MAT 7003 : Mathematical Foundations
(for Software Engineering)
J Paul Gibson, A207
http://www-public.it-sudparis.eu/~gibson/Teaching/MAT7003/
2012: J Paul Gibson TSP: MSC SAI Mathematical Foundations MAT7003.ProofsWithRodin.1
Proofs With RODIN
http://www-public.it-sudparis.eu/~gibson/Teaching/MAT7003/L8-ProofsWithRodin.pdf
Working with RODIN: different proof techniques
Proof by exhaustion, establishes the conclusion by dividing it into a finite number of cases and proving each one separately.
Proof by contradiction (reductio ad absurdum) - it is shown that if some statement were true then a logical contradiction occurs, hence the statement must be false.
Proof by transposition (contrapositive) establishes the conclusion "if p then q" by proving the equivalent statement "if not q then not p".
Proof by mathematical induction establishes a "base case" and then an "induction rule" is used to prove a series of, possibly infinite, other cases.
Proof by construction, or proof by example, is the construction of a concrete example with a property to show that something having that property exists.
A nonconstructive proof establishes that a certain mathematical object must exist without explaining how such an object can be found. Often, this uses a proof by contradiction in which the nonexistence of the object is proven to be impossible.
The proving perspective (Rodin User Manual): http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)
Decoration: the leaves of the tree are decorated with one of three icons:
• means that this leaf is discharged,
• means that this leaf is not discharged,
• means that this leaf has been reviewed.
Proof Control View
Search Hypotheses View
Example 1: odd and even integers
1. How would you specify the sets of odd and even integers?
2. What interesting properties should we be able to prove?
3. Does the structure of the specification help/hinder the proof process?
We can examine how to do this using Rodin
OddEven : proposed solution 1
Q: Can you explain the axioms and theorems?
OddEven 1: proving 2 is even
Why can’t the tool do this automatically?
Interactive proof – the red bits provide interaction points
OddEven 1: proving 2 is even
A good start is to simplify by removing the axioms that are not relevant in the proof
OddEven 1: proving 2 is even
We know 2 is even because 2 = 1 + 1 … so we need to tell the tool by using the forall axiom. But we can separate the <=> as we only need it in one direction. This rewrites the equivalence as 2 implications.
OddEven 1: proving 2 is even
NOTE: The proof tree is updated
Which of the two forall axioms do we no longer need?
OddEven 1: proving 2 is even
Now, we want to instantiate x with the value 2 and apply modus ponens (by clicking on the =>)
This gives a goal which is immediately provable by instantiation of y to 1.
OddEven 1: proving 2 is even
Now, don't forget to save the proof.
OddEven 1: proving 4 is even
Follow the same reasoning as for proving 2 is even
OddEven 1: proving 3 is odd
The goal seems obvious, but why is it not proven automatically?
In order not to waste time we can mark it as reviewed
OddEven 1: proving 3 is odd
OddEven 1: proving 5 is odd
We can do the same for 5
OddEven 1: proving even+even = even
Can you do the proof yourselves?
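As an added worked example (not from the lecture slides, and not Rodin's own notation), the two proofs from this section, "2 is even" and "even + even = even", written out in Lean 4 so that each step of the Rodin proof tree (remove the unneeded axiom, split the equivalence into one implication, instantiate x, apply modus ponens, instantiate y) has a named counterpart. The axioms are an assumption reconstructed from the hints on the slides (one forall axiom per set, 2 = 1 + 1, instantiating x then y); the names even, odd, axm1, axm2, thm1 and thm2 are chosen here and are not the slides' own. Only core Lean 4 is assumed (no Mathlib).

```lean
-- Added example, not from the lecture slides: a Lean 4 (core only, no Mathlib)
-- reconstruction of "proposed solution 1". The exact axioms of the slides are
-- not on the page; the two forall axioms below are ASSUMED from the hints given.

-- The carrier predicates stand in for the sets "even" and "odd" of the context.
axiom even : Int → Prop
axiom odd  : Int → Prop

-- axm1: ∀x · x ∈ even ⇔ (∃y · x = y + y)
axiom axm1 : ∀ x : Int, even x ↔ ∃ y : Int, x = y + y
-- axm2: ∀x · x ∈ odd ⇔ (∃y · x = y + y + 1)
-- This is the forall axiom that is NOT needed below; in Rodin it is removed
-- from the hypotheses first to keep the proof tree small.
axiom axm2 : ∀ x : Int, odd x ↔ ∃ y : Int, x = y + y + 1

-- thm1: 2 ∈ even, with the same steps as the interactive Rodin proof.
theorem thm1 : even 2 := by
  -- instantiate x with 2 in the forall axiom
  have h : even 2 ↔ ∃ y : Int, 2 = y + y := axm1 2
  -- keep only the direction of the ⇔ we need (the ⇐ implication)
  have h' : (∃ y : Int, 2 = y + y) → even 2 := h.mpr
  -- modus ponens: the goal becomes ∃y · 2 = y + y
  apply h'
  -- instantiate y with 1; 2 = 1 + 1 is closed by computation
  exact ⟨1, by decide⟩

-- thm2: even + even = even, the exercise left to the reader on the slides.
-- The witness for the sum is the sum of the two witnesses, so this is also a
-- proof by construction in the sense of the first slide.
theorem thm2 (a b : Int) (ha : even a) (hb : even b) : even (a + b) := by
  have ⟨y, hy⟩ := (axm1 a).mp ha   -- a = y + y
  have ⟨z, hz⟩ := (axm1 b).mp hb   -- b = z + z
  apply (axm1 (a + b)).mpr
  refine ⟨y + z, ?_⟩               -- a + b = (y + z) + (y + z)
  rw [hy, hz]
  omega                            -- linear integer arithmetic closes the goal
```

Reading thm1 against the slides: `axm1 2` is the instantiation of x, `h.mpr` is the separation of the <=> into the one implication that is used, `apply h'` is the click on the =>, and `⟨1, by decide⟩` is the instantiation of y to 1. The proof of 4 is even is identical with 2 in place of 1 as the witness.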
OddEven : proposed solution 2
Q: Can you explain the axioms and theorems?
Think about why certain ones are more easily proven than others … try to prove axm5 and review axiom7.
OddEven : proposed solution 3
Q: Can you explain the axioms and theorems?
Think about why certain ones are more easily proven than others … try to prove axm10.
OddEven : proposed solution 3
We start the proof by considering the simplest cases where a = 0 or b = 0 … dc a = 0, dc b = 0
OddEven : proposed solution 3
We can then add hypotheses to help in the proof
QUESTION: But, are we missing something critical?
Arrays in Event-B
Some of you asked about specifying arrays.
These are simply a function from integer indexes to array element values.
Another Event-B Example : Purse Behaviour
Modelling a change of state to a Purse: adding a coin
Question: can you model the removal of a coin?