
Theorem Proving and Model Checking in PVS
15-820A Modeling Hardware and Software with PVS
Edmund Clarke, Daniel Kroening, Carnegie Mellon University





Slide 2: Outline
- PVS Language
  – Parameterized Theories
- Modeling Hardware with PVS
  – Combinational circuits
  – Clocked circuits
- Modeling Software with PVS
  – Sequential software

Slide 3: Outline
- Proofs
  – The Gentzen sequent
  – Propositional part
  – Quantifiers
  – Equality
  – Induction
  – Using lemmas/theorems
  – Rewriting
  – Model checking
  – Strategies

Slide 4: Example

  stacks4: THEORY
  BEGIN
    stack: TYPE = [# size: nat, elements: ARRAY[{i: nat | i < size} -> int] #]
    empty: stack = (# size := 0, elements := (LAMBDA (j: nat | FALSE): 0) #)
    push(x: int, s: stack): { s: stack | s`size >= 1 } =
      (# size := s`size + 1,
         elements := LAMBDA (j: below(s`size + 1)):
                       IF j < s`size THEN s`elements(j) ELSE x ENDIF #)
    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1,
         elements := LAMBDA (j: nat | j < s`size - 1): s`elements(j) #)
  END stacks4

What about stacks of other types?


Slide 6: Theory Parameters
Idea: do something like a C++ template.

  theory[T1: TYPE, T2: TYPE, ...]: THEORY
  BEGIN
    ...
  END theory

  template <class T1, class T2, ...> class stack { ... };

Slide 7: Theory Parameters
The parameters are used in the declarations inside the theory, just like the template arguments inside the class body.

  theory[T1: TYPE, T2: TYPE, ...]: THEORY
  BEGIN
    ...
    f(e: T1): bool;
    ...
  END theory

  template <class T1, class T2, ...> class stack { ... f(e: T1): bool; ... };

Slide 8: Example

  stacks4[T: NONEMPTY_TYPE]: THEORY
  BEGIN
    stack: TYPE = [# size: nat, elements: ARRAY[{i: nat | i < size} -> T] #]
    e: T
    empty: stack = (# size := 0, elements := (LAMBDA (j: nat | FALSE): e) #)
    push(x: T, s: stack): { s: stack | s`size >= 1 } =
      (# size := s`size + 1,
         elements := LAMBDA (j: below(s`size + 1)):
                       IF j < s`size THEN s`elements(j) ELSE x ENDIF #)
    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1,
         elements := LAMBDA (j: nat | j < s`size - 1): s`elements(j) #)
  END stacks4

Slide 9: Example

  use_stack: THEORY
  BEGIN
    my_type: TYPE = [posint, posint]
    IMPORTING stacks5;
    s: stack[my_type];
    x: my_type = (1, 2);
    d: stack[my_type] = push(x, s);
  END use_stack

Slide 10: Theory Parameters
PVS uses theory parameters for many definitions:

  equalities[T: TYPE]: THEORY
  BEGIN
    =: [T, T -> boolean]
  END equalities

PVS has many heuristics to automatically detect the right theory parameters:

  a, b: posint;
  a = b    is the same as    =[posint](a, b)

Slide 11: Useful Parameterized Theories
PVS comes with several useful parameterized theories:
- Sets over elements of type T: subsets, union, complement, power set, finite sets, …
- Infinite sequences
- Finite sequences
- Lists
- Bit vectors

Slide 12: Bit Vectors
Bit vectors are defined using an ARRAY type:

  bv[N: nat]: THEORY
  BEGIN
    bvec: TYPE = [below(N) -> bit]   % below(N) is {0, …, N-1}; bit is the same as boolean

Slide 13: Bit Vectors
- Extract a bit: bv^(i), i ∈ {0, …, N-1}
- Vector extraction: bv^(m, n), n ≤ m < N
- Fill: fill(b), the vector b^N (N copies of the bit b)
- Concatenation: bv1 o bv2
- Bitwise: bv1 OR bv2
- Conversion to integer: bv2nat(bv)
- Conversion from integer: nat2bv(n)

Slide 14: Bit Vector Arithmetic
Requires IMPORTING bitvectors@bv_arith_nat, which provides *, +, -, =, …
Many other useful theories: look in pvs/lib/bitvectors.

Slide 15: Bit Vectors
Example:

  bv_ex: THEORY
  BEGIN
    x: VAR bvec[32]
    zero_lemma: LEMMA bv2nat(x) = 0 IFF x = fill(false)
  END bv_ex

How many bits?

Slide 16: Bit Vectors
Example, with the width given explicitly:

  bv_ex: THEORY
  BEGIN
    x: VAR bvec[32]
    zero_lemma: LEMMA bv2nat[32](x) = 0 IFF x = fill[32](false)
  END bv_ex

Slide 17: PVS Workflow
[Diagram] System and Properties → PVS File → PROOFS
- Conversion of the system (program, circuit, protocol, …) and the property into a PVS file: can be automated or done manually
- Proof construction: interaction with the theorem prover

Slide 18: Modeling Hardware with PVS
- Combinational hardware
  – No latches
  – Circuit is loop-free
  – Examples: arithmetic circuits, ALUs, …
- Clocked circuits
  – Combinational part + registers (latches)
  – Examples: processors, controllers, …

Slide 19: Modeling Hardware with PVS
Idea: model combinational circuits using functions on bit vectors.

  f(A, B, reset: bit): bit =
    IF reset THEN (NOT A) OR B ELSE false ENDIF

Translation from/to Verilog, VHDL, etc. is easy.

Slide 20: Modeling Hardware with PVS
What is the theorem prover good for?
- Equivalence checking? No.
- Parameterized circuits: prove the circuit for "N" bits.
- Arithmetic: what is a correct adder? Integer? Floating point?
A purely propositional specification is not really useful.

Slide 21: Parameterized Circuits
[Figure] A binary tree for 8 inputs, parameterized for 2^k inputs.

Slide 22: Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    btree(k: nat, l: [below(exp2(k)) -> T]): RECURSIVE T =
      IF k = 0 THEN l(0)
      ELSE btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i))
           o btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i + exp2(k-1)))
      ENDIF
      MEASURE k
    btree(l: [below(exp2(K)) -> T]): T = btree(K, l)
  END btree

Property?

Slide 23: Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ...
    btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp2(K)-1)
  END btree

Dot dot dot?

Slide 24: Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ...
    btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp2(K)-1)

    seq(i: nat, l: [upto(i) -> T]): RECURSIVE T =
      IF i = 0 THEN l(0)
      ELSE seq(i-1, LAMBDA (j: below(i)): l(j)) o l(i)
      ENDIF
      MEASURE i

    Btree_correct: THEOREM btree(l) = seq(exp2(K)-1, l)
  END btree

Can you prove this? What is missing?

Slide 25: Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ASSUMING
      fassoc: ASSUMPTION associative?(o)
    ENDASSUMING
    ...
  END btree

This is NOT like an axiom! When the theory is instantiated, as in

  zerotester_imp(op): bit = NOT btree[bit, K, OR](op)

PVS will make you prove here that OR is associative.
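The following is an added executable model of the btree theory of slides 22 to 25; it is not code from the slides, and it is Python rather than PVS, so it gives a bounded check of the theorem on small instances, not a proof. btree and seq follow the two RECURSIVE definitions, btree_correct is the equality btree(l) = seq(exp2(K)-1, l), and check_all runs it over every leaf vector drawn from a constructed value set. It shows why the ASSUMING is needed: the equality holds for every associative o but fails for a non-associative one such as subtraction. zerotester_imp is the instantiation from slide 25 (the width is derived from the input length, an assumption of this model).

```python
# Added example (not from the slides): executable model of the btree theory.
from itertools import product


def btree(k, l, o):
    # btree(k, l) reduces the 2^k leaves of l pairwise with o; exp2(k-1) = 2 ** (k - 1)
    if k == 0:
        return l(0)
    half = 2 ** (k - 1)
    left = btree(k - 1, lambda i: l(i), o)
    right = btree(k - 1, lambda i: l(i + half), o)
    return o(left, right)


def seq(i, l, o):
    # seq(i, l) = l(0) o l(1) o ... o l(i), left-associated, as on slide 24
    if i == 0:
        return l(0)
    return o(seq(i - 1, l, o), l(i))


def btree_correct(K, leaves, o):
    """The theorem btree(l) = seq(exp2(K)-1, l), checked for one leaf vector."""
    assert len(leaves) == 2 ** K
    l = lambda i: leaves[i]
    return btree(K, l, o) == seq(2 ** K - 1, l, o)


def check_all(K, values, o):
    """Bounded check: btree_correct over every leaf vector drawn from `values`."""
    return all(btree_correct(K, leaves, o)
               for leaves in product(values, repeat=2 ** K))


def zerotester_imp(op):
    # slide 25: zerotester_imp(op) = NOT btree[bit, K, OR](op)
    # K is derived from len(op), which is assumed to be a power of two
    K = len(op).bit_length() - 1
    return not btree(K, lambda i: op[i], lambda x, y: x or y)


if __name__ == "__main__":
    # OR and + are associative: the theorem holds on every input of these sizes
    print(check_all(3, [False, True], lambda x, y: x or y))   # True
    print(check_all(2, [0, 1, 2], lambda x, y: x + y))        # True
    # subtraction is not: a tree-shaped and a chain-shaped reduction differ
    print(check_all(2, [0, 1, 2], lambda x, y: x - y))        # False
    print(zerotester_imp((False,) * 8))                       # True
```

The failing case is the one the ASSUMPTION rules out: for leaves (0, 0, 0, 1) the tree computes (0 - 0) - (0 - 1) = 1 while the chain computes ((0 - 0) - 0) - 1 = -1, so without associative?(o) no proof of Btree_correct can exist.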

Slide 26: Arithmetic Circuits
A one-bit adder (oba):

  a, b, cin: VAR bit
  oba_sum(a, b, cin): bit = (a XOR b XOR cin)
  oba_cout(a, b, cin): bit = ((a AND b) OR (a AND cin) OR (b AND cin))

Property?

  oba_correct: LEMMA a + b + cin = 2 * oba_cout(a, b, cin) + oba_sum(a, b, cin)

Wait a second! You are adding bits here!

Slide 27: Conversions

  oba_correct: LEMMA a + b + cin = 2 * oba_cout(a, b, cin) + oba_sum(a, b, cin)

There is no addition on bits (or boolean)!

  bit: TYPE = bool
  nbit: TYPE = below(2)
  b2n(b: bool): nbit = IF b THEN 1 ELSE 0 ENDIF
  CONVERSION b2n

below(2) is a subtype of the integer type, and we have addition for that.

Slide 28: Arithmetic Circuits
[Figure] Carry chain adder

Slide 29: Arithmetic Circuits

  % variable declarations are omitted on the slide; these are assumed (N is the bit width)
  a, b: VAR bvec[N]
  a_cin: VAR bit
  n: VAR below(N)

  cout(n, a, b, a_cin): RECURSIVE bit =
    IF n = 0 THEN oba_cout(a(0), b(0), a_cin)
    ELSE oba_cout(a(n), b(n), cout(n-1, a, b, a_cin))
    ENDIF
    MEASURE n

  bv_adder(a, b, a_cin): bvec[N] =
    LAMBDA (i: below(N)):
      IF i = 0 THEN oba_sum(a(0), b(0), a_cin)
      ELSE oba_sum(a(i), b(i), cout(i-1, a, b, a_cin))
      ENDIF

Slide 30: Arithmetic Circuits

  bv_adder(a, b, a_cin): bvec[N] =
    LAMBDA (i: below(N)):
      IF i = 0 THEN oba_sum(a(0), b(0), a_cin)
      ELSE oba_sum(a(i), b(i), cout(i-1, a, b, a_cin))
      ENDIF

  adder_correct: THEOREM
    exp2(N) * cout(N-1, a, b, a_cin) + bv2nat(bv_adder(a, b, a_cin))
      = bv2nat(a) + bv2nat(b) + a_cin

  adder_is_add: THEOREM bv_adder(a, b, FALSE) = a + b


Slide 32: Clocked Circuits
A run of a clocked circuit with state bits A, B and input reset (? = unknown initial value):

  T  reset  A  B
  0    1    ?  ?
  1    0    0  0
  2    0    1  0
  3    0    0  1
  4    0    1  1   <- configuration in cycle 4
  5    0    1  1

Slide 33: Clocked Circuits
1. Define types for the STATE and the INPUTS:

  C: TYPE = [# A, B: bit #]
  I: TYPE = [# reset: bit #]

2. Define the transition function:

  t(c: C, i: I): C =
    (# A := IF i`reset THEN false ELSE (NOT c`A) OR c`B ENDIF,
       B := IF i`reset THEN false ELSE c`A OR c`B ENDIF #)

Slide 34: Clocked Circuits
3. Define the initial state and the inputs:

  initial: C
  i: [nat -> I];

4. Define the configuration sequence:

  c(T: nat): RECURSIVE C =
    IF T = 0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF
    MEASURE T

Slide 35: Clocked Circuits

  c(T: nat): RECURSIVE C =
    IF T = 0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF
    MEASURE T

5. Prove things about this sequence:

  c_lem: LEMMA
    (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset)
      => (c(2)`A AND NOT c(2)`B)

You can also verify invariants, even temporal properties, that way.
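The following is an added executable model of the clocked circuit of slides 32 to 35; it is not code from the slides and it is Python, not PVS. C, I, t and c follow steps 1 to 4; trace reproduces the table of slide 32 from a chosen initial state and reset sequence; and because `initial` and the input function `i` are uninterpreted constants in the theory, check_c_lem ranges over every initial state and every reset sequence of length 3, which is the bounded counterpart of proving c_lem.

```python
# Added example (not from the slides): executable model of the clocked circuit.
from itertools import product
from typing import NamedTuple


class C(NamedTuple):      # C: TYPE = [# A, B: bit #]
    A: bool
    B: bool


class I(NamedTuple):      # I: TYPE = [# reset: bit #]
    reset: bool


def t(c, i):
    # transition function of slide 33
    if i.reset:
        return C(False, False)
    return C((not c.A) or c.B, c.A or c.B)


def c(T, initial, i):
    # configuration sequence of slide 34: c(0) = initial, c(T) = t(c(T-1), i(T-1))
    if T == 0:
        return initial
    return t(c(T - 1, initial, i), i(T - 1))


def trace(initial, resets):
    """Rows (T, reset, A, B) as in the table of slide 32; row T = 0 is the chosen initial state."""
    i = lambda T: I(resets[T])
    return [(T, resets[T], *c(T, initial, i)) for T in range(len(resets))]


def c_lem(initial, i):
    # LEMMA of slide 35, for one initial state and one input function
    premise = i(0).reset and not i(1).reset and not i(2).reset
    return (not premise) or (c(2, initial, i).A and not c(2, initial, i).B)


def check_c_lem():
    """Bounded check of c_lem: all 4 initial states x all 8 reset sequences of length 3."""
    return all(c_lem(C(a, b), lambda T, r=resets: I(r[T]))
               for a, b in product((False, True), repeat=2)
               for resets in product((False, True), repeat=3))


if __name__ == "__main__":
    # constructed input: reset in cycle 0 only, initial state arbitrary (here 0, 0)
    for row in trace(C(False, False), [True, False, False, False, False, False]):
        print(row)
    print(check_c_lem())   # True
```

The reset in cycle 0 is what makes the lemma independent of the unknown initial state: c(1) is forced to (0, 0) whatever `initial` is, so every branch of the enumeration agrees with the table.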

Slide 36: Modeling Software with PVS
- Software written in a functional language: take a subset of PVS and compile that.
- Software written in a language like ANSI C:

  int f(int i) {
    int a[10] = { 0, … };
    ...
    a[i] = 5;
    ...
    return a[0];
  }

  f(i: int): int =
    LET a1 = LAMBDA (x: below(10)): 0 IN
    ...
    LET a2 = a1 WITH [(i) := 5] IN
    ...
    ai(0)

What about loops?

Slide 37: Modeling Software with PVS
1. Define a type for the STATE:

  int a[10];
  unsigned i;
  int main() { ... }

  C: TYPE = [# a: [below(10) -> integer], i: nat #]

nat? Of course, bvec[32] is better.

Slide 38: Modeling Software with PVS
2. Translate your program into a goto program:

  int a[10];
  unsigned i, j, k;
  int main() {
    i = k = 0;
    while (i < 10) { i++; k += 2; }
    j = 100;
    k++;
  }

  int a[10];
  unsigned i, j, k;
  int main() {
    L1: i = k = 0;
    L2: if (!(i < 10)) goto L4;
    L3: i++; k += 2; goto L2;
    L4: j = 100; k++;
  }

Slide 39: Modeling Software with PVS
3. Partition your program into basic blocks:

  int a[10];
  unsigned i, j, k;
  int main() {
    L1: i = k = 0;
    L2: if (!(i < 10)) goto L4;
    L3: i++; k += 2; goto L2;
    L4: j = 100; k++;
  }

4. Write a transition function for each basic block (the state type C now also needs the fields j and k):

  L1(c: C): C = c WITH [i := 0, k := 0]
  L2(c: C): C = c
  L3(c: C): C = c WITH [i := c`i + 1, k := c`k + 2]
  L4(c: C): C = c WITH [j := 100, k := c`k + 1]

Slide 40: Modeling Software with PVS
5. Combine the transition functions using a program counter:

  int a[10];
  unsigned i, j, k;
  int main() {
    L1: i = k = 0;
    L2: if (!(i < 10)) goto L4;
    L3: i++; k += 2; goto L2;
    L4: j = 100; k++;
  }

  PCt: TYPE = { L1, L2, L3, L4, END }

Add PC: PCt to C, then:

  t(c: C): C =
    CASES c`PC OF
      L1: L1(c) WITH [PC := L2],
      L2: L2(c) WITH [PC := IF NOT (c`i < 10) THEN L4 ELSE L3 ENDIF],
      L3: L3(c) WITH [PC := L2],
      L4: L4(c) WITH [PC := END],
      END: c
    ENDCASES

Make sure the PC of the initial state is L1.
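The following is an added executable model of steps 1 to 5 on slides 37 to 40; it is not code from the slides and it is Python, not PVS. The state C carries the globals a, i, j, k and the program counter PC, there is one function per basic block, t combines them with the CASES on c`PC, and run iterates t from the initial state (PC = L1) to END. inv is a loop invariant chosen for this example (k = 2 * i while control is in the loop), checked at every step of the bounded run; in PVS the same property would be proved by induction on T over the configuration sequence.

```python
# Added example (not from the slides): the goto program as a transition system.
from dataclasses import dataclass, replace
from enum import Enum


class PCt(Enum):          # PCt: TYPE = { L1, L2, L3, L4, END }
    L1 = 1
    L2 = 2
    L3 = 3
    L4 = 4
    END = 5


@dataclass(frozen=True)
class C:                  # state: the globals plus the program counter
    a: tuple              # int a[10]
    i: int
    j: int
    k: int
    PC: PCt


# one transition function per basic block, as on slide 39 (c WITH [...])
def L1(c): return replace(c, i=0, k=0)                 # i = k = 0;
def L2(c): return c                                    # if (!(i < 10)) goto L4;  (test only)
def L3(c): return replace(c, i=c.i + 1, k=c.k + 2)     # i++; k += 2;
def L4(c): return replace(c, j=100, k=c.k + 1)         # j = 100; k++;


def t(c):
    # CASES c`PC OF ... ENDCASES from slide 40
    if c.PC is PCt.L1:
        return replace(L1(c), PC=PCt.L2)
    if c.PC is PCt.L2:
        return replace(L2(c), PC=PCt.L4 if not (c.i < 10) else PCt.L3)
    if c.PC is PCt.L3:
        return replace(L3(c), PC=PCt.L2)
    if c.PC is PCt.L4:
        return replace(L4(c), PC=PCt.END)
    return c                                           # END: c


def inv(c):
    # invariant chosen for this example: k counts two per loop iteration
    return c.PC not in (PCt.L2, PCt.L3, PCt.L4) or c.k == 2 * c.i


def initial():
    # the PC of the initial state is L1; C globals start zeroed
    return C(a=(0,) * 10, i=0, j=0, k=0, PC=PCt.L1)


def run(bound=100):
    """Iterate t from initial() until END (or the bound); returns (final state, invariant held)."""
    c = initial()
    ok = inv(c)
    for _ in range(bound):
        if c.PC is PCt.END:
            break
        c = t(c)
        ok = ok and inv(c)
    return c, ok


if __name__ == "__main__":
    final, ok = run()
    print(final.i, final.j, final.k, final.PC, ok)   # 10 100 21 PCt.END True
```

Because L2 only tests and never writes, the invariant survives the branch in both directions, and at END it yields k = 2 * 10 + 1 = 21, the value the C program leaves in k.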

Slide 41: Modeling Software with PVS
Next week:
- I/O in the case of programs
- Proving termination
- Concurrent programs


Slide 43: The Gentzen Sequent

  {-1} i(0)`reset
  {-2} i(4)`reset
    |-------
  {1}  i(1)`reset
  {2}  i(2)`reset
  {3}  (c(2)`A AND NOT c(2)`B)

The antecedents (above the line) are read as a conjunction, the consequents (below the line) as a disjunction. In words: reset is on in cycles 0 and 4 and off in cycles 1 and 2; show that A and not B holds in cycle 2.

Slide 44: The Gentzen Sequent
- COPY duplicates a formula. Why? When you instantiate a quantified formula, the original one is lost.
- DELETE removes unnecessary formulae. Keep your proof easy to follow.

Slide 45: Propositional Rules
- BDDSIMP: simplify the propositional structure using BDDs
- CASE: case splitting; usage: (CASE "i!1=5")
- FLATTEN: flattens conjunctions, disjunctions, and implications
- IFF: convert a = b to a IFF b for boolean a, b
- LIFT-IF: move case splits inside a formula up to the top

Slide 46: Quantifiers
- INST: instantiate quantifiers
  – Do this if you have EXISTS in the consequent, or FORALL in the antecedent
  – Usage: (INST -10 "100+x")
- SKOLEM!: introduce Skolem constants
  – Do this if you have FORALL in the consequent (and do not want induction), or EXISTS in the antecedent
  – If the type of the variable matters, use SKOLEM-TYPEPRED

Slide 47: Equality
- REPLACE: if you have an equality in the antecedent, you can use REPLACE
  – Example: (REPLACE -1) with {-1} l = r replaces l by r
  – Example: (REPLACE -1 RL) with {-1} l = r replaces r by l

Slide 48: Using Lemmas / Theorems
- EXPAND: expand the definition
  – Example: (EXPAND "min")
- LEMMA: add a lemma as an antecedent
  – Example: (LEMMA "my_lemma")
  – After that, instantiate the quantifiers with (INST -1 "x")
  – Try (USE "my_lemma"); it will try to guess how you want to instantiate

Slide 49: Induction
- INDUCT: performs induction
  – Usage: (INDUCT "i")
  – There should be a FORALL i: … formula in the consequent
  – You get two subgoals, one for the induction base and one for the step
  – PVS comes with many induction schemes; look in the prelude for the full list

Slide 50: What next…
Webpage!
- Installation instructions for PVS
- Further reading
- Homework assignment

