partial clock functions in acl2
play

Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 - PowerPoint PPT Presentation

Apr 17, 2023 •152 likes •423 views

Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004 Goals Given a state machine, we want : A termination proof: from a set of starting states, a desired goal state will always eventually be reached. An

  1. Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004

  2. Goals • Given a state machine, we want : • A termination proof: from a set of starting states, a desired goal state will always eventually be reached. • An efficient simulator: a function that steps machine until desired goal state is reached • Modularity: Be able to compose subroutine proofs and simulators 2

  3. Goals • We don’t want to : • write a VCG (verification condition generator) • manually define a clock function • specify assertions or ordinal measures for every instruction in the subroutine • add a clock parameter to the simulator • Related work : • First three conditions above met for partial correctness [Moore 2003] • First two conditions above met for total correctness [Ray & Moore 2004] 3

  4. State machine model • State tuple: represents current machine state • Defined as a stobj • Program, program counter are part of the state (defstobj mstate (mem :type (array (signed-byte 32) (1024)) (progc :type integer) ...) • “next state” function: executes one machine step next : mstate => mstate 4

  5. State machine model • Machine simulator (with clock parameter): Executes machine for n steps • Returns current state if n is bogus (defun run (n mstate) (declare (xargs :stobjs (mstate) :guard (natp n))) (if (zp n) mstate (let ((mstate (next mstate))) (run (1- n) mstate)))) 5

  6. State machine model • State assertion : predicate about a machine state (defun entering-fib-routine (n mstate) (and (program-loaded *fib-addr* mstate) (equal (progc mstate) *fib-addr*) (equal (top-of-stack mstate) n))) (defun exiting-fib-routine (n mstate) (and (program-loaded *fib-addr* mstate) (equal (progc mstate) *fib-done-addr*) (equal (top-of-stack mstate) (fib n)))) 6

  7. State machine model • Cutpoints : Finite collection of state assertions • Every program loop should be broken by at least one cutpoint • Exitpoint : Desired end state assertion • Every exitpoint must be a cutpoint • Multiple exitpoints allowed • Exitpoints aren’t necessarily halting • Internal cutpoint : A cutpoint that is not an exitpoint 7

  8. Termination proof • Total correctness : Every cutpoint always leads to an exitpoint. • Proof method: • Assign an ordinal measure to every cutpoint cutpoint-measure : mstate => ordinal • Symbolically simulate each control path from an internal cutpoint until another cutpoint is reached • Show that the newly-reached cutpoint is smaller according to cutpoint-measure 8

  9. Symbolic simulation • Symbolic simulation automated via a partial clock function • Has a generic, tail-recursive definition • Returns number of steps (- n) until next valid cutpoint state, if one is reachable • Undefined if no cutpoint state is reachable • Can be made “Executable” (defpun steps-to-cutpoint-tail (n mstate) (if (at-cutpoint mstate) n (steps-to-cutpoint-tail (1+ n) (next mstate)))) 9

  10. Completed clock function • Partial clock function is logically extended to a total function: • Tests whether value returned by steps-to-cutpoint-tail is a cutpoint: • If so, then return that value • If not, then return ω (defun steps-to-cutpoint (mstate) (let ((steps (steps-to-cutpoint-tail 0 mstate))) (if (at-cutpoint (run steps mstate)) steps (omega)))) 10

  11. Clock function rewrites • Completed clock function has simpler rewrite rules • Rules use ordinal addition to handle unreachable cutpoints (defthm steps-to-cutpoint-zero (implies (at-cutpoint mstate) (equal (steps-to-cutpoint mstate) 0))) (defthm steps-to-cutpoint-nonzero-intro (implies (not (at-cutpoint mstate)) (equal (steps-to-cutpoint mstate) (o+ 1 (steps-to-cutpoint (next mstate)))))) 11

  12. Symbolic simulation • Check termination by symbolically simulating machine, from each internal cutpoint to its next reachable cutpoint (implies (and (at-cutpoint mstate) (not (at-exitpoint mstate))) (let* ((steps (steps-to-cutpoint (next mstate))) (cutpoint (run steps mstate))) (and (at-cutpoint cutpoint) (o< (cutpoint-measure cutpoint) (cutpoint-measure mstate))))) • But then machine gets simulated twice per internal cutpoint! • Once to compute number of steps to next cutpoint • Second time to compute next cutpoint’s state tuple 12

  13. Symbolic simulation • Solution: use clock function to define a next-cutpoint function • Returns next cutpoint, if it is reachable • Returns a non-cutpoint value, otherwise (defun next-cutpoint (mstate) (let ((steps (steps-to-cutpoint mstate))) (if (natp steps) (run steps mstate) nil))) 13

  14. Symbolic simulation • Next-cutpoint function agrees with machine simulator... (thm (implies (at-cutpoint (next-cutpoint mstate)) (equal (next-cutpoint mstate) (run (steps-to-cutpoint mstate) mstate))))) ...and still obeys good symbolic simulation rules (defthm next-cutpoint-at-cutpoint (implies (at-cutpoint mstate) (equal (next-cutpoint mstate) mstate))) (defthm next-cutpoint-intro-next (implies (not (at-cutpoint mstate)) (equal (next-cutpoint mstate) (next-cutpoint (next mstate))))) 14

  15. Symbolic simulation • Now termination check symbolically simulates machine only once per internal cutpoint. (implies (and (at-cutpoint mstate) (not (at-exitpoint mstate))) (let ((cutpoint (next-cutpoint (next mstate)))) (and (at-cutpoint cutpoint) (o< (cutpoint-measure cutpoint) (cutpoint-measure mstate))))) 15

  16. Termination • Can now define function to count steps from cutpoint to next exitpoint (defun steps-to-exitpoint-from-cutpoint (mstate) (declare (xargs :measure (cutpoint-measure mstate))) (cond ((not (at-cutpoint mstate)) 0) ((at-exitpoint mstate) 0) (t (+ 1 (steps-to-cutpoint (next mstate)) (steps-to-exitpoint-from-cutpoint (next-cutpoint (next mstate))))))) 16

  17. Termination • Main termination theorem: (defthm total-correctness-from-cutpoint (implies (at-cutpoint mstate) (at-exitpoint (run (steps-to-exitpoint-from-cutpoint mstate) mstate)))) 17

  18. Efficient simulator • Goal 2: Define an executable machine simulator function that doesn’t use a step counter • Simulator returns the first reachable exitpoint state • Simulator guard: input state must be a cutpoint 18

  19. Efficient simulator • Defining the simulator: • First define a cutpoint simulator , that steps the machine from one cutpoint to the next cutpoint • Main simulator calls cutpoint simulator until exitpoint is reached • Use cutpoint measure to prove termination • Main challenge: stobj syntactic restrictions 19

  20. Stobj restrictions • Want to use steps-to-cutpoint in guards, but not execute them :guard (at-cutpoint (run (steps-to-cutpoint mstate) mstate)) • Problem: ACL2 requires guards to be executable • Difficult to make guards stobj-compliant • This definition doesn’t work, since defpun not stobj-compliant: (defun steps-to-cutpoint (mstate) (declare (xargs :stobjs (mstate))) (let ((steps (steps-to-cutpoint-tail 0 mstate))) (if (at-cutpoint (run steps mstate)) steps (omega)))) 20

  21. Stobj restrictions • Need to write coercion functions between stobjs and ACL2 values logical-mstatep : * => bool copy-from-mstate : mstate => * copy-to-mstate : (* mstate) => mstate (defthm copy-from-mstate-correct (implies (mstatep mstate) (equal (copy-from-mstate mstate) mstate))) (defthm copy-to-mstate-correct (implies (and (mstatep mstate) (logical-mstatep copy)) (equal (copy-to-mstate copy mstate) copy))) 21

  22. Stobj restrictions • Next problem: guards are not allowed to modify stobjs (defun steps-to-cutpoint (mstate) (declare (xargs :stobjs (mstate))) (let* ((mstate-copy (copy-from-mstate mstate)) (steps (steps-to-cutpoint-tail 0 mstate-copy))) (if (at-cutpoint (run steps mstate)) steps (omega)))) • “ACL2 value” version of run requires “ACL2 value” next • Basically need to redefine the entire machine semantics 22

  23. Stobj restrictions • Solution: create a with-copy-of-stobj macro • allocates a local copy of stobj object • Executes a stobj-compliant mv-let form on the local copy • Discards the mv-let ’s final stobj • Returns the mv-let ’s final value • Modified steps-to-cutpoint function is now stobj-compliant • Can be used in guards • ACL2 runtime error if executed (but still sound) 23

  24. Efficient simulator • Clockless simulator, useful for cutpoint-induction proofs: • next-cutpoint-exec defined with stobj-compliant guard • called by cutpoint simulator cutpoint-to-cutpoint-exec • Main simulator calls cutpoint simulator until exitpoint (defun next-exitpoint-exec (mstate) (declare (xargs :stobjs (mstate) :measure (cutpoint-measure mstate) :guard (at-cutpoint mstate))) (if (mbt (at-cutpoint mstate)) (if (at-exitpoint mstate) mstate (let ((mstate (cutpoint-to-cutpoint-exec mstate))) (next-exitpoint-exec mstate))) (dummy-mstate mstate))) 24

  25. Efficient simulator • Clockless simulator, useful for efficient execution (not in supporting materials): (defun next-exitpoint-exec (mstate) (declare (xargs :stobjs (mstate) :guard (cutpoint-reachable mstate) :measure (steps-to-exitpoint mstate))) (if (mbt (and (mstatep mstate) (cutpoint-reachable mstate))) (if (at-exitpoint mstate) mstate (let ((mstate (next mstate))) (next-exitpoint-exec mstate))) mstate)) 25

Recommend

Consistently Adding Primitive Recursive Definitions in ACL2 by John Cowles University of

Consistently Adding Primitive Recursive Definitions in ACL2 by John Cowles University of

Consistently Adding Primitive Recursive Definitions in ACL2 by John Cowles University of Wyoming 1 defpun A macro for consistently introducing partial functions into CAL2. Described in Pete &amp; Js paper, Partial Functions in ACL2

295 views • 27 slides
Attaching Efficient Executability to Partial Functions in ACL2 Sandip Ray Department of Computer

Attaching Efficient Executability to Partial Functions in ACL2 Sandip Ray Department of Computer

Attaching Efficient Executability to Partial Functions in ACL2 Sandip Ray Department of Computer Science University of Texas at Austin Email: sandip@cs.utexas.edu web: http://www.cs.utexas.edu/users/sandip U NIVERSITY OF T EXAS AT A USTIN D

626 views • 35 slides
Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a logic of total functions. Some recursive equations have no satisfying ACL2 functions: No ACL2 function g satisfies this recursive equation

518 views • 35 slides
ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya http://staff.computing.dundee.ac.uk/katya/acl2ml/ 12 July 2014 ACL214 J. Heras ACL2(ml): Machine-Learning for ACL2 1/23 Outline Some Challenges in ACL2 1 An overview of

871 views • 56 slides
Partial Functions and Domination C T Chong National University of Singapore

Partial Functions and Domination C T Chong National University of Singapore

Partial Functions and Domination C T Chong National University of Singapore chongct@math.nus.edu.sg CTFM, Tokyo 711 September 2015 Domination for Partial Functions Definition Let f , g be partial functions. Then g dominates f if

664 views • 28 slides
Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the Foundations of

Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the Foundations of

Introduction Natural numbers objects in monoidal categories Weak representability of partial recursive functions Strong representability of partial recursive functions Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the

800 views • 58 slides
Partial Functions and Categories of Partial Maps Science Atlantic at Acadia University Darien

Partial Functions and Categories of Partial Maps Science Atlantic at Acadia University Darien

Motivation of Partial Functions Formally Defining Partial Functions Categories Restriction Categories Partial Functions and Categories of Partial Maps Science Atlantic at Acadia University Darien DeWolf October 24, 2015 Darien DeWolf

194 views • 17 slides
Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof Wolfgang Goerigk Christian-Albrechts-Universit at zu Kiel, Germany wg@informatik.uni-kiel.de wg/

297 views • 28 slides
Real Vector Spaces, the Cauchy-Schwarz Inequality, &amp; Convex Functions in ACL2(r) Carl Kwan

Real Vector Spaces, the Cauchy-Schwarz Inequality, &amp; Convex Functions in ACL2(r) Carl Kwan

Real Vector Spaces, the Cauchy-Schwarz Inequality, &amp; Convex Functions in ACL2(r) Carl Kwan Mark R. Greenstreet University of British Columbia 15th International Workshop on the ACL2 Theorem Prover and Its Applications Carl Kwan &amp; Mark

383 views • 27 slides
Partial Recursive Functions Computation Theory , L 8 101/171 Aim A more abstract,

Partial Recursive Functions Computation Theory , L 8 101/171 Aim A more abstract,

Partial Recursive Functions Computation Theory , L 8 101/171 Aim A more abstract, machine-independent description of the collection of computable partial functions than provided by register/Turing machines: they form the smallest collection

349 views • 16 slides
Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming Introduction ACL2 ( r ) is a variant of ACL2 that supports the irrational numbers It is distributed with the ACL2 sources The foundations of ACL2

479 views • 29 slides
JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the first order) by A.J.Hobson 14.1.1 Functions of several variables 14.1.2 The definition of a partial derivative UNIT 14.1 PARTIAL DIFFERENTIATION

295 views • 8 slides
Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2 Workshop, FLoC, Seattle, August 16, 2006 1 Introduction ACL2 provides a powerful congruence-based rewriting capability. However, some have

537 views • 19 slides
The Representability of Partial Recursive Yan Steimle Functions in Arithmetical Theories and

The Representability of Partial Recursive Yan Steimle Functions in Arithmetical Theories and

Representing Recursive Functions The Representability of Partial Recursive Yan Steimle Functions in Arithmetical Theories and Definitions Main Categories theorems Statements Proof Total recursive functions Yan Steimle Conclusion

574 views • 32 slides
How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1 Introduction (1) ACL2 Version 3.5 was released in May, 2009. Release note items (see :DOC release-notes) since then: (+ 41 ; 3.6 (8/2009) 3 ;

622 views • 49 slides
Partial Computable Functions: Analysis and Complexity Margarita Korovina IIS SbRAS, Novosibirsk

Partial Computable Functions: Analysis and Complexity Margarita Korovina IIS SbRAS, Novosibirsk

Partial Computable Functions: Analysis and Complexity Margarita Korovina IIS SbRAS, Novosibirsk Oleg Kudinov Inst. of Math SbRAS, Novosibirsk CCC 2017 Nancy, June 2017 Goals Does the class of partial computable functions have a universal

515 views • 23 slides
MATHEMATICS 1 CONTENTS Derivatives for functions of two variables Higher-order partial

MATHEMATICS 1 CONTENTS Derivatives for functions of two variables Higher-order partial

Partial derivatives BUSINESS MATHEMATICS 1 CONTENTS Derivatives for functions of two variables Higher-order partial derivatives Derivatives for functions of many variables Old exam question Further study 2 DERIVATIVES FOR FUNCTIONS OF TWO

472 views • 20 slides
A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro Coglio Kestrel Institute Workshop 2018 ATJ Java code generator for ACL2 (ACL2 To Java) based on AIJ deep embedding of ACL2 in Java (ACL2 In Java)

901 views • 38 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

Digital Systems Clock Distribution I CMPE 650 Clock Characteristics Clock signals must toggle twice (full cycle) for each single transition for data. Clock wires also tend to be very heavily loaded nets because they typically fan-out to every

490 views • 19 slides
Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu

Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu

Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu Northeastern University Boston, MA, USA 1 ACL2 2 ACL2 Formal verification based on pure, first-order Common Lisp. Used to model critical

909 views • 61 slides
BEEM103 Optimization Techniques for Economists Level Curves Multivariate Functions Isoquants

BEEM103 Optimization Techniques for Economists Level Curves Multivariate Functions Isoquants

Functions in two variables Functions in two variables Partial derivatives Partial derivatives Optimization Optimization Unconstrained Optimization Unconstrained Optimization Second order conditions Second order conditions Functions in two

234 views • 20 slides
Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop 2018 This talk is for hint abusers This might be you if: You cant be bothered to figure out a good rewriting strategy You just dont know

541 views • 30 slides
Curried functions Currying and partial application and other tasty

Curried functions Currying and partial application and other tasty

10/8/15 More idioms for closures Function composition Curried functions Currying and partial application and other tasty closure recipes Callbacks (e.g., in reactive

672 views • 6 slides
Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon

Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon

Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon Austel IBM IBM Outline Outline What a typed ACL2 might look like Vague proposal concerning how to change ACL2 to allow experimentation with type

873 views • 19 slides

More recommend