+ Proofs Harnessing SMT solvers for TLA Stephan Merz and Hern an - PowerPoint PPT Presentation

+ Proofs Harnessing SMT solvers for TLA Stephan Merz and Hern´ an Vanzetto + Workshop, Paris, France TLA August 27th, 2012 1

Introduction + proof language: TLA Hierarchical proof structure Top-down development: users refine assertions until they are “obvious” Leaf steps verified by automatic backend provers ◮ invoke proof method ◮ cite necessary assumptions and facts ◮ expand definitions + Proof System: TLA + proofs Mechanically checks TLA Currently proves only non-temporal fragment + Toolbox Supported by the TLA 2

Architecture of TLAPS 3

Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers 4

Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers Zenon ◮ Tableau prover for first-order logic with equality + on sets, functions, ... ◮ Includes extensions for TLA ◮ Backend called by default ; proofs certified by Isabelle 4

Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers Zenon ◮ Tableau prover for first-order logic with equality + on sets, functions, ... ◮ Includes extensions for TLA ◮ Backend called by default ; proofs certified by Isabelle SimpleArithmetic (obsolete) ◮ Cooper’s algorithm for Presburger arithmetic 4

Current backend provers + Isabelle/TLA + over Isabelle’s meta-logic ◮ Faithful encoding of TLA ◮ Calls predefined Isabelle automatic proof methods ◮ Used to certify proofs of other backend provers Zenon ◮ Tableau prover for first-order logic with equality + on sets, functions, ... ◮ Includes extensions for TLA ◮ Backend called by default ; proofs certified by Isabelle SimpleArithmetic (obsolete) ◮ Cooper’s algorithm for Presburger arithmetic SMT ◮ Available since the last public version of TLAPS (v1.0) ◮ Based on type inference 4

Motivation Typical proof obligations usually contain a mix of arithmetic, sets, functions, which the older backends were not able to handle at once SMT solvers offer a combination of: + First-order reasoning + Decision procedures for other theories (=, linear arithmetic, . . . ) SMT input languages: Based on many-sorted first-order logic Predefined Bool and integer sorts Uninterpreted functions, if-then-else function 5

Table of Contents Introduction 1 First approach: SMT backend based on type inference 2 Second approach: untyped encoding 3 Experimental results 4 Conclusions 5 6

First approach: a backend based on type inference 7

First approach: a backend based on type inference + expressions Inference algorithm recurses over TLA + terms ◮ Ad-hoc type system for TLA (unspecified type ⊥ , integer type, sets, functions, . . . ) 7

First approach: a backend based on type inference + expressions Inference algorithm recurses over TLA + terms ◮ Ad-hoc type system for TLA (unspecified type ⊥ , integer type, sets, functions, . . . ) Soundness: incorrect typing can make invalid theorems provable ◮ x / ∈ Int ⇒ x + 0 = x ; ( ¬¬ X ) = X 7

First approach: a backend based on type inference + expressions Inference algorithm recurses over TLA + terms ◮ Ad-hoc type system for TLA (unspecified type ⊥ , integer type, sets, functions, . . . ) Soundness: incorrect typing can make invalid theorems provable ◮ x / ∈ Int ⇒ x + 0 = x ; ( ¬¬ X ) = X Safe types : ⊥ , set( ⊥ ), set(set( ⊥ )), . . . Typing hypotheses are available facts of the form y ∈ � x ≈ exp and ∀ � S : f ( � y ) ≈ exp with ≈ ∈ { = , ∈ , ⊆} 7

First approach: a backend based on type inference + formulas are translated to SMT input formats Well-typed TLA + expressions contain only operators that have a Basic TLA direct representation in SMT formats (logical, arithm. and if s) Sets, functions, records, tuples encoded as uninterpreted functions Example x :: Z ⊢ x ∈ Int ⇒ x + 0 = x − → x + 0 = x a :: ⊥ ; S , T :: set ( ⊥ ) ⊢ a ∈ S ∪ T − → S ( a ) ∨ T ( a ) Type information for variables usually provided by type invariants 8

Toy example axiom NatInduction ≡ assume new P ( ) , P (0) , ∀ n ∈ Nat : P ( n ) ⇒ P ( n + 1) ∀ n ∈ Nat : P ( n ) prove 9

Toy example axiom NatInduction ≡ assume new P ( ) , P (0) , ∀ n ∈ Nat : P ( n ) ⇒ P ( n + 1) ∀ n ∈ Nat : P ( n ) prove theorem GeneralNatInduction ≡ assume new P ( ) , ∀ n ∈ Nat : P ( n ) ∈ boolean , (typing hypothesis) ∀ n ∈ Nat : ( ∀ m ∈ 0 .. ( n − 1) : P ( m )) ⇒ P ( n ) ∀ n ∈ Nat : P ( n ) prove � 1 � . define Q ( n ) ≡ ∀ m ∈ 0 .. n : P ( m ) � 1 � 1 . Q (0) by SMT � 1 � 2 . ∀ n ∈ Nat : Q ( n ) ⇒ Q ( n + 1) by SMT � 1 � 3 . ∀ n ∈ Nat : Q ( n ) by � 1 � 1 , � 1 � 2 , NatInduction , SMT � 1 � 4 . qed by � 1 � 3 , SMT 9

Second approach: untyped encoding 10

Second approach: untyped encoding + terms are mapped to a unique SMT sort U TLA Operators are uninterpreted functions or predicates ◮ union : U × U → U in : U × U → Bool Operators’ semantics are defined axiomatically ◮ Axiom for ∪ : ∀ x , S , T : U . ( x ∈ S ∪ T ) = ( x ∈ S ∨ x ∈ T ) ◮ Primitive operators ( ∈ , f [ x ], domain ) are left uninterpreted Functions are related to its argument by apply : U × U → U 10

Encoding arithmetic Arithmetic expressions are lifted to elements on sort U Embedding function φ : Int → U (uninterpreted and injective) 42 is encoded as φ (42) x ∈ Int is encoded as ∃ n : Int . x = φ ( n ) 11

Encoding arithmetic Arithmetic expressions are lifted to elements on sort U Embedding function φ : Int → U (uninterpreted and injective) 42 is encoded as φ (42) x ∈ Int is encoded as ∃ n : Int . x = φ ( n ) Arithmetic operators are homomorphically embedded using φ + U : U × U → U Axiom for +: ∀ m , n : Int . φ ( m ) + U φ ( n ) = φ ( m + n ) Example ∀ x ∈ Int : x + 0 = x − → ∀ x : U . ( ∃ n : Int . x = φ ( n )) ⇒ x + U φ (0) = x 11

Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 12

Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 2 Disambiguation of equalities by inferred kinds ◮ [ [ S = T ] ] ≡ ∀ x : [ [ x ∈ S ⇔ x ∈ T ] ] (when S , T are sets) ◮ S = { a } ∪ {} − → ∀ x : x ∈ S ⇔ x = a ∨ false 12

Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 2 Disambiguation of equalities by inferred kinds ◮ [ [ S = T ] ] ≡ ∀ x : [ [ x ∈ S ⇔ x ∈ T ] ] (when S , T are sets) ◮ S = { a } ∪ {} − → ∀ x : x ∈ S ⇔ x = a ∨ false 3 Term-rewriting of top-level equalities ◮ assume T = { 1 , 2 } − → ∀ x : ( x = 1 ∨ x = 2) ⇒ x ∈ Int T ⊆ Int prove 12

Normalisation: removing non-basic operators 1 Grounding expressions: rewrite based on operator semantics ◮ [ [ x ∈ e ] ] ≡ [ [ x ] ] ∈ [ [ e ] ] [ [ e 1 ∨ e 2 ] ] ≡ [ [ e 1 ] ] ∨ [ [ e 2 ] ] ◮ [ [ x ∈ e 1 ∪ e 2 ] ] ≡ [ [ x ∈ e 1 ∨ x ∈ e 2 ] ] ◮ [ [ S ⊆ T ] ] ≡ [ [ ∀ x : x ∈ S ⇒ x ∈ T ] ] 2 Disambiguation of equalities by inferred kinds ◮ [ [ S = T ] ] ≡ ∀ x : [ [ x ∈ S ⇔ x ∈ T ] ] (when S , T are sets) ◮ S = { a } ∪ {} − → ∀ x : x ∈ S ⇔ x = a ∨ false 3 Term-rewriting of top-level equalities ◮ assume T = { 1 , 2 } − → ∀ x : ( x = 1 ∨ x = 2) ⇒ x ∈ Int T ⊆ Int prove 4 Abstraction of non-basic operators ◮ ∀ a : P ( { a }∪{} ) ⇔ P ( { a } ) − → ∀ a , s 1 , s 2 : ∧ s 1 = { a } ∪ {} ∧ s 2 = { a } ⇒ P ( s 1 ) ⇔ P ( s 2 ) 12

Experimental results N -process Bakery algorithm ◮ includes some basic arithmetic Memoir security architecture ◮ mostly based on records Module Cardinality of finite sets Original Typed-SMT/Z3 Untyped-SMT/Z3 size time size time size time Bakery 120 15.66 3 2.76 4 0.67 Memoir 424 7.31 14 5.08 14 1.11 Cardinality 185 2.12 - - 54 0.88 (length = number of non-trivial proof-obligations ; time in seconds) + , SimpleArithmetic - Original = proof using Zenon, Isabelle/TLA 13