Formally Verified Approximations of Definite Integrals
Abstract
Finding an elementary form for an antiderivative is often a difficult task, so numerical integration has become a common tool when it comes to making sense of a definite integral. Some of the numerical integration methods can even be made rigorous: not only do they compute an approximation of the integral value but they also bound its inaccuracy. Yet numerical integration is still missing from the toolbox when performing formal proofs in analysis. This paper presents an efficient method for automatically computing and proving bounds on some definite integrals inside the Coq formal system. Our approach is not based on traditional quadrature methods such as Newton–Cotes formulas. Instead, it relies on computing and evaluating antiderivatives of rigorous polynomial approximations, combined with an adaptive domain splitting. Our approach also handles improper integrals, provided that a factor of the integrand belongs to a catalog of identified integrable functions. This work has been integrated to the CoqInterval library.
Keywords: Formal proof, Numeric computations, Definite integrals, Improper integrals, Decision procedure, Interval arithmetic, Polynomial approximations, Real analysis
1 Introduction
Computing the value of definite integrals is the modern and generalized take on the ancient problem of computing the area of a figure. Quadrature methods hence refer to the numerical methods for estimating such integrals. Numerical integration is often the preferred way of obtaining such estimations, as symbolic approaches may be too difficult or even just impossible. These quadrature methods usually consist in interpolating the integrand function by a degree-n polynomial, integrating the polynomial, and then bounding the error using a bound on the \((n+1)\)th derivative of the integrand function. Most often though, these methods are used in a non-rigorous way, for instance without bounding the error, or worse, on functions with unbounded derivatives. Open quadrature formulas can also be used to approximate improper integrals with removable singularities, like \(\int _0^1 \frac{\sin t}{t}\,dt\), but their use in practice is even less rigorous.
Yet estimating the value of integrals is a crucial part of some mathematical proofs, making numerical integration an invaluable ally. Examples of such proofs occur in various areas of mathematics, such as number theory (e.g. Helfgott’s proof of the ternary Goldbach conjecture [7]) or geometry (e.g. the first proof of the double bubble conjecture [6]). This motivates developing high-confidence methods for computing reliable yet accurate and fast estimations of integrals.
The present article describes a formal-proof-producing procedure to obtain numerical enclosures of definite integrals \(\int _{u}^{v} f\), where f is a real-valued function. It extends a previous publication by the same authors [9], devoted to the case of a bounded integration domain, for an integrand function f which is Riemann-integrable on [u; v]. This extended version includes a generalization of the enclosure method to the case of improper integrals. Improper integrals are limits of definite integrals: for instance, \(\int _{u}^{+\infty } f\) is the limit of \(\int _{u}^v f\) when \(v\rightarrow +\infty \), and \(\int _{a^+}^{v} f\), with a a singular point for f, denotes the limit of \(\int _{u}^vf\) when \(u \rightarrow a^+\). Estimating an improper integral amounts to combining two enclosures: one for a proper integral and one for a remainder.
Our procedure can deal with any proper integral of a function f for which we have an interval extension and/or a polynomial approximation. Regarding improper integrals, the current procedure can only deal with a limited class of integrals: their limit bounds should be either \(0^+\) or \(+\,\infty \), and the syntactic shape of the integrand f should make manifest its domination by a suitable element of the scale \(x^{\alpha }\ln ^\beta x\) or of the scale \(e^{\gamma x}\). Enclosures are computed inside the Coq proof assistant and the computations are correct by construction. Interestingly, the formal proof that the integral exists comes as a byproduct of these computations, even in the case of improper integrals.
The paper is organized as follows: Sect. 2 introduces some definitions and notations used throughout the paper, and briefly describes the Coq libraries we build on. Section 3 describes the algorithms used to estimate proper integrals while Sect. 4 focuses on estimating the remainder of improper integrals. Section 5 describes the design of the proof-producing Coq tactic. In Sect. 6 we provide cross-software benchmarks highlighting issues with both our and others’ algorithms. In Sect. 7, we discuss the limitations and perspectives of this work.
2 Preliminaries
In this section we introduce some vocabulary and notations used throughout the paper and we summarize the existing Coq libraries the present work builds on.
2.1 Notations and First Definitions
In this paper, an interval is a closed connected subset of the set of real numbers. We use \({\mathbb {I}}\) to denote the set of intervals: \(\{ [a;b] \mid a, b \in {\mathbb {R}} \cup \{\pm \infty \} \}\). A point interval is an interval of the shape [a; a] where \(a \in {\mathbb {R}}\). Any interval variable will be denoted using a bold font. For any interval \({\mathbf {x}} \in {\mathbb {I}}\), \(\inf {\mathbf {x}}\) (resp. \(\sup {\mathbf {x}}\)) denotes its left (resp. right) bound, with \(\inf {\mathbf {x}} \in {\mathbb {R}} \cup \{-\infty \}\) (resp. \(\sup {\mathbf {x}} \in {\mathbb {R}} \cup \{+\infty \}\)). An enclosure of \(x \in {\mathbb {R}}\) is an interval \({\mathbf {x}} \in {\mathbb {I}}\) such that \(x \in {\mathbf {x}}\).
2.2 Elementary Real Analysis in Coq
2.3 Numerical Computations in Coq
The tactic typically takes a goal \(A \le e \le B\) where e is an expression in \({\mathcal {E}}\), and A and B are constants. Using the paradigm of interval arithmetic, it builds a set \({\mathbf {e}}\) such that \(e \in {\mathbf {e}}\) holds by construction and such that \({\mathbf {e}}\) reduces to an interval \([\inf {\mathbf {e}};\sup {\mathbf {e}}]\) by computation. Then it checks that \(A \le \inf {\mathbf {e}}\) and \(\sup {\mathbf {e}} \le B\), again by computation, from which it proves \(A \le e \le B\). All the computations on interval bounds are performed using a rigorous yet efficient formalization of multi-precision floating-point arithmetic.
The inclusion property of interval arithmetic is easily transported from operators to whole expressions by induction on these expressions. This gives a way to obtain the property \(e \in {\mathbf {e}}\) above when \({\mathbf {e}}\) is built using interval operators. This approach, however, cannot keep track of correlations between subexpressions and might compute overestimated enclosures which are thus useless for proving some goals. For instance, assume that \(x \in [3;4]\), so \(-x \in [-4;-3]\) using the interval extension of the negation, so \(x + (-x) \in [3+(-4);4+(-3)]\) using the interval extension of the addition. If one wants to prove that \(x - x\) is always 0, the interval \([-1;1]\) obtained by naive interval arithmetic is useless. This is why the CoqInterval library also comes with refinements of naive interval arithmetic, such as automatic differentiation and rigorous polynomial approximations using Taylor models, so as to reduce this loss of correlations.
The goal of this work is to extend the class \({\mathcal {E}}\) of supported expressions with integrals whose bodies are in \({\mathcal {E}}\).
3 Interval Methods to Approximate a Proper Integral
In this section, we describe how to compute a numerical enclosure of the real number \(\int _u^v f\) from enclosures of the finite bounds u and v and of the integrand function f. We describe two basic methods based respectively on the evaluation of a simple interval extension and on a polynomial approximation of f. They can be combined and improved by a dichotomy process.
3.1 Naive Integral Enclosure
Our first approach uses an interval extension of the integrand.
Definition 1
In the rest of the section we suppose that \(F : {\mathbb {I}} \rightarrow {\mathbb {I}}\) is an interval extension of the univariate function f, and we want to compute an enclosure of \(\int _u^v f\), with \(u, v \in {\mathbb {R}}\), and f integrable on [u; v].
Definition 2
The closed convex hull of a set \(A \subseteq {\mathbb {R}}\) is the smallest interval containing A, denoted here \(\mathrm {hull}(A)\). Moreover, the interval \(\mathrm {hull}({\mathbf {a}}, {\mathbf {b}})\) denotes the convex hull of (the union of) two intervals \({\mathbf {a}}\) and \({\mathbf {b}}\). Finally, \(\mathrm {hull}({\mathbf {a}},+\infty )\) designates the interval \([\inf {\mathbf {a}};+\infty )\).
Lemma 1
Proof
Let us first suppose that \(u \le v\). Denote \(f([u;v]) := \{ f(t) \mid t \in [u;v]\}\). Assume without loss of generality that f([u; v]) is bounded. If \([m;M] := \mathrm {hull}(f([u;v]))\), then for any \(t \in [u;v]\), we have \(m \le f(t) \le M\). So \((v - u) m \le \int _u^v f \le (v - u) M\), hence (1). The case \(v \le u\) is symmetrical. \(\square \)
In practice we do not compute with f but only its interval extension F. Moreover, we want the computations to operate using only enclosures of the bounds. So we adapt Formula (1) accordingly.
Lemma 2
Proof
If \(u \in {\mathbf {u}}\) and \(v \in {\mathbf {v}}\), then by (1) and reusing notations from the proof, we have \(\int _u^v f \in (v - u) \cdot \mathrm {hull}(f([u;v]))\). Since \((v - u) \in ({\mathbf {v}} - {\mathbf {u}})\), we only have to show that \(\mathrm {hull}(f([u;v])) \subseteq F(\mathrm {hull}({\mathbf {u}},\mathbf {v}))\). Since \([u;v] \subseteq \mathrm {hull}(\mathbf {u},\mathbf {v})\) and F is an interval extension of f, we have \(f([u;v]) \subseteq f(\mathrm {hull}(\mathbf {u},\mathbf {v})) \subseteq F(\mathrm {hull}(\mathbf {u},\mathbf {v}))\). Therefore \(\mathrm {hull}(f([u;v]))\) is included in the interval \(F(\mathrm {hull}(\mathbf {u},\mathbf {v}))\), by definition of the closed convex hull. \(\square \)
3.2 Polynomial Approximation
The enclosure method described in Sect. 3.1 is crude. Better knowledge of the integrated function allows for a more efficient approach.
The CoqInterval library defines a rigorous polynomial approximation (RPA) of \(f : {\mathbb {R}} \rightarrow {\mathbb {R}}\) on the interval \(\mathbf {x}\) as a pair \((\mathbf {p}, {\varvec{\Delta }})\), with \(\mathbf {p}\in {\mathbb {I}}[X]\), such that there exists a polynomial \(p\in {\mathbb {R}}[X]\) enclosed (see footnote 2) in \(\mathbf {p}\) for which \(f(x) - p(x) \in {\varvec{\Delta }}\) for all \(x \in \mathbf {x}\). CoqInterval computes these RPAs by composing and performing arithmetic operations on Taylor expansions of elementary functions [11]. Thanks to these polynomial approximations, we can make use of the following lemma.
Lemma 3
(Polynomial approximation) Suppose f is approximated on [u; v] by \(p \in {\mathbb {R}}[X]\) and \({\varvec{\Delta }} \in {\mathbb {I}}\) in the sense that \(\forall x \in [u;v],~ f(x) - p(x) \in {\varvec{\Delta }}\). Then for any primitive P of p, we have \(\int _u^v f \in P(v) - P(u) + (v - u) \cdot {\varvec{\Delta }}\).
Proof
We have \(\int _u^v f - (P(v) - P(u)) = \int _u^v (f(t) - p(t))\,dt\). By hypothesis, the constant function \({\varvec{\Delta }}\) is an interval extension of \(t \mapsto f(t) - p(t)\) on [u; v], hence Lemma 1 applies (notice that \(\mathrm {hull}({\varvec{\Delta }}) = {\varvec{\Delta }}\)). \(\square \)
Note that our method and proofs do not depend on the way RPAs are obtained. In particular, we are not taking advantage of the fact that p is computed with respect to the center of [u; v], which would make it possible to skip half of the computations [4].
3.3 Quality of the Integral Enclosures
In order to improve the accuracy of the result, one can increase d instead of n. If f behaves similarly to \(\exp \) or \(\sin \), the Taylor–Lagrange formula tells us that \(k_d\) decreases as fast as \((d!)^{-1}\). Moreover, the time complexity of computing a polynomial approximation usually grows like \(d^3\). So, if \(n \simeq v - u\), doubling the computation time by increasing d gives about 25% more bits of accuracy.
As can be seen from the considerations above, striking the proper balance between n and d for reaching a target accuracy in a minimal amount of time is difficult, so we have made the decision of letting the user control d (see Sect. 5.3) while the implementation adaptively splits the integration interval. Had we not been constrained by Coq’s logic, we could have accessed a clock so as to dynamically balance between n and d [4].
3.4 Dichotomy and Adaptivity
Both methods presented in Sects. 3.1 and 3.2 can compute an interval enclosing \(\int _u^v f\) when u and v are proper bounds. Polynomial approximations usually give tighter enclosures of the integral, but not always, so we combine both methods by taking the intersection of their result.
If \(w(\mathbf {i_1}) \le \frac{\varepsilon }{2}\) and \(w(\mathbf {i_2}) \le \frac{\varepsilon }{2}\), the function simply returns \(\mathbf {i_1} + \mathbf {i_2}\).
If \(w(\mathbf {i_1}) \le \frac{\varepsilon }{2}\) and \(w(\mathbf {i_2}) > \frac{\varepsilon }{2}\), the first enclosure is sufficient but the second is not. So the function calls itself recursively on [m; v] with \(depth - 1\) as the new maximal depth and \(\varepsilon - w(\mathbf {i_1})\) as the new target accuracy, yielding \(\mathbf {i'_2}\). The function then returns \(\mathbf {i_1} + \mathbf {i'_2}\).
If \(w(\mathbf {i_1}) > \frac{\varepsilon }{2}\) and \(w(\mathbf {i_2}) \le \frac{\varepsilon }{2}\), we proceed symmetrically.
Otherwise, the function calls itself on both [u; m] and [m; v] with \(depth - 1\) as the new maximal depth and \(\frac{\varepsilon }{2}\) as the new target accuracy, yielding \(\mathbf {i'_1}\) and \(\mathbf {i'_2}\). It then returns \(\mathbf {i'_1} + \mathbf {i'_2}\).
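The following is an added worked example, not code from the paper or from CoqInterval: it implements the naive enclosure (Lemma 2), the RPA-based enclosure (Lemma 3), their intersection, and the four-case adaptive dichotomy above, on the constructed integrand \(f(t) = 1/(1+t)\) over [0; 1] (whose integral is \(\ln 2\)). Exact rationals replace CoqInterval's outward-rounded floats, the RPA is a hand-derived Taylor expansion with a geometric tail bound (since CoqInterval's RPA machinery is not reproduced here), and the behaviour at depth 0 (return the enclosure of the whole subinterval) is an assumption.

```python
from fractions import Fraction as Fr

# An interval is a pair (lo, hi) of exact rationals, so every bound below is
# rigorous; CoqInterval instead uses outward-rounded multi-precision floats.

def hull(*ivs):
    return (min(i[0] for i in ivs), max(i[1] for i in ivs))

def width(iv):
    return iv[1] - iv[0]

def add(a, b):
    return (a[0] + b[0], a[1] + b[1])

def mul(a, b):
    ps = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(ps), max(ps))

def intersect(a, b):
    # Both inputs enclose the same real number, so they must overlap.
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    assert lo <= hi
    return (lo, hi)

# Constructed integrand: f(t) = 1/(1+t) on [0; 1], whose integral is ln 2.

def F(x):
    # Interval extension of f: f is decreasing on (-1; +inf).
    assert x[0] > -1
    return (1 / (1 + x[1]), 1 / (1 + x[0]))

def naive_enclosure(u, v):
    # Lemma 2 with point intervals for the bounds: (v - u) * F(hull(u, v)).
    return mul((v - u, v - u), F(hull((u, u), (v, v))))

def rpa(u, v, d):
    """Rigorous polynomial approximation (p, Delta) of f on [u; v], 0 <= u <= v.
    p is the degree-d Taylor expansion at the centre c, written with
    coefficients a_k of (t - c)^k; Delta bounds the geometric tail
    (-q(t-c))^(d+1)/(1+t) using 1+t >= 1+u on the interval."""
    c = (u + v) / 2
    q = 1 / (1 + c)
    coeffs = [q * (-q) ** k for k in range(d + 1)]
    r = (q * max(c - u, v - c)) ** (d + 1) / (1 + u)
    return c, coeffs, (-r, r)

def poly_enclosure(u, v, d):
    # Lemma 3: P(v) - P(u) + (v - u) * Delta, with P a primitive of p.
    c, coeffs, delta = rpa(u, v, d)
    def P(t):
        return sum(a * (t - c) ** (k + 1) / (k + 1) for k, a in enumerate(coeffs))
    exact = P(v) - P(u)
    return add((exact, exact), mul((v - u, v - u), delta))

def enclosure(u, v, d):
    # Sect. 3.4: intersect the two methods, since neither always wins.
    return intersect(naive_enclosure(u, v), poly_enclosure(u, v, d))

def integrate(u, v, eps, depth, d=10):
    """Adaptive dichotomy of Sect. 3.4: target absolute width eps, at most
    `depth` further splits. Assumption: at depth 0 the enclosure of the
    whole subinterval is returned as is."""
    if depth == 0:
        return enclosure(u, v, d)
    m = (u + v) / 2
    i1, i2 = enclosure(u, m, d), enclosure(m, v, d)
    half = eps / 2
    if width(i1) <= half and width(i2) <= half:
        return add(i1, i2)
    if width(i1) <= half:
        return add(i1, integrate(m, v, eps - width(i1), depth - 1, d))
    if width(i2) <= half:
        return add(integrate(u, m, eps - width(i2), depth - 1, d), i2)
    return add(integrate(u, m, half, depth - 1, d),
               integrate(m, v, half, depth - 1, d))

def ln2_enclosure(eps="1/1000", depth=3, d=10):
    # Entry point on the constructed integrand; eps is a rational string.
    return integrate(Fr(0), Fr(1), Fr(eps), depth, d)

if __name__ == "__main__":
    lo, hi = ln2_enclosure()
    print(float(lo), float(hi))  # an enclosure of ln 2
```

With the default degree 10, the first split already meets a target of \(10^{-3}\) without recursion; a target of \(10^{-9}\) triggers the second case (left half refined, right half kept).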
4 Interval Methods to Approximate an Improper Integral
Improper integrals are computed by splitting the interval into two parts, a proper part which is treated with the previous methods, and the remainder which is handled in a specific way. The splitting is automatically performed by a variant of the adaptive method presented in Sect. 3.4 where the splitting point m for \([u;+\infty )\) is chosen to be 2u when \(u > 0\).
In this section, we describe how we bound the remainder. We consider improper integrals of the shape \(\int _{u}^{v} f g\) where either \(u = 0^+\) or \(v = +\infty \), and f is bounded. Function g belongs to a catalog of functions with known enclosures of their integral, such as \(x^\alpha \ln ^\beta x\). Section 4.1 presents the general theorem for integrals of the shape \(\int _{u}^{+\infty } f g\), while Sect. 4.2 lists the functions g contained in our catalog. Finally, Sect. 4.3 focuses on integrals of the shape \(\int _{0^+}^{v} f g\).
4.1 Improper Integral of a Product
To determine that \(\int _{u}^{+\infty } h\) exists, we have added to Coquelicot a proof of the following Cauchy criterion: this integral exists if and only if for any \(v \ge u\), \(\int _{u}^{v} h\) exists and for all \(\varepsilon > 0\), there exists \(M > 0\) such that for all \(u, v \ge M\), \(\left|\int _{u}^{v} h\right| \le \varepsilon \). We use this criterion to show the following lemma.
Lemma 4
Proof
Since f is bounded on \([u;+\infty )\), let \([m;M] := \mathrm {hull} \{f(t) \mid t \ge u \}\). Suppose without loss of generality that \(g \ge 0\) on \([u;+\infty )\). Let \(v\ge u\). For \(u \le t \le v\), we have \(m \cdot g(t) \le f(t) \cdot g(t) \le M \cdot g(t)\), hence \(m \cdot \int _{u}^{v} g \le \int _{u}^{v} f g\le M \cdot \int _{u}^{v} g\). Let \(\varepsilon > 0\). Since g is integrable, the Cauchy criterion gives some neighborhood P of \(+\,\infty \) such that \(\forall u,v \in P,~ \left|\int _{u}^{v} g\right| < \frac{\varepsilon }{1 + \max (m,M)}\). But \(\left|\int _{u}^{v} f g\right| \le \max (m,M) \cdot \int _{u}^{+\infty } g < \varepsilon \); hence fg is integrable. Moreover \(m \int _{u}^{+\infty } g\le \int _{u}^{+\infty } f g \le M \int _{u}^{+\infty } g\). Thus \(\int _{u}^{+\infty } f g \in [m;M] \cdot \int _{u}^{+\infty } g\). If \(g \le 0\), the proof is similar. \(\square \)
We provide an effective version of the previous lemma, in the same spirit as Lemma 2, with a similar proof:
Lemma 5
4.2 Catalog of Supported Integrable Functions
In order to use Lemma 5, we need to be able to find a suitable extension \(I_g\) for the remainder of the integral of g. In that spirit, we look at two classes of well-known integrable functions.
4.2.1 Bertrand Integrals
When \(\alpha < -1\) and \(\beta < 0\), there is no closed form, but by moving \(\ln ^\beta x\) into the bounded part of Lemma 4, we can nevertheless compute bounds on the integral.
4.2.2 Exponential
4.3 Case of \(0^+\)
When the singular bound is \(0^+\) instead of \(+\,\infty \), we use a variant of Lemma 4.
Lemma 6
5 Automating the Proof Process
In this section we explain how to compute the approximations of the integrand (or of its bounded factor in the case of an improper integral) required by the theorems of Sects. 3 and 4, and how to automate the proof of its integrability. We conclude by describing how all the ingredients combine into the implementation of a parameterized Coq tactic.
5.1 Straight-Line Programs and Enclosures
As described in Sect. 2.3, enclosures and interval extensions are computed from expressions that appear as bounds or as the body of an integral, like for instance \(\ln 2\), 3, and \(\left( t + \pi \right) \sqrt{t} - (t + \pi )\), in \(\int _{\ln 2}^3 \left( (t + \pi ) \sqrt{t} - (t + \pi )\right) \, dt\). The tactic represents these expressions symbolically, as straight-line programs. Such a program is a standard way of encoding directed acyclic graphs and thus of explicitly sharing common subexpressions. It is just a list of statements indicating what the operation is and where its inputs can be found. The place where the output is stored is left implicit: the result of an operation is always put at the top of the evaluation stack. Note that our evaluation model is simple: the stack grows linearly with the size of the expression since no element of the stack is ever removed. The stack is initially filled with values corresponding to the constants of the program. The result of evaluating a straight-line program is at the top of the stack.
The tactic then looks in the context for hypotheses of the form \(A_i \le x_i \le B_i\) so that it can build a stack \(\vec {\mathbf {x}}\) of intervals such that \(\forall i,~ x_i \in \mathbf {x}_i\). If there is no such hypothesis, the tactic just uses \((-\infty ;+\infty )\) for \(\mathbf {x}_i\). The tactic can now apply Formula (5) to replace the goal by \(\llbracket p \rrbracket _{{\mathbb {I}}}(\vec {\mathbf {x}}) \subseteq [A;B]\). It then attempts to prove this new goal entirely by computation. Note that even if the original goal holds, this attempt may fail due to loss of correlation inherent to interval arithmetic.
Formula (5) also implies that if a function f can be reified as \(t\mapsto \llbracket p \rrbracket _{{\mathbb {R}}}(t,\vec {x})\), then \(\mathbf {t} \mapsto \llbracket p \rrbracket _{{\mathbb {I}}}(\mathbf {t},\vec {\mathbf {x}})\) is an interval extension of f if \(\forall i,~ x_i \in \mathbf {x}_i\). This way, we obtain the interval extensions of the integrand that we need for Sects. 3 and 4.
There is also an evaluation scheme for computing RPAs for f. The program p is the same, but the initial evaluation stack now contains RPAs: a degree-1 polynomial for representing the domain of t, and constant polynomials for the constants. The result is an RPA of \(t \mapsto \llbracket p \rrbracket _{{\mathbb {R}}}(t, \vec {x})\). By computing the image of this resulting polynomial approximation, one gets an enclosure of the expression that is usually better than the one computed by \(\mathbf {t} \mapsto \llbracket p \rrbracket _{{\mathbb {I}}}(\mathbf {t},\vec {\mathbf {x}})\).
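As an added illustration (not the tactic's own code), the straight-line program below encodes the integrand \((t + \pi)\sqrt{t} - (t + \pi)\) quoted above, sharing the subterm \(t + \pi\), and is run by one evaluator over reals and over intervals; the program encoding, the interval for \(\pi\) and the use of plain floats instead of outward-rounded multi-precision floats are assumptions of this example.

```python
import math

# Constructed straight-line program for (t + pi) * sqrt(t) - (t + pi).
# Stack positions 0 and 1 hold the initial values t and pi; each statement
# names its operation and the positions of its inputs, and its result is
# pushed on top of the stack (nothing is ever popped).
PROGRAM = [
    ("add", 0, 1),   # position 2: t + pi (shared by two later statements)
    ("sqrt", 0),     # position 3: sqrt(t)
    ("mul", 2, 3),   # position 4: (t + pi) * sqrt(t)
    ("sub", 4, 2),   # position 5: (t + pi) * sqrt(t) - (t + pi)
]

# Evaluation over the reals: the meaning [[p]]_R of the program.
REAL_OPS = {
    "add": lambda a, b: a + b,
    "sub": lambda a, b: a - b,
    "mul": lambda a, b: a * b,
    "sqrt": math.sqrt,
}

def i_mul(a, b):
    ps = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(ps), max(ps))

def i_sqrt(a):
    assert a[0] >= 0, "sqrt is only defined on the non-negative reals"
    return (math.sqrt(a[0]), math.sqrt(a[1]))   # sqrt is increasing

# Evaluation over intervals: the meaning [[p]]_I of the same program.
# Plain floats stand in for CoqInterval's outward-rounded floats, so the
# rounding of each bound is not accounted for in this demonstration.
INTERVAL_OPS = {
    "add": lambda a, b: (a[0] + b[0], a[1] + b[1]),
    "sub": lambda a, b: (a[0] - b[1], a[1] - b[0]),
    "mul": i_mul,
    "sqrt": i_sqrt,
}

def evaluate(program, initial_stack, ops):
    # The stack only grows; the result of the program is its top element.
    stack = list(initial_stack)
    for op, *inputs in program:
        stack.append(ops[op](*(stack[i] for i in inputs)))
    return stack[-1]

def eval_real(t):
    return evaluate(PROGRAM, [t, math.pi], REAL_OPS)

PI_ENCLOSURE = (3.14159, 3.1416)   # a coarse but correct enclosure of pi

def eval_interval(t_iv):
    # Interval extension of the integrand, as obtained from Formula (5).
    return evaluate(PROGRAM, [t_iv, PI_ENCLOSURE], INTERVAL_OPS)

def contains(iv, x):
    return iv[0] <= x <= iv[1]
```

On t in [1; 4] the true range of the integrand is [0; 4 + pi], but the interval evaluation returns roughly [-3; 10.14] because the shared subterm t + pi is treated as uncorrelated with itself, which is the loss of correlation the text mentions.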
5.2 Checking Integrability
When computing the enclosure of an integral, the tactic should first obtain a formal proof that the integrand is integrable on the integration domain, as this is a prerequisite to all the theorems in Sect. 3. In fact we can be more clever by proving that, if we succeed in numerically computing an informative enclosure of the integral, the function was actually integrable. This way, the tactic does not have to prove anything beforehand about the integrand.
By combining Formulas (5) and (8), we obtain a numeric/symbolic method to prove that a function is continuous on a domain. Indeed, we just have to compute an enclosure of the function on that domain, and to check that it is not \(\bot _{{\mathbb {I}}}\). A closer look at the way naive integral enclosures are computed provides the following corollary: whenever the enclosure of the integral is not \(\bot _{{\mathbb {I}}}\), the function is actually continuous and thus integrable on any compact of the input domain. This solves the issue for proper integrals.
5.3 Integration into a Tactic
The tactic supports constants for which it can get a formally-proved enclosure. In previous releases of CoqInterval, the only supported constants were floating-point numbers and \(\pi \). Floating-point numbers are enclosed by the corresponding point interval, which is trivially correct. An interval function and its correctness proof provide enclosures of the constant \(\pi \), at the required precision.
The tactic now supports constants expressed as integrals \(\int _u^v e\,dt\). First, it reifies the bounds u and v into programs and it evaluates them over \({\mathbb {I}}\) to get hopefully tight enclosures of them. In the case of an improper integral, only one of the bounds is reified; the other has to syntactically match either \(0^+\) or \(+\,\infty \). Second, the tactic reifies e into a program p with t at the top of the initial evaluation stack. The tactic uses p to instantiate various evaluation methods, so that interval extensions and RPAs of e can be computed on all the integration subdomains, as described in Sect. 5.1. For improper integrals, the expression e has to be a product fg; the tactic then produces a program for f too, while g should syntactically match one of the functions of Sect. 4.2. Third, using the formulas of Sects. 3 and 4, the tactic creates a term of type \({\mathbb {I}}\) that, once reduced by Coq’s kernel, has actual floating-point bounds. The tactic also proves that this term is an enclosure of the integral, using the theorems of Sects. 3, 4, and 5.2.
Regarding improper integrals, since the tactic only recognizes integrands of the form fg with g one of the functions of Sect. 4.2, it is up to the user to rewrite the integrand that way if it is not so already. Moreover, while g can in theory be of the shape \(t^{\alpha } \ln ^{\beta } t\), with \(\alpha \) and \(\beta \) arbitrary exponents in the integrability range, the current implementation only supports integer exponents.
5.4 Controlling the Tactic
The user can also indicate the degree of the RPAs used for approximating the integrand (default is 10). This value empirically provides a good compromise between bisecting too deeply and computing costly RPAs when targeting the default accuracy of 10 bits. For poorly approximated integrands, choosing a smaller degree can improve timings significantly, while for highly regular integrands and a high target accuracy, choosing a larger degree might be worth a try.
Finally, the user can limit the maximal depth of bisection (default is 3). If the target absolute error is reached on each interval of the subdivision, then increasing the maximal depth does not affect timings. There might, however, be some points of the integration domain around which the target error is never reached. This setting prevents the computations from splitting the domain indefinitely, while the computed enclosure is already accurate enough to prove the goal.
Note that, as in previous CoqInterval releases, the user can adjust the precision of the floating-point computations used for interval computations, which has an impact on how integrals are computed. The default value is 30 bits, which is sufficient in practice for getting the default 10 bits of integral accuracy.
There are three reasons why the user-specified target accuracy might not be reached. When specifying a relative bound, if the initial estimate of the integral is too coarse, the absolute bound used by the adaptive algorithm will be too large and the final result might be less accurate than desired. An insufficient bisection depth might also lead the result to be less accurate. This is also true with an insufficient precision of intermediate computations.
6 Benchmarks
The tactic options have been set using the following experimental protocol. The floating-point precision is set at about 10 more bits than the target accuracy, so that round-off errors do not worsen interval enclosures when summing integrals. The maximal depth is initially set to a large enough value. Then, various degrees of RPAs are tested and the one that leads to the fastest execution is kept. Finally, the maximal depth is reduced as long as the tactic succeeds in proving the bounds, so that we get an idea of how deep splitting has to be performed to compute an accurate enclosure of the integral. Note that reducing the maximal depth might improve timings in case the adaptive algorithm had been overly conservative and did too much domain splitting. Reducing the target accuracy could also improve timings (again by preventing some domain splitting), but this was not done.
The tables below indicate, for each error bound, the time needed and the tactic settings. Timings are in seconds and are obtained on a run-of-the-mill laptop from 2012 using Coq 8.7. All the timings below are obtained using the vm_compute machinery to perform computations. The tactic also supports the native_compute machinery [2], but its long startup time makes it useful only for the longest computations. So that the asymptotic complexity of our algorithms is more apparent, we chose to use only vm_compute in the benchmarks. But the reader should keep in mind that native_compute makes the tactic about twice as fast, e.g. the slowest benchmark below goes from 365 s down to 186 s.
6.1 Proper Integrals
For each proper integral, we also ran several quadrature methods from Octave [5]: quad, quadv, quadgk, quadl, quadcc. We also used IntLab [16]; it provides verifyquad, an interval arithmetic procedure that computes integral enclosures using a verified Romberg method. For each method, we ask for an absolute accuracy of \(10^{-15}\). We only comment when the answer is off, or when the execution time exceeds 1 s. Finally, we also tested VNODE-LP [14] on each example by representing the integral as the value of the solution of a differential equation.
The last problem is an example taken from Tucker’s book [17] and originally suggested by Rump [16, p. 372]. This integral is often incorrectly approximated by computer algebra systems, because of the large number of oscillations (about 950 sign changes) and the large value of the nth derivatives of the function. While the maximal depth is not too large, the tactic reaches it for numerous subdomains, hence the large computation time.
6.2 Improper Integrals
Bounding the remainder with a low accuracy is sufficient to prove that the integral on the whole domain is included in [226.849; 226.850] and thus that the upper bound 226.844 used in [7] is incorrect.
7 Conclusion
In the proper case, the enclosure method just requires that there exist rigorous polynomial approximations of the elementary functions in the integrand, so it is only limited by the underlying CoqInterval library. At the time of writing, the supported functions are \(\sqrt{\cdot }\), \(\cos \), \(\sin \), \(\tan \), \(\exp \), \(\ln \), \(\arctan \), and the integer power function. Any new function added to the library would be supported almost immediately by the integration module.
The current treatment of improper integrals is less automated. In particular, the syntactic expression of the integrand has to make explicit the scale element that models its asymptotic behavior near the singularity. The tactic currently supports two scales: \(e^{\gamma x}\) and \(x^{\alpha }\ln ^{\beta } x\). We could provide more scales to users, or at least merge these two into the more common scale \(e^{\gamma x}x^{\alpha }\ln ^{\beta }x\). More importantly, a more satisfactory tool for the improper case would require some support for the symbolic computation of expansions of the integrand along a given scale. This would both make the method more general and reduce the preparatory work required from the user.
Nested integrals are not supported by our method. The naive approach could easily be adapted to support them, but performances would be even worse due to the curse of dimensionality. As for the polynomial-based approach, it is not suitable for nested integrals, since there exists no general method for integrating multivariate polynomials. In fact, any 3-SAT instance can be reduced to approximating the integral of a multivariate polynomial.
While our adaptive bisection algorithm and our rigorous quadrature based on primitives of polynomials might seem crude, they proved effective in practice. They produce accurate approximations of non-pathological integrals in a few seconds, and thus they are usable in an interactive setting. Moreover, they can handle functions with unbounded second derivatives in a rigorous way, as well as unbounded integration domains. Another contribution of this paper is the way we are able to infer that a function is integrable from a successful computation of its integral.
For proper integrals, we could also have tried rigorous quadrature methods such as Newton–Cotes formulas. Rather than a degree-n approximation, the algorithm would integrate a degree-n polynomial interpolant of the integrand, which gives a much tighter enclosure of the integral at a fraction of the cost. The increased accuracy comes from the ability to compute a tight enclosure of the \((n+1)\)th derivative of the integrand. Unfortunately, CoqInterval only knows how to bound the first derivative. Note that a very simplified version of this approach has already been implemented in Coq in the setting of exact real arithmetic by O’Connor and Spitters [15]. Since it does not even involve the first derivative, it is akin to our naive approach and thus the performances are dreadful: computing \(\int _{0}^{1} \sin (x) \, dx\) up to three decimals takes 7 s. Comparatively, our tool computes 400 decimal digits in that same time, using degree-170 Taylor models and 1400 bits of precision. Note that such an accuracy is unattainable using Simpson’s rule, even outside Coq, since it would require about \(10^{99}\) point evaluations.
We could also have tried a much more general method, that is, solving a differential equation built from the integrand, as we did when using VNODE-LP. Again, there has been some work done for Coq in the setting of exact real arithmetic [10], but the performances are not good enough in practice. Much closer to actual numerical methods is Immler’s work in Isabelle/HOL [8], which uses an arithmetic on affine forms. This approach is akin to computing with degree-1 RPAs.
Footnotes
 2.
We say that \(\mathbf {p} \in {\mathbb {I}}[X]\) is an enclosure of \(p \in {\mathbb {R}}[X]\) if, for all \(i \in {\mathbb {N}}\), the ith coefficient \(\mathbf {p}_i\) of \(\mathbf {p}\) is an enclosure of the ith coefficient \(p_i\) of p, where we take the convention that for \(i > \deg \mathbf {p}\), \(\mathbf {p}_i = \{0\}\) and for \(i > \deg p\), \(p_i = 0\).
Acknowledgements
We would like to thank Érik Martin-Dorel for his improvements to the Coq framework for computing rigorous polynomial approximations and Philippe Dumas for stimulating discussions and suggestions.
References
1. Ahmed, Z.: Ahmed’s integral: the maiden solution. Math. Spectr. 48(1), 11–12 (2015)
2. Boespflug, M., Dénès, M., Grégoire, B.: Full reduction at full throttle. In: Jouannaud, J.P., Shao, Z. (eds.) Certified Programs and Proofs, LNCS, vol. 7086, pp. 362–377. Springer, Kenting (2011). https://doi.org/10.1007/978-3-642-25379-9_26
3. Boldo, S., Lelay, C., Melquiond, G.: Coquelicot: a user-friendly library of real analysis for Coq. Math. Comput. Sci. 9(1), 41–62 (2015). https://doi.org/10.1007/s11786-014-0181-1
4. Corliss, G.F., Rall, L.B.: Adaptive, self-validating numerical quadrature. SIAM J. Sci. Stat. Comput. 8(5), 831–847 (1987). https://doi.org/10.1137/0908069
5. Eaton, J.W., Bateman, D., Hauberg, S., Wehbring, R.: GNU Octave version 3.8.1 manual: a high-level interactive language for numerical computations (2014). http://www.gnu.org/software/octave/doc/interpreter
6. Hass, J., Schlafly, R.: Double bubbles minimize. Ann. Math. Second Ser. 151(2), 459–515 (2000). https://doi.org/10.2307/121042
7. Helfgott, H.A.: Major arcs for Goldbach’s problem (2014). arXiv:1305.2897
8. Immler, F.: Formally verified computation of enclosures of solutions of ordinary differential equations. In: Badger, J.M., Rozier, K.Y. (eds.) NASA Formal Methods (NFM), LNCS, vol. 8430, pp. 113–127. Springer, Kenting (2014). https://doi.org/10.1007/978-3-319-06200-6_9
9. Mahboubi, A., Melquiond, G., Sibut-Pinote, T.: Formally verified approximations of definite integrals. In: Blanchette, J.C., Merz, S. (eds.) 7th Conference on Interactive Theorem Proving, LNCS, vol. 9807, pp. 274–289, Nancy (2016). https://doi.org/10.1007/978-3-319-43144-4_17
10. Makarov, E., Spitters, B.: The Picard algorithm for ordinary differential equations in Coq. In: Blazy, S., Paulin-Mohring, C., Pichardie, D. (eds.) 4th International Conference on Interactive Theorem Proving, LNCS, vol. 7998, pp. 463–468. Springer, Rennes (2013). https://doi.org/10.1007/978-3-642-39634-2_34
11. Martin-Dorel, É., Melquiond, G.: Proving tight bounds on univariate expressions with elementary functions in Coq. J. Autom. Reason. (2015). https://doi.org/10.1007/s10817-015-9350-4
12. Mayero, M.: Formalisation et automatisation de preuves en analyses réelle et numérique. Ph.D. Thesis, Université Paris VI (2001)
13. Moore, R.E., Kearfott, R.B., Cloud, M.J.: Introduction to Interval Analysis. SIAM, Philadelphia (2009). https://doi.org/10.1137/1.9780898717716
14. Nedialkov, N.S.: Interval tools for ODEs and DAEs. In: Scientific Computing, Computer Arithmetic and Validated Numerics (SCAN) (2006). https://doi.org/10.1109/SCAN.2006.28. http://www.cas.mcmaster.ca/~nedialk/vnodelp/
15. O’Connor, R., Spitters, B.: A computer verified, monadic, functional implementation of the integral. Theoret. Comput. Sci. 411(37), 3386–3402 (2010)
16. Rump, S.M.: Verification methods: rigorous results using floating-point arithmetic. Acta Numer. 19, 287–449 (2010). https://doi.org/10.1017/S096249291000005X. http://www.ti3.tu-harburg.de/rump/intlab/
17. Tucker, W.: Validated Numerics: A Short Introduction to Rigorous Computations. Princeton University Press, Princeton (2011)