Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Partial function in Coq / underdefined?

Tags:

compiler-construction

agda

isabelle

I have been trying to write and verify a compiler in Agda, using Concrete Semantics (which is written for Coq Isabelle/HOL) as a reference point. I am defining compilation for the same languages used in that text.

For context I have finished writing the compiler, and am now in the verification stage, however I had to make a significant difference to Concrete Semantics in the definition of machine instruction execution. This difference seemed necessary in Agda, but now is making the verification stage incredibly complex.

In trying to do the simpler version of instruction execution given in Concrete Semantics, I've come across this line, which may explain why I am having trouble directly translating this into Agda:

Also useful are the head of a list, its first element, and the tail, the rest of the list:

fun hd :: 'a list ⇒ 'a
hd (x # xs) = x

Note that since HOL is a logic of total functions, hd [] is defined, but we do not know what the result is. That is, hd [] is not undefined but underdefined.

What is does it mean for hd [] to be underdefined? Is this the equivalent of having an incomplete pattern in Agda?

The assembly instruction execution function relies heavily on hd. In my implementation of it in Agda I gave indices to multiple types to allow me to build proofs that the stack always has the minimum number of elements, in order to avoid the incomplete pattern matching problem. Now that I am trying to verify the compiler the proofs are magnitudes more complex than the proofs in Concrete Semantics, since I have to work with these indices.

Am I missing something or are the proofs in Concrete Semantics incomplete with hd [] not being defined?

like image 652
Jacob Ward Avatar asked Nov 22 '18 16:11

Jacob Ward

1 Answers

hd [] in Isabelle/HOL is defined; it has a value, but you don't know anything about that value. It is possible to prove that hd [] = hd [] because x = x holds for all x, but you'll be unable to prove anything else (non-trivial) on hd [].

Am I missing something or are the proofs in Concrete Semantics incomplete with hd [] not being defined?

They are not incomplete. Proofs that rely on behaviour of hd will most likely assume that the list on which hd is called is non-empty, or prove that it is non-empty based on other assumptions.

like image 146
larsrh Avatar answered Sep 21 '22 12:09

larsrh
Sign in to Comment

Related questions

Higher-order functions in C as a syntactic sugar with minimal effort
Detecting semicolon after loop/if brackets
Global const optimization and symbol interposition
ASP.NET MVC: how to signal compilation error if a view has error?
How to write a JIT library?
Start exe even with missing dependency dlls?
Generics, overload resolution and delegates (sorry, can't find a better title) [duplicate]
C++/CLI array initializer compilation error
CMake, choose Xcode compiler
How to interact with the compiler in Scala code itself?
Use Ada code in Android
compiling down a version - eclipse, maven
Compile thumb1 only
Do optimizers move temporary non-POD types out of loops?
Compile VB.NET online? [closed]
How is maximal-munch implemented?
How to prove left-recursive grammar is not in LL(1) using parsing table
Variant vs Inheritance [closed]
What jobs does a typical C++ compiler handle?
Is every LL(1) grammar also a LALR(1) grammar?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!