1/24 An Introduction to PVS Charngki PSWLAB An Introduction to PVS Judy Crow, Sam Owre, John Rushby,...

1/24 An Introduction to PVS Charngki Hong @ PSWLAB

An Introduction to PVS

Judy Crow, Sam Owre, John Rushby, Natarajan Shankar, Mandayam SrivasComputer Science Laboratory, SRI International


Table of Contents

Introduction A brief tour of PVS PVS language More examples References


Introduction PVS stands for “Prototype Verification System” PVS

consists of a specification language integrated with support tools and theorem prover

is both interactive and highly mechanized: the user chooses each proving step and PVS performs it, displays the result, and then waits for the next command

The goal of PVS PVS is designed to help in the detection of errors

as well as in the confirmation of correctness


Table of Contents



A brief tour of PVS PVS has three steps to prove target specifica-

tions1. Creating a specification2. Typechecking3. Proving


A brief tour of PVS Creating a specification

1. Use M-x new-pvs-file command to create a new PVS file, and type a name of the file

2. or you can simply load a existing PVS file using M-x find-pvs-file command


A brief tour of PVS Create a sum.pvs file

specification for summation of the first n natural numberssum : THEORY

BEGINn : VAR natsum (n) : RECURSIVE nat = (IF n = 0 THEN 0 ELSE n + sum(n-1) EN-

DIF) MEASURE (LAMBDA n: n) closed_form: THEOREM sum(n) = (n *

(n+1) ) / 2END sum

used to show that the definition termi-nates


A brief tour of PVS Typechecking

1. M-x typecheck command to typecheck 2. M-x show-tccs command to see TCCs3. M-x typecheck-prove to prove TCCs

TCC Type Correctness Condition TCCs must be proved in order to show that the

theory is type correct The proofs of the TCCs may be postponed indefi-

nately


A brief tour of PVS Typechecking

TCCs

sum takes an argument of type nat, but the type of the argument in the recursive call to sum is integer, since nat is not closed under subtraction

Since sum is recursive form, we need to ensure this function terminates

% Subtype TCC generated (line 7) for n-1% unchecked

sum_TCC1 : OBLIGATION (FORALL (n: nat): NOT n=0 IMPLIES n-1 >= 0)

% Termination TCC generated (line 7) for sum% unchecked

sum_TCC2 : OBLIGATION (FORALL (n: nat): NOT n=0 IMPLIES n-1 < n)


A brief tour of PVS Proving

Place the cursor on the line containing the theo-rem, and type M-x prove

A new buffer will pop up, the formula will be dis-played, and the cursor will appear at the Rule? prompt, indicating that users can interact with the prover

The proving process is completed if there are no more unproven subgoals



1. Prove formula by induction on n

Generate 2 subgoals 1. base case2. inductive step



simplifies the for-mula

send the proof to the PVS decision proce-dure



To eliminate the FORALL quantifier skolem! command

Provide new constants for the bound variables flatten command

break up the succedent into a new antecedent and conse-quent

antecedentconsequent


Table of Contents



PVS language A simple example : the rational numbers

predicate subtyperats : THEORY

BEGIN rat : TYPE zero : rat / : [rat, rat rat] * : [rat, rat rat] x, y : VAR rat left_canclelation : AXIOM x * (y/x) = y zero_times : AXIOM zero * x = zeroEND rats

We need to con-sider divide by zero


PVS language A simple example : the rational numbers

predicate subtypesrats : THEORY

BEGIN rat : TYPE zero : rat nonzero : TYPE = { x | x /= zero } / : [rat, nonzero rat] * : [rat, rat rat] x, y : VAR rat left_canclelation : AXIOM x /= zero IMPLIES x * (y/x) = y zero_times : AXIOM zero * x = zeroEND rats

predicate subtype


PVS language Example : Stacks

Generic typestacks [t : TYPE] : THEORY

BEGIN stack : TYPE empty : stack s : VAR stack x : VAR t push : [t, stack stack] pop : [stack stack] top : [stack t] pop_push : AXIOM pop(push(x, s)) = s top_push : AXIOM top(push(x, s)) = xEND stacks

Generic type


PVS language Example : factorial

Recursive

The MEASURE function is used to show that the definition terminates, by generating an obligation that the MEASURE decreases with each call

factorial : THEORYBEGIN fac(x: nat) : RECURSIVE nat =

IF x = 0 THEN 1 ELSE x * fac(x-1) ENDIF

MEASURE (LAMBDA (x: nat): x)END factorial


Table of Contents



More examples Quantifier Proof

Original goal : FORALL x : P(x) AND Q(x) (FORALL x : P(x)) AND (FORALL x : Q(x))

After split command Subgoal 1 : FORALL x : P(x) AND Q(x) (FORALL x : P(x)) Subgoal 2 : FORALL x : P(x) AND Q(x) (FORALL x : Q(x))

predicate : THEORYBEGIN T : TYPE x, y, z : VAR T P, Q : [T bool] pred_calc : THEOREM

(FORALL x : P(x) AND Q(x)) IMPLIES (FORALL x : P(x)) AND (FORALL x : Q(x))END predicate


More examples Decision Procedures

i + 8 can be expressed as 3*m + 5*n i + 8 + 1 = 3*m’ + 5*n’ case n=0

i + 8 + 1 = 3*(m-3) + 5*2 subgoal 2.1 case n>0

i + 8 + 1 = 3*(m+2) + 5(n-1) subgoal 2.2

stamps : THEORY BEGIN

i, three, five : VAR natstamps : THEOREM ( FORALL i : (EXISTS three, five : i+8 = 3

* three + 5 * five )) END stamps


Table of Contents



References A Tutorial Introduction to PVS by Judy Crow,

Sam Owre, John Rushby, Natarajan Shankar and Mandayam Srivas, WIFT ‘95

1/24 An Introduction to PVS Charngki PSWLAB An Introduction to PVS Judy Crow, Sam Owre, John Rushby,...

Documents

Transcript of 1/24 An Introduction to PVS Charngki PSWLAB An Introduction to PVS Judy Crow, Sam Owre, John Rushby,...