Our objective is to describe a formal proof of correctness for the following Haskell [13] program in a type theory-based proof verification system, such as the Coq system [10, 1]. sieve (p:rest) = p:sieve [r | r <- rest, r ‘rem ‘ p / = 0] primes = sieve [2..] This program is a functional implementation of Eratosthenes ’ sieve that consists in removing all multiples of previously found primes from the sequence of natural numbers. We want to prove that the expression primes is the stream containing all the prime numbers in increasing order. This work relies on co-inductive types [5, 11, 12] because the program manipulates infinite lists, also known as streams. It first uses the infinite list of natural numbers larger than 2, then the infinite list of numbers larger than 3 and containing no multiples of 2, then the infinite list of numbers larger than 4 and containing no multiples of prime numbers smaller than 4, and so on. This example was initially proposed as a challenge by G. Kahn and used as an illustration of a program and its proof of correctness in a

When providing a collection of constructors to define an inductive type, we actually also define a dual operation: a destructor. This destructor is always defined using the same structure of pattern-matching, so that we have a tendency to forget that we do extend the “pattern-matching ” capability with a new destructor at each definition. Constructors and destructors play a dual role in the definition of inductive types. Constructors produce elements of the inductive type, destructors consume elements of the inductive type. The inductive type itself is defined as the smallest collection of elements that is stable with respect to the constructors: it must contain all constants that are declared to be in the inductive type and all results of the constructors when the arguments of these constructors are already found to be in the inductive type. When considering structural recursion, recursive definitions are functions that consume elements of the inductive type. The discipline of structural recursion imposes that recursive calls consume data that is obtained through the destructor. The inductive type uses the constructors and destructors in a specific way. Co-inductive

We show how to reason, in the proof assistant Coq, about realistic programming languages using a combination of separation logic and heterogeneous multimodal logic. A heterogeneous multimodal logic is a logic with several modal operators that are not required to satisfy the same frame conditions. The result is a powerful and elegant system for reasoning about programming languages and their semantics. The techniques are quite general and can be adopted to a wide variety of settings.

Thanks to recent advances, modern proof assistants now enable verification of realistic sequential programs. However, regarding the concurrency paradigm, previous work essentially focused on formalization of abstract systems, such as pure concurrent calculi, which are too minimal to be realistic. In this paper, we propose a library that enables verification of realistic concurrent programs in the Coq proof assistant. Our approach is based on an extension of the #-calculus whose encoding enables such programs to be modeled conveniently. This encoding is coupled with a specification language akin to spatial logics, including in particular a notion of fairness, which is important to write satisfactory specifications for realistic concurrent programs. In order to facilitate formal proof, we propose a collection of lemmas that can be reused in the context of di#erent verifications. Among these lemmas, the most e#ective for simplifying the proof task take advantage of confluence properties. In order to evaluate feasibility of verification of concurrent programs using this library, we perform verification for a non-trivial application.

A modular formalization of the branching time temporal logic CTL∗ is presented. Our formalization subsumes prior formalizations of propositional linear temporal logic (PTL) and computation tree logic (CTL). Moreover, the modularity allows to instantiate our formalization for different formal security models. Validity of axioms and soundness of inference rules in axiomatizations of PTL, UB, CTL, and CTL∗ are discussed as well.

Abstract. We study temporal properties over infinite binary red-blue trees in the setting of constructive type theory. We consider several familiar path-based properties, typical to linear-time and branching-time temporal logics like LTL and CTL ∗ , and the corresponding tree-based properties, in the spirit of the modal μ-calculus. We conduct a systematic study of the relationships of the path-based and tree-based versions of “eventually always blueness ” and mixed inductive-coinductive “almost always blueness ” and arrive at a diagram relating these properties to each other in terms of implications that hold either unconditionally or under specific assumptions (Weak Continuity for Numbers, the Fan Theorem, Lesser Principle of Omniscience, Bar Induction). We have fully formalized our development with the Coq proof assistant. 1