Advanced Formal Methods
Lecture 6: Isabelle - HOL
Mads Dam
KTH/CSC
Course 2D1453, 2006-07
Material from L. Paulson
What Is Higher Order Logic?
Propositional logic
No quantifiers
All variables have type bool
First Order Logic
Quantification over values of base type
Terms and formulas are syntactically distinct
Higher Order Logic
Quantification over functions and predicates
Consistency by typing
Formula = term of type bool
Predicate = function with codomain bool
Simply typed λ-calculus (λ→) + a few types and constants
Natural Deduction
Two kinds of rules for each logical operator ⊕:
Introduction rules: How can A ⊕ B be proved?
Elimination rules: What can be inferred from A ⊕ B?
Natural deduction calculus:
Proof trees may have unproven leaves = assumptions
Assumptions can be introduced and discharged
Sequent calculus:
All assumptions (and alternative conclusions) represented explicitly in proof judgments
Rule Notation
Write

    A1 ... An
    ---------- RuleName
        A

instead of ⟦A1; ...; An⟧ ⟹ A
In other words: Stipulating an inference rule "RuleName" is the same as declaring the Isabelle metalogic term ⟦A1; ...; An⟧ ⟹ A to be provable by the named rule
Derived rule: ⟦A1; ...; An⟧ ⟹ A is provable in Isabelle's metalogic
Natural Deduction, Propositional Logic
(rules written in the metalogic form of the previous slide; Isabelle's own rule names in brackets)
∧I [conjI]: ⟦A; B⟧ ⟹ A ∧ B
∧E [conjE]: ⟦A ∧ B; ⟦A; B⟧ ⟹ C⟧ ⟹ C
∨I1 [disjI1]: A ⟹ A ∨ B
∨I2 [disjI2]: B ⟹ A ∨ B
∨E [disjE]: ⟦A ∨ B; A ⟹ C; B ⟹ C⟧ ⟹ C
⟶I [impI]: (A ⟹ B) ⟹ A ⟶ B
⟶E [impE]: ⟦A ⟶ B; A; B ⟹ C⟧ ⟹ C
iffI: ⟦A ⟹ B; B ⟹ A⟧ ⟹ A = B
iffD1: A = B ⟹ (A ⟹ B)
iffD2: A = B ⟹ (B ⟹ A)
¬I [notI]: (A ⟹ False) ⟹ ¬A
¬E [notE]: ⟦¬A; A⟧ ⟹ C
D for "definition"
Equality
Exercise 1: Prove that the following rules are derived:
=I (refl): t = t (no premises)
=E: ⟦s = t; A[s/x]⟧ ⟹ A[t/x]
Sym: s = t ⟹ t = s
Trans: ⟦r = s; s = t⟧ ⟹ r = t
=E': ⟦s = t; A[s/x]; A[t/x] ⟹ C⟧ ⟹ C
More Rules
ccontr and classical are not derivable from the other rules
They make the logic "classical", i.e. non-constructive
mp: ⟦A ⟶ B; A⟧ ⟹ B
ccontr: (¬A ⟹ False) ⟹ A
classical: (¬A ⟹ A) ⟹ A
Proof by Assumption
Implicit in Isabelle's metalogic:
⟦A1; ...; An⟧ ⟹ Ai is provable for any i, 1 ≤ i ≤ n
In Isabelle:
apply assumption
proves
1. ⟦B1; ...; Bn⟧ ⟹ C
by unifying C with some Bi, 1 ≤ i ≤ n
Note: This may cause backtracking!
Rule Application
Rule: ⟦A1; ...; An⟧ ⟹ A
Subgoal:
1. ⟦B1; ...; Bm⟧ ⟹ C
Substitution σ with:
σ(A) == σ(C)
(recall: == means "same term as")
New subgoals:
1. σ(⟦B1; ...; Bm⟧ ⟹ A1)
...
n. σ(⟦B1; ...; Bm⟧ ⟹ An)
Command:
apply (rule <RuleName>)
Exercises
Exercise 2: Prove the following in HOL. Pen and paper is fine. If you use Isabelle, use only basic HOL rules corresponding to the rules given in the previous slides, no simplifiers.
1. A ∨ (B ∨ C) ⟶ (A ∨ B) ∨ C
2. (A ⟶ (B ⟶ C)) ⟶ (A ∧ B) ⟶ C
3. A ∨ A ⟶ A ∧ A
4. A ∨ B ⟶ ¬A ⟶ B
5. A ∧ (B ∨ C) ⟶ (A ∧ B) ∨ C
6. (A ∧ ¬B) ∨ (B ∧ ¬A) = (A = ¬B)
7. ¬(A ∧ B) ⟶ (¬A) ∨ (¬B)
Elimination Rules in Isabelle
Tactic erule assumes that the first rule premise is the assumption to be eliminated:
apply (erule <RuleName>)
Example:
Rule: ⟦?P ∧ ?Q; ⟦?P; ?Q⟧ ⟹ ?R⟧ ⟹ ?R
Subgoal: ⟦X; A ∧ B; Y⟧ ⟹ Z
Unifier: ?R == Z, ?P == A, ?Q == B
New subgoal: ⟦X; Y⟧ ⟹ ⟦A; B⟧ ⟹ Z
Same as: ⟦X; Y; A; B⟧ ⟹ Z
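The rule/erule/assumption mechanics of the last three slides as an Isabelle/HOL theory, an example added here rather than taken from the lecture material. It assumes a current Isabelle with the Main theory, uses the ASCII input syntax ([| ... |] ==> for ⟦ ... ⟧ ⟹, & for ∧) and Isabelle's rule names conjI/conjE; the theory and lemma names are hypothetical.

```isabelle
theory Lecture6_Erule
  imports Main
begin

(* Slide names -> Isabelle names: &I = conjI, &E = conjE.  ASCII input syntax:
   [| ... |] ==> is the meta-level "assumptions imply goal", & is conjunction. *)

(* The subgoal of the erule example, with a conclusion that needs both conjuncts. *)
lemma erule_demo: "[| X; A & B; Y |] ==> B & A"
  (* erule conjE: premise ?P & ?Q unifies with assumption A & B, which is
     removed; the rule's second premise contributes A and B as new assumptions.
     1. [| X; Y; A; B |] ==> B & A *)
  apply (erule conjE)
  (* rule conjI: conclusion ?P & ?Q unifies with B & A, leaving two subgoals
     1. [| X; Y; A; B |] ==> B
     2. [| X; Y; A; B |] ==> A *)
  apply (rule conjI)
  (* assumption closes each subgoal by unifying its conclusion with some B_i *)
   apply assumption
  apply assumption
  done

(* Same goal with rule conjE instead of erule: the major premise ?P & ?Q is not
   matched against an assumption but becomes a fresh subgoal, and ?P, ?Q are only
   fixed when that subgoal is closed by assumption (which may backtrack). *)
lemma rule_vs_erule: "[| X; A & B; Y |] ==> B & A"
  apply (rule conjE)
  (* 1. [| X; A & B; Y |] ==> ?P & ?Q
     2. [| X; A & B; Y; ?P; ?Q |] ==> B & A *)
   apply assumption            (* ?P := A, ?Q := B *)
  apply (rule conjI)
   apply assumption
  apply assumption
  done

end
```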
Safe and Unsafe Rules
Recall: Rules are applied bottom up
Safe rules: Provability is preserved (in the bottom-up direction)
Examples: ∧I, ⟶I, ¬I, iffI, refl, ccontr, classical, ∧E, ∨E
Unsafe rules: Can turn a provable goal into an unprovable one
Examples: ∨I1, ∨I2, ⟶E, iffD1, iffD2, ¬E
⟹ vs. ⟶
Theorems should be written as
⟦A1; ...; An⟧ ⟹ A
not as
A1 ∧ ... ∧ An ⟶ A
Exception: The induction variable must not occur in premises
Example:
⟦A; B(x)⟧ ⟹ C(x), not good
Use instead: A ⟹ B(x) ⟶ C(x)
Predicate Logic - Parameters
Subgoal:
1. ⋀x1 ... xn. Formula
The xi are parameters of the subgoal
Intuition: Local constants, arbitrary but fixed values
Rules are automatically lifted over ⋀x1 ... xn and applied directly to Formula
Scope
Scope of parameters: Whole subgoal
Scope of HOL connectives:
Never extends to the meta-level,
i.e. ends with ; or ⟹
⋀x y. ⟦∀y. P y ⟶ Q z y; Q x y⟧ ⟹ ∃x. Q x y
means
⋀x y. ⟦(∀y1. P y1 ⟶ Q z y1); Q x y⟧ ⟹ ∃x1. Q x1 y
Natural Deduction, Predicate Logic
• ∀I and ∃E introduce new parameters (⋀x)
• ∃I and ∀E introduce new unknowns (?x)
∀I: (⋀x. P x) ⟹ ∀x. P x
∀E: ⟦∀x. P x; P ?x ⟹ R⟧ ⟹ R
∃I: P ?x ⟹ ∃x. P x
∃E: ⟦∃x. P x; ⋀x. P x ⟹ R⟧ ⟹ R
Instantiating Rules
apply (rule_tac x = t in <rule>)
Acts as <rule>, but ?x in <rule> is instantiated to t before application
erule_tac is similar
So: x is a variable in <rule>, not in the goal
Two Successful Proofs
1. ∀x. ∃y. x = y
apply (rule ∀I)
1. ⋀x. ∃y. x = y
Best practice (simpler and clearer):
apply (rule_tac x = "x" in ∃I)
1. ⋀x. x = x
apply (rule refl)
Exploration (shorter and trickier):
apply (rule ∃I)
1. ⋀x. x = ?y x
apply (rule refl)
?y is instantiated to λz. z
Two Unsuccessful Proofs
1. ∃y. ∀x. x = y
apply (rule_tac x = ??? in ∃I)
???
apply (rule ∃I)
1. ∀x. x = ?y
apply (rule ∀I)
1. ⋀x. x = ?y
apply (rule refl)
?y := x would yield ⋀x'. x' = x, but ?y was created before the parameter x and so cannot depend on it
???
Safe and Unsafe Rules
Safe: ∀I, ∃E
Unsafe: ∀E, ∃I
Create parameters first, unknowns later
Exercises, Predicate Logic
Exercise 3: Prove or disprove the following formulas. If you prove a formula, use Isabelle, as in exercise 2. For a disproof it is sufficient to show that the formula is false in ordinary first-order logic.
1. ∀x. ∀y. R x y = ∀y. ∀x. R x y
2. (∃x. P x) ∨ (∃y. Q y) = ∃z. (P z) ∨ (Q z)
3. ¬∀x. P x ⟹ ∃y. ¬(P y)
4. ∃x. (P x ⟶ ∀y. P y)
Renaming Parameters
Be careful with Isabelle-generated names
1. ∀x. ∃y. x = y
apply (rule ∀I)
1. ⋀x. ∃y. x = y
apply (rule_tac x = "x" in ∃I)
What if the above is used in a context which already knows some x? Instead:
apply (rename_tac xxx)
1. ⋀xxx. ∃y. xxx = y
apply (rule_tac x = "xxx" in ∃I)
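The quantifier proofs of the preceding slides (best practice, exploration, the unsuccessful attempt, and rename_tac) as one Isabelle/HOL theory, an example added here and not part of the lecture material. It assumes a current Isabelle with Main, ASCII input syntax (ALL/EX for ∀/∃, !! for ⋀) and the Isabelle rule names allI/exI for the slides' ∀I/∃I; theory and lemma names are hypothetical.

```isabelle
theory Lecture6_Quantifiers
  imports Main
begin

(* Slide names -> Isabelle names: ALL-I = allI, EX-I = exI.
   ASCII input syntax: ALL = forall, EX = exists, !! = meta-level "for all". *)

(* "Best practice": name the parameter ourselves, then give the witness explicitly. *)
lemma all_ex_eq: "ALL x. EX y. x = y"
  apply (rule allI)                  (* 1. !!x. EX y. x = y      x is now a parameter *)
  apply (rename_tac xxx)             (* 1. !!xxx. EX y. xxx = y  our own name, no clash *)
  apply (rule_tac x = "xxx" in exI)  (* 1. !!xxx. xxx = xxx      ?x of exI := xxx *)
  apply (rule refl)
  done

(* "Exploration": let unification find the witness; ?y may depend on x because
   the parameter x was created before the unknown ?y. *)
lemma all_ex_eq': "ALL x. EX y. x = y"
  apply (rule allI)
  apply (rule exI)                   (* 1. !!x. x = ?y x *)
  apply (rule refl)                  (* unifier: ?y := %z. z *)
  done

(* The unsuccessful attempt: the unknown ?y is created before the parameter x,
   so ?y cannot mention x and refl would fail.  The formula is in fact false for
   any type with two or more elements; `oops` abandons the proof. *)
lemma "EX y. ALL x. x = y"
  apply (rule exI)                   (* 1. ALL x. x = ?y *)
  apply (rule allI)                  (* 1. !!x. x = ?y   note: ?y, not ?y x *)
  oops

end
```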
Forward Proof
"Forward" rule: A1 ⟹ A
Subgoal: 1. ⟦B1; ...; Bm⟧ ⟹ C
Substitution σ with: σ(Bi) == σ(A1)
New subgoal: 1. σ(⟦B1; ...; Bm; A⟧ ⟹ C)
Command:
apply (frule <rule>)
Like frule but deletes Bi:
apply (drule <rule>)
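Forward proof with frule and drule as an Isabelle/HOL theory, an example added here and not part of the lecture material. It assumes a current Isabelle with Main and ASCII input syntax; the single-premise rules conjunct1 (A ∧ B ⟹ A) and conjunct2 (A ∧ B ⟹ B) are Isabelle's own, while theory and lemma names are hypothetical.

```isabelle
theory Lecture6_Forward
  imports Main
begin

(* A "forward" rule in the slide's sense has one premise A1 and conclusion A:
     conjunct1: ?P & ?Q ==> ?P        conjunct2: ?P & ?Q ==> ?Q *)

(* frule keeps the matched assumption B_i and appends the conclusion A. *)
lemma frule_demo: "[| A & B; C |] ==> A"
  apply (frule conjunct1)            (* 1. [| A & B; C; A |] ==> A *)
  apply assumption
  done

(* drule deletes the matched assumption B_i instead. *)
lemma drule_demo: "[| A & B; C |] ==> B"
  apply (drule conjunct2)            (* 1. [| C; B |] ==> B *)
  apply assumption
  done

(* Chaining forward steps: both conjuncts are needed, so the first step uses
   frule (A & B survives for the second step) and the second uses drule
   (A & B is consumed once nothing else needs it). *)
lemma both_needed: "[| A & B; C |] ==> B & A"
  apply (frule conjunct2)            (* 1. [| A & B; C; B |] ==> B & A *)
  apply (drule conjunct1)            (* 1. [| C; B; A |] ==> B & A *)
  apply (rule conjI)
   apply assumption
  apply assumption
  done

end
```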