Difference between pages "D45 Prover Enhancement" and "Membership in Goal"

From Event-B
(Difference between pages)
Jump to navigationJump to search
imported>Nicolas
 
imported>Billaude
 
Line 1: Line 1:
= Overview =
+
= Objective =
* Two tasks concerned the prover performance from the core platform: the addition of rewriting and inference rules, and the addition of a mechanism to allow the customization and the parametrization or combination of tactics. While the addition of rewriting and inference rules has always been a regular task to enhance the Rodin integrated prover during DEPLOY lifetime, a new way to manage tactics has been implemented. In fact, the user is now able to define various types of tactics called 'profiles' which could be customized and parameterized tactics to discharge some specific proof obligations.
 
* {{TODO}} An overview of the contribution about the ProB Disprover (Daniel Plagge, Jens Bendiposto)
 
* The SMT Solvers plug-in allowing to use the SMT solvers within Rodin is an effective alternative to the Atelier-B provers, particularly when reasoning on linear arithmetic. {{TODO}} (Laurent Voisin, Yoann Guyot)
 
  
= Motivations =
+
This page describes the design of the reasoner MembershipGoal and its associated tactic MembershipGoalTac.<br>
== New rewriting and inference rules ==
+
This reasoner discharges sequent whose goal denotes a membership which can be inferred with hypotheses. Here an basic example of what it discharges :<br>
In an Event-B development, more than 60% of the time is spent on proofs. It has been a continuous aim to increase the number of automatically discharged proof obligations (POs) by improving the capabilities of the integrated sequent prover through the addition of rewriting and inference rules. These rules were provided through tactics, or existing or newly created. These tactics were automatic, or manual, or sometimes both. Providing new proving rules, even if it sometimes does not increase directly the number of automatically discharged POs aims to help the user to interactively discharge them and spare his time.
+
<math>H,\quad x\in S,\quad S\subset T,\quad T\subseteq U \quad\vdash x\in U</math>
  
== Advanced Preferences for Auto-tactics ==
+
= Analysis =
  
Sometimes, the automatic prover fails because the order of the applied tactics doesn't lead to discharge the proof obligation. Previously the ordering of tactics was lost at each change. Another issue is to have more than one possibility to combine the tactics. Indeed, various combinators called ''tacticals'' allow to combine tactics in a specific manner, thus providing a sort of tactic arithmetic. The advanced preferences for auto-tactics solved these two issues.
+
Such sequent are proved by PP and ML. But, these provers have both drawbacks :
 +
*All the visible are added as needed hypotheses, which is most of the time not the case.
 +
*They take quite consequent time to prove it (even with the basic example given here above, the difference in time execution is noticeable).
 +
*If there are too many hypotheses, or if the expression of the <math>x</math> is too complicated, they may not prove it.
 +
This is particularly true when in the list of inclusion expressions of each side of the relation are not equal. For example : <math>H,\quad a\in S,\quad S\subset T_1\cap T_2,\quad T_1\cup T_3\subseteq  U\quad\vdash a\in U</math>
 +
<p>
 +
Such a reasoner contributes to prove more Proof Obligations automatically, faster and with fewer needed hypotheses which makes proof rule more legible and proof replay less sensitive to modifications.
  
== Isabelle Plug-in ==
+
= Tactic =
{{TODO}} ''To be completed by Matthias Schmaltz''
 
== ProB Disprover ==
 
{{TODO}} ''Daniel Plagge, Jens Bendiposto''
 
== SMT Solver Integration ==
 
{{TODO}} ''Laurent Voisin'' & ''Yoann Guyot''
 
  
= Choices / Decisions =
+
This part explains how the tactic (MembershipGoalTac) associated to the reasoner MembershipGoal is working.
== New rewriting and inference rules ==
+
== Goal ==
{{TODO}} ''To be completed by Laurent Voisin''
+
The tactic (as the reasoner) should works only on goals such as :
== Advanced Preferences for Auto-tactics ==
+
*<math><goal>\quad:\quad expresion\quad\in\quad<set></math>
{{TODO}} ''To be completed by Nicolas Beauger''
+
*<math><member>\quad:\quad expresion\quad\mid\quad FA</math>
Since Rodin 2.1, simple tactic profiles have been added. They allow to persiste and set specifically for some project various ordered ways to apply the basic tactics. Since Rodin 2.3, tacticals and parameterisation have been added to the profiles increasing even more the potential of such proving feature. The combinators allow for exemple to loop on a subset of tactics, including existing profiles, and the parameterisation allows for example to set a timeout on external provers such as AtelierB P1.
+
*<math><set>\quad:\quad expresion\otimes expresion\quad\mid\quad expresion\parallel expresion\quad\mid\quad <union>\quad\left[\cup <union>\right]</math>
 +
*<math><union>\quad:\quad<cprod>\quad\left[\cprod<cprod>\right]</math>
 +
*<math><cprod>\quad:\quad\left(<set>\right)\quad\mid\quad expresion</math>
 +
For example those examples matches with the definition here above :
 +
*<math>f(x)\in g\otimes h</math>
 +
*<math>x\in A\cprod\left(B\cup C\right)</math>
 +
Every other goals denoting a membership should be re-
 +
== Hypotheses ==
 +
The hard part is to find the hypotheses leading to discharge the sequent. To do so, the tactic recovers three kinds of hypotheses :
 +
#the ones related to the left member of the goal <math>\left( x\in S\right)</math> (this is the start point):
 +
#*<math>x\in \cdots</math>
 +
#*<math>\cdots\mapsto x\mapsto\cdots\in\cdots</math>
 +
#*<math>\left\{\cdots, x,\cdots\right\}\subseteq\cdots</math>
 +
#the ones denoting inclusion (all but the ones matching the description of the first point) :
 +
#*<math>\cdots\subset\cdots</math>
 +
#*<math>\cdots\subseteq\cdots</math>
 +
#the one from which we can infer inclusion :
 +
#*<math>f\in A\;op\;B \quad\vdash\quad f\subseteq A\cprod B\quad\bigl(</math> where <math>op</math>  is one of :<math>\quad\rel, \trel, \srel, \strel, \pfun, \tfun, \pinj, \tinj, \psur, \tsur, \tbij\bigr)</math>
 +
#*<math>f\subseteq A\cprod B \quad\vdash\quad f\otimes f\subseteq A\cprod\left(B\cprod B\right)</math>
 +
Then, it will search a link between those hypotheses so that the sequent can be discharged.
 +
== Find a path ==  
 +
Now that we recovered all the hypotheses that could be useful for the reasoner, it <i>just</i> remains to find a path among the hypotheses leading to discharge the sequent. Depending on the relations on each side of the inclusion, we will act differently. <math>f</math> always represent an expression (may be a domain, a range, etc.).
 +
#The following sequent is provable because <math>f\subseteq \varphi (f)</math>.
 +
#*<math>x\in f,\quad \varphi (f)\subseteq g\quad\vdash\quad x\in g</math>
 +
#*<math>\varphi (f) = f\quad\mid\quad f\cup h \quad\mid\quad h\cup f \quad\mid\quad h\ovl f</math>
 +
#The following sequent is provable because <math>\psi (f)\subseteq f</math>.
 +
#*<math>x\in \psi (f),\quad f\subseteq g\quad\vdash\quad x\in g</math>
 +
#*<math>\psi (f) = f\quad\mid\quad f\cap h \quad\mid\quad h\cap f \quad\mid\quad f\setminus h \quad\mid\quad f\ransub A \quad\mid\quad f\ranres A \quad\mid\quad A\domsub f \quad\mid\quad A\domres f</math>
 +
#We can generalized the first two points. This is the Russian dolls system. We can easily prove a sequent with multiple inclusions by going from hypothesis to hypothesis.
 +
#*<math>x\in \psi (f),\quad \varphi (f)\subseteq g\quad\vdash\quad x\in g</math>
 +
#For some relations, <i>positions</i> are needed to be known to continue to find hypotheses, but it is not always necessary.
 +
#*<math>x\mapsto y\in f,\quad f\subseteq A\cprod B\quad\vdash\quad x\in A</math>
 +
#*<math>x\in dom(f),\quad f\subseteq A\cprod B\quad\vdash\quad x\in A</math>
 +
#*<math>x\in ran(f),\quad f\subseteq A\cprod B\quad\vdash\quad x\in B</math>
 +
#*<math>x\in f,\quad f\otimes g\subseteq A\cprod\left(B\cprod C\right)\quad\vdash\quad x\in A\cprod B</math>
 +
#*<math>x\in f,\quad f\parallel g\subseteq \left(A\cprod C\right)\cprod\left(B\cprod D\right)\quad\vdash\quad x\in A\cprod B</math>
 +
#Those rewrites can be useful when the Russian dolls system does not succeed.
 +
#*<math>dom(f)\cup dom(g) = dom(f\ovl g)</math>
 +
#*<math>ran(f)\cup ran(g)\subseteq ran(f\ovl g)</math>
 +
#*<math>dom(A\domres f) = dom(f)\cap A</math>
 +
#*<math>ran(f\ranres A) = ran(f)\cap A</math>
 +
#*<math>A\subseteq X\quad\land\quad B\subseteq Y\quad\vdash\quad A\cprod B\subseteq X\cprod Y</math>
 +
#:Be careful ! The previous one may appear as reciprocal, but it is not the case at all (just replace the set <math>B</math> by <math>\varnothing</math>).
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\subseteq A\cprod B</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f^{-1}\subseteq B\cprod A</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f[A]\subseteq B</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\domres prj1 = prj1\ranres f\subseteq A\cprod B\cprod A</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\domres prj2 = prj2\ranres f\subseteq A\cprod B\cprod B</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\domres id = id\ranres f\subseteq (A\cprod B)\cprod(A\cprod B)</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B,\quad g\in B\;op_2\;C\;\lor\; g\subseteq B\cprod C \quad\vdash\quad f;g = g\circ f \subseteq A\cprod C</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B,\quad g\in A\;op_2\;C\;\lor\; g\subseteq A\cprod C \quad\vdash\quad f\otimes g \subseteq A\cprod (B\cprod C)</math>
 +
#*<math>f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B,\quad g\in C\;op_2\;D\;\lor\; g\subseteq C\cprod D \quad\vdash\quad f\parallel g \subseteq (A\cprod C)\cprod (B\cprod D)</math>
 +
#:<math>\bigl(</math> where <math>op_1</math> and <math>op_2</math> are ones of :<math>\quad\rel, \trel, \srel, \strel, \pfun, \tfun, \pinj, \tinj, \psur, \tsur, \tbij\bigr)</math>
  
== Isabelle Plug-in ==
+
By using these inclusion and rewrites, it tries to find a path among the recovered hypotheses. Every hypotheses denoting an inclusion should be used only once. Every hypotheses from which new hypothesis can be inferred could be used as many times as wanted. Among all paths that lead to discharge the sequent, the tactic give the first it finds. Moreover, so that the reasoner does not do the same work as the tactic of writing new hypothesis, it gives all needed hypotheses and added hypotheses in the input.
{{TODO}} ''To be completed by Matthias Schmaltz''
 
== ProB Disprover ==
 
{{TODO}} ''Daniel Plagge, Jens Bendiposto''
 
== SMT Solver Integration ==
 
{{TODO}} ''Laurent Voisin'' & ''Yoann Guyot''
 
  
= Available Documentation =
+
= Reasoner =
* {{TODO}} Links for New rewriting and inference rules
 
* {{TODO}} Links for Advanced Preferences for Auto-tactics
 
* {{TODO}} Links for Isabelle Plug-in
 
* {{TODO}} Links for ProB Disprover
 
* {{TODO}} Links for SMT Solver Integration
 
  
= Status =
+
This part describes how the reasoner works.
== New rewriting and inference rules ==
 
{{TODO}} ''To be completed by Laurent Voisin''
 
== Advanced Preferences for Auto-tactics ==
 
{{TODO}} ''To be completed by Nicolas Beauger''
 
== Isabelle Plug-in ==
 
{{TODO}} ''To be completed by Matthias Schmaltz''
 
== ProB Disprover ==
 
{{TODO}} ''Daniel Plagge, Jens Bendiposto''
 
== SMT Solver Integration ==
 
{{TODO}} ''Laurent Voisin'' & ''Yoann Guyot''
 
  
[[Category:D45 Deliverable]]
+
== Goal ==
 +
The goal must match the same kind of goal as describes in the tactic part.
 +
 
 +
== Input ==
 +
Because we do not want to do the job of re-writing, every added hypotheses used to discharge the sequent should be contained in the input (the reasoner must extend HypothesesReasoner) as well as hypotheses used to perform the re-writing and hypotheses used to discharge the sequent. Thus we get those obligations :
 +
*Every added hypotheses must be re-writable with hypotheses contained in the sequent and in the input.
 +
*Every added hypotheses should be used to discharge the sequent.
 +
*Hypotheses used to perform re-writing could be also used to discharge a sequent and may be used several times to prove that added hypotheses are re-writable.
 +
*Hypotheses used to discharge the sequent should be used only once in the path (no loop allowed).
 +
*It checks that with all these hypotheses can actually discharge the sequent
 +
 
 +
If all those tests pass, then the sequent is discharged. The added hypotheses are set as AddedHyps, and all the other hypotheses of the input are set as NeededHps.
 +
 
 +
[[Category:Design proposal]]

Revision as of 13:34, 30 June 2011

Objective

This page describes the design of the reasoner MembershipGoal and its associated tactic MembershipGoalTac.
This reasoner discharges sequent whose goal denotes a membership which can be inferred with hypotheses. Here an basic example of what it discharges :
H,\quad x\in S,\quad S\subset T,\quad T\subseteq U \quad\vdash x\in U

Analysis

Such sequent are proved by PP and ML. But, these provers have both drawbacks :

  • All the visible are added as needed hypotheses, which is most of the time not the case.
  • They take quite consequent time to prove it (even with the basic example given here above, the difference in time execution is noticeable).
  • If there are too many hypotheses, or if the expression of the x is too complicated, they may not prove it.

This is particularly true when in the list of inclusion expressions of each side of the relation are not equal. For example : H,\quad a\in S,\quad S\subset T_1\cap T_2,\quad T_1\cup T_3\subseteq U\quad\vdash a\in U

Such a reasoner contributes to prove more Proof Obligations automatically, faster and with fewer needed hypotheses which makes proof rule more legible and proof replay less sensitive to modifications.

Tactic

This part explains how the tactic (MembershipGoalTac) associated to the reasoner MembershipGoal is working.

Goal

The tactic (as the reasoner) should works only on goals such as :

  • <goal>\quad:\quad expresion\quad\in\quad<set>
  • <member>\quad:\quad expresion\quad\mid\quad FA
  • <set>\quad:\quad expresion\otimes expresion\quad\mid\quad expresion\parallel expresion\quad\mid\quad <union>\quad\left[\cup <union>\right]
  • <union>\quad:\quad<cprod>\quad\left[\cprod<cprod>\right]
  • <cprod>\quad:\quad\left(<set>\right)\quad\mid\quad expresion

For example those examples matches with the definition here above :

  • f(x)\in g\otimes h
  • x\in A\cprod\left(B\cup C\right)

Every other goals denoting a membership should be re-

Hypotheses

The hard part is to find the hypotheses leading to discharge the sequent. To do so, the tactic recovers three kinds of hypotheses :

  1. the ones related to the left member of the goal \left( x\in S\right) (this is the start point):
    • x\in \cdots
    • \cdots\mapsto x\mapsto\cdots\in\cdots
    • \left\{\cdots, x,\cdots\right\}\subseteq\cdots
  2. the ones denoting inclusion (all but the ones matching the description of the first point) :
    • \cdots\subset\cdots
    • \cdots\subseteq\cdots
  3. the one from which we can infer inclusion :
    • f\in A\;op\;B \quad\vdash\quad f\subseteq A\cprod B\quad\bigl( where op is one of :\quad\rel, \trel, \srel, \strel, \pfun, \tfun, \pinj, \tinj, \psur, \tsur, \tbij\bigr)
    • f\subseteq A\cprod B \quad\vdash\quad f\otimes f\subseteq A\cprod\left(B\cprod B\right)

Then, it will search a link between those hypotheses so that the sequent can be discharged.

Find a path

Now that we recovered all the hypotheses that could be useful for the reasoner, it just remains to find a path among the hypotheses leading to discharge the sequent. Depending on the relations on each side of the inclusion, we will act differently. f always represent an expression (may be a domain, a range, etc.).

  1. The following sequent is provable because f\subseteq \varphi (f).
    • x\in f,\quad \varphi (f)\subseteq g\quad\vdash\quad x\in g
    • \varphi (f) = f\quad\mid\quad f\cup h \quad\mid\quad h\cup f \quad\mid\quad h\ovl f
  2. The following sequent is provable because \psi (f)\subseteq f.
    • x\in \psi (f),\quad f\subseteq g\quad\vdash\quad x\in g
    • \psi (f) = f\quad\mid\quad f\cap h \quad\mid\quad h\cap f \quad\mid\quad f\setminus h \quad\mid\quad f\ransub A \quad\mid\quad f\ranres A \quad\mid\quad A\domsub f \quad\mid\quad A\domres f
  3. We can generalized the first two points. This is the Russian dolls system. We can easily prove a sequent with multiple inclusions by going from hypothesis to hypothesis.
    • x\in \psi (f),\quad \varphi (f)\subseteq g\quad\vdash\quad x\in g
  4. For some relations, positions are needed to be known to continue to find hypotheses, but it is not always necessary.
    • x\mapsto y\in f,\quad f\subseteq A\cprod B\quad\vdash\quad x\in A
    • x\in dom(f),\quad f\subseteq A\cprod B\quad\vdash\quad x\in A
    • x\in ran(f),\quad f\subseteq A\cprod B\quad\vdash\quad x\in B
    • x\in f,\quad f\otimes g\subseteq A\cprod\left(B\cprod C\right)\quad\vdash\quad x\in A\cprod B
    • x\in f,\quad f\parallel g\subseteq \left(A\cprod C\right)\cprod\left(B\cprod D\right)\quad\vdash\quad x\in A\cprod B
  5. Those rewrites can be useful when the Russian dolls system does not succeed.
    • dom(f)\cup dom(g) = dom(f\ovl g)
    • ran(f)\cup ran(g)\subseteq ran(f\ovl g)
    • dom(A\domres f) = dom(f)\cap A
    • ran(f\ranres A) = ran(f)\cap A
    • A\subseteq X\quad\land\quad B\subseteq Y\quad\vdash\quad A\cprod B\subseteq X\cprod Y
    Be careful ! The previous one may appear as reciprocal, but it is not the case at all (just replace the set B by \varnothing).
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\subseteq A\cprod B
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f^{-1}\subseteq B\cprod A
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f[A]\subseteq B
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\domres prj1 = prj1\ranres f\subseteq A\cprod B\cprod A
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\domres prj2 = prj2\ranres f\subseteq A\cprod B\cprod B
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B\quad\vdash\quad f\domres id = id\ranres f\subseteq (A\cprod B)\cprod(A\cprod B)
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B,\quad g\in B\;op_2\;C\;\lor\; g\subseteq B\cprod C \quad\vdash\quad f;g = g\circ f \subseteq A\cprod C
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B,\quad g\in A\;op_2\;C\;\lor\; g\subseteq A\cprod C \quad\vdash\quad f\otimes g \subseteq A\cprod (B\cprod C)
    • f\in A\;op_1\;B\;\lor\; f\subseteq A\cprod B,\quad g\in C\;op_2\;D\;\lor\; g\subseteq C\cprod D \quad\vdash\quad f\parallel g \subseteq (A\cprod C)\cprod (B\cprod D)
    \bigl( where op_1 and op_2 are ones of :\quad\rel, \trel, \srel, \strel, \pfun, \tfun, \pinj, \tinj, \psur, \tsur, \tbij\bigr)

By using these inclusion and rewrites, it tries to find a path among the recovered hypotheses. Every hypotheses denoting an inclusion should be used only once. Every hypotheses from which new hypothesis can be inferred could be used as many times as wanted. Among all paths that lead to discharge the sequent, the tactic give the first it finds. Moreover, so that the reasoner does not do the same work as the tactic of writing new hypothesis, it gives all needed hypotheses and added hypotheses in the input.

Reasoner

This part describes how the reasoner works.

Goal

The goal must match the same kind of goal as describes in the tactic part.

Input

Because we do not want to do the job of re-writing, every added hypotheses used to discharge the sequent should be contained in the input (the reasoner must extend HypothesesReasoner) as well as hypotheses used to perform the re-writing and hypotheses used to discharge the sequent. Thus we get those obligations :

  • Every added hypotheses must be re-writable with hypotheses contained in the sequent and in the input.
  • Every added hypotheses should be used to discharge the sequent.
  • Hypotheses used to perform re-writing could be also used to discharge a sequent and may be used several times to prove that added hypotheses are re-writable.
  • Hypotheses used to discharge the sequent should be used only once in the path (no loop allowed).
  • It checks that with all these hypotheses can actually discharge the sequent

If all those tests pass, then the sequent is discharged. The added hypotheses are set as AddedHyps, and all the other hypotheses of the input are set as NeededHps.

Retrieved from ‘https://wiki.event-b.org/index.php?title=D45_Prover_Enhancement&oldid=6060