1 / 38

Integrating Math Units and Proof Checking for Specification and Verification

SAVCBS Workshop 2008 SIGSOFT 2008 / FSE 16 November 9th, 2008. Integrating Math Units and Proof Checking for Specification and Verification. Hampton Smith Kim Roche Murali Sitaraman Clemson University. Joan Krone Denison University. William F. Ogden Ohio State University. Overview.

uta
Download Presentation

Integrating Math Units and Proof Checking for Specification and Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAVCBS Workshop 2008 SIGSOFT 2008 / FSE 16 November 9th, 2008 Integrating Math Units and Proof Checking for Specification and Verification Hampton Smith Kim Roche Murali Sitaraman Clemson University Joan Krone Denison University William F. Ogden Ohio State University

  2. Overview • RESOLVE Verification System  • Role of Proof Checker in Verification System • Requirements of a Proof Checker in such a system 2

  3. Overview • RESOLVE Verification System • Role of Proof Checker in Verification System • Requirements of a Proof Checker in such a system • Issues • Solutions • Issues • Solutions 2

  4. RESOLVE Verification System 3

  5. RESOLVE • Reusable Software Research Group at Clemson • Integrated Programming, Specification, and Proof Language • Full end-to-end verification • Scalability • Performance • Isabelle Backend cs.clemson.edu/~resolve 4

  6. Proof Checkers in a Verification System 5

  7. PROOF OBLIGATIONS 6

  8. Precondition 6

  9. Precondition Postcondition 6

  10. Precondition Postcondition Invariant 6

  11. Enhancement for Stacks Enhancement Flipping_Capability for Stack_Template; Operation Flip( updates S : Stack ); ensures S = Rev( #S ); end Flipping_Capability; 7

  12. Implementation of Flipping Realization Obvious_Flipping_Realization for         Flipping_Capability of Stack_Template; Procedure Flip ( updates S : Stack ); Var Next_Entry : Entry; Var S_Flipped : Stack; While ( Depth( S ) /= 0 )‏ changing S, Next_Entry, S_Flipped; maintaining #S = Rev( S_Flipped ) o S; decreasing |S|; do             Pop( Next_Entry, S );             Push( Next_Entry, S_Flipped); end;         S :=: S_Flipped; end Flip; end Obvious_Flipping_Realization; 8

  13. Verification Condition ((|S| <= Max_Depth) and (S = (Rev(?S_Flipped) o ??S) and (|??S| /= 0 and ??S = (<?Next_Entry> o ?S))))‏ ============================> (Rev(?S_Flipped) o ??S) =  (Rev(<?Next_Entry> o ?S_Flipped) o ?S)‏ 9

  14. A little help 10

  15. Precondition Math Results Postcondition Invariant 11

  16. Precondition Math Results Postcondition Invariant 12

  17. Automated Prover Precondition Math Results Postcondition Invariant 12

  18. Automated Prover Precondition Math Results Postcondition Invariant User Provided Proof + Proof Checker 12

  19. Verification System "Requiring programmers to engage in a fine level of proof activity is unlikely to lead to wide-spread verification .... [T]he limitations of automated theorem proving often require substantial human intervention." 13

  20. Clear division between verification conditions and math results. Rethink the latter as a job for trained mathematicians.  Verification System "Requiring programmers to engage in a fine level of proof activity is unlikely to lead to wide-spread verification .... [T]he limitations of automated theorem proving often require substantial human intervention." 13

  21. Requirements for such a Proof Checker 14

  22. Automated Prover Precondition Math Results Postcondition Invariant User Provided Proof + Proof Checker 15

  23. Proof Language Reusability Programming Language • Abstraction • Modules • Interfaces • Readability 16

  24. Proof Language Abstraction Modules Interfaces Readability Reusability Programming Language • Abstraction • Modules • Interfaces • Readability 16

  25. Abstraction and Modules Stack Queue List ... String Theory ... 17

  26. Consumers of Theories • Proof Checker • Automated Prover • Mathematicians • Programmers 18

  27. Précis vs. Proof Units Header file for theories. 19

  28. Précis vs. Proof Units Précis Natural_Number_Theory;uses Basic_Function_Properties,     Monogenerator_Theory... Inductive Definition on i : N of             (a : N) + (b) : N is (i) a + 0 = a; (ii) a + suc(b) = suc(a + b); Theorem N1:         Is_Associative( + );     ... end Natural_Number_Theory; 20

  29. Proof unit Natural_Number_Theory_Proofs for Natural_Number_Theory;     Uses ... Proof of Theorem N1: Goal for all k, m, n: N,             k + (m + n) = (k + m) + n; Definition S1: Powerset(N) =              {n : N, for all k, m : N,              k + (m + n) = (k + m) + n};     ... Précis vs. Proof Units Précis Natural_Number_Theory;uses Basic_Function_Properties,     Monogenerator_Theory...     Inductive Definition on i : N of             (a : N) + (b) : N is         (i) a + 0 = a;         (ii) a + suc(b) = suc(a + b);     Theorem N1:         Is_Associative( + );     ... end Natural_Number_Theory; 20

  30. Automated Prover Precondition Math Results Postcondition Invariant User Provided Proof + Proof Checker 21

  31. Coq  [1] Variables A B C : Prop. Lemma and_commutative :         (A /\ B) -> (B /\ A).     intro.     elim H.     split.     exact H1.     exact H0. Save. Popular Proof Checkers Isabelle  [2] lemma assumes AB:     "large_A /\ large_B"     shows          "large_B /\ large_A"          ( is "?B /\ ?A" )‏     using AB proof     assume "?A" "?B"      show ?thesis .. qed 22

  32. Mathematical Proof Supposition k, m: N      Goal k + (m + 0) = (k + m) + 0      k + (m + 0) = k + m by (i) of Definition +      k + m = (k + m) + 0 by (i) of Definition +     Deduction if k ∈ N and m ∈ N then         k + (m + 0) = (k + m) + 0     [ZeroAssociativity] For all k: N, for all m: N,         k + (m + 0) = (k + m) + 0 by universal generalization 23

  33. RESOLVE Proof Language Supposition k, m: N; Goal k + (m + 0) = (k + m) + 0;      k + (m + 0) = k + m by (i) of Definition +;      k + m = (k + m) + 0 by (i) of Definition +; Deduction if k is_in N and m is_in N then        k + (m + 0) = (k + m) + 0; [ZeroAssociativity]For all k: N, for all m: N,         k + (m + 0) = (k + m) + 0 by universal generalization; 24

  34. Demo Corollary Identity: a : N and      a + 0 = a;Proof of Theorem Nothing:    Supposition k, m: N;                (k + m) + 0 = k + m by Corollary Identity & equality;     Deduction if k is_in N and          m is_in N then        (k + m) + 0 = k + m;QED 25

  35. Error: Simple.mt(10):    Could not apply substitution to the justified expression.    (k + m) + 0 = m + 0  by Corollary Identity & equality; Demo Corollary Identity: a : N and      a + 0 = a;Proof of Theorem Nothing:    Supposition k, m: N;                (k + m) + 0 = m + 0 by Corollary Identity & equality;     Deduction if k is_in N and          m is_in N then        (k + m) + 0 = k + m;QED 26

  36. Error: Simple.mt(10):    Could not apply the rule Or Rule to the proof expression.      (k + m) + 0 = k + m  by Corollary Identity & or rule; Demo Corollary Identity: a : N and      a + 0 = a;Proof of Theorem Nothing:    Supposition k, m: N;                (k + m) + 0 = k + m by Corollary Identity & or rule;     Deduction if k is_in N and          m is_in N then        (k + m) + 0 = k + m;QED 27

  37. Conclusions • A clearer distinction is required between those proof obligations that we expect to be dispatched by an automated prover, and those for which we intend to furnish a proof. • Programmers should not be required to provide proofs. • Robust mathematical library of theories is required. • Techniques from programming languages should be applied to mitigate the complexity of such theories. 28

  38. References [1] G. Huet, G. Kahn, and C. Paulin-Mohring, “The Coq Proof Assistant: A Tutorial.” INRIA, 2004, pp. 3-18; 45-47. [2] T. Nipkow. “A Tutorial Introduction to Structured Isar Proofs,” http://www.cl.cam.ac.uk/research/hvg/Isabelle/dist/Isabelle/doc/isar-overview.pdf. 28

More Related