2012: J Paul Gibson TSP: MSC SAI Mathematical Foundations MAT7003.ProofsWithRodin.1

MAT 7003 : Mathematical Foundations

(for Software Engineering)

J Paul Gibson, A207

paul.gibson@it-sudparis.eu

http://www-public.it-sudparis.eu/~gibson/Teaching/MAT7003/

Proofs With RODIN

http://www-public.it-sudparis.eu/~gibson/Teaching/MAT7003/L8-ProofsWithRodin.pdf

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.2

Working with RODIN: different proof techniques

Proof by exhaustion, establishes the conclusion by dividing it into a finite number of cases and proving each one separately.

Proof by contradiction (reductio ad absurdum) - it is shown that if some statement were true then a logical contradiction occurs, hence the statement must be false.

Proof by transposition (contrapositive) establishes the conclusion "if p then q" by proving the equivalent statement "if not q then not p".

Proof by mathematical induction establishes a "base case" and then an "induction rule" is used to prove a series of, possibly infinite, other cases

Proof by construction, or proof by example, is the construction of a concrete example with a property to show that something having that property exists

A nonconstructive proof establishes that a certain mathematical object must exist without explaining how such an object can be found. Often, this uses a proof by contradiction in which the nonexistence of the object is proven to be impossible.

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.3

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.4

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

DecorationThe leaves of the tree are decorated with one of three icons: • means that this leaf is discharged, • means that this leaf is not discharged, • means that this leaf has been reviewed.

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.5

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.6

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.7

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

Proof Control View

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.8

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

Search HypothesesView

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.9

The proving perspective (Rodin User Manual)http://wiki.event-b.org/index.php/The_Proving_Perspective_(Rodin_User_Manual)

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.10

Example 1: odd and even integers

1. How would you specify the sets of odd and even integers?

2. What interesting properties should we be able to prove?

3. Does the structure of the specification help/hinder the proof process?

We can examine how to do this using Rodin

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.11

OddEven : proposed solution 1

Q: Can you explain the axioms and theorems ?

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.12

OddEven 1: proving 2 is even

Why can’t the tool do this automatically?

Interactive proof – the red bits provide interaction points

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.13

OddEven 1: proving 2 is even

A good start is to simplify by removing the axioms that are not relevant in the proof

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.14

OddEven 1: proving 2 is even

We know 2 is even because 2 = 1 + 1 … so we need to tell the tool by using the forall axiom. But we can separate the <=> as we only need it in 1 direction. This rewrites the equivalence as 2 implications

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.15

OddEven 1: proving 2 is even

NOTE: The proof tree is updated

Which of two forall axioms do we no longer need?

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.16

OddEven 1: proving 2 is even

Now, we want to instantiate x with the value 2 and apply modus ponens (by clicking on the =>)

This gives a goal which is immediately provable by instantiation of y to 1

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.17

OddEven 1: proving 2 is even

Now, dont forget to save the proof

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.18

OddEven 1: proving 4 is even

Follow the same reasoning as for proving 2 is even

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.19

OddEven 1: proving 3 is odd

The goal seems obvious, but why is it not proven automatically?

In order not to waste time we can mark it as reviewed

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.20

OddEven 1: proving 3 is odd

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.21

OddEven 1: proving 5 is odd

We can do the same for 5

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.22

OddEven 1: proving even+even = even

Can you do the proof yourselves?

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.23

OddEven : proposed solution 2

Q: Can you explain the axioms and theorems ?

Think about why certain are more easily proven than others … try to prove axm5 and review axiom7

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.24

OddEven : proposed solution 3

Q: Can you explain the axioms and theorems ?

Think about why certain are more easily proven than others … try to prove axm10

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.25

OddEven : proposed solution 3

We start the proof by considering the simplest cases where a=0 or b = 0 …dc a = 0dc b = 0

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.26

OddEven : proposed solution 3

We can then add hypotheses to help in the proof

QUESTION: But, are we missing something critical?

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.27

Arrays in Event-B

Some of you asked about specifying arrays.

These are simply a function from integer indexes to array element values

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.28

Another Event-B Example : Purse Behaviour

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.29

Another Event-B Example : Purse Behaviour

TSP: MSC SAI Mathematical Foundations2012: J Paul Gibson MAT7003.ProofsWithRodin.30

Another Event-B Example : Purse Behaviour

Modelling a change of state to a Purse: adding a coin

Question: can you model the removal of a coin?