using yices as an automated solver in isabelle hol
play

Using Yices as an automated solver in Isabelle/HOL Levent Erkk - PowerPoint PPT Presentation

Dec 21, 2022 •522 likes •1.18k views

Using Yices as an automated solver in Isabelle/HOL Levent Erkk John Matthews {levent.erkok,matthews}@galois.com AFM08: Automated Formal Methods 2008 Princeton, NJ July 2008 Motivation Providing strong assurance evidence for

  1. Using Yices as an automated solver in Isabelle/HOL Levent Erkök John Matthews {levent.erkok,matthews}@galois.com AFM’08: Automated Formal Methods 2008 Princeton, NJ July 2008

  2. Motivation Providing strong assurance evidence for certification Some properties are amenable for automated proof For others, manual intervention is a must Strategy: Use a theorem-proving framework High-level correctness and “deeper” results Aided by push-button techniques: When the subgoal is sufficiently simple ... but usually very tedious ... Use whatever tool works the best And combinations thereof 2/34

  3. The ismt tactic We use Isabelle/HOL Local expertise counts.. The ismt tactic out-sources proofs to Yices Directly supports a large chunk of HOL Uses “uninterpretation” for the rest Similar to the yices strategy in PVS 3/34

  4. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. 4/34

  5. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. Proof-check mode Do not replay, but “validate” the proof Medium (adjustable) assurance; Faster to run; Cheaper to build 4/34

  6. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. Proof-check mode Do not replay, but “validate” the proof Medium (adjustable) assurance; Faster to run; Cheaper to build Oracle mode Trust everything! Lowest assurance; Runs fast and cheapest to build No proofs required from the external solver 4/34

  7. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. Proof-check mode Do not replay, but “validate” the proof Medium (adjustable) assurance; Faster to run; Cheaper to build Oracle mode Trust everything! Lowest assurance; Runs fast and cheapest to build No proofs required from the external solver Proof generation for SMT solvers is still active research area Yices does not produce proofs; so oracle mode is the only choice 4/34

  8. Outline Introduction 1 Connecting Isabelle to Yices 2 Example Translations 3 Dealing with false alarms 4 Application: Verifying C programs 5 Summary 6 5/34

  9. How does ismt work Grab the top-most goal from the Isabelle goal stack Translate the types involved to Yices Might require “monomorphisation” Introduce uninterpreted types as needed Negate the subgoal, and translate it to a Yices term If no matching construct; uninterpret Pass the script to Yices If Yices decides the negation is unsatisfiable: Trigger oracle mechanism to assert the goal proven A “trust-tag” will be attached. 6/34

  10. How does ismt work Grab the top-most goal from the Isabelle goal stack Translate the types involved to Yices Might require “monomorphisation” Introduce uninterpreted types as needed Negate the subgoal, and translate it to a Yices term If no matching construct; uninterpret Pass the script to Yices If Yices decides the negation is unsatisfiable: Trigger oracle mechanism to assert the goal proven A “trust-tag” will be attached. What do we do if Yices returns a model? 6/34

  11. Interpreting Yices’s models Recall that the model is for the negation of the goal ..Hence, it is a counter-example to what we were trying to prove Typically indicates a bug found Models are translated back to Isabelle/HOL Provides very valuable feedback! 7/34

  12. Interpreting Yices’s models Recall that the model is for the negation of the goal ..Hence, it is a counter-example to what we were trying to prove Typically indicates a bug found Models are translated back to Isabelle/HOL Provides very valuable feedback! Not every counter-example is valid, however 7/34

  13. Two kinds of bogus counter-examples 1 Due to “Potential models” Caused by: Quantifiers λ -expressions These constructs render Yices’s logic incomplete Clearly marked by Yices and the translator 8/34

  14. Two kinds of bogus counter-examples 1 Due to “Potential models” Caused by: Quantifiers λ -expressions These constructs render Yices’s logic incomplete Clearly marked by Yices and the translator 2 Due to uninterpreted terms and types Caused by: Lack of “auxiliary” lemmata Lack of definitions of the functions used These are more problematic.. 8/34

  15. Outline Introduction 1 Connecting Isabelle to Yices 2 Example Translations 3 Dealing with false alarms 4 Application: Verifying C programs 5 Summary 6 9/34

  16. Basics Reflexivity lemma "x = x" by ismt 10/34

  17. Basics Reflexivity lemma "x = x" by ismt Generates (define-type ’a) (define x::’a) (assert (/= x x)) Monomorphisation in action! 10/34

  18. Simple arithmetic No odd number is a multiple of 2 lemma "a = (2::int) * n + 1 − → a � = 2 * m" by ismt 11/34

  19. Simple arithmetic No odd number is a multiple of 2 lemma "a = (2::int) * n + 1 − → a � = 2 * m" by ismt Generates (define a::int) (define n::int) (define m::int) (assert (not (=> (= a (+ (* 2 n) 1)) (/= a (* 2 m))))) 11/34

  20. Counter examples Absolute values lemma "abs (n::int) = n" by ismt 12/34

  21. Counter examples Absolute values lemma "abs (n::int) = n" by ismt Generates (define n::int) (assert (/= (if (< n 0) (- 0 n) n) n)) 12/34

  22. Counter examples Absolute values lemma "abs (n::int) = n" by ismt Generates (define n::int) (assert (/= (if (< n 0) (- 0 n) n) n)) Counter example A counter-example is found: n = -1 12/34

  23. Quantification and Higher order functions Quantifiers can render Yices incomplete Not a problem if in universal prenex form 13/34

  24. Quantification and Higher order functions Quantifiers can render Yices incomplete Not a problem if in universal prenex form A trivial lemma lemma " ∀ i f g. (f = g − → f i = g i)" 13/34

  25. Quantification and Higher order functions Quantifiers can render Yices incomplete Not a problem if in universal prenex form A trivial lemma lemma " ∀ i f g. (f = g − → f i = g i)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= f g) (= (f i) (g i))))) automatically proven by Yices.. 13/34

  26. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" 14/34

  27. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= (f i) (g i)) (= f g)))) 14/34

  28. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= (f i) (g i)) (= f g)))) Not true! A counter-example is found: i = 1 f 1 = g 1 14/34

  29. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= (f i) (g i)) (= f g)))) Not true! A counter-example is found: i = ismt_const 1 f (ismt_const 1) = g (ismt_const 1) 14/34

  30. Parameterized datatypes Monomorphise as we go datatype (’a, ’b) Either = Left ’a | Right ’b 15/34

  31. Parameterized datatypes Monomorphise as we go datatype (’a, ’b) Either = Left ’a | Right ’b lemma "Left False � = Right (4::int) ∧ Left (1::nat) � = Right x" 15/34

  32. Parameterized datatypes Monomorphise as we go datatype (’a, ’b) Either = Left ’a | Right ’b lemma "Left False � = Right (4::int) ∧ Left (1::nat) � = Right x" Types involved: (bool × int) Either (nat × ’a) Either 15/34

  33. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b 16/34

  34. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b (bool × int) and (nat × ’a) instances (define-type Either-bool-int (datatype (Left-bool-int bool) (Right-bool-int int))) 16/34

  35. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b (bool × int) and (nat × ’a) instances (define-type Either-bool-int (datatype (Left-bool-int bool) (Right-bool-int int))) (define-type ’a) (define-type Either-nat-’a (datatype (Left-nat-’a nat) (Right-nat-’a ’a))) 16/34

  36. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b (bool × int) and (nat × ’a) instances (define-type Either-bool-int (datatype (Left-bool-int bool) (Right-bool-int int))) (define-type ’a) (define-type Either-nat-’a (datatype (Left-nat-’a nat) (Right-nat-’a ’a))) [automatically generated accessor functions not shown for clarity...] 16/34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura joint work with Bruno Dutertre demoura@csl.sri.com Computer Science Laboratory SRI International Menlo Park, CA Yices: An Efficient Introduction Yices is a SMT Solver

429 views • 13 slides
Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura (joint work with Bruno Dutertre) { demoura, bruno } @csl.sri.com. Computer Science Laboratory SRI International Menlo Park, CA Yices: An Efficient SMT Solver p.1

691 views • 16 slides
Yices 1.0: An Efficient SMT Solver AFM06 Tutorial Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver AFM06 Tutorial Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver AFM06 Tutorial Leonardo de Moura (joint work with Bruno Dutertre) { demoura, bruno } @csl.sri.com. Computer Science Laboratory SRI International Menlo Park, CA Yices: An Efficient SMT Solver p.1

430 views • 27 slides
with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle

with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle

IIW Annual Assembly 2011 SG212: the physics of welding Electric welding arc modeling with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle Choquet, Alireza J. Shirvan, and Hkan Nilsson University

1.47k views • 81 slides
Automated Sudoku Solver Marty Otzenberger EGGN 510 December 4, 2012 Outline Goal

Automated Sudoku Solver Marty Otzenberger EGGN 510 December 4, 2012 Outline Goal

Automated Sudoku Solver Marty Otzenberger EGGN 510 December 4, 2012 Outline Goal Problem Elements Initial Testing Test Images Approaches Final Algorithm Results/Statistics Conclusions Problems/Limits

498 views • 21 slides
13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem

13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem

13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem Automated Reasoning Proving 13.4 Further Issues in 13.1 The General Problem Automated Reasoning Solver and Difference 13.5 Epilogue and Tables

775 views • 51 slides
Lecture 3: New Trade Theory Isabelle M ejean isabelle.mejean@polytechnique.edu

Lecture 3: New Trade Theory Isabelle M ejean isabelle.mejean@polytechnique.edu

Introduction Krugman, 1980 The Gravity Equation Lecture 3: New Trade Theory Isabelle M ejean isabelle.mejean@polytechnique.edu http://mejean.isabelle.googlepages.com/ Master Economics and Public Policy, International Macroeconomics October

763 views • 32 slides
Cosette: An Automated Solver for SQL Chenglong Shumo Konstantin Alvin Dan Wang Chu Weitz

Cosette: An Automated Solver for SQL Chenglong Shumo Konstantin Alvin Dan Wang Chu Weitz

Cosette: An Automated Solver for SQL Chenglong Shumo Konstantin Alvin Dan Wang Chu Weitz Cheung Suciu cosette.cs.washington.edu SELECT ... SELECT ... FROM ... FROM ... WHERE ... WHERE ... Q2 Q1 D . Q1(D) = Q2(D) D .

580 views • 19 slides
Software verification using Hoare logic in Isabelle Petros Papapanagiotou pe.p@ed.ac.uk 7

Software verification using Hoare logic in Isabelle Petros Papapanagiotou pe.p@ed.ac.uk 7

Automated R Reasoni ning ng Coursework Assignm nment nt 1 1 Software verification using Hoare logic in Isabelle Petros Papapanagiotou pe.p@ed.ac.uk 7 October 2013 Breakdown Part 1 : Natural Deduction (40 marks) 14 lemmas to

389 views • 22 slides
Isabelle/jEdit for seasoned Isabelle users Isabelle/jEdit NEWS Makarius Wenzel Univ. Paris-Sud,

Isabelle/jEdit for seasoned Isabelle users Isabelle/jEdit NEWS Makarius Wenzel Univ. Paris-Sud,

Isabelle/jEdit for seasoned Isabelle users Isabelle/jEdit NEWS Makarius Wenzel Univ. Paris-Sud, LRI 13-Jul-2014 There is nothing to prove or even to suppose that the Serbian government is accessory to the inducement for the crime, its

347 views • 30 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
The Nuts and Bolts of Yices Bruno Dutertre SRI International SMT 2016 Coimbra, Portugal

The Nuts and Bolts of Yices Bruno Dutertre SRI International SMT 2016 Coimbra, Portugal

Computer Science Laboratory, SRI International The Nuts and Bolts of Yices Bruno Dutertre SRI International SMT 2016 Coimbra, Portugal Computer Science Laboratory, SRI International Yices 2 Ancestors ICS (Rue &amp; de Moura, 2002)

345 views • 30 slides
Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2 Learned new things!.. 3 ...and some (more) logic!.. 4 ...and practiced using Isabelle!.. 5 ...but why? 6 Where is the connection...

1.02k views • 66 slides
EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International

EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International

EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International Conference on Automated Planning and Scheduling Francesco Fabiano , Alessandro Burigana, Agostino Dovier and Enrico Pontelli University of Udine

580 views • 31 slides
Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy Lessons makes better models. Christopher Jefferson Minion already imposes this on you, University of Oxford through its low-level input

598 views • 27 slides
Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better performance: e.g. airfoil, combustor, rotor blade, ducts, body shape, etc. by optimising a certain characteristic CFD has the capability to explore

426 views • 24 slides
Automorphisms of Divisible Rigid Groups Denis Ovchinnikov Novosibirsk State University, Russia

Automorphisms of Divisible Rigid Groups Denis Ovchinnikov Novosibirsk State University, Russia

Contents Introduction Main Results Automorphisms of Divisible Rigid Groups Denis Ovchinnikov Novosibirsk State University, Russia May, 29, 2013 Contents Introduction Main Results Introduction 1 Main Results 2 Contents Introduction

442 views • 21 slides
GI using Deep Parameter Tuning Mark Fan Wu Wes Weimer Yue Jia Jens Krinke Harman Why GI for

GI using Deep Parameter Tuning Mark Fan Wu Wes Weimer Yue Jia Jens Krinke Harman Why GI for

GI using Deep Parameter Tuning Mark Fan Wu Wes Weimer Yue Jia Jens Krinke Harman Why GI for non-functional properties Non-Functional Functional Requirements Requirements humans have to a machine can define these optimise these

678 views • 43 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
Supplemental notes: Kuhn-Tucker first-order conditions P. Dybvig Minimization problem (like in

Supplemental notes: Kuhn-Tucker first-order conditions P. Dybvig Minimization problem (like in

Supplemental notes: Kuhn-Tucker first-order conditions P. Dybvig Minimization problem (like in the slides): Choose x N to minimize f ( x ) subject to ( i E ) g i ( x ) = 0, and ( i I ) g i ( x ) 0. x = ( x 1 , ..., x N

359 views • 3 slides
Questions (and Answers) on the Semantic Web Oslo, Norway, 2006-09-20 Ivan Herman, W3C Ivan

Questions (and Answers) on the Semantic Web Oslo, Norway, 2006-09-20 Ivan Herman, W3C Ivan

Questions (and Answers) on the Semantic Web Oslo, Norway, 2006-09-20 Ivan Herman, W3C Ivan Herman, W3C We all know that, right? The Semantic Web Artificial Intelligence on the Web It relies on centrally controlled ontologies for meaning

1.34k views • 82 slides
Narrative hierarchy Semester projects The Plan The Plan Principles of Complex Systems

Narrative hierarchy Semester projects The Plan The Plan Principles of Complex Systems

Semester projects Semester projects Narrative hierarchy Semester projects The Plan The Plan Principles of Complex Systems Suggestions for Suggestions for CSYS/MATH 300, Fall, 2010 Projects Projects Presenting at many scales: References

493 views • 9 slides
The socio-economic impact of large-scale research infrastructures: LHC and CNAO Massimo Florio

The socio-economic impact of large-scale research infrastructures: LHC and CNAO Massimo Florio

The socio-economic impact of large-scale research infrastructures: LHC and CNAO Massimo Florio Department of Economics, Management and Quantitative Methods University of Milan ALBA Barcelona, 7 th October 2016 WHY A CBA MODEL FOR RDI:

599 views • 43 slides
CEE/EHS 597B Meeting #2: Treatment for Small Water Systems Dave Reckhow David Reckhow CEE/EHS

CEE/EHS 597B Meeting #2: Treatment for Small Water Systems Dave Reckhow David Reckhow CEE/EHS

Print version CEE/EHS 597B Meeting #2: Treatment for Small Water Systems Dave Reckhow David Reckhow CEE/EHS 597B 1 Purposes for Water Treatment Disinfection Removal of Turbidity Removal of Color, and Tastes &amp; Odors

745 views • 61 slides

More recommend