Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Theorem Proving and Model Checking in PVS 15-820A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.

Published byGeorgia Billings Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Theorem Proving and Model Checking in PVS 15-820A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University."— Presentation transcript:

1 1 Theorem Proving and Model Checking in PVS 15-820A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University

2 2 Theorem Proving and Model Checking in PVS Outline Modeling Software with PVS –Complete Example for Sequential Software, including proof –The Magic GRIND –Modularization

3 3 Theorem Proving and Model Checking in PVS Modeling Software with PVS C: TYPE = [# a: [below(10)->integer], i: nat #] 1. Define Type for STATE int a[10]; unsigned i; int main() {... } A

4 4 Theorem Proving and Model Checking in PVS Modeling Software with PVS A 2. Translate your program into goto program int a[10]; unsigned i,j,k; int main() { i=k=0; while(i<10) { i++; k+=2; } j=100; k++; } int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; }

5 5 Theorem Proving and Model Checking in PVS Modeling Software with PVS A 3. Partition your program into basic blocks int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } L1(c: C):C= c WITH [i:=0, k:=0] L2(c: C):C= c L3(c: C):C= c WITH [i:=c`i+1, k:=c`k+2] L4(c: C):C= c WITH [j:=100, k:=c`k+1] 4. Write transition function for each basic block

6 6 Theorem Proving and Model Checking in PVS Modeling Software with PVS 5. Combine transition functions using a program counter int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } PCt: TYPE = { L1, L2, L3, L4, END } t(c: C): C= CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT (c`i<10) THEN L4 ELSE L3 ENDIF, L3: L3(c) WITH [PC:=L2], L4: L4(c) WITH [PC:=END], END: c ENDCASES A

7 7 Theorem Proving and Model Checking in PVS Modeling Software with PVS A 6. Define Configuration Sequence c(T: nat, initial: C):RECURSIVE C= IF T=0 THEN initial WITH [PC:=L1] ELSE t(c(T-1, initial)) ENDIF MEASURE T 7. Now prove properties about PC=LEND states program_correct: THEOREM FORALL (initial: C): FORALL (T: nat | c(T)`PC=LEND): c(T)`result=correct_result(initial)

8 8 Theorem Proving and Model Checking in PVS C: TYPE = [# size: nat, a: [nat -> integer], x: integer, i: nat, result: bool, PC: PCt #] Example I bool find_linear(unsigned size, const int a[], int x) { unsigned i; for(i=0; i<size; i++) if(a[i]==x) return TRUE; return FALSE; } A 1. Define Type for STATE

9 9 Theorem Proving and Model Checking in PVS bool find_linear(unsigned size, const int a[], int x) { L1: i=0; L2: if(!(i<size)) goto L8; L3: if(!(a[i]==x)) goto L6; L4: result=TRUE; L5: goto LEND; L6: i++; L7: goto L2; L8: result=FALSE; LEND:; return result; } Example II bool find_linear(unsigned size, const int a[], int x) { unsigned i; for(i=0; i<size; i++) if(a[i]==x) return TRUE; return FALSE; } A 2. Translate your program into goto program

10 10 Theorem Proving and Model Checking in PVS Example III/IV A 3. Partition your program into basic blocks L1(c: C):C=c WITH [i:=0] L2(c: C):C=c L3(c: C):C=c L4(c: C):C=c WITH [result:=TRUE] L5(c: C):C=c L6(c: C):C=c WITH [i:=c`i+1] L7(c: C):C=c L8(c: C):C=c WITH [result:=FALSE] 4. Write transition function for each basic block bool find_linear (unsigned size, const int a[], int x) { L1: i=0; L2: if(!(i<size)) goto L8; L3: if(!(a[i]==x)) goto L6; L4: result=TRUE; L5: goto LEND; L6: i++; L7: goto L2; L8: result=FALSE; LEND:; return result; }

11 11 Theorem Proving and Model Checking in PVS Example V 5. Combine transition functions using a program counter t(c: C):C=CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT c`i < c`size THEN L8 ELSE L3 ENDIF], L3: L3(c) WITH [PC:= IF NOT c`a(c`i)=c`x THEN L6 ELSE L4 ENDIF], L4: L4(c) WITH [PC:=L5], L5: L5(c) WITH [PC:=LEND], L6: L6(c) WITH [PC:=L7], L7: L7(c) WITH [PC:=L2], L8: L8(c) WITH [PC:=LEND], LEND: c ENDCASES A bool find_linear (unsigned size, const int a[], int x) { L1: i=0; L2: if(!(i<size)) goto L8; L3: if(!(a[i]==x)) goto L6; L4: result=TRUE; L5: goto LEND; L6: i++; L7: goto L2; L8: result=FALSE; LEND:; return result; }

12 12 Theorem Proving and Model Checking in PVS Example VI A 6. Define Configuration Sequence c(T: nat, initial: C):RECURSIVE C= IF T=0 THEN initial WITH [PC:=L1] ELSE t(c(T-1, initial)) ENDIF MEASURE T 7. Now prove properties about PC=LEND states program_correct: THEOREM FORALL (initial: C): FORALL (T: nat | c(T)`PC=LEND): c(T)`result=correct_result(initial) What is the correct result?

13 13 Theorem Proving and Model Checking in PVS C: TYPE = [# size: nat, a: [nat -> integer], x: integer, i: nat, result: bool, PC: PCt #] Example IV correct_result(c: C): bool= EXISTS (j: below(c`size)): c`a(j)=c`x A OK! LET’S PROVE THIS!

14 14 Theorem Proving and Model Checking in PVS C: TYPE = [# size: nat, a: [nat -> integer], x: integer, i: nat, result: bool, PC: PCt #] Something useful first… A program_correct: THEOREM FORALL (initial: C): FORALL (T: nat | c(T)`PC=LEND): c(T)`result=correct_result(initial) This relates initial state and final state We need to say: c(T)`a = initial`a Æ c(T)`x = initial`x Æ c(T)`size = initial`size OR: The program only changes i, result, PC We need to say: c(T)`a = initial`a Æ c(T)`x = initial`x Æ c(T)`size = initial`size OR: The program only changes i, result, PC

15 15 Theorem Proving and Model Checking in PVS invar_constants(T: nat, initial: C): bool= c(T, initial)`size=initial`size AND c(T, initial)`a =initial`a AND c(T, initial)`x =initial`x; constants: LEMMA FORALL (initial:C, T: nat): invar_constants(T, initial) Something useful first… A We need to say: c(T)`a = initial`a Æ c(T)`x = initial`x Æ c(T)`size = initial`size OR: The program only changes i, result, PC We need to say: c(T)`a = initial`a Æ c(T)`x = initial`x Æ c(T)`size = initial`size OR: The program only changes i, result, PC Proof: Induction on T + GRIND next: the real invariant…

16 16 Theorem Proving and Model Checking in PVS FORALL (j: below(c`i)): c`a(j)/=c`x Loop Invariant bool find_linear(unsigned size, const int a[], int x) { unsigned i; for(i=0; i<size; i++) if(a[i]==x) return TRUE; return FALSE; } A

17 17 Theorem Proving and Model Checking in PVS The Invariant A invar(c: C):bool=CASES c`PC OF L1: % i=0; L2: % if(!(i<size)) goto L8; L3: % if(!(a[i]==x)) goto L6; L4: % result=TRUE; L5: % goto LEND; L6: % i++; L7: % goto L2; L8: % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES Beginning of the Loop End of the Loop

18 18 Theorem Proving and Model Checking in PVS The Invariant A invar(c: C):bool=CASES c`PC OF L1: % i=0; L2: FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(i<size)) goto L8; L3: % if(!(a[i]==x)) goto L6; L4: % result=TRUE; L5: % goto LEND; L6: % i++; L7: FORALL (j: below(c`i)): c`a(j)/=c`x, % goto L2; L8: % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES What here?

19 19 Theorem Proving and Model Checking in PVS The Invariant A invar(c: C):bool=CASES c`PC OF L1: TRUE, % i=0; L2: FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(i<size)) goto L8; L3: % if(!(a[i]==x)) goto L6; L4: % result=TRUE; L5: % goto LEND; L6: % i++; L7: FORALL (j: below(c`i)): c`a(j)/=c`x, % goto L2; L8: % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES Exiting the Loop Exiting the Loop Exiting the Loop Exiting the Loop

20 20 Theorem Proving and Model Checking in PVS The Invariant A invar(c: C):bool=CASES c`PC OF L1: TRUE, % i=0; L2: FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(i<size)) goto L8; L3: % if(!(a[i]==x)) goto L6; L4: % result=TRUE; L5: % goto LEND; L6: % i++; L7: FORALL (j: below(c`i)): c`a(j)/=c`x, % goto L2; L8: c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES What here?

21 21 Theorem Proving and Model Checking in PVS The Invariant A invar(c: C):bool=CASES c`PC OF L1: TRUE, % i=0; L2: FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(i<size)) goto L8; L3: c`i<c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(a[i]==x)) goto L6; L4: % result=TRUE; L5: % goto LEND; L6: % i++; L7: FORALL (j: below(c`i)): c`a(j)/=c`x, % goto L2; L8: c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES What here?

22 22 Theorem Proving and Model Checking in PVS The Invariant A invar(c: C):bool=CASES c`PC OF L1: TRUE, % i=0; L2: FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(i<size)) goto L8; L3: c`i<c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(a[i]==x)) goto L6; L4: % result=TRUE; L5: % goto LEND; L6: FORALL (j: below(c`i+1)): c`a(j)/=c`x, % i++; L7: FORALL (j: below(c`i)): c`a(j)/=c`x, % goto L2; L8: c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES What here?

23 23 Theorem Proving and Model Checking in PVS The Invariant invar(c: C):bool=CASES c`PC OF L1: TRUE, % i=0; L2: FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(i<size)) goto L8; L3: c`i<c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % if(!(a[i]==x)) goto L6; L4: c`i<c`size AND c`a(c`i)=c`x, % result=TRUE; L5: c`i<c`size AND c`a(c`i)=c`x AND c`result=true, % goto LEND; L6: FORALL (j: below(c`i+1)): c`a(j)/=c`x, % i++; L7: FORALL (j: below(c`i)): c`a(j)/=c`x, % goto L2; L8: c`i>=c`size AND FORALL (j: below(c`i)): c`a(j)/=c`x, % result=FALSE; LEND: c`result EXISTS (j: below(c`size)): c`a(j)=c`x ENDCASES

24 24 Theorem Proving and Model Checking in PVS The Invariant DARING CLAIM “Once you have found the invariant, the proof is done.” We now have the invariant. Lets do the actual proof. Who believes we are done? A

25 25 Theorem Proving and Model Checking in PVS The Gentzen Sequent {-1} i(0)`reset {-2} i(4)`reset |------- {1} i(1)`reset {2} i(2)`reset {3} (c(2)`A AND NOT c(2)`B) Disjunction (Consequents) Conjunction (Antecedents)  Or: Reset in cycles 0, 4 is on, and off in 1, 2. Show that A and not B holds in cycle 2.

26 26 Theorem Proving and Model Checking in PVS The Magic of (GRIND) Myth: Grind does it all… Reality: Use it when: –Case splitting, skolemization, expansion, and trivial instantiations are left Does not do induction Does not apply lemmas “... frequently used to automatically complete a proof branch…”

27 27 Theorem Proving and Model Checking in PVS The Magic of (GRIND) If it goes wrong… –you can get unprovable subgoals –it might expand recursions forever How to abort? –Hit Ctrl-C twice, then (restore) How to make it succeed? –Before running (GRIND), remove unnecessary parts of the sequent using (DELETE fnum). It will prevent that GRIND makes wrong instantiations and expands the wrong definitions.

28 28 Theorem Proving and Model Checking in PVS NOW LET’S PROVE THE INVARIANT

29 29 Theorem Proving and Model Checking in PVS A word on automation… A The generation of C, t, and c can be trivially automated Most of the invariant can be generated automatically – all but the actual loop invariant (case L7/L2) The proof is automatic unless quantifier instantiation is required

30 30 Theorem Proving and Model Checking in PVS Modularization t(c: C):C=CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT c`i < c`size THEN L8 ELSE L3 ENDIF], L3: L3(c) WITH [PC:= IF NOT c`a(c`i)=c`x THEN L6 ELSE L4 ENDIF], L4: L4(c) WITH [PC:=L5], L5: L5(c) WITH [PC:=LEND], L6: L6(c) WITH [PC:=L7], L7: L7(c) WITH [PC:=L2], L8: L8(c) WITH [PC:=LEND], LEND: c ENDCASES bool find_linear (unsigned size, const int a[], int x) { L1: i=0; L2: if(!(i<size)) goto L8; L3: if(!(a[i]==x)) goto L6; L4: result=TRUE; L5: goto LEND; L6: i++; L7: goto L2; L8: result=FALSE; LEND:; return result; } How about a program with a 1000 basic blocks? = 1000 cases? A Better not Remedy: Modularize the program and the proof Idea: find_linear is a function in the C program, make it a function in PVS as well C  C Functions in PVS must be total, thus, this requires proof of termination

31 31 Theorem Proving and Model Checking in PVS Modularization A epsilon_ax: AXIOM (EXISTS x: p(x)) => p(epsilon(p)) find_linear(start: C): C= c( epsilon! (T: nat): c(T, start)`PC=LEND, start) a T such that c(T, start)`PC=LEND "epsilon! (x:t): p(x)” is translated to "epsilon(LAMBDA (x:t): p(x))” THIS IS WHAT REQUIRES TERMINATION

32 32 Theorem Proving and Model Checking in PVS Modularization A termination: THEOREM FORALL (initial: C): EXISTS (T: nat): c(T, initial)`PC=LEND epsilon_ax: AXIOM (EXISTS x: p(x)) => p(epsilon(p)) allows to show the left hand side of the right hand side then says c(epsilon! (T: nat): c(T, start)`PC=LEND, start)`PC=LEND

33 33 Theorem Proving and Model Checking in PVS Modularization A find_linear(start: C): C= c( epsilon! (T: nat): c(T, start)`PC=LEND, start) What to prove about it? find_linear_correct: THEOREM FORALL (c: C): LET new=find_linear(c) IN new=c WITH [result:=correct_result(c)] ? ? What is missing?

34 34 Theorem Proving and Model Checking in PVS Modularization A find_linear(start: C): C= c( epsilon! (T: nat): c(T, start)`PC=LEND, start) What to prove about it? find_linear_correct: THEOREM FORALL (c: C): LET new=find_linear(c) IN new=c WITH [result:=correct_result(c), PC:=new`PC, i:=new`i] “All variables but result, PC, and i are unchanged, and result is the correct result.”

35 35 Theorem Proving and Model Checking in PVS NOW LET’S PROVE THE THEOREM

Download ppt "1 Theorem Proving and Model Checking in PVS 15-820A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University."

Similar presentations

For(int i = 1; i

For(int i = 1; i
Lesson 10.4: Mathematical Induction

Lesson 10.4: Mathematical Induction
Master Theorem Chen Dan Dong Feb. 19, 2013

Master Theorem Chen Dan Dong Feb. 19, 2013
School of Computing Clemson University Mathematical Reasoning  Goal: To prove correctness  Method: Use a reasoning table  Prove correctness on all valid.

School of Computing Clemson University Mathematical Reasoning  Goal: To prove correctness  Method: Use a reasoning table  Prove correctness on all valid.
8. 1+5+9+13+……+(4n-3) = n(2n-1) P 1 = 1(2(1)-1)=1 check.

……+(4n-3) = n(2n-1) P 1 = 1(2(1)-1)=1 check.
CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel.

CSE 8389 Theorem Proving - Seidel Spring CSE 8389 Theorem Proving Peter-Michael Seidel.
Sample Test 1 Question. A pattern of binary digits can be interpreted in several different ways. Show how the pattern 01011010 translates using each of.

Sample Test 1 Question. A pattern of binary digits can be interpreted in several different ways. Show how the pattern translates using each of.
2-7 Flow Proofs.

2-7 Flow Proofs.
Chapter 4.5 Notes: Prove Triangles Congruent by ASA and AAS Goal: You will use two more methods to prove congruences.

Chapter 4.5 Notes: Prove Triangles Congruent by ASA and AAS Goal: You will use two more methods to prove congruences.
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)
Bit Vector Decision Procedures A Basis for Reasoning about Hardware & Software Randal E. Bryant Carnegie Mellon University.

Bit Vector Decision Procedures A Basis for Reasoning about Hardware & Software Randal E. Bryant Carnegie Mellon University.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
What is the best way to start? 1.Plug in n = 1. 2.Factor 6n 2 + 5n + 4. 3.Let n be an integer. 4.Let n be an odd integer. 5.Let 6n 2 + 5n + 4 be an odd.

What is the best way to start? 1.Plug in n = 1. 2.Factor 6n 2 + 5n Let n be an integer. 4.Let n be an odd integer. 5.Let 6n 2 + 5n + 4 be an odd.
Vex 1.0 © 2005 Carnegie Mellon Robotics Academy Inc. Dimensioning the Vex Plus Gusset.

Vex 1.0 © 2005 Carnegie Mellon Robotics Academy Inc. Dimensioning the Vex Plus Gusset.
A practical approach to formal methods Lecturer: Ralph Back Place: A5059 Time:e very second Monday, 13 - 16 Dates: 28.1, 11.2, 25.2, 10.3, 31.3, 14.4,

A practical approach to formal methods Lecturer: Ralph Back Place: A5059 Time:e very second Monday, Dates: 28.1, 11.2, 25.2, 10.3, 31.3, 14.4,
The Rare Glitch Project: Verifying Bus Protocols for Embedded Systems Edmund Clarke, Daniel Kroening Carnegie Mellon University.

The Rare Glitch Project: Verifying Bus Protocols for Embedded Systems Edmund Clarke, Daniel Kroening Carnegie Mellon University.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.

Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.
1 Theorem Proving and Model Checking in PVS 15-820A Modeling Hardware and Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.

1 Theorem Proving and Model Checking in PVS A Modeling Hardware and Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.
PYTHAGOREAN THEOREAM

PYTHAGOREAN THEOREAM

Similar presentations

Ads by Google