Interactive Formal Verification: Welcome. Dr. Dominic P. Mulligan (PowerPoint presentation)

SLIDE 1

Interactive Formal Verification

Welcome

  • Dr. Dominic P. Mulligan

Programming, Logic, and Semantics Group, University of Cambridge

Academic year 2017–2018


SLIDE 2

Administrivia

Course usually lectured by Prof. Lawrence Paulson, who is on sabbatical leave this year
My office: FS16

  • Until start of November
  • Then at ARM, but will return to finish the course

My e-mail: dominic.p.mulligan@gmail.com
Course lab assistant: Dr. Victor Gomes
Victor’s e-mail: vb358@cam.ac.uk


SLIDE 5

Administrivia

Course website: https://www.cl.cam.ac.uk/teaching/1718/L21/
Course consists of 16 hours of contact time:

  • 12 hours of lab-based lecturing,
  • 4 hours of lab-based practicals

Assessed via two practical exercises:

  • First (computer science) on parser combinators
  • Second (maths) on metric spaces


SLIDE 8

IMPORTANT

All lecturing materials developed using Isabelle2016-1
Isabelle2017 is about to be released
Make sure you use Isabelle2016-1 for this course!
I recommend you install a local copy (ASAP) to follow along


SLIDE 9

Obtaining Isabelle

For your own machines: check course website
For lab machines see: /auto/groups/acs-software/L21/Isabelle2016-1/
Contains Isabelle2016-1_app.tar.gz for installation in home directory
Also can start Isabelle2016-1 from your machine via: /auto/groups/acs-software/L21/Isabelle2016-1/Isabelle2016-1/Isabelle2016-1


SLIDE 10

Course text

Free! See: http://concrete-semantics.org/
A stripped down version is distributed with Isabelle


SLIDE 11

Motivation

SLIDE 12

Developing software is hard

Most software (and hardware) has bugs
Bugs are costly, and potentially dangerous
IDEA: treat program as a formal mathematical object
Prove relevant properties about model and obtain certified implementation thereafter
Increases confidence in software/hardware implementation


SLIDE 15

Writing and checking proofs is hard

Proofs in mathematics and computer science may:

  • Be tedious to check
  • Contain subtle mistakes
  • Be controversial (due to e.g. size, inability to review adequately)

IDEA: have a computer check that proof is valid
Increases confidence in proof


SLIDE 18

Interactive theorem proving

Want to work in an expressive logic (which?)
The more expressive our logic the worse it behaves computationally
Proof search undecidable, intractable even in decidable fragments
IDEA: have the computer and a human work together
Human guides the proof search with computer:

  • Checking that the human’s reasoning is valid
  • Helping when it can: (semi-)decision procedures, counterexample finders...


SLIDE 21

Isabelle, and Isabelle/HOL

SLIDE 22

Isabelle: a generic proof assistant

Isabelle initially written by Paulson starting mid 80s
Nipkow, Wenzel and others in Munich and elsewhere now a major development force
Written in Standard ML, follows LCF design philosophy
Isabelle is a logical framework:

  • Provides a relatively weak base (meta) logic
  • More interesting (object) logics can be embedded in it
  • Provides common reasoning tools, document preparation, and so on


SLIDE 24

Many instantiations

Many different object logic embeddings:

  • ZF set theory
  • First-order logic
  • Martin-Löf type theory

In this course:

  • (Mostly) ignore Isabelle’s status as a logical framework
  • Focus on one object logic: HOL
  • Show off Isabelle/HOL as an interactive proof assistant for HOL


SLIDE 26

Gordon’s higher-order logic (HOL)

HOL = Church’s Simple Theory of Types + type polymorphism
Suggested by Mike Gordon as a suitable logic for hardware verification
Implemented in HOL4, HOL Light, ProofPower HOL, HOL Zero
...and of course Isabelle/HOL


SLIDE 29

HOL

HOL as a logic:

  • Is polymorphically typed (as opposed to e.g. ACL2)
  • Does not have type-dependency (as opposed to e.g. Coq or Agda)
  • Is higher-order (as opposed to e.g. ACL2, or tools like Vampire)
  • Strikes a good middle ground between expressivity and ability to interact with external tools (e.g. FOTPs, SMT solvers, etc.)

As a functional programmer HOL will “feel” very familiar
No need to learn a radically different way of doing things


SLIDE 31

First taste of Isabelle/HOL

SLIDE 32

See associated theory...

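A short Isabelle/HOL theory, added here as an illustration and not the course's associated theory file, that ties together the points of the "Developing software is hard", "Interactive theorem proving" and "HOL" slides: a function written as a functional programmer would write it, a proof by induction in which the human supplies the generalisation (the `arbitrary: ys` annotation) and Isabelle checks every step, a false conjecture refuted by the counterexample finder `quickcheck` before any proof effort is spent, and code generation from the verified definition (the "certified implementation" of the motivation slide). The theory name `First_Taste` and the function name `itrev` are assumptions of this example, not names from the course materials; the exercise itself is the standard accumulator-reversal example of the course text. Check it in Isabelle2016-1, as the slides recommend.

```isabelle
theory First_Taste
  imports Main
begin

(* Tail-recursive list reversal with an accumulator, written the way a
   functional programmer would write it. Name and theory are assumptions
   of this added example, not part of the course materials. *)
fun itrev :: "'a list => 'a list => 'a list" where
  "itrev [] ys = ys"
| "itrev (x # xs) ys = itrev xs (x # ys)"

(* Definitions are executable inside the logic; 'value' evaluates a term. *)
value "itrev [1::nat, 2, 3] []"

(* The property we actually want is itrev xs [] = rev xs, but that
   statement is too weak to prove by induction on xs: the accumulator
   changes in the recursive call, so the induction hypothesis must hold
   for every ys. The human supplies the generalisation (arbitrary: ys);
   Isabelle's induction and auto then check each case. *)
lemma itrev_rev: "itrev xs ys = rev xs @ ys"
  by (induction xs arbitrary: ys) auto

(* The intended statement is now a one-line consequence. *)
corollary itrev_is_rev: "itrev xs [] = rev xs"
  by (simp add: itrev_rev)

(* A wrong conjecture: quickcheck searches small instances and reports a
   counterexample (two distinct elements suffice), so we abandon it with
   'oops' instead of trying to prove a falsehood. *)
lemma "itrev xs ys = itrev ys xs"
  quickcheck
  oops

(* Certified implementation: generate executable SML from the definition
   whose properties were proved above. *)
export_code itrev in SML

end
```

The `arbitrary: ys` step is the interactive part of "interactive theorem proving" in miniature: the machine would never discover that generalisation on its own, but once the human states it, the proof of each inductive case is fully automatic and fully checked.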