Tutorial Disprover: Difference between revisions

 
(17 intermediate revisions by 2 users not shown)
Line 3: Line 3:
== WARNING ==
== WARNING ==


This is work in progress! The disprover plugin is currently experimental. Please keep in mind, that you might run into some rough edges or even get wrong results.
We believe the Disprover to be useful to find counter examples and avoid spending time to try and prove an unprovable proof obligation (PO).
The disprover plugin can also be used as a prover, in case its search for counter examples is exhaustive. This, however, means that if your PO involves deferred sets (carrier sets which are not fixed) the disprover will never be able to prove it (as ProB only checks one particular cardinality of the deferred set).
Please keep in mind, that you might run into some rough edges (please inform us about any issues).


== Introduction ==
== Introduction ==
Line 10: Line 12:
or proofs for a given proof obligation.
or proofs for a given proof obligation.


The Disprover is described in [http://www.stups.uni-duesseldorf.de/publications_detail.php?id=219 Debugging Event-B Models using the ProB Disprover Plug-in], Ligot, Bendisposto, Leuschel.
An early version of the ProB Disprover is described in [https://www3.hhu.de/stups/downloads/pdf/LiBeLe07_219.pdf Debugging Event-B Models using the ProB Disprover Plug-in], Ligot, Bendisposto, Leuschel.


Recently, the Disprover has been extended to detect cases in which the search for a counter-example was complete, yet there was no result. In this cases, the absence of a counter-example will be reported as a proof.
Recently, the Disprover has been extended to detect cases in which the search for a counter-example was complete, yet there was no result. In this cases, the absence of a counter-example will be reported as a proof.
See [https://www3.hhu.de/stups/downloads/pdf/disprover_eval.pdf the paper describing the disprover as a prover] for more details.


== Installation ==
== Installation ==
Line 21: Line 24:
== How to use it ==
== How to use it ==


[[Image:disprover-all.png]]: The proof obligation editor in Rodin presents the user with a number of Hypotheses and one Goal, to be proved.  If the Disprover is installed, it is available in the tool bar alongside the other provers.
[[Image:disprover-all.png]]: The proof obligation editor in Rodin presents the user with a number of Hypotheses and one Goal, to be proved.  If the Disprover is installed, it is available in the tool bar alongside the other provers:
 
[[File:disprover_proof_control.png]]


== How it works ==
== How it works ==


Upon selecting the Disprover, it builds a formula from the Hypotheses and the negated Goal.  The ProB model checker then tries to find a model for that formula.  If that is possible, this model is a counter example that will be presented back to the user in the proof tree. The disprover also checks if there cannot be a model for the formula. If this is the case it acts like a decision procedure, i.e., absence of a model is a proof for the goal. Unfortunately, sometimes neither a counter example nor a proof can be found.
Upon selecting the Disprover, it builds a formula from the Hypotheses and the negated Goal.  The ProB model checker then tries to find a model for that formula.  If that is possible, this model is a counter example that will be presented back to the user in the proof tree. The disprover also checks if there cannot be a model for the formula. If this is the case it acts like a decision procedure, i.e., absence of a model is a proof for the goal. This is shown in the proof tree as follows:
 
[[File:disprover_proof.png]]
 
Unfortunately, sometimes neither a counter example nor a proof can be found.
 
== Preferences ==
 
The disprover has a variety of preferences, shown below:
 
[[File:DisproverPrefs.png]]
 
If you wish you can increase the time out in milliseconds using the first preference.
The last preference allows you to export the PO to a classical B machine at a standard location (/tmp/ProB_Rodin_PO_SelectedHyps.mch).
This file can be loaded with ProB Tcl/Tk or ProB2-UI.
To find counter examples you should run a constraint-based static assertion check.
If successful, you can inspect the counter example in the state view.
You can also inspect which of the non-selected hypotheses are false for this counter example.
These hypotheses are good candidates for inclusion in the selected hypotheses.
 
 
== Disprover Export Example ==
 
Camille version of context:
<pre>
context ProBDisproverTest
constants f n
axioms
@axm0 n=10
@axm1 f∈1‥n → BOOL
@axm2 f(1) ≠ f(n)
theorem @thm1 ran(f)=BOOL
end
</pre>
 
 
 
Let us just select axm0 and axm1 in the hypothesis and run the disprover.
This will result in generating the B machine below.
 
 
[[File:DisproverExportExample.png]]
 
As you can see the selected hypotheses are put into the PROPERTIES and the proof
goal into the ASSERTIONS.
The Disprover also generates the OPERATION CheckRemainingHypotheses which checks the remaining unselected hypotheses.
 
<pre>
MACHINE ProofObligation_SelectedHyps
/* Exported: 4/3/2022 11:59 */
/* Origin: context : package(event_b_project) */
 
CONSTANTS
  f, n
PROPERTIES /* Selected Hypotheses: */
  f : POW(INTEGER * BOOL)
  &
  n : INTEGER
  &
  f : 1 .. n --> BOOL
  &
  n = 10
 
ASSERTIONS /* Proof Goal: */
  ran(f) = BOOL
OPERATIONS
CheckRemainingHypotheses = SELECT
  f : INTEGER +-> BOOL
  &
  n : dom(f)
  &
  1 : dom(f)
  &
  f(1) /= f(n)
  THEN skip
  END /* CheckRemainingHypotheses */
DEFINITIONS
SET_PREF_DISPROVER_MODE == TRUE;
SET_PREF_TRY_FIND_ABORT == FALSE
END
</pre>
 
You can load this machine for example in ProB2-UI and then run the symbolic constraint-based static assertion check:
 
[[File:CBCStaticAssertionCheck.png]]
 
In this case it finds a counter example, which can be inspected in the state view:
 
[[File:DisproverProB2UIStateView1.png]]
 
After initialising the machine you can also inspect the guards of the generated operation in the state view:
[[File:DisproverProB2UIStateView2.png]]
 
As you can see there is axm2 which is false for this counter example.
Adding this to the selected hypotheses will make the goal provable.

Latest revision as of 11:56, 19 December 2022


WARNING

We believe the Disprover to be useful to find counter examples and avoid spending time to try and prove an unprovable proof obligation (PO). The disprover plugin can also be used as a prover, in case its search for counter examples is exhaustive. This, however, means that if your PO involves deferred sets (carrier sets which are not fixed) the disprover will never be able to prove it (as ProB only checks one particular cardinality of the deferred set). Please keep in mind, that you might run into some rough edges (please inform us about any issues).

Introduction

The ProB Disprover plugin for RODIN utilizes the ProB animator and model checker to automatically find counterexamples or proofs for a given proof obligation.

An early version of the ProB Disprover is described in Debugging Event-B Models using the ProB Disprover Plug-in, Ligot, Bendisposto, Leuschel.

Recently, the Disprover has been extended to detect cases in which the search for a counter-example was complete, yet there was no result. In this cases, the absence of a counter-example will be reported as a proof. See the paper describing the disprover as a prover for more details.

Installation

The ProB Disprover is currently only available through the ProB Nightly Build Update Site (http://nightly.cobra.cs.uni-duesseldorf.de/rodin/updatesite/).


How to use it

Disprover-all.png: The proof obligation editor in Rodin presents the user with a number of Hypotheses and one Goal, to be proved. If the Disprover is installed, it is available in the tool bar alongside the other provers:

Disprover proof control.png

How it works

Upon selecting the Disprover, it builds a formula from the Hypotheses and the negated Goal. The ProB model checker then tries to find a model for that formula. If that is possible, this model is a counter example that will be presented back to the user in the proof tree. The disprover also checks if there cannot be a model for the formula. If this is the case it acts like a decision procedure, i.e., absence of a model is a proof for the goal. This is shown in the proof tree as follows:

Disprover proof.png

Unfortunately, sometimes neither a counter example nor a proof can be found.

Preferences

The disprover has a variety of preferences, shown below:

DisproverPrefs.png

If you wish you can increase the time out in milliseconds using the first preference. The last preference allows you to export the PO to a classical B machine at a standard location (/tmp/ProB_Rodin_PO_SelectedHyps.mch). This file can be loaded with ProB Tcl/Tk or ProB2-UI. To find counter examples you should run a constraint-based static assertion check. If successful, you can inspect the counter example in the state view. You can also inspect which of the non-selected hypotheses are false for this counter example. These hypotheses are good candidates for inclusion in the selected hypotheses.


Disprover Export Example

Camille version of context:

context ProBDisproverTest
constants f n
axioms
 @axm0 n=10
 @axm1 f∈1‥n → BOOL
 @axm2 f(1) ≠ f(n)
 theorem @thm1 ran(f)=BOOL
end


Let us just select axm0 and axm1 in the hypothesis and run the disprover. This will result in generating the B machine below.


DisproverExportExample.png

As you can see the selected hypotheses are put into the PROPERTIES and the proof goal into the ASSERTIONS. The Disprover also generates the OPERATION CheckRemainingHypotheses which checks the remaining unselected hypotheses.

MACHINE ProofObligation_SelectedHyps
 /* Exported: 4/3/2022 11:59 */
 /* Origin: context : package(event_b_project) */

CONSTANTS
  f, n
PROPERTIES /* Selected Hypotheses: */
  f : POW(INTEGER * BOOL)
  &
  n : INTEGER
  &
  f : 1 .. n --> BOOL
  &
  n = 10

ASSERTIONS /* Proof Goal: */
  ran(f) = BOOL
OPERATIONS
 CheckRemainingHypotheses = SELECT
  f : INTEGER +-> BOOL
  &
  n : dom(f)
  &
  1 : dom(f)
  &
  f(1) /= f(n)
  THEN skip
  END /* CheckRemainingHypotheses */
DEFINITIONS
 SET_PREF_DISPROVER_MODE == TRUE;
 SET_PREF_TRY_FIND_ABORT == FALSE
END

You can load this machine for example in ProB2-UI and then run the symbolic constraint-based static assertion check:

CBCStaticAssertionCheck.png

In this case it finds a counter example, which can be inspected in the state view:

DisproverProB2UIStateView1.png

After initialising the machine you can also inspect the guards of the generated operation in the state view: DisproverProB2UIStateView2.png

As you can see there is axm2 which is false for this counter example. Adding this to the selected hypotheses will make the goal provable.