Program Specialisation, Inductive Theorem Proving and Infinite State Model Checking

Program Specialisation,Inductive Theorem Proving and Infinite State Model Checking

Michael Leuschel(joint work with Helko

Lehmann)Invited Talk

Lopstr’03 - Uppsala

1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook

InfiniteModel checking

InductiveTheoremProving

ProgramSpecialisation


Overview



Ecce

CTLModel Checker

Point 1: Finite Abstraction of infinite state space correspondence between existing algorithms for PS & ISMC

Point 2: Schema for an inductive proof similarity between ITP & PS control cross-fertilisation ?

SpecialisationResult

Infinite State System

Key Points





Query

(Logic) Program Specialisation

PrologSource

Program

PartialQuery

Rest ofQuery

ProgramSpecialiser

SpecialisedProlog

ProgramOutput

AnotherQuery

Digression on Names

• Partial Evaluation– Specialisation by “partially”

evaluating expressions• Partial Deduction

– Partial evaluation of pure logic programs

• Logic Program Specialisation– Partial evaluation + … (e.g. abstract

interpretation)

Partial Deduction

• Basic Principle:– Instead of building one complete SLD-tree:

Build a finite number of finite “SLD- trees” !– SLD-trees can be incomplete– Clauses of specialised program extracted

from branches– All calls in the leaves must be “covered”

• 4 types of derivations in SLD-trees:– Successful, failed, infinite– Incomplete: no literal selected

An Example

map(P,[],[]).map(P,[H|T],[PH|PT]) :- C=..[P,H,PH], call(C),map(P,T,PT).inv(0,1).inv(1,0).

map (inv,L,R)

{L/[],R/[]}

C=..[inv,H,PH], call(C),map(inv,L’,R’)

{L/[H|L’],R/[PH|R’]}

inv(H,PH),map(inv,L’,R’)

call(inv(H,PH)),map(inv,L’,R’)

{C/inv(H,PH)}

map(inv,[],[]).map(inv,[0|L’],[1|R’]) :- map(inv,L’,R’).map(inv,[1|L’],[0|R’]) :- map(inv,L’,R’). map(inv,L’,R’)

{H/0,PH/1}

map(inv,L’,R’)

{H/1,PH/0}

Overhead removed: 2 faster

map_1([],[]).map_1([0|L’],[1|R’]) :- map_1(L’,R’).map_1([1|L’],[0|R’]) :- map_1(L’,R’).

Control

• Local Control– Determinacy– Well-founded Orders– Well-Quasi Orders

• Homeomorphic embedding

• Global Control– Whistle: Well-Quasi Orders– Generalisation

• msg (most specific generalisation)• Characteristic Trees

A1 A2 A3 A4 ...

Existing Systems

• Online– Mixtus (Sahlin)– Paddy (Prestwich)– SP (Gallagher)– Ecce (Leuschel)

• Offline (control decisions made offline)– Logimix (Mogensen)– Logen (Leuschel & Jørgensen)

Ecce & Logen Demo

• Simple Examples– Map - Ecce– Lambda Interpreter - Logen

QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.





Model Checking

• Check that a system is a model for a temporal logic formula (CTL, LTL, …)– Most useful temporal formulas are safety

properties

• Decidable for finite state systems• For infinite state systems:

– Decidability results for certain systems & properties

– Abstraction a key issue

erified

∞

Petri Nets

• Petri Nets– Places: contain tokens– Transitions: consume & produce

tokens• Marking:

– A particular state of a Petri net– Vector of natural numbers– Usually: infinite number of markings

reachable

RTP ExampleReceiver of Transmission ProtocolFrom Babylon library of benchmarks

1,0,0,0,0,0,0,0,0,0

0,1,0,0,0,0,0,0,0,0

0,0,1,0,0,0,0,0,0,0

0,0,0,1,0,0,0,0,0,0

Reachable Markings:

0,0,0,0,1,0,0,0,0,0

0,0,0,0,0,1,0,0,0,0

0,0,0,0,0,0,0,1,0,0

0,0,0,0,0,0,0,0,1,00,1,0,0,0,0,0,0,0,1

Coverability of Petri Nets

• Marking m covers m’ if m≥m’• Question:

– Starting from an initial state m0

can we reach a marking mn which covers some given m ?

• Decidable by computing– Karp-Miller Tree or– Finkel’s minimal coverability graphs

0,2,0,1,1

0,1,0,2,0

RTP - CoverabilityCan we cover:

0,1,0,0,0,0,0,0,0,n

0,0,1,0,0,0,0,0,0,n

0,0,0,1,0,0,0,0,0,n

Reachable Markings:

0,0,0,0,1,0,0,0,0,n

0,0,0,0,0,1,0,0,0,n

0,0,0,0,0,0,0,1,0,n

0,0,0,0,0,0,0,0,1,n0,1,0,0,0,0,0,0,0,n+1

…

/* Specialised Predicates: ssat__0__1 :- ssat__0.sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A).sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A).sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A).sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A).sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A).sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A).sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A).sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A).*/

ssat__0 :- fail.ssat__0__1 :- fail.sat__1__2 :- fail.sat_eu__2__3 :- fail.sat_eu__2__4(A) :- fail.sat_eu__2__5(A) :- fail.sat_eu__2__6(A) :- fail.sat_eu__2__7(A) :- fail.sat_eu__2__8(A) :- fail.sat_eu__2__9(A) :- fail.sat_eu__2__10(A) :- fail.sat_eu__2__11(A) :- fail.

0,0,0,0,0,0,0,1,1,0


More about the Ecce Postprocessor

• Determinate post-unfolding• Reducing unnecessary polyvariance• …• Most Specific Version (MSV)

Computation– [Marriot,Naish,Lassez88]– Bottom-up abstract interpretation:

• Compose TP with predicate-wise msg

– For every body atom of the program:• unify with an element of S • if none exists: clause can be removed !

ssat__0 :- ssat__0__1.ssat__0__1 :- sat__1__2.

sat__1__2 :- sat_eu__2__3.

sat_eu__2__3 :- sat_eu__2__4(0).

sat_eu__2__4(A) :- sat_eu__2__5(A).

sat_eu__2__5(A) :- sat_eu__2__6(A).

sat_eu__2__6(A) :- sat_eu__2__7(A).sat_eu__2__6(A) :- sat_eu__2__8(A).

sat_eu__2__7(A) :- sat_eu__2__9(A).

sat_eu__2__8(A) :- sat_eu__2__4(s(A)).

sat_eu__2__9(A) :- sat_eu__2__8(A).sat_eu__2__9(A) :- sat_eu__2__10(A).sat_eu__2__9(A) :- sat_eu__2__11(A).

sat_eu__2__10(A) :- sat_eu__2__8(A).

sat_eu__2__11(A) :- sat_eu__2__8(A).

RTP: Ecce & MSV/* Specialised Predicates: ssat__0__1 :- ssat__0.sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A).sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A).sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A).sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A).sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A).sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A).sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A).sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A). */

ssat__0 :- fail.ssat__0__1 :- fail.sat__1__2 :- fail.sat_eu__2__3 :- fail.sat_eu__2__4(A) :- fail.sat_eu__2__5(A) :- fail.sat_eu__2__6(A) :- fail.sat_eu__2__7(A) :- fail.sat_eu__2__8(A) :- fail.sat_eu__2__9(A) :- fail.sat_eu__2__10(A) :- fail.sat_eu__2__11(A) :- fail.

Ecce + MSV

Ecce

∞ Model Checking by PD

• When does it work ?– Decision procedure for some problems – Extends existing algorithms for some specific classes

of systems & properties ![LeuschelLehmann:CL2000 & PPDP’00, LehmannLeuschel:LPAR2000]

– Always safe, but may answer “don’t know”– Flexible system: various formalisms, properties,

algorithms (backwards/forwards/combined,…)

• Again: this must come at the price of efficiency!?– After all Ecce & Logen were not designed for Model

Checking– How much do we pay ?

Some IMC Experiments:Comparing some tools

• Hytech– Polyhedra, for hybrid systems

• CST (Covering Sharing Tree)– “Attacking Symbolic Explosion,”

Delzanno, Raskin, Van Begin, CAV’01– Compact representation for (infinite) upwards-closed sets– Symbolic, backwards, uses pre-computed structural

invariants to cut search space

• Ecce (+ Logen)– Settings: Finkel


CSM

Dekker

Reader/Writer

FMS

Babylon Benchmarks

A more complicated Example:

CSM - Specialisation Result

Some Experiments inInfinite State Model

CheckingCST CST

woEcce Hytech

backHytechfwd

CSM 0.08 0.19 0.13 6.32 ∞

FMS 39.6* 3.50 ? ***

RW -- -- 0.05 ? ***

Dekker(2) 5.4 0.43 >30min 1

*** = out of memory-- = not possible *=using old version, new 2 times faster?

Timings: AMD Athlon 900Mhz, 1.5Gb RAM


CSM: The full picture

FDR Spin XTL CST CST-wo Ecce Hytech-back Hytech-fwd2 0.10 0.03 0.01 0.08 0.19 0.53 6.32 0.504 0.25 0.03 0.02 0.08 0.19 9.70 6.32 2.868 1.80 0.12 0.15 0.08 0.19 466.96 6.32 30.91

16 35.64 0.91 1.27 0.08 0.19 6.32 695.5324 out of mem 3.48 32.04 0.08 0.19 6.3232 9.21 220.36 0.08 0.19 6.3240 20.80 746.85 0.08 0.19 6.3248 out of mem out of mem 0.08 0.19 6.32

infty - - - 0.08 0.19 0.13 6.32 infty


Some Conclusions

• Ecce surprisingly fast for infinite MC– Better than Hytech, sometimes better than CST

• Ecce (unsurprisingly) slow for finite MC– Future Work: Combine XTL with Ecce

• Infinite MC can be faster than finite MC

• What is the price we pay for implementing a flexible system in Prolog and reusing general purpose program manipulation tools?– Good performance (compared to other tools)!






Theorem Proving & Program

Specialisation/Transformation• Lot of interest:

– Supercompilation• Turchin, Glück&Jørgensen

– Unfold/Fold• Pettorossi & Proietti, …

– GPC• Futamura, …

ProofAssistantIsabelle


A simple Exampletheory Mirror = PreList: datatype 'a tree = Tip ("[]") | Node "'a tree" 'a "'a tree" consts mirror :: "'a tree => 'a tree" primrec "mirror([]) = []" "mirror((Node ls x rs)) = Node (mirror(rs)) x (mirror(ls))"

lemma mirror_mirror [simp]: "mirror(mirror(xs)) = xs"apply(induct_tac xs)ML "set trace_simp"apply(simp)apply(auto)done

proof (prove): step 1 fixed variables: xsgoal (lemma (mirror_mirror), 2 subgoals): 1. mirror (mirror []) = [] 2. !!tree1 a tree2. [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |] ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2

where we can rewrite: mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 1 we can simplify into: Node (tree1 a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 2 we can simplify into: Node (tree1 a tree2) = Node tree1 a tree2 QED

Can EcceDo this ???

Conjunctive Partial Deduction

• Given a set S = {C1,…,Cn} of atoms:• Build finite, possibly incomplete SLD-trees

for each Ci

• For every non-failing branch:– generate 1 specialised formula Ci L by

computing the resultants

• To get Horn clauses– Rename conjunctions into atoms ! Assign every Ci an atom with the same

variables and each with a different predicate name

Ecce Demo

• Inductive Theorem Proving– Even odd– Mirror_mirror


Specialisation Tree as Induction Schema

proof (prove): step 1 fixed variables: xsgoal (lemma (mirror_mirror), 2 subgoals): 1. mirror (mirror []) = [] 2. !!tree1 a tree2. [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |] ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2Goal 2. Rewritten into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 1 we can simplify into: Node (tree1 a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 2 we can simplify into: Node (tree1 a tree2) = Node tree1 a tree2 QED

Can you find thecorrespondence?

CPD vs ITP

– Find a set H of induction hypotheses so• we can transform the induction

hypotheses for n+1so as to re-use the induction hypotheses ≤n

– Find a set S of conjunctions so that• they can be unfolded in such a way that

all leaves can be folded back on SITP CPD

Simplify Unfold

Reuse hypotheses in HCondition: ≤ n

Fold on conjunctions in SCondition: instance

QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.





SpecialisationResult

CTLModel Checker(Prolog Source)

EccePostprocessor

Verification

Result

ProofScript

Validation

Isabelle

ECCE

A Simple Example

Target: x3 >= 1, x4 >= 1

basicME


Results

• Ecce specialisation tree can be automatically transformed into a valid induction schema for Isabelle

• Ecce result can by validated• Checking the proof in Isabelle is

several orders of magnitude slower than Ecce– (proof script still at a too high level ?)






Conclusion I

• Relationship between Infinite state model checking and program specialisation– PS can be used for ISMC

• Efficiency seems to be good!

– Equivalence & decidability results

erified

∞

Conclusion II

• Relationship between inductive theorem proving & program specialisation– PS can be used for some ITP tasks– For one application: automatic translation of

PS output into ITP proof script

• But:– No equivalence between ITP & PS techniques

• E.g., what about rippling ?• ITP & PS communities should look at each other’s

work!

– Some ITP tasks are very, very hard


QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.Thankyou

Supplementary Slides

RTP ExampleReceiver of Transmission ProtocolFrom Babylon library of benchmarks

Classical Applications of CPD:

Tupling & Deforestation

CTL model checking/* A Model Checker for CTL fomulas *//* written for XSB-Prolog *//* by Michael Leuschel, Thierry Massart */

sat(_E,true).sat(_E,false) :- fail.sat(E,p(P)) :- prop(E,P). /* proposition */sat(E,and(F,G)) :- sat(E,F), sat(E,G).sat(E,or(F,_G)) :- sat(E,F).sat(E,or(_F,G)) :- sat(E,G).sat(E,not(F)) :- not(sat(E,F)).sat(E,en(F)) :- /* exists next */ trans(_Act,E,E2),sat(E2,F).sat(E,an(F)) :- /* always next */ not(sat(E,en(not(F)))).sat(E,eu(F,G)) :- /* exists until */ sat_eu(E,F,G).sat(E,au(F,G)) :- /* always until */ sat(E,not(eu(not(G),and(not(F),not(G))))), sat_noteg(E,not(G)).sat(E,ef(F)) :- /* exists future */ sat(E,eu(true,F)).sat(E,af(F)) :- /* always future */ sat_noteg(E,not(F)).sat(E,eg(F)) :- /* exists global */ not(sat_noteg(E,F))./* we want gfp -> negate lfp of negation */sat(E,ag(F)) :- /* always global */ sat(E,not(ef(not(F)))).

/* :- table sat_eu/3.*//* tabulation to compute least-fixed point */ sat_eu(E,_F,G) :- /* exists until */ sat(E,G).sat_eu(E,F,G) :- /* exists until */ sat(E,F), trans(_Act,E,E2), sat_eu(E2,F,G).

/* :- table sat_noteg/2.*//* tabulation to compute least-fixed point */

sat_noteg(E,F) :- sat(E,not(F)).sat_noteg(E,F) :- not( (trans(_Act,E,E2),not(sat_noteg(E2,F)))).

/* encoding of the system (here: a Petri net): */

trans(enter_cs,[s(X),s(Sema),CritSec,Y,C], [X,Sema,s(CritSec),Y,C]).

trans(exit_cs,[X,Sema,s(CritSec),Y,C], [X,s(Sema),CritSec,s(Y),C]).

trans(restart,[X,Sema,CritSec,s(Y),ResetCtr], [s(X),Sema,CritSec,Y,s(ResetCtr)]).

prop([X,Sema,s(s(CritSec)),Y,C],unsafe).prop([0,Sema,0,0,C],deadlock).prop([X,0,0,0,C],deadlock).

1) LOGEN - COMPILATION/* file: ctl.pe.sat__ *//* benchmark info: 0 ms *//* atom specialised: sat(_10048,ef(p(unsafe))) */

sat_eu__1([B,C,s(s(D)),E,F]).sat_eu__1([s(G),s(H),I,J,K]) :- sat_eu__1([G,H,s(I),J,K]).sat_eu__1([L,M,s(N),O,P]) :- sat_eu__1([L,s(M),N,s(O),P]).sat_eu__1([Q,R,S,s(T),U]) :- sat_eu__1([s(Q),R,S,T,s(U)]).sat__0(B) :- sat_eu__1(B).

2) ECCE - ABSTRACTION /* Transformation time: 617 ms */sat__0([A,s(0),0,0,0]) :- sat__0__1(A).sat__0__1(s(s(A))) :- sat_eu__1__2(A).sat__0__1(s(A)) :- sat_eu__1__3(A).sat_eu__1__2(A) :- sat_eu__1__9(A).sat_eu__1__2(A) :- sat_eu__1__10(A).sat_eu__1__3(s(A)) :- sat_eu__1__4(A).sat_eu__1__4(A) :- sat_eu__1__5(A).sat_eu__1__4(A) :- sat_eu__1__6(A).sat_eu__1__5(s(A)) :- sat_eu__1__7(A,s(s(0))).sat_eu__1__5(A) :- sat_eu__1__6(A).

…

sat_eu__1__11(A,B) :- sat_eu__1__12(A,s(B)).sat_eu__1__11(A,s(B)) :- sat_eu__1__11(s(A),B).sat_eu__1__12(s(A),B) :- sat_eu__1__11(A,B).sat_eu__1__12(A,s(B)) :- sat_eu__1__12(s(A),B).

3) MSV - ANALYSISsat__0([A,s(0),0,0,0]) :- fail.sat__0__1(s(s(A))) :- fail.sat__0__1(s(A)) :- fail.sat_eu__1__2(A) :- fail....

Documents

Program Specialisation, Inductive Theorem Proving and Infinite State Model Checking