ITPsession2-a.pdf

8/14/2019 ITPsession2-a.pdf

1/100

Introduction Algorithm Experimental Evaluation Discussion and Conclusions

Automated Specification Analysis Using anInteractive Theorem Prover

Harsh Raju Chamarthi and Pete Manolios

Northeastern University

October 31, 2011

1/101


2/100


Motivation Teaching freshmen how to reason

about programs using ACL2s

2/101


3/100




Success of QuickCheck

Counterexamp

les!!

3/101


4/100





Combining testing and theorem-proving(ACL2 2011 Workshop)

Counterexam

ples!!

4/101


5/100






Can we do even better?

Counterexam

ples!!

5/101

d l h l l d l


6/100






Can we do even better? Apply technology behind ACL2 to help

the regular programmer

Counterexam

ples!!

6/101

I t d ti Al ith E i t l E l ti Di i d C l i


7/100






Can we do even better? Apply technology behind ACL2 to help

the regular programmer

Counterexam

ples!!

7/101

I t d ti Al ith E i t l E l ti Di i d C l i


8/100


Overview

GoalAnalyse specifications - Find counterexamples!

8/101



9/100


Overview


The problem

What to do when theSearch Procedure

doesnt return an answer?

9/101



10/100


Overview


The problem



QuickCheck

10/101



11/100


Overview


The problem



QuickCheck

Decision Procedure

Constraint Solver

11/101



12/100


Overview


The problem



The main ideaReduce the search space and guide theprocedure towards a counterexample

QuickCheck

Decision Procedure

Constraint Solver

12/101



13/100

g p

The Main Idea

Property P Is P false?

Search Proc

13/101



14/100

g p

The Main Idea


Search Proc

Yes

14/101



15/100

The Main Idea


Search Proc

Yes

15/101



16/100

The Main Idea


Search Proc

Dont Know

16/101



17/100

The Main Idea


Search Proc

Dont Know

17/101



18/100

The Main Idea


Search Procedure

18/101



19/100

The Main Idea

Property P

Guide

19/101



20/100

The Main Idea


Guide

x1,x2, . . . ,xn

PP

20/101



21/100

The Main Idea


Guide

Select var

x1,x2, . . . ,xn

P

21/101



22/100

The Main Idea


Guide

Select var

Assign value

x1, 3, . . . ,xn

P

22/101



23/100

The Main Idea


Guide

Select var

Assign value

Simplify using ITPx1, . . . ,xn

P

23/101



24/100

The Main Idea


Guide

Select var

Assign value

Simplify using ITP

Inconsistent?

x1, . . . ,xn

P

24/101



25/100

The Main Idea


Guide

Backtrack!!

x1,x2, . . . ,xn

P

25/101



26/100

The Main Idea


Guide

Is P' false?

Searchx1, . . . ,xn

P

26/101



27/100

The Main Idea

Is P true?

ITP

P

27/101


28/100


29/100



30/100

The Main Idea

Is P true?

ITP

PDont Know

30/101


31/100


32/100



33/100

The Main Idea

Is P true?

ITP

P

p1

p2

...

pn

Is P false?

Search

33/101



34/100

Assumptions Specification languageL

Multi-sorted first-order logic Extensible Executable

34/101



35/100



35/101



36/100


Multi-sorted first-order logic Extensible -- can introduce new function and predicate symbols

using well-founded recursive definitions Executable

36/101



37/100



37/101



38/100



Properties of formhyp1 hypnconcl

No nested quantifiers Implicitly universally quantified

38/101



39/100





39/101



40/100





An Interactive Theorem Prover (ITP) that can reason aboutspecifications inL.

Smash

Simplify

40/101



41/100






Smash takes as input agoal, a formula written inL, and returns

a list of equi-validsubgoals. Simplify

41/101



42/100






Smash takes as input agoal, a formula written inL, and returns

a list of equi-validsubgoals. Simplify takes as input anL-formula,c, and a list of formulas,H,and returns asimplifiedformula that is equivalent tocassumingHare true.

42/101



43/100

Example

Property

x= hash(y)

y= hash(z)x+y=v2

z > 10

w < min(x,y)

w < z

P

Select?

A

43/101


44/100



45/100

Example

Property

x= hash(y)

y= hash(z)x+y=v2

z > 10

w < min(x,y)

w < z

P W

V

Y

Z

X

Equality dependency Graph

W

Z

V

Rest dependency G

Select?

A

45/101



46/100

Example

Property

x= hash(y)

y= hash(z)x+y=v2

z > 10

w < min(x,y)

w < z

P W

V

Y

Z

X


W

Z

V

Rest dependency G

Selectz

A

46/101



47/100

Example

W

V

Y

Z

X


W

Z

V

Rest dependency G

Property

x= hash(y)

y= hash(z)x+y=v2

z > 10

w < min(x,y)

w < z

P

Assign?

A

47/101


48/100


l


49/100

Example

Property

x= hash(y)y= hash(34)

x+y=v2

w < min(x,y)

w < 34

P'

Propagate with Simplify

A

49/101


E l


50/100

Example

Propagate with Simplify

A

Property

x= 3623878690

y= 268959709

x+ 268959709=v2

if(x < 268959709)

w < x

w < 268959709

w < 34

P'

50/101


E l


51/100

Example

A

Property

x= 3623878690

y= 268959709

x+ 268959709=v

2

if(x < 268959709)

w < x

w < 268959709

w < 34

P'

Inconsistent?

51/101


E l


52/100

Example

A

Property

x= 3623878690

y= 268959709

x+ 268959709=v

2

if(x < 268959709)

w < x

w < 268959709

w < 34

P'

Update Assignment

z= 34A

52/101


Top le el Analyze algorithm


53/100

Top-level Analyze algorithm

Input: PropertyP, SummarysummaryOutput: Status, Summary of the analysis ofP

ifPis closed then return AnalyzeConst(P)

initializeSearch till ...ifStopCond(summary)then return (done,summary)

DecomposePinto subgoals using ITPIf progress then Recurse on each subgoalreturn (not-done,summary)

53/101


Top level Analyze algorithm


54/100






54/101




55/100




n,status:= 0, not-doneSearch till ...ifStopCond(summary)then return (done,summary)


55/101




56/100




initializeSearch till...ifStopCond(summary)then return (done,summary)


56/101




57/100




initializewhileStopCond(summary) n slimitdo

A, n:= Search(P), n+ 1summary:= updateA(summary, P,A)

ifStopCond(summary)then return (done,summary)


57/101


58/100




59/100






59/101




60/100





S:= Smash(P)summary:= updateS(summary, P, S)If progress then Recurse on each subgoalreturn (not-done,summary)

60/101




61/100





DecomposePinto subgoals ...If progress then Recurse on each subgoalreturn (not-done,summary)

61/101




62/100





DecomposePinto subgoals ...ifS={P} then

for allp Sdostatus,summary:= Analyze(p,summary)ifstatus= done then return (done,summary)

return (not-done,summary)

62/101




63/100

op eve a y e a go t




DecomposePinto subgoals ...If progress then Recurse on each subgoal ...return (not-done,summary)

63/101


Search Algorithm


64/100

g

Input: PropertyPwith at least one free variableOutput: A counterexample (assignment) orfail

local StackAof (var, val, # assigns, type, property)Initialize and Select first variableIteratively construct counterexample orfail


Search Algorithm


65/100

g


local StackAof (var, val, # assigns, type, property)Initialize and Select first variableIteratively construct counterexample orfail


66/100


Search Algorithm


67/100

g


local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)Iteratively construct counterexample orfail


Search Algorithm


68/100


local StackAof (var, val, # assigns, type, property)A, i,x:= [], 0,Select(P)while true do

v, t:= Assign(x, P)P :=Propagate(x, v, P)ifinconsistent(P)then

Extend A, continue search if not doneelse ifA= []then

backtrackfailif ...

68/101


69/100


70/100


71/100


Search Algorithm


72/100

Input: PropertyPwith at least one free variable

Output: A counterexample (assignment) orfaillocal StackAof (var, val, # assigns, type, property)

A, i,x:= [], 0,Select(P)while true do

v, t:= Assign(x, P)

P

:=Propagate(x, v, P)ifinconsistent(P)thenift= ``decision" theni:= i+ 1

A:= push((x, v, i, t, P),A)ifAis completethen returnA

i, P,x:= 0, P

,Select(P

)else ifA= []thenbacktrack

failif ...

72/101


Search Algorithm


73/100





backtrackfailif ...

73/101


Search Algorithm


74/100

Input: PropertyPwith at least one free variable

Output: A counterexample (assignment) orfaillocal StackAof (var, val, # assigns, type, property)

A, i,x:= [], 0,Select(P)while true do

v, t:= Assign(x, P)

P

:=Propagate(x, v, P)ifinconsistent(P)thenExtend A, continue search if not done

else ifA= []thenrepeat

(x, , i, t, P) :=head(A)A:= pop(A)

until(t= ``decision" i blimit) A= []

failif ...

74/101


Search Algorithm


75/100





backtrackfailif ...

75/101


Search Algorithm


76/100





backtrack

ifA= [] (t= ``implied" i > blimit)thenreturnfail

76/101


Select AlgorithmI t P t P ith t l t f i bl


77/100

Input: PropertyPwith at least one free variableOutput: A free variable inP

ifh hyps(P)of formx= cthen returnx

77/101


Select AlgorithmI t P t P ith t l t f i bl


78/100


ifh hyps(P)of formx= cthen returnx

78/101


Select AlgorithmI t: P t P ith t l t f i bl


79/100


ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))

1. Case:x = y. Addx y.

2. Case:x = ftermy freeVars(fterm)andx /freeVars(fterm)addx y

79/101


Select AlgorithmInput: Property P with at least one free variable


80/100


ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))Do SCC onG=, collect the leaf components inL

leaves= :=pickxfrom eachl L

80/101 Introduction Algorithm Experimental Evaluation Discussion and Conclusions



81/100


ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))SCC onG=G :=RestDependencyGraph(P, leaves=)

1. x ywhere {,}: No edge

2. x ftermsuch thatis a binary relation,y freeVars(fterm)andx /freeVars(fterm):Addx y

3. R(term1, term2, . . ., termn), such thatx freeVars(termi),y freeVars(termj),i=j,n 2andRis an arbitrary n-ary relation: Add

x y.




82/100


ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))SCC onG=G :=RestDependencyGraph(P, leaves=)Do SCC onGto get dagD




83/100


ifh hyps(P)of formx= cthen returnxG=:=EqualityDependencyGraph(P, vars(P))SCC onG=G :=RestDependencyGraph(P, leaves=)Do SCC onGto get dagD

X:=the leaf inDwith maximumi=valuereturnX

i=(x) denotes number of nodes that canreach it inG=i=(X) denotes max value of i= amongnodes X


Hardware: Finding hazards in a pipeline


84/100

Analysing a 3-stage Pipeline

1. Fetch

2. Read

3. Execute/Write-back




85/100


1. Fetch

2. Read


Primary Concern

Avoid resource conflicts (Data/Control hazards)




86/100


1. Fetch

2. Read


Primary Concern


Correctness

Show all behaviors of MA are observationally equivalent tobehaviors of ISA




87/100

Primary Concern


CorrectnessShow all behaviors of MA are observationally equivalent tobehaviors of ISA

Can we find design errors that lead to hazards?

1. Assuming designer has modelled both ISA and MA

2. Formalize above correctness condition

3. Analyze it using our method (demo)




88/100

Primary Concern


CorrectnessShow all behaviors of MA are observationally equivalent tobehaviors of ISA

Can we find design errors that lead to hazards?

Observations

1. No assertions were written

2. No lemmas were specified

3. No manual tests or test driver given.


Software: Comparison with Alloy

ll


89/100

Alloy

Alloy is a declarative modeling language based on sets andrelations (relational logic with transitive closure)

Used for describing and analyzing high-level specifications anddesigns.

Automatic Analysis

Given a bound on # model elements, calledscope, Alloy models (andits specifications) translated into Boolean formulas and shipped tooff-the-shelf SAT solvers.




90/100

Alloy Analyzer Our method

Property Scope Time Result Time ResultdelUndoesAdd 25 26.41 -- 0.07 QEDaddIdempotent 25 37.76 -- 0.19 QED

addLocal 3 0.08 CE 1.35 CElookupYields 3 0.05 CE 0.83 CE

writeRead 34 99.69 -- 0.02 QED

writeIdempotent 33 44.13 -- 0.01 QEDhidePreservesInv 61 24.91 -- 0.26 QED

cutPaste 3 0.20 CE 0.49 CEpasteCut 3 0.20 CE 1.38 CE

pasteAffectsHidden 27 117.63 -- 0.42 QEDmarkSweepSound 8 47.34 -- 0.28 QED

markSweepComplete 7 58.12 -- 0.34 QED

Table: Comparison with Alloy Analyzer (AA)

90/101


91/100



M th d l


92/100

Methodology

Modeled above examples in ACL2, mimicking original formulation inAlloy.Usedsettypes andmaptypesi.e., binary relations, provided by ourdata definition framework.



Ob ti


93/100

Observations

1. The ordered sets and records library in ACL2 distribution,powerful enough to prove all the properties that Alloy positsare true

2. No intermediate lemmas provided, no hint or guidance offered

to the theorem prover3. Highlights effectiveness of powerful libraries by the tool-writer

put to use by the choice of right abstractions by theprogrammer


Discussion on the advantages of using ITP


94/100

Prune away huge subspaces

Extensible

Domain-specific lemma libraries powerful domain-specificreasoning

User can also help formalize facts/insight




95/100


Extensible






96/100


Extensible





h b


97/100


Extensible





h b


98/100


Extensible



98/101


99/100


The End


100/100

Thank you

100/101

ITPsession2-a.pdf

Documents

Transcript of ITPsession2-a.pdf