
Theorem Proving: Principles, Techniques, Applications (Health Warning: Theorem Proving is addictive) – PowerPoint presentation



Slide 1: THEOREM PROVING: Principles, Techniques, Applications
Gerwin Klein, Formal Methods, NICTA Advanced Course
Health Warning: Theorem Proving is addictive

Slide 2: ORGANISATORIALS
When: Mon 14:00 – 15:30, Wed 10:30 – 12:00
7 weeks, ends Mon, 20.9.2004
Exceptions: Mon 6.9., 13.9., 20.9. at 15:00 – 16:30
Web page: http://www.cse.unsw.edu.au/~kleing/teaching/thprv-04/
free – no credits – no assignments

Slide 3: WHAT YOU WILL LEARN
➜ how to use a theorem prover
➜ background, how it works
➜ how to prove and specify

Slide 4: WHAT YOU WILL NOT LEARN
➜ semantics / model theory
➜ soundness / completeness proofs
➜ decision procedures

Slide 5: CONTENT
➜ Intro & motivation, getting started with Isabelle (today)
➜ Foundations & Principles
  • Lambda Calculus
  • Higher Order Logic, natural deduction
  • Term rewriting
➜ Proof & Specification Techniques
  • Datatypes, recursion, induction
  • Inductively defined sets, rule induction
  • Calculational reasoning, mathematics style proofs
  • Hoare logic, proofs about programs

Slide 6: CREDITS
material (in part) shamelessly stolen from
Tobias Nipkow, Larry Paulson, Markus Wenzel, David Basin, Burkhardt Wolff
Don't blame them, errors are mine

Slide 7: WHAT IS A PROOF?
to prove (Merriam-Webster)
➜ from Latin probare (test, approve, prove)
➜ to learn or find out by experience (archaic)
➜ to establish the existence, truth, or validity of (by evidence or logic)
prove a theorem, the charges were never proved in court
pops up everywhere
➜ politics (weapons of mass destruction)
➜ courts (beyond reasonable doubt)
➜ religion (god exists)
➜ science (cold fusion works)

Slide 8: WHAT IS A MATHEMATICAL PROOF?
In mathematics, a proof is a demonstration that, given certain axioms, some statement of interest is necessarily true. (Wikipedia)
Example: √2 is not rational.
Proof: assume there is r ∈ Q such that r² = 2. Hence there are mutually prime p and q with r = p/q. Thus 2q² = p², i.e. p² is divisible by 2. 2 is prime, hence it also divides p, i.e. p = 2s. Substituting this into 2q² = p² and dividing by 2 gives q² = 2s². Hence, q is also divisible by 2. Contradiction. Qed.

Slide 9: NICE, BUT..
➜ still not rigorous enough for some
  • what are the rules?
  • what are the axioms?
  • how big can the steps be?
  • what is obvious or trivial?
➜ informal language, easy to get wrong
➜ easy to miss something, easy to cheat
Theorem. A cat has nine tails.
Proof. No cat has eight tails. Since one cat has one more tail than no cat, it must have nine tails.

Slide 10: WHAT IS A FORMAL PROOF?
A derivation in a formal calculus
Example: A ∧ B → B ∧ A derivable in the following system
Rules (premises / conclusion):
  (assumption)  X ∈ S  /  S ⊢ X
  (impI)        S ∪ {X} ⊢ Y  /  S ⊢ X → Y
  (conjI)       S ⊢ X,  S ⊢ Y  /  S ⊢ X ∧ Y
  (conjE)       S ∪ {X, Y} ⊢ Z  /  S ∪ {X ∧ Y} ⊢ Z
Proof:
  1. {A, B} ⊢ B (by assumption)
  2. {A, B} ⊢ A (by assumption)
  3. {A, B} ⊢ B ∧ A (by conjI with 1 and 2)
  4. {A ∧ B} ⊢ B ∧ A (by conjE with 3)
  5. {} ⊢ A ∧ B → B ∧ A (by impI with 4)

Slide 11: WHAT IS A THEOREM PROVER?
Implementation of a formal logic on a computer.
➜ fully automated (propositional logic)
➜ automated, but not necessarily terminating (first order logic)
➜ with automation, but mainly interactive (higher order logic)
➜ based on rules and axioms
➜ can deliver proofs
There are other (algorithmic) verification tools:
➜ model checking, static analysis, ...
➜ usually do not deliver proofs

Slide 12: WHY THEOREM PROVING?
➜ Analysing systems/programs thoroughly
➜ Finding design and specification errors early
➜ High assurance (mathematical, machine checked proof)
➜ it's not always easy
➜ it's fun

Slide 13: WHY ISABELLE?
Main theorem proving system for this course: Isabelle
➜ free
➜ widely used system
➜ active development
➜ high expressiveness and automation
➜ reasonably easy to use
➜ (and because I know it best ;-))
We will see other systems, too: HOL4, Coq, Waldmeister

Slide 14: WHAT IS ISABELLE?
A generic interactive proof assistant
➜ generic: not specialised to one particular logic (two large developments: HOL and ZF, will mainly use HOL)
➜ interactive: more than just yes/no, you can interactively guide the system
➜ proof assistant: helps to explore, find, and maintain proofs

Slide 16: IF I PROVE IT ON THE COMPUTER, IT IS CORRECT, RIGHT?

Slide 17: IF I PROVE IT ON THE COMPUTER, IT IS CORRECT, RIGHT?
No, because:
➀ hardware could be faulty
➁ operating system could be faulty
➂ implementation runtime system could be faulty
➃ compiler could be faulty
➄ implementation could be faulty
➅ logic could be inconsistent
➆ theorem could mean something else

Slide 18: IF I PROVE IT ON THE COMPUTER, IT IS CORRECT, RIGHT?
No, but the probability for each is reduced:
➜ 1 and 2 reduced by using different systems
➜ 3 and 4 reduced by using different compilers
➜ faulty implementation reduced by right architecture
➜ inconsistent logic reduced by implementing and analysing it
➜ wrong theorem reduced by expressive/intuitive logics
No guarantees, but assurance way higher than manual proof

Slide 19: SOUNDNESS ARCHITECTURES
➜ careful implementation: PVS
➜ LCF approach, small proof kernel: HOL4, Isabelle
➜ explicit proofs + proof checker: Coq, Twelf, Isabelle

Slide 20: META LOGIC
Meta language: The language used to talk about another language.
Examples: English in a Spanish class, English in an English class
Meta logic: The logic used to formalize another logic
Example: Mathematics used to formalize derivations in formal logic
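The five-step derivation on slide 10 and the "small proof kernel" idea of slide 19 fit together in a few lines of code. The Python below is an added example, not code from the course or from Isabelle's actual kernel: the names Thm, assumption, impI, conjI, conjE, swap_conj and can_forge are mine, and the module-private token that guards the Thm constructor is my stand-in for the abstract datatype that Standard ML uses to enforce the LCF discipline.

```python
# Added example (not from the slides or from Isabelle): a toy LCF-style kernel
# for the four sequent rules of slide 10.  The only way to obtain a Thm is via
# a rule function, so every Thm that exists is a derivable sequent (slide 19).
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Union


@dataclass(frozen=True)
class Var:
    name: str
    def __str__(self) -> str:
        return self.name


@dataclass(frozen=True)
class Imp:  # X --> Y
    a: "Formula"
    b: "Formula"
    def __str__(self) -> str:
        return f"({self.a} --> {self.b})"


@dataclass(frozen=True)
class And:  # X & Y
    a: "Formula"
    b: "Formula"
    def __str__(self) -> str:
        return f"({self.a} & {self.b})"


Formula = Union[Var, Imp, And]

# Python has no real access control, so the rules pass this module-private
# sentinel to Thm.__init__ and any other caller is refused (an assumption of
# this example; ML's abstract type does this statically).
_KERNEL = object()


class Thm:
    """A derived sequent S ⊢ X.  Built only by the rule functions below."""
    __slots__ = ("hyps", "concl")

    def __init__(self, hyps: Iterable[Formula], concl: Formula, _token=None):
        if _token is not _KERNEL:
            raise PermissionError("theorems may only be built by kernel rules")
        self.hyps: FrozenSet[Formula] = frozenset(hyps)
        self.concl = concl

    def __repr__(self) -> str:
        return "{" + ", ".join(sorted(map(str, self.hyps))) + "} ⊢ " + str(self.concl)


def assumption(hyps: Iterable[Formula], x: Formula) -> Thm:
    """(assumption)  X ∈ S  /  S ⊢ X"""
    hyps = frozenset(hyps)
    if x not in hyps:
        raise ValueError(f"{x} is not among the assumptions")
    return Thm(hyps, x, _KERNEL)


def impI(prem: Thm, x: Formula) -> Thm:
    """(impI)  S ∪ {X} ⊢ Y  /  S ⊢ X --> Y   (S taken as the premise's hyps minus X)"""
    if x not in prem.hyps:
        raise ValueError(f"{x} is not an assumption of {prem!r}")
    return Thm(prem.hyps - {x}, Imp(x, prem.concl), _KERNEL)


def conjI(p1: Thm, p2: Thm) -> Thm:
    """(conjI)  S ⊢ X   S ⊢ Y  /  S ⊢ X & Y   (both premises must share S)"""
    if p1.hyps != p2.hyps:
        raise ValueError("conjI premises must have the same assumption set")
    return Thm(p1.hyps, And(p1.concl, p2.concl), _KERNEL)


def conjE(prem: Thm, x: Formula, y: Formula) -> Thm:
    """(conjE)  S ∪ {X, Y} ⊢ Z  /  S ∪ {X & Y} ⊢ Z"""
    if x not in prem.hyps or y not in prem.hyps:
        raise ValueError(f"{x} and {y} must both be assumptions of {prem!r}")
    return Thm((prem.hyps - {x, y}) | {And(x, y)}, prem.concl, _KERNEL)


def swap_conj() -> Thm:
    """Replays the five-step derivation of slide 10: {} ⊢ A & B --> B & A."""
    A, B = Var("A"), Var("B")
    s1 = assumption({A, B}, B)   # 1. {A, B} ⊢ B            (assumption)
    s2 = assumption({A, B}, A)   # 2. {A, B} ⊢ A            (assumption)
    s3 = conjI(s1, s2)           # 3. {A, B} ⊢ B & A        (conjI 1 2)
    s4 = conjE(s3, A, B)         # 4. {A & B} ⊢ B & A       (conjE 3)
    return impI(s4, And(A, B))   # 5. {} ⊢ A & B --> B & A  (impI 4)


def can_forge(concl: Formula) -> bool:
    """True if a Thm can be built without a rule; the kernel should refuse."""
    try:
        Thm(set(), concl)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print(swap_conj())                     # {} ⊢ ((A & B) --> (B & A))
    print("forgeable:", can_forge(Var("A")))
```

Everything outside the four rule functions can only combine existing theorems, never manufacture one, which is why the trusted computing base of an LCF-style prover is the handful of rule implementations plus the language's type discipline (slide 30: "logic implemented as ADT"). The runtime check with a private token is the weakest link of this Python imitation; in Standard ML the abstract type makes the same restriction a compile-time guarantee.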

Slide 21: META LOGIC – EXAMPLE
Syntax:
  Formulae: F ::= V | F → F | F ∧ F | False
  V ::= [A – Z]
Derivable: S ⊢ X   (X a formula, S a set of formulae)
  (assumption)  X ∈ S  /  S ⊢ X
  (impI)        S ∪ {X} ⊢ Y  /  S ⊢ X → Y
  (conjI)       S ⊢ X,  S ⊢ Y  /  S ⊢ X ∧ Y
  (conjE)       S ∪ {X, Y} ⊢ Z  /  S ∪ {X ∧ Y} ⊢ Z
logic (the formulae) / meta logic (the rules about ⊢)

Slide 22: ISABELLE'S META LOGIC: ⟹
Syntax: A ⟹ B   (A, B other meta level formulae)
in ASCII: A ==> B
Binds to the right: A ⟹ B ⟹ C = A ⟹ (B ⟹ C)
Abbreviation: [[A; B]] ⟹ C = A ⟹ B ⟹ C
➜ read: A and B implies C
➜ used to write down rules, theorems, and proof states

Slide 23: ISABELLE'S META LOGIC: ⋀
Syntax: ⋀x. F   (F another meta level formula)
in ASCII: !!x. F
➜ universal quantifier on the meta level
➜ used to denote parameters
➜ example and more later
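To make the grouping rules of slides 21 and 22 concrete, here is a small parser for the ASCII form of the object syntax (F ::= V | F --> F | F & F | False) together with the meta-level ==>, its right-associativity, and the [| A; B |] ==> C abbreviation. This is an added example and not Isabelle's own parser; the precedence of & over --> is the usual one but is an assumption here, since the slides only give the grammar, and the tuple AST and the names tokenize, Parser, parse and show are mine.

```python
# Added example (not from the slides or from Isabelle): parser for the ASCII
# syntax of slides 21/22.  AST nodes are tuples: ("var", "A"), ("false",),
# ("and", l, r), ("imp", l, r) at the object level and ("meta", l, r) for ==>.
import re

TOKEN_RE = re.compile(r"\s*(\[\||\|\]|==>|-->|&|;|\(|\)|False|[A-Z])")


def tokenize(text: str) -> list:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    # Precedence, tightest first: &, -->, ==> (assumed); all associate right.
    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def eat(self, tok: str) -> None:
        if self.peek() != tok:
            raise SyntaxError(f"expected {tok!r}, found {self.peek()!r}")
        self.i += 1

    def meta(self):
        """M ::= F | M ==> M | [| M; ...; M |] ==> M"""
        if self.peek() == "[|":
            self.eat("[|")
            prems = [self.meta()]
            while self.peek() == ";":
                self.eat(";")
                prems.append(self.meta())
            self.eat("|]")
            self.eat("==>")
            concl = self.meta()
            # [| A; B |] ==> C is only an abbreviation for A ==> B ==> C
            for p in reversed(prems):
                concl = ("meta", p, concl)
            return concl
        left = self.imp()
        if self.peek() == "==>":
            self.eat("==>")
            return ("meta", left, self.meta())  # binds to the right
        return left

    def imp(self):
        """F --> F, weaker than &"""
        left = self.conj()
        if self.peek() == "-->":
            self.eat("-->")
            return ("imp", left, self.imp())
        return left

    def conj(self):
        """F & F"""
        left = self.atom()
        if self.peek() == "&":
            self.eat("&")
            return ("and", left, self.conj())
        return left

    def atom(self):
        """V | False | ( M )"""
        t = self.peek()
        if t == "(":
            self.eat("(")
            inner = self.meta()
            self.eat(")")
            return inner
        if t == "False":
            self.eat(t)
            return ("false",)
        if t is not None and len(t) == 1 and t.isupper():
            self.eat(t)
            return ("var", t)
        raise SyntaxError(f"unexpected token {t!r}")


def parse(text: str):
    p = Parser(text)
    ast = p.meta()
    if p.peek() is not None:
        raise SyntaxError(f"trailing tokens: {p.toks[p.i:]}")
    return ast


def show(ast) -> str:
    """Fully parenthesised rendering, so the associativity becomes visible."""
    if ast[0] == "var":
        return ast[1]
    if ast[0] == "false":
        return "False"
    op = {"imp": "-->", "and": "&", "meta": "==>"}[ast[0]]
    return f"({show(ast[1])} {op} {show(ast[2])})"
```

`show(parse("A ==> B ==> C"))` and `show(parse("[| A; B |] ==> C"))` both print `(A ==> (B ==> C))`, which is exactly the equation on slide 22; the parser never stores the bracket form, it only desugars it. Malformed input such as `A ==>` raises SyntaxError rather than producing a partial tree.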

Slide 25: EXAMPLE: A THEOREM
mathematics: if x < 0 and y < 0, then x + y < 0
formal logic: ⊢ x < 0 ∧ y < 0 → x + y < 0
variation: x < 0; y < 0 ⊢ x + y < 0
Isabelle: lemma "x < 0 ∧ y < 0 --> x + y < 0"
variation: lemma "[[x < 0; y < 0]] ==> x + y < 0"
variation: lemma assumes "x < 0" and "y < 0" shows "x + y < 0"

Slide 26: EXAMPLE: A RULE
logic:  X   Y  /  X ∧ Y
variation:  S ⊢ X   S ⊢ Y  /  S ⊢ X ∧ Y
Isabelle: [[X; Y]] ⟹ X ∧ Y

Slide 27: EXAMPLE: A RULE WITH NESTED IMPLICATION
logic:  X ∨ Y   [X] … Z   [Y] … Z  /  Z
variation:  S ∪ {X} ⊢ Z   S ∪ {Y} ⊢ Z  /  S ∪ {X ∨ Y} ⊢ Z
Isabelle: [[X ∨ Y; X ⟹ Z; Y ⟹ Z]] ⟹ Z

Slide 28: ISABELLE'S META LOGIC: λ
Syntax: λx. F   (F another meta level formula)
in ASCII: %x. F
➜ lambda abstraction
➜ used for functions in object logics
➜ used to encode bound variables in object logics
➜ more about this in the next lecture

Slide 29: ENOUGH THEORY!
Getting started with Isabelle

Slide 30: SYSTEM ARCHITECTURE
Proof General – user interface
HOL, ZF – object-logics
Isabelle – generic, interactive theorem prover
Standard ML – logic implemented as ADT
User can access all layers!

Slide 31: SYSTEM REQUIREMENTS
➜ Linux, MacOS X or Solaris
➜ Standard ML (PolyML fastest, SML/NJ supports more platforms)
➜ XEmacs or Emacs (for ProofGeneral)
If you do not have Linux, MacOS X or Solaris, try IsaMorph: http://www.brucker.ch/projects/isamorph/

Slide 32: DOCUMENTATION
Available from http://isabelle.in.tum.de
➜ Learning Isabelle
  • Tutorial on Isabelle/HOL (LNCS 2283)
  • Tutorial on Isar
  • Tutorial on Locales
➜ Reference Manuals
  • Isabelle/Isar Reference Manual
  • Isabelle Reference Manual
  • Isabelle System Manual
➜ Reference Manuals for Object-Logics
