Theorem Proving beyond Deduction

Size: px

Start display at page:

Download "Theorem Proving beyond Deduction"

Jacob Stokes
6 years ago
Views:

1 Theorem Proving beyond Deduction Specification and Verification with Higher-Order Logic Arnd Poetzsch-Heffter (Slides by Jens Brandt) Software Technology Group Fachbereich Informatik Technische Universität Kaiserslautern Sommersemester 2008 Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

2 Outline Introduction 1 Introduction 2 SAT Solver 3 Model Checker 4 Conclusion Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

3 Motivation Introduction Motivation Unified Verification Platform use theorem prover to integrate various tools most general and most flexible tool Combining Calculation and Deduction deduction: e.g. theorem proving: proving properties by mechanised logical deduction calculation: e.g. model checking: showing system M has property P by algorithmic calculation research goal: general platform for implementing provers and checkers Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

4 Introduction Want the Best of Both Worlds Motivation want maximally expressive logics higher-order logic readable specs of whole systems, high-level datatypes etc. requires theorem proving want state-of-the-art checking efficiency years of algorithm design and code honing Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

5 Three Approaches Introduction Combinations Loose Integration link tools via protocols, scripting languages etc. Add Calculation to Theorem Prover implement algorithms in a general theorem prover Add Deduction to Specialised Tool add rules to a specialised tool Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

6 Loose Integration Introduction Combinations external tool 1 theorem prover external tool 2 Overview existing infrastructure, future-proof, semantically challenging many tools are linked in this way: SAT, FOL,... approach followed by PROSPER EU project will be illustrated with the help of SAT solvers Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

7 Introduction Combinations Add Calculation to Theorem Prover internal theorem internal tool 1 prover tool 2 Overview example: theorem proving is guided by model checking will be illustrated with the help of a model checker Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

8 Introduction Combinations Add Deduction to Specialised Tool main tool deduction components internal tool Overview goal: extend specialised tool to complete system lightweight proving + state-of-art checking (Cadence, Intel) will not be illustrated in the following Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

9 Outline SAT Solver 1 Introduction 2 SAT Solver 3 Model Checker 4 Conclusion Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

10 SAT Solver SAT Library LCF Approach to Theorem Proving Theorems theorems represented by an abstract type primitive operations axioms inference rules of a logic composing together the inference rules using ML programs Example (Higher-Order Logic Axioms) b. (b = T ) (b = F) b 1 b 2. (b 1 b 2 ) (b 2 b 1 ) (b 1 = b 2 ) f. (λ x. fx) = f P x. P x P(ε P) f.( x y. fx = fy x = y) ( x. y. x = f y) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

11 SAT Solver SAT Library LCF Approach to Theorem Proving Backdoor oracles can create arbitrary theorems always tagged (string denoting the origin) tags are propagated if oracle is incorrect, all incorrect theorems can be spotted Backdoor API val mk_thm : term list term > thm val mk_oracle_thm : string > term list term > thm val add_tag : tag thm > thm val tag : thm > tag Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

12 SAT Solver Creating Tagged Theorems SAT Library Example (Oracles) show_tags := true; > val it = () : unit val thm1 = mk_oracle_thm "me" ([], T ==> F ); > val thm1 = [oracles: me] [axioms: ] [] T ==> F : thm CONTRAPOS thm1; > val it = [oracles: DISK_THM, me] [axioms: ] [] ~F ==> ~T : thm Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

13 SAT Solver SAT Library Boolean Satisfiability Problem (SAT) Problem Given a Boolean expression, is there some assignment to all the variables that will make the entire expression true? Example (SAT) (x 1 x 2 ) ( x 1 x 2 ) x 1 x 2 ( x 1 x 2 ) Properties problem is NP-complete very important, many applications bounded model checking, equivalence checking, FPGA routing,... Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

14 SAT Solver SAT Tool Interface: DIMACS SAT Library Interface common input file format for SAT solvers several descriptions supported in the following: expression in conjunctive form Example (Input File Format) c Example DIMACS file p cnf (x 1 x 3 x 4 ) x 4 (x 2 x 3 ) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

15 Using the SAT Library SAT Solver SAT Library Interface two functions that create theorems: satoracle and satprove difference: optional checking Example (Using HolSatLib) satoracle grasp (x \/ ~y \/ z) /\ (~z \/ y ) ; > val it = [oracles: grasp] [axioms: ] [] z /\ y ==> (x \/ ~y \/ z) /\ (~z \/ y) : thm satprove grasp (x \/ ~y \/ z) /\ (~z \/ y ) ; > val it = [oracles: ] [axioms: ] [] z /\ y ==> (x \/ ~y \/ z) /\ (~z \/ y) : thm Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

16 Invoking the SAT Solver SAT Solver SAT Library Arguments of satoracle SAT solver: sato, grasp or zchaff... term t Steps of satoracle write a DIMACS format file corresponding to the term t invoke the solver on the file to create an output file parse the output file to extract the model found create a theorem (tagged with the name of the solver) that shows the model Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

17 Invoking the SAT Solver SAT Solver SAT Library Steps of satprove write a DIMACS format file corresponding to the term t invoke the solver on the file to create an output file parse the output file to extract the model found use HOL to check that the model is really a model and return an untagged theorem Example (Using satprove) satprove grasp (x \/ ~y \/ z) /\ (~z \/ y ) ; > val it = [oracles: ] [axioms: ] [] z /\ y ==> (x \/ ~y \/ z) /\ (~z \/ y) : thm checking a solution is relatively simple Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

18 Unsatisfiable Terms SAT Solver SAT Library Example (Unsatisfiable Terms) satoracle grasp (x \/ ~y \/ z) /\ ~z /\ y /\ ~x ; > val it = [oracles: grasp] [axioms: ] [] ~((x \/ ~y \/ z) /\ ~z /\ y /\ ~x) satprove grasp (x \/ ~y \/ z) /\ ~z /\ y /\ ~x ;! Uncaught exception:! satproveerror Checking the Result proving that no solution exists is not simple no efficient implementation in HOL (basically needs to check all possibilities) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

19 Tautology Checking SAT Solver SAT Library Procedure 1 prove x. t = x. t 2 use a SAT solver to prove x. t ; 3 by negating both sides of (1), prove x. t = x. t 4 hence by combining (2) and (3) derive x. t. 5 hence by the law of double negation conclude x. t. Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

20 Tautology Checking SAT Solver SAT Library Example (Tautology Checking Code) fun SAT_TAUT_CHECK sat_solver t = let val th1 = canontools.cnf_conv(mk_neg t) val th2 = satoracle sat_solver (rhs(concl th1)) val th3 = AP_TERM $~ th1 val th4 = EQ_MP (SYM th3) th2 val th5 = EQ_MP (SPEC t NOT_NOT) th4 in th5 end; Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

21 Outline Model Checker 1 Introduction 2 SAT Solver 3 Model Checker 4 Conclusion Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

22 Model Checker State Transition Systems in HOL Model Checking States set of states: type states set of initial states: predicate B B : states bool B s means s is an initial state Transitions state transition relation: R R : states states bool R(s,s ) means s a successor to s Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

23 HOL Definitions Model Checker Model Checking Reachable States set of states reachable in at most n steps: ReachBy 0 R B s = B s ReachBy (n+1) R B s = ReachBy n R B s u. ReachBy n R B u R(u,s) set of reachable states: Reachable R B s = n. ReachBy n R B s Checking Safety Properties check M = P with the help of s. ( n. ReachBy n R B s) P s use BDDs: compute BDD and check result if the BDD of true Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

24 Model Checker Computing ReachBy n R B s Model Checking Fixpoint Iteration s. ( n. ReachBy n R B s) P s is not a quantified boolean formula (QBF) Key property: (ReachBy n R B s = ReachBy (n+1) R B s) (Reachable R B s = ReachBy n R B s) Compute Reachable R B s by iteratively computing: ReachBy 0 R B s ReachBy 1 R B s. ReachBy n R B s ReachBy (n+1) R B s Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

25 Binary Decision Diagrams Model Checker Model Checking Example (BDD for (a b) ( a c)) c a b b c b a a variable order a < b < c variable order c < b < a Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

26 Model Checker Model Checking Applying the LCF Approach to BDD Calculation Consider Judgements (ρ, t, b) Analogy structure ρ represents a variable order, t is a boolean term all of whose free variables are Boolean b is a BDD. such a judgement is valid (ρt b) if the BDD representing t with respect to ρ is b abstract type term_bdd that models judgements higher level tools, such as model checkers, are programmed in ML as derived rules Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

27 BDD Judgements Model Checker Model Checking Example {a 1,b 2,c 3} (a b) ( a c) (variable order: a < b < c) 0 1 can also be written as BDD(1 (2 1 0) (3 1 0)) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

28 Model Checker Model Checking Implementation in HOL HolBddLib BDD Library An ML type termbdd to represent judgements ρ t b analogous to LCF type thm representing logic theorems t ML functions corresponding to inference rules, for example: BddT : termbdd BddNot : termbdd termbdd BddAnd : termbdd termbdd termbdd BddEqualTest : termbdd termbdd bool BddEqMpSYM : thm termbdd termbdd BddThmOracle : termbdd thm Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

29 Model Checker Model Checking Reasoning about BDD Representations of Terms BDD Derivation ρ t b means term t is represented by BDD b w.r.t. ρ let ρ be a map from variables to ordered BDD variable nodes T ρ T BDD(1) F ρ F BDD(0) VAR ρ(v) = n ρ v BDD(n 1 0) AND ρ t 1 b 1 ρ t 2 b 2 ρ t 1 t 2 b 1 AND b 2 EQ ρ t 1 b 1 ρ t 2 b 2 ρ t 1 = t 2 b 1 EQ b 2 IMP ρ t 1 b 1 ρ t 2 b 2 ρ t 1 t 2 b 1 IMP b 2 EXISTS THM ρ t BDD(1) t ρ t b ρ u n ρ u. t EXISTS n b SUB ρ t 1 b t 1 = t 2 ρ t 2 b Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

30 Model Checker Model Checking Combining BDD Calculation and Deduction Calculation and Deduction If t 1 a QBF then ρ t 1 b by BDD evaluation logically use rules T, F, VAR, AND, EQ, IMP, EXISTS,... implement efficiently Use theorem proving to prove t 2 Combine using bridging rules THM and SUB THM is the only rule that creates theorems Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

31 Model Checker Example Deduction using BDDs Model Checking Example Define S n (s) = ReachBy n R B s... ρ S 20 (s) b 20 ρ S 21 (s) b 21 ρ (S 20 (s) = S 21 (s)) b 20 EQ b 21 S 20 (s) = S 21 (s) (S 20 (s) = S 21 (s)) ( n. S n (s)) = S 20 (s) ( n. S n (s)) = S 20 (s) ρ ( n. S n (s)) b 20 ρ P(s) b P ρ ( n. S n (s)) P(s) b 20 IMP b P ( n. S n (s)) P(s) BDD evaluation BDD evaluation EQ THM assuming b 20 EQ b 21 is Instance of lemma Modus Ponens and lemma SUB BDD evaluation IMP THM assuming b 20 IMP b P is Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

32 Model Checker Model Checking Example: Check AG P holds of model M Example M = AG P meaning of = σ. M σ AG P σ M = Machine(R,B) σ. (B(σ 0) n. R(σ n, σ(n+1))) n. P(σ n) definition of ReachBy s n. ReachBy n R B s P s first order logic s. ( n. ReachBy n R B s) P s BDD calculation Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

33 Properties Model Checker Model Checking Reachable R B s Q s means Q true in all reachable states Might want to verify other properties, e.g: DeviceEnabled is always true somewhere along every path starting anywhere (i.e. infinitely often along every path) From any state it is possible to get to a state for which Restart holds Q is true on all paths sometime between i units of time later and j units of time later. CTL is a logic for expressing such properties Exist efficient algorithms for checking them Model checking: check property in a model Emerson & Clarke, early 1980s starting to be used in industry Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

34 Model Checker Computation Tree Logic (CTL) Model Checking Syntax of CTL Well-Formed Formulae wff ::= P (Atomic formula) wff (Negation) wff 1 wff 2 (Conjunction) wff 1 wff 2 (Disjunction) wff 1 wff 2 (Implication) AXwff (All successors) EXwff (Some successors) A[wff 1 U wff 2 ] (Until along all paths) E[wff 1 U wff 2 ] (Until along some path) Branching Time Logic property Φ hold along all paths: AΦ property Φ holds along some paths: EΦ Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

35 Paths Model Checker Model Checking Paths Let R have type α α bool α ranges (intuitively) over states An R-path is a function σ : num α such that: t. R(σ(t),σ(t+1)) PATH(R,s)σ means σ is an R-path from s PATH(R,s)σ = (σ(0)=s) t. R(σ(t),σ(t+1)) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

36 Model Checker Model Checking Semantic Embedding of CTL in HOL Define: Atom(p) = λ(r,s). p(s) P = λ(r,s). (P(R,s)) P Q = λ(r,s). P(R,s) Q(R,s) P Q = λ(r,s). P(R,s) Q(R,s) P Q = λ(r,s). P(R,s) Q(R,s) AXP = λ(r,s). s. R(s,s ) P(R,s ) EXP = λ(r,s). s. R(s,s ) P(R,s ) A[P U Q] = λ(r,s). σ. PATH(R, s)σ i. Q(R,σ(i)) j. j < i P(R,σ(j)) E[P U Q] = λ(r,s). σ. PATH(R, s)σ i. Q(R,σ(i)) j. j < i P(R,σ(j)) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

37 AF Model Checker Model Checking Additional Operators Example: AFP = A[T U P] AFP is true if P holds somewhere along every R-path i.e. P is inevitable Derivation is easy AFP = A[T U P] = λ(r,s). σ. PATH(R,s)σ i. P(R,σ(i)) j. j < i T(R,σ(j)) = λ(r,s). σ. PATH(R, s)σ i. P(R, σ(i)) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

38 Example CTL Formulas Model Checker Model Checking EF(Started Ready) It is possible to get to a state where Started holds but Ready does not hold. AG(Req AFAck) If a request Req occurs, then it will eventually be acknowledged by Ack. AG(AFDeviceEnabled) DeviceEnabled is always true somewhere along every path starting anywhere: i.e. DeviceEnabled holds infinitely often along every path. AG(EFRestart) From any state it is possible to get to a state for which Restart holds. Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

39 Model Checker Verification and Counterexamples Model Checking Typical Safety Question is Q true in all reachable states? i.e. is Reachable R B s Q s true? Computation Compute BDD of Reachable R B s Q s if answer false: can get counterexample Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

40 Model Checker Model Checking Generating Counterexample Traces Finding a Counterexample suppose Reachable R B s Q s is false maybe counterexample before fixedpoint first find counterexample generate BDDs of ReachBy i R B (i = 0,1,...) at each stage check whether Q s holds hence find smallest n and state s n such that ReachBy n R B s n (Q s n ) Then trace backwards using: Pre R Q s = s. R(s,s ) Q s Eq s 1 s 2 = (s 1 = s 2 ) use BDDs to get s n,...,s 0 where ReachBy (i 1) R B s i 1 Pre R (Eq s i ) s i 1 Pre R Q s can be deductively simplified (so that BDD of R not needed) Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

41 Model Checking in HOL Model Checker Model Checking Model Checking e.g. AG P(R,s 0 ) is s. Reachable R (Eq s 0 ) s P s. current work has built a CTL model checker inside HOL HOL + BDD Results deduction can enhance state enumeration simplify formulas to eliminate subterms state enumeration can enhance deduction find counterexamples formulas for reachable states Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

42 Summary Model Checker Model Checking Model Checking Implementation deduction using theorem prover written in ML (HOL) extended with THM as oracle external calls to BDD package written in C (BuDDy) incremental database of computed instances of ρ t b model checking by HOL deduction + BDD calculation implemented by deduction rules programmed in ML next 700 formal verification tools... Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

43 Outline Conclusion 1 Introduction 2 SAT Solver 3 Model Checker 4 Conclusion Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

44 Conclusion Conclusion Conclusion Connect External Tools LCF approach and oracles tags to trace origins of theorems very efficient approach Implement Tools Internally implementation in higher-order logic clean and flexible approach Arnd Poetzsch-Heffter (Slides by Jens Brandt) ( Software Technology Theorem Proving Groupbeyond Fachbereich Deduction Informatik Technische Universität Sommersemester Kaiserslautern) / 44

Outline. Overview. Syntax Semantics. Introduction Hilbert Calculus Natural Deduction. 1 Introduction. 2 Language: Syntax and Semantics

Outline. Overview. Syntax Semantics. Introduction Hilbert Calculus Natural Deduction. 1 Introduction. 2 Language: Syntax and Semantics Introduction Arnd Poetzsch-Heffter Software Technology Group Fachbereich Informatik Technische Universität Kaiserslautern Sommersemester 2010 Arnd Poetzsch-Heffter ( Software Technology Group Fachbereich