1 / 48

Program Specialisation, Inductive Theorem Proving and Infinite State Model Checking

Program Specialisation, Inductive Theorem Proving and Infinite State Model Checking. Michael Leuschel (joint work with Helko Lehmann). Invited Talk Lopstr’03 - Uppsala. Program Specialisation. Inductive Theorem Proving. Infinite Model checking. 1. Overview

amato
Download Presentation

Program Specialisation, Inductive Theorem Proving and Infinite State Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Specialisation,Inductive Theorem Proving and Infinite State Model Checking Michael Leuschel (joint work with Helko Lehmann) Invited Talk Lopstr’03 - Uppsala

  2. Program Specialisation Inductive Theorem Proving Infinite Model checking 1. Overview 2. Program Specialisation & Partial Deduction (PD) 3. Infinite State Model Checking (ISMC) by PD 4. Inductive Theorem Proving by Conjunctive PD 5. Putting everything together 6. Conclusion & Outlook

  3. Overview Program Specialisation Inductive Theorem Proving Infinite Model checking

  4. Infinite State System Key Points CTL Model Checker Ecce Specialisation Result Point 1: Finite Abstraction of infinite state space correspondence between existing algorithms for PS & ISMC Point 2: Schema for an inductive proof similarity between ITP & PS control  cross-fertilisation ?

  5. Program Specialisation Inductive Theorem Proving Infinite Model checking 1. Overview 2. Program Specialisation & Partial Deduction (PD) 3. Infinite State Model Checking (ISMC) by PD 4. Inductive Theorem Proving by Conjunctive PD 5. Putting everything together 6. Conclusion & Outlook

  6. Output Partial Query Another Query Rest of Query Specialised Prolog Program Program Specialiser (Logic) Program Specialisation Query Prolog Source Program

  7. Digression on Names • Partial Evaluation • Specialisation by “partially” evaluating expressions • Partial Deduction • Partial evaluation of pure logic programs • Logic Program Specialisation • Partial evaluation + … (e.g. abstract interpretation)

  8. Basic Principle: Instead of building one complete SLD-tree:Build a finite number of finite “SLD- trees” ! SLD-trees can be incomplete Clauses of specialised program extracted from branches All calls in the leaves must be “covered” 4 types of derivations in SLD-trees: Successful, failed, infinite Incomplete: no literal selected Partial Deduction

  9. {L/[],R/[]} {L/[H|L’],R/[PH|R’]}   C=..[inv,H,PH], call(C),map(inv,L’,R’) {C/inv(H,PH)}  call(inv(H,PH)),map(inv,L’,R’) inv(H,PH),map(inv,L’,R’) {H/0,PH/1} {H/1,PH/0}  map(inv,L’,R’)  map(inv,L’,R’) An Example  map (inv,L,R) map(P,[],[]). map(P,[H|T],[PH|PT]) :- C=..[P,H,PH], call(C),map(P,T,PT). inv(0,1). inv(1,0). Overhead removed: 2 faster map(inv,[],[]). map(inv,[0|L’],[1|R’]) :- map(inv,L’,R’). map(inv,[1|L’],[0|R’]) :- map(inv,L’,R’). map_1([],[]). map_1([0|L’],[1|R’]) :- map_1(L’,R’). map_1([1|L’],[0|R’]) :- map_1(L’,R’).

  10. Control A1 A2 A3 A4 ... • Local Control • Determinacy • Well-founded Orders • Well-Quasi Orders • Homeomorphic embedding • Global Control • Whistle: Well-Quasi Orders • Generalisation • msg (most specific generalisation) • Characteristic Trees

  11. Existing Systems • Online • Mixtus (Sahlin) • Paddy (Prestwich) • SP (Gallagher) • Ecce (Leuschel) • Offline (control decisions made offline) • Logimix (Mogensen) • Logen (Leuschel & Jørgensen)

  12. Ecce & Logen Demo • Simple Examples • Map - Ecce • Lambda Interpreter - Logen

  13. Program Specialisation Inductive Theorem Proving Infinite Model checking 1. Overview 2. Program Specialisation & Partial Deduction (PD) 3. Infinite State Model Checking (ISMC) by PD 4. Inductive Theorem Proving by Conjunctive PD 5. Putting everything together 6. Conclusion & Outlook

  14. erified ∞ Model Checking • Check that a system is a model for a temporal logic formula (CTL, LTL, …) • Most useful temporal formulas are safety properties • Decidable for finite state systems • For infinite state systems: • Decidability results for certain systems & properties • Abstraction a key issue

  15. Petri Nets • Petri Nets • Places: contain tokens • Transitions: consume & produce tokens • Marking: • A particular state of a Petri net • Vector of natural numbers • Usually: infinite number of markings reachable

  16. 0,1,0,0,0,0,0,0,0,0 0,0,1,0,0,0,0,0,0,0 0,0,0,1,0,0,0,0,0,0 0,0,0,0,1,0,0,0,0,0 0,0,0,0,0,1,0,0,0,0 0,0,0,0,0,0,0,1,0,0 0,0,0,0,0,0,0,0,1,0 0,1,0,0,0,0,0,0,0,1 RTP ExampleReceiver of Transmission ProtocolFrom Babylon library of benchmarks Reachable Markings: 1,0,0,0,0,0,0,0,0,0

  17. Coverability of Petri Nets 0,2,0,1,1 • Marking m covers m’ if m≥m’ • Question: • Starting from an initial state m0can we reach a marking mn which covers some given m ? • Decidable by computing • Karp-Miller Tree or • Finkel’s minimal coverability graphs 0,1,0,2,0

  18. 0,1,0,0,0,0,0,0,0,n 0,0,1,0,0,0,0,0,0,n 0,0,0,1,0,0,0,0,0,n 0,0,0,0,1,0,0,0,0,n 0,0,0,0,0,1,0,0,0,n 0,0,0,0,0,0,0,1,0,n 0,0,0,0,0,0,0,0,1,n 0,1,0,0,0,0,0,0,0,n+1 RTP - CoverabilityCan we cover: /* Specialised Predicates: ssat__0__1 :- ssat__0. sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0). sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0). sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A). sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A). sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A). sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A). sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A). sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A). sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A). sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A). */ ssat__0 :- fail. ssat__0__1 :- fail. sat__1__2 :- fail. sat_eu__2__3 :- fail. sat_eu__2__4(A) :- fail. sat_eu__2__5(A) :- fail. sat_eu__2__6(A) :- fail. sat_eu__2__7(A) :- fail. sat_eu__2__8(A) :- fail. sat_eu__2__9(A) :- fail. sat_eu__2__10(A) :- fail. sat_eu__2__11(A) :- fail. 0,0,0,0,0,0,0,1,1,0 Reachable Markings: …

  19. More about the Ecce Postprocessor • Determinate post-unfolding • Reducing unnecessary polyvariance • … • Most Specific Version (MSV) Computation • [Marriot,Naish,Lassez88] • Bottom-up abstract interpretation: • Compose TP with predicate-wise msg • For every body atom of the program: • unify with an element of S • if none exists: clause can be removed !

  20. /* Specialised Predicates: ssat__0__1 :- ssat__0. sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0). sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0). sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A). sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A). sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A). sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A). sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A). sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A). sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A). sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A). */ ssat__0 :- fail. ssat__0__1 :- fail. sat__1__2 :- fail. sat_eu__2__3 :- fail. sat_eu__2__4(A) :- fail. sat_eu__2__5(A) :- fail. sat_eu__2__6(A) :- fail. sat_eu__2__7(A) :- fail. sat_eu__2__8(A) :- fail. sat_eu__2__9(A) :- fail. sat_eu__2__10(A) :- fail. sat_eu__2__11(A) :- fail. Ecce + MSV RTP: Ecce & MSV ssat__0 :- ssat__0__1. ssat__0__1 :- sat__1__2. sat__1__2 :- sat_eu__2__3. sat_eu__2__3 :- sat_eu__2__4(0). sat_eu__2__4(A) :- sat_eu__2__5(A). sat_eu__2__5(A) :- sat_eu__2__6(A). sat_eu__2__6(A) :- sat_eu__2__7(A). sat_eu__2__6(A) :- sat_eu__2__8(A). sat_eu__2__7(A) :- sat_eu__2__9(A). sat_eu__2__8(A) :- sat_eu__2__4(s(A)). sat_eu__2__9(A) :- sat_eu__2__8(A). sat_eu__2__9(A) :- sat_eu__2__10(A). sat_eu__2__9(A) :- sat_eu__2__11(A). sat_eu__2__10(A) :- sat_eu__2__8(A). sat_eu__2__11(A) :- sat_eu__2__8(A). Ecce

  21. ∞ Model Checking by PD • When does it work ? • Decision procedure for some problems • Extends existing algorithms for some specific classes of systems & properties ![LeuschelLehmann:CL2000 & PPDP’00, LehmannLeuschel:LPAR2000] • Always safe, but may answer “don’t know” • Flexible system: various formalisms, properties, algorithms (backwards/forwards/combined,…) • Again: this must come at the price of efficiency!? • After all Ecce & Logen were not designed for Model Checking • How much do we pay ?

  22. Some IMC Experiments:Comparing some tools • Hytech • Polyhedra, for hybrid systems • CST (Covering Sharing Tree) • “Attacking Symbolic Explosion,” Delzanno, Raskin, Van Begin, CAV’01 • Compact representation for (infinite) upwards-closed sets • Symbolic, backwards, uses pre-computed structural invariants to cut search space • Ecce (+ Logen) • Settings: Finkel

  23. Reader/Writer FMS Dekker Babylon Benchmarks CSM

  24. A more complicated Example:CSM - Specialisation Result

  25. Some Experiments inInfinite State Model Checking *** = out of memory -- = not possible Timings: AMD Athlon 900Mhz, 1.5Gb RAM *=using old version, new 2 times faster?

  26. CSM: The full picture

  27. Some Conclusions • Ecce surprisingly fast for infinite MC • Better than Hytech, sometimes better than CST • Ecce (unsurprisingly) slow for finite MC • Future Work: Combine XTL with Ecce • Infinite MC can be faster than finite MC • What is the price we pay for implementing a flexible system in Prolog and reusing general purpose program manipulation tools? • Good performance (compared to other tools)!

  28. Program Specialisation Inductive Theorem Proving Infinite Model checking 1. Overview 2. Program Specialisation & Partial Deduction (PD) 3. Infinite State Model Checking (ISMC) by PD 4. Inductive Theorem Proving by Conjunctive PD 5. Putting everything together 6. Conclusion & Outlook

  29. Theorem Proving & Program Specialisation/Transformation • Lot of interest: • Supercompilation • Turchin, Glück&Jørgensen • Unfold/Fold • Pettorossi & Proietti, … • GPC • Futamura, …

  30. ProofAssistantIsabelle

  31. A simple Example theory Mirror = PreList: datatype 'a tree = Tip ("[]") | Node "'a tree" 'a "'a tree" consts mirror :: "'a tree => 'a tree" primrec "mirror([]) = []" "mirror((Node ls x rs)) = Node (mirror(rs)) x (mirror(ls))" lemma mirror_mirror [simp]: "mirror(mirror(xs)) = xs" apply(induct_tac xs) ML"set trace_simp" apply(simp) apply(auto) done proof (prove): step 1 fixed variables: xs goal (lemma (mirror_mirror), 2 subgoals): 1. mirror (mirror []) = [] 2. !!tree1 a tree2. [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |] ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2 where we can rewrite: mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2 into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2 further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2 and by the induction hypothesis 1 we can simplify into: Node (tree1 a (mirror(mirror tree2)) = Node tree1 a tree2 and by the induction hypothesis 2 we can simplify into: Node (tree1 a tree2) = Node tree1 a tree2 QED Can Ecce Do this ???

  32. Conjunctive Partial Deduction • Given a set S = {C1,…,Cn} of atoms: • Build finite, possibly incomplete SLD-trees for each  Ci • For every non-failing branch: • generate 1 specialised formula CiL bycomputing the resultants • To get Horn clauses • Rename conjunctions into atoms !  Assign every Ci an atom with the same variables and each with a different predicate name

  33. Ecce Demo • Inductive Theorem Proving • Even odd • Mirror_mirror

  34. Specialisation Tree as Induction Schema proof (prove): step 1 fixed variables: xs goal (lemma (mirror_mirror), 2 subgoals): 1. mirror (mirror []) = [] 2. !!tree1 a tree2. [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |] ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2 Goal 2. Rewritten into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2 further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2 and by the induction hypothesis 1 we can simplify into: Node (tree1 a (mirror(mirror tree2)) = Node tree1 a tree2 and by the induction hypothesis 2 we can simplify into: Node (tree1 a tree2) = Node tree1 a tree2 QED Can you find the correspondence?

  35. CPD vs ITP • Find a set H of induction hypotheses so • we can transform the induction hypotheses for n+1so as to re-use the induction hypotheses ≤n • Find a set S of conjunctions so that • they can be unfolded in such a way that all leaves can be folded back on S

  36. Program Specialisation Inductive Theorem Proving Infinite Model checking 1. Overview 2. Program Specialisation & Partial Deduction (PD) 3. Infinite State Model Checking (ISMC) by PD 4. Inductive Theorem Proving by Conjunctive PD 5. Putting everything together 6. Conclusion & Outlook

  37. CTL Model Checker (Prolog Source) Isabelle ECCE Validation Specialisation Result Proof Script Ecce Postprocessor Verification Result

  38. A Simple Example basicME Target: x3 >= 1, x4 >= 1

  39. Results • Ecce specialisation tree can be automatically transformed into a valid induction schema for Isabelle • Ecce result can by validated • Checking the proof in Isabelle is several orders of magnitude slower than Ecce • (proof script still at a too high level ?)

  40. Program Specialisation Inductive Theorem Proving Infinite Model checking 1. Overview 2. Program Specialisation & Partial Deduction (PD) 3. Infinite State Model Checking (ISMC) by PD 4. Inductive Theorem Proving by Conjunctive PD 5. Putting everything together 6. Conclusion & Outlook

  41. erified ∞ Conclusion I • Relationship between Infinite state model checking and program specialisation • PS can be used for ISMC • Efficiency seems to be good! • Equivalence & decidability results

  42. Conclusion II • Relationship between inductive theorem proving & program specialisation • PS can be used for some ITP tasks • For one application: automatic translation of PS output into ITP proof script • But: • No equivalence between ITP & PS techniques • E.g., what about rippling ? • ITP & PS communities should look at each other’s work! • Some ITP tasks are very, very hard

  43. Thank you

  44. Supplementary Slides

  45. RTP ExampleReceiver of Transmission ProtocolFrom Babylon library of benchmarks

  46. Classical Applications of CPD:Tupling & Deforestation

  47. CTL model checking /* :- table sat_eu/3.*/ /* tabulation to compute least-fixed point */ sat_eu(E,_F,G) :- /* exists until */ sat(E,G). sat_eu(E,F,G) :- /* exists until */ sat(E,F), trans(_Act,E,E2), sat_eu(E2,F,G). /* :- table sat_noteg/2.*/ /* tabulation to compute least-fixed point */ sat_noteg(E,F) :- sat(E,not(F)). sat_noteg(E,F) :- not( (trans(_Act,E,E2),not(sat_noteg(E2,F)))). /* encoding of the system (here: a Petri net): */ trans(enter_cs,[s(X),s(Sema),CritSec,Y,C], [X,Sema,s(CritSec),Y,C]). trans(exit_cs,[X,Sema,s(CritSec),Y,C], [X,s(Sema),CritSec,s(Y),C]). trans(restart,[X,Sema,CritSec,s(Y),ResetCtr], [s(X),Sema,CritSec,Y,s(ResetCtr)]). prop([X,Sema,s(s(CritSec)),Y,C],unsafe). prop([0,Sema,0,0,C],deadlock). prop([X,0,0,0,C],deadlock). /* A Model Checker for CTL fomulas */ /* written for XSB-Prolog */ /* by Michael Leuschel, Thierry Massart */ sat(_E,true). sat(_E,false) :- fail. sat(E,p(P)) :- prop(E,P). /* proposition */ sat(E,and(F,G)) :- sat(E,F), sat(E,G). sat(E,or(F,_G)) :- sat(E,F). sat(E,or(_F,G)) :- sat(E,G). sat(E,not(F)) :- not(sat(E,F)). sat(E,en(F)) :- /* exists next */ trans(_Act,E,E2),sat(E2,F). sat(E,an(F)) :- /* always next */ not(sat(E,en(not(F)))). sat(E,eu(F,G)) :- /* exists until */ sat_eu(E,F,G). sat(E,au(F,G)) :- /* always until */ sat(E,not(eu(not(G),and(not(F),not(G))))), sat_noteg(E,not(G)). sat(E,ef(F)) :- /* exists future */ sat(E,eu(true,F)). sat(E,af(F)) :- /* always future */ sat_noteg(E,not(F)). sat(E,eg(F)) :- /* exists global */ not(sat_noteg(E,F)). /* we want gfp -> negate lfp of negation */ sat(E,ag(F)) :- /* always global */ sat(E,not(ef(not(F)))). 2) ECCE - ABSTRACTION /* Transformation time: 617 ms */ sat__0([A,s(0),0,0,0]) :- sat__0__1(A). sat__0__1(s(s(A))) :- sat_eu__1__2(A). sat__0__1(s(A)) :- sat_eu__1__3(A). sat_eu__1__2(A) :- sat_eu__1__9(A). sat_eu__1__2(A) :- sat_eu__1__10(A). sat_eu__1__3(s(A)) :- sat_eu__1__4(A). sat_eu__1__4(A) :- sat_eu__1__5(A). sat_eu__1__4(A) :- sat_eu__1__6(A). sat_eu__1__5(s(A)) :- sat_eu__1__7(A,s(s(0))). sat_eu__1__5(A) :- sat_eu__1__6(A). … sat_eu__1__11(A,B) :- sat_eu__1__12(A,s(B)). sat_eu__1__11(A,s(B)) :- sat_eu__1__11(s(A),B). sat_eu__1__12(s(A),B) :- sat_eu__1__11(A,B). sat_eu__1__12(A,s(B)) :- sat_eu__1__12(s(A),B). 1) LOGEN - COMPILATION /* file: ctl.pe.sat__ */ /* benchmark info: 0 ms */ /* atom specialised: sat(_10048,ef(p(unsafe))) */ sat_eu__1([B,C,s(s(D)),E,F]). sat_eu__1([s(G),s(H),I,J,K]) :- sat_eu__1([G,H,s(I),J,K]). sat_eu__1([L,M,s(N),O,P]) :- sat_eu__1([L,s(M),N,s(O),P]). sat_eu__1([Q,R,S,s(T),U]) :- sat_eu__1([s(Q),R,S,T,s(U)]). sat__0(B) :- sat_eu__1(B). 3) MSV - ANALYSIS sat__0([A,s(0),0,0,0]) :- fail. sat__0__1(s(s(A))) :- fail. sat__0__1(s(A)) :- fail. sat_eu__1__2(A) :- fail. ...

More Related