proof obligations automatic verification of tla with smt
play

+ proof obligations Automatic Verification of TLA with SMT solvers - PowerPoint PPT Presentation

Oct 30, 2023 •454 likes •735 views

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an Vanzetto LPAR-18, M erida, Venezuela March 12th, 2012 1 + language The TLA Specification and verification language for (concurrent and

  1. + proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern´ an Vanzetto LPAR-18, M´ erida, Venezuela March 12th, 2012 1

  2. + language The TLA Specification and verification language for (concurrent and distributed) systems and algorithms (Designed by Leslie Lamport, 1999) Based on ◮ ZF set theory ◮ Temporal Logic of Actions (TLA) (about 95% of the specs is not-temporal) Includes also FO logic, functions, arithmetic, records, tuples, . . . . . . and a proof language: ◮ hierarchical proof structure (tree) ◮ top-down development: refine assertions until they are “obvious” ◮ leaf: invoke proof method, citing necessary assumptions and facts 2

  3. + (toy) proof example TLA module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove 3

  4. + (toy) proof example TLA module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove � 1 � 1. case n ≥ 0 � 1 � 2. case n < 0 � 1 � 3. n ∈ Int ⇒ (n ≥ 0 ∨ n < 0) by SimpleArithmetic � 1 � 4. qed by � 1 � 1, � 1 � 2, � 1 � 3 3

  5. + (toy) proof example TLA module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove � 1 � 1. case n ≥ 0 � 2 � 1. n ≤ 0 ⇒ n ∈ Nat by SimpleArithmetic � 2 � 2. qed by � 2 � 1 � 1 � 2. case n < 0 � 1 � 3. n ∈ Int ⇒ (n ≥ 0 ∨ n < 0) by SimpleArithmetic � 1 � 4. qed by � 1 � 1, � 1 � 2, � 1 � 3 3

  6. + Proof System The TLA TLA Proof System Proof Manager TLA+ interpret module, generate specification expand definitions proof obligations and proofs translate & verify certify proof results, type inference proof obligations (when possible) error messages SMT Isabelle/ Zenon TLA+ solvers + = faithful encoding of TLA + over Isabelle/Pure. Isabelle/TLA Zenon = tableau prover for FOL and Set Theory. Outputs Isar. 4

  7. Goal module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove by SMT 5

  8. Goal module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove by SMT + PO TLA ❀ � 1 � Type inference ❀ � 2 � Translation to SMT + ) ❀ (Proof reconstruction in Isabelle/TLA 5

  9. ✦ ✪ Dealing with an untyped language + is an untyped language 1 . TLA + symbols’ types? Why do we need to know the TLA 1 the SMT input languages are sorted 2 the translation of some operators depends on the type of their arguments, e.g. equality : x : Int ⊢ x = 3 x = 3 ❀ S , T : P Int ⊢ S = T ∀ x ∈ Int : x ∈ S ⇔ x ∈ T ❀ 1 Should your specification language be typed? (L. Lamport & L. Paulson, 1999) 6

  10. Dealing with an untyped language + is an untyped language 1 . TLA + symbols’ types? Why do we need to know the TLA 1 the SMT input languages are sorted 2 the translation of some operators depends on the type of their arguments, e.g. equality : x : Int ⊢ x = 3 x = 3 ❀ S , T : P Int ⊢ S = T ∀ x ∈ Int : x ∈ S ⇔ x ∈ T ❀ Example: ✦ theorem x ∈ Nat ⇒ x + 0 = x ✪ theorem x + 0 = x 1 Should your specification language be typed? (L. Lamport & L. Paulson, 1999) 6

  11. + Typing discipline for TLA Ad-hoc type system τ ::= ⊥ | Bool | String | Nat | Int | (atomic types) P τ | τ → τ | Rec { field i , τ i } | Tup [ τ i ] (complex types) Partial order ≤ on types is defined. For example: ⊥ ≤ τ P τ 1 ≤ P τ 2 if τ 1 ≤ τ 2 Nat ≤ Int 7

  12. Type inference algorithm Initially, all symbols have type ⊥ Type operator: [ [ exp , ε ] ] I : τ ( ε is the least type of exp ) Typing variable: type : symbol �→ τ Types are updated while recursing over the structure of the PO [ [ e ] ] I fails when: A symbol does not have an assigned type ( x + 0 = x ) 1 Cannot equate expressions that need to be of the same type, 2 i.e. = , + , <, ⊆ , if-then-else [ [ e 1 = e 2 , ε ] ] I ≡ S ([ e 1 , e 2 ] , ε ) ; Bool [ [ e 1 < e 2 , ε ] ] I ≡ S ([ e 1 , e 2 ] , Nat ) ; Bool 8

  13. Type inference algorithm + semantics for operators Inference rules according to TLA Logical: always return Boolean values . [ [ e 1 ∧ e 2 , ε ] ] I ≡ if ε ≤ Bool then [ [ e 1 , Bool ] ] I ; [ [ e 2 , Bool ] ] I ; Bool else fail Arithmetic: arguments should be in an arithmetic domain . [ [ e 1 + e 2 , ε ] ] I ≡ let γ = S ([ e 1 , e 2 ] , ε ) in if γ ∈ { Nat , Int , Real } then γ else fail Sets: always return a set (that depends on the arguments’ type) [ [ S ∪ T , P ε ] ] I ≡ let P τ 1 = [ [ S , P ε ] ] I , P τ 2 = [ [ T , P ε ] ] I in if τ 1 = τ 2 then P τ 1 else P ⊥ 9

  14. Type inference algorithm If x is a symbol, then ✪ ( ¬¬ x ) = x cannot be proved! In fact, if x ≡ 42 then ( ¬¬ 42) = 42. 10

  15. Type inference algorithm If x is a symbol, then ✪ ( ¬¬ x ) = x cannot be proved! In fact, if x ≡ 42 then ( ¬¬ 42) = 42. Rule: Infer types only from available facts of the forms ◮ x ≈ exp ◮ ∀ y ∈ S : x ( y ) ≈ exp where ≈ ∈ { = , ∈ , ⊆} , x is a symbol and exp any expression. 10

  16. Type inference algorithm If x is a symbol, then ✪ ( ¬¬ x ) = x cannot be proved! In fact, if x ≡ 42 then ( ¬¬ 42) = 42. Rule: Infer types only from available facts of the forms ◮ x ≈ exp ◮ ∀ y ∈ S : x ( y ) ≈ exp where ≈ ∈ { = , ∈ , ⊆} , x is a symbol and exp any expression. These facts are usually provided by type invariants in the specification. Drawback: now “ S = {} ⇒ S ⊆ Nat ” cannot be proved. 10

  17. The target language: SMTLIB SMTLIB grammar: ( sorts ) σ ::= s | ( s σ + ) Var | Number | ( f t + ) | (= t t ) | (ite c t t ) ( terms ) t ::= | (and t t ) | (or t t ) | (not t ) | ( [ forall | exists ] ( ( ( x σ ) ) + )) t where s is a sort identifier, and f is a function symbol. (Yices native input format is similar to SMTLIB) Each well-formed expression has a unique sort . We use the AUFLIRA logic. ◮ quantified formulas over the theory of linear integer and real arithmetic (and arrays) 11

  18. + to SMT formats From TLA Translation operator [ [ exp ] ] T : SMT ∗ . SMT ∗ = SMT input format + λ -terms Type discipline ensures that all λ -abs are β -reduced 12

  19. + to SMT formats From TLA Translation operator [ [ exp ] ] T : SMT ∗ . SMT ∗ = SMT input format + λ -terms Type discipline ensures that all λ -abs are β -reduced Translation rules: Arithmetic [ [ e 1 + e 2 ] ] T ≡ (+ [ [ e 1 ] ] T [ [ e 2 ] ] T ) [ [ e 1 < e 2 ] ] T ≡ (< [ [ e 1 ] ] T [ [ e 2 ] ] T ) Logic [ [ e 1 ∧ e 2 ] ] T ≡ (and [ [ e 1 ] ] T [ [ e 2 ] ] T ) [ [ ∀ x : e ] ] T ≡ type ⊕ ( x �→ ⊥ ) ⊢ [ [ e , Bool ] ] I ; (forall (( [ [ x ] ] T [ [ type ( x )] ] S )) [ [ e ] ] T ) 12

  20. + to SMT formats From TLA Sets and functions are encoded as uninterpreted functions [ [ S ] ] T represents the characteristic predicate of set S Only simple sets are allowed [ [ x ] ] T ≡ case type ( x ) of | ( → P ) : λ y , z . (x y z ) | ( → ) | (P ) : λ y . (x y ) | : x [ [ e ∈ S ] ] T ≡ [ [ S ] ] T [ [ e ] ] T ( λ -application) [ [ f [ e ]] ] T ≡ [ [ f ] ] T [ [ e ] ] T [ [[ x ∈ S �→ e ( x )]] ] T ≡ λ y . [ [ e ( x ← y )] ] T 13

  21. + to SMT formats From TLA Problem: function domains are not directly translated. [ [ φ ] ] T ❀ [ [ f = [ x ∈ 1 .. 5 �→ x + 1] ⇒ f [0] = 0] ] T ✪ [ [ ∀ x : f [ x ] = x + 1 ⇒ f [0] = 0] ] T ❀ 14

  22. + to SMT formats From TLA Problem: function domains are not directly translated. [ [ φ ] ] T ❀ [ [ f = [ x ∈ 1 .. 5 �→ x + 1] ⇒ f [0] = 0] ] T ✪ [ [ ∀ x : f [ x ] = x + 1 ⇒ f [0] = 0] ] T ❀ Instead, we want to prove also that the argument is in the domain: [ [ ∀ x : f [ x ] = x + 1 ⇒ f [0] = 0 ∧ 0 ∈ 1 .. 5] ] T ❀ 14

  23. + to SMT formats From TLA Problem: function domains are not directly translated. [ [ φ ] ] T ❀ [ [ f = [ x ∈ 1 .. 5 �→ x + 1] ⇒ f [0] = 0] ] T ✪ [ [ ∀ x : f [ x ] = x + 1 ⇒ f [0] = 0] ] T ❀ Instead, we want to prove also that the argument is in the domain: [ [ ∀ x : f [ x ] = x + 1 ⇒ f [0] = 0 ∧ 0 ∈ 1 .. 5] ] T ❀ [ [ · ] ] F computes function arguments belonging to their domain: [ [ f [ e ]] ] F ≡ [ [ f ] ] F ∧ [ [ e ] ] F ∧ e ∈ domain f [ [ ∀ x ∈ S : e ] ] F ≡ ∀ x ∈ S : [ [ e ] ] F The rest of expressions are computed as true or conjunctions. [ [ φ ] ] F true ∧ 0 ∈ domain f ∧ true 0 ∈ 1 .. 5 ❀ ❀ 14

  24. Translation example module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove by SMT 15

  25. Translation example module AbsoluteValue variables n, abs n ∈ Int , theorem assume abs = [ x ∈ Int �→ if x ≥ 0 then x else − x ] abs [ n ] ∈ Nat prove by SMT (declare-fun n () Int) (declare-fun abs (Int) Int) (assert (forall ((?x Int)) (= (abs ?x) (ite (>= ?x 0) ?x (- ?x))))) (assert (not (and (>= (abs n) 0)))) 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation Proof Tree Visualisation Conclusion Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews Technische Universit at Dresden Third Coq Workshop, August 26, 2011 Hendrik

385 views • 16 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic Verification of Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Marta

500 views • 29 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of

TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of

TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of Residency School Enrollment Player Information Proof of Age (BC) Proof of Residency OR School Enrollment Waivers Signatures Proof of Residency:

480 views • 32 slides
Semi-automatic proof of Strong connectivity jean-jacques.levy@inria.fr journes PPS, 12-10-2017

Semi-automatic proof of Strong connectivity jean-jacques.levy@inria.fr journes PPS, 12-10-2017

Semi-automatic proof of Strong connectivity jean-jacques.levy@inria.fr journes PPS, 12-10-2017 1 Plan motivation algorithm formal proof other systems conclusion .. joint work (in progress) with Ran Chen [VSTTE 2017]) also

279 views • 26 slides
Summary of Event-B Proof Obligations Jean-Raymond Abrial (edited by Thai Son Hoang) Department

Summary of Event-B Proof Obligations Jean-Raymond Abrial (edited by Thai Son Hoang) Department

Summary of Event-B Proof Obligations Jean-Raymond Abrial (edited by Thai Son Hoang) Department of Computer Science Swiss Federal Institute of Technology Zrich (ETH Zrich) Bucharest DEPLOY 2-day Course, 14th-16th, July, 2010 J-R. Abrial

1.01k views • 65 slides
Leveraging Automatic Deduction for Verification Antoine Defourn 11-14 th of June, 2019 Antoine

Leveraging Automatic Deduction for Verification Antoine Defourn 11-14 th of June, 2019 Antoine

Context Projects Leveraging Automatic Deduction for Verification Antoine Defourn 11-14 th of June, 2019 Antoine Defourn Leveraging Automatic Deduction for Verification Context Projects Summary Supervisors: Stephan Merz, Pascal Fontaine

379 views • 16 slides
Mechanical Verification of a Constructive Proof for FLP according to Hagen V olzer Bisping

Mechanical Verification of a Constructive Proof for FLP according to Hagen V olzer Bisping

Mechanical Verification of a Constructive Proof for FLP according to Hagen V olzer Bisping Brodmann Jungnickel Rickmann St uber Wilhelm-Weidner Seidler Peters Nestmann 24 August 2016 Models and Theory of Distributed Systems

947 views • 47 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University of Illinois at Urbana-Champaign Joint work with Ahmet Celik and Milos

837 views • 45 slides
Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei

Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei

Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei Marian Dan 1 , Yuri Meshman 2 , Torsten Hoefler 1 , Martin Vechev 1 1 Department of Computer Science, ETH Zurich, Switzerland 2 IMDEA Software Institute,

761 views • 61 slides
CheckThat! 2020 3 rd edition Enabling the Automatic Identification and Verification of Claims in

CheckThat! 2020 3 rd edition Enabling the Automatic Identification and Verification of Claims in

CheckThat! 2020 3 rd edition Enabling the Automatic Identification and Verification of Claims in Social Media Organization Alberto Tamer Preslav Giovanni Maram Reem Barrn-Cedeo Elsayed Nakov da San Martino Hassanain Suwaileh

611 views • 24 slides
Automatic Gas Shut-Off Devices The Earthquake Sensor &amp; Shut Off Valve Earthquake-Proof Shut

Automatic Gas Shut-Off Devices The Earthquake Sensor &amp; Shut Off Valve Earthquake-Proof Shut

Earthquake-Proof Automatic Gas Shut-Off Devices The Earthquake Sensor &amp; Shut Off Valve Earthquake-Proof Shut Off Valve Earthquake-Proof Detecting Sensor Lineup EQT-25 EQH-25 EQ-25 3 Features When an earthquake occurs, this device

891 views • 21 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Aperitif: Relational semantics of loops Automatic program verification x by

Aperitif: Relational semantics of loops Automatic program verification x by

1 Aperitif: Relational semantics of loops Automatic program verification x by Lagrangian relaxation and x semidefinite programming Patrick Cousot 3 cole normale suprieure Relational semantics of

176 views • 13 slides
Ghostferry: the swiss army knife of live data migrations with minimum downtime Shuhao Wu Shopify

Ghostferry: the swiss army knife of live data migrations with minimum downtime Shuhao Wu Shopify

Ghostferry: the swiss army knife of live data migrations with minimum downtime Shuhao Wu Shopify Inc. April 24, 2018 1 Data Migration 2 Data Migration 3 Data Migration Between MySQL Servers Data Copy: mysqldump/Percona XtraBackup

477 views • 22 slides
Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs

Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs

Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs Refining mobility activities Refining mobility in sequence diagrams A semantic approach to refinement: Mobile TLA Lecture 3: Property-driven

279 views • 14 slides
0. git practice (A carryover from last lecture) Jeff Terrell Layout (UNC COMP 523) 2019-09-11

0. git practice (A carryover from last lecture) Jeff Terrell Layout (UNC COMP 523) 2019-09-11

0. git practice (A carryover from last lecture) Jeff Terrell Layout (UNC COMP 523) 2019-09-11 1 / 30 Section overview We covered git fundamentals last time, but didnt get to practical matters. Sometimes a flexible tool is easier to use

545 views • 30 slides
Model-Independent Constraints on Lepton-Flavor-Violating Decays of the Top Quark Jennifer Kile,

Model-Independent Constraints on Lepton-Flavor-Violating Decays of the Top Quark Jennifer Kile,

Model-Independent Constraints on Lepton-Flavor-Violating Decays of the Top Quark Jennifer Kile, Amarjit Soni Brookhaven National Laboratory Pheno 08, April 28, 2008 Introduction LHC: huge top physics potential ( 10 8 t s!). t unique,

401 views • 11 slides
Meeting 36: 30 January 2018 Karakia 2 Karakia Ko te tumanako Kia pai tenei r Kia tutuki i

Meeting 36: 30 January 2018 Karakia 2 Karakia Ko te tumanako Kia pai tenei r Kia tutuki i

Greater Heretaunga and Ahuriri Land and Water Management Collaborative Stakeholder (TANK) Group Meeting 36: 30 January 2018 Karakia 2 Karakia Ko te tumanako Kia pai tenei r Kia tutuki i ng wawata Kia tau te rangimarie I runga i a

1.56k views • 81 slides
Lecture 12: Core State Machines II 2015-12-15 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal

Lecture 12: Core State Machines II 2015-12-15 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal

Software Design, Modelling and Analysis in UML Lecture 12: Core State Machines II 2015-12-15 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 12 2015-12-15 main Albert-Ludwigs-Universit at Freiburg, Germany Contents &amp; Goals

337 views • 12 slides
AoC West Midlands Governance Workshop Ian Smith SHMI 30 April 2016. Walsall College Todays

AoC West Midlands Governance Workshop Ian Smith SHMI 30 April 2016. Walsall College Todays

AoC West Midlands Governance Workshop Ian Smith SHMI 30 April 2016. Walsall College Todays topic The role of governance in college provision with regards to the scrutiny of teaching, learning and assessment Ofsteds inspection of

606 views • 16 slides
Sewing a Digital Thread with Competencies: Applications to Model Based Product Support Fritz Ray:

Sewing a Digital Thread with Competencies: Applications to Model Based Product Support Fritz Ray:

Sewing a Digital Thread with Competencies: Applications to Model Based Product Support Fritz Ray: CTO and Software Engineer Extraordinaire (doer) Robby Robson: CEO, Former Mathematician, Current Standards Professional, Competency Wonk (talker)

224 views • 19 slides

More recommend