Proof Hints: Difference between revisions

From Event-B
Jump to navigationJump to search
← Older edit
imported>Son
imported>Son
 
(22 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Introduction ==
== Introduction ==


This document does NOT provide a way to avoid doing interactive proofs or pointing out the weakness of existing provers. Rather this document shows how to use information from doing interactive proofs to improve the clarity of models. As a consequence of these improvement, the obligations can be discharged automatically. We call these added information to the model "proof hints".
This document does NOT provide a way to avoid doing interactive proofs or pointing out the weakness of existing provers. Rather this document shows how to use information from doing interactive proofs to improve the clarity of models. As a consequence of these improvement, more obligations can be discharged automatically. Below are our proposal for two kinds of improvements: [[#Hypothesis Selection | hypothesis selection]] and [[#Case Distinction|case distinction]].


This concept of "proof hints" already exists in the form of "witness" or "theorem" in Event-B. These useful features are designed not only to help with proving the correctness of the model but also to give more information about the particular model.
== Improvements ==


The question is how we can decide which "features" are useful to have in the model. In principle we can go to the extreme and include the whole proof strategy into the model in order to be able to have it being discharged automatically. But this is undesirable since it will make the model difficult to understand. Having taken this into account we specify our criteria here for "proof hints".
The presentation for each kind of improvement is as follows:
 
1. It should help to understand the model better.
 
2. It should improve the automatic proving rate of the model.
 
In fact, we regard the first criterion as more important whereas the second criterion can be considered as a bonus for improving the clarity of the model. Below are our proposal for two kinds of proof hints: [[Hypothesis Selection | hypothesis selection]] and proof by cases.
 
== Proof Hints ==
 
The presentation for each kind of proof hints is as follows:


1. '''Description''': A brief description of the proof hints with the situation where this can be helpful.
1. '''Description''': A brief description of the proof hints with the situation where this can be helpful.
Line 28: Line 18:
'''Example''' Consider the following Event-B model
'''Example''' Consider the following Event-B model


[[Image:var-hypsel.png]]
[[Image:var-hypsel.png]]         [[Image:inv-hypsel.png]]
 
[[Image:init-hypsel.png]]        [[Image:set-hypsel.png]]
 
Consider the proof obligation '''set/hypSel0_1/INV''' which states that the event '''set''' maintains invariant '''hypSel0_1''' (Here <math>\ldots</math> denotes the unselected hypotheses).
[[Image:set-hypSel0_1-INV.png]]
 
Any provers works with only the selected hypotheses cannot discharge the above proof olbligation since the hypothesis <math>x \neq 0 \limp y \in \nat</math> is missing. The obligation with the appropriate hypothesis selection is as follows
[[Image:set-hypSel0_1-INV-sel.png]]
 
'''Workaround''' Currently, given and event '''evt''' and invariant '''inv''', the invariant preservation proof obligation '''evt/inv/INV''' generated with the following hypotheses automatically selected;


variables: <math>x, y</math>
* The invariant '''inv'''


invariants:
* The guard of the event '''evt'''


<math>\mathbf{hypSel0\_1:} \quad x \in \nat</math>
In order to have the needed hypothesis selected automatically, we will add this hypothesis into the guard.  Moreover, in order to avoid changing event's behaviour, we will mark this extra guard as a theorem.  Apply this technique, the new event '''set''' is as follows
[[Image:new-set-hypsel.png]]


<math>\mathbf{hypSel0\_2:} \quad x \neq 0 \limp y \in \nat</math>
Note that the extra (theorem) guard can be removed in the further refinement without generating any new proof obligation.


events:
=== Case distinction ===
'''Description''' In order to discharge a proof obligation, the developer makes a manual "proof by cases" based on some condition <math>P</math>. Afterwards, all branches of the proofs are discharged either by ML or AtelierB P0. The solution is to (somehow) give "hints" to the POG to generate different proof obligations for each case separately. ''Proof by cases'' is usually not applied automatically since this splits the proof tree which could lead to blows up in terms of the number of cases.


'''Example''' Consider the following Event-B model


[[Image:casesplit.png]]


'''Workaround''' TODO
Consider the proof obligation '''set/case0_1/INV''' (Here all hypotheses, including those hidden are shown)


'''Proposal''' TODO
[[Image:set-case0_1-INV.png]]


=== Case distinction ===
In order to finish the proof, a correct "proof by cases" is done to consider <math>a = 1</math> or <math>a \neq 1</math>.
'''Description''' This section discuss about a proof hint related to the case where a developer has to do a manual "proof by case", after that, all branches of the proofs are discharged either by ML or AtelierB P0. The solution is to (somehow) give "hints" to the POG to generate different proof obligations for each case separately. Proving by cases are usually not done automatically since this splits the proof tree which could lead to blows up in terms of the number of cases.
 
'''Workaround''' To capture the effect of doing '''proof by cases''', we split the original event '''set''' into two different events as follows
 
[[Image:new-set-evts.png]]


'''Example''' TODO
In the next refinement step, we can merge the above two new event to the original event as follows.


'''Workaround''' TODO
[[Image:merged-set.png]]


'''Proposal''' TODO
[[Category:Proof]]
[[Category:Proof]]
[[Category:Work in progress]]
[[Category:Work in progress]]

Latest revision as of 22:17, 5 March 2010

Introduction

This document does NOT provide a way to avoid doing interactive proofs or pointing out the weakness of existing provers. Rather this document shows how to use information from doing interactive proofs to improve the clarity of models. As a consequence of these improvement, more obligations can be discharged automatically. Below are our proposal for two kinds of improvements: hypothesis selection and case distinction.

Improvements

The presentation for each kind of improvement is as follows:

1. Description: A brief description of the proof hints with the situation where this can be helpful.

2. Example: an example in Event-B is presented.

3. Work around: we show a solution (rather a work-around) for the current RODIN Platform.

Hypothesis Selection

Description In order to discharge the proof obligation, the developer just selects some hypotheses then invoke either AtelierB P0 or newPP restricted to finish these proofs. The solution is to (somehow) give "hints" to the Proof Obligation Generator (POG) to select these hypotheses automatically when generating the corresponding proof obligation.

Example Consider the following Event-B model

Consider the proof obligation set/hypSel0_1/INV which states that the event set maintains invariant hypSel0_1 (Here \ldots denotes the unselected hypotheses).

Any provers works with only the selected hypotheses cannot discharge the above proof olbligation since the hypothesis x \neq 0 \limp y \in \nat is missing. The obligation with the appropriate hypothesis selection is as follows

Workaround Currently, given and event evt and invariant inv, the invariant preservation proof obligation evt/inv/INV generated with the following hypotheses automatically selected;

  • The invariant inv
  • The guard of the event evt

In order to have the needed hypothesis selected automatically, we will add this hypothesis into the guard. Moreover, in order to avoid changing event's behaviour, we will mark this extra guard as a theorem. Apply this technique, the new event set is as follows

Note that the extra (theorem) guard can be removed in the further refinement without generating any new proof obligation.

Case distinction

Description In order to discharge a proof obligation, the developer makes a manual "proof by cases" based on some condition P. Afterwards, all branches of the proofs are discharged either by ML or AtelierB P0. The solution is to (somehow) give "hints" to the POG to generate different proof obligations for each case separately. Proof by cases is usually not applied automatically since this splits the proof tree which could lead to blows up in terms of the number of cases.

Example Consider the following Event-B model

Consider the proof obligation set/case0_1/INV (Here all hypotheses, including those hidden are shown)

In order to finish the proof, a correct "proof by cases" is done to consider a = 1 or a \neq 1.

Workaround To capture the effect of doing proof by cases, we split the original event set into two different events as follows

In the next refinement step, we can merge the above two new event to the original event as follows.

Retrieved from ‘https://wiki.event-b.org/index.php?title=Proof_Hints&oldid=6515