240 likes | 370 Views
Theorem Proving Using PVS, I. Readings: Peled ch. 3, in particular 3.8 and 3.9 The PVS Tutorial section II.4 (pp. 57-76). Programs, Machines, Specifications. For now, take an abstract view: Machine M: Any computing device Program: Any computing device
E N D
Theorem Proving Using PVS, I • Readings: • Peled ch. 3, in particular 3.8 and 3.9 • The PVS Tutorial section II.4 (pp. 57-76)
Programs, Machines, Specifications For now, take an abstract view: Machine M: Any computing device Program: Any computing device Computing devices may input/output/turn switches on and off, send and receive, etc etc Specification: Set of computing devices M ² (M satisfies specification ) iff M 2
Specifications, Examples • : Any intuitively interesting “sharp” property of machines • M terminates on input n 2 Nat • M can reach a deadlocked state • M realises some specific function f : Nat ! Nat • M terminates on input n 2 Nat within time t • Whenever M receives a request on channel req then it sends an acknowledgement on channel ack • Etc. etc.
The Verification Problem The verification problem P: Does machine M satisfy specification ? Problem P is undecidable • i.e. there can be no computable function/automatable procedure taking as input pairs (M,) and delivers as outputs: • 1, if M satisfies • 0, if M does not satisfy So, if we want to verify programs/machines we need to resort to mathematics = theorem proving
Background: The Halting Problem Turing machine TM: A general computing device representable as a binary string List all TM’s as strings: M0, M1, M2, ... ,Mn, ... Define the function f(i,j) = 1, if Mi does not terminate on input Mj f(i,j) = 0, otherwise The function (i) = f(i,i) is not realisable by ANY TM Why? If was realisable we could also realise a machine M which on input Mi terminates iff Mi does not terminate on input Mi But M is different from all machines Mi on at least one input (which?)
Undecidability of the Verification Problem Problem on domain D: Function F : D ! {0,1} Church’s thesis - roughly: A problem F on domain D is decidable by an automatable procedure iff it can be realised by a Turing machine So the verification problem P is undecidable • If P was decidable then = {M | M does not terminate on M} would also be decidable • But this is impossible
Theorem Proving If there is no machine solving P we’ll have to do it by hand Tasks: • Formalisation of the problem • phrasing problem in mathematical terms • formalising the machine M + formalising the specification • Searching for a proof that M ² • If it succeeds we’re happy • If it does not: • Maybe M ² does not hold • Maybe M ² does hold but we just weren’t clever enough to find a proof
The PVS Proof Assistant Developed at SRI during early 90’es Based on higher order type theory • Very powerful definitional framework • Very powerful built-in logic Proof editor • Proofs are built incrementally using axioms and rules of inference • Can define proof search strategies • Decision procedures help with equational reasoning and arithmetic The PVS system • Features for creating and maintaining theories, collections of definitions, theorems, and proofs
PVS – the Main Idea Specifications are structured into theories Each theory determines some types (roughly: sets) • And some operations on that type Example: Can easily define (from Nat) a type of even natural numbers with operation of addition Also possible to make assumptions concerning • Which types are inhabited by which elements • Which statements are valid (AXIOM statements) and to define proof goals • The specifications to be verified of that theory A theory is proved when its proof goals are • And some type correctness properties are proven too
Related Systems Many rival proof editors have been built: • CoQ: The main French contender • HOL, Isabelle: • Slightly less expressive but still powerful • Many case studies in hardware verification, programming language formalisations etc. • AutoMATH: Project to formalise mathematics Different from automated theorem provers • Normally restricted to propositional or first-order logic
Proofs Proof tree: • Labelled tree • Nodes are labelled by proof goals G • Parent node follows from children by application of a proof rule Instance of axiom: - G7 G6 G7 G5 Instance of proof rule: G2 G3 G4 G1 G2 G3 G4 G1
Proof Editing in PVS Proofs are grown by successive applications of proof rules ”Current proof goal”: The unproven node currently in focus by the tool Proof commands are given in lisp-like syntax, e.g. (foobar ”var”) attempts to grow the tree at the current proof goal by means of the rule foobar with PVS term var as argument Commands can be basic, or derived (postpone) toggles between unproven nodes
Sequents Proof goals are sequents: A1,...,An` B1,...,Bm Antecedents Succeedents Meaning: A1Æ ... Æ An implies B1Ç ... Ç Bm Write also ` where and are sequences of formulas
Sequents in PVS PVS uses the notation {-1} A1 {-2} A2 {-3} A3 ... _____ {1} B1 {2} B2 {3} B3 .....
Sequent Calculus Sequent calculus has rules for • Manipulating sequents Called structural rules • Manipulating formulas Called logical rules The rules are very low level The basic rules of PVS defined on top
Structural Rules Weakening: (where: 1µ2, 1µ2) Contraction: (left) (right) Exchange: (left) (right) Axiom: (if A, B definitionally equal) Cut:
Use of Structural Rules Except Cut, the structural rules are mostly forgotten about: Weakening, contraction, exchange: • The ’s and ’s are really sets • (hide i) or (delete i) used occasionally to apply weakening Axiom is applied automatically by PVS whenever possible Cut is reminiscent of lemma introduction: • Instead of proving B (from the given assumptions) State and prove a lemma A And prove that B follows from the assumptions + lemma A In PVS Cut is (case ”pvs-expression”)
Propositional Rules And: (left) (right) Or: (left) (right) Implies: (left) (right) Not: (left) (right)
Use of Propositional Rules (flatten): • Recursively apply And-left, Or-right, Implies-right, Not-left, Not-right until no more applications are possible (split), (split i), (split +): • Recursively apply And-right, Or-left, Implies-left Examples
Quantifier Rules Substitution: • 8x: A, 9x.A bind x in A • Free occurrence: Occurrence of variable which is not bound • A[t/x]: A with t substituted for all free occurrences of variable x • Avoid capture of variables, e.g. (8 y: x = y)[y/x] 8 y: y = y Forall: (left) (right) Exists: (left) (right) In rules Forall-right and Exists-left a must be a new constant that does not appear in the conclusion sequent
Use of Quantifier Rules (skolem 2 (”foo” ”bar”)): • Check: • Formula 2 has the form (8x1,x2: A) • ”foo” and ”bar” are new constants • Then replace formula 2 by applying Forall-right • For antecedent formulas use Exists-left instead (skolem!): • Repeat skolemizing with automatically generated constants (inst 2 ”a+1” ”b+2”), (inst-cp 2 ”a+1” ”b+2”): • Check: • Formula 2 has the form (9x1,x2: A) • Then replace formula 2 by applying Exists-right using given terms • Inst-cp: Keeps formula 2 for future use
Rules for Equality These rules follow a different pattern: Reflexivity: (if a and b are definitionally equal) Replication: Examples: Symmetry, transitivity
Equational Reasoning in PVS Equational reasoning is PVS’s particular strength PVS implements a number of decision procedure for equational rewriting Manual rewriting is possible too, but not recommended unless absolutely necessary For the purpose of this course suffices to use (assert)to perform automatic rewrites with respect to a fixed preinstalled set of rewrite rules
Other Useful Proof Commands PVS has a large number of additional proof commands: (lift-if): Handles if-then-else’s (expand ”const”): Expands the definition of constant (lemma ”name”): Adds antecedent formula named ”name” Useful to add local axioms, lemmas, and theorems for equational rewriting (Try also the use command) (induct ”var”): Applies induction to var of type nat