Isabelle/HOL:Selected Features and Recent Improvements

Similar documents
Finite Model Generation for Isabelle/HOL Using a SAT Solver

Integrating a SAT Solver with Isabelle/HOL

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

Integration of SMT Solvers with ITPs There and Back Again

Automatic Proof and Disproof in Isabelle/HOL

Programs and Proofs in Isabelle/HOL

Functional Programming with Isabelle/HOL

Interactive Theorem Proving in Higher-Order Logics

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Isabelle Tutorial: System, HOL and Proofs

type classes & locales

λ calculus is inconsistent

COMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka

Numerical Computations and Formal Methods

Formally Certified Satisfiability Solving

Provably Correct Software

Overview. A Compact Introduction to Isabelle/HOL. Tobias Nipkow. System Architecture. Overview of Isabelle/HOL

The Isar Proof Language in 2016

An Introduction to ProofPower

Deductive Program Verification with Why3, Past and Future

COMP 4161 NICTA Advanced Course. Advanced Topics in Software Verification. Toby Murray, June Andronick, Gerwin Klein

Computer-supported Modeling and Reasoning. First-Order Logic. 1 More on Isabelle. 1.1 Isabelle System Architecture

DPLL(Γ+T): a new style of reasoning for program checking

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

Random Testing in PVS

Parametricity of Inductive Predicates

Verification of an LCF-Style First-Order Prover with Equality

Packaging Theories of Higher Order Logic

Lectures 20, 21: Axiomatic Semantics

Property-Based Testing for Coq. Cătălin Hrițcu

arxiv: v1 [cs.lo] 11 Nov 2010

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Lecture 5 - Axiomatic semantics

The design of a programming language for provably correct programs: success and failure

Programming Proofs and Proving Programs. Nick Benton Microsoft Research, Cambridge

An Industrially Useful Prover

Introduction to Axiomatic Semantics (1/2)

PRocH: Proof Reconstruction for HOL Light

Towards certification of TLA + proof obligations with SMT solvers

The Prototype Verification System PVS

Introduction to dependent types in Coq

From Types to Sets in Isabelle/HOL

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Turning inductive into equational specifications

Programming Languages Third Edition

Proofs and Proof Certification in the TLA + Proof System

Introduction to Axiomatic Semantics (1/2)

SAT-based Finite Model Generation for Higher-Order Logic

The Mathematical Vernacular

Logik für Informatiker Logic for computer scientists

Formal Methods in Software Development

1.3. Conditional expressions To express case distinctions like

Polarized Rewriting and Tableaux in B Set Theory

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Programming and Proving in

The Isabelle/Isar Reference Manual

Natural deduction environment for Matita

Introduction to the Lambda Calculus

A Simpl Shortest Path Checker Verification

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Formal Systems and their Applications

Com S 541. Programming Languages I

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Proving the Correctness of Distributed Algorithms using TLA

Basic Foundations of Isabelle/HOL

Locales and Locale Expressions in Isabelle/Isar

[Draft. Please do not distribute] Online Proof-Producing Decision Procedure for Mixed-Integer Linear Arithmetic

Contents. Chapter 1 SPECIFYING SYNTAX 1

CSE505, Fall 2012, Midterm Examination October 30, 2012

SMTCoq: A plug-in for integrating SMT solvers into Coq

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Theory Engineering Using Composable Packages

Deduction at Scale. Monday, March 7. The Organizers/Jochen Essl Welcome/Logistics 09:00 09:30

Mathematics for Computer Scientists 2 (G52MC2)

Cooperating Theorem Provers: A Case Study Combining HOL-Light and CVC Lite

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Beluga: A Framework for Programming and Reasoning with Deductive Systems (System Description)

Turning proof assistants into programming assistants

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

Automated Discovery of Conditional Lemmas in Hipster!

Introductory logic and sets for Computer scientists

A heuristic method for formally verifying real inequalities

An LCF-Style Interface between HOL and First-Order Logic

Discrete Mathematics Lecture 4. Harper Langston New York University

Appendix G: Some questions concerning the representation of theorems

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

A Logic of Proofs for Differential Dynamic Logic

Context aware Calculation and Deduction

Negations in Refinement Type Systems

Mathematics for Computer Scientists 2 (G52MC2)

Automated Termination and Confluence Analysis of Rewrite System

Functional Programming

Formal Verification. Lecture 10

Propositional Logic. Part I

Prototyping a Formal Verification Platform for SoCs

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Transcription:

/: Selected Features and Recent Improvements webertj@in.tum.de Security of Systems Group, Radboud University Nijmegen February 20, 2007 /:Selected Features and Recent Improvements

1 2 Logic User Interface Proof Language Existing Libraries 3 4 /:Selected Features and Recent Improvements

Motivation Theorem Proving Motivation Errare humanum est. Cicero /:Selected Features and Recent Improvements

Motivation Theorem Proving Motivation Complex systems almost inevitably contain bugs. /:Selected Features and Recent Improvements

Motivation Theorem Proving Motivation Complex systems almost inevitably contain bugs. Program testing can be used to show the presence of bugs, but never to show their absence! Edsger W. Dijkstra /:Selected Features and Recent Improvements

Motivation Theorem Proving Motivation /:Selected Features and Recent Improvements

Motivation Theorem Proving Theorem Provers A theorem prover is a computer program to prove theorems. /:Selected Features and Recent Improvements

Motivation Theorem Proving Theorem Provers A theorem prover is a computer program to prove theorems. Given a precise description of a system, and a formal specification of its intended behavior, /:Selected Features and Recent Improvements

Motivation Theorem Proving Theorem Provers A theorem prover is a computer program to prove theorems. Given a precise description of a system, and a formal specification of its intended behavior, we obtain a computer-checked proof that the system meets its specification. /:Selected Features and Recent Improvements

Motivation Theorem Proving Theorem Provers: Characteristic Features Logic User interface Proof language Existing libraries... /:Selected Features and Recent Improvements

Logic User Interface Proof Language Existing Libraries is a generic interactive theorem prover, developed by Larry Paulson at Cambridge University and Tobias Nipkow at Technische Universität München. First release in 1986. /:Selected Features and Recent Improvements

s Logics Logic User Interface Proof Language Existing Libraries implements a meta-logic, /Pure, based on the simply-typed λ-calculus. This meta-logic serves as the basis for several different object logics: ZF set theory (/ZF) First-order logic (/FOL) Higher-order logic (/) Modal logics... /:Selected Features and Recent Improvements

/ Logic User Interface Proof Language Existing Libraries /: higher-order logic, based on Church s simple theory of types (1940). /:Selected Features and Recent Improvements

/ Logic User Interface Proof Language Existing Libraries /: higher-order logic, based on Church s simple theory of types (1940). Simply-typed λ-calculus: Types: σ :: B σ σ Terms: t σ :: x σ (t σ σ t σ ) σ (λx σ1. t σ2 ) σ1 σ 2 /:Selected Features and Recent Improvements

/ Logic User Interface Proof Language Existing Libraries /: higher-order logic, based on Church s simple theory of types (1940). Simply-typed λ-calculus: Types: σ :: B σ σ Terms: t σ :: x σ (t σ σ t σ ) σ (λx σ1. t σ2 ) σ1 σ 2 Two logical constants: BBB, σσb /:Selected Features and Recent Improvements

/ Logic User Interface Proof Language Existing Libraries /: higher-order logic, based on Church s simple theory of types (1940). Simply-typed λ-calculus: Types: σ :: B σ σ Terms: t σ :: x σ (t σ σ t σ ) σ (λx σ1. t σ2 ) σ1 σ 2 Two logical constants: BBB, σσb Other constants, e.g. are definable. True False! /:Selected Features and Recent Improvements

The Semantics of Logic User Interface Proof Language Existing Libraries Standard set-theoretic semantics: Types denote certain non-empty sets. Terms denote elements of these sets. /:Selected Features and Recent Improvements

The Semantics of Logic User Interface Proof Language Existing Libraries Standard set-theoretic semantics: Types denote certain non-empty sets. Terms denote elements of these sets. Semantics of types: [[B]] {, } [[]] is given by the model [[σ 1 σ 2 ]] [[σ 2 ]] [[σ 1]] /:Selected Features and Recent Improvements

Features of / Logic User Interface Proof Language Existing Libraries / also provides... axiomatic type classes type and constant definitions recursive datatypes recursive functions inductively defined sets / is both a specification logic and a programming language. /:Selected Features and Recent Improvements

User Interface Logic User Interface Proof Language Existing Libraries uses Proof General as its default interface. (X-)Emacs-based Proof script management Mathematical symbols Theory dependency graph... A batch mode is available as well: $ isatool usedir... /:Selected Features and Recent Improvements

Proof Language Logic User Interface Proof Language Existing Libraries Many interactive theorem provers (including ) offer a tactic-style proof language. The prover maintains a proof state which keeps track of the formulae that remain to be shown. Tactics (which can implement simple natural-deduction rules or complex decision procedures) are applied to the proof state to simplify remaining proof goals. A proof is a sequence of tactic applications. /:Selected Features and Recent Improvements

Tactic-Style Proofs: Example Logic User Interface Proof Language Existing Libraries lemma ( x.y. P x y) (y. x. P x y) apply (erule exe) apply (rule alli) apply (erule tac x y in alle) apply (rule tac x x in exi) apply assumption done /:Selected Features and Recent Improvements

Logic User Interface Proof Language Existing Libraries Tactic-Style Proofs: Shortcomings Tactic-style proofs have little in common with traditional mathematical proofs. Tactic-style proofs are impossible to understand independently of the theorem prover. Tactic-style proofs are hard to maintain. /:Selected Features and Recent Improvements

/Isar: Readable Proofs Logic User Interface Proof Language Existing Libraries /Isar is a structured proof language, where proofs resemble those found in mathematical textbooks. lemma ( x. y. P x y) (y. x. P x y) proof assume x. y. P x y from this obtain x where X: y. P x y.. fix y from X have P x y.. then show x. P x y.. qed Isar proofs can be understood independently of the theorem prover. /:Selected Features and Recent Improvements

Logic User Interface Proof Language Existing Libraries lemma ( x. y. P x y) (y. x. P x y) proof assume x. y. P x y from this obtain x where X: y. P x y.. fix y from X have P x y.. then show x. P x y.. qed /:Selected Features and Recent Improvements

Logic User Interface Proof Language Existing Libraries lemma ( x. y. P x y) (y. x. P x y) by auto /:Selected Features and Recent Improvements

s Automatic Tactics Logic User Interface Proof Language Existing Libraries provides several automatic tactics and decision procedures. term rewriting (auto, simp) tableau-based (blast) Fourier-Motzkin (arith) Cooper s quantifier elimination (presburger)... These can easily be instantiated for different object logics. /:Selected Features and Recent Improvements

Logic User Interface Proof Language Existing Libraries Quis custodiet ipsos custodes? Juvenal /:Selected Features and Recent Improvements

LCF-Style Systems Logic User Interface Proof Language Existing Libraries Theorems are implemented as an abstract datatype. They can be constructed only in a very controlled manner, through calling functions from the system s kernel. There is one such kernel function for each inference rule of the system s logic. Advanced tactics and decision procedures are built on top of the kernel. They must use the kernel functions (or other, more basic tactics) to create theorems. /:Selected Features and Recent Improvements

Existing Libraries Logic User Interface Proof Language Existing Libraries Substantial amounts of mathematics and computer science have been formalized. Algebra Calculus Graph theory... Automata theory Programming language semantics, program logics... / alone contains over 7,300 definitions and theorems. /:Selected Features and Recent Improvements

Some Recent Projects Logic User Interface Proof Language Existing Libraries Verified Java Bytecode Verification (Gerwin Klein, PhD thesis, 2003) Verisoft: the pervasive formal verification of computer systems (since 2003) Flyspeck: a formal proof of the Kepler conjecture (Thomas C. Hales, since 2003) /:Selected Features and Recent Improvements

Document Preparation Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems generates L A TEX sources from theory files. Other output modes (e.g. HTML) are available as well. Theory files can contain comments and annotations without logical significance. Antiquotations in these comments refer to theorems, terms etc. You can use one tool to prove your theorems and write your paper! /:Selected Features and Recent Improvements

Integration of External Provers Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Motivation: Increased Improved Performance /:Selected Features and Recent Improvements

In Tools We Trust? Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems The Oracle Approach A formula is accepted as a theorem if the external tool claims it to be provable. /:Selected Features and Recent Improvements

In Tools We Trust? Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems The Oracle Approach A formula is accepted as a theorem if the external tool claims it to be provable. The LCF-style Approach The external tool provides a certificate of its answer that is translated into an proof. /:Selected Features and Recent Improvements

System Overview Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Input formula Preprocessing DIMACS SMT LIB TPTP External Prover provable? no yes Model Counterexample Certificate Theorem Proof reconstruction /:Selected Features and Recent Improvements

Recent Prover Integrations Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems SAT: zchaff, MiniSAT (, Alwen Tiu et al.) SMT: harvey (Pascal Fontaine, Stephan Merz et al.) FOL: Spass, Vampire (Jia Meng, Larry Paulson) : 4, -Light (Sebastian Skalberg, Steven Obua) /:Selected Features and Recent Improvements

Proof Objects Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Proof objects constitute certificates that are easily verifiable by an external proof checker. Proof objects in (implemented by Stefan Berghofer) use λ-terms, based on the Curry-Howard isomorphism. Information that can be inferred is omitted to reduce the size of the proof object. Applications: proof-carrying code, proof export, program extraction from proofs For programs extracted from proofs, a realizability statement is automatically proven to establish the program s correctness. /:Selected Features and Recent Improvements

Code Generation Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Motivation: executing formal specifications, rapid prototyping, program extraction, reflection ML and Haskell code can be generated from executable terms (Stefan Berghofer, Florian Haftmann). Such terms are built from executable constants, datatypes, inductive relations and recursive functions. Translating inductive relations requires a mode analysis. Normalization by evaluation: simplifies executable terms (possibly containing free variables) by evaluating them symbolically. Orders of magnitude faster than rewriting. /:Selected Features and Recent Improvements

Reflection Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Instead of implementing a decision procedure in ML, we write it in the logic (/) as a recursive function on an appropriately defined datatype representing terms, prove its correctness, and generate code from the definition. Motivation: Assuming that the code generator is part of the trusted kernel, the generated code can simply be executed, with no need for proof checking. This can lead to a significant speed-up. Amine Chaieb has implemented a reflected version of Cooper s quantifier elimination procedure for Presburger arithmetic and a generic reflection interface for user-defined decision procedures. /:Selected Features and Recent Improvements

Disproving Non-Theorems Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Traditionally, the focus in theorem proving has been on, well, proving theorems. However, disproving a faulty conjecture can be just as important. In formal verification, initial conjectures are more often false than not, and a counterexample often exhibits a fault in the implementation. provides two essentially different tools for disproving conjectures: quickcheck (by Stefan Berghofer) and refute (by Tjark Weber). /:Selected Features and Recent Improvements

quickcheck Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Inspired by the Haskell quickcheck library (for testing Haskell programs). Free variables are instantiated with random values. The code generator is used to simplify the resulting term. Parameters: size of instantiations, number of iterations. Fast, but not suited for existential or non-executable statements. Implications with strong premises are problematic. /:Selected Features and Recent Improvements

refute Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems A SAT-based finite model generator. A formula is translated into a propositional formula that is satisfiable iff the formula has a model of a given size. Parameters: (minimal, maximal) size of the model. Any statement can be handled, but non-elementary complexity. Still useful in practice ( small model property ). /:Selected Features and Recent Improvements

Finite Model Generation Document Preparation Integration of External Provers Proof Objects Code Generation Reflection Disproving Non-Theorems Theorem proving: from formulae to proofs Finite model generation: from formulae to models Input formula valid? no yes Proof Counter model Applications: Finding counterexamples to false conjectures Showing the consistency of a specification Solving open mathematical problems Guiding resolution-based provers /:Selected Features and Recent Improvements

Questions? is a powerful interactive theorem prover. A reasonably high degree of automation is available through both internal and external tools. Definitional packages and existing libraries facilitate the development of new specifications. A human-readable proof language, existing lemmas and a decent user interface facilitate the development of proofs. Several side applications: proof import/export, code extraction, counterexamples for unprovable formulae /:Selected Features and Recent Improvements

Questions? Questions? Beware of bugs in the above code; I have only proved it correct, not tried it. Donald Knuth /:Selected Features and Recent Improvements

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback