the tla proof system
play

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien - PowerPoint PPT Presentation

Dec 02, 2022 •389 likes •646 views

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 The TLA + proof system Stephan Merz (INRIA

  1. The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 1 / 19

  2. Amir Pnueli: Deduction is Forever (FM’99) Just as it was unavoidable, due to the growing complexity of circuits, that circuit manufacturers started to employ formal methods for verifying their designs, it is equally inevitable that more of the practicing verifiers will turn to deductive technologies, due to their significantly better scalability. The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 2 / 19

  3. Amir Pnueli: Deduction is Forever (contd.) For verifying an invariant p over a finite-state system: ◮ it is usually much cheaper to check ϕ ∧ ρ ⇒ ϕ ′ Θ ⇒ ϕ ϕ ⇒ p ◮ than computing ρ ∗ ( ¬ p ) by state space exploration. The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 3 / 19

  4. Amir Pnueli: Deduction is Forever (contd.) For verifying an invariant p over a finite-state system: ◮ it is usually much cheaper to check ϕ ∧ ρ ⇒ ϕ ′ Θ ⇒ ϕ ϕ ⇒ p ◮ than computing ρ ∗ ( ¬ p ) by state space exploration. Main differences between deduction and exploration: ◮ deduction is based on induction while exploration computes the set of reachable states, ◮ deduction uses a more expressive language including quantifiers, leading to succinct specification of parameterized systems, ◮ deduction requires user ingenuity and interaction. The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 3 / 19

  5. Contents Using the TLA + proof system for proving invariants 1 The TLA + proof language and system 2 Conclusion and outlook 3 The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 4 / 19

  6. Invariance proofs in TLA + I ∧ [ N ] v ⇒ I ′ Elementary rule for proving invariants I ∧ � [ N ] v ⇒ � I ∆ THEOREM Inv 1 = ASSUME STATE I , STATE v , ACTION N , I ∧ [ N ] v ⇒ I ′ I ∧ � [ N ] v ⇒ � I PROVE The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 5 / 19

  7. Invariance proofs in TLA + I ∧ [ N ] v ⇒ I ′ Elementary rule for proving invariants I ∧ � [ N ] v ⇒ � I ∆ THEOREM Inv 1 = ASSUME STATE I , STATE v , ACTION N , I ∧ [ N ] v ⇒ I ′ I ∧ � [ N ] v ⇒ � I PROVE Schema for invariant proofs ∆ Spec = Init ∧ � [ Next ] vars ∧ L THEOREM Spec ⇒ Inv � 1 � 1. Init ⇒ Inv � 1 � 2. Inv ∧ Next ⇒ Inv ′ � 1 � 3. Inv ∧ UNCHANGED vars ⇒ Inv ′ � 1 � 4. QED BY � 1 � 1, � 1 � 2, � 1 � 3, Inv 1 DEF Spec The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 5 / 19

  8. Invariance proofs in TLA + I ∧ [ N ] v ⇒ I ′ Elementary rule for proving invariants I ∧ � [ N ] v ⇒ � I ∆ THEOREM Inv 1 = ASSUME STATE I , STATE v , ACTION N , I ∧ [ N ] v ⇒ I ′ I ∧ � [ N ] v ⇒ � I PROVE Schema for invariant proofs ∆ Spec = Init ∧ � [ Next ] vars ∧ L THEOREM Spec ⇒ Inv no temporal � 1 � 1. Init ⇒ Inv logic here! � 1 � 2. Inv ∧ Next ⇒ Inv ′ � 1 � 3. Inv ∧ UNCHANGED vars ⇒ Inv ′ � 1 � 4. QED BY � 1 � 1, � 1 � 2, � 1 � 3, Inv 1 DEF Spec The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 5 / 19

  9. Reasoning about actions About 95% of proof steps do not involve temporal logic ◮ reasoning about state predicates or state transitions ◮ first-order reasoning where v and v ′ are distinct variables Aim for as much automation as possible . . . ◮ open proof system: harness power of different prover back-ends ◮ first-order logic, rewriting, SAT and SMT solving etc. ◮ ensure overall correctness by proof certification . . . but encourage users to maintain readable proofs ◮ declarative, hierarchical proof language ◮ prefer an extra level of interaction over obscure automatic tactics The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 6 / 19

  10. Proving trivial steps Expand definitions and discharge automatically ∆ = ∧ pc = [ i ∈ { 0, 1 } �→ “a0” ] Init ∧ turn = 0 ∧ flag = [ i ∈ { 0, 1 } �→ FALSE ] ∆ Inv = ∧ pc ∈ [ { 0, 1 } → { “a0” , “a1” , “a2” , “a3a” , “a3b” , “cs” , “a4” } ] ∧ turn ∈ { 0, 1 } ∧ flag ∈ [ { 0, 1 } → BOOLEAN ] ∧ ∀ i ∈ { 0, 1 } : ∧ pc [ i ] ∈ { “a2” , “a3a” , “a3b” , “cs” , “a4” } ⇒ flag [ i ] ∧ pc [ i ] ∈ { “cs” , “a4” } ⇒ ∧ pc [ 1 − i ] / ∈ { “cs” , “a4” } ∧ pc [ 1 − i ] ∈ { “a3a” , “a3b” } ⇒ turn = i � 1 � 1. Init ⇒ Inv BY DEFS Init , Inv The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 7 / 19

  11. When automatic proof fails . . . Decompose proof into a sequence of “simpler” steps ∆ = ∃ i ∈ { 0, 1 } : Proc ( i ) Next ∆ Proc ( i ) = a 0 ( i ) ∨ a 1 ( i ) ∨ . . . ∨ a 4 ( i ) � 1 � 2. Inv ∧ Next ⇒ Inv ′ The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 8 / 19

  12. When automatic proof fails . . . Decompose proof into a sequence of “simpler” steps ∆ = ∃ i ∈ { 0, 1 } : Proc ( i ) Next ∆ Proc ( i ) = a 0 ( i ) ∨ a 1 ( i ) ∨ . . . ∨ a 4 ( i ) � 1 � 2. Inv ∧ Next ⇒ Inv ′ � 2 � 1. SUFFICES ASSUME Inv , NEW i ∈ { 0, 1 } , Proc ( i ) Inv ′ PROVE BY DEF Next � 2 � 2. CASE a 0 ( i ) � 2 � 3. CASE a 1 ( i ) . . . � 2 � 8. CASE a 4 ( i ) � 2 � 9. QED BY � 2 � 2, � 2 � 3, . . . , � 2 � 8 DEF Proc The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 8 / 19

  13. Contents Using the TLA + proof system for proving invariants 1 The TLA + proof language and system 2 Conclusion and outlook 3 The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 9 / 19

  14. TLA + proof language Hierarchical, declarative proof ◮ linear representation of proof tree ◮ step labels � d � lbl (where d is the depth of the step) ◮ steps assert sequents ASSUME . . . PROVE . . . ◮ top-down development: refine assertions until they are “obvious” ◮ leaf: invoke proof method, citing necessary assumptions and facts Controlling the use of assumptions, facts, and definitions ◮ limit search space for automatic provers ◮ require explicit citation of assumptions, facts, and definitions . . . ◮ . . . or make them usable throughout the current scope The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 10 / 19

  15. Example: proof of Cantor’s theorem THEOREM ASSUME NEW S , NEW f ∈ [ S → SUBSET S ] ∃ A ∈ SUBSET S : ∀ x ∈ S : f [ x ] � = A PROVE ∆ � 1 � . DEFINE T = { z ∈ S : z / ∈ f [ z ] } � 1 � 1. ∀ x ∈ S : f [ x ] � = T � 1 � 2. QED BY � 1 � 1 The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 11 / 19

  16. Example: proof of Cantor’s theorem THEOREM ASSUME NEW S , NEW f ∈ [ S → SUBSET S ] ∃ A ∈ SUBSET S : ∀ x ∈ S : f [ x ] � = A PROVE ∆ � 1 � . DEFINE T = { z ∈ S : z / ∈ f [ z ] } � 1 � 1. ∀ x ∈ S : f [ x ] � = T � 2 � 1. ASSUME NEW x ∈ S PROVE f [ x ] � = T � 2 � 2. QED BY � 2 � 1 � 1 � 2. QED BY � 1 � 1 The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 11 / 19

  17. Example: proof of Cantor’s theorem THEOREM ASSUME NEW S , NEW f ∈ [ S → SUBSET S ] ∃ A ∈ SUBSET S : ∀ x ∈ S : f [ x ] � = A PROVE ∆ � 1 � . DEFINE T = { z ∈ S : z / ∈ f [ z ] } � 1 � 1. ∀ x ∈ S : f [ x ] � = T � 2 � 1. ASSUME NEW x ∈ S PROVE f [ x ] � = T � 3 � 1. CASE x ∈ T OBVIOUS � 3 � 2. CASE x / ∈ T OBVIOUS � 3 � 3. QED BY � 3 � 1, � 3 � 2 � 2 � 2. QED BY � 2 � 1 � 1 � 2. QED BY � 1 � 1 The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 11 / 19

  18. System architecture TLAPS proof manager parse and compute convert to TLA+ proof proof obligations constant level certify proof call backends to diagnostics (when possible) attempt proof Isabelle/TLA+ SMT solver Zenon The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 12 / 19

  19. Proof Manager Interpret hierarchical TLA + proof ◮ manage assumptions and current goal ◮ expand operator definitions if they are USE d Rewrite proof obligations to constant level ◮ handle primed expressions such as Inv ′ ◮ distribute prime over (constant-level) operators ◮ introduce distinct variables e and e ′ for atomic state expression e Invoke back-end provers ◮ user chooses which prover to use (default: Zenon, then Isabelle) The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 13 / 19

  20. Proof reconstruction Oracle: trusted external reasoner ◮ simple, but error-prone ◮ translation and backend part of trusted code base Proof reconstruction: skeptical integration ◮ replay proofs in trusted proof assistant (Isabelle/TLA + ) ◮ reconstruction should be cheap The TLA + proof system Stephan Merz (INRIA Nancy) Amir Pnueli 2010 14 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the property that it reflects the methods by which humans commonly do mathematics, it is ill suited for use in automated reasoning, because of the infinite

590 views • 41 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Background Proof assistants in education Arend System description Implementation Future work Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer science education Andrew V. Clifton

564 views • 52 slides
Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

879 views • 74 slides
The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell University Ithaca, NY 14853 http://www.nuprl.org The Nuprl Project at Computational formal logics Type Theory Proof &

1.24k views • 93 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian Hays, Associate Director Ins8tute of Renewable Natural Resources Texas A&M AgriLife Extension

506 views • 21 slides
The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos

The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos

Naproche system Dynamic Quantification Undefined terms and presuppositions Conclusion The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos Cramer University of Luxembourg 18 July 2014 The Naproche

1.07k views • 50 slides
On some universal proof system for all versions of many-valued logics Department of Informatics

On some universal proof system for all versions of many-valued logics Department of Informatics

ANAHIT CHUBARYAN, ARTUR KHAMISYAN On some universal proof system for all versions of many-valued logics Department of Informatics and Applied Mathematics Yerevan State University 1 Main notions of k-valued logic. 1 k2 Let E k be the set

459 views • 17 slides
15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a

15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a

15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a refutational Systems for CNF formulas It was introduced by Blake in 1937 and then became important by a work Davis-Putnam and Robinson in the 60s in the

769 views • 75 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

462 views • 6 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

112 views • 8 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

451 views • 7 slides
Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk,

Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk,

Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk, Universitetet i Oslo June 2, 2015 1 / 37 Introduction TLA: temporal logic of actions combination of Logic of actions standard temporal logics

597 views • 37 slides
Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure Kukovec Thanh-Hai Tran VeriDis + Matryoushka seminar, Amsterdam, June 2019 Why TLA + ? Rich specification language TLA + is used in industry, e.g.,

699 views • 46 slides
TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D.

TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D.

TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D. Doligez, L. Lamport INRIA Nancy Microsoft Research - INRIA Joint Centre Saclay http://www.msr-inria.inria.fr/Projects/tools-for-formal-specs Deduction

486 views • 36 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
Breakout Session Creating High-Quality Professional Learning: Enabling Choice, Ownership, and

Breakout Session Creating High-Quality Professional Learning: Enabling Choice, Ownership, and

Breakout Session Creating High-Quality Professional Learning: Enabling Choice, Ownership, and More Focused Support Beth Rabbitt, The Learning Accelerator Juliana Finegan, The Learning Accelerator Errika Baker, Chicago Public Schools Kristen

770 views • 36 slides
A High-Level Language for Modeling Algorithms and their Properties Sabina Akhtar Stephan Merz

A High-Level Language for Modeling Algorithms and their Properties Sabina Akhtar Stephan Merz

A High-Level Language for Modeling Algorithms and their Properties Sabina Akhtar Stephan Merz Martin Quinson LORIA INRIA Nancy Grand Est and Nancy University, Nancy, France SBMF 2010 1 / 55 Outline Introduction 1 Background

884 views • 55 slides
Electrum Lightweight specification of behavioral models with rich configurations Julien Brunel 1

Electrum Lightweight specification of behavioral models with rich configurations Julien Brunel 1

Electrum Lightweight specification of behavioral models with rich configurations Julien Brunel 1 , David Chemouil 1 , Alcino Cunha 2 , Nuno Macedo 2 et al. Workshop on the Future of Alloy, April 30 & May 1, 2018, MIT. 1 ONERA/DTIS &

209 views • 7 slides
Model-Independent Constraints on Lepton-Flavor-Violating Decays of the Top Quark Jennifer Kile,

Model-Independent Constraints on Lepton-Flavor-Violating Decays of the Top Quark Jennifer Kile,

Model-Independent Constraints on Lepton-Flavor-Violating Decays of the Top Quark Jennifer Kile, Amarjit Soni Brookhaven National Laboratory Pheno 08, April 28, 2008 Introduction LHC: huge top physics potential ( 10 8 t s!). t unique,

401 views • 11 slides

More recommend