Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Automated Theorem Proving: PVS Alexander Serebrenik.

Published byJanice Mason Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Automated Theorem Proving: PVS Alexander Serebrenik."— Presentation transcript:

1 1 Automated Theorem Proving: PVS Alexander Serebrenik

2 2 Before We Start PVS is installed at svstud. –no password for svstud? –contact Jan de Jong of the Notebook Service center: HG 8.86, tel. 2979 Install an X Windows client on your laptop –built-in for Linux –for Windows, e.g., Exceed (via BCF) On Wednesday we will meet in Auditorium 9 (laptop lecture hall).

3 3 Last Time Foundations of Automated Theorem Proving –soundness and completeness –Gentzen’s sequent –system G for propositional calculus first order logics first order logics with equality

4 4 Today PVS (Prototype Verification System) –Developed at SRI International –Open Source (GPL) since 1993 –Runs on Linux/Solaris/Mac –Uses Emacs as Interface –Supports System G reasoning… –and much, much more!

5 5 Applications of PVS Both academic and industrial: Verification of Javacard applets Hardware verification Protocol specification and verification Formal Mathematics Safety-critical systems... see http://pvs.csl.sri.com/users.shtml

6 6 First Example (3b)  xA(x)  xB(x)   x(A(x)  B(x)) ex3b: THEORY BEGIN T: TYPE some type x: VAR T variable of this type A,B: [T -> bool] predicate (function to booleans) statement: THEOREM ((FORALL x:A(x)) AND (FORALL x:B(x)) IMPLIES (FORALL x:(A(x) AND B(x)))) END ex3b

7 7 Sequent System G  A 1, …, A n    B 1, …, B m  PVS [-1] A 1, …, [-n] A n |-------- {1} B 1, …, [m] B m

8 8 Proof (1) |------- {1} ((FORALL x: A(x)) AND (FORALL x: B(x)) IMPLIES (FORALL x: (A(x) AND B(x)))) Rule? (flatten) [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) |------- {1} (FORALL x: (A(x) AND B(x))) Rule? (skolem 1 “y1”) (skolem reference newname) [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) |------- {1} (A(y1) AND B(y1)) Rule? (split) …yields 2 subgoals: statement.1 : [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) |------- {1} A(y1) Rule? The second subgoal is postponed

9 9 Proof (2) [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) |------- {1} A(y1) Rule? (inst -1 “y1”) (inst reference term) Instantiating the top quantifier in -1 with the terms: y1, This completes the proof of statement.1. statement.2 [-1] (FORALL x: A(x)) [-2] (FORALL x: B(x)) |------- {1} B(y1) Rule? The subgoal that we have postponed. (inst -2 “y1”) Instantiating the top quantifier in -2 with the terms: y1, This completes the proof of statement.2.Q.E.D.

10 10 PVS Proof Commands (flatten)formula to list of formulas (  :left), (  :right), (  :left), (  :right), (  :right), (  :left) (split)formula to a number of proof obligations (  :right), (  :left), (  :left), (  :right) (inst reference term) replace variable by a term (  :right), (  :left) (skolem reference newname) replace variable by a fresh variable (constant) (  :left), (  :right)

11 11 NB: Flatten and Split PVS is smarter than just one step of System G Flatten and split will apply the corresponding rules as long as they are applicable. |------- {1}(A IMPLIES B) IMPLIES ((A IMPLIES NOT B) IMPLIES NOT A) {-1} (A IMPLIES B) {-2} (A IMPLIES NOT B) {-3} A |------- flatten

12 12 PVS System Tour QQ: Watch the video. What steps did I perform?

13 13 PVS System Tour 1.Specify (any editor) 2.Parse ( M-x parse, M-x pa ) syntactic checks, e.g., misspellings done by the system automatically when needed 3.Type check ( M-x typecheck, M-x tc ) semantic checks, e.g., undeclared names builds Type Correctness Conditions should be proved! 4.Prove ( M-x prove, M-x pr ) that is what we have done before

14 14 QQ: First Steps with PVS Recall Exercise 1b from the Instruction: (A  B)  ((A  B)  A) Write a PVS specification, corresponding to this exercise ex1b: THEORY BEGIN A,B: bool statement: THEOREM (A IMPLIES B) IMPLIES ((A IMPLIES NOT B) IMPLIES NOT A) END ex1b

15 15 PVS Language ex3b: THEORY BEGIN T: TYPE x: VAR T A,B: [T -> bool] statement: THEOREM ((FORALL x:A(x)) AND (FORALL x:B(x)) IMPLIES (FORALL x:(A(x) AND B(x)))) END ex3b Theory identifier Type declaration Variable declaration Constant declarations Formula declaration

16 16 “Theory Header” Theory identifier ex3b: THEORY List of formal parameters stacks [t: TYPE+] : THEORY groups [G : TYPE, e : G, o : [G,G->G], inv : [G->G] ] : THEORY

17 17 Types (1) Uninterpreted types: –might be empty T: TYPE –non-empty T: TYPE+ Interpreted types: T : TYPE = type expression Subtypes: S: TYPE FROM T

18 18 Types (2) Type expressions –builtins bool, int –enumerated {r, g, b} –functions [int, bool -> int] –tuples [int, int] –predicate-based (p) shorthand for {x | p(x)}

19 19 Types: QQ Functional is a function that takes functions as its argument and returns a real number. Define the type of functionals for functions from T1 to T2 T1, T2: TYPE FT: TYPE = [[T1 -> T2] -> real]

20 20 Variable Declarations either with VAR –x: VAR bool or within a binding expression ( , , λ) –FORALL (x: int): (EXISTS (x: nat) p(x)) AND q(x))

21 21 Constant Declarations Constants: n: int, c: int = 3 –The underlying type should be non-empty Functions are also constants: –f: [int -> int] = (lambda (x: int): x+1) –f(x: int): int = x + 1 QQ: What does f(x:(p)): int = x+1 mean for a predicate p ? –(p) shorthand for {x | p(x)}

22 22 Boolean Functions a.k.a. predicates Can be written as subsets: –odd: [nat -> bool] = {n: nat | EXISTS (m: nat): n = 2 * m + 1} instead of –odd: [nat -> bool] = (LAMBDA (n: nat): EXISTS (m: nat): n = 2 * m + 1)

23 23 Recursive Functions No mutual recursion Function should be total Termination should be ensured: MEASURE fac(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE x*fac(x-1) ENDIF MEASURE x

24 24 MEASURE Can be followed by any function: –MEASURE lambda (n: nat): n –MEASURE N-I QQ: Find an appropriate MEASURE for p(x:int): RECURSIVE int = (IF (x > 1 AND x < 1000) THEN p(x*x) ELSIF (x -1000) THEN p(-x*x) ELSE 0 ENDIF)

25 25 MEASURE : Solution p(x:int): RECURSIVE int = (IF (x > 1 AND x < 1000) THEN p(x*x) ELSIF (x -1000) THEN p(-x*x) ELSE 0 ENDIF) MEASURE pmeas pmeas(x: int): nat = (IF (x > 1 AND x < 1000) THEN 1000-x ELSIF (x -1000) THEN 1000+x ELSE 0 ENDIF)

26 26 Formula Declarations AXIOM is a formula that can be recalled at any moment of the proof. –use (lemma name ) THEOREM ( or LEMMA) is a formula one likes to prove. May contain free variables: p(x) is equivalent to (FORALL x: p(x))

27 27 AXIOM s in Practice pop_push: AXIOM pop(push(x, s)) = s pop2push2: THEOREM pop(pop(push(x, push(y, s)))) = s |------- {1} pop(pop(push(X, push(Y, S)))) = S Rule? Applying pop_push this simplifies to: {-1} FORALL (s: stack, x: t): pop(push(x, s)) = s |------- [1] pop(pop(push(X, push(Y, S)))) = S (lemma pop_push)

28 28 Functions Can Be Defined Using AXIOM s 1.f: [int -> int] = (lambda (x: int): x+1) 2.f: [int -> int] f: AXIOM f = (LAMBDA (x: int): x+1) NB! New declaration preserves consistency of the theory, new axiom might not!

29 29 Between AXIOM and THEOREM groups [G : TYPE, e : G, o : [G,G->G], inv : [G->G] ] : THEORY BEGIN ASSUMING a, b, c : VAR G associativity : ASSUMPTION a o (b o c) = (a o b) o c unit : ASSUMPTION e o a = a AND a o e = a inverse : ASSUMPTION inv(a) o a = e AND a o inv(a) = e ENDASSUMING

30 30 ASSUMPTION s Appear only between ASSUMING and ENDASSUMING Usually formulated in terms of parameters of the theory When the theory is used, e.g. IMPORTING[int, 0, +, -] assumptions become proof obligations (TCCs).

31 31 Theory Is Used? EXPORTING specifies names that should be visible to the IMPORTING theories –by default, all names are visible IMPORTING makes visible names of another theory available for the current one. –IMPORTING s are cumulative –Beware the name clashes

32 32 Summary So Far (1) Lifecycle of a PVS specification: specify, parse, type check, prove. Specification consists of the “header” followed by type, variable, constant and formula declarations. Types: uninterpreted, interpreted. –Type expressions: builtins, enumerated, functions, tuples, predicate-based

33 33 Summary So Far (2) Recursive functions should be provided by MEASURE. Formula declarations: AXIOM s, ASSUMPTION s and THEOREM s. –AXIOM s can be recalled using the lemma proof command. Adding a new AXIOM does not guarantee consistency of the theory. Theories can EXPORT and IMPORT names.

34 34 Type Check Executed upon M-x typecheck, or M-x tc. Generate additional proof obligations (theorems) ensuring –type correctness; –termination; –non-emptiness of a type, if constants of this type are being declared.

35 35 Closer Look at Factorial exfac typechecked in 0.27s: 2 TCCs, 0 proved, 0 subsumed, 2 unproved –TCC = type correctness condition M-x show-tccs fac(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE x*fac(x-1) ENDIF MEASURE x % Subtype TCC for x - 1 fac_TCC1: OBLIGATION FORALL (x: nat): NOT x = 0 IMPLIES x - 1 >= 0; The argument of the recursive call should be a natural number as well. % Termination TCC for fac(x - 1) fac_TCC2: OBLIGATION FORALL (x: nat): NOT x = 0 IMPLIES x - 1 < x;

36 36 TCCs and Proofs TCCs can be postponed but ultimately should be proved. Failure to prove TCC might indicate that the statement is not valid! Automated attempt to prove the TCCs: M-x typecheck-prove (M-x tcp)

37 37 Summary: Prove Commands controlfail, postpone, undo, … structurecopy, hide, hide-all-but, reveal,… system Gsplit, flatten, inst, skolem,… decision procedures assert, grind, … definitions and lemmas lemma, expand, … miscellaneouscase, induct, replace, …

38 38 What If? PVS crashes in the middle of a proof: (restore) you do not know what to do: (help) or (help command) you want to stop the proof attempt: (quit) you want to go to next remaining goal: (postpone) you want to revise your last step: (undo)

39 39 Manipulating Sequents If some information is needed twice during the proof: (copy) If some information is no longer needed: (delete) If some information might be needed later but is cluttering now: (hide) If some hidden information is needed: M-x show-hidden followed by (reveal reference)

40 40 Example sum: THEORY BEGIN n: VAR nat sum(n): RECURSIVE nat = (IF n=0 THEN 0 ELSE n+sum(n-1) ENDIF) MEASURE (LAMBDA n:n) closed_form: THEOREM sum(n) = (n * (n+1))/2 END sum

41 41 closed_form : |------- {1} FORALL (n: nat): sum(n) = (n * (n + 1)) / 2 Rule? Inducting on n on formula 1,this yields 2 subgoals: closed_form.1 : |------- {1} sum(0) = (0 * (0 + 1)) / 2 Rule? (induct "n") QQ: What are the two subgoals? Induction base (expand “sum") Expanding the definition of sum, this simplifies to: closed_form.1 : |------- {1} 0 = 0 / 2 Rule? (assert) Simplifying, rewriting, and recording with decision procedures. This completes the proof of closed_form.1.

42 42 closed_form.2 : |------- {1} FORALL j: sum(j) = (j * (j + 1)) / 2 IMPLIES sum(j + 1) = ((j + 1) * (j + 1 + 1)) / 2 Rule? Induction step (skosimp) Skolemizing and flattening, this simplifies to: closed_form.2 : {-1} sum(j!1) = (j!1 * (j!1 + 1)) / 2 |------- {1} sum(j!1 + 1) = ((j!1 + 1) * (j!1 + 1 + 1)) / 2 Rule? skosimp = skolem using standard names + flatten We would like to use expand but only in the succedent! (expand “sum” +) Expanding the definition of sum, this simplifies to: closed_form.2 : [-1] sum(j!1) = (j!1 * (j!1 + 1)) / 2 |------- {1} 1 + sum(j!1) + j!1 = (2 + j!1 + (j!1 * j!1 + 2 * j!1)) / 2

43 43 Expanding the definition of sum, this simplifies to: closed_form.2 : [-1] sum(j!1) = (j!1 * (j!1 + 1)) / 2 |------- {1} 1 + sum(j!1) + j!1 = (2 + j!1 + (j!1 * j!1 + 2 * j!1)) / 2 Rule? (assert) Simplifying, rewriting, and recording with decision procedures, This completes the proof of closed_form.2. Q.E.D. Induction step

44 44 Proof Commands In the Example (induct n) – induction on variable n (expand “name” ref) – expand definition name in ref: –number –“-” all antecedents –“+” all succedents (skosimp) – skolem with standard names and (flatten) (assert) – prove or simplify using the builtin decision procedures

45 45 Replace {-1} X = Y |------- {1} Y = X Rule? (replace -1 1) Replacing using formula -1, this simplifies to: [-1] X = Y |------- {1} TRUE Replace the left-hand side of (-1) in (1) by the right-hand side of (-1). If you add rl: (replace -1 1 rl) the rewriting will go from right to left.

46 46 stacks [t: TYPE+] : THEORY BEGIN stack : TYPE+ s : VAR stack empty : stack nonemptystack?(s) : bool = s /= empty push :[t, stack -> (nonemptystack?)] pop : [(nonemptystack?) -> stack] x, y : VAR t pop_push : AXIOM pop(push(x, s)) = s pop2push2: THEOREM pop(pop(push(x, push(y, s)))) = s END stacks QQ: To prove pop2push2 you might like to use A.expand B. induct C. replace

47 47 More Proof Commands case - distinguish between different cases. propax – proves propositional axioms, i.e., –false as an antecedent, –true or t=t as a succedent –common formula for antecedent and succedent grind – “black magic” but often works: –rewrite using lemmas –simplify numerical expressions –performs equality substitutions –makes use, e.g., of assert and replace smash – propositional and ground simplification

48 48 Can’t See the Forest for the Trees? current goal part that has been proved part that still has to be proved M-x xpr

49 49 Can’t See the Forest for the Trees? current goal part that has been proved part that still has to be proved

50 50 And Even More You can also create LaTeX documentation: M-x latex-theory-view (M-x ltv) PS proofs can be generated from the graphic user interface. … or first in LaTeX: M-x latex-proof

51 51 Data So far: traditional algebraic specification Better: automated generation from a succinct description. stack [t: TYPE] : DATATYPE BEGIN empty : emptystack? push(top: t, pop: stack): nonemptystack? END stack constructors accessors recognizers M-x typecheck

52 52 What Is Generated From a Datatype? extensionality axioms for the constructors accessor/constructor axioms –stack_pop_push: AXIOM (FORALL (v1:t, v2: stack) pop(push(v1,v2)) = v2) induction scheme recursive combinator look at stack_adt.pvs

53 53 Example: Recursive Combinator reduce_nat(emptystack?_fun: nat, nonemptystack?_fun: [[t, nat] -> nat]): [stack -> nat] = LAMBDA (stack_var: stack): CASES stack_var OF empty: emptystack?_fun, push(push1_var, push2_var): nonemptystack?_fun(push1_var, reduce_nat(emptystack?_fun, nonemptystack?_fun)(push2_var)) ENDCASES QQ: What does the following call calculate: reduce_nat(0, (LAMBDA (x:t, n: nat): n+1))?

54 54 Cases? Pattern matching: CASES stack_var OF empty: …, push(push1_var,push2_var): …)) ENDCASES Can contain ELSE covers all constructors not covered before.

55 55 Putting It All Together stack: DATATYPE BEGIN empty : emptystack? push(top: t, pop: stack): nonemptystack? END stack length: THEORY BEGIN t: TYPE IMPORTING stack_adt[t] length(s: stack): nat = reduce_nat(0, (LAMBDA(x: t, n:nat): n+1))(s) l0: THEOREM (length(empty) = 0) END length

56 56 Many Data Types and Theories can be consulted by M-x vpt –view prelude theory are “built in” and described in the Prelude, include –logics, functions, numbers –relations, sets, sequences and lists –sum and quotient types –induction –μ-calculus and CTL

57 57 Summary: PVS PVS System: Linux/Unix, Emacs + GUI PVS Language: How to write a specification? –THEORY, TYPE, VAR, THEOREM, … –abstract data types PVS Proof Checker: How do we prove? –flatten, split, inst, skolem, expand, lemma… PVS Prelude: Built-in theories –there are even more theories in NASA libraries

58 58 Don’t Forget: Tomorrow No password for svstud? –contact Jan de Jong of the Notebook Service center: HG 8.86, tel. 2979 Install an X Windows client on your laptop –built-in for Linux –for Windows, e.g., Exceed (via BCF website) We meet at 8 45 in Auditorium 9.

Download ppt "1 Automated Theorem Proving: PVS Alexander Serebrenik."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.

Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.

Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.
Type Inference David Walker COS 320. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.

Type Inference David Walker COS 320. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Inference and Reasoning. Basic Idea Given a set of statements, does a new statement logically follow from this. For example If an animal has wings and.

Inference and Reasoning. Basic Idea Given a set of statements, does a new statement logically follow from this. For example If an animal has wings and.
CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel.

CSE 8389 Theorem Proving - Seidel Spring CSE 8389 Theorem Proving Peter-Michael Seidel.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
74.757 Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.

Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.
School of Computing and Mathematics, University of Huddersfield CAS2545: WEEK 11 LECTURE: n The meaning of Algebraic Specifications TUTORIAL/PRACTICAL:

School of Computing and Mathematics, University of Huddersfield CAS2545: WEEK 11 LECTURE: n The meaning of Algebraic Specifications TUTORIAL/PRACTICAL:
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Katz2004 236386--Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems 236368 Shmuel Katz The Technion.

Katz Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems Shmuel Katz The Technion.
Inference and Resolution for Problem Solving

Inference and Resolution for Problem Solving
1 Theorem proving Alexander Serebrenik. 2 TP for FM FM: proving properties of programs. Theorem proving: proving statements in first-order logics (FOL).

1 Theorem proving Alexander Serebrenik. 2 TP for FM FM: proving properties of programs. Theorem proving: proving statements in first-order logics (FOL).
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Type Inference David Walker COS 441. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.

Type Inference David Walker COS 441. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.

Similar presentations

Ads by Google