B Method Proof assistants May 16, 2017 Lucas Franceschino What is - - PowerPoint PPT Presentation

May 16, 2017

B Method

Proof assistants Lucas Franceschino

What is B method?

◎ B-method goal

Specifications Actual program

3

◎ B-method goal

Specifications Actual program

 Machine

3

◎ B-method goal

Specifications Actual program

 Machine  Refinement 1

3

◎ B-method goal

Specifications Actual program

 Machine  Refinement 1  Refinement 2

3

◎ B-method goal

Specifications Actual program

 Machine  Refinement 1  Refinement 2  Refinement 3

3

◎ B-method goal

Specifications Actual program

 Machine  Refinement 1 C / ada  Refinement 2  Refinement 3

3

◎ B-method goal

Specifications Actual program

 Machine  Refinement 1 C / ada  Refinement 2  Refinement 3

3

◎ B-method goal

Specifications Actual program

No gap between specification specification and actual pr actual progr

• gram

3

♂ The initiator of B method

Jean-Raymond Abrial

1970

Specification of data structures and programs Initiated the Z-Notation (in Oxford)

• G. Laffitte,
• F. Mejia,
• I. Mc Neal

B4free, Bart, ABTools…

4

♂ The initiator of B method

Jean-Raymond Abrial

1970

Specification of data structures and programs Initiated the Z-Notation (in Oxford)

Good for formal specifications, not for development

• G. Laffitte,
• F. Mejia,
• I. Mc Neal

4

♂ The initiator of B method

Jean-Raymond Abrial

1970

Specification of data structures and programs Initiated the Z-Notation (in Oxford)

Good for formal specifications, not for development

1996

Published “The B Book” Atelier B

• G. Laffitte,
• F. Mejia,
• I. Mc Neal

B4free, Bart, ABTools…

4

♂ The initiator of B method

Jean-Raymond Abrial

1970

Specification of data structures and programs Initiated the Z-Notation (in Oxford)

Good for formal specifications, not for development

1996

Published “The B Book” Atelier B

2010

Published “Modeling in Event-B : system and software engineering” Rodin platform

• G. Laffitte,
• F. Mejia,
• I. Mc Neal

B4free, Bart, ABTools…

4

♂ The initiator of B method

Jean-Raymond Abrial

1970

Specification of data structures and programs Initiated the Z-Notation (in Oxford)

Good for formal specifications, not for development

1996

Published “The B Book” Atelier B Was in the development team of Ada

2010

Published “Modeling in Event-B : system and software engineering” Rodin platform

• G. Laffitte,
• F. Mejia,
• I. Mc Neal

B4free, Bart, ABTools…

4

Use cases

 Train related B projects around the world

Braking system, platform screen doors…

6

 Use case: Meteor in Paris (line 14)

110 000 lines of B  87 000 lines of Ada  29 000 lemmas 

7

 Use case: Meteor in Paris (line 14)

Driverless trains  Extension in 2003  80 million passengers in 2009 

110 000 lines of B  87 000 lines of Ada  29 000 lemmas 

7

 Use case: Meteor in Paris (line 14)

9.2 km . October 1998  Driverless trains  Extension in 2003  80 million passengers in 2009 

110 000 lines of B  87 000 lines of Ada  29 000 lemmas 

7

 Use case: Meteor in Paris (line 14)

9.2 km . October 1998  No bugs discovered yet!  Still in version 1.0  Driverless trains  Extension in 2003  80 million passengers in 2009 

110 000 lines of B  87 000 lines of Ada  29 000 lemmas 

7

Other use cases

• Peugeot cars: formalization of sub systems (lights system,

airbags, motor) to help building diagnostic tools

• Modeling of tasks scheduling from the software controlling the

stage separations of Ariane rocket

• Protocol study
• JavaCard runtime formalization

Java runtime for smartcard

Provide safe: authentication, data storage, application processing

8

Developing in B

B method development



Specification



Integration tests



Conception



Unit tests



Code Validation

10

B method development



Specification



Integration tests



Conception



Unit tests



Code Validation

10

B method development



Specification



Integration tests



Conception



Unit tests



Code Validation

10

B method development



Specification



Integration tests



Conception



Unit tests



Code Validation

10

B method development



Specification



Integration tests



Conception



Unit tests



Code Validation

10

B method development



Specification



Integration tests



Conception



Unit tests



Code Validation

10

How does method B works

 Module: modelling of a sub system

 Component

11

How does method B works

 Module: modelling of a sub system

 Component Static part Static part Definition of: Variables, constants, sets List of invariants Dynamic part Dynamic part Initialize variables Define operations on variables Pr Proo

• of

Static part coherence Initializing preserve invariants Operations preserve invariants

11

How does method B works

 Module: modelling of a sub system  Abstract machine

 Component Static part Static part Definition of: Variables, constants, sets List of invariants Dynamic part Dynamic part Initialize variables Define operations on variables Pr Proo

• of

Static part coherence Initializing preserve invariants Operations preserve invariants

11

How does method B works

 Module: modelling of a sub system  Abstract machine  Refinements

 Component Static part Static part Definition of: Variables, constants, sets List of invariants Dynamic part Dynamic part Initialize variables Define operations on variables Pr Proo

• of

Static part coherence Initializing preserve invariants Operations preserve invariants

11

How does method B works

 Module: modelling of a sub system  Abstract machine  Refinements

 Component Static part Static part Definition of: Variables, constants, sets List of invariants Dynamic part Dynamic part Initialize variables Define operations on variables Pr Proo

• of

Static part coherence Initializing preserve invariants Operations preserve invariants

 Implementation

11

How does method B works

 Module: modelling of a sub system  Abstract machine  Refinements

 Component Static part Static part Definition of: Variables, constants, sets List of invariants Dynamic part Dynamic part Initialize variables Define operations on variables Pr Proo

• of

Static part coherence Initializing preserve invariants Operations preserve invariants

 Implementation

We refine a previous component: we make it more precise and specific

11

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S a := 1 ; ; b := 1

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S a := 1 ; ; b := 1 x : (x ∈ INT ∧ x < 20) not deterministic

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S a := 1 ; ; b := 1 a := 1 || || b := 1 b := 1 || || a := 1 x : (x ∈ INT ∧ x < 20) not deterministic

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Let bindings  Become such that  Simultaneous operations  Sequencing  While loop  Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S a := 1 ; ; b := 1 a := 1 || || b := 1 b := 1 || || a := 1 x : (x ∈ INT ∧ x < 20) not deterministic

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Let bindings  Become such that  Simultaneous operations  Sequencing  While loop  Precondition  Choice  Let bindings  Become such that  Simultaneous operations  Sequencing  While loop  Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S a := 1 ; ; b := 1 a := 1 || || b := 1 b := 1 || || a := 1 x : (x ∈ INT ∧ x < 20) not deterministic

Substitutions

12

Machine, refinement, implementation

 Abstract machine  Refinements  Implementation

 Precondition  Choice  Let bindings  Become such that  Simultaneous operations  Sequencing  While loop  Precondition  Choice  Let bindings  Become such that  Simultaneous operations  Sequencing  While loop  Precondition  Choice  Become such that  Simultaneous operations  Sequencing  While loop  Let bindings

Predicated-based IF ANY x WHERE x ∈ S a := 1 ; ; b := 1 a := 1 || || b := 1 b := 1 || || a := 1 x : (x ∈ INT ∧ x < 20) not deterministic M a k i n g p r

• g

r a m m

• r

e c

• n

c r e t e

Substitutions

12

More substitutions

Machine Refinement Implementation Block Y Y Y Identical Y Y Y Becomes Equal Y Y Y Precondition Y Y N Assertion Y Y Y Bounded choice Y Y N IF conditional Y Y Y Conditional Bounded choice Y Y N Case Conditional Y Y Y Unbounded choice Y Y N Local Definition Y Y N Becomes Element of Y Y N Becomes such that Y Y N Local Variable N Y Y Sequencing N Y Y Operation Call Y Y Y While Loop N N Y Simultaneous Y Y N

13

B language

14

B language

State oriented

S1 S2

14

B language

State oriented

S1 S2

Hoare logic

14

B language

State oriented

S1 S2

Hoare logic

• y := 3 3

2 x := x*x 4

14

B language

State oriented

S1 S2

Hoare logic

• y := 3 3

2 x := x*x 4 / ≔

ASSIGNMENT

14

B language

State oriented

S1 S2

Hoare logic

• y := 3 3

2 x := x*x 4 / ≔

ASSIGNMENT

, ;

COMPOSITION

14

B language

State oriented

S1 S2

Hoare logic

• y := 3 3

2 x := x*x 4 / ≔

ASSIGNMENT

, ;

COMPOSITION

∧ , ∧ if then else end

CONDITIONAL

14

B language

State oriented

S1 S2

Hoare logic

• y := 3 3

2 x := x*x 4 / ≔

ASSIGNMENT

, ;

COMPOSITION

∧ , ∧ if then else end

CONDITIONAL

∧ while do done ∧

WHILE

14

B language

State oriented

S1 S2

Hoare logic

• y := 3 3

2 x := x*x 4 / ≔

ASSIGNMENT

, ;

COMPOSITION

∧ , ∧ if then else end

CONDITIONAL

∧ while do done ∧

WHILE

→ , , →

CONSEQUENCE

14

B language

15

B language

Arithmetic

15

B language

Arithmetic

15

B language

Arithmetic

15

B language

∏ ∑ Arithmetic

15

B language

Functions and relations ∏ ∑ Arithmetic

15

B language

Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

Sets Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

Set comprehension, generalized union & intersections Sets Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

Records Set comprehension, generalized union & intersections Sets Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

Trees Records Set comprehension, generalized union & intersections Sets Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

Sequences Trees Records Set comprehension, generalized union & intersections Sets Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

B language

No algebraic data types Sequences Trees Records Set comprehension, generalized union & intersections Sets Partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions… Functions and relations ∏ ∑ Arithmetic

15

Proofs with B

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation 17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...)

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ...

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ...

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ...

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ...

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ...

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ...

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ...

Prove all predicates

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ... INITIALISATION var1 := expr || var2 := expr

Prove all predicates

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ... INITIALISATION var1 := expr || var2 := expr

Prove all predicates For each initialization, prove invariant conservations

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ... INITIALISATION var1 := expr || var2 := expr OPERATIONS varOutput1 ← fun1(i1, i2, ...) = ... varOutput2 ← fun2(i1, i2, ...) = ...

Prove all predicates For each initialization, prove invariant conservations

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ... INITIALISATION var1 := expr || var2 := expr OPERATIONS varOutput1 ← fun1(i1, i2, ...) = ... varOutput2 ← fun2(i1, i2, ...) = ...

Prove all predicates For each initialization, prove invariant conservations Show each operation conserve invariants

17

How does B method handles proofs?

Component

 Abstract machine  Refinements  Implementation

MACHINE Name(input1, input2, ...) CONSTRAINTS input1 ∈ INT ∧ input2 ∈ INT ... CONSTANTS cst1, cst2, ... VARIABLES var1, var2, ... INVARIANT var1 + var2 ∈ {x . X**(1/2) ∈ } ∧ ... ASSERTIONS predicate1 ∧ predicate2 ∧ ... INITIALISATION var1 := expr || var2 := expr OPERATIONS varOutput1 ← fun1(i1, i2, ...) = ... varOutput2 ← fun2(i1, i2, ...) = ...

Prove all predicates For each initialization, prove invariant conservations Show each operation conserve invariants

 Proof Obligations

17

Proving with B method: interactive only

18

Proving with B method: interactive only

18

Proving with B method: interactive only

18

Proving with B method: interactive only

18

Proving with B method: interactive only

18

Proving with B method: interactive only

18

Proving with B method: interactive only

18

How does B method internally prove things?

First, expressions are normalized

19

How does B method internally prove things?

First, expressions are normalized

1

19

How does B method internally prove things?

First, expressions are normalized

1 S ⊆ 1,2,3 ∈ 1 ∪ 2 ∪ 3

19

How does B method internally prove things?

(btrue => a) == a ; (bvrb(x)) & (x\a) => #x.a == a ; (bvrb(x)) & (x\b) => #x.(a & b) == (#x.a & b) THEORY SimplifyX IS (i => (j => k)) == (i & j => k) ; (a => bfalse) == not(a) ; (bfalse => a) == btrue ; (a => btrue) == btrue ;

Theory files: list of rules

20

How does B method internally prove things?

(btrue => a) == a ; (bvrb(x)) & (x\a) => #x.a == a ; (bvrb(x)) & (x\b) => #x.(a & b) == (#x.a & b) THEORY SimplifyX IS (i => (j => k)) == (i & j => k) ; (a => bfalse) == not(a) ; (bfalse => a) == btrue ; (a => btrue) == btrue ;

Theory files: list of rules 10.000 lines of rules

20

How does B method internally prove things?

(btrue => a) == a ; (bvrb(x)) & (x\a) => #x.a == a ; (bvrb(x)) & (x\b) => #x.(a & b) == (#x.a & b) THEORY SimplifyX IS (i => (j => k)) == (i & j => k) ; (a => bfalse) == not(a) ; (bfalse => a) == btrue ; (a => btrue) == btrue ;

Theory files: list of rules 10.000 lines of rules User can add rules  No safe core

20

How does B method internally prove things?

(btrue => a) == a ; (bvrb(x)) & (x\a) => #x.a == a ; (bvrb(x)) & (x\b) => #x.(a & b) == (#x.a & b) THEORY SimplifyX IS (i => (j => k)) == (i & j => k) ; (a => bfalse) == not(a) ; (bfalse => a) == btrue ; (a => btrue) == btrue ;

Theory files: list of rules 10.000 lines of rules User can add rules  No safe core

Still, we can prove a rule before adding it

20

How does B method internally prove things?

(btrue => a) == a ; (bvrb(x)) & (x\a) => #x.a == a ; (bvrb(x)) & (x\b) THEORY SimplifyX IS (i => (j => k)) == (i & j => k) ; (a => bfalse) == not(a) ; (bfalse => a) == btrue ; (a => btrue) == btrue ; P == btrue ;

Theory files: list of rules 10.000 lines of rules User can add rules  No safe core

Still, we can prove a rule before adding it

20

How does B method internally prove things?

Theory files: list of rules  No safe core 10.000 lines of rules User can add rules

THEORY SimplifyX IS (i => (j => k)) == (i & j => k) ; (a => bfalse) == not(a) ; (bfalse => a) == btrue ; (a => btrue) == btrue ;

Automatic prover

• Applies recursively rules
• Case proof
• Tactics

(btrue => a) == a ; (bvrb(x)) & (x\a) => #x.a == a ; (bvrb(x)) & (x\b) P == btrue ; Still, we can prove a rule before adding it

21

Interactive proofs

Proof construction Search information Browsing proof obligations Command repetition

22

Interactive proofs

Proof construction Search information Browsing proof obligations Command repetition Repeat (rr), loop (bb)…

22

Interactive proofs

Proof construction Search information Browsing proof obligations Command repetition Back (ba), Reset (re), Next (ne), Previous (pv), Goto (go)… Repeat (rr), loop (bb)…

22

Interactive proofs

Proof construction Search information Browsing proof obligations Command repetition Back (ba), Reset (re), Next (ne), Previous (pv), Goto (go)… Repeat (rr), loop (bb)… Search rule / hypothesis / goal, show proof, reduce PO…

22

Interactive proofs

Proof construction

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification pr

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification pr ss

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications pr ss

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications pr ss ar

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms pr ss ar

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms pr ss ar eh

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms pr ss ar eh ae

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms pr ss ar eh ae 3 ∧ 3 ∈ ∧ ∈ ⇒

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms pr ss ar eh ae

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate pr ss ar eh ae

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate pr ss ar eh ae ct

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate pr ss ar eh ae ct fh

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate pr ss ar eh ae ct fh dc

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate pr ss ar eh ae ct fh dc se

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate Operations on hypothesis deduction, add hypothesis… pr ss ar eh ae ct fh dc se

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate Operations on hypothesis deduction, add hypothesis… pr ss ar eh ae ct fh dc se dd

23

Interactive proofs

Proof construction Prover call automatic proofs & simplification Rule applications Rewrite equality applications, abstract terms Inference rules contradiction, false hypothesis, cases, instantiate Operations on hypothesis deduction, add hypothesis… pr ss ar eh ae ct fh dc se dd ah

23

Concrete case

Example: seat reservation system

Two operations: reserve a seat or free a seat Data : set of seats and sub set of taken seats

25

Thank you for listening!

Any questions?