CSE 8389 Theorem Proving, Peter-Michael Seidel - PowerPoint PPT Presentation

Provided by: petermich
Learn more at: http://engr.smu.edu
1
CSE 8389 Theorem Proving, Peter-Michael Seidel

2
Syntax vs Semantics
  • Syntax
  • a.k.a. formation rules, grammar
  • prescribes what a well-formed formula is (syntactically)
  • Semantics
  • the meaning of well-formed formulas
  • defined via a mapping called interpretation

3
Propositional Logic Syntax
propositional logic <logic> (or "propositional calculus") A system of symbolic logic using symbols to stand for whole propositions and logical connectives. Propositional logic only considers whether a proposition is true or false. In contrast to predicate logic, it does not consider the internal structure of propositions.
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?propositional+logic
  • Logical symbols
  • conjunction ∧, disjunction ∨, negation ¬,
  • implication →, equivalence ↔, parentheses ( )
  • Non-logical symbols
  • propositional variables p, q, r, ...
  • signature: the set of propositional variables Σ = {p, q, r, ...}
  • Formation rules for well-formed formulas (wff)
  • an atomic formula (propositional variable) is a formula
  • if F, G are formulas, so are
  • F ∧ G, F ∨ G, ¬F, F → G, F ↔ G, (F)

4
Propositional Logic Semantics
  • Propositions can be assigned a truth-value
  • either true or false (classical 2-valued logic: tertium non datur)
  • other propositional logics exist: 3-valued, 4-valued, temporal (modal logics), ..., fuzzy logic
  • An interpretation I over a signature Σ is a mapping
  • I: Σ → {true, false}, associating a truth value to every propositional variable
  • Truth tables describe how to extend I from atomic to composite formulas (Boolean Algebra)
  • F ∧ G, F ∨ G, ¬F, F → G, F ↔ G

5
Boolean Algebra, Truth Tables
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?two-valued+logic
6
Different Logical Bases
  • Often
  • ∧, ∨, ¬
  • Alternatively
  • ¬, ∧
  • ¬, ∨
  • NAND
  • NOR
  • XOR
  • ite(A,B,C) = if A then B else C

7
Reasoning in Propositional Logic
  • A formula F is
  • valid if it is true for all interpretations I
  • satisfiable if it is true for some interpretation I
  • unsatisfiable if it is true for no interpretation I
  • Try these:
  • p ? q
  • p ? ?p
  • p ? ?p
  • p ? p
  • p ? ?p
  • ? p ? p

8
Reasoning in Propositional Logic
  • Def. models relationship
  • If a formula F evaluates to true for an interpretation I, then I is called a model of F, written I ⊨ F
  • I is a model of F1, ..., Fk, written I ⊨ F1, ..., Fk, if I is a model of each Fj
  • Automated deduction setting
  • Show that A1, ..., An (axioms) imply T (theorem), that is, every model of the axioms is also a model of the theorem
  • That is: if I ⊨ A1, ..., An then I ⊨ T
  • Short: A1, ..., An ⊨ T
  • Often: show that A1 ∧ ... ∧ An ∧ ¬T is unsatisfiable
  • For automation a procedure / reasoning algorithm is needed
  • Predicate Calculus (in fact calculi: resolution, tableaux, ...)

9
Example
  • p, p → q ⊨ q
  • Truth table
  • Resolution
  • Tableaux
  • Reasoning with BDDs
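For a handful of variables, the truth-table method of the slides is just brute-force evaluation over every interpretation. The following Python block is an added example, not part of the slides: it implements the definitions of the preceding slides (evaluation under an interpretation, validity, satisfiability, and both formulations of entailment) and checks p, p → q ⊨ q; the tuple encoding of formulas is my own choice.

```python
from itertools import product

# Formulas as nested tuples (constructed encoding for this example):
#   ('var', 'p'), ('not', F), ('and', F, G), ('or', F, G), ('imp', F, G), ('iff', F, G)
# An interpretation I is a dict mapping every variable of the signature to True/False.

def signature(f):
    """The set of propositional variables occurring in f."""
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(signature(g) for g in f[1:]))

def evaluate(f, interp):
    """Extend I from atoms to composite formulas, i.e. the truth tables of the connectives."""
    op = f[0]
    if op == 'var':
        return interp[f[1]]
    if op == 'not':
        return not evaluate(f[1], interp)
    a, b = evaluate(f[1], interp), evaluate(f[2], interp)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b, 'iff': a == b}[op]

def interpretations(sig):
    """Every one of the 2^n interpretations over a signature, in a fixed order."""
    names = sorted(sig)
    for bits in product([False, True], repeat=len(names)):
        yield dict(zip(names, bits))

def is_valid(f):          # true for all interpretations
    return all(evaluate(f, I) for I in interpretations(signature(f)))

def is_satisfiable(f):    # true for some interpretation
    return any(evaluate(f, I) for I in interpretations(signature(f)))

def is_unsatisfiable(f):  # true for no interpretation
    return not is_satisfiable(f)

def models(f):
    """All interpretations I with I |= f."""
    return [I for I in interpretations(signature(f)) if evaluate(f, I)]

def entails(axioms, theorem):
    """A1, ..., An |= T: every model of all the axioms is also a model of T."""
    sig = signature(theorem).union(*(signature(a) for a in axioms))
    return all(evaluate(theorem, I)
               for I in interpretations(sig)
               if all(evaluate(a, I) for a in axioms))

def refutation_entails(axioms, theorem):
    """The automated-deduction form: A1 /\\ ... /\\ An /\\ ~T is unsatisfiable."""
    f = ('not', theorem)
    for a in axioms:
        f = ('and', a, f)
    return is_unsatisfiable(f)

# The slide's example: p, p -> q |= q (modus ponens)
P, Q = ('var', 'p'), ('var', 'q')
MODUS_PONENS = ('imp', P, Q)

def modus_ponens_example():
    """Both definitions of entailment agree, and dropping the premise p breaks it."""
    return (entails([P, MODUS_PONENS], Q),
            refutation_entails([P, MODUS_PONENS], Q),
            entails([MODUS_PONENS], Q))

if __name__ == '__main__':
    print(modus_ponens_example())          # (True, True, False)
    print(len(models(MODUS_PONENS)))       # 3 rows of the truth table make p -> q true
```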

10
Example: Reasoning with Binary Decision Trees (see also Binary Decision Diagrams, or BDDs)
[Figure: two binary decision trees over the variables A and B; each node branches on if-true / if-false, and the leaves are 0 / 1 (false / true)]
11
Syntax of First-Order Logic (FO)
  • Logical symbols
  • ∧, ∨, ¬, →, ↔, ( ), ∀ (for all), ∃ (exists), ...
  • Non-logical symbols: a FO signature Σ consists of
  • constant symbols a, b, c, ...
  • function symbols f, g, ...
  • predicate (relation) symbols p, q, r, ...
  • function and predicate symbols have an associated arity
  • we can write, e.g., p/3, f/2 to denote the ternary predicate p and the function f with two arguments
  • First-order variables x, y, ...
  • Formation rules for terms
  • constants and variables are terms
  • if t1, ..., tk are terms and f is a k-ary function symbol then f(t1, ..., tk) is a term

12
Syntax of First-Order Logic (FO)
  • Formation rules for formulas
  • if t1, ..., tk are terms and p/k is a predicate symbol (of arity k) then p(t1, ..., tk) is an atomic formula (short: atom)
  • all variable occurrences in p(t1, ..., tk) are free
  • if F, G are formulas and x is a variable, then the following are formulas
  • F ∧ G, F ∨ G, ¬F, F → G, F ↔ G, (F),
  • ∀x F (for all x, F(x, ...) is true)
  • ∃x F (there exists x such that F(x, ...) is true)
  • the occurrences of a variable x within the scope of a quantifier are called bound occurrences.

13
Examples
  • ∀x man(x) → person(x).
  • man(bill).
  • child(marriage(bill,hillary),chelsea).
  • Variable: x
  • Constants (0-ary function symbols): bill/0, hillary/0, chelsea/0
  • Function symbols: marriage/2
  • Predicate symbols: man/1, person/1, child/2

14
Semantics of Predicate Logic
  • Let D be a non-empty domain (a.k.a. universe of discourse). A structure is a pair (D, I), with an interpretation I that maps ...
  • each constant symbol c to an element I(c) ∈ D
  • each predicate symbol p/k to a k-ary relation I(p) ⊆ D^k,
  • each function symbol f/k to a k-ary function I(f): D^k → D
  • Let (D, I) be a structure, β: Vars → D a variable assignment. A valuation val_{I,β} maps Term_Σ to D and Fml_Σ to {true, false}
  • val_{I,β}(x) = β(x) for x ∈ Vars
  • val_{I,β}(f(t1,...,tk)) = I(f)(val_{I,β}(t1), ..., val_{I,β}(tk)) for f(t1,...,tk) ∈ Term_Σ
  • val_{I,β}(p(t1,...,tk)) = I(p)(val_{I,β}(t1), ..., val_{I,β}(tk)) for p(t1,...,tk) ∈ At_Σ
  • val_{I,β}(F ∧ G) = true iff val_{I,β}(F) and val_{I,β}(G) are true, for F, G ∈ Fml_Σ
  • val_{I,β}(F ∨ G) = true iff val_{I,β}(F) or val_{I,β}(G) is true, for F, G ∈ Fml_Σ
  • val_{I,β}(¬F) = true (false) if val_{I,β}(F) is false (true), for F ∈ Fml_Σ
  • val_{I,β}(∃x F) = true iff val_{I,β[x/t]}(F) is true for some t ∈ D, for F ∈ Fml_Σ
  • val_{I,β}(∀x F) = true iff val_{I,β[x/t]}(F) is true for all t ∈ D, for F ∈ Fml_Σ

15
Example
  • Formula F: ∀x man(x) → person(x).
  • Domain D = {b, h, c, d, e}
  • Let's pick an interpretation I
  • I(bill) = b, I(hillary) = h, I(chelsea) = c
  • I(person) = {b, h, c}
  • I(man) = {b}
  • Under this I, the formula F evaluates to true.
  • If we choose I' like I but I'(man) = {b, d}, then F evaluates to false
  • Thus, I is a model of F, while I' is not
  • I ⊨ F, I' ⊭ F
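The valuation clauses of the semantics slide, carried out on this example in Python. This is an added illustration, not code from the slides; the tuple encoding of terms and formulas and the dict layout of a structure (D, I) are my own choices.

```python
# Constructed encoding for this example:
#   terms:    ('var', 'x'), ('const', 'bill'), ('fun', 'marriage', [t1, t2])
#   formulas: ('atom', 'man', [t]), ('not', F), ('and', F, G), ('or', F, G),
#             ('imp', F, G), ('forall', 'x', F), ('exists', 'x', F)
# A structure (D, I): D is a set; I maps constant symbols to elements of D,
# function symbols to Python callables over D, predicate symbols to sets of tuples.

def val_term(t, D, I, beta):
    """val_{I,beta} on terms: variables via beta, constants via I, functions recursively."""
    kind = t[0]
    if kind == 'var':
        return beta[t[1]]
    if kind == 'const':
        return I['const'][t[1]]
    args = [val_term(s, D, I, beta) for s in t[2]]
    return I['fun'][t[1]](*args)

def val(F, D, I, beta):
    """val_{I,beta} on formulas, clause by clause as on the semantics slide."""
    kind = F[0]
    if kind == 'atom':
        # I(p) is a k-ary relation: the atom holds iff the argument tuple lies in it
        return tuple(val_term(s, D, I, beta) for s in F[2]) in I['pred'][F[1]]
    if kind == 'not':
        return not val(F[1], D, I, beta)
    if kind in ('and', 'or', 'imp'):
        a, b = val(F[1], D, I, beta), val(F[2], D, I, beta)
        return {'and': a and b, 'or': a or b, 'imp': (not a) or b}[kind]
    # quantifiers: evaluate the body under beta[x/t] for every t in D
    x, G = F[1], F[2]
    outcomes = [val(G, D, I, {**beta, x: t}) for t in D]
    return all(outcomes) if kind == 'forall' else any(outcomes)

def is_model(D, I, F):
    """For a sentence the assignment is irrelevant, so I |= F is val with an empty beta."""
    return val(F, D, I, {})

# The slide's formula F: forall x. man(x) -> person(x)
X = ('var', 'x')
F = ('forall', 'x', ('imp', ('atom', 'man', [X]), ('atom', 'person', [X])))

# The slide's domain and interpretation I
D = {'b', 'h', 'c', 'd', 'e'}
I = {'const': {'bill': 'b', 'hillary': 'h', 'chelsea': 'c'},
     'fun': {},
     'pred': {'person': {('b',), ('h',), ('c',)}, 'man': {('b',)}}}

# I' agrees with I except I'(man) = {b, d}; d is not a person, so F fails under I'
I_PRIME = {**I, 'pred': {**I['pred'], 'man': {('b',), ('d',)}}}

def slide_example():
    """Returns (I |= F, I' |= F); the slide states true and false respectively."""
    return is_model(D, I, F), is_model(D, I_PRIME, F)

def counterexample(D, I, F):
    """For a universally quantified sentence: the domain elements that violate the body."""
    x, body = F[1], F[2]
    return sorted(t for t in D if not val(body, D, I, {x: t}))

if __name__ == '__main__':
    print(slide_example())                # (True, False)
    print(counterexample(D, I_PRIME, F))  # ['d']
```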

16
FO Semantics (contd)
  • F entails G (G is a logical consequence of F) if every model of F is also a model of G: F ⊨ G
  • F is consistent or satisfiable if it has at least one model
  • F is valid or a tautology if every interpretation of F is a model
  • Proof Theory
  • Let F, G, ... be FO sentences (no free variables).
  • Then the following are equivalent
  • F_1, ..., F_k ⊨ G
  • F_1 ∧ ... ∧ F_k → G is valid
  • F_1 ∧ ... ∧ F_k ∧ ¬G is unsatisfiable (inconsistent)

17
Querying vs. Reasoning
  • Querying
  • given a DB instance I (= logic interpretation), evaluate a query expression (e.g. SQL, FO formula, Prolog program, ...)
  • boolean query: check if I ⊨ φ (i.e., if I is a model of φ)
  • (ternary) query: {(X, Y, Z) | I ⊨ φ(X, Y, Z)}
  • e.g. check happyFathers in a given database
  • Reasoning
  • check if I ⊨ φ implies I ⊨ ψ for all databases I,
  • i.e., if φ ⊨ ψ
  • undecidable for FO, F-logic, etc.
  • Description Logics are decidable fragments
  • concept subsumption, concept hierarchy, classification
  • semantic tableaux, resolution, specialized algorithms

18
Reasoning Example
  • (1) p(0)
  • (2) ∀x p(x) → p(s(x))
  • (3) p(s(s(0))).
  • We want to show that (1) and (2) imply (3)
  • Approach: assume the negation of (3) and show that it leads to a contradiction with (1), (2)
  • Question: Why is this sound?

19
Limitations
  • Drawbacks of methods based on FOL/Predicate Logic
  • only small and medium size circuits can be verified
  • most abstract representation view is gate level
  • Complex circuits are hierarchically designed, but verification methods are not able to benefit from this to reduce the verification complexity
  • Caused by limited expressiveness of the underlying logic
  • one can not even argue about simple natural numbers
  • Natural numbers useful to argue about
  • discrete time
  • parameterized circuits
  • FORALL n > 0, FORALL a, b, c in B^n: <a> + <b> = <c>
  • More expressive logic also needed to allow abstract descriptions (types)

[Figure: an n-bit adder ADD(n) with inputs a, b and output c]
20
Sentences in First-Order Logic
  • An atomic sentence is simply a predicate applied to a set of terms.
  • Owns(John,Car1)
  • Sold(John,Car1,Fred)
  • Semantics is True or False depending on the interpretation, i.e. is the predicate true of these arguments.
  • The standard propositional connectives (¬ ∨ ∧ ⇒ ⇔) can be used to construct complex sentences
  • Owns(John,Car1) ∨ Owns(Fred, Car1)
  • Sold(John,Car1,Fred) ⇒ ¬Owns(John, Car1)
  • Semantics same as in propositional logic.

21
Review: Quantifiers
  • Allow statements about entire collections of objects
  • Universal quantifier ∀x
  • Asserts that a sentence is true for all values of variable x
  • ∀x Loves(x, FOPC)
  • ∀x Whale(x) ⇒ Mammal(x)
  • ∀x (∀y Dog(y) ⇒ Loves(x,y)) ⇒ (∀z Cat(z) ⇒ Hates(x,z))
  • Existential quantifier ∃x
  • Asserts that a sentence is true for at least one value of a variable x
  • ∃x Loves(x, FOPC)
  • ∃x (Cat(x) ∧ Color(x,Black) ∧ Owns(Mary,x))
  • ∃x (∀y Dog(y) ⇒ Loves(x,y)) ∧ (∀z Cat(z) ⇒ Hates(x,z))

22
Review: Use of Quantifiers
  • Universal quantification naturally uses implication
  • ∀x Whale(x) ∧ Mammal(x)
  • Says that everything in the universe is both a whale and a mammal.
  • Existential quantification naturally uses conjunction
  • ∃x Owns(Mary,x) ⇒ Cat(x)
  • Says either there is something in the universe that Mary does not own or there exists a cat in the universe.
  • ∀x Owns(Mary,x) ⇒ Cat(x)
  • Says all Mary owns is cats (i.e. everything Mary owns is a cat). Also true if Mary owns nothing.
  • ∀x Cat(x) ⇒ Owns(Mary,x)
  • Says that Mary owns all the cats in the universe. Also true if there are no cats in the universe.

23
Nesting Quantifiers
  • The order of quantifiers of the same type doesn't matter
  • ∀x∀y (Parent(x,y) ∧ Male(y) ⇒ Son(y,x))
  • ∃x∃y (Loves(x,y) ∧ Loves(y,x))
  • The order of mixed quantifiers does matter
  • ∀x∃y (Loves(x,y))
  • Says everybody loves somebody, i.e. everyone has someone whom they love.
  • ∃y∀x (Loves(x,y))
  • Says there is someone who is loved by everyone in the universe.
  • ∀y∃x (Loves(x,y))
  • Says everyone has someone who loves them.
  • ∃x∀y (Loves(x,y))
  • Says there is someone who loves everyone in the universe.

24
Variable Scope
  • The scope of a variable is the sentence to which the quantifier syntactically applies.
  • As in a block structured programming language, a variable in a logical expression refers to the closest quantifier within whose scope it appears.
  • ∃x (Cat(x) ∧ ∀x (Black(x)))
  • The x in Black(x) is universally quantified
  • Says cats exist and everything is black
  • In a well-formed formula (wff) all variables should be properly introduced
  • ∃x P(y) is not well-formed
  • A ground expression contains no variables.

25
Relations Between Quantifiers
  • Universal and existential quantification are logically related to each other
  • ∀x ¬Loves(x,Saddam) ⇔ ¬∃x Loves(x,Saddam)
  • ∀x Loves(x,PrincessDi) ⇔ ¬∃x ¬Loves(x,PrincessDi)
  • General Identities
  • ∀x ¬P ⇔ ¬∃x P
  • ¬∀x P ⇔ ∃x ¬P
  • ∀x P ⇔ ¬∃x ¬P
  • ∃x P ⇔ ¬∀x ¬P
  • ∀x P(x) ∧ Q(x) ⇔ ∀x P(x) ∧ ∀x Q(x)
  • ∃x P(x) ∨ Q(x) ⇔ ∃x P(x) ∨ ∃x Q(x)

26
Equality
  • Can include equality as a primitive predicate in the logic, or require it to be introduced and axiomatized as the identity relation.
  • Useful in representing certain types of knowledge
  • ∃x∃y (Owns(Mary, x) ∧ Cat(x) ∧ Owns(Mary,y) ∧ Cat(y) ∧ ¬(x = y))
  • Mary owns two cats. Inequality needed to ensure x and y are distinct.
  • ∀x ∃y married(x, y) ∧ ∀z (married(x,z) ⇒ y = z)
  • Everyone is married to exactly one person. The second conjunct is needed to guarantee there is only one unique spouse.

27
Higher-Order Logic
  • FOPC is called first-order because it allows quantifiers to range over objects (terms) but not properties, relations, or functions applied to those objects.
  • Second-order logic allows quantifiers to range over predicates and functions as well
  • ∀x ∀y (x = y) ⇔ (∀p p(x) ⇔ p(y))
  • Says that two objects are equal if and only if they have exactly the same properties.
  • ∀f ∀g (f = g) ⇔ (∀x f(x) = g(x))
  • Says that two functions are equal if and only if they have the same value for all possible arguments.
  • Third-order would allow quantifying over predicates of predicates, etc.
  • We will consider Higher-Order Logic (FOL, Second-order Logic, ...)
  • allows to argue about infinite sets, use induction

28
Problems with Higher-Order Logic
  • Higher-Order Logic is undecidable
  • Theorem provers based on HOL have to be interactive.
  • (Informal versions of) Russell's Paradox
  • In a certain town in Spain, there lives an excellent barber who shaves all the men who do not shave themselves. Who shaves the barber?
  • Divide all adjectives into two groups: the group of adjectives which describe themselves and the group of adjectives which do not. Into which group does the adjective "indescribable" go?
  • I am a liar.
  • Russell's Paradox can be resolved by introducing typed Higher-order logic

29
What is PVS?
  • PVS = Prototype Verification System
  • Formal specification language
  • Model checker
  • Theorem prover
  • Documentation tools, etc.

30
Applications
  • Academic and industrial applications
  • Hardware verification (e.g. VAMP Verified
    Architecture Microprocessor)
  • Protocol verification
  • Verification of Javacard applets
  • Formal Mathematics
  • Safety-critical systems
  • (see http://pvs.csl.sri.com/users.html)

31
The PVS Language
  • There are two languages
  • The language to write definitions and theorems (definition language)
  • The language to prove theorems (proof language)
  • They have nothing to do with each other
  • The definition language looks like normal math
  • (translator to LaTeX built in)
  • The proof language looks like LISP

32
The PVS Definition Language
  • Main language elements
  • Declarations
  • Types
  • Constants
  • Expressions over these types
  • Expressions of Boolean type may be formulas
  • Formulae are theorems or axioms
  • Declarations and formulae are grouped into theories

33
The PVS Definition Language
  class_theory: THEORY
  BEGIN
    my_type: NONEMPTY_TYPE                               % type declaration
    constant1, constant2: my_type                        % constant declarations
    f1: THEOREM FORALL (a, b: integer): a + b = b + a    % formula over an expression
    f2: AXIOM constant1 = constant2                      % formula over an expression
  END class_theory
Type Declarations
Expressions
34
The PVS Definition Language
(the same class_theory as on the previous slide, highlighting the formulae f1 and f2)
35
The PVS Definition Language
(the same class_theory as on the previous slide, highlighting the declarations)
36
Axioms vs. Theorems
  • Axioms are assumed to be true
  • Dangerous!
  • Avoid axioms, use constant declarations instead

  class_theory: THEORY
  BEGIN
    c: integer
    c: AXIOM c = 3
  END class_theory

  class_theory: THEORY
  BEGIN
    c: integer = 3
  END class_theory

The definition c: integer = 3 is conservative; the axiom is not.
37
Types
  • PVS has a very rich type concept
  • Uninterpreted type declaration: numbers: TYPE or numbers: NONEMPTY_TYPE
  • Interpreted type declaration: introduce names for type expressions
  • posint: TYPE = {i: integer | i > 0}

38
Types PVS comes with
  • boolean
  • FALSE, TRUE
  • Number types
  • real, rational, integer, natural
  • string
  • Ordinals

39
Type Expressions
  • Function Types
  • [t1, ..., tn -> t]
  • Alternative Syntax
  • FUNCTION[t1, ..., tn -> t]
  • ARRAY[t1, ..., tn -> t]
  • Note that ti and t may be function types as well!

40
Expressions
  • Constants
  • Given by their name, as used in the declaration
  • Numbers (1, 2, 3, ...) are actually identifiers and can even be overloaded
  • If a name is ambiguous, use
  • identifier::type

41
Expressions
  • Function Applications
  • f(x)
  • Tons of syntactic variants exist to support intuition, don't be confused
  • Binary operator symbols
  • y + z is the same as +(y, z)

42
Expressions
  • Functions PVS comes with
  • Boolean
  • AND (&), OR, IMPLIES (=>),
  • WHEN, IFF (<=>)
  • IF c THEN a ELSE b ENDIF
  • IF: [boolean, T, T -> T]
  • Numeric operators
  • +, -, *, /, =, <, <=, >, >=

43
Expressions
  • Binding Expressions
  • Quantifiers
  • EXISTS (x: T): p(x)
  • FORALL (y: T): q(y)

44
Expressions
  • Binding Expressions
  • Lambda: unnamed functions
  • LAMBDA (x: int): x + 1
  • Type of that: [int -> int]

  class_theory: THEORY
  BEGIN
    f: [int -> int] = LAMBDA (x: int): x + 1
  END class_theory

  class_theory: THEORY
  BEGIN
    f(x: int): int = x + 1
  END class_theory
45
Recursion
  • Lambda cannot be used for recursion
  • Only named functions allow recursion
  • No mutual recursion

  factorial(x: nat): RECURSIVE nat =
    IF x = 0 THEN 1 ELSE factorial(x - 1) * x ENDIF
    MEASURE (LAMBDA (x: nat): x)
The MEASURE is used to prove that the function is total
46
Expressions
  • LET Expressions
  • LET iTe1 IN e2
  • Useful for avoiding redundancy if e1 is used many
    times in e2
  • Example
  • LET x2 IN xy
  • is
  • (LAMBDA x xy)(2)

47
Expressions
  • Override Expressions
  • e WITH [(i1) := v1, (i2) := v2, ...]
  • Sugar for LAMBDA
  • LAMBDA x: IF x = i1 THEN v1 ELSIF x = i2 THEN v2 ELSE e(x) ENDIF
  • Also for records and tuples

48
Expressions
  • LET and WITH useful for some sequential program constructs!

  f(i: int): int =
    LET a1 = LAMBDA (x: below(10)): 0 IN ...
    LET a2 = a1 WITH [(i) := 5] IN ...
    aj(0)

  int f(int i) { int a[10] = {0, ...}; a[i] = 5; ... return a[0]; }
49
Expressions
  • Set Expressions
  • In PVS, sets are represented using their characteristic function
  • [T -> boolean] is the same as setof[T]
  • Set expressions
  • {x: T | p(x)}
  • For sets a, b over T
  • Union: a OR b
  • Intersection: a AND b

50
Some Additional Syntax
  • Tuple types
  • [t1, ..., tn]
  • Tuple expressions
  • (e1, ..., en)
  • Comes with projections
  • PROJ_1, PROJ_2, ..., PROJ_n

51
Example
  stacks1: THEORY
  BEGIN
    stack: TYPE = [int, ARRAY[int -> int]]
    empty: stack = (0, (LAMBDA (j: int): 0))
    size(s: stack): int = PROJ_1(s)
    elements(s: stack): ARRAY[int -> int] = PROJ_2(s)
    push(x: int, s: stack): stack = (size(s) + 1, elements(s) WITH [(size(s)) := x])
    pop(s: stack): stack = (size(s) - 1, elements(s))
  END stacks1
How about a struct?
52
Some Additional Syntax
  • Record types
  • [# a1: t1, ..., an: tn #]
  • Record expressions
  • (# a1 := e1, ..., an := en #)
  • Comes with projections
  • a1, a2, ..., an
  • Or e`ai

53
Example
  stacks2: THEORY
  BEGIN
    stack: TYPE = [# size: int, elements: ARRAY[int -> int] #]
    empty: stack = (# size := 0, elements := (LAMBDA (j: int): 0) #)
    push(x: int, s: stack): stack =
      (# size := s`size + 1, elements := s`elements WITH [(s`size) := x] #)
    pop(s: stack): stack = (# size := s`size - 1, elements := s`elements #)
  END stacks2
What about the empty stack?
54
Subtypes
  • {x: T | p(x)}
  • p must be of type [T -> boolean]
  • Alternative syntax
  • (p)
  • This type contains all elements x of T for which p(x) is true
  • E.g., define the domain of integer division
  • {x: integer | x /= 0}
  • Makes type equivalence undecidable

55
Subtypes
  • Subtypes in binding expressions
  • Forall, exists: FORALL (i: int | i > 10)
  • Lambda

  class_theory: THEORY
  BEGIN
    f: [{x: int | x /= 0} -> real] = LAMBDA (x: int | x /= 0): 1 / x
  END class_theory

  class_theory: THEORY
  BEGIN
    f(x: int | x /= 0): real = 1 / x
  END class_theory
56
Example
  stacks3: THEORY
  BEGIN
    stack: TYPE = [# size: nat, elements: ARRAY[nat -> int] #]
    empty: stack = (# size := 0, elements := (LAMBDA (j: nat): 0) #)
    push(x: int, s: stack): {s: stack | s`size >= 1} =
      (# size := s`size + 1, elements := s`elements WITH [(s`size) := x] #)
    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1, elements := s`elements #)
  END stacks3
Properties?
57
Example
  stacks3 as on the previous slide, extended with a property:
    push_pop: THEOREM FORALL (s: stack, x: int): pop(push(x, s)) = s
  END stacks3
Does this work?
58
Example
  stacks4: THEORY
  BEGIN
    stack: TYPE = [# size: nat, elements: ARRAY[{i: nat | i < size} -> int] #]
    empty: stack = (# size := 0, elements := (LAMBDA (j: nat | FALSE): 0) #)
    push(x: int, s: stack): {s: stack | s`size >= 1} =
      (# size := s`size + 1,
         elements := LAMBDA (j: below(s`size + 1)):
                       IF j < s`size THEN s`elements(j) ELSE x ENDIF #)
    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1,
         elements := LAMBDA (j: nat | j < s`size - 1): s`elements(j) #)
    push_pop: THEOREM FORALL (s: stack, x: int): pop(push(x, s)) = s
  END stacks4
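Why push_pop fails for stacks3 but holds for stacks4, checked on constructed inputs with a Python model (added example, not code from the slides). Stack3 represents the total function elements: ARRAY[nat -> int] as a set of overrides on top of the constant-0 function, so that two stacks are equal exactly when their sizes and their element functions agree on all of nat; Stack4 keeps only the size entries, mirroring the dependent array type.

```python
from dataclasses import dataclass

# Constructed Python models of the two PVS representations.
# stacks3: elements is a total function nat -> int.  It is represented as a
# finite set of (index, value) overrides on top of (LAMBDA (j: nat): 0),
# normalised so that equal functions compare equal.
@dataclass(frozen=True)
class Stack3:
    size: int
    overrides: frozenset   # {(index, value)} with value != 0

def normalise(pairs):
    return frozenset((i, v) for i, v in pairs.items() if v != 0)

def empty3():
    return Stack3(0, frozenset())

def push3(x, s):
    # size := s`size + 1, elements := s`elements WITH [(s`size) := x]
    elems = dict(s.overrides)
    elems[s.size] = x
    return Stack3(s.size + 1, normalise(elems))

def pop3(s):
    if s.size < 1:                          # the subtype constraint on pop's argument
        raise ValueError("pop of empty stack")
    # size := s`size - 1, elements := s`elements  -- the old top entry survives!
    return Stack3(s.size - 1, s.overrides)

# stacks4: elements: ARRAY[{i: nat | i < size} -> int], i.e. exactly size entries.
@dataclass(frozen=True)
class Stack4:
    elements: tuple

    @property
    def size(self):
        return len(self.elements)

def empty4():
    return Stack4(())

def push4(x, s):
    # LAMBDA (j: below(s`size + 1)): IF j < s`size THEN s`elements(j) ELSE x ENDIF
    return Stack4(s.elements + (x,))

def pop4(s):
    if s.size < 1:
        raise ValueError("pop of empty stack")
    # LAMBDA (j: nat | j < s`size - 1): s`elements(j)
    return Stack4(s.elements[:-1])

def push_pop_holds(push, pop, x, s):
    """One instance of the push_pop theorem: pop(push(x, s)) = s."""
    return pop(push(x, s)) == s

def slide_comparison():
    """Constructed inputs: the empty stack and a one-element stack, pushing 7."""
    s3, s4 = push3(1, empty3()), push4(1, empty4())
    return (push_pop_holds(push3, pop3, 7, empty3()),   # False: elements(0) is now 7
            push_pop_holds(push3, pop3, 7, s3),         # False: elements(1) is now 7
            push_pop_holds(push4, pop4, 7, empty4()),   # True
            push_pop_holds(push4, pop4, 7, s4))         # True

if __name__ == '__main__':
    print(slide_comparison())          # (False, False, True, True)
    print(pop3(push3(7, empty3())))    # Stack3(size=0, overrides=frozenset({(0, 7)}))
```

Pushing the default value 0 onto an empty Stack3 makes the instance pass, which is why a few hand-picked tests do not replace the proof obligation.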
59
Example
(the same stacks4 theory as on the previous slide, without the push_pop theorem)
What about stacks of other types?
61
Theory Parameters
  • Idea: do something like a C++ template

  theory[T1: TYPE, T2: TYPE, ...]: THEORY
  BEGIN ... END theory

  template <class T1, class T2, ...> class stack { ... };
62
Theory Parameters
  • Idea: do something like a C++ template

  theory[T1: TYPE, T2: TYPE, ...]: THEORY
  BEGIN ... f(e: T1): bool ... END theory

  template <class T1, class T2, ...> class stack { ... bool f(T1 e); ... };
63
Example
  stacks4[T: NONEMPTY_TYPE]: THEORY
  BEGIN
    stack: TYPE = [# size: nat, elements: ARRAY[{i: nat | i < size} -> T] #]
    e: T
    empty: stack = (# size := 0, elements := (LAMBDA (j: nat | FALSE): e) #)
    push(x: T, s: stack): {s: stack | s`size >= 1} =
      (# size := s`size + 1,
         elements := LAMBDA (j: below(s`size + 1)):
                       IF j < s`size THEN s`elements(j) ELSE x ENDIF #)
    pop(s: stack | s`size >= 1): stack =
      (# size := s`size - 1,
         elements := LAMBDA (j: nat | j < s`size - 1): s`elements(j) #)
  END stacks4
64
Example
  use_stack: THEORY
  BEGIN
    my_type: TYPE = [posint, posint]
    IMPORTING stacks5[my_type]
    s: stack[my_type]
    x: my_type = (1, 2)
    d: stack[my_type] = push(x, s)
  END use_stack
65
Useful Parameterized Theories
  • PVS comes with several useful parameterized theories
  • Sets over elements of type T: subsets, union, complement, power set, finite sets, ...
  • Infinite Sequences
  • Finite Sequences
  • Lists
  • Bit vectors

66
Bit Vectors
  • Bit Vectors are defined using an ARRAY type

  bv[N: nat]: THEORY
  BEGIN
    bvec: TYPE = [below(N) -> bit]
    ...
bit is the same as boolean; below(N) = {0, ..., N-1}
67
Bit Vectors
  • Extract a bit: bv(i), i ∈ {0, ..., N-1}
  • Vector extraction: bv^(m,n), n <= m < N
  • b^N (N copies of b): fill(b)
  • Concatenation: bv1 o bv2
  • Bitwise: bv1 OR bv2
  • Conversion to natural numbers: bv2nat(bv)
  • Conversion from natural numbers: nat2bv(nat)

68
Bit Vector Arithmetic
  • Requires
  • IMPORTING bitvectors@bv_arith_nat
  • +, *, -, <, >, <=, >=
  • Many other useful theories: look in pvs/lib/bitvectors

69
Bit Vectors
  • Example

  bv_ex: THEORY
  BEGIN
    x: VAR bvec[32]
    zero_lemma: LEMMA bv2nat(x) = 0 IFF x = fill(false)
  END bv_ex
How many bits?
70
Bit Vectors
  • Example

  bv_ex: THEORY
  BEGIN
    x: VAR bvec[32]
    zero_lemma: LEMMA bv2nat[32](x) = 0 IFF x = fill[32](false)
  END bv_ex
71
Modeling Combinational Hardware with PVS
  • Idea: model combinational circuits using functions on bit vectors

  f(A, B, reset: bit): bit = IF reset THEN FALSE ELSE (NOT A) OR B ENDIF
Translation from/to Verilog, VHDL, etc. is easy
72
Parameterized Circuits
[Figure: a binary tree for 8 inputs, parameterized for 2^k inputs]
73
Modeling Hardware with PVS
  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    btree(k: nat, l: [below(exp2(k)) -> T]): RECURSIVE T =
      IF k = 0 THEN l(0)
      ELSE btree(k - 1, LAMBDA (i: below(exp2(k - 1))): l(i)) o
           btree(k - 1, LAMBDA (i: below(exp2(k - 1))): l(i + exp2(k - 1)))
      ENDIF
      MEASURE k
    btree(l: [below(exp2(K)) -> T]): T = btree(K, l)
  END btree
Property?
74
Modeling Hardware with PVS
  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ...
    btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp2(K) - 1)
  END btree
Dot dot dot?
75
Modeling Hardware with PVS
  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ...
    btree_correct: THEOREM btree(l) = l(0) o l(1) o ... o l(exp2(K) - 1)
    seq(i: nat, l: [upto(i) -> T]): RECURSIVE T =
      IF i = 0 THEN l(0) ELSE seq(i - 1, LAMBDA (j: below(i)): l(j)) o l(i) ENDIF
      MEASURE i
    Btree_correct: THEOREM btree(l) = seq(exp2(K) - 1, l)
  END btree
Can you prove this?
What is missing?
76
Modeling Hardware with PVS
  btree[T: TYPE, K: posnat, o: [T, T -> T]]: THEORY
  BEGIN
    ASSUMING
      fassoc: ASSUMPTION associative?(o)
    ENDASSUMING
    ...
  END btree
This is NOT like an axiom!
  zerotester_imp(op): bit = NOT btree[bit, K, OR](op)
PVS will make you prove here that OR is associative
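What the ASSUMING clause buys, checked on small instances in Python (added example, not code from the slides): btree and seq are transcribed from the btree theory above, and btree_correct is tried with an associative operator (OR, as in zerotester_imp) and with a constructed non-associative one, where it fails.

```python
from itertools import product

def exp2(k):
    return 2 ** k

def btree(k, l, o):
    """btree(k, l): fold the 2^k leaves l(0), ..., l(2^k - 1) with o as a balanced tree."""
    if k == 0:
        return l(0)
    half = exp2(k - 1)
    left = btree(k - 1, lambda i: l(i), o)
    right = btree(k - 1, lambda i: l(i + half), o)
    return o(left, right)

def seq(i, l, o):
    """seq(i, l) = (...((l(0) o l(1)) o l(2)) ...) o l(i): the left-to-right chain."""
    if i == 0:
        return l(0)
    return o(seq(i - 1, lambda j: l(j), o), l(i))

def btree_correct(K, leaves, o):
    """One instance of the theorem btree(l) = seq(exp2(K) - 1, l); leaves has 2^K entries."""
    l = lambda i: leaves[i]
    return btree(K, l, o) == seq(exp2(K) - 1, l, o)

def btree_correct_all_bits(K, o):
    """Exhaustive check over all 2^(2^K) bit-vector inputs: evidence, not a proof."""
    return all(btree_correct(K, leaves, o)
               for leaves in product([False, True], repeat=exp2(K)))

def zerotester_imp(op):
    """NOT btree[bit, K, OR](op) from the slide: TRUE iff every input bit is FALSE.
    op must have 2^K entries; K is recovered from the length."""
    K = len(op).bit_length() - 1
    return not btree(K, lambda i: op[i], lambda a, b: a or b)

OR = lambda a, b: a or b
SUB = lambda a, b: a - b      # constructed non-associative operator

if __name__ == '__main__':
    print(btree_correct_all_bits(3, OR))          # True: OR is associative
    print(btree_correct(2, [8, 1, 2, 3], SUB))    # False: (8-1)-(2-3) = 8, ((8-1)-2)-3 = 2
    print(zerotester_imp([False] * 8))            # True
```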
77
Arithmetic Circuits
One Bit Adder (oba)
  a, b, cin: VAR bit
  oba_sum(a, b, cin): bit = (a XOR b XOR cin)
  oba_cout(a, b, cin): bit = ((a AND b) OR (a AND cin) OR (b AND cin))
Property?
  oba_correct: LEMMA a + b + cin = 2 * oba_cout(a, b, cin) + oba_sum(a, b, cin)
Wait a second! You are adding bits here!
78
Conversions
  oba_correct: LEMMA a + b + cin = 2 * oba_cout(a, b, cin) + oba_sum(a, b, cin)
There is no addition on bits (or boolean)!
  bit: TYPE = bool
  nbit: TYPE = below(2)
  b2n(b: bool): nbit = IF b THEN 1 ELSE 0 ENDIF
  CONVERSION b2n
below(2) is a subtype of the integer type, and we have addition for that.
79
Arithmetic Circuits
[Figure: carry chain adder]
80
Arithmetic Circuits
  cout(n, a, b, a_cin): RECURSIVE bit =
    IF n = 0 THEN oba_cout(a(0), b(0), a_cin)
    ELSE oba_cout(a(n), b(n), cout(n - 1, a, b, a_cin)) ENDIF
    MEASURE n
  bv_adder(a, b, a_cin): bvec[N] =
    LAMBDA (i: below(N)):
      IF i = 0 THEN oba_sum(a(0), b(0), a_cin)
      ELSE oba_sum(a(i), b(i), cout(i - 1, a, b, a_cin)) ENDIF
81
Arithmetic Circuits
  (bv_adder as on the previous slide)
  adder_correct: THEOREM
    exp2(N) * cout(N - 1, a, b, a_cin) + bv2nat(bv_adder(a, b, a_cin)) = bv2nat(a) + bv2nat(b) + a_cin
  adder_is_add: THEOREM bv_adder(a, b, FALSE) = a + b
82
PVS Workflow
[Figure: System and Properties are converted into a PVS File, from which PROOFS are constructed]
Conversion of system (program, circuit, protocol) and property: can be automated or done manually
Proof construction: interaction with the theorem prover
85
Theorem Proving
  • The goal is to establish
  • F1, ..., Fk ⊨ T
  • Show that theorem T follows from the assumptions / axioms F1, ..., Fk
  • PVS operates on sequents of the form
  • F1, ..., Fk ⊢ G1, ..., Gl
  • Antecedents ⊢ Consequents
  • Meaning
  • The disjunction of the Consequents is a logical consequence of the conjunction of the Antecedents
  • F1 ∧ F2 ∧ ... ∧ Fk implies G1 ∨ G2 ∨ ... ∨ Gl

Theorem: T
Axioms, Assumptions: F1, ..., Fk
Antecedents and Consequents are HOL Formulas
86
Proof Trees
  • Sequents can be modified by PVS proof commands
  • F1, ..., Fk ⊢ G1, ..., Gl
  • Antecedents ⊢ Consequents
  • The result of a proof command is a (possibly empty) set of subsequents
  • Initial sequent (show Theorem)
  • ⊢ T
  • The repeated application of proof commands on sequents defines a tree
  • A proof branch is closed if a proof command generates an empty list of subsequents, i.e. PVS was able to validate this branch of the proof.
  • A theorem T is proven if all proof branches are closed.