Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel.

Published byGavin Heyne Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel."— Presentation transcript:

1 CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel

2 CSE 8389 Theorem Proving - Seidel Spring 2005 2 PVS Workflow PVS File System Properties PROOFS Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually  Proof construction Interaction with the theorem prover  A

3 CSE 8389 Theorem Proving - Seidel Spring 2005 3 PVS Workflow PVS File System Properties PROOFS Conversion of system (Program, circuit, protocol…) and property. Can be automated or done manually  Proof construction Interaction with the theorem prover  A

4 CSE 8389 Theorem Proving - Seidel Spring 2005 4 The PVS Language There are two languages 1.The language to write definitions and theorems (“definition language“) 2.The language to prove theorems (“proof language”) They have nothing to do with each other The definition language looks like “normal math” (translator to Latex built in) The proof language looks like LISP

5 CSE 8389 Theorem Proving - Seidel Spring 2005 5 Theorem Proving The goal is to show that theorem T is a tautology |= T or follows from the Assumptions & Axioms F 1,…, F k F 1,…, F k |= T PVS operates on sequents of the form F 1,…, F k |– G 1,…, G l AntecedentsConsequents Meaning: The disjunction of the Consequents is a logical consequence of the conjunction of the Antecedents F 1  F 2  …  F k implies G 1  G 2  …  G l Initial sequent (show Theorem): |- T TheoremAxioms, Assumptions Antecedents and Consequents are HOL Formulas

6 CSE 8389 Theorem Proving - Seidel Spring 2005 6 Proof Trees Sequents can be modified by PVS proof commands F 1,…, F k |– G 1,…, G l AntecedentsConsequents The result of a proof command is a (possibly empty) set of subsequents Initial sequent (show Theorem): |- T The repeated application of proof commands on sequents defines a tree A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof. A theorem T is proven if all proof branches are closed.

7 CSE 8389 Theorem Proving - Seidel Spring 2005 7 Sequents in PVS notation {-1} i(0)`reset {-2} i(4)`reset |------- {1} i(1)`reset {2} i(2)`reset {3} (c(2)`A AND NOT c(2)`B) Disjunction (Consequents) Conjunction (Antecedents) Or: Reset in cycles 0, 4 is on, and off in 1, 2. Show that A and not B holds in cycle 2.

8 CSE 8389 Theorem Proving - Seidel Spring 2005 8 Example Gauss Specifications (for any n > 0) Sum(n) := Recsum(n) := Gauss(n) := gauss: Theory Begin Importing bitvectors@sums n, i: Var nat sum(n): nat = sigma(0, n, Lambda i: i) recsum(n): recursive nat = if n = 0 Then 0 Else n + recsum(n-1) endif measure n gauss(n): real = n * (n + 1) / 2 end gauss

9 CSE 8389 Theorem Proving - Seidel Spring 2005 9 Example Gauss Specifications (for any n > 0) Sum(n) := Recsum(n) := Gauss(n) := Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n)

10 CSE 8389 Theorem Proving - Seidel Spring 2005 10 Example Gauss Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n) gauss: Theory … sum_is_recsum: Lemma sum(n) = recsum(n) recsum_is_gauss: Lemma recsum(n) = gauss(n) sum_is_gauss: Theorem sum(n) = gauss(n) end gauss

11 CSE 8389 Theorem Proving - Seidel Spring 2005 11 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n) Sum(n) := Recsum(n) := recursive definition suggests induction Induction basis

12 CSE 8389 Theorem Proving - Seidel Spring 2005 12 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n) Definitions Sum(n) := Recsum(n) := Sum(0) = ?? Recsum(0) = ??

13 CSE 8389 Theorem Proving - Seidel Spring 2005 13 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n) Induction step

14 CSE 8389 Theorem Proving - Seidel Spring 2005 14 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

15 CSE 8389 Theorem Proving - Seidel Spring 2005 15 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

16 CSE 8389 Theorem Proving - Seidel Spring 2005 16 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

17 CSE 8389 Theorem Proving - Seidel Spring 2005 17 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

18 CSE 8389 Theorem Proving - Seidel Spring 2005 18 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

19 CSE 8389 Theorem Proving - Seidel Spring 2005 19 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

20 CSE 8389 Theorem Proving - Seidel Spring 2005 20 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

21 CSE 8389 Theorem Proving - Seidel Spring 2005 21 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

22 CSE 8389 Theorem Proving - Seidel Spring 2005 22 Example Gauss sum_is_recsum: Lemma sum(n) = recsum(n)

23 CSE 8389 Theorem Proving - Seidel Spring 2005 23 Example Gauss Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n) gauss: Theory … sum_is_recsum: Lemma sum(n) = recsum(n) recsum_is_gauss: Lemma recsum(n) = gauss(n) sum_is_gauss: Theorem sum(n) = gauss(n) end gauss

24 CSE 8389 Theorem Proving - Seidel Spring 2005 24 Example Gauss recsum_is_gauss: Lemma recsum(n) = gauss(n) Definitions Recsum(n) := Gauss(n) := recursive definition suggests induction more powerful

25 CSE 8389 Theorem Proving - Seidel Spring 2005 25 Example Gauss Theorems For all n > 0: Sum(n) = Recsum(n) = Gauss(n) gauss: Theory … sum_is_recsum: Lemma sum(n) = recsum(n) recsum_is_gauss: Lemma recsum(n) = gauss(n) sum_is_gauss: Theorem sum(n) = gauss(n) end gauss

26 CSE 8389 Theorem Proving - Seidel Spring 2005 26 Example Gauss sum_is_gauss: Lemma sum(n) = gauss(n)

27 CSE 8389 Theorem Proving - Seidel Spring 2005 27 Proof Trees recsum_is_gauss sum_is_gauss sum_is_recsum

28 CSE 8389 Theorem Proving - Seidel Spring 2005 28 Proof commands COPY duplicates a formula Why? When you instantiate a quantified formula, the original one is lost DELETE removes unnecessary formulae – keep your proof easy to follow

29 CSE 8389 Theorem Proving - Seidel Spring 2005 29 Propositional Rules BDDSIMP simplify propositional structure using BDDs CASE: case splitting usage: (CASE “i!1=5”) FLATTEN: Flattens conjunctions, disjunctions, and implications IFF: Convert a=b to a b for a, b boolean LIFT-IF move up case splits inside a formula

30 CSE 8389 Theorem Proving - Seidel Spring 2005 30 Quantifiers INST: Instantiate Quantifiers –Do this if you have EXISTS in the consequent, or FORALL in the antecedent –Usage: (INST -10 “100+x”) SKOLEM!: Introduce Skolem Constants –Do this if you have FORALL in the consequent (and do not want induction), or EXISTS in the antecedent –If the type of the variable matters, use SKOLEM-TYPEPRED

31 CSE 8389 Theorem Proving - Seidel Spring 2005 31 Equality REPLACE: If you have an equality in the antecedent, you can use REPLACE –Example: (REPLACE -1) {-1} l=r replace l by r –Example: (REPLACE -1 RL) {-1} l=r replace r by l

32 CSE 8389 Theorem Proving - Seidel Spring 2005 32 Using Lemmas / Theorems EXPAND: Expand the definition –Example: (EXPAND “min”) LEMMA: add a lemma as antecedent –Example: (LEMMA “my_lemma”) –After that, instantiate the quantifiers with (INST -1 “x”) –Try (USE “my_lemma”). It will try to guess how you want to instantiate

33 CSE 8389 Theorem Proving - Seidel Spring 2005 33 Induction INDUCT: Performs induction –Usage: (INDUCT “i”) –There should be a FORALL i: … equation in the consequent –You get two subgoals, one for the induction base and one for the step –PVS comes with many induction schemes. Look in the prelude for the full list

34 CSE 8389 Theorem Proving - Seidel Spring 2005 34 The Magic of (GRIND) Myth: Grind does it all… Reality: Use it when: –Case splitting, skolemization, expansion, and trivial instantiations are left Does not do induction Does not apply lemmas “... frequently used to automatically complete a proof branch…”

35 CSE 8389 Theorem Proving - Seidel Spring 2005 35 The Magic of (GRIND) If it goes wrong… –you can get unprovable subgoals –it might expand recursions forever How to abort? –Hit Ctrl-C twice, then (restore) How to make it succeed? –Before running (GRIND), remove unnecessary parts of the sequent using (DELETE fnum). It will prevent that GRIND makes wrong instantiations and expands the wrong definitions.

36 CSE 8389 Theorem Proving - Seidel Spring 2005 36 Proof Trees Induction Proof |- T( n: nat ) Induction basisInduction step n=0 |- T(0) T(n*) |- T(n*+1)

37 CSE 8389 Theorem Proving - Seidel Spring 2005 37 Number representations Natural number with binary representation: PVS conversion bv2nat: Range of numbers which have a binary representation of length n : Integer with two’s complement representation : PVS conversion bv2int: Range of numbers with two’s complement representation of length n :

38 CSE 8389 Theorem Proving - Seidel Spring 2005 38 Lemmas from Bitvector Library Lemma 1 Lemma 2 Lemma 3 Lemma 4

39 CSE 8389 Theorem Proving - Seidel Spring 2005 39 Lemmas from Bitvector Library Lemma 5 Lemma 6 Lemma 7 Lemma 8

40 CSE 8389 Theorem Proving - Seidel Spring 2005 40 Lemmas from Bitvector Library Lemma 9 Lemma 10 Lemma 11 Lemma 12

41 CSE 8389 Theorem Proving - Seidel Spring 2005 41 Ripple Carry Adder

42 CSE 8389 Theorem Proving - Seidel Spring 2005 42 Ripple Carry Adder

43 CSE 8389 Theorem Proving - Seidel Spring 2005 43 Ripple Carry Adder

44 CSE 8389 Theorem Proving - Seidel Spring 2005 44 Ripple Carry Adder

45 CSE 8389 Theorem Proving - Seidel Spring 2005 45 Ripple Carry Adder

46 CSE 8389 Theorem Proving - Seidel Spring 2005 46 Ripple Carry Adder

47 CSE 8389 Theorem Proving - Seidel Spring 2005 47 Ripple Carry Adder

48 CSE 8389 Theorem Proving - Seidel Spring 2005 48 Ripple Carry Adder

49 CSE 8389 Theorem Proving - Seidel Spring 2005 49 Ripple Carry Adder

50 CSE 8389 Theorem Proving - Seidel Spring 2005 50 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

51 CSE 8389 Theorem Proving - Seidel Spring 2005 51 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0

52 CSE 8389 Theorem Proving - Seidel Spring 2005 52 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

53 CSE 8389 Theorem Proving - Seidel Spring 2005 53 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

54 CSE 8389 Theorem Proving - Seidel Spring 2005 54 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

55 CSE 8389 Theorem Proving - Seidel Spring 2005 55 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

56 CSE 8389 Theorem Proving - Seidel Spring 2005 56 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

57 CSE 8389 Theorem Proving - Seidel Spring 2005 57 Conditional Sum Adder Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0 Assume n is power of 2:

58 CSE 8389 Theorem Proving - Seidel Spring 2005 58 Conditional Sum Adder

59 CSE 8389 Theorem Proving - Seidel Spring 2005 59 Modeling Hardware with PVS Combinational Hardware –No latches –Circuit is loop-free –Examples: arithmetic circuits, ALUs, … Clocked Circuits –Combinational part + registers (latches) –Examples: Processors, Controllers,… A

60 CSE 8389 Theorem Proving - Seidel Spring 2005 60 Modeling Hardware with PVS Idea: Model combinational circuits using functions on bit vectors f(A, B, reset: bit):bit= IF NOT(reset) THEN (NOT A) OR B ELSE false ENDIF A Translation from/to Verilog, VHDL, etc. easy

61 CSE 8389 Theorem Proving - Seidel Spring 2005 61 Modeling Hardware with PVS Combinational Hardware –No latches –Circuit is loop-free –Examples: arithmetic circuits, ALUs, … Clocked Circuits –Combinational part + registers (latches) –Examples: Processors, Controllers,… A

62 CSE 8389 Theorem Proving - Seidel Spring 2005 62 Clocked Circuits A TresetAB 01?? 1000 2010 3001 4011 5011 Configuration in cycle 4

63 CSE 8389 Theorem Proving - Seidel Spring 2005 63 Clocked Circuits A t(c: C, i: I):C= (# A:= IF i`reset THEN false ELSE (NOT c`A) OR c`B ENDIF, B:= IF i`reset THEN false ELSE c`A OR c`B ENDIF #) C: TYPE = [# A, B: bit #] I: TYPE = [# reset: bit #] 1. Define Type for STATE and INPUTS 2. Define the Transition Function

64 CSE 8389 Theorem Proving - Seidel Spring 2005 64 Clocked Circuits A c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T initial: C i: [nat -> I]; 3. Define Initial State and Inputs 4. Define the Configuration Sequence

65 CSE 8389 Theorem Proving - Seidel Spring 2005 65 Clocked Circuits A c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T 5. Prove things about this sequence c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)`A AND NOT c(2)`B) You can also verify invariants, even temporal properties that way.

66 CSE 8389 Theorem Proving - Seidel Spring 2005 66 Modeling Software with PVS (Software written in functional language) (Take a subset of PVS, and compile that) Software written in language like ANSI-C f(i: int):int= LET a1=LAMBDA (x: below(10)): 0 IN... LET a2=a1 WITH [(i):=5] IN... ai(0) int f(int i) { int a[10]={ 0, … };... a[i]=5;... return a[0]; } A What about loops?

67 CSE 8389 Theorem Proving - Seidel Spring 2005 67 Modeling Software with PVS A C: TYPE = [# a: [below(10)->integer], i: nat #] 1. Define Type for STATE int a[10]; unsigned i; int main() {... } nat? Of course, bvec[32] is better

68 CSE 8389 Theorem Proving - Seidel Spring 2005 68 Modeling Software with PVS A 2. Translate your program into goto program int a[10]; unsigned i,j,k; int main() { i=k=0; while(i<10) { i++; k+=2; } j=100; k++; } int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; }

69 CSE 8389 Theorem Proving - Seidel Spring 2005 69 Modeling Software with PVS A 3. Partition your program into basic blocks int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } L1(c: C):C= c WITH [i:=0, k:=0] L2(c: C):C= c L3(c: C):C= c WITH [i:=c`i+1, k:=c`k+2] L4(c: C):C= c WITH [j:=100, k:=c`k+1] 4. Write transition function for each basic block

70 CSE 8389 Theorem Proving - Seidel Spring 2005 70 Modeling Software with PVS A 5. Combine transition functions using a program counter int a[10]; unsigned i,j,k; int main() { L1: i=k=0; L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2; L4: j=100; k++; } PCt: TYPE = { L1, L2, L3, L4, END } add PC: PCt to C t(c: C): C= CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT (c`i<10) THEN L4 ELSE L3 ENDIF, L3: L3(c) WITH [PC:=L2], L4: L4(c) WITH [PC:=END], END: c ENDCASES make sure the PC of the initial state is L1

Download ppt "CSE 8389 Theorem Proving - Seidel Spring 2005 1 CSE 8389 Theorem Proving Peter-Michael Seidel."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.

Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Some important properties Lectures of Prof. Doron Peled, Bar Ilan University.

Some important properties Lectures of Prof. Doron Peled, Bar Ilan University.
Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.

Proof checking with PVS Book: Chapter 3. A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END.
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
1 Theorem Proving and Model Checking in PVS 15-820A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.

1 Theorem Proving and Model Checking in PVS A Proving Software with PVS Edmund Clarke Daniel Kroening Carnegie Mellon University.
Recursive Definitions and Structural Induction

Recursive Definitions and Structural Induction
74.757 Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.

Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
What’s left in the course. The course in a nutshell Logics Techniques Applications.

What’s left in the course. The course in a nutshell Logics Techniques Applications.
Katz2004 236386--Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems 236368 Shmuel Katz The Technion.

Katz Formal Specifications Larch 1 Algebraic Specification and Larch Formal Specifications of Complex Systems Shmuel Katz The Technion.
Discrete Mathematics Lecture 4 Harper Langston New York University.

Discrete Mathematics Lecture 4 Harper Langston New York University.
1 Theorem proving Alexander Serebrenik. 2 TP for FM FM: proving properties of programs. Theorem proving: proving statements in first-order logics (FOL).

1 Theorem proving Alexander Serebrenik. 2 TP for FM FM: proving properties of programs. Theorem proving: proving statements in first-order logics (FOL).
Logic in Computer Science Transparency No. 3.3-1 Chapter 3 Propositional Logic 3.6. Propositional Resolution 3.7. Natural Deduction.

Logic in Computer Science Transparency No Chapter 3 Propositional Logic 3.6. Propositional Resolution 3.7. Natural Deduction.
CS5371 Theory of Computation Lecture 1: Mathematics Review I (Basic Terminology)

CS5371 Theory of Computation Lecture 1: Mathematics Review I (Basic Terminology)
Computer ArchitectureFall 2008 © August 25, 2008 www.qatar.cmu.edu/~msakr/15447-f08/ CS 447 – Computer Architecture Lecture 3 Computer Arithmetic (1)

Computer ArchitectureFall 2008 © August 25, CS 447 – Computer Architecture Lecture 3 Computer Arithmetic (1)
CSE115/ENGR160 Discrete Mathematics 03/31/11

CSE115/ENGR160 Discrete Mathematics 03/31/11
Natural deduction  ` A  ` B  ` A Æ B  ` A  ` A Æ B  ` B  ` B  ` A ) B  ` A  ` A ) B  ` B  ` A ÆIÆI ÆE1ÆE1 ÆE2ÆE2 Assume )I)I.

Natural deduction  ` A  ` B  ` A Æ B  ` A  ` A Æ B  ` B  ` B  ` A ) B  ` A  ` A ) B  ` B  ` A ÆIÆI ÆE1ÆE1 ÆE2ÆE2 Assume )I)I.
CSE20 Lecture 3 Number Systems: Negative Numbers 1.Sign and Magnitude Representation 2.1’s Complement Representation 3.2’s Complement Representation 1.

CSE20 Lecture 3 Number Systems: Negative Numbers 1.Sign and Magnitude Representation 2.1’s Complement Representation 3.2’s Complement Representation 1.
Lecture 11 1.5, 3.1 Methods of Proof. Last time in 1.5 To prove theorems we use rules of inference such as: p, p  q, therefore, q NOT q, p  q, therefore.

Lecture , 3.1 Methods of Proof. Last time in 1.5 To prove theorems we use rules of inference such as: p, p  q, therefore, q NOT q, p  q, therefore.

Similar presentations

Ads by Google