Final Project

Logical Foundations using the Coq Proof Assistant

2021/A
Lecturer: Liron Cohen

Submission instructions:
o Due date: 6-Feb-2022 at 23:59. There will be no extensions.
o The completed project is to be submitted via Moodle.
o Specific instructions for each part of the project are given below.

General instructions:
o The final project must be done individually, and you may NOT discuss the project’s
problems with other students.
o You can, and should, use the course material. It is recommended to draw inspiration
from similar definitions and proofs in the course book.
o It is also highly recommended to use automation in the proofs (again, in a similar
manner to the way they are used in the course book). Without automation the proofs
can be very long and tedious.
o Note that you may be asked to explain your solution in a personal meeting after
submitting your work.

Academic integrity:
I’d like to restate the academic integrity policy:
The utmost level of academic integrity is expected of all students. Violations of the code of
academic integrity are treated very seriously by BGU and can have long-term repercussions.
Academic dishonesty includes any act of obtaining, soliciting or making available to others,
material related to homework assignments. If you commit any of the above, you are guilty of
academic dishonesty. Note that BGU holds responsible for the code violation both the recipient
and the donor of improper information.

Therefore, together with your solution to the project, you are requested to upload a scan of
this page after you have filled in the following statement.

My signature below constitutes my pledge that I have followed BGU’s policy on academic
integrity as well as the specific instructions for this project. I affirm that this project represents
my own work, without the use of any unpermitted aids or resources. I understand that there
will no tolerance towards academic dishonesty, and that cheating can and will lead to automatic
failure from the class as well as a report to the Academic Integrity Committee.

Full name: ________________________________________

ID number: ________________________________________

Signature: ________________________________________
Part 1 – Imperative programming (50%)

Fill in the following exercises in the attached Imp.v file:

• XtimesYinZ_spec
• loop_never_stops
• no_whiles_eqv
• no_whiles_terminating
• stack_compiler
• execute_app
• stack_compiler_correct
• break_imp
• while_break_true
• ceval_deterministic
• add_for_loop

Instructions: As usual, in order for the auto grader to work correctly (and give you full credit
for your work!), please be careful to follow these rules:
o Please use only the file attached to this assignment. Do not use any other version of
this file.
o Do not alter the "markup" that delimits exercises: The Exercise header, the name of
the exercise, the "empty square bracket" marker at the end, etc. Please leave this
markup exactly as you find it.
o Do not delete or comment exercises. If you skip an exercise (e.g., because it is marked
"optional," or because you can't solve it), it is OK to leave a partial proof in your [.v]
file; in this case, please make sure it ends with [Admitted] (not, for example [Abort]).
o It is fine to use additional definitions (of helper functions, useful lemmas, etc.) in your
solutions. You can put these between the exercise header and the theorem you are
asked to prove.

Part 2 – Inductive data structures (25%)

Consider the following datatype of inductively-defined binary trees, which are either
empty, or nodes containing a data element of type X and a left tree and a right tree.

Set Warnings "-notation-overridden,-parsing".

From Coq Require Import Arith.Arith.
From LF Require Import Lists.

Inductive tree X : Type :=

| empty : tree X
| node : tree X -> X -> tree X -> tree X.

Arguments empty {X}.

Arguments node {X} _ _ _.
Copy the above lines into your solution file.

1. Write down a definition of the following illustrated tree, T. It might be useful to define
helper functions.

2. Write a function “in_order” that takes a tree as input and produces the in-order
traversal of the elements in the nodes of a tree. For example, for the tree T is will produce
the list [1;3;2;0;4;1;5].

3. Complete the following definition of “tree_map”, which, like the map function for lists,
applies a function f to each element in the tree. Test your solution.

Fixpoint tree_map {X Y} (f:X -> Y) (t:tree X) : tree Y :=

4. Prove the following specification which shows the relationship between tree_map and
in_order in terms of the usual list map function. Again, it might be useful to formalize
and prove helper lemmas.

Lemma tree_map_in_order : forall X Y (f:X -> Y) (t:tree X),

map f (in_order t) = in_order (tree_map f t).

5. Formalize a (non-trivial) true specification concerning tree_map and prove it correct.

6. It is often useful to prove that certain properties do not hold. Formalize such a (non-trivial)
false specification concerning tree_map and prove that it does not hold.

Instructions:
o For this part you will need to create your own Coq file from scratch. Name the file
“trees.v”.
o You can use directly the files from the course book (using “Require Import”). We
recommend to work inside the folder LF.
o Recall that you can search for lemmas using Coq’s “Search”.
o To get partial grading, it is possible to answer only some of the questions, leaving the
rest of the proofs as “Admitted”.
Part 3 – Formalizing mathematics (25%):

This question concerns Euclid's GCD algorithm. Euclid's algorithm is an efficient method for
computing the greatest common divisor (GCD) of two integers (numbers). For the purpose
of the exercise, we will restrict our attention to the natural numbers.
Euclid original algorithm was based on substruction and can be stated as follows:

while a ≠ b
if a > b
a := a − b
else
b := b − a
return a

Formally, it can be stated in Coq as follows:

Set Warnings "-notation-overridden,-parsing".

From Coq Require Import Arith.Arith.
Require Nat.

Inductive euclid : nat -> nat -> nat -> Prop :=

| stop : forall z, euclid z z z
| step_a : forall a b z, a > b -> euclid (a - b) b z -> euclid a b z
| step_b : forall a b z, a < b -> euclid a (b - a) z -> euclid a b z.

A simplified version of Euclid’s algorithm can be formalized as follows:

Inductive gcd : nat -> nat -> nat -> Prop :=

| base : forall z, gcd z z z
| step_a’ : forall a b z, gcd a b z -> gcd (a + b) b z
| step_b’ : forall a b z, gcd a b z -> gcd a (a + b) z.

Copy the above lines into your solution file.

1. Prove that euclid indeed generates the same result as gcd. That is, prove the following
statement:

Theorem euclid_gcd : forall a b z, euclid a b z -> gcd a b z.

2. We would like to prove that the program euclid terminates. Within the inductive
definition, this amounts to proving the totality of the relation, that is, for any positive a,
b, there exists a z satisfying euclid a b z . Since the definition of inductive datatypes
asserts that any value can only be obtained by finitely many applications of the
constructors, we conclude that the value z is computed in a finite number of steps.
Such so-called termination proofs are notoriously difficult to formalize, so you may use
the following lemma without a proof.

Lemma noether_max P :
(forall a b, (forall a' b', max a' b' < max a b -> P a' b') -> P a b)
-> forall a b, P a b.
(* I have a truly remarkable proof of this theorem which this file
is too small to contain. *)
Admitted.
 Copy the code below to your solution file and complete the proof of termination below.
To help you on your quest, we supply one lemma you might want to use (but need to
prove in order to do so). You will be needing to come up with other helper lemmas
yourself. (Hint: properties of max might be helpful.)

Lemma case_split_3way P : forall a b,

(a < b -> P a b) -> (a = b -> P a b) -> (a > b -> P a b) -> P a b.
Proof.
(* FILL IN HERE *)
Qed.

Theorem euclid_terminates : forall a b,

a > 0 -> b > 0 -> exists z, euclid a b z.

Instructions:
o For this part you will need to create your own Coq file from scratch. Name the file
“GCD.v”.
o You can use directly the files from the course book (using “Require Import”). We
recommend to work inside the folder LF.
o To get partial grading, it is possible to answer only some of the questions, leaving the
rest of the proofs as “Admitted”.

Good Luck!