1 Lecture 5 PVS commands

2 Last week Logical formalisms, first-order logic (syntax, semantics). Introduction to PVS. Language of PVS. Proving sequents in PVS. Proof rules for sequent calculus.

3 Sequents Sequents: antecedent and succedent.  1, …,  k   1, …,  Proving the sequent amounts to showing:  1  …  k   1  …  Which we can rewrite to: {  1  …   k   1  …  }

4 Antecedent/consequent exchange A,   , B Rewrites to A  , , B Rewrites to A,   , B Rewrites to A, ,   B

5 Proof Trees and Subgoals Each inference step is based on the use of an inference rule. Validity of all subgoals must imply parent goal validity. A  B Rewrites to A1  B1 Which generates the subgoals A11  B11 A12  B12 A13  B13

6 PVS inference rules and decision procedures hide flatten, split, lift-if skolem inst, inst? lemma, rewrite, beta, expand, replace assert, prop, ground apply-extensionality induct, generalize

7 hide rule (forget some hypothesis)  1, …,  i-1,  i,  i+1, …,  k   1, …,  rewrites to  1, …,  i-1,  i+1, …,  k   1, …, 

8 flatten rule (flattening some antecedent conjunct h1  h2, A  B rewrites to h1, h2, A  B

9 flatten rule (flattening some consequent disjunct) A   1   2, B rewrites to A   1,  2, B

10 flatten rule (flattening some consequent implication) A  , B rewrites to , A  , B

11 split rule (consequent subgoaling) A   1  2, B rewrites to A   1, B A   2, B

12 split rule (antecedent subgoaling)  1   2, A  B rewrites to  1, A  B  2, A  B

13 skolem rule (skolemizing some consequent universal quantifier) A   (x:T): , B rewrites to  :T, A   [x/  ], B where  must be a new name, not occurring freely in the sequent.

14 skolem rule (skolemizing some antecedent existential quantifier)  (x:T): , A  B rewrites to  [x/  ],  :T, A  B  must be a new name, not occurring freely in the sequent.

15 inst rule (instantiating existential variable in consequent) A   (x:T): , B rewrites to A   [x/e], B A  e:T, B finding a proper instance e may be hard!

16 inst rule (instantiating universal variable in antecedent)  (x:T): , A  B Rewrites to  [x/e], A  B  (x:T): , A  e:T, B finding a proper instance e may be hard!

17 lemma rule (introducing a lemma in the antecedents) A  B rewrites to , A  B provided that declaration name : LEMMA  holds. All lemmas or declarations from imported theories are hidden from antecedents.

18 assert decision procedure (proving some ) A  B rewrites to  TRUE provided that A  B can be proved using linear arithmetics

19 prop decision procedure (proving a propositionally valid sequent) A  B rewrites to  TRUE provided that A  B may be proved using propositional calculus only

20 ground decision procedure (combination of assert, prop, and abstract datatype reasoning ) A  B rewrites to  TRUE provided that A,linear_arithmetics_theory,abstract_datatype_theories  B

21 Control commands PVS allows for commands for controlling the control flow. Leaving the prover and terminating current proof: syntax : (quit) Undoing one or more proof steps: syntax: (undo & optional to) Example (undo 3) undoes 3 previous steps; :(undo undo) undoes the last undo: limited capability.

22 Changing branches in a Proof It is possible to defer work on one branch and pursue another. Syntax: (postpone &optional print?). Places current goal on parent’s list of pending subgoals; brings up next unproved subgoal as the current. To see a list of unproven subgoals in Emacs Type “M-x siblings”. Tip: it is generally a good idea to postpone splitting to reduce the proof size.

23 Where to apply rules LocationTop level logical connective OR, => | AND, IFF AntecedentUse (split)Use (flatten) ConsequentUse (flatten)Use (split)

24 Disjunctive versus Conjunctive Normal Form Formulae involving NOT and IFF are handled the same way regardless of which part of the sequent they appear. Prover normally flattens negated formulae automatically. LocationNOTIF..THEN..ELS E AnyUse(flatten)Use(split)

25 Using Lemmas Lemmas are assumptions. Syntax: (lemma “name”) adds the lemma

26 Example Consider the following scenario Andy, Bob, Cindy, Dinah, Eve, Fred, and Gary live in the seven houses, numbered 1 through 7, on Maple Street. Gary's address is 5 greater than Bob's. Bob's address is greater than Andy's. Dinah's address is less than Eve's, whose address is 2 less than Gary's. Cindy's address is less than either Dinah's or Fred's. Who lives where?

27 Formalisation and Proof We will prove who lives where using only (SPLIT), (FLATTEN), (INST), (SKOLEM), (LEMMA), (ASSERT) We define people: TYPE = {A, B, C, D, E, F, G} address: [people -> int] p,q: VAR people

28 Axiom for address range The axiom below asserts that each person's address is between 1 and 7. Range: AXIOM address(p) = 1 or address(p) = 2 or address(p) = 3 or address(p) = 4 or address(p) = 5 or address(p) = 6 or address(p) = 7

29 Axioms for uniqueness and mapping The axiom below states that each person's address is unique Unique: AXIOM address(p) = address(q) implies p = q The axiom below states that each address has a person. Provable with set theory. Onto: AXIOM forall (a: int): ((0 < a and a < 8) implies (exists p: address(p) = a)) Onto1: AXIOM forall (a: {i: int | (1 <= i) & (i <= 7)}): (exists p: address(p) = a)

30 Translation of the Problem Axioms "clue1" through "clue7" translate the problem. Each lemma is introduced as it becomes provable. clue1: AXIOM address(B) + 5 = address(G) L1: LEMMA address(B) = 1 or address(B) = 2 clue2: AXIOM address(B) > address(A) L2: LEMMA address(B) = 2 L3: LEMMA address(A) = 1 L4: LEMMA address(G) = 7 clue3: AXIOM address(D) < address(E) clue4: AXIOM address(E) + 2 = address(G) L5: LEMMA address(E) = 5 L6: LEMMA address(D) = 3 or address(D) = 4 clue5: AXIOM address(C) < address(D) L7: LEMMA address(C) = 3 and address(D) = 4 clue7: AXIOM address(C) < address(F) L8: LEMMA address(F) = 6 Task for tutorial: download the file (linked from the module website) and prove it with PVS