Coq: MiniCandid#147
Merged
Merged
Conversation
using the shiny new support in dune to build Coq projects: https://dune.readthedocs.io/en/stable/dune-files.html#coq-theory
without the proof for canonical subtyping yet.
starting a bit on a Candid formalization, focusing on the Opt-to-constituent rule. Stuck at #146, and worked around by adding restrictions to the compositional rule for opt.
nomeata
commented
Dec 3, 2020
|
|
||
| Theorem subtyping_trans: transitive _ Subtype. | ||
| Proof. | ||
| cofix Hyp. |
Contributor
Author
There was a problem hiding this comment.
Just to show off: This is a proof by coinduction.
nomeata
added a commit
that referenced
this pull request
Dec 4, 2020
based on our experience, we really can really use some formal treatment of our Candid work. This branch contains some initial work. Part of this commit: * A simple Coq setup (using the more modern dune-based setup) * A nix-setup to build this * Simple CI integration * A Coq-ification of the definitions in IDL-Soundness.md * Mechanizing the “canonical subtyping is sound” proof in that document More work is pending on #141, with ongoing experiments in #147.
nomeata
added a commit
that referenced
this pull request
Dec 11, 2020
the coq formalization in #147 shows that the old rule didn’t quite work (it was confused about `5 ~> ? : opt null` I believe), but this variant does. I think all implemnetations do the right thing anways (so maybe rewriting this as a partial coercion _function_ would be helpful)
Contributor
Author
|
This is ready for |
Contributor
Author
|
I woudn’t mind parking this in |
chenyan-dfinity
approved these changes
Jan 19, 2021
ninegua
pushed a commit
to ninegua/candid
that referenced
this pull request
Apr 22, 2022
* test: mitmproxy for certificate * fix * fix * fix * fix * fix * fix * Try mitmproxy 4 * Try mitmproxy 4 with python 3.6 * Try latest version * Try --setheaders * CLI flag changed * dumm di dumm * add mitm test * bump icref * fix * fix * fix * fix * fix * fix Co-authored-by: Joachim Breitner <mail@joachim-breitner.de>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This contains an initial formalization of Candid in Coq. It covers these types:
nat,int,null,opt t,empty,reservedIt considers two different formalisms:
NoOpportunisticDecodingThis is without
t <: opt t', but witht <: opt t.Things go through, although the
opt t <: opt t'rule has to be tweaked to keep subtyping transitive (see Subtyping: Transitivity of opt-to-constituent rule #146).OpportunisticDecodingThis is with
t <: opt t'.Because of the negative hypotheses in the coercion relation, this can’t be defined as a simple inductive relation (which is a seroius smell!).
So instead I define it as a function (which is mostly straight forward), and prove the properties there.
We could take this as indication that maybe our spec should also just define it via equations. We don’t gain anything from the relational presentation, I think, and implementors all anyways implement functions.
Nevertheless, I did prove that the relation defined by admits the intro and induction rules that would come out of the inductive relation (ignoring the negative hypotheses). This revealed some issues with the way the rules are presented, will create a PR for that soon.
In both cases, I prove
I do not prove Higher-order soundness, because we know it does not hold (see #141).
This also uses some proof-of-concept “named Coq cases“ feature, see https://www.joachim-breitner.de/blog/777-Named_goals_in_Coq.