
CSE 8389 Theorem Proving Peter-Michael Seidel

CSE 8389 Theorem Proving, Peter-Michael Seidel. PVS Workflow (diagram: System, Properties, PVS File, PROOFS). Conversion of system (program, circuit, protocol…) and property: can be automated or done manually. Proof construction: interaction with the theorem prover.





Presentation Transcript


  1. CSE 8389 Theorem Proving, Peter-Michael Seidel

  2. PVS Workflow (diagram: System, Properties, PVS File, PROOFS)
     • System and Properties to PVS File: conversion of system (program, circuit, protocol…) and property. Can be automated or done manually.
     • PVS File to PROOFS: proof construction, interaction with the theorem prover. Spring 2005


  4. The PVS Language
     • There are two languages:
       • The language to write definitions and theorems (“definition language”)
       • The language to prove theorems (“proof language”)
     • They have nothing to do with each other
     • The definition language looks like “normal math” (translator to LaTeX built in)
     • The proof language looks like LISP

  5. Theorem Proving
     • The goal is to show that theorem T is a tautology: |= T
     • or follows from the Assumptions & Axioms F1, …, Fk: F1, …, Fk |= T
     • PVS operates on sequents of the form F1, …, Fk |– G1, …, Gl (F1, …, Fk are the Antecedents, G1, …, Gl the Consequents)
     • Meaning: the disjunction of the Consequents is a logical consequence of the conjunction of the Antecedents, i.e. F1 ∧ F2 ∧ … ∧ Fk implies G1 ∨ G2 ∨ … ∨ Gl
     • Initial sequent (show Theorem): |- T (Antecedents: Axioms, Assumptions; Consequent: Theorem)
     • Antecedents and Consequents are HOL Formulas

  6. Proof Trees
     • Sequents can be modified by PVS proof commands: F1, …, Fk |– G1, …, Gl (Antecedents |– Consequents)
     • The result of a proof command is a (possibly empty) set of subsequents
     • Initial sequent (show Theorem): |- T
     • The repeated application of proof commands on sequents defines a tree
     • A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof.
     • A theorem T is proven if all proof branches are closed.

  7. Sequents in PVS notation
       {-1}  i(0)`reset
       {-2}  i(4)`reset
         |-------
       {1}   i(1)`reset
       {2}   i(2)`reset
       {3}   (c(2)`A AND NOT c(2)`B)
     • Antecedents form a conjunction, Consequents a disjunction.
     • Or: reset is on in cycles 0 and 4, and off in cycles 1 and 2. Show that A and not B holds in cycle 2.

  8. Example Gauss
     • Specifications (for any n > 0)
     • Sum(n) :=
     • Recsum(n) :=
     • Gauss(n) :=
       gauss: Theory
       Begin
         Importing bitvectors@sums
         n, i: Var nat
         sum(n): nat = sigma(0, n, Lambda i: i)
         recsum(n): recursive nat =
           if n = 0 Then 0 Else n + recsum(n-1) endif
           measure n
         gauss(n): real = n * (n + 1) / 2
       end gauss

  9. Example Gauss
     • Specifications (for any n > 0)
     • Sum(n) :=
     • Recsum(n) :=
     • Gauss(n) :=
     • Theorems
     • For all n > 0: Sum(n) = Recsum(n) = Gauss(n)

  10. Example Gauss
     • Theorems
     • For all n > 0: Sum(n) = Recsum(n) = Gauss(n)
       gauss: Theory
       …
         sum_is_recsum: Lemma sum(n) = recsum(n)
         recsum_is_gauss: Lemma recsum(n) = gauss(n)
         sum_is_gauss: Theorem sum(n) = gauss(n)
       end gauss

  11. Example Gauss
     • Definitions: Sum(n) :=  Recsum(n) :=
     • sum_is_recsum: Lemma sum(n) = recsum(n)
     • recursive definition suggests induction
     • Induction basis

  12. Example Gauss
     • Definitions: Sum(n) :=  Recsum(n) :=
     • sum_is_recsum: Lemma sum(n) = recsum(n)
     • Sum(0) = ??  Recsum(0) = ??

  13. Example Gauss
     • sum_is_recsum: Lemma sum(n) = recsum(n)
     • Induction step

  14.–22. Example Gauss
     • sum_is_recsum: Lemma sum(n) = recsum(n)

  23. Example Gauss
     • Theorems
     • For all n > 0: Sum(n) = Recsum(n) = Gauss(n)
       gauss: Theory
       …
         sum_is_recsum: Lemma sum(n) = recsum(n)
         recsum_is_gauss: Lemma recsum(n) = gauss(n)
         sum_is_gauss: Theorem sum(n) = gauss(n)
       end gauss

  24. Example Gauss
     • Definitions: Recsum(n) :=  Gauss(n) :=
     • recsum_is_gauss: Lemma recsum(n) = gauss(n)
     • recursive definition suggests induction (more powerful)

  25. Example Gauss
     • Theorems
     • For all n > 0: Sum(n) = Recsum(n) = Gauss(n)
       gauss: Theory
       …
         sum_is_recsum: Lemma sum(n) = recsum(n)
         recsum_is_gauss: Lemma recsum(n) = gauss(n)
         sum_is_gauss: Theorem sum(n) = gauss(n)
       end gauss

  26. Example Gauss
     • sum_is_gauss: Lemma sum(n) = gauss(n)

  27. Proof Trees
     • sum_is_gauss (root), proven from recsum_is_gauss and sum_is_recsum
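The two lemmas and the theorem of slides 10–27, worked out as an added example in Lean 4 with Mathlib rather than in PVS (this is not the lecture's own code): sum mirrors sigma(0, n, Lambda i: i), recsum the RECURSIVE definition with MEASURE n, and gauss the real-valued closed form (ℚ is used in place of PVS real). Both lemmas follow the slides' plan (induction basis, then induction step using the hypothesis), and sum_is_gauss is the root of the proof tree from slide 27.

```lean
import Mathlib

namespace Gauss

-- sum(n) = sigma(0, n, LAMBDA i: i): 0 + 1 + ... + n
def sum (n : ℕ) : ℕ := ∑ i in Finset.range (n + 1), i

-- recsum(n), the recursive definition (PVS: MEASURE n)
def recsum : ℕ → ℕ
  | 0     => 0
  | n + 1 => (n + 1) + recsum n

-- gauss(n) = n * (n + 1) / 2, over ℚ instead of PVS real
def gauss (n : ℕ) : ℚ := n * (n + 1) / 2

-- sum_is_recsum: recursive definition suggests induction (slide 11)
theorem sum_is_recsum (n : ℕ) : sum n = recsum n := by
  induction n with
  | zero => simp [sum, recsum, Finset.sum_range_succ]   -- basis: Sum(0) = 0 = Recsum(0)
  | succ k ih =>                                         -- step: assume Sum(k) = Recsum(k)
    -- peel the last summand off sigma(0, k+1, ...)
    have h : sum (k + 1) = sum k + (k + 1) := Finset.sum_range_succ _ _
    rw [h, ih, recsum]                                   -- Recsum(k) + (k+1) = (k+1) + Recsum(k)
    omega

-- recsum_is_gauss: same induction, step closed by polynomial arithmetic
theorem recsum_is_gauss (n : ℕ) : (recsum n : ℚ) = gauss n := by
  induction n with
  | zero => simp [recsum, gauss]                        -- basis: 0 = 0 * 1 / 2
  | succ k ih =>
    simp only [recsum, gauss] at ih ⊢                    -- unfold both definitions
    push_cast                                            -- move ℕ→ℚ casts inward
    rw [ih]                                              -- use the induction hypothesis
    ring                                                 -- (k+1) + k(k+1)/2 = (k+1)(k+2)/2

-- sum_is_gauss: the proof tree of slide 27, closed by the two lemmas
theorem sum_is_gauss (n : ℕ) : (sum n : ℚ) = gauss n := by
  rw [sum_is_recsum]
  exact recsum_is_gauss n

end Gauss
```

Like PVS, Lean only accepts the theorem once every branch (both induction subgoals of each lemma) is closed; a failing `ring` or `omega` in the step is the Lean counterpart of an open proof branch.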

  28. Proof commands
     • COPY duplicates a formula. Why? When you instantiate a quantified formula, the original one is lost
     • DELETE removes unnecessary formulae – keep your proof easy to follow

  29. Propositional Rules
     • BDDSIMP: simplify propositional structure using BDDs
     • CASE: case splitting. Usage: (CASE “i!1=5”)
     • FLATTEN: flattens conjunctions, disjunctions, and implications
     • IFF: convert a=b to a<=>b for a, b boolean
     • LIFT-IF: move up case splits inside a formula

  30. Quantifiers
     • INST: Instantiate Quantifiers
       • Do this if you have EXISTS in the consequent, or FORALL in the antecedent
       • Usage: (INST -10 “100+x”)
     • SKOLEM!: Introduce Skolem Constants
       • Do this if you have FORALL in the consequent (and do not want induction), or EXISTS in the antecedent
       • If the type of the variable matters, use SKOLEM-TYPEPRED

  31. Equality
     • REPLACE: If you have an equality in the antecedent, you can use REPLACE
     • Example: (REPLACE -1) with {-1} l=r replaces l by r
     • Example: (REPLACE -1 RL) with {-1} l=r replaces r by l

  32. Using Lemmas / Theorems
     • EXPAND: Expand the definition. Example: (EXPAND “min”)
     • LEMMA: add a lemma as antecedent. Example: (LEMMA “my_lemma”)
       • After that, instantiate the quantifiers with (INST -1 “x”)
     • Try (USE “my_lemma”). It will try to guess how you want to instantiate

  33. Induction
     • INDUCT: Performs induction. Usage: (INDUCT “i”)
     • There should be a FORALL i: … equation in the consequent
     • You get two subgoals, one for the induction base and one for the step
     • PVS comes with many induction schemes. Look in the prelude for the full list

  34. The Magic of (GRIND)
     • Myth: Grind does it all…
     • Reality: “... frequently used to automatically complete a proof branch…”
     • Use it when: case splitting, skolemization, expansion, and trivial instantiations are left
     • Does not do induction
     • Does not apply lemmas

  35. The Magic of (GRIND)
     • If it goes wrong…
       • you can get unprovable subgoals
       • it might expand recursions forever
     • How to abort? Hit Ctrl-C twice, then (restore)
     • How to make it succeed? Before running (GRIND), remove unnecessary parts of the sequent using (DELETE fnum). This prevents GRIND from making wrong instantiations and expanding the wrong definitions.

  36. Proof Trees
     • Induction Proof: |- T(n: nat)
       • Induction basis: n=0 |- T(0)
       • Induction step: T(n*) |- T(n*+1)

  37. Number representations
     • Natural number with binary representation:
     • PVS conversion: bv2nat
     • Range of numbers which have a binary representation of length n:
     • Integer with two’s complement representation:
     • PVS conversion: bv2int
     • Range of numbers with two’s complement representation of length n:

  38. Lemmas from Bitvector Library: Lemma 1, Lemma 2, Lemma 3, Lemma 4

  39. Lemmas from Bitvector Library: Lemma 5, Lemma 6, Lemma 7, Lemma 8

  40. Lemmas from Bitvector Library: Lemma 9, Lemma 10, Lemma 11, Lemma 12

  41.–49. Ripple Carry Adder

  50. Conditional Sum Adder
     • Main principle: pre-computing upper sums for the cases c[k]=1 and c[k]=0
     • Assume n is a power of 2:
