Lee Pike. June 3, 2005

Similar documents
Recursion and Induction

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

The initial development of PVS was funded by SRI International. Subsequent enhancements were partially funded by SRI and by NASA Contracts NAS

The Prototype Verification System PVS

Random Testing in PVS

CSL105: Discrete Mathematical Structures. Ragesh Jaiswal, CSE, IIT Delhi

Automated Reasoning. Natural Deduction in First-Order Logic

AXIOMS FOR THE INTEGERS

The ight schedule database shall store the scheduling associated with all departing and arriving information In particular the database shall contain:

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

Introduction to dependent types in Coq

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

Computer-supported Modeling and Reasoning. First-Order Logic. 1 More on Isabelle. 1.1 Isabelle System Architecture

CPSC 121: Models of Computation. Module 6: Rewriting predicate logic statements

THE LOGIC OF QUANTIFIED STATEMENTS

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Developing User Strategies in PVS: A Tutorial

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Certified Programming with Dependent Types

S. Owre, J. M. Rushby, N. Shankar and M. K. Srivas. fowre, rushby, shankar,

From Types to Sets in Isabelle/HOL

Encryption as an Abstract Datatype:

Incremental Proof Development in Dafny

Part I Logic programming paradigm

Reasoning About Imperative Programs. COS 441 Slides 10

Runtime Checking for Program Verification Systems

15-819M: Data, Code, Decisions

Encoding functions in FOL. Where we re at. Ideally, would like an IF stmt. Another example. Solution 1: write your own IF. No built-in IF in Simplify

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

Induction and Semantics in Dafny

CS 456 (Fall 2018) Scribe Notes: 2

CSC 501 Semantics of Programming Languages

Section 2.4: Arguments with Quantified Statements

Abstract Interpretation

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

Logic and its Applications

VS 3 : SMT Solvers for Program Verification

Formal Systems II: Applications

On Agda JAIST/AIST WS CVS/AIST Yoshiki Kinoshita, Yoriyuki Yamagata. Agenda

CS103 Handout 29 Winter 2018 February 9, 2018 Inductive Proofwriting Checklist

Refinement Types as Proof Irrelevance. William Lovas with Frank Pfenning

Numerical Computations and Formal Methods

A Verification System for Timed Interval Calculus

Subtypes for Specications John Rushby Science Laboratory Computer International SRI Menlo Park, CA J. Rushby FSE97: Subtypes for Specications 1

An Evolution of Mathematical Tools

Propositional Logic. Part I

Proof Assistance for Real-Time Systems Using an Interactive Theorem Prover

Conjunctive queries. Many computational problems are much easier for conjunctive queries than for general first-order queries.

CS 161 Computer Security

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

Specification, Verification, and Interactive Proof

Warm-Up Problem. Let L be the language consisting of as constant symbols, as a function symbol and as a predicate symbol. Give an interpretation where

PVS System Guide Version 2.4 December 2001

Classical Planning Problems: Representation Languages

has developed a specication of portions of the IEEE 854 oating-point standard in PVS [7]. In PVS, the injective function space injection can be dened

Basic Foundations of Isabelle/HOL

Knowledge Representation. CS 486/686: Introduction to Artificial Intelligence

Automated Reasoning Systems

Reasoning About Programs Panagiotis Manolios

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Typed First-order Logic

First Order Predicate Logic CIS 32

The STERNOL Specification Tool (SST)

Integration of SMT Solvers with ITPs There and Back Again

Writing PVS Proof Strategies

Why. an intermediate language for deductive program verification

6.034 Notes: Section 10.1

Predicate Logic CHAPTER What This Chapter Is About

Linear Clause Generation by Tableaux and DAGs

logic with quantifiers (informally)

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

Batch Proving and Proof Scripting in PVS

Proving Theorems with Athena

A Short Introduction to First-Order Theorem Proving with KeY

4 Programming with Types

Generating Small Countermodels. Andrew Reynolds Intel August 30, 2012

Introductory logic and sets for Computer scientists

Cover Page. The handle holds various files of this Leiden University dissertation

CSE20: Discrete Mathematics

Strategy-Enhanced Interactive Proving and Arithmetic Simplification for PVS

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Section 2.2: Introduction to the Logic of Quantified Statements

Lecture 1: Conjunctive Queries

Unification in Maude. Steven Eker

Data types for mcrl2

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 12

Lecture Notes on Real-world SMT

Myla Archer and Constance Heitmeyer. farcher, April 30, Abstract

An Annotated Language

1.3. Conditional expressions To express case distinctions like

Specification and Proof with PVS

CSE Discrete Structures

The Resolution Principle

Module 8: Local and functional abstraction

User s Guide for BDDs in Jython

Solutions to In-Class Problems Week 1, Fri

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Inductive Definitions, continued

Transcription:

Proof NASA Langley Formal Methods Group lee.s.pike@nasa.gov June 3, 2005

Proof Proof

Quantification Quantified formulas are declared by quantifying free variables in the formula. For example, lem1: LEMMA FORALL (x: int, y: int): x * y = y * x z: VAR int lem2: LEMMA FORALL (x: int): EXISTS z: x + z = 0 Free variables in formulas are implicitly assumed to be universally quantified. Example: the formula x + y = y + x is treated by the prover as FORALL (x: int, y: int): x + y = y + x and are used to eliminate quantifiers. Proof

is the process of introducing a fresh (i.e., unused in the sequent) constant (a skolem constant) to represent an arbitrary value in the domain. Universal quantifiers in the consequent are skolemized. Existential quantifiers in the antecedent are skolemized. The intuition can be seen in how quantifiers are treated in informal proofs: Prove that for all natural numbers n, P(n) implies Q(n). Let a be an arbitrary natural number and show that P(a) implies Q(a)... Suppose there exists a natural number n such that P(n) holds; let a be an arbitrary natural number such that P(a)... Proof

is the process of replacing a quantified variable with a previously-declared constant. Universal quantifiers in the antecedent are instantiated. Existential quantifiers in the consequent are instantiated. : Suppose for all n, P(n) holds, and prove.... We know P(3).... Suppose Q(3). Prove there exists an n such that P(n). We will show that if Q(3), then P(5)... Proof

Universal vs. Existential Variables Top-level quantifier Location FORALL EXISTS Antecedent use (inst) use (skolem) Consequent use (skolem) use (inst) Proof Embedded quantifiers must be brought to the outermost level for quantifier rules to apply. There are several variants each for skolem and inst. skolem variants provide more automation than inst variants.

Skolem Constants Skolem constants are generated using explicit prover commands. There is a skolem command and several variants. Easiest to start with is the following: Syntax: (skolem! &optional (fnums *)...) Generates Skolem constants for formulas given in fnums Only top-level quantifiers may be skolemized. Command is usually invoked without arguments, causing it to apply to the whole sequent. The Emacs command M-x show-skolem-constants shows the currently active constants in a separate emacs buffer. Proof

More Rules Some commands are available that combine low-level operations to increase degree of automation. A common sequence is skolem! followed by flatten. The following command does them both: Syntax: (skosimp* &optional preds?) Repeatedly applies skolem! followed by flatten until no more simplification occurs Often used at the start of a proof to get to the point where you really want to start Proof

Instantiating Eliminating quantifiers by instantiation requires substituting suitable terms for them in the current sequent. Basic command for doing this: Syntax: (inst fnum &rest terms) This command offers a way to instantiate variables in a formula with terms of the right type. Typechecking is performed on the terms. As a result, additional proof goals may be generated to make sure the terms can be used in substitution. Example: Given that formula 3 is (EXISTS i: i > 1), instantiating with the substitution of 2 for i produces the formula 2 > 1. (inst 3 "2") Proof

Instantiate & Copy Syntax: (inst-cp fnum &rest terms) Works just like inst, but saves a copy of the formula in quantified form This is useful if you want to use a lemma twice. One instance may need one term for the instantiation of a variable, while another instance may need a different term, so...... inst-cp allows you to have it both ways. Proof

Find my Constant Syntax: (inst? &optional (fnums *)...) Similar to inst, but tries to automatically find the terms for substitution This is useful in most proof situations. There are usually expressions lying around in the sequent that are the terms you want to substitute. inst? is pretty good at finding them. The larger the sequent, however, the more candidate terms exist to choose from, causing the success rate to drop. Proof

PVS Theory for We will be using a simple PVS theory to illustrate basic prover commands: %%% and exercises for basic prover commands prover_basic: THEORY BEGIN arb: TYPE+ arb_pred: TYPE = [arb -> bool] % Arbitrary nonempty type % Predicate type for arb Proof a,b,c: arb x,y,z: VAR arb P,Q,R: arb_pred % Constants of type arb % Variables of type arb % Predicate names.

Sample Quantified Formulas. quant_0: LEMMA quant_1: LEMMA quant_2: LEMMA (FORALL x: P(x)) => P(a) (FORALL x: P(x)) => (EXISTS y: P(y)) (EXISTS x: P(x)) OR (EXISTS x: Q(x)) IFF (EXISTS x: P(x) OR Q(x)) Proof l,m,n: VAR int distrib: LEMMA l * (m + n) = (l * m) + (l * n) END prover_basic

Skolem Constants (Cont d) Starting proof of formula distrib from theory prover basic: distrib : ------- {1} FORALL (x: int, y: int, z: int): x * (y + z) = (x * y) + (x * z) Rule? (skolem!) Skolemizing, this simplifies to: distrib : Proof ------- {1} x!1 * (y!1 + z!1) = (x!1 * y!1) + (x!1 * z!1) The variables x, y, z have been replaced with the skolem constants x!1, y!1, z!1.

Example of quant_0 : ------- {1} (FORALL x: P(x)) => P(a) Rule? (flatten) Applying disjunctive simplification to flatten sequent, this simplifies to: quant_0 : Proof {-1} (FORALL x: P(x)) ------- {1} P(a) Rule? (inst -1 "a") Instantiating the top quantifier in -1 with the terms: a, Q.E.D.

Another Example of Try getting the prover to automatically find the instantiation. quant_1 : ------- {1} ((FORALL x: P(x) => Q(x)) AND P(a)) => Q(a) Rule? (flatten) Applying disjunctive simplification to flatten sequent, this simplifies to: quant_1 : Proof {-1} (FORALL x: P(x) => Q(x)) {-2} P(a) ------- {1} Q(a) Looks like the constant a is what we want.

Another Example (Cont d) Rule? (inst?) Found substitution: x gets a, Instantiating quantified variables, this simplifies to: quant_1 : {-1} P(a) => Q(a) [-2] P(a) ------- [1] Q(a) Proof Rule? (prop) Applying propositional simplification, Q.E.D. The prover made the right pick!

Can the Prover Always Find an? quant_2 : ------- {1} (FORALL x: P(x)) => (EXISTS y: P(y)) Rule? (skosimp*) Repeatedly Skolemizing and flattening, this simplifies to: quant_2 : Proof {-1} (FORALL x: P(x)) ------- {1} (EXISTS y: P(y)) What will INST? do here?

Find an? (Cont d) Rule? (inst?) Couldn t find a suitable instantiation for any quantified formula. Please provide partial instantiation. No change on: (INST?) quant_2 : {-1} (FORALL x: P(x)) ------- {1} (EXISTS y: P(y)) Proof The prover gives up it can t do the creative work of finding a viable term if it s not present in the sequent.

Find an? (Cont d) Rule? (inst + "a") Instantiating the top quantifier in + with the terms: a, this simplifies to: quant_2 : [-1] (FORALL x: P(x)) ------- {1} P(a) Proof Rule? (inst?) Found substitution: x gets a, Instantiating quantified variables, Q.E.D. Need to supply your own term in this case.

Hiding Formulas Two commands tell the prover to temporarily forget information and then recall it later. The first tells the prover which items to ignore Syntax: (hide &rest fnums). Causes the designated formulas to be hidden away. Those formulas will not be used in making deductions. This is useful if you have a complicated sequent and some of the formulas look irrelevant. Also useful if a formula has already served its purpose. Saves processing time during proof steps. Proof

Revealing Formulas The second command allows you to bring hidden formulas back Syntax: (reveal &rest fnums) Restores the designated formulas to the current sequent Makes the deletion of information through the hide command safe The Emacs command M-x show-hidden-formulas tells you what is hidden and what their current formula numbers are. Proof

PVS uses decision procedures to supplement logical reasoning. Terminating algorithms that can decide whether a logical formula is valid or invalid These constitute automated theorem-proving, so they usually provide no derivations. Example: a truth table for propositional logic PVS integrates a number of decision procedures including Theory of equality with uninterpreted functions Linear arithmetic over natural numbers and reals PVS-specific language features such as function overrides Various prover rules apply decision procedures in combination with other reasoning techniques. Important feature for achieving automation At the cost of visibility into intermediate steps Proof

Deductive Hammers: Small To Large The prover has a hierarchy of increasingly muscular simplification rules. PROP Repeated application of flatten and split BDDSIMP Propositional simplification using Binary Decision Diagrams (BDDs) ASSERT Applies type-appropriate decision procedures and auto-rewrites GROUND Propositional simplification plus decision procedures SMASH Repeatedly tries BDDSIMP, ASSERT, and LIFT-IF GRIND All of the above plus definition expansion and INST? Proof

Automated Deduction Tips Typically, these simplification rules are invoked without arguments. : (assert), (ground), (grind) Caution: GRIND is fairly aggressive Can take a while to complete Might leave you in a strange place when it s done Might need to be interrupted to abort runaway behavior Proof

Using Type Information The prover needs to be asked to reveal information about typed expressions A command for importing type predicate constraints: Syntax: (typepred &rest exprs) Causes type constraints for expressions to be added to sequent Subtype predicates are often recalled this way Proof

Type-Predicate Example bounded1 : ------- {1} FORALL (a: {x: real abs(x) < 1}): a * a < 1 Rule? (skosimp*) Repeatedly Skolemizing and flattening, this simplifies to: bounded1 : ------- {1} a!1 * a!1 < 1 Proof Rule? (typepred "a!1") Adding type constraints for this simplifies to: bounded1 : a!1, {-1} abs(a!1) < 1 ------- [1] a!1 * a!1 < 1

Summary A constant companion: skolem universals in the consequent & existentials in the antecedent. For one and all: inst universals in the antecedent & existentials in the consequent. Hide n Seek: hide & reveal Automatic for the provers: prop, assert, ground, grind. Hey formula, what s your type? typepred & typepred! Proof

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback