1 Automated Theorem Proving: PVS Alexander Serebrenik.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.
Type Inference David Walker COS 320. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.
Semantics Static semantics Dynamic semantics attribute grammars
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Inference and Reasoning. Basic Idea Given a set of statements, does a new statement logically follow from this. For example If an animal has wings and.
CSE 8389 Theorem Proving - Seidel Spring CSE 8389 Theorem Proving Peter-Michael Seidel.
ISBN Chapter 3 Describing Syntax and Semantics.
Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.
School of Computing and Mathematics, University of Huddersfield CAS2545: WEEK 11 LECTURE: n The meaning of Algebraic Specifications TUTORIAL/PRACTICAL:
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Katz Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems Shmuel Katz The Technion.
Inference and Resolution for Problem Solving
1 Theorem proving Alexander Serebrenik. 2 TP for FM FM: proving properties of programs. Theorem proving: proving statements in first-order logics (FOL).
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Type Inference David Walker COS 441. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.
After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.
Describing Syntax and Semantics
Introduction to Logic for Artificial Intelligence Lecture 2 Erik Sandewall 2010.
1 Theorem Proving and Model Checking in PVS A Modeling Hardware and Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.
Equational Reasoning Math Foundations of Computer Science.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Murali Sitaraman
The ACL2 Proof Assistant Formal Methods Jeremy Johnson.
CAS- 734 (Presentation -1) By : Vasudha Kapil
1 Theorem Proving and Model Checking in PVS A PVS – An Introduction Edmund Clarke Daniel Kroening Carnegie Mellon University.
Mathematical Modeling and Formal Specification Languages CIS 376 Bruce R. Maxim UM-Dearborn.
0 REVIEW OF HASKELL A lightening tour in 45 minutes.
© Kenneth C. Louden, Chapter 11 - Functional Programming, Part III: Theory Programming Languages: Principles and Practice, 2nd Ed. Kenneth C. Louden.
Pushdown Automata (PDAs)
CSE 311 Foundations of Computing I Lecture 8 Proofs and Set Theory Spring
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Joseph E. Hollingsworth
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
Second-Order Functions and Theorems in ACL2 Alessandro Coglio Workshop 2015 Kestrel Institute.
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
© Kenneth C. Louden, Chapter 11 - Functional Programming, Part III: Theory Programming Languages: Principles and Practice, 2nd Ed. Kenneth C. Louden.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.
Chapter 3 Part II Describing Syntax and Semantics.
CSE Winter 2008 Introduction to Program Verification January 31 proofs through simplification.
CS 103 Discrete Structures Lecture 13 Induction and Recursion (1)
Types and Programming Languages Lecture 11 Simon Gay Department of Computing Science University of Glasgow 2006/07.
CMSC 330: Organization of Programming Languages Operational Semantics a.k.a. “WTF is Project 4, Part 3?”
Advanced Formal Methods Lecture 4: Isabelle – Types and Terms Mads Dam KTH/CSC Course 2D1453, Some material from Paulson.
Semantics of Predicate Calculus For the propositional calculus, an interpretation was simply an assignment of truth values to the proposition letters of.
CS412/413 Introduction to Compilers Radu Rugina Lecture 13 : Static Semantics 18 Feb 02.
1/24 An Introduction to PVS Charngki PSWLAB An Introduction to PVS Judy Crow, Sam Owre, John Rushby, Natarajan Shankar, Mandayam Srivas Computer.
CS104:Discrete Structures Chapter 2: Proof Techniques.
CSE 311: Foundations of Computing Fall 2013 Lecture 8: Proofs and Set theory.
CMSC 330: Organization of Programming Languages Operational Semantics.
1 Lecture 5 PVS commands. 2 Last week Logical formalisms, first-order logic (syntax, semantics). Introduction to PVS. Language of PVS. Proving sequents.
Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
Process Algebra (2IF45) Basic Process Algebra Dr. Suzana Andova.
1 Section 7.1 First-Order Predicate Calculus Predicate calculus studies the internal structure of sentences where subjects are applied to predicates existentially.
Interface specifications At the core of each Larch interface language is a model of the state manipulated by the associated programming language. Each.
Copyright 1999Paul F. Reynolds, Jr. Foundations of Logic Programming.
1 Proving Properties of Recursive List Functions CS 270 Math Foundations of CS Jeremy Johnson.
Lecture 11: Proof by Reflection
Introduction to Logic for Artificial Intelligence Lecture 2
Spring 2017 Program Analysis and Verification
A lightening tour in 45 minutes
Proving Properties of Recursive List Functions
MA/CSSE 474 More Math Review Theory of Computation
Computer Security: Art and Science, 2nd Edition
Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract, Computer,
Search techniques.
Algebraic Specification Software Specification Lecture 34
Presentation transcript:

1 Automated Theorem Proving: PVS Alexander Serebrenik

2 Before We Start PVS is installed at svstud. –no password for svstud? –contact Jan de Jong of the Notebook Service center: HG 8.86, tel Install an X Windows client on your laptop –built-in for Linux –for Windows, e.g., Exceed (via BCF) On Wednesday we will meet in Auditorium 9 (laptop lecture hall).

3 Last Time Foundations of Automated Theorem Proving –soundness and completeness –Gentzen’s sequent –system G for propositional calculus first order logics first order logics with equality

4 Today PVS (Prototype Verification System) –Developed at SRI International –Open Source (GPL) since 1993 –Runs on Linux/Solaris/Mac –Uses Emacs as Interface –Supports System G reasoning… –and much, much more!

5 Applications of PVS Both academic and industrial: Verification of Javacard applets Hardware verification Protocol specification and verification Formal Mathematics Safety-critical systems... see

6 First Example (3b)  xA(x)  xB(x)   x(A(x)  B(x)) ex3b: THEORY BEGIN T: TYPE some type x: VAR T variable of this type A,B: [T -> bool] predicate (function to booleans) statement: THEOREM ((FORALL x:A(x)) AND (FORALL x:B(x)) IMPLIES (FORALL x:(A(x) AND B(x)))) END ex3b

7 Sequent System G  A 1, …, A n    B 1, …, B m  PVS [-1] A 1, …, [-n] A n | {1} B 1, …, [m] B m

8 Proof (1) | {1} ((FORALL x: A(x)) AND (FORALL x: B(x)) IMPLIES (FORALL x: (A(x) AND B(x)))) Rule? (flatten) [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) | {1} (FORALL x: (A(x) AND B(x))) Rule? (skolem 1 “y1”) (skolem reference newname) [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) | {1} (A(y1) AND B(y1)) Rule? (split) …yields 2 subgoals: statement.1 : [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) | {1} A(y1) Rule? The second subgoal is postponed

9 Proof (2) [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) | {1} A(y1) Rule? (inst -1 “y1”) (inst reference term) Instantiating the top quantifier in -1 with the terms: y1, This completes the proof of statement.1. statement.2 [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) | {1} B(y1) Rule? The subgoal that we have postponed. (inst -2 “y1”) Instantiating the top quantifier in -2 with the terms: y1, This completes the proof of statement.2.Q.E.D.

10 PVS Proof Commands (flatten)formula to list of formulas (  :left), (  :right), (  :left), (  :right), (  :right), (  :left) (split)formula to a number of proof obligations (  :right), (  :left), (  :left), (  :right) (inst reference term) replace variable by a term (  :right), (  :left) (skolem reference newname) replace variable by a fresh variable (constant) (  :left), (  :right)

11 NB: Flatten and Split PVS is smarter than just one step of System G Flatten and split will apply the corresponding rules as long as they are applicable. | {1}(A IMPLIES B) IMPLIES ((A IMPLIES NOT B) IMPLIES NOT A) {-1} (A IMPLIES B) {-2} (A IMPLIES NOT B) {-3} A | flatten

12 PVS System Tour QQ: Watch the video. What steps did I perform?

13 PVS System Tour 1.Specify (any editor) 2.Parse ( M-x parse, M-x pa ) syntactic checks, e.g., misspellings done by the system automatically when needed 3.Type check ( M-x typecheck, M-x tc ) semantic checks, e.g., undeclared names builds Type Correctness Conditions should be proved! 4.Prove ( M-x prove, M-x pr ) that is what we have done before

14 QQ: First Steps with PVS Recall Exercise 1b from the Instruction: (A  B)  ((A  B)  A) Write a PVS specification, corresponding to this exercise ex1b: THEORY BEGIN A,B: bool statement: THEOREM (A IMPLIES B) IMPLIES ((A IMPLIES NOT B) IMPLIES NOT A) END ex1b

15 PVS Language ex3b: THEORY BEGIN T: TYPE x: VAR T A,B: [T -> bool] statement: THEOREM ((FORALL x:A(x)) AND (FORALL x:B(x)) IMPLIES (FORALL x:(A(x) AND B(x)))) END ex3b Theory identifier Type declaration Variable declaration Constant declarations Formula declaration

16 “Theory Header” Theory identifier ex3b: THEORY List of formal parameters stacks [t: TYPE+] : THEORY groups [G : TYPE, e : G, o : [G,G->G], inv : [G->G] ] : THEORY

17 Types (1) Uninterpreted types: –might be empty T: TYPE –non-empty T: TYPE+ Interpreted types: T : TYPE = type expression Subtypes: S: TYPE FROM T

18 Types (2) Type expressions –builtins bool, int –enumerated {r, g, b} –functions [int, bool -> int] –tuples [int, int] –predicate-based (p) shorthand for {x | p(x)}

19 Types: QQ Functional is a function that takes functions as its argument and returns a real number. Define the type of functionals for functions from T1 to T2 T1, T2: TYPE FT: TYPE = [[T1 -> T2] -> real]

20 Variable Declarations either with VAR –x: VAR bool or within a binding expression ( , , λ) –FORALL (x: int): (EXISTS (x: nat) p(x)) AND q(x))

21 Constant Declarations Constants: n: int, c: int = 3 –The underlying type should be non-empty Functions are also constants: –f: [int -> int] = (lambda (x: int): x+1) –f(x: int): int = x + 1 QQ: What does f(x:(p)): int = x+1 mean for a predicate p ? –(p) shorthand for {x | p(x)}

22 Boolean Functions a.k.a. predicates Can be written as subsets: –odd: [nat -> bool] = {n: nat | EXISTS (m: nat): n = 2 * m + 1} instead of –odd: [nat -> bool] = (LAMBDA (n: nat): EXISTS (m: nat): n = 2 * m + 1)

23 Recursive Functions No mutual recursion Function should be total Termination should be ensured: MEASURE fac(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE x*fac(x-1) ENDIF MEASURE x

24 MEASURE Can be followed by any function: –MEASURE lambda (n: nat): n –MEASURE N-I QQ: Find an appropriate MEASURE for p(x:int): RECURSIVE int = (IF (x > 1 AND x < 1000) THEN p(x*x) ELSIF (x -1000) THEN p(-x*x) ELSE 0 ENDIF)

25 MEASURE : Solution p(x:int): RECURSIVE int = (IF (x > 1 AND x < 1000) THEN p(x*x) ELSIF (x -1000) THEN p(-x*x) ELSE 0 ENDIF) MEASURE pmeas pmeas(x: int): nat = (IF (x > 1 AND x < 1000) THEN 1000-x ELSIF (x -1000) THEN 1000+x ELSE 0 ENDIF)

26 Formula Declarations AXIOM is a formula that can be recalled at any moment of the proof. –use (lemma name ) THEOREM ( or LEMMA) is a formula one likes to prove. May contain free variables: p(x) is equivalent to (FORALL x: p(x))

27 AXIOM s in Practice pop_push: AXIOM pop(push(x, s)) = s pop2push2: THEOREM pop(pop(push(x, push(y, s)))) = s | {1} pop(pop(push(X, push(Y, S)))) = S Rule? Applying pop_push this simplifies to: {-1} FORALL (s: stack, x: t): pop(push(x, s)) = s | [1] pop(pop(push(X, push(Y, S)))) = S (lemma pop_push)

28 Functions Can Be Defined Using AXIOM s 1.f: [int -> int] = (lambda (x: int): x+1) 2.f: [int -> int] f: AXIOM f = (LAMBDA (x: int): x+1) NB! New declaration preserves consistency of the theory, new axiom might not!

29 Between AXIOM and THEOREM groups [G : TYPE, e : G, o : [G,G->G], inv : [G->G] ] : THEORY BEGIN ASSUMING a, b, c : VAR G associativity : ASSUMPTION a o (b o c) = (a o b) o c unit : ASSUMPTION e o a = a AND a o e = a inverse : ASSUMPTION inv(a) o a = e AND a o inv(a) = e ENDASSUMING

30 ASSUMPTION s Appear only between ASSUMING and ENDASSUMING Usually formulated in terms of parameters of the theory When the theory is used, e.g. IMPORTING[int, 0, +, -] assumptions become proof obligations (TCCs).

31 Theory Is Used? EXPORTING specifies names that should be visible to the IMPORTING theories –by default, all names are visible IMPORTING makes visible names of another theory available for the current one. –IMPORTING s are cumulative –Beware the name clashes

32 Summary So Far (1) Lifecycle of a PVS specification: specify, parse, type check, prove. Specification consists of the “header” followed by type, variable, constant and formula declarations. Types: uninterpreted, interpreted. –Type expressions: builtins, enumerated, functions, tuples, predicate-based

33 Summary So Far (2) Recursive functions should be provided by MEASURE. Formula declarations: AXIOM s, ASSUMPTION s and THEOREM s. –AXIOM s can be recalled using the lemma proof command. Adding a new AXIOM does not guarantee consistency of the theory. Theories can EXPORT and IMPORT names.

34 Type Check Executed upon M-x typecheck, or M-x tc. Generate additional proof obligations (theorems) ensuring –type correctness; –termination; –non-emptiness of a type, if constants of this type are being declared.

35 Closer Look at Factorial exfac typechecked in 0.27s: 2 TCCs, 0 proved, 0 subsumed, 2 unproved –TCC = type correctness condition M-x show-tccs fac(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE x*fac(x-1) ENDIF MEASURE x % Subtype TCC for x - 1 fac_TCC1: OBLIGATION FORALL (x: nat): NOT x = 0 IMPLIES x - 1 >= 0; The argument of the recursive call should be a natural number as well. % Termination TCC for fac(x - 1) fac_TCC2: OBLIGATION FORALL (x: nat): NOT x = 0 IMPLIES x - 1 < x;

36 TCCs and Proofs TCCs can be postponed but ultimately should be proved. Failure to prove TCC might indicate that the statement is not valid! Automated attempt to prove the TCCs: M-x typecheck-prove (M-x tcp)

37 Summary: Prove Commands controlfail, postpone, undo, … structurecopy, hide, hide-all-but, reveal,… system Gsplit, flatten, inst, skolem,… decision procedures assert, grind, … definitions and lemmas lemma, expand, … miscellaneouscase, induct, replace, …

38 What If? PVS crashes in the middle of a proof: (restore) you do not know what to do: (help) or (help command) you want to stop the proof attempt: (quit) you want to go to next remaining goal: (postpone) you want to revise your last step: (undo)

39 Manipulating Sequents If some information is needed twice during the proof: (copy) If some information is no longer needed: (delete) If some information might be needed later but is cluttering now: (hide) If some hidden information is needed: M-x show-hidden followed by (reveal reference)

40 Example sum: THEORY BEGIN n: VAR nat sum(n): RECURSIVE nat = (IF n=0 THEN 0 ELSE n+sum(n-1) ENDIF) MEASURE (LAMBDA n:n) closed_form: THEOREM sum(n) = (n * (n+1))/2 END sum

41 closed_form : | {1} FORALL (n: nat): sum(n) = (n * (n + 1)) / 2 Rule? Inducting on n on formula 1,this yields 2 subgoals: closed_form.1 : | {1} sum(0) = (0 * (0 + 1)) / 2 Rule? (induct "n") QQ: What are the two subgoals? Induction base (expand “sum") Expanding the definition of sum, this simplifies to: closed_form.1 : | {1} 0 = 0 / 2 Rule? (assert) Simplifying, rewriting, and recording with decision procedures. This completes the proof of closed_form.1.

42 closed_form.2 : | {1} FORALL j: sum(j) = (j * (j + 1)) / 2 IMPLIES sum(j + 1) = ((j + 1) * (j )) / 2 Rule? Induction step (skosimp) Skolemizing and flattening, this simplifies to: closed_form.2 : {-1} sum(j!1) = (j!1 * (j!1 + 1)) / 2 | {1} sum(j!1 + 1) = ((j!1 + 1) * (j! )) / 2 Rule? skosimp = skolem using standard names + flatten We would like to use expand but only in the succedent! (expand “sum” +) Expanding the definition of sum, this simplifies to: closed_form.2 : [-1] sum(j!1) = (j!1 * (j!1 + 1)) / 2 | {1} 1 + sum(j!1) + j!1 = (2 + j!1 + (j!1 * j!1 + 2 * j!1)) / 2

43 Expanding the definition of sum, this simplifies to: closed_form.2 : [-1] sum(j!1) = (j!1 * (j!1 + 1)) / 2 | {1} 1 + sum(j!1) + j!1 = (2 + j!1 + (j!1 * j!1 + 2 * j!1)) / 2 Rule? (assert) Simplifying, rewriting, and recording with decision procedures, This completes the proof of closed_form.2. Q.E.D. Induction step

44 Proof Commands In the Example (induct n) – induction on variable n (expand “name” ref) – expand definition name in ref: –number –“-” all antecedents –“+” all succedents (skosimp) – skolem with standard names and (flatten) (assert) – prove or simplify using the builtin decision procedures

45 Replace {-1} X = Y | {1} Y = X Rule? (replace -1 1) Replacing using formula -1, this simplifies to: [-1] X = Y | {1} TRUE Replace the left-hand side of (-1) in (1) by the right-hand side of (-1). If you add rl: (replace -1 1 rl) the rewriting will go from right to left.

46 stacks [t: TYPE+] : THEORY BEGIN stack : TYPE+ s : VAR stack empty : stack nonemptystack?(s) : bool = s /= empty push :[t, stack -> (nonemptystack?)] pop : [(nonemptystack?) -> stack] x, y : VAR t pop_push : AXIOM pop(push(x, s)) = s pop2push2: THEOREM pop(pop(push(x, push(y, s)))) = s END stacks QQ: To prove pop2push2 you might like to use A.expand B. induct C. replace

47 More Proof Commands case - distinguish between different cases. propax – proves propositional axioms, i.e., –false as an antecedent, –true or t=t as a succedent –common formula for antecedent and succedent grind – “black magic” but often works: –rewrite using lemmas –simplify numerical expressions –performs equality substitutions –makes use, e.g., of assert and replace smash – propositional and ground simplification

48 Can’t See the Forest for the Trees? current goal part that has been proved part that still has to be proved M-x xpr

49 Can’t See the Forest for the Trees? current goal part that has been proved part that still has to be proved

50 And Even More You can also create LaTeX documentation: M-x latex-theory-view (M-x ltv) PS proofs can be generated from the graphic user interface. … or first in LaTeX: M-x latex-proof

51 Data So far: traditional algebraic specification Better: automated generation from a succinct description. stack [t: TYPE] : DATATYPE BEGIN empty : emptystack? push(top: t, pop: stack): nonemptystack? END stack constructors accessors recognizers M-x typecheck

52 What Is Generated From a Datatype? extensionality axioms for the constructors accessor/constructor axioms –stack_pop_push: AXIOM (FORALL (v1:t, v2: stack) pop(push(v1,v2)) = v2) induction scheme recursive combinator look at stack_adt.pvs

53 Example: Recursive Combinator reduce_nat(emptystack?_fun: nat, nonemptystack?_fun: [[t, nat] -> nat]): [stack -> nat] = LAMBDA (stack_var: stack): CASES stack_var OF empty: emptystack?_fun, push(push1_var, push2_var): nonemptystack?_fun(push1_var, reduce_nat(emptystack?_fun, nonemptystack?_fun)(push2_var)) ENDCASES QQ: What does the following call calculate: reduce_nat(0, (LAMBDA (x:t, n: nat): n+1))?

54 Cases? Pattern matching: CASES stack_var OF empty: …, push(push1_var,push2_var): …)) ENDCASES Can contain ELSE covers all constructors not covered before.

55 Putting It All Together stack: DATATYPE BEGIN empty : emptystack? push(top: t, pop: stack): nonemptystack? END stack length: THEORY BEGIN t: TYPE IMPORTING stack_adt[t] length(s: stack): nat = reduce_nat(0, (LAMBDA(x: t, n:nat): n+1))(s) l0: THEOREM (length(empty) = 0) END length

56 Many Data Types and Theories can be consulted by M-x vpt –view prelude theory are “built in” and described in the Prelude, include –logics, functions, numbers –relations, sets, sequences and lists –sum and quotient types –induction –μ-calculus and CTL

57 Summary: PVS PVS System: Linux/Unix, Emacs + GUI PVS Language: How to write a specification? –THEORY, TYPE, VAR, THEOREM, … –abstract data types PVS Proof Checker: How do we prove? –flatten, split, inst, skolem, expand, lemma… PVS Prelude: Built-in theories –there are even more theories in NASA libraries

58 Don’t Forget: Tomorrow No password for svstud? –contact Jan de Jong of the Notebook Service center: HG 8.86, tel Install an X Windows client on your laptop –built-in for Linux –for Windows, e.g., Exceed (via BCF website) We meet at 8 45 in Auditorium 9.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.