15-820A PVS

1
15-820APVS An Introduction

• Edmund Clarke
• Daniel Kroening
• Carnegie Mellon University

2
Outline

• Theorem provers
• Why PVS?
• Topics for this semester
• Short introduction to the PVS language
• The PVS workflow
• A short proof

3
Theorem Provers

• Stores theorems and establishes their correctness
• What kind of theorems?
• First order
• Second order / higher order
• How to establish the correctness?
• Completely automated
• Semi-automated
• Interactive (manual)

4
Theorem Provers

• There is a wide range of theorem
• provers
• Higher order ALF, Alfa, Coq, HOL, PVS
• Logical Frameworks Isabelle, LF, Twelf
• Inductive ACL2, Inka
• Automated Gandalf, TPS, Otter, Setheo, SPASS
• EQP, Maude

5
Theorem Provers

• The most commonly used Theorem Provers,from
  systems verification point of view
• HOL Floating Point Verification (Intel)
• ACL2 Floating Point Verification (AMD)
• PVS NASA/DoD, e.g., Space Shuttle flight control
  requirements specificationIt also does Floating
  Point Units.
• PVS is
• Higher order
• Interactive

6
PVS Workflow
System
PROOFS
PVS File
Properties
?
?
Conversion of system (Program, circuit,
protocol)and property. Can be automated or
donemanually
Proof construction Interaction with the theorem
prover
A
7
Why PVS?

• Why PVS and not some other theorem prover?

From PVS website PVS is a large and complex
system and it takes a long while to learn to use
it effectively. You should be prepared to invest
six months to become a moderately skilled user
A
8
Why PVS?

• Why PVS and not some other theorem prover?
• Other (strong) theorem provers probably worse
• The PVS language is close to normal notation
• Not LISP!
• PVS is interactive why not an automated theorem
  prover?
• Decidable logics often not rich enough, or
  inconvenient
• Semi-automated theorem provers usually dont tell
  what is wrong, experience and knowledge about
  internals required

9
Topics for this Semester

• PVS
• Installation
• Proof Interaction
• Language Basics
• Types
• Type Checking
• Recursion
• Lambda Notation
• Abstract Data Types

10
Topics for this Semester

• Specification using PVS
• Prelude, Libraries
• State Machines
• Tabular Specifications
• How to get systems into PVS
• Hardware
• Software

11
Topics for this Semester

• Proofs
• Induction
• Real Numbers
• Abstraction of Infinite State Transition Systems
• Proof Automation
• Rewriting
• Write your own decision procedure!
• Model Checking as Rule of Inference

12
The PVS Language

• There are two languages
• The language to write definitions and theorems
  (definition language)
• The language to prove theorems(proof language)
• They have nothing to do with each other
• The definition language looks likenormal math
  (translator to Latex built in)
• The proof language looks like LISP

13
The PVS Definition Language

• Main language elements
• Declarations
• Types
• Constants
• Expressions over these types
• Expressions of Boolean types may be a formula
• Formulae are theorems or axioms
• Declarations and formulae are grouped into
  theories

14
The PVS Definition Language
class_theory THEORY BEGIN my_type
NONEMPTY_TYPE constant1, constant2
my_type f1 THEOREM FORALL (a, b
integer) abba f2 AXIOM
constant1constant2 END class_theory
TypeDeclarations
Expressions
A
15
The PVS Definition Language
class_theory THEORY BEGIN my_type
NONEMPTY_TYPE constant1, constant2
my_type f1 THEOREM FORALL (a, b
integer) abba f2 AXIOM
constant1constant2 END class_theory
Formulae
A
16
The PVS Definition Language
class_theory THEORY BEGIN my_type
NONEMPTY_TYPE constant1, constant2
my_type f1 THEOREM FORALL (a, b
integer) abba f2 AXIOM
constant1constant2 END class_theory
Declarations
17
Axioms vs. Theorems

• Axioms are assumed to be true
• Dangerous!
• Avoid axioms, use constant declarations instead

class_theory THEORY BEGIN c integer c
AXIOM c3 END class_theory
class_theory THEORY BEGIN c integer
3 END class_theory
Left hand side is conservative
18
Types

• PVS has a very rich type concept
• Uninterpreted type declaration
• numbers TYPE
• numbers NONEMPTY_TYPE
• Interpreted type declarationIntroduce names for
  type expressions
• posint TYPE i integer i gt 0

19
Types PVS comes with

• boolean
• FALSE, TRUE
• Number types
• real, rational, integer, natural
• string
• Ordinals

20
Type Expressions

• Function Types
• t1,,tn -gt t
• Sugar for that
• FUNCTION t1,,tn -gt t
• ARRAY t1,,tn -gt t
• Note that ti and t may be function types as well!

21
Expressions

• Constants
• Given by their name, as used in the declaration
• Numbers (1, 2, 3, ) are actually identifiers and
  can even be overloaded
• If name is ambiguous, use
• identifiertype

22
Expressions

• Function Applications
• f(x)
• Tons of Syntactic sugar for that, dont be
  confused
• Binary operator symbols
• y z is the same as (y, z)

23
Expressions

• Functions PVS comes with
• Boolean
• AND , OR, IMPLIES gt,
• WHEN, IFF ltgt
• IF c THEN a ELSE b
• IF boolean, T, T -gt T
• (COND sugar for IF THEN ELSE)
• Numeric operators
• , -, , /, , lt, lt, gt, gt

24
Expressions

• Binding Expressions
• Quantifiers
• EXISTS (x T) p(x)
• FORALL (y T) q(y)

25
Expressions

• Binding Expressions
• Lambda unnamed functions
• LAMBDA (x int) x1
• Type of that int -gt int

class_theory THEORYBEGIN f int-gtint
LAMBDA (x int) x1 END class_theory
class_theory THEORYBEGIN f(x int) int
x1 END class_theory
A
26
Recursion

• Lambda cannot be used for recursion
• Only named functions allow recursion
• No mutual recursion

factorial(x nat) RECURSIVE nat IF x0 THEN
1 ELSE factorial(x-1)x ENDIF
MEASURE (LAMBDA (x nat) x)
Used to prove that the function is total
A
27
Expressions

• LET Expressions
• LET iTe1 IN e2
• Useful for avoiding redundancy if e1 is used many
  times in e2
• Sugar for LAMBDA
• (LAMBDA (i T) e2)(e1)
• Example
• LET x2 IN xy
• is
• (LAMBDA x xy)(2)

28
Expressions

• Override Expressions
• e WITH (i1)v1, (i2)v2,
• Sugar for LAMBDA
• LAMBDA x IF xi1 THEN v1 ELSIF xi2 THEN
  v2 ELSE e(x) ENDIF
• Also for records and tuples

29
Expressions

• LET and WITH useful for some sequential program
  constructs!

f(i int)int LET a1LAMBDA (x below(10)) 0
IN ... LET a2a1 WITH (i)5 IN ...
ai(0)
int f(int i) int a10 0, ...
ai5 ... return a0
30
Expressions

• Set Expressions
• In PVS, sets are represented using their
  characteristic function
• T -gt boolean same as setofT
• Set expressions
• xT p(x)
• For sets a, b over T
• Union a OR b
• Intersection a AND b

31
Some Syntactic Sugar

• Tuple types
• t1,,tn
• Tuple expressions
• ( e1,,en )
• Comes with projections
• PROJ_1, PROJ_2, ..., PROJ_n

32
Example
stacks1 THEORY BEGIN stack TYPE int,
ARRAYint-gtint empty stack (0, (LAMBDA (j
int) 0)) size(s stack)int PROJ_1(s)
elements(s stack)ARRAYint-gtint PROJ_2(s)
push(x int, sstack) stack (size(s)1,
elements(s) WITH (size(s))x) pop(sstack)
stack (size(s)-1, elements(s)) END stacks1
How abouta struct?
A
33
Some Syntactic Sugar

• Record types
• a1t1,,antn
• Record expressions
• ( a1e1,,anen )
• Comes with projections
• a1, a2, ..., an
• Or eai

34
Example
stacks2 THEORY BEGIN stack TYPE size
int, elements ARRAYint-gtint empty stack
( size0, elements(LAMBDA (j int) 0) )
push(x int, sstack) stack (
sizessize1, elementsselements WITH
(ssize)x ) pop(sstack) stack (
sizessize-1, elementsselements
) END stacks2
What about the empty stack?
A
35
Subtypes

• x T p(x)
• p must be of type T -gt boolean
• Sugar for that
• (p)
• This type contains all elements x of Tfor which
  p(x) is true
• E.g., define domain of integer division
• x integer x/0
• Makes type equivalence undecidable

36
Subtypes

• Subtypes in binding expressions
• Forall, exists forall (i int igt10)
• Lambda

class_theory THEORYBEGIN f x int
x/0 -gtreal LAMBDA (x int x/0)
1/x END class_theory
class_theory THEORYBEGIN f(x int x/0)
real 1/x END class_theory
37
Example
stacks3 THEORY BEGIN stack TYPE size
nat, elements ARRAYnat-gtint empty stack
( size0, elements(LAMBDA (j nat) 0) )
push(x int, sstack) s stack ssizegt1
( sizessize1,
elementsselements WITH (ssize)x )
pop(sstack ssizegt1) stack (
sizessize-1, elementsselements
) END stacks3
Properties?
A
38
Example
stacks3 THEORY BEGIN stack TYPE size
nat, elements ARRAYnat-gtint empty stack
( size0, elements(LAMBDA (j nat) 0) )
push(x int, sstack) s stack ssizegt1
( sizessize1,
elementsselements WITH (ssize)x )
pop(sstack ssizegt1) stack (
sizessize-1, elementsselements )
push_pop THEOREM FORALL (s stack, x int)
pop(push(x, s))s END stacks3
Does this work?
A
39
Example
stacks4 THEORY BEGIN stack TYPE size
nat, elements ARRAYinatiltsize-gtint
empty stack ( size0, elements(LAMBDA
(jnat FALSE) 0) ) push(x int, sstack)
s stack ssizegt1 ( sizessize1,
elementsLAMBDA (j below(ssize1))
IF jltssize THEN selements(j) ELSE x ENDIF )
pop(sstack ssizegt1) stack (
sizessize-1, elementsLAMBDA
(jnatjltssize-1) selements(j) ) push_pop
THEOREM FORALL (s stack, x int)
pop(push(x, s))s END stacks4
40
Proof?

• How to argue?
• pop(push(x, s)) s
• Lets to the size component and the elements
  component separately
• Size
• pop(push(x, s))size ssize
• Expand definition of pop
• push(x, s)size - 1 ssize
• Expanding the definition of push results in
• ssize1-1ssize

41
Proof? (2)

• Elements
• pop(push(x, s))elements selements
• Expand definition of pop
• (?(jnatjltpush(x, s)size-1)push(x,
  s)elements(j)) selements
• Expanding the definition of push results in
• (?(jnatjltssize)IF jltssize THEN
  selements(j)ELSE x ENDIF selements
• Obviously, the condition of the IF is always true

42
What next

• Webpage!
• Installation instructions for PVS
• Further reading
• Homework assignment