Concrete Semantics. A Proof Assistant Approach. Tobias Nipkow Fakultät für Informatik Technische Universität München

Similar documents
Programming and Proving in

Programming and Proving in Isabelle/HOL

Overview. A Compact Introduction to Isabelle/HOL. Tobias Nipkow. System Architecture. Overview of Isabelle/HOL

Isabelle s meta-logic. p.1

Theorem Proving Principles, Techniques, Applications Recursion

Interactive Proof: Introduction to Isabelle/HOL

Programming and Proving in Isabelle/HOL

An Introduction to Isabelle/HOL 2008

Programming and Proving in Isabelle/HOL

2 Programming and Proving

Basic Foundations of Isabelle/HOL

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

Tobias Nipkow, Gerwin Klein. Concrete Semantics. with Isabelle/HOL. October 16, Springer-Verlag

Functional Programming and Modeling

λ calculus is inconsistent

Functional Programming with Isabelle/HOL

A Tutorial Introduction to Structured Isar Proofs

COMP4161: Advanced Topics in Software Verification. fun. Gerwin Klein, June Andronick, Ramana Kumar S2/2016. data61.csiro.au

Introduction to dependent types in Coq

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

COMP 4161 NICTA Advanced Course. Advanced Topics in Software Verification. Toby Murray, June Andronick, Gerwin Klein

1.3. Conditional expressions To express case distinctions like

PROGRAMMING IN HASKELL. Chapter 2 - First Steps

Provably Correct Software

COMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka

Higher-Order Logic. Specification and Verification with Higher-Order Logic

Haske k ll An introduction to Functional functional programming using Haskell Purely Lazy Example: QuickSort in Java Example: QuickSort in Haskell

type classes & locales

Integration of SMT Solvers with ITPs There and Back Again

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

An introduction introduction to functional functional programming programming using usin Haskell

1. M,M sequential composition: try tactic M; if it succeeds try tactic M. sequential composition (, )

Induction and Semantics in Dafny

Isabelle/HOL:Selected Features and Recent Improvements

Foundations. Yu Zhang. Acknowledgement: modified from Stanford CS242

Isabelle Primer for Mathematicians

Inductive datatypes in HOL. lessons learned in Formal-Logic Engineering

CS 242. Fundamentals. Reading: See last slide

Inductive Definitions, continued

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

Programs and Proofs in Isabelle/HOL

CS 456 (Fall 2018) Scribe Notes: 2

Efficient Mergesort. Christian Sternagel. October 11, 2017

Datatype declarations

MoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10

CS 320: Concepts of Programming Languages

Programming Languages Third Edition

Data types for mcrl2

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

Formal Systems and their Applications

10 Years of Partiality and General Recursion in Type Theory

Reasoning about programs. Chapter 9 of Thompson

Lambda Calculus and Type Inference

Expr_annotated.v. Expr_annotated.v. Printed by Zach Tatlock

Lambda Calculus and Type Inference

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Computer-supported Modeling and Reasoning. First-Order Logic. 1 More on Isabelle. 1.1 Isabelle System Architecture

A CRASH COURSE IN SEMANTICS

Review. CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Let bindings (CBV) Adding Stuff. Booleans and Conditionals

n n Try tutorial on front page to get started! n spring13/ n Stack Overflow!

Lecture #13: Type Inference and Unification. Typing In the Language ML. Type Inference. Doing Type Inference

From Types to Sets in Isabelle/HOL

Lists. Michael P. Fourman. February 2, 2010

Induction in Coq. Nate Foster Spring 2018

Lecture #23: Conversion and Type Inference

CMSC 330: Organization of Programming Languages. Operational Semantics

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Preuves Interactives et Applications

Programming Languages Lecture 14: Sum, Product, Recursive Types

Conversion vs. Subtyping. Lecture #23: Conversion and Type Inference. Integer Conversions. Conversions: Implicit vs. Explicit. Object x = "Hello";

Processadors de Llenguatge II. Functional Paradigm. Pratt A.7 Robert Harper s SML tutorial (Sec II)

3.7 Denotational Semantics

The Isar Proof Language in 2016

Lecture Notes on Program Equivalence

1 Introduction. 3 Syntax

Typed Lambda Calculus

CSCI-GA Scripting Languages

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Type Checking and Type Inference

Interactive Theorem Proving in Higher-Order Logics

CSE 3302 Programming Languages Lecture 8: Functional Programming

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

CIS 500: Software Foundations

Foundations of Computation

Exercise 1 ( = 24 points)

Turning inductive into equational specifications

Lambda Calculus. Variables and Functions. cs3723 1

Overloading, Type Classes, and Algebraic Datatypes

4.5 Pure Linear Functional Programming

Assistant for Language Theory. SASyLF: An Educational Proof. Corporation. Microsoft. Key Shin. Workshop on Mechanizing Metatheory

Programming Language Concepts: Lecture 14

Types and Programming Languages. Lecture 5. Extensions of simple types

MoreIntro.v. MoreIntro.v. Printed by Zach Tatlock. Oct 07, 16 18:11 Page 1/10. Oct 07, 16 18:11 Page 2/10. Monday October 10, 2016 lec02/moreintro.

Introduction to lambda calculus Part 3

CIS 500: Software Foundations

Automatic Proof and Disproof in Isabelle/HOL

Automated Reasoning. Natural Deduction in First-Order Logic

SML A F unctional Functional Language Language Lecture 19

CSCE 314 TAMU Fall CSCE 314: Programming Languages Dr. Flemming Andersen. Haskell Functions

Transcription:

Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakultät für Informatik Technische Universität München 2014-1-26 1

Part I Isabelle 2

Chapter 2 Programming and Proving 3

1 Overview of Isabelle/HOL 2 Type and function definitions 3 Induction Heuristics 4 Simplification 4

Notation Implication associates to the right: A = B = C means A = (B = C) Similarly for other arrows:, A 1... A n B means A 1 =... = A n = B 5

1 Overview of Isabelle/HOL 2 Type and function definitions 3 Induction Heuristics 4 Simplification 6

HOL = Higher-Order Logic HOL = Functional Programming + Logic HOL has datatypes recursive functions logical operators HOL is a programming language! Higher-order = functions are values, too! HOL Formulas: For the moment: only term = term, e.g. 1 + 2 = 4 Later:,,,,... 7

1 Overview of Isabelle/HOL Types and terms Interface By example: types bool, nat and list Summary 8

Types Basic syntax: τ ::= (τ) bool nat int... base types a b... type variables τ τ functions τ τ pairs (ascii: *) τ list lists τ set sets... user-defined types Convention: τ 1 τ 2 τ 3 τ 1 (τ 2 τ 3 ) 9

Terms Terms can be formed as follows: Function application: f t is the call of function f with argument t. If f has more arguments: f t 1 t 2... Examples: sin π, plus x y Function abstraction: λx. t is the function with parameter x and result t, i.e. x t. Example: λx. plus x x 10

Basic syntax: Terms t ::= (t) a constant or variable (identifier) t t function application λx. t function abstraction... lots of syntactic sugar Examples: f (g x) y h (λx. f (g x)) Convention: f t 1 t 2 t 3 ((f t 1 ) t 2 ) t 3 This language of terms is known as the λ-calculus. 11

The computation rule of the λ-calculus is the replacement of formal by actual parameters: (λx. t) u = t[u/x] where t[u/x] is t with u substituted for x. Example: (λx. x + 5) 3 = 3 + 5 The step from (λx. t) u to t[u/x] is called β-reduction. Isabelle performs β-reduction automatically. 12

Terms must be well-typed (the argument of every function call must be of the right type) Notation: t :: τ means t is a well-typed term of type τ. t :: τ 1 τ 2 u :: τ 1 t u :: τ 2 13

Type inference Isabelle automatically computes the type of each variable in a term. This is called type inference. In the presence of overloaded functions (functions with multiple types) this is not always possible. User can help with type annotations inside the term. Example: f (x::nat) 14

Currying Thou shalt Curry your functions Curried: f :: τ 1 τ 2 τ Tupled: f :: τ 1 τ 2 τ Advantage: Currying allows partial application f a 1 where a 1 :: τ 1 15

Predefined syntactic sugar Infix: +,,, #, @,... Mixfix: if then else, case of,... Prefix binds more strongly than infix:! f x + y (f x) + y f (x + y)! Enclose if and case in parentheses:! (if then else )! 16

Isabelle text = Theory = Module Syntax: theory M yt h imports ImpT h 1... ImpT h n begin (definitions, theorems, proofs,...) end MyT h: name of theory. Must live in file MyT h.thy ImpT h i : name of imported theories. Import transitive. Usually: imports Main 17

Concrete syntax In.thy files: Types, terms and formulas need to be inclosed in " Except for single identifiers " normally not shown on slides 18

1 Overview of Isabelle/HOL Types and terms Interface By example: types bool, nat and list Summary 19

isabelle jedit Based on jedit editor Processes Isabelle text automatically when editing.thy files (like modern Java IDEs) 20

Overview_Demo.thy 21

1 Overview of Isabelle/HOL Types and terms Interface By example: types bool, nat and list Summary 22

Type bool datatype bool = True False Predefined functions:,,,... :: bool bool bool A formula is a term of type bool if-and-only-if: = 23

Type nat datatype nat = 0 Suc nat Values of type nat: 0, Suc 0, Suc(Suc 0),... Predefined functions: +,,... :: nat nat nat! Numbers and arithmetic operations are overloaded: 0,1,2,... :: a, + :: a a a You need type annotations: 1 :: nat, x + (y::nat) unless the context is unambiguous: Suc z 24

Nat_Demo.thy 25

An informal proof Lemma add m 0 = m Proof by induction on m. Case 0 (the base case): add 0 0 = 0 holds by definition of add. Case Suc m (the induction step): We assume add m 0 = m, the induction hypothesis (IH). We need to show add (Suc m) 0 = Suc m. The proof is as follows: add (Suc m) 0 = Suc (add m 0) by def. of add = Suc m by IH 26

Type a list Lists of elements of type a datatype a list = Nil Cons a ( a list) Some lists: Nil, Cons 1 Nil, Cons 1 (Cons 2 Nil),... Syntactic sugar: [] = Nil: empty list x # xs = Cons x xs: list with first element x ( head ) and rest xs ( tail ) [x 1,..., x n ] = x 1 #... x n # [] 27

Structural Induction for lists To prove that P(xs) for all lists xs, prove P([]) and for arbitrary x and xs, P(xs) implies P(x#xs). P([]) x xs. P(xs) = P(x#xs) P(xs) 28

List_Demo.thy 29

An informal proof Lemma app (app xs ys) zs = app xs (app ys zs) Proof by induction on xs. Case Nil: app (app Nil ys) zs = app ys zs = app Nil (app ys zs) holds by definition of app. Case Cons x xs: We assume app (app xs ys) zs = app xs (app ys zs) (IH), and we need to show app (app (Cons x xs) ys) zs = app (Cons x xs) (app ys zs). The proof is as follows: app (app (Cons x xs) ys) zs = Cons x (app (app xs ys) zs) by definition of app = Cons x (app xs (app ys zs)) by IH = app (Cons x xs) (app ys zs) by definition of app 30

Large library: HOL/List.thy Included in Main. Don t reinvent, reuse! Predefined: xs @ ys (append), length, and map: map f [x 1,..., x n ] = [f x 1,..., f x n ] fun map :: ( a b) a list b list where map f [] = [] map f (x#xs) = f x # map f xs Note: map takes function as argument. 31

1 Overview of Isabelle/HOL Types and terms Interface By example: types bool, nat and list Summary 32

datatype defines (possibly) recursive data types. fun defines (possibly) recursive functions by pattern-matching over datatype constructors. 33

Proof methods induction performs structural induction on some variable (if the type of the variable is a datatype). auto solves as many subgoals as it can, mainly by simplification (symbolic evaluation): = is used only from left to right! 34

Proofs General schema: lemma name: "..." apply (...) apply (...). done If the lemma is suitable as a simplification rule: lemma name[simp]: "..." 35

Top down proofs Command sorry completes any proof. Allows top down development: Assume lemma first, prove it later. 36

The proof state 1. x 1... x p. A = B x 1... x p A B fixed local variables local assumption(s) actual (sub)goal 37

Preview: Multiple assumptions [ A 1 ;... ; A n ] = B abbreviates A 1 =... = A n = B ; and 38

1 Overview of Isabelle/HOL 2 Type and function definitions 3 Induction Heuristics 4 Simplification 39

2 Type and function definitions Type definitions Function definitions 40

Type synonyms type_synonym name = τ Introduces a synonym name for type τ Examples: type_synonym string = char list type_synonym ( a, b)foo = a list b list Type synonyms are expanded after parsing and are not present in internal representation and output 41

datatype the general case datatype (α 1,..., α n )τ = C 1 τ 1,1... τ 1,n1... C k τ k,1... τ k,nk Types: C i :: τ i,1 τ i,ni (α 1,..., α n )τ Distinctness: C i... C j... if i j Injectivity: (C i x 1... x ni = C i y 1... y ni ) = (x 1 = y 1 x ni = y ni ) Distinctness and injectivity are applied automatically Induction must be applied explicitly 42

Case expressions Datatype values can be taken apart with case: (case xs of []... y#ys... y... ys...) Wildcards: Nested patterns: (case m of 0 Suc 0 Suc 0) (case xs of [0] 0 [Suc n] n 2) Complicated patterns mean complicated proofs! Need ( ) in context 43

Tree_Demo.thy 44

The option type datatype a option = None Some a If a has values a 1, a 2,... then a option has values None, Some a 1, Some a 2,... Typical application: fun lookup :: ( a b) list a b option where lookup [] x = None lookup ((a,b) # ps) x = (if a = x then Some b else lookup ps x) 45

2 Type and function definitions Type definitions Function definitions 46

Non-recursive definitions Example: definition sq :: nat nat where sq n = n n No pattern matching, just f x 1... x n =... 47

The danger of nontermination How about f x = f x + 1?! All functions in HOL must be total! 48

Key features of fun Pattern-matching over datatype constructors Order of equations matters Termination must be provable automatically by size measures Proves customized induction schema 49

Example: separation fun sep :: a a list a list where sep a (x#y#zs) = x # a # sep a (y#zs) sep a xs = xs 50

Example: Ackermann fun ack :: nat nat nat where ack 0 n = Suc n ack (Suc m) 0 = ack m (Suc 0) ack (Suc m) (Suc n) = ack m (ack (Suc m) n) Terminates because the arguments decrease lexicographically with each recursive call: (Suc m, 0) > (m, Suc 0) (Suc m, Suc n) > (Suc m, n) (Suc m, Suc n) > (m, ) 51

A restrictive version of fun Means primitive recursive Most functions are primitive recursive Frequently found in Isabelle theories The essence of primitive recursion: f(0) =... no recursion f(suc n) =... f(n)... g([]) =... no recursion g(x#xs) =... g(xs)... primrec 52

1 Overview of Isabelle/HOL 2 Type and function definitions 3 Induction Heuristics 4 Simplification 53

Basic induction heuristics Theorems about recursive functions are proved by induction Induction on argument number i of f if f is defined by recursion on argument number i 54

A tail recursive reverse Our initial reverse: fun rev :: a list a list where rev [] = [] rev (x#xs) = rev xs @ [x] A tail recursive version: fun itrev :: a list a list a list where itrev [] ys = ys itrev (x#xs) ys = lemma itrev xs [] = rev xs 55

Induction_Demo.thy Generalisation 56

Generalisation Replace constants by variables Generalize free variables by arbitrary in induction proof (or by universal quantifier in formula) 57

So far, all proofs were by structural induction because all functions were primitive recursive. In each induction step, 1 constructor is added. In each recursive call, 1 constructor is removed. Now: induction for complex recursion patterns. 58

Computation Induction: Example fun div2 :: nat nat where div2 0 = 0 div2 (Suc 0) = 0 div2 (Suc(Suc n)) = Suc(div2 n) induction rule div2.induct: P (0) P (Suc 0) n. P (n) = P (Suc(Suc n)) P (m) 59

Computation Induction If f :: τ τ is defined by fun, a special induction schema is provided to prove P (x) for all x :: τ: for each defining equation f(e) =... f(r 1 )... f(r k )... prove P (e) assuming P (r 1 ),..., P (r k ). Induction follows course of (terminating!) computation Motto: properties of f are best proved by rule f.induct 60

How to apply f.induct If f :: τ 1 τ n τ : (induction a 1... a n rule: f.induct) Heuristic: there should be a call f a 1... a n ideally the a i should be variables. in your goal 61

Induction_Demo.thy Computation Induction 62

1 Overview of Isabelle/HOL 2 Type and function definitions 3 Induction Heuristics 4 Simplification 63

Simplification means... Using equations l = r from left to right As long as possible Terminology: equation simplification rule Simplification = (Term) Rewriting 64

An example Equations: 0 + n = n (1) (Suc m) + n = Suc (m + n) (2) (Suc m Suc n) = (m n) (3) (0 m) = T rue (4) Rewriting: 0 + Suc 0 Suc 0 + x Suc 0 Suc 0 + x Suc 0 Suc (0 + x) 0 0 + x T rue (1) = (2) = (3) = (4) = 65

Conditional rewriting Simplification rules can be conditional: [ P 1 ;... ; P k ] = l = r is applicable only if all P i can be proved first, again by simplification. Example: p(0) = T rue p(x) = f(x) = g(x) We can simplify f(0) to g(0) but we cannot simplify f(1) because p(1) is not provable. 66

Termination Simplification may not terminate. Isabelle uses simp-rules (almost) blindly from left to right. Example: f(x) = g(x), g(x) = f(x) [ P 1 ;... ; P k ] = l = r is suitable as a simp-rule only if l is bigger than r and each P i n < m = (n < Suc m) = True Suc n < m = (n < m) = True YES NO 67

Goal: 1. [ P 1 ;... ; P m ] = C Proof method simp apply(simp add: eq 1... eq n ) Simplify P 1... P m and C using lemmas with attribute simp rules from fun and datatype additional lemmas eq 1... eq n assumptions P 1... P m Variations: (simp... del:... ) removes simp-lemmas add and del are optional 68

auto versus simp auto acts on all subgoals simp acts only on subgoal 1 auto applies simp and more auto can also be modified: (auto simp add:... simp del:... ) 69

Rewriting with definitions Definitions (definition) must be used explicitly: (simp add: f def... ) f is the function whose definition is to be unfolded. 70

Automatic: Case splitting with simp P(if A then s else t) = (A P(s)) ( A P(t)) By hand: P(case e of 0 a Suc n b) = (e = 0 P(a)) ( n. e = Suc n P(b)) Proof method: (simp split: nat.split) Or auto. Similar for any datatype t: t.split 71

Simp_Demo.thy 72

Chapter 3 Case Study: IMP Expressions 73

5 Case Study: IMP Expressions 74

5 Case Study: IMP Expressions 75

This section introduces arithmetic and boolean expressions of our imperative language IMP. IMP commands are introduced later. 76

5 Case Study: IMP Expressions Arithmetic Expressions Boolean Expressions Stack Machine and Compilation 77

Concrete and abstract syntax Concrete syntax: strings, eg "a+5*b" Abstract syntax: trees, eg + a * 5 b Parser: function from strings to trees Linear view of trees: terms, eg Plus a (Times 5 b) Abstract syntax trees/terms are datatype values! 78

Concrete syntax is defined by a context-free grammar, eg a ::= n x (a) a + a a a... where n can be any natural number and x any variable. We focus on abstract syntax which we introduce via datatypes. 79

Datatype aexp Variable names are strings, values are integers: type_synonym vname = string datatype aexp = N int V vname Plus aexp aexp Concrete Abstract 5 N 5 x V x x+y Plus (V x ) (V y ) 2+(z+3) Plus (N 2) (Plus (V z ) (N 3)) 80

Warning This is syntax, not (yet) semantics! N 0 Plus (N 0) (N 0) 81

The (program) state What is the value of x+1? The value of an expression depends on the value of its variables. The value of all variables is recorded in the state. The state is a function from variable names to values: type_synonym val = int type_synonym state = vname val 82

Function update notation If f :: τ 1 τ 2 and a :: τ 1 and b :: τ 2 then f(a := b) is the function that behaves like f except that it returns b for argument a. f(a := b) = (λx. if x = a then b else f x) 83

Some states: λx. 0 How to write down a state (λx. 0)( a := 3) ((λx. 0)( a := 5))( x := 3) Nicer notation: < a := 5, x := 3, y := 7> Maps everything to 0, but a to 5, x to 3, etc. 84

AExp.thy 85

5 Case Study: IMP Expressions Arithmetic Expressions Boolean Expressions Stack Machine and Compilation 86

BExp.thy 87

5 Case Study: IMP Expressions Arithmetic Expressions Boolean Expressions Stack Machine and Compilation 88

ASM.thy 89

This was easy. Because evaluation of expressions always terminates. But execution of programs may not terminate. Hence we cannot define it by a total recursive function. We need more logical machinery to define program execution and reason about it. 90

Chapter 4 Logic and Proof Beyond Equality 91

6 Logical Formulas 7 Proof Automation 8 Single Step Proofs 9 Inductive Definitions 92

6 Logical Formulas 7 Proof Automation 8 Single Step Proofs 9 Inductive Definitions 93

Syntax (in decreasing precedence): form ::= (form) term = term form form form form form form form x. form x. form Examples: A B C (( A) B) C s = t C (s = t) C A B = B A A (B = B) A x. P x Q x x. (P x Q x) Input syntax: (same precedence as ) 94

Variable binding convention: Similarly for and λ. x y. P x y x. y. P x y 95

Warning Quantifiers have low precedence and need to be parenthesized (if in some context)! P x. Q x P ( x. Q x)! 96

Mathematical symbols... and their ascii representations: \<forall> ALL \<exists> EX λ \<lambda> % --> <--> /\ & \/ \<not> ~ \<noteq> ~= 97

Sets over type a a set {}, {e 1,...,e n } e A, A B A B, A B, A B, A... \<in> : \<subseteq> <= \<union> Un \<inter> Int 98

Set comprehension {x. P} where x is a variable But not {t. P} where t is a proper term Instead: {t x y z. P} is short for {v. x y z. v = t P} where x, y, z are the free variables in t 99

6 Logical Formulas 7 Proof Automation 8 Single Step Proofs 9 Inductive Definitions 100

simp and auto simp: rewriting and a bit of arithmetic auto: rewriting and a bit of arithmetic, logic and sets Show you where they got stuck highly incomplete Extensible with new simp-rules Exception: auto acts on all subgoals 101

fastforce rewriting, logic, sets, relations and a bit of arithmetic. incomplete but better than auto. Succeeds or fails Extensible with new simp-rules 102

blast A complete proof search procedure for FOL...... but (almost) without = Covers logic, sets and relations Succeeds or fails Extensible with new deduction rules 103

Automating arithmetic arith: proves linear formulas (no ) complete for quantifier-free real arithmetic complete for first-order theory of nat and int (Presburger arithmetic) 104

Sledgehammer 105

Architecture: Goal & filtered library Isabelle Proof external ATPs 1 Characteristics: Sometimes it works, sometimes it doesn t. Do you feel lucky? 1 Automatic Theorem Provers 106

by(proof-method) apply(proof-method) done 107

Auto_Proof_Demo.thy 108

6 Logical Formulas 7 Proof Automation 8 Single Step Proofs 9 Inductive Definitions 109

Step-by-step proofs can be necessary if automation fails and you have to explore where and why it failed by taking the goal apart. 110

What are these?-variables? After you have finished a proof, Isabelle turns all free variables V in the theorem into?v. Example: theorem conji: [?P;?Q] =?P?Q These?-variables can later be instantiated: By hand: conji[of "a=b" "False"] [a = b; False] = a = b False By unification: unifying?p?q with a=b False sets?p to a=b and?q to False. 111

Rule application Example: rule: [?P;?Q] =?P?Q subgoal: 1.... = A B Result: 1.... = A 2.... = B The general case: applying rule [ A 1 ;... ; A n ] = A to subgoal... = C: Unify A and C Replace C with n new subgoals A 1... A n apply(rule xyz) Backchaining 112

Typical backwards rules?p?q?p?q conji?p =?Q x.?p x?p?q impi x.?p x alli?p =?Q?Q =?P?P =?Q iffi They are known as introduction rules because they introduce a particular connective. 113

Teaching blast new intro rules If r is a theorem [ A 1 ;... ; A n ] = A then (blast intro: r) allows blast to backchain on r during proof search. Example: theorem trans: [?x?y;?y?z ] =?x?z goal 1. [ a b; b c; c d ] = a d proof apply(blast intro: trans) Can greatly increase the search space! 114

Forward proof: OF If r is a theorem A = B and s is a theorem that unifies with A then r[of s] is the theorem obtained by proving A with s. Example: theorem refl:?t =?t conji[of refl[of "a"]]?q = a = a?q 115

The general case: If r is a theorem [ A 1 ;... ; A n ] = A and r 1,..., r m (m n) are theorems then r[of r 1... r m ] is the theorem obtained by proving A 1... A m with r 1... r m. Example: theorem refl:?t =?t conji[of refl[of "a"] refl[of "b"]] a = a b = b 116

From now on:? mostly suppressed on slides 117

Single_Step_Demo.thy 118

= versus = is part of the Isabelle framework. It structures theorems and proof states: [ A 1 ;... ; A n ] = A is part of HOL and can occur inside the logical formulas A i and A. Phrase theorems like this not like this [ A 1 ;... ; A n ] = A A 1... A n A 119

6 Logical Formulas 7 Proof Automation 8 Single Step Proofs 9 Inductive Definitions 120

Informally: 0 is even Example: even numbers If n is even, so is n + 2 These are the only even numbers In Isabelle/HOL: inductive ev :: nat bool where ev 0 ev n = ev (n + 2) 121

An easy proof: ev 4 ev 0 = ev 2 = ev 4 122

Consider fun even :: nat bool where even 0 = True even (Suc 0) = False even (Suc (Suc n)) = even n A trickier proof: ev m = even m By induction on the structure of the derivation of ev m Two cases: ev m is proved by rule ev 0 = m = 0 = even m = True rule ev n = ev (n+2) = m = n+2 and even n (IH) = even m = even (n+2) = even n = True 123

To prove Rule induction for ev ev n = P n by rule induction on ev n we must prove P 0 P n = P(n+2) Rule ev.induct: ev n P 0 n. [ ev n; P n ] = P(n+2) P n 124

Format of inductive definitions inductive I :: τ bool where [ I a 1 ;... ; I a n ] = I a. Note: I may have multiple arguments. Each rule may also contain side conditions not involving I. 125

Rule induction in general To prove I x = P x by rule induction on I x we must prove for every rule that P is preserved: [ I a 1 ;... ; I a n ] = I a [ I a 1 ; P a 1 ;... ; I a n ; P a n ] = P a 126

! Rule induction is absolutely central to (operational) semantics and the rest of this lecture course! 127

Inductive_Demo.thy 128

Inductively defined sets inductive_set I :: τ set where [ a 1 I;... ; a n I ] = a I. Difference to inductive: arguments of I are tupled, not curried I can later be used with set theoretic operators, eg I... 129

Chapter 5 Isar: A Language for Structured Proofs 130

10 Isar by example 11 Proof patterns 12 Streamlining Proofs 13 Proof by Cases and Induction 131

Apply scripts unreadable hard to maintain do not scale No structure! 132

Apply scripts versus Isar proofs Apply script = assembly language program Isar proof = structured program with comments But: apply still useful for proof exploration 133

A typical Isar proof proof assume formula 0 have formula 1 by simp. have formula n by blast show formula n+1 by... qed proves formula 0 = formula n+1 134

proof = proof [method] step qed by method Isar core syntax method = (simp... ) (blast... ) (induction... )... step = fix variables ( ) assume prop (= ) [from fact + ] (have show) prop proof prop = [name:] formula fact = name... 135

10 Isar by example 11 Proof patterns 12 Streamlining Proofs 13 Proof by Cases and Induction 136

Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj def) from b have c: a. {x. x / f x} = f a by blast from c show False by blast qed 137

Isar_Demo.thy Cantor and abbreviations 138

Abbreviations this = the previous proposition proved or assumed then = from this thus = then show hence = then have 139

using and with (have show) prop using facts = from facts (have show) prop with facts = from facts this 140

Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof no automatic proof step have a. {x. x / f x} = f a using s by(auto simp: surj def) thus False by blast qed Proves surj f = False but surj f becomes local fact s in proof. 141

The essence of structured proofs Assumptions and intermediate facts can be named and referred to explicitly and selectively 142

Structured lemma statements fixes x :: τ 1 and y :: τ 2... assumes a: P and b: Q... shows R fixes and assumes sections optional shows optional if no fixes and assumes 143

10 Isar by example 11 Proof patterns 12 Streamlining Proofs 13 Proof by Cases and Induction 144

Case distinction show R proof cases assume P. show R... next assume P. show R... qed have P Q... then show R proof assume P. show R... next assume Q. show R... qed 145

Contradiction show P proof assume P. show False... qed show P proof (rule ccontr) assume P. show False... qed 146

show P Q proof assume P. show Q... next assume Q. show P... qed 147

show x. P(x) proof fix x show P(x)... qed and introduction local fixed variable show x. P(x) proof. show P(witness)... qed 148

elimination: obtain have x. P(x) then obtain x where p: P(x) by blast. x fixed local variable Works for one or more x 149

obtain example lemma surj(f :: a a set) proof assume surj f hence a. {x. x / f x} = f a by(auto simp: surj def) then obtain a where {x. x / f x} = f a by blast hence a / f a a f a by blast thus False by blast qed 150

Set equality and subset show A = B proof show A B... next show B A... qed show A B proof fix x assume x A. show x B... qed 151

Isar_Demo.thy Exercise 152

10 Isar by example 11 Proof patterns 12 Streamlining Proofs 13 Proof by Cases and Induction 153

12 Streamlining Proofs Pattern Matching and Quotations Top down proof development moreover and raw proof blocks 154

Example: pattern matching show formula 1 formula 2 proof assume?l. show?r... next assume?r. show?l... qed (is?l?r) 155

?thesis show formula (is?thesis) proof -. show?thesis... qed Every show implicitly defines?thesis 156

let Introducing local abbreviations in proofs: let?t = "some-big-term". have "...?t... " 157

By name: have x0: x > 0.... from x0... Quoting facts by value By value: have x > 0.... from x>0... back quotes 158

Isar_Demo.thy Pattern matching and quotation 159

12 Streamlining Proofs Pattern Matching and Quotations Top down proof development moreover and raw proof blocks 160

Example lemma ( ys zs. xs = ys @ zs length ys = length zs) ( ys zs. xs = ys @ zs length ys = length zs + 1) proof??? 161

Isar_Demo.thy Top down proof development 162

When automation fails Split proof up into smaller steps. Or explore by apply: have... using... apply - apply auto apply... to make incoming facts part of proof state or whatever At the end: done Better: convert to structured proof 163

12 Streamlining Proofs Pattern Matching and Quotations Top down proof development moreover and raw proof blocks 164

moreover ultimately have P 1... moreover have P 2... moreover. moreover have P n... ultimately have P... have lab 1 : P 1... have lab 2 : P 2.... have lab n : P n... from lab 1 lab 2... have P... With names 165

Raw proof blocks { fix x 1... x n assume A 1... A m. have B } proves [ A 1 ;... ; A m ] = B where all x i have been replaced by?x i. 166

Isar_Demo.thy moreover and { } 167

In general: Proof state and Isar text proof method Applies method and generates subgoal(s): x1... x n [ A 1 ;... ; A m ] = B How to prove each subgoal: fix x 1... x n assume A 1... A m. show B Separated by next 168

10 Isar by example 11 Proof patterns 12 Streamlining Proofs 13 Proof by Cases and Induction 169

Isar_Induction_Demo.thy Proof by cases 170

Datatype case analysis datatype t = C 1 τ... proof (cases "term") case (C 1 x 1... x k )... x j... next. qed where case (C i x 1... x k ) fix x 1... x k assume C i : }{{} label term = (C i x 1... x k ) }{{} formula 171

Isar_Induction_Demo.thy Structural induction for nat 172

Structural induction for nat show P(n) proof (induction n) case 0. let?case = P (0) show?case next case (Suc n) fix n assume Suc: P (n). let?case = P (Suc n). show?case qed 173

Structural induction with = show A(n) = P(n) proof (induction n) case 0 assume 0: A(0). let?case = P(0) show?case next case (Suc n) fix n. assume Suc: A(n) = P(n) A(Suc n). let?case = P(Suc n) show?case qed 174

In a proof of A 1 =... = A n = B by structural induction: In the context of case C we have C.IH C.prems C Named assumptions the induction hypotheses the premises A i C.IH + C.prems 175

A remark on style case (Suc n)... show?case is easy to write and maintain fix n assume formula... show formula is easier to read: all information is shown locally no contextual references (e.g.?case) 176

13 Proof by Cases and Induction Rule Induction Rule Inversion 177

Isar_Induction_Demo.thy Rule induction 178

Rule induction inductive I :: τ σ bool where rule 1 :.... rule n :... show I x y = P x y proof (induction rule: I.induct) case rule 1... show?case next. next case rule n... show?case qed 179

Fixing your own variable names case (rule i x 1... x k ) Renames the first k variables in rule i (from left to right) to x 1... x k. 180

Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... : In the context of case R we have R.IH R.hyps R.prems R the induction hypotheses the assumptions of rule R the premises A i R.IH + R.hyps + R.prems 181

13 Proof by Cases and Induction Rule Induction Rule Inversion 182

inductive ev :: nat bool where ev0: ev 0 evss: ev n = ev(suc(suc n)) Rule inversion What can we deduce from ev n? That it was proved by either ev0 or evss! ev n = n = 0 ( k. n = Suc (Suc k) ev k) Rule inversion = case distinction over rules 183

Isar_Induction_Demo.thy Rule inversion 184

Rule inversion template from ev n have P proof cases case ev0 n = 0. show?thesis... next case (evss k) n = Suc (Suc k), ev k. show?thesis... qed Impossible cases disappear automatically 185

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback