The TLA+ proof system
Stephan Merz
Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport
INRIA Nancy & INRIA-MSR Joint Centre, France
Amir Pnueli Memorial Symposium, New York University, May 8, 2010
The TLA+ proof system, Stephan Merz (INRIA Nancy), Amir Pnueli 2010, 1 / 19
Amir Pnueli: Deduction is Forever (FM'99)
Just as it was unavoidable, due to the growing complexity of circuits, that circuit manufacturers started to employ formal methods for verifying their designs, it is equally inevitable that more of the practicing verifiers will turn to deductive technologies, due to their significantly better scalability.
Amir Pnueli: Deduction is Forever (contd.)
For verifying an invariant p over a finite-state system:
◮ it is usually much cheaper to check
    ϕ ∧ ρ ⇒ ϕ′,  Θ ⇒ ϕ,  ϕ ⇒ p
◮ than computing ρ*(¬p) by state space exploration.
Main differences between deduction and exploration:
◮ deduction is based on induction while exploration computes the set of reachable states,
◮ deduction uses a more expressive language including quantifiers, leading to succinct specification of parameterized systems,
◮ deduction requires user ingenuity and interaction.
Contents
1 Using the TLA+ proof system for proving invariants
2 The TLA+ proof language and system
3 Conclusion and outlook
Invariance proofs in TLA+
Elementary rule for proving invariants
      I ∧ [N]_v ⇒ I′
    ──────────────────
     I ∧ □[N]_v ⇒ □I
THEOREM Inv1 ≜ ASSUME STATE I, STATE v, ACTION N,
                      I ∧ [N]_v ⇒ I′
               PROVE  I ∧ □[N]_v ⇒ □I
Schema for invariant proofs
Spec ≜ Init ∧ □[Next]_vars ∧ L
THEOREM Spec ⇒ Inv
⟨1⟩1. Init ⇒ Inv
⟨1⟩2. Inv ∧ Next ⇒ Inv′
⟨1⟩3. Inv ∧ UNCHANGED vars ⇒ Inv′
      (no temporal logic here!)
⟨1⟩4. QED BY ⟨1⟩1, ⟨1⟩2, ⟨1⟩3, Inv1 DEF Spec
Reasoning about actions
About 95% of proof steps do not involve temporal logic
◮ reasoning about state predicates or state transitions
◮ first-order reasoning where v and v′ are distinct variables
Aim for as much automation as possible . . .
◮ open proof system: harness power of different prover back-ends
◮ first-order logic, rewriting, SAT and SMT solving etc.
◮ ensure overall correctness by proof certification
. . . but encourage users to maintain readable proofs
◮ declarative, hierarchical proof language
◮ prefer an extra level of interaction over obscure automatic tactics
Proving trivial steps
Expand definitions and discharge automatically
Init ≜ ∧ pc = [i ∈ {0, 1} ↦ "a0"]
       ∧ turn = 0
       ∧ flag = [i ∈ {0, 1} ↦ FALSE]
Inv ≜ ∧ pc ∈ [{0, 1} → {"a0", "a1", "a2", "a3a", "a3b", "cs", "a4"}]
      ∧ turn ∈ {0, 1}
      ∧ flag ∈ [{0, 1} → BOOLEAN]
      ∧ ∀ i ∈ {0, 1} :
          ∧ pc[i] ∈ {"a2", "a3a", "a3b", "cs", "a4"} ⇒ flag[i]
          ∧ pc[i] ∈ {"cs", "a4"} ⇒ ∧ pc[1 − i] ∉ {"cs", "a4"}
                                   ∧ pc[1 − i] ∈ {"a3a", "a3b"} ⇒ turn = i
⟨1⟩1. Init ⇒ Inv
  BY DEFS Init, Inv
When automatic proof fails . . .
Decompose proof into a sequence of "simpler" steps
Next ≜ ∃ i ∈ {0, 1} : Proc(i)
Proc(i) ≜ a0(i) ∨ a1(i) ∨ . . . ∨ a4(i)
⟨1⟩2. Inv ∧ Next ⇒ Inv′
  ⟨2⟩1. SUFFICES ASSUME Inv, NEW i ∈ {0, 1}, Proc(i)
                 PROVE  Inv′
    BY DEF Next
  ⟨2⟩2. CASE a0(i)
  ⟨2⟩3. CASE a1(i)
  . . .
  ⟨2⟩8. CASE a4(i)
  ⟨2⟩9. QED BY ⟨2⟩2, ⟨2⟩3, . . . , ⟨2⟩8 DEF Proc
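The proof schema from the last three slides (Init ⇒ Inv, then Inv ∧ Next ⇒ Inv′ by cases over a0(i)..a4(i)) and Pnueli's contrast between induction and reachability, replayed by brute force in Python as an added example that is not part of the talk or of TLAPS. The slides never define the actions a0..a4; the ones below are assumed from the standard TLA+ Peterson spec that the slide's Inv is written for, and the names next_states, counterexample and reachable are this example's own.

```python
# Added example, not from the slides: brute-force check of the invariant proof schema
# on Peterson's algorithm; actions a0..a4 are assumed from the standard TLA+ Peterson spec.
from itertools import product
LABELS = ("a0", "a1", "a2", "a3a", "a3b", "cs", "a4")
ALL_STATES = list(product(LABELS, LABELS, (0, 1), (False, True), (False, True)))  # type inv
INIT = ("a0", "a0", 0, False, False)      # a state is (pc[0], pc[1], turn, flag[0], flag[1])

def next_states(s):
    """Successors under Next (some Proc(i), i in {0,1}); pc[i] selects the enabled action."""
    pc, turn, flag = s[:2], s[2], s[3:]
    out = set()
    for i in (0, 1):
        j, p, t, f = 1 - i, list(pc), turn, list(flag)
        if pc[i] == "a0":    p[i] = "a1"                          # a0(i)
        elif pc[i] == "a1":  f[i] = True;  p[i] = "a2"            # a1(i): raise own flag
        elif pc[i] == "a2":  t = j;        p[i] = "a3a"           # a2(i): give turn away
        elif pc[i] == "a3a": p[i] = "a3b" if flag[j] else "cs"    # a3a(i): test other flag
        elif pc[i] == "a3b": p[i] = "a3a" if turn == j else "cs"  # a3b(i): test turn
        elif pc[i] == "cs":  p[i] = "a4"                          # cs(i)
        else:                f[i] = False; p[i] = "a0"            # a4(i): drop own flag
        out.add((p[0], p[1], t, f[0], f[1]))
    return out

def mutex(s):                      # the property p to verify: never both processes in cs
    return not (s[0] == "cs" and s[1] == "cs")

def inv(s):                        # Inv from the slide; its type conjuncts are ALL_STATES
    pc, turn, flag = s[:2], s[2], s[3:]
    for i in (0, 1):
        j = 1 - i
        if pc[i] in ("a2", "a3a", "a3b", "cs", "a4") and not flag[i]:
            return False
        if pc[i] in ("cs", "a4") and (pc[j] in ("cs", "a4") or
                                     (pc[j] in ("a3a", "a3b") and turn != i)):
            return False
    return True

def counterexample(pred):          # step <1>2 by enumeration: pred /\ Next /\ ~pred'
    return next(((s, t) for s in filter(pred, ALL_STATES)
                 for t in next_states(s) if not pred(t)), None)

def reachable():                   # exploration instead of induction: rho*(Init)
    seen, frontier = {INIT}, {INIT}
    while frontier:
        frontier = set().union(*map(next_states, frontier)) - seen
        seen |= frontier
    return seen

print("Inv inductive:", counterexample(inv) is None,
      "| MutualExclusion alone inductive:", counterexample(mutex) is None)
print(len(reachable()), "reachable states among", len(ALL_STATES), "type-correct ones")
```

The induction check ranges over every type-correct state satisfying Inv, not only the reachable ones, which is why the bare mutual-exclusion property fails it and has to be strengthened to the slide's Inv before the schema goes through.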
TLA+ proof language
Hierarchical, declarative proof
◮ linear representation of proof tree
◮ step labels ⟨d⟩lbl (where d is the depth of the step)
◮ steps assert sequents ASSUME . . . PROVE . . .
◮ top-down development: refine assertions until they are "obvious"
◮ leaf: invoke proof method, citing necessary assumptions and facts
Controlling the use of assumptions, facts, and definitions
◮ limit search space for automatic provers
◮ require explicit citation of assumptions, facts, and definitions . . .
◮ . . . or make them usable throughout the current scope
Example: proof of Cantor's theorem
THEOREM ASSUME NEW S, NEW f ∈ [S → SUBSET S]
        PROVE  ∃ A ∈ SUBSET S : ∀ x ∈ S : f[x] ≠ A
⟨1⟩. DEFINE T ≜ {z ∈ S : z ∉ f[z]}
⟨1⟩1. ∀ x ∈ S : f[x] ≠ T
  ⟨2⟩1. ASSUME NEW x ∈ S PROVE f[x] ≠ T
    ⟨3⟩1. CASE x ∈ T
      OBVIOUS
    ⟨3⟩2. CASE x ∉ T
      OBVIOUS
    ⟨3⟩3. QED BY ⟨3⟩1, ⟨3⟩2
  ⟨2⟩2. QED BY ⟨2⟩1
⟨1⟩2. QED BY ⟨1⟩1
System architecture
(diagram) TLAPS proof manager:
◮ parse and compute proof obligations
◮ convert to TLA+ constant level
◮ call backends to attempt proof: Isabelle/TLA+, Zenon, SMT solver
◮ certify proof (when possible)
◮ diagnostics
Proof Manager
Interpret hierarchical TLA+ proof
◮ manage assumptions and current goal
◮ expand operator definitions if they are USEd
Rewrite proof obligations to constant level
◮ handle primed expressions such as Inv′
◮ distribute prime over (constant-level) operators
◮ introduce distinct variables e and e′ for atomic state expression e
Invoke back-end provers
◮ user chooses which prover to use (default: Zenon, then Isabelle)
Proof reconstruction
Oracle: trusted external reasoner
◮ simple, but error-prone
◮ translation and backend part of trusted code base
Proof reconstruction: skeptical integration
◮ replay proofs in trusted proof assistant (Isabelle/TLA+)
◮ reconstruction should be cheap