Second-Order Functions and Theorems in ACL2 Alessandro Coglio Workshop 2015 Kestrel Institute.

Slides:



Advertisements
Similar presentations
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Advertisements

Semantics Static semantics Dynamic semantics attribute grammars
1 Constraint operations: Simplification, Optimization and Implication.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.
© 2006 Rockwell Collins, Inc. All rights reserved. Parameterized Congruences in ACL2 David Greve August, 2006.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
ISBN Chapter 3 Describing Syntax and Semantics.
Termination Analysis Math Foundations of Computer Science.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Winter 2004/5Pls – inductive – Catriel Beeri1 Inductive Definitions (our meta-language for specifications)  Examples  Syntax  Semantics  Proof Trees.
1st PKI Research Workshop, NIST, Gaithersburg A Note On SPKI’s Authorisation Syntax Olav Bandmann* Industrilogik L4i AB Mads Dam KTH/IMIT *Work done.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Artificial Intelligence and Lisp Lecture 6 LiU Course TDDC65 Autumn Semester, 2010
Type Inference David Walker COS 441. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
Type Inference David Walker CS 510, Fall Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs.
Lesson 6. Refinement of the Operator Model This page describes formally how we refine Figure 2.5 into a more detailed model so that we can connect it.
Describing Syntax and Semantics
1 Relational Algebra and Calculus Yanlei Diao UMass Amherst Feb 1, 2007 Slides Courtesy of R. Ramakrishnan and J. Gehrke.
Introduction to Logic for Artificial Intelligence Lecture 2 Erik Sandewall 2010.
Propositional Calculus CS 680: Formal Methods in Verification Computer Systems Jeremy Johnson.
Equational Reasoning Math Foundations of Computer Science.
1 Relational Algebra and Calculus Chapter 4. 2 Relational Query Languages  Query languages: Allow manipulation and retrieval of data from a database.
The ACL2 Proof Assistant Formal Methods Jeremy Johnson.
Theoretical basis of GUHA Definition 1. A (simplified) observational predicate language L n consists of (i) (unary) predicates P 1,…,P n, and an infinite.
Induction Schemes Math Foundations of Computer Science.
A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.
Copyright © Cengage Learning. All rights reserved. CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION.
MATH 224 – Discrete Mathematics
1 Lisp Functions –Built-in functions –Defining functions –Function Evaluation and Special Forms defun, if Control statements –Conditional if, cond –Repetition.
IFIP WG2.1 meeting, 京都市, Sep Refinement and Transformations in Specware A progress report Alessandro Coglio, Kestrel Institute Stephen Westfold,
1 Recurrences Algorithms Jay Urbain, PhD Credits: Discrete Mathematics and Its Applications, by Kenneth Rosen The Design and Analysis of.
Formal Methods in SE Lecture 20. Agenda 2  Relations in Z Specification Formal Methods in SE.
TSC Workshop, May 2008, U Oklahoma 1 Teaching Software Correctness May 13-15, 2008, University of Oklahoma Rex Page, U Assistants Carl.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
1 Relational Algebra and Calculas Chapter 4, Part A.
Relational Algebra.
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
1 Relational Algebra Chapter 4, Sections 4.1 – 4.2.
Software Synthesis with ACL2 Eric Smith Kestrel Institute ACL2 Workshop 2015.
Recursive Data Structures and Grammars  Themes  Recursive Description of Data Structures  Recursive Definitions of Properties of Data Structures  Recursive.
Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University.
Automated Reasoning Early AI explored how to automated several reasoning tasks – these were solved by what we might call weak problem solving methods as.
Ch. 13 Ch. 131 jcmt CSE 3302 Programming Languages CSE3302 Programming Languages (notes?) Dr. Carter Tiernan.
Recursive Data Structures and Grammars  Themes  Recursive Description of Data Structures  Recursive Definitions of Properties of Data Structures  Recursive.
Advanced Engineering Mathematics, 7 th Edition Peter V. O’Neil © 2012 Cengage Learning Engineering. All Rights Reserved. CHAPTER 4 Series Solutions.
1 COSC generating functions, templates, and macros Yves Lespérance Adapted from Peter Roosen-Runge.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Functional Programming: Lisp MacLennan Chapter 10.
1 FP Foundations, Scheme In Text: Chapter Chapter 14: FP Foundations, Scheme Mathematical Functions Def: A mathematical function is a mapping of.
1/20 Arrays Changki PSWLAB Arrays Daniel Kroening and Ofer Strichman Decision Procedure.
Boolean Expression Evaluation CS 270: Math Foundations of CS Jeremy Johnson.
Adding Parallelism Capabilities to ACL2 August 16, 2006 David L. Rager.
1 Proving Properties of Recursive List Functions CS 270 Math Foundations of CS Jeremy Johnson.
Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.
CENG 424-Logic for CS Introduction Based on the Lecture Notes of Konstantin Korovin, Valentin Goranko, Russel and Norvig, and Michael Genesereth.
Artificial Intelligence and Lisp Lecture 6 LiU Course TDDC65 Autumn Semester,
CS 550 Programming Languages Jeremy Johnson
Introduction to Logic for Artificial Intelligence Lecture 2
Spring 2017 Program Analysis and Verification
The DE Language Erik Reeber 6/30/04.
September 4, 1997 Programming Languages (CS 550) Lecture 6 Summary Operational Semantics of Scheme using Substitution Jeremy R. Johnson TexPoint fonts.
Proving Properties of Recursive List Functions
FP Foundations, Scheme In Text: Chapter 14.
Simplification of Boolean Expressions
Announcements Quiz 5 HW6 due October 23
Abstraction and Repetition
This Lecture Substitution model
Functional Programming: Lisp
Presentation transcript:

Second-Order Functions and Theorems in ACL2 Alessandro Coglio Workshop 2015 Kestrel Institute

If ACL2 were second-order… ACL2 Second-Order (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) … we could define second-order functions: individual parameter function parameter f is used as a function

If ACL2 were second-order… (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) (defthm len-of-map (equal (len (map f l)) (len l))) … we could prove second-order theorems: universally quantified over f and l (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l))))))

If ACL2 were second-order… (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) (defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) … we could apply second-order functions: map is applied to the function fix (defthm len-of-map (equal (len (map f l)) (len l)))

If ACL2 were second-order… (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) (defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) … we could use second-order theorems: (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) proved using (:rewrite len-of-map) (defun rev-fix-cons (a x) (cons a (map fix (rev x))))

If ACL2 were second-order… (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) (defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) (defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x))))

If ACL2 were second-order… (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) (defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) With the SOFT (‘Second-Order Functions and Theorems’) tool… … we can define second-order functions: (defun map (f l) (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) almost like this

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can define second-order functions: (defun (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) we must use defun2 (2 nd -order version of defun ) almost like this map (f l)2 With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can define second-order functions: (defun2 map (f (cond ((atom l) nil) (t (cons (f (car l)) (map f (cdr l)))))) we must use defun2 (2 nd -order version of defun ) we must separate function and individual parameters almost like this ) (l) With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) (defun2 map (f) (l) (cond ((atom l) nil) (t (cons (f (car l)) (map we must use defun2 (2 nd -order version of defun ) we must separate function and individual parameters we must omit function parameters in 2 nd -order function calls almost like this f (cdr l)))))) … we can define second-order functions: With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can define second-order functions: (defun2 map (f) (l) (cond ((atom l) nil) (t (cons (f (car l)) (map (cdr l)))))) we must use defun2 (2 nd -order version of defun ) we must separate function and individual parameters we must omit function parameters in 2 nd -order function calls (defunvar (*) => *) we must declare function variables f With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can define second-order functions: (defun2 map (f) (l) (cond ((atom l) nil) (t (cons (f (car l)) (map (cdr l)))))) (defunvar f (*) => *) f possible naming conventions (not enforced by SOFT): With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can define second-order functions: (defun2 map ( (cond ((atom l) nil) (t (cons ( (defunvar possible naming conventions (not enforced by SOFT): start function variable names with ? f (*) => *)? f) (l) f (car l)) (map (cdr l)))))) ? ? With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can define second-order functions: (defun2 map (cond ((atom l) nil) (t (cons (?f (car l)) (map (defunvar ?f (*) => *) possible naming conventions (not enforced by SOFT): start function variable names with ? include function parameters in names of 2 nd -order functions (?f) (l) (cdr l)))))) [?f] [?f] With the SOFT (‘Second-Order Functions and Theorems’) tool… “restores” omitted function parameter

(defthm len-of-map (equal (len (map f l)) (len l))) (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) (defunvar ?f (*) => *) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) … we can prove second-order theorems: (defthm len-of-map (equal (len (map l)) (len l))) [?f] f With the SOFT (‘Second-Order Functions and Theorems’) tool… a regular defthm, whose formula references ?f universally quantified over ?f and l

(defun rev-fix-cons (a x) (cons a (map fix (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) (defthm len-of-map[?f] (equal (len (map[?f] l)) (len l))) (defthm len-of-map[?f] (equal (len (map[?f] l)) (len l))) … we can apply second-order functions: (defun rev-fix-cons (a x) (cons a (map fix (rev x)))) [ ] we must create an instance of map (defunvar ?f (*) => *) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can apply second-order functions: (defun rev-fix-cons (a x) (cons a (map[fix] (rev x)))) (defun-inst (map[?f] (?f. fix))) binding of actual function parameters to formal function parameters, by name we must create an instance of map named application of map to fix (an instance of map) map[fix] (defthm len-of-map[?f] (equal (len (map[?f] l)) (len l))) (defunvar ?f (*) => *) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) With the SOFT (‘Second-Order Functions and Theorems’) tool…

(defun rev-fix-cons (a x) (cons a (map[fix] (rev x)))) (defun-inst map[fix] (map[?f] (?f. fix))) (defthm len-of-map[?f] (equal (len (map[?f] l)) (len l))) (defunvar ?f (*) => *) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) With the SOFT (‘Second-Order Functions and Theorems’) tool… (defun-inst map[fix] (map[?f] (?f. fix))) (defun rev-fix-cons (a x) (cons a (map[fix] (rev x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) … we can use second-order theorems: (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x))))

(defthm len-of-map[?f] (equal (len (map[?f] l)) (len l))) (defunvar ?f (*) => *) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) With the SOFT (‘Second-Order Functions and Theorems’) tool… (defun-inst map[fix] (map[?f] (?f. fix))) (defun rev-fix-cons (a x) (cons a (map[fix] (rev x)))) … we can use second-order theorems: (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) proved using (:rewrite len-of-map[fix]) function variable substitution (defthm-inst len-of-map[fix] (len-of-map[?f] (?f. fix))) named instance of len-of-map[?f]

(defthm len-of-map[?f] (equal (len (map[?f] l)) (len l))) (defunvar ?f (*) => *) (defun2 map[?f] (?f) (l) (cond ((atom l) nil) (t (cons (?f (car l)) (map[?f] (cdr l)))))) With the SOFT (‘Second-Order Functions and Theorems’) tool… (defun-inst map[fix] (map[?f] (?f. fix))) (defun rev-fix-cons (a x) (cons a (map[fix] (rev x)))) (defthm-inst len-of-map[fix] (len-of-map[?f] (?f. fix))) (defthm-inst len-of-map[fix] (len-of-map[?f] (?f. fix))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) (defthm len-of-rev-fix-cons (equal (len (rev-fix-cons a x)) (1+ (len x)))) How does this work?

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defun2 defchoose2 defun-sk2 defun-inst defthm-inst With the SOFT (‘Second-Order Functions and Theorems’)

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defun2 defchoose2 defun-sk2 defun-inst defthm-inst ( ?f (*... *) => *)(def Macro to introduce function variables: name type (in the sense of Church) stub (table...) expand ?f (*... *) => *) defunvar ?f is uninterpreted records information about ?f

defunvar SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defun2 defchoose2 defun-sk2 defun-inst defthm-inst

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defchoose2 defun-sk2 defun-inst defthm-inst ( sof (?f 1... ?f n ) (x 1... x m ) doc decl... decl body) Macro to introduce plain second-order functions: name function parameters individual parameters same as in a defun defun2 guard and measure may reference the ?f i

(defun2 sof (?f 1... ?f n ) (x 1... x m ) doc decl... decl body) Macro to introduce plain second-order functions: (defunsof(x 1... x m ) doc decl... decl body) expand (table...) 1 st -order function records information about sof

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defchoose2 defun-sk2 defun-inst defthm-inst defun2 introduce choice 2 nd -order functions and quantifier 2 nd -order functions (2 nd -order versions of defchoose and defun-sk ; analogous to defun2 )

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defun2 defchoose2 defun-sk2 defthm-inst Macro to instantiate second-order functions: ( f (?f 1... ?f n ) (sof (?g 1. h 1 )... (?g m. h m ))...) name of the new function instance function parameters, present iff f is 2 nd -order instantiation, i.e. map from function variables to function variables, 1 st -order functions, and 2 nd -order functions name of the 2 nd -order function to instantiate keyed options, e.g. to control guard verification defun-inst

Macro to instantiate second-order functions: (defun-inst f (?f 1... ?f n ) (sof (?g 1. h 1 )... (?g m. h m ))...) expand (table...) (defun f...) (defchoose f...) (defun-sk f...) one of these, based on the macro used to introduce sof body, guard, and measure of f are the result of applying the instantiation to body, guard, and measure of sof records information about f this involves not only replacing ?g i with h i, but also 2 nd -order functions that depend on ?g i with suitable h i -instances

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defun2 defchoose2 defun-sk2 defthm-inst defun-inst

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defun2 defchoose2 defun-sk2 defun-inst defthm-inst Macro to instantiate second-order theorems: ( thm (sothm (?g 1. h 1 )... (?g m. h m )) :rule-classes cls) name of the new theorem instance name of the 2 nd -order theorem to instantiate instantiation, as in defun-inst same as in defthm

:instructions ((:use (:functional-instance sothm (?g 1 h 1 )... (?g m h m ) more-pairs)) Macro to instantiate second-order theorems: (defthm-inst thm (sothm (?g 1. h 1 )... (?g m. h m )) :rule-classes cls) expand replacements of 2 nd -order functions in sothm with suitable h i -instances definitions and axioms of the h i -instances in more-pairs this functional instance is formula this proves the constraints generated by more-pairs (defthm thm formula :rule-classes cls sothm ?g 1 h1h1 ?g m hmhm (:repeat (:then (:use facts) :prove)))) result of applying instantiation to formula of sothm

SOFT (‘Second-Order Functions and Theorems’) is an ACL2 library to mimic second-order functions and theorems in the first-order logic of ACL2. It does not extend the ACL2 logic. It does not introduce unsoundness or inconsistency on its own. It provides the following macros: defunvar defun2 defchoose2 defun-sk2 defun-inst defthm-inst

SOFT can be used to formalize algebras and similar mathematical structures in a compositional way, e.g.: Unlike encapsulate, algebraic properties are expressed by predicates, not by axioms attached to the abstract operations. (defun-sk2 semigroup[?op] (?op) () (forall (x y z) (equal (?op (?op x y) z) (?op x (?op y z))))) (defun-sk2 identity[?op] (?op) (id) (forall x (and (equal (?op id x) x) (equal (?op x id) x)))) (defun2 monoid[?op] (?op) (id) (and (semigroup[?op]) (identity[?op] id))) (defun-sk2 inverse[?op_?inv] (?op ?inv) (id) (forall x (and (equal (?op x (?inv x)) id) (equal (?op (?inv x) x) id)))) (defun2 group[?op_?inv] (?op ?inv) (id) (and (monoid[?op] id) (inverse[?op_?inv] id))) SOFT

(defun2 fold[?f_?g] (?f ?g) (x) (cond ((atom x) (?f x)) (t (?g (fold[?f_?g] (car x)) (fold[?f_?g] (cdr x)))))) SOFT can be used to formalize algorithm schemas, e.g.: SOFT generic folding function on binary trees divide-and-conquer algorithm schema, specialized to binary trees: to solve a problem on a binary tree, recursively solve the problem on its subtrees and combine the solutions using ?g ; solve the problem on leaves directly using ?f cons bc a

SOFT can be used to formalize algorithm schemas, e.g.: SOFT (defun2 fold[?f_?g] (?f ?g) (x) (cond ((atom x) (?f x)) (t (?g (fold[?f_?g] (car x)) (fold[?f_?g] (cdr x)))))) (defun2 fold[?f_?g] (?f ?g) (x) (cond ((atom x) (?f x)) (t (?g (fold[?f_?g] (car x)) (fold[?f_?g] (cdr x)))))) (defun-sk2 atom-io[?f_?io] (?f ?io) () (forall x (implies (atom x) (?io x (?f x))))) predicate asserting that ?f yields valid solutions on leaves, w.r.t. an input/output relation ?io that relates problems with acceptable solutions

(defun-sk2 consp-io[?g_?io] (?g ?io) () (forall (x y1 y2) (implies (and (consp x) (?io (car x) y1) (?io (cdr x) y2)) (?io x (?g y1 y2))))) SOFT can be used to formalize algorithm schemas, e.g.: SOFT (defun2 fold[?f_?g] (?f ?g) (x) (cond ((atom x) (?f x)) (t (?g (fold[?f_?g] (car x)) (fold[?f_?g] (cdr x)))))) (defun-sk2 atom-io[?f_?io] (?f ?io) () (forall x (implies (atom x) (?io x (?f x))))) (defun-sk2 atom-io[?f_?io] (?f ?io) () (forall x (implies (atom x) (?io x (?f x))))) predicate asserting that ?g combines valid solutions on subtrees into valid solutions on trees, w.r.t. the input/output relation ?io that relates problems with acceptable solutions

SOFT can be used to formalize algorithm schemas, e.g.: SOFT (defun2 fold[?f_?g] (?f ?g) (x) (cond ((atom x) (?f x)) (t (?g (fold[?f_?g] (car x)) (fold[?f_?g] (cdr x)))))) (defun-sk2 atom-io[?f_?io] (?f ?io) () (forall x (implies (atom x) (?io x (?f x))))) (defun-sk2 consp-io[?g_?io] (?g ?io) () (forall (x y1 y2) (implies (and (consp x) (?io (car x) y1) (?io (cdr x) y2)) (?io x (?g y1 y2))))) (defun-sk2 consp-io[?g_?io] (?g ?io) () (forall (x y1 y2) (implies (and (consp x) (?io (car x) y1) (?io (cdr x) y2)) (?io x (?g y1 y2))))) (defthm fold-io[?f_?g_?io] (implies (and (atom-io[?f_?io]) (consp-io[?g_?io])) (?io x (fold[?f_?g] x)))) theorem asserting the correctness of fold[?f_?g], w.r.t. the input/output relation ?io that relates problems with acceptable solutions

(defun2 fold[?f_?g] (?f ?g) (x) (cond ((atom x) (?f x)) (t (?g (fold[?f_?g] (car x)) (fold[?f_?g] (cdr x)))))) (defun-sk2 atom-io[?f_?io] (?f ?io) () (forall x (implies (atom x) (?io x (?f x))))) (defun-sk2 consp-io[?g_?io] (?g ?io) () (forall (x y1 y2) (implies (and (consp x) (?io (car x) y1) (?io (cdr x) y2)) (?io x (?g y1 y2))))) (defthm fold-io[?f_?g_?io] (implies (and (atom-io[?f_?io]) (consp-io[?g_?io])) (?io x (fold[?f_?g] x)))) SOFT can be used to formalize algorithm schemas, e.g.: Algorithm schemas are useful for program refinement.

SOFT program refinement can be used for. (defun2 spec 0 (?f 1... ?f n )...) requirements over n ≥ 1 target functions are specified by a 2 nd -order predicate this could be a defun-sk2 unlike encapsulate, no witnesses for the n functions are needed; it is the goal of refinement to generate witnessing implementations inconsistent requirements amount to spec 0 being always false, without introducing inconsistencies; no defaxiom is used goal: solve spec 0 for ?f 1, …, ?f n

SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) (defun2 spec 2 (?f 1... ?f n )...) the specification is stepwise refined by a sequence of increasingly strong 2 nd -order predicates

SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) (defun2 spec 2 (?f 1... ?f n )...) the specification is stepwise refined by a sequence of increasingly strong 2 nd -order predicates each predicate narrows down the possible implementations or rephrases their description towards their determination the refinement relation is logical implication

SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) (defun2 spec 2 (?f 1... ?f n )...) (defun2 spec m (?f 1... ?f n ) () (and (equal ?f 1 f 1 )... (equal ?f n f n ))) the sequence ends with a 2 nd -order predicate that provides explicit solutions f 1, …, f n for the target functions f 1, …, f n are executable functions, constructed as part of the refinement process, along with spec 1, …, spec m f 1, …, f n is the obtained implementation of spec 0 almost like this

SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) (defun2 spec 2 (?f 1... ?f n )...) (defun2 spec m (?f 1... ?f n ) () (and (equal ?f 1 f 1 )... (equal ?f n f n ))) almost like this (equal ?f i f i ) (equal ?f 1 f 1 ) (equal ?f n f n ) this would be a 2 nd -order equality

SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) (defun2 spec 2 (?f 1... ?f n )...) (defun2 spec m (?f 1... ?f n ) () (and (equal ?f 1 f 1 )... (equal ?f n f n ))) almost like this equal ?f i fifi (defun-sk2 def i (?f i ) () (forall args ( (((( args) args)))) 1 st -order expression of the 2 nd -order equality

SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) (defun2 spec 2 (?f 1... ?f n )...) (defun2 spec m (?f 1... ?f n ) () (and (... ( almost like this def i equal ?f 1 f 1 equal ?f n f n def 1 def n ) )))

(defun2 spec 2 (?f 1... ?f n SOFT can be used for program refinement. (defun2 spec 0 (?f 1... ?f n )...) (defun2 spec 1 (?f 1... ?f n )...) )...)?f n auxiliary target functions may be introduced along the way (defun2 spec m (?f 1... ?f n (and (def 1 )... (def n ) ) ()... ?f n+p ))... (def n+p ) this approach to program refinement is called ‘shallow pop-refinement’ (see paper for details)

(defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) (defun-sk (x y) (forall e (iff (member e y) (and (leaf e x) (natp e))))) (defun (e bt) (cond ((atom bt) (equal e bt)) (t (or (leaf e (car bt)) (leaf e (cdr bt)))))) program refinementSOFT Example ofusing: requirements specification input/output relation io leaf return a list of all and only the leaves that are naturals (in no particular order and possibly with duplicates)

(defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) Example of program refinement using SOFT: (defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) since the specification involves binary trees, we use the divide-and-conquer algorithm schema for binary trees

Example of program refinement using SOFT: since the specification involves binary trees, we use the divide-and-conquer algorithm schema for binary trees (defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) (equal ?h fold[?f_?g]) we constrain ?h to be fold[?f_?g] for some ?f and ?g (defun2 spec [?h] (?h) () (forall x (io x (?h x))) ) 1 (and ) 2 nd -order equalities and inlined quantifiers are artistic licenses (the real version uses suitable defun-sk2 s)

Example of program refinement using SOFT: since the specification involves binary trees, we use the divide-and-conquer algorithm schema for binary trees (defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) we constrain ?h to be fold[?f_?g] for some ?f and ?g 2 nd -order equalities and inlined quantifiers are artistic licenses (the real version uses suitable defun-sk2 s) (defun2 spec1[?h (and (equal ?h fold[?f_?g]) (forall x (io x (?h x))))) ] (?h) ()_?f_?g ?f ?g this refinement step introduces auxiliary target functions; ?h is determined when ?f and ?g are determined strict implication; this refinement step reduces the set of possible implementations

(defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) (defun2 spec1[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (?h x))))) (defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) Example of program refinement using SOFT: (defun2 spec1[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (?h x))))) we use the first conjunct to rewrite the second conjunct

(defun2 spec1[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (?h x))))) (defun-sk2 spec[?h] (?h) () (forall x (io x (?h x)))) Example of program refinement using SOFT: 2 (defun2 spec [?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x ( x))))) we use the first conjunct to rewrite the second conjunct ?h x)))))?h fold[?f_?g] non-strict refinement (equivalence)

(defun2 spec1[?h_?f_?g] (?h ?f ?g) () (defun-sk2 spec[?h] (?h) () Example of program refinement using SOFT: (and (equal ?h fold[?f_?g]) (forall x (io x (?h x)))))...) (forall x (io x (?h x))))...) (defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec2[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) we apply the correctness theorem of the divide-and- conquer algorithm schema backwards

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) (defthm fold-io[?f_?g_?io] (implies (and (atom-io[?f_?io]) (consp-io[?g_?io])) (?io x (fold[?f_?g] x)))) we apply the correctness theorem of the divide-and- conquer algorithm schema backwards correctness theorem of the divide-and-conquer algorithm schema

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) we apply the correctness theorem of the divide-and- conquer algorithm schema backwards implies (and (atom-io[?f_?io]) (consp-io[?g_?io])) (?io x (fold[?f_?g] x))

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) we apply the correctness theorem of the divide-and- conquer algorithm schema backwards (and (atom-io[?f_?io]) (consp-io[?g_?io])) (?io x (fold[?f_?g] x)) defthm-inst (?io. io) match (io x (fold[?f_?g] x)) (and (atom-io[?f_ (consp-io[?g_ io]) io]))

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) we apply the correctness theorem of the divide-and- conquer algorithm schema backwards (and (atom-io[?f_?io]) (consp-io[?g_?io])) (?io x (fold[?f_?g] x))(io x (fold[?f_?g] x)) (and (atom-io[?f_io]) (consp-io[?g_io])) defthm-inst (?io. io)

(atom-io[?f_io]) (consp-io[?g_io])) (defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) we apply the correctness theorem of the divide-and- conquer algorithm schema backwards (io x (fold[?f_?g] x)) (and (defun2 spec [?h_?f_?g] (?h ?f ?g) () (equal ?h fold[?f_?g]) ) 3

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (and (equal ?h fold[?f_?g]) (forall x (io x (fold[?f_?g] x))))) (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io])))

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io]))) these are requirements specifications for ?f and ?g that can be stepwise refined independently

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io]))) Example of program refinement using SOFT: (defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io]))) (atom-io[?f_io]) (equal ?f f) for some (defun f...)

(defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io]))) Example of program refinement using SOFT: (atom-io[?f_io]) (equal ?f f) we apply this implication backwards in the main refinement sequence

(atom-io[?f_io]) (equal ?f f) (defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun-sk2 spec[?h] (?h) ()...) (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io]))) Example of program refinement using SOFT: (atom-io[?f_io]) (equal ?f f) (defun2 spec [?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (consp-io[?g_io]))) 4

(defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec3[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (atom-io[?f_io]) (consp-io[?g_io]))) (defun2 spec1[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec2[?h_?f_?g] (?h ?f ?g) ()...) (defun2 spec4[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) (consp-io[?g_io])))

(defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec4[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) (consp-io[?g_io]))) we proceed analogously for ?g (equal ?g g) (defun2 spec [?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) )) (consp-io[?g_io]) (stepwise)

(defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec4[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) (consp-io[?g_io]))) we proceed analogously for ?g (consp-io[?g_io]) (equal ?g g) (defun2 spec [?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) )) 5

(defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec4[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) (consp-io[?g_io]))) (defun2 spec5[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[?f_?g]) (equal ?f f) (equal ?g g)))

(defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: (defun2 spec5[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[ (equal ?f f) (equal ?g g))) we use the second and third conjuncts to rewrite the first conjunct ?f f _?g])_?g g ])

(defun2 spec5[?h_?f_?g] (?h ?f ?g) () (and (equal ?h fold[f_g]) (equal ?f f) (equal ?g g))) (defun-sk2 spec[?h] (?h) ()...) Example of program refinement using SOFT: fold[f_g] f, g is the obtained implementation of spec the implementation witnesses the consistency of spec

SOFT is available in the ACL2 community books: tools/soft.lisp tools/soft-paper-examples.lisp

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.