

1. HOL Light: A Tutorial Introduction
John Harrison, University of Cambridge (Åbo Akademi University)

- History and evolution
- Quick rundown of features
- Real analysis theory
- Programming language semantics
- Mizar mode
- CORDIC algorithm example

John Harrison, University of Cambridge, 7 November 1996

2. HOL Light's lineage

HOL Light has evolved via:
- Edinburgh LCF (Milner et al.)
- Cambridge LCF (Paulson)
- HOL (Gordon, Melham)
- hol90 (Slind)

Other LCF-style systems include:
- Nuprl (Constable et al.)
- Coq (Huet et al.)
- Isabelle (Paulson)

3. The spectrum of theorem provers

[Diagram: theorem provers arranged along a spectrum, in the order AUTOMATH (de Bruijn), Stanford LCF (Milner), Mizar (Trybulec), ..., PVS (Owre, Rushby, Shankar), ..., NQTHM (Boyer, Moore), Otter (McCune).]

4. The LCF approach

The key ideas are:
- All theorems created by low-level primitive rules.
- Guaranteed by using an abstract type of theorems; no need to store proofs.
- ML available for implementing derived rules by arbitrary programming.

This gives advantages of reliability and extensibility. The system's source code can be completely open. The user controls the means of production (of theorems).

To improve efficiency one can:
- Encapsulate reasoning in single theorems.
- Separate proof search and proof checking.

5. Some of HOL Light's derived rules

- Simplifier for (conditional, contextual) rewriting.
- Tactic mechanism for mixed forward and backward proofs.
- Tautology checker.
- Automated theorem provers for pure logic, based on tableaux and model elimination.
- Tools for definition of (infinitary, mutually) inductive relations.
- Tools for definition of (mutually) recursive datatypes.
- Linear arithmetic decision procedures over R, Z and N.
- Differentiator for real functions.

6. Real analysis theory (1)

- Definitional construction of real numbers
- Basic topology
- General limit operations
- Sequences and series
- Limits of real functions
- Differentiation
- Power series and Taylor expansions
- Transcendental functions
- Gauge integration

7. Real analysis theory (2)

There are lots of concrete theorems, e.g.

  |- abs(abs x - abs y) <= abs (x - y)

  |- sin(x + y) = sin(x) * cos(y) + cos(x) * sin(y)

  |- tan(&n * pi) = &0

  |- &0 < x /\ &0 < y ==> (ln(x / y) = ln(x) - ln(y))

8. Real analysis theory (3)

and many general ones:

  |- f contl x /\ g contl (f x) ==> (\x. g(f x)) contl x

  |- a <= b /\ (f(a) <= y /\ y <= f(b)) /\
     (!x. a <= x /\ x <= b ==> f contl x)
     ==> (?x. a <= x /\ x <= b /\ (f(x) = y))

  |- (f diffl l)(g x) /\ (g diffl m)(x)
     ==> ((\x. f(g x)) diffl (l * m))(x)

  |- a <= b /\ (!x. a <= x /\ x <= b ==> (f diffl f'(x))(x))
     ==> Dint(a,b) f' (f(b) - f(a))

9. Our Programming Language (1)

This includes the following constructs:

  command = variable := expression
          | command ; command
          | if expression then command else command
          | if expression then command
          | while expression do command
          | do command while expression
          | skip
          | { expression }
          | [ expression ]

The language is semantically embedded in HOL using standard techniques.

10. Our Programming Language (2)

We can verify the total correctness of programs according to given pre- and post-conditions.

  |- correct p c q

corresponds to the standard total correctness assertion [p] c [q], i.e. a command c, executed in a state satisfying p, will terminate in a state satisfying q.

We can prove correctness assertions by systematically breaking down the command according to its structure. In particular, we can annotate it with `verification conditions', and so (automatically) reduce the correctness proof to the problem of verifying some assertions about the underlying mathematical domains.

11. Mizar Mode

The standard HOL proof styles (whether forward or backward) are highly procedural. They require a certain amount of `programming' from the user.

We also provide a more declarative proof style, as used in Mizar. The machine fills in the gaps in the proof for us with explicit inference steps.

For example, here is a proof of  !x. 0 <= x ==> ln(1 + x) <= x :

  let x be real;
  assume &0 <= x;
  then &0 < &1 + x by arithmetic;
  so exp(ln(&1 + x)) = &1 + x by EXP_LN;
  so suffices to show &1 + x <= exp(x) by EXP_MONO_LE;
  thus thesis by EXP_LE_X

12. Floating point correctness (1)

We want to specify the correctness according to the following diagram:

    v(a)  ---- sin ---->  sin(v(a))   ?   v(SIN(a))
     ^                                       ^
     | v                                     | v
     |                                       |
     a    ---- SIN ---->                   SIN(a)

What relationship between v(SIN(a)) and sin(v(a)) should we require?

13. Floating point correctness (2)

There are various plausible options, all of which are easy to express formally in HOL Light:
- The answer is the closest representable number to the true answer (with round to even in case of two equally close answers).
- The above is true for all but a small proportion of possible inputs.
- The absolute error is small.
- The relative error is small.
- The error is commensurate with the likely error in the input.

14. The CORDIC program

  begin var k,x,y,z;
    x := X; y := 0; k := 1;
    while k < N do
      (z := srl(n) k x;
       if ult(n) z (neg(n) x) then
         (x := add(n) x z; y := add(m) y (logs k));
       k := k + 1)
  end

where add(n), neg(n), ult(n) and srl(n) k are n-bit addition, 2s complement negation, unsigned comparison (<) and right shift by k places, respectively. The array logs contains pre-stored constants.

15. Without the prettyprinter

This shows what the underlying semantic representation looks like:

  Assign (\k,(x,(y,z)). k,(X,(y,z))) Seq
  Assign (\k,(x,(y,z)). k,(x,(0,z))) Seq
  Assign (\k,(x,(y,z)). 1,(x,(y,z))) Seq
  While (\k,(x,(y,z)). k < N)
    (Assign (\k,(x,(y,z)). k,(x,(y,srl n k x))) Seq
     If (\k,(x,(y,z)). ult n z (neg n x))
       (Assign (\k,(x,(y,z)). k,(add n x z,(y,z))) Seq
        Assign (\k,(x,(y,z)). k,(x,(add m y (logs k),z)))) Seq
     Assign (\k,(x,(y,z)). k + 1,(x,(y,z))))

However the user need not normally see this form!

16. The CORDIC program in C

  int k;
  unsigned long x,y,z;
  x = X; y = 0; k = 1;
  while (k < N)
  { z = x >> k;
    if (z < -x)
    { x = x + z;
      y = y + logs[k];
    }
    k = k + 1;
  }

(Using unsigned longs in place of the particular word sizes, for the sake of familiarity.)
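The following is an added example, not code from Harrison's slides or from HOL Light. It runs the loop of slides 14 and 16 with the n-bit operations add(n), neg(n), ult(n) and srl(n) k spelled out as masked 64-bit arithmetic, so that the word size n is a parameter rather than whatever `unsigned long` happens to be on the host. Two things the slides leave unstated are assumptions here: that logs[k] holds ln(1 + 2^-k) as a fixed-point number with FRAC_BITS fractional bits, and hence that for X in [2^(n-1), 2^n) the loop computes y close to ln(2^n / X) in that scale. The helper add_wraps makes the point of the guard ult(n) z (neg(n) x) checkable: for x != 0 it is exactly the condition that x + z does not wrap at n bits.

```c
/* Added example (not from the slides): slide 14's CORDIC program with
 * explicit n-bit semantics. Assumed: logs[k] = ln(1 + 2^-k) in fixed point
 * with FRAC_BITS fractional bits (the slides do not say what logs holds). */
#include <stdint.h>
#include <stdio.h>

#define FRAC_BITS 30   /* assumed fixed-point scale of the logs[] constants */

/* Mask selecting the low n bits (full 64-bit mask for n >= 64). */
static uint64_t mask_n(int n) {
    return n >= 64 ? ~(uint64_t)0 : (((uint64_t)1 << n) - 1);
}

/* The n-bit primitives named on slide 14. */
static uint64_t add_n(int n, uint64_t a, uint64_t b) { return (a + b) & mask_n(n); }
static uint64_t neg_n(int n, uint64_t a)             { return (0 - a) & mask_n(n); }
int             ult_n(int n, uint64_t a, uint64_t b) { return (a & mask_n(n)) < (b & mask_n(n)); }
static uint64_t srl_n(int n, int k, uint64_t a)      { return (a & mask_n(n)) >> k; }
uint64_t        neg_n_pub(int n, uint64_t a)         { return neg_n(n, a); }

/* ln(1 + 2^-k) via ln(1+t) = 2*atanh(t/(2+t)), summed as a power series
 * in u = t/(2+t) <= 1/5; avoids a libm dependency. */
double ln1p_pow2(int k) {
    double t = 1.0;
    for (int i = 0; i < k; i++) t *= 0.5;          /* t = 2^-k */
    double u = t / (2.0 + t), u2 = u * u, term = u, sum = 0.0;
    for (int i = 1; i < 60; i += 2) { sum += term / i; term *= u2; }
    return 2.0 * sum;
}

/* 1 iff the n-bit sum x + z wraps (requires n < 64 so the 64-bit sum is exact). */
int add_wraps(int n, uint64_t x, uint64_t z) {
    return (x & mask_n(n)) + (z & mask_n(n)) > mask_n(n);
}

/* Slide 14's loop: x and z are n-bit words, y is an m-bit word, N bounds k. */
uint64_t cordic_log(uint64_t X, int n, int m, int N) {
    uint64_t logs[64] = {0};
    if (N > 64) N = 64;                             /* keep shifts and indices in range */
    for (int k = 1; k < N; k++)
        logs[k] = (uint64_t)(ln1p_pow2(k) * (double)((uint64_t)1 << FRAC_BITS) + 0.5);

    uint64_t x = X & mask_n(n), y = 0;
    int k = 1;
    while (k < N) {
        uint64_t z = srl_n(n, k, x);                /* z = x >> k */
        if (ult_n(n, z, neg_n(n, x))) {             /* z < 2^n - x: x + z will not wrap */
            x = add_n(n, x, z);
            y = add_n(m, y, logs[k]);
        }
        k = k + 1;
    }
    return y;
}

int main(void) {
    /* X = 2^31 with n = 32 represents 1/2, so y should approximate ln 2 * 2^30. */
    uint64_t y = cordic_log((uint64_t)1 << 31, 32, 32, 32);
    printf("y = %llu (ln 2 * 2^30 is about 744261118)\n", (unsigned long long)y);
    return 0;
}
```

The one input on which the guard and the no-wrap condition differ is x = 0: neg(n) 0 is 0, so the guard is false even though 0 + z cannot wrap; since z = 0 >> k = 0 there, the skipped update would have been a no-op. The slide's C rendering with `unsigned long` checks `z < -x` against the host word size, so it only matches the verified n-bit program when `unsigned long` really is n bits wide.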
