tlaps the tla proof system
play

TLAPS : The TLA + Proof System Stephan Merz joint work with K. - PowerPoint PPT Presentation

Oct 18, 2022 •118 likes •486 views

TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D. Doligez, L. Lamport INRIA Nancy Microsoft Research - INRIA Joint Centre Saclay http://www.msr-inria.inria.fr/Projects/tools-for-formal-specs Deduction

  1. TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D. Doligez, L. Lamport INRIA Nancy Microsoft Research - INRIA Joint Centre Saclay http://www.msr-inria.inria.fr/Projects/tools-for-formal-specs Deduction at Scale, Schloss Ringberg March 2011 TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 1 / 23

  2. Overview The TLA + Specification Language 1 Theorem Proving With TLAPS 2 The TLA + Proof Language 3 Conclusions 4 TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 2 / 23

  3. Euclid’s Algorithm in TLA + (1/2) We start by defining divisibility and GCD MODULE Euclid EXTENDS Naturals ∆ = Nat \ { 0 } PosInteger ∆ Maximum ( S ) = CHOOSE x ∈ S : ∀ y ∈ S : x ≥ y ∆ d | q = ∃ k ∈ 1 .. q : q = k ∗ d \ * definition of divisibility ∆ Divisors ( q ) = { d ∈ 1 .. q : d | q } \ * set of divisors ∆ GCD ( p , q ) = Maximum ( Divisors ( p ) ∩ Divisors ( q )) Standard mathematical definitions ◮ TLA + is based on (untyped) set theory ◮ simple module language for structuring larger specification ◮ import TLA + library module Naturals for basic arithmetic ◮ TLA + module contains declarations, assertions, and definitions TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 3 / 23

  4. Euclid’s Algorithm in TLA + (2/2) Now model the algorithm and assert its correctness CONSTANTS M, N ∆ = M ∈ PosInteger ∧ N ∈ PosInteger ASSUME Positive VARIABLES x, y ∆ Init = x = M ∧ y = N = x < y ∧ y ′ = y − x ∧ x ′ = x ∆ SubX = y < x ∧ x ′ = x − y ∧ y ′ = y ∆ SubY ∆ = Init ∧ � [ SubX ∨ SubY ] � x , y � Spec ∆ Correctness = x = y ⇒ x = GCD ( M , N ) THEOREM Spec ⇒ � Correctness Transitions represented by action formulas SubX , SubY Algorithm represented by initial condition and next-state relation Correctness expressed as TLA formula TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 4 / 23

  5. Euclid’s Algorithm in TLA + (2/2) Now model the algorithm and assert its correctness CONSTANTS M, N ∆ = M ∈ PosInteger ∧ N ∈ PosInteger constant formula ASSUME Positive VARIABLES x, y state formula ∆ Init = x = M ∧ y = N = x < y ∧ y ′ = y − x ∧ x ′ = x ∆ SubX action formulas = y < x ∧ x ′ = x − y ∧ y ′ = y ∆ SubY ∆ = Init ∧ � [ SubX ∨ SubY ] � x , y � Spec temporal formula ∆ Correctness = x = y ⇒ x = GCD ( M , N ) THEOREM Spec ⇒ � Correctness Transitions represented by action formulas SubX , SubY Algorithm represented by initial condition and next-state relation Correctness expressed as TLA formula TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 4 / 23

  6. Verification of Euclid’s Algorithm: Model Checking TLC : explicit-state model checker ◮ verify correctness properties for finite instances ◮ Euclid: fix concrete values for M and N ◮ check that the result is correct for these inputs Variation: verify correctness over fixed interval Invaluable for debugging TLA + models ◮ verify many seemingly trivial properties ◮ type correctness, executability of every individual action, . . . ◮ absence of deadlock, eventual response to requests, . . . ◮ reveal corner cases before attempting full correctness proof TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 5 / 23

  7. Overview The TLA + Specification Language 1 Theorem Proving With TLAPS 2 The TLA + Proof Language 3 Conclusions 4 TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 6 / 23

  8. Using TLAPS to Prove Euclid’s Algorithm Correct Verify correctness for all possible inputs TLAPS : proof assistant for verifying TLA + specifications ◮ interesting specifications cannot be verified fully automatically ◮ user provides proof (skeleton) to guide verification ◮ automatic back-end provers discharge leaf obligations TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 7 / 23

  9. Using TLAPS to Prove Euclid’s Algorithm Correct Verify correctness for all possible inputs TLAPS : proof assistant for verifying TLA + specifications ◮ interesting specifications cannot be verified fully automatically ◮ user provides proof (skeleton) to guide verification ◮ automatic back-end provers discharge leaf obligations Application to Euclid’s algorithm ◮ first step: strengthen correctness property � inductive invariant ∆ = ∧ x ∈ PosInteger InductiveInvariant ∧ y ∈ PosInteger ∧ GCD ( x , y ) = GCD ( M , N ) TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 7 / 23

  10. Underlying Data Properties The algorithm relies on the following properties of GCD ∆ THEOREM GCDSelf = ASSUME NEW p ∈ PosInteger GCD ( p , p ) = p PROVE ∆ THEOREM GCDSymm = ASSUME NEW p ∈ PosInteger , NEW q ∈ PosInteger GCD ( p , q ) = GCD ( q , p ) PROVE ∆ THEOREM GCDDiff = ASSUME NEW p ∈ PosInteger , NEW q ∈ PosInteger , p < q GCD ( p , q ) = GCD ( p , q − p ) PROVE ASSUME . . . PROVE : TLA + notation for sequents We won’t bother proving these properties here TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 8 / 23

  11. Proving an Invariant in TLA + Inv ∧ [ Next ] v ⇒ Inv ′ Init ⇒ Inv Inv ⇒ Corr Init ∧ � [ Next ] v ⇒ � Corr TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 9 / 23

  12. Proving an Invariant in TLA + Inv ∧ [ Next ] v ⇒ Inv ′ Init ⇒ Inv Inv ⇒ Corr Init ∧ � [ Next ] v ⇒ � Corr Representation as a TLA + sequent ∆ THEOREM ProveInv = ASSUME STATE Init , STATE Inv , STATE Corr , ACTION Next , STATE v , Init ⇒ Inv , Inv ∧ [ Next ] v ⇒ Inv ′ , Inv ⇒ Corr Init ∧ � [ Next ] v ⇒ � Corr PROVE Currently, TLAPS doesn’t handle temporal logic We’ll prove the non-temporal hypotheses TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 9 / 23

  13. Simple Proofs Prove that InductiveInvariant implies Correctness LEMMA InductiveInvariant ⇒ Correctness OBVIOUS TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 10 / 23

  14. Simple Proofs Prove that InductiveInvariant implies Correctness LEMMA InductiveInvariant ⇒ Correctness BY GCDSelf DEFS InductiveInvariant , Correctness ◮ by default, definitions and facts must be cited explicitly ◮ this helps manage the size of the search space for backend provers TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 10 / 23

  15. Simple Proofs Prove that InductiveInvariant implies Correctness LEMMA InductiveInvariant ⇒ Correctness BY GCDSelf DEFS InductiveInvariant , Correctness ◮ by default, definitions and facts must be cited explicitly ◮ this helps manage the size of the search space for backend provers Prove that Init implies InductiveInvariant LEMMA Init ⇒ InductiveInvariant BY Positive DEFS Init , InductiveInvariant To prove simple theorems, expand definitions and cite facts TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 10 / 23

  16. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  17. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ � 1 � USE DEF InductiveInvariant ◮ (scoped) USE DEF causes TLAPS to silently expand definitions TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  18. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ � 1 � USE DEF InductiveInvariant � 1 � 1. ASSUME InductiveInvariant , SubX InductiveInvariant ′ PROVE � 1 � 2. ASSUME InductiveInvariant , SubY InductiveInvariant ′ PROVE ◮ The steps � 1 � 1 and � 1 � 2 will be proved subsequently TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  19. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ � 1 � USE DEF InductiveInvariant � 1 � 1. ASSUME InductiveInvariant , SubX InductiveInvariant ′ PROVE � 1 � 2. ASSUME InductiveInvariant , SubY InductiveInvariant ′ PROVE � 1 � q . QED BY � 1 � 1, � 1 � 2 ◮ QED step verifies that the lemma follows from above steps — includes trivial case UNCHANGED � x , y � TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  20. Hierarchical Proofs: Sublevels ( ... ) � 1 � 1. ASSUME InductiveInvariant , SubX InductiveInvariant ′ PROVE � 1 � 2. ASSUME InductiveInvariant , SubY InductiveInvariant ′ PROVE ( ... ) TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 12 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 Temporal Reasoning in TLAPS

Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 Temporal Reasoning in TLAPS

A Tutorial Introduction to TLAPS Jael Kriener 1 Tom Rodeheffer 2 Tomer Libal 1 1 2 TLA + Community Event, ABZ 2014 Toulouse, June 3, 2014 Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 1 / 52 Outline TLAPS Basics 1 2 Tips

1.7k views • 118 slides
The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the property that it reflects the methods by which humans commonly do mathematics, it is ill suited for use in automated reasoning, because of the infinite

590 views • 41 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Background Proof assistants in education Arend System description Implementation Future work Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer science education Andrew V. Clifton

564 views • 52 slides
The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy &amp; INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 The TLA + proof system Stephan Merz (INRIA

646 views • 25 slides
Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

879 views • 74 slides
The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell University Ithaca, NY 14853 http://www.nuprl.org The Nuprl Project at Computational formal logics Type Theory Proof &amp;

1.24k views • 93 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian Hays, Associate Director Ins8tute of Renewable Natural Resources Texas A&amp;M AgriLife Extension

506 views • 21 slides
The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos

The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos

Naproche system Dynamic Quantification Undefined terms and presuppositions Conclusion The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos Cramer University of Luxembourg 18 July 2014 The Naproche

1.07k views • 50 slides
On some universal proof system for all versions of many-valued logics Department of Informatics

On some universal proof system for all versions of many-valued logics Department of Informatics

ANAHIT CHUBARYAN, ARTUR KHAMISYAN On some universal proof system for all versions of many-valued logics Department of Informatics and Applied Mathematics Yerevan State University 1 Main notions of k-valued logic. 1 k2 Let E k be the set

459 views • 17 slides
15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a

15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a

15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a refutational Systems for CNF formulas It was introduced by Blake in 1937 and then became important by a work Davis-Putnam and Robinson in the 60s in the

769 views • 75 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

112 views • 8 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Part I: How to make software secure Something with implementations 2 Timing Attacks General idea of those attacks Secret

1.47k views • 65 slides
A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien Courouss, Jean-Louis Lanet and Ronan Lashermes July 27th 2016 A template attack against Verify PIN algorithms Le Bouder et al. July 27th 2016 1/23

590 views • 30 slides
Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure Kukovec Thanh-Hai Tran VeriDis + Matryoushka seminar, Amsterdam, June 2019 Why TLA + ? Rich specification language TLA + is used in industry, e.g.,

699 views • 46 slides
Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk,

Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk,

Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk, Universitetet i Oslo June 2, 2015 1 / 37 Introduction TLA: temporal logic of actions combination of Logic of actions standard temporal logics

597 views • 37 slides
Breakout Session Creating High-Quality Professional Learning: Enabling Choice, Ownership, and

Breakout Session Creating High-Quality Professional Learning: Enabling Choice, Ownership, and

Breakout Session Creating High-Quality Professional Learning: Enabling Choice, Ownership, and More Focused Support Beth Rabbitt, The Learning Accelerator Juliana Finegan, The Learning Accelerator Errika Baker, Chicago Public Schools Kristen

770 views • 36 slides
A High-Level Language for Modeling Algorithms and their Properties Sabina Akhtar Stephan Merz

A High-Level Language for Modeling Algorithms and their Properties Sabina Akhtar Stephan Merz

A High-Level Language for Modeling Algorithms and their Properties Sabina Akhtar Stephan Merz Martin Quinson LORIA INRIA Nancy Grand Est and Nancy University, Nancy, France SBMF 2010 1 / 55 Outline Introduction 1 Background

884 views • 55 slides

More recommend