proofs harnessing smt solvers for tla
play

+ Proofs Harnessing SMT solvers for TLA Stephan Merz and Hern an - PowerPoint PPT Presentation

Mar 26, 2023 •311 likes •615 views

+ Proofs Harnessing SMT solvers for TLA Stephan Merz and Hern an Vanzetto + Workshop, Paris, France TLA August 27th, 2012 1 Introduction + proof language: TLA Hierarchical proof structure Top-down development: users refine assertions

  1. + Proofs Harnessing SMT solvers for TLA Stephan Merz and Hern´ an Vanzetto + Workshop, Paris, France TLA August 27th, 2012 1

  2. Introduction + proof language: TLA Hierarchical proof structure Top-down development: users refine assertions until they are “obvious” Leaf steps verified by automatic backend provers ◮ invoke proof method ◮ cite necessary assumptions and facts ◮ expand definitions + Proof System: TLA + proofs Mechanically checks TLA Currently proves only non-temporal fragment + Toolbox Supported by the TLA 2

  3. Architecture of TLAPS 3

  4. Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers 4

  5. Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers Zenon ◮ Tableau prover for first-order logic with equality + on sets, functions, ... ◮ Includes extensions for TLA ◮ Backend called by default ; proofs certified by Isabelle 4

  6. Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers Zenon ◮ Tableau prover for first-order logic with equality + on sets, functions, ... ◮ Includes extensions for TLA ◮ Backend called by default ; proofs certified by Isabelle SimpleArithmetic (obsolete) ◮ Cooper’s algorithm for Presburger arithmetic 4

  7. Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers Zenon ◮ Tableau prover for first-order logic with equality + on sets, functions, ... ◮ Includes extensions for TLA ◮ Backend called by default ; proofs certified by Isabelle SimpleArithmetic (obsolete) ◮ Cooper’s algorithm for Presburger arithmetic SMT ◮ Available since the last public version of TLAPS (v1.0) ◮ Based on type inference 4

  8. Motivation Typical proof obligations usually contain a mix of arithmetic, sets, functions, which the older backends were not able to handle at once SMT solvers offer a combination of: + First-order reasoning + Decision procedures for other theories (=, linear arithmetic, . . . ) SMT input languages: Based on many-sorted first-order logic Predefined Bool and integer sorts Uninterpreted functions, if-then-else function 5

  9. Table of Contents Introduction 1 First approach: SMT backend based on type inference 2 Second approach: untyped encoding 3 Experimental results 4 Conclusions 5 6

  10. First approach: a backend based on type inference 7

  11. First approach: a backend based on type inference + expressions Inference algorithm recurses over TLA + terms ◮ Ad-hoc type system for TLA (unspecified type ⊥ , integer type, sets, functions, . . . ) 7

  12. First approach: a backend based on type inference + expressions Inference algorithm recurses over TLA + terms ◮ Ad-hoc type system for TLA (unspecified type ⊥ , integer type, sets, functions, . . . ) Soundness: incorrect typing can make invalid theorems provable ◮ x / ∈ Int ⇒ x + 0 = x ; ( ¬¬ X ) = X 7

  13. First approach: a backend based on type inference + expressions Inference algorithm recurses over TLA + terms ◮ Ad-hoc type system for TLA (unspecified type ⊥ , integer type, sets, functions, . . . ) Soundness: incorrect typing can make invalid theorems provable ◮ x / ∈ Int ⇒ x + 0 = x ; ( ¬¬ X ) = X Safe types : ⊥ , set( ⊥ ), set(set( ⊥ )), . . . Typing hypotheses are available facts of the form y ∈ � x ≈ exp and ∀ � S : f ( � y ) ≈ exp with ≈ ∈ { = , ∈ , ⊆} 7

  14. First approach: a backend based on type inference + formulas are translated to SMT input formats Well-typed TLA + expressions contain only operators that have a Basic TLA direct representation in SMT formats (logical, arithm. and if s) Sets, functions, records, tuples encoded as uninterpreted functions Example x :: Z ⊢ x ∈ Int ⇒ x + 0 = x − → x + 0 = x a :: ⊥ ; S , T :: set ( ⊥ ) ⊢ a ∈ S ∪ T − → S ( a ) ∨ T ( a ) Type information for variables usually provided by type invariants 8

  15. Toy example axiom NatInduction ≡ assume new P ( ) , P (0) , ∀ n ∈ Nat : P ( n ) ⇒ P ( n + 1) ∀ n ∈ Nat : P ( n ) prove 9

  16. Toy example axiom NatInduction ≡ assume new P ( ) , P (0) , ∀ n ∈ Nat : P ( n ) ⇒ P ( n + 1) ∀ n ∈ Nat : P ( n ) prove theorem GeneralNatInduction ≡ assume new P ( ) , ∀ n ∈ Nat : P ( n ) ∈ boolean , (typing hypothesis) ∀ n ∈ Nat : ( ∀ m ∈ 0 .. ( n − 1) : P ( m )) ⇒ P ( n ) ∀ n ∈ Nat : P ( n ) prove � 1 � . define Q ( n ) ≡ ∀ m ∈ 0 .. n : P ( m ) � 1 � 1 . Q (0) by SMT � 1 � 2 . ∀ n ∈ Nat : Q ( n ) ⇒ Q ( n + 1) by SMT � 1 � 3 . ∀ n ∈ Nat : Q ( n ) by � 1 � 1 , � 1 � 2 , NatInduction , SMT � 1 � 4 . qed by � 1 � 3 , SMT 9

  17. Second approach: untyped encoding 10

  18. Second approach: untyped encoding + terms are mapped to a unique SMT sort U TLA Operators are uninterpreted functions or predicates ◮ union : U × U → U in : U × U → Bool Operators’ semantics are defined axiomatically ◮ Axiom for ∪ : ∀ x , S , T : U . ( x ∈ S ∪ T ) = ( x ∈ S ∨ x ∈ T ) ◮ Primitive operators ( ∈ , f [ x ], domain ) are left uninterpreted Functions are related to its argument by apply : U × U → U 10

  19. Encoding arithmetic Arithmetic expressions are lifted to elements on sort U Embedding function φ : Int → U (uninterpreted and injective) 42 is encoded as φ (42) x ∈ Int is encoded as ∃ n : Int . x = φ ( n ) 11

  20. Encoding arithmetic Arithmetic expressions are lifted to elements on sort U Embedding function φ : Int → U (uninterpreted and injective) 42 is encoded as φ (42) x ∈ Int is encoded as ∃ n : Int . x = φ ( n ) Arithmetic operators are homomorphically embedded using φ + U : U × U → U Axiom for +: ∀ m , n : Int . φ ( m ) + U φ ( n ) = φ ( m + n ) Example ∀ x ∈ Int : x + 0 = x − → ∀ x : U . ( ∃ n : Int . x = φ ( n )) ⇒ x + U φ (0) = x 11

  21. Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 12

  22. Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 2 Disambiguation of equalities by inferred kinds ◮ [ [ S = T ] ] ≡ ∀ x : [ [ x ∈ S ⇔ x ∈ T ] ] (when S , T are sets) ◮ S = { a } ∪ {} − → ∀ x : x ∈ S ⇔ x = a ∨ false 12

  23. Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 2 Disambiguation of equalities by inferred kinds ◮ [ [ S = T ] ] ≡ ∀ x : [ [ x ∈ S ⇔ x ∈ T ] ] (when S , T are sets) ◮ S = { a } ∪ {} − → ∀ x : x ∈ S ⇔ x = a ∨ false 3 Term-rewriting of top-level equalities ◮ assume T = { 1 , 2 } − → ∀ x : ( x = 1 ∨ x = 2) ⇒ x ∈ Int T ⊆ Int prove 12

  24. Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 2 Disambiguation of equalities by inferred kinds ◮ [ [ S = T ] ] ≡ ∀ x : [ [ x ∈ S ⇔ x ∈ T ] ] (when S , T are sets) ◮ S = { a } ∪ {} − → ∀ x : x ∈ S ⇔ x = a ∨ false 3 Term-rewriting of top-level equalities ◮ assume T = { 1 , 2 } − → ∀ x : ( x = 1 ∨ x = 2) ⇒ x ∈ Int T ⊆ Int prove 4 Abstraction of non-basic operators ◮ ∀ a : P ( { a }∪{} ) ⇔ P ( { a } ) − → ∀ a , s 1 , s 2 : ∧ s 1 = { a } ∪ {} ∧ s 2 = { a } ⇒ P ( s 1 ) ⇔ P ( s 2 ) 12

  25. Experimental results N -process Bakery algorithm ◮ includes some basic arithmetic Memoir security architecture ◮ mostly based on records Module Cardinality of finite sets Original Typed-SMT/Z3 Untyped-SMT/Z3 size time size time size time Bakery 120 15.66 3 2.76 4 0.67 Memoir 424 7.31 14 5.08 14 1.11 Cardinality 185 2.12 - - 54 0.88 (length = number of non-trivial proof-obligations ; time in seconds) + , SimpleArithmetic - Original = proof using Zenon, Isabelle/TLA 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Bit-Width-Independent Proofs in SMT Solvers Aina Niemetz 1 Mathias Preiner 1 Andrew

Towards Bit-Width-Independent Proofs in SMT Solvers Aina Niemetz 1 Mathias Preiner 1 Andrew

Towards Bit-Width-Independent Proofs in SMT Solvers Aina Niemetz 1 Mathias Preiner 1 Andrew Reynolds 2 Yoni Zohar 1 Clark Barrett 1 Cesare Tinelli 2 1. Stanford University, Stanford, USA 2. The University of Iowa, Iowa City, USA 1 Towards

764 views • 32 slides
Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using SMT-LIB 2.5 Clifford Wolf 1 Abstract Bounded model checking and other SAT-based formal methods are an important part of todays digital design

773 views • 52 slides
Extending ACL2 with SMT solvers Yan Peng & Mark Greenstreet University of British Columbia

Extending ACL2 with SMT solvers Yan Peng & Mark Greenstreet University of British Columbia

Motivation Integration architecture Customizing Smtlink Summary and Future work Extending ACL2 with SMT solvers Yan Peng & Mark Greenstreet University of British Columbia October 2nd, 2015 Smtlink handles tedious details of proofs so you

537 views • 38 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Satisfiability Modulo Theories SMT solvers are finding their way in many different application

Satisfiability Modulo Theories SMT solvers are finding their way in many different application

Applications of SMT solvers Alessandro Cimatti Embedded System Unit Fondazione Bruno Kessler Trento, Italy cimatti@fbk.eu Applications of SMT solvers @ SAT/SMT School, Helsinki, July 2013 Satisfiability Modulo Theories SMT solvers are

1.09k views • 27 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Pluggable SAT-Solvers for SMT-Solvers Bas Schaafsma DISI, University of Trento & Fondazione

Pluggable SAT-Solvers for SMT-Solvers Bas Schaafsma DISI, University of Trento & Fondazione

Introduction The DPLL and DPLL( T ) algorithms Architecture & Implementation Experimental Evaluation Demo Conclusion & Future Work Pluggable SAT-Solvers for SMT-Solvers Bas Schaafsma DISI, University of Trento & Fondazione Bruno

516 views • 28 slides
SMT Solvers: A Disruptive Technology John Rushby Computer Science Laboratory SRI International

SMT Solvers: A Disruptive Technology John Rushby Computer Science Laboratory SRI International

SMT Solvers: A Disruptive Technology John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I SMT Solvers: 1 SMT Solvers SMT stands for Satisfiability Modulo Theories SMT solvers

770 views • 39 slides
OpenFOAMs basic solvers for linear systems of equations Solvers, preconditioners, smoothers

OpenFOAMs basic solvers for linear systems of equations Solvers, preconditioners, smoothers

Tim Behrens OpenFOAMs basic solvers for linear systems of equations Solvers, preconditioners, smoothers Linear Solvers in OpenFOAM 1 Tim Behrens What are we going to do? Look at the structure of lduMatrix Compare DIC/FDIC

495 views • 14 slides
SAT and SMT Murphy Berzish Overview Boolean Satisfiability (SAT) problem SAT solvers:

SAT and SMT Murphy Berzish Overview Boolean Satisfiability (SAT) problem SAT solvers:

SAT and SMT Murphy Berzish Overview Boolean Satisfiability (SAT) problem SAT solvers: basic algorithms, enhancements Limitations of SAT SMT solvers: overview Examples of SMT solvers (implementations) Practical applications

929 views • 43 slides
Math 211 Math 211 Lecture #14 M ATLAB s ODE Solvers September 26, 2003 2 Matlab Solvers

Math 211 Math 211 Lecture #14 M ATLAB s ODE Solvers September 26, 2003 2 Matlab Solvers

1 Math 211 Math 211 Lecture #14 M ATLAB s ODE Solvers September 26, 2003 2 Matlab Solvers Matlab Solvers M ATLAB has several solvers. Return 2 Matlab Solvers Matlab Solvers M ATLAB has several solvers. ode45 Return 2 Matlab Solvers

852 views • 42 slides
Tutorial on SAT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell May

Tutorial on SAT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell May

Tutorial on SAT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell May 26, 2020 SAT Solvers SAT solvers take as input a CNF formula F and return: sat (+ model): if F is satisfiable unsat : if F is unsatisfiable

273 views • 5 slides
Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms

Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms

Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms Centric Task Farms Data Ioan Raicu Distributed Systems Laboratory Computer Science Department University of Chicago Committee Members: Ian Foster:

750 views • 58 slides
Using SMT solvers for binary analysis and exploitation A primer on SMT, SMT solvers, Z3 & angr

Using SMT solvers for binary analysis and exploitation A primer on SMT, SMT solvers, Z3 & angr

Using SMT solvers for binary analysis and exploitation A primer on SMT, SMT solvers, Z3 & angr Carl Svensson August 29, 2018 Nixucon 2018 About me Carl Svensson, 27 MSc in Computer Science, KTH Head of Security, KRY/LIVI

638 views • 49 slides
Tutorial on SMT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell April

Tutorial on SMT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell April

Tutorial on SMT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell April 23, 2019 SMT Solvers SMT solvers take as input a (quantifier-free) first-order logic formula F over a background theory T , and return: sat (+

207 views • 10 slides
Solvers Principles and Architecture (SPA) Part 2 SMT Solvers Master Sciences Informatique (Sif)

Solvers Principles and Architecture (SPA) Part 2 SMT Solvers Master Sciences Informatique (Sif)

Solvers Principles and Architecture (SPA) Part 2 SMT Solvers Master Sciences Informatique (Sif) September, 2019 Rennes Khalil Ghorbal k halil.ghorbal@inria.fr K. Ghorbal (INRIA) 1 SIF M2 1 / 17 Syntax Recall that logic is a pair of

336 views • 22 slides
Digital Logic Design: a rigorous approach c Chapter 13: Decoders and Encoders Guy Even Moti

Digital Logic Design: a rigorous approach c Chapter 13: Decoders and Encoders Guy Even Moti

Digital Logic Design: a rigorous approach c Chapter 13: Decoders and Encoders Guy Even Moti Medina School of Electrical Engineering Tel-Aviv Univ. May 13, 2020 Book Homepage: http://www.eng.tau.ac.il/~guy/Even-Medina 1 / 47 Buses

721 views • 47 slides
Finite State Machine (FSM) Consists of: CLK State register S S Next Current

Finite State Machine (FSM) Consists of: CLK State register S S Next Current

Finite State Machine (FSM) Consists of: CLK State register S S Next Current Stores current state State State Loads next state at clock edge Combinational logic Computes the next state Computes the outputs Next

412 views • 26 slides
OUTLOOK Rain Overcast Sunny TRANSPORTATION LESSON NO Uncovered Covered Theoretical

OUTLOOK Rain Overcast Sunny TRANSPORTATION LESSON NO Uncovered Covered Theoretical

Learning the concept Go to lesson OUTLOOK Rain Overcast Sunny TRANSPORTATION LESSON NO Uncovered Covered Theoretical Practical NO YES NO YES Decision trees encode logical formulas A decision tree represents a disjunction of

248 views • 4 slides
Bridges between Abstract Argumentation and Belief Revision Sylvie Coste-Marquis S ebastien

Bridges between Abstract Argumentation and Belief Revision Sylvie Coste-Marquis S ebastien

Bridges between Abstract Argumentation and Belief Revision Sylvie Coste-Marquis S ebastien Konieczny Jean-Guy Mailly Pierre Marquis Centre de Recherche en Informatique de Lens Universit e dArtois CNRS UMR 8188 2 nd Madeira

564 views • 44 slides
CS 188: Artificial Intelligence Spring 2007 Lecture 9: Logical Agents 2 2/13/2007 Srini

CS 188: Artificial Intelligence Spring 2007 Lecture 9: Logical Agents 2 2/13/2007 Srini

CS 188: Artificial Intelligence Spring 2007 Lecture 9: Logical Agents 2 2/13/2007 Srini Narayanan ICSI and UC Berkeley Many slides over the course adapted from Dan Klein, Stuart Russell or Andrew Moore PDF created with pdfFactory Pro

816 views • 46 slides
Statements and Control Flow The programs we have seen so far do exactly the same list of

Statements and Control Flow The programs we have seen so far do exactly the same list of

Statements and Control Flow The programs we have seen so far do exactly the same list of instructions every time What if we want to do different things for different inputs? Do some action only if a specified condition is met We

921 views • 52 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Widgets Components Widget toolkits Logical input devices MVC at widget-level 1 CS349 -

Widgets Components Widget toolkits Logical input devices MVC at widget-level 1 CS349 -

Widgets Components Widget toolkits Logical input devices MVC at widget-level 1 CS349 - Widgets Recall: Widget Widget is a generic name for parts of an interface that have their own behavior. e.g.: buttons, progress bars, sliders,

479 views • 37 slides

More recommend