The Power of Parameterization in Coinductive Proof · The Power of Parameterization in Coinductive...
Transcript of The Power of Parameterization in Coinductive Proof · The Power of Parameterization in Coinductive...
The Power of Parameterization
in Coinductive Proof
Chung-Kil Hur Microsoft Research Cambridge
Georg Neis, Derek Dreyer, Viktor Vafeiadis
MPI-SWS
POPL 2013
23 Jan 2013
1
Two Principles for Coinduction
• Tarski’s Fixed Point Theorem
+ Simple & Robust
- Inconvenient to use
• Syntactically Guarded Coinduction
- Complex & Fragile due to “Guardedness Checking”
+ More convenient to use
2
Our Contribution
• Parameterized Coinduction
+ Simple & Robust + Most convenient to use
3
Our Contribution
• Parameterized Coinduction
+ Simple & Robust + Most convenient to use
3
Key Idea
Semantic Guardedness
Previous Approaches
Tarski’s Fixed Point Theorem Syntactically Guarded Coinduction
Our Approach
Parameterized Coinduction
Talk Outline
4
Example of Recursively Defined Set:
Divergent Nodes in STS
5
𝑈
a b
c
f e d
g
h
Example of Recursively Defined Set:
Divergent Nodes in STS
5
𝑈
a b
c
f e d
Div = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ Div }
g
h
Example of Recursively Defined Set:
Divergent Nodes in STS
5
𝑈
a b
c
f e d
Div = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ Div } Div = 𝑓(Div) where
𝑓 𝑆
g
h
𝑆
Example of Recursively Defined Set:
Divergent Nodes in STS
5
𝑈
a b
c
f e d
Div = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ Div } Div = 𝑓(Div) where
𝑓 𝑆
g
h
(Tarski’s Theorem) 𝜈𝑓 is the greatest solution of 𝑋 = 𝑓(𝑋)
For 𝑓 ∶ ℘ 𝑈 → ℘ 𝑈 , mon
𝑆
Example of Recursively Defined Set:
Divergent Nodes in STS
5
𝑈
a b
c
f e d
Div = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ Div } Div = 𝑓(Div) where
𝑓 𝑆
g
h
(Tarski’s Theorem) 𝜈𝑓 is the greatest solution of 𝑋 = 𝑓(𝑋)
𝑆 is consistent
𝜈𝑓 = ⋃ 𝑆 𝑆 ⊆ 𝑓 𝑆 }
For 𝑓 ∶ ℘ 𝑈 → ℘ 𝑈 , mon
𝑆
Tarski’s Principle
6
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
𝑈 𝜈𝑓
(Tarski’s Principle)
𝑋 ⊆ 𝜈𝑓 𝑋
Tarski’s Principle
6
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
𝑈 𝜈𝑓
𝑆
(Tarski’s Principle)
𝑋 ⊆ 𝜈𝑓
∃ 𝑆. 𝑋 ⊆ 𝑆
𝑋
Tarski’s Principle
6
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
𝑈 𝜈𝑓
𝑆 𝑓
(Tarski’s Principle)
𝑋 ⊆ 𝜈𝑓
∃ 𝑆. 𝑋 ⊆ 𝑆 ∧ 𝑆 ⊆ 𝑓(𝑆)
𝑋
Tarski’s Principle
6
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
𝑈 𝜈𝑓
𝑆 𝑓
(Tarski’s Principle)
𝑋 ⊆ 𝜈𝑓
∃ 𝑆. 𝑋 ⊆ 𝑆 ∧ 𝑆 ⊆ 𝑓(𝑆)
𝑋
Sound by Definition: 𝜈𝑓 = ⋃ 𝑆 𝑆 ⊆ 𝑓 𝑆 }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓 g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓 g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
c ⊆ 𝑓 c = ∅
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
c ⊆ {c, b, d}
g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
c, b, d ⊆ 𝑓( c, b, d )
c ⊆ {c, b, d}
g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
c, b, d ⊆ 𝑓( c, b, d )
c ⊆ {c, b, d}
g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
c, b, d ⊆ 𝑓( c, b, d )
c ⊆ {c, b, d}
g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
h
Tarski Principle: Example
7
𝑈
𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
c, b, d ⊆ 𝑓( c, b, d )
c ⊆ {c, b, d}
g
𝑓 𝑆 = 𝑥 ∃𝑦. 𝑥 → 𝑦 ∧ 𝑦 ∈ S }
Tarski’s Principle
+ Simple & Easy to Understand
- Have to Find a Consistent Set Up Front
Talk Outline
8
Previous Approaches
Tarski’s Fixed Point Theorem Syntactically Guarded Coinduction
Our Approach
Parameterized Coinduction
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
9
𝑋 ⊆ 𝜈𝑓
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf:
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
• Guardedness rules out trivial proofs.
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf:
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
• Guardedness rules out trivial proofs. • Its definition is syntactic and complex.
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf:
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
• Guardedness rules out trivial proofs. • Its definition is syntactic and complex.
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf:
• The assumption can be used only after making progress.
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
• Guardedness rules out trivial proofs. • Its definition is syntactic and complex.
What cofix does in Coq
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf:
• The assumption can be used only after making progress.
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
(Guarded Coinduction)
• Guardedness rules out trivial proofs. • Its definition is syntactic and complex.
What cofix does in Coq
9
𝑋 ⊆ 𝜈𝑓 ⟹ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf:
Permits Incremental Reasoning
• The assumption can be used only after making progress.
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓) g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓) ∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓) ∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓) ∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
Trivial Proof is NOT Guarded
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
This Proof is Guarded
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
This Proof is Guarded
h
Example: Guarded Coinduction
10
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
{c} ⊆ 𝑓(𝜈𝑓)
{b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {d} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
b ⊆ 𝜈𝑓 ⇒ {b} ⊆ 𝜈𝑓
By Guarded Coinduction
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ 𝜈𝑓 b ∈ 𝜈𝑓 g
This Proof is Guarded
Prove Incrementally with NO Consistent Set Up Front
Example: Simulation between Programs
11
Example: Simulation between Programs
11
Proof using Tarski’s Principle
12
Proof using Tarski’s Principle
12
Proof using Guarded Coinduction
13
Proof using Guarded Coinduction
13
Thanks to Incremental Proof + Simple Automation
Proof using Guarded Coinduction
13
Thanks to Incremental Proof + Simple Automation BUT!!!
Problems with
Syntactic Guardedness
14
Problems with
Syntactic Guardedness
14
Problems with
Syntactic Guardedness
14
Problems with
Syntactic Guardedness
14
Problems with
Syntactic Guardedness
14
Problems with
Syntactic Guardedness
14
The proof is NOT Syntactically Guarded
Problems with
Syntactic Guardedness
14
Guardedness NOT Expressed in the Logic
1. Far from complete 2. Bad interaction with automation 3. Hard to debug 4. Slow
Problems with
Syntactic Guardedness
14
Guardedness NOT Expressed in the Logic
1. Far from complete 2. Bad interaction with automation 3. Hard to debug 4. Slow
Summary:
Pros and Cons of Two Principles
• Tarski’s Fixed Point Theorem
+ Simple & Robust
- Inconvenient to use
• Syntactically Guarded Coinduction
- Complex & Fragile due to “Guardedness Checking”
+ More Convenient to use
15
Talk Outline
16
Previous Approaches
Tarski’s Fixed Point Theorem Syntactically Guarded Coinduction
Our Approach
Parameterized Coinduction
Syntactically Guarded Coinduction
17
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
𝑋 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 (pf is guarded)
pf: ⟹
Syntactically Guarded Coinduction
17
Syntactically Guarded Coinduction
𝑓 ∶ ℘ 𝑈 → ℘(𝑈) mon
𝑋 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
G ⟹
Semantically
Semantically
Guardedness Expressed Directly Within the Logic
Guarded Implication
18
𝑌 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓 ⟹ G
Guarded Implication
18
𝑌 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓 ⟹ G
Do NOT want to EXTEND the logic
Guarded Implication
18
𝑌 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓 ⟹ G
𝑋 ⊆ G𝑓(𝑌)
Do NOT want to EXTEND the logic
Instead, Define G𝑓
Called “Parameterized Greatest Fixed Point” of 𝑓
⇒
Guarded Implication
18
𝑌 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓 ⟹ G
𝑋 ⊆ G𝑓(𝑌)
Do NOT want to EXTEND the logic
Instead, Define G𝑓
Called “Parameterized Greatest Fixed Point” of 𝑓
Greatest Fixed Point of 𝑓 Under Guarded Assumption of 𝑌 ⊆ 𝜈𝑓
⇒
Guarded Implication
18
𝑌 ⊆ 𝜈𝑓 𝑋 ⊆ 𝜈𝑓 ⟹ G
𝑋 ⊆ G𝑓(𝑌)
G𝑓 𝑌 ≝ 𝜈(𝜆𝑆. 𝑓(𝑌 ∪ 𝑆))
Do NOT want to EXTEND the logic
Instead, Define G𝑓
Called “Parameterized Greatest Fixed Point” of 𝑓
Greatest Fixed Point of 𝑓 Under Guarded Assumption of 𝑌 ⊆ 𝜈𝑓
⇒
Properties of 𝐆𝒇
19
(Unfolding) G𝑓 𝑌 = 𝑓(𝑌 ∪ G𝑓 𝑌 )
(Semantically Guarded Coinduction) 𝑋 ⊆ G𝑓 𝑌 ⟺ 𝑋 ⊆ G𝑓(𝑋 ∪ 𝑌)
(Init) G𝑓 ∅ = 𝜈𝑓
Properties of 𝐆𝒇
19
(Unfolding) G𝑓 𝑌 = 𝑓(𝑌 ∪ G𝑓 𝑌 )
(Semantically Guarded Coinduction) 𝑋 ⊆ G𝑓 𝑌 ⟺ 𝑋 ⊆ G𝑓(𝑋 ∪ 𝑌)
(Init) G𝑓 ∅ = 𝜈𝑓
Properties of 𝐆𝒇
19
(Unfolding) G𝑓 𝑌 = 𝑓(𝑌 ∪ G𝑓 𝑌 )
(Semantically Guarded Coinduction) 𝑋 ⊆ G𝑓 𝑌 ⟺ 𝑋 ⊆ G𝑓(𝑋 ∪ 𝑌)
(Init) G𝑓 ∅ = 𝜈𝑓
Properties of 𝐆𝒇
19
(Unfolding) G𝑓 𝑌 = 𝑓(𝑌 ∪ G𝑓 𝑌 )
(Semantically Guarded Coinduction) 𝑋 ⊆ G𝑓 𝑌 ⟺ 𝑋 ⊆ G𝑓(𝑋 ∪ 𝑌)
(Init) G𝑓 ∅ = 𝜈𝑓
Properties of 𝐆𝒇
19
(Unfolding) G𝑓 𝑌 = 𝑓(𝑌 ∪ G𝑓 𝑌 )
(Semantically Guarded Coinduction) 𝑋 ⊆ G𝑓 𝑌 ⟺ 𝑋 ⊆ G𝑓(𝑋 ∪ 𝑌)
(Init) G𝑓 ∅ = 𝜈𝑓
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝜈𝑓
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ G𝑓(∅)
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ 𝑓(∅ ∪ G𝑓(∅))
{c} ⊆ G𝑓(∅)
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
g
NO Trivial Proof
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
{b} ⊆ 𝑓({b} ∪ G𝑓({b}))
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))
∃𝑦. b → 𝑦 ∧ 𝑦 ∈ ({b} ∪ G𝑓({b}))
b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))
∃𝑦. b → 𝑦 ∧ 𝑦 ∈ ({b} ∪ G𝑓({b}))
b ∈ (∅ ∪ G𝑓(∅))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
{d} ⊆ 𝑓({b} ∪ G𝑓({b}))
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))
∃𝑦. d → 𝑦 ∧ 𝑦 ∈ ({b} ∪ G𝑓({b}))
b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅))
∃𝑦. d → 𝑦 ∧ 𝑦 ∈ ({b} ∪ G𝑓({b}))
b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
b ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
b ∈ ({b} ∪ G𝑓({b}))
g
h
Example:
Parameterized Coinduction
20
𝑈 𝜈𝑓
a b
c
f e d
{b} ⊆ G𝑓(∅)
{d} ⊆ G𝑓( b )
{b} ⊆ G𝑓({b})
By Semantically Guarded Coinduction
{c} ⊆ G𝑓(∅)
∃𝑦. c → 𝑦 ∧ 𝑦 ∈ (∅ ∪ G𝑓(∅)) b ∈ (∅ ∪ G𝑓(∅))
d ∈ ({b} ∪ G𝑓({b}))
b ∈ ({b} ∪ G𝑓({b}))
g
NO Guardedness Checking!
Paco: A Coq Library for
Parameterized Coinduction
http://plv.mpi-sws.org/paco/
21
Syntactic Guardedness Semantic Guardedness
Paco: A Coq Library for
Parameterized Coinduction
http://plv.mpi-sws.org/paco/
21
Syntactic Guardedness Semantic Guardedness
Paco: A Coq Library for
Parameterized Coinduction
http://plv.mpi-sws.org/paco/
21
Guardedness Checking NOT Needed!
Syntactic Guardedness Semantic Guardedness Guardedness Checking Needed!
22
Failed Proof using
Syntactically Guarded Coinduction
22
Successful Proof using
Semantically Guarded Coinduction
22
Successful Proof using
Semantically Guarded Coinduction
22
Successful Proof using
Semantically Guarded Coinduction
Possible because of NO Syntactic Guardedness Checking
Syntactic Guardedness is
NOT Compositional
23
𝑋 ⊆ 𝜈𝑓
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
pf2:
pf1: (pf1is guarded)
(pf2is guarded)
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
pf2:
pf1: (pf1is guarded)
(pf2is guarded)
Not Expressible in the logic
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
pf2:
pf1:
Make Proofs Transparent
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
pf2:
pf1:
Make Proofs Transparent
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓 pf2 ∘ pf1:
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
(pf2 ∘ pf1 is guarded)
pf2:
pf1:
Make Proofs Transparent
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓 pf2 ∘ pf1:
Syntactic Guardedness is
NOT Compositional
23
𝑌 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑌 ⊆ 𝜈𝑓
(pf2 ∘ pf1 is guarded)
pf2:
pf1:
Make Proofs Transparent
𝑋 ⊆ 𝜈𝑓 ⇒ 𝑋 ⊆ 𝜈𝑓 pf2 ∘ pf1:
Two Problems with Transparent Proofs 1. Slowdown 2. NO Abstraction
Semantic Guardedness is
Compositional
24
𝑋 ⊆ G𝑓(𝑌)
𝑋 ⊆ G𝑓(∅)
𝑌 ⊆ G𝑓(𝑋)
Semantic Guardedness is
Compositional
24
𝑋 ⊆ G𝑓(𝑌)
𝑋 ⊆ G𝑓(∅)
𝑌 ⊆ G𝑓(𝑋)
Possible because Guardedness can be expressed in the Logic!
Problems with
Syntactic Guardedness
25
1. Non-Compositional
2. Far from complete
3. Bad interaction with automation
4. Hard to debug
5. Slow
Problems with
Syntactic Guardedness
25
1. Non-Compositional
2. Far from complete
3. Bad interaction with automation
4. Hard to debug
5. Slow
Semantic
Related Work • Glynn Winskel (1989) • Lawrence Moss (2001)
Combination with Up-To Techniques
Mechanization in Coq
− Using Mendler-style recursion
What else is in the paper?
26