1 automated theorem proving: pvs alexander serebrenik
TRANSCRIPT
1
Automated Theorem Proving: PVS
Alexander Serebrenik
2
Before We StartBefore We Start
• PVS is installed at svstud. – no password for svstud? – contact Jan de Jong of the Notebook Service
center: HG 8.86, tel. 2979
• Install an X Windows client on your laptop – built-in for Linux– for Windows, e.g., Exceed (via BCF)
• On Wednesday we will meet in Auditorium 9 (laptop lecture hall).
3
Last TimeLast Time
• Foundations of Automated Theorem Proving– soundness and completeness– Gentzen’s sequent– system G for
• propositional calculus• first order logics• first order logics with equality
4
TodayToday
• PVS (Prototype Verification System)– Developed at SRI International – Open Source (GPL) since 1993– Runs on Linux/Solaris/Mac– Uses Emacs as Interface
– Supports System G reasoning…– and much, much more!
5
Applications of PVSApplications of PVS
• Both academic and industrial:
• Verification of Javacard applets
• Hardware verification
• Protocol specification and verification
• Formal Mathematics
• Safety-critical systems
• . . . see http://pvs.csl.sri.com/users.shtml
6
First Example (3b)First Example (3b)
xA(x)xB(x) x(A(x)B(x))
ex3b: THEORYBEGIN
T: TYPE some typex: VAR T variable of this typeA,B: [T -> bool] predicate (function to booleans)
statement: THEOREM ((FORALL x:A(x)) AND (FORALL x:B(x)) IMPLIES (FORALL x:(A(x) AND
B(x))))
END ex3b
7
Sequent
System GA1, …, An B1, …, Bm
PVS[-1] A1,
…,
[-n] An
|--------
{1} B1,
…,
[m] Bm
8
Proof (1)
))()((
)()(
xBxAx
xxBxxA
|-------{1} ((FORALL x: A(x)) AND (FORALL x: B(x)) IMPLIES (FORALL x: (A(x) AND B(x))))
Rule?
):( right
(flatten)
))()((
)()(
xBxAx
xxBxxA
[-1] (FORALL x: A(x))[-2] (FORALL x: B(x)) |-------{1} (FORALL x: (A(x) AND B(x)))
Rule?
):( left))()((
)(),(
xBxAx
xxBxxA
):( right
(skolem 1 “y1”)
(skolem reference newname)
)1()1(
)(),(
yByA
xxBxxA
[-1] (FORALL x: A(x))[-2] (FORALL x: B(x)) |-------{1} (A(y1) AND B(y1))Rule?
):( right
)1( )(),(
)1( )(),(
yBxxBxxA
yAxxBxxA
(split)
…yields 2 subgoals: statement.1 :[-1] (FORALL x: A(x))[-2] (FORALL x: B(x)) |-------{1} A(y1)Rule?
The second subgoal is postponed
9
Proof (2)
)1( )(),( yAxxBxxA
[-1] (FORALL x: A(x))[-2] (FORALL x: B(x)) |-------{1} A(y1)Rule?
xAin [y1/x]
):(
left
)1( )(),1( yAxxByA axiom
(inst -1 “y1”)
(inst reference term)
Instantiating the top quantifier in -1 with the terms: y1,
This completes the proof of statement.1.
statement.2[-1] (FORALL x: A(x))[-2] (FORALL x: B(x)) |-------{1} B(y1)Rule?
)1( )(),( yBxxBxxA
The subgoal that we have postponed.
xBin [y1/x]
):(
left
)1( )1(),( yByBxxA axiom
(inst -2 “y1”)
Instantiating the top quantifier in -2 with the terms: y1,
This completes the proof of statement.2.
Q.E.D.Q.E.D.
10
PVS Proof CommandsPVS Proof Commands
(flatten) formula to list of formulas
(:left), (:right), (:left), (:right), (:right), (:left)
(split) formula to a number of proof obligations
(:right), (:left), (:left), (:right)
(inst reference term)
replace variable by a term
(:right), (:left)
(skolem reference newname)
replace variable by a fresh variable (constant)
(:left), (:right)
11
NB: Flatten and SplitNB: Flatten and Split
• PVS is smarter than just one step of System G
• Flatten and split will apply the corresponding rules as long as they are applicable.
|-------{1}(A IMPLIES B) IMPLIES ((A IMPLIES NOT B) IMPLIES NOT A)
{-1} (A IMPLIES B){-2} (A IMPLIES NOT B){-3} A |-------
flatten
12
PVS System TourPVS System Tour
• QQ: Watch the video. What steps did I perform?
13
PVS System TourPVS System Tour
1. Specify (any editor)2. Parse (M-x parse, M-x pa)
• syntactic checks, e.g., misspellings• done by the system automatically when needed
3. Type check (M-x typecheck, M-x tc)• semantic checks, e.g., undeclared names• builds Type Correctness Conditions
• should be proved!
4. Prove (M-x prove, M-x pr)• that is what we have done before
14
QQQQ: First Steps with PVS: First Steps with PVS
• Recall Exercise 1b from the Instruction: (AB)((AB)A)
• Write a PVS specification, corresponding to this exercise
ex1b: THEORYBEGIN
A,B: boolstatement: THEOREM (A IMPLIES B) IMPLIES ((A IMPLIES NOT B) IMPLIES NOT A)
END ex1b
15
PVS LanguagePVS Language
ex3b: THEORYBEGIN
T: TYPEx: VAR T A,B: [T -> bool]
statement: THEOREM ((FORALL x:A(x)) AND (FORALL x:B(x)) IMPLIES (FORALL x:(A(x) AND B(x))))
END ex3b
Theory identifier
Type declaration
Variable declarationConstant declarations
Formula declaration
16
““Theory Header”Theory Header”
• Theory identifier ex3b: THEORY• List of formal parameters
stacks [t: TYPE+] : THEORY
groups [G : TYPE,
e : G,
o : [G,G->G],
inv : [G->G] ] : THEORY
17
Types (1)Types (1)
• Uninterpreted types: – might be empty T: TYPE– non-empty T: TYPE+
• Interpreted types: T: TYPE = type expression
• Subtypes: S: TYPE FROM T
18
Types (2)Types (2)
• Type expressions– builtins bool, int– enumerated {r, g, b}– functions [int, bool -> int]– tuples [int, int]– predicate-based (p)
• shorthand for {x | p(x)}
19
Types: Types: QQQQ
• Functional is a function that takes functions as its argument and returns a real number.
• Define the type of functionals for functions from T1 to T2
T1, T2: TYPE
FT: TYPE = [[T1 -> T2] -> real]
20
Variable DeclarationsVariable Declarations
• either with VAR– x: VAR bool
• or within a binding expression (, , λ) – FORALL (x: int): (EXISTS (x: nat) p(x)) AND q(x))
21
Constant DeclarationsConstant Declarations
• Constants: n: int, c: int = 3– The underlying type should be non-empty
• Functions are also constants:– f: [int -> int] = (lambda (x: int): x+1)– f(x: int): int = x + 1
• QQ: What does f(x:(p)): int = x+1 mean for a predicate p?– (p)shorthand for {x | p(x)}
22
Boolean FunctionsBoolean Functions
• a.k.a. predicates
• Can be written as subsets:– odd: [nat -> bool] = {n: nat | EXISTS (m: nat): n = 2 * m + 1}
instead of– odd: [nat -> bool] = (LAMBDA (n: nat): EXISTS (m: nat): n = 2 * m + 1)
23
Recursive FunctionsRecursive Functions
• No mutual recursion• Function should be total• Termination should be ensured: MEASURE
fac(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE x*fac(x-1) ENDIF
MEASURE x
24
MEASUREMEASURE
• Can be followed by any function:– MEASURE lambda (n: nat): n– MEASURE N-I
• QQ: Find an appropriate MEASURE for
p(x:int): RECURSIVE int = (IF (x > 1 AND x < 1000) THEN p(x*x) ELSIF (x < -1 AND x > -1000) THEN p(-x*x) ELSE 0 ENDIF)
25
MEASUREMEASURE: Solution: Solution
p(x:int): RECURSIVE int = (IF (x > 1 AND x < 1000) THEN p(x*x) ELSIF (x < -1 AND x > -1000) THEN p(-x*x) ELSE 0 ENDIF)MEASURE pmeas
pmeas(x: int): nat = (IF (x > 1 AND x < 1000) THEN 1000-x ELSIF (x < -1 AND x > -1000) THEN 1000+x ELSE 0 ENDIF)
26
Formula DeclarationsFormula Declarations
• AXIOM is a formula that can be recalled at any moment of the proof.– use (lemma name <substitution>)
• THEOREM (or LEMMA) is a formula one likes to prove.
• May contain free variables: p(x) is equivalent to (FORALL x: p(x))
27
AXIOMAXIOMs in Practices in Practicepop_push: AXIOM pop(push(x, s)) = spop2push2: THEOREM pop(pop(push(x, push(y, s)))) = s
|-------{1} pop(pop(push(X, push(Y, S)))) = S
Rule? Applying pop_push this simplifies to:
{-1} FORALL (s: stack, x: t): pop(push(x, s)) = s |-------[1] pop(pop(push(X, push(Y, S)))) = S
(lemma pop_push)
28
Functions Can Be Defined Using Functions Can Be Defined Using AXIOMAXIOMss
1. f: [int -> int] = (lambda (x: int): x+1)
2. f: [int -> int] f: AXIOM f = (LAMBDA (x: int): x+1)
NB! New declaration preserves consistency of the theory, new axiom might not!
29
Between Between AXIOMAXIOM and and THEOREMTHEOREM
groups [G : TYPE, e : G, o : [G,G->G], inv : [G->G] ] : THEORY
BEGIN ASSUMING a, b, c : VAR G associativity : ASSUMPTION a o (b o c)
= (a o b) o c unit : ASSUMPTION e o a = a AND a o e = a inverse : ASSUMPTION inv(a) o a = e
AND a o inv(a) = e ENDASSUMING
30
ASSUMPTIONASSUMPTIONss
• Appear only between ASSUMING and ENDASSUMING
• Usually formulated in terms of parameters of the theory
• When the theory is used, e.g. IMPORTING[int, 0, +, -] assumptions become proof obligations (TCCs).
31
Theory Is Used?Theory Is Used?
• EXPORTING specifies names that should be visible to the IMPORTING theories– by default, all names are visible
• IMPORTING makes visible names of another theory available for the current one. – IMPORTINGs are cumulative– Beware the name clashes
32
Summary So Far (1)Summary So Far (1)
• Lifecycle of a PVS specification: specify, parse, type check, prove.
• Specification consists of the “header” followed by type, variable, constant and formula declarations.
• Types: uninterpreted, interpreted.– Type expressions: builtins, enumerated,
functions, tuples, predicate-based
33
Summary So Far (2)Summary So Far (2)
• Recursive functions should be provided by MEASURE.
• Formula declarations: AXIOMs, ASSUMPTIONs and THEOREMs.– AXIOMs can be recalled using the lemma proof
command.
• Adding a new AXIOM does not guarantee consistency of the theory.
• Theories can EXPORT and IMPORT names.
34
Type CheckType Check
• Executed upon M-x typecheck, or M-x tc.
• Generate additional proof obligations (theorems) ensuring– type correctness;– termination;– non-emptiness of a type, if constants of this
type are being declared.
35
Closer Look at FactorialCloser Look at Factorial
• exfac typechecked in 0.27s: 2 TCCs, 0 proved, 0 subsumed, 2 unproved– TCC = type correctness condition
• M-x show-tccs
fac(x: nat): RECURSIVE nat = IF x=0 THEN 1 ELSE x*fac(x-1)
ENDIFMEASURE x
% Subtype TCC for x - 1 fac_TCC1: OBLIGATION FORALL (x: nat): NOT x = 0 IMPLIES x - 1 >= 0;
The argument of the recursive call should be a natural number as well.
% Termination TCC for fac(x - 1)fac_TCC2: OBLIGATION FORALL (x: nat): NOT x = 0 IMPLIES x - 1 < x;
36
TCCs and ProofsTCCs and Proofs
• TCCs can be postponed but ultimately should be proved.
• Failure to prove TCC might indicate that the statement is not valid!
• Automated attempt to prove the TCCs: M-x typecheck-prove (M-x tcp)
37
Summary: Prove CommandsSummary: Prove Commands
control fail, postpone, undo, …
structure copy, hide, hide-all-but, reveal,…
system G split, flatten, inst, skolem,…
decision procedures
assert, grind, …
definitions and lemmas
lemma, expand, …
miscellaneous case, induct, replace, …
38
What If?What If?
• PVS crashes in the middle of a proof: (restore)
• you do not know what to do: (help) or (help command)
• you want to stop the proof attempt: (quit)
• you want to go to next remaining goal: (postpone)
• you want to revise your last step: (undo)
39
Manipulating SequentsManipulating Sequents
• If some information is needed twice during the proof: (copy)
• If some information is no longer needed: (delete)
• If some information might be needed later but is cluttering now: (hide)
• If some hidden information is needed: M-x show-hidden followed by (reveal reference)
40
ExampleExample
sum: THEORYBEGIN n: VAR nat sum(n): RECURSIVE nat = (IF n=0 THEN 0 ELSE n+sum(n-1) ENDIF) MEASURE (LAMBDA n:n) closed_form: THEOREM sum(n) = (n * (n+1))/2END sum
41
closed_form : |-------{1} FORALL (n: nat): sum(n) = (n * (n + 1)) / 2
Rule?
Inducting on n on formula 1,this yields 2 subgoals:closed_form.1 : |-------{1} sum(0) = (0 * (0 + 1)) / 2
Rule?
(induct "n")
QQ: What are the two subgoals?Induction base
(expand “sum")
Expanding the definition of sum, this simplifies to:closed_form.1 : |-------{1} 0 = 0 / 2
Rule? (assert)Simplifying, rewriting, and recording with decision procedures.
This completes the proof of closed_form.1.
42
closed_form.2 : |-------{1} FORALL j: sum(j) = (j * (j + 1)) / 2 IMPLIES sum(j + 1) = ((j + 1) * (j + 1 + 1)) / 2
Rule?
Induction step
(skosimp)
Skolemizing and flattening, this simplifies to:closed_form.2 :{-1} sum(j!1) = (j!1 * (j!1 + 1)) / 2 |-------{1} sum(j!1 + 1) = ((j!1 + 1) * (j!1 + 1 + 1)) / 2
Rule?
skosimp = skolem using standard names + flatten
We would like to use expand but only in the succedent!(expand “sum” +)
Expanding the definition of sum, this simplifies to:closed_form.2 :[-1] sum(j!1) = (j!1 * (j!1 + 1)) / 2 |-------{1} 1 + sum(j!1) + j!1 = (2 + j!1 + (j!1 * j!1 + 2 * j!1)) / 2
43
Expanding the definition of sum, this simplifies to:
closed_form.2 :
[-1] sum(j!1) = (j!1 * (j!1 + 1)) / 2 |-------{1} 1 + sum(j!1) + j!1 = (2 + j!1 + (j!1 * j!1 + 2 * j!1)) / 2
Rule? (assert)
Simplifying, rewriting, and recording with decision procedures,
This completes the proof of closed_form.2.
Q.E.D.
Induction step
44
Proof Commands In the ExampleProof Commands In the Example
• (induct n) – induction on variable n• (expand “name” ref) – expand definition name
in ref:– number– “-” all antecedents– “+” all succedents
• (skosimp) – skolem with standard names and (flatten)
• (assert) – prove or simplify using the builtin decision procedures
45
ReplaceReplace
{-1} X = Y |-------{1} Y = X
Rule? (replace -1 1)Replacing using formula -1, this simplifies to:
[-1] X = Y |-------{1} TRUE
Replace the left-hand side of (-1) in (1) by the right-hand side of (-1).
If you add rl:
(replace -1 1 rl)
the rewriting will go from right to left.
46
stacks [t: TYPE+] : THEORYBEGINstack : TYPE+s : VAR stackempty : stacknonemptystack?(s) : bool = s /= emptypush :[t, stack -> (nonemptystack?)]pop : [(nonemptystack?) -> stack]
x, y : VAR t
pop_push : AXIOM pop(push(x, s)) = spop2push2: THEOREM
pop(pop(push(x, push(y, s)))) = sEND stacks
QQ: To prove pop2push2 you might like to use
A.expand B. induct C. replace
47
More Proof CommandsMore Proof Commands
• case - distinguish between different cases.• propax – proves propositional axioms, i.e.,
– false as an antecedent,– true or t=t as a succedent– common formula for antecedent and succedent
• grind – “black magic” but often works:– rewrite using lemmas– simplify numerical expressions– performs equality substitutions– makes use, e.g., of assert and replace
• smash – propositional and ground simplification
48
Can’t See the Forest for the Trees?Can’t See the Forest for the Trees?
current goalpart that
has been proved
part that still has to be proved
M-x xpr
49
Can’t See the Forest for the Trees?Can’t See the Forest for the Trees?
current goalpart that
has been proved
part that still has to be proved
50
And Even More
• You can also create LaTeX documentation: M-x latex-theory-view (M-x ltv)
• PS proofs can be generated from the graphic user interface.
• … or first in LaTeX: M-x latex-proof
51
DataData
• So far: traditional algebraic specification• Better: automated generation from a succinct
description.
stack [t: TYPE] : DATATYPE
BEGIN
empty : emptystack?
push(top: t, pop: stack): nonemptystack?
END stack
constructorsaccessors
recognizers
M-x typecheck
52
What Is Generated From a What Is Generated From a Datatype?Datatype?
• extensionality axioms for the constructors• accessor/constructor axioms
– stack_pop_push: AXIOM
(FORALL (v1:t, v2: stack) pop(push(v1,v2)) = v2)
• induction scheme• recursive combinator• look at stack_adt.pvs
53
Example: Recursive CombinatorExample: Recursive Combinatorreduce_nat(emptystack?_fun: nat, nonemptystack?_fun: [[t, nat] -> nat]):
[stack -> nat] = LAMBDA (stack_var: stack): CASES stack_var OF
empty: emptystack?_fun,push(push1_var, push2_var):nonemptystack?_fun(push1_var, reduce_nat(emptystack?_fun, nonemptystack?_fun)(push2_var))
ENDCASES
QQ: What does the following call calculate: reduce_nat(0, (LAMBDA (x:t, n: nat): n+1))?
54
Cases?Cases?
• Pattern matching:
CASES stack_var OFempty: …,push(push1_var,push2_var):…))
ENDCASES
• Can contain ELSE covers all constructors not covered before.
55
Putting It All Togetherstack: DATATYPEBEGIN
empty : emptystack?push(top: t, pop: stack): nonemptystack?
END stack
length: THEORYBEGIN
t: TYPEIMPORTING stack_adt[t]
length(s: stack): nat =reduce_nat(0, (LAMBDA(x: t, n:nat): n+1))(s)
l0: THEOREM (length(empty) = 0)END length
56
Many Data Types and TheoriesMany Data Types and Theories
• can be consulted by M-x vpt – view prelude theory
• are “built in” and described in the Prelude, include– logics, functions, numbers– relations, sets, sequences and lists– sum and quotient types– induction– μ-calculus and CTL
57
Summary: PVSSummary: PVS
• PVS System: Linux/Unix, Emacs + GUI
• PVS Language: How to write a specification?– THEORY, TYPE, VAR, THEOREM, …– abstract data types
• PVS Proof Checker: How do we prove?– flatten, split, inst, skolem, expand, lemma…
• PVS Prelude: Built-in theories– there are even more theories in NASA libraries
58
Don’t Forget: TomorrowDon’t Forget: Tomorrow
• No password for svstud? – contact Jan de Jong of the Notebook Service
center: HG 8.86, tel. 2979
• Install an X Windows client on your laptop – built-in for Linux– for Windows, e.g., Exceed (via BCF website)
• We meet at 845 in Auditorium 9.