Presentation is loading. Please wait.

Presentation is loading. Please wait.

15-820A Modeling Hardware and Software with PVS

Published byLudo Ziegler Modified over 5 years ago

Similar presentations

Presentation on theme: "15-820A Modeling Hardware and Software with PVS"— Presentation transcript:

1 15-820A Modeling Hardware and Software with PVS
Edmund Clarke Daniel Kroening Carnegie Mellon University

2 Outline PVS Language Modeling Hardware with PVS
Parameterized Theories Modeling Hardware with PVS Combinatorial Clocked Circuits Modeling Software with PVS Sequential Software

3 Outline Proofs The Gentzen Sequent Propositional Part Quantifiers
Equality Induction Using Lemmas/Theorems Rewriting Model Checking Strategies

4 What about the stacks of other types?
Example stacks4: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i<size}->int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) END stacks4 What about the stacks of other types? A

5 Example stacks4: THEORY BEGIN
stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i<size}->int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) END stacks4

6 Theory Parameters Idea: do something like a C++ template
template <class T1, class T2, ...> class stack { ... }; theory[T1: TYPE, T2: TYPE, ...]: THEORY BEGIN ... END theory A

7 Theory Parameters Idea: do something like a C++ template
template <class T1, class T2, ...> class stack { ... f(e: T1):bool; }; theory[T1: TYPE, T2: TYPE, ...]: THEORY BEGIN ... f(e: T1):bool; END theory

8 Example stacks4[T: NONEMPTY_TYPE]: THEORY BEGIN
stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i<size}->T] #] e: T empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): e) #) push(x: T, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) END stacks4

9 Example use_stack: THEORY BEGIN my_type: TYPE = [ posint, posint ]
IMPORTING stacks5; s: stack[my_type]; x: my_type = (1, 2); d: stack[my_type] = push(x , s); END use_stack

10 Theory Parameters PVS uses theory parameters for many definitions
PVS has many heuristics to automatically detect the right theory parameters a, b: posint; a=b same as =[posint](a,b) equalities [T: TYPE]: THEORY BEGIN =: [T, T -> boolean] END equalities

11 Useful Parameterized Theories
PVS comes with several useful parameterized theories Sets over elements of type T subsets, union, complement, power set, finite sets, … Infinite Sequences Finite Sequences Lists Bit vectors A

12 Bit Vectors Bit Vectors are defined using an ARRAY type
bv[N: nat]: THEORY BEGIN bvec : TYPE = [below(N) -> bit] same as boolean 0, …, N-1 A

13 Bit Vectors Extract a bit: bv^(i) i 2 { 0, … , N-1 }
Vector extraction: bv^(m,n) n≤m<N bN: fill(b) Concatenation: bv1 o bv2 Bitwise: bv1 OR bv2 Conversion to integer: bv2nat(bv) Conversion from integer: nat2bv(bv)

14 IMPORTING bitvectors@bv_arith_nat
Bit Vector Arithmetic Requires IMPORTING *, +, -, <=, >=, <, > Many other useful theories Look in pvs/lib/bitvectors

15 Bit Vectors Example: How many bits? bv_ex: THEORY BEGIN
x: VAR bvec[32] zero_lemma: LEMMA bv2nat(x)=0 IFF x=fill(false) END bv_ex How many bits? A

16 Bit Vectors Example: bv_ex: THEORY BEGIN x: VAR bvec[32]
zero_lemma: LEMMA bv2nat[32](x)=0 IFF x=fill[32](false) END bv_ex

17 PVS Workflow   PROOFS System PVS File Properties
Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually Proof construction Interaction with the theorem prover A

18 Modeling Hardware with PVS
Combinational Hardware No latches Circuit is loop-free Examples: arithmetic circuits, ALUs, … Clocked Circuits Combinational part + registers (latches) Examples: Processors, Controllers,… A

19 Modeling Hardware with PVS
Idea: Model combinational circuits using functions on bit vectors f(A, B, reset: bit):bit= IF reset THEN (NOT A) OR B ELSE false ENDIF Translation from/to Verilog, VHDL, etc. easy A

20 Modeling Hardware with PVS
What is the Theorem Prover good for? Equivalence checking? No. Parameterized circuits Prove circuit with “N” bits Arithmetic What is a correct adder? Integer? Floating Point? A purely propositional specification is not really useful A

21 Parameterized Circuits
Binary tree for 8 inputs Parameterized for 2k inputs A

22 Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN btree(k: nat, l:[below(exp2(k))->T]): RECURSIVE T = IF k=0 THEN l(0) ELSE btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i)) o btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i+exp2(k-1))) ENDIF MEASURE k btree(l:[below(exp2(K))->T]):T=btree(K, l) END btree Property? A

23 Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN ... btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp(K)-1) END btree Dot dot dot? A

24 Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN ... btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp(K)-1) seq(i: nat, l:[upto(i)->T]): RECURSIVE T = IF i=0 THEN l(0) ELSE seq (i-1, LAMBDA (j: below(i)): l(j)) o l(i) ENDIF MEASURE i Btree_correct: THEOREM btree(l) = seq(exp(K)-1, l) END btree What is missing? Can you prove this? A

25 Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN ASSUMING fassoc: ASSUMPTION associative?(o) ENDASSUMING ... END btree This is NOT like an axiom! zerotester_imp(op): bit = NOT btree[bit, K, OR](op) PVS will make you prove here that OR is associative A

26 Wait a second! You are adding bits here!
Arithmetic Circuits a,b,cin : VAR bit oba_sum(a,b,cin): bit = (a XOR b XOR cin) oba_cout(a,b,cin): bit = ((a AND b) OR (a AND cin) OR (b AND cin)) Wait a second! You are adding bits here! Property? One Bit Adder (oba) oba_correct: LEMMA a + b + cin = 2 * oba_cout(a,b,cin) + oba_sum(a,b,cin) A

27 Conversions There is no addition on bits (or boolean)!
oba_correct: LEMMA a + b + cin = 2 * oba_cout(a,b,cin) + oba_sum(a,b,cin) There is no addition on bits (or boolean)! bit : TYPE = bool nbit : TYPE = below(2) b2n(b:bool): nbit = IF b THEN 1 ELSE 0 ENDIF CONVERSION b2n below(2) is a subtype of the integer type, and we have addition for that. A

28 Arithmetic Circuits Carry Chain Adder

29 Arithmetic Circuits cout(n,a,b,a_cin): RECURSIVE bit = IF n=0 THEN
oba_cout(a(0),b(0),a_cin) ELSE oba_cout(a(n),b(n), cout(n-1,a,b,a_cin)) ENDIF MEASURE n bv_adder(a,b,a_cin): bvec[N] = LAMBDA (i:below(N)): IF i=0 THEN oba_sum(a(0),b(0),a_cin) ELSE oba_sum(x(i),y(i), cout(i-1,x,y,a_cin)) ENDIF A

30 Arithmetic Circuits bv_adder(a,b,a_cin): bvec[N] =
LAMBDA (i:below(N)): IF i=0 THEN oba_sum(a(0),b(0),a_cin) ELSE oba_sum(x(i),y(i), cout(i-1,x,y,a_cin)) ENDIF adder_correct: THEOREM exp2(N)*cout(N-1,a,b,a_cin)+bv2nat(bv_adder(a,b,a_cin))= bv2nat(a) + bv2nat(b) + a_cin adder_is_add: THEOREM bv_adder(a,b,FALSE) = a + b A

31 Modeling Hardware with PVS
Combinational Hardware No latches Circuit is loop-free Examples: arithmetic circuits, ALUs, … Clocked Circuits Combinational part + registers (latches) Examples: Processors, Controllers,… A

32 Configuration in cycle 4
Clocked Circuits T reset A B 1 ? 2 3 4 5 Configuration in cycle 4 A

33 Clocked Circuits 1. Define Type for STATE and INPUTS
C: TYPE = [# A, B: bit #] I: TYPE = [# reset: bit #] 2. Define the Transition Function t(c: C, i: I):C= (# A:= IF i`reset THEN false ELSE (NOT c`A) OR c`B ENDIF, B:= IF i`reset THEN false ELSE c`A OR c`B ENDIF #) A

34 Clocked Circuits 3. Define Initial State and Inputs
initial: C i: [nat -> I]; 4. Define the Configuration Sequence c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T A

35 Clocked Circuits 5. Prove things about this sequence
c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)`A AND NOT c(2)`B) You can also verify invariants, even temporal properties that way. A

36 Modeling Software with PVS
(Software written in functional language) (Take a subset of PVS, and compile that) Software written in language like ANSI-C int f(int i) { int a[10]={ 0, … }; ... a[i]=5; ... return a[0]; } f(i: int):int= LET a1=LAMBDA (x: below(10)): 0 IN ... LET a2=a1 WITH [(i):=5] IN ... ai(0) What about loops? A

37 Modeling Software with PVS
int a[10]; unsigned i; int main() { . . . } 1. Define Type for STATE C: TYPE = [# a: [below(10)->integer], i: nat #] nat? Of course, bvec[32] is better A

38 Modeling Software with PVS
2. Translate your program into goto program int a[10]; unsigned i,j,k; int main() { i=k=0; while(i<10) { i++; k+=2; } j=100; k++; int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } A

39 Modeling Software with PVS
3. Partition your program into basic blocks 4. Write transition function for each basic block L1(c: C):C= c WITH [i:=0, k:=0] L2(c: C):C= c L3(c: C):C= c WITH [i:=c`i+1, k:=c`k+2] L4(c: C):C= c WITH [j:=100, k:=c`k+1] int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } A

40 Modeling Software with PVS
add PC: PCt to C 5. Combine transition functions using a program counter make sure the PC of the initial state is L1 PCt: TYPE = { L1, L2, L3, L4, END } int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } t(c: C): C= CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT (c`i<10) THEN L ELSE L3 ENDIF, L3: L3(c) WITH [PC:=L2], L4: L4(c) WITH [PC:=END], END: c ENDCASES A

41 Modeling Software with PVS
Next week: I/O in case of programs Proving termination Concurrent programs A

42 PVS Workflow   PROOFS System PVS File Properties
Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually Proof construction Interaction with the theorem prover A

43 The Gentzen Sequent {-1} i(0)`reset {-2} i(4)`reset | {1} i(1)`reset {2} i(2)`reset {3} (c(2)`A AND NOT c(2)`B) Conjunction (Antecedents) Disjunction (Consequents) Or: Reset in cycles 0, 4 is on, and off in 1, 2. Show that A and not B holds in cycle 2.

44 The Gentzen Sequent COPY duplicates a formula Why? When you instantiate a quantified formula, the original one is lost DELETE removes unnecessary formulae – keep your proof easy to follow

45 Propositional Rules BDDSIMP simplify propositional structure using BDDs CASE: case splitting usage: (CASE “i!1=5”) FLATTEN: Flattens conjunctions, disjunctions, and implications IFF: Convert a=b to a<=>b for a, b boolean LIFT-IF move up case splits inside a formula

46 Quantifiers INST: Instantiate Quantifiers
Do this if you have EXISTS in the consequent, or FORALL in the antecedent Usage: (INST -10 “100+x”) SKOLEM!: Introduce Skolem Constants Do this if you have FORALL in the consequent (and do not want induction), or EXISTS in the antecedent If the type of the variable matters, use SKOLEM-TYPEPRED

47 Equality REPLACE: If you have an equality in the antecedent, you can use REPLACE Example: (REPLACE -1) {-1} l=r replace l by r Example: (REPLACE -1 RL) {-1} l=r replace r by l

48 Using Lemmas / Theorems
EXPAND: Expand the definition Example: (EXPAND “min”) LEMMA: add a lemma as antecedent Example: (LEMMA “my_lemma”) After that, instantiate the quantifiers with (INST -1 “x”) Try (USE “my_lemma”). It will try to guess how you want to instantiate

49 Induction INDUCT: Performs induction Usage: (INDUCT “i”)
There should be a FORALL i: … equation in the consequent You get two subgoals, one for the induction base and one for the step PVS comes with many induction schemes. Look in the prelude for the full list

50 What next… Webpage! Installation instructions for PVS Further reading
Homework assignment

Download ppt "15-820A Modeling Hardware and Software with PVS"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.

Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
1 Theorem Proving and Model Checking in PVS 15-820A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.

1 Theorem Proving and Model Checking in PVS A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel.

CSE 8389 Theorem Proving - Seidel Spring CSE 8389 Theorem Proving Peter-Michael Seidel.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
74.757 Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.

Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture4: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture4: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
What’s left in the course. The course in a nutshell Logics Techniques Applications.

What’s left in the course. The course in a nutshell Logics Techniques Applications.
Katz2004 236386--Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems 236368 Shmuel Katz The Technion.

Katz Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems Shmuel Katz The Technion.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Logic in Computer Science Transparency No. 3.3-1 Chapter 3 Propositional Logic 3.6. Propositional Resolution 3.7. Natural Deduction.

Logic in Computer Science Transparency No Chapter 3 Propositional Logic 3.6. Propositional Resolution 3.7. Natural Deduction.
Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.

Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Similar presentations

Ads by Google