Publications (104)
This extended abstract is about an effort to build a formal description of a triangulation algorithm starting with a naive description of the algorithm where triangles, edges, and triangulations are simply given as sets and the most complex notions are those of boundary and separating edges. When performing proofs about this algorithm, questions of...
We describe how to compute very far decimals of \(\pi \) and how to provide formal guarantees that the decimals we compute are correct. In particular, we report on an experiment where 1 million decimals of \(\pi \) and the billionth hexadecimal (without the preceding ones) have been computed in a formally verified way. Three methods have been studi...
We describe the formalisation in Coq of a proof that the numbers `e` and `pi` are transcendental. This proof lies at the interface of two domains of mathematics that are often considered separately: calculus (real and elementary complex analysis) and algebra. For the work on calculus, we rely on the Coquelicot library and for the work on algebra, w...
We describe two approaches for the computation of mathematical constant approximations inside interactive theorem provers. These two approaches share the same basis of fixed point computation and differ only in the way the proofs of correctness of the approximations are described. The first approach performs interval computations, while the second...
We study several formal proofs and algorithms related to the number pi in the context of Coq's standard library. In particular, we clarify the relation between roots of the cosine function and the limit of the alternated series whose terms are the inverse of odd natural numbers (known as Leibnitz' formula). We give a formal description of the arctan...
This paper reports on a six-year collaborative effort that culminated in a complete formalization of a proof of the Feit-Thompson Odd Order Theorem in the Coq proof assistant. The formalized proof is constructive, and relies on nothing but the axioms and rules of the foundational framework implemented by Coq. To support the formalization, we develo...
This paper presents an interface for geometry proving. It is a combination of a dynamic geometry software, Geogebra [11], with a proof assistant, Coq [8]. Thanks to the features of Geogebra, users can create and manipulate geometric constructions, they discover conjectures and interactively build formal proofs with the support of Coq. Our system allow...
Bernstein coefficients provide a discrete approximation of the behavior of a polynomial inside an interval. This can be used for example to isolate real roots of polynomials. We prove a criterion for the existence of a single root in an interval and the correctness of the de Casteljau algorithm to compute efficiently Bernstein coefficients.
In this article, we present the development of a library of formal proofs for theorem proving in plane geometry in a pedagogical context. We use the Coq proof assistant [4]. This library includes the basic geometric notions to state theorems and provides a database of theorems to construct interactive proofs more easily. It is an extension of the l...
This article presents the formal proof of correctness for a plane Delaunay triangulation algorithm. It consists in repeating a sequence of edge flippings from an initial triangulation until the Delaunay property is achieved. To describe triangulations, we rely on a combinatorial hypermap specification framework we have been developing for years. We...
We describe the formal verification of two theorems of theoretical biology. These theorems concern genetic regulatory networks: they give, in a discrete modeling framework, relations between the topology and the dynamics of these biological networks. In the considered discrete modeling framework, the dynamics is described by a transition graph, whe...
We propose a (limited) solution to the problem of constructing stream values defined by recursive equations that do not respect the guardedness condition. The guardedness condition is imposed on definitions of corecursive functions in Coq, AGDA, and other higher-order proof assistants. In this paper, we concentrate in particular on those non-guarde...
Gilles Kahn was one of the most influential figures in the development of computer science and information technology, not only in Europe but throughout the world. This volume of articles by several leading computer scientists serves as a fitting memorial to Kahn's achievements and reflects the broad range of subjects to which he contributed throug...
Abstract interpreters are tools to compute approximations for behaviors of a program. These approximations can then be used for optimisation or for error detection. In this paper, we show how to describe an abstract interpreter using the type-theory based theorem prover Coq, using inductive types for syntax and structural recursive programming for the abstr...
The Coq proof assistant has been developed at INRIA, Ecole Normale Supérieure de Lyon, and University of Paris South for more than twenty years [6]. Its theoretical foundation is known as the “Calculus of Inductive Constructions” [4,5]. Versions of the system were distributed regularly from 1989 (version 4.10). The current revision is 8.1 and a rev...
In this paper, we present an approach to describe uniformly iterated “big” operations, like \(\sum_{i=0}^n f(i)\) or \(\max_{i \in I} f(i)\), and to provide lemmas that encapsulate all the commonly used reasoning steps on these constructs.
We show that these iterated operations can be handled generically using the syntactic notation and canonical structur...
We propose to use the Knaster-Tarski least fixed point theorem as a basis to define recursive functions in the Calculus of Inductive Constructions. This widens the class of functions that can be modelled in type-theory based theorem proving tools to potentially non-terminating functions. This is only possible if we extend the logical framework by a...
In Constructive Type Theory, recursive and corecursive definitions are subject to syntactic restrictions which guarantee termination for recursive functions and productivity for corecursive functions. However, many terminating and productive functions do not pass the syntactic tests. Bove proposed in her thesis an elegant reformulation of the metho...
We describe several views of the semantics of a simple programming language as formal documents in the calculus of inductive constructions that can be verified by the Coq proof system. Covered aspects are natural semantics, denotational semantics, axiomatic semantics, and abstract interpretation. Descriptions as recursive functions are also provide...
We propose to use Tarski's least fixpoint theorem as a basis to define recursive functions in the calculus of inductive constructions. This widens the class of functions that can be modeled in type-theory based theorem proving tool to potentially non-terminating functions. This is only possible if we extend the logical framework by adding the axiom...
We extend the work of A. Ciaffaglione and P. Di Gianantonio on mechanical verification of algorithms for exact computation on real numbers, using infinite streams of digits implemented as co-inductive types. Four aspects are studied: the first aspect concerns the proof that digit streams can be related to the axiomatized real numbers that are alrea...
Expressions and logical formulas
Programming in Coq
Propositions and proofs
Proving properties of programs on numbers
Proving properties of programs on lists
Defining new datatypes
Numbers in the Coq system
Inductive properties
We describe the basic notions of co-induction as they are available in the coq system. As an application, we describe arithmetic properties for simple representations of real numbers.
These notes present successively the pure lambda-calculus, the simply typed lambda-calculus, the various forms of typed recursion, dependent types and their use in programming and in logic.
We describe the formal verification of algorithms for computing square, cube, and n-th roots in a functional setting. We show that the first algorithms are well described using the binary representation of integers, which in addition makes it possible to ensure the termination of these algorithms. The same structure underlies the...
One approach to Prof. Hoare’s challenge is to view the development of verified software from the perspective of interactive theorem provers. This idea is not new and many medium-scale software systems have been developed and verified in this manner. Developments based on HOL, ACL2, or PVS have already been described and advocated and our position s...
We present the formal description of an algorithm to filter values from an infinite stream using a type theory based prover. The key aspect is that filters are partial co-recursive functions and we solve the problem of expressing partiality. We then show how to prove properties of this filter algorithm and we study an application computing the strea...
We describe an extension of P. Di Gianantonio's work on the use of co-inductive types in the description of libraries for exact computation on real numbers. Our extension makes it possible to represent convergent formal series and to compute on these representations in computer-based proof systems that provide...
This paper reports on the correctness proof of compiler optimizations based on data-flow analysis. We formulate the optimizations and analyses as instances of a general framework for data-flow analyses and transformations, and prove that the optimizations preserve the behavior of the compiled programs. This development is a part of a larger effort...
We describe a tool that combines a general purpose theorem prover and an off-the-shelf interface for dynamic geometry drawing to enhance man-machine interaction involving geometrical proofs. With our tool, we can edit the statements of geometrical theorems, construct and verify their proofs with the theorem prover, and visualize the statements usi...
Chinese translation published in 2010. Tsinghua University Press. ISBN 9787302208136
Until now we have restricted our study to simply typed λ-calculus and this considerably limited the expressive power of the specifications and propositions. This limitation disappears with the introduction of a new type construct, called the dependent product. This construct generalizes the arrow A → B which represents functional types or implicati...
There are two parts to this chapter. The first part presents several collections of tactics specialized in various domains of logic and mathematics: tactics specialized in reasoning about inductive types, the main automatic tactics, which rely on a Prolog-like proof search mechanism, the tactics for equality and rewriting, the tactics for numerical...
Reasoning about infinite objects while staying in the finite world of a computer is one of the most fascinating uses of proof tools.
In this chapter we introduce the reasoning techniques used in Coq, starting with a very reduced fragment of logic, minimal propositional logic, where formulas are exclusively constructed using propositional variables and implication.
Most modern programming languages provide ways to structure programs in large units called modules. When modules are adequately designed, they can be reused in very different application contexts.
We can use the Coq system to model programs, by describing them as functions in a purely functional programming language. However, the Coq system does not provide an efficient environment to execute them. It is better to rely on the usual programming tools (compilers, abstract machines, and so on) to provide this environment. The Coq system simply...
We gave an informal presentation of certified programs in Chap. 1. Given a relation R of A→B→Prop, we want to produce a function that maps any a in A to a value b in B together with a proof of “R a b” (a certificate).
The strength of inductive types in the Calculus of Constructions is mostly a consequence of their interaction with the dependent product. With the extra expressive power we can formulate a large variety of properties on data and programs, simply by using type expressions. Dependent inductive types easily cover the usual aspects of logic: namely, co...
One of the main uses of Coq is to certify and, more generally, to reason about programs. We must show how the Gallina language represents these programs. The formalism used in this chapter is a simply typed λ-calculus [24], akin to a purely functional programming language without polymorphism. This simple formalism is introduced in a way that makes f...
The inductive types of Coq extend the various notions of type definitions provided in conventional programming languages. They can be compared to the recursive type definitions found in most functional programming languages. However, the possibility of mixing recursive types and dependent products makes the inductive types of Coq much more precise...
Proof by reflection is a characteristic feature of proving in type theory. There is a programming language embedded inside the logical language and it can be used to describe decision procedures or systematic reasoning methods. We already know that programming in Coq is a costly task and this approach is only worth the effort because the proof proc...
There is a lot of freedom in inductive definitions. A type may be a constant whose type is one of the sorts in the system, it may also be a function, this function may have a dependent type, and some of its arguments may be parameters. The constructors may be constants or functions, possibly with a dependent type, their arguments may or may not be...
The previous chapters show that the Calculus of Constructions is powerful enough as a type system for the representation of logical formulas and theorems. Interpreting types as formulas and terms as proofs works well and makes it possible to reduce the problem of verifying formal proofs to the problem of verifying that some terms are well-typed. Th...
Structural recursion is powerful, especially in combination with higher-order definitions, as we have seen in the example of Ackermann’s function. Nevertheless, it is not always adapted to describe algorithms where termination is difficult to express as structural recursion with respect to one of the arguments.
In Chap. 10, we described succinctly the principle of the extraction mechanism. This chapter contains a simple case study to illustrate the subtle links between the sorts Prop and Set. In particular, we can develop and extract certified programs that provide reasonable efficiency, thanks to our knowledge of the extraction process.
Coq [37] is a proof assistant with which students, researchers, or engineers can express specifications and develop programs that fulfill these specifications. This tool is well adapted to develop programs for which absolute trust is required: for example, in telecommunication, transportation, energy, banking, etc. In these domains the need for pro...
We propose to use a simple inductive type as a basis to represent the field of rational numbers. We describe the relation between this representation of numbers and the representation as fractions of non-zero natural numbers. The usual operations of comparison, multiplication, and addition are then defined in a naive way. The whole construction is...
In this paper we present the formalisation of the library which is an implementation of rational numbers as binary sequences for both lazy and strict computation. We use the representation also known as the Stern-Brocot representation for rational numbers. This formalisation uses advanced machinery of the theorem prover and applies recent developme...
In this thesis we propose to develop a methodology for the industrial use of the B method in the smart card domain. To this end, this document is divided into six chapters. The first chapter presents a non-exhaustive but nevertheless representative panel of the diversity of formal methods available today. It...
We present a formal proof (at the implementation level) of an efficient algorithm proposed by P. Zimmermann in 1999 to compute square roots of arbitrarily large integers. This program, which is part of the GNU Multiple Precision Arithmetic Library, is completely proven within the COQ system. Proofs are developed using the CORRECTNESS tool to deal w...
In this paper, we first show how the organization of the graphical user-interface around structured data makes it possible to obtain elaborately laid-out mathematical formulas. In particular, we insist on the three-level extension mechanisms that make it possible to customize the layout to applications. In the next section, we describe the data-structur...
We present a formal proof (at the implementation level) of an efficient algorithm proposed in [Zim99] to compute square roots of arbitrarily large integers. This program, which is part of the GNU Multiple Precision Arithmetic Library (GMP), is completely proven within the Coq system. Proofs are developed using the Correctness tool to deal with imperat...
We describe the operational and denotational semantics of a small imperative language in type theory with inductive and recursive definitions. The operational semantics is given by natural inference rules, implemented as an inductive relation. The realization of the denotational semantics is more delicate: The nature of the language imposes a few di...
We study the development of formally proved algorithms for computational geometry. The result of this work is a formal description of the basic principles that make convex hull algorithms work and two programs that implement convex hull computation and have been automatically obtained from formally verified mathematical proofs. A special attention...
The byte-code verifier is advertised as a key component of the security and safety strategy for the Java language, making it possible to use and exchange Java programs without fearing too much damage due to erroneous programs or malignant program providers. As Java is likely to become one of the languages used to embed programs in all kinds of applia...
We worked on a type system proposed in [11] to enforce a discipline for object initialization in the Java Virtual Machine language, to show how this type system could be implemented in the Coq proof and specification language. We used this description both to prove the theorems of [11] and to construct an effective verifier for this discipline.
In type-theory based proof systems that provide inductive structures, computation tools are automatically associated to inductive definitions. Choosing a particular representation for a given concept has a strong influence on proof structure. We propose a method to make the change from one representation to another easier, by systematically transla...
We propose tools to visualize large proof developments as graphs of theorems and definitions where edges denote the dependency between two theorems. In particular, we study means to limit the size of graphs. Experiments have been done with the Coq theorem prover [DFH + 93] and the GraphViz [EGKN] and daVinci [FW98] graph visualization suites.
Here we propose tools to visualize large proofs as graphs of theorems and definitions, where edges denote the dependencies between two theorems. In particular, we study means to limit the size of these graphs. Experiments were carried out using the Coq [DFH+93], GraphViz [EGKN] and daVinci [FW98] systems...
The CtCoq system is a graphical user-interface using a distributed architecture adapted to the Coq proof system [3]. Basic features provided by this graphical interface are direct manipulation of formulas and commands using the mouse, mathematical notations with an extended character set and colors, menus for guiding users in their manipulations of...
In the calculus of inductive constructions, computation and proof tools are associated with each inductively defined concrete data type. Consequently, the choice of a data structure strongly influences the content of proofs. In this document we propose a method to move more easily from one data structure to a...
The CtCoq user-interface is a graphical user-interface designed to be added to the Coq proof development system, acting as a broker between the human user and the logical engine. The principal design goal for CtCoq was to support large-scale proof development and we claim that this user-interface helps to increase the productivity of Coq users thro...
We present issues that arose in the design of the CtCoq user-interface for proof development. Covered issues include multi-processing, data display, mouse interaction, and script management.
This paper describes the process of mechanically certifying a compiler with respect to the semantic specification of the source and target languages. The proofs are performed in type theory using the Coq system. These proofs introduce specific theoretical tools: fragmentation theorems and general induction principles.
In this paper, we present the results of an ongoing effort in building user interfaces for proof systems. Our approach is generic: we are not constructing a user interface for a particular proof system, rather we have developed techniques and tools that have been applied to several proof systems. We first propose and motivate a distributed architec...
Tactics are commands used to guide goal-directed proofs in interactive proof environments. This paper presents various possible simplifications on tactic expression and provides a justification for these simplifications, based on a precise description of the way tactics operate. In particular, this paper introduces a class of head-oriented tactics...
A proof by pointing user interface component allows a user to direct the course of a proof assistant by selecting terms with a mouse. Such a gesture is interpreted as a high-level tactical which triggers a sequence of low-level basic commands for the proof engine. The algorithm inherently relies on a structure-conscious environment; as a novelty we...
CtCoq is a graphical environment to perform proofs in Coq. Key-words: CtCoq, Coq, proof system.
Starting from the specification of a small imperative programming language, and the description of two program transformations on this language, we formally prove the correctness of these transformations. The formal specifications are given in a single format, and can be compiled into both executable tools and collections of definitions to reason a...
This paper aims at providing additional support to the users of the Coq system. The currently supported activities are the following ones:
This paper explains how to add a modern user interface to existing theorem provers, using principles and tools designed for programming environments. 1 Introduction There are a number of reasons for which it is interesting to build better user interfaces for theorem proving systems, i.e., computer systems that assist in making formal deductions. ff...
This paper presents the implementation of an interpreter for the parallel language ESTEREL in the CENTAUR system. The dynamic semantics of the language is described and completed with two modules providing a graphical visualization of the execution and a graphical execution controller. The problems of implementing a parallel language using natural...
We describe formal manipulations of programming language semantics that permit execution animation for interpreters. We first study the use of occurrences in the λ-calculus and we describe an implementation of the notion of residuals. We then describe applications in the development of interpreters for the lazy λ-calculus and the parallel language Oc...
We introduce a formal language to describe origin functions, which permit to study the notions of descendance and residuals in reduction systems. Computations on this formal language are defined using a term rewriting system, which we show to be canonical. This work has applications in semantics and debugging. 1 Introduction. We introduce new tools t...
This paper presents a principle for using locations in logical expressions to guide the process of building proofs. Using a sequent-style presentation of theorem provers, we annotate the inference rules to specify an algorithm that associates the construction of a proof tree to a location within a goal sequent. This principle provides a natural and...
This paper explains how to add a modern user interface to existing theorem provers, using principles and tools designed for programming environments. A strategy for building user interfaces for computer-assisted proof systems. Abstract: This paper proposes a method for adding a modern user interface...
We use origin functions to describe the notion of descendance and residuals in reduction systems such as the lambda-calculus and linear term rewriting systems. We compare the origin functions for the lambda-calculus and for term rewriting systems that implement this calculus, lambda-sigma and lambda Env. We show that the notions of origin do not c...
The CtCoq system is a graphical user-interface using a distributed architecture adapted to the Coq proof system [4]. Basic features are direct manipulation of formulas and commands using the mouse, mathematical notations with an extended character set and colors, menus for guiding users in their manipulations of commands and formulas. More advan...
In this paper we present a tool that uses the mouse to quicken some frequent operations on mathematical formulae. This tool uses a paradigm of object dragging to replace expressions by provably equivalent formulae, using a rewrite command. The paper also shows how the tool can be programmed to take new operators into account. 1 Introduction Rewri...