Finite Set Theory. based on Fully Ordered Lists. Jared Davis UT Austin. ACL2 Workshop 2004

Similar documents
Finite Set Theory based on Fully Ordered Lists

A Tool for Simplifying ACL2 Definitions

Improving Eliminate-Irrelevance for ACL2

Induction Schemes. Math Foundations of Computer Science

Reasoning About Programs Panagiotis Manolios

Backtracking and Induction in ACL2

Compositional Cutpoint Verification

Parameterized Congruences in ACL2

An ACL2 Tutorial. Matt Kaufmann and J Strother Moore

An Industrially Useful Prover

Polymorphic Types in ACL2

Reasoning About Programs Panagiotis Manolios

Milawa an extensible proof checker

Building a system for symbolic differentiation

Logic and Computation Lecture 20 CSU 290 Spring 2009 (Pucella) Thursday, Mar 12, 2009

Reasoning About Programs Panagiotis Manolios

Function Memoization and Unique Object Representation for ACL2 Functions

Progress Report: Term Dags Using Stobjs

Building a system for symbolic differentiation

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

ACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections

LECTURE 8: SETS. Software Engineering Mike Wooldridge

Function Memoization and Unique Object Representation for ACL2 Functions

Review of Sets. Review. Philippe B. Laval. Current Semester. Kennesaw State University. Philippe B. Laval (KSU) Sets Current Semester 1 / 16

Copyright. John D. Erickson

Chapter 3. Set Theory. 3.1 What is a Set?

CIS4/681 { Articial Intelligence 2 > (insert-sort '( )) ( ) 2 More Complicated Recursion So far everything we have dened requires

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

Mechanized Operational Semantics

A Mechanically Checked Proof of the Correctness of the Boyer-Moore Fast String Searching Algorithm

Recursion and Induction

(Refer Slide Time: 0:19)

CSC 501 Semantics of Programming Languages

A User s Manual for an Interactive Enhancement to the Boyer-Moore Theorem Prover

Lecture 5: The Halting Problem. Michael Beeson

A set with only one member is called a SINGLETON. A set with no members is called the EMPTY SET or 2 N

CS 61A Interpreters, Tail Calls, Macros, Streams, Iterators. Spring 2019 Guerrilla Section 5: April 20, Interpreters.

Machines Reasoning about Machines

Proving Theorems about Java and the JVM

Bases of topologies. 1 Motivation

Extending ACL2 with SMT solvers

May, 2008 (updated, April, 2018)

Copyright by Sol Otis Swords 2010

Proof-Pattern Recognition and Lemma Discovery in ACL2

ACL2: A Program Verifier for Applicative Common Lisp. Matt Kaufmann - AMD, Austin, TX J Strother Moore UT CS Dept, Austin, TX

An Explicit-Continuation Metacircular Evaluator

Interpreters and Tail Calls Fall 2017 Discussion 8: November 1, 2017 Solutions. 1 Calculator. calc> (+ 2 2) 4

Announcements. The current topic: Scheme. Review: BST functions. Review: Representing trees in Scheme. Reminder: Lab 2 is due on Monday at 10:30 am.

CSE 20 DISCRETE MATH. Winter

CSC Discrete Math I, Spring Sets

Verification Condition Generation via Theorem Proving

CSE 20 DISCRETE MATH. Fall

Consistency and Set Intersection

Recursion and Induction

An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

Refinement and Theorem Proving

2.1 Sets 2.2 Set Operations

Theorem Proving Principles, Techniques, Applications Recursion

9.5 Equivalence Relations


CS422 - Programming Language Design

Consider a description of arithmetic. It includes two equations that define the structural types of digit and operator:

Lecture 09: Data Abstraction ++ Parsing is the process of translating a sequence of characters (a string) into an abstract syntax tree.

Handout 9: Imperative Programs and State

Faced with the choice between changing one s mind and proving that there is no need to do so, almost everyone gets busy on the proof.

Certified Programming with Dependent Types

Functional programming with Common Lisp

Midterm Exam 2 CS313K Logic, Sets, and Functions Spring, 2009

Lisp. Versions of LISP

Towards A Formal Theory of On Chip Communications in the ACL2 Logic

Multi Domain Logic and its Applications to SAT

Functional Programming. Pure Functional Programming

Lecture 4: examples of topological spaces, coarser and finer topologies, bases and closed sets

Modeling Asynchronous Circuits in ACL2 Using the Link-Joint Interface

Sets. {1, 2, 3, Calvin}.

Introduction to Co-Induction in Coq

Program Calculus Calculational Programming

Integrating External Deduction Tools with ACL2,

1.3. Conditional expressions To express case distinctions like

Scheme. Functional Programming. Lambda Calculus. CSC 4101: Programming Languages 1. Textbook, Sections , 13.7

Simplifying Logical Formulas

Efficient execution in an automated reasoning environment

Verifying Transformation Rules of the HATS High- Assurance Transformation System: An Approach

Strongly connected: A directed graph is strongly connected if every pair of vertices are reachable from each other.

Section 6.3: Further Rules for Counting Sets

User-defined Functions. Conditional Expressions in Scheme

Repetition Through Recursion

Lecture Notes on Monadic Logic Programming

Summer 2017 Discussion 10: July 25, Introduction. 2 Primitives and Define

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Efficient, Formally Verifiable Data Structures using ACL2 Single-Threaded Objects for High-Assurance Systems

Introduction to Scheme

Lee Pike. June 3, 2005

Functional programming in μscheme

CS 314 Principles of Programming Languages

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

COE428 Lecture Notes Week 1 (Week of January 9, 2017)

Inductive Definitions, continued

Software Verification with ACL2

Fall 2018 Discussion 8: October 24, 2018 Solutions. 1 Introduction. 2 Primitives

Transcription:

Finite Set Theory based on Fully Ordered Lists Jared Davis UT Austin ACL2 Workshop 2004

Motivation (1/2) Unique representation for each set No mutual recursion needed for membership, subset, and set equality Unified notion of set, element equality Nested sets supported trivially Efficiency characteristics Unordered sets: constant time insert, quadratic subset, equality, difference, intersection, cardinality Ordered sets: all operations are linear

Motivation (2/2) A challenging representation for reasoning I found this approach to complicate set construction to a degree out of proportion to its merits. In particular, functions like union and intersection, which are quite easy to reason about in the list world (where order and duplication matter but are simply ignored), become quite difficult to reason about in the set world, where most of the attention is paid to the sorting of the output with respect to the total ordering. J S. Moore A learning experience Familiar domain, easy to understand intuitively yet challenging to get ACL2 to prove things Highly recommended for teaching, exercises

Implementation Preliminaries A total order over ACL2 objects, << Taken verbatim from books/misc/total-order Fairly intuitive: (<< 1 2), (<< 'a 'b), (<< a b ) A set recognizer, setp Lists which are totally ordered under the above relation Total ordering implies no duplicates, linear execution (setp X) = (if (atom X) (null X) (or (null (cdr X)) (and (consp (cdr X)) (<< (car X) (cadr X)) (setp (cdr X))))))

Primitive Level Levels of abstraction: primitive, membership, outer Non-set objects as the empty set, the non-set convention The list primitives (car, cdr, cons, endp) do not respect this convention! E.g., (car '(2 1)) = 2 (cdr '(1 1)) = (1) (cons 3 '(2 1)) = (3 2 1) (endp '(1 1)) = nil New set primitives as replacements head replaces car, tail replaces cdr, insert replaces cons, empty replaces endp, sfix is set identity

Membership Level (1/4) Set membership is straightforward (in a X) = (and (not (empty X)) (or (equal a (head X)) (in a (tail X))))) Nice theorems, e.g., (in a (insert b X)) = (or (equal a b) (in a X)) Moving away from the set order (not (in (head X) (tail X))) Weak induction scheme for (insert a X) Ultimate goal: entirely hide the set order

Membership Level (2/4) We introduce a naïve, quadratic subset (subset X Y) = (or (empty X) (and (in (head X) Y) (subset (tail X) Y))) Pick-a-point strategy for proving subset Intent: (implies ( a, (implies (in a X) (in a Y)) (subset X Y)) More natural than induction Reduces subset proofs to membership of single elements Cannot represent this as a direct ACL2 theorem!

Membership Level (3/4) Implementing the pick-a-point strategy Introduce undefined function symbols hyps, sub, and super, with the following constraint: (implies (and (hyps) (in a (sub))) (in a (super))) Prove the generic theorem subset-by-membership (implies (hyps) (subset (sub) (super))) Use functional instantiation of the above to reduce proofs of subset to proofs of membership.

Membership Level (4/4) Computed hints are used to automatically attempt functional instantiation to prove subsets Using the pick-a-point method, we prove (defthm double-containment (implies (and (setp X) (setp Y)) (equal (equal X Y) (and (subset X Y) (subset Y X))))) The big picture Set equality proven by double containment, containment via membership. No further use for the set order

Example Proof (1/2) Theorem: (subset (tail x) x) This simplifies, using the :definition SYNP and the :rewrite rule PICK-A-POINT-SUBSET-STRATEGY, to Goal': (SUBSET-TRIGGER (TAIL X) X). We suspect this conjecture should be proven by functional instantiation of ALL-BY-MEMBERSHIP. This suspicion is caused by PICK-A-POINT-SUBSET-STRATEGY, so if this is not what you want to do, then you should disable PICK-A-POINT-SUBSET-STRATEGY. Accordingly, we suggest the following hint: ("Goal'" (:USE ((:FUNCTIONAL-INSTANCE ALL-BY-MEMBERSHIP (ALL-HYPS (LAMBDA NIL T)) (ALL-SET (LAMBDA NIL (TAIL X))) (ALL (LAMBDA (COMPUTED-HINTS::?X) (SUBSET COMPUTED-HINTS::?X X))) (PREDICATE (LAMBDA (COMPUTED-HINTS::?X) (IN COMPUTED-HINTS::?X X))))) :EXPAND ((SUBSET-TRIGGER (TAIL X) X))))

Example Proof (2/2) [Note: A hint was supplied for our processing of the goal below. Thanks!] We now augment the goal above by adding the hypothesis indicated by the :USE hint. The hypothesis can be derived from ALL-BY-MEMBERSHIP via functional instantiation, bypassing constraints that have been proved when processing the event SUBSET-REFLEXIVE, provided we can establish the constraint generated. Thus, we now have the two subgoals shown below. Subgoal 2 (IMPLIES (IMPLIES T (SUBSET (TAIL X) X)) (SUBSET (TAIL X) X)). But we reduce the conjecture to T, by case analysis. Subgoal 1 (IMPLIES (IN ARBITRARY-ELEMENT (TAIL X)) (IN ARBITRARY-ELEMENT X)). But simplification reduces this to T, using the :rewrite rule IN-TAIL and the :type-prescription rule IN-TYPE. Q.E.D.

Top Level Union, intersection, difference, deletion, cardinality Naïve definitions used for easy reasoning Extensive set of theorems, including distributing unions over intersections, DeMorgan laws for distributing differences, etc. No use of set order Proofs are automatic, i.e., no manual hints are needed Proofs are natural, following the traditional style of hand-written set theory proofs

Achieving Efficiency (1/3) Review of MBE, Guards Guards let us state intended domains of functions MBE lets us provide two definitions for a function: logical definition is used for reasoning executable definition is used for evaluation Obligation: both definitions must be logically equal when the function's guards are satisfied. We MBE in efficient executable definitions Logical definitions do not change All of our theorems, proof techniques are still valid!

Achieving Efficiency (2/3) Recall: set primitives (head, tail,...) must examine entire set to enforce the non-set convention. But even checking (setp X) is linear We guard primitives to operate only on sets, and use MBE to substitute: (sfix X) => X O(n) => O(1) (head X) => (car X) O(n) => O(1) (tail X) => (cdr X) O(n) => O(1) (empty X) => (endp X) O(n) => O(1) Insert is left alone, becomes linear automatically Non-sets convention becomes computationally free

Achieving Efficiency (3/3) More substitutions Linear subset replacement is introduced Cardinality becomes len Linear union, intersection, difference introduced Equivalences proven through double containment Even membership properties of fast definitions are difficult to establish (must be based on set order) Library operations are now linear time Yet reasoning is not impacted We still get to use our simple, clean definitions

Adding a Sort Insertion is a problem for efficiency Building large sets is quadratic, versus linear for unordered sets Mergesort added to address this issue MBE is again useful: mergesort is logically repeated insertion, executably O(n log 2 n) Simple to implement, uses union to perform the merge This will never be as efficient as unordered sets

Instantiable Extensions A theory of quantification Given predicate P, extend this predicate across sets: (all<p> X) = forall a in X, (P a...) holds (exists<p> X) = exists a in X such that (P a...) holds (find<p> X) = find an a in X such that (P a...) holds Instantiate these definitions, and dozens of theorems including a custom pick-a-point strategy for all<p> with a single macro call. Higher order functional programming Filter sets, returning all elements satisfying a predicate Map functions over sets, reason about inverses, etc.

Future Directions Further automating functional instantiation? Custom set orders? Improving the viability of instantiable theories? Current system introduces hundreds of events Writing the macros to instantiate them is tedious Applying these techniques to other containers?

Thanks! Sets library available under the GPL Old version distributed with ACL2 2.8 and 2.9 Current version: http://www.cs.utexas.edu/users/jared/osets/ Special thanks to... Sandip Ray, Robert Krug, Matt Kaufmann, Eric Smith, J Moore, Hanbing Liu, Serita Nelesen, Omar El-Domeiri, and everyone at UT's weekly ACL2 Seminar.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback