The TLA + proof system

Similar documents
The TLA + Proof System

TLA + Proofs. 1 Introduction. Denis Cousineau 1, Damien Doligez 1,2, Leslie Lamport 3, Stephan Merz 4, Daniel Ricketts 5, and Hernán Vanzetto 1,4

TLA + Proofs. 1 Introduction. Denis Cousineau 1, Damien Doligez 2, Leslie Lamport 3, Stephan Merz 4, Daniel Ricketts 5, and Hernán Vanzetto 4

Damien Doligez INRIA. Abstract

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Nunchaku: Flexible Model Finding for Higher-Order Logic

Abstractions and Decision Procedures for Effective Software Model Checking

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Temporal Logic of Actions

Formal Analysis of a Distributed Algorithm for Tracking Progress

Linear Temporal Logic and Büchi Automata

Diagram-based Formalisms for the Verication of. Reactive Systems. Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E.

Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison

Towards a Mechanised Denotational Semantics for Modelica

arxiv: v1 [cs.lo] 29 May 2014

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Using the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:

Lecture 2: Symbolic Model Checking With SAT

Learning Goals of CS245 Logic and Computation

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Deductive Verification

Decomposing Specifications of Concurrent Systems

Validating QBF Invalidity in HOL4

Write your own Theorem Prover

A Constructor-Based Reachability Logic for Rewrite Theories

SAT, NP, NP-Completeness

Model Checking: An Introduction

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

HybridSAL Relational Abstracter

Exploiting symmetry in SMT problems

Easy Parameterized Verification of Biphase Mark and 8N1 Protocols

Ranking Verification Counterexamples: An Invariant guided approach

ArgoCaLyPso SAT-Inspired Coherent Logic Prover

Temporal Logic - Soundness and Completeness of L

Automated Reasoning in Quantified Non-Classical Logics

Beyond First-Order Logic

Tutorial 1: Modern SMT Solvers and Verification

Evidential Paradigm and Intelligent Mathematical Text Processing

Chapter 4: Computation tree logic

SAT-Based Verification with IC3: Foundations and Demands

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Lecture 10: Gentzen Systems to Refinement Logic CS 4860 Spring 2009 Thursday, February 19, 2009

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

- Introduction to propositional, predicate and higher order logics

Propositional Calculus - Hilbert system H Moonzoo Kim CS Division of EECS Dept. KAIST

Monadic Second Order Logic and Automata on Infinite Words: Büchi s Theorem

Theorem Proving for Verification

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Automata-Theoretic Model Checking of Reactive Systems

LOGIC PROPOSITIONAL REASONING

(La méthode Event-B) Proof. Thanks to Jean-Raymond Abrial. Language of Predicates.

Interactive Theorem Provers

Propositional Calculus - Natural deduction Moonzoo Kim CS Dept. KAIST

Model Checking. Boris Feigin March 9, University College London

Foundations of System Development

3 Propositional Logic

Notes. Corneliu Popeea. May 3, 2013

Proof Translation Study March 2000

Lecture Notes on Certifying Theorem Provers

IC3 and Beyond: Incremental, Inductive Verification

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

An Introduction to Z3

Propositional and Predicate Logic - V

02 Propositional Logic

Computable Analysis, Hybrid Automata, and Decision Procedures (Extended Thesis Abstract)

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

SAT Solvers: Theory and Practice

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic

Combinations of Theories for Decidable Fragments of First-order Logic

Linear-time Temporal Logic

A Semantic Criterion for Proving Infeasibility in Conditional Rewriting

Software Verification with Abstraction-Based Methods

Matching Logic: Syntax and Semantics

CS 486: Applied Logic Lecture 7, February 11, Compactness. 7.1 Compactness why?

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

Explain: A Tool for Performing Abductive Inference

Propositional Logic: Evaluating the Formulas

Vinter: A Vampire-Based Tool for Interpolation

A Termination Checker for Isabelle Hoare Logic

Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004

A Semantic Criterion for Proving Infeasibility in Conditional Rewriting

Ivy: Safety Verification by Interactive Generalization

Deductive Verification of Continuous Dynamical Systems

Introduction to Artificial Intelligence Propositional Logic & SAT Solving. UIUC CS 440 / ECE 448 Professor: Eyal Amir Spring Semester 2010

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Constraint Logic Programming and Integrating Simplex with DPLL(T )

Formal Methods in Software Engineering

Bounded Relational Analysis of Free Data Types

Proof Reconstruction for Z3 in Isabelle/HOL

System Description: ara An Automatic Theorem Prover for Relation Algebras

Euclid Writes an Algorithm: A Fairytale

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems

Cardinality Networks: a Theoretical and Empirical Study

Synthesizing from Components: Building from Blocks

The Polyranking Principle

Towards Lightweight Integration of SMT Solvers

Computational Logic and the Quest for Greater Automation

An Introduction to Proof Assistants

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods

Computer-Aided Program Design

Transcription:

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 1 / 19

Amir Pnueli: Deduction is Forever (FM 99) Just as it was unavoidable, due to the growing complexity of circuits, that circuit manufacturers started to employ formal methods for verifying their designs, it is equally inevitable that more of the practicing verifiers will turn to deductive technologies, due to their significantly better scalability. Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 2 / 19

Amir Pnueli: Deduction is Forever (contd.) For verifying an invariant p over a finite-state system: it is usually much cheaper to check Θ ϕ ϕ ρ ϕ ϕ p than computing ρ ( p) by state space exploration. Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 3 / 19

Amir Pnueli: Deduction is Forever (contd.) For verifying an invariant p over a finite-state system: it is usually much cheaper to check Θ ϕ ϕ ρ ϕ ϕ p than computing ρ ( p) by state space exploration. Main differences between deduction and exploration: deduction is based on induction while exploration computes the set of reachable states, deduction uses a more expressive language including quantifiers, leading to succinct specification of parameterized systems, deduction requires user ingenuity and interaction. Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 3 / 19

Contents 1 Using the TLA + proof system for proving invariants 2 The TLA + proof language and system 3 Conclusion and outlook Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 4 / 19

Invariance proofs in TLA + Elementary rule for proving invariants I [N] v I I [N] v I THEOREM Inv1 = ASSUME STATE I, STATE v, ACTION N, I [N] v I PROVE I [N] v I Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 5 / 19

Invariance proofs in TLA + Elementary rule for proving invariants I [N] v I I [N] v I THEOREM Inv1 = ASSUME STATE I, STATE v, ACTION N, I [N] v I PROVE Schema for invariant proofs Spec = Init [Next] vars L THEOREM Spec Inv 1 1. Init Inv 1 2. Inv Next Inv I [N] v I 1 3. Inv UNCHANGED vars Inv 1 4. QED BY 1 1, 1 2, 1 3, Inv1 DEF Spec Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 5 / 19

Invariance proofs in TLA + Elementary rule for proving invariants I [N] v I I [N] v I THEOREM Inv1 = ASSUME STATE I, STATE v, ACTION N, I [N] v I PROVE Schema for invariant proofs I [N] v I Spec = Init [Next] vars L THEOREM Spec Inv 1 1. Init Inv 1 2. Inv Next Inv 1 3. Inv UNCHANGED vars Inv 1 4. QED BY 1 1, 1 2, 1 3, Inv1 DEF Spec no temporal logic here! Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 5 / 19

Reasoning about actions About 95% of proof steps do not involve temporal logic reasoning about state predicates or state transitions first-order reasoning where v and v are distinct variables Aim for as much automation as possible... open proof system: harness power of different prover back-ends first-order logic, rewriting, SAT and SMT solving etc. ensure overall correctness by proof certification... but encourage users to maintain readable proofs declarative, hierarchical proof language prefer an extra level of interaction over obscure automatic tactics Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 6 / 19

Proving trivial steps Expand definitions and discharge automatically Init Inv = pc = [i {0, 1} a0 ] turn = 0 flag = [i {0, 1} FALSE] = pc [{0, 1} { a0, a1, a2, a3a, a3b, cs, a4 }] turn {0, 1} flag [{0, 1} BOOLEAN] i {0, 1} : pc[i] { a2, a3a, a3b, cs, a4 } flag[i] pc[i] { cs, a4 } pc[1 i] / { cs, a4 } pc[1 i] { a3a, a3b } turn = i 1 1. Init Inv BY DEFS Init, Inv Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 7 / 19

When automatic proof fails... Decompose proof into a sequence of simpler steps Next = i {0, 1} : Proc(i) Proc(i) = a0(i) a1(i)... a4(i) 1 2. Inv Next Inv Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 8 / 19

When automatic proof fails... Decompose proof into a sequence of simpler steps Next = i {0, 1} : Proc(i) Proc(i) = a0(i) a1(i)... a4(i) 1 2. Inv Next Inv 2 1. SUFFICES ASSUME Inv, NEW i {0, 1}, Proc(i) PROVE Inv BY DEF Next 2 2. CASE a0(i) 2 3. CASE a1(i)... 2 8. CASE a4(i) 2 9. QED BY 2 2, 2 3,..., 2 8 DEF Proc Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 8 / 19

Contents 1 Using the TLA + proof system for proving invariants 2 The TLA + proof language and system 3 Conclusion and outlook Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 9 / 19

TLA + proof language Hierarchical, declarative proof linear representation of proof tree step labels d lbl (where d is the depth of the step) steps assert sequents ASSUME... PROVE... top-down development: refine assertions until they are obvious leaf: invoke proof method, citing necessary assumptions and facts Controlling the use of assumptions, facts, and definitions limit search space for automatic provers require explicit citation of assumptions, facts, and definitions...... or make them usable throughout the current scope Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 10 / 19

Example: proof of Cantor s theorem THEOREM ASSUME NEW S, NEW f [S SUBSET S] PROVE 1. DEFINE T = {z S : z / f [z]} 1 1. x S : f [x] = T A SUBSET S : x S : f [x] = A 1 2. QED BY 1 1 Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 11 / 19

Example: proof of Cantor s theorem THEOREM ASSUME NEW S, NEW f [S SUBSET S] PROVE A SUBSET S : x S : f [x] = A 1. DEFINE T = {z S : z / f [z]} 1 1. x S : f [x] = T 2 1. ASSUME NEW x S PROVE f [x] = T 2 2. QED BY 2 1 1 2. QED BY 1 1 Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 11 / 19

Example: proof of Cantor s theorem THEOREM ASSUME NEW S, NEW f [S SUBSET S] PROVE A SUBSET S : x S : f [x] = A 1. DEFINE T = {z S : z / f [z]} 1 1. x S : f [x] = T 2 1. ASSUME NEW x S PROVE f [x] = T 3 1. CASE x T OBVIOUS 3 2. CASE x / T OBVIOUS 3 3. QED BY 3 1, 3 2 2 2. QED BY 2 1 1 2. QED BY 1 1 Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 11 / 19

System architecture TLAPS proof manager TLA+ proof parse and compute proof obligations convert to constant level diagnostics certify proof (when possible) call backends to attempt proof Isabelle/TLA+ Zenon SMT solver Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 12 / 19

Proof Manager Interpret hierarchical TLA + proof manage assumptions and current goal expand operator definitions if they are USEd Rewrite proof obligations to constant level handle primed expressions such as Inv distribute prime over (constant-level) operators introduce distinct variables e and e for atomic state expression e Invoke back-end provers user chooses which prover to use (default: Zenon, then Isabelle) Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 13 / 19

Proof reconstruction Oracle: trusted external reasoner simple, but error-prone translation and backend part of trusted code base Proof reconstruction: skeptical integration replay proofs in trusted proof assistant (Isabelle/TLA + ) reconstruction should be cheap Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 14 / 19

Isabelle/TLA + Encoding of TLA + as Isabelle object logic TLA + is untyped: incompatible with existing object logics Isabelle/TLA + provides a library of standard data structures Instantiate automated proof methods exploit genericity of Isabelle as a logical framework tableau prover, rewriting engine, and combinations Trusted backend for proof reconstruction formal definition of (constant-level) TLA + semantics Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 15 / 19

Contents 1 Using the TLA + proof system for proving invariants 2 The TLA + proof language and system 3 Conclusion and outlook Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 16 / 19

Current state of the TLAPS First public release: april 2010 http://msr-inria.inria.fr/ doligez/tlaps/ binary release includes prover backends batch processing of proofs, Emacs interface Restricted to proving safety properties invariant and step simulation (refinement) proofs several examples provided in the distribution Looking forward to user feedback Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 17 / 19

Current work Support for temporal logic proofs (liveness properties) extend proof manager to track temporal contexts hierarchical proof language helps separating contexts encode semantics of temporal logic in Isabelle/TLA + TLA-specific proof rules decision procedure for propositional temporal logic Improve user interface integration with TLA + toolbox (Eclipse-based) focus on specific subproofs, selectively rerun proof fragments display and select usable assumptions Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 18 / 19

Amir Pnueli, again The previous examples indicated the great raw potential possessed by the deductive technology which can often be impressively utilized by experts. We also pointed out that user ingenuity is an essential ingredient in its application. The main challenge is to propose a working deductive tool and associated methodology which can be used by the masses. Automatic invariant generation Counter-examples from failed proof attempts Generic proof methods developed by experts Stephan Merz (INRIA Nancy) The TLA + proof system Amir Pnueli 2010 19 / 19

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback