Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Formal Methods Lecture 4: Isabelle – Types and Terms Mads Dam KTH/CSC Course 2D1453, 2006-07 Some material from Paulson.

Published byVanessa Walker Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced Formal Methods Lecture 4: Isabelle – Types and Terms Mads Dam KTH/CSC Course 2D1453, 2006-07 Some material from Paulson."— Presentation transcript:

1 Advanced Formal Methods Lecture 4: Isabelle – Types and Terms Mads Dam KTH/CSC Course 2D1453, 2006-07 Some material from Paulson

2 Types in Isabelle Types: T ::= A | X | X :: C | T ) T | (T 1,...,T n ) K where: A 2 {bool, int,...} base type X 2 {’ , ’  type variable K 2 {set, list,...} type constructor Used for defining new types C 2 {order, linorder, type,...} type classes Used for associating axioms to types Examples: int list, int set,... nat :: order, int :: field,...

3 Introducing New Types Types in Isabelle are nonempty Theorem in HOL: 9 x :: T. x = x So all types must be inhabited Three basic mechanisms: Type declarations Type abbreviations Recursive type definitions

4 Type Declarations Syntax: typedecl K Example: typedecl addr Introduces an abstract type of addresses Nothing known of an x :: addr But: Some x :: addr exists

5 Type Abbreviations Syntax: types (’  1,...,’  n ) K = T Examples: types number = nat tag = string ’  taglist = (’  £ tag) list All type abbreviations are expanded in Isabelle Not visible in internal representation or Isabelle output

6 Recursive Type Definitions datatype ’  list = Nil | Cons ’  (’  list) Defines a recursive datatype with associated constants: Nil :: ’  list Cons :: ’  ) ’  list ) ’  list Plus axioms: Distinctness: Nil  Cons x xs Injectivity: (Cons x xs = Cons y ys) = (x = y Æ xs = ys) Also axioms for induction

7 Datatypes Generally datatype (’  1,...,’  n ) K = constr 1 T 1,1... T 1,n 1... constr m T m,1... T m,n m Constants and types as previous slide Note: Simplifier automatically extended with distinctness and injectivity Induction must be handled explicitly Not trivial that (T 1,...,T n ) K exists! Proof goals automatically added and discharged

8 This Scheme Does Not Always Work Consider datatype lam = mkfun (lam ) lam) Note: Can interpret untyped lambda calculus using lam! Problematic definition: Cardinality of T ) T as set is strictly greater than that of T, for any T So need to rule out most functions LCF and domain theory: T ) T is set of continuous functions on complete lattice or cpo LCF embedding in Isabelle exists

9 Simple Recursion datatype (’  1,...,’  n ) K = constr 1 T 1,1... T 1,n 1... constr m T m,1... T m,n m Each type T i,j can be either: Non-recursive: All type constants K’ in T i,j are defined ”prior” to the definition of K An expression of the form (T 1 ’,...,T n ’) K where each T k ’ is non-recursive

10 Mutual Recursion datatype (’  1,...,’  n ) K = constr 1 T 1,1... T 1,n 1... constr m T m,1... T m,n m and (’  1 ’,...,’  n’ ’) K’ constr 1 ’ T 1,1 ’... T 1,n 1 ’ ’... constr m’ ’ T m’,1 ’... T m’,n m’ ’ ’ Each T i,j, T i,j ’ is either non-recursive or of the form... K or... K’

11 Covariance and Contravariance Introduce relations X · + T and X · - T X · + T: T is covariant in X X · - T: T is contravariant in X Covariance = monotonicity: As sets, if X · + T then A µ B implies T[A/X] µ T[B/X] Contravariance = antimonotonicity: If X · - T then Aµ B implies T[B/X] µ T[A/X] - X · + X X · + T 1 X · - T 2 X · - T 1 ) T 2 X · - T 1 X · + T 2 X · + T 1 ) T 2 X · + T i 1· i· n X · + (T 1,...,T n ) K X · - T i 1· i· n X · - (T 1,...,T n ) K

12 Nested Recursion datatype (’  1,...,’  n ) K = constr 1 T 1,1... T 1,n 1... constr m T m,1... T m,n m Each type T i,j is of form T[(T 1,1 ’,...,T 1,n ’) K/X 1,..., [(T k,1 ’,...,T k,n ’) K/X k ] such that X i · + T for all i: 1 · i · k Any K’ occurring in T is defined prior to K Note: Simple recursion is special case Mutual, nested recursion possible too

13 Type Classes Used to associate axioms with types Example: Preorders axclass ordrel < type consts le :: (’  :: ordrel) ) ’  ) bool axclass preorder < ordrel orderrefl: le x x ordertrans: (le x y) Æ (le y z) ) le x z Advanced topic – return to this later

14 Terms in Isabelle Terms: t ::= x | c | ?x | t t | x. t where: x 2 Var – variables C 2 Con – constants ?x – schematic variable x. t - must be typable Schematic variables: Free variables are fixed Schematic variables can be instantiated during proof

15 Schematic Variables State lemma with free variables lemma foobar : f(x,y) = g(x,y)... done During proof: x, y must never be instantiated! After proof is finished, Isabelle converts free var’s to schematic var’s f(?x,?y) = g(?x,?y) Now can use foobar with ?x  f and ?y  a, say

16 Defining Terms Three basic mechanisms: Defining new constants non-recursively No problems Constructs: defs, constdefs Defining new constants by primitive recursion Termination can be proved automatically Constructs: primrec General recursion Termination must be proved Constructs: recdef

17 Non-Recursive Definitions Declaration: consts sq :: nat ) nat Definition: defs sqdef: sq n = n * n Or combined: constdefs sq :: nat ) nat sq n = n * n

18 Unfolding Definitions Definitions are not always unfolded automatically by Isabelle To unfold definition of sq: apply(unfold sqdef) Tactics such as simp and auto do unfold constant definitions

19 Definition by Primitive Recursion consts append :: ’  list ) ’  list )’  list primrec append Nil ys = ys append (Cons x xs) ys = Cons x (append xs ys) Append applied to strict subterm xs of Cons x xs: Termination is guaranteed

20 Primitive Recursion, General Scheme Assume data type definition of T with constructors constr 1,..., constr m Let f :: T 1 )... ) T n ) T’ and T i = T Primitive recursive definition of f: f x 1... (constr 1 y 1... y k 1 )... x n = t 1... f x 1... (constr m y 1... y k m )... x n = t m Each application of f in t 1,...,t m of the form f t 1 ’... y k j.. t n ’

21 Partial Functions datatype ’  option = None | Some ’  Important application: T ⇒ ’  option ≈ partial function: None ≈ no result Some t ≈ result t Example: consts lookup :: ’  ⇒ (’  × ’  ) list ⇒ ’  option primrec lookup k [] = None lookup k (x#xs) = (if fst x = k then Some(snd x) else lookup k xs)

22 The Case Construct Every datatype introduces a case construct, e.g. (case xs of Nil ⇒... | (Cons y ys) ⇒... y... ys...) In general: one case per constructor No nested patterns, e.g. Cons y 1 (Cons y 2 ys) But cases can be nested Case distinctions: apply(case tac t) creates k subgoals t = constr i y 1... y k i ⇒... one for each constructor constr i

23 Mutual and Nested Primitive Recursion Primitive recursion scheme applies also for mutual and nested recursion Assume data type definition of T 1 and T 2 with constructors constr 1 1,..., constr m 1 1, constr 1 2,...,constr m{2} 2, respectively Let: f :: T 1 )... ) T n f ) T f ’, T i = T 1, g :: T 1 )... ) T n g ) T g ’, T j = T 2

24 Mutual and Nested Recursion, II Mutual, primitive recursive definition of f and g: f x 1... (constr 1 1 y 1... y k 1,1 )... x n f = t 1,f... f x 1... (constr m 1 1 y 1... y k m1,1 )... x n f = t m 1,f g x 1... (constr 1 2 y 1... y k 1,2 )... x n g = t 1,g... g x 1... (constr m 2 y 1... y k m2,2 )... x n g = t m 2,g Each application of f or g in t 1,f,...,t m 1,f, t 1,g,...,t m 2,g of the form h t 1 ’... y k... t n ’, h 2 {f,g} Slightly more general schemes possible too

25 General Recursion In Isabelle, recursive functions must be proved total before they ”exist” General mechanism for termination proofs: Well-founded induction Definition: Structure (A,R) is well-founded, if for every non- empty subset B of A there is some b 2 B such that not b’ R b for any b’ 2 B. Well-foundedness ensures that there cannot exist any infinite sequence a 0, a 1,...,a n,... such that a n+1 R a n for all n 2 . Why? Examples: The set of natural numbers under < is well- ordered. The set of reals is not.

26 Well-founded Induction Principle of well-founded induction: Suppose that (A,R) is a well-founded structure. Let B be a subset of A. *Suppose x 2 A and y 2 B whenever y R x implies x 2 B. Then A = B Here: A is the type, B is the property. Goal is 8a :: A. a 2 B Proof: For a contradiction suppose A  B. Then A – B is nonempty. Since (A,R) is well-founded, there is some a 2 A – B such that not a’ R a for all a’ 2 A – B. But a 2 A and whenever y R a then y 2 B. But then by (*), a 2 A, a contradiction.

27 Well-founded Induction in Isabelle consts f :: T 1 £... £ T n ) T recdef f R f(pattern 1,1,...,pattern 1,n ) = t 1... f(pattern m,1,...,pattern m,n ) = t m where 1.R well-founded relation on T 2.Defining clauses are exhaustive 3.Definition bodies t 1,...,t m can use f freely 4.Whenever f(t 1 ’,...,t n ’) is a subterm of t i then (t 1 ’,...,t n ’) R (pattern i,1,...,pattern i,n )

28 Recdef Using Progress Measures Let g :: T 1 £... £ T n ! nat Define: measure g = {(t 1,t 2 ) | g t 1 < g t 2 } Then can use instead: recdef f (measure g) f(pattern 1,1,...,pattern 1,n ) = t 1... f(pattern m,1,...,pattern m,n ) = t m and condition 4. becomes: Whenever f(t 1 ’,...,t n ’) is a subterm of t i then g(t 1 ’,...,t n ’) < g(pattern i,1,...,pattern i,n )

29 Example: Fibonacci consts fib :: nat ) nat recdef fib (measure ( n. n)) fib 0 = 0 fib (Suc 0) = 1 fib (Suc(Suc x)) = fib x + fib (Suc x) Many more examples in tutorial

30 Exercises Exercise 1: Define a little imperative language of booleans b and commands c as follows b ::= b a | not b | b and b c ::= c a | if b c c | while b c | c ; c | done b a is an atomic boolean, and c a an atomic command. Represent the languages as a mutually recursive datatype in Isabelle. Define the semantics of booleans as a function boolsem :: boolean ) state ) bool cmdsem :: cmd ) state ) cmd ) state ) bool where state is a primitive type. The idea of cmdsem is that cmdsem c1 s1 c2 s2 = true iff one step of evaluation of c1 in state s1 results in state s2 with command c2 left to evaluate. Make suitable assumptions on atomic booleans and commands. In particular, assume that evaluation of atomic commands is deterministic. Represent the languages and semantics in Isabelle, and prove that command evaluation is deterministic. Exercise 2: Derive (pen and paper) natural number induction from well- founded induction

Download ppt "Advanced Formal Methods Lecture 4: Isabelle – Types and Terms Mads Dam KTH/CSC Course 2D1453, 2006-07 Some material from Paulson."

Similar presentations

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 15 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 15 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Type Inference David Walker COS 320. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.

Type Inference David Walker COS 320. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
CSE341: Programming Languages Lecture 2 Functions, Pairs, Lists Dan Grossman Winter 2013.

CSE341: Programming Languages Lecture 2 Functions, Pairs, Lists Dan Grossman Winter 2013.
CMSC 330: Organization of Programming Languages Tuples, Types, Conditionals and Recursion or “How many different OCaml topics can we cover in a single.

CMSC 330: Organization of Programming Languages Tuples, Types, Conditionals and Recursion or “How many different OCaml topics can we cover in a single.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.

Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.
Lambda Calculus and Lisp PZ03J. Lambda Calculus The lambda calculus is a model for functional programming like Turing machines are models for imperative.

Lambda Calculus and Lisp PZ03J. Lambda Calculus The lambda calculus is a model for functional programming like Turing machines are models for imperative.
ML: a quasi-functional language with strong typing Conventional syntax: - val x = 5; (*user input *) val x = 5: int (*system response*) - fun len lis =

ML: a quasi-functional language with strong typing Conventional syntax: - val x = 5; (*user input *) val x = 5: int (*system response*) - fun len lis =
Termination Analysis Math Foundations of Computer Science.

Termination Analysis Math Foundations of Computer Science.
Advanced Formal Methods Lecture 6: Isabelle - HOL Mads Dam KTH/CSC Course 2D1453, 2006-07 Material from L. Paulson.

Advanced Formal Methods Lecture 6: Isabelle - HOL Mads Dam KTH/CSC Course 2D1453, Material from L. Paulson.
Introduction to Computability Theory

Introduction to Computability Theory
1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.
Proving Facts About Programs With a Proof Assistant John Wallerius An Example From: Isabelle/HOL, A Proof Assistant for Higher Order Logic, By T. Nipkow,

Proving Facts About Programs With a Proof Assistant John Wallerius An Example From: Isabelle/HOL, A Proof Assistant for Higher Order Logic, By T. Nipkow,
Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.

Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.

Similar presentations

Ads by Google