Program Specialisation, Inductive Theorem Proving and Infinite State Model Checking - PowerPoint PPT Presentation

1
Program Specialisation, Inductive Theorem Proving
and Infinite State Model Checking
  • Michael Leuschel
  • (joint work with Helko Lehmann)

Invited Talk, LOPSTR'03 - Uppsala
2
  1. Overview
  2. Program Specialisation & Partial Deduction (PD)
  3. Infinite State Model Checking (ISMC) by PD
  4. Inductive Theorem Proving by Conjunctive PD
  5. Putting everything together
  6. Conclusion & Outlook
3
Overview
Program Specialisation
Inductive Theorem Proving
Infinite State Model Checking
4
Figure: Infinite State System + CTL Model Checker → Ecce → Specialisation Result
Key Points
  • Point 1: Finite abstraction of an infinite state space; correspondence between existing algorithms for PS and ISMC
  • Point 2: Schema for an inductive proof; similarity between ITP and PS control
  • → cross-fertilisation?
5
Outline (as on slide 2); next: 2. Program Specialisation & Partial Deduction (PD)
6
(Logic) Program Specialisation
Figure: inputs are a Query and a Prolog Source Program
7
Digression on Names
  • Partial Evaluation: specialisation by partially evaluating expressions
  • Partial Deduction: partial evaluation of pure logic programs
  • Logic Program Specialisation: partial evaluation and more (e.g. abstract interpretation)

8
Partial Deduction
  • Basic principle: instead of building one complete SLD-tree, build a finite number of finite SLD-trees!
    • SLD-trees can be incomplete
    • Clauses of the specialised program are extracted from the branches
    • All calls in the leaves must be covered
  • 4 types of derivations in SLD-trees
    • Successful, failed, infinite
    • Incomplete: no literal selected

9
An Example
Query: ?- map(inv,L,R)
Source program:
  map(P,[],[]).
  map(P,[H|T],[PH|PT]) :- C =.. [P,H,PH], call(C), map(P,T,PT).
  inv(0,1).
  inv(1,0).
Specialised program (overhead removed, about 2 times faster):
  map(inv,[],[]).
  map(inv,[0|L],[1|R]) :- map(inv,L,R).
  map(inv,[1|L],[0|R]) :- map(inv,L,R).
After renaming:
  map_1([],[]).
  map_1([0|L],[1|R]) :- map_1(L,R).
  map_1([1|L],[0|R]) :- map_1(L,R).
10
Control
Figure: sequence of atoms A1 A2 A3 A4 ...
  • Local Control
    • Determinacy
    • Well-founded Orders
    • Well-Quasi Orders
    • Homeomorphic embedding
  • Global Control
    • Whistle: Well-Quasi Orders
    • Generalisation
    • msg (most specific generalisation)
    • Characteristic Trees
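The two global-control ingredients named above, the homeomorphic-embedding whistle and msg, as an added Python example (not code from the slides or from Ecce). Terms are encoded as nested tuples ('f', arg1, ...), a constant as a 0-ary tuple such as ('0',), and a variable as a string starting with an upper-case letter; that encoding, the helper names and the constructed counter-call sequence are this example's own assumptions.

```python
"""Homeomorphic embedding (the whistle) and most specific generalisation (msg).
Added example; term encoding is an assumption of this example, not Ecce's."""
from typing import Optional, Tuple, Union

Term = Union[str, tuple]   # "X" variable, ("0",) constant, ("s", t) compound


def is_var(t: Term) -> bool:
    return isinstance(t, str) and t[:1].isupper()


def embeds(s: Term, t: Term) -> bool:
    """s is homeomorphically embedded in t (Kruskal's relation, the well-quasi
    order used as whistle): variables embed variables; coupling when both have
    the same functor and arguments embed pairwise; diving when s embeds some
    argument of t."""
    if is_var(t):
        return is_var(s)
    if (not is_var(s) and s[0] == t[0] and len(s) == len(t)
            and all(embeds(a, b) for a, b in zip(s[1:], t[1:]))):
        return True                                   # coupling
    return any(embeds(s, arg) for arg in t[1:])      # diving


def msg(s: Term, t: Term, store: Optional[dict] = None) -> Term:
    """Most specific generalisation (anti-unification): keep the common
    structure and replace each disagreement pair by a fresh variable, reusing
    the same variable for the same pair so repeated sub-terms stay linked.
    Fresh names G0, G1, ... are assumed not to clash with the input."""
    if store is None:
        store = {}
    if not is_var(s) and not is_var(t) and s[0] == t[0] and len(s) == len(t):
        return (s[0],) + tuple(msg(a, b, store) for a, b in zip(s[1:], t[1:]))
    if s == t:
        return s
    if (s, t) not in store:
        store[(s, t)] = "G%d" % len(store)
    return store[(s, t)]


def whistle(sequence) -> Optional[Tuple[int, int, Term]]:
    """Global control over a sequence of atoms A1, A2, ...: blow the whistle at
    the first Aj that embeds an earlier Ai and return (i, j, msg(Ai, Aj)), the
    generalised atom that would be specialised instead of Aj."""
    for j, aj in enumerate(sequence):
        for i in range(j):
            if embeds(sequence[i], aj):
                return i, j, msg(sequence[i], aj)
    return None


# Constructed sample: unfolding a counter predicate yields ever larger calls
# p(0), p(s(0)), p(s(s(0))), ... which would never terminate without a whistle.
COUNTER_CALLS = [
    ("p", ("0",)),
    ("p", ("s", ("0",))),
    ("p", ("s", ("s", ("0",)))),
]

if __name__ == "__main__":
    print(whistle(COUNTER_CALLS))   # -> (0, 1, ('p', 'G0'))
```

The whistle blows already at the second call, because p(0) is embedded in p(s(0)) by diving, and msg abstracts the growing argument to a fresh variable, which is exactly how a global-control loop keeps the set of specialised atoms finite.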

11
Existing Systems
  • Online
    • Mixtus (Sahlin)
    • Paddy (Prestwich)
    • SP (Gallagher)
    • Ecce (Leuschel)
  • Offline (control decisions made offline)
    • Logimix (Mogensen)
    • Logen (Leuschel & Jørgensen)

12
Ecce & Logen Demo
  • Simple examples
    • Map - Ecce
    • Lambda Interpreter - Logen

13
Outline (as on slide 2); next: 3. Infinite State Model Checking (ISMC) by PD
14
Model Checking
  • Check that a system is a model for a temporal logic formula (CTL, LTL, ...)
  • Most useful temporal formulas are safety properties
  • Decidable for finite state systems
  • For infinite state systems:
    • Decidability results for certain systems & properties
    • Abstraction is a key issue

15
Petri Nets
  • Petri Nets
    • Places contain tokens
    • Transitions consume & produce tokens
  • Marking
    • A particular state of a Petri net
    • Vector of natural numbers
    • Usually an infinite number of markings is reachable

16
RTP Example: Receiver of Transmission Protocol (from the Babylon library of benchmarks)
Figure: reachable markings, starting from 1,0,0,0,0,0,0,0,0,0
17
Coverability of Petri Nets
(example markings from the slide figure: 0,2,0,1,1 and 0,1,0,2,0)
  • Marking m' covers m if m' ≥ m (componentwise)
  • Question: starting from an initial state m0, can we reach a marking mn which covers some given m?
  • Decidable by computing
    • the Karp-Miller tree, or
    • Finkel's minimal coverability graphs
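The Karp-Miller construction named above, as an added Python example (not code from the slides or from Ecce): it builds the finite coverability tree of the small mutual-exclusion Petri net encoded on the supplementary CTL model checker slide (places X, Sema, CritSec, Y, ResetCtr) and answers the coverability question on it. The initial marking (2, 1, 0, 0, 0) and all helper names are this example's own choices.

```python
"""Karp-Miller coverability tree: a finite abstraction of an infinite marking
space.  Added example; net taken from the supplementary slide, initial marking
and helper names are this example's own assumptions."""
from typing import List, Optional, Sequence, Tuple

OMEGA = float("inf")           # ω: a place whose token count is unbounded
Marking = Tuple[float, ...]    # one entry per place: an int or OMEGA

PLACES = ("X", "Sema", "CritSec", "Y", "ResetCtr")
# (name, tokens consumed per place, tokens produced per place)
TRANSITIONS = [
    ("enter_cs", (1, 1, 0, 0, 0), (0, 0, 1, 0, 0)),   # take the semaphore, enter
    ("exit_cs",  (0, 0, 1, 0, 0), (0, 1, 0, 1, 0)),   # leave, release the semaphore
    ("restart",  (0, 0, 0, 1, 0), (1, 0, 0, 0, 1)),   # go round again, count it
]


def fire(m: Marking, pre: Sequence[int], post: Sequence[int]) -> Optional[Marking]:
    """Successor of m under one transition, or None if it is not enabled.
    ω minus anything plus anything stays ω."""
    if any(tokens < needed for tokens, needed in zip(m, pre)):
        return None
    return tuple(tokens - needed + made for tokens, needed, made in zip(m, pre, post))


def covers(big: Marking, small: Marking) -> bool:
    """big ≥ small componentwise; ω covers every finite count."""
    return all(b >= s for b, s in zip(big, small))


def accelerate(m: Marking, ancestors: List[Marking]) -> Marking:
    """If m strictly covers an ancestor on its own path, the places that grew
    can be pumped forever by repeating that path segment, so they become ω."""
    cur = list(m)
    changed = True
    while changed:
        changed = False
        for anc in ancestors:
            if covers(tuple(cur), anc) and tuple(cur) != anc:
                for i, (old, new) in enumerate(zip(anc, cur)):
                    if new > old and new != OMEGA:
                        cur[i] = OMEGA
                        changed = True
    return tuple(cur)


def karp_miller(initial: Marking, transitions=TRANSITIONS) -> List[Marking]:
    """All nodes of the coverability tree; finite by Dickson's lemma.
    A marking already expanded elsewhere in the tree is not expanded again."""
    nodes: List[Marking] = []
    seen = set()
    stack = [(initial, [])]
    while stack:
        m, path = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        nodes.append(m)
        for _name, pre, post in transitions:
            succ = fire(m, pre, post)
            if succ is not None:
                stack.append((accelerate(succ, path + [m]), path + [m]))
    return nodes


def coverable(initial: Marking, target: Marking) -> bool:
    """The slide's question: can some reachable marking cover target?"""
    return any(covers(node, target) for node in karp_miller(initial))


if __name__ == "__main__":
    init = (2, 1, 0, 0, 0)
    for node in karp_miller(init):
        print(dict(zip(PLACES, node)))
    print("two processes in the critical section?", coverable(init, (0, 0, 2, 0, 0)))
```

Only ResetCtr ever becomes ω: the semaphore keeps Sema + CritSec = 1 in every node, so the unsafe marking with two tokens in CritSec is reported as not coverable, while any bound on ResetCtr is exceeded. This is the same finite-abstraction effect that the msg-based generalisation in Ecce produces when it specialises the CTL checker for the net.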
18
RTP - Coverability: can we cover 0,0,0,0,0,0,0,1,1,0?
/* Specialised Predicates
ssat__0__1 :- ssat__0.
sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0).
sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0).
sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A).
sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A).
sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A).
sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A).
sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A).
sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A).
sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A).
sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A).
*/
ssat__0 :- fail.
ssat__0__1 :- fail.
sat__1__2 :- fail.
sat_eu__2__3 :- fail.
sat_eu__2__4(A) :- fail.
sat_eu__2__5(A) :- fail.
sat_eu__2__6(A) :- fail.
sat_eu__2__7(A) :- fail.
sat_eu__2__8(A) :- fail.
sat_eu__2__9(A) :- fail.
sat_eu__2__10(A) :- fail.
sat_eu__2__11(A) :- fail.
Every specialised predicate fails, so the marking 0,0,0,0,0,0,0,1,1,0 cannot be covered.
Figure: reachable markings

19
More about the Ecce Postprocessor
  • Determinate post-unfolding
  • Reducing unnecessary polyvariance
  • Most Specific Version (MSV) computation [Marriott, Naish, Lassez 88]
    • Bottom-up abstract interpretation: compose T_P with predicate-wise msg
    • For every body atom of the program: unify with an element of S; if none exists, the clause can be removed!

20
RTP: Ecce + MSV
Ecce (without MSV):
ssat__0 :- ssat__0__1.
ssat__0__1 :- sat__1__2.
sat__1__2 :- sat_eu__2__3.
sat_eu__2__3 :- sat_eu__2__4(0).
sat_eu__2__4(A) :- sat_eu__2__5(A).
sat_eu__2__5(A) :- sat_eu__2__6(A).
sat_eu__2__6(A) :- sat_eu__2__7(A).
sat_eu__2__6(A) :- sat_eu__2__8(A).
sat_eu__2__7(A) :- sat_eu__2__9(A).
sat_eu__2__8(A) :- sat_eu__2__4(s(A)).
sat_eu__2__9(A) :- sat_eu__2__8(A).
sat_eu__2__9(A) :- sat_eu__2__10(A).
sat_eu__2__9(A) :- sat_eu__2__11(A).
sat_eu__2__10(A) :- sat_eu__2__8(A).
sat_eu__2__11(A) :- sat_eu__2__8(A).
Ecce + MSV (the specialised-predicate comment block is the same as on slide 18):
ssat__0 :- fail.
ssat__0__1 :- fail.
sat__1__2 :- fail.
sat_eu__2__3 :- fail.
sat_eu__2__4(A) :- fail.
sat_eu__2__5(A) :- fail.
sat_eu__2__6(A) :- fail.
sat_eu__2__7(A) :- fail.
sat_eu__2__8(A) :- fail.
sat_eu__2__9(A) :- fail.
sat_eu__2__10(A) :- fail.
sat_eu__2__11(A) :- fail.
21
Infinite State Model Checking by PD
  • When does it work?
    • Decision procedure for some problems
    • Extends existing algorithms for some specific classes of systems & properties [Leuschel & Lehmann, CL2000, PPDP00; Lehmann & Leuschel, LPAR2000]
    • Always safe, but may answer "don't know"
  • Flexible system: various formalisms, properties, algorithms (backwards/forwards/combined, ...)
  • Again this must come at the price of efficiency!?
    • After all, Ecce & Logen were not designed for Model Checking
    • How much do we pay?

22
Some IMC Experiments: Comparing some tools
  • Hytech
    • Polyhedra, for hybrid systems
  • CST (Covering Sharing Tree)
    • "Attacking Symbolic Explosion", Delzanno, Raskin, Van Begin, CAV01
    • Compact representation for (infinite) upwards-closed sets
    • Symbolic, backwards, uses pre-computed structural invariants to cut the search space
  • Ecce (+ Logen)
    • Settings: Finkel

23
Babylon Benchmarks: Reader/Writer, Dekker, FMS, CSM
24
A more complicated Example: CSM - Specialisation Result
25
Some Experiments in Infinite State Model Checking
Tools compared: CST | CST w/o | Ecce | Hytech back | Hytech fwd
  CSM:       0.08 | 0.19 | 0.13 | 6.32 | 8
  FMS:       39.6 | 3.50 | ?   (remaining cells not recovered)
  RW:        -- | -- | 0.05 | ?
  Dekker(2): 5.4 | 0.43 | >30min | 1
Legend: -- = not possible; a separate mark on the slide = out of memory
Timings: AMD Athlon 900MHz, 1.5GB RAM
(using the old version; the new version is about 2 times faster?)
26
CSM The full picture
27
Some Conclusions
  • Ecce surprisingly fast for infinite MC
    • Better than Hytech, sometimes better than CST
  • Ecce (unsurprisingly) slow for finite MC
    • Future work: combine XTL with Ecce
  • Infinite MC can be faster than finite MC
  • What is the price we pay for implementing a flexible system in Prolog and reusing general purpose program manipulation tools?
    • Good performance (compared to other tools)!

28
Outline (as on slide 2); next: 4. Inductive Theorem Proving by Conjunctive PD
29
Theorem Proving & Program Specialisation/Transformation
  • Lots of interest:
    • Supercompilation: Turchin, Glück & Jørgensen, ...
    • Unfold/Fold: Pettorossi & Proietti, ...
    • GPC: Futamura, ...

30
Proof Assistant: Isabelle
31
A simple Example
  theory Mirror = PreList:
  datatype 'a tree = Tip | Node "'a tree" 'a "'a tree"
  consts mirror :: "'a tree => 'a tree"
  primrec
    "mirror(Tip) = Tip"
    "mirror((Node ls x rs)) = Node (mirror(rs)) x (mirror(ls))"
  lemma mirror_mirror [simp]: "mirror(mirror(xs)) = xs"
  apply(induct_tac xs)
  ML "set trace_simp"
  apply(simp)
  apply(auto)
  done
Proof state:
  proof (prove): step 1
  fixed variables: xs
  goal (lemma (mirror_mirror), 2 subgoals):
   1. mirror (mirror Tip) = Tip
   2. !!tree1 a tree2.
        [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |]
        ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2
Here we can rewrite mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2 into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2, further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2; by induction hypothesis 1 this simplifies to Node tree1 a (mirror(mirror tree2)) = Node tree1 a tree2, and by induction hypothesis 2 to Node tree1 a tree2 = Node tree1 a tree2. QED
Can Ecce do this???
32
Conjunctive Partial Deduction
  • Given a set S = {C1, ..., Cn} of (conjunctions of) atoms
  • Build finite, possibly incomplete SLD-trees for each ← Ci
  • For every non-failing branch: generate one specialised formula Ci ← L by computing the resultants
  • To get Horn clauses: rename conjunctions into atoms!
    • Assign every Ci an atom with the same variables, each with a different predicate name

33
Ecce Demo
  • Inductive Theorem Proving
    • Even/odd
    • mirror_mirror

34
Specialisation Tree as Induction Schema
Proof state as on slide 31 (goal 1: mirror (mirror Tip) = Tip; goal 2: the Node case with the two induction hypotheses).
Goal 2, rewritten into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2, further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2; by induction hypothesis 1 this simplifies to Node tree1 a (mirror(mirror tree2)) = Node tree1 a tree2, and by induction hypothesis 2 to Node tree1 a tree2 = Node tree1 a tree2. QED
Can you find the correspondence?
35
CPD vs ITP
  • ITP: find a set H of induction hypotheses so that we can transform the induction hypotheses for n+1 so as to re-use the induction hypotheses for n
  • CPD: find a set S of conjunctions so that they can be unfolded in such a way that all leaves can be folded back on S

  ITP                                     CPD
  Simplify                                Unfold
  Reuse hypotheses in H (condition: n)    Fold on conjunctions in S (condition: instance)
36
Outline (as on slide 2); next: 5. Putting everything together
37
Figure: CTL Model Checker (Prolog Source) → ECCE → Specialisation Result → Ecce Postprocessor → Proof Script → Isabelle → Verification Result (validation of the Ecce result)
38
A Simple Example: basicME
Target: x3 > 1, x4 > 1
39
Results
  • The Ecce specialisation tree can be automatically transformed into a valid induction schema for Isabelle
  • The Ecce result can be validated
  • Checking the proof in Isabelle is several orders of magnitude slower than Ecce (proof script still at too high a level?)

40
Outline (as on slide 2); next: 6. Conclusion & Outlook
41
Conclusion I
  • Relationship between infinite state model checking and program specialisation
    • PS can be used for ISMC
    • Efficiency seems to be good!
    • Equivalence & decidability results

42
Conclusion II
  • Relationship between inductive theorem proving & program specialisation
    • PS can be used for some ITP tasks
    • For one application: automatic translation of PS output into an ITP proof script
  • But
    • No equivalence between ITP & PS techniques
    • E.g., what about rippling?
    • The ITP & PS communities should look at each other's work!
    • Some ITP tasks are very, very hard

43
Thank you
44
Supplementary Slides
45
46
RTP Example: Receiver of Transmission Protocol (from the Babylon library of benchmarks)
47
Classical Applications of CPD: Tupling, Deforestation
48
CTL model checking
/ - table sat_eu/3./ / tabulation to compute
least-fixed point / sat_eu(E,_F,G) - /
exists until / sat(E,G). sat_eu(E,F,G) - /
exists until / sat(E,F), trans(_Act,E,E2),
sat_eu(E2,F,G). / - table sat_noteg/2./ /
tabulation to compute least-fixed point
/ sat_noteg(E,F) - sat(E,not(F)). sat_noteg(
E,F) - not( (trans(_Act,E,E2),not(sat_noteg(E2
,F)))). / encoding of the system (here a
Petri net) / trans(enter_cs,s(X),s(Sema),CritS
ec,Y,C, X,Sema,s(CritSec),Y,C). trans(exi
t_cs,X,Sema,s(CritSec),Y,C,
X,s(Sema),CritSec,s(Y),C). trans(restart,X,Sema
,CritSec,s(Y),ResetCtr, s(X),Sema,CritSec,Y
,s(ResetCtr)). prop(X,Sema,s(s(CritSec)),Y,C,u
nsafe). prop(0,Sema,0,0,C,deadlock). prop(X,0,0
,0,C,deadlock).
/ A Model Checker for CTL fomulas / / written
for XSB-Prolog / / by Michael Leuschel, Thierry
Massart / sat(_E,true). sat(_E,false) -
fail. sat(E,p(P)) - prop(E,P). / proposition
/ sat(E,and(F,G)) - sat(E,F),
sat(E,G). sat(E,or(F,_G)) - sat(E,F). sat(E,or(_F
,G)) - sat(E,G). sat(E,not(F)) -
not(sat(E,F)). sat(E,en(F)) - / exists next /
trans(_Act,E,E2),sat(E2,F). sat(E,an(F)) - /
always next / not(sat(E,en(not(F)))). sat(E,e
u(F,G)) - / exists until /
sat_eu(E,F,G). sat(E,au(F,G)) - / always until
/ sat(E,not(eu(not(G),and(not(F),not(G))))),
sat_noteg(E,not(G)). sat(E,ef(F)) - / exists
future / sat(E,eu(true,F)). sat(E,af(F)) - /
always future / sat_noteg(E,not(F)). sat(E,eg(F
)) - / exists global / not(sat_noteg(E,F)). /
we want gfp -gt negate lfp of negation
/ sat(E,ag(F)) - / always global /
sat(E,not(ef(not(F)))).
2) ECCE - ABSTRACTION / Transformation time
617 ms / sat__0(A,s(0),0,0,0) -
sat__0__1(A). sat__0__1(s(s(A))) -
sat_eu__1__2(A). sat__0__1(s(A)) -
sat_eu__1__3(A). sat_eu__1__2(A) -
sat_eu__1__9(A). sat_eu__1__2(A) -
sat_eu__1__10(A). sat_eu__1__3(s(A)) -
sat_eu__1__4(A). sat_eu__1__4(A) -
sat_eu__1__5(A). sat_eu__1__4(A) -
sat_eu__1__6(A). sat_eu__1__5(s(A)) -
sat_eu__1__7(A,s(s(0))). sat_eu__1__5(A) -
sat_eu__1__6(A). sat_eu__1__11(A,B) -
sat_eu__1__12(A,s(B)). sat_eu__1__11(A,s(B)) -
sat_eu__1__11(s(A),B). sat_eu__1__12(s(A),B)
- sat_eu__1__11(A,B). sat_eu__1__12(A,s(B))
- sat_eu__1__12(s(A),B).
1) LOGEN - COMPILATION / file ctl.pe.sat__
/ / benchmark info 0 ms / / atom
specialised sat(_10048,ef(p(unsafe)))
/ sat_eu__1(B,C,s(s(D)),E,F). sat_eu__1(s(G)
,s(H),I,J,K) - sat_eu__1(G,H,s(I),J,K). sat
_eu__1(L,M,s(N),O,P) - sat_eu__1(L,s(M),N,s
(O),P). sat_eu__1(Q,R,S,s(T),U) -
sat_eu__1(s(Q),R,S,T,s(U)). sat__0(B) -
sat_eu__1(B).
3) MSV - ANALYSIS sat__0(A,s(0),0,0,0) -
fail. sat__0__1(s(s(A))) -
fail. sat__0__1(s(A)) - fail. sat_eu__1__2(A
) - fail. ...
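The fixpoint structure of the checker above (EU as a least fixpoint, AF via sat_noteg, and EG obtained by negating the least fixpoint of the negation), as an added explicit-state Python example that is not the slide's code. To keep the state space finite it drops the unbounded ResetCtr place from the slide's net (an assumption of this example) and enumerates the reachable markings over places (X, Sema, CritSec, Y); formulas are nested tuples mirroring the Prolog terms, and the extra proposition "busy" is constructed here.

```python
"""Explicit-state CTL checking by least fixpoints, structured like the slide's
sat/2, sat_eu/3 and sat_noteg/2.  Added example; the finite net (ResetCtr
dropped), the formula encoding and the proposition "busy" are assumptions."""
from typing import Dict, Set, Tuple

State = Tuple[int, int, int, int]        # tokens in (X, Sema, CritSec, Y)

TRANSITIONS = [  # (name, tokens consumed, tokens produced), as on the slide
    ("enter_cs", (1, 1, 0, 0), (0, 0, 1, 0)),
    ("exit_cs",  (0, 0, 1, 0), (0, 1, 0, 1)),
    ("restart",  (0, 0, 0, 1), (1, 0, 0, 0)),
]


def successors(s: State) -> Set[State]:
    out = set()
    for _name, pre, post in TRANSITIONS:
        if all(t >= p for t, p in zip(s, pre)):
            out.add(tuple(t - p + q for t, p, q in zip(s, pre, post)))
    return out


def reachable(init: State) -> Dict[State, Set[State]]:
    """The finite Kripke structure: every reachable state and its successors."""
    graph, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s not in graph:
            graph[s] = successors(s)
            todo.extend(graph[s])
    return graph


def prop(s: State, p: str) -> bool:
    """Atomic propositions after the slide's prop/2 clauses ("busy" is added)."""
    x, sema, cs, y = s
    if p == "unsafe":
        return cs >= 2
    if p == "deadlock":
        return cs == 0 and y == 0 and (x == 0 or sema == 0)
    if p == "busy":
        return cs >= 1
    raise ValueError(p)


def noteg(graph: Dict[State, Set[State]], f) -> Set[State]:
    """sat_noteg(E,F): least fixpoint of 'not F holds, or every successor is
    already in'.  Equals AF(not F); a state without successors joins
    vacuously, exactly as the Prolog double negation does."""
    z = sat(graph, ("not", f))
    while True:
        bigger = z | {s for s, succ in graph.items() if succ <= z}
        if bigger == z:
            return z
        z = bigger


def sat(graph: Dict[State, Set[State]], f) -> Set[State]:
    """All states of graph satisfying formula f."""
    all_states = set(graph)
    op = f[0]
    if op == "true":
        return all_states
    if op == "false":
        return set()
    if op == "p":
        return {s for s in all_states if prop(s, f[1])}
    if op == "and":
        return sat(graph, f[1]) & sat(graph, f[2])
    if op == "or":
        return sat(graph, f[1]) | sat(graph, f[2])
    if op == "not":
        return all_states - sat(graph, f[1])
    if op == "en":                                  # exists next
        nxt = sat(graph, f[1])
        return {s for s in all_states if graph[s] & nxt}
    if op == "an":                                  # always next = not en(not F)
        return all_states - sat(graph, ("en", ("not", f[1])))
    if op == "eu":                                  # exists until: lfp like tabled sat_eu/3
        hold, goal = sat(graph, f[1]), sat(graph, f[2])
        z = set(goal)
        while True:
            bigger = z | {s for s in hold if graph[s] & z}
            if bigger == z:
                return z
            z = bigger
    if op == "ef":
        return sat(graph, ("eu", ("true",), f[1]))
    if op == "af":
        return noteg(graph, ("not", f[1]))
    if op == "eg":                                  # gfp as the negated lfp of the negation
        return all_states - noteg(graph, f[1])
    if op == "ag":
        return all_states - sat(graph, ("ef", ("not", f[1])))
    if op == "au":                                  # the slide's encoding of always-until
        f1, g = f[1], f[2]
        bad = sat(graph, ("eu", ("not", g), ("and", ("not", f1), ("not", g))))
        return (all_states - bad) & noteg(graph, ("not", g))
    raise ValueError(op)


def holds(init: State, f) -> bool:
    """Does the system started in init satisfy f?"""
    return init in sat(reachable(init), f)
```

From the initial marking (2, 1, 0, 0) only five markings are reachable, so AG(not unsafe) is decided by plain enumeration here; the specialisation on the slide reaches the same verdict for the infinite family of initial markings with an unbounded ResetCtr, which is what the finite-state checker cannot do.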