1 / 43

Intelligent Systems

Intelligent Systems. Model Checking and Theorem Proving – Lecture 4 Prof. Dieter Fensel (& Gulay Unel ). Agenda. Model Checking Theorem Proving. Model Checking - Agenda. Motivation Models LTL CTL Other logics Model Checking. Motivation.

colin-schwartz
Télécharger la présentation

Intelligent Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intelligent Systems Model Checking and Theorem Proving – Lecture 4 Prof. Dieter Fensel (& Gulay Unel)

  2. Agenda • Model Checking • Theorem Proving

  3. Model Checking - Agenda • Motivation • Models • LTL • CTL • Other logics • Model Checking

  4. Motivation • Model checking is an automated technique that, given a finite-state model of a system and a formal property, checks whether this property holds for (a given state in) that model • Formally: M ⊨Ф where the model M represents a design, and the property Ф formalizes its correctness criteria • Model checking focuses mostly on automatic decision procedures • The model is often restricted to a finite state transition system • Properties are expressed in a propositional logic such as: LTL, CTL for which finite-state model checking is known to be decidable • Note that model checking problem is not limited to finite state systems or propositional logics

  5. Model: Transition System • A transition system TS is a tuple (S, →, I, AP, L) where • S is a set of states • → ⊆ S × S • I ⊆ S is a set of initial states • AP is a set of atomic propositions • L: S → 2AP is a labeling function • An execution: π = s0, s1, ... such that • for every i ≥ 0, si → si+1 • s0 ∈ I • Trace of an execution: sequence of sets of atomic propositions, trace (π) = L(s0), L(s1), ... • Traces(TS): set of all traces of all executions of TS, it defines the observable behaviour of TS

  6. Property: Temporal Logic • The properties of transition systems are expressed in temporal logics, most often in propositional: • Linear Time Temporal Logic (LTL) • Branching Time Temporal Logic (CTL) • In all of the logics the atomic formulas are the atomic propositions from AP • Each state s in a model TS has a set of atomic propositions L(s) that are true in that state, all the other atomic propositions are false in s

  7. Syntax of LTL • propositional logic • true • a, b, …∈ AP •  α, αβ • temporal operators • X α : neXt step fulfills α • F α : sometimes in the Future α will hold • G α : α Globally holds • α U β : α holds Until β holds • linear temporal logic is a logic for describing linear time properties

  8. Derived Operators false ≡ true α β ≡(α β) α β ≡α β α β ≡ (α β) (β  α) precedence order: the unary operators bind stronger than the binary ones. and X bind equally strong. U takes precedence over , , and  , X, F, G > U > , , , 

  9. Examples – Properties of a traffic light • the light is never red and green: (redgreen) • whenever the light is red, it cannot become green immediately afterwards: red  X green • eventually, the light becomes green: F green

  10. Practical properties in LTL • Reachability • reachability: F α • conditional reachability: α U β • reachability from any state: not expressible • Safety: G α • Liveness: G(α F β) and others • Fairness: G F α and others

  11. Semantics over Words The language induced by LTL formula α over AP = {a1, …, an} is: L(α) = { w ∈ (2AP)w | M ⊨α} where ⊨ is defined as follows: (let w=A0A1A2... and w[i] = AiAi+1Ai+2...) w ⊨ true w ⊨ ai iff ai∈ A0 w ⊨αβiff w ⊨α and w ⊨β w ⊨  α iff w ⊭α w ⊨ X α iff w[1]=A1A2A3... ⊨α w ⊨ F α iff j ≥ 0. w[j] ⊨α w ⊨ G α iff j ≥ 0. w[j] ⊨α w ⊨ α U β iff j ≥ 0. w[j] ⊨βand0 ≤ i < j. w[i] ⊨α

  12. Semantics for Transition Systems Semantics is defined via set inclusion, a system satisfies a formula iff all traces are allowed w.r.t. The formula TS ⊨ α iff Traces(TS) ⊆ L(α)

  13. CTL in a nutshell • Branching time model • Path quantifiers (in addition to LTL) • A = “for all future paths” • E = “for some future path” • Example: A F a = “inevitably a” a a A F a a

  14. Other logics : Mu - Calculus • Logic of relations with fixed point operator • Can express transitive closure • Good for describing algorithms

  15. Model Checking G(a Þ F b) • input: • temporal logic (property) • transition system (model) • output • yes • no + counterexample yes MC no a a b b

  16. LTL Model Checking • Vardi and Wolper • Apply Büchi’s technique to LTL • Automaton construction yields optimal decision algorithm • Kurshan • Specify properties directly as automata • example: infinitely often a (G F a) a Øa true

  17. CTL Model Checking • Reasoning about properties of non-deterministic programs • branching time properties of programs • fixed point characterizations (Tarski) • every monotonic function has least/greatest fixed point • key idea: apply to finite graphs, not infinite trees • can directly calculate Tarski fixed points • Applications • finite state machines in hardware • protocols • proved incorrectness of some published designs

  18. Theorem Proving (Resolution) - Agenda • Motivation • Proof System • Resolution • Heuristic Search • Applications • Other Topics

  19. Introduction Unlike in model checking, theorem proving solves the general validity of a formula (whether a formula α holds in all models) ⊨ α • Utilizes the proof inference technique in some proof system • Problem is transformed to a sequent, a working representation for the theorem proving problem • The simplest sequent used in natural deduction: ⊢ α • A sequent holds when it satisfies its intended semantics • For example, ⊢ α is derivable in natural deduction only if the formula α holds in any model

  20. Proof System A proof system is collection of inference rules of the form: P1 …    Pn name C where C is a conclusion sequent, and Pi‘s are premises sequents . If an infererence rule does not have any premises (called an axiom), its conclusion automatically holds.

  21. Proof Tree • A proof of a sequent is a proof tree whose nodes are sequents • The root is the sequent to be proven (the theorem) • For each sequent in the tree, all of its children are premises of some inference rule in which that sequent is a conclusion • A proof is complete when each sequent in the proof tree has an associated inference rule • There are two ways for building a proof tree: • Bottom-up • Top-down

  22. Proof by Refutation • (Proof by contradiction, reductio ad absurdum) • Method: • Negate the theorem statement & add to axioms • Show that this set of sentences is self-inconsistent • Use rules of inference to derive the False statement • This means that the sentences can’t all be true at same time • But the axioms are true • Hence the negated theorem must be false • Hence the theorem must be true

  23. The Resolution Method • Uses proof by refutation • Requires sentences to be in a particular format • Conjunctive Normal Form [CNF] • Uses a single inference rule • Generalised resolution rule • Need to understand the unification method (this lecture) • Method is refutation-complete • If a theorem is true and representable in first order logic • Then this method will prove it [amazing result by Robinson, 1965] • No guarantees given about how long it will take • Actually takes a long time to prove even fairly trivial theorems • Can use heuristics to speed it up

  24. The Resolution Method - Overview • Maintain a knowledge base of clauses • Start with the axioms and negation of theorem • Resolve pairs of clauses • Using single rule of inference (generalised resolution) • Resolved sentence contains fewer literals • Proof ends with the empty clause • Signifies a contradiction • Must mean the negated theorem is false • Because the axioms are consistent • Therefore the original theorem was true

  25. Resolution Rule • Takes two clauses in Conjunctive Normal Form • Finds a literal L1 in one and and a literal L2 in the other • Such that the L1 unifies with ¬L2 (with substitution mu) • In the resolved clause, L1 and L2 are omitted • And the substitution is applied to the whole disjunction p1∨ ... ∨ pj∨ ... ∨ pm,     q1∨ ... ∨ qk∨ ... ∨ qn, Subst(mu, (p1∨ ... ∨ pj-1 ∨ pj+1∨ ... ∨ pm∨ q1∨ ... qk-1∨ qk+1∨ ... ∨ qn))

  26. Empty Clause Signifies False • Resolution theorem proving ends • When the resolved clause has no literals (empty) • This can only be because: • Two unit clauses were resolved • One was the negation of the other (after substitution) • Example: q(X) and ¬q(X) or: p(X) and ¬p(simon) • Hence if we see the empty clause • This was because there was an inconsistency • Hence the proof by contradiction has occurred

  27. Aristotle Example • All men are mortal and Socrates is a man • Therefore Socrates is mortal • Initial Knowledge Base • is_man(X) → is_mortal(X) [universal quant. assumed] • is_man(socrates) • In Conjunctive Normal Form • ¬is_man(X) ∨ mortal(X) • is_man(socrates) • ¬is_mortal(socrates) [negation of theorem]

  28. Reading off a ProofBacktrack and then Read Forward • You said that all men were mortal. • That means that for all things X, either X is not a man, or X is mortal [CNF step]. • If we assume that Socrates is not mortal, then, given your previous statement, this means Socrates is not a man [first resolution step]. • But you said that Socrates is a man, which means that our assumption was false [second resolution step], so Socrates must be mortal.

  29. Alternative Search Tree How do you read the proof for this search tree?

  30. Dealing with EqualityApproach 1: Add Knowledge • Problem with equality: • was_president(george_bush) and was_president(g_bush) • will not unify (syntactically different constants) • unification algorithm does not allow this unification • Even if we add to the knowledge base: • george_bush = g_bush • One alternative: add extra knowledge to KB • Axioms of equality (X=X, X=Y → Y=X, etc.) • Equality statements for each predicate: • X = Y → P(X) = P(Y) • Must be done for all predicates

  31. Dealing with EqualityApproach 2: Add Demodulation rule • Demodulation rule of inference • Takes two input sentences, one expressing an equality • That sentence X = sentence Y • Finds a unification, mu, for X with a term, Z, in other clause • Applies mu to Y (not X) • Replaces occurrence of Z with Subst(mu, Y) X=Y, (…Z…) (…Subst(mu,Y)…)

  32. Heuristic Search Overview • Pure Resolution Search tends to be slow • For interesting problems • Lots of clauses in the initial knowledge base • Each step adds a new clause (which can be used) • The search space gets too big • We can choose any pair of clauses to try to resolve • Heuristic type 1: • Intelligently choose which pair to resolve at any time • Heuristic type 2: • Prune the space: • Don’t allow resolution with certain clauses

  33. Unit Preference Strategy • Greedy search • Prefer to resolve certain clause types when possible • Unit clauses: • Contain only a single literal, e.g., C = is_pm(tony) • Idea: • We are looking for the smallest (empty) clause • Resolving with the unit clause keeps clauses small • Effectiveness • Was very effective early on for simple problems • Doesn’t reduce branching rate for medium problems

  34. Set of Support Strategy • Maintain a set of (support) clauses, SOS • Only allow resolution steps involving members of SOS • Idea: choose clauses not in SOS to be consistent • Hence a clause in SOS must eventually be resolved • In order to find a path to the solution • In practice: • Initially choose the SOS to be the negated theorem • Add any newly resolved clause to the SOS • Otter theorem prover uses this strategy

  35. Input Resolution Strategy • Special case of the SOS strategy • Restrict the SOS to include • Only the clauses in the initial knowledge base • Clearly brings down the search space size • However, it is not complete for first order logic • But it is complete for • Horn-clause knowledge bases • such as Prolog programs

  36. Subsumption of Clauses • One clause, C, subsumes clause D • If D is more specific than C (or, C is more general) • Naïve check for subsumption • Find a unifying substitution • allowing us to write D as a subset of the literals of C • such that variables and constants in D become variables in C • Example: • p(george) ∨ q(X) is subsumed by p(A) ∨ q(B) ∨ r(C) • Substitution: {george/A, X/B} • Second clause is clearly more general

  37. Subsumption Strategy • Whenever a new clause is found • Check that there is no existing clause • which subsumes the new clause • Idea: removing more specific clauses • Will not change the inconsistency in the database • Because specific clauses can be inferred by the general ones • Hence the theorem will still be provable • But the search space will be reduced • Have to be careful: • Subsumption checking can be expensive • must be outweighed by the reduction in search space

  38. Applications of ResolutionAlgebraic Theorem Proving • Bill McCune and Larry Wos • Argonne National Laboratories • Writing first order provers such as EQP & Otter • Solution of the Robbins Problem (boolean algs) • Stated over 60 years ago, mathematicians tried & failed • EQP solved this in 8 days in 1996 (after much devel) • Also nice: axiomatisations of algebras • Attempt to find more succinct ways of describing algebras • Use Otter to prove that the new way • Is equivalent to the normal way of axiomatising algebras

  39. ApplicationsAutomated Conjecture Making • Automated Theory Formation (HR) • Used in mathematical (and bioinformatics) domains • Theories contain • concepts, examples, conjectures, proofs • HR uses Otter to prove its theorems • Effective in algebraic domains • See notes for anti-associative algebra results • In number theory • Otter is used as a filter (discard theorems it can prove) • Example conjectures made by HR (and proved by me): • Sum of divisors is prime → number of divisors is prime • Sum of divisors of a square is an odd number • Perfect numbers are pernicious [and many more…..]

  40. Other Topics in Automated Reasoning: Interactive Proving • Interactive theorem proving • Necessary to interact with humans in order to prove theorems of any difficulty • Two (of many) approaches: • Let a theorem prover do simple tasks while you develop a theory (e.g., Buchberger’s Theorema) • Allow user to follow a proof attempt and step in to guide the prover • Needs visualisation tools to draw and annotate proof trees

  41. Other TopicsHigher Order Theorem Proving • Exactly what you would expect • Expressing theorems in higher order logic • See lecture 4 • And proving them (possibly interactively) • HOL theorem prover • Larry Paulson’s group in cambridge • Has been used for verification tasks • type safety for Java • verification of crytographic protocols

  42. Other TopicsDatabases and Competitions • TPTP library by Geoff Sutcliffe & Christian Suttner • Thousands of problems for theorem provers • Used to benchmark first order theorem provers • Contains 6973 theorems at present • HR is only non-human to add to this library • CASC competition by Sutcliffe et al. • Every year: who has the fastest/most accurate first order theorem prover on the planet? • Uses blind test from the TPTP library • Current chamption: Vampire • By Voronkov and Riazonov in Manchester

  43. References • Model Checking and Theorem Proving: a Unified Framework, Thesis by Sergey Berezin, http://reports-archive.adm.cs.cmu.edu/anon/2002/CMU-CS-02-100.pdf. • A brief history of model checking, Talk by Ken McMillan, http://www.cs.uiowa.edu/~tinelli/classes/196/Spring07/notes/McMillan.pdf. • Artificial Intelligence, Course by Jeremy Gow, http://www.doc.ic.ac.uk/~sgc/teaching/v231/. • Introduction to Model Checking, Course by René Thiemann, http://cl-informatik.uibk.ac.at/teaching/ws07/imc/schedule.php .

More Related