Software Synthesis with ACL2 Eric Smith Kestrel Institute ACL2 Workshop 2015.

Slides:



Advertisements
Similar presentations
Tom Schrijvers K.U.Leuven, Belgium with Manuel Chakravarty, Martin Sulzmann and Simon Peyton Jones.
Advertisements

Proofs, Recursion and Analysis of Algorithms Mathematical Structures for Computer Science Chapter 2 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesProofs,
© 2006 Rockwell Collins, Inc. All rights reserved. Parameterized Congruences in ACL2 David Greve August, 2006.
Opmaker2: Efficient Action Schema Acquisition T.L.McCluskey, S.N.Cresswell, N. E. Richardson and M.M.West The University of Huddersfield,UK
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Divide-and-Conquer Recursive in structure –Divide the problem into several smaller sub-problems that are similar to the original but smaller in size –Conquer.
ISBN Chapter 3 Describing Syntax and Semantics.
The Z Specification Language
IFL, Lawrence KS, 3 Oct Property-Based Testing a catalog of classroom examples Rex Page University of Oklahoma.
Termination Analysis Math Foundations of Computer Science.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Computational problems, algorithms, runtime, hardness
VIDE Integrated Environment for Development and Verification of Programs.
Divide-and-Conquer1 7 2  9 4   2  2 79  4   72  29  94  4.
Divide-and-Conquer1 7 2  9 4   2  2 79  4   72  29  94  4.
CSE 830: Design and Theory of Algorithms
Boolean Unification EE219B Presented by: Jason Shamberger March 1, 2000.
Chapter 11: Limitations of Algorithmic Power
Describing Syntax and Semantics
Combinational Logic Design
Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.
Equational Reasoning Math Foundations of Computer Science.
HOW TO SOLVE IT? Algorithms. An Algorithm An algorithm is any well-defined (computational) procedure that takes some value, or set of values, as input.
Divide-and-Conquer 7 2  9 4   2   4   7
Functional Programming 02 Lists
Specifications and Morphisms Spec Partial-Order sort E op _le_: E, E  Boolean axiom reflexive x le x axiom transitive x le y  y le z  x le z axiom antisymmetric.
The ACL2 Proof Assistant Formal Methods Jeremy Johnson.
Induction Schemes Math Foundations of Computer Science.
Mitthögskolan 10/8/ Common Lisp LISTS. Mitthögskolan 10/8/2015 2Lists n Lists are one of the fundamental data structures in Lisp. n However, it.
1 Teaching Software Correctness May 13-15, 2008, University of Oklahoma Rex Page, U Assistants Carl Eastlund (lead), Northeastern
IFIP WG2.1 meeting, 京都市, Sep Refinement and Transformations in Specware A progress report Alessandro Coglio, Kestrel Institute Stephen Westfold,
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Analyzing Complexity of Lists OperationSorted Array Sorted Linked List Unsorted Array Unsorted Linked List Search( L, x ) O(logn) O( n ) O( n ) Insert(
1 Lecture 16: Lists and vectors Binary search, Sorting.
TSC Workshop, May 2008, U Oklahoma 1 Teaching Software Correctness May 13-15, 2008, University of Oklahoma Rex Page, U Assistants Carl.
Major objective of this course is: Design and analysis of modern algorithms Different variants Accuracy Efficiency Comparing efficiencies Motivation thinking.
Divide & Conquer  Themes  Reasoning about code (correctness and cost)  recursion, induction, and recurrence relations  Divide and Conquer  Examples.
Second-Order Functions and Theorems in ACL2 Alessandro Coglio Workshop 2015 Kestrel Institute.
CSCI 3160 Design and Analysis of Algorithms Tutorial 10 Chengyu Lin.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
These courseware materials are to be used in conjunction with Software Engineering: A Practitioner’s Approach, 6/e and are provided with permission by.
Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University.
Semantics In Text: Chapter 3.
LISP Data Types Functional Programming Academic Year Alessandro Cimatti
Introduction to LISP. Lisp Extensible: It lets you define new operators yourself Lisp programs are expressed as lisp data structures –You can write programs.
Basic Introduction to Lisp
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Duminda WijesekeraSWSE 623: Introduction1 Introduction to Formal and Semi- formal Methods Based on A Specifier's Introduction to Formal Methods (J. Wing)
Lecture 2 Algorithm Analysis Arne Kutzner Hanyang University / Seoul Korea.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Tevfik Bultan Lecture 4: Introduction to C: Control Flow.
An ACL2 Library for Bags (Multisets) Eric Smith*, Serita Nelesen*, David Greve, Matthew Wilding, and Raymond Richards Rockwell Collins Advanced Technology.
Adding Parallelism Capabilities to ACL2 August 16, 2006 David L. Rager.
Object Design More Design Patterns Object Constraint Language Object Design Specifying Interfaces Review Exam 2 CEN 4010 Class 18 – 11/03.
Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.
1 Interactive Computer Theorem Proving CS294-9 October 19, 2006 Adam Chlipala UC Berkeley Lecture 9: Beyond Primitive Recursion.
Functional Programming in ACL2 Jeremy Johnson Kurt Schmidt Drexel University.
Lecture 2 Algorithm Analysis
Unit 1. Sorting and Divide and Conquer
The DE Language Erik Reeber 6/30/04.
Logical architecture refinement
Programming Languages and Compilers (CS 421)
J.E. Spragg Mitthögskolan 1997
Divide-and-Conquer 7 2  9 4   2   4   7
Semantics In Text: Chapter 3.
Divide-and-Conquer 7 2  9 4   2   4   7
OBJ first-order functional language based on equational logic
Programming Languages and Compilers (CS 421)
Divide-and-Conquer 7 2  9 4   2   4   7
Presentation transcript:

Software Synthesis with ACL2 Eric Smith Kestrel Institute ACL2 Workshop 2015

Outline Overview of Refinement-Based Synthesis Proof-Emitting Transformations Specs and Morphisms Joint work with Alessandro Coglio and others.

Refinement-Based Synthesis Derive an implementation from a specification via a sequence of provably correct refinement steps. – Each step represents a design decision Not a new idea, e.g., – Z notation – B method – VDM (Vienna Development Method) – Specware – defspec / defrefine / … New implementation in ACL2

Part 1: Proof-Producing Transformations make-tail-rec – assoc – monoid – nats counting down – bit vectors counting down finite-difference remove-cdring expand-lets letify simplify-body rewrite-body drop-function-from-nest drop-irrelevant-params flatten-params homogenize-tail-rec flip-if rename-params reorder-params restructure-elseif make-do-while lift-condition weaken strengthen wrap-output wrap-input undo-finite-difference undo-make-tail-rec define-op copy-spec spec substitution decrease-and-conquer divide-and-conquer

Make-tail-rec Transformation (defun sum-squares (n) (if (zp n) 0 (+ (* n n) (sum-squares (- n 1))))) (defun sum-squares (n) (if (zp n) 0 (+ (* n n) (sum-squares (- n 1))))) (DEFUN SUM-SQUARES$1 (N ACC) (IF (ZP N) ACC (SUM-SQUARES$1 (- N 1) (+ ACC (* N N))))) (DEFUN SUM-SQUARES$1-WRAPPER (N) (SUM-SQUARES$1 N 0)) (DEFTHM SUM-SQUARES-IS-SUM-SQUARES$1-WRAPPER (EQUAL (SUM-SQUARES N) (SUM-SQUARES$1-WRAPPER N))) (DEFUN SUM-SQUARES$1 (N ACC) (IF (ZP N) ACC (SUM-SQUARES$1 (- N 1) (+ ACC (* N N))))) (DEFUN SUM-SQUARES$1-WRAPPER (N) (SUM-SQUARES$1 N 0)) (DEFTHM SUM-SQUARES-IS-SUM-SQUARES$1-WRAPPER (EQUAL (SUM-SQUARES N) (SUM-SQUARES$1-WRAPPER N))) (make-tail-rec-monoid sum-squares :domain natp)

(DEFUN SUM-SQUARES$2 (N ACC N*N) (IF (ZP N) ACC (SUM-SQUARES$2 (- N 1) (+ ACC N*N) (+ N*N (- N) (- N) 1)))) (DEFUN SUM-SQUARES$2-WRAPPER (N ACC) (SUM-SQUARES$2 N ACC (* N N))) (DEFTHM SUM-SQUARES$1-BECOMES-SUM-SQUARES$2 (EQUAL (SUM-SQUARES$1 N ACC) (SUM-SQUARES$2-WRAPPER N ACC)) (DEFUN SUM-SQUARES$2 (N ACC N*N) (IF (ZP N) ACC (SUM-SQUARES$2 (- N 1) (+ ACC N*N) (+ N*N (- N) (- N) 1)))) (DEFUN SUM-SQUARES$2-WRAPPER (N ACC) (SUM-SQUARES$2 N ACC (* N N))) (DEFTHM SUM-SQUARES$1-BECOMES-SUM-SQUARES$2 (EQUAL (SUM-SQUARES$1 N ACC) (SUM-SQUARES$2-WRAPPER N ACC)) Finite-differencing Transformation (DEFUN SUM-SQUARES$1 (N ACC) (IF (ZP N) ACC (SUM-SQUARES$1 (- N 1) (+ ACC (* N N))))) (DEFUN SUM-SQUARES$1 (N ACC) (IF (ZP N) ACC (SUM-SQUARES$1 (- N 1) (+ ACC (* N N))))) (finite-difference sum-squares$1 (* n n) *math-rules*) Maintain invariant for n*n: (* (- n 1) (- n 1) = (+ (* n n) (- n) (- n) (* -1 -1)) = (+ (* n n) (- n) (- n) 1) = (+ n*n (- n) (- n) 1) Maintain invariant for n*n: (* (- n 1) (- n 1) = (+ (* n n) (- n) (- n) (* -1 -1)) = (+ (* n n) (- n) (- n) 1) = (+ n*n (- n) (- n) 1)

(DEFUN MEMBERP$1 (A X N) (IF (NOT (NATP N)) ; should never happen T (IF (CONSP (NTHCDR N X)) (IF (EQUAL A (CAR (NTHCDR N X))) T (MEMBERP$1 A X (+ 1 N))) NIL))) (DEFUN MEMBERP$1-WRAPPER (A X) (MEMBERP$1 A X 0)) (DEFTHM MEMBERP-BECOMES-MEMBERP$1-WRAPPER (EQUAL (MEMBERP A X) (MEMBERP$1-WRAPPER A X))) (DEFUN MEMBERP$1 (A X N) (IF (NOT (NATP N)) ; should never happen T (IF (CONSP (NTHCDR N X)) (IF (EQUAL A (CAR (NTHCDR N X))) T (MEMBERP$1 A X (+ 1 N))) NIL))) (DEFUN MEMBERP$1-WRAPPER (A X) (MEMBERP$1 A X 0)) (DEFTHM MEMBERP-BECOMES-MEMBERP$1-WRAPPER (EQUAL (MEMBERP A X) (MEMBERP$1-WRAPPER A X))) Remove-cdring Transformation (DEFUN MEMBERP (A X) (IF (CONSP X) (IF (EQUAL A (CAR X)) T (MEMBERP A (CDR X))) NIL)) (DEFUN MEMBERP (A X) (IF (CONSP X) (IF (EQUAL A (CAR X)) T (MEMBERP A (CDR X))) NIL)) (remove-cdring memberp)

Implementation of Transformations Use macros / make-event – Look up the target function in the logical world – Generate new function(s) – Generate correctness theorems Carefully control the proofs All transformations prove correctness of their output – “Verifying compiler” approach

Part 2: Specs and Morphisms Specware-style refinement in ACL2

Specs Spec: a logical theory – collection of ‘ops’ (functions), constraints (axioms), theorems, and imports of other specs Example: (spec sorting (op my-sort (l)) (axiom my-sort-correct (implies (true-listp l) (sorted-permutationp (my-sort l) l)))) (spec sorting (op my-sort (l)) (axiom my-sort-correct (implies (true-listp l) (sorted-permutationp (my-sort l) l))))

Morphisms Morphism: a theory interpretation – i.e., a property-preserving mapping between specs. – Maps names to names – Proof obligation: Axioms in source spec must be theorems in target spec

Trivial Example (spec s1 (op foo (x)) (op bar (x)) (axiom foo-bar (<= (foo x) (bar x)))) (spec s1 (op foo (x)) (op bar (x)) (axiom foo-bar (<= (foo x) (bar x)))) (spec s2 (op foo2 (x)) (axiom natp-of-foo2 (natp (foo2 x))) (op bar2 (x) (* 2 (foo2 x)))) (spec s2 (op foo2 (x)) (axiom natp-of-foo2 (natp (foo2 x))) (op bar2 (x) (* 2 (foo2 x)))) (morphism m (s1 s2) ((foo foo2) (bar bar2))) Proof Obligation: (<= (foo2 x) (bar2 x))

ACL2 Implementation Uses macros and make-event – Track everything with tables Spec: basically an encapsulate – Specs can import other specs (allows hierarchy) – No witness needed for consistency (next slide…) – But still get a conservative extension of the ACL2 world Morphism: basically the obligations for a functional instantiation

Avoiding Giving Witnesses Encapsulate requires witnesses for the constrained functions – Ensures the constraints are satisfiable – Amounts to writing and proving an implementation But this is what refinement will ultimately do! Specs don’t require witnesses – Every spec with axioms gets a 0-ary “witness predicate” Added as a constrained function in the encapsulate Locally defined to be false Added as an assumption for every axiom and theorem – Morphism maps source witness predicate to target witness predicate – A fully-defined spec (last refinement step) doesn’t have a witness predicate The final morphism maps the witness predicate to true.

Spec Substitution Spec Substitution: Specialize/Concretize a spec by applying a morphism – Related to a categorical “push-out” Implementation: Basically a functional instantiation

(spec divide-and-conquer-problem (op problemp (x)) (op solutionp (solution problem)) (op directly-solvablep (problem)) (op solve-directly (problem)) (op divide (problem) :output (mv * *)) (op combine (solution1 solution2))... (axiom solve-directly-correct (implies (and (problemp problem) (directly-solvablep problem)) (solutionp (solve-directly problem) problem))) (axiom combine-correct (implies (and (problemp problem) (not (directly-solvablep problem)) (solutionp solution0 (mv-nth '0 (divide problem))) (solutionp solution1 (mv-nth '1 (divide problem)))) (solutionp (combine solution0 solution1) problem)))...) (spec divide-and-conquer-problem (op problemp (x)) (op solutionp (solution problem)) (op directly-solvablep (problem)) (op solve-directly (problem)) (op divide (problem) :output (mv * *)) (op combine (solution1 solution2))... (axiom solve-directly-correct (implies (and (problemp problem) (directly-solvablep problem)) (solutionp (solve-directly problem) problem))) (axiom combine-correct (implies (and (problemp problem) (not (directly-solvablep problem)) (solutionp solution0 (mv-nth '0 (divide problem))) (solutionp solution1 (mv-nth '1 (divide problem)))) (solutionp (combine solution0 solution1) problem)))...) Divide and Conquer

(spec divide-and-conquer-problem (op problemp (x)) (op solutionp (solution problem)) (op directly-solvablep (problem)) (op solve-directly (problem)) (op divide (problem) :output (mv * *)) (op combine (solution1 solution2))... (axiom solve-directly-correct (implies (and (problemp problem) (directly-solvablep problem)) (solutionp (solve-directly problem) problem))) (axiom combine-correct (implies (and (problemp problem) (not (directly-solvablep problem)) (solutionp solution0 (mv-nth '0 (divide problem))) (solutionp solution1 (mv-nth '1 (divide problem)))) (solutionp (combine solution0 solution1) problem)))...) (spec divide-and-conquer-problem (op problemp (x)) (op solutionp (solution problem)) (op directly-solvablep (problem)) (op solve-directly (problem)) (op divide (problem) :output (mv * *)) (op combine (solution1 solution2))... (axiom solve-directly-correct (implies (and (problemp problem) (directly-solvablep problem)) (solutionp (solve-directly problem) problem))) (axiom combine-correct (implies (and (problemp problem) (not (directly-solvablep problem)) (solutionp solution0 (mv-nth '0 (divide problem))) (solutionp solution1 (mv-nth '1 (divide problem)))) (solutionp (combine solution0 solution1) problem)))...) (spec divide-and-conquer-solution (import divide-and-conquer-problem) (op solve (problem) (if (not (problemp problem)) :default-value ;should never happen. (if (directly-solvablep problem) (solve-directly problem) (mv-let (first-subproblem second-subproblem) (divide problem) (combine (solve first-subproblem) (solve second-subproblem)))))) (theorem solve-correct (implies (problemp problem) (solutionp (solve problem) problem)))) (spec divide-and-conquer-solution (import divide-and-conquer-problem) (op solve (problem) (if (not (problemp problem)) :default-value ;should never happen. (if (directly-solvablep problem) (solve-directly problem) (mv-let (first-subproblem second-subproblem) (divide problem) (combine (solve first-subproblem) (solve second-subproblem)))))) (theorem solve-correct (implies (problemp problem) (solutionp (solve problem) problem)))) Divide and Conquer

(spec merge-sort-problem ;;Returns (mv part1 part2) (op split-list (lst) (if (endp lst) (mv nil nil) (if (endp (rest lst)) (mv (list (first lst)) nil) (mv-let (part1 part2) (split-list (rest (rest lst))) (mv (cons (first lst) part1) (cons (second lst) part2)))))) ;; Merge the sorted lists LST1 and LST2 into a sorted list. (op merge-lists (lst1 lst2) (declare (xargs :measure (+ (len lst1) (len lst2)))) (if (endp lst1) lst2 (if (endp lst2) lst1 (if (< (first lst1) (first lst2)) (cons (first lst1) (merge-lists (rest lst1) lst2)) (cons (first lst2) (merge-lists lst1 (rest lst2))))))) ;;Recognizes directly solvable instances: (op short-listp (lst) (< (len lst) 2)) ;; A list of length 0 or 1 is already sorted: (op do-nothing (lst) lst)...) (spec merge-sort-problem ;;Returns (mv part1 part2) (op split-list (lst) (if (endp lst) (mv nil nil) (if (endp (rest lst)) (mv (list (first lst)) nil) (mv-let (part1 part2) (split-list (rest (rest lst))) (mv (cons (first lst) part1) (cons (second lst) part2)))))) ;; Merge the sorted lists LST1 and LST2 into a sorted list. (op merge-lists (lst1 lst2) (declare (xargs :measure (+ (len lst1) (len lst2)))) (if (endp lst1) lst2 (if (endp lst2) lst1 (if (< (first lst1) (first lst2)) (cons (first lst1) (merge-lists (rest lst1) lst2)) (cons (first lst2) (merge-lists lst1 (rest lst2))))))) ;;Recognizes directly solvable instances: (op short-listp (lst) (< (len lst) 2)) ;; A list of length 0 or 1 is already sorted: (op do-nothing (lst) lst)...) Merge Sort

Applying Divide and Conquer Step 1 (prove the morphism) (spec divide-and-conquer-problem (op divide …) (op combine …) (axiom …) …) (spec divide-and-conquer-problem (op divide …) (op combine …) (axiom …) …) (spec merge-sort-problem (op split-list …) (op merge-lists …) …) (spec merge-sort-problem (op split-list …) (op merge-lists …) …) (morphism … ((problemp true-listp) (solutionp sorted-permutationp) (directly-solvablep short-listp) (solve-directly do-nothing) (divide split-list) (combine merge-lists) …) (theorem merge-sort-solve-directly-correct (implies (and (true-listp lst) (short-listp lst)) (sorted-permutationp (do-nothing lst) lst))) (theorem merge-lists-correct (implies (and (true-listp problem) (not (short-listp problem)) (sorted-permutationp solution0 (mv-nth 0 (split-list problem))) (sorted-permutationp solution1 (mv-nth 1 (split-list problem)))) (sorted-permutationp (merge-lists solution0 solution1) problem)))... Proof Obligations:

Applying Divide and Conquer Step 1 (apply Spec Substitution) (spec divide-and-conquer-problem (op divide …) (op combine …) (axiom …) …) (spec divide-and-conquer-problem (op divide …) (op combine …) (axiom …) …) (spec divide-and-conquer-solution (op solve …) (theorem solve-correct …)) (spec divide-and-conquer-solution (op solve …) (theorem solve-correct …)) (spec merge-sort-problem (op split-list …) (op merge-lists …) …) (spec merge-sort-problem (op split-list …) (op merge-lists …) …) import morphism (spec merge-sort-solution (op merge-sort …) (theorem merge-sort-correct …)) (spec merge-sort-solution (op merge-sort …) (theorem merge-sort-correct …)) import Generated by spec substitution Proof is done by functional instantiation. Normally, a derivation would have more than one step.

Conclusion Software Synthesis in ACL2 – Stepwise Refinement – Transformations – Specs and Morphisms Correct-by-construction Code Variations: – Generate diverse versions – Verify existing code

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.