Overview. A Compact Introduction to Isabelle/HOL. Tobias Nipkow. System Architecture. Overview of Isabelle/HOL

Similar documents
An Introduction to Isabelle/HOL 2008

Isabelle s meta-logic. p.1

Programming and Proving in

Theorem Proving Principles, Techniques, Applications Recursion

Concrete Semantics. A Proof Assistant Approach. Tobias Nipkow Fakultät für Informatik Technische Universität München

Programming and Proving in Isabelle/HOL

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

Basic Foundations of Isabelle/HOL

Programming and Proving in Isabelle/HOL

Interactive Proof: Introduction to Isabelle/HOL

2 Programming and Proving

Introduction to dependent types in Coq

Programs and Proofs in Isabelle/HOL

Functional Programming and Modeling

Programming and Proving in Isabelle/HOL

λ calculus is inconsistent

Provably Correct Software

type classes & locales

Computer-supported Modeling and Reasoning. First-Order Logic. 1 More on Isabelle. 1.1 Isabelle System Architecture

Inductive datatypes in HOL. lessons learned in Formal-Logic Engineering

COMP4161: Advanced Topics in Software Verification. fun. Gerwin Klein, June Andronick, Ramana Kumar S2/2016. data61.csiro.au

COMP 4161 NICTA Advanced Course. Advanced Topics in Software Verification. Toby Murray, June Andronick, Gerwin Klein

Integration of SMT Solvers with ITPs There and Back Again

A Tutorial Introduction to Structured Isar Proofs

Functional Programming with Isabelle/HOL

Tobias Nipkow, Gerwin Klein. Concrete Semantics. with Isabelle/HOL. October 16, Springer-Verlag

Automated Reasoning. Natural Deduction in First-Order Logic

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

Preuves Interactives et Applications

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Isabelle. A Proof Assistant for Higher-Order Logic HOL. Markus Wenzel. Springer-Verlag

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Lambda Calculus and Type Inference

COMP 4161 Data61 Advanced Course. Advanced Topics in Software Verification. Gerwin Klein, June Andronick, Christine Rizkallah, Miki Tanaka

Lambda Calculus and Type Inference

A CRASH COURSE IN SEMANTICS

CS 320: Concepts of Programming Languages

Polymorphic lambda calculus Princ. of Progr. Languages (and Extended ) The University of Birmingham. c Uday Reddy

Reasoning about programs. Chapter 9 of Thompson

Data types for mcrl2

Review. CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Let bindings (CBV) Adding Stuff. Booleans and Conditionals

An Introduction to Programming and Proving in Agda (incomplete draft)

On Agda JAIST/AIST WS CVS/AIST Yoshiki Kinoshita, Yoriyuki Yamagata. Agenda

10 Years of Partiality and General Recursion in Type Theory

Higher-Order Logic. Specification and Verification with Higher-Order Logic

The Eisbach User Manual

Type Checking and Type Inference

Isabelle/HOL:Selected Features and Recent Improvements

Expr_annotated.v. Expr_annotated.v. Printed by Zach Tatlock

Efficient Mergesort. Christian Sternagel. October 11, 2017

Three Applications of Strictness in the Efficient Implementaton of Higher-Order Terms

Chapter 3 Linear Structures: Lists

Formal Systems and their Applications

Programming Languages Lecture 14: Sum, Product, Recursive Types

From Types to Sets in Isabelle/HOL

CSE 3302 Programming Languages Lecture 8: Functional Programming

Chapter 3 Linear Structures: Lists

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

Overloading, Type Classes, and Algebraic Datatypes

PROGRAMMING IN HASKELL. CS Chapter 6 - Recursive Functions

1.3. Conditional expressions To express case distinctions like

Interactive Theorem Proving in Higher-Order Logics

Automatic Proof and Disproof in Isabelle/HOL

Processadors de Llenguatge II. Functional Paradigm. Pratt A.7 Robert Harper s SML tutorial (Sec II)

Turning inductive into equational specifications

MoreIntro_annotated.v. MoreIntro_annotated.v. Printed by Zach Tatlock. Oct 04, 16 21:55 Page 1/10

Haske k ll An introduction to Functional functional programming using Haskell Purely Lazy Example: QuickSort in Java Example: QuickSort in Haskell

Inductive Definitions, continued

Programming Language Features. CMSC 330: Organization of Programming Languages. Turing Completeness. Turing Machine.

CMSC 330: Organization of Programming Languages

MLW. Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky. March 26, Radboud University Nijmegen

CSCE 314 TAMU Fall CSCE 314: Programming Languages Dr. Flemming Andersen. Haskell Functions

1. M,M sequential composition: try tactic M; if it succeeds try tactic M. sequential composition (, )

Calculus of Inductive Constructions

An introduction introduction to functional functional programming programming using usin Haskell

Shell CSCE 314 TAMU. Haskell Functions

Introduction to the Lambda Calculus

Isabelle Primer for Mathematicians

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

The Isabelle/Isar Reference Manual

Multi-paradigm Declarative Languages

Lecture #13: Type Inference and Unification. Typing In the Language ML. Type Inference. Doing Type Inference

Backtracking and Induction in ACL2

CMSC 330: Organization of Programming Languages. Functional Programming with Lists

Flang typechecker Due: February 27, 2015

Isabelle Tutorial: System, HOL and Proofs

Assistant for Language Theory. SASyLF: An Educational Proof. Corporation. Microsoft. Key Shin. Workshop on Mechanizing Metatheory

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Computing Fundamentals 2 Introduction to CafeOBJ

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Automatic inductive equational reasoning

3 Pairs and Lists. 3.1 Formal vs. Informal Proofs

A Verified Compiler from Isabelle/HOL to CakeML

Lecture #23: Conversion and Type Inference

Interactive Theorem Proving (ITP) Course Parts VII, VIII

Conversion vs. Subtyping. Lecture #23: Conversion and Type Inference. Integer Conversions. Conversions: Implicit vs. Explicit. Object x = "Hello";

The Prototype Verification System PVS

Formally Certified Satisfiability Solving

15 212: Principles of Programming. Some Notes on Continuations

Transcription:

Overview A Compact Introduction to Isabelle/HOL Tobias Nipkow TU München 1. Introduction 2. Datatypes 3. Logic 4. Sets p.1 p.2 System Architecture Overview of Isabelle/HOL ProofGeneral Isabelle/HOL Isabelle Standard ML (X)Emacs based interface Isabelle instance for HOL generic theorem prover implementation language p.3 p.4

HOL Formulae HOL has datatypes HOL = Higher-Order Logic HOL = Functional programming + Logic recursive functions logical operators (,,,,... ) HOL is a programming language! Higher-order = functions are values, too! p.5 Syntax (in decreasing priority): f orm ::= (f orm) term = term f orm form form form form form form x. form x. form Scope of quantifiers: as far to the right as possible Examples A B C (( A) B) C A = B C (A = B) C x. P x Q x x. (P x Q x) x. y. P x y Q x x. ( y. (P x y Q x)) p.6 Types Types and Terms Syntax: τ ::= (τ) bool nat... base types a b... type variables τ τ total functions τ τ pairs (ascii: *) τ list lists... user-defined types Parentheses: T1 T2 T3 T1 (T2 T3) p.7 p.8

Terms: Basic syntax Terms and Types Syntax: term ::= (term) a constant or variable (identifier) term term function application λx. term function abstraction... lots of syntactic sugar Terms must be well-typed (the argument of every function call must be of the right type) Notation: t :: τ means t is a well-typed term of type τ. Examples: f (g x) y h (λx. f (g x)) Parantheses: f a 1 a 2 a 3 ((f a 1 ) a 2 ) a 3 p.9 p.10 Type inference Currying Isabelle automatically computes ( infers ) the type of each variable in a term. In the presence of overloaded functions (functions with multiple types) not always possible. User can help with type annotations inside the term. Example: f (x::nat) Thou shalt curry your functions Curried: f :: τ 1 τ 2 τ Tupled: f :: τ 1 τ 2 τ Advantage: partial application f a 1 with a 1 :: τ 1 p.11 p.12

Terms: Syntactic sugar Some predefined syntactic sugar: Infix: +, -, *, #, @,... Mixfix: if _ then _ else _, case _ of,... Base types: bool, nat, list Prefix binds more strongly than infix:! f x + y (f x) + y f (x + y)! p.13 p.14 Type bool Type nat Formulae = terms of type bool True :: bool False :: bool,,... :: bool bool bool. if-and-only-if: = 0 :: nat Suc :: nat nat +, *,... :: nat nat nat.! Numbers and arithmetic operations are overloaded: 0,1,2,... :: a, + :: a a a You need type annotations: 1 :: nat, x + (y::nat)... unless the context is unambiguous: Suc z p.15 p.16

Type list []: empty list x # xs: list with first element x ("head") and rest xs ("tail") Syntactic sugar: [x 1,...,x n ] Isabelle Theories Large library: hd, tl, map, size, filter, set, nth, take, drop, distinct,... Don t reinvent, reuse! HOL/List.thy p.17 p.18 Theory = Module Syntax: theory MyTh = ImpTh 1 +... + ImpTh n : (declarations, definitions, theorems, proofs,...) end Proof General MyTh: name of theory. Must live in file MyTh.thy ImpTh i : name of imported theories. Import transitive. Unless you need something special: theory M yt h = Main: An Isabelle Interface by David Aspinall p.19 p.20

Proof General X-Symbols Customized version of (x)emacs: all of emacs (info: C-h i) Isabelle aware (when editing.thy files) mathematical symbols ( x-symbols ) Interaction: via mouse or keyboard (key bindings see C-h m) Input of funny symbols in Proof General via menu ( X-Symbol ) via ascii encoding (similar to L A T E X): \<and>, \<or>,... via abbreviation: /\, \/, -->,... x-symbol λ ascii (1) \<forall> \<exists> \<lambda> \<not> /\ \/ --> => ascii (2) ALL EX % & (1) is converted to x-symbol, (2) stays ascii. p.21 p.22 Demo: terms and types An introduction to recursion and induction p.23 p.24

A recursive datatype: toy lists Concrete syntax datatype a list = Nil Cons a " a list" Nil: empty list Cons x xs: head x :: a, tail xs :: a list A toy list: Cons False (Cons True Nil) Predefined lists: [False, True] In.thy files: Types and formulae need to be inclosed in "..." Except for single identifiers, e.g. a "..." normally not shown on slides p.25 p.26 Structural induction on lists P xs holds for all lists xs if P Nil and for arbitrary x and xs, P xs implies P (Cons x xs) Demo: append and reverse p.27 p.28

Proofs Proof methods General schema: lemma name: "..." apply (...) apply (...). done If the lemma is suitable as a simplification rule: lemma name[simp]: "..." Structural induction Format: (induct x) x must be a free variable in the first subgoal. The type of x must be a datatype. Effect: generates 1 new subgoal per constructor Simplification and a bit of logic Format: auto Effect: tries to solve as many subgoals as possible using simplification and basic logical reasoning. p.29 p.30 The proof state Notation 1. x 1... x p. [ A 1 ;... ; A n ] = B x 1... x p Local constants A 1... A n Local assumptions B Actual (sub)goal [ A 1 ;... ; A n ] = B abbreviates A 1 =... = A n = B ; and p.31 p.32

Type and function definition in Isabelle/HOL Datatype definition in Isabelle/HOL p.33 p.34 The example The general case datatype a list = Nil Cons a " a list" Properties: Types: Nil :: a list Cons :: a a list a list Distinctness: Nil Cons x xs Injectivity: (Cons x xs = Cons y ys) = (x = y xs = ys) datatype (α 1,...,α n )τ = C 1 τ 1,1...τ 1,n1... C k τ k,1...τ k,nk Types: C i :: τ i,1 τ i,ni (α 1,...,α n )τ Distinctness: C i... C j... if i j Injectivity: (C i x 1...x ni = C i y 1...y ni ) = (x 1 = y 1... x ni = y ni ) Distinctness and Injectivity are applied automatically Induction must be applied explicitly p.35 p.36

case Case distinctions Every datatype introduces a case construct, e.g. (case xs of []... y#ys... y... ys...) In general: one case per constructor Same order of cases as in datatype No nested patterns (e.g. x#y#zs) But nested cases Needs ( ) in context apply( case_tac t) creates k subgoals t = C i x 1...x p =... one for each constructor C i. p.37 p.38 Why nontermination can be harmful Function definition in Isabelle/HOL How about f x = f x + 1? Subtract f x on both sides. = 0 = 1! All functions in HOL must be total! p.39 p.40

Function definition schemas in Isabelle/HOL Non-recursive with defs/constdefs No problem Primitive-recursive with primrec Terminating by construction Well-founded recursion with recdef User must (help to) prove termination ( later) primrec p.41 p.42 The example The general case primrec "app Nil ys = ys" "app (Cons x xs) ys = Cons x (app xs ys)" If τ is a datatype (with constructors C 1,...,C k ) then f :: τ τ can be defined by primitive recursion: f x 1...(C 1 y 1,1...y 1,n1 )...x p = r 1. f x 1...(C k y k,1...y k,nk )...x p = r k The recursive calls in r i must be structurally smaller, i.e. of the form f a 1...y i,j...a p p.43 p.44

nat is a datatype datatype nat = 0 Suc nat Functions on nat definable by primrec! Demo: trees primrec f 0 =... f(suc n) =... f n... p.45 p.46 Proof by Simplification Term rewriting foundations p.47 p.48

Term rewriting means... Using equations l = r from left to right As long as possible Terminology: equation rewrite rule Equations: Rewriting: An example 0 + n = n (1) (Suc m) + n = Suc (m + n) (2) (Suc m Suc n) = (m n) (3) (0 m) = True (4) 0 + Suc 0 Suc 0 + x Suc 0 Suc 0 + x Suc 0 Suc (0 + x) 0 0 + x True (1) = (2) = (3) = (4) = p.49 p.50 Schematic variables Interlude: Variables in Isabelle Three kinds of variables: bound: x. x = x free: x = x schematic:?x =?x ( unknown ) Can be mixed: b. f?a y = b Logically: free = schematic Operationally: free variables are fixed schematic variables are instantiated by substitutions (e.g. during rewriting) p.51 p.52

From x to?x State lemmas with free variables: lemma app_nil2[simp]: "xs @ [] = xs". done After the proof: Isabelle changes xs to?xs (internally):?xs @ [] =?xs Now usable with arbitrary values for?xs Term rewriting in Isabelle p.53 p.54 Basic simplification auto versus simp Goal: 1. [ P 1 ;... ; P m ] = C apply(simp add: eq 1... eq n ) Simplify P 1... P m and C using lemmas with attribute simp auto acts on all subgoals simp acts only on subgoal 1 auto applies simp and more rules from primrec and datatype additional lemmas eq 1... eq n assumptions P 1... P m p.55 p.56

Termination Simplification may not terminate. Isabelle uses simp-rules (almost) blindly from left to right. Conditional simp-rules are only applied if conditions are provable. Demo: simp p.57 p.58 Basic heuristics Induction heuristics Theorems about recursive functions are proved by induction Induction on argument number i of f if f is defined by recursion on argument number i p.59 p.60

A tail recursive reverse consts itrev :: a list a list a list primrec itrev [] ys = ys itrev (x#xs) ys = itrev xs (x#ys) lemma itrev xs [] = rev xs Why in this direction? Because the lhs is more complex than the rhs. Demo: first proof attempt p.61 p.62 Generalisation (1) Replace constants by variables lemma itrev xs ys = rev xs @ ys Demo: second proof attempt p.63 p.64

Generalisation (2) Quantify free variables by (except the induction variable) HOL: Propositional Logic lemma ys. itrev xs ys = rev xs @ ys p.65 p.66 Overview Rule notation Natural deduction Rule application in Isabelle/HOL A 1...A n A instead of [A 1...A n ] = A p.67 p.68

Natural deduction Natural Deduction Two kinds of rules for each logical operator : Introduction: how can I prove A B? Elimination: what can I prove from A B? p.69 p.70 Natural deduction for propositional logic A B A B conji A B [A;B] = C conje C A A B B A B disji1/2 A B A = C B = C C A = B A B impi A B A B = C C A = B B = A iffi A = B A = False A noti A=B A = B iffd1 A A C note impe disje A=B B = A iffd2 Operational reading A 1...A n A Introduction rule: To prove A it suffices to prove A 1...A n. Elimination rule If I know A 1 and want to prove A it suffices to prove A 2...A n. p.71 p.72

Classical contradiction rules Proof by assumption A = False A ccontr A = A A classical A 1... A n A i assumption p.73 p.74 Rule application: the rough idea Rule application: the details Applying rule [ A 1 ;... ; A n ] = A to subgoal C: Unify A and C Replace C with n new subgoals A 1... A n Working backwards, like in Prolog! Example: rule: [?P;?Q] =?P?Q subgoal: 1. A B Result: 1. A 2. B Rule: [ A 1 ;... ; A n ] = A Subgoal: 1. [ B 1 ;... ; B m ] = C Substitution: σ(a) σ(c) New subgoals: 1. σ( [ B 1 ;... ; B m ] = A 1 ) Command:. n. σ( [ B 1 ;... ; B m ] = A n ) apply(rule <rulename>) p.75 p.76

Proof by assumption proves apply assumption Demo: application of introduction rule 1. [ B 1 ;... ; B m ] = C by unifying C with one of the B i (backtracking!) p.77 p.78 Applying elimination rules How to prove it by natural deduction apply(erule <elim-rule>) Like rule but also unifies first premise of rule with an assumption eliminates that assumption Example: Rule: [?P?Q; [?P;?Q] =?R] =?R Subgoal: 1. [ X; A B; Y ] = Z Unification:?P?Q A B and?r Z New subgoal: 1. [ X; Y ] = [ A; B ] = Z same as: 1. [ X; Y; A; B ] = Z Intro rules decompose formulae to the right of =. apply(rule <intro-rule>) Elim rules decompose formulae on the left of =. apply(erule <elim-rule>) p.79 p.80

= vs Demo: examples Write theorems as [A 1 ;...; A n ] = A not as A 1... A n A (to ease application) Exception (in apply-style): induction variable must not occur in the premises. Example: [A; B(x) ] = C(x) A = B(x) C(x) Reverse transformation (after proof): lemma abc[rule_format]: A = B(x) C(x) p.81 p.82 Demo: further techniques HOL: Predicate Logic p.83 p.84

Parameters Scope Subgoal: 1. x 1... x n. Formula The x i are called parameters of the subgoal. Intuition: local constants, i.e. arbitrary but fixed values. Rules are automatically lifted over x 1... x n and applied directly to Formula. Scope of parameters: whole subgoal Scope of,,... : ends with ; or = x y. [ y. P y Q z y; Q x y ] = x. Q x y means x y. [ ( y1. P y 1 Q z y 1 ); Q x y ] = x 1. Q x 1 y p.85 p.86 α-conversion Natural deduction for quantifiers Bound variables are renamed automatically to avoid name clashes with other variables. x. P(x) x. P(x) alli x. P(x) P(?x) = R alle R P(?x) x. P(x) exi x. P(x) x. P(x) = R exe R alli and exe introduce new parameters ( x). alle and exi introduce new unknowns (?x). p.87 p.88

Instantiating rules Two successful proofs apply(rule_tac x = "term" in rule) Like rule, but?x in rule is instantiated by term before application. Similar: erule_tac! x is in rule, not in the goal! 1. x. y. x = y apply(rule alli) 1. x. y. x = y best practice exploration apply(rule_tac x = "x" in exi) apply(rule exi) 1. x. x = x 1. x. x =?y x apply(rule refl) apply(rule refl)?y λu. u simpler & clearer shorter & trickier p.89 p.90 Safe and unsafe rules Demo: quantifier proofs Safe alli, exe Unsafe alle, exi Create parameters first, unknowns later p.91 p.92

Demo: proof methods Sets p.93 p.94 Overview Set notation Inductively defined sets Set notation p.95 p.96

Sets Proofs about sets Type a set: sets over type a {}, {e 1,...,e n }, {x. P x} e A, A B A B, A B, A - B, - A x A B x, x A B x {i..j} insert :: a a set a set... Natural deduction proofs: equalityi: [A B; B A] = A = B subseti: ( x. x A = x B) = A B... (see Tutorial) p.97 p.98 Demo: proofs about sets Inductively defined sets p.99 p.100

Example: finite sets Example: even numbers Informally: The empty set is finite Adding an element to a finite set yields a finite set These are the only finite sets In Isabelle/HOL: consts Fin :: a set set inductive Fin intros {} Fin A Fin = insert a A Fin The set of all finite set p.101 Informally: 0 is even If n is even, so is n + 2 These are the only even numbers In Isabelle/HOL: consts Ev :: nat set inductive Ev intros 0 Ev n Ev = n + 2 Ev The set of all even numbers p.102 consts S :: τ set inductive S Format of inductive definitions intros [ a 1 S;... ; a n S; A 1 ;...; A k ] = a S. where A 1 ;...; A k are side conditions not involving S. Easy: 4 Ev Proving properties of even numbers 0 Ev = 2 Ev = 4 Ev Trickier: m Ev = m+m Ev Idea: induction on the length of the derivation of m Ev Better: induction on the structure of the derivation Two cases: m Ev is proved by rule 0 Ev = m = 0 = 0+0 Ev rule n Ev = n+2 Ev = m = n+2 and n+n Ev (ind. hyp.!) = m+m = (n+2)+(n+2) = ((n+n)+2)+2 Ev p.103 p.104

Rule induction for Ev Rule induction in general To prove n Ev = P n by rule induction on n Ev we must prove P 0 P n = P(n+2) Rule Ev.induct: [ n Ev; P 0; n. P n = P(n+2) ] = P n An elimination rule Set S is defined inductively. To prove x S = P x by rule induction on x S we must prove for every rule [ a 1 S;... ; a n S ] = a S that P is preserved: [ P a 1 ;... ; P a n ] = P a In Isabelle/HOL: apply(erule S.induct) p.105 p.106 Demo: inductively defined sets p.107

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback