For Lab… • Please download the inv_lab.zip file, which contains: • - the Sections directory • - the Sparkle_obj.exe • - the inv_lab.icl • - and this inv_lab.ppt PowerPoint file • from http://plc.inf.elte.hu/cefp/download • and extract it to the • C:\Clean 2.1.1\Tools\Sparkle directory.
For Lab… • Start the Sparkle_obj.exe • Go to the Project menu and add the StdEnv library to the environment (Add StdEnv) • Then also in the Project menu add the inv_lab.icl module to the environment • (Add Module)
For Lab… • Go to the Theorems menu and load the inv_misc section file (Load Section) • Now we can formalize the invariant property… • in a New Theorem … • this will be the first goal …
For Lab… • Goal: • - property that still has to be proven • - it is associated with a goal context • Goal context: • - declared variables • - local hypotheses
For Lab… • Proof state: • - list of goals • - the active goal is the current goal • - the others are the subgoals
For Lab… • Tactic: • - a function from a single goal to a list of goals • - must be sound: the validity of the created goals must logically imply the validity of the original goal
Let’s prove • First go to the Theorems menu and make your own • section to store your proofs (New Section) • Go to the Theorems menu to formalize a new • theorem (New Theorem) • - give it a name • - set your section in the • “Create theorem in section:” field • - and give the following property as the initial • proposition • (obj_x > obj_z) INV (exec1 x y z) (z = 2 /\ x = 5)
Let’s prove • Then you get a Theorem Info window • here click on the asterisk to start the proof… • We have an invariant proposition, so the first tactic we apply is the Invariant tactic. • you can choose it from the List of tactics • or you can also use the help of the hint • mechanism of Sparkle. • (Theorems menu, Tactic suggestions window)
Let’s prove • This tactic makes three new goals from the invariant one, according to the invariant definition: • - Initially it has to hold • - Every step has to preserve it • (and we have two steps)
Let’s prove • In the first of the new goals we have a hypothesis • H1: z = 2 /\ x = 5 • here we can eliminate the conjunction with the tactic Split, and we get two new hypotheses • H1: z = 2 • H2: x = 5
Let’s prove • We can use these two hypotheses to rewrite every • occurrence of z to 2 and then every occurrence of • x to 5 in the current goal. • Rewrite -> All H1 • and then • Rewrite -> All H2
Let’s prove • In the goal we can apply a deduction rule to eliminate the three implications and make three hypotheses from them. • Introduce H3 H4 H5
Let’s prove • Then we have to rewrite the value of obj_x_var0 and obj_z_var0 in the goal. • Rewrite -> All H3 • and then • Rewrite -> All H5
Let’s prove • Here we can apply the reduction rule, which reduces the goal to normal form according to the Clean function definitions. • Reduce NF ALL
Let’s prove • We get a very simple goal: • True = True • which is provable with the tactic: • Reflexive
Let’s prove • We have two other goals. In these goals we don’t have the x and z variables, therefore we don’t use the Split tactic as before. But we can eliminate the implications. In the first one: • Introduce H2 H3 H4 H5
Let’s prove • Then we have to rewrite the value of the obj_x_var1 and obj_z_var1 variables • Rewrite -> All H3 • and then • Rewrite -> All H4
Let’s prove • With this we get a goal: • obj_x_var1_old + 6 > obj_z_var1_old • and we have a hypothesis: • obj_x_var1_old > obj_z_var1_old • so we have to use an integer property here…
Let’s prove • There is a built-in theorem in the ints section, which is very similar: • m n p: • m < n p < 0 = False • m < n + p • if we consider m as obj_z_var1_old, n as obj_x_var1_old and p as 6.
Let’s prove • But we have > in place of <, so we have to reduce the definition of > in the goal and in the hypothesis. • Reduce NF All • and then • Reduce NF All in H2
Let’s prove • Now we can apply the built-in theorem: • Apply • and • search for the theorem add_right2_of_<.
Let’s prove • So we get a conjunction as the goal, which we can split into two separate goals with the • Split Deep • tactic.
Let’s prove • One of the new goals is the same as the hypothesis H2, so we can prove it with • Apply H2. • The other is a trivial property of integers, so we can prove it with • IntCompare.
Let’s prove • With this, one goal remains unproven. In this goal we can eliminate the implications first. • Introduce H2 H3 H4 H5
Let’s prove • And then we can rewrite the value of the obj_x_var2 and obj_z_var2 variables. • Rewrite -> All H4 • and then • Rewrite -> All H5
Let’s prove • With this we get a goal which is the same as one of our hypotheses, so we can prove it with • Apply H2. • This is the final step of the proof, so we can save our proof. Go to the Section Center window (the pink one) and save your own section with the disk icon.
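The proof just completed rests on two logical ingredients: the Invariant tactic, which replaces the INV goal by an initial goal plus one preservation goal per step, and the ints theorem add_right2_of_<. Both are restated below in Lean 4 as an added example that is not part of the lab, of inv_lab.icl or of Sparkle; the state type σ, `exec` and `Preserves` are assumptions that model only the shape of `exec1`, not its actual Clean code.

```lean
-- Added example (not from the Sparkle lab): the logic behind the Invariant tactic
-- and the integer lemma used in step 1. σ, exec and Preserves are assumed
-- stand-ins for the Clean object program; they are not the code of inv_lab.icl.

/-- A step preserves the invariant (one "every step has to preserve it" goal). -/
def Preserves {σ : Type} (inv : σ → Prop) (step : σ → σ) : Prop :=
  ∀ s, inv s → inv (step s)

/-- Run a list of steps in order, as `exec1` runs its two steps. -/
def exec {σ : Type} : List (σ → σ) → σ → σ
  | [],      s => s
  | f :: fs, s => exec fs (f s)

/-- If every step preserves `inv`, so does any sequence of steps. -/
theorem exec_preserves {σ : Type} (inv : σ → Prop) :
    ∀ (steps : List (σ → σ)), (∀ f ∈ steps, Preserves inv f) →
      ∀ s, inv s → inv (exec steps s)
  | [],      _, _, hs => hs
  | f :: fs, h, s, hs =>
      exec_preserves inv fs (fun g hg => h g (List.Mem.tail f hg)) (f s)
        (h f (List.Mem.head fs) s hs)

/-- Soundness of the Invariant tactic: the goals it creates (`hInit`, and one
    `Preserves` goal per step) together imply the original INV proposition,
    read as "inv holds after running the steps from any state satisfying init". -/
theorem invariant_rule {σ : Type} (init inv : σ → Prop) (steps : List (σ → σ))
    (hInit : ∀ s, init s → inv s)
    (hSteps : ∀ f ∈ steps, Preserves inv f) :
    ∀ s, init s → inv (exec steps s) :=
  fun s hs => exec_preserves inv steps hSteps s (hInit s hs)

/-- The integer fact behind `add_right2_of_<`, with `p < 0 = False` read as
    `¬ p < 0`; in step 1 it is instantiated with m := obj_z_var1_old,
    n := obj_x_var1_old and p := 6, which is why IntCompare closes `¬ 6 < 0`. -/
theorem add_right2_of_lt (m n p : Int) (h1 : m < n) (h2 : ¬ p < 0) : m < n + p := by
  omega
```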
Exercise • Now let’s try to prove the following invariant: • (obj_y > 0) INV (exec1 x y z) (y = 3) • For help you can use the x>0_->_7x>0 theorem from the inv_misc section. • When you have finished, save your section and upload the corresponding .sec file from the Sections directory (its name will be the one you gave to your own section).