Theorem Proving and Model Checking in PVS
15-820A: Proving Software with PVS
Edmund Clarke, Daniel Kroening, Carnegie Mellon University

Presentation transcript:

1 Theorem Proving and Model Checking in PVS
Proving Software with PVS
Edmund Clarke, Daniel Kroening
Carnegie Mellon University

2 Outline
Modeling Software with PVS
– Complete example for sequential software, including the proof
– The magic GRIND
– Modularization

3 Modeling Software with PVS
1. Define a type for the STATE

  int a[10];
  unsigned i;
  int main() { ... }

  C: TYPE = [# a: [below(10) -> integer], i: nat #]

4 Modeling Software with PVS
2. Translate your program into a goto program

  int a[10];
  unsigned i,j,k;
  int main() {
    i=k=0;
    while(i<10) {
      i++;
      k+=2;
    }
    j=100;
    k++;
  }

becomes

  int a[10];
  unsigned i,j,k;
  int main() {
    L1: i=k=0;
    L2: if(!(i<10)) goto L4;
    L3: i++; k+=2; goto L2;
    L4: j=100; k++;
  }

5 Modeling Software with PVS
3. Partition your program into basic blocks

  int a[10];
  unsigned i,j,k;
  int main() {
    L1: i=k=0;
    L2: if(!(i<10)) goto L4;
    L3: i++; k+=2; goto L2;
    L4: j=100; k++;
  }

4. Write a transition function for each basic block

  L1(c: C): C = c WITH [i:=0, k:=0]
  L2(c: C): C = c
  L3(c: C): C = c WITH [i:=c`i+1, k:=c`k+2]
  L4(c: C): C = c WITH [j:=100, k:=c`k+1]

6 Modeling Software with PVS
5. Combine the transition functions using a program counter (goto program as on slide 5)

  PCt: TYPE = { L1, L2, L3, L4, END }

  t(c: C): C = CASES c`PC OF
    L1: L1(c) WITH [PC:=L2],
    L2: L2(c) WITH [PC:= IF NOT (c`i<10) THEN L4 ELSE L3 ENDIF],
    L3: L3(c) WITH [PC:=L2],
    L4: L4(c) WITH [PC:=END],
    END: c
  ENDCASES

7 Modeling Software with PVS
6. Define the configuration sequence

  c(T: nat, initial: C): RECURSIVE C =
    IF T=0 THEN initial WITH [PC:=L1]
    ELSE t(c(T-1, initial))
    ENDIF
  MEASURE T

7. Now prove properties about the PC=LEND states

  program_correct: THEOREM
    FORALL (initial: C):
      FORALL (T: nat | c(T, initial)`PC=LEND):
        c(T, initial)`result = correct_result(initial)

8 Example I
1. Define a type for the STATE

  bool find_linear(unsigned size, const int a[], int x) {
    unsigned i;
    for(i=0; i<size; i++)
      if(a[i]==x) return TRUE;
    return FALSE;
  }

  C: TYPE = [# size: nat, a: [nat -> integer], x: integer, i: nat, result: bool, PC: PCt #]

9 Example II
2. Translate your program into a goto program

  bool find_linear(unsigned size, const int a[], int x) {
    unsigned i;
    for(i=0; i<size; i++)
      if(a[i]==x) return TRUE;
    return FALSE;
  }

becomes

  bool find_linear(unsigned size, const int a[], int x) {
    L1: i=0;
    L2: if(!(i<size)) goto L8;
    L3: if(!(a[i]==x)) goto L6;
    L4: result=TRUE;
    L5: goto LEND;
    L6: i++;
    L7: goto L2;
    L8: result=FALSE;
    LEND: ;
    return result;
  }

10 Example III/IV
3. Partition your program into basic blocks (the goto program of slide 9, one block per label L1..L8)
4. Write a transition function for each basic block

  L1(c: C): C = c WITH [i:=0]
  L2(c: C): C = c
  L3(c: C): C = c
  L4(c: C): C = c WITH [result:=TRUE]
  L5(c: C): C = c
  L6(c: C): C = c WITH [i:=c`i+1]
  L7(c: C): C = c
  L8(c: C): C = c WITH [result:=FALSE]

11 Example V
5. Combine the transition functions using a program counter (goto program of slide 9)

  t(c: C): C = CASES c`PC OF
    L1: L1(c) WITH [PC:=L2],
    L2: L2(c) WITH [PC:= IF NOT c`i < c`size THEN L8 ELSE L3 ENDIF],
    L3: L3(c) WITH [PC:= IF NOT c`a(c`i)=c`x THEN L6 ELSE L4 ENDIF],
    L4: L4(c) WITH [PC:=L5],
    L5: L5(c) WITH [PC:=LEND],
    L6: L6(c) WITH [PC:=L7],
    L7: L7(c) WITH [PC:=L2],
    L8: L8(c) WITH [PC:=LEND],
    LEND: c
  ENDCASES

12 Example VI
6. Define the configuration sequence

  c(T: nat, initial: C): RECURSIVE C =
    IF T=0 THEN initial WITH [PC:=L1]
    ELSE t(c(T-1, initial))
    ENDIF
  MEASURE T

7. Now prove properties about the PC=LEND states

  program_correct: THEOREM
    FORALL (initial: C):
      FORALL (T: nat | c(T, initial)`PC=LEND):
        c(T, initial)`result = correct_result(initial)

What is the correct result?

13 Example IV
  C: TYPE = [# size: nat, a: [nat -> integer], x: integer, i: nat, result: bool, PC: PCt #]

  correct_result(c: C): bool = EXISTS (j: below(c`size)): c`a(j)=c`x

OK! LET’S PROVE THIS!

14 Something useful first…
  C: TYPE = [# size: nat, a: [nat -> integer], x: integer, i: nat, result: bool, PC: PCt #]

  program_correct: THEOREM
    FORALL (initial: C):
      FORALL (T: nat | c(T, initial)`PC=LEND):
        c(T, initial)`result = correct_result(initial)

This relates the initial state and the final state. We need to say:

  c(T)`a = initial`a AND c(T)`x = initial`x AND c(T)`size = initial`size

or: the program only changes i, result, and PC.

15 Something useful first…
We need to say:

  c(T)`a = initial`a AND c(T)`x = initial`x AND c(T)`size = initial`size

or: the program only changes i, result, and PC.

  invar_constants(T: nat, initial: C): bool =
    c(T, initial)`size = initial`size AND
    c(T, initial)`a = initial`a AND
    c(T, initial)`x = initial`x;

  constants: LEMMA FORALL (initial: C, T: nat): invar_constants(T, initial)

Proof: induction on T + GRIND

Next: the real invariant…

16 Loop Invariant
  bool find_linear(unsigned size, const int a[], int x) {
    unsigned i;
    for(i=0; i<size; i++)
      if(a[i]==x) return TRUE;
    return FALSE;
  }

  FORALL (j: below(c`i)): c`a(j)/=c`x

17 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   % i=0;
    L2:   % if(!(i<size)) goto L8;   (beginning of the loop)
    L3:   % if(!(a[i]==x)) goto L6;
    L4:   % result=TRUE;
    L5:   % goto LEND;
    L6:   % i++;
    L7:   % goto L2;                 (end of the loop)
    L8:   % result=FALSE;
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

18 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   % i=0;
    L2:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(i<size)) goto L8;
    L3:   % if(!(a[i]==x)) goto L6;
    L4:   % result=TRUE;
    L5:   % goto LEND;
    L6:   % i++;
    L7:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % goto L2;
    L8:   % result=FALSE;
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

What here?

19 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   TRUE,   % i=0;
    L2:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(i<size)) goto L8;
    L3:   % if(!(a[i]==x)) goto L6;
    L4:   % result=TRUE;
    L5:   % goto LEND;
    L6:   % i++;
    L7:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % goto L2;
    L8:   % result=FALSE;            (exiting the loop)
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

20 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   TRUE,   % i=0;
    L2:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(i<size)) goto L8;
    L3:   % if(!(a[i]==x)) goto L6;
    L4:   % result=TRUE;
    L5:   % goto LEND;
    L6:   % i++;
    L7:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % goto L2;
    L8:   c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % result=FALSE;
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

What here?

21 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   TRUE,   % i=0;
    L2:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(i<size)) goto L8;
    L3:   c`i<c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(a[i]==x)) goto L6;
    L4:   % result=TRUE;
    L5:   % goto LEND;
    L6:   % i++;
    L7:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % goto L2;
    L8:   c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % result=FALSE;
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

What here?

22 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   TRUE,   % i=0;
    L2:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(i<size)) goto L8;
    L3:   c`i<c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(a[i]==x)) goto L6;
    L4:   % result=TRUE;
    L5:   % goto LEND;
    L6:   FORALL (j: below(c`i+1)): c`a(j)/=c`x,   % i++;
    L7:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % goto L2;
    L8:   c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % result=FALSE;
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

What here?

23 The Invariant
  invar(c: C): bool = CASES c`PC OF
    L1:   TRUE,   % i=0;
    L2:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(i<size)) goto L8;
    L3:   c`i<c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % if(!(a[i]==x)) goto L6;
    L4:   c`i<c`size AND c`a(c`i)=c`x,   % result=TRUE;
    L5:   c`i<c`size AND c`a(c`i)=c`x AND c`result=TRUE,   % goto LEND;
    L6:   FORALL (j: below(c`i+1)): c`a(j)/=c`x,   % i++;
    L7:   FORALL (j: below(c`i)): c`a(j)/=c`x,   % goto L2;
    L8:   c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x,   % result=FALSE;
    LEND: c`result = EXISTS (j: below(c`size)): c`a(j)=c`x
  ENDCASES

24 The Invariant
DARING CLAIM: “Once you have found the invariant, the proof is done.”
We now have the invariant. Let’s do the actual proof. Who believes we are done?

25 The Gentzen Sequent
  {-1} i(0)`reset
  {-2} i(4)`reset
    |-------
  {1}  i(1)`reset
  {2}  i(2)`reset
  {3}  (c(2)`A AND NOT c(2)`B)

Antecedents (above the line) form a conjunction; consequents (below the line) form a disjunction.
Or: reset is on in cycles 0 and 4, and off in cycles 1 and 2. Show that A and not B holds in cycle 2.

26 The Magic of (GRIND)
Myth: Grind does it all…
Reality: use it when
– case splitting, skolemization, expansion, and trivial instantiations are all that is left
It does not do induction.
It does not apply lemmas.
“... frequently used to automatically complete a proof branch…”

27 The Magic of (GRIND)
If it goes wrong…
– you can get unprovable subgoals
– it might expand recursions forever
How to abort?
– Hit Ctrl-C twice, then (restore)
How to make it succeed?
– Before running (GRIND), remove unnecessary parts of the sequent using (DELETE fnum). This prevents GRIND from making wrong instantiations and expanding the wrong definitions.

28 NOW LET’S PROVE THE INVARIANT

29 A word on automation…
– The generation of C, t, and c can be trivially automated
– Most of the invariant can be generated automatically: all but the actual loop invariant (cases L7/L2)
– The proof is automatic unless quantifier instantiation is required

30 Modularization
  t(c: C): C = CASES c`PC OF
    L1: L1(c) WITH [PC:=L2],
    L2: L2(c) WITH [PC:= IF NOT c`i < c`size THEN L8 ELSE L3 ENDIF],
    L3: L3(c) WITH [PC:= IF NOT c`a(c`i)=c`x THEN L6 ELSE L4 ENDIF],
    L4: L4(c) WITH [PC:=L5],
    L5: L5(c) WITH [PC:=LEND],
    L6: L6(c) WITH [PC:=L7],
    L7: L7(c) WITH [PC:=L2],
    L8: L8(c) WITH [PC:=LEND],
    LEND: c
  ENDCASES

(goto program of find_linear as on slide 9)

How about a program with 1000 basic blocks? 1000 cases? Better not.
Remedy: modularize the program and the proof.
Idea: find_linear is a function in the C program, so make it a function in PVS as well: C -> C
Functions in PVS must be total; thus, this requires a proof of termination.

31 Modularization
  epsilon_ax: AXIOM (EXISTS x: p(x)) => p(epsilon(p))

  find_linear(start: C): C =
    c( epsilon! (T: nat): c(T, start)`PC=LEND,   % a T such that c(T, start)`PC=LEND
       start)

"epsilon! (x:t): p(x)" is translated to "epsilon(LAMBDA (x:t): p(x))".
THIS IS WHAT REQUIRES TERMINATION

32 Modularization
  termination: THEOREM FORALL (initial: C): EXISTS (T: nat): c(T, initial)`PC=LEND

  epsilon_ax: AXIOM (EXISTS x: p(x)) => p(epsilon(p))

The termination theorem lets us show the left-hand side of epsilon_ax; the right-hand side then says

  c(epsilon! (T: nat): c(T, start)`PC=LEND, start)`PC=LEND

33 Modularization
  find_linear(start: C): C = c( epsilon! (T: nat): c(T, start)`PC=LEND, start)

What to prove about it?

  find_linear_correct: THEOREM FORALL (c: C):
    LET new = find_linear(c) IN
      new = c WITH [result:=correct_result(c)]

What is missing?

34 Modularization
  find_linear(start: C): C = c( epsilon! (T: nat): c(T, start)`PC=LEND, start)

What to prove about it?

  find_linear_correct: THEOREM FORALL (c: C):
    LET new = find_linear(c) IN
      new = c WITH [result:=correct_result(c), PC:=new`PC, i:=new`i]

“All variables but result, PC, and i are unchanged, and result is the correct result.”
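As an added example (not part of the slides), the find_linear model of slides 8 to 23 and the epsilon-based find_linear of slides 31 to 34 in executable Python: the record type C, the transition function t, correct_result and the complete slide-23 invariant are transcribed directly, while find_linear_fn realises the epsilon choice as the least T with PC = LEND and check walks the configuration sequence testing the invariant and the constants lemma at every step and find_linear_correct at the end. The function names no_hit_below, find_linear_fn and check, and the step bound, are mine.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class C:                       # the PVS record type C of slide 8
    size: int
    a: Tuple[int, ...]         # stands in for a: [nat -> integer]; len(a) >= size assumed
    x: int
    i: int = 0
    result: bool = False
    PC: str = "L1"

def t(c: C) -> C:              # transition function t of slide 11, one case per PC
    if c.PC == "L1": return replace(c, i=0, PC="L2")
    if c.PC == "L2": return replace(c, PC="L3" if c.i < c.size else "L8")
    if c.PC == "L3": return replace(c, PC="L4" if c.a[c.i] == c.x else "L6")
    if c.PC == "L4": return replace(c, result=True, PC="L5")
    if c.PC == "L5": return replace(c, PC="LEND")
    if c.PC == "L6": return replace(c, i=c.i + 1, PC="L7")
    if c.PC == "L7": return replace(c, PC="L2")
    if c.PC == "L8": return replace(c, result=False, PC="LEND")
    return c                   # LEND: the configuration sequence stutters

def correct_result(c: C) -> bool:       # slide 13
    return any(c.a[j] == c.x for j in range(c.size))

def no_hit_below(c: C, n: int) -> bool: # FORALL (j: below(n)): c`a(j) /= c`x
    return all(c.a[j] != c.x for j in range(n))

def invar(c: C) -> bool:                # the complete invariant of slide 23
    if c.PC == "L1": return True
    if c.PC in ("L2", "L7"): return no_hit_below(c, c.i)
    if c.PC == "L3": return c.i < c.size and no_hit_below(c, c.i)
    if c.PC == "L4": return c.i < c.size and c.a[c.i] == c.x
    if c.PC == "L5": return c.i < c.size and c.a[c.i] == c.x and c.result
    if c.PC == "L6": return no_hit_below(c, c.i + 1)
    if c.PC == "L8": return c.i >= c.size and no_hit_below(c, c.i)
    return c.result == correct_result(c)   # LEND: result <=> EXISTS j: a(j) = x

def find_linear_fn(start: C, bound: int = 10_000) -> Optional[C]:
    # find_linear of slide 31: epsilon! (T: nat): c(T, start)`PC = LEND, realised
    # as the least such T; bound is a hypothetical guard against non-termination
    cur = replace(start, PC="L1")           # c(0, start)
    for _ in range(bound):
        if cur.PC == "LEND":
            return cur
        cur = t(cur)                        # c(T+1, start) = t(c(T, start))
    return None

def check(start: C) -> bool:
    # invar and the constants lemma (slide 15) at every step, find_linear_correct at LEND
    cur = replace(start, PC="L1")
    while invar(cur) and (cur.size, cur.a, cur.x) == (start.size, start.a, start.x):
        if cur.PC == "LEND":
            new = find_linear_fn(start)
            return new == replace(start, result=correct_result(start), PC=new.PC, i=new.i)
        cur = t(cur)
    return False
```

Running check over constructed inputs (a hit, a miss, an empty array) exercises every case of the invariant; a deliberately wrong configuration, such as PC = L2 with a(0) = x, is rejected by invar.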

35 NOW LET’S PROVE THE THEOREM