tlaps the tla proof system
play

TLAPS : The TLA + Proof System Stephan Merz joint work with K. - PowerPoint PPT Presentation

Oct 18, 2022 •118 likes •486 views

TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D. Doligez, L. Lamport INRIA Nancy Microsoft Research - INRIA Joint Centre Saclay http://www.msr-inria.inria.fr/Projects/tools-for-formal-specs Deduction

  1. TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D. Doligez, L. Lamport INRIA Nancy Microsoft Research - INRIA Joint Centre Saclay http://www.msr-inria.inria.fr/Projects/tools-for-formal-specs Deduction at Scale, Schloss Ringberg March 2011 TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 1 / 23

  2. Overview The TLA + Specification Language 1 Theorem Proving With TLAPS 2 The TLA + Proof Language 3 Conclusions 4 TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 2 / 23

  3. Euclid’s Algorithm in TLA + (1/2) We start by defining divisibility and GCD MODULE Euclid EXTENDS Naturals ∆ = Nat \ { 0 } PosInteger ∆ Maximum ( S ) = CHOOSE x ∈ S : ∀ y ∈ S : x ≥ y ∆ d | q = ∃ k ∈ 1 .. q : q = k ∗ d \ * definition of divisibility ∆ Divisors ( q ) = { d ∈ 1 .. q : d | q } \ * set of divisors ∆ GCD ( p , q ) = Maximum ( Divisors ( p ) ∩ Divisors ( q )) Standard mathematical definitions ◮ TLA + is based on (untyped) set theory ◮ simple module language for structuring larger specification ◮ import TLA + library module Naturals for basic arithmetic ◮ TLA + module contains declarations, assertions, and definitions TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 3 / 23

  4. Euclid’s Algorithm in TLA + (2/2) Now model the algorithm and assert its correctness CONSTANTS M, N ∆ = M ∈ PosInteger ∧ N ∈ PosInteger ASSUME Positive VARIABLES x, y ∆ Init = x = M ∧ y = N = x < y ∧ y ′ = y − x ∧ x ′ = x ∆ SubX = y < x ∧ x ′ = x − y ∧ y ′ = y ∆ SubY ∆ = Init ∧ � [ SubX ∨ SubY ] � x , y � Spec ∆ Correctness = x = y ⇒ x = GCD ( M , N ) THEOREM Spec ⇒ � Correctness Transitions represented by action formulas SubX , SubY Algorithm represented by initial condition and next-state relation Correctness expressed as TLA formula TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 4 / 23

  5. Euclid’s Algorithm in TLA + (2/2) Now model the algorithm and assert its correctness CONSTANTS M, N ∆ = M ∈ PosInteger ∧ N ∈ PosInteger constant formula ASSUME Positive VARIABLES x, y state formula ∆ Init = x = M ∧ y = N = x < y ∧ y ′ = y − x ∧ x ′ = x ∆ SubX action formulas = y < x ∧ x ′ = x − y ∧ y ′ = y ∆ SubY ∆ = Init ∧ � [ SubX ∨ SubY ] � x , y � Spec temporal formula ∆ Correctness = x = y ⇒ x = GCD ( M , N ) THEOREM Spec ⇒ � Correctness Transitions represented by action formulas SubX , SubY Algorithm represented by initial condition and next-state relation Correctness expressed as TLA formula TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 4 / 23

  6. Verification of Euclid’s Algorithm: Model Checking TLC : explicit-state model checker ◮ verify correctness properties for finite instances ◮ Euclid: fix concrete values for M and N ◮ check that the result is correct for these inputs Variation: verify correctness over fixed interval Invaluable for debugging TLA + models ◮ verify many seemingly trivial properties ◮ type correctness, executability of every individual action, . . . ◮ absence of deadlock, eventual response to requests, . . . ◮ reveal corner cases before attempting full correctness proof TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 5 / 23

  7. Overview The TLA + Specification Language 1 Theorem Proving With TLAPS 2 The TLA + Proof Language 3 Conclusions 4 TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 6 / 23

  8. Using TLAPS to Prove Euclid’s Algorithm Correct Verify correctness for all possible inputs TLAPS : proof assistant for verifying TLA + specifications ◮ interesting specifications cannot be verified fully automatically ◮ user provides proof (skeleton) to guide verification ◮ automatic back-end provers discharge leaf obligations TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 7 / 23

  9. Using TLAPS to Prove Euclid’s Algorithm Correct Verify correctness for all possible inputs TLAPS : proof assistant for verifying TLA + specifications ◮ interesting specifications cannot be verified fully automatically ◮ user provides proof (skeleton) to guide verification ◮ automatic back-end provers discharge leaf obligations Application to Euclid’s algorithm ◮ first step: strengthen correctness property � inductive invariant ∆ = ∧ x ∈ PosInteger InductiveInvariant ∧ y ∈ PosInteger ∧ GCD ( x , y ) = GCD ( M , N ) TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 7 / 23

  10. Underlying Data Properties The algorithm relies on the following properties of GCD ∆ THEOREM GCDSelf = ASSUME NEW p ∈ PosInteger GCD ( p , p ) = p PROVE ∆ THEOREM GCDSymm = ASSUME NEW p ∈ PosInteger , NEW q ∈ PosInteger GCD ( p , q ) = GCD ( q , p ) PROVE ∆ THEOREM GCDDiff = ASSUME NEW p ∈ PosInteger , NEW q ∈ PosInteger , p < q GCD ( p , q ) = GCD ( p , q − p ) PROVE ASSUME . . . PROVE : TLA + notation for sequents We won’t bother proving these properties here TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 8 / 23

  11. Proving an Invariant in TLA + Inv ∧ [ Next ] v ⇒ Inv ′ Init ⇒ Inv Inv ⇒ Corr Init ∧ � [ Next ] v ⇒ � Corr TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 9 / 23

  12. Proving an Invariant in TLA + Inv ∧ [ Next ] v ⇒ Inv ′ Init ⇒ Inv Inv ⇒ Corr Init ∧ � [ Next ] v ⇒ � Corr Representation as a TLA + sequent ∆ THEOREM ProveInv = ASSUME STATE Init , STATE Inv , STATE Corr , ACTION Next , STATE v , Init ⇒ Inv , Inv ∧ [ Next ] v ⇒ Inv ′ , Inv ⇒ Corr Init ∧ � [ Next ] v ⇒ � Corr PROVE Currently, TLAPS doesn’t handle temporal logic We’ll prove the non-temporal hypotheses TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 9 / 23

  13. Simple Proofs Prove that InductiveInvariant implies Correctness LEMMA InductiveInvariant ⇒ Correctness OBVIOUS TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 10 / 23

  14. Simple Proofs Prove that InductiveInvariant implies Correctness LEMMA InductiveInvariant ⇒ Correctness BY GCDSelf DEFS InductiveInvariant , Correctness ◮ by default, definitions and facts must be cited explicitly ◮ this helps manage the size of the search space for backend provers TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 10 / 23

  15. Simple Proofs Prove that InductiveInvariant implies Correctness LEMMA InductiveInvariant ⇒ Correctness BY GCDSelf DEFS InductiveInvariant , Correctness ◮ by default, definitions and facts must be cited explicitly ◮ this helps manage the size of the search space for backend provers Prove that Init implies InductiveInvariant LEMMA Init ⇒ InductiveInvariant BY Positive DEFS Init , InductiveInvariant To prove simple theorems, expand definitions and cite facts TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 10 / 23

  16. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  17. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ � 1 � USE DEF InductiveInvariant ◮ (scoped) USE DEF causes TLAPS to silently expand definitions TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  18. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ � 1 � USE DEF InductiveInvariant � 1 � 1. ASSUME InductiveInvariant , SubX InductiveInvariant ′ PROVE � 1 � 2. ASSUME InductiveInvariant , SubY InductiveInvariant ′ PROVE ◮ The steps � 1 � 1 and � 1 � 2 will be proved subsequently TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  19. Hierarchical Proofs Complex proofs consist of a sequence of claims, ending with QED Prove that all transitions preserve InductiveInvariant LEMMA InductiveInvariant ∧ [ SubX ∨ SubY ] � x , y � ⇒ InductiveInvariant ′ � 1 � USE DEF InductiveInvariant � 1 � 1. ASSUME InductiveInvariant , SubX InductiveInvariant ′ PROVE � 1 � 2. ASSUME InductiveInvariant , SubY InductiveInvariant ′ PROVE � 1 � q . QED BY � 1 � 1, � 1 � 2 ◮ QED step verifies that the lemma follows from above steps — includes trivial case UNCHANGED � x , y � TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 11 / 23

  20. Hierarchical Proofs: Sublevels ( ... ) � 1 � 1. ASSUME InductiveInvariant , SubX InductiveInvariant ′ PROVE � 1 � 2. ASSUME InductiveInvariant , SubY InductiveInvariant ′ PROVE ( ... ) TLAPS : The TLA + Proof System Stephan Merz (INRIA Nancy) Deduction at Scale, 03/2011 12 / 23

Recommend

Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 Temporal Reasoning in TLAPS

Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 Temporal Reasoning in TLAPS

A Tutorial Introduction to TLAPS Jael Kriener 1 Tom Rodeheffer 2 Tomer Libal 1 1 2 TLA + Community Event, ABZ 2014 Toulouse, June 3, 2014 Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 1 / 52 Outline TLAPS Basics 1 2 Tips

1.7k views • 118 slides
The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the property that it reflects the methods by which humans commonly do mathematics, it is ill suited for use in automated reasoning, because of the infinite

590 views • 41 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Background Proof assistants in education Arend System description Implementation Future work Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer science education Andrew V. Clifton

564 views • 52 slides
The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy &amp; INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 The TLA + proof system Stephan Merz (INRIA

646 views • 25 slides
Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

879 views • 74 slides
The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell University Ithaca, NY 14853 http://www.nuprl.org The Nuprl Project at Computational formal logics Type Theory Proof &amp;

1.24k views • 93 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian Hays, Associate Director Ins8tute of Renewable Natural Resources Texas A&amp;M AgriLife Extension

506 views • 21 slides
The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos

The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos

Naproche system Dynamic Quantification Undefined terms and presuppositions Conclusion The Naproche system: Proof-checking mathematical texts in controlled natural language Marcos Cramer University of Luxembourg 18 July 2014 The Naproche

1.07k views • 50 slides
On some universal proof system for all versions of many-valued logics Department of Informatics

On some universal proof system for all versions of many-valued logics Department of Informatics

ANAHIT CHUBARYAN, ARTUR KHAMISYAN On some universal proof system for all versions of many-valued logics Department of Informatics and Applied Mathematics Yerevan State University 1 Main notions of k-valued logic. 1 k2 Let E k be the set

459 views • 17 slides
15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a

15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a

15-16/08/2009 Nicola Galesi 46 History Resolution is a proof system for DNF formulas or a refutational Systems for CNF formulas It was introduced by Blake in 1937 and then became important by a work Davis-Putnam and Robinson in the 60s in the

769 views • 75 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

112 views • 8 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

451 views • 7 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

462 views • 6 slides
CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2. Complete proof search with JProver Tactic-based proof search Sort rule applications by cost of induced proof search let simple prover = Repeat (

562 views • 9 slides
5G CHAMPION 28 GHz 5G Proof-of-Concepts at 2018 Winter Olympic games The first 5G system PoC

5G CHAMPION 28 GHz 5G Proof-of-Concepts at 2018 Winter Olympic games The first 5G system PoC

5G CHAMPION 28 GHz 5G Proof-of-Concepts at 2018 Winter Olympic games The first 5G system PoC in conjunction with the PyeongChang winter Olympics Dr. Emilio Calvanese Strinati, CEA-LETI 5G CHAMPION EU project coordinator Race to 5G

412 views • 22 slides
Interactive Proof System We have seen interactive proofs, in various disguised forms, in the

Interactive Proof System We have seen interactive proofs, in various disguised forms, in the

Interactive Proof System We have seen interactive proofs, in various disguised forms, in the definitions of NP , OTM, Cook reduction and PH . We will see that interactive proofs have fundamental connections to cryptography and approximation

1.46k views • 107 slides
Designing Reliable, High-Performance Networks . . . with the Nuprl Proof Development System

Designing Reliable, High-Performance Networks . . . with the Nuprl Proof Development System

Designing Reliable, High-Performance Networks . . . with the Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell University Ithaca, NY 14853 The Nuprl Project Computational Formal

338 views • 23 slides
PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010

PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010

PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010 Overview PROOF recap The work done in the WG WG Recommendations PROOF installation/configuration Using PROOF efficiently Usage

773 views • 28 slides
A Direct Proof of Schwichtenbergs Bar Recursion Closure Theorem Silvia Steila on-going work

A Direct Proof of Schwichtenbergs Bar Recursion Closure Theorem Silvia Steila on-going work

A Direct Proof of Schwichtenbergs Bar Recursion Closure Theorem Silvia Steila on-going work with Paulo Oliva and Stefano Berardi Universit at Bern May 27th, 2016 System T System T consists of the simply typed -calculus, enriched

369 views • 18 slides

More recommend