CSE 8389 Theorem Proving Peter-Michael Seidel

CSE 8389 Theorem Proving - Seidel Spring 2005 1

CSE 8389

Theorem Proving

Peter-Michael Seidel


PVS Workflow

PVS FilePVS File

System

Properties

PROOFSPROOFS

Conversion of system (Program, circuit, protocol…)and property.

Can be automated or donemanually

Proof construction

Interaction with the theorem prover

A


PVS Workflow

PVS FilePVS File

System

Properties

PROOFSPROOFS

Conversion of system (Program, circuit, protocol…)and property.

Can be automated or donemanually

Proof construction

Interaction with the theorem prover

A


The PVS Language

There are two languages

1. The language to write definitions and theorems (“definition language“)

2. The language to prove theorems(“proof language”)

They have nothing to do with each other

The definition language looks like “normal math” (translator to Latex built in)

The proof language looks like LISP


Theorem Proving

The goal is to show that theorem T is a tautology |= T

or follows from the Assumptions & Axioms F1,…, Fk

F1,…, Fk |= T

PVS operates on sequents of the form F1,…, Fk |– G1,…, Gl

Antecedents ConsequentsMeaning:

The disjunction of the Consequents is a logical consequence of the conjunction of the Antecedents

F1 F2 … Fk implies G1 G2 … Gl

Initial sequent (show Theorem): |- T

TheoremAxioms, Assumptions

Antecedents and Consequents are HOL Formulas


Proof Trees

Sequents can be modified by PVS proof commands F1,…, Fk |– G1,…, Gl

Antecedents Consequents

The result of a proof command is a (possibly empty) set of subsequents

Initial sequent (show Theorem): |- T

The repeated application of proof commands on sequents defines a

tree

A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof.

A theorem T is proven if all proof branches are closed.


Sequents in PVS notation

{-1} i(0)`reset

{-2} i(4)`reset

|-------

{1} i(1)`reset

{2} i(2)`reset

{3} (c(2)À AND NOT c(2)`B)

Disjunction (Consequents)

Conjunction (Antecedents)

Or: Reset in cycles 0, 4 is on, and off in 1, 2.Show that A and not B holds in cycle 2.


Example Gauss

Specifications (for any n > 0)

Sum(n) :=

Recsum(n) :=

Gauss(n) :=

n

i

i0

otherwise1)Recsum(n

0i if0

n

2

)1( nn

gauss: TheoryBegin

Importing bitvectors@sums

n, i: Var nat

sum(n): nat = sigma(0, n, Lambda i: i)

recsum(n): recursive nat = if n = 0 Then 0

Else n + recsum(n-1) endif measure n

gauss(n): real = n * (n + 1) / 2

end gauss

gauss: TheoryBegin

Importing bitvectors@sums

n, i: Var nat

sum(n): nat = sigma(0, n, Lambda i: i)

recsum(n): recursive nat = if n = 0 Then 0

Else n + recsum(n-1) endif measure n

gauss(n): real = n * (n + 1) / 2

end gauss


Example Gauss

Specifications (for any n > 0)

Sum(n) :=

Recsum(n) :=

Gauss(n) :=

TheoremsFor all n > 0:

Sum(n) = Recsum(n) = Gauss(n)

n

i

i0

otherwise1)Recsum(n

0i if0

n

2

)1( nn


Example Gauss



gauss: Theory …

sum_is_recsum: Lemma sum(n) = recsum(n)

recsum_is_gauss: Lemma recsum(n) = gauss(n)

sum_is_gauss: Theorem sum(n) = gauss(n)

end gauss

gauss: Theory …




end gauss


Example Gauss


n

i

i0

otherwise1)Recsum(n

0i if0

nSum(n) := Recsum(n) :=

recursive definition suggests induction

Induction basis


Example Gauss


Definitions

n

i

i0

otherwise1)Recsum(n

0i if0

n

Sum(n) :=

Recsum(n) :=

Sum(0) = ?? Recsum(0) = ??


Example Gauss


Induction step


Example Gauss



Example Gauss



Example Gauss



Example Gauss



Example Gauss



Example Gauss



Example Gauss



Example Gauss



Example Gauss



Example Gauss



gauss: Theory …




end gauss

gauss: Theory …




end gauss


Example Gauss


Definitions

otherwise1)Recsum(n

0i if0

nRecsum(n) :=

Gauss(n) :=2

)1( nn

recursive definition suggests induction

more powerful


Example Gauss



gauss: Theory …




end gauss

gauss: Theory …




end gauss


Example Gauss

sum_is_gauss: Lemma sum(n) = gauss(n)


Proof Trees

recsum_is_gauss sum_is_gauss

sum_is_recsum


Proof commands

COPY duplicates a formula

Why? When you instantiate a quantified formula, the original one is lost

DELETE removes unnecessary formulae – keep your proof easy to follow


Propositional Rules

BDDSIMP simplify propositional structure using BDDs

CASE: case splittingusage: (CASE “i!1=5”)

FLATTEN: Flattens conjunctions, disjunctions, and implications

IFF: Convert a=b to a<=>b for a, b boolean

LIFT-IF move up case splits inside a formula


Quantifiers

INST: Instantiate Quantifiers– Do this if you have EXISTS in the consequent, or FORALL in the

antecedent– Usage: (INST -10 “100+x”)

SKOLEM!: Introduce Skolem Constants– Do this if you have FORALL in the consequent (and do not want

induction), or EXISTS in the antecedent– If the type of the variable matters, use SKOLEM-TYPEPRED


Equality

REPLACE: If you have an equality in the antecedent, you can use

REPLACE– Example: (REPLACE -1)

{-1} l=r replace l by r– Example: (REPLACE -1 RL)

{-1} l=r replace r by l


Using Lemmas / Theorems

EXPAND: Expand the definition– Example: (EXPAND “min”)

LEMMA: add a lemma as antecedent– Example: (LEMMA “my_lemma”)– After that, instantiate the quantifiers with (INST -1 “x”)– Try (USE “my_lemma”).

It will try to guess how you want to instantiate


Induction

INDUCT: Performs induction– Usage: (INDUCT “i”)– There should be a FORALL i: … equation in the consequent– You get two subgoals, one for the induction base and one for the

step– PVS comes with many induction schemes. Look in the prelude for

the full list


The Magic of (GRIND)

Myth: Grind does it all…

Reality:

Use it when:– Case splitting, skolemization, expansion, and trivial instantiations

are left

Does not do induction

Does not apply lemmas

“... frequently used to automatically complete a proof branch…”


The Magic of (GRIND)

If it goes wrong…– you can get unprovable subgoals

– it might expand recursions forever

How to abort?

– Hit Ctrl-C twice, then (restore)

How to make it succeed?

– Before running (GRIND), remove unnecessary parts of the sequent

using (DELETE fnum).

It will prevent that GRIND makes wrong instantiations and expands

the wrong definitions.


Proof Trees

Induction Proof

|- T( n: nat )

Induction basis Induction stepn=0 |- T(0) T(n*) |- T(n*+1)


Number representations

Natural number with binary representation :

PVS conversion bv2nat:

Range of numbers which have a binary representation of length n :

Integer with two’s complement representation :

PVS conversion bv2int:

Range of numbers with two’s complement representation of length n :

1

0

2)()(2n

i

iiaaanatbv

}12,,0{ n

][: nbveca

][: nbveca

)0,2(^2)1()int(2 1 nanaaabv n

}12,,2{ 11 nn


Lemmas from Bitvector Library

Lemma 1

Lemma 2

Lemma 3

Lemma 4



Lemma 5

Lemma 6

Lemma 7

Lemma 8



Lemma 9

Lemma 10

Lemma 11

Lemma 12


Ripple Carry Adder

incnbnans ]0:1[]0:1[]0:[


Ripple Carry Adder

in

in

in

cbanbna

cbnbana

cnbnans

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

11

11


Ripple Carry Adder

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

11

11

11

scnbna

cbanbna

cbnbana

cnbnans

in

in

in


Ripple Carry Adder

]0[2]1[]1:1[]1:1[

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

1

11

11

11

scnbna

scnbna

cbanbna

cbnbana

cnbnans

in

in

in


Ripple Carry Adder

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[]1:1[]1:1[

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

1

1

11

11

11

sscnbna

scnbna

scnbna

cbanbna

cbnbana

cnbnans

in

in

in


Ripple Carry Adder

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[]1:1[]1:1[

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

12

1

1

11

11

11

sscnbna

sscnbna

scnbna

scnbna

cbanbna

cbnbana

cnbnans

in

in

in


Ripple Carry Adder

]0:1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[]1:1[]1:1[

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

2

12

1

1

11

11

11

scnbna

sscnbna

sscnbna

scnbna

scnbna

cbanbna

cbnbana

cnbnans

in

in

in


Ripple Carry Adder

]0:1[2][]:1[]:1[

]0:1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[]1:1[]1:1[

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

2

12

1

1

11

11

11

kskcknbkna

scnbna

sscnbna

sscnbna

scnbna

scnbna

cbanbna

cbnbana

cnbnans

k

in

in

in


Ripple Carry Adder

])0:1[],[(

]0:1[2][]:1[]:1[

]0:1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[2]2[]2:1[]2:1[

]0[2]1[]1:1[]1:1[

])0[],1[(2]1:1[2]1:1[

]0[]0[2]1:1[2]1:1[

]0[2]1:1[]0[2]1:1[

]0:1[]0:1[]0:[

2

12

1

1

11

11

11

nsnc

kskcknbkna

scnbna

sscnbna

sscnbna

scnbna

scnbna

cbanbna

cbnbana

cnbnans

k

in

in

in


Conditional Sum Adder

Main principle: pre-computing upper sums for the cases: c[k]=1 and c[k]=0

Assume n is power of 2:

incnbnans ]0:1[]0:1[]0:[








innn

in

cnbnnbnanna

cnbnans

]0:12/[2]2/:1[]0:12/[2]2/:1[

]0:1[]0:1[]0:[2/2/





inn

innn

in

cnbnannbnna

cnbnnbnanna

cnbnans

]0:12/[]0:12/[2]2/:1[]2/:1[

]0:12/[2]2/:1[]0:12/[2]2/:1[

]0:1[]0:1[]0:[

2/

2/2/





])0:12/[],2/[(2]2/:1[]2/:1[

]0:12/[]0:12/[2]2/:1[]2/:1[

]0:12/[2]2/:1[]0:12/[2]2/:1[

]0:1[]0:1[]0:[

2/

2/

2/2/

nsncnnbnna

cnbnannbnna

cnbnnbnanna

cnbnans

nin

nin

nnin





]0:12/[2]2/[2]2/:1[]2/:1[

])0:12/[],2/[(2]2/:1[]2/:1[

]0:12/[]0:12/[2]2/:1[]2/:1[

]0:12/[2]2/:1[]0:12/[2]2/:1[

]0:1[]0:1[]0:[

2/2/

2/

2/

2/2/

nsncnnbnna

nsncnnbnna

cnbnannbnna

cnbnnbnanna

cnbnans

nn

nin

nin

nnin





]0:12/[2]2/[]2/:1[]2/:1[

]0:12/[2]2/[2]2/:1[]2/:1[

])0:12/[],2/[(2]2/:1[]2/:1[

]0:12/[]0:12/[2]2/:1[]2/:1[

]0:12/[2]2/:1[]0:12/[2]2/:1[

]0:1[]0:1[]0:[

2/

2/2/

2/

2/

2/2/

nsncnnbnna

nsncnnbnna

nsncnnbnna

cnbnannbnna

cnbnnbnanna

cnbnans

n

nn

nin

nin

nnin





1]2/[

0]2/[

1]2/:1[]2/:1[

]2/:1[]2/:1[2]0:12/[

]0:12/[2]2/[]2/:1[]2/:1[

]0:12/[2]2/[2]2/:1[]2/:1[

])0:12/[],2/[(2]2/:1[]2/:1[

]0:12/[]0:12/[2]2/:1[]2/:1[

]0:12/[2]2/:1[]0:12/[2]2/:1[

]0:1[]0:1[]0:[

2/

2/

2/2/

2/

2/

2/2/

nc

nc

if

if

nnbnna

nnbnnans

nsncnnbnna

nsncnnbnna

nsncnnbnna

cnbnannbnna

cnbnnbnanna

cnbnans

n

n

nn

nin

nin

nnin




Modeling Hardware with PVS

Combinational Hardware– No latches– Circuit is loop-free– Examples: arithmetic circuits, ALUs, …

Clocked Circuits– Combinational part + registers (latches)– Examples: Processors, Controllers,…

A



Idea: Model combinational circuits using functions on bit vectors

f(A, B, reset: bit):bit= IF NOT(reset) THEN (NOT A) OR B ELSE false ENDIF

f(A, B, reset: bit):bit= IF NOT(reset) THEN (NOT A) OR B ELSE false ENDIF

A

Translation from/to Verilog, VHDL, etc. easy



Combinational Hardware– No latches– Circuit is loop-free– Examples: arithmetic circuits, ALUs, …

Clocked Circuits– Combinational part + registers (latches)– Examples: Processors, Controllers,…

A


Clocked Circuits

A

T reset A B

0 1 ? ?

1 0 0 0

2 0 1 0

3 0 0 1

4 0 1 1

5 0 1 1Configuration in

cycle 4

Configuration in cycle 4


Clocked Circuits

A

t(c: C, i: I):C= (# A:= IF i`reset THEN false ELSE (NOT cÀ) OR c`B ENDIF, B:= IF i`reset THEN false ELSE cÀ OR c`B ENDIF #)

t(c: C, i: I):C= (# A:= IF i`reset THEN false ELSE (NOT cÀ) OR c`B ENDIF, B:= IF i`reset THEN false ELSE cÀ OR c`B ENDIF #)

C: TYPE = [# A, B: bit #] I: TYPE = [# reset: bit #]

C: TYPE = [# A, B: bit #] I: TYPE = [# reset: bit #]

1. Define Type for STATE and INPUTS

2. Define the Transition Function


Clocked Circuits

A

c(T: nat):RECURSIVE C= IF T=0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T


initial: C i: [nat -> I];

initial: C i: [nat -> I];

3. Define Initial State and Inputs

4. Define the Configuration Sequence


Clocked Circuits

A



5. Prove things about this sequence

c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)À AND NOT c(2)`B)

c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)À AND NOT c(2)`B)

You can also verify invariants, even temporal properties that way.


Modeling Software with PVS

(Software written in functional language)(Take a subset of PVS, and compile that)Software written in language like ANSI-C

f(i: int):int= LET a1=LAMBDA (x: below(10)): 0 IN ... LET a2=a1 WITH [(i):=5] IN ... ai(0)

f(i: int):int= LET a1=LAMBDA (x: below(10)): 0 IN ... LET a2=a1 WITH [(i):=5] IN ... ai(0)

int f(int i) { int a[10]={ 0, … }; ... a[i]=5; ... return a[0];}

int f(int i) { int a[10]={ 0, … }; ... a[i]=5; ... return a[0];}

A

What about loops?

What about loops?



A

C: TYPE = [# a: [below(10)->integer], i: nat #]

C: TYPE = [# a: [below(10)->integer], i: nat #]

1. Define Type for STATEint a[10];unsigned i;

int main() { . . . }

int a[10];unsigned i;

int main() { . . . }

nat?Of course, bvec[32]

is better

nat?Of course, bvec[32]

is better



A

2. Translate your program into goto program

int a[10];unsigned i,j,k;

int main() { i=k=0;

while(i<10) { i++; k+=2; }

j=100; k++;}


int main() { i=k=0;

while(i<10) { i++; k+=2; }

j=100; k++;}


int main() { L1: i=k=0;

L2: if(!(i<10)) goto L4; L3: i++; k+=2; goto L2;

L4: j=100; k++;}




L4: j=100; k++;}



A

3. Partition your program into basic blocks




L4: j=100; k++;}




L4: j=100; k++;}

L1(c: C):C= c WITH [i:=0, k:=0]

L2(c: C):C= c

L3(c: C):C= c WITH [i:=cì+1, k:=c`k+2]

L4(c: C):C= c WITH [j:=100, k:=c`k+1]

L1(c: C):C= c WITH [i:=0, k:=0]

L2(c: C):C= c

L3(c: C):C= c WITH [i:=cì+1, k:=c`k+2]

L4(c: C):C= c WITH [j:=100, k:=c`k+1]

4. Write transition function for each basic block



A

5. Combine transition functions using a program counter




L4: j=100; k++;}




L4: j=100; k++;}

PCt: TYPE = { L1, L2, L3, L4, END }PCt: TYPE = { L1, L2, L3, L4, END }

addPC: PCt

to C

t(c: C): C= CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT (cì<10) THEN L4 ELSE L3 ENDIF, L3: L3(c) WITH [PC:=L2], L4: L4(c) WITH [PC:=END], END: c ENDCASES

t(c: C): C= CASES c`PC OF L1: L1(c) WITH [PC:=L2], L2: L2(c) WITH [PC:= IF NOT (cì<10) THEN L4 ELSE L3 ENDIF, L3: L3(c) WITH [PC:=L2], L4: L4(c) WITH [PC:=END], END: c ENDCASES

make sure the PC of the initial

state is L1

Documents

CSE 8389 Theorem Proving Peter-Michael Seidel