using yices as an automated solver in isabelle hol
play

Using Yices as an automated solver in Isabelle/HOL Levent Erkk - PowerPoint PPT Presentation

Dec 21, 2022 •522 likes •1.18k views

Using Yices as an automated solver in Isabelle/HOL Levent Erkk John Matthews {levent.erkok,matthews}@galois.com AFM08: Automated Formal Methods 2008 Princeton, NJ July 2008 Motivation Providing strong assurance evidence for

  1. Using Yices as an automated solver in Isabelle/HOL Levent Erkök John Matthews {levent.erkok,matthews}@galois.com AFM’08: Automated Formal Methods 2008 Princeton, NJ July 2008

  2. Motivation Providing strong assurance evidence for certification Some properties are amenable for automated proof For others, manual intervention is a must Strategy: Use a theorem-proving framework High-level correctness and “deeper” results Aided by push-button techniques: When the subgoal is sufficiently simple ... but usually very tedious ... Use whatever tool works the best And combinations thereof 2/34

  3. The ismt tactic We use Isabelle/HOL Local expertise counts.. The ismt tactic out-sources proofs to Yices Directly supports a large chunk of HOL Uses “uninterpretation” for the rest Similar to the yices strategy in PVS 3/34

  4. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. 4/34

  5. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. Proof-check mode Do not replay, but “validate” the proof Medium (adjustable) assurance; Faster to run; Cheaper to build 4/34

  6. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. Proof-check mode Do not replay, but “validate” the proof Medium (adjustable) assurance; Faster to run; Cheaper to build Oracle mode Trust everything! Lowest assurance; Runs fast and cheapest to build No proofs required from the external solver 4/34

  7. Modes of integration Proof-replay mode Trust nothing; translate and replay the proof High assurance; Runs slow and is expensive to build. Proof-check mode Do not replay, but “validate” the proof Medium (adjustable) assurance; Faster to run; Cheaper to build Oracle mode Trust everything! Lowest assurance; Runs fast and cheapest to build No proofs required from the external solver Proof generation for SMT solvers is still active research area Yices does not produce proofs; so oracle mode is the only choice 4/34

  8. Outline Introduction 1 Connecting Isabelle to Yices 2 Example Translations 3 Dealing with false alarms 4 Application: Verifying C programs 5 Summary 6 5/34

  9. How does ismt work Grab the top-most goal from the Isabelle goal stack Translate the types involved to Yices Might require “monomorphisation” Introduce uninterpreted types as needed Negate the subgoal, and translate it to a Yices term If no matching construct; uninterpret Pass the script to Yices If Yices decides the negation is unsatisfiable: Trigger oracle mechanism to assert the goal proven A “trust-tag” will be attached. 6/34

  10. How does ismt work Grab the top-most goal from the Isabelle goal stack Translate the types involved to Yices Might require “monomorphisation” Introduce uninterpreted types as needed Negate the subgoal, and translate it to a Yices term If no matching construct; uninterpret Pass the script to Yices If Yices decides the negation is unsatisfiable: Trigger oracle mechanism to assert the goal proven A “trust-tag” will be attached. What do we do if Yices returns a model? 6/34

  11. Interpreting Yices’s models Recall that the model is for the negation of the goal ..Hence, it is a counter-example to what we were trying to prove Typically indicates a bug found Models are translated back to Isabelle/HOL Provides very valuable feedback! 7/34

  12. Interpreting Yices’s models Recall that the model is for the negation of the goal ..Hence, it is a counter-example to what we were trying to prove Typically indicates a bug found Models are translated back to Isabelle/HOL Provides very valuable feedback! Not every counter-example is valid, however 7/34

  13. Two kinds of bogus counter-examples 1 Due to “Potential models” Caused by: Quantifiers λ -expressions These constructs render Yices’s logic incomplete Clearly marked by Yices and the translator 8/34

  14. Two kinds of bogus counter-examples 1 Due to “Potential models” Caused by: Quantifiers λ -expressions These constructs render Yices’s logic incomplete Clearly marked by Yices and the translator 2 Due to uninterpreted terms and types Caused by: Lack of “auxiliary” lemmata Lack of definitions of the functions used These are more problematic.. 8/34

  15. Outline Introduction 1 Connecting Isabelle to Yices 2 Example Translations 3 Dealing with false alarms 4 Application: Verifying C programs 5 Summary 6 9/34

  16. Basics Reflexivity lemma "x = x" by ismt 10/34

  17. Basics Reflexivity lemma "x = x" by ismt Generates (define-type ’a) (define x::’a) (assert (/= x x)) Monomorphisation in action! 10/34

  18. Simple arithmetic No odd number is a multiple of 2 lemma "a = (2::int) * n + 1 − → a � = 2 * m" by ismt 11/34

  19. Simple arithmetic No odd number is a multiple of 2 lemma "a = (2::int) * n + 1 − → a � = 2 * m" by ismt Generates (define a::int) (define n::int) (define m::int) (assert (not (=> (= a (+ (* 2 n) 1)) (/= a (* 2 m))))) 11/34

  20. Counter examples Absolute values lemma "abs (n::int) = n" by ismt 12/34

  21. Counter examples Absolute values lemma "abs (n::int) = n" by ismt Generates (define n::int) (assert (/= (if (< n 0) (- 0 n) n) n)) 12/34

  22. Counter examples Absolute values lemma "abs (n::int) = n" by ismt Generates (define n::int) (assert (/= (if (< n 0) (- 0 n) n) n)) Counter example A counter-example is found: n = -1 12/34

  23. Quantification and Higher order functions Quantifiers can render Yices incomplete Not a problem if in universal prenex form 13/34

  24. Quantification and Higher order functions Quantifiers can render Yices incomplete Not a problem if in universal prenex form A trivial lemma lemma " ∀ i f g. (f = g − → f i = g i)" 13/34

  25. Quantification and Higher order functions Quantifiers can render Yices incomplete Not a problem if in universal prenex form A trivial lemma lemma " ∀ i f g. (f = g − → f i = g i)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= f g) (= (f i) (g i))))) automatically proven by Yices.. 13/34

  26. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" 14/34

  27. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= (f i) (g i)) (= f g)))) 14/34

  28. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= (f i) (g i)) (= f g)))) Not true! A counter-example is found: i = 1 f 1 = g 1 14/34

  29. Quantification and Higher order functions (cont’d) Counter-examples lemma " ∀ i f g. (f i = g i − → f = g)" Generates (define-type ’a) (define-type ’b) (define i::’a) (define f::(-> ’a ’b)) (define g::(-> ’a ’b)) (assert (not (=> (= (f i) (g i)) (= f g)))) Not true! A counter-example is found: i = ismt_const 1 f (ismt_const 1) = g (ismt_const 1) 14/34

  30. Parameterized datatypes Monomorphise as we go datatype (’a, ’b) Either = Left ’a | Right ’b 15/34

  31. Parameterized datatypes Monomorphise as we go datatype (’a, ’b) Either = Left ’a | Right ’b lemma "Left False � = Right (4::int) ∧ Left (1::nat) � = Right x" 15/34

  32. Parameterized datatypes Monomorphise as we go datatype (’a, ’b) Either = Left ’a | Right ’b lemma "Left False � = Right (4::int) ∧ Left (1::nat) � = Right x" Types involved: (bool × int) Either (nat × ’a) Either 15/34

  33. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b 16/34

  34. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b (bool × int) and (nat × ’a) instances (define-type Either-bool-int (datatype (Left-bool-int bool) (Right-bool-int int))) 16/34

  35. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b (bool × int) and (nat × ’a) instances (define-type Either-bool-int (datatype (Left-bool-int bool) (Right-bool-int int))) (define-type ’a) (define-type Either-nat-’a (datatype (Left-nat-’a nat) (Right-nat-’a ’a))) 16/34

  36. Parameterized datatypes (cont’d) Polymorphic Either datatype (’a, ’b) Either = Left ’a | Right ’b (bool × int) and (nat × ’a) instances (define-type Either-bool-int (datatype (Left-bool-int bool) (Right-bool-int int))) (define-type ’a) (define-type Either-nat-’a (datatype (Left-nat-’a nat) (Right-nat-’a ’a))) [automatically generated accessor functions not shown for clarity...] 16/34

Recommend

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura joint work with Bruno Dutertre demoura@csl.sri.com Computer Science Laboratory SRI International Menlo Park, CA Yices: An Efficient Introduction Yices is a SMT Solver

429 views • 13 slides
Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver SMT-COMP06 Leonardo de Moura (joint work with Bruno Dutertre) { demoura, bruno } @csl.sri.com. Computer Science Laboratory SRI International Menlo Park, CA Yices: An Efficient SMT Solver p.1

691 views • 16 slides
Yices 1.0: An Efficient SMT Solver AFM06 Tutorial Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver AFM06 Tutorial Leonardo de Moura (joint work with Bruno

Yices 1.0: An Efficient SMT Solver AFM06 Tutorial Leonardo de Moura (joint work with Bruno Dutertre) { demoura, bruno } @csl.sri.com. Computer Science Laboratory SRI International Menlo Park, CA Yices: An Efficient SMT Solver p.1

430 views • 27 slides
with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle

with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle

IIW Annual Assembly 2011 SG212: the physics of welding Electric welding arc modeling with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle Choquet, Alireza J. Shirvan, and Hkan Nilsson University

1.47k views • 81 slides
Automated Sudoku Solver Marty Otzenberger EGGN 510 December 4, 2012 Outline Goal

Automated Sudoku Solver Marty Otzenberger EGGN 510 December 4, 2012 Outline Goal

Automated Sudoku Solver Marty Otzenberger EGGN 510 December 4, 2012 Outline Goal Problem Elements Initial Testing Test Images Approaches Final Algorithm Results/Statistics Conclusions Problems/Limits

498 views • 21 slides
13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem

13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem

13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem Automated Reasoning Proving 13.4 Further Issues in 13.1 The General Problem Automated Reasoning Solver and Difference 13.5 Epilogue and Tables

775 views • 51 slides
Lecture 3: New Trade Theory Isabelle M ejean isabelle.mejean@polytechnique.edu

Lecture 3: New Trade Theory Isabelle M ejean isabelle.mejean@polytechnique.edu

Introduction Krugman, 1980 The Gravity Equation Lecture 3: New Trade Theory Isabelle M ejean isabelle.mejean@polytechnique.edu http://mejean.isabelle.googlepages.com/ Master Economics and Public Policy, International Macroeconomics October

763 views • 32 slides
Cosette: An Automated Solver for SQL Chenglong Shumo Konstantin Alvin Dan Wang Chu Weitz

Cosette: An Automated Solver for SQL Chenglong Shumo Konstantin Alvin Dan Wang Chu Weitz

Cosette: An Automated Solver for SQL Chenglong Shumo Konstantin Alvin Dan Wang Chu Weitz Cheung Suciu cosette.cs.washington.edu SELECT ... SELECT ... FROM ... FROM ... WHERE ... WHERE ... Q2 Q1 D . Q1(D) = Q2(D) D .

580 views • 19 slides
Software verification using Hoare logic in Isabelle Petros Papapanagiotou pe.p@ed.ac.uk 7

Software verification using Hoare logic in Isabelle Petros Papapanagiotou pe.p@ed.ac.uk 7

Automated R Reasoni ning ng Coursework Assignm nment nt 1 1 Software verification using Hoare logic in Isabelle Petros Papapanagiotou pe.p@ed.ac.uk 7 October 2013 Breakdown Part 1 : Natural Deduction (40 marks) 14 lemmas to

389 views • 22 slides
Isabelle/jEdit for seasoned Isabelle users Isabelle/jEdit NEWS Makarius Wenzel Univ. Paris-Sud,

Isabelle/jEdit for seasoned Isabelle users Isabelle/jEdit NEWS Makarius Wenzel Univ. Paris-Sud,

Isabelle/jEdit for seasoned Isabelle users Isabelle/jEdit NEWS Makarius Wenzel Univ. Paris-Sud, LRI 13-Jul-2014 There is nothing to prove or even to suppose that the Serbian government is accessory to the inducement for the crime, its

347 views • 30 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
The Nuts and Bolts of Yices Bruno Dutertre SRI International SMT 2016 Coimbra, Portugal

The Nuts and Bolts of Yices Bruno Dutertre SRI International SMT 2016 Coimbra, Portugal

Computer Science Laboratory, SRI International The Nuts and Bolts of Yices Bruno Dutertre SRI International SMT 2016 Coimbra, Portugal Computer Science Laboratory, SRI International Yices 2 Ancestors ICS (Rue &amp; de Moura, 2002)

345 views • 30 slides
Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2 Learned new things!.. 3 ...and some (more) logic!.. 4 ...and practiced using Isabelle!.. 5 ...but why? 6 Where is the connection...

1.02k views • 66 slides
EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International

EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International

EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International Conference on Automated Planning and Scheduling Francesco Fabiano , Alessandro Burigana, Agostino Dovier and Enrico Pontelli University of Udine

580 views • 31 slides
Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy Lessons makes better models. Christopher Jefferson Minion already imposes this on you, University of Oxford through its low-level input

598 views • 27 slides
Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better performance: e.g. airfoil, combustor, rotor blade, ducts, body shape, etc. by optimising a certain characteristic CFD has the capability to explore

426 views • 24 slides
Overview of Models in Yices Bruno Dutertre SRI International Dagstuhl Seminar 15381, September

Overview of Models in Yices Bruno Dutertre SRI International Dagstuhl Seminar 15381, September

Computer Science Laboratory, SRI International Overview of Models in Yices Bruno Dutertre SRI International Dagstuhl Seminar 15381, September 2015 Computer Science Laboratory, SRI International Models in Yices Internal Use SMT solvers

288 views • 24 slides
Isabelle Theories for Machine Words Jeremy Dawson 1 , 2 Logic and Computation Program, NICTA and

Isabelle Theories for Machine Words Jeremy Dawson 1 , 2 Logic and Computation Program, NICTA and

AVoCS 2007 Isabelle Theories for Machine Words Jeremy Dawson 1 , 2 Logic and Computation Program, NICTA and Automated Reasoning Group, Australian National University, Canberra, ACT 0200, Australia Abstract We describe a collection of

452 views • 15 slides
Asynchronous User Interaction and Tool Integration in Isabelle/PIDE Makarius Wenzel Univ.

Asynchronous User Interaction and Tool Integration in Isabelle/PIDE Makarius Wenzel Univ.

Asynchronous User Interaction and Tool Integration in Isabelle/PIDE Makarius Wenzel Univ. Paris-Sud, LRI July 2014 Project Paral-ITP ANR-11-INSE-001 Introduction Motivation General aims: renovate and reform interactive (and automated)

465 views • 32 slides
Induction in Isabelle: Lecture 14 1 Notation In lecture 14 we introduced some recursive

Induction in Isabelle: Lecture 14 1 Notation In lecture 14 we introduced some recursive

Induction in Isabelle: Lecture 14 1 Notation In lecture 14 we introduced some recursive definitions for lists. Isabelle has most of these already defined in a theory List.thy . This can be found locally at /usr/share/Isabelle/src/HOL There

411 views • 6 slides
Concrete Semantics with Isabelle/HOL Tobias Nipkow Fakult at f ur Informatik Technische

Concrete Semantics with Isabelle/HOL Tobias Nipkow Fakult at f ur Informatik Technische

Concrete Semantics with Isabelle/HOL Tobias Nipkow Fakult at f ur Informatik Technische Universit at M unchen 2017-3-8 1 Part I Isabelle 2 Chapter 2 Programming and Proving 3 1 Overview of Isabelle/HOL 2 Type and function

2.13k views • 186 slides
KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for

KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for

KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for solving constrained optimization problems. For example, the goal could be to minimize the amount of material used to make the can while keeping the

209 views • 18 slides
Isabelle Theories for Machine Words Jeremy Dawson Logic and Computation Program, NICTA 1

Isabelle Theories for Machine Words Jeremy Dawson Logic and Computation Program, NICTA 1

Introduction The word- n theories Isabelle Theories for Machine Words Jeremy Dawson Logic and Computation Program, NICTA 1 Automated Reasoning Group, Australian National University, Canberra, ACT 0200, Australia http://users.rsise.anu.edu.au/

624 views • 31 slides
Functional Programming with Isabelle/HOL e H O l L l e b a s = I

Functional Programming with Isabelle/HOL e H O l L l e b a s = I

Functional Programming with Isabelle/HOL e H O l L l e b a s = I Florian Haftmann Technische Universit at M unchen January 2009 Overview Viewing Isabelle / HOL as a functional programming language: 1.

464 views • 34 slides

More recommend