partial clock functions in acl2
play

Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 - PowerPoint PPT Presentation

Apr 17, 2023 •152 likes •423 views

Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004 Goals Given a state machine, we want : A termination proof: from a set of starting states, a desired goal state will always eventually be reached. An

  1. Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004

  2. Goals • Given a state machine, we want : • A termination proof: from a set of starting states, a desired goal state will always eventually be reached. • An efficient simulator: a function that steps machine until desired goal state is reached • Modularity: Be able to compose subroutine proofs and simulators 2

  3. Goals • We don’t want to : • write a VCG (verification condition generator) • manually define a clock function • specify assertions or ordinal measures for every instruction in the subroutine • add a clock parameter to the simulator • Related work : • First three conditions above met for partial correctness [Moore 2003] • First two conditions above met for total correctness [Ray & Moore 2004] 3

  4. State machine model • State tuple: represents current machine state • Defined as a stobj • Program, program counter are part of the state (defstobj mstate (mem :type (array (signed-byte 32) (1024)) (progc :type integer) ...) • “next state” function: executes one machine step next : mstate => mstate 4

  5. State machine model • Machine simulator (with clock parameter): Executes machine for n steps • Returns current state if n is bogus (defun run (n mstate) (declare (xargs :stobjs (mstate) :guard (natp n))) (if (zp n) mstate (let ((mstate (next mstate))) (run (1- n) mstate)))) 5

  6. State machine model • State assertion : predicate about a machine state (defun entering-fib-routine (n mstate) (and (program-loaded *fib-addr* mstate) (equal (progc mstate) *fib-addr*) (equal (top-of-stack mstate) n))) (defun exiting-fib-routine (n mstate) (and (program-loaded *fib-addr* mstate) (equal (progc mstate) *fib-done-addr*) (equal (top-of-stack mstate) (fib n)))) 6

  7. State machine model • Cutpoints : Finite collection of state assertions • Every program loop should be broken by at least one cutpoint • Exitpoint : Desired end state assertion • Every exitpoint must be a cutpoint • Multiple exitpoints allowed • Exitpoints aren’t necessarily halting • Internal cutpoint : A cutpoint that is not an exitpoint 7

  8. Termination proof • Total correctness : Every cutpoint always leads to an exitpoint. • Proof method: • Assign an ordinal measure to every cutpoint cutpoint-measure : mstate => ordinal • Symbolically simulate each control path from an internal cutpoint until another cutpoint is reached • Show that the newly-reached cutpoint is smaller according to cutpoint-measure 8

  9. Symbolic simulation • Symbolic simulation automated via a partial clock function • Has a generic, tail-recursive definition • Returns number of steps (- n) until next valid cutpoint state, if one is reachable • Undefined if no cutpoint state is reachable • Can be made “Executable” (defpun steps-to-cutpoint-tail (n mstate) (if (at-cutpoint mstate) n (steps-to-cutpoint-tail (1+ n) (next mstate)))) 9

  10. Completed clock function • Partial clock function is logically extended to a total function: • Tests whether value returned by steps-to-cutpoint-tail is a cutpoint: • If so, then return that value • If not, then return ω (defun steps-to-cutpoint (mstate) (let ((steps (steps-to-cutpoint-tail 0 mstate))) (if (at-cutpoint (run steps mstate)) steps (omega)))) 10

  11. Clock function rewrites • Completed clock function has simpler rewrite rules • Rules use ordinal addition to handle unreachable cutpoints (defthm steps-to-cutpoint-zero (implies (at-cutpoint mstate) (equal (steps-to-cutpoint mstate) 0))) (defthm steps-to-cutpoint-nonzero-intro (implies (not (at-cutpoint mstate)) (equal (steps-to-cutpoint mstate) (o+ 1 (steps-to-cutpoint (next mstate)))))) 11

  12. Symbolic simulation • Check termination by symbolically simulating machine, from each internal cutpoint to its next reachable cutpoint (implies (and (at-cutpoint mstate) (not (at-exitpoint mstate))) (let* ((steps (steps-to-cutpoint (next mstate))) (cutpoint (run steps mstate))) (and (at-cutpoint cutpoint) (o< (cutpoint-measure cutpoint) (cutpoint-measure mstate))))) • But then machine gets simulated twice per internal cutpoint! • Once to compute number of steps to next cutpoint • Second time to compute next cutpoint’s state tuple 12

  13. Symbolic simulation • Solution: use clock function to define a next-cutpoint function • Returns next cutpoint, if it is reachable • Returns a non-cutpoint value, otherwise (defun next-cutpoint (mstate) (let ((steps (steps-to-cutpoint mstate))) (if (natp steps) (run steps mstate) nil))) 13

  14. Symbolic simulation • Next-cutpoint function agrees with machine simulator... (thm (implies (at-cutpoint (next-cutpoint mstate)) (equal (next-cutpoint mstate) (run (steps-to-cutpoint mstate) mstate))))) ...and still obeys good symbolic simulation rules (defthm next-cutpoint-at-cutpoint (implies (at-cutpoint mstate) (equal (next-cutpoint mstate) mstate))) (defthm next-cutpoint-intro-next (implies (not (at-cutpoint mstate)) (equal (next-cutpoint mstate) (next-cutpoint (next mstate))))) 14

  15. Symbolic simulation • Now termination check symbolically simulates machine only once per internal cutpoint. (implies (and (at-cutpoint mstate) (not (at-exitpoint mstate))) (let ((cutpoint (next-cutpoint (next mstate)))) (and (at-cutpoint cutpoint) (o< (cutpoint-measure cutpoint) (cutpoint-measure mstate))))) 15

  16. Termination • Can now define function to count steps from cutpoint to next exitpoint (defun steps-to-exitpoint-from-cutpoint (mstate) (declare (xargs :measure (cutpoint-measure mstate))) (cond ((not (at-cutpoint mstate)) 0) ((at-exitpoint mstate) 0) (t (+ 1 (steps-to-cutpoint (next mstate)) (steps-to-exitpoint-from-cutpoint (next-cutpoint (next mstate))))))) 16

  17. Termination • Main termination theorem: (defthm total-correctness-from-cutpoint (implies (at-cutpoint mstate) (at-exitpoint (run (steps-to-exitpoint-from-cutpoint mstate) mstate)))) 17

  18. Efficient simulator • Goal 2: Define an executable machine simulator function that doesn’t use a step counter • Simulator returns the first reachable exitpoint state • Simulator guard: input state must be a cutpoint 18

  19. Efficient simulator • Defining the simulator: • First define a cutpoint simulator , that steps the machine from one cutpoint to the next cutpoint • Main simulator calls cutpoint simulator until exitpoint is reached • Use cutpoint measure to prove termination • Main challenge: stobj syntactic restrictions 19

  20. Stobj restrictions • Want to use steps-to-cutpoint in guards, but not execute them :guard (at-cutpoint (run (steps-to-cutpoint mstate) mstate)) • Problem: ACL2 requires guards to be executable • Difficult to make guards stobj-compliant • This definition doesn’t work, since defpun not stobj-compliant: (defun steps-to-cutpoint (mstate) (declare (xargs :stobjs (mstate))) (let ((steps (steps-to-cutpoint-tail 0 mstate))) (if (at-cutpoint (run steps mstate)) steps (omega)))) 20

  21. Stobj restrictions • Need to write coercion functions between stobjs and ACL2 values logical-mstatep : * => bool copy-from-mstate : mstate => * copy-to-mstate : (* mstate) => mstate (defthm copy-from-mstate-correct (implies (mstatep mstate) (equal (copy-from-mstate mstate) mstate))) (defthm copy-to-mstate-correct (implies (and (mstatep mstate) (logical-mstatep copy)) (equal (copy-to-mstate copy mstate) copy))) 21

  22. Stobj restrictions • Next problem: guards are not allowed to modify stobjs (defun steps-to-cutpoint (mstate) (declare (xargs :stobjs (mstate))) (let* ((mstate-copy (copy-from-mstate mstate)) (steps (steps-to-cutpoint-tail 0 mstate-copy))) (if (at-cutpoint (run steps mstate)) steps (omega)))) • “ACL2 value” version of run requires “ACL2 value” next • Basically need to redefine the entire machine semantics 22

  23. Stobj restrictions • Solution: create a with-copy-of-stobj macro • allocates a local copy of stobj object • Executes a stobj-compliant mv-let form on the local copy • Discards the mv-let ’s final stobj • Returns the mv-let ’s final value • Modified steps-to-cutpoint function is now stobj-compliant • Can be used in guards • ACL2 runtime error if executed (but still sound) 23

  24. Efficient simulator • Clockless simulator, useful for cutpoint-induction proofs: • next-cutpoint-exec defined with stobj-compliant guard • called by cutpoint simulator cutpoint-to-cutpoint-exec • Main simulator calls cutpoint simulator until exitpoint (defun next-exitpoint-exec (mstate) (declare (xargs :stobjs (mstate) :measure (cutpoint-measure mstate) :guard (at-cutpoint mstate))) (if (mbt (at-cutpoint mstate)) (if (at-exitpoint mstate) mstate (let ((mstate (cutpoint-to-cutpoint-exec mstate))) (next-exitpoint-exec mstate))) (dummy-mstate mstate))) 24

  25. Efficient simulator • Clockless simulator, useful for efficient execution (not in supporting materials): (defun next-exitpoint-exec (mstate) (declare (xargs :stobjs (mstate) :guard (cutpoint-reachable mstate) :measure (steps-to-exitpoint mstate))) (if (mbt (and (mstatep mstate) (cutpoint-reachable mstate))) (if (at-exitpoint mstate) mstate (let ((mstate (next mstate))) (next-exitpoint-exec mstate))) mstate)) 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Consistently Adding Primitive Recursive Definitions in ACL2 by John Cowles University of

Consistently Adding Primitive Recursive Definitions in ACL2 by John Cowles University of

Consistently Adding Primitive Recursive Definitions in ACL2 by John Cowles University of Wyoming 1 defpun A macro for consistently introducing partial functions into CAL2. Described in Pete &amp; Js paper, Partial Functions in ACL2

295 views • 27 slides
Attaching Efficient Executability to Partial Functions in ACL2 Sandip Ray Department of Computer

Attaching Efficient Executability to Partial Functions in ACL2 Sandip Ray Department of Computer

Attaching Efficient Executability to Partial Functions in ACL2 Sandip Ray Department of Computer Science University of Texas at Austin Email: sandip@cs.utexas.edu web: http://www.cs.utexas.edu/users/sandip U NIVERSITY OF T EXAS AT A USTIN D

626 views • 35 slides
Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a logic of total functions. Some recursive equations have no satisfying ACL2 functions: No ACL2 function g satisfies this recursive equation

518 views • 35 slides
ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya http://staff.computing.dundee.ac.uk/katya/acl2ml/ 12 July 2014 ACL214 J. Heras ACL2(ml): Machine-Learning for ACL2 1/23 Outline Some Challenges in ACL2 1 An overview of

871 views • 56 slides
Partial Functions and Domination C T Chong National University of Singapore

Partial Functions and Domination C T Chong National University of Singapore

Partial Functions and Domination C T Chong National University of Singapore chongct@math.nus.edu.sg CTFM, Tokyo 711 September 2015 Domination for Partial Functions Definition Let f , g be partial functions. Then g dominates f if

664 views • 28 slides
Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the Foundations of

Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the Foundations of

Introduction Natural numbers objects in monoidal categories Weak representability of partial recursive functions Strong representability of partial recursive functions Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the

800 views • 58 slides
Partial Functions and Categories of Partial Maps Science Atlantic at Acadia University Darien

Partial Functions and Categories of Partial Maps Science Atlantic at Acadia University Darien

Motivation of Partial Functions Formally Defining Partial Functions Categories Restriction Categories Partial Functions and Categories of Partial Maps Science Atlantic at Acadia University Darien DeWolf October 24, 2015 Darien DeWolf

194 views • 17 slides
Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof Wolfgang Goerigk Christian-Albrechts-Universit at zu Kiel, Germany wg@informatik.uni-kiel.de wg/

297 views • 28 slides
Real Vector Spaces, the Cauchy-Schwarz Inequality, &amp; Convex Functions in ACL2(r) Carl Kwan

Real Vector Spaces, the Cauchy-Schwarz Inequality, &amp; Convex Functions in ACL2(r) Carl Kwan

Real Vector Spaces, the Cauchy-Schwarz Inequality, &amp; Convex Functions in ACL2(r) Carl Kwan Mark R. Greenstreet University of British Columbia 15th International Workshop on the ACL2 Theorem Prover and Its Applications Carl Kwan &amp; Mark

383 views • 27 slides
Partial Recursive Functions Computation Theory , L 8 101/171 Aim A more abstract,

Partial Recursive Functions Computation Theory , L 8 101/171 Aim A more abstract,

Partial Recursive Functions Computation Theory , L 8 101/171 Aim A more abstract, machine-independent description of the collection of computable partial functions than provided by register/Turing machines: they form the smallest collection

349 views • 16 slides
Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming Introduction ACL2 ( r ) is a variant of ACL2 that supports the irrational numbers It is distributed with the ACL2 sources The foundations of ACL2

479 views • 29 slides
JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the first order) by A.J.Hobson 14.1.1 Functions of several variables 14.1.2 The definition of a partial derivative UNIT 14.1 PARTIAL DIFFERENTIATION

295 views • 8 slides
Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2 Workshop, FLoC, Seattle, August 16, 2006 1 Introduction ACL2 provides a powerful congruence-based rewriting capability. However, some have

537 views • 19 slides
The Representability of Partial Recursive Yan Steimle Functions in Arithmetical Theories and

The Representability of Partial Recursive Yan Steimle Functions in Arithmetical Theories and

Representing Recursive Functions The Representability of Partial Recursive Yan Steimle Functions in Arithmetical Theories and Definitions Main Categories theorems Statements Proof Total recursive functions Yan Steimle Conclusion

574 views • 32 slides
How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1 Introduction (1) ACL2 Version 3.5 was released in May, 2009. Release note items (see :DOC release-notes) since then: (+ 41 ; 3.6 (8/2009) 3 ;

622 views • 49 slides
Partial Computable Functions: Analysis and Complexity Margarita Korovina IIS SbRAS, Novosibirsk

Partial Computable Functions: Analysis and Complexity Margarita Korovina IIS SbRAS, Novosibirsk

Partial Computable Functions: Analysis and Complexity Margarita Korovina IIS SbRAS, Novosibirsk Oleg Kudinov Inst. of Math SbRAS, Novosibirsk CCC 2017 Nancy, June 2017 Goals Does the class of partial computable functions have a universal

515 views • 23 slides
Lecture 20: Satisfiability Steven Skiena Department of Computer Science State University of New

Lecture 20: Satisfiability Steven Skiena Department of Computer Science State University of New

Lecture 20: Satisfiability Steven Skiena Department of Computer Science State University of New York Stony Brook, NY 117944400 http://www.cs.sunysb.edu/ skiena Problem of the Day Suppose we are given a subroutine which can solve the

361 views • 25 slides
Day 5: Subroutines Suggested reading: Learning Perl (4th Ed.) Chapter 4, Subroutines 2012 Summer

Day 5: Subroutines Suggested reading: Learning Perl (4th Ed.) Chapter 4, Subroutines 2012 Summer

Computer Sciences 368 Introduction to Perl Day 5: Subroutines Suggested reading: Learning Perl (4th Ed.) Chapter 4, Subroutines 2012 Summer Cartwright 1 Computer Sciences 368 Introduction to Perl Turn In Homework 2012 Summer Cartwright 2

408 views • 25 slides
The Stack and Subroutines The Stack p. 1/9 The Subroutine Allow re-use of code Write

The Stack and Subroutines The Stack p. 1/9 The Subroutine Allow re-use of code Write

Systems Architecture The Stack and Subroutines The Stack p. 1/9 The Subroutine Allow re-use of code Write (and debug) code once, use it many times A subroutine is called Subroutine will return on completion Defer

623 views • 23 slides
Computer Systems Lecture 12 Subroutines CS 230 - Spring 2020 2-1 Subroutines Also called

Computer Systems Lecture 12 Subroutines CS 230 - Spring 2020 2-1 Subroutines Also called

CS 230 Introduction to Computers and Computer Systems Lecture 12 Subroutines CS 230 - Spring 2020 2-1 Subroutines Also called functions, methods, or procedures all the same thing in assembly language examples from C: sqrt()

798 views • 46 slides
POINTERS IN C, PASSING POINTERS TO FUNCTIONS CSSE 120Rose-Hulman Institute of Technology

POINTERS IN C, PASSING POINTERS TO FUNCTIONS CSSE 120Rose-Hulman Institute of Technology

POINTERS IN C, PASSING POINTERS TO FUNCTIONS CSSE 120Rose-Hulman Institute of Technology Parameter Passing in Python In Python, parameters are passed two ways: For numbers, a copy of the number is passed to the function For

325 views • 14 slides
CS 188: Artificial Intelligence Lecture 6 and 7: Search for Games Pieter Abbeel UC Berkeley

CS 188: Artificial Intelligence Lecture 6 and 7: Search for Games Pieter Abbeel UC Berkeley

CS 188: Artificial Intelligence Lecture 6 and 7: Search for Games Pieter Abbeel UC Berkeley Many slides adapted from Dan Klein 1 Overview Deterministic zero-sum games Minimax Limited depth and evaluation functions for

454 views • 21 slides
C Programming for Engineers Functions &amp; Recursions ICEN 360 Spring 2017 Prof. Dola Saha

C Programming for Engineers Functions &amp; Recursions ICEN 360 Spring 2017 Prof. Dola Saha

C Programming for Engineers Functions &amp; Recursions ICEN 360 Spring 2017 Prof. Dola Saha 1 Classwork Assignment Compute rim area of a flat washer using function to calculate the area. 2 Writing a function to calculate area 3

340 views • 32 slides
Quicksort Proposed by C.A.R. Hoare in 1962. Divide-and-conquer algorithm. Sorts

Quicksort Proposed by C.A.R. Hoare in 1962. Divide-and-conquer algorithm. Sorts

CS 3343 -- Spring 2009 Quicksort Proposed by C.A.R. Hoare in 1962. Divide-and-conquer algorithm. Sorts in place (like insertion sort, but not like merge sort). Very practical (with tuning). Quicksort Carola Wenk Slides

277 views • 13 slides

More recommend