝑓(𝑆)

𝑋


6

𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

𝑈 𝜈𝑓

𝑆 𝑓


𝑋 ⊆ 𝜈𝑓

∃ 𝑆. 𝑋 ⊆ 𝑆 ∧ 𝑆 ⊆ 𝑓(𝑆)

𝑋

Sound by Definition: 𝜈𝑓 = ⋃ 𝑆 𝑆 ⊆ 𝑓 𝑆 }

h

Tarski Principle: Example

7

𝑈

𝜈𝑓

a b

c

f e d

g

𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }

h


7

𝑈

𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓 g

𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }

h


7

𝑈

𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓 g

𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }

c ⊆ 𝑓 c = ∅

h


7

𝑈

𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

c ⊆ {c, b, d}

g

𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }

h


7

𝑈

𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

c, b, d ⊆ 𝑓( c, b, d )

c ⊆ {c, b, d}

g

𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }

h


7

𝑈

𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

c, b, d ⊆ 𝑓( c, b, d )

c ⊆ {c, b, d}

g

𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }


+ Simple & Easy to Understand

- Have to Find a Consistent Set Up Front

Talk Outline

8

Previous Approaches


Our Approach


Syntactically Guarded Coinduction

𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

(Guarded Coinduction)

9

𝑋 ⊆ 𝜈𝑓


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon


9

𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓

𝑋 ⊆ 𝜈𝑓


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon


9


𝑋 ⊆ 𝜈𝑓 (pf is guarded)

pf:


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon


• Guardedness rules out trivial proofs.

9



pf:


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon


• Guardedness rules out trivial proofs. • Its definition is syntactic and complex.

9



pf:


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon



9



pf:

• The assumption can be used only after making progress.


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon



What cofix does in Coq

9



pf:



𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon



What cofix does in Coq

9



pf:

Permits Incremental Reasoning


h

Example: Guarded Coinduction

10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓) g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓) ∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓) ∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓

By Guarded Coinduction

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓


∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

Trivial Proof is NOT Guarded

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓


∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓


∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓


∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓


∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

This Proof is Guarded

h


10

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

{c} ⊆ 𝑓(𝜈𝑓)

{b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓

b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓


∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g

This Proof is Guarded

Prove Incrementally with NO Consistent Set Up Front

Example: Simulation between Programs

11

Proof using Tarski’s Principle

12

Proof using Guarded Coinduction

13


13

Thanks to Incremental Proof + Simple Automation


13

Thanks to Incremental Proof + Simple Automation BUT!!!

Problems with

Syntactic Guardedness

14

Problems with


14

The proof is NOT Syntactically Guarded

Problems with


14

Guardedness NOT Expressed in the Logic

1. Far from complete 2. Bad interaction with automation 3. Hard to debug 4. Slow

Summary:

Pros and Cons of Two Principles

• Tarski’s Fixed Point Theorem

+ Simple & Robust

- Inconvenient to use

• Syntactically Guarded Coinduction

- Complex & Fragile due to “Guardedness Checking”

+ More Convenient to use

15

Talk Outline

16

Previous Approaches


Our Approach



17


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

𝑋 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓


pf: ⟹


17


𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon

𝑋 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓

𝑋 ⊆ 𝜈𝑓

G ⟹

Semantically

Semantically

Guardedness Expressed Directly Within the Logic

Guarded Implication

18

𝑌 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓 ⟹ G

Guarded Implication

18


Do NOT want to EXTEND the logic

Guarded Implication

18


𝑋 ⊆ G𝑓(𝑌)


Instead, Define G𝑓

Called “Parameterized Greatest Fixed Point” of 𝑓

⇒

Guarded Implication

18






Greatest Fixed Point of 𝑓 Under Guarded Assumption of 𝑌 ⊆ 𝜈𝑓

⇒

Guarded Implication

18



G𝑓 𝑌 ≝ 𝜈(𝜆𝑆. 𝑓(𝑌 ∪ 𝑆))




Greatest Fixed Point of 𝑓 Under Guarded Assumption of 𝑌 ⊆ 𝜈𝑓

⇒

Properties of 𝐆𝒇

19

(Unfolding) G𝑓 𝑌 = 𝑓(𝑌 ∪ G𝑓 𝑌 )

(Semantically Guarded Coinduction) 𝑋 ⊆ G𝑓 𝑌 ⟺ 𝑋 ⊆ G𝑓(𝑋 ∪ 𝑌)

(Init) G𝑓 ∅ = 𝜈𝑓

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝜈𝑓

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ G𝑓(∅)

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ 𝑓(∅ ∪ G𝑓(∅))

{c} ⊆ G𝑓(∅)

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{b} ⊆ G𝑓({b})

By Semantically Guarded Coinduction

{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

g

NO Trivial Proof

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

{b} ⊆ 𝑓({b} ∪ G𝑓({b}))

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))

∃𝑦. b → 𝑦 ∧ 𝑦 ∈ ({b} ∪ G𝑓({b}))

b ∈ (∅ ∪ G𝑓(∅))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

d ∈ ({b} ∪ G𝑓({b}))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{d} ⊆ G𝑓( b )

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

d ∈ ({b} ∪ G𝑓({b}))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{d} ⊆ G𝑓( b )

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

{d} ⊆ 𝑓({b} ∪ G𝑓({b}))

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

d ∈ ({b} ∪ G𝑓({b}))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{d} ⊆ G𝑓( b )

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))

∃𝑦. d → 𝑦 ∧ 𝑦 ∈ ({b} ∪ G𝑓({b}))

b ∈ (∅ ∪ G𝑓(∅))

d ∈ ({b} ∪ G𝑓({b}))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{d} ⊆ G𝑓( b )

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

d ∈ ({b} ∪ G𝑓({b}))

b ∈ ({b} ∪ G𝑓({b}))

g

h

Example:


20

𝑈 𝜈𝑓

a b

c

f e d

{b} ⊆ G𝑓(∅)

{d} ⊆ G𝑓( b )

{b} ⊆ G𝑓({b})


{c} ⊆ G𝑓(∅)

∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))

d ∈ ({b} ∪ G𝑓({b}))

b ∈ ({b} ∪ G𝑓({b}))

g

NO Guardedness Checking!

Paco: A Coq Library for


http://plv.mpi-sws.org/paco/

21

Syntactic Guardedness Semantic Guardedness

Paco: A Coq Library for


http://plv.mpi-sws.org/paco/

21

Guardedness Checking NOT Needed!

Syntactic Guardedness Semantic Guardedness Guardedness Checking Needed!

22

Failed Proof using


22

Successful Proof using

Semantically Guarded Coinduction

22

Successful Proof using

Semantically Guarded Coinduction

Possible because of NO Syntactic Guardedness Checking

Syntactic Guardedness is

NOT Compositional

23

𝑋 ⊆ 𝜈𝑓


NOT Compositional

23

𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓

𝑋 ⊆ 𝜈𝑓

𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓


NOT Compositional

23


𝑋 ⊆ 𝜈𝑓


pf2:

pf1: (pf1is guarded)

(pf2is guarded)


NOT Compositional

23


𝑋 ⊆ 𝜈𝑓


pf2:

pf1: (pf1is guarded)

(pf2is guarded)

Not Expressible in the logic


NOT Compositional

23


𝑋 ⊆ 𝜈𝑓


pf2:

pf1:

Make Proofs Transparent


NOT Compositional

23


𝑋 ⊆ 𝜈𝑓


pf2:

pf1:


𝑋 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓 pf2 ∘ pf1:


NOT Compositional

23


𝑋 ⊆ 𝜈𝑓


(pf2 ∘ pf1 is guarded)

pf2:

pf1:


𝑋 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓 pf2 ∘ pf1:


NOT Compositional

23


𝑋 ⊆ 𝜈𝑓


(pf2 ∘ pf1 is guarded)

pf2:

pf1:


𝑋 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓 pf2 ∘ pf1:

Two Problems with Transparent Proofs 1. Slowdown 2. NO Abstraction

Semantic Guardedness is

Compositional

24


𝑋 ⊆ G𝑓(∅)

𝑌 ⊆ G𝑓(𝑋)

Semantic Guardedness is

Compositional

24


𝑋 ⊆ G𝑓(∅)

𝑌 ⊆ G𝑓(𝑋)

Possible because Guardedness can be expressed in the Logic!

Problems with


25

1. Non-Compositional

2. Far from complete

3. Bad interaction with automation

4. Hard to debug

5. Slow

Problems with


25

1. Non-Compositional

2. Far from complete

3. Bad interaction with automation

4. Hard to debug

5. Slow

Semantic

Related Work • Glynn Winskel (1989) • Lawrence Moss (2001)

Combination with Up-To Techniques

Mechanization in Coq

− Using Mendler-style recursion

What else is in the paper?

26

the power of parameterization in coinductive proof · the power of parameterization in coinductive...

Documents