Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University.

Published byCordelia Crawford Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University."— Presentation transcript:

1 Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University

2 ACL2 www.cs.utexas.edu/~moore/acl2 ACL2 is a programming language, logic, and theorem prover/checker based on Common Lisp. ACL2 is a powerful system for integrated modeling, simulation, and inductive reasoning. Under expert control, it has been used to verify some of the most complex theorems to have undergone mechanical verification. 1

3 ACL2s (acl2s.ccs.neu.edu) Eclipse plugin (sedan version) Pure functional subset Ensure valid input Different operational modes Termination analysis Random testing and bug generation Install and test and read (ACL2s Programming Language) 2

4 Read-Eval-Print-Loop (REPL) ACL2s reads inputs, evaluates them and prints the result ACL2S BB !>VALUE (* 2 3) 6 ACL2S BB !> 2/11/2009Goldwasser3

5 A Pure Functional Language x 1 = y 1,…,x n =y n  f(x 1,…,x n ) = f(y 1,…,y n ) No side-effects, no assignments, no state, no loops Use recursion instead of iteration Still Turing complete Makes reasoning about programs easier 4

6 C++ Function with Side-Effects #include using namespace std; int cc() { static int x = 0; return ++x; } int main() { cout << "cc() = " << cc() << endl; } 5 % g++ count.c %./a.out cc() = 1 cc() = 2 cc() = 3

7 ACL2 Syntax and Semantics Atoms (symbols, booleans, rationals, strings) predicates Lists ((1 2) 3) nil, cons, first and rest Functions and function application (* 2 (+ 1 2)) if expressions (if test then else) 6

8 ACL2 Atoms Rationals: For example, 11,−7, 3/2,−14/15 Symbols: For example, x, var, lst, t, nil Booleans: There are two Booleans, t, denoting true and nil, denoting false Strings: For example, “hello”, “good bye” 7

9 Function Application (* 2 3) 6 (* 2 (+ 1 2)) 6 (numerator 2/3) 2 (f x 1 … x n ) [applicative order] 8

10 if expressions if : Boolean × All × All → All (if test then else) (if test then else) = then, when test = t (if test then else) = else, when test = nil 9

11 Example if expressions (if t nil t) (if nil 3 4) (if (if t nil t) 1 2) 10

12 Equal equal : All × All → Boolean (equal x y) is t if x = y and nil otherwise. (equal 3 nil) = nil (equal 0 0) = t (equal (if t nil t) nil) = t 11

13 Predicates All → Boolean booleanp symbolp integerp rationalp 12

14 Defining Functions (defun booleanp (x) (if (equal x t) t (equal x nil))) 13

15 Input/Output Contracts (defunc booleanp (x) :input-contract t :output-contract (booleanp (booleanp x)) (if (equal x t) t (equal x nil))) 14

16 Input/Output Contracts ic ⇒ oc For booleanp (type checking) ∀ x :: t ⇒ (booleanp (booleanp x)) ∀ x :: (if t (booleanp (booleanp x)) t) ∀ x :: (booleanp (booleanp x)) 15

17 Contract Checking ACL2s will not admit a function unless it can prove that every function call in its body satisfies its contract (body contract checking) and can show that it satisfies its contract (contract checking) 16

18 Contract Violations ACL2S BB !>VALUE (unary-/ 0) ACL2 Error in ACL2::TOP-LEVEL: The guard for the function call (UNARY-/ X), which is (COMMON-LISP::AND (RATIONALP X) (COMMON-LISP::NOT (EQUAL X 0))), is violated by the arguments in the call (UNARY-/ 0). 17

19 Contract Checking Example (defunc foo (a) :input-contract (integerp a) :output-contract (booleanp (foo a)) (if (posp a) (foo (- a 1)) (rest a))) 18

20 Boolean Functions And : Boolean × Boolean → Boolean (defunc and (a b) :input-contract (if (booleanp a) (booleanp b) nil) :output-contract (booleanp (and a b)) (if a b nil)) Or Not Implies Iff Xor 19

21 Numbers *, +, <, unary--, unary-/ (defunc unary-/ (a) :input-contract (and (rationalp a) (not (equal a 0)))...) Numerator, Denominator Exercise: Subtraction and Division 20

22 posp (defunc posp (a) :input-contract t :output-contract (booleanp (posp a)) (if (integerp a) (< 0 a) nil)) 21

23 Incorrect posp (defunc posp (a) :input-contract t :output-contract (booleanp (posp a)) (and (integerp a) (< 0 a))) 22

24 Termination? ACL2 will only accept functions that it can prove terminate for all inputs Does the following always terminate? ;; Given integer n, return 0+1+2+...+n (defunc sum-n (n) :input-contract (integerp n) :output-contract (integerp (sum-n n)) (if (equal n 0) 0 (+ n (sum-n (- n 1))))) 23

25 Termination? Modify the input-contract so that sum-n does terminate for all inputs ;; Given integer n, return 0+1+2+...+n (defunc sum-n (n) :input-contract (integerp n) :output-contract (integerp (sum-n n)) (if (equal n 0) 0 (+ n (sum-n (- n 1))))) 24

26 Termination? Modify the input-contract so that sum-n does terminate for all inputs ;; Given integer n, return 0+1+2+...+n (defunc sum-n (n) :input-contract (natpp n) :output-contract (integerp (sum-n n)) (if (equal n 0) 0 (+ n (sum-n (- n 1))))) 25

27 natp ;; Test whether the input is a natural number (integer  0) (defunc natp (a) :input-contract t :output-contract (booleanp (natp a)) (if (integerp a) (or (< 0 a) (equal a 0)) nil)) 26

28 Lists: L = (x 1 … x n ) A list is either empty () [same as nil] or made up of Cons cells consp : All → Boolean cons : All × List → Cons (cons x L) = (x x 1 … x n ) first : Cons → All (first (cons x L)) = x rest : Cons → List (rest (cons x L)) = L 27

29 List Examples (list x 1 … x n ) [macro – variable # of args] (cons x 1 (cons x 2 … (cons x n nil)…)) (consp ()) = nil (cons 1 ()) = (1) (consp (cons 1 ())) = t (cons 1 (cons 2 (cons 3 ()))) = (1 2 3) (list 1 2 3) = (1 2 3) (cons (cons 1 ()) ()) = ((1)) 28

30 Exercise How do you construct the list ((1) 2)? 29

31 Exercise How do you construct the list ((1) 2)? (cons 1 ()) = (1) (cons 2 ()) = (2) Want (cons x y) where x = (1) and y = (2) (cons (cons 1 ()) (cons 2 ())) = ((1) 2) Test this (and try additional examples) in ACL2 REPL 30

32 More About cons A cons cell contains two fields first [also called car] rest [also called cdr] For a list the rest field must be a list Generally both fields of a cons  All (cons 1 2) = (1. 2) Called a dotted pair 31

33 List Processing Recursive Definition List : nil | cons All List Process lists using these two cases and use recursion to recursively process lists in cons Use first and rest to access components of cons 32

34 Recursion and listp 1 (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (if (consp l) (listp (rest l)) (equal l () ))) 1. listp is a built-in function in the full ACL2 mode that only checks for consp. True-listp behaves as above. 33

35 Incorrect listp Nonterminating ACL will not accept functions it can not prove terminate (defunc listp (a) :input-contract t :output-contract (booleanp (listp a)) (if (consp a) (listp a) (equal a nil))) 34

36 Version 2 of listp (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (if (equal l nil) t (if (consp l) (listp (rest l)) nil))) 35

37 Version 3 of listp (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (cond ((equal l nil) t) ((consp l) (listp (rest l))) nil)) 36

38 Length 1 (defun length (l) :input-contract (true-listp l) :output-contract (natp (length l)) (if (equal l nil) 0 ( ) )) 1. Length is a built-in function in the full ACL2 mode 37

39 Length (defun length (l) :input-contract (true-listp l) :output-contract (natp (length l)) (if (equal l nil) 0 (+ 1 (length (rest l))) )) The recursive function can be “thought of” as a definition of length 38

40 Member 1 (defunc member (x l) :input-contract (true-listp l) :output-contract (booleanp (member x l)) (cond ((equal l nil) nil) ( … ) ( … ))) 1. Member is a built-in function in the full ACL2 mode 39

41 Member (defun member (x l) :input-contract (true-listp l) :output-contract (booleanp (member x l)) (cond ((equal l nil) nil) ((equal x (first l)) t) ((member x (rest l)))) 40

42 Append 1 (defun append (x y) :input-contract (and (true-listp x) (true-listp y)) :output-contract (true-listp (append x y)) … ) (append ‘(1 2 3) ‘(4 5 6))  (1 2 3 4 5 6) Recurse on the first input 1. Append is a built-in function in the full ACL2 mode 41

43 Append (defun append (x y) :input-contract (if (equal x nil) y (cons (first x) (append (rest x) y)))) 42

44 Reverse 1 (defun reverse (l) :input-contract (true-listp l) :output-contract (true-listp (reverse l)) … ) (reverse ‘(1 2 3))  (3 2 1) 1. Reverse is a built-in function in the full ACL2 mode 43

45 Reverse (defun reverse (l) :input-contract (true-listp l) :output-contract (true-listp (reverse l)) (if (equal l nil) nil (append (reverse (rest l)) (cons (first l) nil)))) 44

46 Numatoms (defun atomp (x) :input-contract t :output-contract (booleanp (atomp x)) (not (consp x))) (defun numatoms (x) :input-contract t :output-contract (natp (numatoms x)) (cond ((equal x nil) 0) ((atomp x) 1) ((+ (numatoms (first x)) (numatoms (rest x)))))) 45

47 Shallow vs Deep Recursion Length and Member only recurse on the rest field for lists that are conses Such recursion is called shallow – it does not matter whether the lists contain atoms or lists (length ‘((1 2) 3 4)) = 3 Numatoms recurses in both the first and rest fields Such recursion is called deep – it completely traverses the list when elements are lists (numatoms ‘((1 2) 3 4)) = 4 46

Download ppt "Introduction to ACL2 CS 680 Formal Methods for Computer Verification Jeremy Johnson Drexel University."

Similar presentations

Lisp. Versions of LISP Lisp is an old language with many variants Lisp is alive and well today Most modern versions are based on Common Lisp LispWorks.

Lisp. Versions of LISP Lisp is an old language with many variants Lisp is alive and well today Most modern versions are based on Common Lisp LispWorks.
Lists in Lisp and Scheme a. Lists are Lisp’s fundamental data structures, but there are others – Arrays, characters, strings, etc. – Common Lisp has moved.

Lists in Lisp and Scheme a. Lists are Lisp’s fundamental data structures, but there are others – Arrays, characters, strings, etc. – Common Lisp has moved.
CSE 3341/655; Part 4 55 A functional program: Collection of functions A function just computes and returns a value No side-effects In fact: No program.

CSE 3341/655; Part 4 55 A functional program: Collection of functions A function just computes and returns a value No side-effects In fact: No program.
Lisp II. How EQUAL could be defined (defun equal (x y) ; this is how equal could be defined (cond ((numberp x) (= x y)) ((atom x) (eq x y)) ((atom y)

Lisp II. How EQUAL could be defined (defun equal (x y) ; this is how equal could be defined (cond ((numberp x) (= x y)) ((atom x) (eq x y)) ((atom y)
Functional Programming. Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends.

Functional Programming. Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends.
1 Programming Languages and Paradigms Lisp Programming.

1 Programming Languages and Paradigms Lisp Programming.
Lisp II. How EQUAL could be defined (defun equal (x y) ; this is how equal could be defined (cond ((numberp x) (= x y)) ((atom x) (eq x y)) ((atom y)

Lisp II. How EQUAL could be defined (defun equal (x y) ; this is how equal could be defined (cond ((numberp x) (= x y)) ((atom x) (eq x y)) ((atom y)
Lambda Calculus and Lisp PZ03J. Lambda Calculus The lambda calculus is a model for functional programming like Turing machines are models for imperative.

Lambda Calculus and Lisp PZ03J. Lambda Calculus The lambda calculus is a model for functional programming like Turing machines are models for imperative.
Chapter 3 Functional Programming. Outline Introduction to functional programming Scheme: an untyped functional programming language.

Chapter 3 Functional Programming. Outline Introduction to functional programming Scheme: an untyped functional programming language.
Termination Analysis Math Foundations of Computer Science.

Termination Analysis Math Foundations of Computer Science.
Slide 1 Summary Two basic concepts: variables and assignments Some C++ practical issues: division rule, operator precedence  Sequential structure of a.

Slide 1 Summary Two basic concepts: variables and assignments Some C++ practical issues: division rule, operator precedence  Sequential structure of a.
Defining functions in lisp In lisp, all programming is in terms of functions A function is something which –takes some arguments as input –does some computing.

Defining functions in lisp In lisp, all programming is in terms of functions A function is something which –takes some arguments as input –does some computing.
Lisp. Versions of LISP Lisp is an old language with many variants –LISP is an acronym for List Processing language Lisp is alive and well today Most modern.

Lisp. Versions of LISP Lisp is an old language with many variants –LISP is an acronym for List Processing language Lisp is alive and well today Most modern.
First Lecture on Introductory Lisp Yun Peng. Why Lisp? Because it’s the most widely used AI programming language Because AI researchers and theoreticians.

First Lecture on Introductory Lisp Yun Peng. Why Lisp? Because it’s the most widely used AI programming language Because AI researchers and theoreticians.
CS 330 Programming Languages 11 / 20 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 11 / 20 / 2007 Instructor: Michael Eckmann.
CMSC 471 LISP. Why Lisp? Because it’s the most widely used AI programming language Because it’s good for writing production software (Graham article)

CMSC 471 LISP. Why Lisp? Because it’s the most widely used AI programming language Because it’s good for writing production software (Graham article)
Artificial Intelligence and Lisp Lecture 6 LiU Course TDDC65 Autumn Semester, 2010

Artificial Intelligence and Lisp Lecture 6 LiU Course TDDC65 Autumn Semester, 2010
Functional programming: LISP Originally developed for symbolic computing First interactive, interpreted language Dynamic typing: values have types, variables.

Functional programming: LISP Originally developed for symbolic computing First interactive, interpreted language Dynamic typing: values have types, variables.
LISP A brief overview. Lisp stands for “LISt Process” –Invented by John McCarthy (1958) –Simple data structure (atoms and lists) –Heavy use of recursion.

LISP A brief overview. Lisp stands for “LISt Process” –Invented by John McCarthy (1958) –Simple data structure (atoms and lists) –Heavy use of recursion.
COMP 205 – Week 11 Dr. Chunbo Chu. Intro Lisp stands for “LISt Process” Invented by John McCarthy (1958) Simple data structure (atoms and lists) Heavy.

COMP 205 – Week 11 Dr. Chunbo Chu. Intro Lisp stands for “LISt Process” Invented by John McCarthy (1958) Simple data structure (atoms and lists) Heavy.

Similar presentations

Ads by Google