nicta advanced course theorem proving principles...
TRANSCRIPT
![Page 1: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/1.jpg)
NICTA Advanced Course
Theorem Proving
Principles, Techniques, Applications
{P} . . . {Q}
1
![Page 2: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/2.jpg)
CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
• Lambda Calculus
• Higher Order Logic, natural deduction
• Term rewriting
➜ Proof & Specification Techniques
• Inductively defined sets, rule induction
• Datatypes, recursion, induction
• More recursion, Calculational reasoning
• Hoare logic, proofs about programs
• Locales, Presentation
CONTENT 2
![Page 3: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/3.jpg)
LAST TIME
➜ Recdef
➜ More induction
➜ Well founded orders
➜ Well founded recursion
➜ Calculations: also/finally
➜ [trans]-rules
LAST TIME 3
![Page 4: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/4.jpg)
A CRASH COURSE IN SEMANTICS
4
![Page 5: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/5.jpg)
IMP - A SMALL IMPERATIVE LANGUAGE
Commands:
datatype com = SKIP| Assign loc aexp ( := )
| Semi com com ( ; )
| Cond bexp com com (IF THEN ELSE )| While bexp com (WHILE DO OD)
types loc = stringtypes state = loc ⇒ nat
types aexp = state ⇒ nattypes bexp = state ⇒ bool
IMP - A SMALL IMPERATIVE LANGUAGE 5
![Page 6: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/6.jpg)
IMP - A SMALL IMPERATIVE LANGUAGE
Commands:
datatype com = SKIP| Assign loc aexp ( := )
| Semi com com ( ; )
| Cond bexp com com (IF THEN ELSE )| While bexp com (WHILE DO OD)
types loc = stringtypes state = loc ⇒ nat
types aexp = state ⇒ nattypes bexp = state ⇒ bool
IMP - A SMALL IMPERATIVE LANGUAGE 5-A
![Page 7: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/7.jpg)
IMP - A SMALL IMPERATIVE LANGUAGE
Commands:
datatype com = SKIP| Assign loc aexp ( := )
| Semi com com ( ; )
| Cond bexp com com (IF THEN ELSE )| While bexp com (WHILE DO OD)
types loc = stringtypes state = loc ⇒ nat
types aexp = state ⇒ nattypes bexp = state ⇒ bool
IMP - A SMALL IMPERATIVE LANGUAGE 5-B
![Page 8: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/8.jpg)
EXAMPLE PROGRAM
Usual syntax:B := 1;
WHILE A 6= 0 DOB := B ∗ A;
A := A − 1
OD
Expressions are functions from state to bool or nat:
B := (λσ. 1);
WHILE (λσ. σ A 6= 0) DOB := (λσ. σ B ∗ σ A);
A := (λσ. σ A − 1)
OD
EXAMPLE PROGRAM 6
![Page 9: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/9.jpg)
EXAMPLE PROGRAM
Usual syntax:B := 1;
WHILE A 6= 0 DOB := B ∗ A;
A := A − 1
OD
Expressions are functions from state to bool or nat:
B := (λσ. 1);
WHILE (λσ. σ A 6= 0) DOB := (λσ. σ B ∗ σ A);
A := (λσ. σ A − 1)
OD
EXAMPLE PROGRAM 6-A
![Page 10: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/10.jpg)
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7
![Page 11: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/11.jpg)
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-A
![Page 12: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/12.jpg)
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need:
the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-B
![Page 13: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/13.jpg)
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-C
![Page 14: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/14.jpg)
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-E
![Page 15: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/15.jpg)
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-F
![Page 16: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/16.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8
![Page 17: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/17.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→
σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-A
![Page 18: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/18.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-B
![Page 19: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/19.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True
〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-C
![Page 20: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/20.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False
〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-D
![Page 21: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/21.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-E
![Page 22: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/22.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→
σ
b σ = True 〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→ σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9
![Page 23: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/23.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True 〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→ σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-A
![Page 24: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/24.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True
〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→
σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-B
![Page 25: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/25.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True 〈c, σ〉 −→ σ′
〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→
σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-C
![Page 26: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/26.jpg)
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True 〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→ σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-D
![Page 27: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/27.jpg)
DEMO: THE DEFINITIONS IN ISABELLE
10
![Page 28: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/28.jpg)
PROOFS ABOUT PROGRAMS
Now we know:
➜ What programs are: Syntax
➜ On what they work: State
➜ How they work: Semantics
So we can prove properties about programs
Example:Show that example program from slide 6 implements the factorial.
lemma 〈factorial, σ〉 −→ σ′ =⇒ σ′B = fac (σA)
(where fac 0 = 0, fac (Suc n) = (Suc n) ∗ fac n)
PROOFS ABOUT PROGRAMS 11
![Page 29: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/29.jpg)
PROOFS ABOUT PROGRAMS
Now we know:
➜ What programs are: Syntax
➜ On what they work: State
➜ How they work: Semantics
So we can prove properties about programs
Example:Show that example program from slide 6 implements the factorial.
lemma 〈factorial, σ〉 −→ σ′ =⇒ σ′B = fac (σA)
(where fac 0 = 0, fac (Suc n) = (Suc n) ∗ fac n)
PROOFS ABOUT PROGRAMS 11-A
![Page 30: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/30.jpg)
PROOFS ABOUT PROGRAMS
Now we know:
➜ What programs are: Syntax
➜ On what they work: State
➜ How they work: Semantics
So we can prove properties about programs
Example:Show that example program from slide 6 implements the factorial.
lemma 〈factorial, σ〉 −→ σ′ =⇒ σ′B = fac (σA)
(where fac 0 = 0, fac (Suc n) = (Suc n) ∗ fac n)
PROOFS ABOUT PROGRAMS 11-B
![Page 31: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/31.jpg)
DEMO: EXAMPLE PROOF
12
![Page 32: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/32.jpg)
TOO TEDIOUS
Induction needed for each loop
Is there something easier?
TOO TEDIOUS 13
![Page 33: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/33.jpg)
TOO TEDIOUS
Induction needed for each loop
Is there something easier?
TOO TEDIOUS 13-A
![Page 34: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/34.jpg)
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:
{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14
![Page 35: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/35.jpg)
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-A
![Page 36: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/36.jpg)
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-B
![Page 37: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/37.jpg)
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-C
![Page 38: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/38.jpg)
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-D
![Page 39: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/39.jpg)
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-E
![Page 40: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/40.jpg)
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15
![Page 41: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/41.jpg)
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-A
![Page 42: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/42.jpg)
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-B
![Page 43: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/43.jpg)
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-C
![Page 44: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/44.jpg)
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-D
![Page 45: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/45.jpg)
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-E
![Page 46: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/46.jpg)
HOARE RULES
{P} SKIP {P}
{P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16
![Page 47: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/47.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-A
![Page 48: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/48.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-B
![Page 49: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/49.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-C
![Page 50: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/50.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q}
{P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-D
![Page 51: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/51.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-E
![Page 52: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/52.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-F
![Page 53: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/53.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′
{P ′} c {Q′}
Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-G
![Page 54: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/54.jpg)
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-H
![Page 55: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/55.jpg)
HOARE RULES
` {P} SKIP {P} ` {λσ. P (σ(x := e σ))} x := e {P}
` {P} c1 {R} ` {R} c2 {Q}
` {P} c1; c2 {Q}
` {λσ. P σ ∧ b σ} c1 {R} ` {λσ. P σ ∧ ¬b σ} c2 {Q}
` {P} IF b THEN c1 ELSE c2 {Q}
` {λσ. P σ ∧ b σ} c {P}∧
σ. P σ ∧ ¬b σ =⇒ Q σ
` {P} WHILE b DO c OD {Q}
∧σ. P σ =⇒ P ′ σ ` {P ′} c {Q′}
∧σ. Q′ σ =⇒ Qσ
` {P} c {Q}
HOARE RULES 17
![Page 56: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/56.jpg)
ARE THE RULES CORRECT?
Soundness: ` {P} c {Q} =⇒|= {P} c {Q}
Proof: by rule induction on ` {P} c {Q}
Demo: Hoare Logic in Isabelle
ARE THE RULES CORRECT? 18
![Page 57: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/57.jpg)
ARE THE RULES CORRECT?
Soundness: ` {P} c {Q} =⇒|= {P} c {Q}
Proof: by rule induction on ` {P} c {Q}
Demo: Hoare Logic in Isabelle
ARE THE RULES CORRECT? 18-A
![Page 58: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/58.jpg)
ARE THE RULES CORRECT?
Soundness: ` {P} c {Q} =⇒|= {P} c {Q}
Proof: by rule induction on ` {P} c {Q}
Demo: Hoare Logic in Isabelle
ARE THE RULES CORRECT? 18-B
![Page 59: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/59.jpg)
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19
![Page 60: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/60.jpg)
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-A
![Page 61: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/61.jpg)
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-B
![Page 62: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/62.jpg)
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-C
![Page 63: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/63.jpg)
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-D
![Page 64: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/64.jpg)
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20
![Page 65: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/65.jpg)
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-A
![Page 66: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/66.jpg)
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-B
![Page 67: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/67.jpg)
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-C
![Page 68: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/68.jpg)
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-D
![Page 69: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/69.jpg)
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-E
![Page 70: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/70.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21
![Page 71: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/71.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-A
![Page 72: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/72.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-B
![Page 73: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/73.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-C
![Page 74: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/74.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-D
![Page 75: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/75.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-E
![Page 76: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/76.jpg)
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-F
![Page 77: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/77.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22
![Page 78: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/78.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-A
![Page 79: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/79.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-B
![Page 80: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/80.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-C
![Page 81: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/81.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-D
![Page 82: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/82.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-E
![Page 83: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/83.jpg)
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-F
![Page 84: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/84.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23
![Page 85: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/85.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-A
![Page 86: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/86.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-B
![Page 87: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/87.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-C
![Page 88: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/88.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-D
![Page 89: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/89.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-E
![Page 90: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/90.jpg)
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-F
![Page 91: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/91.jpg)
DEMO
24
![Page 92: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/92.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25
![Page 93: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/93.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-A
![Page 94: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/94.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-B
![Page 95: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/95.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-C
![Page 96: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/96.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-D
![Page 97: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/97.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-E
![Page 98: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/98.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-F
![Page 99: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/99.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-G
![Page 100: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/100.jpg)
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-H
![Page 101: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/101.jpg)
WE HAVE SEEN TODAY ...
➜ Syntax and semantics of IMP
➜ Hoare logic rules
➜ Soundness of Hoare logic
➜ Verification conditions
➜ Example program proofs
WE HAVE SEEN TODAY ... 26
![Page 102: NICTA Advanced Course Theorem Proving Principles ...kleing/teaching/thprv-04/slides/lecture13.pdfCONTENT Intro & motivation, getting started with Isabelle Foundations & Principles](https://reader031.vdocuments.net/reader031/viewer/2022022115/5c6dff0909d3f274098c57b8/html5/thumbnails/102.jpg)
EXERCISES
➜ Write a program in IMP that calculates quotient and reminder ofx ∈ IN and y ∈ IN
➜ Find the right invariant for its while loop.
➜ Show its correctness in Isabelle:
` {True} program { Q ∗ y + R = x ∧ R < y }
➜ Write an IMP program that sorts arrays (lists) by insertion sort.
➜ Formulate and show its correctness in Isabelle.
EXERCISES 27