Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11: Proof by Reflection

Published byDouglas Watts Modified over 7 years ago

Similar presentations

Presentation on theme: "Lecture 11: Proof by Reflection"— Presentation transcript:

1 Lecture 11: Proof by Reflection
Interactive Computer Theorem Proving Lecture 11: Proof by Reflection CS294-9 November 2, 2006 Adam Chlipala UC Berkeley

2 Proofs Revisited 1 + 1 = 2 S O + S O = S (S O) 8E Def. =I 8E Def. =E
...in standard first-order logic 8E 8 n, m, S n + m = n + S m Def. 8 m, S O + m = O + S m =I 8 n, O + n = n 8E Def. S O + S O = S O + S O S O + S O = O + S (S O) =E S O + S O = O + S (S O) O + S (S O) = S (S O) =E S O + S O = S (S O)

3 Proofs Revisited 1 + 1 = 2 S O + S O = S (S O) =I ...in Coq
Evaluate the proof fully before checking correct rule usage.... S O + S O = S (S O) O + S (S O) = S (S O) S (S O) = S (S O) OK, now it's clear that reflexivity justifies this! =I S O + S O = S (S O)

4 A Simple Motivating Example
isEven O Even_O isEven S (S n) Even_SS isEven n To prove isEven (2 n): Even_SS (Even_SS (Even_SS (Even_SS (Even_SS (...Even_O...))))) n Even_SS's In the real representation, the variable n of Even_SS appears explicitly in each rule invocation, so we have a quadratic-size proof scheme! Challenge: What proof scheme allows us to build isEven proofs for constants such that there exists some constant K where the proof size for 2n is only K more than the size of the representation of 2n?

5 Reflection Recipe (First Cut)
To prove goals that use a predicate P: Implement in Coq a (partial) decision procedure for P that approximates the truth of P with an algorithm returning booleans. Prove that P holds when the procedure returns true. Prove individual instances by applying that soundness theorem with reflexivity proofs.

6 An isEven Decision Procedure
Fixpoint check_even (n : nat) : bool := match n with | 0 => true | 1 => false | S (S n') => check_even n' end. Key property: For any constant n, check_even n evaluates to true or false, using only Coq's built-in reduction rules.

7 Soundness Theorem Theorem check_even_sound : forall n,
check_even n = true -> isEven n. Generic proof of isEven 2n: check_even_sound 2n (refl_equal true) check_even_sound 2n : check_even 2n = true -> isEven 2n Reduce to: true = true -> isEven 2n

8 Reflective “Tauto” (P1 \/ Q1) /\ (P2 \/ Q2) /\ ... /\ (Pn \/ Qn)
-> (Q1 \/ P1) /\ (Q2 \/ P2) /\ ... /\ (Qn \/ Pn) The tauto tactic (which is also used by intuition) solves this goal by expanding out all 2n cases arising from the disjunctions in the assumption, leading to exponentially-sized proofs. Challenge: Develop a reflective proof scheme that lets us prove formulas in a useful class of tautologies with proof size quadratic in the formula's length.

9 Prop isn't an inductive type!
First Attempt To keep it simple, let's start by considering formulas built from True, False, and, and or. Fixpoint eval_formula (P : Prop) : bool := match P with | True => true | False => false | P1 /\ P2 => eval_formula P1 && eval_formula P2 | P1 \/ P2 => eval_formula P1 || eval_formula P2 | _ => false end. Prop isn't an inductive type!

10 Revised Reflection Recipe
To prove goals that use a predicate P: Create a syntactic representation S of P's domain D. Define a compilation of S into D. Implement a decision procedure over S and prove that, when it returns true for s in S, P holds of the compilation of s. Use the soundness theorem reflectively.

11 A Syntactic Representation
Inductive formula : Set := | Truth : formula | Falsehood : formula | And : formula -> formula -> formula | Or : formula -> formula -> formula. Fixpoint interp_formula (f : formula) : Prop := match f with | Truth => True | Falsehood => False | And f1 f2 => interp_formula f1 /\ interp_formula f2 | Or f1 f2 => interp_formula f1 \/ interp_formula f2 end.

12 A Prover Fixpoint eval_formula (P : formula) : bool := match P with
| Truth => true | Falsehood => false | And P1 P2 => eval_formula P1 && eval_formula P2 | Or P1 P2 => eval_formula P1 || eval_formula P2 end.

13 Its Soundness Theorem Theorem eval_formula_sound : forall (f : formula), eval_formula f = true -> compile_formula f. Generic scheme for proving formula P: Compute the representation f of P. (This step can't be done in Coq's logic!) Use the proof term: eval_formula_sound f (refl_equal true)

14 An Example Want to prove: True \/ False Representation:
Or Truth Falsehood Proof term: eval_formula_sound (Or Truth Falsehood) (refl_equal true) eval_formula (Or Truth Falsehood) = true -> compile_formula (Or Truth Falsehood) compile_formula (Or Truth Falsehood) Reduce True \/ False Reduce true = true -> compile_formula (Or Truth Falsehood)

15 Second Version Now let's expand our class of formulas to include, in addition to True, False, and, and or: Implication Arbitrary propositions as “propositional variables” Type Inductive formula : Set := | Truth : formula | Falsehood : formula | And : formula -> formula -> formula | Or : formula -> formula -> formula | Imp : formula -> formula -> formula | Atomic : Prop -> formula.

16 Problem: We can't compare Props for equality
Not Quite There.... Now we can prove some theorems: Definition easy_prover (f : formula) : bool := match f with | Or True _ => true | _ => false end. But we get stuck for other “easy” ones: Example: How can we write a prover that can show: P -> P for any P? Problem: We can't compare Props for equality

17 Third Version Inductive formula : Set := | Truth : formula
| Falsehood : formula | And : formula -> formula -> formula | Or : formula -> formula -> formula | Imp : formula -> formula -> formula | Atomic : var -> formula. On the side, maintain a mapping: atomics : var -> Prop We will depend on decidable equality for var: var_eq_dec : forall (x y : var), {x = y} + {x <> y}

18 It Works! Fixpoint prover (f : formula) : bool := match f with
Fixpoint interp_formula (f : formula) : Prop := match f with | Truth => True | And f1 f2 => interp_formula f1 /\ interp_formula f2 | Atomic v => atomics v ... end. Fixpoint prover (f : formula) : bool := match f with | Imp (Atomic v1) (Atomic v2) => if var_eq_dec v1 v2 then true else false ... end.

Download ppt "Lecture 11: Proof by Reflection"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1 A formula in predicate logic An atom is a formula. If F is a formula then (~F) is a formula. If F and G are Formulae then (F /\ G), (F \/ G), (F → G),

1 A formula in predicate logic An atom is a formula. If F is a formula then (~F) is a formula. If F and G are Formulae then (F /\ G), (F \/ G), (F → G),
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Decision Procedures for Presburger Arithmetic Presented by Constantinos Bartzis.

Decision Procedures for Presburger Arithmetic Presented by Constantinos Bartzis.
1 Polynomial Church-Turing thesis A decision problem can be solved in polynomial time by using a reasonable sequential model of computation if and only.

1 Polynomial Church-Turing thesis A decision problem can be solved in polynomial time by using a reasonable sequential model of computation if and only.
Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.

Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Induction and recursion

Induction and recursion
Propositional Calculus CS 680: Formal Methods in Verification Computer Systems Jeremy Johnson.

Propositional Calculus CS 680: Formal Methods in Verification Computer Systems Jeremy Johnson.
Equational Reasoning Math Foundations of Computer Science.

Equational Reasoning Math Foundations of Computer Science.
Properties of Logarithms They’re in Section 3.4a.

Properties of Logarithms They’re in Section 3.4a.
The ACL2 Proof Assistant Formal Methods Jeremy Johnson.

The ACL2 Proof Assistant Formal Methods Jeremy Johnson.
Binary Decision Diagrams (BDDs)

Binary Decision Diagrams (BDDs)
SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.

SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.
CS 4100 Artificial Intelligence Prof. C. Hafner Class Notes Jan 19, 2012.

CS 4100 Artificial Intelligence Prof. C. Hafner Class Notes Jan 19, 2012.
INTRODUCTION TO ARTIFICIAL INTELLIGENCE COS302 MICHAEL L. LITTMAN FALL 2001 Satisfiability.

INTRODUCTION TO ARTIFICIAL INTELLIGENCE COS302 MICHAEL L. LITTMAN FALL 2001 Satisfiability.
Type Inference II David Walker COS 441. Type Inference Goal: Given unannotated program, find its type or report it does not type check Overview: generate.

Type Inference II David Walker COS 441. Type Inference Goal: Given unannotated program, find its type or report it does not type check Overview: generate.

Similar presentations

Ads by Google