Proving invariants: how many times a program should be unfolded ? Paul Caspi, Jan Miká � VERIMAG – Grenoble
Problem definition 1 A closed system state space S initial state I is a predicate on S transition relation T is a predicate on S x S sequence of states X 0 ,X 1 ,X 2 ,...X n ,... such that I(X 0 ) and T(X n ,X n+1 ) hold Properties strongest invariant of the system X = I ∪ ∪ ∪ ∪ T[ X ] (fix) an invariant property P: X � � � � P ? Induction I P P T[P] X � � � � P
Problem definition 2 Induction n unfoldings I P P T[P] X � � � � P I P, I P, I P, I P, T[I] P, ..., T[I] P, ..., T[I] P, ..., T[I] P, ..., T n-1 [I] P T n-1 [I] P T n-1 [I] P T n-1 [I] P P ∧ P ∧ P ∧ ∧ T[P] ∧ ∧ T[P] ∧ ∧ T[P] ∧ ∧ ... ∧ ∧ ... ∧ ∧ ... ∧ ∧ T n-1 [P] T[P] ∧ ∧ T n-1 [P] T[P] ∧ ∧ T n-1 [P] T[P] ∧ ∧ ... ∧ ∧ ... ∧ ∧ ... ∧ ∧ T n [P] ∧ T n [P] ∧ T n [P] P ∧ ∧ T[P] ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ... ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ T n-1 [P] T n [P] ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ... ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ T[P] ∧ ∧ (X � � � � P) ∧ ∧ ∧ ∧ ... ∧ X � X � X � ∧ ∧ (T n [ X ] � ∧ � � � � � � � � � P P P � � � P) What is a ``good'' value for n ? ``Good'' means easy to find (by a machine) likely to work number of variables of the system
Problem definition 2 Induction proof n unfoldings I P P T[P] proof I P, T[I] P I P, T[I] P, T 2 [I] P proof X � � � P � P ∧ ∧ ∧ ∧ T[P] T 2 [P] P ∧ ∧ T[P] ∧ ∧ ∧ ∧ ∧ T 2 [P] T 3 [P] ∧ I P, I P, I P, I P, T[I] P, ..., T[I] P, ..., T[I] P, ..., T[I] P, ..., T n-1 [I] P T n-1 [I] P T n-1 [I] P T n-1 [I] P proof X � � � � P X � � � � P P ∧ P ∧ P ∧ ∧ T[P] ∧ ∧ T[P] ∧ ∧ T[P] ∧ ∧ ... ∧ ∧ ... ∧ ∧ ... ∧ ∧ T n-1 [P] T[P] ∧ ∧ T n-1 [P] T[P] ∧ ∧ T n-1 [P] T[P] ∧ ∧ ... ∧ ∧ ... ∧ ∧ ... ∧ ∧ T n [P] ∧ T n [P] ∧ T n [P] P ∧ ∧ ∧ ∧ ∧ T[P] ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ... ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ T n-1 [P] T n [P] ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ... ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ ∧ T[P] ∧ (X � � � � P) ∧ ∧ ∧ ∧ ... ∧ X � X � X � ∧ ∧ (T n [ X ] � ∧ � � � � � � � � � P P P � � � P) What is a ``good'' value for n ? ``Good'' means easy to find (by a machine) likely to work number of variables of the system
Small example 1 f = 1.(f + g) 1 1 2 2 4 ... g = 0.(f – g) 0 1 0 2 0 ... prove All f+g > 0 n = 1 n = 2 f+g > 0 f+g > 0 1.(2f) > 0 1.(f+g)+0.(f-g) > 0 1.2.(2f + 2g)>0 impossible to prove provable g = 1.(f + g) 1 1 0 -2 -4 ... f = 0.(f – g) 0 -1 -2 -2 0 ... f =-1.(f + g) -1 1 -2 2 -4 ... g = 2.(f – g) 2 -3 4 -6 8 ...
Small examples 2 fibo = 1.(fibo + g) 1 1 2 3 5 8 ... g = 0.fibo 0 1 1 2 3 5 ... prove All fibo > 0 n = 2 fibo > 0 1.(fibo + g) > 0 provable 1.(1.(fibo+g) + 0.fibo)>0 fibo = 1.(fibo + 0.fibo) prove All fibo > 0 n = 1 fibo > 0 provable 1.(fibo + 0.fibo) > 0
Small example 3 1 1 3 4 9 14 ... f = 1.(f + g) 0 2 1 5 5 14 ... g = 0.(f + h) 1 0 2 1 5 5 ... h = 1.g prove All f > 0 n = ? f > 0 1.(f + g) > 0 1.1.(2f+g+h) > 0 1.1.3.(3f+3g+h) > 0 1.1.3.4.(6f+4g+3h) > 0 1.1.3.4.9.(10f+9g+4h) > 0 ... ... ...
Example conclusion What is a ``good'' value for n ? ``Good'' is easy to find (by a machine) likely to work number of variables of the system In fact we want : dimension of the system. Number of variables mostly � dimension Number of variables is easy to find Unfold < n times : can work (property holds on a whole class) Unfold n times : works because all information is used Unfold n times : if it doesn't work, we have no other limit
Example of synchronizer Paul Miner & Steven Johnson Verification of an Optimized Fault-Tolerant Clock Synchronization Circuit Normal circuit Optimized circuit rd f1 nf 0 rd + f1 + /2 nf norm opt
Example of synchronizer Paul Miner & Steven Johnson Verification of an Optimized Fault-Tolerant Clock Synchronization Circuit rd=0 -> if R then 0 else pre rd+1 ; rd=0.(if tl (R) then 0 else rd+1) nor=(t1 + tn) div 2 ; nor=(t1 + tn) div 2 t1=0->if R then 0 else (if f1 then pre t1 else rd); t1=0.(if tl (R) then 0 else (if tl (f1) then t1 else tl (rd))) tn=0->if R then 0 else (if nf then pre tn else rd); tn=0.(if R then 0 else (if tl (nf) then tn else tl (rd))) h =false -> (not R) and f1 and (not pre h) ; h=false.((not tl (R)) and tl (f1) and (not h)) cin=false -> (pre h) and not nf ; cin=false.(h and not tl (nf)) opt=0 -> if R then 0 else (if f1 then opt=0.(if tl (R) then 0 else (if tl (f1) then (if cin then 1 else 0) + pre opt else rd); (if tl (cin) then 1 else 0) + opt else tl (rd))) assert R -> true ; assert R.true assert nf => f1 ; assert nf => f1 assert not f1 -> true ; assert (not f1).true assert true -> R or (pre nf => nf) ; assert true.( tl (R) or (nf => tl (nf))) assert R => (not f1) ; assert R => (not f1)
Example of synchronizer Paul Miner & Steven Johnson Verification of an Optimized Fault-Tolerant Clock Synchronization Circuit rd=0 -> if R then 0 else pre rd+1 ; assert R -> true ; assert nf => f1 ; nor=(t1 + tn) div 2 ; assert not f1 -> true ; t1=0->if R then 0 else (if f1 then pre t1 else rd); assert true -> R or (pre nf => nf) ; tn=0->if R then 0 else (if nf then pre tn else rd); assert R => (not f1) ; h =false -> (not R) and f1 and (not pre h) ; cin=false -> (pre h) and not nf ; opt=0 -> if R then 0 else (if f1 then nor = opt (if cin then 1 else 0) + pre opt else rd); n unfoldings (infinite � finite) list induction (finite � scalar) PVS proof obligations (scalar) gloups
Conclusion Proving invariants: how many times a program should be unfolded ? I P, T[I] P, ..., T n-1 [I] P P ∧ ∧ ∧ T[P] ∧ ∧ ∧ ∧ ... ∧ ∧ ∧ ∧ ∧ T n-1 [P] T n [P] ∧ ∧ ... ∧ ∧ ∧ ∧ ∧ T[P] ∧ X � � � � P What is a ``good'' value for n ? ``Good'' means easy to find (by a machine) likely to work number of variables of the system
Perspectives Prove Time-Trigered Protocole Membership Algorithm (Next-TTA) Difficult problem Space requirements Modular proofs Explore link refinement-unfolding Proving refinements (vertical modularity) Evolution of the number of unfoldings during the refinement Questions ?
Recommend
More recommend
