The Z/EVES Reference Manual (For Version 1.5)
The Z/EVES Reference Manual (For Version 1.5)
The Z/EVES Reference Manual (For Version 1.5)
ORA Canada
P.O. Box 46005, 2339 Ogilvie Rd.
Ottawa, Ontario K1J 9M7
CANADA
Contents
1 Introduction 1
2 Basic Concepts 3
2.1 The Z/EVES User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1 Entering Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.2 Entering Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.3 Recovery From Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Proving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.1 Implicit Declarations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.2 Type Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Domain Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
i
ii Z/EVES Project TR-97-5493-03d
4 Z/EVES Commands 37
4.1 Z Section Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.1.1 Declare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.1.2 Declare To . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.1.3 Declare Through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Z/EVES Project TR-97-5493-03d iii
4.1.4 Parent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.2 Printing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.2.1 Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.2.2 Print Declaration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.3 Print Formula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.4 Print History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.5 Print Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.6 Print Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.7 Print Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.8 Searching for Theorems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.3 Undoing Declarations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.1 Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.2 Undo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.3 Undo Back To . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.4 Undo Back Through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.4 Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.4.1 Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.4.2 Quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.4.3 Read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.4.4 Ztags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5 Proof Commands 43
5.1 Starting Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.1.1 Try . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.1.2 Try Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2 Undoing Proof Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2.1 Back . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2.2 Retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.3 Case Splitting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.3.1 Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.3.2 Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.3.3 Split . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.3.4 Conjunctive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.3.5 Disjunctive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.4 Using Theorems and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.4.1 Apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.4.2 Invoke . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.4.3 Invoke Predicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.4.4 Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.5 Using Equalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.5.1 Equality Substitute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.6 Quantifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.6.1 Instantiate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.6.2 Prenex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.7 Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.7.1 Simplify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.7.2 Rewrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.7.3 Reduce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.7.4 Trivial Simplify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.7.5 Trivial Rewrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.7.6 Rearrange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
iv Z/EVES Project TR-97-5493-03d
A Collected Syntax 53
Introduction
Z/EVES is a tool for analysing Z specifications. It can be used for parsing, type checking, domain
checking, schema expansion, precondition calculation, refinement proofs, and proving theorems.
The language accepted by Z/EVES, Z/LATEX, is a LATEX [4] markup form that is compatible
with the zed, zed-csp, and fuzz LATEX styles and with Spivey’s fuzz type checker, but with several
extensions that are useful in stating theorems and their proofs. Appendix C summarizes these
extensions. Z/LATEX is described in full in Chapter 3.
Z/EVES is based on the EVES system [2, 3], and uses the EVES prover to carry out its proof
steps. However, it should not be necessary to have any knowledge of EVES or its language (Verdi)
in order to use Z/EVES.
This reference manual describes the language accepted by Z/EVES; the system and prover com-
mands and their effects; and the different types of theorems that can be expressed. Where necessary,
the actual Z/LATEX form for samples of Z/LATEX text is given. However, Z/LATEX as typeset by LATEX
is much more readable, and this form is used where possible.
Other documents useful for understanding the Z/EVES system are
• a description of the Z/EVES version of the Mathematical Toolkit [7],
• a user’s guide to Z/EVES [8], and
• installation guides and release notes for particular platforms (e.g., [5, 6]).
1
2 Z/EVES Project TR-97-5493-03d
Chapter 2
Basic Concepts
3
4 Z/EVES Project TR-97-5493-03d
2.2 Proving
Z/EVES allows for the statement and proof of theorems within a specification. Chapter 5 describes
various proof step commands. Proofs work on a predicate called the goal ; eack step transforms the
goal into a new goal that is equivalent. Transforming a goal to true thus completes a proof.
Z/EVES proofs are based on a translation to first-order predicate calculus. This translation is
not visible to the user, but it has ramifications, explained below, that affect the user.
The meaningfulness conditions for Z constructs are presented in “raw” form. Z/EVES applies
trivial propositional simplification (e.g., true ∨ P is replaced by true) to these conditions before
displaying them.
In the descriptions of the domain checking conditions in this document, we use variables (possibly
decorated) to represent phrases of different grammatical types as follows:
Symbol Grammatical type
e expression
P, Q predicate
ST schema-text
SE schema-exp
D decl-part
n, v , N , X name
PR prefix relation symbol
IR infix relation symbol
PG prefix generic symbol
IG infix generic symbol
F infix function symbol
The descriptions define a function DC from Z phrases to Z predicates, which gives the domain
checking condition for a phrase. The domain checking rules appear throughout the language de-
scription, and are also summarized in Appendix B.
6 Z/EVES Project TR-97-5493-03d
Chapter 3
The Z/LATEX language accepted by Z/EVES is almost a superset of the language accepted by the
fuzz [10] tool; a few features of the fuzz language are not supported, and a number of extensions
have been added. The differences between Z/LATEX and fuzz are described in Appendix C.
3.1.1 Words
A word is an identifier, an “extended” identifier, a “quoted” identifier, a LATEX command, or a
symbol. Unlike fuzz, a word used as a schema name is not lexically different from any other word.
Like fuzz, however, once a word has been declared to be part of a schema name, it may not be used
in the declaration name of any other object, except another schema with a different name prefix.
An identifier is a nonempty sequence of decimal digits, letters, and escaped underscores (\_) that
begins with a letter. Case is significant; the identifer foo is different from the identifier FOO.
An extended identifier is an identifier which begins with a letter and contains escaped dollar signs
(\$). Extended identifiers appear in names generated by Z/EVES; to avoid name clashes, names
declared by the user (e.g., variable names) may not contain extended identifiers.
A quoted identifier is a backquote (‘) followed by a nonempty sequence of characters that does not
contain backquote or newline, followed by a backquote. Like extended identifiers, quoted identifiers
appear in names generated by Z/EVES. Quoted identifiers are not permitted in user-declared names,
unless the contents of the quoted identifier are a valid (ordinary) identifier.
A LATEX command consists of a backslash followed by either a nonempty sequence of letters, or
by any single character. (The character in a syntax description or an example means a space.)
Some LATEX commands may have an argument, which is either a single decimal digit, or a left brace,
a sequence of decimal digits, and a right brace.
A symbol is a nonempty sequence of the characters *+-.<=>. Symbols must be defined (Sec-
tion 3.5.11) before they are used. Z/EVES always tries to scan the longest known symbol. If, for
7
8 Z/EVES Project TR-97-5493-03d
example, the symbols + and ++ are both defined, the input +++ will result in the two tokens ++ and
+.
3.1.2 Numerals
A numeral is a nonempty sequence of decimal digits, optionally preceded with a negation sign (\neg,
which prints as a raised minus sign). Thus, −3 is an expression (the application of function (−) to
the literal 3), whereas 3 is a negative literal.
3.1.3 Strings
A string is a double quote (") followed by a possibly empty sequence of characters that does not
contain double quote or newline, followed by a double quote.
The following LATEX commands may be used in the text for adjusting LATEX spacing. They are
ignored by Z/EVES.
\, thin space
\! negative thin space
\: medium space
\; thick space
\@ inter-sentence space
\ inter-word space
\tn tab command, single digit argument
\t{n} tab command, multi-digit argument
~ non-breakable inter-word space
3.1.5 Equivalents
The following pairs of tokens are considered equivalent:
Z/EVES Project TR-97-5493-03d 9
@ \spot
| \mid
The name \empty is a LATEX command, so the Toolkit defines the equivalent name \emptyset.
Syntax declarations (Section 3.5.11) are used in the Z/EVES Toolkit rather than fuzz directives,
because they allow an “interchange name” to be specified for the a declared symbol. Future work
on Z/EVES may include an interchange format printer, and this will allow the Toolkit to be easily
translated into that format. Specifications containing symbols which are defined with syntax decla-
rations will also enjoy this benefit. (The interchange format is part of the proposed ISO standard
for Z.)
• A definition is sometimes broken into a number of lines for readability; extra newlines and
spaces in a definition are not significant.
A lexical class denotes a set of terminals. The following lexical classes appear in the syntax:
10 Z/EVES Project TR-97-5493-03d
3.3 Specifications
specification ::= spec-item . . . spec-item
spec-item ::= z-section
| z-paragraph
| syntax-decl
| input-cmd
interaction ::= decl-or-cmd . . . decl-or-cmd
decl-or-cmd ::= spec-item
| z-section-proof
| command ;
In batch mode, a specification consists of a sequence of Z sections, Z section proofs, Z paragraphs,
syntax declarations, and LATEX-style file input commands. In interactive mode, Z/EVES commands
are also allowed; Z/EVES commands are described in Chapter 4.
Note that in interactive mode, all (complete) commands must be terminated with a semicolon
(;). In interactive or batch mode, commands in the proof part of a theorem must be separated with
\\, ;, or \also.
3.4 Z Sections
The Z/EVES Z section facility provides a way of dividing a specification into component modules.
A Z section is a set of paragraphs that has been type checked and saved in a file (a “section file”);
it can then be used in the definition of other Z sections. If a Z section A depends on (i.e., uses
declarations from) a Z section B, then B is said to be a parent of A.
When a section is created, Z/EVES saves information about its parents as well as the declarations.
A section is not permitted to depend on itself, or on a section whose parents have been modified
and is possibly obsolete (Section 3.4.2.1).
Once a section has been created, the declarations in it can be proved. In the proof of the section,
the order of declarations may differ from that of the section being proved, additional declarations
may be made, and additional parents (“proof parents”) may be specified for the section. If all the
proof obligations for the section are discharged, Z/EVES records this fact, and any proof parents,
in a file (a “section proof” file). See Section 4.1 for a description of Z section proofs.
The Z/EVES Z section facility has been designed to stay out of the way of users who do not wish
to use it. If a user starts entering declarations and commands without first starting a section, the
Toolkit section is first loaded, if it is not already present, before the first declaration or command is
processed.
The Z/EVES Z section facility is based on the proposed Z standard for sections [1], and on ideas
from the GNU Ada library facility.
Z/EVES Project TR-97-5493-03d 11
Z/EVES checks that section files for parent sections are up-to-date, and that no section depends on
itself, either directly or through some chain of ancestors. A section file for a section S is up-to-date
if for every parent P of S:
2. the section file for P has not been modified since the section file for S was created, and
For example, suppose section A has a parent B, and section B has no parents. After creating
section files for B and A, in that order, we start a new section C, whose parent is A. If the section file
for B was modified after the section file for A was created, then Z/EVES considers the section file
for A to be out-of-date.
Continuing the example, suppose we have section files for A and B as described above. We then
add A to B’s parent list and try to recreate B. Z/EVES will detect the attempt at circular dependency
— A depends on B, and we are now trying to say that B depends on A.
3.5 Paragraphs
z-paragraph ::= zed-box
| schema-box
| axiomatic-box
| generic-box
| theorem
para-opt ::= [ ability ]
ability ::= enabled | disabled
sep ::= \\ | ; | \also
Paragraphs declare types, constants, global variables, schemas, and theorems. The following
information is provided for each type of declaration:
• proof obligations generated by Z/EVES that, when proven, ensure that functions are applied
only to arguments in their domain (domain checking), and
A list of options may be specified for a paragraph. Currently, the only option recognized is
an “ability;” if the disabled ability is specified, some declarations in the paragraph are not used
automatically in proofs. The default ability is enabled.
Items in a paragraph must be separated by one of the above separators. To Z/EVES, they are
equivalent, but LATEX formats \\ and \also as newlines, and adds extra vertical space for \also.
Z/EVES Project TR-97-5493-03d 13
Domain Checking
DC ([N , . . .]) = true
Implicit Declarations
None.
Domain Checking
DC (S =
b SE ) = DC (SE )
Implicit Declarations
Schema definitions are treated as much like schema boxes as possible; see Section 3.5.7 for a descrip-
tion of the implicit declarations added for schema boxes.
The determination of the declaration part of a defined schema (for use in the $declarationPart
theorem) is not straightforward in general, and Z/EVES determines it as follows: if the schema
expression is a schema reference, this is the declaration part; if it is a schema text of the form [D | P ],
14 Z/EVES Project TR-97-5493-03d
the declaration part is derived from D as explained in Section 3.5.7; if the schema expression is a
conjunction, the declaration part is the conjunction of the declaration parts of the conjuncts. In
any other case, the declaration part is simply true. In particular, then, a definition S =b [D | P ] is
treated in the same way as the equivalent schema box (Section 3.5.7). The rules for θ-terms and
binding sets are always added.
For defined schemas with definitions that are not conjunctions of schema references and schema
texts, it is advisable for the user to add a forward rule giving suitable information about the decla-
ration part; see the discussion in Section 3.5.7. For example, given the definition
AddItem = b [∆State | . . .]
Success = b [report! : Report | report! = OK ]
b (AddItem ∧ Success) ∨ (ΞState ∧ NoRoom),
. . . Op =
where Z/EVES is unable to determine a suitable declaration part for Op, we might add
The $declarationPart theorem is useful in proofs where the Op schema is referred to, and we
want to carry out proof steps without invoking it (and thus increasing the size of the formula). The
forward rule allows Z/EVES to use some of information derived from the schema’s definition without
expanding it.
Proof Considerations
A schema determines an alphabet (that is, the set of components of the schema) and a predicate.
This predicate can be explored in Z/EVES while working on a goal containing a schema-ref (by
invoking the schema name).
The predicate associated with a schema defined by a schema definition has the form x1 ∈ T1 ∧
. . . ∧ xk ∈ Tk ∧ P , where x1 , . . . , xk are the components of the schema, the Ti are expressions
denoting the types of these components (as inferred by the type checker), and predicate P is derived
from the schema expression as explained in Section 3.7. Under some circumstances, some of the
component constraints are recognized as redundant, and Z/EVES omits them from the predicate.
In particular, if the schema expression is a conjunction of schema references or schema texts, none
of the component constraints are needed and the predicate is simply P .
Domain Checking
DC (n[X ] == e) = DC (e)
Implicit Declarations
No theorems are added for definitions. The defined name can, however, be “invoked” (Section 5.4.2)
in a proof step.
Z/EVES Project TR-97-5493-03d 15
It is usually advisable to add a “typing” theorem for a name introduced in a definition. For
example, given the definition
id [X ] == {x : X • (x , x )}
an assumption rule (Section 3.5.10.4) asserting something like id [X ] ∈ X ↔ X is useful. In fact, it
is useful to make these typing rules as strong as possible, to provide the most information. In this
case, the identity relation is in fact a bijection, and the typing theorem could be written as
theorem grule id type [X ]
id X ∈ X
→ X.
Domain Checking
DC (N ::= a | bhheii) = DC (e)
Implicit Declarations
For a free type N ::= a | bhheii, the following theorems are added:
• grule a$declaration : a ∈ N ,
• grule b$declaration : b ∈ e → N ,
• rule b$injective : ∀ x $, x $0 : e • b (x $) = b (x $0 ) ⇔ x $ = x $0 ,
• internal theorems which allow Z/EVES to infer that any two values on different branches are
distinct,
• theorem N $expansion : N = a ∪ { x : e • b(x ) },
• disabled rule N $member : x $ ∈ N ⇔ x $ = a ∨ (∃ v 0 : e • x $ = b(v 0)), and
• theorem N $induction : x ∈ N ∧ X ∈ P N ∧ a ∈ X ∧ (∀ v 0 : e • b(v 0) ∈ X ) ⇒ x ∈ X .
The induction property can be used as follows. To show ∀ n : N • P (n):
1. define inductionSet == { n : N | P (n) },
2. try ∀ n : N • P (n); Z/EVES will strip the quantifier, leaving the goal n ∈ N ⇒ P (n),
3. use N $induction[X := inductionSet, x := n],
4. invoke inductionSet, and
5. prove.
Eventually, this gets Z/EVES working on the subgoals P (a) and ∀ v : N | P (v ) • P (b(v )), which
are the induction base and step cases, respectively.
(It is necessary to define inductionSet in this sequence of commands, because Z/EVES will not
necessarily allow a set comprehension to be introduced in a proof step; see Section 2.2.1. Thus, we
introduce the comprehension in a declaration, then refer to that definition in the proof step.)
16 Z/EVES Project TR-97-5493-03d
Domain Checking
DC ([ability usage name] P ) = DC (P )
Implicit Declarations
A labelled predicate is added as a theorem, with the name and usage specified in its label, if any.
See Section 3.5.10 for an explanation of the meaning of the usage specifications, and Section 5.7 for
an explanation of how the various kinds of theorems are used in reduction commands.
Type rules
Declarations in the decl-part may not refer to previous declarations, but predicates in the axiom-part
may refer to any declaration in the decl-part.
Domain Checking
S
D
DC = DC (D) ∧ (∀ D • DC (P ))
P
Implicit Declarations
For a schema box
S
D
P
• frule S $declarationPart : S ⇒ D 0
where D 0 is derived from the declaration part D by replacing declarations of the form n1 , n2 . . . :
T by predicates n1 ∈ T ∧ n2 ∈ T ∧ . . ..
The following theorems are added for the schema used as a set:
• disabled rule S $member : x $ ∈ S ⇔ (∃ S • x $ = θS ),
• rule S $thetaMember : θS ∈ S ⇔ S (a special case of S $member ), and
• frule S $declaration : S ∈ P h|n1 : T1 , . . . |i, where the Ti are determined by the type checker.
If the schema has an alphabet {n1 , n2 , . . .} that has not been encountered before, the following
theorems are also added:
• rule S $select$ni : (θS ).ni = ni for each i ,
• rule S $thetasEqual : θS = θS 0 ⇔ n1 = n10 ∧ · · · (alternatively, θS0 = θS1 ⇔ . . . if there are i
and j for which ni = nj0 ),
• disabled rule S $inSet : x $ ∈ h|n1 : n10 , . . . |i ⇔ (∃ n1 : n10 , . . . • x $ = θS ),
• rule S $thetaInSet : θS ∈ h|n1 : n10 , . . . |i ⇔ n1 ∈ n10 ∧ · · ·
(a special case of S $inSet. As above, we may have ni 0 : ni 1 if necessary), and
• rule S $setInPowerSet : h|n1 : n1 , . . . |i ∈ P h|n1 : n10 , . . . |i ⇔ n1 = {} ∨ . . . ∨ (n1 ∈ P n10 ∧ ...).
(As above, we may have ni 0 and ni 1 if necessary).
These rules for schemas used as sets are generated lazily, that is, only when a schema is in fact
used as a set. Many schemas (e.g., schemas defining operations) are never used in this way and so
these rules need never be generated.
Type rules
Declarations in the decl-part are added to the global vocabulary only after the entire decl-part is
processed. Thus, a declaration in the decl-part may not refer to previous declarations in the decl-
part, but the predicates in the labelled-axiom-part may refer to any declaration in the decl-part.
Domain Checking
D
P
DC = DC (D) ∧ (∀ D • DC (P ) ∧ DC (Q) ∧ · · ·)
Q
···
18 Z/EVES Project TR-97-5493-03d
Implicit Declarations
For an axiomatic box
D
P
Q
···
the following theorems are added:
• frule n$declaration : n ∈ S
for each declared name n : S in the declaration part. If the name is declared more than once,
the theorems derived from subsequent declarations have names n$declaration2, n$declaration3,
and so on.
• Each predicate in the predicate part is also added as a theorem, using the name and usage
provided in its label, if given; otherwise, it is added as an axiom with an internally generated
name.
It is possible to write axiomatic boxes with schema references in their declaration parts. This
seems to be rare in practice, and the Z/EVES support for this style is weak. In particular, no
declaration theorems are added.
Syntax
generic-box ::= \begin[para-opt]{gendef} [gen-formals]
decl-part
[\where
labelled-axiom-part]
\end{gendef}
3.5.10 Theorems
Theorem paragraphs allow for the expression of facts—or of properties that one hopes are facts.
These facts can be proved using Z/EVES proof commands. In addition, theorems can be used in
the proofs of other theorems. Theorems can be used at the user’s request (with the apply or use
commands), or may be used automatically by the prove, reduce, rewrite, or simplify commands
(depending on the usage given in the theorem declaration).
WARNING: The syntactic restrictions on rewrite, forward, and assumption rules, described
below, are not checked by the current version of Z/EVES. Expect strange error messages when the
syntax rules are violated. We plan to implement these checks in a future release.
Syntax
theorem ::= \begin[para-opt]{theorem}{[usage] theorem-name}[gen-formals]
predicate
[ \proof
command sep . . . sep command ]
\end{theorem}
Z/EVES Project TR-97-5493-03d 19
Type rules
Theorems are type checked, but, unlike other paragraphs, may contain undeclared (free) variables.
Domain Checking
No domain checking condition is generated. (There is a technical difficulty in doing so, as the
necessary type information is not always available.)
Implicit Declarations
None.
3.5.10.1 Facts
The usage axiom specifies that a theorem is to be used as a fact. Facts are not considered during
reduction; they must be explicitly added to the current goal with the use command (Section 5.4.4).
The first string-or-word specifies the symbol to be declared. If the symbol is an identifier or
LATEX command, it is given as a word. Otherwise, the operator symbol is a sequence of symbol
characters, and is given as a string.
The opclass specifies the syntactic category of the operator symbol, i.e., what kind of operator
it is, or whether an interchange name is being specified for the symbol, or whether the symbol is to
be ignored.
The second string-or-word specifies the “internal name” of the operator symbol. This is usually
the interchange name, but may be any name that does not conflict with an existing internal name.
If the name is a valid identifier or LATEX command, it is given as a word. Otherwise, it is given as a
string. If the symbol is to be ignored, this argument should be specified as {}, since the symbol will
have no internal name.
Syntax
declaration ::= basic-decl ; . . . ; basic-decl
basic-decl ::= decl-name-list : expression
| schema-ref
decl-name-list ::= decl-name , . . . , decl-name
22 Z/EVES Project TR-97-5493-03d
Domain Checking
DC (n, . . . : e) = DC (e)
DC (S [e, . . .]) = DC (e) ∧ · · ·
DC (D; D 0 ) = DC (D) ∧ DC (D 0 )
Proof Considerations
The meaning of a declaration x : S is the same as the predicate x ∈ S , but there is a significant
difference in the applicability of proof steps to declarations and predicates. Predicates can be
rewritten or (if they are schema references) invoked; declarations cannot (although any expressions
appearing in them may be). For example, the Toolkit defines rewrite rules that turn x ∈ A ∪ B into
x ∈ A ∨ x ∈ B , but there are no corresponding rules for the declaration x : A ∪ B (and, indeed,
x : A ∨ x : B is not valid syntax).
The prenex command (see Section 5.6.2) eliminates quantifiers whenever possible, converting
declarations into predicates. It is usually beneficial to prenex whenever possible.
Z/EVES generates internal forward rules, so that inside the scope of a declaration, the corre-
sponding predicate is assumed. Thus, if a user-defined forward rule applies to a schema reference
(e.g., S ⇒ x > 0), the rule is applied when S appears as a declaration. In this case, the internal
forward rule asserts S as a predicate; which then triggers the user’s forward rule.
Proof Considerations
In proof, Z/EVES treats schemas as predicates. Most of the schema operators correspond to obvious
predicate operators (e.g., ∧); we will explain those cases where there is a non-obvious correspondence.
Z/EVES Project TR-97-5493-03d 23
Type rules
The scope rules for schema quantification and predicate quantification are subtly different: the
quantifier in a schema quantification captures names declared in the schema expression but not
names used there. For example, in ∀ X : P N • S [X ] ∧ [a : X ] ∧ [X : P Z | . . .], only the rightmost
X is captured by the quantifier, the other two refer to X in an outer scope.
Domain Checking
DC (∀ D | P • SE ) = DC (D) ∧ (∀ D • DC (P )) ∧ DC (SE )
DC (∃ D | P • SE ) = as above
DC (∃1 D | P • SE ) = as above
The domain checking conditions are slightly weaker than necessary; it would be possible to have
instead. We decided to use the simpler form above, as it seems unlikely that ∃ D | P will be false in
many cases.
Proof Considerations
The unique existence quantifier for schemas is not yet fully supported; however, it is possible to type
check specifications using it (with the check command).
Z/EVES renames the bound variable if necessary in the predicate associated with the schema
quantification, to account for the different scope rules in schema expressions and predicates.
Domain Checking
DC ([D | P ]) = DC (D) ∧ (∀ D • DC (P ))
See Section 3.6 for a description of the domain checking for declarations.
Type rules
In a replacement, the expression must have the same type as the decl-name component of the schema.
Z/EVES will automatically declare a ∆ or Ξ schema if it appears in a schema reference without
b [S ; S 0 ]
having been declared; this follows the common convention. The default declarations are ∆S =
0 0
and ΞS = b [S ; S | θS = θS ].
It is possible for the default definition of a ∆ or Ξ schema to be ill-typed, in which case the
schema reference containing the ∆ or Ξ is itself in error.
Semantics
Replacements specify values for components. Any replaced component is not in the alphabet of the
schema reference. For example, given the schema S = b [x , y : Z | x < y], the reference S [x := 0] is
equivalent to a reference to the schema [y : Z | 0 < y].
Domain Checking
DC (S [X , Y ][x /y, z := e]) = DC (X ) ∧ DC (Y ) ∧ DC (e)
Domain Checking
DC (¬ SE ) = DC (SE )
Domain Checking
DC (pre SE ) = DC (SE )
Proof Considerations
The predicate associated with a schema precondition is explicitly quantified; thus, for S = b [∆T ; r ! :
RT | . . .], the predicate for pre S is ∃ x 0 : X , . . . R! : RT • S , where x 0 is declared in T 0 and X is
determined by the type checker.
Z/EVES Project TR-97-5493-03d 25
Domain Checking
DC (SE ∧ SE 0 ) = DC (SE ) ∧ DC (SE 0 )
DC (SE ∨ SE 0 ) = DC (SE ) ∧ DC (SE 0 )
DC (SE ⇒ SE 0 ) = DC (SE ) ∧ DC (SE 0 )
DC (SE ⇔ SE 0 ) = DC (SE ) ∧ DC (SE 0 )
Domain Checking
DC (SE SE 0 ) = DC (SE ) ∧ DC (SE 0 )
DC (SE \ (n, . . .)) = DC (SE )
Proof Considerations
The predicate associated with a projection or hiding is existentially quantified, as for a schema
precondition.
Domain Checking
DC (SE o9 SE 0 ) = DC (SE ) ∧ DC (SE 0 )
DC (SE >>SE 0 ) = DC (SE ) ∧ DC (SE 0 )
Proof Considerations
The predicates associated with these schema operations, like those for preconditions and hiding, are
explicitly quantified.
26 Z/EVES Project TR-97-5493-03d
3.8 Predicates
predicate ::= \forall schema-text @ predicate
| \exists schema-text @ predicate
| \exists_1 schema-text @ predicate
| \LET let-def ; . . . ; let-def @ predicate
| \IF predicate \THEN predicate \ELSE predicate
| predicate-1
predicate-1 ::= expression rel expression rel . . . rel expression
| pre-rel decoration [gen-actuals] expression
| schema-ref
| \pre schema-ref
| \lnot predicate-1
| predicate-1 \land predicate-1
| predicate-1 \lor predicate-1
| predicate-1 \implies predicate-1
| predicate-1 \iff predicate-1
| true
| false
| ( predicate )
In the above syntax, operators defined in later productions have higher precedence than operators
defined in earlier productions. Within a production, operators defined earlier in the production have
higher precedence than operators defined later in the production. All binary operators are left-
associative, except \implies, which associates to the right.
The domain checking conditions for predicates do not respect logical equivalences. For example,
although P ⇒ Q is logically equivalent to (¬ Q) ⇒ (¬ P ), the conditions generated for the two
predicates are different. The conditions use a left to right reading of the predicate, so, for example,
for P ⇒ Q to be meaningful, first P must be meaningful, and then Q must be meaningful whenever
P holds. This allows predicates to be guarded, as in the formula x 6= 0 ⇒ x div x = 1.
3.8.1 Quantifications
Syntax
predicate ::= \forall schema-text @ predicate
| \exists schema-text @ predicate
| \exists_1 schema-text @ predicate
Domain Checking
DC (∀ D | P • Q) = DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (Q)))
DC (∃ D | P • Q) = as above
DC (∃1 D | P • Q) = as above
Proof Considerations
Unique existence is handled rather strangely in the prover; a predicate ∃1 D | P • Q has an internal
form using the set comprehension {D | P ∧ Q} (which is asserted to have a single element). An
internal rewrite rule converts this to a form involving the standard quantifiers.
Because the internal form uses a set comprehension, it may not be possible to use a unique
existence quantifier in a predicate appearing in a proof step (unless the quantification has already
appeared in some formula). See Section 2.2.1.
Z/EVES Project TR-97-5493-03d 27
Domain Checking
DC (let x == e; . . . • P ) = DC (e) ∧ · · · ∧ (let x == e; . . . • DC (P ))
Proof Considerations
Let predicates are not represented directly in the prover; in particular, any part of the body of a let
predicate that contains a reference to one of the local variables cannot be directly manipulated or
changed in a proof step.
The commands invoke and reduce will apply a β-reduction, that is, the let form will be replaced
by an expanded body. For example, the predicate let x == 1, y == 2 + 3 • x < y will be changed
to 1 < 2 + 3.
It is not possible to use a let predicate in a proof step, unless that predicate (or one like it) has
already appeared in some paragraph of a specification; see Section 2.2.1.
Domain Checking
DC (if P then Q else R) = DC (P ) ∧ (if P then DC (Q) else DC (R))
Proof Considerations
If the “test” predicate (P in the above example) is a conditional predicate or an application of a
Boolean connective, it may be necessary to use normalization in a proof; see Section 5.8.5.
Domain Checking
DC (e1 IR e2 . . .) = DC (e1 ) ∧ DC (IR) ∧ DC (e2 ) · · ·
Proof Considerations
A predicate x R y is represented internally as (x , y) ∈ ( R ), except when R is one of the predefined
arithmetic comparisons.
28 Z/EVES Project TR-97-5493-03d
Domain Checking
DC (PR e) = DC (e) ∧ DC (PR)
Proof Considerations
A predicate PR e is represented internally as e ∈ (PR ).
Domain Checking
See Section 3.7.3.
Proof Considerations
A schema precondition is represented by an existential quantification, as described in Section 3.7.5.
Domain Checking
DC (¬ P ) = DC (P )
DC (P ∧ Q) = DC (P ) ∧ (P ⇒ DC (Q))
DC (P ∨ Q) = DC (P ) ∧ (P ∨ DC (Q))
DC (P ⇒ Q) = DC (P ) ∧ (P ⇒ DC (Q))
DC (P ⇔ Q) = DC (P ) ∧ DC (Q)
3.8.8 Constants
Syntax
predicate-1 ::= true
| false
Z/EVES Project TR-97-5493-03d 29
Domain Checking
DC (true) = true
DC (false) = true
3.9 Expressions
expression-0 ::= \lambda schema-text @ expression
| \mu schema-text [@ expression]
| \LET let-def ; . . . ; let-def @ expression
| expression
expression ::= \IF predicate \THEN expression \ELSE expression
| expression-1
expression-1 ::= expression-1 in-gen decoration expression-1
| expression-2 \cross . . . \cross expression-2
| expression-2
expression-2 ::= expression-2 in-fun decoration [gen-actuals] expression-2
| pre-gen decoration expression-4
| - decoration [gen-actuals] expression-4
| expression-4 \limg expression-0 \rimg decoration [gen-actuals]
| expression-3
expression-3 ::= expression-3 expression-4
| expression-4
expression-4 ::= [local-or-global] var-name [gen-actuals]
| number
| schema-ref
| \{ schema-text [@ expression] \}
| \{ [expression-list] \}
| \langle expression-list \rangle
| \lbag expression-list \rbag
| \lblot binding ; . . . ; binding \rblot
| ( expression-list )
| \theta schema-name decoration [replacements]
| expression-4 . var-name
| expression-4 . number
| expression-4 post-fun decoration [gen-actuals]
| expression-4 \bsup expression \esup
| expression-4 ^{ expression }
| ( expression-0 )
In the above syntax, operators defined in later productions have higher precedence than operators
defined in earlier productions. Within a production, operators defined earlier in the production have
higher precedence than operators defined later in the production. All binary operators are left-
associative, except infix generic (in-gen) operators, which associate to the right. Note that × is not
an associative operator; A × B × C means neither (A × B ) × C nor A × (B × C ). Also, note that
the \power operator is considered to be an ordinary prefix generic operator.
A word defined as an in-fun operator is given a “precedence” between one and six. The higher
the precedence, the higher the binding power.
30 Z/EVES Project TR-97-5493-03d
Domain Checking
DC (λ D | P • e) = DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (e)))
Proof Considerations
A lambda expression λ D | P • e is equivalent to the set comprehension { D | P • (T , e) }, where
T is the characteristic tuple of the declaration D. No special rules are generated beyond those for
the comprehension; in particular, Z/EVES has no special knowledge that the lambda expression
determines a (partial) function. It will probably be necessary, therefore, for the user to state and
prove such theorems.
As explained in Section 2.2.1, it may not be possible to use a lambda expression in a proof
command.
Domain Checking
DC (µ D | P • e) = DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (e))) ∧ (∃1 D • P )
Proof Considerations
Definite description terms are converted to a standard form µ x : S (if they are not already in that
form); in general µ D | P • e is converted to µ x : {D | P • e}. Internally, this form is represented
as a function of the set S . The Toolkit gives several rules for working with this form.
As explained in Section 2.2.1, it may not be possible to use a definite description in a proof
command.
Domain Checking
DC (let x == e; . . . • e 0 ) = DC (e) ∧ · · · ∧ (let x == e; . . . • DC (e 0 ))
Proof Considerations
See the comments on local variable bindings in predicates in Section 3.8.2.
Z/EVES Project TR-97-5493-03d 31
Domain Checking
DC (if P then e else e 0 ) = DC (P ) ∧ (if P then DC (e) else DC (e 0 ))
Domain Checking
DC (e × e 0 × · · ·) = DC (e) ∧ DC (e 0 ) ∧ · · ·
Proof Considerations
There are no built-in facts about cross products and tuples; suitable rules can be added manually if
need be. The Toolkit gives rules for two and three-element cross products.
Domain Checking
DC (e F e 0 ) = DC (( F )(e, e 0 ))
true if f is a total function
(
DC (f (a)) = a ∈ dom f if f is a partial function
f applies$to a otherwise
For the analysis of function applications, Z/EVES considers the declaration of the function (when
the function is a variable or constant) to determine if it is total, partial, or unknown.
Proof Considerations
Except in the case of a predefined arithmetic function, an infix function application is represented
internally as a normal function application. For example, 1 . . 9 is represented as ( . . )(1, 9).
32 Z/EVES Project TR-97-5493-03d
Semantics
A name preceded by \Local is interpreted as a variable name, even if there is a constant of the same
name. Conversely, a name preceded by \Global is interpreted as a reference to a global constant,
even if there is a variable of that name in scope.
Domain Checking
DC (e IG e 0 ) = DC (e) ∧ DC (e 0 )
DC (PG e) = DC (e)
DC (v [e1 , . . .]) = DC (e1 ) ∧ . . .
Proof Considerations
The \Local and \Global tags can occur in Z/EVES output as a result of a prenex or substitution
operation.
3.9.8 Constants
Syntax
expression-4 ::= number
Domain Checking
DC (number) = true
Domain Checking
See Section 3.7.3.
Proof Considerations
Rules pertaining to schema-refs are declared when schemas are declared; see Section 3.5.7.
Z/EVES Project TR-97-5493-03d 33
Domain Checking
DC ({ D | P • e }) = DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (e)))
Proof Considerations
Set comprehensions are not represented directly in the prover; in particular, any part of the com-
prehension that contains a reference to one of the local variables cannot be directly manipulated or
changed in a proof step.
Two internal rewriting rules apply to comprehensions. For the comprehension { D | P • e }, they
are
• x ∈ { D | P • e } ⇔ (∃ D | P • x = e), and
• { D | P • e } ∈ P X ⇔ (∀ D | P • e ∈ X ).
Any command that applies rewrite rules can apply these rules. The second fact is somewhat weak,
in that it does not help in showing that a comprehension defines a relation or partial function; such
rules must be added by the user if needed.
It is not possible to use a comprehension in a proof step, unless the comprehension (or one like
it) has already appeared in some paragraph of a specification; see Section 2.2.1.
Domain Checking
DC ({e, e 0 , . . .}) = DC (e) ∧ DC (e 0 ) ∧ · · ·
Proof Considerations
The empty set is represented internally as a constant; unit sets are represented as functions of their
element; displays with two or more elements are represented as unions of unit sets.
Domain Checking
DC (he, e 0 , . . .i) = DC (e) ∧ DC (e 0 ) ∧ · · ·
Proof Considerations
The empty sequence is represented internally as a constant; unit sequences are represented as func-
tions of their element; displays with two or more elements are represented as concatenations (i.e.,
applications of function a ) of unit sequences.
Domain Checking
DC ([[e, e 0 , . . . ]]) = DC (e) ∧ DC (e 0 ) ∧ · · ·
Proof Considerations
The empty bag is represented internally as a constant. Unit bags are represented as functions of
their element. Displays with two or more elements are represented as bag unions of unit bags.
Syntax
expression-4 ::= \lblot binding ; . . . ; binding \rblot
binding ::= decl-name-list : expression
Domain Checking
DC (h|n : e, . . . |i) = DC (e) ∧ · · ·
Proof Considerations
The alphabet of a binding set display must be the alphabet of some schema appearing in the
specification. The significant facts about the binding set are derived when the schema is declared;
see Section 3.5.7.
3.9.15 Tuples
Syntax
expression-4 ::= ( expression-list )
Z/EVES Project TR-97-5493-03d 35
Domain Checking
DC ((e, e 0 , . . .)) = DC (e) ∧ DC (e 0 ) ∧ · · ·
Proof Considerations
There are no built-in facts about cross products and tuples; suitable rules can be added manually if
need be. The Toolkit gives rules for two and three-element tuples.
Domain Checking
DC (θS ) = true
DC (θS [n := e, . . .]) = DC (e) ∧ · · ·
Proof Considerations
Several facts about theta terms are introduced when a schema is defined; see Section 3.5.7.
Domain Checking
DC (e.n) = DC (e)
Proof Considerations
Several facts about named component selections are introduced when a schema is defined; see Sec-
tion 3.5.7.
There are no built-in facts about numeric selections; suitable rules can be added manually if need
be. The Toolkit gives rules for selections from two and three-element tuples.
3.10 Identifiers
This section gives the syntax of the various kinds of identifiers, simple and compound, used in Z
specifications, and the syntax of the various kinds of identifier lists.
3.10.3 Identifiers
ident ::= word decoration
event-name ::= schema-name | ident
theorem-name ::= word
decoration := [stroke . . . stroke]
stroke := ’ | ! | ?
| _0 | _1 | _2 | _3 | _4 | _5 | _6 | _7 | _8 | _9
ident-list ::= ident , . . . , ident
gen-formals ::= [ ident-list ]
An identifier consists of a word, optionally followed by a sequence of strokes (a decoration). Note
that it would be valid LATEX to write something like x_{10}, but not valid Z/LATEX.
LATEX gives an error on a double subscript, e.g., x_1_2, and typesets mixed subscripts and
superscripts above one another, so that x_1’ and x’_1 both appear as x10 . Thus, it is advisable to
use {} between adjacent sub- or superscripts, e.g. x_2{}_1{}’. Z/EVES ignores the braces, and
the typeset form (x21 0 ) clearly indicates the order of strokes.
Event names are used in Z/EVES commands (Chapter 4) to denote names of declarations.
Chapter 4
Z/EVES Commands
Z/EVES is an interactive system. This chapter describes the Z/EVES interactive commands and
their effects.
Both Z paragraphs and Z/EVES commands can be entered at the Z/EVES prompt. A paragraph
is type-checked and, if well-typed, is added to the history. If the paragraph has a non-trivial domain
checking condition, that condition is added as a proof goal; its name will end with $domainCheck .
37
38 Z/EVES Project TR-97-5493-03d
At any time, new declarations may be made, and additional proof parents may be added with
the parent command. Thus, the order of declarations in a section proof, except for the requirement
that a name be declared before it is used, need have no relation to the order of declarations in the
section being proved. Also, additional declarations required for a proof may be added before the
proof where they are required.
When a section proof is ended, if there are no pending declarations or undischarged proof obli-
gations, a section proof file is created in the current directory. If the name of the section is S, the
name of the file will be S.pct. This file records the proof parents specified in the section proof,
both in the \begin{zsectionproof} command and in parent commands. If the section proof is
not finished, nothing happens. The reset command may be used if you want to discard the section
proof.
4.1.1 Declare
command ::= declare event-name , . . . , event-name
The declare command declares the specified declarations, which must be on the pending list.
The declarations are processed in the specified order, and removed from the pending list.
4.1.2 Declare To
command ::= declare to event-name
The declare to command declares all declarations on the pending list up to but not including
the specified declaration, which must be on the pending list. The declarations are processed in the
order in which they appear in the pending list, and are then removed from the list.
4.1.4 Parent
command ::= parent ident
The parent command declares an additional proof parent for the current Z section proof.
4.2.1 Help
command ::= help ident
Error messages in Z/EVES are named, and the names are printed with the messages; the help
command prints an explanation for the specified message.
Z/EVES Project TR-97-5493-03d 39
4.3.1 Reset
command ::= reset
The reset command returns Z/EVES to its initial state. If the Toolkit section was present
before the command was entered, it will still be available afterwards.
4.3.2 Undo
command ::= undo [number]
The undo command removes the specified number of most recently added declarations. If no
number is given, the most recent declaration is removed.
4.4.2 Quit
command ::= quit
The quit command terminates Z/EVES.
Z/EVES Project TR-97-5493-03d 41
4.4.3 Read
command ::= read [script] string
The read command reads input from the specified file, in batch mode. If the script option is
given, the file is read in interactive mode.
4.4.4 Ztags
command ::= ztags string , . . . , string
The ztags command generates a “tags” file for the specified files. When editing Z specification
files with the GNU Emacs editor and the Emacs Z mode provided with the Z/EVES system, the
tags file provides information to the editor that allows searching for definitions in the specified files,
and a number of other useful features.
The specified file names may contain system-specific “wild card” characters, and the tags file
produced is named TAGS, in the current directory.
42 Z/EVES Project TR-97-5493-03d
Chapter 5
Proof Commands
In interactive use, the Z/EVES system maintains a current goal. The current goal is set when a Z
paragraph with a non-trivial domain condition or a theorem paragraph is entered, or when one of
the try commands is entered. The proof commands perform various transformations on the current
goal, and the current goal may be examined with the print formula command. A proof is complete
when the current goal is the predicate true.
Several proof commands contain predicates or expressions. Any such formulas are type checked
in the context of the goal, so that the types of the variables appearing in the goal are known, and
generic actuals can usually be inferred by the type checker. However, there is a slight weakness in
the type checker’s handling of a theorem’s generic formals, and any types referring to these formals
will not be inferred.
5.1.1 Try
command ::= try predicate
The try command establishes a new, unnamed, proof goal. The given predicate is type checked,
but references to free variables are allowed. However, if there is not enough information in the
predicate to determine the types of these variables (e.g., membership in some defined set), it is
unlikely that a proof of the predicate will be successful.
43
44 Z/EVES Project TR-97-5493-03d
The try lemma command begins the proof, or returns to an unfinished proof, of a named proof
goal.
5.2.1 Back
command ::= back [number]
The back command discards the specified number (or one, if no number is given) of proof steps.
5.2.2 Retry
command ::= retry
The retry command discards the current proof attempt, and restores the proof goal to its original
form.
5.3.1 Cases
command ::= cases
The cases command splits the goal into separate cases, if possible. A case split is possible if the
goal is a conjunction, disjunction, a conditional predicate (of the form if . . . then . . . else . . .), or
an implication whose conclusion is one of these.
Each case is numbered, and the highest numbered case becomes a new proof goal. Different cases
can be considered by using the next command.
5.3.2 Next
command ::= next
The next command moves to the next case, if a case split has been performed. If there are no
further cases, the final form of each of the goal cases are collected. It is not necessary to complete
the proof of a case before moving on to the next.
Z/EVES Project TR-97-5493-03d 45
5.3.3 Split
command ::= split predicate
The split command is used to consider two cases. The command split P transforms a goal
G to the new goal if P then G else G. (The cases command can be applied to this new goal to
break it into two cases: P ⇒ G and ¬ P ⇒ G.)
The specified predicate is type checked with respect to the current goal.
5.3.4 Conjunctive
command ::= conjunctive
The conjunctive command performs the following transformations on the current goal:
• Implication, logical equivalence, and conditional predicates are replaced by ∧ and ∨, (e.g.,
a ⇒ b becomes (¬ a) ∨ b).
5.3.5 Disjunctive
command ::= disjunctive
The disjunctive command performs the following transformations on the current goal:
• Implication, logical equivalence, and conditional predicates are replaced by ∧ and ∨, (e.g.,
a ⇒ b becomes (¬ a) ∨ b).
5.4.1 Apply
command ::= apply theorem-name
| apply theorem-name to expression expression
| apply theorem-name to predicate predicate
The specified name must be the name of a theorem that was declared as a rewrite rule. If no
expression or predicate is specified, the rule is applied wherever possible in the current goal. If
an expression or predicate is specified, the rule is applied, if possible, only to occurrences of the
expression or predicate in the current goal.
46 Z/EVES Project TR-97-5493-03d
5.4.2 Invoke
command ::= invoke [event-name]
If the specified name is the name of a schema or of a name introduced in a definition, all
occurrences of the name in the current goal are replaced by its definition. If no name is specified,
all schema and definition names in the current goal are invoked.
The specified name must be either
• a schema name, which may have a prefix but must not have decorations, generic actuals, or
replacements, or
5.4.4 Use
command ::= use theorem-ref
theorem-ref ::= theorem-name decoration [gen-actuals] [replacements]
theorem-name ::= word
The specified name must be the name of a theorem, and generic actuals must be supplied for all
generic formals of the theorem. The generic actuals are type checked with respect to the current
goal.
Leading universal quantifiers in the theorem’s predicate are stripped, and the variables bound
by these quantifiers become free in the theorem, together with variables in the theorem that were
already free. Each free variable in the theorem must be instantiated, i.e., given a value, in one of
two ways:
• A free variable x is also free in the current goal or is globally defined; this is equivalent to the
replacement x := x .
If a decoration is specified in the theorem reference, the decoration is appended to all free variables
of the theorem. The resulting variables must then be instantiated as described above.
Z/EVES then adds the theorem to the current goal, with free variables in the theorem replaced
by their values, and type checks the result.
Z/EVES Project TR-97-5493-03d 47
5.6 Quantifiers
5.6.1 Instantiate
command ::= instantiate instantiations
instantiations ::= let-def , . . . , let-def
let-def ::= var-name == expression
The instantiate command is used to instantiate one or more quantified variables. The variables
instantiated must appear together in a quantified predicate (that is, one cannot instantiate both x
and y in ∀ x : Z | x > 1 • ∀ y : Z • . . ., but can do so in ∀ x , y : Z • . . .).
The expressions in the command are type checked with respect to the current goal.
5.6.2 Prenex
command ::= prenex
The prenex command removes any quantifiers that can be made into leading universal quantifiers.
For example, the predicate
(∃ x : N | x ∈ S ) ⇒ (∀ y : S 0 • y < x )
x ∈ N ∧ x ∈ S ∧ y ∈ S0 ⇒ y < x.
5.7 Reduction
The reduction commands traverse the current goal, accumulating assumptions and performing re-
duction on predicates and expressions in the goal. In a traversal, each formula and subformula of the
goal is examined, and may be replaced by a logically equivalent formula which Z/EVES considers
“simpler.” Other replacements may occur, depending on the type of reduction being performed.
Z/EVES can perform three types of reduction: simplification, rewriting, and reducing. The
reduction commands come in two flavours: the “regular” reduction commands, and the “trivial”
reduction commands, which are less powerful, but faster. There is no command for “trivial” reducing;
this would simply invoke all definitions in the current goal, which can be done with the invoke
command (Section 5.4.2).
48 Z/EVES Project TR-97-5493-03d
The reduction commands use only theorems and definitions that are enabled. The declaration of a
name or theorem may specify that the name should normally be disabled. A command modifier can
be used to enable or disable a theorem or definition for a single reduction command; see Section 5.8.
The effectiveness of the Z/EVES reduction commands depends to some extent on the order of
hypotheses in the current goal. The rearrange command may be used to rearrange the hypotheses
to improve the performance of the reduction commands.
The prove by reduce and prove by rewrite commands repeatedly reduce or rewrite the cur-
rent goal, until the goal is unchanged.
5.7.1 Simplify
command ::= simplify
The simplify command performs simplification on the current goal.
In simplification, Z/EVES performs equality and integer reasoning, propositional reasoning and
tautology checking, and applies forward rules and assumption rules where possible. A forward rule
can be applied if its hypothesis matches a subformula; its conclusion is then assumed in the proof.
An assumption rule can be applied if its trigger matches a subformula and its condition, if any, can
be proved with simplification; its conclusion is then assumed in the proof. See Section 3.5.10.3 for
a description of forward rules, and Section 3.5.10.4 for a description of assumption rules.
5.7.2 Rewrite
command ::= rewrite
The rewrite command performs rewriting on the current goal.
In rewriting, Z/EVES performs simplification, and also applies rewrite rules where possible. A
rewrite rule can be applied if its pattern matches a subformula and its condition, if any, can be
proved with rewriting; the subformula is replaced with the replacement of the rule and the result
will again be rewritten. See Section 3.5.10.2 for a description of rewrite rules.
For example, suppose the following rule has been declared:
and the current goal is S = {} × T . A rewrite command would apply this rule, and the current
goal would become S = {}.
5.7.3 Reduce
command ::= reduce
The reduce command performs reducing on the current goal.
In reducing, Z/EVES performs simplification and rewriting, and if a subformula is a schema
reference or generic instance, the subformula will be replaced by the definition of the schema or
generic symbol (Section 5.4.2) and the result will again be reduced. Also, conditional rewrite rules
apply if their conditions can be shown to be true by reducing.
5.7.6 Rearrange
command ::= rearrange
If the current goal is of the form H1 ∧ H2 ∧ . . . ⇒ C , the rearrange command rearranges the
hypotheses so that those that are “simpler,” in some sense, appear before more complicated ones.
This often improves the effectiveness of reduction commands.
5.8 Modifiers
Modifiers temporarily affect the behaviour of a reduction command.
would be normalized to
This normalization increases the power of the prover, but since it involves repeating parts of a for-
mula, the current goal can become extremely large, so normalization is disabled by default. The
with normalization command enables normalization during performance of the specified com-
mand.
The extra power that normalization gives Z/EVES is especially noticeable when, for example,
the conclusion of the current goal is a disjunction. A good strategy in this case is to do what
reduction you can without normalization (the default), and then do a final simplification step with
normalization.
Bibliography
51
52 Z/EVES Project TR-97-5493-03d
Appendix A
Collected Syntax
Specifications
specification ::= spec-item . . . spec-item
spec-item ::= z-section
| z-paragraph
| syntax-decl
| input-cmd
interaction ::= decl-or-cmd . . . decl-or-cmd
decl-or-cmd ::= spec-item
| z-section-proof
| command ;
Z Sections
Z-section ::= \begin{zsection}{ ident }{ [ident , . . . , ident] }
section-item . . . section-item
\end{zsection}
section-item ::= z-paragraph
| syntax-decl
| input-cmd
Paragraphs
z-paragraph ::= zed-box
| schema-box
| axiomatic-box
| generic-box
| theorem
zed-box ::= \begin[para-opt]{zed}
zed-box-item sep . . . sep zed-box-item
\end{zed}
| \begin[para-opt]{syntax}
zed-box-item sep . . . sep zed-box-item
\end{syntax}
53
54 Z/EVES Project TR-97-5493-03d
Syntax Declarations
syntax-decl ::= \syndef{string-or-word}{opclass}{[string-or-word]}
string-or-word ::= string | word
opclass ::= infun1 | infun2 | infun3 | infun4 | infun5 | infun6
| ingen | pregen
| inrel | prerel
| postfun
| word
| ignore
Input Commands
input-cmd ::= \input{text}
| \include{text}
Declarations
declaration ::= basic-decl ; . . . ; basic-decl
basic-decl ::= decl-name-list : expression
| schema-ref
decl-name-list ::= decl-name , . . . , decl-name
Schema Expressions
schema-exp ::= \forall schema-text @ schema-exp
| \exists schema-text @ schema-exp
| \exists_1 schema-text @ schema-exp
| schema-exp-1
schema-exp-1 ::= [ schema-text ]
| schema-ref
| \lnot schema-exp-1
| \pre schema-exp-1
| schema-exp-1 \land schema-exp-1
| schema-exp-1 \lor schema-exp-1
| schema-exp-1 \implies schema-exp-1
| schema-exp-1 \iff schema-exp-1
| schema-exp-1 \project schema-exp-1
| schema-exp-1 \hide ( decl-name-list )
| schema-exp-1 \semi schema-exp-1
| schema-exp-1 \pipe schema-exp-1
| ( schema-exp-1 )
schema-text ::= declaration [| predicate]
schema-ref ::= schema-name decoration [gen-actuals] [replacements]
schema-name ::= [prefix] word
prefix ::= \Delta | \Xi
replacements ::= [ rename-or-repl , . . . , rename-or-repl ]
rename-or-repl ::= decl-name / decl-name
| decl-name := expression
56 Z/EVES Project TR-97-5493-03d
Predicates
Expressions
Names
var-name ::= ident | ( op-name )
decl-name ::= ident | op-name
decl-name-list ::= decl-name , . . . , decl-name
op-name ::= \_ in-sym decoration \_
| pre-sym decoration \_
| \_ post-sym decoration
| \_ \limg \_ \rimg
| - decoration
in-sym ::= in-fun | in-gen | in-rel
pre-sym ::= pre-gen | pre-rel
post-sym ::= post-fun
ident ::= word decoration
event-name ::= schema-name | ident
theorem-name ::= word
decoration := [stroke . . . stroke]
stroke := ’ | ! | ?
| _0 | _1 | _2 | _3 | _4 | _5 | _6 | _7 | _8 | _9
ident-list ::= ident , . . . , ident
event-name-list ::= event-name , . . . , event-name
gen-formals ::= [ ident-list ]
Z Section Proofs
Z-section-proof ::= \begin{zsectionproof}{ ident }{ [ident , . . . , ident] }
decl-or-cmd . . . decl-or-cmd
\end{zsectionproof}
58 Z/EVES Project TR-97-5493-03d
Printing Commands
command ::= help ident
| print declaration event-name
| print formula
| print history [summary] [number]
| print proof [summary]
| print status
| print syntax word
| [print] theorems about expression expression
| [print] theorems about predicate predicate
Undoing Commands
command ::= reset
| undo [number]
| undo back to event-name
| undo back through event-name
Interface Commands
command ::= check string
| quit
| read [script] string
| ztags string , . . . , string
Z/EVES Project TR-97-5493-03d 59
Proof Commands
command ::= apply theorem-name
| apply theorem-name to expression expression
| apply theorem-name to predicate predicate
| back [number]
| cases
| conjunctive
| disjunctive
| equality substitute expression
| instantiate instantiations
| invoke [event-name]
| invoke predicate predicate
| next
| prenex
| prove by reduce
| prove by rewrite
| rearrange
| reduce
| retry
| rewrite
| simplify
| split predicate
| trivial rewrite
| trivial simplify
| try predicate
| try lemma event-name
| use theorem-ref
| with disabled ( event-name-list ) command
| with enabled ( event-name-list ) command
| with expression ( expression ) command
| with normalization command
| with predicate ( predicate ) command
instantiations ::= let-def , . . . , let-def
theorem-ref ::= word decoration [gen-actuals] [replacements]
60 Z/EVES Project TR-97-5493-03d
Appendix B
Notation
Symbol Grammatical type
e expression
P, Q predicate
ST schema-text
SE schema-exp
D decl-part
n, v , N , X name
The descriptions use tables to define a function DC from Z phrases to Z predicates, which gives
the domain checking condition for a phrase.
61
62 Z/EVES Project TR-97-5493-03d
Paragraphs
[N , . . .] true
n[X ] == e DC (e)
D
P DC (D) ∧ (∀ D • DC (P ) ∧ DC (Q) ∧ · · ·)
Q
···
[X ]
D
P DC (D) ∧ (∀ D • DC (P ) ∧ DC (Q) ∧ · · ·)
Q
···
S
D DC (D) ∧ (∀ D • DC (P ))
P
S=
b SE DC (SE )
theorem n
no condition
...
Z/EVES Project TR-97-5493-03d 63
Schema Expressions
∀ D | P • SE DC (D) ∧ (∀ D • DC (P )) ∧ DC (SE )
∃ D | P • SE DC (D) ∧ (∀ D • DC (P )) ∧ DC (SE )
∃1 D | P • SE DC (D) ∧ (∀ D • DC (P )) ∧ DC (SE )
[D | P ] DC (D) ∧ (∀ D • DC (P ))
¬ SE DC (SE )
pre SE DC (SE )
SE ∧ SE 0 DC (SE ) ∧ DC (SE 0 )
SE ∨ SE 0 DC (SE ) ∧ DC (SE 0 )
SE ⇒ SE 0 DC (SE ) ∧ DC (SE 0 )
SE ⇔ SE 0 DC (SE ) ∧ DC (SE 0 )
SE SE 0 DC (SE ) ∧ DC (SE 0 )
SE \ (n, . . .) DC (SE )
SE o
9 SE 0 DC (SE ) ∧ DC (SE 0 )
(SE ) DC (SE )
Declarations
Declaration Domain check
n, . . . : e DC (e)
S [e, . . .] DC (e) ∧ · · ·
D; D 0 DC (D) ∧ DC (D 0 )
64 Z/EVES Project TR-97-5493-03d
Predicates
Predicate Domain check
∀D | P • Q DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (Q)))
∃D | P • Q DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (Q)))
∃1 D | P • Q DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (Q)))
PR e DC (e) ∧ DC (PR)
true true
false true
¬P DC (P )
P ∧Q DC (P ) ∧ (P ⇒ DC (Q))
P ∨Q DC (P ) ∧ (P ∨ DC (Q))
P ⇒Q DC (P ) ∧ (P ⇒ DC (Q))
P ⇔Q DC (P ) ∧ DC (Q)
(P ) DC (P )
Z/EVES Project TR-97-5493-03d 65
Expressions
λD | P • e DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (e)))
e IG e 0 DC (e) ∧ DC (e 0 )
PG e DC (e)
e × e0 × · · · DC (e) ∧ DC (e 0 ) ∧ · · ·
true if f is a total function
f (a) a ∈ dom f if f is a partial function
f applies$to a otherwise
e F e0 DC (( F )(e, e 0 ))
{e, e 0 , . . .} DC (e) ∧ DC (e 0 ) ∧ · · ·
{D | P • e } DC (D) ∧ (∀ D • DC (P ) ∧ (P ⇒ DC (e)))
he, e 0 , . . .i DC (e) ∧ DC (e 0 ) ∧ · · ·
[[e, e 0 , . . . ]] DC (e) ∧ DC (e 0 ) ∧ · · ·
(e, e 0 , . . .) DC (e) ∧ DC (e 0 ) ∧ · · ·
h|n : e, . . . |i DC (e) ∧ · · ·
θS true
θS [n := e, . . .] DC (e) ∧ · · ·
e.n DC (e)
v [e1 , . . .] DC (e1 ) ∧ . . .
(e) DC (e)
66 Z/EVES Project TR-97-5493-03d
Appendix C
The language accepted by Z/EVES is almost a superset of the language accepted by the fuzz [10]
tool; a few features of the fuzz language are not supported, and a number of extensions have been
added.
The following features of the fuzz language are not supported:
• The fuzz %%type and %%tame directives are not currently supported. The other directives
are supported, but the \syndef declaration should be used instead. fuzz also accepts some
undocumented directives (e.g., %%token) which are not supported.
• Quoted identifiers (e.g., "FOO_BAR") are not supported; this would not allow the implementa-
tion of strings.
• An “ability” attribute may be specified for declaration boxes, to indicate to Z/EVES that the
results of processing the declaration (subsidiary declarations, etc.) should not automatically
be used in proofs.
• In some contexts, a predicate may have an optional label, to indicate to Z/EVES that the
predicate is a named axiom or rule.
67
68 Z/EVES Project TR-97-5493-03d