Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel.

Published byMark Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel."— Presentation transcript:

1 CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel

2 CSE 8389 Theorem Proving - Seidel Spring 2005 2 Syntax vs Semantics Syntax –a.k.a. “formation rules”; “grammar”; … –prescribes what a well-formed formula is (syntactically) Semantics –the “meaning” of well-formed formulas –defined via a mapping called interpretation

3 CSE 8389 Theorem Proving - Seidel Spring 2005 3 Propositional Logic: Syntax Logical symbols: –conjunction: , disjunction: , negation: , –implication: , equivalence: , parentheses:   Non-logical symbols: –propositional variables p, q, r,... –signature: set of propositional variables  = {p, q, r,...} Formation rules for well-formed formulas (wff) –an atomic formula (propositional variable) is a formula –if F, G are formulas, so are: F  G, F  G,  F, F  G, F  G,  F  propositional logic (or "propositional calculus") A system of symbolic logic using symbols to stand for whole propositions and logical connectives. Propositional logic only considers whether a proposition is true or false. In contrast to predicate logic, it does not consider the internal structure of propositions. http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?propositional+logic logicsymbolic logicpropositionslogical connectivespredicate logic

4 CSE 8389 Theorem Proving - Seidel Spring 2005 4 Propositional Logic: Semantics Propositions can be assigned a truth-value: –either true or false (classical 2-valued logic: tertium non datur) –other propositional logics exist: 3-valued, 4-valued, temporal, … (modal logics), …, fuzzy logic An interpretation I over a signature  is a mapping –I:   {true, false}, associating a truth value to every propositional variable Truth tables describe how to extend I from atomic to composite formulas (Boolean Algebra): –F  G, F  G,  F, F  G, F  G

5 CSE 8389 Theorem Proving - Seidel Spring 2005 5 Boolean Algebra, Truth Tables http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?two-valued+logic

6 CSE 8389 Theorem Proving - Seidel Spring 2005 6 Different Logical Bases Often: – , ,  Alternatively: – ,  – ,  –NAND –NOR –XOR –ite(A,B,C) if A then B else C ?

7 CSE 8389 Theorem Proving - Seidel Spring 2005 7 Reasoning in Propositional Logic A formula F is … –valid if it is true for all interpretations I –satisfiable if it is true for some interpretation I –unsatisfiable if it is true for no interpretation I Try these: 1.p  q 2.p   p 3.p   p 4.p  p 5.p   p 6.  p  p

8 CSE 8389 Theorem Proving - Seidel Spring 2005 8 Reasoning in Propositional Logic Def. “models” relationship “|=”: –If a formula F evaluates to true for an interpretation I then I is called a model of F; written I |= F –I is a model of {F 1,…, F k }, written I |= {F 1,…, F k },if I is a model of each F j Automated deduction setting: –Show that A 1,,…, A n (axioms) imply T (theorem), that is, every model of the axioms is also a model of the theorem: –That is: if I |= {A 1,,…, A n } then I |= T –Short: {A 1,,…, A n } |= T –Often: Show that A 1  …  A n   T is unsatisfiable For Automation a procedure / reasoning algorithm is needed: –Predicate Calculus (in fact calculi: resolution, tableaux, …)

9 CSE 8389 Theorem Proving - Seidel Spring 2005 9 Example {p, p  q } |= q –Truth table –Resolution –Tableaux –Reasoning with BDDs

10 CSE 8389 Theorem Proving - Seidel Spring 2005 10 Example: Reasoning with Binary Decision Trees (see also: Binary Decision Diagrams, or BDDs) 0 A 10 A 1 0 B 1 0 A 0 B 1 if-falseif-true false true A …  B A  B 0 A 1 0 B 1 A …  B A  B 0 B 1 1 1 A 0 if-falseif-true  A A A A true false

11 CSE 8389 Theorem Proving - Seidel Spring 2005 11 Syntax of First-Order Logic (FO) Logical symbols: – , , , , ,  ,  (“for all”),  (“exists”),... Non-logical symbols: A FO signature  consists of –constant symbols: a,b,c,... –function symbols: f, g,... –predicate (relation) symbols: p,q,r,.... function and predicate symbols have an associated arity; –we can write, e.g., p/3, f/2 to denote the ternary predicate p and the function f with two arguments First-order variables: x, y,... Formation rules for terms: –constants and variables are terms –if t 1,…,t k are terms and f is a k-ary function symbols then f(t 1,...,t k ) is a term

12 CSE 8389 Theorem Proving - Seidel Spring 2005 12 Syntax of First-Order Logic (FO) Formation rules for formulas: –if t 1,…, t k are terms and p/k is a predicate symbol (of arity k) then p(t 1, …, t k ) is an atomic formula (short: atom) all variable occurrences in p(t 1, …, t k ) are free – if F,G are formulas and x is a variable, then the following are formulas: – F  G, F  G,  F, F  G, F  G,  F , –  x: F (“for all x: F(x,...) is true”) –  x: F (“there exists x such that F(x,...) is true”) –the occurrences of a variable x within the scope of a quantifier are called bound occurrences.

13 CSE 8389 Theorem Proving - Seidel Spring 2005 13 Examples  x man(x)  person(x). man(bill). child(marriage(bill,hillary),chelsea). Variable: x Constants (0-ary function symbols): bill/0, hillary/0, chelsea/0 Function symbols: marriage/2 Predicate symbols: man/1, person/1, child/2

14 CSE 8389 Theorem Proving - Seidel Spring 2005 14 Semantics of Predicate Logic Let D be a non-empty domain (a.k.a. universe of discourse). A structure is a pair I = (D,I), with an interpretation I that maps... –each constant symbols c to an element I(c)  D –each predicate symbol p/k to a k-ary relation I(p)  D k, –each function symbol f/k to a k-ary function I(f): D k  D Let I be a structure,  : Vars  D a variable assignment. A valuation val I,  maps Term  to D and Fml  to {true, false} –val I,  (x) =  (x) ; for x  Vars –val I,  (f(t 1,...,t k )) = I(f)( val I,  (t 1 ),..., val I,  (t k ) ) ; for f(t 1,...,t k )  Term  –val I,  (p(t 1,...,t k )) = I(p)( val I,  (t 1 ),..., val I,  (t k ) ) ; for p(t 1,...,t k )  At  –val I,  (F  G) = val I,  (F) and val I,  (G) are true ; for F,G  Fml  –val I,  (F  G) = val I,  (F) or val I,  (G) is true ; for F,G  Fml  –val I,  (  F) = true (false) if val I,  (F) is false (true) ; for F  Fml  –val I,  (  x F) = val I,  [x/t] (F) is true for some t  D ; for F  Fml  –val I,  (  x F) = val I,  [x/t] (F) is true for all t  D ; for F  Fml 

15 CSE 8389 Theorem Proving - Seidel Spring 2005 15 Example Formula F =  x man(x)  person(x). Domain D = {b, h, c, d, e} Let’s pick an interpretation I: I(bill) = b, I(hillary) = h, I(chelsea) = c I(person) = {b, h, c} I(man) = {b} Under this I, the formula F evaluates to true. If we choose I’ like I but I’(man) = {b,d}, then F evaluates to false Thus, I is a model of F, while I’ is not: –I |= F I’ |=/= F

16 CSE 8389 Theorem Proving - Seidel Spring 2005 16 FO Semantics (cont’d) F entails G (G is a logical consequence of F) if every model of F is also a model of G: F |= G F is consistent or satisfiable if it has at least one model F is valid or a tautology if every interpretation of F is a model Proof Theory: Let F,G,... be FO sentences (no free variables). Then the following are equivalent: F_1,..., F_k |= G F_1 ...  F_k  G is valid F_1 ...  F_k   G is unsatisfiable (inconsistent)

17 CSE 8389 Theorem Proving - Seidel Spring 2005 17 Querying vs. Reasoning Querying: –given a DB instance I (= logic interpretation), evaluate a query expression (e.g. SQL, FO formula, Prolog program,...) –boolean query: check if I |=  (i.e., if I is a model of  ) –(ternary) query: { (X, Y, Z) | I |=  (X,Y,Z) } => check happyFathers in a given database Reasoning: –check if I |=  implies I |=  for all databases I, –i.e., if  =>  –undecidable for FO, F-logic, etc. –Descriptions Logics are decidable fragments  concept subsumption, concept hierarchy, classification  semantic tableaux, resolution, specialized algorithms

18 CSE 8389 Theorem Proving - Seidel Spring 2005 18 Reasoning Example (1) p(0) (2)  x p(x)  p(s(x)) (3) p(s(s(0))). We want to show that (1) &... & (2) implies (3) Approach: assume negation of (3) and show that it leads to a contradiction with {(1), (2)} –Question: Why is this sound?

19 CSE 8389 Theorem Proving - Seidel Spring 2005 19 Limitations Drawbacks of methods based on FOL/Predicate Logic: only small and medium size circuits can be verified most abstract representation view is gate level Complex circuits are hierarchically designed, but verification methods are not able to benefit from this to reduce the verification complexity Caused by limited expressiveness of underlying logic – one can not even argue about simple natural numbers Natural numbers useful to argue about discrete time parameterized circuits: FORALL n>0, FORALL a,b,c in B n : + = More expressive logic also needed to allow abstract descriptions (types) ADD(n) a b c

20 CSE 8389 Theorem Proving - Seidel Spring 2005 20 Sentences in First­Order Logic An atomic sentence is simply a predicate applied to a set of terms. –Owns(John,Car1) –Sold(John,Car1,Fred) Semantics is True or False depending on the interpretation, i.e. is the predicate true of these arguments. The standard propositional connectives (  ) can be used to construct complex sentences: –Owns(John,Car1)  Owns(Fred, Car1) –Sold(John,Car1,Fred)  ¬Owns(John, Car1) Semantics same as in propositional logic.

21 CSE 8389 Theorem Proving - Seidel Spring 2005 21 Review: Quantifiers Allow statements about entire collections of objects Universal quantifier:  x –Asserts that a sentence is true for all values of variable x  x Loves(x, FOPC)  x Whale(x)  Mammal(x)  x  y Dog(y)  Loves(x,y))   z Cat(z)  Hates(x,z)) Existential quantifier:  –Asserts that a sentence is true for at least one value of a variable x  x Loves(x, FOPC)  x(Cat(x)  Color(x,Black)  Owns(Mary,x))  x(  y Dog(y)  Loves(x,y))  (  z Cat(z)  Hates(x,z))

22 CSE 8389 Theorem Proving - Seidel Spring 2005 22 Review: Use of Quantifiers Universal quantification naturally uses implication: –  x Whale(x)  Mammal(x) Says that everything in the universe is both a whale and a mammal. Existential quantification naturally uses conjunction: –  x Owns(Mary,x)  Cat(x) Says either there is something in the universe that Mary does not own or there exists a cat in the universe. –  x Owns(Mary,x)  Cat(x) Says all Mary owns is cats (i.e. everthing Mary owns is a cat). Also true if Mary owns nothing. –  x Cat(x)  Owns(Mary,x) Says that Mary owns all the cats in the universe. Also true if there are no cats in the universe.

23 CSE 8389 Theorem Proving - Seidel Spring 2005 23 Nesting Quantifiers The order of quantifiers of the same type doesn't matter: –  x  y(Parent(x,y)  Male(y)  Son(y,x)) –  x  y(Loves(x,y)  Loves(y,x)) The order of mixed quantifiers does matter: –  x  y(Loves(x,y)) Says everybody loves somebody, i.e. everyone has someone whom they love. –  y  x(Loves(x,y)) Says there is someone who is loved by everyone in the universe. –  y  x(Loves(x,y)) Says everyone has someone who loves them. –  x  y(Loves(x,y)) Says there is someone who loves everyone in the universe.

24 CSE 8389 Theorem Proving - Seidel Spring 2005 24 Variable Scope The scope of a variable is the sentence to which the quantifier syntactically applies. As in a block structured programming language, a variable in a logical expression refers to the closest quantifier within whose scope it appears. –  x (Cat(x)   x(Black (x))) The x in Black(x) is universally quantified Says cats exist and everything is black In a well­formed formula (wff) all variables should be properly introduced: –  xP(y) not well­formed A ground expression contains no variables.

25 CSE 8389 Theorem Proving - Seidel Spring 2005 25 Relations Between Quantifiers Universal and existential quantification are logically related to each other: –  x ¬Love(x,Saddam)  ¬  x Loves(x,Saddam) –  x Love(x,Princess­Di)  ¬  x ¬Loves(x,Princess­Di) General Identities –  x ¬P  ¬  x P – ¬  x P   x ¬P –  x P  ¬  x ¬P –  x P  ¬  x ¬P –  x P(x)  Q(x)   x P(x)   x Q(x) –  x P(x)  Q(x)   x P(x)   x Q(x)

26 CSE 8389 Theorem Proving - Seidel Spring 2005 26 Equality Can include equality as a primitive predicate in the logic, or require it to be introduced and axiomatized as the identity relation. Useful in representing certain types of knowledge: –  x  y(Owns(Mary, x)  Cat(x)  Owns(Mary,y)  Cat(y) –  ¬(x=y)) –Mary owns two cats. Inequality needed to ensure x and y are distinct. –  x  y married(x, y)  z(married(x,z)  y=z) –Everyone is married to exactly one person. Second conjunct is needed to guarantee there is only one unique spouse.

27 CSE 8389 Theorem Proving - Seidel Spring 2005 27 Higher­Order Logic FOPC is called first­order because it allows quantifiers to range over objects (terms) but not properties, relations, or functions applied to those objects. Second­order logic allows quantifiers to range over predicates and functions as well: –  x  y [ (x=y)  (  p p(x)  p(y)) ] Says that two objects are equal if and only if they have exactly the same properties. –  f  g [ (f=g)  (  x f(x) = g(x)) ] Says that two functions are equal if and only if they have the same value for all possible arguments. Third­order would allow quantifying over predicates of predicates, etc. We will consider Higher-Order Logic = FOL & Second-order Logic & … allows to argue about infinite sets, use induction

28 CSE 8389 Theorem Proving - Seidel Spring 2005 28 Problems with Higher order Logic Higher-Order Logic is Undecidible Theorem Provers based on HOL have to be interactive. (Informal Version’s of) Russel’s Paradox In a certain town in Spain, there lives an excellent barber who shaves all the men who do not shave themselves. Who shaves the barber? Divide all adjectives into two groups: the group of adjectives which describe themselves and the group of adjectives which do not. Into which group does the adjective indescribable go? I am a liar. Russel’s Paradox can be resolved by introducing typed Higher-order logic

29 CSE 8389 Theorem Proving - Seidel Spring 2005 29 What is PVS? PVS = Prototype Verification System Formal specification language Model checker Theorem prover Documentation tools, etc.

30 CSE 8389 Theorem Proving - Seidel Spring 2005 30 Applications Academic and industrial applications –Hardware verification (e.g. VAMP – Verified Architecture Microprocessor) –Protocol verification –Verification of Javacard applets –Formal Mathematics –Safety-critical systems –… (see http://pvs.csl.sri.com/users.html)

31 CSE 8389 Theorem Proving - Seidel Spring 2005 31 The PVS Language There are two languages 1.The language to write definitions and theorems (“definition language“) 2.The language to prove theorems (“proof language”) They have nothing to do with each other The definition language looks like “normal math” (translator to Latex built in) The proof language looks like LISP

32 CSE 8389 Theorem Proving - Seidel Spring 2005 32 The PVS Definition Language Main language elements –Declarations Types Constants –Expressions over these types –Expressions of Boolean types may be a formula –Formulae are theorems or axioms –Declarations and formulae are grouped into theories

33 CSE 8389 Theorem Proving - Seidel Spring 2005 33 The PVS Definition Language class_theory: THEORY BEGIN my_type: NONEMPTY_TYPE constant1, constant2: my_type f1: THEOREM FORALL (a, b: integer): a+b=b+a f2: AXIOM constant1=constant2 END class_theory Type Declarations Expressions A

34 CSE 8389 Theorem Proving - Seidel Spring 2005 34 The PVS Definition Language class_theory: THEORY BEGIN my_type: NONEMPTY_TYPE constant1, constant2: my_type f1: THEOREM FORALL (a, b: integer): a+b=b+a f2: AXIOM constant1=constant2 END class_theory Formulae A

35 CSE 8389 Theorem Proving - Seidel Spring 2005 35 The PVS Definition Language class_theory: THEORY BEGIN my_type: NONEMPTY_TYPE constant1, constant2: my_type f1: THEOREM FORALL (a, b: integer): a+b=b+a f2: AXIOM constant1=constant2 END class_theory Declarations

36 CSE 8389 Theorem Proving - Seidel Spring 2005 36 Axioms vs. Theorems Axioms are assumed to be true Dangerous! Avoid axioms, use constant declarations instead: class_theory: THEORY BEGIN c: integer c: AXIOM c=3 END class_theory class_theory: THEORY BEGIN c: integer = 3 END class_theory Left hand side is conservative

37 CSE 8389 Theorem Proving - Seidel Spring 2005 37 Types PVS has a very rich type concept –Uninterpreted type declaration: numbers: TYPE numbers: NONEMPTY_TYPE –Interpreted type declaration Introduce names for type expressions posint: TYPE={ i: integer | i > 0}

38 CSE 8389 Theorem Proving - Seidel Spring 2005 38 Types PVS comes with boolean –FALSE, TRUE Number types –real, rational, integer, natural string Ordinals

39 CSE 8389 Theorem Proving - Seidel Spring 2005 39 Type Expressions Function Types [ t 1,…,t n -> t ] Alternative Syntax: FUNCTION[ t 1,…,t n -> t ] ARRAY[ t 1,…,t n -> t ] Note that t i and t may be function types as well!

40 CSE 8389 Theorem Proving - Seidel Spring 2005 40 Expressions Constants –Given by their name, as used in the declaration –Numbers (1, 2, 3, …) are actually identifiers and can even be overloaded –If name is ambiguous, use identifier::type

41 CSE 8389 Theorem Proving - Seidel Spring 2005 41 Expressions Function Applications f(x) –Tons of Syntactic variants exist to support intuition, don’t be confused –Binary operator symbols y * z is the same as *(y, z)

42 CSE 8389 Theorem Proving - Seidel Spring 2005 42 Expressions Functions PVS comes with –Boolean AND &, OR, IMPLIES =>, WHEN, IFF –IF c THEN a ELSE b IF: [boolean, T, T -> T] –Numeric operators +, -, *, /, ^,, >=

43 CSE 8389 Theorem Proving - Seidel Spring 2005 43 Expressions Binding Expressions –Quantifiers EXISTS (x: T): p(x) FORALL (y: T): q(y)

44 CSE 8389 Theorem Proving - Seidel Spring 2005 44 Expressions Binding Expressions –Lambda: unnamed functions LAMBDA (x: int): x+1 Type of that: [ int -> int ] class_theory: THEORY BEGIN f: [int->int] = LAMBDA (x: int): x+1 END class_theory class_theory: THEORY BEGIN f(x: int): int = x+1 END class_theory A

45 CSE 8389 Theorem Proving - Seidel Spring 2005 45 Recursion Lambda cannot be used for recursion Only named functions allow recursion No mutual recursion factorial(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE factorial(x-1)*x ENDIF MEASURE (LAMBDA (x: nat): x) A Used to prove that the function is total

46 CSE 8389 Theorem Proving - Seidel Spring 2005 46 Expressions LET Expressions LET i:T=e 1 IN e 2 –Useful for avoiding redundancy if e 1 is used many times in e 2 –Example LET x=2 IN x*y is (LAMBDA x: x*y)(2)

47 CSE 8389 Theorem Proving - Seidel Spring 2005 47 Expressions Override Expressions e WITH [(i 1 ):=v 1, (i 2 ):=v 2, …] –Sugar for LAMBDA LAMBDA x:IF x=i 1 THEN v 1 ELSIF x=i 2 THEN v 2 … ELSE e(x) ENDIF –Also for records and tuples

48 CSE 8389 Theorem Proving - Seidel Spring 2005 48 Expressions LET and WITH useful for some sequential program constructs! f(i: int):int= LET a1=LAMBDA (x: below(10)): 0 IN... LET a2=a1 WITH [(i):=5] IN... aj(0) int f(int i) { int a[10]={ 0, … };... a[i]=5;... return a[0]; }

49 CSE 8389 Theorem Proving - Seidel Spring 2005 49 Expressions Set Expressions –In PVS, sets are represented using their characteristic function [ T -> boolean ] same as setof[T] –Set expressions: { x:T | p(x) } For sets a, b over T: Union: a OR b Intersection: a AND b

50 CSE 8389 Theorem Proving - Seidel Spring 2005 50 Some Additional Syntax Tuple types [ t 1,…,t n ] Tuple expressions ( e 1,…,e n ) Comes with projections PROJ_1, PROJ_2,..., PROJ_n

51 CSE 8389 Theorem Proving - Seidel Spring 2005 51 Example stacks1: THEORY BEGIN stack: TYPE = [int, ARRAY[int->int]] empty: stack = (0, (LAMBDA (j: int): 0)) size(s: stack):int = PROJ_1(s) elements(s: stack):ARRAY[int->int] = PROJ_2(s) push(x: int, s:stack): stack = (size(s)+1, elements(s) WITH [(size(s)):=x]) pop(s:stack): stack = (size(s)-1, elements(s)) END stacks1 How about a “struct”? A

52 CSE 8389 Theorem Proving - Seidel Spring 2005 52 Some Additional Syntax Record types [# a 1 :t 1,…,a n :t n #] Record expressions (# a 1 :=e 1,…,a n :=e n #) Comes with projections a 1, a 2,..., a n Or: e`a i

53 CSE 8389 Theorem Proving - Seidel Spring 2005 53 Example stacks2: THEORY BEGIN stack: TYPE = [# size: int, elements: ARRAY[int->int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j: int): 0) #) push(x: int, s:stack): stack = (# size:=s`size+1, elements:=s`elements WITH [(s`size):=x] #) pop(s:stack): stack = (# size:=s`size-1, elements:=s`elements #) END stacks2 What about the empty stack? A

54 CSE 8389 Theorem Proving - Seidel Spring 2005 54 Subtypes { x: T | p(x)} p must be of type [ T -> boolean ] Alternative syntax: (p) This type contains all elements x of T for which p(x) is true E.g., define domain of integer division: { x: integer | x/=0 } Makes type equivalence undecidable

55 CSE 8389 Theorem Proving - Seidel Spring 2005 55 Subtypes Subtypes in binding expressions –Forall, exists: forall (i: int | i>10): … –Lambda: class_theory: THEORY BEGIN f: [ {x: int | x/=0 }->real] = LAMBDA (x: int | x/=0): 1/x END class_theory class_theory: THEORY BEGIN f(x: int | x/=0): real = 1/x END class_theory

56 CSE 8389 Theorem Proving - Seidel Spring 2005 56 Example stacks3: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[nat->int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j: nat): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=s`elements WITH [(s`size):=x] #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=s`elements #) END stacks3 Properties? A

57 CSE 8389 Theorem Proving - Seidel Spring 2005 57 Example stacks3: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[nat->int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j: nat): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=s`elements WITH [(s`size):=x] #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=s`elements #) push_pop: THEOREM FORALL (s: stack, x: int): pop(push(x, s))=s END stacks3 Does this work? A

58 CSE 8389 Theorem Proving - Seidel Spring 2005 58 Example stacks4: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) push_pop: THEOREM FORALL (s: stack, x: int): pop(push(x, s))=s END stacks4

59 CSE 8389 Theorem Proving - Seidel Spring 2005 59 Example stacks4: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) END stacks4 What about the stacks of other types? A

60 CSE 8389 Theorem Proving - Seidel Spring 2005 60 Example stacks4: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i int] #] empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #) push(x: int, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) END stacks4

61 CSE 8389 Theorem Proving - Seidel Spring 2005 61 theory[T1: TYPE, T2: TYPE,...]: THEORY BEGIN... END theory Theory Parameters Idea: do something like a C++ template template <class T1, class T2,...> class stack {... }; A

62 CSE 8389 Theorem Proving - Seidel Spring 2005 62 theory[T1: TYPE, T2: TYPE,...]: THEORY BEGIN... f(e: T1):bool;... END theory Theory Parameters Idea: do something like a C++ template template <class T1, class T2,...> class stack {... f(e: T1):bool;... };

63 CSE 8389 Theorem Proving - Seidel Spring 2005 63 Example stacks4[T: NONEMPTY_TYPE]: THEORY BEGIN stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i T] #] e: T empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): e) #) push(x: T, s:stack): { s: stack | s`size>=1 } = (# size:=s`size+1, elements:=LAMBDA (j: below(s`size+1)): IF j<s`size THEN s`elements(j) ELSE x ENDIF #) pop(s:stack | s`size>=1): stack = (# size:=s`size-1, elements:=LAMBDA (j:nat|j<s`size-1): s`elements(j) #) END stacks4

64 CSE 8389 Theorem Proving - Seidel Spring 2005 64 Example use_stack: THEORY BEGIN my_type: TYPE = [ posint, posint ] IMPORTING stacks5; s: stack[my_type]; x: my_type = (1, 2); d: stack[my_type] = push(x, s); END use_stack

65 CSE 8389 Theorem Proving - Seidel Spring 2005 65 Useful Parameterized Theories PVS comes with several useful parameterized theories –Sets over elements of type T subsets, union, complement, power set, finite sets, … –Infinite Sequences –Finite Sequences –Lists –Bit vectors A

66 CSE 8389 Theorem Proving - Seidel Spring 2005 66 Bit Vectors Bit Vectors are defined using an ARRAY type bv[N: nat]: THEORY BEGIN bvec : TYPE = [below(N) -> bit] A same as boolean 0, …, N-1

67 CSE 8389 Theorem Proving - Seidel Spring 2005 67 Bit Vectors Extract a bit: bv^(i) i  { 0, …, N-1 } Vector extraction: bv^(m,n) n≤m<N b N : fill(b) Concatenation: bv1 o bv2 Bitwise: bv1 OR bv2 Conversion to natural numbers: bv2nat(bv) Conversion from natural numbers: nat2bv(nat)

68 CSE 8389 Theorem Proving - Seidel Spring 2005 68 Bit Vector Arithmetic Requires IMPORTING bitvectors@bv_arith_nat *, +, -, =, Many other useful theories Look in pvs/lib/bitvectors

69 CSE 8389 Theorem Proving - Seidel Spring 2005 69 Bit Vectors Example: bv_ex: THEORY BEGIN x: VAR bvec[32] zero_lemma: LEMMA bv2nat(x)=0 IFF x=fill(false) END bv_ex A How many bits?

70 CSE 8389 Theorem Proving - Seidel Spring 2005 70 Bit Vectors Example: bv_ex: THEORY BEGIN x: VAR bvec[32] zero_lemma: LEMMA bv2nat[32](x)=0 IFF x=fill[32](false) END bv_ex

71 CSE 8389 Theorem Proving - Seidel Spring 2005 71 Modeling Combinational Hardware with PVS Idea: Model combinational circuits using functions on bit vectors f(A, B, reset: bit):bit= IF reset THEN FALSE ELSE (NOT A) OR B ENDIF A Translation from/to Verilog, VHDL, etc. easy

72 CSE 8389 Theorem Proving - Seidel Spring 2005 72 Parameterized Circuits A Binary tree for 8 inputs Parameterized for 2 k inputs

73 CSE 8389 Theorem Proving - Seidel Spring 2005 73 Modeling Hardware with PVS A btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN btree(k: nat, l:[below(exp2(k))->T]): RECURSIVE T = IF k=0 THEN l(0) ELSE btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i)) o btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i+exp2(k-1))) ENDIF MEASURE k btree(l:[below(exp2(K))->T]):T=btree(K, l) END btree Property?

74 CSE 8389 Theorem Proving - Seidel Spring 2005 74 Modeling Hardware with PVS A btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN... btree_correct: THEOREM btree(l) = l(0) o l(1) o... o l(exp(K)-1) END btree Dot dot dot?

75 CSE 8389 Theorem Proving - Seidel Spring 2005 75 Modeling Hardware with PVS A btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN... btree_correct: THEOREM btree(l) = l(0) o l(1) o... o l(exp(K)-1) seq(i: nat, l:[upto(i)->T]): RECURSIVE T = IF i=0 THEN l(0) ELSE seq (i-1, LAMBDA (j: below(i)): l(j)) o l(i) ENDIF MEASURE i Btree_correct: THEOREM btree(l) = seq(exp(K)-1, l) END btree Can you prove this? What is missing?

76 CSE 8389 Theorem Proving - Seidel Spring 2005 76 Modeling Hardware with PVS A btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN ASSUMING fassoc: ASSUMPTION associative?(o) ENDASSUMING... END btree This is NOT like an axiom! zerotester_imp(op): bit = NOT btree[bit, K, OR](op) PVS will make you prove here that OR is associative

77 CSE 8389 Theorem Proving - Seidel Spring 2005 77 Arithmetic Circuits A One Bit Adder (oba) a,b,cin : VAR bit oba_sum(a,b,cin): bit = (a XOR b XOR cin) oba_cout(a,b,cin): bit = ((a AND b) OR (a AND cin) OR (b AND cin)) oba_correct: LEMMA a + b + cin = 2 * oba_cout(a,b,cin) + oba_sum(a,b,cin) Wait a second! You are adding bits here! Property?

78 CSE 8389 Theorem Proving - Seidel Spring 2005 78 Conversions A oba_correct: LEMMA a + b + cin = 2 * oba_cout(a,b,cin) + oba_sum(a,b,cin) There is no addition on bits (or boolean )! bit : TYPE = bool nbit : TYPE = below(2) b2n(b:bool): nbit = IF b THEN 1 ELSE 0 ENDIF CONVERSION b2n below(2) is a subtype of the integer type, and we have addition for that.

79 CSE 8389 Theorem Proving - Seidel Spring 2005 79 Arithmetic Circuits Carry Chain Adder

80 CSE 8389 Theorem Proving - Seidel Spring 2005 80 Arithmetic Circuits A cout(n,a,b,a_cin): RECURSIVE bit = IF n=0 THEN oba_cout(a(0),b(0),a_cin) ELSE oba_cout(a(n),b(n), cout(n-1,a,b,a_cin)) ENDIF MEASURE n bv_adder(a,b,a_cin): bvec[N] = LAMBDA (i:below(N)): IF i=0 THEN oba_sum(a(0),b(0),a_cin) ELSE oba_sum(x(i),y(i), cout(i-1,x,y,a_cin)) ENDIF

81 CSE 8389 Theorem Proving - Seidel Spring 2005 81 Arithmetic Circuits A bv_adder(a,b,a_cin): bvec[N] = LAMBDA (i:below(N)): IF i=0 THEN oba_sum(a(0),b(0),a_cin) ELSE oba_sum(x(i),y(i), cout(i-1,x,y,a_cin)) ENDIF adder_correct: THEOREM exp2(N)*cout(N-1,a,b,a_cin)+bv2nat(bv_adder(a,b,a_cin))= bv2nat(a) + bv2nat(b) + a_cin adder_is_add: THEOREM bv_adder(a,b,FALSE) = a + b

82 CSE 8389 Theorem Proving - Seidel Spring 2005 82 PVS Workflow PVS File System Properties PROOFS Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually  Proof construction Interaction with the theorem prover  A

83 CSE 8389 Theorem Proving - Seidel Spring 2005 83 PVS Workflow PVS File System Properties PROOFS Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually  Proof construction Interaction with the theorem prover  A

84 CSE 8389 Theorem Proving - Seidel Spring 2005 84 The PVS Language There are two languages 1.The language to write definitions and theorems (“definition language“) 2.The language to prove theorems (“proof language”) They have nothing to do with each other The definition language looks like “normal math” (translator to Latex built in) The proof language looks like LISP

85 CSE 8389 Theorem Proving - Seidel Spring 2005 85 Theorem Proving The goal is to establish F 1,…, F k |= T Show that theorem T follows from the Assumptions & Axioms F 1,…, F k PVS operates on sequents of the form F 1,…, F k |– G 1,…, G l AntecedentsConsequents Meaning: The disjunction of the Consequents is a logical consequence of the conjunction of the Antecedents F 1  F 2  …  F k implies G 1  G 2  …  G l TheoremAxioms, Assumptions Antecedents and Consequents are HOL Formulas

86 CSE 8389 Theorem Proving - Seidel Spring 2005 86 Proof Trees Sequents can be modified by PVS proof commands F 1,…, F k |– G 1,…, G l AntecedentsConsequents The result of a proof command is a (possibly empty) set of subsequents Initial sequent (show Theorem): |- T The repeated application of proof commands on sequents defines a tree A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof. A theorem T is proven if all proof branches are closed.

Download ppt "CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel."

Similar presentations

Predicate Logic Colin Campbell. A Formal Language Predicate Logic provides a way to formalize natural language so that ambiguity is removed. Mathematical.

Predicate Logic Colin Campbell. A Formal Language Predicate Logic provides a way to formalize natural language so that ambiguity is removed. Mathematical.
Completeness and Expressiveness

Completeness and Expressiveness
Brief Introduction to Logic. Outline Historical View Propositional Logic : Syntax Propositional Logic : Semantics Satisfiability Natural Deduction : Proofs.

Brief Introduction to Logic. Outline Historical View Propositional Logic : Syntax Propositional Logic : Semantics Satisfiability Natural Deduction : Proofs.
CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel.

CSE 8389 Theorem Proving - Seidel Spring CSE 8389 Theorem Proving Peter-Michael Seidel.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
© by Kenneth H. Rosen, Discrete Mathematics & its Applications, Sixth Edition, Mc Graw-Hill, 2007 Chapter 1: (Part 2): The Foundations: Logic and Proofs.

© by Kenneth H. Rosen, Discrete Mathematics & its Applications, Sixth Edition, Mc Graw-Hill, 2007 Chapter 1: (Part 2): The Foundations: Logic and Proofs.
Knowledge Representation Methods

Knowledge Representation Methods
74.757 Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.

Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
EE1J2 - Slide 1 EE1J2 – Discrete Maths Lecture 6 Limitations of propositional logic Introduction to predicate logic Symbols, terms and formulae, Parse.

EE1J2 - Slide 1 EE1J2 – Discrete Maths Lecture 6 Limitations of propositional logic Introduction to predicate logic Symbols, terms and formulae, Parse.
Propositional Calculus Math Foundations of Computer Science.

Propositional Calculus Math Foundations of Computer Science.
1 First order theories. 2 Satisfiability The classic SAT problem: given a propositional formula , is  satisfiable ? Example:  Let x 1,x 2 be propositional.

1 First order theories. 2 Satisfiability The classic SAT problem: given a propositional formula , is  satisfiable ? Example:  Let x 1,x 2 be propositional.
FIRST ORDER LOGIC Levent Tolga EREN.

FIRST ORDER LOGIC Levent Tolga EREN.
1 Theorem Proving and Model Checking in PVS 15-820A Modeling Hardware and Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.

1 Theorem Proving and Model Checking in PVS A Modeling Hardware and Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.
3.9.2015Relation, function 1 Mathematical logic Lesson 5 Relations, mappings, countable and uncountable sets.

Relation, function 1 Mathematical logic Lesson 5 Relations, mappings, countable and uncountable sets.
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.

Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.

Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.
1 Theorem Proving and Model Checking in PVS 15-820A PVS – An Introduction Edmund Clarke Daniel Kroening Carnegie Mellon University.

1 Theorem Proving and Model Checking in PVS A PVS – An Introduction Edmund Clarke Daniel Kroening Carnegie Mellon University.

Similar presentations

Ads by Google