itpsession2-a.pdf
TRANSCRIPT
-
8/14/2019 ITPsession2-a.pdf
1/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Automated Specification Analysis Using anInteractive Theorem Prover
Harsh Raju Chamarthi and Pete Manolios
Northeastern University
October 31, 2011
1/101
-
8/14/2019 ITPsession2-a.pdf
2/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Motivation Teaching freshmen how to reason
about programs using ACL2s
2/101
-
8/14/2019 ITPsession2-a.pdf
3/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Motivation Teaching freshmen how to reason
about programs using ACL2s
Success of QuickCheck
Counterexamp
les!!
3/101
-
8/14/2019 ITPsession2-a.pdf
4/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Motivation Teaching freshmen how to reason
about programs using ACL2s
Success of QuickCheck
Combining testing and theorem-proving(ACL2 2011 Workshop)
Counterexam
ples!!
4/101
-
8/14/2019 ITPsession2-a.pdf
5/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Motivation Teaching freshmen how to reason
about programs using ACL2s
Success of QuickCheck
Combining testing and theorem-proving(ACL2 2011 Workshop)
Can we do even better?
Counterexam
ples!!
5/101
d l h l l d l
-
8/14/2019 ITPsession2-a.pdf
6/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Motivation Teaching freshmen how to reason
about programs using ACL2s
Success of QuickCheck
Combining testing and theorem-proving(ACL2 2011 Workshop)
Can we do even better? Apply technology behind ACL2 to help
the regular programmer
Counterexam
ples!!
6/101
I t d ti Al ith E i t l E l ti Di i d C l i
-
8/14/2019 ITPsession2-a.pdf
7/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Motivation Teaching freshmen how to reason
about programs using ACL2s
Success of QuickCheck
Combining testing and theorem-proving(ACL2 2011 Workshop)
Can we do even better? Apply technology behind ACL2 to help
the regular programmer
Counterexam
ples!!
7/101
I t d ti Al ith E i t l E l ti Di i d C l i
-
8/14/2019 ITPsession2-a.pdf
8/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Overview
GoalAnalyse specifications - Find counterexamples!
8/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
9/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Overview
GoalAnalyse specifications - Find counterexamples!
The problem
What to do when theSearch Procedure
doesnt return an answer?
9/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
10/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Overview
GoalAnalyse specifications - Find counterexamples!
The problem
What to do when theSearch Procedure
doesnt return an answer?
QuickCheck
10/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
11/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Overview
GoalAnalyse specifications - Find counterexamples!
The problem
What to do when theSearch Procedure
doesnt return an answer?
QuickCheck
Decision Procedure
Constraint Solver
11/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
12/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Overview
GoalAnalyse specifications - Find counterexamples!
The problem
What to do when theSearch Procedure
doesnt return an answer?
The main ideaReduce the search space and guide theprocedure towards a counterexample
QuickCheck
Decision Procedure
Constraint Solver
12/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
13/100
g p
The Main Idea
Property P Is P false?
Search Proc
13/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
14/100
g p
The Main Idea
Property P Is P false?
Search Proc
Yes
14/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
15/100
The Main Idea
Property P Is P false?
Search Proc
Yes
15/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
16/100
The Main Idea
Property P Is P false?
Search Proc
Dont Know
16/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
17/100
The Main Idea
Property P Is P false?
Search Proc
Dont Know
17/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
18/100
The Main Idea
Property P Is P false?
Search Procedure
18/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
19/100
The Main Idea
Property P
Guide
19/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
20/100
The Main Idea
Property P Is P false?
Guide
x1,x2, . . . ,xn
PP
20/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
21/100
The Main Idea
Property P Is P false?
Guide
Select var
x1,x2, . . . ,xn
P
21/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
22/100
The Main Idea
Property P Is P false?
Guide
Select var
Assign value
x1, 3, . . . ,xn
P
22/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
23/100
The Main Idea
Property P Is P false?
Guide
Select var
Assign value
Simplify using ITPx1, . . . ,xn
P
23/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
24/100
The Main Idea
Property P Is P false?
Guide
Select var
Assign value
Simplify using ITP
Inconsistent?
x1, . . . ,xn
P
24/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
25/100
The Main Idea
Property P Is P false?
Guide
Backtrack!!
x1,x2, . . . ,xn
P
25/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
26/100
The Main Idea
Property P Is P false?
Guide
Is P' false?
Searchx1, . . . ,xn
P
26/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
27/100
The Main Idea
Is P true?
ITP
P
27/101
-
8/14/2019 ITPsession2-a.pdf
28/100
-
8/14/2019 ITPsession2-a.pdf
29/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
30/100
The Main Idea
Is P true?
ITP
PDont Know
30/101
-
8/14/2019 ITPsession2-a.pdf
31/100
-
8/14/2019 ITPsession2-a.pdf
32/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
33/100
The Main Idea
Is P true?
ITP
P
p1
p2
...
pn
Is P false?
Search
33/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
34/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
34/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
35/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
35/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
36/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible -- can introduce new function and predicate symbols
using well-founded recursive definitions Executable
36/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
37/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
37/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
38/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
Properties of formhyp1 hypnconcl
No nested quantifiers Implicitly universally quantified
38/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
39/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
Properties of formhyp1 hypnconcl
No nested quantifiers Implicitly universally quantified
39/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
40/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
Properties of formhyp1 hypnconcl
No nested quantifiers Implicitly universally quantified
An Interactive Theorem Prover (ITP) that can reason aboutspecifications inL.
Smash
Simplify
40/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
41/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
Properties of formhyp1 hypnconcl
No nested quantifiers Implicitly universally quantified
An Interactive Theorem Prover (ITP) that can reason aboutspecifications inL.
Smash takes as input agoal, a formula written inL, and returns
a list of equi-validsubgoals. Simplify
41/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
42/100
Assumptions Specification languageL
Multi-sorted first-order logic Extensible Executable
Properties of formhyp1 hypnconcl
No nested quantifiers Implicitly universally quantified
An Interactive Theorem Prover (ITP) that can reason aboutspecifications inL.
Smash takes as input agoal, a formula written inL, and returns
a list of equi-validsubgoals. Simplify takes as input anL-formula,c, and a list of formulas,H,and returns asimplifiedformula that is equivalent tocassumingHare true.
42/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
43/100
Example
Property
x= hash(y)
y= hash(z)x+y=v2
z > 10
w < min(x,y)
w < z
P
Select?
A
43/101
-
8/14/2019 ITPsession2-a.pdf
44/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
45/100
Example
Property
x= hash(y)
y= hash(z)x+y=v2
z > 10
w < min(x,y)
w < z
P W
V
Y
Z
X
Equality dependency Graph
W
Z
V
Rest dependency G
Select?
A
45/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
46/100
Example
Property
x= hash(y)
y= hash(z)x+y=v2
z > 10
w < min(x,y)
w < z
P W
V
Y
Z
X
Equality dependency Graph
W
Z
V
Rest dependency G
Selectz
A
46/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
-
8/14/2019 ITPsession2-a.pdf
47/100
Example
W
V
Y
Z
X
Equality dependency Graph
W
Z
V
Rest dependency G
Property
x= hash(y)
y= hash(z)x+y=v2
z > 10
w < min(x,y)
w < z
P
Assign?
A
47/101
-
8/14/2019 ITPsession2-a.pdf
48/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
l
-
8/14/2019 ITPsession2-a.pdf
49/100
Example
Property
x= hash(y)y= hash(34)
x+y=v2
w < min(x,y)
w < 34
P'
Propagate with Simplify
A
49/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
E l
-
8/14/2019 ITPsession2-a.pdf
50/100
Example
Propagate with Simplify
A
Property
x= 3623878690
y= 268959709
x+ 268959709=v2
if(x < 268959709)
w < x
w < 268959709
w < 34
P'
50/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
E l
-
8/14/2019 ITPsession2-a.pdf
51/100
Example
A
Property
x= 3623878690
y= 268959709
x+ 268959709=v
2
if(x < 268959709)
w < x
w < 268959709
w < 34
P'
Inconsistent?
51/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
E l
-
8/14/2019 ITPsession2-a.pdf
52/100
Example
A
Property
x= 3623878690
y= 268959709
x+ 268959709=v
2
if(x < 268959709)
w < x
w < 268959709
w < 34
P'
Update Assignment
z= 34A
52/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top le el Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
53/100
Top-level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)
53/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
54/100
Top-level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)
54/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
55/100
Top-level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
n,status:= 0, not-doneSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)
55/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
56/100
Top-level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)
56/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top-level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
57/100
Top-level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializewhileStopCond(summary) n slimitdo
A, n:= Search(P), n+ 1summary:= updateA(summary, P,A)
ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)
57/101
-
8/14/2019 ITPsession2-a.pdf
58/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top-level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
59/100
Top level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)
59/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top-level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
60/100
Top level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
S:= Smash(P)summary:= updateS(summary, P, S)If progress then Recurse on each subgoalreturn (not-done,summary)
60/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top-level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
61/100
Top level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals ...If progress then Recurse on each subgoalreturn (not-done,summary)
61/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top-level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
62/100
Top level Analyze algorithm
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals ...ifS={P} then
for allp Sdostatus,summary:= Analyze(p,summary)ifstatus= done then return (done,summary)
return (not-done,summary)
62/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Top-level Analyze algorithm
-
8/14/2019 ITPsession2-a.pdf
63/100
op eve a y e a go t
Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP
ifPis closed then return AnalyzeConst(P)
initializeSearch till ...ifStopCond(summary)then return (done,summary)
DecomposePinto subgoals ...If progress then Recurse on each subgoal ...return (not-done,summary)
63/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
64/100
g
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)Initialize and Select first variableIteratively construct counterexample orfail
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
65/100
g
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)Initialize and Select first variableIteratively construct counterexample orfail
-
8/14/2019 ITPsession2-a.pdf
66/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
67/100
g
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)Iteratively construct counterexample orfail
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
68/100
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)while true do
v, t:= Assign(x, P)P :=Propagate(x, v, P)ifinconsistent(P)then
Extend A, continue search if not doneelse ifA= []then
backtrackfailif ...
68/101
-
8/14/2019 ITPsession2-a.pdf
69/100
-
8/14/2019 ITPsession2-a.pdf
70/100
-
8/14/2019 ITPsession2-a.pdf
71/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
72/100
Input: PropertyPwith at least one free variable
Output: A counterexample (assignment) orfaillocal StackAof (var, val, # assigns, type, property)
A, i,x:= [], 0,Select(P)while true do
v, t:= Assign(x, P)
P
:=Propagate(x, v, P)ifinconsistent(P)thenift= ``decision" theni:= i+ 1
A:= push((x, v, i, t, P),A)ifAis completethen returnA
i, P,x:= 0, P
,Select(P
)else ifA= []thenbacktrack
failif ...
72/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
73/100
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)while true do
v, t:= Assign(x, P)P :=Propagate(x, v, P)ifinconsistent(P)then
Extend A, continue search if not doneelse ifA= []then
backtrackfailif ...
73/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
74/100
Input: PropertyPwith at least one free variable
Output: A counterexample (assignment) orfaillocal StackAof (var, val, # assigns, type, property)
A, i,x:= [], 0,Select(P)while true do
v, t:= Assign(x, P)
P
:=Propagate(x, v, P)ifinconsistent(P)thenExtend A, continue search if not done
else ifA= []thenrepeat
(x, , i, t, P) :=head(A)A:= pop(A)
until(t= ``decision" i blimit) A= []
failif ...
74/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
75/100
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)while true do
v, t:= Assign(x, P)P :=Propagate(x, v, P)ifinconsistent(P)then
Extend A, continue search if not doneelse ifA= []then
backtrackfailif ...
75/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Search Algorithm
-
8/14/2019 ITPsession2-a.pdf
76/100
Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail
local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)while true do
v, t:= Assign(x, P)P :=Propagate(x, v, P)ifinconsistent(P)then
Extend A, continue search if not doneelse ifA= []then
backtrack
ifA= [] (t= ``implied" i > blimit)thenreturnfail
76/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmI t P t P ith t l t f i bl
-
8/14/2019 ITPsession2-a.pdf
77/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnx
77/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmI t P t P ith t l t f i bl
-
8/14/2019 ITPsession2-a.pdf
78/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnx
78/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmI t: P t P ith t l t f i bl
-
8/14/2019 ITPsession2-a.pdf
79/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))
1. Case:x = y. Addx y.
2. Case:x = ftermy freeVars(fterm)andx /freeVars(fterm)addx y
79/101
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmInput: Property P with at least one free variable
-
8/14/2019 ITPsession2-a.pdf
80/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))Do SCC onG=, collect the leaf components inL
leaves= :=pickxfrom eachl L
80/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmInput: Property P with at least one free variable
-
8/14/2019 ITPsession2-a.pdf
81/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))SCC onG=G :=RestDependencyGraph(P, leaves=)
1. x ywhere {,}: No edge
2. x ftermsuch thatis a binary relation,y freeVars(fterm)andx /freeVars(fterm):Addx y
3. R(term1, term2, . . ., termn), such thatx freeVars(termi),y freeVars(termj),i=j,n 2andRis an arbitrary n-ary relation: Add
x y.
81/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmInput: Property P with at least one free variable
-
8/14/2019 ITPsession2-a.pdf
82/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))SCC onG=G :=RestDependencyGraph(P, leaves=)Do SCC onGto get dagD
82/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Select AlgorithmInput: Property P with at least one free variable
-
8/14/2019 ITPsession2-a.pdf
83/100
Input: PropertyPwith at least one free variableOutput: A free variable inP
ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))SCC onG=G :=RestDependencyGraph(P, leaves=)Do SCC onGto get dagD
X:=the leaf inDwith maximumi=valuereturnX
i=(x) denotes number of nodes that canreach it inG=i=(X) denotes max value of i= amongnodes X
83/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Hardware: Finding hazards in a pipeline
-
8/14/2019 ITPsession2-a.pdf
84/100
Analysing a 3-stage Pipeline
1. Fetch
2. Read
3. Execute/Write-back
84/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Hardware: Finding hazards in a pipeline
-
8/14/2019 ITPsession2-a.pdf
85/100
Analysing a 3-stage Pipeline
1. Fetch
2. Read
3. Execute/Write-back
Primary Concern
Avoid resource conflicts (Data/Control hazards)
85/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Hardware: Finding hazards in a pipeline
-
8/14/2019 ITPsession2-a.pdf
86/100
Analysing a 3-stage Pipeline
1. Fetch
2. Read
3. Execute/Write-back
Primary Concern
Avoid resource conflicts (Data/Control hazards)
Correctness
Show all behaviors of MA are observationally equivalent tobehaviors of ISA
86/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Hardware: Finding hazards in a pipeline
-
8/14/2019 ITPsession2-a.pdf
87/100
Primary Concern
Avoid resource conflicts (Data/Control hazards)
CorrectnessShow all behaviors of MA are observationally equivalent tobehaviors of ISA
Can we find design errors that lead to hazards?
1. Assuming designer has modelled both ISA and MA
2. Formalize above correctness condition
3. Analyze it using our method (demo)
87/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Hardware: Finding hazards in a pipeline
-
8/14/2019 ITPsession2-a.pdf
88/100
Primary Concern
Avoid resource conflicts (Data/Control hazards)
CorrectnessShow all behaviors of MA are observationally equivalent tobehaviors of ISA
Can we find design errors that lead to hazards?
Observations
1. No assertions were written
2. No lemmas were specified
3. No manual tests or test driver given.
88/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Software: Comparison with Alloy
ll
-
8/14/2019 ITPsession2-a.pdf
89/100
Alloy
Alloy is a declarative modeling language based on sets andrelations (relational logic with transitive closure)
Used for describing and analyzing high-level specifications anddesigns.
Automatic Analysis
Given a bound on # model elements, calledscope, Alloy models (andits specifications) translated into Boolean formulas and shipped tooff-the-shelf SAT solvers.
89/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Software: Comparison with Alloy
-
8/14/2019 ITPsession2-a.pdf
90/100
Alloy Analyzer Our method
Property Scope Time Result Time ResultdelUndoesAdd 25 26.41 -- 0.07 QEDaddIdempotent 25 37.76 -- 0.19 QED
addLocal 3 0.08 CE 1.35 CElookupYields 3 0.05 CE 0.83 CE
writeRead 34 99.69 -- 0.02 QED
writeIdempotent 33 44.13 -- 0.01 QEDhidePreservesInv 61 24.91 -- 0.26 QED
cutPaste 3 0.20 CE 0.49 CEpasteCut 3 0.20 CE 1.38 CE
pasteAffectsHidden 27 117.63 -- 0.42 QEDmarkSweepSound 8 47.34 -- 0.28 QED
markSweepComplete 7 58.12 -- 0.34 QED
Table: Comparison with Alloy Analyzer (AA)
90/101
-
8/14/2019 ITPsession2-a.pdf
91/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Software: Comparison with Alloy
M th d l
-
8/14/2019 ITPsession2-a.pdf
92/100
Methodology
Modeled above examples in ACL2, mimicking original formulation inAlloy.Usedsettypes andmaptypesi.e., binary relations, provided by ourdata definition framework.
92/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Software: Comparison with Alloy
Ob ti
-
8/14/2019 ITPsession2-a.pdf
93/100
Observations
1. The ordered sets and records library in ACL2 distribution,powerful enough to prove all the properties that Alloy positsare true
2. No intermediate lemmas provided, no hint or guidance offered
to the theorem prover3. Highlights effectiveness of powerful libraries by the tool-writer
put to use by the choice of right abstractions by theprogrammer
93/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Discussion on the advantages of using ITP
-
8/14/2019 ITPsession2-a.pdf
94/100
Prune away huge subspaces
Extensible
Domain-specific lemma libraries powerful domain-specificreasoning
User can also help formalize facts/insight
94/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Discussion on the advantages of using ITP
-
8/14/2019 ITPsession2-a.pdf
95/100
Prune away huge subspaces
Extensible
Domain-specific lemma libraries powerful domain-specificreasoning
User can also help formalize facts/insight
95/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Discussion on the advantages of using ITP
-
8/14/2019 ITPsession2-a.pdf
96/100
Prune away huge subspaces
Extensible
Domain-specific lemma libraries powerful domain-specificreasoning
User can also help formalize facts/insight
96/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Discussion on the advantages of using ITP
h b
-
8/14/2019 ITPsession2-a.pdf
97/100
Prune away huge subspaces
Extensible
Domain-specific lemma libraries powerful domain-specificreasoning
User can also help formalize facts/insight
97/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions
Discussion on the advantages of using ITP
h b
-
8/14/2019 ITPsession2-a.pdf
98/100
Prune away huge subspaces
Extensible
Domain-specific lemma libraries powerful domain-specificreasoning
User can also help formalize facts/insight
98/101
-
8/14/2019 ITPsession2-a.pdf
99/100
Introduction Algorithm Experimental Evaluation Discussion and Conclusions
The End
-
8/14/2019 ITPsession2-a.pdf
100/100
Thank you
100/101