当前位置: 文江博客话题详情

Coq 证明用法

发布于 2025-01-15 09:19:53 字数 211 浏览 2 评论 0原文

我是 Coq 的初学者,我很快就学会了这门语言,可以做证明等。

但我不明白我们能用它做什么。 好吧,我们证明了一些定义等。但是我们可以通过哪些方式使用它们呢? 我看到我们可以提取 Haskell 文件,但我也不明白。

因为我想用语言来证明 CVE 例如。

原文

I'm a beginner with Coq, I learnt the language quickly, to do proofs etc.

But I don't understand what can we do with this.
Ok we prove some definitions etc. But in which ways can we use them?
I saw that we can extract in Haskell files, but I don't understand it either.

Because I would like to use the language to prove CVE for example.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

梦晓ヶ微光ヅ倾城 2025-01-22 09:19:53

Coq 的用途之一是验证软件。这意味着写下一个程序并表明它满足您关心的某些规范。规范的定义是开放式的:您可能想要证明 C 程序不会出现缓冲区溢出问题,或者编译器生成的目标代码的行为符合源语言的规范。

Coq 中验证软件有两种主要方法。

内部验证

一种可能性是将程序实现为可以在 Coq 内部执行的函数程序,并证明其属性。该程序可以提取为更传统的编程语言,例如 Haskell 或 OCaml。然后,您可以将此代码链接到提取目标中的其他模块以生成完整的可执行文件。例如,CompCert C 编译器 就采用了这种方法。

具体而言,假设我们要编写一个经过验证的排序算法。下面是 Coq 中插入排序的实现,它使用 数学组件库

From Coq Require Import Extraction.
From mathcomp Require Import all_ssreflect.

Fixpoint insert n ns :=
  if ns is m :: ns then
    if n <= m then n :: m :: ns
    else m :: insert n ns
  else [:: n].

Lemma sorted_insert n ns : sorted leq ns -> sorted leq (insert n ns).
Proof.
case: ns => //= m ns m_ns; rewrite fun_if /=.
case: ltngtP => // /ltnW m_n.
elim: ns => [|p ns IH] /= in m m_ns m_n *; first by rewrite m_n.
case/andP: m_ns => m_p m_ns; rewrite fun_if /= m_n m_p.
by case: ltngtP => //= /ltnW p_n; rewrite IH.
Qed.

Fixpoint insertion_sort ns :=
  if ns is n :: ns then insert n (insertion_sort ns)
  else [::].

Lemma sorted_insertion_sort ns : sorted leq (insertion_sort ns).
Proof.
by elim: ns => //= n ns IH; rewrite sorted_insert.
Qed.

Extraction "insertion.ml" insertion_sort.

如果编译此文件,您将看到它将生成一个 insertion.ml 文件,其中包含该程序在 OCaml 中的翻译。

外部验证

另一种可能性是对程序的行为给出数学描述并证明该描述是正确的。例如,我们可以使用 Coq 将 C 程序的行为定义为输入和输出之间的数学关系,然后使用此描述来论证特定 C 程序是正确的(即,其输入和输出序列满足某些属性) )。这个特定的 C 程序可能会从实际的 C 源代码转换为 Coq 可以理解的形式,如 验证软件工具链所做的那样

这意味着什么?

Coq 证明保证在理想化的程序执行模型中不会出现某些错误。无论您选择哪种验证方法,该模型都比程序实际运行时发生的情况简单得多。例如,我们不会费心对描述运行程序的处理器电路的物理定律进行建模,因为这太复杂了。然而,我们关心的大多数错误都可以用相当简单的模型来描述——例如,我们不需要详细的物理定律来解释为什么在某些执行中会发生缓冲区溢出。这使得 Coq 和相关工具在实践中非常有效地防止错误。

One of the uses of Coq is verifying software. This means writing down a program and showing that it satisfies some specification that you care about. What counts as a specification is rather open ended: you might want to show that a C program does not suffer from buffer overflows, or that a compiler produces object code that behaves according to the specification of the source language.

There are two main ways of verifying software in Coq.

Internal verification

One possibility is to implement the program as a functional program that can be executed inside of Coq, and prove properties about it. This program can be extracted to a more conventional programming language such as Haskell or OCaml. You can then link this code against other modules in the extraction target to produce a complete executable. This is the approach, for instance, followed by the CompCert C compiler.

For concreteness, suppose that we want to write a verified sorting algorithm. Here is an implementation of insertion sort in Coq that uses the Mathematical Components library:

From Coq Require Import Extraction.
From mathcomp Require Import all_ssreflect.

Fixpoint insert n ns :=
  if ns is m :: ns then
    if n <= m then n :: m :: ns
    else m :: insert n ns
  else [:: n].

Lemma sorted_insert n ns : sorted leq ns -> sorted leq (insert n ns).
Proof.
case: ns => //= m ns m_ns; rewrite fun_if /=.
case: ltngtP => // /ltnW m_n.
elim: ns => [|p ns IH] /= in m m_ns m_n *; first by rewrite m_n.
case/andP: m_ns => m_p m_ns; rewrite fun_if /= m_n m_p.
by case: ltngtP => //= /ltnW p_n; rewrite IH.
Qed.

Fixpoint insertion_sort ns :=
  if ns is n :: ns then insert n (insertion_sort ns)
  else [::].

Lemma sorted_insertion_sort ns : sorted leq (insertion_sort ns).
Proof.
by elim: ns => //= n ns IH; rewrite sorted_insert.
Qed.

Extraction "insertion.ml" insertion_sort.

If you compile this file, you will see that it will generate an insertion.ml file that contains a translation of this program in OCaml.

External verification

Another possibility is to give a mathematical description of the behavior of your program and prove that this description is correct. For example, we can use Coq to define the behavior of C programs as a mathematical relation between inputs and outputs, and then use this description to argue that a particular C program is correct (i.e., that its sequence of inputs and outputs satisfy some property). This particular C program might be translated from actual C source code into a form that Coq understands, as done by the Verified Software Toolchain.

What does this mean?

A Coq proof guarantees that certain bugs cannot arise in an idealized model of program execution. Regardless of which verification approach you chose, this model is much simpler than what happens when a program actually runs. For instance, we don't bother modelling the laws of physics that describe the circuits of the processor that is running the program, because that would be too complex. However, most bugs that we care about can be described in terms of fairly simple models -- for example, we don't need detailed laws of physics to explain why a buffer overflow occurs in some execution. This makes Coq and related tools very effective at preventing bugs in practice.

回复 原文
~没有更多了~

关于作者

晚雾

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

882123719

文章 0 评论 0

朦胧时间

文章 0 评论 0

alipaysp_DQOPIT9H5Y

文章 0 评论 0

眼藏柔

文章 0 评论 0

微信用户

文章 0 评论 0

寻梦旅人

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文