Introduction to ACL2. CS 680 Formal Methods for Computer Verification. Jeremy Johnson Drexel University

Similar documents
Reasoning About Programs Panagiotis Manolios

Induction Schemes. Math Foundations of Computer Science

Introduction to Functional Programming in Racket. CS 550 Programming Languages Jeremy Johnson

Reasoning About Programs Panagiotis Manolios

Reasoning About Programs Panagiotis Manolios

Imperative, OO and Functional Languages A C program is

Recursion & Iteration

Software Verification with ACL2

Lisp. Versions of LISP

Symbolic Programming. Dr. Zoran Duric () Symbolic Programming 1/ 89 August 28, / 89

Verifying Centaur s Floating Point Adder

Functional Programming. Pure Functional Programming

Gene Kim 9/9/2016 CSC 2/444 Lisp Tutorial

Functions, Conditionals & Predicates

Summer 2017 Discussion 10: July 25, Introduction. 2 Primitives and Define

CS 61A Interpreters, Tail Calls, Macros, Streams, Iterators. Spring 2019 Guerrilla Section 5: April 20, Interpreters.

Functional programming with Common Lisp

A Brief Introduction to Scheme (II)

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java

Reasoning About Programs Panagiotis Manolios

Fall 2018 Discussion 8: October 24, 2018 Solutions. 1 Introduction. 2 Primitives

Functional Programming. Pure Functional Languages

CS 480. Lisp J. Kosecka George Mason University. Lisp Slides

Functional Programming. Pure Functional Languages

Common LISP Tutorial 1 (Basic)

Proof-Pattern Recognition and Lemma Discovery in ACL2

Common Lisp. Blake McBride

Documentation for LISP in BASIC

Common LISP-Introduction

Announcement. Overview. LISP: A Quick Overview. Outline of Writing and Running Lisp.

Lecture Notes on Lisp A Brief Introduction

Introduction to Scheme

CS 314 Principles of Programming Languages

Scheme: Data. CS F331 Programming Languages CSCE A331 Programming Language Concepts Lecture Slides Monday, April 3, Glenn G.

CSCI337 Organisation of Programming Languages LISP

Scheme Tutorial. Introduction. The Structure of Scheme Programs. Syntax

A Tool for Simplifying ACL2 Definitions

Creating Formally Verified Components for Layered Assurance with an LLVM-to-ACL2 Translator

SCHEME 8. 1 Introduction. 2 Primitives COMPUTER SCIENCE 61A. March 23, 2017

Scheme. Functional Programming. Lambda Calculus. CSC 4101: Programming Languages 1. Textbook, Sections , 13.7

INF4820: Algorithms for Artificial Intelligence and Natural Language Processing. Common Lisp Fundamentals

Modern Programming Languages. Lecture LISP Programming Language An Introduction

Functional Programming Languages (FPL)

Intro. Scheme Basics. scm> 5 5. scm>

Organization of Programming Languages CS3200/5200N. Lecture 11

Functional Programming

User-defined Functions. Conditional Expressions in Scheme

1.3. Conditional expressions To express case distinctions like

Principles of Programming Languages Topic: Functional Programming Professor L. Thorne McCarty Spring 2003

Functional Languages. Hwansoo Han

by the evening of Tuesday, Feb 6

MIDTERM EXAMINATION - CS130 - Spring 2005

Recursive Functions of Symbolic Expressions and Their Computation by Machine Part I

Announcements. The current topic: Scheme. Review: BST functions. Review: Representing trees in Scheme. Reminder: Lab 2 is due on Monday at 10:30 am.

CSCC24 Functional Programming Scheme Part 2

Fall 2017 Discussion 7: October 25, 2017 Solutions. 1 Introduction. 2 Primitives

11/6/17. Functional programming. FP Foundations, Scheme (2) LISP Data Types. LISP Data Types. LISP Data Types. Scheme. LISP: John McCarthy 1958 MIT

Functional Programming. Big Picture. Design of Programming Languages

SCHEME 7. 1 Introduction. 2 Primitives COMPUTER SCIENCE 61A. October 29, 2015

Homework 1. Notes. What To Turn In. Unix Accounts. Reading. Handout 3 CSCI 334: Spring, 2017

FUNKCIONÁLNÍ A LOGICKÉ PROGRAMOVÁNÍ 3. LISP: ZÁKLADNÍ FUNKCE, POUŽÍVÁNÍ REKURZE,

Introduction to Functional Programming and basic Lisp

Modeling Asynchronous Circuits in ACL2 Using the Link-Joint Interface

Scheme: Strings Scheme: I/O

Scheme Quick Reference

CS 135 Winter 2018 Tutorial 7: Accumulative Recursion and Binary Trees. CS 135 Winter 2018 Tutorial 7: Accumulative Recursion and Binary Trees 1

CS 314 Principles of Programming Languages. Lecture 16

CSC 533: Programming Languages. Spring 2015

An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

LECTURE 16. Functional Programming

CS61A Midterm 2 Review (v1.1)

Introduction to lambda calculus Part 3

FP Foundations, Scheme

Higher order procedures procedures as types

Lisp Basic Example Test Questions

Functional Languages. CSE 307 Principles of Programming Languages Stony Brook University

Lists in Lisp and Scheme

Scheme: Expressions & Procedures

More Scheme CS 331. Quiz. 4. What is the length of the list (()()()())? Which element does (car (cdr (x y z))) extract from the list?

Introduction to CS 270 Math Foundations of CS

John McCarthy IBM 704

Homework 1. Reading. Problems. Handout 3 CSCI 334: Spring, 2012

Scheme Quick Reference

A Small Interpreted Language

Development of a Translator from LLVM to ACL2

COP4020 Programming Assignment 1 - Spring 2011

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Spring 2018 Discussion 7: March 21, Introduction. 2 Primitives

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Parameterized Congruences in ACL2

ACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections

A verified runtime for a verified theorem prover

Orc and ACL2. Nathan Wetzler May 4, University of Texas, Austin

MORE SCHEME. 1 What Would Scheme Print? COMPUTER SCIENCE MENTORS 61A. October 30 to November 3, Solution: Solutions begin on the following page.

Notes on Higher Order Programming in Scheme. by Alexander Stepanov

CS 314 Principles of Programming Languages

Principles of Programming Languages 2017W, Functional Programming

Pierce Ch. 3, 8, 11, 15. Type Systems

Propositional Calculus. Math Foundations of Computer Science

Increment and the While. Class 15

Transcription:

Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University

ACL2 www.cs.utexas.edu/~moore/acl2 ACL2 is a programming language, logic, and theorem prover/checker based on Common Lisp. ACL2 is a powerful system for integrated modeling, simulation, and inductive reasoning. Under expert control, it has been used to verify some of the most complex theorems to have undergone mechanical verification. 1

ACL2s (acl2s.ccs.neu.edu) Eclipse plugin (sedan version) Pure functional subset Ensure valid input Different operational modes Termination analysis Random testing and bug generation Install and test and read (ACL2s Programming Language) 2

Read-Eval-Print-Loop (REPL) ACL2s reads inputs, evaluates them and prints the result ACL2S BB!>VALUE (* 2 3) 6 ACL2S BB!> 2/11/2009 Goldwasser 3

A Pure Functional Language x 1 = y 1,,x n =y n f(x 1,,x n ) = f(y 1,,y n ) No side-effects, no assignments, no state, no loops Use recursion instead of iteration Still Turing complete Makes reasoning about programs easier 4

C++ Function with Side-Effects #include <iostream> using namespace std; int cc() { static int x = 0; return ++x; } % g++ count.c %./a.out cc() = 1 cc() = 2 cc() = 3 int main() { cout << "cc() = " << cc() << endl; cout << "cc() = " << cc() << endl; cout << "cc() = " << cc() << endl; } 5

ACL2 Syntax and Semantics Atoms (symbols, booleans, rationals, strings) predicates Lists ((1 2) 3) nil, cons, first and rest Functions and function application (* 2 (+ 1 2)) if expressions (if test then else) 6

ACL2 Atoms Rationals: For example, 11, 7, 3/2, 14/15 Symbols: For example, x, var, lst, t, nil Booleans: There are two Booleans, t, denoting true and nil, denoting false Strings: For example, hello, good bye 7

Function Application (* 2 3) 6 (* 2 (+ 1 2)) 6 (numerator 2/3) 2 (f x 1 x n ) [applicative order] 8

if expressions if : Boolean All All All (if test then else) (if test then else) = then, when test = t (if test then else) = else, when test = nil 9

Example if expressions (if t nil t) (if nil 3 4) (if (if t nil t) 1 2) 10

Equal equal : All All Boolean (equal x y) is t if x = y and nil otherwise. (equal 3 nil) = nil (equal 0 0) = t (equal (if t nil t) nil) = t 11

Predicates All Boolean booleanp symbolp integerp rationalp 12

Defining Functions (defun booleanp (x) (if (equal x t) t (equal x nil))) 13

Input/Output Contracts (defunc booleanp (x) :input-contract t :output-contract (booleanp (booleanp x)) (if (equal x t) t (equal x nil))) 14

Input/Output Contracts ic oc For booleanp (type checking) x :: t (booleanp (booleanp x)) x :: (if t (booleanp (booleanp x)) t) x :: (booleanp (booleanp x)) 15

Contract Checking ACL2s will not admit a function unless it can prove that every function call in its body satisfies its contract (body contract checking) and can show that it satisfies its contract (contract checking) 16

Contract Violations ACL2S BB!>VALUE (unary-/ 0) ACL2 Error in ACL2::TOP-LEVEL: The guard for the function call (UNARY-/ X), which is (COMMON-LISP::AND (RATIONALP X) (COMMON-LISP::NOT (EQUAL X 0))), is violated by the arguments in the call (UNARY-/ 0). 17

Contract Checking Example (defunc foo (a) :input-contract (integerp a) :output-contract (booleanp (foo a)) (if (posp a) (foo (- a 1)) (rest a))) 18

Boolean Functions And : Boolean Boolean Boolean (defunc and (a b) :input-contract (if (booleanp a) (booleanp b) nil) :output-contract (booleanp (and a b)) (if a b nil)) Or Not Implies Iff Xor 19

Numbers *, +, <, unary--, unary-/ (defunc unary-/ (a) :input-contract (and (rationalp a) (not (equal a 0)))...) Numerator, Denominator Exercise: Subtraction and Division 20

posp (defunc posp (a) :input-contract t :output-contract (booleanp (posp a)) (if (integerp a) (< 0 a) nil)) 21

Incorrect posp (defunc posp (a) :input-contract t :output-contract (booleanp (posp a)) (and (integerp a) (< 0 a))) 22

Termination? ACL2 will only accept functions that it can prove terminate for all inputs Does the following always terminate? ;; Given integer n, return 0+1+2+...+n (defunc sum-n (n) :input-contract (integerp n) :output-contract (integerp (sum-n n)) (if (equal n 0) 0 (+ n (sum-n (- n 1))))) 23

Termination? Modify the input-contract so that sum-n does terminate for all inputs ;; Given integer n, return 0+1+2+...+n (defunc sum-n (n) :input-contract (integerp n) :output-contract (integerp (sum-n n)) (if (equal n 0) 0 (+ n (sum-n (- n 1))))) 24

Termination? Modify the input-contract so that sum-n does terminate for all inputs ;; Given integer n, return 0+1+2+...+n (defunc sum-n (n) :input-contract (natpp n) :output-contract (integerp (sum-n n)) (if (equal n 0) 0 (+ n (sum-n (- n 1))))) 25

natp ;; Test whether the input is a natural number (integer 0) (defunc natp (a) :input-contract t :output-contract (booleanp (natp a)) (if (integerp a) (or (< 0 a) (equal a 0)) nil)) 26

Lists: L = (x 1 x n ) A list is either empty () [same as nil] or made up of Cons cells consp : All Boolean cons : All List Cons (cons x L) = (x x 1 x n ) first : Cons All (first (cons x L)) = x rest : Cons List (rest (cons x L)) = L 27

List Examples (list x 1 x n ) [macro variable # of args] (cons x 1 (cons x 2 (cons x n nil) )) (consp ()) = nil (cons 1 ()) = (1) (consp (cons 1 ())) = t (cons 1 (cons 2 (cons 3 ()))) = (1 2 3) (list 1 2 3) = (1 2 3) (cons (cons 1 ()) ()) = ((1)) 28

Exercise How do you construct the list ((1) 2)? 29

Exercise How do you construct the list ((1) 2)? (cons 1 ()) = (1) (cons 2 ()) = (2) Want (cons x y) where x = (1) and y = (2) (cons (cons 1 ()) (cons 2 ())) = ((1) 2) Test this (and try additional examples) in ACL2 REPL 30

More About cons A cons cell contains two fields first [also called car] rest [also called cdr] For a list the rest field must be a list Generally both fields of a cons All (cons 1 2) = (1. 2) Called a dotted pair 31

List Processing Recursive Definition List : nil cons All List Process lists using these two cases and use recursion to recursively process lists in cons Use first and rest to access components of cons 32

Recursion and listp 1 (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (if (consp l) (listp (rest l)) (equal l () ))) 1. listp is a built-in function in the full ACL2 mode that only checks for consp. True-listp behaves as above. 33

Incorrect listp Nonterminating ACL will not accept functions it can not prove terminate (defunc listp (a) :input-contract t :output-contract (booleanp (listp a)) (if (consp a) (listp a) (equal a nil))) 34

Version 2 of listp (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (if (equal l nil) t (if (consp l) (listp (rest l)) nil))) 35

Version 3 of listp (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (cond ((equal l nil) t) ((consp l) (listp (rest l))) nil)) 36

Length 1 (defun length (l) :input-contract (true-listp l) :output-contract (natp (length l)) (if (equal l nil) 0 ( ) )) 1. Length is a built-in function in the full ACL2 mode 37

Length (defun length (l) :input-contract (true-listp l) :output-contract (natp (length l)) (if (equal l nil) 0 (+ 1 (length (rest l))) )) The recursive function can be thought of as a definition of length 38

Member 1 (defunc member (x l) :input-contract (true-listp l) :output-contract (booleanp (member x l)) (cond ((equal l nil) nil) ( ) ( ))) 1. Member is a built-in function in the full ACL2 mode 39

Member (defun member (x l) :input-contract (true-listp l) :output-contract (booleanp (member x l)) (cond ((equal l nil) nil) ((equal x (first l)) t) ((member x (rest l)))) 40

Append 1 (defun append (x y) :input-contract (and (true-listp x) (true-listp y)) :output-contract (true-listp (append x y)) ) (append (1 2 3) (4 5 6)) (1 2 3 4 5 6) Recurse on the first input 1. Append is a built-in function in the full ACL2 mode 41

Append (defun append (x y) :input-contract (if (equal x nil) y (cons (first x) (append (rest x) y)))) 42

Reverse 1 (defun reverse (l) :input-contract (true-listp l) :output-contract (true-listp (reverse l)) ) (reverse (1 2 3)) (3 2 1) 1. Reverse is a built-in function in the full ACL2 mode 43

Reverse (defun reverse (l) :input-contract (true-listp l) :output-contract (true-listp (reverse l)) (if (equal l nil) nil (append (reverse (rest l)) (cons (first l) nil)))) 44

Numatoms (defun atomp (x) :input-contract t :output-contract (booleanp (atomp x)) (not (consp x))) (defun numatoms (x) :input-contract t :output-contract (natp (numatoms x)) (cond ((equal x nil) 0) ((atomp x) 1) 45 ((+ (numatoms (first x)) (numatoms (rest x))))))

Shallow vs Deep Recursion Length and Member only recurse on the rest field for lists that are conses Such recursion is called shallow it does not matter whether the lists contain atoms or lists (length ((1 2) 3 4)) = 3 Numatoms recurses in both the first and rest fields Such recursion is called deep it completely traverses the list when elements are lists (numatoms ((1 2) 3 4)) = 4 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback