

1. NICTA Advanced Course: Theorem Proving, Principles, Techniques, Applications

2. CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
  • Lambda Calculus
  • Higher Order Logic, natural deduction
  • Term rewriting
➜ Proof & Specification Techniques
  • Inductively defined sets, rule induction
  • Datatypes, recursion, induction
  • More recursion, Calculational reasoning
  • Hoare logic, proofs about programs
  • Locales, Presentation

3. LAST WEEK
➜ Constructive Logic & Curry-Howard-Isomorphism
➜ The Coq System
➜ The HOL4 system
➜ Before that: datatypes, recursion, induction

4. GENERAL RECURSION
The Choice
➜ Limited expressiveness, automatic termination
  • primrec
➜ High expressiveness, prove termination manually
  • recdef

5. RECDEF — EXAMPLES
  consts sep :: "'a × 'a list ⇒ 'a list"
  recdef sep "measure (λ(a, xs). size xs)"
    "sep (a, x # y # zs) = x # a # sep (a, y # zs)"
    "sep (a, xs) = xs"

  consts ack :: "nat × nat ⇒ nat"
  recdef ack "measure (λm. m) <*lex*> measure (λn. n)"
    "ack (0, n) = Suc n"
    "ack (Suc m, 0) = ack (m, 1)"
    "ack (Suc m, Suc n) = ack (m, ack (Suc m, n))"

6. RECDEF
➜ The definition:
  • one parameter (several arguments are tupled, as in sep and ack above)
  • free pattern matching, order of rules important
  • termination relation (measure sufficient for most cases)
➜ Termination relation:
  • must decrease for each recursive call
  • must be well founded
➜ Generates own induction principle

7. RECDEF — INDUCTION PRINCIPLE
➜ Each recdef definition induces an induction principle
➜ For each equation: show that the property holds for the lhs provided it holds for each recursive call on the rhs
➜ Example sep.induct:
  ⟦⋀a. P a []; ⋀a w. P a [w]; ⋀a x y zs. P a (y # zs) ⟹ P a (x # y # zs)⟧ ⟹ P a xs
  (the catch-all equation sep (a, xs) = xs is split into the non-overlapping cases [] and [w], which is why the rule has two base cases)

8. TERMINATION
Isabelle tries to prove termination automatically
➜ For most functions and termination relations this works.
➜ Sometimes not ⇒ error message with unsolved subgoal
➜ You can give hints (additional lemmas) to the recdef package:
  recdef quicksort "measure length"
    "quicksort [] = []"
    "quicksort (x # xs) = quicksort [y ∈ xs. y ≤ x] @ [x] @ quicksort [y ∈ xs. x < y]"
  (hints recdef_simp: less_Suc_eq_le)
  Here the unsolved subgoal has the form length [y ∈ xs. y ≤ x] < Suc (length xs); the hint rewrites m < Suc n to m ≤ n, and the remaining bound on the length of a filtered list is one the simplifier already knows.
For exploration:
➜ allow failing termination proof
➜ recdef (permissive) quicksort "measure length"
➜ termination conditions as assumption in simp and induct rules

9. DEMO

10. HOW DOES RECDEF WORK?
We need: a general recursion operator, something like
  rec F = F (rec F)
(F stands for the recursion equations)
Example:
➜ recursion equations:
  f 0 = 0
  f (Suc n) = f n
➜ as one λ-term:
  f = λn'. case n' of 0 ⇒ 0 | Suc n ⇒ f n
➜ functor:
  F = λf. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ f n
➜ rec :: ((α ⇒ β) ⇒ (α ⇒ β)) ⇒ (α ⇒ β) like above cannot exist in HOL (only total functions): for F = λf. λn. Suc (f n) the equation rec F = F (rec F) would give rec F n = Suc (rec F n) for a total function on nat, which is impossible
➜ But a 'guarded' form is possible:
  wfrec :: (α × α) set ⇒ ((α ⇒ β) ⇒ (α ⇒ β)) ⇒ (α ⇒ β)
➜ the (α × α) set is a well-founded order, decreasing with execution

11. HOW DOES RECDEF WORK?
Why rec F = F (rec F)?
Because we want the recursion equations to hold.
Example:
  F ≡ λg. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ g n
  f ≡ rec F
  f 0 = rec F 0
      = F (rec F) 0
      = (λg. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ g n) (rec F) 0
      = . . .
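To make the guarded operator of slides 10 and 11 and the termination relations of slides 5 to 8 concrete, here is an added Python model of HOL's wfrec and cut. It is not Isabelle code and not part of the course material: the names cut, wfrec, measure and lex mirror the HOL constants, UNDEFINED is an assumed sentinel standing in for HOL's unspecified value `undefined`, and a relation is modelled as a predicate r(y, x) meaning (y, x) ∈ R. The recursive function is only ever handed to the functional F in its cut form, so a call on an argument that is not R-smaller cannot recurse; it gets UNDEFINED instead, which is the HOL reason a runaway definition such as f n = f (Suc n) is harmless rather than contradictory. sep, ack and quicksort from the slides are defined through it, with the measure and lexicographic relations the slides use.

```python
# Added illustration (not Isabelle code): a Python model of HOL's wfrec/cut.
from typing import Any, Callable

UNDEFINED = object()   # assumed sentinel standing in for HOL's `undefined`

Rel = Callable[[Any, Any], bool]   # r(y, x) means (y, x) ∈ R


def cut(f: Callable, r: Rel, x: Any) -> Callable:
    """cut f R x: f restricted to arguments below x; anything else is unspecified."""
    return lambda y: f(y) if r(y, x) else UNDEFINED


def wfrec(r: Rel, F: Callable) -> Callable:
    """wfrec R F, unfolding as  wfrec R F x = F (cut (wfrec R F) R x) x.

    F only ever sees the cut function, so a call outside R yields UNDEFINED
    instead of recursing.  Assumption: R is well founded.  This model does not
    check that; with a non-well-founded R it could loop, which is exactly why
    HOL's unfolding theorem for wfrec carries the premise `wf R`.
    """
    def f(x):
        return F(cut(f, r, x), x)
    return f


def measure(m: Callable[[Any], int]) -> Rel:
    """measure m = {(y, x) | m y < m x}"""
    return lambda y, x: m(y) < m(x)


def lex(r1: Rel, r2: Rel) -> Rel:
    """r1 <*lex*> r2 on pairs: first component decreases, or it is equal and the second decreases."""
    return lambda y, x: r1(y[0], x[0]) or (y[0] == x[0] and r2(y[1], x[1]))


# Slides 10/11:  F = λf. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ f n,  f = wfrec (<) F
nat_less = measure(lambda n: n)

def F_zero(g, n):
    return 0 if n == 0 else g(n - 1)

f_zero = wfrec(nat_less, F_zero)

def unfolds(n: int) -> bool:
    """The recursion equation holds: f n = F (cut f R n) n (slide 11's unfolding)."""
    return f_zero(n) == F_zero(cut(f_zero, nat_less, n), n)


# f n = f (Suc n): the call is never measure-smaller, so it falls outside the cut.
def runaway_F(g, n):
    return g(n + 1)

runaway = wfrec(nat_less, runaway_F)   # runaway(k) is UNDEFINED for every k; no divergence


# Slide 5: sep, with measure (λ(a, xs). size xs); the catch-all covers [] and [w].
def sep_F(g, arg):
    a, xs = arg
    if len(xs) >= 2:
        x, rest = xs[0], xs[1:]          # sep (a, x # y # zs) = x # a # sep (a, y # zs)
        return [x, a] + g((a, rest))     # rest is one shorter, so the call is inside the cut
    return list(xs)                      # sep (a, xs) = xs

sep = wfrec(measure(lambda arg: len(arg[1])), sep_F)


# Slide 5: ack, with measure (λm. m) <*lex*> measure (λn. n).
def ack_F(g, arg):
    m, n = arg
    if m == 0:
        return n + 1                     # ack (0, n) = Suc n
    if n == 0:
        return g((m - 1, 1))             # ack (Suc m, 0) = ack (m, 1): first component drops
    return g((m - 1, g((m, n - 1))))     # inner call: same m, smaller n; outer call: smaller m

ack = wfrec(lex(measure(lambda m: m), measure(lambda n: n)), ack_F)


# Slide 8: quicksort with measure length.  The calls are on filtered sublists of
# the tail, so their length is at most len(rest) < len(xs): the side condition
# the recdef hint less_Suc_eq_le helps discharge.
def quicksort_F(g, xs):
    if not xs:
        return []                        # quicksort [] = []
    x, rest = xs[0], xs[1:]
    return g([y for y in rest if y <= x]) + [x] + g([y for y in rest if x < y])

quicksort = wfrec(measure(len), quicksort_F)


if __name__ == "__main__":
    print(sep(("-", [1, 2, 3])), ack((2, 3)), quicksort([5, 3, 8, 1, 9, 2]))
    print(runaway(0) is UNDEFINED, unfolds(5))
```

The only difference from HOL is what happens on a call that is not R-smaller: the model returns a sentinel that most callers would then choke on, whereas HOL simply yields an unspecified value of the right type. The well-foundedness of R is the one thing neither wfrec nor this model checks at the call site; it is the premise that recdef discharges with the termination proof discussed on slide 8.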
