Cooperative Integration of an Interactive Proof Assistant and an Automated Prover Adam Chlipala and George C. Necula University of California, Berkeley.

Slides:



Advertisements
Similar presentations
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Advertisements

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Chapter Three: Closure Properties for Regular Languages
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Situation Calculus for Action Descriptions We talked about STRIPS representations for actions. Another common representation is called the Situation Calculus.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
What’s left in the course. The course in a nutshell Logics Techniques Applications.
Case Study: Using PVS to Analyze Security Protocols Kyle Taylor.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
` ² Q E D I Nelson-Oppen review
Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.
After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.
CS2420: Lecture 2 Vladimir Kulyukin Computer Science Department Utah State University.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
Course eval results More applications Last question –Luging: 0.5 –Curling: 1.5 –Figure skating: 2 –Ice fishing: 6.5 –Foosball: 0.5.
Going back to techniques Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain.
Ofer Strichman, Technion Deciding Combined Theories.
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
VeriML DARPA CRASH Project Progress Report Antonis Stampoulis October 5 th, 2012 A language-based, dependently-typed, user-extensible approach to proof.
Induction Schemes Math Foundations of Computer Science.
Section 3.1: Proof Strategy Now that we have a fair amount of experience with proofs, we will start to prove more difficult theorems. Our experience so.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
Refinements to techniques for verifying shape analysis invariants in Coq Kenneth Roe GBO Presentation 9/30/2013 The Johns Hopkins University.
CSE Winter 2008 Introduction to Program Verification January 31 proofs through simplification.
Coq and Nuprl Wojciech Moczydłowski History World, type system Inductive types in Coq Extraction in Coq Other features of Coq.
Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.
DPLL in Coq Zhuang Zhong Overview  Previous work  Stålmarck algorithm and Binary Decision Diagram  Produce traces of proof  Reconstruct.
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
1 Recursive algorithms Recursive solution: solve a smaller version of the problem and combine the smaller solutions. Example: to find the largest element.
1/24 An Introduction to PVS Charngki PSWLAB An Introduction to PVS Judy Crow, Sam Owre, John Rushby, Natarajan Shankar, Mandayam Srivas Computer.
5.1 Indirect Proof Objective: After studying this section, you will be able to write indirect proofs.
1 Lecture 5 PVS commands. 2 Last week Logical formalisms, first-order logic (syntax, semantics). Introduction to PVS. Language of PVS. Proving sequents.
Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Integrating Math Units and Proof Checking for Specification and Verification SAVCBS Workshop 2008 SIGSOFT 2008 / FSE 16 November 9th, 2008 Hampton Smith.
Knowledge Repn. & Reasoning Lecture #9: Propositional Logic UIUC CS 498: Section EA Professor: Eyal Amir Fall Semester 2005.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.
1 Interactive Computer Theorem Proving CS294-9 October 5, 2006 Adam Chlipala UC Berkeley Lecture 7: Programming with Proofs.
1 Interactive Computer Theorem Proving CS294-9 October 19, 2006 Adam Chlipala UC Berkeley Lecture 9: Beyond Primitive Recursion.
1 Interactive Computer Theorem Proving CS294-9 September 7, 2006 Adam Chlipala UC Berkeley Lecture 3: Data structures and Induction.
1 Interactive Computer Theorem Proving CS294-9 September 14, 2006 Adam Chlipala UC Berkeley Lecture 4: Inductively- Defined Predicates.
Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop.
Lecture 11: Proof by Reflection
Sparkle a functional theorem prover
The Relationship Between Separation Logic and Implicit Dynamic Frames
A Verified Compiler for an Impure Functional Language
Jared Davis CyberTrust Meeting March 1, 2006
Lesson Objectives Aims
This Lecture Substitution model
Introduction to Proofs Proof Methods and Strategy
This Lecture Substitution model
This Lecture Substitution model
5.1 Indirect Proof Let’s take a Given: Prove: Proof: Either or
Mathematical Induction II
Presentation transcript:

Cooperative Integration of an Interactive Proof Assistant and an Automated Prover Adam Chlipala and George C. Necula University of California, Berkeley STRATEGIES 2006

Summary ● We suggest a new idiom for semi-automated program verification. ● Implemented as a Coq tactic ● In contrast to many automation tactics, it takes advantage of partial success through a possibility for cooperating interaction between human and automatic provers. – Uses standard Nelson-Oppen prover features to structure the interaction

E-Graph ESC-Style Program Verification int sum(node* ls) { if (ls == null) return 0; else return ls->head + sum(ls->tail); } Prove False ls h head r Axiom: When any n and v are in the E-Graph Instantiate with m := n and x := v When any hd(mem, v) is in the E-Graph Instantiate with x := v me m

Let's Try Another.... void splice(node* ls, node *mid, node *new) { mid->tail = new; } Prove False Axiom: When any n and v are in the E-Graph Instantiate with m := n and x := v Axiom: When any sel(n, tl(v)) is in the E-Graph Instantiate with m := n and x := v Axiom: When any n, u, and v are in the E-Graph Instantiate with m := n, x := u, and y := v E-Graph ls m

ESC-Style Downsides ● Inductive proofs must follow program structure! ● If the decision procedure isn't smart enough, you're out of luck. ● Poor support for re-usable proof libraries ● Hard to use higher-order techniques...but really convenient when it works!

Using Coq.... Inductive reach (mem : memory) : addr -> addr -> Prop := | reach_eq : forall a, reach mem a a | reach_ne : forall a b, reach mem (sel mem (tl a)) b -> reach mem a b. induction H2. kettle. destruct H1; kettle. But that's obvious! Obvious again! Kettle was unable to prove the goal. kettle. Proof complete! Calls a Nelson-Oppen prover But wait! How did Kettle prove that? It would need to use a fact like:

The Initial Attempt induction H2. kettle. destruct H1; kettle. use (preserve_reach mem new (tl mid) new); kettle. Kettle decided to do a case split on the equality of tl(ls) and new. It proved the case where they aren't equal and presents the remaining case to us. Now we go prove the lemma we need as preserve_reach..... Proof complete! Instantiate the lemma manually, and Kettle handles the rest! Since we can come up with a good instantiation heuristic for this lemma, we can add it to Kettle's knowledge base and have it used automatically next time....

An Even Better Way Am I going to have to use the elimination rule manually for every proof? That could get tedious! - Run Kettle tactic to reduce goal into simpler subgoals. - For each remaining subgoal G: - For each reachability hypothesis H: - Use elimination on H. - If Kettle can prove the subgoals completely, move on to next subgoal. - Otherwise, undo the elimination and try the next possible H. - If no suitable H was found, leave G for the user. Ltac bounded_kettle' := match goal with | [ H : reach _ _ _ |- _ ] => destruct H; kettle; fail end. Ltac bounded_kettle := kettle; try bounded_kettle'. induction H2; bounded_kettle.

How It Works H1: H2: H3: Ground Decision Procedures ? H1: H2: H3: Tactic ? Quantified Axioms with Triggers H4 : Case Splitting ? H5: H6: H7: H8: H9: H5: Ground Decision Procedures ? ? Quantified Axioms ? Case Splitting ? H8: H9: H5: Tactic ? ? Coq Kettle

Proof Translation ? For all x... x = y ? Assume P... z = y ? Couldn't prove Q...

Reflective Proof Checking “Do a case analysis on the equality of x and y. When x = y, the result follows by arithmetic simplification. Otherwise, instantiate this lemma, and then...” λ Term in Dependent Type Theory ? Definition kettle_prop : Set :=.... Definition kettle_proof : kettle_prop -> Set :=.... Definition interp_prop : kettle_prop -> Prop :=.... Definition check : forall (p : kettle_prop) (pf : kettle_proof p), interp_prop p :=.... Proof The goal is true because I have a Kettle proof of a proposition that compiles to what you're looking for!

Implementation ● We've implemented this as a module linked into a custom Coq binary. ● Implementation tested in some case studies related to pointer-using programs ● In largest case study so far, our tactic helped reduce the number of proof script lines from 37 to 16. –...and leads to less brittle proof scripts that adapt to small spec changes.

Conclusion ● Coq users benefit from a new way of automating parts of proofs. ● Historical users of ESC-style tools can use Coq as a more expressive way of driving their automated provers. ● Another contribution to the quest to find the sweet spot between expressivity and automation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.