Extending ACL2 with SMT solvers

Similar documents
A Tool for Simplifying ACL2 Definitions

Proof-Pattern Recognition and Lemma Discovery in ACL2

Lecture 6: Arithmetic and Threshold Circuits

Induction Schemes. Math Foundations of Computer Science

Inference rule for Induction

Parameterized Congruences in ACL2

Formally Certified Satisfiability Solving

Polymorphic Types in ACL2

Introduction to ACL2. CS 680 Formal Methods for Computer Verification. Jeremy Johnson Drexel University

Finite Set Theory. based on Fully Ordered Lists. Jared Davis UT Austin. ACL2 Workshop 2004

Finite Model Generation for Isabelle/HOL Using a SAT Solver

SCHEME 7. 1 Introduction. 2 Primitives COMPUTER SCIENCE 61A. October 29, 2015

Improving Eliminate-Irrelevance for ACL2

1.3. Conditional expressions To express case distinctions like

Mathematica for the symbolic. Combining ACL2 and. ACL2 Workshop 2003 Boulder,CO. TIMA Laboratory -VDS Group, Grenoble, France

An Industrially Useful Prover

Reasoning About Programs Panagiotis Manolios

SAT-CNF Is N P-complete

A Mechanically Checked Proof of the Correctness of the Boyer-Moore Fast String Searching Algorithm

Reasoning About Programs Panagiotis Manolios

Boolean Functions (Formulas) and Propositional Logic

Lecture Notes on Real-world SMT

SCHEME 8. 1 Introduction. 2 Primitives COMPUTER SCIENCE 61A. March 23, 2017

Backtracking and Induction in ACL2

Bit-Blasting ACL2 Theorems

CS 173 [A]: Discrete Structures, Fall 2012 Homework 8 Solutions

Chapter 1. Fundamentals of Higher Order Programming

HECTOR: Formal System-Level to RTL Equivalence Checking

Deductive Methods, Bounded Model Checking

Propositional Calculus. Math Foundations of Computer Science

1. Suppose you are given a magic black box that somehow answers the following decision problem in polynomial time:

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

NP-Completeness. Algorithms

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

Functions, Conditionals & Predicates

Predicate Refinement Heuristics in Program Verification with CEGAR

Using Hashtables to Find the Generation Point of a Problematic Cons

Summer 2017 Discussion 10: July 25, Introduction. 2 Primitives and Define

Debugging in LISP. trace causes a trace to be printed for a function when it is called

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

SAT Solver. CS 680 Formal Methods Jeremy Johnson

SCHEME The Scheme Interpreter. 2 Primitives COMPUTER SCIENCE 61A. October 29th, 2012

Fall 2018 Discussion 8: October 24, 2018 Solutions. 1 Introduction. 2 Primitives

An introduction to Scheme

An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

Refinement and Theorem Proving

CS 151 Complexity Theory Spring Final Solutions. L i NL i NC 2i P.

Homework 1. Notes. What To Turn In. Unix Accounts. Reading. Handout 3 CSCI 334: Spring, 2017

4 Generating functions in two variables

Notes on Higher Order Programming in Scheme. by Alexander Stepanov

Modeling Algorithms in SystemC and ACL2. John O Leary, David Russinoff Intel Corporation

Fall 2017 Discussion 7: October 25, 2017 Solutions. 1 Introduction. 2 Primitives

Compositional Cutpoint Verification

A Machine-Checked Safety Proof for a CISC-Compatible SFI Technique

Modeling Asynchronous Circuits in ACL2 Using the Link-Joint Interface

Recursion and Induction

Best known solution time is Ω(V!) Check every permutation of vertices to see if there is a graph edge between adjacent vertices

SAT Solvers. Ranjit Jhala, UC San Diego. April 9, 2013

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

ACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Formal Verification of Stack Manipulation in the SCIP Processor. J. Aaron Pendergrass

Spring 2018 Discussion 7: March 21, Introduction. 2 Primitives

Recursion and Induction

Symbolic Programming. Dr. Zoran Duric () Symbolic Programming 1/ 89 August 28, / 89

Copyright 2000, Kevin Wayne 1

OpenSMT2. A Parallel, Interpolating SMT Solver. Antti Hyvärinen, Matteo Marescotti, Leonardo Alt, Sepideh Asadi, and Natasha Sharygina

Specification, Verification, and Interactive Proof

Reasoning About LLVM Code Using Codewalker

Documentation for LISP in BASIC

The Prototype Verification System PVS

Complexity. Congestion Games. Algorithmic Game Theory. Alexander Skopalik Algorithmic Game Theory 2013 Congestion Games

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Exercises Computational Complexity

(a) (4 pts) Prove that if a and b are rational, then ab is rational. Since a and b are rational they can be written as the ratio of integers a 1

QuteSat. A Robust Circuit-Based SAT Solver for Complex Circuit Structure. Chung-Yang (Ric) Huang National Taiwan University

Contents. Chapter 1 SPECIFYING SYNTAX 1

We ve studied the main models and concepts of the theory of computation:

Integration of SMT Solvers with ITPs There and Back Again

6.001 Notes: Section 4.1

PCP and Hardness of Approximation

Integrated Math I. IM1.1.3 Understand and use the distributive, associative, and commutative properties.

Milawa an extensible proof checker

Notes for Recitation 9

Exact Algorithms Lecture 7: FPT Hardness and the ETH

CS521 \ Notes for the Final Exam

18733: Applied Cryptography S17. Mini Project. due April 19, 2017, 11:59pm EST. φ(x) := (x > 5) (x < 10)

DPLL(Γ+T): a new style of reasoning for program checking

NP and computational intractability. Kleinberg and Tardos, chapter 8

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Section 17.2

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

CSE505, Fall 2012, Midterm Examination October 30, 2012

Hardness of Approximation for the TSP. Michael Lampis LAMSADE Université Paris Dauphine

FINAL EXAM SOLUTIONS

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Abstract Interpretation

Transcription:

Extending ACL2 with SMT solvers Yan Peng & Mark Greenstreet University of British Columbia October 2nd, 2015 Smtlink handles tedious details of proofs so you can focus on the interesting parts. 1 / 24

Contents 1 Motivation AMS verification Examples Motivation 2 Architecture Interesting issues Soundness 3 Customization interface Our digital PLL proof example 4 2 / 24

AMS verification Examples Motivation The digital Phase-Locked Loop example[cna10] ( ) Coarse Center Frequency code Control 0:23 15:23 Σ DAC 0:14 F ref discarded Bang Bang Frequency Control Linear Phase Control Φ ref Φ DCO/N PFD + up dn BBPFD Σ F ref N 0:7 c v φ DCO Φ DCO A PLL is a feedback control system that, given an input reference clock f ref, it outputs a clock at a frequency f DCO that s N times of the input clock frequency and aligned with the reference in phase. Analog/Mixed-Signal design are composed of both analog and digital circuits. 3 / 24

AMS verification Examples Motivation Modelling the digital PLL The digital PLL is naturally modelled using non-linear recurrences that update the state variables on each rising edge of φ ref. c(i + 1) = next c (c(i), v(i), φ(i)) v(i + 1) = next v (c(i), v(i), φ(i)) φ(i + 1) = next φ (c(i), v(i), φ(i)) 1 1 Three state variables: capacitance setting c (digital), supply voltage v (linear), phase correction φ (time-difference of digital transitions). 4 / 24

AMS verification Examples Motivation Modelling the digital PLL In more details, c(i + 1) = saturate(c(i) + g c sgn(φ(i)), c min, c max ) v(i + 1) = saturate(v(i) + g v (c center c(i)), v min, v max ) φ(i + 1) = wrap(φ(i) + (f dco (c(i), v(i)) f ref ) g φ φ(i)) f dco (c, v) = 1+αv 1+βc f 0 saturate(x, lo, hi) = min(max(x, lo), hi) wrap(φ) = wrap(φ + 1), if φ 1 = φ, if 1 < φ < 1 = wrap(φ 1), if 1 φ Turns out to be a relatively large system of non-linear arithmetic formulas. 4 / 24

AMS verification Examples Motivation Convergence (continuous) 0.01 0.005 0 0.005 0.01 0.015 c 1 c 2 (2n 1) 5 0 5 10 c (quantized) Requires reasoning about sequences of states. We want to show that each crossing of φ = 0 is closer to the origin than the previous one. 5 / 24

y Motivation AMS verification Examples Motivation Example: polynomial inequalities Do you sometimes find it frustrating to prove a theorem like this? 3 2 1 0-1 -2-3 -3-2 -1 0 1 2 3 X y 0.5 0.4 0.3 0.2 0.1 0-0.1 1 1.05 1.1 1.15 X 1 (defthm poly-ineq-example-a 2 (implies (and (rationalp x) (rationalp y) 3 (<= (+ (* 4/5 x x) (* y y)) 1) 4 (<= (- (* x x) (* y y)) 1)) 5 (<= y (- (* 3 (- x 17/8) (- x 17/8)) 3)))) 6 / 24

y y Motivation AMS verification Examples Motivation Example: higher order polynomial inequalities Maybe this? With a higher order term? 3 2 1 0-1 -2-3 -3-2 -1 0 1 2 3 X 0.5 0.4 0.3 0.2 0.1 0-0.1 1 1.05 1.1 1.15 1.2 1.25 X 1 (defthm poly-ineq-example-b 2 (implies (and (rationalp x) (rationalp y) 3 (<= (+ (* 2/3 x x) (* y y)) 1) 4 (<= (- (* x x) (* y y)) 1)) 5 (<= y (+ 2 (- (* 4/9 x)) (- (* x x x x)) (* 1/4 x x x x x x)) ))) 7 / 24

Motivation AMS verification Examples Motivation Example: exponential functions Or even this one with exponential functions? #10-5 z=0.5,n=3,m=2 0.5 6 5 0.2 4 function function 0.3 0.1 0 3 2-0.1 1-0.2-0.3-1 0 0 y 1 2 3 4 5 6 7 z=0.5,n=20,m=15 7 0.4 1-1 0 x 1-1 -1 y 0 11 0.5 0-0.5 x -1 (defun x^2+y^2 ^2 (x y) (+ (* x x) (* y y))) (defthm poly-of-expt-example (implies (and (rationalp x) (rationalp y) (rationalp z) (integerp m) (integerp n) (< 0 z) (< z 1) (< 0 m) (< m n)) (<= (* 2 (expt z n) x y) (* (expt z m) ( x^2+y^2 ^2 x y) )))) 8 / 24

AMS verification Examples Motivation Motivation 1 Motivation: provide better proof capabilities for AMS and other physical systems. 2 ACL2 provides extensive support for induction proofs and for structuring large, complicated proofs. 3 Z3 has automatic procedures for solving arithmetic formulas. No direct support for induction. Need to avoid too much information important to give Z3 the relevant facts to keep the problems tractable. 9 / 24

Architecture Interesting issues Soundness Starting with a clause processor Original Clause G Clause Processor ^ ^ ^ C 1 C 2 C n SMT solver Clause returned by clause processor C 1 ^ C 2 ^... ^ C n ) G Verified clause processor & trusted clause processor. We use a trusted clause processor for the integration. We utilize clauses C 1, C 2... C n to get ACL2 to check many of the steps of our translation. 10 / 24

Architecture Interesting issues Soundness Two-step translation architecture original clause ACL2 (lisp) return G original translation step 1 expand & simplify (implies expanded original) G, A 1, A 2,..., A m expanded clause ACL2 (lisp) expanded A 1 A 2... A m (G G) generate return clause lisp (ACL2) translation step 2 translate to smt py (proven) yes generate false return unsat? clause no python (z3) G SMT SMT clause (python) acl2smt G SMT Not(clause) satisfiable? sat, unsat, or unknown Z3 First translation step: clause transformation Second translation step: transliteration 11 / 24

Architecture Interesting issues Soundness Extract type predicates Original Clause G G Clause Processor G T T C 1 Extract type predicates SMT solver C 1 =(T _ G) ^ ((T ) G T ) ) G) ACL2 is not typed while Z3 is typed. It is common for the users to include type-recognizers in the hypotheses. We are currently translating rationalp in ACL2 into reals in Z3. 12 / 24

Architecture Interesting issues Soundness Extract type predicates Original Clause G G Clause Processor G T T C 1 Extract type predicates SMT solver C 1 =(T _ G) ^ ((T ) G T ) ) G) G T G T (implies (and (rationalp x) (rationalp y) (rationalp z) (integerp m) (integerp n) (< 0 z) (< z 1) (< 0 m) (< m n)) (<= (* 2 (expt z n) x y) (* (expt z m) ( x^2+y^2 ^2 x y) ))) (and (rationalp x) (rationalp y) (rationalp z) (integerp m) (integerp n)) (implies (and (< 0 z) (< z 1) (< 0 m) (< m n)) (<= (* 2 (expt z n) x y) (* (expt z m) ( x^2+y^2 ^2 x y) ))) 12 / 24

Architecture Interesting issues Soundness Expand functions Original Clause G G Clause Processor G F Extract type predicates ^ C 1 C 2 Expand functions SMT solver C 2 =(T func _ G) ^ (G F ) G) Functions are expanded into primitive functions. Recursive functions are expanded to a user specified level then replaced with a variable of appropriate type. Uninterpreted functions stay the same. 13 / 24

Architecture Interesting issues Soundness Expand functions Original Clause G G Clause Processor G F Extract type predicates ^ C 1 C 2 Expand functions SMT solver C 2 =(T func _ G) ^ (G F ) G) (rationalp ( x^2+y^2 ^2 x y)) T func ( x^2+y^2 ^2 x y) function type clause function expansion ((lambda (VAR1 VAR2) (+ (* VAR1 VAR1) (* VAR2 VAR2))) x y) 13 / 24

Architecture Interesting issues Soundness Revisit the expt proof Let s take a look at the expt theorem again: 1 (defun x^2+y^2 ^2 (x y) (+ (* x x) (* y y))) 2 (defthm poly-of-expt-example 3 (implies (and (rationalp x) (rationalp y) (rationalp z) 4 (integerp m) (integerp n) 5 (< 0 z) (< z 1) (< 0 m) (< m n)) 6 (<= (* 2 (expt z n) x y) 7 (* (expt z m) ( x^2+y^2 ^2 x y) )))) The reason that this is a theorem is because: 0 < z < 1 and 0 < m < n 0 < z n < z m 2xy x 2 + y 2 14 / 24

Architecture Interesting issues Soundness Substitute subexpressions Original Clause G G Clause Processor G S ^ Expand functions ^ C 1 C 2 C 3 SMT solver Extract type predicates C 3 =(T subs _ G) ^ (G S ) G) Substitute subexpressions The user can substitute subexpressions with variables. 15 / 24

Architecture Interesting issues Soundness Substitute subexpressions Original Clause G G Clause Processor G S ^ Expand functions ^ C 1 C 2 C 3 SMT solver Extract type predicates C 3 =(T subs _ G) ^ (G S ) G) Substitute subexpressions (and (rationalp (expt z m)) (rationalp (expt z n))) (expt z n) (expt z m) T subs subexpression types subexpression substitution expt_z_m expt_z_n 15 / 24

Architecture Interesting issues Soundness User given hypotheses Original Clause G G H Clause Processor SMT solver Extract type predicates G H ^ C 1 ^ C 3 C 2 Expand functions Substitute subexpressions C 4 =(H _ G) ^ (G H ) G) ^ C 4 User given hypothesis The user can provide hypotheses about this theorem. The hypothesis feature conveys facts from the ACL2 world about these variables to the SMT solver. 16 / 24

Architecture Interesting issues Soundness User given hypotheses Original Clause G G H Clause Processor SMT solver Extract type predicates G H ^ C 1 ^ C 3 C 2 Expand functions Substitute subexpressions C 4 =(H _ G) ^ (G H ) G) ^ C 4 User given hypothesis ;; given hypotheses in the theorem ((lambda (expt_z_n expt_z_m) (and (< expt_z_n expt_z_m) (< 0 expt_z_m) (< 0 expt_z_n))) (expt z n) (expt z m)) expt_z_m expt_z_n hypothesis clause added hypotheses H (and (< expt_z_n expt_z_m) (< 0 expt_z_m) (< 0 expt_z_n)) 16 / 24

Architecture Interesting issues Soundness The expt proof The transformed result clause G becomes: (lambda (expt_z_m expt_z_n) ;; bind substitution variables to their original expressions (implies (and (and (< 0 z) (< z 1) (< 0 m) (< m n)) (and (< expt_z_n expt_z_m) (< 0 expt_z_m) (< 0 expt_z_n))) (<= (* 2 expt_z_m x y) (* expt_z_n ((lambda (VAR1 VAR2) (+ (* VAR1 VAR1) (* VAR2 VAR2))) x y) ))) (expt z m) (expt z n))) The returned clauses are respectively: T G, T func G, T subs G and H G. 17 / 24

Architecture Interesting issues Soundness The expt proof The clause processor hint: 1 :hints (("Goal" :clause-processor 2 (Smtlink clause 3 ((:expand ((:functions (( x^2+y^2 ^2 rationalp))) 4 (:expansion-levels 1))) 5 (:let ((expt_z_m (expt z m) rationalp) 6 (expt_z_n (expt z n) rationalp))) 7 (:hypothesize ((< expt_z_n expt_z_m) 8 (< 0 expt_z_m) 9 (< 0 expt_z_n))))))) 17 / 24

Architecture Interesting issues Soundness Trust a little, but not too much Let G be the original clause, A be all auxiliary clauses generated during the first translation step and G be the main clause after this step. Let G SMT be the transliteration result after the second translation step. Q 1 and Q 2 are the two sets of clauses returned to ACL2. Q 1 = (G A) G (1) Q 2 = A G Since we assume that the second translation step is sound, meaning G SMT G, and the SMT solver proves G SMT, We conclude that G is a theorem. 18 / 24

Customization interface Our digital PLL proof example Customization interface 1 (local 2 (progn 3 (defun my-smtlink-expt-config () 4 (declare (xargs :guard t)) 5 (change-smtlink-config *default-smtlink-config* 6 :dir-interface ;; SMT file directory 7 "../z3_interface" 8 :SMT-module ;; SMT module name 9 "RewriteExpt" 10 :SMT-class ;; SMT class name 11 "to_smt_w_expt" 12 )) 13 (defattach smt-cnf my-smtlink-expt-config))) The default Smtlink and the customizable Smtlink uses different trust tags. 19 / 24

Customization interface Our digital PLL proof example As an example, we created a customized Smtlink that adds a partial theory of expt to Z3. (expt x 0) 1 (expt 0 n) 0, if n > 0 (expt x (+ n1 n2)) (* (expt x n1) (expt x n2)) (expt x (* c n)) (* (expt x n) (expt x n)... ) (< (expt x m) (expt x n)), if 1 < x and m < n... This simplified the use of Smtlink to produce a simpler proof. The new proof is about half the length of the original. 20 / 24

Customization interface Our digital PLL proof example An example from the digital Phase-Locked Loop proof Definitions: B-term(h) =(1 K t ) h 1 + α(d 0 + d v ) (µ 1 + β(g 1 h + (equ c v 0 )) 1) n B-sum(n) = (B-term(h) + B-term( h)) h=1 21 / 24

Customization interface Our digital PLL proof example An example from the digital Phase-Locked Loop proof Proof of B-term-neg and B-sum-neg using Smtlink: 1 (defthm B-term-neg 2 (implies (a-bunch-of-hypothesis) 3 (< (+ (B-term h v0 dv g1 Kt) 4 (B-term (- h) v0 dv g1 Kt)) 0)) 5 :hints (("Goal" 6 :clause-processor 7 (smtlink-custom-config clause 8 (smt-std-hint "B-term-neg") ))) 9 :rule-classes :linear) 10 11 (defthm B-sum-neg 12 (implies (a-bunch-of-hypothesis) 13 (< (B-sum 1 n-minus-2 v0 dv g1 Kt) 0)) 14 :hints (("Goal" :in-theory (e/d (B-sum) (B-term))))) 21 / 24

Future work Support better counter-example report Fetch counter-example result from the SMT solver and interpret it into ACL2 constants. The clause processor can execute the counter-example to make sure they are indeed counter-examples. Add bounded model checking ability We can use the SMT solver to build a bounded model checker that can be called through the customizable Smtlink interface. Typing with less typing Type information can be extracted from define. type-alist may contain lemmas/facts that Smtlink can send to the SMT solver to help with proofs. Explore other interesting applications 22 / 24

Summary Smtlink handles tedious details of proofs so you can focus on the interesting parts. We have demonstrated Smtlink for AMS design verification. Other cyberphysical problems should benefit as well. Smtlink is designed to be extensible to support, for example: other domains, and using more of the SMT solver s capabilities. 23 / 24

Summary Smtlink handles tedious details of proofs so you can focus on the interesting parts. It provides an architecture and examples for further research on combining the complementary strengths of ACL2 and SMT solvers. Thank you! Questions or thoughts? 23 / 24

Bibliography J. Crossley, E. Naviasky, and E. Alon, An energy-efficient ring-oscillator digital pll, Custom Integrated Circuits Conference (CICC), 2010 IEEE, Sept 2010, pp. 1 4. 24 / 24

Additional material Primitive functions Our digital PLL proof example - code Primitive functions are: binary-+, unary--, binary-*, unary-/, equal, <, if, not, and lambda along with the constants t, nil, and arbitrary integer constants. 25 / 24

Additional material Primitive functions Our digital PLL proof example - code An example from the digital Phase-Locked Loop proof Definition of B-term (I ve removed guards and returns to save space): 1 (define B-term-expt (Kt nco) 2 (expt (gamma Kt) (- nco))) 3 4 (define B-term-rest (nco v0 dv g1) 5 (1- (* (mu) (/ (1+ (* *alpha* (+ v0 dv))) 6 (1+ (* *beta* (+ (* g1 nco) (equ-c v0)))))))) 7 8 (define B-term (nco v0 dv g1 Kt) 9 (* (B-term-expt Kt nco) (B-term-rest nco v0 dv g1))) 26 / 24

Additional material Primitive functions Our digital PLL proof example - code An example from the digital Phase-Locked Loop proof Definition of B-sum (I ve removed guards and returns to save space): 1 (define B-sum (nco_lo nco_hi v0 dv g1 Kt) 2 :measure (if (and (integerp nco_hi) (integerp nco_lo) 3 (>= nco_hi nco_lo)) 4 (1+ (- nco_hi nco_lo)) 0) 5 (if (and (integerp nco_hi) (integerp nco_lo) (>= nco_hi nco_lo)) 6 (+ (B-term nco_hi v0 dv g1 Kt ) 7 (B-term (- nco_hi) v0 dv g1 Kt) 8 (B-sum nco_lo (- nco_hi 1) v0 dv g1 Kt)) 9 0)) 26 / 24

Additional material Primitive functions Our digital PLL proof example - code An example from the digital Phase-Locked Loop proof std-smt-hint: 1 (define smt-std-hint (clause-name) 2 :guard (stringp clause-name) 3 ( (:expand ((:functions ( (B-term rationalp) 4 (B-term-expt rationalp) 5 (B-term-rest rationalp) 6 (dv0 rationalp) 7... 8 (fdco rationalp) 9 (gamma rationalp) 10 (m rationalp) 11 (mu rationalp))) 12 (:expansion-level 1))) 13 (:uninterpreted-functions ((expt rationalp rationalp rationalp))) 14 (:python-file,clause-name))) 26 / 24

Additional material Primitive functions Our digital PLL proof example - code An example from the digital Phase-Locked Loop proof Proof of B-term-neg using Smtlink: 1 (defthm B-term-neg 2 (implies (and (integerp h) (<= 1 h) (< h (/ (* 2 g1))) 3 (hyp-macro g1 Kt v0 dv)) 4 (< (+ (B-term h v0 dv g1 Kt) (B-term (- h) v0 dv g1 Kt)) 0)) 5 :hints ( 6 ("Goal" 7 :in-theory (enable B-term B-term-expt B-term-rest mu equ-c gamma dv0) 8 :clause-processor 9 (smtlink-custom-config clause (smt-std-hint "B-term-neg") ))) 10 :rule-classes :linear) 26 / 24

Additional material Primitive functions Our digital PLL proof example - code An example from the digital Phase-Locked Loop proof Proof of B-sum-neg: 1 (defthm B-sum-neg 2 (implies (and (integerp n-minus-2) 3 (<= 1 n-minus-2) 4 (< n-minus-2 (/ (* 2 g1))) 5 (hyp-fn (list :v0 v0 :dv dv :g1 g1 :Kt Kt))) 6 (< (B-sum 1 n-minus-2 v0 dv g1 Kt) 0)) 7 :hints (("Goal" :in-theory (e/d (B-sum) (B-term))))) 26 / 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback