strategies for verification dick kieburtz ogi school of science & engineering july 15, 2003
Post on 04-Jan-2016
219 Views
Preview:
TRANSCRIPT
Strategies for Verification
Dick KieburtzOGI School of Science & Engineering
July 15, 2003
An Automatic Verification Server
for Programatica• Intended for use by the sophisticated user of
Programatica– who comprehends both Haskell and P-logic– who wants machine-checked verification of asserted
properties– But who doesn’t want to construct proofs herself– And doesn’t wish to translate programs and properties
to the logic of an interactive theorem prover
• An automatic verification server, given an assertion– Will construct a proof and tell the user when it succeeds– Or will fail and tell the user what properties it failed to
prove during the attempt
However,Automatic Verification is
Incomplete• And thus some interaction with a user should
be supported to mitigate user frustration– Tell a user what verification conditions the verifier
fails to discharge during an attempt at proof construction
– Support verification of properties implied by hypotheses
– Encourage a user to strengthen hypotheses for an asserted property
Roadmap for the Rest of this Talk
• Structure of a proof• Proof construction by term-
rewriting• Normal forms • Strategies for achieving them• Equalities and congruence closure• Patterns and variable-splitting• Programming proof search• Stratego as a tool for programming
a theorem prover
Propositions, Sequents and Proof Rules
• Propositional forms:– Quant([Qvars],Prop)– Equal(HTerm,HTerm)– Has(HTerm,Pred) — syntax for unary predicate application– Pred ( [HTerm] ) — syntax for n-ary predicate application– Conj([Prop]), Disj([Prop]), Neg(Prop),
Implies([Prop],Prop)– True, False
• Sequent form:– Consequence( Type-env,[Prop], [Prop] )
• A list of assumptions (implicit conjunction) implies a list of conclusions (implicit disjunction) in a given type environment
• Proof Rule:[ Sequent ]
Sequentconsequent
antecedents
Proofs• A proof is a finite tree whose
– nodes are labeled by instances of proof rules– arcs are labeled by sequents
such that:
from a node whose label is seq1, seq2 … seqn
seq0
there are arcs labeled by seqk, (1 k n) each
connecting to a node whose label has consequent seqk
• A leaf of a proof tree is a proof rule with an empty list of antecedents– Either an explicit axiom of the logic– Or an axiom implied by a theorem of a decidable subtheory
Proof Construction by Term Rewriting
• Sequents, Types, Props, Preds, HTerms are all represented as terms of a multi-sorted abstract syntax– Application of a proof rule is enabled by pattern matching
and rewrites a sequent term (goal) to zero or more sequents, called verification conditions
• Pattern matching may be with respect to any or all of the structure of Sequent, Prop, Type, HTerm, Pred, or Assumptions– As a rewriting system, P-logic rules are not confluent
• Rules may overlap — more than one rule may apply to a term• The order in which rules are applied can affect whether or not
an attempted proof construction will ultimately succeed– Choice of which rules to try can be encoded in the rules
themselves;• which is the conditional rewriting approach
– Or the choice may be programmed• which is the strategy-driven rewriting approach
Stratego — the language of choice for programming
strategies“if you have a hammer, all the world looks like a nail”• Strategies generalize patterns
– Primitive strategies are patterns, ?T and term constructors, !T
• Patterns are not restricted to be linear — they may contain repeated occurrences of the same variable
• Compound strategies are constructed with:– A sequential composition operator “;”– Choice operators “+” (symmetric choice), “<+” (left
choice)– Term congruences, C(s) where C is a data constructor– Recursion, rec x (s), where x may occur in s– Strategy definition,
strategies sname(x) = sbody, where x may occur in sbody
– Strategy application, sname(foo), where foo is a strategy
Rewriting respects Congruences
a
a b
b
Thus, strategies that normalizeterms of specific sorts can be used
But Rewriting may also be Context-Sensitive
a b
Rewrite is not enabled in a different context
a b
Beta-reduction of Haskell terms
• Beta-reduction induces a congruence relation– Satisfiability of a P-logic property by a Haskell term is
preserved under -conversion -reduction in Haskell involves Haskell’s pattern-matching
• A useful strategy is to reduce applicative terms whenever possible– Reduction may be possible a priori– Or after unfolding of a definition– Or after variable-splitting introduces a structured term
• There are useful congruence relations on restricted classes of terms– e.g., propositional formulas, Boolean expressions, datatype
expressions– Strategies attempt to reach normal forms in which
congruences can more easily be recognized, or further strategies can be applied
• Conjunctive or disjunctive normal forms for booleans • Conjunctive or disjunctive clause form for propositions• Weak or strong head normal forms for applicative expressions
Weak head normal form• A pair of strategies defining weak head
normal form of Haskell terms:is-wvalue = HAbs(id,id) + HCon(id,id) + HTuple(id) + HLit(id)is-whnf = is-value + rec r (HVar(id) + HIte(r,id,id) + HCase(r,id) + HApp(r,id) + HApp(HAbs(is-structured-pat,id),HVar(id)))whereis-structured-pat = rec r (AsPattern(id,r) <+ not(VarPat(id)))
Renaming bound variablesRename(RnVar,RnBinding,RnApply) :: Term TermWhere Env = [(string,Term)]
RnVar(is-var) :: (Term,Env) Term uses an Env to rename occurrences of variables
RnBinding(bindvars) :: (Term,Env) (Term,Env)applies bindvars :: Term (Term,Env) at bindingsites to extend an environment, binding globally freshnames to locally bound variables
prnApply(bndpats, bndvars) :: Term Term uses bndpats to rename variables in patterns and uses bndvars to rename use occurrences of variables
Both bndpats and bndvars explicitly embed the current EnvRename, RnVar and RnBinding are generic (not term-grammar-
specific)
Renaming bound variables (2)
Rename(is-var,bindvars,prnApply) =\ t (t,[]) \ ;rec r (env-alltd (RnVar(is-var) <+
RnBinding(bindvars); \ (t,env) prnApply(\ u r (u,env’) where map((id,var2pat)) env env’
\, \ u r (u,env’) \ ) \ )))where env-alltd(s) = rec x (s <+ dist(x)) and dist(s) : (t,env) all(\ x s (x,env) \ ) t
Renaming bound variables (3)
Rename (Hvar(id), HBnd, HprnApply)
where HBnd = rec r (\ HAbs(p,_) r p \ + \ HBranch(p,_) r p \ + \ VarPat(x) [x] \ + \ TuplePat(xs) map(r) xs; concat + \ HCon(_,xs) map(r) xs; concat + \ TwiddlePat(p) r p \ + \ AsPattern(_,p) r p \ <+ ![ ])
and HprnApply(bndpats,bndvars) = HAbs(bndpats,bndvars) +
Hbranch(bndpats,bndvars) + Hdef(bndpats,bndvars)
Quantified Variables• Universally quantified variables are renamed
to unique (fresh) names• Existentially quantified variables are replaced
by Skolem constants – uninterpreted functions of the universally quantified
variables that scope over them
Eliminating Disjunctive Conclusions
• A list of conclusions in a sequent is an implicit disjunction of propositions– Rewrite to a list of alternative sequents, each
containing a single proposition as its conclusion
Eliminating An Implicative Conclusion
• A sequent with an implicative conclusion, Assumptions P1 P2 … Pn Q
Is rewritten by moving the implicands to the list of assumptions:
P1, P2, …, Pn, Assumptions Q
Factoring Congruence Equalities
• Replace an assumed equality of constructed data
C(t1,…,tk) = C(t1’,…,tk’)
by the list of individual equalities t1 = t1’, … , tk = tk’
Propagating Equalities• A list of assumptions often contains a number of term
equalities– Q: How can a finite set of assumed equalities be propagated
to all relevant subterms in an asserted conclusion?– A: By a congruence closure algorithm
• Step 1: Variable abstraction– Construct an environment mapping every term that is an argument of
an equality or of a function symbol in an assumption to a unique, fresh identifier
• Step 2: Rewrite the assumptions, replacing terms by variables, using the environment constructed at step 1.
Every equation now has the form HVar(I) = HVar(j)• Step 3: Orient the equations and calculate their symmetric,
transitive closure, thus mapping each variable to a unique representative of its equivalence class. (Union-Find algorithm)
• Step 4: Rewrite the conclusion of the sequent, replacing each term (subterm) matched in the environment of step 1 by the unique variable that represents its equivalence class.
Propagating Equalities — Example
a===(u,v), b===a ( \(x,y) x) b === u• Constructed environment map (association list)
[((u,v),a)] • Variables replaced by equivalence-class
representatives[((u,v),a)], a===a, a===a ( \(x,y) x) a === u
• Application with patterned abstraction triggers substitution of expression for argument variable in conclusion of sequent
[((u,v),a)], a===a, a===a ( \(x,y) x) (u,v) === u
Variable Splitting• When a tuple abstraction is applied to a variable, it
cannot be reduced ( \(x,y) x ) z
• But if the variable given as an argument has a Strong property, it must be equivalent to a tuple of the same shape as is given in the abstraction (typing guarantee)
• Introduce a pair of fresh variables, (u,v)– Add to the current assumptions the equation z = (u,v)– Substitute the pair for the variable argument in the
application: ( \(x,y) x ) (u,v)
– allowing a -reduction step to succeed
• Add as a verification condition… current assumptions z ::: $Univ
If-then-else reduction
• An if-then-else expression whose boolean test reduces to a value can be simplified
assumptions if True then e1 else e2 ::: P
is rewritten to assumptions e1 ::: P
and
assumptions if False then e1 else e2 ::: P
is rewritten toassumptions e2 ::: P
by strategies that implement rules of P-logic
If-then-else splitting• When a property is asserted of a conditional
expression, assumptions if b then e1 else e2 ::: P
– the boolean expression, b, may not be reducible to a value– But if the expression, b, has a strong property, it has either
the value True or the value False (type guarantee)
• Rewrite the assertion to the following three verification conditions (implicitly conjoined):
bool-to-prop b, assumptions e1::: P
bool-to-prop (not b), assumptions e2 ::: P assumptions b ::: $Univ
– where bool-to-prop :: Term Prop is a strategy that either transforms a boolean expression to a proposition valid in exactly those environments in which the expression evaluates to True, or else the strategy fails (i.e. the strategy is incomplete)
• In any of the three V.C. fails to be discharged, the if-then-else split fails, restoring the original sequent
If-then-else resolution• Sometimes an if-then-else branch can be resolved by proof• Strategies:
assumptions if b then e1 else e2 ::: Pis rewritten to the set of three verification conditions:
assumptions bool-to-prop b assumptions e1 ::: P
assumptions b ::: $Univ• If any of the V.C. fail to discharge, rewrite the original
assertion to assumptions bool-to-prop (not b) assumptions e2 ::: P assumptions b ::: $Univ
and try to discharge these V.C.• We try if-then-else reduction <+ if-then-else resolution <+
if-then-else splitting
Strategies for Let Expressions
• A Haskell let expression is a set of equational definitions that scope over a following expression– All of the defined identifiers are also in scope over all the right-
hand sides, and thus are potentially mutually recursive– Bummer! I wanted to inline the definitions
• Strategy: calculate a dependency relation among the definitions of a Let expression
• Reorder the definitions in a list consistent with the dependencies– A clique of one or more mutually dependent definitions forms a
knot in the list– A definitions in an unknotted segment of the list can be inlined in
the defnitions that follow and in the scoped-over expression– Any property of an identifier defined in a knotted definition must
be proved by a fixed-point strategy (not yet implemented, but see the P-logic report)
Discharge Strategies
• Primitive discharge looks for an exact match of an asserted conclusion in a list of assumptions– Implements the “trivial sequent” by sequential search
of the contextual assumptions
• A strength assertion, assumptions b ::: $Univ is discharged if b has any strong property assumed of it, or if assumptions x ::: $Univ is discharged for everyx strictVars bwhere strictVars is a strategy that performs a liberally-
safe strictness analysis, returning a list of variables in which the argument term may be strict, or fails
A Hierarchy of Pattern Matches
• Strategies are triggered by pattern matches– Outermost patterns are the structure of assertions– Then by quantification of the conclusion– Next, by the structure of formulas (conjunction,
implication)– Next, the structure of properties (unary, equality, k-
ary)– Then by the structure of predicate formulas– Then by the structure of individual predicates– Finally, by the structure of individual Hterms
Proof Search (Equality)• Simplify assumptions and take congruence
closure of assumed equalities• Try Discharge strategies in listed order
– Trivial discharge– Intensional equality of two HAbs terms– Equality involving a strict HAbs by application and
reduction (recursive strategy)– First, simplify expressions by reduction, and
• Try variable-splitting; tuple factoring • Trivial discharge (now after term reduction)• If-then-else resolution• If-then-else splitting• Split disjunctive assumptions or conjunctive conclusions • map discharge strategy over resulting V.C.
Field Trials• Strategy development has been directed initially
towards proving the assertions of the Channel Separation chip model’s Memory module
• It has not been necessary to enrich P-logic’s actual proof rules as formulated in the report
• It has been necessary to strengthen some of the assertions given with the Memory module– Principally to add definedness assertions for several
universally quantified variables– Without the addition of definedness assertions, the
Memory module assertions were not true as originally stated!
• All properties asserted in the Memory module have been verified.
Work Remaining to be Done
• Type-cognizant strategies– The current implementation includes no strategies for
overloaded operators • comparison operators (==, /=, <, <=, >, >=) are assumed to
be those defined in the Prelude for Eq and Ord types
– We need strategies for monad instances, in particular– Strategies to comprehend Haskell data definitions
• Derive rules for data type homomorphisms, structural induction
• Cooperating decision procedures– Incorporate decision procedures for boolean expressions,
Pressburger arithmetic, and lists, in addition to equalities
• Implement strategies for recursive let definitions• Implement strategies for coinductive properties• Build a user interface• Link to pfe tools as a proof server• Release and evaluate!
top related