
CONTENT / THE THREE BASIC WAYS OF INTRODUCING THEOREMS - PowerPoint PPT Presentation



Slide 1: THEOREM PROVING
Principles, Techniques, Applications
NICTA Advanced Course

Slide 2: CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
  • Lambda Calculus
  • Higher Order Logic, natural deduction
  • Term rewriting
➜ Proof & Specification Techniques
  • Inductively defined sets, rule induction
  • Datatypes, recursion, induction
  • Calculational reasoning, mathematics style proofs
  • Hoare logic, proofs about programs

Slide 3: LAST TIME ON HOL
➜ Defining HOL
➜ Higher Order Abstract Syntax
➜ Deriving proof rules
➜ More automation

Slide 4: THE THREE BASIC WAYS OF INTRODUCING THEOREMS
➜ Axioms:
  Example: axioms refl: "t = t"
  Do not use. Evil. Can make your logic inconsistent.
➜ Definitions:
  Example: defs inj_def: "inj f ≡ ∀x y. f x = f y ⟶ x = y"
➜ Proofs:
  Example: lemma "inj (λx. x + 1)"
  The harder, but safe choice.

Slide 5: THE THREE BASIC WAYS OF INTRODUCING TYPES
➜ typedecl: by name only
  Example: typedecl names
  Introduces new type names without any further assumptions
➜ types: by abbreviation
  Example: types α rel = "α ⇒ α ⇒ bool"
  Introduces abbreviation rel for existing type α ⇒ α ⇒ bool
  Type abbreviations are immediately expanded internally
➜ typedef: by definition as a set
  Example: typedef new_type = "{some set}" <proof>
  Introduces a new type as a subset of an existing type.
  The proof shows that the set on the rhs is non-empty.

Slide 6 and Slide 7: HOW TYPEDEF WORKS
(diagram: an existing type containing a subset, the new type, and the two functions Rep and Abs between them)

Slide 8: EXAMPLE: PAIRS
➀ Pick existing type: α ⇒ β ⇒ bool
➁ Identify subset: (α, β) Prod = {f. ∃a b. f = λ(x::α) (y::β). x = a ∧ y = b}
➂ We get from Isabelle:
  • functions Abs_Prod, Rep_Prod
  • both injective
  • Abs_Prod (Rep_Prod x) = x
➃ We now can:
  • define constants Pair, fst, snd in terms of Abs_Prod and Rep_Prod
  • derive all characteristic theorems
  • forget about Rep/Abs, use characteristic theorems instead

Slide 9: DEMO: INTRODUCING NEW TYPES

Slide 10: TERM REWRITING

Slide 11: THE PROBLEM
Given a set of equations
  l₁ = r₁
  l₂ = r₂
  ...
  lₙ = rₙ
does equation l = r hold?
Applications in:
➜ Mathematics (algebra, group theory, etc)
➜ Functional Programming (model of execution)
➜ Theorem Proving (dealing with equations, simplifying statements)

Slide 12: TERM REWRITING: THE IDEA
use equations as reduction rules
  l₁ → r₁
  l₂ → r₂
  ...
  lₙ → rₙ
decide l = r by deciding l ↔* r

Slide 13: ARROW CHEAT SHEET
  →⁰    = {(x, y) | x = y}      identity
  →ⁿ⁺¹  = →ⁿ ∘ →                (n+1)-fold composition
  →⁺    = ⋃_{i>0} →ⁱ            transitive closure
  →*    = →⁺ ∪ →⁰               reflexive transitive closure
  →⁼    = → ∪ →⁰                reflexive closure
  →⁻¹   = {(y, x) | x → y}      inverse
  ←     = →⁻¹                   inverse
  ↔     = ← ∪ →                 symmetric closure
  ↔⁺    = ⋃_{i>0} ↔ⁱ            transitive symmetric closure
  ↔*    = ↔⁺ ∪ ↔⁰               reflexive transitive symmetric closure

Slide 14: HOW TO DECIDE l ↔* r
Same idea as for β: look for n such that l →* n and r →* n.
Does this always work?
  If l →* n and r →* n then l ↔* r. Ok.
  If l ↔* r, will there always be a suitable n? No!
Example: Rules: f x → a, g x → b, f (g x) → b
  f x ↔* g x because f x → a ← f (g x) → b ← g x
  But: f x → a and g x → b, and a, b in normal form
Works only for systems with Church-Rosser property:
  l ↔* r ⟹ ∃n. l →* n ∧ r →* n
Fact: → is Church-Rosser iff it is confluent.

Slide 15: CONFLUENCE
(diagram: s →* x and s →* y, then x →* t and y →* t)
Problem: is a given set of reduction rules confluent? undecidable
Local Confluence: (diagram: s → x and s → y, then x →* t and y →* t)
Fact: local confluence and termination ⟹ confluence

Slide 16: TERMINATION
→ is terminating if there are no infinite reduction chains
→ is normalizing if each element has a normal form
→ is convergent if it is terminating and confluent
Example:
  →β in λ is not terminating, but confluent
  →β in λ→ is terminating and confluent, i.e. convergent
Problem: is a given set of reduction rules terminating? undecidable

Slide 17: WHEN IS → TERMINATING?
Basic Idea: when the rᵢ are in some way simpler than the lᵢ
More formally: → is terminating when there is a well founded order < in which rᵢ < lᵢ for all rules.
(well founded = no infinite decreasing chains a₁ > a₂ > ...)
Example: f (g x) → g x, g (f x) → f x
This system always terminates. Reduction order:
  s <r t iff size(s) < size(t) with size(s) = number of function symbols in s
  ➀ g x <r f (g x) and f x <r g (f x)
  ➁ <r is well founded, because < is well founded on ℕ

Slide 18: TERM REWRITING IN ISABELLE
Term rewriting engine in Isabelle is called Simplifier
apply simp
➜ uses simplification rules
➜ (almost) blindly from left to right
➜ until no rule is applicable.
termination: not guaranteed (may loop)
confluence: not guaranteed (result may depend on which rule is used first)

Slide 19: CONTROL
➜ Equations turned into simplification rules with [simp] attribute
➜ Adding/deleting equations locally:
  apply (simp add: <rules>) and apply (simp del: <rules>)
➜ Using only the specified set of equations:
  apply (simp only: <rules>)

Slide 20: DEMO
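As an added example (not part of the slides), a minimal Python term rewriter that replays slide 14's non-confluent rules, slide 17's size-ordered rules and slide 18's "blindly from left to right, may loop" behaviour. The term encoding, the function names and the commutativity rule COMM are my own construction.

```python
# Added example, not from the slides: a minimal first-order term rewriter that
# replays the lecture's examples. A term is a variable (str) or (symbol, *args).
def match(pat, term, subst):
    """Match pattern pat against term, extending subst; None on failure."""
    if isinstance(pat, str):  # pattern variable: bind it, or check the old binding
        return subst if subst.setdefault(pat, term) == term else None
    if isinstance(term, str) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def inst(term, subst):
    """Instantiate the pattern variables of term under subst."""
    if isinstance(term, str):
        return subst.get(term, term)
    return (term[0],) + tuple(inst(t, subst) for t in term[1:])

def step(term, rules):
    """One outermost step with the first fitting rule (the Simplifier's
    'blindly from left to right'); None when term is in normal form."""
    if isinstance(term, str):
        return None
    for lhs, rhs in rules:
        s = match(lhs, term, {})
        if s is not None:
            return inst(rhs, s)
    for i in range(1, len(term)):  # no rule fits at the root: try the arguments
        new = step(term[i], rules)
        if new is not None:
            return term[:i] + (new,) + term[i + 1:]
    return None

def normalize(term, rules, fuel=100):
    """Rewrite until no rule applies; None if fuel runs out (rules may loop)."""
    for _ in range(fuel):
        nxt = step(term, rules)
        if nxt is None:
            return term
        term = nxt
    return None

def size(term):  # number of function symbols: the slides' reduction order
    return 0 if isinstance(term, str) else 1 + sum(size(t) for t in term[1:])
def terminates_by_size(rules):  # sufficient check: every rhs smaller than its lhs
    return all(size(r) < size(l) for l, r in rules)

NONCONF = [(('f', 'x'), ('a',)), (('g', 'x'), ('b',)), (('f', ('g', 'x')), ('b',))]  # slide 14
SHRINK = [(('f', ('g', 'x')), ('g', 'x')), (('g', ('f', 'x')), ('f', 'x'))]  # slide 17
COMM = [(('+', 'x', 'y'), ('+', 'y', 'x'))]  # constructed: commutativity never terminates
```

Normalizing f (g x) with NONCONF gives a, but b once the rules are listed in the opposite order, which is exactly the order-dependence of slide 14. terminates_by_size is only a sufficient test: it rejects NONCONF because a and f x have the same size, even though that system does terminate.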

Slide 21: ISAR: A LANGUAGE FOR STRUCTURED PROOFS

Slide 22: ISAR
apply scripts
➜ unreadable
➜ hard to maintain
➜ do not scale
No structure.
What about..
➜ Elegance?
➜ Explaining deeper insights?
➜ Large developments?
Isar!

Slide 23: A TYPICAL ISAR PROOF
  proof
    assume formula₀
    have formula₁ by simp
    ...
    have formulaₙ by blast
    show formulaₙ₊₁ by ...
  qed
proves formula₀ ⟹ formulaₙ₊₁
(analogous to assumes / shows in lemma statements)

Slide 24: ISAR CORE SYNTAX
  proof       = proof [method] statement* qed
              | by method
  method      = (simp ...) | (blast ...) | (rule ...) | ...
  statement   = fix variables                                 (⋀)
              | assume proposition                            (⟹)
              | [from name+] (have | show) proposition proof
              | next                                          (separates subgoals)
  proposition = [name:] formula

Slide 25: PROOF AND QED
proof [method] statement* qed
  lemma "⟦A; B⟧ ⟹ A ∧ B"
  proof (rule conjI)
    assume A: "A"
    from A show "A" by assumption
  next
    assume B: "B"
    from B show "B" by assumption
  qed
➜ proof (<method>) applies method to the stated goal
➜ proof applies a single rule that fits
➜ proof - does nothing to the goal

Slide 26: HOW DO I KNOW WHAT TO ASSUME AND SHOW?
Look at the proof state!
  lemma "⟦A; B⟧ ⟹ A ∧ B"
  proof (rule conjI)
➜ proof (rule conjI) changes proof state to
  1. ⟦A; B⟧ ⟹ A
  2. ⟦A; B⟧ ⟹ B
➜ so we need 2 shows: show "A" and show "B"
➜ We are allowed to assume A, because A is in the assumptions of the proof state.

Slide 27: THE THREE MODES OF ISAR
➜ [prove]: goal has been stated, proof needs to follow.
➜ [state]: proof block has opened or subgoal has been proved, new from statement, goal statement or assumptions can follow.
➜ [chain]: from statement has been made, goal statement needs to follow.
  lemma "⟦A; B⟧ ⟹ A ∧ B"      [prove]
  proof (rule conjI)            [state]
    assume A: "A"               [state]
    from A                      [chain]
    show "A"                    [prove]
    by assumption               [state]
  next                          [state]
    ...

Slide 28: HAVE
Can be used to make intermediate steps.
Example:
  lemma "(x::nat) + 1 = 1 + x"
  proof -
    have A: "x + 1 = Suc x" by simp
    have B: "1 + x = Suc x" by simp
    show "x + 1 = 1 + x" by (simp only: A B)
  qed

Slide 29: DEMO: ISAR PROOFS

Slide 30: WE HAVE LEARNED TODAY ...
➜ Introducing new Types
➜ Equations and Term Rewriting
➜ Confluence and Termination of reduction systems
➜ Term Rewriting in Isabelle
➜ First structured proofs (Isar)

Slide 31: EXERCISES
➜ use typedef to define a new type v with exactly one element.
➜ define a constant u of type v
➜ show that every element of v is equal to u
➜ design a set of rules that turns formulae with ∧, ∨, ⟶, ¬ into disjunctive normal form (= disjunction of conjunctions with negation only directly on variables)
➜ prove those rules in Isabelle
➜ use simp only with these rules on (¬B ⟶ C) ⟶ A ⟶ B
