An Interface Layer for Machine Verification (of Formal Reasoning)
Andrei Lapets
February 24, 2010
“formal reasoning”
• mental manipulation of abstract mathematical concepts (numbers, sets, vectors, graphs, functions, lists, arrays)
  – in a classroom setting (examples, assignments)
  – in novel research in other areas of study (scheduling, cryptography, networking)
• examples of the kinds of formal reasoning we are interested in corroborating…
algebra (mathematics)
Assert
  for any n, m ∈ ℤ,
    m ≠ 0,
    n and m are relatively prime,
    √2 = n/m
  implies that
    m · √2 = m · (n/m),
    m · √2 = n,
    (m · √2)² = n²,
    m² · (√2)² = n²,
    m² · 2 = n²,
    n² = m² · 2,
    n² = 2 · m²,
    n² is even,
    n is even, and
    n² = (2 · (n/2))²,
    n² = 2² · ((n/2)²),
    n² = 4 · ((n/2)²),
    2 · m² = 4 · (n/2)²,
    m² = 2 · (n/2)²,
    m² is even,
    m is even, and
    GCF(m, n) ≥ 2,
    GCF(m, n) = 1,
    there is a contradiction.
algebra (mathematics)
Assume
  for all x, y, x′, y′ ∈ ℝ,
    (x, y) + (x′, y′) = (x + x′, y + y′).
Assert
  for any x, y, x′, y′ ∈ ℝ,
    (x, y) + (x′, y′) = (x + x′, y + y′),
    x + x′ = x′ + x,
    y + y′ = y′ + y,
    (x + x′, y + y′) = (x′ + x, y′ + y),
    (x′ + x, y′ + y) = (x′, y′) + (x, y),
    (x, y) + (x′, y′) = (x′, y′) + (x, y).
algebra (functional programming)
Introduce #cons, nil#.
Introduce #map#.
Assume #\forall f. map f nil = nil#.
Assume #\forall f,x,xs. map f (cons x xs) = cons (f x) (map f xs)#.
Introduce #idf#.
Assume #\forall x. idf x = x#.
Assert
#
\forall x,xs.
  map idf xs = xs
  \Rightarrow
    map idf (cons x xs) = cons (idf x) (map idf xs)
    \wedge idf x = x
    \wedge map idf (cons x xs) = cons x (map idf xs)
    \wedge cons x (map idf xs) = cons x xs
    \wedge map idf (cons x xs) = cons x xs
#.
(the slide draws the body of this assertion as a syntax tree: ⇒ at the root, the hypothesis map idf xs = xs as its left child, and a chain of ∧ nodes over the five equations as its right subtree)
logic and set theory (DSL type systems)
Assert for any M, I, O, 𝒞, C, C′,
    (M, I, O, 𝒞) : C,
    pre((M, I, O, 𝒞), C′) ⇛ pre((M, I, O, 𝒞), C), and
    post((M, I, O, 𝒞), C) ⇛ post((M, I, O, 𝒞), C′)
  implies that
    for any V,
      if V ⊨ ((M, I, O, 𝒞) : C) then
        V ⊨ pre((M, I, O, 𝒞), C′)
        implies that
          V ⊨ pre((M, I, O, 𝒞), C) and
          for all V′,
            if V ⊆ V′ and for all K ∈ 𝒞, V′ ⊨ K then
              V′ ⊨ post((M, I, O, 𝒞), C),
              V′ ⊨ post((M, I, O, 𝒞), C′).
formal modeling (e.g. scheduling)
Introduce T, T′.
Assume
  T ∈ ℕ,
  T′ ∈ ℕ,
  T ≥ 1,
  T′ ≥ T.
Assert
  for any n ∈ ℕ, a ∈ {0, 1}*,
    {n, …, n + (T − 1)} ⊆ {n, …, n + (T′ − 1)},
    for any S, S′, V, V′,
      S = {n, …, n + (T − 1)},
      S′ = {n, …, n + (T′ − 1)},
      V = {aᵢ | i ∈ S},
      V′ = {aᵢ | i ∈ S′},
    implies that
      Σ_{x∈V} x ≤ Σ_{x∈V′} x.
(diagram relating a “user”, an “(in)formal argument”, a “verifier” and “feedback”)
machine involvement…
• … in a human activity (e.g. calculation or computation) might improve:
  – accuracy/correctness
  – capacity
• … in formal reasoning improves:
  – accuracy/correctness
  – capacity?
(diagram labelled “user context”: several “domain” and “model” boxes)
we seem to be stuck at the assembly language level
Markus Wenzel. Isar - a generic interpretative approach to readable formal proof documents. In TPHOLs '99: Proceedings of the 12th International Conference on Theorem Proving in Higher Order Logics, pages 167–184, London, UK, 1999. Springer-Verlag.
(diagrams: the “domain”/“model” boxes again, now labelled “simulated context”, “comprehension” and “verification”)
• large
  – containing many familiar syntactic idioms [1,2]
  – encompassing a library of facts and definitions [1,2,3]
• indexed by structure
  – “retrieval by content rather than by name” [1,2]
  – “implicit arguments, explicit results”
• flexible and aggressive
  – provides useful feedback for partial or complete arguments
    • supports construction of arguments in any order as in [1,2]
  – predicts the user’s understanding of an argument
    • this encompasses “automation” as in [1,2,3]
1. A. Abel, B. Chang, and F. Pfenning. Human-readable machine-verifiable proofs for teaching constructive logic. In IJCAR Workshop on Proof Transformations, Proof Presentations and Complexity of Proofs (PTP01), 2001.
2. C. E. Brown. Verifying and Invalidating Textbook Proofs using Scunak. In Mathematical Knowledge Management, MKM 2006, pages 110–123, Wokingham, England, 2006.
3. F. Wiedijk. Comparing mathematical provers. In MKM '03: Proceedings of the Second International Conference on Mathematical Knowledge Management, pages 188–202, London, UK, 2003. Springer-Verlag.
√2 is irrational (the argument shown under “algebra (mathematics)” above)
“aartifact”
(architecture diagram; its components: syntactic constructs and propositions (the input), parser, inference alg., simulated static context (relational db), simulated dynamic context (executable))
• interface (web, command line)
  – ASCII text input
    • other standards, such as MathML, can easily be accommodated
  – raw input returned with highlights
• syntax/parser
  – subset of LaTeX
  – supports user-defined predicate phrases, operators
    • context-sensitive parser built using functional combinators
  – no syntactic references to results, algorithms, etc.
• basic inference/search algorithm
  – typical higher-order logic inference rules
  – limited recursive search for derivations
  – arguments processed sequentially
(example rule shown on the slide, conjunction introduction)
    Δ, Φ ⊢ e₁    Δ, Φ ⊢ e₂
    ───────────────────────
        Δ, Φ ⊢ e₁ ∧ e₂
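The parser bullets above say the grammar is built from functional combinators and is context-sensitive because user-introduced predicate phrases extend it. The following is an added illustration written for this page, not aartifact’s parser: a handful of combinators (lit, seq, alt, end, expr_until) and a phrase parser in which each “*” slot of an introduced phrase becomes an argument expression. Assumptions made here: whitespace tokenization, an argument expression runs up to the next literal word of the enclosing phrase, and the phrase strings and inputs in demo() are constructed for the example.

```python
# Added example, not aartifact's own parser: parser combinators whose grammar
# is extended at run time by the predicate phrases a user has introduced.
# A parser is a function (tokens, position) -> (value, new_position), or None.

def lit(word):
    """Match one literal token."""
    def p(toks, i):
        return (word, i + 1) if i < len(toks) and toks[i] == word else None
    return p

def seq(*parsers):
    """Run parsers one after another; fail if any of them fails."""
    def p(toks, i):
        vals = []
        for q in parsers:
            r = q(toks, i)
            if r is None:
                return None
            v, i = r
            vals.append(v)
        return vals, i
    return p

def alt(*parsers):
    """First parser that succeeds wins."""
    def p(toks, i):
        for q in parsers:
            r = q(toks, i)
            if r is not None:
                return r
        return None
    return p

def end(toks, i):
    """Succeed only at the end of the input."""
    return ((), i) if i == len(toks) else None

def expr_until(stop):
    """An argument expression: a non-empty run of tokens up to the next literal
    word of the enclosing phrase (stop=None: up to the end of the input).
    This is the assumption that makes the phrase grammar context-sensitive."""
    def p(toks, i):
        j = i
        while j < len(toks) and toks[j] != stop:
            j += 1
        return (" ".join(toks[i:j]), j) if j > i else None
    return p

def phrase(pattern):
    """Parser for a predicate phrase such as "* is the set of integers from * to *".
    Each "*" is an argument slot; the result is (pattern, [argument expressions])."""
    words = pattern.split()
    parts = []
    for k, w in enumerate(words):
        if w == "*":
            nxt = next((v for v in words[k + 1:] if v != "*"), None)
            parts.append(expr_until(nxt))
        else:
            parts.append(lit(w))
    whole = seq(*parts)
    def p(toks, i):
        r = whole(toks, i)
        if r is None:
            return None
        vals, j = r
        return (pattern, [v for v, w in zip(vals, words) if w == "*"]), j
    return p

class PhraseParser:
    """The context: the phrases introduced so far define the grammar."""
    def __init__(self):
        self.phrases = []

    def introduce(self, pattern):
        self.phrases.append(pattern)

    def parse(self, text):
        """Return (pattern, args) for a proposition, or None if no phrase fits."""
        toks = text.split()
        r = alt(*[seq(phrase(s), end) for s in self.phrases])(toks, 0)
        return None if r is None else r[0][0]

def demo():
    """A parser loaded with the phrases that appear on the slides (constructed)."""
    pp = PhraseParser()
    for s in ("* is a set", "* is a finite set",
              "* is the set of integers from * to *", "* ⊆ *"):
        pp.introduce(s)
    return pp
```

With an empty PhraseParser nothing parses; after introduce("* is a total map from * to *") the sentence "f is a total map from X to Y" parses to that phrase with arguments f, X, Y, which is the sense in which the grammar depends on the context built up by the argument so far.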
static context
• simulates general user knowledge
  – ontology implemented using a relational database
  – expressions stored in a specialized representation
  – subexpression retrieval possible without iteration/recursion
• indexed by syntax, concepts, and relationships
• interface for manual, expert-directed, distributed management and expansion
• retrieval
  – deliberate browsing, search
  – implicit (context-/syntax-directed inference)
static context
• inference propositions with a single universal quantifier:
    for all x. e₁(x) ∧ … ∧ eₙ(x) ⇒ e(x)
• syntax- and context-directed inference: an expression e(x) under consideration in the argument is matched, by its syntax and the current context, against the propositions of this form held in the static context
    for all x. e₁(x) ∧ … ∧ eₙ(x) ⇒ e(x)
dynamic context
• simulates understanding of the argument at hand
• data structure
  – tuple (E, Q, R) representing the “working” context
    • E: set of all expressions/subexpressions encountered so far
    • Q: set of equivalence classes over E
    • R: hypergraph of predicate/relation hyperedges with node set Q
• context-/syntax-directed inference algorithm
  – computes hypergraph closure
    • maintains marks/flags to track recently modified relations
    • only considers propositions from the static context that involve recently modified relations
    • discards expressions and variables that fall out of scope
(diagram of the working context: expressions σ′ and σ (one shown as the bit string …,1,0,1,1,1,0,1,0,0,1,1,0,0,1,1,1,1,0,1,1,1,1,0…), S, S′, x, y, f, X, Y; relations among them such as σ′ ≥ σ, S ⊆ S′, x = y, “S is a set”, “f is a total map from X to Y”, and the node “there is a contradiction”; the matching predicate phrases in the static context carry placeholders: “* is a set”, “* is a total map from * to *”)
Introduce T, T′.
Assume
  T ∈ ℕ,
  T′ ∈ ℕ,
  T ≥ 1,
  T′ ≥ T.
Assert
  for any n ∈ ℕ, a ∈ {0, 1}*,
    {n, …, n + (T − 1)} ⊆ {n, …, n + (T′ − 1)},
    for any S, S′, V, V′,
      S = {n, …, n + (T − 1)},
      S′ = {n, …, n + (T′ − 1)},
      V = {aᵢ | i ∈ S},
      V′ = {aᵢ | i ∈ S′},
    implies that
      Σ_{x∈V} x ≤ Σ_{x∈V′} x.
(animation, one slide per step: the argument is re-shown with the subexpressions entering the dynamic context highlighted in turn: T, T′, ℕ, 1, T − 1, T′ − 1, n, n + (T − 1), n + (T′ − 1), {n, …, n + (T − 1)}, {n, …, n + (T′ − 1)} and the ⊆ between them, S, S′, V, V′, Σ_{x∈V} x and Σ_{x∈V′} x; next to each highlighted expression appear the predicate phrases retrieved from the static context that apply to it: “* is a set”, “* is a finite set”, “* is the set of integers from * to *”, “* is the sum of *”)
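As an added illustration of the (E, Q, R) working context and the marked closure described on the “dynamic context” slide, run on the kind of subexpressions the animation above highlights, here is a toy implementation written for this page; it is not aartifact’s code. Assumptions made here: expressions are plain strings, equivalence classes are a union-find, a static-context proposition with a single universal quantifier is stored as (premises, conclusion) with “x” marking the quantified variable in each phrase’s argument pattern, the phrase “* is a positive integer” is invented for the example, and the discarding of out-of-scope expressions is left out.

```python
# Added example, not the aartifact implementation: a toy dynamic context
# (E, Q, R) with hypergraph closure that only revisits static-context
# propositions touching recently modified relations.

# A static-context proposition  for all x. p1(x) ∧ ... ∧ pn(x) ⇒ p(x)
# is (premises, conclusion). A premise is (phrase, pattern): in the pattern
# "x" is the quantified variable, "*" matches anything, any other entry is a
# literal expression. The conclusion is a (phrase, pattern) built from x.
STATIC_RULES = [
    ([("* is the set of integers from * to *", ("x", "*", "*"))],
     ("* is a finite set", ("x",))),
    ([("* is a finite set", ("x",))], ("* is a set", ("x",))),
    # assumed phrase, not one from the slides
    ([("* ∈ *", ("x", "ℕ")), ("* ≥ *", ("x", "1"))],
     ("* is a positive integer", ("x",))),
]

class DynamicContext:
    def __init__(self, rules):
        self.rules = rules
        self.E = set()        # every expression/subexpression seen so far
        self.parent = {}      # union-find over E; its roots are the classes Q
        self.R = set()        # hyperedges (phrase, tuple of class representatives)
        self.dirty = set()    # phrases whose hyperedges changed since the last closure
        self.rules_tried = 0  # rule/round combinations the closure examined

    def find(self, e):
        """Representative of e's equivalence class (adds e to E if new)."""
        if e not in self.E:
            self.E.add(e)
            self.parent[e] = e
        while self.parent[e] != e:
            self.parent[e] = self.parent[self.parent[e]]
            e = self.parent[e]
        return e

    def classes(self):
        return {self.find(e) for e in self.E}

    def relate(self, phrase, *args):
        """Record phrase(args) as a hyperedge over the classes of args."""
        edge = (phrase, tuple(self.find(a) for a in args))
        if edge not in self.R:
            self.R.add(edge)
            self.dirty.add(phrase)

    def equate(self, a, b):
        """Merge the classes of a and b (e.g. from an equation a = b) and
        re-canonicalize the hyperedges that mentioned the merged class."""
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        self.parent[ra] = rb
        moved = {edge for edge in self.R if ra in edge[1]}
        self.R -= moved
        for phrase, args in moved:
            self.relate(phrase, *args)

    def holds(self, phrase, *args):
        return (phrase, tuple(self.find(a) for a in args)) in self.R

    def _fits(self, p, a, x):
        """Does pattern entry p accept class representative a, given x?"""
        if p == "x":
            return a == x
        return p == "*" or (p in self.E and self.find(p) == a)

    def _satisfied(self, phrase, pattern, x):
        return any(ph == phrase and len(args) == len(pattern)
                   and all(self._fits(p, a, x) for p, a in zip(pattern, args))
                   for ph, args in self.R)

    def close(self):
        """Hypergraph closure: repeat until no relation is marked dirty, each
        round considering only rules with a premise over a dirty relation."""
        while self.dirty:
            touched, self.dirty = self.dirty, set()
            for premises, (cphrase, cpattern) in self.rules:
                if not any(ph in touched for ph, _ in premises):
                    continue
                self.rules_tried += 1
                for x in list(self.classes()):
                    if all(self._satisfied(ph, pat, x) for ph, pat in premises):
                        self.relate(cphrase, *[x if p == "x" else p for p in cpattern])

def scheduling_context():
    """Feed the first subexpressions of the scheduling argument (constructed
    input, phrased as on the slides) and close the context."""
    ctx = DynamicContext(STATIC_RULES)
    rng = "{n, …, n + (T − 1)}"
    ctx.relate("* ∈ *", "T", "ℕ")
    ctx.relate("* ≥ *", "T", "1")
    ctx.relate("* is the set of integers from * to *", rng, "n", "n + (T − 1)")
    ctx.relate("* = *", "S", rng)
    ctx.equate("S", rng)   # S = {n, …, n + (T − 1)} puts S into the range's class
    ctx.relate("* is the sum of *", "Σ_{x∈V} x", "V")
    ctx.close()
    return ctx
```

After scheduling_context() the fact “S is a finite set” holds even though it was only ever recorded for the set expression, because S and that expression share a class in Q; the closure examines three rule/round combinations in total, since a rule is only revisited when one of its premise relations was marked dirty in the previous round.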
(plot: context component size, series |R|, |E|, |Q|, against assertion point in sequence (1–12) for the scheduling argument; y-axis 0–300)
√2 is irrational (the argument shown under “algebra (mathematics)” above)
(plot: context component size, series |R|, |E|, |Q|, against assertion point in sequence (1–23) for the √2 argument; y-axis 0–450; annotation: |R| ≤ 6|Q|)
ℝ is a vector space ⇒ ℝ² is a vector space (full aartifact source of the argument; its commutativity step is the “algebra (mathematics)” example above)
Assume for all $a,x,y \in \R$, $a * (x,y) = (a*x, a*y)$.
Assume for all $x,y,x',y' \in \R$, $(x,y) + (x',y') = (x+x',y+y')$.
Assert for any $x,y,x',y' \in \R$,
$(x,y) + (x',y') = (x+x',y+y')$,
$x+x' = x'+x$,
$y+y' = y'+y$,
$(x+x',y+y') = (x'+x,y'+y)$,
$(x'+x,y'+y) = (x',y') + (x,y)$,
$(x,y) + (x',y') = (x',y') + (x,y)$.
Assert for any $x,y,x',y',x'',y'' \in \R$,
$(x,y) + (x',y') = (x+x',y+y')$,
$(x+x',y+y') + (x'',y'') = ((x+x')+x'',(y+y')+y'')$,
$((x,y) + (x',y')) + (x'',y'') = ((x+x')+x'',(y+y')+y'')$,
$(x+x')+x'' = x+(x'+x'')$,
$(y+y')+y'' = y+(y'+y'')$,
$((x+x')+x'',(y+y')+y'') = (x+(x'+x''),y+(y'+y''))$,
$(x,y) + (x'+x'',y'+y'') = (x+(x'+x''),y+(y'+y''))$,
$(x+(x'+x''),y+(y'+y'')) = (x,y) + (x'+x'', y'+y'')$,
$(x'+x'', y'+y'') = (x',y') + (x'',y'')$,
$((x,y) + (x',y')) + (x'',y'') = (x,y) + ((x',y') + (x'',y''))$.
Assert for all $x,y \in \R$,
$(0,0) + (x,y) = (0+x,0+y)$,
$0 + x = x$,
$0 + y = y$,
$(0+x,0+y)= (x,y)$,
$(0,0) + (x,y) = (x,y)$.
Assert for all $x,y \in \R$,
$(x,y) + (0,0) = (x+0,y+0)$,
$x + 0 = x$,
$y + 0 = y$,
$(x+0,y+0)= (x,y)$,
$(x,y) + (0,0) = (x,y)$.
Assert for all $a,x,y,x',y' \in \R$,
$(x,y) + (x',y') = (x+x',y+y')$,
$a * ((x,y) + (x',y')) = a*(x+x',y+y')$,
$a*(x+x',y+y') = (a*(x+x'),a*(y+y'))$,
$(a*(x+x'),a*(y+y')) = (((a*x)+(a*x')),(a*y)+(a*y'))$,
$(((a*x)+(a*x')),(a*y)+(a*y')) = (a*x,a*y) + (a*x',a*y')$,
$(a*x,a*y) = a*(x,y)$, $(a*x',a*y') = a*(x',y')$,
$a * ((x,y) + (x',y')) = (a * (x,y)) + (a * (x',y'))$.
Assert for all $a,a',x,y \in \R$,
$a' * (x,y) = (a'*x, a'*y)$,
$a * (a'*x, a'*y) = (a*(a'*x), a*(a'*y))$,
$(a*(a'*x), a*(a'*y)) = ((a*a')*x, (a*a')*y)$,
$((a*a')*x, (a*a')*y) = (a*a')*(x,y)$,
$a * (a' * (x,y)) = (a * a') * (x,y)$.
Assert for all $x,y \in \R$,
$1 * (x,y) = (1*x,1*y)$,
$1*x = x$,
$1*y = y$,
$(1*x,1*y) = (x,y)$,
$1 * (x,y) = (x,y)$.
Assert for all $x,y \in \R$,
$-1 * (x,y) = (-1*x, -1*y)$,
$((-1*x), (-1*y)) + (x,y) = ((-1*x)+x,(-1*y)+y)$,
$-1*x+x = 0$,
$-1*y+y = 0$,
$(-1 * (x,y)) + (x,y) = (0,0)$.
Assert for all $a,b,x,y \in \R$,
$(a + b) * (x,y) = ((a+b)*x, (a+b)*y)$,
$((a+b)*x, (a+b)*y) = (a*x + b*x, a*y + b*y)$,
$(a*x + b*x, a*y + b*y) = (a*x, a*y) + (b*x, b*y)$,
$(a*x, a*y) = a*(x,y)$,
$(b*x, b*y) = b*(x,y)$,
$(a*x, a*y) + (b*x, b*y) = a*(x,y) + b*(x,y)$,
$(a + b) * (x,y) = a*(x,y) + b*(x,y)$.
(plot: context component size, series |R|, |E|, |Q|, against assertion point in sequence (1–81) for the ℝ² vector space argument; y-axis 0–250)
\vbeg
Assume for any $X,Y,Z$, $Z = X - Y$ implies $Z \cup Y = X$.
Assume for any $O'',O',O, P$, if $O'' = O' \cup (O - P)$ then $O'' \subseteq O \cup O'$.
\vend
soundness of NetSketch formalism
\vbeg
Assert for any $x,y,z \in \R$, if $x > y$ and $y > z$ then $x > z$.
\vend
\vbeg
Introduce constant $\Const$. Assume for any $C$, $C$
is a constraint set iff $C \subseteq \Const$. Assume for any $C$,
if $C$ is a constraint set then $C$ is a set.
Introduce constant $\XC$. Assume for any $P$, $P$ is
a parameter set iff $P \subseteq \XC$. Assume for any $P$, if $P$
is a parameter set then $P$ is a set.
Introduce constant $\parameters$. Assume for any
$C$, if $C \subseteq \Const$ then $\parameters(C) \subseteq \XC$.
\vend
\vbeg
Assume for any $A,I,O,C$,
$(A,I,O,C)$ is an untyped module
iff
$I \subseteq \parameters(C)$,
$O \subseteq \parameters(C)$,
$O \cap I = \emptyset$, and
$C \subseteq \Const$.
\vend
\vbeg
Introduce set operator $\hastype$.
Assume for any $A,I,O,C,C'$,
$(A,I,O,C) \hastype C'$ is a typed module
iff
$(A,I,O,C)$ is an untyped module,
$C' \subseteq \Const$, and
$\parameters(C') \subseteq I \cup O$.
\vend
\vbeg
Introduce set operator $\sats$.
\vend
\vbeg
Introduce set operators $\Rrightarrow, \LleftRrightarrow$.
Assume for any $C,C'$,
if $C \subseteq \Const$, $C' \subseteq \Const$ then
$C \Rrightarrow C'$
iff
{for all $V \in \XC \rightarrow \N$, $V \sats C$ implies $V \sats C'$}.
Assume for any $C,C'$, {$C \LleftRrightarrow C'$} iff {$C \Rrightarrow C'$ and $C' \Rrightarrow
C$}.
\vend
\vbeg
Assume for any $C,C'$, $C' \subseteq C$ implies $C
\Rrightarrow C'$.
\vend
\vbeg
Introduce constant $\clo$. Assume for any $C$, $\clo(C) = \{c | c \in \Const, C \Rrightarrow
\{c\}\}$.
Assume for any $C$, if $C \subseteq \Const$ then $\clo(C)
\subseteq \Const$.
\vend
\vbeg
Assume for any $C$, $C \subseteq \clo(C)$.
Assume for any $C,C'$, $C \subseteq C'$ implies $\clo(C) \subseteq \clo(C')$.
\vend
\vbeg
Assume for all $C,C'$,
if $\parameters(C) \cap \parameters(C') = \emptyset$ then $\clo(C \cup C') = {\clo(C) \cup
\clo(C')}$.
\vend
\vbeg
Assume for any $C,C'$, $\parameters(C) \cap \parameters(C') = \emptyset$
implies $\parameters(\clo(C)) \cap \parameters(\clo(C')) = \emptyset$.
\vend
\vbeg
Introduce set operators $\upharpoonright, \downharpoonright$.
Assume for any $C,P$,
$C \subseteq \Const$ and $P \subseteq \XC$
implies that
$C \upharpoonright P = \{c | c \in C, \parameters(c) \subseteq P\}$,
$C \downharpoonright P = \{c | c \in C, \parameters(c) \cap P \neq \emptyset\}$.
\vend
\vbeg
Assume for any $C,P$, $C \upharpoonright P \subseteq C$.
Assume for any $C,P$, $C \downharpoonright P \subseteq C$.
Assume for any $C,C',S,S'$, if $C \subseteq C'$ and $S \subseteq S'$ then $ {C' \upharpoonright
S'} \Rrightarrow {C \upharpoonright S}$.
Assume for any $C,C',S,S'$, if $C \subseteq C'$ and $S \subseteq S'$ then ${C' \downharpoonright
S'} \Rrightarrow {C \downharpoonright S}$.
Assume for any $C,C',P,P'$,
$\parameters (C) \cap \parameters(C') = \emptyset$
implies that
$(C \downharpoonright P) \cup (C' \downharpoonright P') = (C \cup C') \downharpoonright (P
\cup P')$.
\vend
\vbeg
Introduce constants $\pre, \post$.
Assume for any $M,I,O,\CC,C$,
$\pre((M,I,O,\CC),C) = \clo(C) \upharpoonright I$,
$\post((M,I,O,\CC),C) = \clo(C) \downharpoonright O = \clo(C) - \pre((M,I,O,\CC),C)$.
\vend
\vbeg
Assume for all $M,I,O,\CC,C$, $C \Rrightarrow {\pre((M,I,O,\CC),C)}$.
Assume for all $M,I,O,\CC,C$, $C \Rrightarrow {\post((M,I,O,\CC),C)}$.
\vend
\vbeg
Assume for any $M,I,O,\CC,C$, for any $V$,
$V \sats ((M,I,O,\CC) \hastype C)$
iff
{$V \sats {\pre((M,I,O,\CC),C)}$ implies that
for all $V'$,
$V \subseteq V'$ and {for all $K \in \CC$, $V' \sats K$}
implies that
$V' \sats {\post((M,I,O,\CC),C)}$}.
\vend
\vbeg
Assume for any $V,V',C$, if $V \subseteq V'$ and $V \sats C$ then $V' \sats C$.
Assume for any $V,C,C'$, if $C \Rrightarrow C'$ and $V \sats C$ then $V \sats C'$.
Assume for any $V,C,C'$, $V \sats C$ and $V \sats C'$ iff $V \sats {C \cup C'}$.
\vend
\vbeg
Assume for any $M,I,O,\CC,C$,
$((M,I,O,\CC) \hastype C)$ is strongly valid
iff
{for all $V \in I \rightarrow \N$,
$V \sats ((M,I,O,\CC) \hastype C)$}.
\vend
\vbeg
Introduce constants $\Conn, \Loop, \Hole$.
\vend
\vbeg
Introduce constant $\constraints$. Assume for any
$\theta \in \XC \rightarrow \XC$, $\constraints(\theta)$ is a
constraint set.
\vend
\vbeg
Introduce constants $\cn,\lp,\hl$.
\vend
\vbeg
Assume for any $M,I,O,\CC,C,\theta$, for all $I',O',C'$,
$\vdash {(M,I,O,\CC) \hastype C}$,
$\theta \in O \rightarrow I$, $\theta$ is injective, and
$I' = I-\ran(\theta)$,
$O' = O - \dom(\theta)$,
$C' = C \upharpoonright {I' \cup O'}$, and
$\pre((\Loop(\theta,M),I',O', \lp(\theta,\CC)), C') \Rrightarrow {\pre((M,I,O,\CC), C)}$
implies that
$\vdash {(\Loop(\theta,M),I',O', \lp(\theta,\CC)) \hastype C'}$.
\vend
\vbeg
Assume for any $n,X,M,I,O,\CC,C$, for all $M',I',O',\CC',C'$,
{for all $i \in \{0,\ldots,n\}$,
$\vdash {(M_i,I_i,O_i,\CC_i) \hastype C_i}$,
{for all $\phi \in I' \rightarrow I_i, \psi \in O_i \rightarrow O'$,
$C' \cup \constraints(\phi) \cup \constraints(\psi) \LleftRrightarrow C_i$}},
$M' = \Hole(X, \{M_i | i \in \{0,\ldots,n\}\})$,
$\CC' = \hl(n,I,O,I',O', \CC)$,
${\pre((M',I',O',\CC'),C')} \Rrightarrow {\post((M', I', O', \CC'), C')}$
implies that
$\vdash {(M', I', O', \CC') \hastype C'}$.
\vend
\vbeg
Assume for any $M,I,O,\CC, C,C'$,
$\vdash {(M,I,O,\CC) \hastype C}$,
$\pre((M,I,O,\CC),C') \Rrightarrow {\pre((M,I,O,\CC),C)}$, and
$\post((M,I,O,\CC),C) \Rrightarrow {\post((M,I,O,\CC),C')}$
implies that
$\vdash {(M,I,O,\CC) \hastype C'}$.
\vend
\vbeg
Assume for any $C,P,P'$, if $P \subseteq P'$ then ${{C \upharpoonright P'} \upharpoonright P} = {C
\upharpoonright P}$.
Assume for any $C,P,P'$, if $P \subseteq P'$ then ${\clo(C \upharpoonright P') \upharpoonright P}
\Rrightarrow {\clo(C) \upharpoonright P}$.
Assume for any $V,C,P,P'$, if $V \sats {C
\downharpoonright P}$ and $V \sats {C \upharpoonright P'}$ then $V
\sats {C \upharpoonright {P' \cup P}}$.
\vend
\vbeg
Assume for any $C,C',C''$, if $C \Rrightarrow C'$ and $C' \Rrightarrow C''$ then $C \Rrightarrow
C''$.
Assert for any $A,I,O,C,C'$,
$(A,I,O,C), C'$ is a typed module and
$C \Rrightarrow C'$
implies that
for any $V$, if $V \sats {\pre((A,I,O,\{C\}),C')}$ then
for all $V'$ if $V \subseteq V'$ and {for all $K \in \{C\}$, $V' \sats K$} then
$V' \sats C$,
$C' \Rrightarrow {\post((A,I,O,\{C\}), C')}$, and
$C \Rrightarrow {\post((A,I,O,\{C\}), C')}$,
$V' \sats {\post((A,I,O,\{C\}), C')}$.
\vend
\vbeg
Assert for any $M,I,O,\CC,C,C'$,
$(M,I,O,\CC) \hastype C$,
$\pre((M,I,O,\CC),C') \Rrightarrow {\pre((M,I,O,\CC),C)}$, and
$\post((M,I,O,\CC),C) \Rrightarrow {\post((M,I,O,\CC),C')}$
implies that
for any $V$,
if $V \sats ((M,I,O,\CC) \hastype C)$ then
$V \sats {\pre((M,I,O,\CC),C')}$
implies that
$V \sats {\pre((M,I,O,\CC), C)}$ and
for all $V'$,
if $V \subseteq V'$ and {for all $K \in \CC$, $V' \sats K$} then
$V' \sats {\post((M,I,O,\CC),C)}$,
$V' \sats {\post((M,I,O,\CC),C')}$.
\vend
\vbeg
Assert for any $n,X,M,I,O,\CC,C$, for all $M',I',O',C',\CC'$,
{for all $i \in \{0,\ldots,n\}$,
$\vdash {(M_i,I_i,O_i,\CC_i) \hastype C_i}$,
{for all $\phi \in I' \rightarrow I_i, \psi \in O_i \rightarrow O'$,
$C' \cup \constraints(\phi) \cup \constraints(\psi) \LleftRrightarrow C_i$}},
$M' = \Hole(X, \{M_i | i \in \{0,\ldots,n\}\})$,
$\CC' = \hl(n,I,O,I',O', \CC)$,
${\pre((M',I',O',\CC'),C')} \Rrightarrow {\post((M',I',O',\CC'), C')}$
implies that
for any $V$, if $V \sats {(M', I', O', \CC') \hastype C'}$ then
$V \sats {\pre((M',I',O',\CC'), C')}$
implies that
$V \sats {\post((M', I', O', \CC'), C')}$,
for all $V'$,
if $V \subseteq V'$ and {for all $K \in \hl(n,I,O,I',O', \CC)$, $V' \sats K$} then
$V' \sats {\post((M',I',O',\CC'), C')}$.
\vend
\vbeg
Assert for any $M,I,O,\CC,C,\theta$, for all $I',O',C'$,
$M,I,O,C,I',O',C'$ are sets,
$\vdash {(M,I,O,\CC) \hastype C}$,
$\theta \in O \rightarrow I$, $\theta$ is injective, and
$I' = I - \ran(\theta)$,
$O' = O - \dom(\theta)$,
$C' = C \upharpoonright {I' \cup O'}$, and
$\pre((\Loop(\theta,M),I',O', \lp(\theta,\CC)), C') \Rrightarrow {\pre((M,I,O,\CC), C)}$
implies that
\vend
\vbeg
for any $V$,
if $V \sats {((M,I,O,\CC) \hastype C)}$ then
if $V \sats {\pre((\Loop(\theta,M),I',O',\lp(\theta,\CC)),C')}$ then
$V \sats {\pre((M,I,O,\CC), C)}$,
for all $V'$,
if $V \subseteq V'$ and {for all $K' \in \lp(\theta,\CC)$, $V' \sats K'$} then
{for all $K \in \CC$, $V' \sats K$},
$V' \sats {\post((M,I,O,\CC), C)}$,
$\post((M,I,O,\CC), C) = {\clo(C) \downharpoonright O}$,
$V' \sats {\clo(C) \downharpoonright O}$,
${O - \dom(\theta)} \subseteq O$,
$C \upharpoonright {I' \cup O'} \subseteq C$,
${\clo(C) \downharpoonright O} \Rrightarrow {\clo(C') \downharpoonright O'}$,
$\post((\Loop(\theta,M),I',O', \lp(\theta,\CC)), C') = {\clo(C') \downharpoonright
O'}$,
$V' \sats {\clo(C') \downharpoonright O'}$,
$V' \sats {\post((\Loop(\theta,M),I',O', \lp(\theta,\CC)), C')}$.
\vend
\vbeg
Assert for any $M,I,O,\CC,C, N,I',O',\CC',C',\theta$, for all $I'',O'',C''$,
$I,O$ are sets, $I',O'$ are sets, $C$ is a constraint set, $C'$ is a constraint set,
$\parameters(C) \cap \parameters(C') = \emptyset$,
$\vdash {(M,I,O,\CC) \hastype C}$,
$\vdash {(N,I',O',\CC') \hastype C'}$,
$\theta \in O \rightarrow I'$, $\theta$ is injective,
$I'' = I \cup (I'-\ran(\theta))$,
$O'' = O' \cup (O - \dom(\theta))$,
$C'' = {C \cup C'} \upharpoonright {I'' \cup O''}$, and
$\post((M,I,O,\CC),C) \Rrightarrow {\pre((N,I',O',\CC'), C') \downharpoonright \ran(\theta)}$
implies that
for any $V$,
if $V \sats ((M,I,O,\CC) \hastype C)$ and $V \sats ((N,I',O',\CC') \hastype C')$ then
if $V \sats {\pre((\Conn(\theta,M,N), I'', O'', \cn(\theta,\CC,\CC')), C'')}$ then
${\pre((\Conn(\theta,M,N), I'', O'', \cn(\theta,\CC,\CC')), C'')} = {\clo(C'')
\upharpoonright I''}$,
$V \sats {\clo(C'') \upharpoonright I''}$,
$V \sats {\clo({C \cup C'} \upharpoonright {I'' \cup O''}) \upharpoonright I''}$,
${\clo({C \cup C'} \upharpoonright {I'' \cup O''}) \upharpoonright I''} \Rrightarrow
{\clo(C \cup C') \upharpoonright I''}$,
$V \sats {\clo(C \cup C') \upharpoonright I''}$,
$ {\clo(C \cup C') \upharpoonright I''} \Rrightarrow {\clo(C) \upharpoonright I}$,
$V \sats {\clo(C) \upharpoonright I}$,
$\pre((M,I,O,\CC),C) = {\clo(C) \upharpoonright I}$,
$V \sats \pre((M,I,O,\CC),C)$,
for all $V'$, if $V \subseteq V'$ and {for all $K' \in \cn(\theta,\CC,\CC')$, $V' \sats K'$}
\vend
\vbeg
then
{for all $K' \in \CC$, $V' \sats K'$} ,
$V' \sats \post((M,I,O,\CC),C)$,
$V' \sats {\pre((N,I',O',\CC'), C') \downharpoonright \ran(\theta)}$,
$\pre((N,I',O',\CC'), C') ={\clo(C') \upharpoonright I'}$,
$V' \sats {{\clo(C') \upharpoonright I'} \downharpoonright \ran(\theta)}$,
${\clo(C') \upharpoonright I''} \Rrightarrow {\clo(C') \upharpoonright (I'-\ran(\theta))} $,
${\clo(C \cup C') \upharpoonright I''} \Rrightarrow {\clo(C') \upharpoonright I''} $,
$V' \sats {\clo(C') \upharpoonright (I'-\ran(\theta))}$,
$ {I' - \ran(\theta)} \subseteq I'$,
$ {{\clo(C') \upharpoonright I'} \upharpoonright (I'-\ran(\theta))} = {\clo(C')
\upharpoonright (I'-\ran(\theta))}$,
$V' \sats {{\clo(C') \upharpoonright I'} \upharpoonright (I'-\ran(\theta))}$,
$ {(I'-\ran(\theta)) \cup \ran(\theta)} = I'$,
$V' \sats {{\clo(C') \upharpoonright I'} \upharpoonright {(I'-\ran(\theta)) \cup
{\ran(\theta)}}}$,
$V' \sats {{\clo(C') \upharpoonright I'} \upharpoonright I'}$,
$V' \sats {\clo(C') \upharpoonright I'}$,
$V' \sats \pre((N,I',O',\CC'),C')$,
$V' \sats {(N,I',O',\CC') \hastype C'}$,
for all $V''$, if $V' \subseteq V''$ then
{for all $K'' \in \CC'$, $V' \sats K''$ and $V'' \sats K''$}, {for all $K' \in \CC'$, $V''
\sats K'$},
$V'' \sats \post((M,I,O,\CC),C)$,
$V'' \sats \post((N,I',O',\CC'),C')$,
$\post((M,I,O,\CC),C) = \clo(C) \downharpoonright O$,
$\post((N,I',O',\CC'),C') = \clo(C') \downharpoonright O'$,
$V'' \sats {\clo(C) \downharpoonright O}$,
$V'' \sats {\clo(C') \downharpoonright O'}$,
$V'' \sats {{\clo(C) \downharpoonright O} \cup {\clo(C') \downharpoonright O'}}$,
${\clo(C) \downharpoonright O} \cup {\clo(C') \downharpoonright O'} = {{\clo(C) \cup
\clo(C')} \downharpoonright {O \cup O'}}$,
$V'' \sats {{\clo(C) \cup \clo(C')} \downharpoonright {O \cup O'}}$,
$\clo(C \cup C') = {\clo(C) \cup \clo(C')} $,
$V'' \sats {\clo(C \cup C') \downharpoonright {O \cup O'}}$,
$C \cup C' \subseteq \clo(C \cup C')$,
${C \cup C'} \upharpoonright {I'' \cup O''} \subseteq {C \cup C'}$,
$O'' \subseteq {O \cup O'}$, $C'' \subseteq {C \cup C'}$,
$\clo(C'') \subseteq \clo({C \cup C'})$,
$ {\clo(C \cup C') \downharpoonright {O \cup O'}} \Rrightarrow {\clo(C'') \downharpoonright
O''}$,
${\post((\Conn(\theta,M,N), I'', O'', \cn(\theta,\CC,\CC')), C'')} = {\clo(C'')
\downharpoonright O''}$,
$V'' \sats {\post((\Conn(\theta,M,N), I'', O'', \cn(\theta,\CC,\CC')), C'')}$.
\vend
\vbeg
Assume for any $\CC, \CC', \theta$,
$\cn(\theta,\CC,\CC') = \{C \cup C' \cup \constraints(\theta) | C \in \CC, C' \in \CC'\}$.
Assume for any $\CC, \theta$,
$\lp(\theta,\CC) = \{C \cup \constraints(\theta) | C \in \CC\}$.
Assume for any $n,I,O,I',O',\CC$,
$\hl(n,I,O,I',O',\CC) =
\{C_i \cup \constraints(\phi) \cup \constraints(\psi) |
i \in \{0,\ldots,n\}, \phi \in I' \rightarrow I_i, \psi \in O_i \rightarrow O', C \in
\CC\}$.
\vend
\vbeg
Assume for any $V, \CC, \theta$,
{for all $K \in \lp(\theta,\CC)$, $V \sats K$}
implies that
{for all $K' \in \CC$, $V \sats K'$}.
Assume for any $V,\CC,\CC',\theta$,
{for all $K \in \cn(\theta,\CC,\CC')$, $V \sats K$}
implies that
{for all $K' \in \CC$, $V \sats K'$} and {for all $K'' \in \CC'$, $V \sats K''$}.
\vend
\vbeg
Introduce constant $\vdash$.
\vend
\vbeg
Assume for any $A,I,O,\CC,C,C'$,
$(A,I,O,C) \hastype C'$ is a typed module, and
$C \Rrightarrow C'$
implies that
$\vdash {(A,I,O,\{C\}) \hastype C'}$.
\vend
\vbeg
Assume for any $M,I,O,\CC,C, N,I',O',\CC',C',\theta$, for all $I'',O'',C''$,
$\vdash {(M,I,O,\CC) \hastype C}$,
$\vdash {(N,I',O',\CC') \hastype C'}$,
$\theta \in O \rightarrow I'$, $\theta$ is injective,
$I'' = I \cup (I'-\ran(\theta))$,
$O'' = O' \cup (O - \dom(\theta))$,
$C'' = {C \cup C'} \upharpoonright {I'' \cup O''}$, and
$\post((M,I,O,\CC),C) \Rrightarrow {\pre((N,I',O',\CC'), C') \downharpoonright \ran(\theta)}$
implies that
$\vdash {(\Conn(\theta,M,N),I'', O'', \cn(\theta,\CC,\CC')) \hastype C''}$.
\vend
[plot: soundness of NetSketch formalism; y-axis: context component size (|R|, |E|, |Q|, 0 to 500); x-axis: assertion point in sequence (1 to 181)]
[plot: quadratic worst-case: complete "≤" hypergraph; y-axis: context component size (|R|, |E|, |Q|, 0 to 14000); x-axis: assertion point in sequence (1 to 79)]
Introduce x.
Assume x ∈ N.
Assert
14 ∗ x = x + x + x + x + x + x + x + x + x + x + x + x + x + x.
[plot: √2 is irrational; y-axis: expression complexity (0 to 16); x-axis: assertion point in sequence (1 to 23)]
[plot: R is a vector space ⇒ R² is a vector space; y-axis: expression complexity (0 to 18); x-axis: assertion point in sequence (1 to 82)]
[plot: soundness of NetSketch formalism; y-axis: expression complexity (0 to 20); x-axis: assertion point in sequence (1 to 177)]
• syntax and dynamic context improve usability
– undergraduates (including freshmen) familiar with mathematical conventions able to adapt with almost no guidance
• approach is tractable for typical arguments
– size of R exhibits linear growth
– high degree of redundancy in the collection of subexpressions within an argument
– support for high-level reasoning leaps substantially reduces:
• argument size
• quantifier depth
• opportunities for “garbage collection” within the hypergraph structure
– e.g. x < y < z, where y never appears again
• further development
– grow static context (syntax, propositions)
– support distinct working “contexts” for terms, propositions
– target static context contents to specific verifiers
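The growth and garbage-collection points above, as an added toy model that is not aartifact's own code: it assumes the relation component R is a set of "≤" pairs between expression names kept transitively closed, so a chain v0 ≤ v1 ≤ ... ≤ vn (the complete "≤" hypergraph case) makes |R| grow quadratically, while an intermediate name that is never mentioned again (y in x < y < z) can be dropped without losing x ≤ z.

```python
# Added toy model, not aartifact's implementation: R is assumed to be a set of
# (a, b) pairs meaning a <= b over expression names, closed under transitivity.

class LeqContext:
    """Dynamic context holding only the '<=' relation component R."""

    def __init__(self):
        self.R = set()

    def assume(self, a, b):
        """Record a <= b and every new pair implied by transitivity.
        R is already closed, so one incremental step suffices."""
        left = {p for (p, q) in self.R if q == a}    # p <= a
        right = {q for (p, q) in self.R if p == b}   # b <= q
        new = {(a, b)}
        new |= {(p, b) for p in left}
        new |= {(a, q) for q in right}
        new |= {(p, q) for p in left for q in right}
        self.R |= new

    def entails(self, a, b):
        """Does the context establish a <= b?"""
        return a == b or (a, b) in self.R

    def collect(self, live):
        """Garbage-collect names outside `live`; returns the new |R|.
        Safe because R is transitively closed: after x <= y <= z the pair
        (x, z) is already present, so dropping y loses nothing about x, z."""
        self.R = {(a, b) for (a, b) in self.R if a in live and b in live}
        return len(self.R)


def chain_sizes(n):
    """|R| after each assertion of the chain v0 <= v1 <= ... <= vn.
    Step i yields (i+1)(i+2)/2 pairs: the quadratic worst case."""
    ctx = LeqContext()
    sizes = []
    for i in range(n):
        ctx.assume(f"v{i}", f"v{i + 1}")
        sizes.append(len(ctx.R))
    return sizes


def gc_example():
    """x < y < z with y never used again: collect y, keep x <= z."""
    ctx = LeqContext()
    ctx.assume("x", "y")
    ctx.assume("y", "z")
    before = len(ctx.R)                 # (x,y), (y,z), (x,z)
    after = ctx.collect({"x", "z"})     # only (x,z) survives
    return before, after, ctx.entails("x", "z")
```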
demo, source code, examples:
http://www.aartifact.org
these slides:
http://www.aartifact.org/docs