Tutorial on Isabelle/HOL

More documents

Recommendations

Info

apply(auto)done2.5 Datatypes 21In fact, all proofs in this case study look exactly like this. Hence we do notshow them below.More interesting is the transformation of If-expressions into a normalform where the first argument of IF cannot be another IF but must be aconstant or variable. Such a normal form can be computed by repeatedlyreplacing a subterm of the form IF (IF b x y) z u by IF b (IF x z u) (IFy z u), which has the same value. The following primitive recursive functionsperform this task:primrec normif :: "ifex ⇒ ifex ⇒ ifex ⇒ ifex" where"normif (CIF b) t e = IF (CIF b) t e" |"normif (VIF x) t e = IF (VIF x) t e" |"normif (IF b t e) u f = normif b (normif t u f) (normif e u f)"primrec norm :: "ifex ⇒ ifex" where"norm (CIF b) = CIF b" |"norm (VIF x) = VIF x" |"norm (IF b t e) = normif b (norm t) (norm e)"Their interplay is tricky; we leave it to you to develop an intuitive understanding.Fortunately, Isabelle can help us to verify that the transformationpreserves the value of the expression:theorem "valif (norm b) env = valif b env"The proof is canonical, provided we first show the following simplificationlemma, which also helps to understand what normif does:lemma [simp]:"∀ t e. valif (normif b t e) env = valif (IF b t e) env"Note that the lemma does not have a name, but is implicitly used in theproof of the theorem shown above because of the [simp] attribute.But how can we be sure that norm really produces a normal form in theabove sense? We define a function that tests If-expressions for normality:primrec normal :: "ifex ⇒ bool" where"normal(CIF b) = True" |"normal(VIF x) = True" |"normal(IF b t e) = (normal t ∧ normal e ∧(case b of CIF b ⇒ True | VIF x ⇒ True | IF x y z ⇒ False))"Now we prove normal (norm b). Of course, this requires a lemma about normalityof normif:lemma [simp]: "∀ t e. normal(normif b t e) = (normal t ∧ normal e)"How do we come up with the required lemmas? Try to prove the maintheorems without them and study carefully what auto leaves unproved. Thiscan provide the clue. The necessity of universal quantification (∀ t e) in thetwo lemmas is explained in Sect. 3.2
22 2. Functional Programming in HOLExercise 2.5.2 We strengthen the definition of a normal If-expression asfollows: the first argument of all IFs must be a variable. Adapt the abovedevelopment to this changed requirement. (Hint: you may need to formulatesome of the goals as implications (−→) rather than equalities (=).)2.6 Some Basic TypesThis section introduces the types of natural numbers and ordered pairs. Alsodescribed is type option, which is useful for modelling exceptional cases.2.6.1 Natural NumbersThe type nat of natural numbers is predefined to have the constructors 0and Suc. It behaves as if it were declared like this:datatype nat = 0 | Suc natIn particular, there are case-expressions, for examplecase n of 0 ⇒ 0 | Suc m ⇒ mprimitive recursion, for exampleprimrec sum :: "nat ⇒ nat" where"sum 0 = 0" |"sum (Suc n) = Suc n + sum n"and induction, for examplelemma "sum n + sum n = n*(Suc n)"apply(induct_tac n)apply(auto)doneThe arithmetic operations +, -, *, div, mod, min and max are predefined,as are the relations ≤ and
Page 1 and 2: Tobias NipkowMarkus WenzelLawrence
Page 3 and 4: viPrefacegives the best performance
Page 5 and 6: viiiContents3.1.3 The simp Method .
Page 7 and 8: xContents6.6 Case Study: Verified M
Page 9 and 10: xiiContents
Page 12 and 13: 1. The Basics1.1 IntroductionThis b
Page 14 and 15: 1.3 Types, Terms and Formulae 5base
Page 16 and 17: 1.4 Variables 71.4 VariablesIsabell
Page 18: 2. Functional Programming in HOLThi
Page 21 and 22: 12 2. Functional Programming in HOL
Page 29: 20 2. Functional Programming in HOL
Page 36 and 37: 3. More Functional ProgrammingThe p
Page 38 and 39: 3.1 Simplification 29could have bee
Page 40 and 41: 3.1 Simplification 31lemma "(let xs
Page 42 and 43: 3.1 Simplification 33lemma "rev [a]
Page 44 and 45: 3.2 Induction Heuristics 35Proof Ge
Page 46 and 47: 3.3 Case Study: Compiling Expressio
Page 48 and 49: 3.4 Advanced Datatypes 39two case-e
Page 50 and 51: apply simp_all3.4 Advanced Datatype
Page 52 and 53: 3.4 Advanced Datatypes 43lemma [sim
Page 54 and 55: 3.4 Advanced Datatypes 45✑◗ ✑
Page 56 and 57: 3.5 Total Recursive Functions: fun
Page 58 and 59: "ack2 n 0 = Suc n" |"ack2 0 (Suc m)
Page 60: 3.5 Total Recursive Functions: fun
Page 63 and 64: 54 4. Presenting Theoriesdefinition
Page 65 and 66: 56 4. Presenting Theories| Yen nat
Page 67 and 68: 58 4. Presenting Theories4.2.1 Isab
Page 69 and 70: 60 4. Presenting Theoriesheader {*
Page 71 and 72: 62 4. Presenting Theoriestext {*Thi
Page 73 and 74: 64 4. Presenting TheoriesTagged com
Page 76 and 77: 5. The Rules of the GameThis chapte
Page 79: 70 5. The Rules of the GameThe assu
Page 83 and 84:
74 5. The Rules of the Game¬(P →
Page 85 and 86:
76 5. The Rules of the GameOther me
Page 87 and 88:
78 5. The Rules of the Gamere-orien
Page 89 and 90:
80 5. The Rules of the Gamelemma "[
Page 91 and 92:
82 5. The Rules of the GameAs befor
Page 93 and 94:
84 5. The Rules of the Gamelemma "[
Page 95 and 96:
86 5. The Rules of the Game5.10.1 D
Page 97 and 98:
88 5. The Rules of the Game5.11 Som
Page 99 and 100:
90 5. The Rules of the GameThe next
Page 101 and 102:
92 5. The Rules of the Gameit can p
Page 103 and 104:
94 5. The Rules of the Game5.15.1 M
Page 105 and 106:
96 5. The Rules of the Game5.15.2 M
Page 107 and 108:
98 5. The Rules of the Game5.16.1 T
Page 109 and 110:
100 5. The Rules of the Game5.17 Ma
Page 111 and 112:
102 5. The Rules of the GameWe deci
Page 113 and 114:
104 5. The Rules of the Gamegcd ?m1
Page 116 and 117:
6. Sets, Functions and RelationsThi
Page 118 and 119:
6.1 Sets 1096.1.1 Finite Set Notati
Page 120 and 121:
6.2 Functions 111The internal form
Page 122 and 123:
6.3 Relations 1131. ∀ x y. f x =
Page 124 and 125:
Induction over the reflexive transi
Page 126 and 127:
inv_image r f ≡ {(x,y). (f x, f y
Page 128 and 129:
6.6 Case Study: Verified Model Chec
Page 130 and 131:
Page 132 and 133:
6.6.2 Computation Tree Logic — CT
Page 134 and 135:
Page 136:
Page 139 and 140:
130 7. Inductively Defined Setsan e
Page 141 and 142:
132 7. Inductively Defined Sets1. n
Page 143 and 144:
134 7. Inductively Defined Setsindu
Page 145 and 146:
136 7. Inductively Defined SetsNow
Page 147 and 148:
138 7. Inductively Defined Sets7.3.
Page 149 and 150:
140 7. Inductively Defined Setswher
Page 151 and 152:
142 7. Inductively Defined Sets7.3.
Page 153 and 154:
144 7. Inductively Defined Sets| "[
Page 155 and 156:
146 7. Inductively Defined Setstheo
Page 158:
Part IIIAdvanced Material
Page 161 and 162:
152 8. More about TypesThe intuitiv
Page 163 and 164:
154 8. More about Typesthe simplifi
Page 165 and 166:
156 8. More about Typesmore is impl
Page 167 and 168:
158 8. More about TypesThe cases me
Page 169 and 170:
160 8. More about Types8.3 Axiomati
Page 171 and 172:
162 8. More about Typesprefix_def:"
Page 173 and 174:
164 8. More about TypesLinear Order
Page 175 and 176:
166 8. More about Types8.4 NumbersU
Page 177 and 178:
168 8. More about Types2 + n = Suc
Page 179 and 180:
170 8. More about Typeswhen the lef
Page 181 and 182:
172 8. More about Types((c::’a::r
Page 183 and 184:
174 8. More about Types8.5.2 Defini
Page 185 and 186:
176 8. More about TypesThe fact tha
Page 187 and 188:
178 9. Advanced Simplification and
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 198 and 199:
10. Case Study: Verifying a Securit
Page 200 and 201:
10.2 Agents and Messages 1911. A
Page 202 and 203:
analz (synth H) = analz H ∪ synth
Page 204 and 205:
10.6 Proving Elementary Properties
Page 206 and 207:
10.7 Proving Secrecy Theorems 197No
Page 208 and 209:
10.7 Proving Secrecy Theorems 199ca
Page 210:
201You know my methods. Apply them!
Page 213 and 214:
204 A. AppendixConstant Type Syntax
Page 215 and 216:
206 BIBLIOGRAPHY[13] Florian Haftma
Page 217 and 218:
Index!, 203?, 203∃! , 203?!, 203&
Page 219 and 220:
210 Index- defining inductively, 12
Page 221 and 222:
212 Index- and fun, 48patterns- hig
show all

Tutorial on Isabelle/HOL

Create successful ePaper yourself

Delete template?

Save as template?