Formal Methods and Theorem Proving Using PVS

Similar documents
Using the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:

Applied Logic for Computer Scientists. Answers to Some Exercises

Equalities and Uninterpreted Functions. Chapter 3. Decision Procedures. An Algorithmic Point of View. Revision 1.0

Verification for ASP Denotational Semantics: a Case Study using the PVS Theorem Prover

02 Propositional Logic

03 Review of First-Order Logic

Computational Logic for Computer Science

Deductive Verification

Extending higher-order logic with predicate subtyping: application to PVS

Software Engineering using Formal Methods

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Automation of Termination: Abstracting Calling Contexts through Matrix-Weighted Graphs

First-Order Theorem Proving and Vampire. Laura Kovács (Chalmers University of Technology) Andrei Voronkov (The University of Manchester)

Fundamentals of Software Engineering

Fundamentals of Software Engineering

First-Order Theorem Proving and Vampire

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

An Introduction to Z3

The TLA + proof system

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods

Nunchaku: Flexible Model Finding for Higher-Order Logic

A brief introduction to Logic. (slides from

Mechanically Assisted Examination of Begging the Question in Anselm s Ontological Argument

Learning Goals of CS245 Logic and Computation

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 18, 2017

Floyd-Hoare Style Program Verification

Chapter 2. Assertions. An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Proof Translation Study March 2000

Automata-Theoretic Model Checking of Reactive Systems

TDDD08 Tutorial 1. Who? From? When? 6 september Victor Lagerkvist (& Wªodek Drabent)

Formal Methods in Software Engineering

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Intelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University

Constraint Solving for Finite Model Finding in SMT Solvers

Matching Logic: Syntax and Semantics

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications

Comp487/587 - Boolean Formulas

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Introduction to Logic in Computer Science: Autumn 2006

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

First-Order Logic First-Order Theories. Roopsha Samanta. Partly based on slides by Aaron Bradley and Isil Dillig

The Curry-Howard Isomorphism

Satisfiability Modulo Theories (SMT)

Automated Reasoning Lecture 5: First-Order Logic

A Short Introduction to Hoare Logic

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Automatic Deduction for Theories of. Algebraic Data Types. Igor A. Chikanian

WHAT IS AN SMT SOLVER? Jaeheon Yi - April 17, 2008

LOGIC. Mathematics. Computer Science. Stanley N. Burris

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Beyond First-Order Logic

Computational Logic. Davide Martinenghi. Spring Free University of Bozen-Bolzano. Computational Logic Davide Martinenghi (1/30)

On the Complexity of the Reflected Logic of Proofs

Using Decision Procedures to Accelerate Domain-Specific Deductive Synthesis Systems

Logic Synthesis and Verification

Write your own Theorem Prover

Lecture Notes on Quantification

Discrete Mathematics

Proving Real-time Properties of Embedded Software Systems 0-0

Topics in Model-Based Reasoning

Proof Calculus for Partial Correctness

Mid-Semester Quiz Second Semester, 2012

Constraint Solving for Program Verification: Theory and Practice by Example

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic

Artificial Intelligence Chapter 7: Logical Agents

Deciding Boolean Algebra with Presburger Arithmetic

Informal Statement Calculus

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Chapter 4: Computation tree logic

Formalization of Rewriting in PVS

Roy L. Crole. Operational Semantics Abstract Machines and Correctness. University of Leicester, UK

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms

Abstractions and Decision Procedures for Effective Software Model Checking

Easy Parameterized Verification of Biphase Mark and 8N1 Protocols

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Model Checking. Boris Feigin March 9, University College London

Co-simulation of embedded systems: a PVS-Simulink integrated environment

Chapter 4, Logic using Propositional Calculus Handout

Introduction to Logic in Computer Science: Autumn 2007

Syntax of FOL. Introduction to Logic in Computer Science: Autumn Tableaux for First-order Logic. Syntax of FOL (2)

Ordering Constraints over Feature Trees

Chapter 6: Computation Tree Logic

CS632 Notes on Relational Query Languages I

Rigorous Software Development CSCI-GA

Syntax. Notation Throughout, and when not otherwise said, we assume a vocabulary V = C F P.

SAT, NP, NP-Completeness

Herbrand Theorem, Equality, and Compactness

Part 2: First-Order Logic

Probabilistic Guarded Commands Mechanized in HOL

Constraint Solving for Program Verification: Theory and Practice by Example

SMT BASICS WS 2017/2018 ( ) LOGIC SATISFIABILITY MODULO THEORIES. Institute for Formal Models and Verification Johannes Kepler Universität Linz

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

(La méthode Event-B) Proof. Thanks to Jean-Raymond Abrial. Language of Predicates.

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

CPSA and Formal Security Goals

Lecture Notes on Heyting Arithmetic

Notation Index. gcd(a, b) (greatest common divisor) NT-16

Hoare Logic and Model Checking

Transcription:

Formal Methods and Theorem Proving Using PVS Concetta Pilotto and Jerome White Caltech Infospheres Lab Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 1

PVS: Prototype Verification System Specification Language integrated with a interactive Theorem Prover Used for writing formal specifications and checking formal proofs. Free Software SRI International Solaris, Linux and MAC Implemented in LISP and interface Emacs Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 2

Outline PVS Specification Language Prover Commands Distributed System example: Local-Global Relations Theory PVS Specification PVS Proofs Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 3

A PVS Example sum: BEGIN THEORY n:var nat sum(n): RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n square(n):nat = n*n sum_of_values: LEMMA FORALL (k:nat): sum(k)=k*(k+1)/2 END sum Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 4

A PVS Example sum: BEGIN THEORY Theory Definition n:var nat sum(n): RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n square(n):nat = n*n sum_of_values: LEMMA FORALL (k:nat): sum(k)=k*(k+1)/2 END sum Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 5

Theories Theory: a collection of definitions, assumptions, axioms, and theorems. stored in a.pvs file (e.g. sum.pvs) Parametric Theories sum [N0:nat]: THEORY BEGIN <...> END Hierarchical Theories IMPORTING sum[10] Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 6

Built-in and Pre-Defined Theories Built-in Theories: Prelude E.g. integer, Boolean, real, list, set, finite set... http://www.cs.rug.nl/~grl/ar06/prelude.html M-x view-prelude-theory Pre-Defined Theories: NASA Langley PVS theories shemesh.larc.nasa.gov/fm/ftp/larc/pvs-library/pvslib.html E.g. algebra, complex numbers, graphs, logarithm and exponential Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 7

A PVS Example sum: BEGIN THEORY n:var nat Variable Declaration sum(n): RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n square(n):nat = n*n sum_of_values: LEMMA FORALL (k:nat): sum(k)=k*(k+1)/2 END sum Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 8

Variables and Constants Variable Declarations n,m,p:var nat Constant Declaration and Definition n0:nat n0:nat = 10 Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 9

A PVS Example sum: BEGIN THEORY n:var nat sum(n): RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n Function Declaration & Definition square(n):nat = n*n sum_of_values: LEMMA FORALL (k:nat): sum(k)=k*(k+1)/2 END sum Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 10

Functions Declarations square(n):nat Definitions square(n):int = n*n sum(n):recursive nat = (IF n=0 THEN 0 ELSE n+sum(n-1) ENDIF ) MEASURE n Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 11

A PVS Example sum: BEGIN THEORY n:var nat sum(n): RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n square(n):nat = n*n sum_of_values: LEMMA FORALL (k:nat): END sum sum(k)=k*(k+1)/2 Formula Declaration Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 12

Formulas Formula Declarations sum_of_values: LEMMA FORALL (k:nat) : sum(k)=k*(k+1)/2 Others: CLAIM,FACT,THEOREM,PROPOSITION,... Expressions Boolean =,/=,TRUE,FALSE,AND,OR,IMPLIES,IFF Numeric 0, 1,...,+,,/,,<,>,... Binding (local scope for variables) FORALL,EXISTS Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 13

A PVS Example sum: BEGIN THEORY n:var nat sum(n):recursive nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n square(n):nat = n*n sum_of_values: LEMMA FORALL (k:nat): sum(k)=k*(k+1)/2 END sum Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 14

PVS Types Type System combined with higher order logic Base and Build-in types bool, int, real, nat,... User-defined types: Keyword: TYPE Uninterpreted Type Type1:TYPE Defined equality predicate. Interpreted Function Type Type2:TYPE = [int,int->int] Type3:TYPE = FUNCTION[int,int->int] Type4:TYPE = ARRAY[int,int->int] Type2,Type3,Type4 are equivalent Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 15

Type Checking Undecidable Generate proofs obligations: TCCs: Type-Correctness Conditions Running PVS Type check: M-x tc Show TCCs: M-x show-tccs Many of these proof obligations can be discharged automatically: M-x tcp Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 16

TCCs of sum theory %Subtype TCC generated (at line 7, column 32) for n-1 %expected type nat %proved - complete sum_tcc1:obligation FORALL (n:nat): NOT n=0 IMPLIES n-1>=0; %Termination TCC generated (at line 7, column 28) for sum(n-1) %proved - complete sum_tcc2:obligation FORALL (n:nat): NOT n=0 IMPLIES n-1<n; sum(n): RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) ENDIF ) MEASURE n Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 17

Function Evaluation Execute functions M-x pvs-ground-evaluator New Buffer with the process <GndEval>... Example <GndEval> square(3) cpu time 0 msec user, 0 msec system real time 0 msec space: 3 cons cells, 0 other bytes, 0 static bytes ==> 9 Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 18

Using PVS Interactive Proof Checker Combine basic deductive steps and user-defined procedures Proofs stored in file.prf Proofs are stored as a sequence of rules M-x show-proof M-x install-proof M-x edit-proof Maintain a Proof Tree M-x x-show-proof Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 19

Proofs Consider the lemma sum_of_values: LEMMA FORALL (k:nat): M-x prove, M-x pr {-1} A [-2] B {-3} C -------------- [1] P {2} Q Rule? sum(k)=k*(k+1)/2 A,B,C antecedents P,Q consequents A AND B AND C IMPLIES P OR Q [n]: formula n is unaffected by the last proof step Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 20

Sum of Values Lemma (M-x xpr) sum_of_values : (expand "sum" 1) (induct "k") (skolem!) - {1} FORALL (k: nat): sum(k) = (k * (k + 1)) / 2 Rule? (induct k ) Inducting on k on formula 1,this yields 2 subgoals: sum_of_values.1 : (assert) (flatten) (expand "sum" 1) - {1} sum(0) = (0 * (0 + 1)) / 2 Rule? (expand sum 1) Expanding the definition of sum, this simplifies to: sum_of_values.1 : (assert) - {1} 0 = 0 / 2 Rule? (assert) Simplifying, rewriting, and recording with decision procedures, This completes the proof of sum_of_values.1. Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 21

Rule Syntax Surrounded by Parenthesis Can have arguments and change only parts of the formulas Examples (assert),(undo),(quit) (expand sum +) (expand sum -) (expand sum (-1,-2,2)) (induct "k") (expand "sum" 1) (skolem!) (assert) (flatten) (expand "sum" 1) (assert) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 22

Distributed System Example Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 23

Correctness of Distributed Systems Global properties to maintain Invariants h(s) = h(s ) Lyapunov g(s) > g(s ) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 24

Correctness of Distributed Systems Global properties to maintain Invariants h(s) = h(s ) e.g. avg(s) = avg(s ) Lyapunov g(s) > g(s ) e.g. sos(s) > sos(s ) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 24

Correctness of Distributed Systems Global properties to maintain Invariants h(s) = h(s ) e.g. avg(s) = avg(s ) Lyapunov g(s) > g(s ) e.g. sos(s) > sos(s ) Local interactions agent local interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 24

Correctness of Distributed Systems Global properties to maintain Invariants h(s) = h(s ) e.g. avg(s) = avg(s ) Lyapunov g(s) > g(s ) e.g. sos(s) > sos(s ) Local interactions post interaction state Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 24

Correctness of Distributed Systems Global properties to maintain Invariants h(s) = h(s ) e.g. avg(s) = avg(s ) Lyapunov g(s) > g(s ) e.g. sos(s) > sos(s ) Local interactions next set of local interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 24

Correctness of Distributed Systems Global properties to maintain Invariants h(s) = h(s ) e.g. avg(s) = avg(s ) Lyapunov g(s) > g(s ) e.g. sos(s) > sos(s ) Local interactions next set of local interactions Goal: Develop theories and proofs of distributed systems captured by local interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 24

Stages of Refinement Abstract Interactions Refined Interactions Example Interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 25

Stages of Refinement Abstract Interactions Refined Interactions Example Interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 25

Local-Global Relations Relates global state to local interactions j / K : S K S K S(j) = S (j) = ( ) ( ) S K {j} S K {j} is a transitive binary relation K is a nonempty subset of agents K j Average S 10 6 2 14 3 S K = 8 S 9 2 7 14 3 S K = 8 relation maintained Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 26

System Specification Agents A, each with a value of type T agent: TYPE, T: TYPE States S, S S S : A T, thus S(k) is agent state state: TYPE = FUNCTION[agent -> T] Let f be a function over sets of agents f : S A + T where A + is the power set of A f: FUNCTION[state, finite_set[agent] -> T] Notation: S K f(s, K) K A Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 27

Generalized Local-Global Relations Local-global relations over the entire state S K S K j / K : S(j) = S (j) = S A S A K nonempty set of agents K K S S = Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 28

Generalized Local-Global Relations Local-global relations over the entire state S K S K j / K : S(j) = S (j) = S A S A K nonempty set of agents In PVS 1 >: FUNCTION[T, T -> bool] 2 3 lg_relation: LEMMA 4 f(pre, K) > f(post, K) % S_K > S _K 5 AND (FORALL (j: A NOT member(j, K)): 6 pre(j) = post(j)) % S(j) = S (j) 7 IMPLIES 8 f(pre, fullset) > f(post, fullset) % S_A > S _A Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 28

Examples Minimum 3 4 6 2 8 2 3 4 2 9 4 2 Universal Quantification T T F F T F T F F T T F min = Sum of Squares Convex Hull 6 36 7 49 8 64 4 16 3 9 174 6 36 7 49 5 25 2 4 3 9 123 Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 29

Law of Local-Global Relations S S denotes transition from S to S Restrict attention to systems where S S = S A S A conserved t > 0 : S 0 A St A where S t system state after t transitions For example Conservation where is = Nonincreasing where is Strictly Decreasing where is > Follows from transitivity of Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 30

Stages of Refinement Abstract Interactions Refined Interactions Example Interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 31

Local-Global Operator Refinement Let be a binary operator over T with identity element 0 In PVS : T T T (a 0 = a) ( 0 a = a) 1 o: VAR FUNCTION[T, T -> T] 2 zero: VAR T 3 4 identity?(o, zero): bool = 5 FORALL (x: T): 6 x o zero = x AND zero o x = x Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 32

Local-Global Operator Refinement Define fold fold(s,k, ) = { 0 if K =, S(k) fold(s,k \ {k}, ) otherwise, where k is some element in K. Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 32

Local-Global Operator Refinement Define fold fold(s,k, ) = { 0 if K =, S(k) fold(s,k \ {k}, ) otherwise, where k is some element in K. In PVS 1 fold(s: state, 2 K: finite_set[agent]): RECURSIVE T = 3 IF empty?(k) THEN zero 4 ELSE S(choose(K)) o fold(s, rest(k)) 5 ENDIF 6 MEASURE card(k) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 32

Local-Global Proof Obligations Would like to show that fold maintains our local global relation Required to prove that the definition is satisfied j / K : fold(s,k, ) fold(s,k, ) S(j) = S (j) = fold(s,k {j}, ) fold(s,k {j}, ) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 33

Local-Global in PVS 1 local_global[ 2 agent: TYPE, 3 T: TYPE, 4 f: FUNCTION[state, finite_set[agent] -> T], 5 >: FUNCTION[T, T -> bool]]: THEORY BEGIN 6 ASSUMING 7 R_transitive: ASSUMPTION transitive?(>) 8 f_local_global: ASSUMPTION 9 FORALL (pre, post: state, 10 K: finite_set[agent], 11 k: agent NOT member(k, K)): 12 f(pre, K) > f(post, K) AND pre(k) = post(k) IMPLIES 13 f(pre, add(k, K)) > f(post, add(k, K)) 14 ENDASSUMING Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 34

fold Theory in PVS Must discharge assumption on IMPORT 1 fold[ 2 agent: TYPE, 3 T: TYPE, 4 o: FUNCTION[T, T -> T], 5 zero: T, 6 >: FUNCTION[T, T -> bool] 7 ]: THEORY BEGIN 8 fold(s: state, K: finite_set[agent]): T 9 10 IMPORTING local_global[agent, T, fold, >] 11 END fold Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 35

TCCs of Local-Global 1 % Assuming TCC generated (at line 57, column 12) for 2 % local_global[agent, T, fold, >] 3 % generated from assumption local_global.f_local_global 4 % proved - complete 5 IMP_local_global_TCC1: OBLIGATION 6 FORALL (pre, post: state, K: finite_set[agent]): 7 FORALL (k: agent NOT member(k, K)): 8 (fold(pre, K) > fold(post, K) AND pre(k) = post(k) IMPLIES 9 fold(pre, add(k, K)) > fold(post, add(k, K))); Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 36

Proving Local-Global If (T, ) is a commutative monoid with identity element 0 and is monotonic, then (fold, ) is local-global A monoid is (a b) c = a (b c) (a 0 = a) ( 0 a = a) a,b T (a b) = c = c T Monotonicity is a,b,c T : a b = (a c) (b c) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 37

PVS Assumptions on 1 fold[agent: TYPE, T: TYPE, o: FUNCTION[T, T -> T], 2 zero: T, >: FUNCTION[T, T -> bool]]: THEORY BEGIN 3 ASSUMING 4 zero_identity: ASSUMPTION identity?(o)(zero) 5 o_associative: ASSUMPTION associative?(o) 6 o_commutative: ASSUMPTION commutative?(o) 7 o_closed: ASSUMPTION closed?(o) 8 o_monotonic: ASSUMPTION 9 FORALL (u, v, w: T): u > v IMPLIES u o w > v o w 10 ENDASSUMING 11 fold(s: state, K: finite_set[agent]): T 12 IMPORTING local_global[agent, T, fold, >] 13 END fold Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 38

Stages of Refinement Abstract Interactions Refined Interactions Example Interactions Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 39

Example: Consensus Given a distributed system with n agents System state is an array S where S(j) is the state of agent j Initial system state: S 0 Action: k K : S(k) = f(s,k) Desired final state: S where j A : S (j) = f(s 0 ) Example f s: Minimum Maximum Greatest common divisor Least common multiple Convex hull Consider generic f s: fold, Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 40

Theory Instantiation Example: min consensus s K 6 10 s 5 10 8 5 8 min=5 8 5 5 min=5 Proof obligation: operators fit our fold assumption Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 41

In PVS Importing fold 1 min: THEORY 2 BEGIN 3 min(m, n: real): {p: real p <= m AND p <= n} = 4 IF m > n THEN n ELSE m ENDIF 5 % Recall: fold[agent, T, o, zero, >] 6 IMPORTING fold[posnat, real, min, posinf, >=] 7 END min Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 42

In PVS Importing fold 1 min: THEORY 2 BEGIN 3 min(m, n: real): {p: real p <= m AND p <= n} = 4 IF m > n THEN n ELSE m ENDIF 5 % Recall: fold[agent, T, o, zero, >] 6 IMPORTING fold[posnat, real, min, posinf, >=] 7 END min Enforces assumptions (e.g. monotonicity): 1 % Assuming TCC generated (at line 10, column 12) for 2 % fold[posnat, real, min, posinf, >=] 3 % generated from assumption fold.o_monotonic 4 IMP_fold_TCC5: OBLIGATION 5 FORALL (u, v, w: real): u >= v IMPLIES 6 min(u, w) >= min(v, w); Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 42

Conclusion Steep learning curve Forces a focus on structure and proof details Modularity is rewarded efficient for proving efficient for implementing Theory hierarchy maps to Java Object hierarchy Operator FoldableOperator min max gcd lcm Min Max Gcd Lcm Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 43

Stages of Refinement Abstract Interactions Refined Interactions Example Interactions PVS http://www.infospheres.caltech.edu/muri2009 Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 44

Appendix Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 45

Install and Run PVS Download from http://pvs.csl.sri.com/download.shtml Latest (4.2) pvs-4.2-ix86-linux-allegro.tgz From shell run $PVS/bin/relocate to set path Run $PVS/pvs Overview of the commands: M-x pvs-help (C-h p) M-x exit-pvs (C-x C-c) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 46

Applications Examples Hardware verification Sequential and Distributed algorithms verification Critical real-time systems verification Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 47

PVS Types Base and Build-in types bool, int, real, nat,... User-defined types: Keyword: TYPE or TYPE+ (non empty) Uninterpreted Type Type1:TYPE Defined equality predicate. Given two elements, whether they are the same or not Subtype Type2:TYPE = {x:nat x>0 } Type3(n:int):TYPE = { i:nat i>=n } Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 48

PVS Types Enumeration Type Type4:TYPE = {Type1, Type2} Function Type Type5:TYPE = [int -> int] Type6:TYPE = FUNCTION [int -> int] Type7:TYPE = ARRAY [int -> int] Type5,Type6,Type7 are equivalent Type8:TYPE = [int, int -> int] Record Types Type9:TYPE = [# t1:type1, t2:type2 #] Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 48

Declarations Variable Declarations n,m,p:var nat Constant Declarations k: nat sum(i,j:nat):nat k:nat = 10 next(n):int = n+1 Less_than_10?(m):bool = m<10 fact(n):recursive nat = IF n=0 THEN 1 ELSE n*fact(n-1) ENDIF MEASURE n Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 49

Declarations Formula Declarations transitive: AXIOM n<m AND m<p IMPLIES n<p Others: CLAIM, FACT, LEMMA, PROPOSITION, THEOREM,... Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 49

Expressions Boolean =,/= TRUE,FALSE,AND,OR,IMPLIES,IFF If-then-else IF cond THEN exp1 ELSE exp2 ENDIF Numeric 0, 1,...,+,,/,,<,>,... Binding (local scope for variables) FORALL,EXISTS Records l:list = (# node:=val1, nxt:=val2 #) Accessors: l node, node(l), l nxt, nxt(l) Update: l WITH [node:=val3,nxt:= val4] Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 50

Some Rules Propositional Rules flatten: disjunctive simplification case: case splitting prop: propositional simplification Quantifier Rules skolem: skolemize a universally quantified variable inst: instantiate an existentially quantified variable Induction rules induct: invoke induction scheme Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 51

Some Rules Rules for using definitions and lemmas expand: expanding a function or type definition lemma: introduce the statement of a lemma as an assumption Rules for simplification assert, bddsimp: simplify smash, grind: lift-it, rewrite, and repeatedly simplify Control quit, postpone, undo Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 51

Strategies and Automation User-defined strategies: Saved in pvs-strategies (DEFSTEP strategy-name (parameters) strategy-expression documentation-string format-string ) (try step1 step2 step3) Applies step1 to the current goal. If step1 succeeds and generate sub-goals, then step2 is applied; otherwise step3 is applied to the current goal. (repeat step1) Examples (ground) (try (flatten) (propax) (split)) (try (try (flatten) (fail) (skolem 1 ( a b ))) (postpone)) Formal Methods and Theorem Proving Using PVS 16 September 2009 p. 52

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback