CSE 8389 Theorem Proving - Seidel Spring CSE 8389 Theorem Proving Peter-Michael Seidel

CSE 8389 Theorem Proving - Seidel Spring PVS Workflow PVS File System Properties PROOFS Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually  Proof construction Interaction with the theorem prover  A

CSE 8389 Theorem Proving - Seidel Spring PVS Workflow PVS File System Properties PROOFS Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually  Proof construction Interaction with the theorem prover  A

CSE 8389 Theorem Proving - Seidel Spring The PVS Language There are two languages 1.The language to write definitions and theorems (“definition language“) 2.The language to prove theorems (“proof language”) They have nothing to do with each other The definition language looks like “normal math” (translator to Latex built in) The proof language looks like LISP

CSE 8389 Theorem Proving - Seidel Spring Theorem Proving The goal is to show that theorem T is a tautology |= T or follows from the Assumptions & Axioms F 1,…, F k F 1,…, F k |= T PVS operates on sequents of the form F 1,…, F k |– G 1,…, G l AntecedentsConsequents Meaning: The disjunction of the Consequents is a logical consequence of the conjunction of the Antecedents F 1  F 2  …  F k implies G 1  G 2  …  G l Initial sequent (show Theorem): |- T TheoremAxioms, Assumptions Antecedents and Consequents are HOL Formulas

CSE 8389 Theorem Proving - Seidel Spring Proof Trees Sequents can be modified by PVS proof commands F 1,…, F k |– G 1,…, G l AntecedentsConsequents The result of a proof command is a (possibly empty) set of subsequents Initial sequent (show Theorem): |- T The repeated application of proof commands on sequents defines a tree A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof. A theorem T is proven if all proof branches are closed.

CSE 8389 Theorem Proving - Seidel Spring Sequents in PVS notation {-1} i(0)`reset {-2} i(4)`reset | {1} i(1)`reset {2} i(2)`reset {3} (c(2)`A AND NOT c(2)`B) Disjunction (Consequents) Conjunction (Antecedents) Or: Reset in cycles 0, 4 is on, and off in 1, 2. Show that A and not B holds in cycle 2.

CSE 8389 Theorem Proving - Seidel Spring Example Gauss Specifications (for any n > 0) Sum(n) := Recsum(n) := Gauss(n) := gauss: Theory Begin Importing n, i: Var nat sum(n): nat = sigma(0, n, Lambda i: i) recsum(n): recursive nat = if n = 0 Then 0 Else n + recsum(n-1) endif measure n gauss(n): real = n * (n + 1) / 2 end gauss

CSE 8389 Theorem Proving - Seidel Spring Example Gauss Specifications (for any n > 0) Sum(n) := Recsum(n) := Gauss(n) := Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n) gauss: Theory … sum_is_recsum: Lemma sum(n) = recsum(n) recsum_is_gauss: Lemma recsum(n) = gauss(n) sum_is_gauss: Theorem sum(n) = gauss(n) end gauss

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n) Sum(n) := Recsum(n) := recursive definition suggests induction Induction basis

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n) Definitions Sum(n) := Recsum(n) := Sum(0) = ?? Recsum(0) = ??

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n) Induction step

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

CSE 8389 Theorem Proving - Seidel Spring Example Gauss Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n) gauss: Theory … sum_is_recsum: Lemma sum(n) = recsum(n) recsum_is_gauss: Lemma recsum(n) = gauss(n) sum_is_gauss: Theorem sum(n) = gauss(n) end gauss

CSE 8389 Theorem Proving - Seidel Spring Example Gauss recsum_is_gauss: Lemma recsum(n) = gauss(n) Definitions Recsum(n) := Gauss(n) := recursive definition suggests induction more powerful

CSE 8389 Theorem Proving - Seidel Spring Example Gauss Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n) gauss: Theory … sum_is_recsum: Lemma sum(n) = recsum(n) recsum_is_gauss: Lemma recsum(n) = gauss(n) sum_is_gauss: Theorem sum(n) = gauss(n) end gauss

CSE 8389 Theorem Proving - Seidel Spring Example Gauss sum_is_gauss: Lemma sum(n) = gauss(n)

CSE 8389 Theorem Proving - Seidel Spring Proof Trees recsum_is_gauss sum_is_gauss sum_is_recsum

CSE 8389 Theorem Proving - Seidel Spring Proof commands COPY duplicates a formula Why? When you instantiate a quantified formula, the original one is lost DELETE removes unnecessary formulae – keep your proof easy to follow

CSE 8389 Theorem Proving - Seidel Spring Propositional Rules BDDSIMP simplify propositional structure using BDDs CASE: case splitting usage: (CASE “i!1=5”) FLATTEN: Flattens conjunctions, disjunctions, and implications IFF: Convert a=b to a b for a, b boolean LIFT-IF move up case splits inside a formula

CSE 8389 Theorem Proving - Seidel Spring Quantifiers INST: Instantiate Quantifiers –Do this if you have EXISTS in the consequent, or FORALL in the antecedent –Usage: (INST -10 “100+x”) SKOLEM!: Introduce Skolem Constants –Do this if you have FORALL in the consequent (and do not want induction), or EXISTS in the antecedent –If the type of the variable matters, use SKOLEM-TYPEPRED

CSE 8389 Theorem Proving - Seidel Spring Equality REPLACE: If you have an equality in the antecedent, you can use REPLACE –Example: (REPLACE -1) {-1} l=r replace l by r –Example: (REPLACE -1 RL) {-1} l=r replace r by l

CSE 8389 Theorem Proving - Seidel Spring Using Lemmas / Theorems EXPAND: Expand the definition –Example: (EXPAND “min”) LEMMA: add a lemma as antecedent –Example: (LEMMA “my_lemma”) –After that, instantiate the quantifiers with (INST -1 “x”) –Try (USE “my_lemma”). It will try to guess how you want to instantiate

CSE 8389 Theorem Proving - Seidel Spring Induction INDUCT: Performs induction –Usage: (INDUCT “i”) –There should be a FORALL i: … equation in the consequent –You get two subgoals, one for the induction base and one for the step –PVS comes with many induction schemes. Look in the prelude for the full list

CSE 8389 Theorem Proving - Seidel Spring The Magic of (GRIND) Myth: Grind does it all… Reality: Use it when: –Case splitting, skolemization, expansion, and trivial instantiations are left Does not do induction Does not apply lemmas “... frequently used to automatically complete a proof branch…”

CSE 8389 Theorem Proving - Seidel Spring The Magic of (GRIND) If it goes wrong… –you can get unprovable subgoals –it might expand recursions forever How to abort? –Hit Ctrl-C twice, then (restore) How to make it succeed? –Before running (GRIND), remove unnecessary parts of the sequent using (DELETE fnum). It will prevent that GRIND makes wrong instantiations and expands the wrong definitions.

CSE 8389 Theorem Proving - Seidel Spring Proof Trees Induction Proof |- T( n: nat ) Induction basisInduction step n=0 |- T(0) T(n*) |- T(n*+1)

CSE 8389 Theorem Proving - Seidel Spring Number representations Natural number with binary representation: PVS conversion bv2nat: Range of numbers which have a binary representation of length n : Integer with two’s complement representation : PVS conversion bv2int: Range of numbers with two’s complement representation of length n :

CSE 8389 Theorem Proving - Seidel Spring Lemmas from Bitvector Library Lemma 1 Lemma 2 Lemma 3 Lemma 4

CSE 8389 Theorem Proving - Seidel Spring Lemmas from Bitvector Library Lemma 5 Lemma 6 Lemma 7 Lemma 8

CSE 8389 Theorem Proving - Seidel Spring Lemmas from Bitvector Library Lemma 9 Lemma 10 Lemma 11 Lemma 12

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Ripple Carry Adder

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

CSE 8389 Theorem Proving - Seidel Spring Conditional Sum Adder

CSE 8389 Theorem Proving - Seidel Spring Modeling Hardware with PVS Combinational Hardware –No latches –Circuit is loop-free –Examples: arithmetic circuits, ALUs, … Clocked Circuits –Combinational part + registers (latches) –Examples: Processors, Controllers,… A

CSE 8389 Theorem Proving - Seidel Spring Modeling Hardware with PVS Idea: Model combinational circuits using functions on bit vectors f(A, B, reset: bit):bit= IF NOT(reset) THEN (NOT A) OR B ELSE false ENDIF A Translation from/to Verilog, VHDL, etc. easy

CSE 8389 Theorem Proving - Seidel Spring Modeling Hardware with PVS Combinational Hardware –No latches –Circuit is loop-free –Examples: arithmetic circuits, ALUs, … Clocked Circuits –Combinational part + registers (latches) –Examples: Processors, Controllers,… A

CSE 8389 Theorem Proving - Seidel Spring Clocked Circuits A TresetAB 01?? Configuration in cycle 4

CSE 8389 Theorem Proving - Seidel Spring Clocked Circuits A t(c: C, i: I):C= (# A:= IF i`reset THEN false ELSE (NOT c`A) OR c`B ENDIF, B:= IF i`reset THEN false ELSE c`A OR c`B ENDIF #) C: TYPE = [# A, B: bit #] I: TYPE = [# reset: bit #] 1. Define Type for STATE and INPUTS 2. Define the Transition Function

CSE 8389 Theorem Proving - Seidel Spring Clocked Circuits A c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T initial: C i: [nat -> I]; 3. Define Initial State and Inputs 4. Define the Configuration Sequence

CSE 8389 Theorem Proving - Seidel Spring Clocked Circuits A c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T 5. Prove things about this sequence c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)`A AND NOT c(2)`B) You can also verify invariants, even temporal properties that way.

CSE 8389 Theorem Proving - Seidel Spring Modeling Software with PVS (Software written in functional language) (Take a subset of PVS, and compile that) Software written in language like ANSI-C f(i: int):int= LET a1=LAMBDA (x: below(10)): 0 IN... LET a2=a1 WITH [(i):=5] IN... ai(0) int f(int i) { int a[10]={ 0, … };... a[i]=5;... return a[0]; } A What about loops?

CSE 8389 Theorem Proving - Seidel Spring Modeling Software with PVS A C: TYPE = [# a: [below(10)->integer], i: nat #] 1. Define Type for STATE int a[10]; unsigned i; int main() {... } nat? Of course, bvec[32] is better

CSE 8389 Theorem Proving - Seidel Spring Modeling Software with PVS A 2. Translate your program into goto program int a[10]; unsigned i,j,k; int main() { i=k=0; while(i<10) { i++; k+=2; } j=100; k++; } int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; }

CSE 8389 Theorem Proving - Seidel Spring Modeling Software with PVS A 3. Partition your program into basic blocks int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } L1(c: C):C= c WITH [i:=0, k:=0] L2(c: C):C= c L3(c: C):C= c WITH [i:=c`i+1, k:=c`k+2] L4(c: C):C= c WITH [j:=100, k:=c`k+1] 4. Write transition function for each basic block

CSE 8389 Theorem Proving - Seidel Spring Modeling Software with PVS A 5. Combine transition functions using a program counter int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } PCt: TYPE = { L1, L2, L3, L4, END } add PC: PCt to C t(c: C): C= CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT (c`i<10) THEN L4 ELSE L3 ENDIF, L3: L3(c) WITH [PC:=L2], L4: L4(c) WITH [PC:=END], END: c ENDCASES make sure the PC of the initial state is L1