Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Similar documents
The Prototype Verification System PVS

Lee Pike. June 3, 2005

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

Recursion and Induction

Introduction to dependent types in Coq

Random Testing in PVS

PVS System Guide Version 2.4 December 2001

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

The initial development of PVS was funded by SRI International. Subsequent enhancements were partially funded by SRI and by NASA Contracts NAS

type classes & locales

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

LOGIC AND DISCRETE MATHEMATICS

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Section 17.2

has developed a specication of portions of the IEEE 854 oating-point standard in PVS [7]. In PVS, the injective function space injection can be dened

Chapter 3 (part 3) Describing Syntax and Semantics

Logic and its Applications

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

The design of a programming language for provably correct programs: success and failure

An Annotated Language

Verification Condition Generation via Theorem Proving

Lecture 5 - Axiomatic semantics

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Runtime Checking for Program Verification Systems

CS2104 Prog. Lang. Concepts

An Evolution of Mathematical Tools

Constructive Coherent Translation of Propositional Logic

Programming Languages Third Edition

Integration of SMT Solvers with ITPs There and Back Again

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have

VS 3 : SMT Solvers for Program Verification

λ calculus is inconsistent

Hoare Logic and Model Checking

Distributed Systems Programming (F21DS1) Formal Verification

STRUCTURES AND STRATEGIES FOR STATE SPACE SEARCH

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Encryption as an Abstract Datatype:

Contents. Chapter 1 SPECIFYING SYNTAX 1

Formally Certified Satisfiability Solving

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Computer-Aided Program Design

Lexical and Syntax Analysis

Propositional Calculus: Boolean Functions and Expressions. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of.

5 Exercise Formal Specification winter term 2010/11

Z Notation. June 21, 2018

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

Chapter 16. Logic Programming Languages

for his support. Development of PVS was funded entirely by SRI International.

ALGOL 48 AND ALGOL 50 ALGOLIC LANGUAGES IN MATHE- MATICS

Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems

A Verifying Core for a Cryptographic Language Compiler

Formal Verification. Lecture 10

Interactive Theorem Proving (ITP) Course Parts VII, VIII

Coq projects for type theory 2018

Embedding logics in Dedukti

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

Chapter 1. Introduction

Logic Programming Languages

Propositional Calculus. Math Foundations of Computer Science

Cover Page. The handle holds various files of this Leiden University dissertation

Propositional Calculus. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Dipartimento di Elettronica Informazione e Bioingegneria. Cognitive Robotics. SATplan. Act1. Pre1. Fact. G. Gini Act2

Prototyping a Formal Verification Platform for SoCs

Lectures 20, 21: Axiomatic Semantics

Lecture 11 Lecture 11 Nov 5, 2014

Citation for published version (APA): Gao, H. (2005). Design and verification of lock-free parallel algorithms. s.n.

Proof Pearl: The Termination Analysis of Terminator

Packaging Theories of Higher Order Logic

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Proofs and Proof Certification in the TLA + Proof System

A CRASH COURSE IN SEMANTICS

SAT Solver. CS 680 Formal Methods Jeremy Johnson

Induction Schemes. Math Foundations of Computer Science

Chapter 3. Describing Syntax and Semantics ISBN

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

COMP 4161 NICTA Advanced Course. Advanced Topics in Software Verification. Toby Murray, June Andronick, Gerwin Klein

Software Engineering Lecture Notes

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Logic (or Declarative) Programming Foundations: Prolog. Overview [1]

6. Hoare Logic and Weakest Preconditions

Automated Reasoning. Natural Deduction in First-Order Logic

Lexical and Syntax Analysis. Top-Down Parsing

S. Owre, J. M. Rushby, N. Shankar and M. K. Srivas. fowre, rushby, shankar,

Theorem Proving Principles, Techniques, Applications Recursion

On Agda JAIST/AIST WS CVS/AIST Yoshiki Kinoshita, Yoriyuki Yamagata. Agenda

Formal Systems II: Applications

CSL105: Discrete Mathematical Structures. Ragesh Jaiswal, CSE, IIT Delhi

Finite Model Generation for Isabelle/HOL Using a SAT Solver

Simplification. Chapter General Comments. 5.2 Typical simplification steps

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

1.3. Conditional expressions To express case distinctions like

Linear Clause Generation by Tableaux and DAGs

CAV Verification Mentoring Workshop 2017 SMT Solving

Transcription:

Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in the logic as theorems. Application of proof rules user-guided. Allows us to even verify designs which are underspecified & not executable. Very different from model checking. We will study the PVS theorem prover. Hoare style verification We had fixed the programming language for describing the implementation. Semantics of the programming language can be mathematically formalized. Proof rules for reasoning about individual language constructs. Proof construction again user-guided. Theorem provers can support this style of deduction. But TP is a generic deduction tool for logical reasoning --- not restricted to software verification. PVS Prototype Verification System Language for specification Parser Powerful type-checker Reasons about termination also Decision procedures Including a symbolic model checker Proof Checker / Prover We will primarily look at this one What if my program is written in a diff. lang. from PVS spec. language? Embedding languages into theorem provers A rich topic of study even to this date Deep and shallow embedding Formalize only semantics of the lang. (shallow) Formalize both syntax and semantics of the specification/ programming lang. (deep) To concentrate on proof rules & strategies, we will consider the default specification language of PVS. More on embeddings Shallow embedding Commands interpreted in the theorem prover s logic A command is a function state state Deep embedding Need to also formalize syntax (abstract syntax trees could be formalized) Map abstract syntax trees to commands which effect state changes Syntree ( state state) 1

Using PVS Provides expressive language based on higher-order logic. A design to be verified is described by means of theories. Parameterized theories are possible, allowing modularity and re-use. Given a user-provided theory, PVS will Parse Type-check Prove the theorems in the theory An example theory sum: THEORY BEGIN n: VAR nat sum(n): RECURSIVE nat = ( IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE id closed_form: THEOREM sum(n) = (n*(n+1))/2 END SUM Declarations Our example theory has three declarations A declaration for variable n A declaration for the function sum A declaration for the theorem closed_form This defines a closed form representation for the output of the function sum. The theory has no parameters. The function sum is associated with a MEASURE function Our tasks Parse the theory declarations. Type-check This will try to prove termination of sum as well (MEASURE function used here) Generate proof obligations which need to dispensed for type-checking PVS type-checking is undecidable. Prove theorem closed_form by inducting on n We need to input proof rules for guiding the proof. Interactive session At this stage in the lecture: Launch PVS and load the sum THEORY Show the proof obligations for Typechecking Prove the theorem closed_form ( Explain the purpose of each proof rule as and when it is employed in the proof ). Lessons learnt from proof PVS type-checking Proves type consistency and termination of functions by showing reduction in user-provided measure function for recursive function calls PVS Prover Proves sequents of the form {-1}. Antecedents ------------------------------- {1}. Consequents 2

Lessons Learnt PVS Prover constructs a proof tree of closed_form Nodes of the proof tree are sequents Leaves are trivially true. Parent Child node by applying a proof rule An application of a proof rule can create several children (of course!) Mistakes made during proof (in choice of rules) can be undone (extremely useful!!) Other control commands to help navigate the proof tree while constructing it. Sequent Each node of the PVS proof tree is a goal {-1} A1 [-2] A2 --------------- [1] B1 {2} B2 Stands for the proof obligation A1 A2 B1 B2 Sequent Of the form ( A1 An) (B1 Bm ) (A1 An) (B1 Bm) ( A1 An) ( B1 Bm ) The clausal form for a sequent. Antecedents are negated (negative literals) So, many proof rules manipulate antecedents and consequents in a dual fashion skolem, instantiate Sequent ( A 1 A n ) ( B 1 B m ) A 1,, A n are negatively numbered B 1,, B m are positively numbered If A i is marked {-i} or B i is marked { i } A i, B i are unchanged from parent sequent in the proof. If A i is marked [-i] or B i is marked [ i ] A i, B i are changed from parent sequent in the proof. Proof rules Proof tree construction PVS uses a sequent calculus. Proof rules are of the form Γ1-1,, Γk - k ---------------------------------- Γ - Initial sequent is - A No antecedent, consequent is A (the theorem to be proved) Γ1-1 Γ1-1,, Γk - k ---------------------------------- Γ - Γ - Γk - k Proof rule An application of the proof rule 3

Top-down and bottom-up Top-down proof construction (described here) Start with theorem to be proved Simplify it using proof rules of the prover Iterate until all introduced obligations have been proved. Bottom-up proof construction (Inefficient!) Deduce all that you can starting from facts (axioms) and applying proof rules repeatedly Check whether desired theorem proved Our experience so far What are the rules we saw in the proof of closed_form in Sum theory? induct (Automatically employ ind. Scheme) expand ( inlining function definition) skolem (Removing Universal Quantification) flatten (Disjunctive simplication) Other simple rewrites and decision procedures (captured by the grind command) Some Proof rules in PVS Structural Rules Re-arrange formulae in a sequent Propositional rules Simplification in propositional logic Removing disjunctions and conjunctions by creating new sequents in the children node of the proof tree Typical rules: flatten, split, prop Some Proof Rules in PVS Quantifier rules Introduction and elimination of universal / existential quantification. Follow from deduction rules of predicate logic. Widely used rules generalize (introduces universal quantification). skolem (removes universal quantification). instantiate (removes existential quantification). Some Proof Rules in PVS Using Definitions etc. expand (use defs) Use, rewrite (invoke lemmas in a proof) Decision Procedures assert, grind: Employ as much as possible model-check: CTL model checking!! Induction induct: automatically find ind. Schema rule-induct : induction schema user provided In addition The control rules are useful for the user to control proof tree construction fail : propagate failure to parent (failed proof path, will trigger new proof attempts) quit, trace: obvious!! undo : Correct past mistakes in choosing proof rules! Postpone : Useful for managing branches in a proof step. 4

Postpone Some useful information Γ - Γ1-1 Postpone this proof Γ2-2 Editor now displays this sequent Your theory files can import other theories (e.g. certain mathematical functions etc.) Do not need specify everything from scratch. Proof strategies Users can write scripts to instruct the prover to apply its rules in a certain order. Strategies may not be just sequence of rules backtracking is allowed since it is difficult to predict a good strategy for a given obligation Proof strategies (try step1 step2 step3) Apply step1 If step1 fails then apply step2 If step2 also fails, then apply step3 (if condition step1 step2) Conditonal selection Many other variations can be programmed then (sequencing), repeat (iteration) Much of these not needed for simple low-level proofs A final example stacks [t : TYPE] : THEORY BEGIN stack : TYPE push : [t, stack -> stack] pop : [stack -> stack] x, y : VAR t s : VAR stack pop_push : AXIOM pop(push(x, s)) = s thm: THEOREM pop(pop(push(x, push(y, s)))) = s END stacks Not definitional Note that the stack operations have not been defined at all. The stack theory is also parameterized. Instead certain properties of the operations are defined These properties are enough to prove thm No executable model of stacks was needed (as in model checking) Of course theorem provers can work if the exec. description of stacks is provided as well. Wrapping up Reading: http://pvs.csl.sri.com/documentation.shtml The Manuals have lot of info., check System Guide Prover Guide Language Reference In the above order of preference. The Language reference is not so important, one can learn as you work along. 5

Additional (Optional) Reading PVS is only one prover Several others HOL, Isabelle Higher order Logic Nqthm, ACL2 First order logic Comparison of HOL/PVS -- Mike Gordon http://www.cl.cam.ac.uk/users/mjcg/pvs.html 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback