A Constructor-Based Reachability Logic for Rewrite Theories


Stephen Skeirik, Andrei Stefanescu, José Meseguer
October 10th, 2017

Outline
1 Introduction
2 Reachability Logic Semantics
3 The Invariant Paradox
4 Inference System
5 Implementation and Case Studies
6 Conclusions and Future Work

Introduction: Origins of Reachability Logic
Reachability Logic (RL) was originally proposed by Rosu et al. to verify programs in K, based on a rewriting logic (RWL) definition of the semantics of a language L. RL generalizes both Hoare Logic and Separation Logic, and it is language-generic: a prover can be generated for each language L from its rewriting logic semantics $\mathcal{R}_L$.

Introduction: From Language-generic to Theory-generic RL
This work addresses the following open problems:
1 Can we develop a reachability logic for general rewrite theories, i.e. RL($\mathcal{R}$) generalizing RL($\mathcal{R}_L$)? This would allow us to move from verifying code to verifying distributed system designs.
2 How can we maximize automation in RL proofs?
3 How can we use RL to prove invariants (the invariant paradox)?

Introduction: From Language-generic to Theory-generic RL
We address questions (1)-(3) via:
1 developing a new RWL-theory-based RL semantics and a very simple proof system,
2 utilizing RWL concepts (e.g. constructors, variants) in our proof system, as well as an equational-theory-generic SMT solver, based on variant satisfiability, as a backend,
3 and applying an appropriate RWL theory transformation to prove invariants.

Introduction: A Running Example, QLOCK
The mutual exclusion protocol QLOCK has five rewrite rules:
n2w : $\langle n\,i \mid w \mid c \mid q \rangle \to \langle n \mid w\,i \mid c \mid q\,;\,i \rangle$
w2c : $\langle n \mid w\,i \mid c \mid i\,;\,q \rangle \to \langle n \mid w \mid c\,i \mid i\,;\,q \rangle$
c2n : $\langle n \mid w \mid c\,i \mid i\,;\,q \rangle \to \langle n\,i \mid w \mid c \mid q \rangle$
join : $\langle n \mid w \mid c \mid q \rangle \to \langle n\,i \mid w \mid c \mid q \rangle$ if $\phi$
exit : $\langle n\,i \mid w \mid c \mid q \rangle \to \langle n \mid w \mid c \mid q \rangle$
where $\phi \equiv dup(n\,w\,c\,i) \neq tt$. QLOCK's specification is $\mathcal{R}_{QLOCK} = (\Sigma, E \cup B, R)$ with $R$ the above rules, $B$ the axioms ACU for multiset union (written by juxtaposition) and A for the queue constructor $;$, and $E$ the equation $dup(s\,s\,s') = tt$.


Reachability Logic Semantics: Constrained Constructor Patterns
Definition. Let $(\Sigma, B, E)$ be sufficiently complete w.r.t. constructors $\Omega$. A constrained constructor pattern is a pair $u \mid \varphi$ such that $u \in T_\Omega(X)$ and $\varphi \in \mathit{QFForm}(\Sigma)$. The set $\mathit{PatPred}(\Omega, \Sigma)$ contains $\bot$ and all constrained constructor patterns, and is closed under $\vee$ and $\wedge$. The semantics of a predicate $A$ is $\llbracket A \rrbracket \subseteq \mathcal{C}_{\Sigma/E,B}$, where:
1 $\llbracket \bot \rrbracket = \emptyset$
2 $\llbracket u \mid \varphi \rrbracket = \{ [(u\rho)!]_{B_\Omega} \in \mathcal{C}_{\Sigma/E,B} \mid \rho \in [X \to T_\Omega],\ E \cup B \models \varphi\rho \}$
3 $\llbracket A \vee B \rrbracket = \llbracket A \rrbracket \cup \llbracket B \rrbracket$
4 $\llbracket A \wedge B \rrbracket = \llbracket A \rrbracket \cap \llbracket B \rrbracket$

Reachability Logic Semantics: Reachability Formulas
Definition. Given patterns $u \mid \varphi$ and $v_i \mid \psi_i$, a reachability formula has the form
$u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i$
Example.
1 $\langle n \mid w \mid c \mid q \rangle \mid dup(n\,w\,c) \neq tt$
2 $\langle n \mid w \mid c \mid q \rangle \mid dup(n\,w\,c) \neq tt \to^{\circledast} \langle n' \mid w' \mid c' \mid q' \rangle \mid dup(n'\,w'\,c') \neq tt$

Reachability Logic Semantics: Intuitive Semantics
Q: What does the relation $A \to^{\circledast} B$ mean?
A: Suppose we have (1) a rewrite theory $\mathcal{R}$, (2) pattern formulas $A$, $B$, (3) and terminating states $T$. Then $A \to^{\circledast} B$ means: for each state $[t] \in \llbracket A \rrbracket$ and rewrite path $p$ from $[t]$, either (1) $p$ crosses $\llbracket B \rrbracket$, or (2) $p$ is infinite.
[Figure: rewrite paths from a state in $A$. Legend: a path that ends without crossing $B$ indicates a counterexample; a path that crosses $B$ satisfies $A \to^{\circledast} B$; an infinite path vacuously satisfies $A \to^{\circledast} B$.]

Reachability Logic Semantics: Formal Semantics
Definition. Let $\mathcal{R} = (\Sigma, E \cup B, R)$ have (a) good executability conditions, (b) constructor subsignature $\Omega$, (c) and top sort $State$ of states. Let $\mathcal{C}_{\mathcal{R}}$ denote the canonical reachability model. Then $\mathcal{R} \models A \to^{\circledast} B$ iff: for each concrete state $[u_0] \in \mathcal{C}_{\mathcal{R},State} \cap \llbracket A \rrbracket$ and terminating sequence
$[u_0] \to_{\mathcal{R}} [u_1] \to_{\mathcal{R}} \cdots \to_{\mathcal{R}} [u_{n-1}] \to_{\mathcal{R}} [u_n]$
there exists $0 \leq j \leq n$ with $[u_j] \in \llbracket B \rrbracket$.
N.B.: this is expressible as the LTL formula $A \to (\Box\,\mathit{enabled}) \vee \Diamond B$.


The Invariant Paradox: Introduction
Recall our example theory QLOCK. Q: How can we express the mutual exclusion invariant by a formula $A \to^{\circledast} B$?
A: Since 1 $A \to^{\circledast} B$ just means $A \to (\Box\,\mathit{enabled}) \vee \Diamond B$, 2 and QLOCK is never terminating, all formulas $A \to^{\circledast} B$ are satisfied, so we cannot. (Paradox!!)

The Invariant Paradox: Solving the Invariant Paradox (I)
Recall the structure of the rewrite rules in QLOCK:
n2w : $\langle n\,i \mid w \mid c \mid q \rangle \to \langle n \mid w\,i \mid c \mid q\,;\,i \rangle$
Each rule is topped with a State constructor $\langle \_ \mid \_ \mid \_ \mid \_ \rangle$. Let's add the rule:
stop : $\langle n \mid w \mid c \mid q \rangle \to [\, n \mid w \mid c \mid q \,]$
Note that the stop rule can terminate from any state in the combined theory QLOCK-stop. If $B = \langle \ldots \rangle \mid \varphi$, let $[B]$ denote the predicate $[B] = [\ldots] \mid \varphi$.
Fact. $B$ is an invariant from initial states $S_0$ in QLOCK iff $S_0 \to^{\circledast} [B]$ holds in QLOCK-stop.

The Invariant Paradox: Solving the Invariant Paradox (II)
Let $\mathcal{R}$ be a rewrite theory; assume a single State constructor $\langle \_, \ldots, \_ \rangle : w \to State$ and that all rules have terms of sort $State$. Let $\mathcal{R}_{stop}$ extend $\mathcal{R}$ by adding: (i) a fresh constructor $[\_, \ldots, \_] : w \to State$, and (ii) a stop rule $\langle x{:}w \rangle \to [x{:}w]$. Then:
Theorem. $B$ is an invariant for $\mathcal{R}$ from $S_0$ iff $S_0 \to^{\circledast} [B]$ holds in $\mathcal{R}_{stop}$.
Corollary. If $S_0 \subseteq B$ and $B \to^{\circledast} [B]$ holds in $\mathcal{R}_{stop}$, then $B$ is an invariant for $\mathcal{R}$ from initial states $S_0$.
Example. Mutual exclusion in QLOCK can be given by
$Mutex = \langle n \mid w \mid i \mid i\,;\,q \rangle \mid dup(n\,w\,c\,i) \neq tt \ \vee\ \langle n \mid w \mid \emptyset \mid q \rangle \mid dup(n\,w\,c) \neq tt$.
Prove: (i) $\langle n \mid \emptyset \mid \emptyset \mid nil \rangle \subseteq Mutex$ and (ii) $Mutex \to^{\circledast} [Mutex]$.
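The three ingredients above (the five QLOCK rules, the terminating-path semantics of $A \to^{\circledast} B$, and the stop-rule transformation) can be exercised on a bounded ground model. The following Python is an added example, not the authors' Maude implementation: it assumes a fixed finite set of process ids IDS (so join can only add ids from that set), encodes the five rules and the stop rule as concrete successor functions, reads Mutex as "c is empty, or c = {i} with i at the head of q", and replaces narrowing and variant-satisfiability SMT solving with exhaustive search over the finite state space. The names qlock_successors, counterexample, holds, all_states, INIT and the four top-level checks are this example's own.

```python
"""Bounded, ground-level model of QLOCK, the reachability relation
R |= A ->* B over terminating paths, and the stop-rule transformation.
Constructed example: process identifiers come from a fixed finite set,
so the state space is finite and can be explored exhaustively."""
from itertools import permutations, product

IDS = (1, 2, 3)  # constructed: the only process ids that can ever join

# A state < n | w | c | q > is ("run", n, w, c, q): n, w, c frozensets of ids,
# q a tuple (the queue).  [ n | w | c | q ] is the same tuple tagged "stopped".

def qlock_successors(state):
    """All one-step successors of a state under the five QLOCK rules."""
    tag, n, w, c, q = state
    if tag == "stopped":
        return []  # no rule has a [...] left-hand side
    succ = []
    for i in n:  # n2w: i moves from n to w and is appended to the queue
        succ.append(("run", n - {i}, w | {i}, c, q + (i,)))
    for i in w:  # w2c: only the process at the head of the queue enters c
        if q and q[0] == i:
            succ.append(("run", n, w - {i}, c | {i}, q))
    for i in c:  # c2n: leaving the critical section dequeues i
        if q and q[0] == i:
            succ.append(("run", n | {i}, w, c - {i}, q[1:]))
    for i in IDS:  # join: a fresh id (dup(n w c i) =/= tt) enters n
        if i not in n | w | c:
            succ.append(("run", n | {i}, w, c, q))
    for i in n:  # exit: an idle process leaves the system
        succ.append(("run", n - {i}, w, c, q))
    return succ

def qlock_stop_successors(state):
    """QLOCK-stop: in addition, the stop rule may fire from any running state."""
    extra = [("stopped",) + state[1:]] if state[0] == "run" else []
    return qlock_successors(state) + extra

def counterexample(successors, init_states, in_B):
    """Witness that R |= A ->* B fails: a terminating path from a state in A
    that never crosses B, as a tuple of states, or None.  Infinite paths
    (cycles) are never counterexamples, exactly as in the semantics."""
    stack = [(s, (s,)) for s in init_states]
    seen = set()
    while stack:
        s, path = stack.pop()
        if in_B(s) or s in seen:
            continue  # branch crosses B, or was already explored
        seen.add(s)
        nxt = successors(s)
        if not nxt:
            return path  # terminating path that missed B
        stack.extend((t, path + (t,)) for t in nxt)
    return None

def holds(successors, init_states, in_B):
    """R |= A ->* B, decided by exhaustive search over the bounded model."""
    return counterexample(successors, init_states, in_B) is None

def all_states():
    """Every well-formed running state: each id in at most one of n, w, c,
    combined with every duplicate-free queue over IDS."""
    queues = [q for k in range(len(IDS) + 1) for q in permutations(IDS, k)]
    states = []
    for placement in product("nwc-", repeat=len(IDS)):
        groups = {"n": set(), "w": set(), "c": set()}
        for i, where in zip(IDS, placement):
            if where != "-":
                groups[where].add(i)
        n, w, c = (frozenset(groups[k]) for k in "nwc")
        states.extend(("run", n, w, c, q) for q in queues)
    return states

def mutex(state):
    """Mutex: c is empty, or c = {i} with i at the head of the queue."""
    _, _, _, c, q = state
    return not c or (len(c) == 1 and bool(q) and q[0] in c)

def stopped(pred):
    """[B]: the predicate B restricted to stopped states."""
    return lambda s: s[0] == "stopped" and pred(s)

INIT = [s for s in all_states() if not (s[2] or s[3] or s[4])]  # < n | 0 | 0 | nil >

def paradox():
    """In QLOCK proper no path terminates, so even A ->* bottom holds."""
    return holds(qlock_successors, INIT, lambda s: False)

def mutex_from_init():
    """(i) < n | 0 | 0 | nil > ->* [Mutex] in QLOCK-stop: Mutex is invariant."""
    return holds(qlock_stop_successors, INIT, stopped(mutex))

def mutex_inductive():
    """(ii) Mutex ->* [Mutex] in QLOCK-stop, starting from every Mutex state."""
    return holds(qlock_stop_successors, [s for s in all_states() if mutex(s)], stopped(mutex))

def non_invariant_witness():
    """'w stays empty' is not invariant: the search returns a path ending in a
    stopped state with non-empty w that never crossed [w = empty]."""
    return counterexample(qlock_stop_successors, INIT, stopped(lambda s: not s[2]))
```

holds() decides $\mathcal{R} \models A \to^{\circledast} B$ exactly as the formal semantics states it: a failure is a terminating path from $A$ that never crosses $B$, so cycles are ignored. That is why paradox() reports that even $A \to^{\circledast} \bot$ holds in QLOCK proper, whereas in QLOCK-stop every reachable running state has a stopped, terminating twin, so $S_0 \to^{\circledast} [Mutex]$ becomes a genuine invariance check; non_invariant_witness() shows the same search producing a witness for a property that does not hold.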


Inference System: Introduction (I)
Q: Then, given a RWL theory $\mathcal{R}$, how do we prove $A \to^{\circledast} B$?
A: Perhaps surprisingly, two proof rules are enough: a rule that traces rewrite steps of symbolic states in $\mathcal{R}$, and a rule that internalizes terminating-path-length induction on $\mathcal{R}$. We call these two rules Step+Subsumption and Axiom.

Inference System: Introduction (II)
The key ideas are:
1 Proving $A \to^{\circledast} B$ may require some auxiliary lemmas; let $C$ denote the formula $A \to^{\circledast} B$ plus these lemmas.
2 For each formula in $C$, start with labeled sequents: $[\emptyset, C] \vdash_T u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i$
3 The 1st part ($\emptyset$) is the formulas to be assumed as axioms (none);
4 the 2nd part ($C$) is the formulas to prove that cannot yet be assumed;
5 the Step+Subsumption rule allows us to inductively assume $C$ after a rewrite step with the rules $R = \{ l_j \to r_j \ \mathit{if}\ \phi_j \}$.

Reachability Logic Proof Rules (I): Step+Subsumption Rule
$$\frac{\displaystyle \bigwedge_{(j,\alpha) \in \mathit{unify}(u \mid \varphi', R)} [A \cup C, \emptyset] \vdash_T (r_j \mid \varphi' \wedge \phi_j)\alpha \to^{\circledast} \bigvee_i (v_i \mid \psi_i)\alpha}{[A, C] \vdash_T u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i}$$
with $\varphi' = \varphi \wedge \bigwedge_{(i,\beta) \in \mathit{match}(u, \{v_i\})} \neg(\psi_i \beta)$ and $R = \{ l_j \to r_j \ \mathit{if}\ \phi_j \}$.
Note. The proof rule performs all possible narrowing steps with the rules $R$; goals $u \mid \varphi \to^{\circledast} B$ with unsatisfiable $\varphi$ are implicitly removed.

Reachability Logic Proof Rules (II): The Axiom Rule
$$\frac{[\{ u' \mid \varphi' \to^{\circledast} \bigvee_j v'_j \mid \psi'_j \} \cup A, \emptyset] \vdash_T \bigvee_j v'_j\alpha \mid \varphi \wedge \psi'_j\alpha \to^{\circledast} \bigvee_i v_i \mid \psi_i}{[\{ u' \mid \varphi' \to^{\circledast} \bigvee_j v'_j \mid \psi'_j \} \cup A, \emptyset] \vdash_T u \mid \varphi \to^{\circledast} \bigvee_i v_i \mid \psi_i}$$
where $\alpha$ is such that $u =_{E_\Omega \cup B_\Omega} u'\alpha$ and $T_{\Sigma/E \cup B} \models \varphi \Rightarrow \varphi'\alpha$.

Reachability Logic Soundness
Theorem (Soundness). Let $\mathcal{R}$ be a rewrite theory and $C$ a finite set of reachability formulas. If $[\emptyset, C] \vdash_T C$ is provable in $\mathcal{R}$, then $\mathcal{R} \models_T C$.
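The inference system of slides 12 to 16 is stated symbolically. The following Python is an added example (not the authors' Maude prover) that renders the two rules at the ground level of a constructed finite transition system: patterns are finite sets of concrete states, so unification and narrowing become successor lookup and matching becomes set membership; it further assumes that every state with no successor is terminating (the set $T$). It demonstrates the sequent discipline the slides describe, namely that the circularities in $C$ become usable only after a Step, that an auxiliary lemma may be needed, and, via an unsound=True switch that is this example's own, what goes wrong if $C$ is assumed before any step. The state names, the relation RULES and the MAX_DEPTH cut-off are constructed.

```python
"""Ground-level rendering of the two-rule inference system on a finite
transition system.  A goal (A, B) stands for A ->* B with A and B finite sets
of concrete states; a sequent [Ax, C] |- u ->* B carries the axioms Ax usable
now and the circularities C usable only after a Step.  Constructed example
with hypothetical state names: a process idles, waits (possibly polling
forever), enters a critical section and may finally stop."""

MAX_DEPTH = 12  # cut-off on nested rule applications; beyond it a goal counts as unproved

# Constructed rewrite relation: every concrete one-step transition.
RULES = {
    "idle": ["wait"],
    "wait": ["poll", "crit"],  # may spin (poll) or enter the critical section
    "poll": ["wait"],          # polling returns to wait: an infinite path exists
    "crit": ["idle", "done"],
    "done": [],                # the only terminating state
}
# Variant in which an idle process may also stop immediately.
RULES_SHORTCUT = {**RULES, "idle": ["wait", "done"]}

def derive(u, B, axioms, circ, rules, depth=0):
    """Search for a derivation of [axioms, circ] |- u ->* B.
    Assumption of this example: every stuck state is terminating (T is the
    set of states with no successor), so reaching one outside B is a failure."""
    if u in B:  # Subsumption: the path has crossed B
        return True
    if depth >= MAX_DEPTH:
        return False  # search cut off: treated as unproved
    for lhs, rhs in axioms:  # Axiom rule: u matches the left-hand side of an
        if u in lhs:         # assumed formula, so its right-hand side remains
            if all(derive(v, B, axioms, circ, rules, depth + 1) for v in rhs):
                return True
    nxt = rules[u]
    if not nxt:
        return False  # terminating state outside B: a genuine counterexample
    # Step: after one rewrite step the circularities become usable axioms
    return all(derive(t, B, axioms | circ, frozenset(), rules, depth + 1)
               for t in nxt)

def prove(goals, rules, unsound=False):
    """Prove every formula of C = goals (conjecture plus auxiliary lemmas),
    each starting from the sequent [0, C].  unsound=True puts C into the axiom
    part before any Step, which lets a formula prove itself; it is included
    only to show why the sequent keeps its two parts separate."""
    circ = frozenset(goals)
    axioms = circ if unsound else frozenset()
    return all(derive(u, rhs, axioms, circ, rules) for lhs, rhs in circ for u in lhs)

def goal(lhs, rhs):
    return (frozenset(lhs), frozenset(rhs))

G = goal({"idle"}, {"done"})              # every terminating run from idle reaches done
LEMMA = goal({"wait", "poll"}, {"done"})  # the same claim for the polling loop

def lemma_needed():
    """Without the lemma the search spins through wait/poll up to MAX_DEPTH;
    with it, wait and poll are discharged by the Axiom rule after one Step."""
    return prove([G], RULES), prove([G, LEMMA], RULES)  # (False, True)

G_FALSE = goal({"idle"}, {"wait"})  # false in RULES_SHORTCUT: idle -> done skips wait

def soundness_check():
    """The sound prover rejects G_FALSE; assuming C before a Step 'proves' it."""
    return (prove([G_FALSE], RULES_SHORTCUT),
            prove([G_FALSE], RULES_SHORTCUT, unsound=True))  # (False, True)
```

The two results are the point of the slides: lemma_needed() shows that $C$ may have to contain more than the conjecture, since the wait/poll loop is only closed once LEMMA can be used as an axiom after a Step, and soundness_check() shows that moving $C$ into the axiom part before any step would let idle ->* wait be "proved" even though the terminating path idle -> done never crosses wait.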


Implementation and Case Studies: Reflective Implementation
The proof system has been implemented in Maude. Some notes:
1 Since RWL is reflective, Maude's META-LEVEL library was used, which supports reasoning over RWL theories and terms.
2 Maude's built-in support for narrowing modulo axioms was used to compute successors in the RWL theory $\mathcal{R}$.
3 An implementation of a variant-satisfiability-based, theory-generic SMT solver was used to discharge satisfiability and validity proof obligations.

Implementation and Case Studies: Case Studies
Example: description of the system / property verified
Choice: nondeterministically throws away elements from a multiset / eventually only one element left
Comm. Protocol 1: simple communication protocol / received data is always a prefix of the data to be sent
Comm. Protocol 2: fault-tolerant communication protocol / all data is eventually received in order
Dijkstra: Dijkstra's mutual exclusion alg. / mutual exclusion
Fixed-Size Token Ring: 2-token ring mutual exclusion alg. / mutual exclusion
QLOCK: QLOCK mutual exclusion alg. / mutual exclusion
Readers/Writers: readers-writers mutual exclusion alg. / mutual exclusion
Lamport's Bakery: unbounded Lamport's bakery / mutual exclusion
Thermostat: open system that dynamically responds to temperature / temperature remains in preset bounds

Implementation and Case Studies: Example Proof Fragment
A fragment of the proof of $G_2$, read bottom-up (the goal sequent comes last; each line names the rule applied to the sequent below it):
$T_1 = \{\, [C, \emptyset] \vdash [\, n_3 \mid w_3 \mid \emptyset \mid q_3 \,] \mid dup(n\,w\,p) \neq tt \wedge dup(n_3\,w_3) \neq tt \to^{\circledast} [Mutex_1] \vee [Mutex_2] \,\}$, closed by sub($p_1$, $\alpha$)
$T_1 \wedge T_2$, obtained by axiom($G_2$, $\alpha$) from
$[C, \emptyset] \vdash \langle n \mid w\,p \mid \emptyset \mid q \rangle \mid dup(n\,w\,p) \neq tt \to^{\circledast} [Mutex_1] \vee [Mutex_2]$, obtained by step(n2w, $\theta$) from
$[\emptyset, C] \vdash \langle n \mid w \mid \emptyset \mid q \rangle \mid dup(n\,w) \neq tt \to^{\circledast} [Mutex_1] \vee [Mutex_2]$
where $G_i \equiv Mutex_i \to^{\circledast} [Mutex]$ and $C \equiv \{G_1, G_2\}$.


Conclusions
We have presented our new theory and implementation of an RL semantics and inference system, where:
1 our system is rewrite-theory-generic, so it can be applied to analyze distributed system designs;
2 our implementation uses a theory-generic, variant-satisfiability SMT solver underneath;
3 we applied RWL theory transformations in order to specify and verify invariants.

Future Work
At this point, there are two clear directions for future work:
1 our variant satisfiability implementation currently supports rewrite theories whose equational fragment is decidable; we are developing heuristics for undecidable theories;
2 we are developing larger, more interesting case studies to provide further validation for our reachability logic tool.

The End. Any questions?