15-820A Modeling Hardware and Software with PVS
PowerPoint presentation transcript (51 slides), provided by cs.cmu.edu (http://www.cs.cmu.edu)
1
15-820A Modeling Hardware and Software with PVS
  • Edmund Clarke
  • Daniel Kroening
  • Carnegie Mellon University

2
Outline
  • PVS Language
  • Parameterized Theories
  • Modeling Hardware with PVS
  • Combinational Circuits
  • Clocked Circuits
  • Modeling Software with PVS
  • Sequential Software

3
Outline
  • Proofs
  • The Gentzen Sequent
  • Propositional Part
  • Quantifiers
  • Equality
  • Induction
  • Using Lemmas/Theorems
  • Rewriting
  • Model Checking
  • Strategies

4
Example

  stacks4: THEORY
  BEGIN
    stack: TYPE = [# size: nat,
                     elements: ARRAY[{i: nat | i < size} -> int] #]

    empty: stack = (# size := 0,
                      elements := (LAMBDA (j: nat | FALSE): 0) #)

    push(x: int, s: stack): {s: stack | s`size >= 1} =
      (# size := s`size + 1,
         elements := LAMBDA (j: below(s`size + 1)):
                       IF j < s`size THEN s`elements(j) ELSE x ENDIF #)

    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1,
         elements := LAMBDA (j: nat | j < s`size - 1): s`elements(j) #)
  END stacks4

What about stacks of other types?
6
Theory Parameters
  • Idea: do something like a C++ template

PVS:
  theory[T1: TYPE, T2: TYPE, ...]: THEORY
  BEGIN
    ...
    f(e: T1): bool
    ...
  END theory

C++:
  template <class T1, class T2, ...> class stack {
    ...
    bool f(T1 e);
    ...
  };
8
Example

  stacks4[T: NONEMPTY_TYPE]: THEORY
  BEGIN
    stack: TYPE = [# size: nat,
                     elements: ARRAY[{i: nat | i < size} -> T] #]
    e: T
    empty: stack = (# size := 0,
                      elements := (LAMBDA (j: nat | FALSE): e) #)

    push(x: T, s: stack): {s: stack | s`size >= 1} =
      (# size := s`size + 1,
         elements := LAMBDA (j: below(s`size + 1)):
                       IF j < s`size THEN s`elements(j) ELSE x ENDIF #)

    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1,
         elements := LAMBDA (j: nat | j < s`size - 1): s`elements(j) #)
  END stacks4

The element type is now a theory parameter. It must be a NONEMPTY_TYPE so that the constant e: T (the never-read element of the empty stack) exists.
9
Example

  use_stack: THEORY
  BEGIN
    my_type: TYPE = [posint, posint]
    IMPORTING stacks5
    s: stack[my_type]
    x: my_type = (1, 2)
    d: stack[my_type] = push(x, s)
  END use_stack
10
Theory Parameters
  • PVS uses theory parameters for many definitions
  • PVS has many heuristics to automatically detect the right theory parameters:
      a, b: posint
      a = b   is the same as   =[posint](a, b)

  equalities[T: TYPE]: THEORY
  BEGIN
    =: [T, T -> boolean]
  END equalities
11
Useful Parameterized Theories
  • PVS comes with several useful parameterized theories:
  • Sets over elements of type T: subsets, union, complement, power set, finite sets, ...
  • Infinite Sequences
  • Finite Sequences
  • Lists
  • Bit vectors

12
Bit Vectors
  • Bit Vectors are defined using an ARRAY type

  bv[N: nat]: THEORY
  BEGIN
    bvec: TYPE = [below(N) -> bit]
    ...

bit is the same as boolean; below(N) is the index set {0, ..., N-1}.
13
Bit Vectors
  • Extract a bit: bv(i), i in {0, ..., N-1}
  • Vector extraction: bv^(m, n), n <= m < N
  • b^N (N copies of the bit b): fill(b)
  • Concatenation: bv1 o bv2
  • Bitwise: bv1 OR bv2
  • Conversion to integer: bv2nat(bv)
  • Conversion from integer: nat2bv(n)

14
Bit Vector Arithmetic
  • Requires
      IMPORTING bitvectors@bv_arith_nat
  • +, *, -, <, >, <=, >=
  • Many other useful theories: look in pvs/lib/bitvectors

15
Bit Vectors
  • Example

  bv_ex: THEORY
  BEGIN
    x: VAR bvec[32]
    zero_lemma: LEMMA bv2nat(x) = 0 IFF x = fill(false)
  END bv_ex

How many bits? bv2nat and fill come from theories parameterized by the width, so the width must be given:

  bv_ex: THEORY
  BEGIN
    x: VAR bvec[32]
    zero_lemma: LEMMA bv2nat[32](x) = 0 IFF x = fill[32](false)
  END bv_ex
17
PVS Workflow
[Diagram: System and Properties are converted into a PVS File, from which PROOFS are constructed]
  • Conversion of the system (program, circuit, protocol) and the property into a PVS file. Can be automated or done manually.
  • Proof construction: interaction with the theorem prover.
18
Modeling Hardware with PVS
  • Combinational Hardware
  • No latches
  • Circuit is loop-free
  • Examples: arithmetic circuits, ALUs, ...
  • Clocked Circuits
  • Combinational part + registers (latches)
  • Examples: processors, controllers, ...

19
Modeling Hardware with PVS
  • Idea: model combinational circuits using functions on bit vectors

  f(A, B, reset: bit): bit =
    IF reset THEN (NOT A) OR B ELSE false ENDIF

Translation from/to Verilog, VHDL, etc. is easy.
20
Modeling Hardware with PVS
  • What is the Theorem Prover good for?
  • Equivalence checking? No.
  • Parameterized circuits
  • Prove circuit with N bits
  • Arithmetic
  • What is a correct adder? Integer? Floating Point?
  • A purely propositional specification is not
    really useful

21
Parameterized Circuits
[Figure: binary tree for 8 inputs; parameterized for 2^k inputs]
22
Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    btree(k: nat, l: [below(exp2(k)) -> T]): RECURSIVE T =
      IF k = 0 THEN l(0)
      ELSE btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i))
           o btree(k-1, LAMBDA (i: below(exp2(k-1))): l(i + exp2(k-1)))
      ENDIF
    MEASURE k

    btree(l: [below(exp2(K)) -> T]): T = btree(K, l)
  END btree

Property?
23
Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ...
    btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp2(K)-1)
  END btree

Dot dot dot? The "..." is not PVS; the chain has to be defined recursively:

    seq(i: nat, l: [upto(i) -> T]): RECURSIVE T =
      IF i = 0 THEN l(0)
      ELSE seq(i-1, LAMBDA (j: below(i)): l(j)) o l(i)
      ENDIF
    MEASURE i

    btree_correct: THEOREM btree(l) = seq(exp2(K)-1, l)

Can you prove this? What is missing?
25
Modeling Hardware with PVS

  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ASSUMING
      fassoc: ASSUMPTION associative?(o)
    ENDASSUMING
    ...
  END btree

This is NOT like an axiom! Whoever instantiates the theory has to discharge it:

  zerotester_imp(op): bit = NOT btree[bit, K, OR](op)

PVS will make you prove here that OR is associative.
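Added example, not from the slides: a Python model of the btree theory (slides 22 to 25) that checks btree_correct by brute force. The theory parameters T, K and o become ordinary arguments; the PVS function l: [below(exp2(k)) -> T] is a Python sequence of length 2**k. The point of the ASSUMING clause shows up concretely: with an associative operator (OR) the tree and the chain always agree, with a non-associative one (IMPLIES) a counterexample appears. The operator names OR, IMPLIES and the helper names are mine.

```python
"""Python model of the parameterized btree theory (added example, not PVS)."""
from itertools import product

BITS = (False, True)  # the type bit = bool


def OR(x, y):
    return x or y


def IMPLIES(x, y):
    return (not x) or y


def btree(k, l, o):
    """btree(k, l): fold the 2**k inputs of l with o as a balanced binary tree."""
    assert len(l) == 2 ** k
    if k == 0:
        return l[0]
    half = 2 ** (k - 1)
    return o(btree(k - 1, l[:half], o), btree(k - 1, l[half:], o))


def seq(i, l, o):
    """seq(i, l): the left-nested chain l(0) o l(1) o ... o l(i)."""
    if i == 0:
        return l[0]
    return o(seq(i - 1, l[:i], o), l[i])


def btree_correct(k, l, o):
    """The theorem btree(l) = seq(exp2(K)-1, l) for one concrete input."""
    return btree(k, l, o) == seq(2 ** k - 1, l, o)


def check_theorem(k, values, o):
    """Check btree_correct for every input vector over `values`.
    Returns the first counterexample (as a tuple) or None if the theorem holds."""
    for l in product(values, repeat=2 ** k):
        if not btree_correct(k, list(l), o):
            return l
    return None


def associative(o, values):
    """The ASSUMING clause on a finite domain: o(o(x,y),z) = o(x,o(y,z))."""
    return all(o(o(x, y), z) == o(x, o(y, z))
               for x, y, z in product(values, repeat=3))


def zerotester_imp(op, k):
    """zerotester_imp from slide 25: NOT btree[bit, K, OR](op)."""
    return not btree(k, op, OR)


if __name__ == "__main__":
    # OR is associative: the tree and the chain agree on all 2**8 inputs (K = 3).
    print("OR associative:", associative(OR, BITS))
    print("counterexample for OR:", check_theorem(3, BITS, OR))
    # IMPLIES is not associative: the theorem is false without the assumption.
    print("IMPLIES associative:", associative(IMPLIES, BITS))
    print("counterexample for IMPLIES:", check_theorem(2, BITS, IMPLIES))
    print("zero tester on all-false input:", zerotester_imp([False] * 8, 3))
```

Exhaustive checking on a small K is what you do before spending time on the PVS proof: it finds the missing assumption in seconds, whereas in PVS the unprovable subgoal only appears after the induction step.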
26
Arithmetic Circuits
One Bit Adder (oba)

  a, b, cin: VAR bit
  oba_sum(a, b, cin): bit = (a XOR b XOR cin)
  oba_cout(a, b, cin): bit = ((a AND b) OR (a AND cin) OR (b AND cin))

Property?

  oba_correct: LEMMA a + b + cin = 2 * oba_cout(a, b, cin) + oba_sum(a, b, cin)

Wait a second! You are adding bits here!
27
Conversions

  oba_correct: LEMMA a + b + cin = 2 * oba_cout(a, b, cin) + oba_sum(a, b, cin)

There is no addition on bits (or boolean)!

  bit: TYPE = bool
  nbit: TYPE = below(2)
  b2n(b: bool): nbit = IF b THEN 1 ELSE 0 ENDIF
  CONVERSION b2n

below(2) is a subtype of the integer type, and we have addition for that.
28
Arithmetic Circuits
[Figure: carry chain adder]
29
Arithmetic Circuits

  n: VAR below(N)
  a, b: VAR bvec[N]
  a_cin: VAR bit

  cout(n, a, b, a_cin): RECURSIVE bit =
    IF n = 0 THEN oba_cout(a(0), b(0), a_cin)
    ELSE oba_cout(a(n), b(n), cout(n-1, a, b, a_cin))
    ENDIF
  MEASURE n

  bv_adder(a, b, a_cin): bvec[N] =
    LAMBDA (i: below(N)):
      IF i = 0 THEN oba_sum(a(0), b(0), a_cin)
      ELSE oba_sum(a(i), b(i), cout(i-1, a, b, a_cin))
      ENDIF

  adder_correct: THEOREM
    exp2(N) * cout(N-1, a, b, a_cin) + bv2nat(bv_adder(a, b, a_cin))
      = bv2nat(a) + bv2nat(b) + a_cin

  adder_is_add: THEOREM bv_adder(a, b, FALSE) = a + b

adder_correct accounts for the final carry, so it states exact arithmetic; adder_is_add uses the modular + of bv_arith_nat, so the carry out is exactly the overflow that is dropped.
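Added example, not from the slides: a Python model of the one-bit adder and the carry chain adder (slides 26 to 30), with oba_correct and adder_correct checked exhaustively for a small width N. A bvec[N] is a tuple of N bools with index 0 the least significant bit, which is the convention bv2nat uses; b2n plays the role of the CONVERSION on slide 27. The function names follow the slides, the check_adder and wraps helpers are mine.

```python
"""Python model of the carry chain adder from the slides (added example, not PVS)."""
from itertools import product

BITS = (False, True)


def b2n(b):
    """The CONVERSION b2n: bit -> below(2)."""
    return 1 if b else 0


def oba_sum(a, b, cin):
    return a ^ b ^ cin


def oba_cout(a, b, cin):
    return (a and b) or (a and cin) or (b and cin)


def oba_correct(a, b, cin):
    """oba_correct: a + b + cin = 2 * cout + sum, using b2n explicitly."""
    return (b2n(a) + b2n(b) + b2n(cin)
            == 2 * b2n(oba_cout(a, b, cin)) + b2n(oba_sum(a, b, cin)))


def cout(n, a, b, a_cin):
    """Carry out of stage n; recursion on n is the carry chain (MEASURE n)."""
    if n == 0:
        return oba_cout(a[0], b[0], a_cin)
    return oba_cout(a[n], b[n], cout(n - 1, a, b, a_cin))


def bv_adder(a, b, a_cin):
    """Sum vector: bit i is the one-bit adder output of stage i."""
    return tuple(oba_sum(a[0], b[0], a_cin) if i == 0
                 else oba_sum(a[i], b[i], cout(i - 1, a, b, a_cin))
                 for i in range(len(a)))


def bv2nat(bv):
    return sum(b2n(bit) << i for i, bit in enumerate(bv))


def nat2bv(n, N):
    """Low N bits of n as a bvec[N] (n is taken modulo 2**N)."""
    return tuple(bool((n >> i) & 1) for i in range(N))


def adder_correct(a, b, a_cin):
    """exp2(N)*cout(N-1,a,b,cin) + bv2nat(bv_adder(a,b,cin)) = bv2nat(a)+bv2nat(b)+cin."""
    N = len(a)
    lhs = 2 ** N * b2n(cout(N - 1, a, b, a_cin)) + bv2nat(bv_adder(a, b, a_cin))
    return lhs == bv2nat(a) + bv2nat(b) + b2n(a_cin)


def check_adder(N):
    """Exhaustive check of adder_correct over all 2**N * 2**N * 2 inputs.
    Returns a counterexample (a, b, cin) or None."""
    for a, b, cin in product(product(BITS, repeat=N), product(BITS, repeat=N), BITS):
        if not adder_correct(a, b, cin):
            return (a, b, cin)
    return None


def wraps(a, b):
    """What adder_is_add really says: the sum vector is (a + b) mod 2**N,
    and the dropped part is exactly the carry out of the last stage."""
    N = len(a)
    total = bv2nat(a) + bv2nat(b)
    return (bv2nat(bv_adder(a, b, False)) == total % 2 ** N
            and b2n(cout(N - 1, a, b, False)) == total // 2 ** N)


if __name__ == "__main__":
    print("oba_correct on all 8 inputs:",
          all(oba_correct(*bits) for bits in product(BITS, repeat=3)))
    print("adder_correct counterexample for N=4:", check_adder(4))
    a, b = nat2bv(9, 4), nat2bv(11, 4)
    print("9 + 11 in 4 bits:", bv2nat(bv_adder(a, b, False)), "carry:", cout(3, a, b, False))
```

The last line is the usual unsigned wrap-around: 9 + 11 = 20 does not fit in 4 bits, the vector result is 4 and the overflow is only visible in the carry, which is why adder_correct, not adder_is_add, is the specification you want when the adder guards a length or an index.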
32
Clocked Circuits

  T  reset  A  B
  0    1    ?  ?
  1    0    0  0
  2    0    1  0
  3    0    0  1
  4    0    1  1
  5    0    1  1

Configuration in cycle 4
33
Clocked Circuits
1. Define types for STATE and INPUTS

  C: TYPE = [# A, B: bit #]
  I: TYPE = [# reset: bit #]

2. Define the transition function

  t(c: C, i: I): C =
    (# A := IF i`reset THEN false ELSE (NOT c`A) OR c`B ENDIF,
       B := IF i`reset THEN false ELSE c`A OR c`B ENDIF #)
34
Clocked Circuits
3. Define the initial state and the inputs

  initial: C
  i: [nat -> I]

4. Define the configuration sequence

  c(T: nat): RECURSIVE C =
    IF T = 0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF
  MEASURE T
35
Clocked Circuits
5. Prove things about this sequence

  c(T: nat): RECURSIVE C =
    IF T = 0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF
  MEASURE T

  c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset)
                 => (c(2)`A AND NOT c(2)`B)

You can also verify invariants, even temporal properties, that way.
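Added example, not from the slides: the clocked circuit of slides 32 to 35 in Python. The record types C and I become dicts, t and the configuration sequence c(T) are written as on the slides, and c_lem is checked for every initial state and every reset pattern of length 3 (4 * 8 cases), which is the whole state space the lemma quantifies over since initial and i are uninterpreted. The invariant b_monotone (B never falls back to false without a reset) is my own illustration of the "you can also verify invariants" remark; trace reproduces the table on slide 32 starting from initial = (0, 0).

```python
"""Python model of the clocked circuit from the slides (added example, not PVS)."""
from itertools import product

BITS = (False, True)


def t(c, i):
    """Transition function t(c: C, i: I): C."""
    return {
        "A": False if i["reset"] else (not c["A"]) or c["B"],
        "B": False if i["reset"] else c["A"] or c["B"],
    }


def config(T, initial, inputs):
    """c(T): configuration in cycle T; c(0) = initial, c(T) = t(c(T-1), i(T-1))."""
    if T == 0:
        return initial
    return t(config(T - 1, initial, inputs), inputs[T - 1])


def trace(initial, inputs, cycles):
    """Rows (T, reset, A, B) as in the table on slide 32."""
    rows = []
    for T in range(cycles):
        c = config(T, initial, inputs)
        rows.append((T, inputs[T]["reset"], c["A"], c["B"]))
    return rows


def c_lem(initial, inputs):
    """(i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)`A AND NOT c(2)`B)."""
    premise = inputs[0]["reset"] and not inputs[1]["reset"] and not inputs[2]["reset"]
    c2 = config(2, initial, inputs)
    return (not premise) or (c2["A"] and not c2["B"])


def check_c_lem():
    """c_lem over all 4 initial states and all 8 reset patterns for cycles 0..2.
    Returns a counterexample (initial, inputs) or None."""
    for A, B, r0, r1, r2 in product(BITS, repeat=5):
        initial = {"A": A, "B": B}
        inputs = [{"reset": r0}, {"reset": r1}, {"reset": r2}]
        if not c_lem(initial, inputs):
            return (initial, inputs)
    return None


def b_monotone(initial, inputs, cycles):
    """Invariant (mine): B' = A OR B, so B only returns to false through a reset."""
    for T in range(cycles - 1):
        c, cn = config(T, initial, inputs), config(T + 1, initial, inputs)
        if c["B"] and not cn["B"] and not inputs[T]["reset"]:
            return False
    return True


if __name__ == "__main__":
    resets = [{"reset": r} for r in (True, False, False, False, False, False)]
    for row in trace({"A": False, "B": False}, resets, 6):
        print(row)
    print("c_lem counterexample:", check_c_lem())
```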
36
Modeling Software with PVS
  • (Software written in a functional language)
  • (Take a subset of PVS, and compile that)
  • Software written in a language like ANSI C

PVS:
  f(i: below(10)): int =
    LET a1 = LAMBDA (x: below(10)): 0 IN
    ...
    LET a2 = a1 WITH [(i) := 5] IN
    ...
    a_n(0)

C:
  int f(int i) {
    int a[10] = {0};
    ...
    a[i] = 5;
    ...
    return a[0];
  }

Each assignment to the array becomes a new LET-bound copy (a1, a2, ..., a_n); the index has to be below(10) for the WITH to typecheck.

What about loops?
37
Modeling Software with PVS

  int a[10];
  unsigned i;
  int main() { . . . }

1. Define a type for STATE

  C: TYPE = [# a: [below(10) -> integer],
               i: nat #]

nat? Of course, bvec[32] is better: unsigned wraps around, nat does not.
38
Modeling Software with PVS
2. Translate your program into a goto program

  int a[10];
  unsigned i, j, k;
  int main() {
    i = k = 0;
    while (i < 10) { i++; k += 2; }
    j = 100;
    k++;
  }

becomes

  int a[10];
  unsigned i, j, k;
  int main() {
  L1: i = k = 0;
  L2: if (!(i < 10)) goto L4;
  L3: i++; k += 2; goto L2;
  L4: j = 100; k++;
  }
39
Modeling Software with PVS
3. Partition your program into basic blocks
4. Write a transition function for each basic block

  L1(c: C): C = c WITH [i := 0, k := 0]
  L2(c: C): C = c
  L3(c: C): C = c WITH [i := c`i + 1, k := c`k + 2]
  L4(c: C): C = c WITH [j := 100, k := c`k + 1]

(The state type C now also needs the fields j and k.)
40
Modeling Software with PVS
5. Combine the transition functions using a program counter

  add PC: PCt to C
  PCt: TYPE = {L1, L2, L3, L4, END}

  t(c: C): C =
    CASES c`PC OF
      L1: L1(c) WITH [PC := L2],
      L2: L2(c) WITH [PC := IF NOT (c`i < 10) THEN L4 ELSE L3 ENDIF],
      L3: L3(c) WITH [PC := L2],
      L4: L4(c) WITH [PC := END],
      END: c
    ENDCASES

Make sure the PC of the initial state is L1.
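Added example, not from the slides: the goto program of slides 38 to 40 modelled in Python exactly the way the slides model it in PVS: a state record C with the program variables and a program counter, one function per basic block, and t() dispatching on PC. run() iterates t until PC = END, which is the configuration sequence c(0), c(1), ... of slide 34 applied to software. The loop invariant k = 2*i at L2 and the step bound in run() are my additions; the slides defer termination to the next lecture.

```python
"""Python model of the goto program and its PC-based transition function (added example)."""


def L1(c):
    return {**c, "i": 0, "k": 0}


def L2(c):
    return c  # the test at L2 only decides the next PC


def L3(c):
    return {**c, "i": c["i"] + 1, "k": c["k"] + 2}


def L4(c):
    return {**c, "j": 100, "k": c["k"] + 1}


def t(c):
    """CASES c`PC OF ... ENDCASES from slide 40."""
    pc = c["PC"]
    if pc == "L1":
        return {**L1(c), "PC": "L2"}
    if pc == "L2":
        return {**L2(c), "PC": "L4" if not (c["i"] < 10) else "L3"}
    if pc == "L3":
        return {**L3(c), "PC": "L2"}
    if pc == "L4":
        return {**L4(c), "PC": "END"}
    return c  # END: the state is a fixpoint


def initial_state():
    """PC of the initial state must be L1. a, i, j, k are globals in the C
    program and therefore zero-initialised; the model starts them at 0 too."""
    return {"a": [0] * 10, "i": 0, "j": 0, "k": 0, "PC": "L1"}


def run(c, max_steps=1000):
    """Iterate t until PC = END. Returns (final state, number of steps).
    A program that does not terminate shows up here as the step bound
    being exceeded (the bound is mine; PVS would demand a termination proof)."""
    steps = 0
    while c["PC"] != "END":
        if steps >= max_steps:
            raise RuntimeError("step bound exceeded")
        c = t(c)
        steps += 1
    return c, steps


def invariant_at_L2(c):
    """Loop invariant (mine): k = 2*i whenever control is at L2."""
    return c["PC"] != "L2" or c["k"] == 2 * c["i"]


def check_invariant(c, max_steps=1000):
    """True if the invariant holds in every reachable configuration."""
    steps = 0
    while c["PC"] != "END" and steps < max_steps:
        if not invariant_at_L2(c):
            return False
        c = t(c)
        steps += 1
    return invariant_at_L2(c)


if __name__ == "__main__":
    final, steps = run(initial_state())
    print("final i, j, k:", final["i"], final["j"], final["k"], "after", steps, "steps")
    print("k = 2*i at L2 throughout:", check_invariant(initial_state()))
```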
41
Modeling Software with PVS
  • Next week
  • I/O in case of programs
  • Proving termination
  • Concurrent programs

43
The Gentzen Sequent

  {-1}  i(0)`reset
  {-2}  i(4)`reset
    |-------
  {1}   i(1)`reset
  {2}   i(2)`reset
  {3}   (c(2)`A AND NOT c(2)`B)

Conjunction (antecedents)  =>  Disjunction (consequents)

Or: reset is on in cycles 0 and 4 and off in cycles 1 and 2. Show that A and not B holds in cycle 2.
44
The Gentzen Sequent
  • COPY duplicates a formula. Why? When you instantiate a quantified
    formula, the original one is lost
  • DELETE removes unnecessary formulae: keep your proof easy to follow

45
Propositional Rules
  • BDDSIMP: simplify the propositional structure using BDDs
  • CASE: case splitting, usage (CASE "i!1 = 5")
  • FLATTEN: flattens conjunctions, disjunctions, and implications
  • IFF: convert a = b to a <=> b for a, b boolean
  • LIFT-IF: move case splits inside a formula up to the top

46
Quantifiers
  • INST: instantiate quantifiers
  • Do this if you have EXISTS in the consequent, or FORALL in the antecedent
  • Usage: (INST -1 "0" "100*x"), i.e. the formula number followed by one term per bound variable
  • SKOLEM!: introduce Skolem constants
  • Do this if you have FORALL in the consequent (and do not want
    induction), or EXISTS in the antecedent
  • If the type of the variable matters, use SKOLEM-TYPEPRED

47
Equality
  • REPLACE: if you have an equality in the antecedent, you can use REPLACE
  • Example: (REPLACE -1), with -1: l = r, replaces l by r
  • Example: (REPLACE -1 :dir RL), with -1: l = r, replaces r by l

48
Using Lemmas / Theorems
  • EXPAND: expand the definition
  • Example: (EXPAND "min")
  • LEMMA: add a lemma as an antecedent
  • Example: (LEMMA "my_lemma")
  • After that, instantiate the quantifiers with (INST -1 "x")
  • Try (USE "my_lemma"). It will try to guess how you want to instantiate

49
Induction
  • INDUCT: performs induction
  • Usage: (INDUCT "i")
  • There should be a FORALL i formula in the consequent
  • You get two subgoals, one for the induction base and one for the step
  • PVS comes with many induction schemes. Look in the prelude for the full list

50
What next
  • Webpage!
  • Installation instructions for PVS
  • Further reading
  • Homework assignment