1/24 An Introduction to PVS Charngki Hong @ PSWLAB

An Introduction to PVS

Judy Crow, Sam Owre, John Rushby, Natarajan Shankar, Mandayam Srivas
Computer Science Laboratory, SRI International


Table of Contents

  Introduction
  A brief tour of PVS
  PVS language
  More examples
  References


Introduction

PVS stands for “Prototype Verification System”.

PVS consists of a specification language integrated with support tools and a theorem prover.

PVS is both interactive and highly mechanized: the user chooses each proving step and PVS performs it, displays the result, and then waits for the next command.

The goal of PVS: PVS is designed to help in the detection of errors as well as in the confirmation of correctness.



A brief tour of PVS

PVS has three steps to prove target specifications:
1. Creating a specification
2. Typechecking
3. Proving


A brief tour of PVS: Creating a specification

1. Use the M-x new-pvs-file command to create a new PVS file, and type a name for the file
2. Or simply load an existing PVS file using the M-x find-pvs-file command


A brief tour of PVS: Create a sum.pvs file

  % specification for the summation of the first n natural numbers
  sum : THEORY
  BEGIN
    n : VAR nat
    sum(n) : RECURSIVE nat =
      (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF)
      MEASURE (LAMBDA n: n)    % used to show that the definition terminates
    closed_form : THEOREM sum(n) = (n * (n+1)) / 2
  END sum


A brief tour of PVS: Typechecking

1. M-x typecheck command to typecheck
2. M-x show-tccs command to see the TCCs
3. M-x typecheck-prove to prove the TCCs

TCC: Type Correctness Condition. The TCCs must be proved in order to show that the theory is type correct. The proofs of the TCCs may be postponed indefinitely.


A brief tour of PVS: Typechecking

TCCs generated for sum:

sum takes an argument of type nat, but the type of the argument in the recursive call to sum is integer, since nat is not closed under subtraction.

Since sum is defined recursively, we also need to ensure that the function terminates.

  % Subtype TCC generated (line 7) for n-1
    % unchecked
  sum_TCC1 : OBLIGATION (FORALL (n: nat): NOT n=0 IMPLIES n-1 >= 0)

  % Termination TCC generated (line 7) for sum
    % unchecked
  sum_TCC2 : OBLIGATION (FORALL (n: nat): NOT n=0 IMPLIES n-1 < n)


A brief tour of PVS: Proving

Place the cursor on the line containing the theorem, and type M-x prove.

A new buffer will pop up, the formula will be displayed, and the cursor will appear at the Rule? prompt, indicating that the user can interact with the prover.

The proving process is complete when there are no more unproven subgoals.


A brief tour of PVS: Proving

1. Prove the formula by induction on n. This generates 2 subgoals:
   1. base case
   2. inductive step


A brief tour of PVS: Proving

2. Simplify the formula.
3. Send the proof to the PVS decision procedure.


A brief tour of PVS: Proving

skolem! command: eliminates the FORALL quantifier by providing new constants for the bound variables.

flatten command: breaks up the succedent into a new antecedent and consequent.



PVS language: A simple example, the rational numbers

  rats : THEORY
  BEGIN
    rat  : TYPE
    zero : rat
    /    : [rat, rat -> rat]
    *    : [rat, rat -> rat]
    x, y : VAR rat
    left_cancellation : AXIOM x * (y/x) = y
    zero_times        : AXIOM zero * x = zero
  END rats

We need to consider division by zero: with x = zero, left_cancellation says zero * (y/zero) = y, while zero_times says that product is zero, so every y would equal zero.


PVS language: A simple example, the rational numbers (with a predicate subtype)

  rats : THEORY
  BEGIN
    rat     : TYPE
    zero    : rat
    nonzero : TYPE = { x : rat | x /= zero }    % predicate subtype
    /       : [rat, nonzero -> rat]
    *       : [rat, rat -> rat]
    x, y    : VAR rat
    left_cancellation : AXIOM x /= zero IMPLIES x * (y/x) = y
    zero_times        : AXIOM zero * x = zero
  END rats


PVS language: Example, Stacks (generic type)

  stacks [t : TYPE] : THEORY    % t is a generic type parameter
  BEGIN
    stack : TYPE
    empty : stack
    s     : VAR stack
    x     : VAR t
    push  : [t, stack -> stack]
    pop   : [stack -> stack]
    top   : [stack -> t]
    pop_push : AXIOM pop(push(x, s)) = s
    top_push : AXIOM top(push(x, s)) = x
  END stacks
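As an added example (not from the slides or the PVS tutorial), the stacks theory combined with the predicate-subtype idea from the rational-number example: declaring pop and top only on non-empty stacks turns the "pop of empty" case from an unspecified result into an obligation the typechecker raises. The names safe_stacks, nonempty and push_nonempty are chosen here.

```pvs
% Added example, not from the slides: stacks with a predicate subtype,
% in the style of nonzero in the rats theory. The names safe_stacks,
% nonempty and push_nonempty are chosen for this example.
safe_stacks [t : TYPE] : THEORY
BEGIN
  stack : TYPE
  empty : stack
  s     : VAR stack
  x     : VAR t

  push : [t, stack -> stack]

  % Predicate subtype: the stacks that are not empty.
  nonempty : TYPE = { s : stack | s /= empty }

  % Pushing never yields the empty stack. This axiom is what makes
  % the subtype TCCs below provable.
  push_nonempty : AXIOM push(x, s) /= empty

  % pop and top are declared only on non-empty stacks, so pop(empty)
  % and top(empty) are type errors rather than unspecified values.
  pop : [nonempty -> stack]
  top : [nonempty -> t]

  % Each use of pop or top on push(x, s) generates a subtype TCC
  %   FORALL (x: t, s: stack): push(x, s) /= empty
  % which follows from push_nonempty. Applying pop to an arbitrary
  % s : stack would instead generate the TCC  s /= empty, which is
  % not provable, so the unsafe use is caught at typecheck time.
  pop_push : AXIOM pop(push(x, s)) = s
  top_push : AXIOM top(push(x, s)) = x
END safe_stacks
```

After M-x typecheck, M-x show-tccs lists the two subtype TCCs; they are discharged interactively from push_nonempty rather than by the default TCC strategy.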


PVS language: Example, factorial (recursive)

The MEASURE function is used to show that the definition terminates, by generating an obligation that the MEASURE decreases with each call.

  factorial : THEORY
  BEGIN
    fac(x: nat) : RECURSIVE nat =
      IF x = 0 THEN 1 ELSE x * fac(x-1) ENDIF
      MEASURE (LAMBDA (x: nat): x)
  END factorial


More examples: Quantifier Proof

Original goal:
  {-1}  FORALL x : P(x) AND Q(x)
    |-------
  {1}   (FORALL x : P(x)) AND (FORALL x : Q(x))

After the split command:

  Subgoal 1:
  [-1]  FORALL x : P(x) AND Q(x)
    |-------
  {1}   FORALL x : P(x)

  Subgoal 2:
  [-1]  FORALL x : P(x) AND Q(x)
    |-------
  {1}   FORALL x : Q(x)

  predicate : THEORY
  BEGIN
    T : TYPE
    x, y, z : VAR T
    P, Q : [T -> bool]
    pred_calc : THEOREM
      (FORALL x : P(x) AND Q(x)) IMPLIES (FORALL x : P(x)) AND (FORALL x : Q(x))
  END predicate


More examples: Decision Procedures

Inductive step: assume i + 8 can be expressed as 3*m + 5*n; show i + 8 + 1 = 3*m' + 5*n'.
  case n = 0 : i + 8 + 1 = 3*(m-3) + 5*2        (subgoal 2.1)
  case n > 0 : i + 8 + 1 = 3*(m+2) + 5*(n-1)    (subgoal 2.2)

  stamps : THEORY
  BEGIN
    i, three, five : VAR nat
    stamps : THEOREM
      (FORALL i : (EXISTS three, five : i+8 = 3 * three + 5 * five))
  END stamps


References

  A Tutorial Introduction to PVS, by Judy Crow, Sam Owre, John Rushby, Natarajan Shankar and Mandayam Srivas, WIFT ’95