verification. This is a formidable task, ultimately requiring the contributions of
researchers and ... This paper reports on the formalization of the integral calculus
in.
Formalization of the Integral Calculus in the PVS Theorem Prover RICKY W. BUTLER NASA Langley Research Center, Hampton, VA 23681-2199
The PVS theorem prover is a widely used formal verification tool used for the analysis of safetycritical systems. The PVS prover, though fully equipped to support deduction in a very general logic framework, namely higher-order logic, it must nevertheless, be augmented with the definitions and associated theorems for every branch of mathematics and computer science that is used in a verification. This is a formidable task, ultimately requiring the contributions of researchers and developers all over the world. This paper reports on the formalization of the integral calculus in the PVS theorem prover. All of the basic definitions and theorems covered in a first course on integral calculus have been completed. The theory and proofs were based on Rosenlicht’s classic text on real analysis and follow the traditional epsilon-delta method. The goal of this work was to provide a practical set of PVS theories that could be used for verification of hybrid systems that arise in air traffic management systems and other aerospace applications. All of the basic linearity, integrability, boundedness, and continuity properties of the integral calculus were proved. The work culminated in the proof of the Fundamental Theorem Of Calculus. There is a brief discussion about why mechanically checked proofs are so much longer than standard mathematics textbook proofs.
1.
INTRODUCTION AND MOTIVATION
There are several motivations for the development of the integral calculus library for the PVS theorem prover: (1) Increasingly our formal methods team is being called upon to develop analysis techniques that can demonstrate the safety of algorithms and systems used for air traffic management both on the ground and in the air [DMG01, CGBK04, CM00]. This problem domain inevitably requires reasoning about the effect of the software on aircraft trajectories. Aircraft trajectories are often modeled using differential equations and the analytic solutions of these equations involves the integral calculus. (2) The power of the PVS theorem prover has been growing over the last 10 years. A particularly challenging problem is the formalization and mechanical verification of the classic proofs of integral calculus including the Fundamental Theorem of Calculus. The author has often wondered if theorem proving technology might ever reach the place where it can be a pedagogical aid to the mathematics student and eventually a tool of practical use to the mathematician. The formalization of the integral calculus in PVS should provide a basis for judging how close we are to this goal. (3) The goal of reducing all of mathematics to primitive logic has a long heritage. Russell and Whitehead sought to place all of the mathematics upon the foundation of set theory and classical logic. When the paradoxes were discovered at the beginning of the 20th century, they abandoned their effort. Although mathematicians
Journal of Formalized Reasoning Vol. 2, No. 1, 2009, Pages 1–26.
2
·
Ricky W. Butler
have not demonstrated much interest in continuing the Russell and Whitehead program, computer scientists have[QED04]. The Lebesgue integral has been formalized in the Isabelle/Isar theorem prover [Ric03] and the Gauge Integral in Isabelle/HOL as well [Fle00]. Harrison describes the development of the theory of integration in the HOL theorem prover in [Har98]. L. Cruz-Filipe developed a constructive theory of analysis in the Coq theorem prover in his Ph.D dissertation [CF04]. Here, we are providing the mathematical foundations for classic Riemann Integral in the PVS theorem prover. This work uses and extends the work done by Bruno Dutertre [Dut96]. He developed the first version of the PVS analysis library which provided definitions and properties of limits, derivatives, and continuity. This work develops the theory of integration through the Fundamental Theorem of Calculus. In this paper I will provide a summary of the formalization and a few illustrations of the mechanical proofs to emphasize the difference between the rigorous proofs provided by Rosenlicht [Ros68] in his classic text and a mechanically checked proof in PVS [ORS92, SOR93]. The PVS theories and proofs are available at NASA Langley’s formal methods web site 1 . 2.
A QUICK INTRODUCTION TO PVS SYNTAX
The PVS specification language is basically a typed higher-order logic. A specification is constructed from predefined and user-defined types and expressions and functions over these types. The predefined types include booleans, reals, integers, rationals, etc. From these, other types can be constructed using function, record and tuple type constructions. The following is a typical type construction: range: TYPE = {i: int |
25 < i < 35}
This declares a new type range which contains all of the integers strictly between 25 and 35. A record type is constructed as follows rectype: TYPE = [#
field1: real, field2: int
#] A variable r of type rectype could be declared as follows r: VAR rectype The second field of this record can be accessed as follows: r‘field2. Function declarations are central to PVS specifications. The following is a typical function declaration f(x: real, y: real): nonneg_real = sqrt(x*x + y*y) The function f is a function of two real variables. It returns a non-negative real number equal to the square root of the sum of the squares of these variables. It is defined using another previously defined function: sqrt. Types, function declarations, and theorems are collected together in PVS theories which are structured as follows: 1 http://shemesh.larc.nasa.gov
Journal of Formalized Reasoning Vol. 2, No. 1, 2009.
Formalization of the Integral Calculus in the PVS Theorem Prover
·
3
theory_name [T: TYPE FROM real]: THEORY BEGIN ASSUMING ... ENDASSUMING ... END theory_name This theory is parameterized by a type T which is a subtype of real. Theories can be imported and used in other theories. In the formalization of the integral calculus all of the theories were declared over an arbtrary subtype of the reals with the restriction that the sub-type was connected and had more than one element. This was accomplished using the assuming clause ASSUMING connected_domain : ASSUMPTION FORALL (x,y: T),(z: real): x
