customised induction rules for proving correctness of
play

Customised Induction Rules for Proving Correctness of Imperative - PowerPoint PPT Presentation

Jul 15, 2023 •477 likes •821 views

Customised Induction Rules for Proving Correctness of Imperative Programs Angela Wallenburg angelaw@cs.chalmers.se 4th International Symposium June 9, 2005, L okeberg Outline 1. Problem: Induction and Loops 2. First approach: Use idea

  1. Customised Induction Rules for Proving Correctness of Imperative Programs Angela Wallenburg angelaw@cs.chalmers.se 4th International Symposium June 9, 2005, L¨ okeberg

  2. Outline 1. Problem: Induction and Loops 2. First approach: Use idea from software testing to create induction rules 3. Next approach: Use to customise the rules instead and tie up loose ends 4. Ongoing work: Rippling – can it be used for the remaining challenges? Angela Wallenburg, Chalmers and G¨ oteborg University 2

  3. Problems in Semi-Interactive Theorem Proving 1. Level of automation (a lot of user-interaction) 2. User-interaction complicated Loops present the real challenge. • Induction used to prove loops in KeY • Induction hypothesis, required by the user • Can be rather complicated, everything at once • Recursion, similar problems This holds for ! Angela Wallenburg, Chalmers and G¨ oteborg University 3

  4. Motivating Example Proof obligation: ∀ i ∈ N · ϕ ( i ) , where ϕ ( i ) : ∀ c ∈ N · i ≥ 0 ∧ c ≥ 1 → � while (i > 0) { if (i > = c) { i = i − c; } else { i −− ; } } � i = 0 Angela Wallenburg, Chalmers and G¨ oteborg University 4

  5. Motivating Example Standard induction step: ∀ n ∈ N · ϕ ( n ) → ϕ ( n + 1) – Symbolic execution – Unwind loop – Two branches: (1) (2) i := i − c ; i − − ; ∀ n ∈ N · ϕ ( n ) ∧ n ≥ c → ϕ ( n + 1 − c ) ∀ n ∈ N · ϕ ( n ) ∧ n < c → ϕ ( n ) Problem! Angela Wallenburg, Chalmers and G¨ oteborg University 5

  6. Goal • Derive induction rule • Automatically • Program-specific induction rule • Minimise user-interaction , not necessarily interested in proof-strength Angela Wallenburg, Chalmers and G¨ oteborg University 6

  7. First Approach - Partition Testing as an Inspiration • Using technique from software testing: partitioning • Divide and Conquer! • Partition analysis can be performed automatically • White-box partition analysis using branch predicates • Partition the proof! Angela Wallenburg, Chalmers and G¨ oteborg University 7

  8. Example int russianMultiplication(int a,int b) { int z = 0; while (a != 0) { if (a mod 2 != 0) { z = z + b; } a = a/2; b = b*2; } return z; } Angela Wallenburg, Chalmers and G¨ oteborg University 8

  9. Example Partition Partition of domain of a ( N ), based on the branch predicates: D 1 = { x ∈ N | x = 0 } = { 0 } D 2 = { x ∈ N | x � = 0 ∧ x mod 2 � = 0 } D 3 = { x ∈ N | x � = 0 ∧ x mod 2 = 0 } Angela Wallenburg, Chalmers and G¨ oteborg University 9

  10. Overview of the method 1. Construct partition of induction variable’s domain – using branch predicates – automatically 2. Refine the partition – using implicit case distinctions of operators – desired format 3. Create new induction rule – based on refined partition – k base cases, matching finite subdomains – l step cases, matching infinite subdomains 4. Hopefully less user-interaction required Angela Wallenburg, Chalmers and G¨ oteborg University 10

  11. Method by Example The partitioned induction rule ϕ (0) (1) ∀ n ∈ N 1 · ϕ ( n ) → ϕ (2 ∗ n ) (2) ∀ n ∈ N · ϕ ( n ) → ϕ (2 ∗ n + 1) (3) to prove ∀ n ∈ N · ϕ ( n ) Angela Wallenburg, Chalmers and G¨ oteborg University 11

  12. Resulting User Interaction User interaction required with partitioned induction rule : • Instantiation • Induction rule application • Unwinding of the loop • Decision procedure • Arithmetic Angela Wallenburg, Chalmers and G¨ oteborg University 12

  13. Next Approach – Generate Partitions with Problems with the approach described so far: • Branch predicates might not be related to the update of the induction variable – resulting induction rule provides no simplification! • Relies on quite sophisticated refinement of the partitions. Rather we would like to: • Let the side effects on the induction variable performed inside loop decide the induction steps. • Use failed proof attempts and updates ! Angela Wallenburg, Chalmers and G¨ oteborg University 13

  14. Generate Partitions Using a Theorem Prover The productive use of failure: • perform an attempt at proving the loop • get stuck • figure out why • use this when starting over Use the machinery of semi-automatic theorem prover , in particular the updates , to do this. Angela Wallenburg, Chalmers and G¨ oteborg University 14

  15. Example of a Failed Proof Attempt with Update ⊢ ∀ il ∈ Z · il ≥ 0 → { i := il } � while (i > 0) { i = i - 2; } � i = 0 ∨ i = − 1 Stuck after unwinding of the loop: il c > 0 ⊢ { i := il c − 2 } � while (i > 0) { i = i - 2; } � i = 0 ∨ i = − 1 Angela Wallenburg, Chalmers and G¨ oteborg University 15

  16. Destructor Style Induction – Avoid inverting functions during creation of induction step – Use “predecessor functions”, starting “one step earlier” – Process of proving still the same: unwind right-hand side to attain syntactic equivalence – Computations only performed in the forwards direction Γ ⊢ ∀ i ∈ D b · ϕ ( i ) Γ ⊢ ∀ i ∈ D s · ϕ ( p ( i )) → ϕ ( i ) Γ ⊢ ∀ i ∈ N · ϕ ( i ) Angela Wallenburg, Chalmers and G¨ oteborg University 16

  17. Example Constructor versus Destructor Style Induction Induction rule for previous example, in constructor style: Γ ⊢ ∀ i ∈ D b · ϕ ( i ) Γ ⊢ ∀ i ∈ D s · ϕ ( i ) → ϕ ( i + 2) Γ ⊢ ∀ i ∈ Z · ϕ ( i ) and in destructor style: Γ ⊢ ∀ i ∈ D b · ϕ ( i ) Γ ⊢ ∀ i ∈ D s · ϕ ( i − 2) → ϕ ( i ) Γ ⊢ ∀ i ∈ Z · ϕ ( i ) Angela Wallenburg, Chalmers and G¨ oteborg University 17

  18. Soundness Customised induction rule so far: Γ ⊢ ∀ i · BC ( i ) → ϕ ( i ) Γ ⊢ ∀ i · BP 1 ( i ) ∧ ϕ ( p 1 ( i )) → ϕ ( i ) . . . Γ ⊢ ∀ i · BP n ( i ) ∧ ϕ ( p n ( i )) → ϕ ( i ) Γ ⊢ ∀ i · ϕ ( i ) (4) where BC ( i ) ↔ ¬ BP 1 ( i ) ∧ . . . ∧ ¬ BP n ( i ) . Noetherian induction: proving ∀ m ∈ M · ( ∀ k ∈ M · k ≺ M m → ϕ ( k )) → ϕ ( m ) (5) and that ( M, ≺ M ) is a well-founded set, together with the well-founded induction principle means that we have verified ∀ m ∈ M · ϕ ( m ) . Angela Wallenburg, Chalmers and G¨ oteborg University 18

  19. Soundness (ii) To ensure well-foundedness of the induction set we need some extra proof obligations: • Allow only predecessor functions that decrease the argument: ( ∀ i · BP 1 ( i ) → p 1 ( i ) < i ) ∧ . . . ∧ ( ∀ i · BP n ( i ) → p n ( i ) < i ) ∧ (6) ∀ i, j · BC ( i ) ∧ ¬ BC ( j ) → i < j • Make sure there exists some element in the domain of the base case: ∃ i · BC ( i ) (7) Angela Wallenburg, Chalmers and G¨ oteborg University 19

  20. The Customised Induction Rule Now this rule is sound (proof in thesis): Γ ⊢ ∀ i · BC ( i ) → ϕ ( i ) Γ ⊢ ∀ i · BP 1 ( i ) ∧ ϕ ( p 1 ( i )) → ϕ ( i ) . . . Γ ⊢ ∀ i · BP n ( i ) ∧ ϕ ( p n ( i )) → ϕ ( i ) Γ ⊢ ( ∀ i · � k =1 ...n BP k ( i ) → p k ( i ) < i ) ∧ ∀ i, j · BC ( i ) ∧ ¬ BC ( j ) → i < j ∨ ( ∀ i · � k =1 ...n BP k ( i ) → p k ( i ) > i ) ∧ ∀ i, j · BC ( i ) ∧ ¬ BC ( j ) → i > j Γ ⊢ ∃ i · BC ( i ) Γ ⊢ ∀ i · ϕ ( i ) (8) Angela Wallenburg, Chalmers and G¨ oteborg University 20

  21. Russian Multiplication Example Revisited Γ ⊢ ∀ i · i ≤ 0 → ϕ ( i ) Γ ⊢ ∀ i · i > 0 ∧ i mod 2 � = 0 ∧ ϕ ( i/ 2) → ϕ ( i ) Γ ⊢ ∀ i · i > 0 ∧ i mod 2 = 0 ∧ ϕ ( i/ 2) → ϕ ( i ) (( ∀ i · ( i > 0 ∧ i mod 2 � = 0 → i/ 2 < i ) ∧ ( i > 0 ∧ i mod 2 = 0 → i/ 2 < i )) ∧ ∀ i, j · i ≤ 0 ∧ ¬ j ≤ 0 → i < j ) ∨ Γ ⊢ (( ∀ i · ( i > 0 ∧ i mod 2 � = 0 → i/ 2 > i ) ∧ ( i > 0 ∧ i mod 2 = 0 → i/ 2 > i )) ∧ ∀ i, j · i ≤ 0 ∧ ¬ j ≤ 0 → i > j ) Γ ⊢ ∃ i · i ≤ 0 Γ ⊢ ∀ i · ϕ ( i ) Angela Wallenburg, Chalmers and G¨ oteborg University 21

  22. Comparison to Noetherian Induction Differences mainly in usability and interaction requirements, not proof-strength • WFI introduces only one new proof branch – at least four for PI • a failed proof attempt in PI is much easier to debug – PI separates the different concerns of the proof – PI “knows” more about the problem, presents the branches “up-front” • base case is separated in PI, implicit in WFI. • WFI beyond PI in application domain • additional well-foundedness-proof-obligations in PI Angela Wallenburg, Chalmers and G¨ oteborg University 22

  23. Customised Induction Rules – Summary • automatic creation of customised induction rules for proving the total correct- ness of loops • the resulting rules are – tailor-made for the respective loops to be verified – sound • in comparison to Peano induction or Noetherian induction, the customised induction rules significantly simplify the user interaction required • using a customised induction rule, the resulting proof becomes more modu- larised • a shift of focus for the user interacting with the prover Angela Wallenburg, Chalmers and G¨ oteborg University 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foundations of Computer Science Lecture 5 Induction: Proving For All . . . Induction:

Foundations of Computer Science Lecture 5 Induction: Proving For All . . . Induction:

Foundations of Computer Science Lecture 5 Induction: Proving For All . . . Induction: What and Why? Induction: Good, Bad and Ugly Induction, Well-Ordering and the Smallest Counter-Example Last Time 1 Proving if . . . , then . . .

391 views • 18 slides
Foundations of Computer Science Lecture 5 Induction: Proving For All . . . Induction:

Foundations of Computer Science Lecture 5 Induction: Proving For All . . . Induction:

Foundations of Computer Science Lecture 5 Induction: Proving For All . . . Induction: What and Why? Induction: Good, Bad and Ugly Induction, Well-Ordering and the Smallest Counter-Example Last Time 1 Proving if . . . , then . . .

1.42k views • 98 slides
Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

3/10/10 Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness: partial correctness + termination Partial correctness: Program implements its specification 1 3/10/10 Proving Partial Correctness

420 views • 13 slides
Induction and Its Applications Steve Tanimoto Winter 2016 This lecture material is based on

Induction and Its Applications Steve Tanimoto Winter 2016 This lecture material is based on

1/7/2016 Lecture Outline Proving the Correctness of Algorithms Preconditions and Postconditions Loop Invariants CSE373: Data Structures and Algorithms Induction Math Review Using Induction to Prove Algorithms

220 views • 6 slides
4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the correctness of grammars, i.e., for proving that grammars generate the languages we want them to. 1 / 21 Definition of Suppose G is a grammar and

324 views • 21 slides
Induction and Its Applications Example for Regular Induction: Correctness of a Decimal-

Induction and Its Applications Example for Regular Induction: Correctness of a Decimal-

10/3/2016 Lecture Outline Review of Induction and Strong Induction Example: A theorem about the first n natural numbers. CSE373: Data Structures and Algorithms Example for Strong Induction: Making Postage Induction and Its

498 views • 4 slides
Induction and Its Applications Part 1: Algorithm Correctness, Loop Invariants, and Induction

Induction and Its Applications Part 1: Algorithm Correctness, Loop Invariants, and Induction

10/3/2016 CSE373: Data Structures and Algorithms Induction and Its Applications Part 1: Algorithm Correctness, Loop Invariants, and Induction Steve Tanimoto Autumn 2016 The cover from Francesco Maurolico's Arithmeticorum Libri Duo (1575),

154 views • 3 slides
Proving Correctness of a KRK Chess Endgame Strategy by SAT-based Constraint Solving Marko

Proving Correctness of a KRK Chess Endgame Strategy by SAT-based Constraint Solving Marko

Introduction Reduction to SAT and URSA system Chess Endgame Strategies and Bratkos Strategy for KRK URSA Specification of KRK Endgame and of Strategy Correctness of Strategy Discussion and Conclusions Proving Correctness of a KRK Chess

390 views • 27 slides
1.2: Induction In the section, we consider several induction principles, i.e., methods for proving

1.2: Induction In the section, we consider several induction principles, i.e., methods for proving

1.2: Induction In the section, we consider several induction principles, i.e., methods for proving that every element x of some set A has some property P ( x ). 1 / 12 Principle of Mathematical Induction Theorem 1.2.1 (Principle of Mathematical

596 views • 12 slides
Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick Universitt Oldenburg February 2017 Intro Correctness Results Rel. Work Conclusion Extras Outline Correctness and Graph Programs 1

354 views • 24 slides
Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof Wolfgang Goerigk Christian-Albrechts-Universit at zu Kiel, Germany wg@informatik.uni-kiel.de wg/

297 views • 28 slides
CS 671 Automated Reasoning Tactical Theorem Proving in NuPRL 1. Basic Tactics 2. Tacticals 3.

CS 671 Automated Reasoning Tactical Theorem Proving in NuPRL 1. Basic Tactics 2. Tacticals 3.

CS 671 Automated Reasoning Tactical Theorem Proving in NuPRL 1. Basic Tactics 2. Tacticals 3. Advanced Tactics Chaining, Induction, Case Analysis Tactics: User-defined inference rules Meta-level programs built using Basic inference rules

427 views • 8 slides
Induction and Program Correctness Peter J. Haas INFO 150 Fall Semester 2019 Lecture 10 1/ 8

Induction and Program Correctness Peter J. Haas INFO 150 Fall Semester 2019 Lecture 10 1/ 8

Induction and Program Correctness Peter J. Haas INFO 150 Fall Semester 2019 Lecture 10 1/ 8 Overview Goal I Apply inductive reasoning to Java programs I In context of loops and recursion Lecture 10 2/ 8 Program Correctness Informally: A

143 views • 12 slides
Quicksort [4] In the last class Recursive Procedures Proving Correctness of Recursive

Quicksort [4] In the last class Recursive Procedures Proving Correctness of Recursive

Algorithm : Design &amp; Analysis Quicksort [4] In the last class Recursive Procedures Proving Correctness of Recursive Procedures Deriving recurrence equations Solution of the Recurrence equations Guess and proving

615 views • 38 slides
What problem did the paper address? Big Picture Problem Proving correctness of communication

What problem did the paper address? Big Picture Problem Proving correctness of communication

Review of Model Checking Large Network Protocol Implementations Madanlal Musuvathi Dawson Engler By Vamsi Kambhampati 7 th March 2006 What problem did the paper address? Big Picture Problem Proving correctness of communication protocols

341 views • 5 slides
Objec&amp;ves Proving correctness of Stable Matching algorithm Analyzing algorithms

Objec&amp;ves Proving correctness of Stable Matching algorithm Analyzing algorithms

1/12/18 Objec&amp;ves Proving correctness of Stable Matching algorithm Analyzing algorithms Asympto&amp;c running &amp;mes If youre interested, join the W&amp;L Computer Science Facebook Group! Jan 12, 2018 Sprenkle - CSCI211 1

319 views • 18 slides
ranges from 1 to the n um b er of i clauses | certainly ( n ), where = the O

ranges from 1 to the n um b er of i clauses | certainly ( n ), where = the O

Indep enden t Set Problem Input: a graph and a lo w er b ound . G k Output: \y es&quot; i there are at least k indep endent no des of G ; i.e., no des with no edges in terconnecting. Reduction from: 3SA

189 views • 5 slides
Recursion READING: LC textbook chapter 7 Recursion Recursive algorithms A

Recursion READING: LC textbook chapter 7 Recursion Recursive algorithms A

Summary Topics recursion overview simple examples Sierpinski gasket counting blobs in a grid csci 210: Data Structures Hanoi towers Recursion READING: LC textbook chapter 7 Recursion Recursive

308 views • 7 slides
Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen,

Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen,

u n i v e r s i t y o f c o p e n h a g e n d e p a r t m e n t o f c o m p u t e r s c i e n c e Faculty of Science Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen, Department of Computer

628 views • 21 slides
Partial and Total Correctness Natural semantics Example: ( y:=1; while (x=1) do (y:=y x;

Partial and Total Correctness Natural semantics Example: ( y:=1; while (x=1) do (y:=y x;

Partial and Total Correctness Natural semantics Example: ( y:=1; while (x=1) do (y:=y x; x:=x 1) , s ) s y:=1; while (x=1) do s y = ( s x )! and s x &gt; 0 (y:=y x; x:=x 1) Partial correctness: if initially

88 views • 6 slides
Encoding Induction in Correctness Proofs of Program Transformations as a Termination Problem

Encoding Induction in Correctness Proofs of Program Transformations as a Termination Problem

Encoding Induction in Correctness Proofs of Program Transformations as a Termination Problem Conrad Rau, David Sabel and Manfred Schmidt-Schau Goethe-University, Frankfurt am Main, Germany WST 2012, Obergurgl, Austria 1 Introduction

307 views • 26 slides
Combining Automated and Interactive Theorem Proving in Agda Anton Setzer (Joint work with Karim

Combining Automated and Interactive Theorem Proving in Agda Anton Setzer (Joint work with Karim

Combining Automated and Interactive Theorem Proving in Agda Anton Setzer (Joint work with Karim Kanso) May 21, 2010 1/ 38 1. An Introduction to Agda 2. Integrating Automated Theorem Proving into Agda 3. Defining the Mini SAT Solver in Agda

556 views • 38 slides
Lecture 06: DC Properties I 2014-05-22 Dr. Bernd Westphal 06 2014-05-22 main

Lecture 06: DC Properties I 2014-05-22 Dr. Bernd Westphal 06 2014-05-22 main

Real-Time Systems Lecture 06: DC Properties I 2014-05-22 Dr. Bernd Westphal 06 2014-05-22 main Albert-Ludwigs-Universit at Freiburg, Germany Contents &amp; Goals Last Lecture: DC Syntax and Semantics: Abbreviations

403 views • 21 slides
In proof based classes My Background 4x Intro to proofs course 2x Abstract algebra Intro

In proof based classes My Background 4x Intro to proofs course 2x Abstract algebra Intro

In proof based classes My Background 4x Intro to proofs course 2x Abstract algebra Intro to proofs: The Challenge The same question is relevant on day 1 and the last day of class. Example: Show that the sum of two odd integers is

424 views • 9 slides

More recommend