About 15 years ago, I was hanging out at the MIT AI Lab, and there was an ongoing seminar on the Coq proof assistant. The idea was that you wouldn't have to guess whether your programs were correct; you could prove that they worked correctly.
The were just two little problems:
- It looked ridiculously intimidating.
- Rumor said that it took a grad student all summer to implement and prove the greatest common divisor algorithm, which sounded rather impractical.
So I decided to stick to Lispy languages, which is what I was officially supposed to be hacking on, anyway, and I never did try to sit in on the seminar.
Taking another look
I should have taken a look much sooner. This stuff provides even more twisted fun than Haskell! Also, projects like the CompCert C compiler are impressive: Imagine a C compiler where every optimization has been proven correct.
Even better, we can write code in Coq, prove it correct, then export it to Haskell or several other functional languages.
Here's an example Coq proof. Let's start with a basic theorem that says
"If we know A is true, and we know B is true, then we know A /\ B
(both A and B) is true."
Theorembasic_conj:forall(AB:Prop),A->B->A/\B.Proof.(* Give names to our inputs. *)introsABH_A_TrueH_B_True.(* Specify that we want to prove each half of /\ separately. *)split.-applyH_A_True.(* Prove the left half. *)-applyH_B_True.(* Prove the right half. *)Qed.But Coq proofs are intended to be read interactively, using a tool like CoqIDE or Emacs Proof General. Let me walk you through how this proof would really look.
Proof.At this point, the right-hand pane will show the theorem that we're trying to prove:
1 subgoals, subgoal 1 (ID 1)
============================
forall A B : Prop, A -> B -> A /\ B