The Tactician (extended version): A Seamless, Interactive Tactic Learner and Prover for Coq

We present Tactician, a tactic learner and prover for the Coq Proof Assistant. Tactician helps users make tactical proof decisions while they retain control over the general proof strategy. To this end, Tactician learns from previously written tactic scripts and gives users either suggestions about the next tactic to be executed or altogether takes over the burden of proof synthesis. Tactician's goal is to provide users with a seamless, interactive, and intuitive experience together with robust and adaptive proof automation. In this paper, we give an overview of Tactician from the user's point of view, regarding both day-to-day usage and issues of package dependency management while learning in the large. Finally, we give a peek into Tactician's implementation as a Coq plugin and machine learning platform.Comment: 19 pages, 2 figures. This is an extended version of a paper published in CICM-2020. For the project website, see https://coq-tactician.github.i

LiFtEr: Language to Encode Induction Heuristics for Isabelle/HOL

Proof assistants, such as Isabelle/HOL, offer tools to facilitate inductive theorem proving. Isabelle experts know how to use these tools effectively; however, there is a little tool support for transferring this expert knowledge to a wider user audience. To address this problem, we present our domain-specific language, LiFtEr. LiFtEr allows experienced Isabelle users to encode their induction heuristics in a style independent of any problem domain. LiFtEr's interpreter mechanically checks if a given application of induction tool matches the heuristics, thus automating the knowledge transfer loop.Comment: This is the pre-print of our paper of the same title accepted at APLAS2019 (https://doi.org/10.1007/978-3-030-34175-6_14). We updated the draft after fixing the errata found by Kenji Miyamot

A Proof Strategy Language and Proof Script Generation for Isabelle/HOL

We introduce a language, PSL, designed to capture high level proof strategies in Isabelle/HOL. Given a strategy and a proof obligation, PSL's runtime system generates and combines various tactics to explore a large search space with low memory usage. Upon success, PSL generates an efficient proof script, which bypasses a large part of the proof search. We also present PSL's monadic interpreter to show that the underlying idea of PSL is transferable to other ITPs.Comment: This paper has been submitted to CADE2

Mechanical Verification of Interactive Programs Specified by Use Cases

International audienceInteractive programs, like user interfaces, are hard to formally specify and thus to prove correct. Some ideas coming from functional programming languages have been successful to improve the way we write safer programs, compared to traditional imperative languages, but these ideas mostly apply to code fragments without any inputs–outputs. Using the purely functional language Coq, we present a new technique to represent interactive programs and formally verify use cases using the Coq proof engine as a symbolic debugger. To this end we introduce the notion of scenarios, well-typed schema of interactions between an environment and a program. We design and certify a blog system as an illustration. Our approach generalizes unit-testing techniques and outlines a new method for mechanically assisted checking of effectful functional programs. I. Introduction Implementing and proving correct interactive programs is challenging. Indeed, interactive programs are hard to reason about because they communicate with an outer environment (the operating system, the network, the user,. . .) which may be under-specified and non determin-istic. Moreover, the communications between the program and the environment can happen at many points during the execution and may depend on previous interactions. Many techniques have been developed to model, specify and prove correct interactive or concurrent programs[15]. For instance, process algebra and temporal logics are well understood abstract models for such programs. In these abstract models, some interesting behavioral properties can be automatically proved by model-checkers. Yet, these tools usually provide guarantees about the model of the program, not its actual implementation. In another approach, called software-proof co-design, the specification and the verification of a program is not disconnected from its actual implementation. In that case, specifying, implementing and verifying are tightly interleaved in the software development process. This tight integration is possible within the Coq proof assistant which is both a programming language and an assisted prover. Yet, even if a realistic compiler for the C language has already been developed in Coq[12], using Coq as a general purpose programming language may be considere

定理証明支援系Coqにおける手続き的証明から宣言的証明への変換

　定理証明支援系Coqにおける証明は、一般に手続き的証明と呼ばれる形式で記述される。これは対話的証明を前提としており、自然言語による証明記述と大きく異なるため、可読性が高いものではない。この問題を解決するためにCoq用宣言的証明言語C-zarが開発された。宣言的証明は可読性が高く、また外部ツールを導入し易い。しかし、C-zar は手続き的証明に対して記述量が多い上に柔軟性が低く、Coq ユーザに受け入れられなかった。本研究では、Coq の手続き的証明からC-zarの証明を生成することで、両者間の橋渡しを行う。一般に手続き的証明から宣言的証明への変換手法としては、証明項や証明木のような中間表現を経由する方法が考えられ、既に定理証明支援系Matitaでは証明項を経由する手続き的証明から宣言的証明への変換が存在する。しかし、中間表現は元の証明と比べて詳細かつ巨大になり、元の手続き的証明1ステップに対して数百ステップの宣言的証明が生成されてしまう場合もある。一方で、C-zar は手続き的証明で用いられるタクティックと呼ばれるコマンドを利用することができ、これによって手続き的証明の1ステップは、多くの場合C-zarの数ステップと対応させることができる。本研究では、元の手続き的証明と証明項の両方を用いて変換を行うことで、元の証明に近い粒度の宣言的証明の生成を実現する。電気通信大学201

Quasi-interpretation Synthesis by Decomposition : An application to higher-order programs

International audienceQuasi-interpretations have shown their interest to deal with resource analysis of first order functional programs. There are at least two reasons to study the question of modularity of quasi-interpretations. Firstly, modularity allows to decrease the complexity of the quasi-inter\-pretation search algorithms. Secondly, modularity allows to increase the intentionality of the quasi-interpretation method, that is the number of captured programs. In particular, we take advantage of modularity conditions to extend smoothly quasi-interpretations to higher order programs. In this paper, we study the modularity of quasi-interpretations through the notions of constructor-sharing and hierarchical unions. We show that in the case of constructor-sharing and hierarchical unions, the existence of quasi-interpretations is no longer a modular property. However, we can still certify the complexity of programs