Strategies for Verification

Dick KieburtzOGI School of Science & Engineering

July 15, 2003

An Automatic Verification Server

for Programatica• Intended for use by the sophisticated user of

Programatica– who comprehends both Haskell and P-logic– who wants machine-checked verification of asserted

properties– But who doesn’t want to construct proofs herself– And doesn’t wish to translate programs and properties

to the logic of an interactive theorem prover

• An automatic verification server, given an assertion– Will construct a proof and tell the user when it succeeds– Or will fail and tell the user what properties it failed to

prove during the attempt

However,Automatic Verification is

Incomplete• And thus some interaction with a user should

be supported to mitigate user frustration– Tell a user what verification conditions the verifier

fails to discharge during an attempt at proof construction

– Support verification of properties implied by hypotheses

– Encourage a user to strengthen hypotheses for an asserted property

Roadmap for the Rest of this Talk

• Structure of a proof• Proof construction by term-

rewriting• Normal forms • Strategies for achieving them• Equalities and congruence closure• Patterns and variable-splitting• Programming proof search• Stratego as a tool for programming

a theorem prover

Propositions, Sequents and Proof Rules

• Propositional forms:– Quant([Qvars],Prop)– Equal(HTerm,HTerm)– Has(HTerm,Pred) — syntax for unary predicate application– Pred ( [HTerm] ) — syntax for n-ary predicate application– Conj([Prop]), Disj([Prop]), Neg(Prop),

Implies([Prop],Prop)– True, False

• Sequent form:– Consequence( Type-env,[Prop], [Prop] )

• A list of assumptions (implicit conjunction) implies a list of conclusions (implicit disjunction) in a given type environment

• Proof Rule:[ Sequent ]

Sequentconsequent

antecedents

Proofs• A proof is a finite tree whose

– nodes are labeled by instances of proof rules– arcs are labeled by sequents

such that:

from a node whose label is seq1, seq2 … seqn

seq0

there are arcs labeled by seqk, (1 k n) each

connecting to a node whose label has consequent seqk

• A leaf of a proof tree is a proof rule with an empty list of antecedents– Either an explicit axiom of the logic– Or an axiom implied by a theorem of a decidable subtheory

Proof Construction by Term Rewriting

• Sequents, Types, Props, Preds, HTerms are all represented as terms of a multi-sorted abstract syntax– Application of a proof rule is enabled by pattern matching

and rewrites a sequent term (goal) to zero or more sequents, called verification conditions

• Pattern matching may be with respect to any or all of the structure of Sequent, Prop, Type, HTerm, Pred, or Assumptions– As a rewriting system, P-logic rules are not confluent

• Rules may overlap — more than one rule may apply to a term• The order in which rules are applied can affect whether or not

an attempted proof construction will ultimately succeed– Choice of which rules to try can be encoded in the rules

themselves;• which is the conditional rewriting approach

– Or the choice may be programmed• which is the strategy-driven rewriting approach

Stratego — the language of choice for programming

strategies“if you have a hammer, all the world looks like a nail”• Strategies generalize patterns

– Primitive strategies are patterns, ?T and term constructors, !T

• Patterns are not restricted to be linear — they may contain repeated occurrences of the same variable

• Compound strategies are constructed with:– A sequential composition operator “;”– Choice operators “+” (symmetric choice), “<+” (left

choice)– Term congruences, C(s) where C is a data constructor– Recursion, rec x (s), where x may occur in s– Strategy definition,

strategies sname(x) = sbody, where x may occur in sbody

– Strategy application, sname(foo), where foo is a strategy

Rewriting respects Congruences

a

a b

b

Thus, strategies that normalizeterms of specific sorts can be used

But Rewriting may also be Context-Sensitive

a b

Rewrite is not enabled in a different context

a b

Beta-reduction of Haskell terms

• Beta-reduction induces a congruence relation– Satisfiability of a P-logic property by a Haskell term is

preserved under -conversion -reduction in Haskell involves Haskell’s pattern-matching

• A useful strategy is to reduce applicative terms whenever possible– Reduction may be possible a priori– Or after unfolding of a definition– Or after variable-splitting introduces a structured term

• There are useful congruence relations on restricted classes of terms– e.g., propositional formulas, Boolean expressions, datatype

expressions– Strategies attempt to reach normal forms in which

congruences can more easily be recognized, or further strategies can be applied

• Conjunctive or disjunctive normal forms for booleans • Conjunctive or disjunctive clause form for propositions• Weak or strong head normal forms for applicative expressions

Weak head normal form• A pair of strategies defining weak head

normal form of Haskell terms:is-wvalue = HAbs(id,id) + HCon(id,id) + HTuple(id) + HLit(id)is-whnf = is-value + rec r (HVar(id) + HIte(r,id,id) + HCase(r,id) + HApp(r,id) + HApp(HAbs(is-structured-pat,id),HVar(id)))whereis-structured-pat = rec r (AsPattern(id,r) <+ not(VarPat(id)))

Renaming bound variablesRename(RnVar,RnBinding,RnApply) :: Term TermWhere Env = [(string,Term)]

RnVar(is-var) :: (Term,Env) Term uses an Env to rename occurrences of variables

RnBinding(bindvars) :: (Term,Env) (Term,Env)applies bindvars :: Term (Term,Env) at bindingsites to extend an environment, binding globally freshnames to locally bound variables

prnApply(bndpats, bndvars) :: Term Term uses bndpats to rename variables in patterns and uses bndvars to rename use occurrences of variables

Both bndpats and bndvars explicitly embed the current EnvRename, RnVar and RnBinding are generic (not term-grammar-

specific)

Renaming bound variables (2)

Rename(is-var,bindvars,prnApply) =\ t (t,[]) \ ;rec r (env-alltd (RnVar(is-var) <+

RnBinding(bindvars); \ (t,env) prnApply(\ u r (u,env’) where map((id,var2pat)) env env’

\, \ u r (u,env’) \ ) \ )))where env-alltd(s) = rec x (s <+ dist(x)) and dist(s) : (t,env) all(\ x s (x,env) \ ) t

Renaming bound variables (3)

Rename (Hvar(id), HBnd, HprnApply)

where HBnd = rec r (\ HAbs(p,_) r p \ + \ HBranch(p,_) r p \ + \ VarPat(x) [x] \ + \ TuplePat(xs) map(r) xs; concat + \ HCon(_,xs) map(r) xs; concat + \ TwiddlePat(p) r p \ + \ AsPattern(_,p) r p \ <+ ![ ])

and HprnApply(bndpats,bndvars) = HAbs(bndpats,bndvars) +

Hbranch(bndpats,bndvars) + Hdef(bndpats,bndvars)

Quantified Variables• Universally quantified variables are renamed

to unique (fresh) names• Existentially quantified variables are replaced

by Skolem constants – uninterpreted functions of the universally quantified

variables that scope over them

Eliminating Disjunctive Conclusions

• A list of conclusions in a sequent is an implicit disjunction of propositions– Rewrite to a list of alternative sequents, each

containing a single proposition as its conclusion

Eliminating An Implicative Conclusion

• A sequent with an implicative conclusion, Assumptions P1 P2 … Pn Q

Is rewritten by moving the implicands to the list of assumptions:

P1, P2, …, Pn, Assumptions Q

Factoring Congruence Equalities

• Replace an assumed equality of constructed data

C(t1,…,tk) = C(t1’,…,tk’)

by the list of individual equalities t1 = t1’, … , tk = tk’

Propagating Equalities• A list of assumptions often contains a number of term

equalities– Q: How can a finite set of assumed equalities be propagated

to all relevant subterms in an asserted conclusion?– A: By a congruence closure algorithm

• Step 1: Variable abstraction– Construct an environment mapping every term that is an argument of

an equality or of a function symbol in an assumption to a unique, fresh identifier

• Step 2: Rewrite the assumptions, replacing terms by variables, using the environment constructed at step 1.

Every equation now has the form HVar(I) = HVar(j)• Step 3: Orient the equations and calculate their symmetric,

transitive closure, thus mapping each variable to a unique representative of its equivalence class. (Union-Find algorithm)

• Step 4: Rewrite the conclusion of the sequent, replacing each term (subterm) matched in the environment of step 1 by the unique variable that represents its equivalence class.

Propagating Equalities — Example

a===(u,v), b===a ( \(x,y) x) b === u• Constructed environment map (association list)

[((u,v),a)] • Variables replaced by equivalence-class

representatives[((u,v),a)], a===a, a===a ( \(x,y) x) a === u

• Application with patterned abstraction triggers substitution of expression for argument variable in conclusion of sequent

[((u,v),a)], a===a, a===a ( \(x,y) x) (u,v) === u

Variable Splitting• When a tuple abstraction is applied to a variable, it

cannot be reduced ( \(x,y) x ) z

• But if the variable given as an argument has a Strong property, it must be equivalent to a tuple of the same shape as is given in the abstraction (typing guarantee)

• Introduce a pair of fresh variables, (u,v)– Add to the current assumptions the equation z = (u,v)– Substitute the pair for the variable argument in the

application: ( \(x,y) x ) (u,v)

– allowing a -reduction step to succeed

• Add as a verification condition… current assumptions z ::: $Univ

If-then-else reduction

• An if-then-else expression whose boolean test reduces to a value can be simplified

assumptions if True then e1 else e2 ::: P

is rewritten to assumptions e1 ::: P

and

assumptions if False then e1 else e2 ::: P

is rewritten toassumptions e2 ::: P

by strategies that implement rules of P-logic

If-then-else splitting• When a property is asserted of a conditional

expression, assumptions if b then e1 else e2 ::: P

– the boolean expression, b, may not be reducible to a value– But if the expression, b, has a strong property, it has either

the value True or the value False (type guarantee)

• Rewrite the assertion to the following three verification conditions (implicitly conjoined):

bool-to-prop b, assumptions e1::: P

bool-to-prop (not b), assumptions e2 ::: P assumptions b ::: $Univ

– where bool-to-prop :: Term Prop is a strategy that either transforms a boolean expression to a proposition valid in exactly those environments in which the expression evaluates to True, or else the strategy fails (i.e. the strategy is incomplete)

• In any of the three V.C. fails to be discharged, the if-then-else split fails, restoring the original sequent

If-then-else resolution• Sometimes an if-then-else branch can be resolved by proof• Strategies:

assumptions if b then e1 else e2 ::: Pis rewritten to the set of three verification conditions:

assumptions bool-to-prop b assumptions e1 ::: P

assumptions b ::: $Univ• If any of the V.C. fail to discharge, rewrite the original

assertion to assumptions bool-to-prop (not b) assumptions e2 ::: P assumptions b ::: $Univ

and try to discharge these V.C.• We try if-then-else reduction <+ if-then-else resolution <+

if-then-else splitting

Strategies for Let Expressions

• A Haskell let expression is a set of equational definitions that scope over a following expression– All of the defined identifiers are also in scope over all the right-

hand sides, and thus are potentially mutually recursive– Bummer! I wanted to inline the definitions

• Strategy: calculate a dependency relation among the definitions of a Let expression

• Reorder the definitions in a list consistent with the dependencies– A clique of one or more mutually dependent definitions forms a

knot in the list– A definitions in an unknotted segment of the list can be inlined in

the defnitions that follow and in the scoped-over expression– Any property of an identifier defined in a knotted definition must

be proved by a fixed-point strategy (not yet implemented, but see the P-logic report)

Discharge Strategies

• Primitive discharge looks for an exact match of an asserted conclusion in a list of assumptions– Implements the “trivial sequent” by sequential search

of the contextual assumptions

• A strength assertion, assumptions b ::: $Univ is discharged if b has any strong property assumed of it, or if assumptions x ::: $Univ is discharged for everyx strictVars bwhere strictVars is a strategy that performs a liberally-

safe strictness analysis, returning a list of variables in which the argument term may be strict, or fails

A Hierarchy of Pattern Matches

• Strategies are triggered by pattern matches– Outermost patterns are the structure of assertions– Then by quantification of the conclusion– Next, by the structure of formulas (conjunction,

implication)– Next, the structure of properties (unary, equality, k-

ary)– Then by the structure of predicate formulas– Then by the structure of individual predicates– Finally, by the structure of individual Hterms

Proof Search (Equality)• Simplify assumptions and take congruence

closure of assumed equalities• Try Discharge strategies in listed order

– Trivial discharge– Intensional equality of two HAbs terms– Equality involving a strict HAbs by application and

reduction (recursive strategy)– First, simplify expressions by reduction, and

• Try variable-splitting; tuple factoring • Trivial discharge (now after term reduction)• If-then-else resolution• If-then-else splitting• Split disjunctive assumptions or conjunctive conclusions • map discharge strategy over resulting V.C.

Field Trials• Strategy development has been directed initially

towards proving the assertions of the Channel Separation chip model’s Memory module

• It has not been necessary to enrich P-logic’s actual proof rules as formulated in the report

• It has been necessary to strengthen some of the assertions given with the Memory module– Principally to add definedness assertions for several

universally quantified variables– Without the addition of definedness assertions, the

Memory module assertions were not true as originally stated!

• All properties asserted in the Memory module have been verified.

Work Remaining to be Done

• Type-cognizant strategies– The current implementation includes no strategies for

overloaded operators • comparison operators (==, /=, <, <=, >, >=) are assumed to

be those defined in the Prelude for Eq and Ord types

– We need strategies for monad instances, in particular– Strategies to comprehend Haskell data definitions

• Derive rules for data type homomorphisms, structural induction

• Cooperating decision procedures– Incorporate decision procedures for boolean expressions,

Pressburger arithmetic, and lists, in addition to equalities

• Implement strategies for recursive let definitions• Implement strategies for coinductive properties• Build a user interface• Link to pfe tools as a proof server• Release and evaluate!