CSE 8389 Theorem Proving Peter-Michael Seidel
description
Transcript of CSE 8389 Theorem Proving Peter-Michael Seidel
![Page 1: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/1.jpg)
CSE 8389 Theorem Proving - Seidel Spring 2005 1
CSE 8389
Theorem Proving
Peter-Michael Seidel
![Page 2: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/2.jpg)
PVS Workflow
PVS File: System, Properties → PROOFS
Conversion of the system (program, circuit, protocol, …) and the property into a PVS file. Can be automated or done manually.
Proof construction: interaction with the theorem prover.
![Page 4: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/4.jpg)
The PVS Language
There are two languages:
1. The language to write definitions and theorems (the "definition language")
2. The language to prove theorems (the "proof language")
They have nothing to do with each other.
The definition language looks like "normal math" (a translator to LaTeX is built in).
The proof language looks like LISP.
![Page 5: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/5.jpg)
Theorem Proving
The goal is to show that a theorem T is a tautology, |= T, or that it follows from the assumptions and axioms F1, …, Fk: F1, …, Fk |= T.
PVS operates on sequents of the form F1, …, Fk |- G1, …, Gl, where F1, …, Fk are the antecedents (axioms, assumptions) and G1, …, Gl are the consequents (theorem).
Meaning: the disjunction of the consequents is a logical consequence of the conjunction of the antecedents,
$$F_1 \wedge F_2 \wedge \dots \wedge F_k \;\Rightarrow\; G_1 \vee G_2 \vee \dots \vee G_l$$
Initial sequent (to show theorem T): |- T
Antecedents and consequents are HOL formulas.
![Page 6: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/6.jpg)
Proof Trees
Sequents F1, …, Fk |- G1, …, Gl (antecedents on the left, consequents on the right) can be modified by PVS proof commands.
The result of a proof command is a (possibly empty) set of subsequents.
Initial sequent (show theorem): |- T
The repeated application of proof commands on sequents defines a tree.
A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof.
A theorem T is proven if all proof branches are closed.
![Page 7: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/7.jpg)
Sequents in PVS notation
    {-1} i(0)`reset
    {-2} i(4)`reset
    |-------
    {1} i(1)`reset
    {2} i(2)`reset
    {3} (c(2)`A AND NOT c(2)`B)
The antecedents (negative numbers, above the line) are read as a conjunction, the consequents (positive numbers, below the line) as a disjunction.
In words: reset is on in cycles 0 and 4, and either reset is on in cycle 1, or in cycle 2, or A and not B holds in cycle 2. Equivalently: reset is on in cycles 0 and 4 and off in cycles 1 and 2; show that A and not B holds in cycle 2.
![Page 8: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/8.jpg)
Example Gauss
Specifications (for any n > 0):
$$Sum(n) := \sum_{i=0}^{n} i, \qquad Recsum(n) := \begin{cases} 0 & \text{if } n = 0 \\ n + Recsum(n-1) & \text{otherwise} \end{cases}, \qquad Gauss(n) := \frac{n(n+1)}{2}$$
The same definitions in PVS:
    gauss: THEORY
    BEGIN
      IMPORTING bitvectors@sums
      n, i: VAR nat
      sum(n): nat = sigma(0, n, LAMBDA i: i)
      recsum(n): RECURSIVE nat = IF n = 0 THEN 0 ELSE n + recsum(n-1) ENDIF MEASURE n
      gauss(n): real = n * (n + 1) / 2
    END gauss
![Page 9: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/9.jpg)
Example Gauss
Specifications (for any n > 0):
$$Sum(n) := \sum_{i=0}^{n} i, \qquad Recsum(n) := \begin{cases} 0 & \text{if } n = 0 \\ n + Recsum(n-1) & \text{otherwise} \end{cases}, \qquad Gauss(n) := \frac{n(n+1)}{2}$$
Theorems, for all n > 0:
$$Sum(n) = Recsum(n) = Gauss(n)$$
![Page 10: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/10.jpg)
Example Gauss
Theorems, for all n > 0: Sum(n) = Recsum(n) = Gauss(n)
    gauss: THEORY …
      sum_is_recsum: LEMMA sum(n) = recsum(n)
      recsum_is_gauss: LEMMA recsum(n) = gauss(n)
      sum_is_gauss: THEOREM sum(n) = gauss(n)
    END gauss
![Page 11: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/11.jpg)
Example Gauss
sum_is_recsum: Lemma sum(n) = recsum(n)
Definitions:
$$Sum(n) := \sum_{i=0}^{n} i, \qquad Recsum(n) := \begin{cases} 0 & \text{if } n = 0 \\ n + Recsum(n-1) & \text{otherwise} \end{cases}$$
The recursive definition suggests induction.
Induction basis
![Page 12: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/12.jpg)
Example Gauss
sum_is_recsum: Lemma sum(n) = recsum(n)
Definitions:
$$Sum(n) := \sum_{i=0}^{n} i, \qquad Recsum(n) := \begin{cases} 0 & \text{if } n = 0 \\ n + Recsum(n-1) & \text{otherwise} \end{cases}$$
Sum(0) = ??   Recsum(0) = ??
![Page 13: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/13.jpg)
Example Gauss
sum_is_recsum: Lemma sum(n) = recsum(n)
Induction step
(Pages 14 to 22 repeat the heading "Example Gauss, sum_is_recsum: Lemma sum(n) = recsum(n)"; the proof steps on those slides exist only as images.)
![Page 23: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/23.jpg)
Example Gauss
Theorems, for all n > 0: Sum(n) = Recsum(n) = Gauss(n)
    gauss: THEORY …
      sum_is_recsum: LEMMA sum(n) = recsum(n)
      recsum_is_gauss: LEMMA recsum(n) = gauss(n)
      sum_is_gauss: THEOREM sum(n) = gauss(n)
    END gauss
![Page 24: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/24.jpg)
Example Gauss
recsum_is_gauss: Lemma recsum(n) = gauss(n)
Definitions:
$$Recsum(n) := \begin{cases} 0 & \text{if } n = 0 \\ n + Recsum(n-1) & \text{otherwise} \end{cases}, \qquad Gauss(n) := \frac{n(n+1)}{2}$$
The recursive definition suggests induction.
more powerful
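The two induction proofs written out, as an added worked derivation that is not on the slides (the slides show the interactive PVS proofs only as screenshots). Both follow the shape of the induction proof tree PVS produces from (INDUCT "n"): a basis branch for n = 0 and a step branch in which the induction hypothesis (IH) for n is an antecedent and the claim for n + 1 is the consequent; in PVS the recursive definition is unfolded with (EXPAND "recsum").

sum_is_recsum:
$$\text{Basis: } Sum(0) = \sum_{i=0}^{0} i = 0 = Recsum(0)$$
$$\text{Step: } Sum(n+1) = \sum_{i=0}^{n+1} i = \sum_{i=0}^{n} i + (n+1) = Sum(n) + (n+1) \overset{\text{IH}}{=} Recsum(n) + (n+1) = Recsum(n+1)$$

recsum_is_gauss:
$$\text{Basis: } Recsum(0) = 0 = \frac{0 \cdot 1}{2} = Gauss(0)$$
$$\text{Step: } Recsum(n+1) = (n+1) + Recsum(n) \overset{\text{IH}}{=} (n+1) + \frac{n(n+1)}{2} = \frac{(n+1)(n+2)}{2} = Gauss(n+1)$$

sum_is_gauss then needs no induction of its own: bring both lemmas into the sequent with (LEMMA "sum_is_recsum") and (LEMMA "recsum_is_gauss"), instantiate them with the same n, and rewrite with (REPLACE); the conclusion sum(n) = gauss(n) follows by transitivity of equality.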
![Page 25: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/25.jpg)
Example Gauss
Theorems, for all n > 0: Sum(n) = Recsum(n) = Gauss(n)
    gauss: THEORY …
      sum_is_recsum: LEMMA sum(n) = recsum(n)
      recsum_is_gauss: LEMMA recsum(n) = gauss(n)
      sum_is_gauss: THEOREM sum(n) = gauss(n)
    END gauss
![Page 26: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/26.jpg)
Example Gauss
sum_is_gauss: Lemma sum(n) = gauss(n)
![Page 27: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/27.jpg)
Proof Trees
sum_is_gauss is closed using the two lemmas sum_is_recsum and recsum_is_gauss; each of the lemmas has its own proof tree.
![Page 28: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/28.jpg)
Proof commands
COPY duplicates a formula. Why? When you instantiate a quantified formula, the original one is lost from the visible sequent.
DELETE removes unnecessary formulae; keep your proof easy to follow.
![Page 29: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/29.jpg)
Propositional Rules
BDDSIMP: simplify the propositional structure using BDDs
CASE: case splitting. Usage: (CASE "i!1=5")
FLATTEN: flattens conjunctions, disjunctions, and implications
IFF: convert a = b to a <=> b for boolean a, b
LIFT-IF: move case splits inside a formula up
![Page 30: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/30.jpg)
Quantifiers
INST: instantiate quantifiers. Do this if you have EXISTS in the consequent, or FORALL in the antecedent. Usage: (INST -10 "100+x")
SKOLEM!: introduce Skolem constants. Do this if you have FORALL in the consequent (and do not want induction), or EXISTS in the antecedent. If the type of the variable matters, use SKOLEM-TYPEPRED.
![Page 31: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/31.jpg)
Equality
REPLACE: if you have an equality in the antecedent, you can use REPLACE.
Example: (REPLACE -1) with {-1} l = r replaces l by r.
Example: (REPLACE -1 RL) with {-1} l = r replaces r by l.
![Page 32: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/32.jpg)
Using Lemmas / Theorems
EXPAND: expand a definition. Example: (EXPAND "min")
LEMMA: add a lemma as an antecedent. Example: (LEMMA "my_lemma"). After that, instantiate the quantifiers with (INST -1 "x").
Try (USE "my_lemma"): it will try to guess how you want to instantiate.
![Page 33: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/33.jpg)
Induction
INDUCT: performs induction. Usage: (INDUCT "i")
There should be a FORALL i: … formula in the consequent.
You get two subgoals, one for the induction basis and one for the step.
PVS comes with many induction schemes. Look in the prelude for the full list.
![Page 34: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/34.jpg)
The Magic of (GRIND)
Myth: GRIND does it all…
Reality: use it when only case splitting, skolemization, expansion, and trivial instantiations are left.
It does not do induction.
It does not apply lemmas.
"… frequently used to automatically complete a proof branch …"
![Page 35: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/35.jpg)
The Magic of (GRIND)
If it goes wrong, you can get unprovable subgoals, or it might expand recursions forever.
How to abort? Hit Ctrl-C twice, then (restore).
How to make it succeed? Before running (GRIND), remove unnecessary parts of the sequent using (DELETE fnum). This prevents GRIND from making wrong instantiations and expanding the wrong definitions.
![Page 36: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/36.jpg)
Proof Trees
Induction proof, starting from the sequent |- FORALL (n: nat): T(n), yields two branches:
Induction basis (n = 0): |- T(0)
Induction step: T(n*) |- T(n* + 1)
![Page 37: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/37.jpg)
Number representations
Natural number with binary representation a: bvec[n], PVS conversion bv2nat (written ⟨a⟩ on the following slides):
$$\mathrm{bv2nat}(a) = \langle a \rangle = \sum_{i=0}^{n-1} a(i) \cdot 2^{i}$$
Range of numbers which have a binary representation of length n: $\{0, \dots, 2^{n} - 1\}$
Integer with two's complement representation a: bvec[n], PVS conversion bv2int:
$$\mathrm{bv2int}(a) = -a(n-1) \cdot 2^{n-1} + \mathrm{bv2nat}(a^{\wedge}(n-2, 0))$$
Range of numbers with two's complement representation of length n: $\{-2^{n-1}, \dots, 2^{n-1} - 1\}$
![Page 38: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/38.jpg)
Lemmas from Bitvector Library
Lemma 1
Lemma 2
Lemma 3
Lemma 4
![Page 39: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/39.jpg)
Lemmas from Bitvector Library
Lemma 5
Lemma 6
Lemma 7
Lemma 8
![Page 40: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/40.jpg)
Lemmas from Bitvector Library
Lemma 9
Lemma 10
Lemma 11
Lemma 12
![Page 41: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/41.jpg)
Ripple Carry Adder
Specification: the n+1 bit sum s[n:0] of a[n-1:0], b[n-1:0] and the carry-in satisfies
$$\langle s[n:0] \rangle = \langle a[n-1:0] \rangle + \langle b[n-1:0] \rangle + c_{in}$$
Derivation (pages 41 to 49 build it up one line per slide). Each full adder in position k satisfies $a[k] + b[k] + c[k] = \langle (c[k+1], s[k]) \rangle = 2 \cdot c[k+1] + s[k]$, with $c[0] = c_{in}$ and $s[n] = c[n]$:
$$\begin{aligned}
\langle s[n:0] \rangle &= \langle a[n-1:0] \rangle + \langle b[n-1:0] \rangle + c_{in} \\
&= \langle a[n-1:1] \rangle \cdot 2 + a[0] + \langle b[n-1:1] \rangle \cdot 2 + b[0] + c_{in} \\
&= \langle a[n-1:1] \rangle \cdot 2 + \langle b[n-1:1] \rangle \cdot 2 + a[0] + b[0] + c_{in} \\
&= \langle a[n-1:1] \rangle \cdot 2 + \langle b[n-1:1] \rangle \cdot 2 + \langle (c[1], s[0]) \rangle \\
&= (\langle a[n-1:1] \rangle + \langle b[n-1:1] \rangle + c[1]) \cdot 2 + s[0] \\
&= ((\langle a[n-1:2] \rangle + \langle b[n-1:2] \rangle + c[2]) \cdot 2 + s[1]) \cdot 2 + s[0] \\
&= (\langle a[n-1:2] \rangle + \langle b[n-1:2] \rangle + c[2]) \cdot 2^{2} + s[1] \cdot 2 + s[0] \\
&= (\langle a[n-1:2] \rangle + \langle b[n-1:2] \rangle + c[2]) \cdot 2^{2} + \langle s[1:0] \rangle \\
&\;\;\vdots \\
&= (\langle a[n-1:k] \rangle + \langle b[n-1:k] \rangle + c[k]) \cdot 2^{k} + \langle s[k-1:0] \rangle \\
&= \langle (c[n], s[n-1:0]) \rangle \qquad (k = n)
\end{aligned}$$
The general line is the invariant proven by induction on k; at k = n the remaining upper part is empty and the carry c[n] becomes the top sum bit s[n].
![Page 50: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/50.jpg)
Conditional Sum Adder
Main principle: pre-computing the upper sums for the cases c[k] = 1 and c[k] = 0.
Assume n is a power of 2. Specification as before:
$$\langle s[n:0] \rangle = \langle a[n-1:0] \rangle + \langle b[n-1:0] \rangle + c_{in}$$
Derivation (pages 50 to 57 build it up one line per slide), splitting both operands into an upper and a lower half:
$$\begin{aligned}
\langle s[n:0] \rangle &= \langle a[n-1:0] \rangle + \langle b[n-1:0] \rangle + c_{in} \\
&= \langle a[n-1:n/2] \rangle \cdot 2^{n/2} + \langle a[n/2-1:0] \rangle + \langle b[n-1:n/2] \rangle \cdot 2^{n/2} + \langle b[n/2-1:0] \rangle + c_{in} \\
&= (\langle a[n-1:n/2] \rangle + \langle b[n-1:n/2] \rangle) \cdot 2^{n/2} + \langle a[n/2-1:0] \rangle + \langle b[n/2-1:0] \rangle + c_{in} \\
&= (\langle a[n-1:n/2] \rangle + \langle b[n-1:n/2] \rangle) \cdot 2^{n/2} + \langle (c[n/2], s[n/2-1:0]) \rangle \\
&= (\langle a[n-1:n/2] \rangle + \langle b[n-1:n/2] \rangle) \cdot 2^{n/2} + c[n/2] \cdot 2^{n/2} + \langle s[n/2-1:0] \rangle \\
&= (\langle a[n-1:n/2] \rangle + \langle b[n-1:n/2] \rangle + c[n/2]) \cdot 2^{n/2} + \langle s[n/2-1:0] \rangle
\end{aligned}$$
The lower half is an n/2 bit adder producing s[n/2-1:0] and the carry c[n/2]; the upper half therefore is
$$\langle s[n:n/2] \rangle = \begin{cases} \langle a[n-1:n/2] \rangle + \langle b[n-1:n/2] \rangle & \text{if } c[n/2] = 0 \\ \langle a[n-1:n/2] \rangle + \langle b[n-1:n/2] \rangle + 1 & \text{if } c[n/2] = 1 \end{cases}$$
Both upper sums can be computed in parallel with the lower half, and c[n/2] selects one of them.
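The number representations (page 37) and both adder derivations (pages 41 to 58) as executable Python, added here as an illustration; this is not code from the lecture and not the PVS bitvector library. Bit vectors are modelled as lists with bit i at index i (an assumption of this example), ⟨·⟩ is bv2nat, and instead of a PVS proof the specification equation is checked exhaustively for small widths, which is a bounded check, not a proof. The last function shows why bv2int matters in practice: two's-complement overflow is invisible in the sum bits and only shows up when the result is re-interpreted.

```python
"""Bit-vector arithmetic from the slides, checked exhaustively for small widths."""
from itertools import product


def bv2nat(a):
    """<a[n-1:0]> = sum_{i=0}^{n-1} a[i] * 2^i  (PVS bv2nat)."""
    return sum(bit << i for i, bit in enumerate(a))


def bv2int(a):
    """Two's complement: -a[n-1] * 2^(n-1) + <a[n-2:0]>  (PVS bv2int)."""
    n = len(a)
    return -a[n - 1] * (1 << (n - 1)) + bv2nat(a[: n - 1])


def full_adder(x, y, c):
    """One full adder: x + y + c = 2 * carry + s."""
    s = x ^ y ^ c
    carry = (x & y) | (x & c) | (y & c)
    return s, carry


def ripple_carry_adder(a, b, c_in):
    """Return s[n:0] (n+1 bits) with <s[n:0]> = <a> + <b> + c_in.

    c is the carry into bit k, so after k iterations the slides' invariant
    <a> + <b> + c_in = (<a[n-1:k]> + <b[n-1:k]> + c[k]) * 2^k + <s[k-1:0]> holds.
    """
    s, c = [], c_in
    for k in range(len(a)):
        bit, c = full_adder(a[k], b[k], c)
        s.append(bit)
    s.append(c)  # s[n] = c[n]
    return s


def conditional_sum_adder(a, b, c_in):
    """Recursive conditional-sum adder; width n must be a power of two.

    Both upper-half sums (carry 0 and carry 1) are computed; the carry-out
    c[n/2] of the lower half selects one of them, as on the slides.
    """
    n = len(a)
    if n == 1:
        s, c = full_adder(a[0], b[0], c_in)
        return [s, c]
    h = n // 2
    low = conditional_sum_adder(a[:h], b[:h], c_in)  # s[h-1:0] followed by c[h]
    upper0 = conditional_sum_adder(a[h:], b[h:], 0)
    upper1 = conditional_sum_adder(a[h:], b[h:], 1)
    upper = upper1 if low[h] == 1 else upper0
    return low[:h] + upper  # s[h-1:0] ++ s[n:h]


def check_adders(n):
    """Check both adders against the specification for every input of width n.

    Returns the number of (a, b, c_in) triples checked; raises on a mismatch.
    """
    count = 0
    for a in product((0, 1), repeat=n):
        for b in product((0, 1), repeat=n):
            for c_in in (0, 1):
                spec = bv2nat(a) + bv2nat(b) + c_in
                assert bv2nat(ripple_carry_adder(list(a), list(b), c_in)) == spec
                if n & (n - 1) == 0:  # power of two: the conditional-sum adder applies
                    assert bv2nat(conditional_sum_adder(list(a), list(b), c_in)) == spec
                count += 1
    return count


def signed_overflow(a, b):
    """True iff the n-bit two's-complement sum of a and b is not the mathematical sum.

    The adder itself never fails; the n low sum bits are always correct modulo 2^n.
    The error appears only when the result is read back through bv2int.
    """
    n = len(a)
    s = ripple_carry_adder(a, b, 0)
    return bv2int(s[:n]) != bv2int(a) + bv2int(b)
```

check_adders(4) runs 512 cases in well under a second; for a real 32- or 64-bit adder the same equation is what the PVS proof (induction on k for the ripple-carry adder, on the width for the conditional-sum adder) establishes for all inputs at once.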
![Page 59: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/59.jpg)
Modeling Hardware with PVS
Combinational hardware: no latches, the circuit is loop-free. Examples: arithmetic circuits, ALUs, …
Clocked circuits: combinational part + registers (latches). Examples: processors, controllers, …
![Page 60: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/60.jpg)
Modeling Hardware with PVS
Idea: model combinational circuits using functions on bit vectors.
    f(A, B, reset: bit): bit = IF NOT(reset) THEN (NOT A) OR B ELSE false ENDIF
Translation from/to Verilog, VHDL, etc. is easy.
![Page 62: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/62.jpg)
Clocked Circuits
Example trace; the row T = 4 is the configuration in cycle 4:

| T | reset | A | B |
|---|-------|---|---|
| 0 | 1 | ? | ? |
| 1 | 0 | 0 | 0 |
| 2 | 0 | 1 | 0 |
| 3 | 0 | 0 | 1 |
| 4 | 0 | 1 | 1 |
| 5 | 0 | 1 | 1 |
![Page 63: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/63.jpg)
Clocked Circuits
1. Define types for STATE and INPUTS:
    C: TYPE = [# A, B: bit #]
    I: TYPE = [# reset: bit #]
2. Define the transition function:
    t(c: C, i: I): C =
      (# A := IF i`reset THEN false ELSE (NOT c`A) OR c`B ENDIF,
         B := IF i`reset THEN false ELSE c`A OR c`B ENDIF #)
![Page 64: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/64.jpg)
Clocked Circuits
3. Define the initial state and the inputs:
    initial: C
    i: [nat -> I]
4. Define the configuration sequence:
    c(T: nat): RECURSIVE C = IF T = 0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T
![Page 65: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/65.jpg)
Clocked Circuits
    c(T: nat): RECURSIVE C = IF T = 0 THEN initial ELSE t(c(T-1), i(T-1)) ENDIF MEASURE T
5. Prove things about this sequence:
    c_lem: LEMMA (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)`A AND NOT c(2)`B)
You can also verify invariants, even temporal properties, that way.
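The five-step clocked-circuit model (pages 63 to 65) as executable Python, added here as an illustration; it is not the lecture's PVS theory. State C, input I, the transition function t and the configuration sequence c(T) mirror the PVS definitions one to one. The slides leave `initial` unconstrained, so this example fixes it to A = B = false (an assumption). Instead of proving c_lem, the example evaluates it for every reset sequence of the length the lemma mentions, which is exhaustive here only because the input space is eight sequences; for a real design the PVS proof is what covers all inputs.

```python
"""Clocked circuit from the slides: state, transition function, configuration sequence."""
from itertools import product
from typing import Callable, NamedTuple, Sequence


class C(NamedTuple):  # C: TYPE = [# A, B: bit #]
    A: bool
    B: bool


class I(NamedTuple):  # I: TYPE = [# reset: bit #]
    reset: bool


def t(c: C, i: I) -> C:
    """Transition function: one clock cycle of the circuit on page 63."""
    if i.reset:
        return C(A=False, B=False)
    return C(A=(not c.A) or c.B, B=c.A or c.B)


# Assumption of this example: the slides do not fix `initial`.
INITIAL = C(A=False, B=False)


def c(T: int, i: Callable[[int], I]) -> C:
    """Configuration sequence: c(0) = initial, c(T) = t(c(T-1), i(T-1))."""
    state = INITIAL
    for k in range(T):
        state = t(state, i(k))
    return state


def trace(inputs: Sequence[I]) -> list:
    """Configurations c(0) .. c(len(inputs)) for a concrete input sequence (page 62 table)."""
    return [c(T, lambda k: inputs[k]) for T in range(len(inputs) + 1)]


def c_lem_holds(inputs: Sequence[I]) -> bool:
    """c_lem: (i(0)`reset AND NOT i(1)`reset AND NOT i(2)`reset) => (c(2)`A AND NOT c(2)`B)."""
    premise = inputs[0].reset and not inputs[1].reset and not inputs[2].reset
    c2 = c(2, lambda k: inputs[k])
    conclusion = c2.A and not c2.B
    return (not premise) or conclusion


def check_c_lem_all_inputs() -> int:
    """Evaluate c_lem for all 2^3 reset sequences of length 3; returns the count checked."""
    count = 0
    for bits in product((False, True), repeat=3):
        inputs = [I(reset=b) for b in bits]
        assert c_lem_holds(inputs), inputs
        count += 1
    return count
```

Note that c(2) depends only on i(0) and i(1); the lemma's third conjunct about i(2) is not needed, and the check passes regardless of `initial` because the reset in cycle 0 overwrites it.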
![Page 66: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/66.jpg)
Modeling Software with PVS
Software written in a functional language: take a subset of PVS and compile that.
Software written in a language like ANSI C, for example
    int f(int i) { int a[10] = { 0, … }; ... a[i] = 5; ... return a[0]; }
becomes
    f(i: int): int = LET a1 = LAMBDA (x: below(10)): 0 IN ... LET a2 = a1 WITH [(i) := 5] IN ... ai(0)
Note that a1 WITH [(i) := 5] only typechecks if i is provably in below(10): PVS generates a type-correctness condition for it, which is exactly the bounds check the C program does not perform.
What about loops?
![Page 67: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/67.jpg)
Modeling Software with PVS
1. Define a type for the STATE. For
    int a[10];
    unsigned i;
    int main() { . . . }
use
    C: TYPE = [# a: [below(10) -> integer], i: nat #]
nat? Of course, bvec[32] is better.
![Page 68: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/68.jpg)
Modeling Software with PVS
2. Translate your program into a goto program.
    int a[10];
    unsigned i, j, k;
    int main() {
      i = k = 0;
      while (i < 10) { i++; k += 2; }
      j = 100; k++;
    }
becomes
    int a[10];
    unsigned i, j, k;
    int main() {
      L1: i = k = 0;
      L2: if (!(i < 10)) goto L4;
      L3: i++; k += 2; goto L2;
      L4: j = 100; k++;
    }
![Page 69: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/69.jpg)
Modeling Software with PVS
3. Partition your program into basic blocks.
    int a[10];
    unsigned i, j, k;
    int main() {
      L1: i = k = 0;
      L2: if (!(i < 10)) goto L4;
      L3: i++; k += 2; goto L2;
      L4: j = 100; k++;
    }
4. Write a transition function for each basic block.
    L1(c: C): C = c WITH [i := 0, k := 0]
    L2(c: C): C = c
    L3(c: C): C = c WITH [i := c`i + 1, k := c`k + 2]
    L4(c: C): C = c WITH [j := 100, k := c`k + 1]
![Page 70: CSE 8389 Theorem Proving Peter-Michael Seidel](https://reader035.fdocuments.in/reader035/viewer/2022062222/56814d4b550346895dba7752/html5/thumbnails/70.jpg)
Modeling Software with PVS
5. Combine the transition functions using a program counter.
    int a[10];
    unsigned i, j, k;
    int main() {
      L1: i = k = 0;
      L2: if (!(i < 10)) goto L4;
      L3: i++; k += 2; goto L2;
      L4: j = 100; k++;
    }
Add PC: PCt to the state C, with
    PCt: TYPE = { L1, L2, L3, L4, END }
    t(c: C): C =
      CASES c`PC OF
        L1: L1(c) WITH [PC := L2],
        L2: L2(c) WITH [PC := IF NOT (c`i < 10) THEN L4 ELSE L3 ENDIF],
        L3: L3(c) WITH [PC := L2],
        L4: L4(c) WITH [PC := END],
        END: c
      ENDCASES
Make sure the PC of the initial state is L1.
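The goto-program model of steps 1 to 5 (pages 67 to 70) as executable Python, added here as an illustration; it is not the lecture's PVS theory. The state is a frozen dataclass with the program variables and the PC, each basic block is a function on states, and t() dispatches on the PC exactly as the CASES expression does. The loop invariant k = 2·i at L2 is the kind of property a PVS proof would establish for all executions by induction on the number of transitions; this example only checks it along the one concrete run, which is enough to show what the invariant is and to catch a wrong block. The array a is carried in the state as on page 67 but never touched by this program.

```python
"""Goto program from the slides as a state-transition system with a program counter."""
from dataclasses import dataclass, replace
from enum import Enum, auto


class PCt(Enum):  # PCt: TYPE = { L1, L2, L3, L4, END }
    L1 = auto()
    L2 = auto()
    L3 = auto()
    L4 = auto()
    END = auto()


@dataclass(frozen=True)
class C:  # C: TYPE = [# a: [below(10) -> integer], i, j, k: nat, PC: PCt #]
    a: tuple = tuple([0] * 10)
    i: int = 0
    j: int = 0
    k: int = 0
    PC: PCt = PCt.L1  # the initial state must start at L1


# 4. one transition function per basic block (`c WITH [...]` is dataclasses.replace)
def L1(c: C) -> C:
    return replace(c, i=0, k=0)


def L2(c: C) -> C:
    return c


def L3(c: C) -> C:
    return replace(c, i=c.i + 1, k=c.k + 2)


def L4(c: C) -> C:
    return replace(c, j=100, k=c.k + 1)


# 5. combine the blocks using the program counter
def t(c: C) -> C:
    if c.PC is PCt.L1:
        return replace(L1(c), PC=PCt.L2)
    if c.PC is PCt.L2:
        return replace(L2(c), PC=PCt.L4 if not (c.i < 10) else PCt.L3)
    if c.PC is PCt.L3:
        return replace(L3(c), PC=PCt.L2)
    if c.PC is PCt.L4:
        return replace(L4(c), PC=PCt.END)
    return c  # END: c


def loop_invariant(c: C) -> bool:
    """Holds at the loop head L2 on every visit: k == 2*i and i <= 10."""
    return c.PC is not PCt.L2 or (c.k == 2 * c.i and c.i <= 10)


def run(initial: C = C(), max_steps: int = 1000) -> C:
    """Iterate t until PC = END, checking the invariant at every state.

    A bounded run: it demonstrates the model, it does not prove termination.
    """
    c = initial
    for _ in range(max_steps):
        assert loop_invariant(c), c
        if c.PC is PCt.END:
            return c
        c = t(c)
    raise RuntimeError("did not reach END within max_steps")
```

From the initial state the run needs 23 transitions and ends with i = 10, j = 100, k = 21; starting the same run from a state at L2 that violates k = 2·i makes the invariant check fail immediately, which is what an inductive invariant proof in PVS would refuse as an unprovable basis.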