Defining and Reasoning About Recursive Functions: A Practical Tool for the Coq Proof Assistant

We present a practical tool for defining and proving properties of recursive functions in the Coq proof assistant. The tool Defining and Reasoning About Recursive Functions 115 A more general solution consists in defining functions by well-founded recursion. Two approaches prevail in the current state-of-the-art: the so-called accessibility predicate approach [21] (and its variant converging iterations [1]), and the so-called ad-hoc predicate approach [9] (which has been developed for a type theory different from Coq, and whose adaptation to Coq involves some subtleties); the two approaches make an advanced use of type theory, and are described in Section 2. Both approaches help users in modeling functions. However, for lack of an appropriate and tool supported method, defining general recursive functions in Coq remains more difficult than defining those functions in proof assistants based on different logicals frameworks. For example, PVS [23], Isabelle [20] and HOL [15] allow users to provide a measure to prove termination, and generate proof obligations that must be discharged by the user in order for the system to accept the function as terminating. The possibility of relying on measures to guarantee termination makes the task of defining functions significantly easier. Yet the approach has never been implemented in proof assistants such as Coq. Difficulties with reasoning about functions. Proof assistants based on type theory only offer limited support for reasoning about (structurally or generally recursive, total or partial) functions. There are three principles that can be used to reason about recursive functions: induction principles (which allow to prove properties about the function’s output), inversion principles (which allow to deduce possible values of the function’s input knowing the output), and fixpoint equations (which allow to unfold the function’s definition in proofs). Unfortunately, users are not systematically provided with these results: for the Coq proof assistant, the tool of Balaa and Bertot [1] only generates the fixpoint equation for generally recursive functions, whereas the new tactic functional induction, which stems from the work of Barthe and Courtieu [2], only generates the induction principle for structurally recursive functions. The ad-hoc predicate approach of Bove and Capretta [9] provides an induction principle, but does not help in showing the totality of the function (and as stated above, cannot be adapted immediately to Coq). Our objectives and contributions. The purpose of this article is to rectify this situation for the Coq proof assistant by proposing a tool that considerably simplifies the tasks of writing and reasoning about recursive functions. The tool takes as input the definition of a recursive function as pseudo-code (a language similar to type theory, but not subject to the restrictions imposed by the guard condition or by any criterion for totality), and generates Coq terms for its representation as a partial recursive function, its induction and inversion principles, and its fixpoint equation. Furthermore, the tool allows users to provide a well-founded order or a measure to prove termination, and generates from this information proof obligations that, if discharged, prove the termination of the function considered. Thus, if the pseudo-code describes a total function f : A → B that can be proved to be terminating, our tool will generate a Coq function f̄ of the same type. The function f̄ may not have exactly the same code as f , but this is of 116 G. Barthe et al. no concern to the user, because the tool has provided her with all the principles needed to reason about f̄ (so she does not need to use the definition). Moreover, Coq will extract from f̄ a Caml function which is (almost) the same program as f . At the heart of our tool lies a simple observation: inductive relations provide a convenient tool to describe mathematical functions by their graph (in particular they do not impose any restriction w.r.t. termination and totality), and to reason about them (using automatically generated induction and inversion principles derived from inductive definitions). Thus, relating a recursive function to its graph gives us for free reasoning principles about the function. Despite its simplicity, the observation does not seem to have been exploited previously to help defining and reasoning about recursive functions. Technically, the observation can be exploited both following the general accessibility approach and the ad-hoc predicate approach, leading to two mechanisms whose relative merits are discussed in Section 3. In Section 4, we illustrate the benefits of the tool. 2 A Critical Review of Existing Methods Programming a nontrivial application inside a proof assistant is typically a long and tedious process. To make such developments easier for the user, mechanisms to define recursive functions should comply with the requirements below. They are by no means sufficient (see the conclusion for further requirements), but they definitely appear to be necessary: – deferred termination (DT): the system should allow the user to define her functions without imposing that this very definition includes a termination proof; – support for termination proofs (ST): termination proofs, which are usually not the main concern of the user, should be automated as much as possible; – support for reasoning (SR): the system should provide the user with reasoning principles for proving all other properties of her functions; – executability (X): when applied to structurally recursive definitions, mechanisms should yield the same result as, e.g., the Fixpoint construction of Coq. Unfortunately, the current version of the Coq proof assistant does not satisfy these requirements, neither for structurally recursive nor for general recursive functions. In the sequel, we briefly review the state-of-the-art approaches for general recursive definitions, and other related works, assessing in each case its benefits and limitations. A summary is presented in Figure 1. For the sake of concreteness, we center our discussion around the fast exponentiation function, which is informally defined by the clauses 2n = 2 · 2n−1 if n is odd and (2n/2)2 if n is even. The natural definition of the function in Coq would be: Defining and Reasoning About Recursive Functions 117 Approach Deferred termination Induction principle Inversion principle Fixpoint equation Support for termination Implemented in Coq Balaa & Bertot no no no yes no prototype Barthe & Courtieu n.a. yes no no n.a. yes Bove & Capretta yes yes no no no no this paper yes yes yes yes yes prototype ! for structurally recursive functions Fig. 1. Comparaison of state-of-the-art approaches Fixpoint pow2 (n: nat) : nat := match n with |0 ⇒ 1 |S q ⇒ match (even_odd_dec (S q)) with |left _ ⇒ square (pow2 (div2 (S q))) |right _ ⇒ n * (pow2 q) end