15-820A-pvs-2 - Carnegie Mellon University

Theorem Proving and Model Checking in PVS
15-820A
Modeling Hardware and
Software with PVS
Edmund Clarke
Daniel Kroening
Carnegie Mellon University
1
Theorem Proving and Model Checking in PVS
Outline
• PVS Language
– Parameterized Theories
• Modeling Hardware with PVS
– Combinatorial
– Clocked Circuits
• Modeling Software with PVS
– Sequential Software
2
Theorem Proving and Model Checking in PVS
Outline
• Proofs
–
–
–
–
–
–
–
–
–
The Gentzen Sequent
Propositional Part
Quantifiers
Equality
Induction
Using Lemmas/Theorems
Rewriting
Model Checking
Strategies
3
Theorem Proving and Model Checking in PVS
Example
stacks4: THEORY BEGIN
stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i<size}->int] #]
empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #)
push(x: int, s:stack): { s: stack | s`size>=1 } =
(# size:=s`size+1,
elements:=LAMBDA (j: below(s`size+1)):
IF j<s`size THEN sèlements(j) ELSE x ENDIF #)
What about the
pop(s:stack | s`size>=1): stack =
stacks of other
(# size:=s`size-1,
types?
elements:=LAMBDA (j:nat|j<s`size-1): sèlements(j)
#)
END stacks4
4
A
Theorem Proving and Model Checking in PVS
Example
stacks4: THEORY BEGIN
stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i<size}->int] #]
empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): 0) #)
push(x: int, s:stack): { s: stack | s`size>=1 } =
(# size:=s`size+1,
elements:=LAMBDA (j: below(s`size+1)):
IF j<s`size THEN sèlements(j) ELSE x ENDIF #)
pop(s:stack | s`size>=1): stack =
(# size:=s`size-1,
elements:=LAMBDA (j:nat|j<s`size-1): sèlements(j) #)
END stacks4
5
Theorem Proving and Model Checking in PVS
Theory Parameters
• Idea: do something like a C++ template
theory[T1: TYPE,
T2: TYPE, ...]:
THEORY BEGIN
template <class T1,
class T2, ...>
class stack
{
...
};
...
END theory
6
A
Theorem Proving and Model Checking in PVS
Theory Parameters
• Idea: do something like a C++ template
template <class T1,
class T2, ...>
class stack
{
...
f(e: T1):bool;
...
};
theory[T1: TYPE,
T2: TYPE, ...]:
THEORY BEGIN
...
f(e: T1):bool;
...
END theory
7
Theorem Proving and Model Checking in PVS
Example
stacks4[T: NONEMPTY_TYPE]: THEORY BEGIN
stack: TYPE = [# size: nat, elements: ARRAY[{i:nat|i<size}->T] #]
e: T
empty: stack = (# size:=0, elements:=(LAMBDA (j:nat| FALSE): e) #)
push(x: T, s:stack): { s: stack | s`size>=1 } =
(# size:=s`size+1,
elements:=LAMBDA (j: below(s`size+1)):
IF j<s`size THEN sèlements(j) ELSE x ENDIF #)
pop(s:stack | s`size>=1): stack =
(# size:=s`size-1,
elements:=LAMBDA (j:nat|j<s`size-1): sèlements(j) #)
END stacks4
8
Theorem Proving and Model Checking in PVS
Example
use_stack: THEORY BEGIN
my_type: TYPE = [ posint, posint ]
IMPORTING stacks5;
s: stack[my_type];
x: my_type = (1, 2);
d: stack[my_type] = push(x , s);
END use_stack
9
Theorem Proving and Model Checking in PVS
Theory Parameters
• PVS uses theory parameters for many
definitions
equalities [T: TYPE]:
THEORY BEGIN
PVS has many heuristics to
automatically detect the right
theory parameters
=: [T, T -> boolean]
END equalities
a, b: posint;
a=b same as =[posint](a,b)
10
Theorem Proving and Model Checking in PVS
Useful Parameterized Theories
• PVS comes with several useful
parameterized theories
– Sets over elements of type T
subsets, union, complement, power set,
finite sets, …
– Infinite Sequences
– Finite Sequences
– Lists
– Bit vectors
11
A
Theorem Proving and Model Checking in PVS
Bit Vectors
• Bit Vectors are defined using an ARRAY
type
bv[N: nat]: THEORY
BEGIN
bvec : TYPE = [below(N) -> bit]
0, …, N-1
12
same as
boolean
A
Theorem Proving and Model Checking in PVS
Bit Vectors
•
•
•
•
•
•
•
Extract a bit: bv^(i) i 2 { 0, … , N-1 }
Vector extraction: bv^(m,n) n≤m<N
bN: fill(b)
Concatenation: bv1 o bv2
Bitwise: bv1 OR bv2
Conversion to integer: bv2nat(bv)
Conversion from integer: nat2bv(bv)
13
Theorem Proving and Model Checking in PVS
Bit Vector Arithmetic
• Requires
IMPORTING bitvectors@bv_arith_nat
• *, +, -, <=, >=, <, >
• Many other useful theories
Look in pvs/lib/bitvectors
14
Theorem Proving and Model Checking in PVS
Bit Vectors
• Example:
bv_ex: THEORY BEGIN
x: VAR bvec[32]
zero_lemma: LEMMA bv2nat(x)=0 IFF x=fill(false)
END bv_ex
How many
bits?
15
A
Theorem Proving and Model Checking in PVS
Bit Vectors
• Example:
bv_ex: THEORY BEGIN
x: VAR bvec[32]
zero_lemma: LEMMA bv2nat[32](x)=0 IFF x=fill[32](false)
END bv_ex
16
Theorem Proving and Model Checking in PVS
PVS Workflow
System
PVS File
PROOFS
Properties
of system
Proof construction
 Conversion

(Program, circuit, protocol…)
Interaction with the theorem
prover
and property.
Can be automated or done
manually
17
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
• Combinational Hardware
– No latches
– Circuit is loop-free
– Examples: arithmetic circuits, ALUs, …
• Clocked Circuits
– Combinational part + registers (latches)
– Examples: Processors, Controllers,…
18
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
• Idea: Model combinational circuits using
functions on bit vectors
f(A, B, reset: bit):bit=
IF reset THEN
(NOT A) OR B
ELSE
false
ENDIF
Translation from/to Verilog, VHDL, etc. easy
19
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
• What is the Theorem Prover good for?
– Equivalence checking? No.
– Parameterized circuits
• Prove circuit with “N” bits
– Arithmetic
• What is a correct adder? Integer? Floating Point?
• A purely propositional specification is not really
useful
20
A
Theorem Proving and Model Checking in PVS
Parameterized Circuits
Parameterized for 2k inputs
Binary tree for 8 inputs
21
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN
btree(k: nat, l:[below(exp2(k))->T]):
RECURSIVE T =
IF k=0 THEN
l(0)
ELSE
btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i)) o
btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i+exp2(k-1)))
ENDIF MEASURE k
btree(l:[below(exp2(K))->T]):T=btree(K, l)
END btree
Property?
22
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN
...
btree_correct: THEOREM
btree(l) = l(0) o l(1) o ... o l(exp(K)-1)
END btree
Dot dot dot?
23
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN
...
btree_correct: THEOREM
btree(l) = l(0) o l(1) o ... o l(exp(K)-1)
seq(i: nat, l:[upto(i)->T]): RECURSIVE T =
IF i=0 THEN
l(0)
ELSE
seq (i-1, LAMBDA (j: below(i)): l(j)) o l(i)
ENDIF
MEASURE i
Btree_correct: THEOREM
btree(l) = seq(exp(K)-1, l)
Can
Whatyou
is
prove
missing?
this?
END btree
24
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
btree[T: TYPE, K: posnat, o: [T,T->T]]: THEORY BEGIN
ASSUMING
fassoc: ASSUMPTION associative?(o)
ENDASSUMING
This is NOT
like an axiom!
...
END btree
zerotester_imp(op): bit =
NOT btree[bit, K, OR](op)
PVS will make you prove
here that OR is associative
25
A
Theorem Proving and Model Checking in PVS
Arithmetic Circuits
a,b,cin : VAR bit
oba_sum(a,b,cin): bit =
(a XOR b XOR cin)
Wait a second!
bit =
Youoba_cout(a,b,cin):
are
adding
bits
here!
((a AND b) OR
(a AND cin) OR
(b AND cin))
One Bit Adder (oba)
Property?
oba_correct: LEMMA
a + b + cin = 2 * oba_cout(a,b,cin) + oba_sum(a,b,cin)
26
A
Theorem Proving and Model Checking in PVS
Conversions
oba_correct: LEMMA
a + b + cin = 2 * oba_cout(a,b,cin) + oba_sum(a,b,cin)
There is no addition on bits (or boolean)!
bit : TYPE = bool
nbit : TYPE = below(2)
b2n(b:bool): nbit = IF b THEN 1 ELSE 0 ENDIF
CONVERSION b2n
below(2) is a subtype of the integer type,
and we have addition for that.
27
A
Theorem Proving and Model Checking in PVS
Arithmetic Circuits
Carry Chain Adder
28
Theorem Proving and Model Checking in PVS
Arithmetic Circuits
cout(n,a,b,a_cin): RECURSIVE bit =
IF n=0 THEN
oba_cout(a(0),b(0),a_cin)
ELSE
oba_cout(a(n),b(n),
cout(n-1,a,b,a_cin))
ENDIF MEASURE n
bv_adder(a,b,a_cin): bvec[N] =
LAMBDA (i:below(N)):
IF i=0 THEN
oba_sum(a(0),b(0),a_cin)
ELSE
oba_sum(x(i),y(i),
cout(i-1,x,y,a_cin))
ENDIF
29
A
Theorem Proving and Model Checking in PVS
Arithmetic Circuits
bv_adder(a,b,a_cin): bvec[N] =
LAMBDA (i:below(N)):
IF i=0 THEN
oba_sum(a(0),b(0),a_cin)
ELSE
oba_sum(x(i),y(i),
cout(i-1,x,y,a_cin))
ENDIF
adder_correct: THEOREM
exp2(N)*cout(N-1,a,b,a_cin)+bv2nat(bv_adder(a,b,a_cin))=
bv2nat(a) + bv2nat(b) + a_cin
adder_is_add: THEOREM
bv_adder(a,b,FALSE) = a + b
30
A
Theorem Proving and Model Checking in PVS
Modeling Hardware with PVS
• Combinational Hardware
– No latches
– Circuit is loop-free
– Examples: arithmetic circuits, ALUs, …
• Clocked Circuits
– Combinational part + registers (latches)
– Examples: Processors, Controllers,…
31
A
Theorem Proving and Model Checking in PVS
Clocked Circuits
Configuration in
cycle 4
32
T
reset
A
B
0
1
?
?
1
0
0
0
2
0
1
0
3
0
0
1
4
0
1
1
5
0
1
1
A
Theorem Proving and Model Checking in PVS
Clocked Circuits
1. Define Type for STATE and INPUTS
C: TYPE = [# A, B: bit #]
I: TYPE = [# reset: bit #]
2. Define the Transition Function
t(c: C, i: I):C= (#
A:= IF i`reset THEN false
ELSE (NOT cÀ) OR c`B
ENDIF,
B:= IF i`reset THEN false
ELSE cÀ OR c`B
ENDIF #)
33
A
Theorem Proving and Model Checking in PVS
Clocked Circuits
3. Define Initial State and Inputs
initial: C
i: [nat -> I];
4. Define the Configuration Sequence
c(T: nat):RECURSIVE C=
IF T=0 THEN
initial
ELSE
t(c(T-1), i(T-1))
ENDIF MEASURE T
34
A
Theorem Proving and Model Checking in PVS
Clocked Circuits
5. Prove things about this sequence
c(T: nat):RECURSIVE C=
IF T=0 THEN
initial
ELSE
t(c(T-1), i(T-1))
ENDIF MEASURE T
c_lem: LEMMA
(i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset)
=> (c(2)À AND NOT c(2)`B)
You can also verify invariants, even temporal properties that way.
35
A
Theorem Proving and Model Checking in PVS
Modeling Software with PVS
• (Software written in functional language)
• (Take a subset of PVS, and compile that)
• Software written in language like ANSI-C
int f(int i) {
int a[10]={ 0, … };
...
a[i]=5;
...
return a[0];
}
f(i: int):int=
LET a1=LAMBDA (x: below(10)): 0 IN
...
LET a2=a1 WITH [(i):=5] IN
...
ai(0)
What about
loops?
36
A
Theorem Proving and Model Checking in PVS
Modeling Software with PVS
int a[10];
unsigned i;
int main() {
. . .
}
1. Define Type for STATE
C: TYPE = [#
a: [below(10)->integer],
i: nat
#]
nat?
Of course,
bvec[32]
is better
37
A
Theorem Proving and Model Checking in PVS
Modeling Software with PVS
2. Translate your program into goto program
int a[10];
unsigned i,j,k;
int a[10];
unsigned i,j,k;
int main() {
i=k=0;
int main() {
L1: i=k=0;
}
while(i<10) {
i++;
k+=2;
}
L2: if(!(i<10)) goto L4;
L3: i++;
k+=2;
goto L2;
j=100;
k++;
L4: j=100;
k++;
}
38
A
Theorem Proving and Model Checking in PVS
Modeling Software with PVS
3. Partition your program into
basic blocks
4. Write transition function for
each basic block
int a[10];
unsigned i,j,k;
L1(c: C):C=
c WITH [i:=0, k:=0]
int main() {
L1: i=k=0;
L2(c: C):C=
c
L3(c: C):C=
c WITH [i:=cì+1,
k:=c`k+2]
L2: if(!(i<10)) goto L4;
L3: i++;
k+=2;
goto L2;
L4(c: C):C=
c WITH [j:=100,
k:=c`k+1]
L4: j=100;
k++;
}
39
A
Theorem Proving and Model Checking in PVS
Modeling Software with PVS
5. Combine transition functions using a program counter
make sure the
PC of the initial
int a[10];
state is L1
unsigned i,j,k;
int main() {
L1: i=k=0;
L2: if(!(i<10)) goto L4;
L3: i++;
k+=2;
goto L2;
L4: j=100;
k++;
}
add
PC: PCt
to C
PCt: TYPE =
{ L1, L2, L3, L4, END }
t(c: C): C=
CASES c`PC OF
L1: L1(c) WITH [PC:=L2],
L2: L2(c) WITH [PC:=
IF NOT (cì<10) THEN L4
ELSE L3 ENDIF,
L3: L3(c) WITH [PC:=L2],
L4: L4(c) WITH [PC:=END],
END: c
ENDCASES
40
A
Theorem Proving and Model Checking in PVS
Modeling Software with PVS
• Next week:
– I/O in case of programs
– Proving termination
– Concurrent programs
41
A
Theorem Proving and Model Checking in PVS
PVS Workflow
System
PVS File
PROOFS
Properties
of system
Proof construction
 Conversion

(Program, circuit, protocol…)
Interaction with the theorem
prover
and property.
Can be automated or done
manually
42
A
Theorem Proving and Model Checking in PVS
The Gentzen Sequent
Conjunction
(Antecedents)

Disjunction
(Consequents)
{-1}
i(0)`reset
{-2}
i(4)`reset
|------{1}
i(1)`reset
{2}
i(2)`reset
{3}
(c(2)À AND NOT c(2)`B)
Or: Reset in cycles 0, 4 is on, and off in 1, 2.
Show that A and not B holds in cycle 2.
43
Theorem Proving and Model Checking in PVS
The Gentzen Sequent
• COPY duplicates a formula
Why? When you instantiate a
quantified formula, the original one is
lost
• DELETE removes unnecessary
formulae – keep your proof easy to
follow
44
Theorem Proving and Model Checking in PVS
Propositional Rules
• BDDSIMP simplify propositional structure
using BDDs
• CASE: case splitting
usage: (CASE “i!1=5”)
• FLATTEN: Flattens conjunctions,
disjunctions, and implications
• IFF: Convert a=b to a<=>b for a, b boolean
• LIFT-IF move up case splits inside a formula
45
Theorem Proving and Model Checking in PVS
Quantifiers
• INST: Instantiate Quantifiers
– Do this if you have EXISTS in the
consequent, or FORALL in the antecedent
– Usage: (INST -10 “100+x”)
• SKOLEM!: Introduce Skolem Constants
– Do this if you have FORALL in the
consequent (and do not want induction), or
EXISTS in the antecedent
– If the type of the variable matters, use
SKOLEM-TYPEPRED
46
Theorem Proving and Model Checking in PVS
Equality
• REPLACE: If you have an equality in the
antecedent, you can use REPLACE
– Example: (REPLACE -1)
{-1} l=r
replace l by r
– Example: (REPLACE -1 RL)
{-1} l=r
replace r by l
47
Theorem Proving and Model Checking in PVS
Using Lemmas / Theorems
• EXPAND: Expand the definition
– Example: (EXPAND “min”)
• LEMMA: add a lemma as antecedent
– Example: (LEMMA “my_lemma”)
– After that, instantiate the quantifiers with
(INST -1 “x”)
– Try (USE “my_lemma”).
It will try to guess how you want to instantiate
48
Theorem Proving and Model Checking in PVS
Induction
• INDUCT: Performs induction
– Usage: (INDUCT “i”)
– There should be a FORALL i: … equation in
the consequent
– You get two subgoals, one for the induction
base and one for the step
– PVS comes with many induction schemes.
Look in the prelude for the full list
49
Theorem Proving and Model Checking in PVS
What next…
• Webpage!
– Installation instructions for PVS
– Further reading
– Homework assignment
50

Download Report

15-820A-pvs-2 - Carnegie Mellon University

Paperzz.com

Your Paperzz