Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Artificial Intelligence

FAST_VCG_TAC.doc

advertisement 
\DOC FAST_VCG_TAC
\TYPE {FAST_VCG_TAC : tactic}
\SYNOPSIS
Reduces a program total correctness goal to a set of verification
conditions.
\LIBRARY vcg
\DESCRIBE
FAST_VCG_TAC reduces a total correctness goal for a program written in
the
Sunrise programming language to a set of verification conditions, as
computed by the Verification Condition Generator for this language
as described in the references below, in particular the first paper [1].
The subgoals produced are normal HOL goals, without any mention of
programming language phrases or concepts.
This is very similar to VCG_TAC, except for the following points:
1) FAST_VCG_TAC is considerably faster than VCG_TAC, by as much as
three orders of magnitude in some cases.
2) FAST_VCG_TAC is NOT SECURE. It computes by insecure ML code,
rather than by secure proof within HOL, as VCG_TAC does. Thus, it
is possible that FAST_VCG_TAC may introduce unsoundness to HOL.
3) No tracing is provided of the work of FAST_VCG_TAC.
In the following diagram, pi is a Sunrise program (suitably annotated),
q is a postcondiion, and pi[q] is a total correctness goal that every
execution of the program pi will achieve the postcondition q upon
termination, and in fact it will always terminate. This goal would
normally be created by the Sunrise language parser from text. The vci's
are the n verification conditions produced by the VCG, converted from
the Sunrise assertion language into the HOL Object Language.
{
A ?- pi[q]
==============================
A ?- vc1
...
A ?- vcn
FAST_VCG_TAC
}
The tactic takes no arguments, but is controlled by a set of globals,
with the following initial (default) values, and their significance:
Global
Default Value
-----------------print_vcg
true
print_subst
false
debug_vcg
false
caching
true
Significance
-------------------------------------------when true, causes tracing of the VCG's work.
when true, causes tracing of substitutions.
when true, causes deep tracing of the VCG.
when true, causes caching of some theorems.
debug_cache
timing
new_graph
false
false
true
when true, causes deep tracing of the cache.
when true, causes timing of the VCG's work.
when true, prints diagram of graph analysis.
Of these, only print_vcg and perhaps caching will be of interest to most
users. To turn off the printing of the trace of the VCG's work, set
print_vcg := false. To disable the theorem cache in order to experiment
with performance, set caching := false.
References:
[1] Peter V. Homeier and David F. Martin, "Mechanical Verification of
Total
Correctness Through Diversion Verification Conditions," Eleventh
International Conference on Theorem Proving in Higher Order Logics
(TPHOLs'98), The Australian National University (ANU), Canberra,
Australia,
September 28 - October 1, 1998, Lecture Notes in Computer Science
Vol. 1479, Springer-Verlag, pages 189-206.
[2] Peter V. Homeier and David F. Martin, "Mechanical Verification of
Mutually
Recursive Procedures," in Proceedings of the 13th International
Conference
on Automated Deduction (CADE-13), eds. M. A. McRobbie and J. K.
Slaney,
Rutgers University, New Brunswick, NJ, USA, July 30-August 3, 1996,
Lecture Notes in Artificial Intelligence Vol. 1104, Springer-Verlag,
pages 201-215.
[3] Peter V. Homeier and David F. Martin, "A Mechanically Verified
Verification Condition Generator," The Computer Journal,
Vol. 38, No. 2, July 1995, pages 131-141.
[4] Peter V. Homeier, Trustworthy Tools for Trustworthy Programs:
A Mechanically Verified Verification Condition Generator for the
Total
Correctness of Procedures, (Ph.D. Dissertation), Department of
Computer
Science, University of California, Los Angeles, June 1995.
[5] Peter V. Homeier and David F. Martin, "Trustworthy Tools for
Trustworthy
Programs: A Verified Verification Condition Generator," in
Proceedings of
the 7th International Workshop on Higher Order Logic Theorem Proving
and
its Applications, eds. Thomas Melham and Juanito Camilleri, Valletta,
Malta, September 19-22, 1994, Lecture Notes in Computer Science Vol.
859,
Springer-Verlag, pages 269-284.
\FAILURE
Fails if goal is not a total correctness specification with a Sunrise
program and specification. Also fails if the program is not well-formed.
Note that the program need not be correct, nor the annotations or
specification, for FAST_VCG_TAC to complete successfully.
If these parts are not correct, the verification conditions produced
will not all be provable.
\EXAMPLE
g `^(||` program
procedure quotient_remainder (var q,r; val x,y);
pre 0 < y;
post 'x = q * 'y + r /\ r < 'y;
r := x;
q := 0;
assert 'x = q * 'y + r /\ 0 < y /\ 'y = y
with r < 'r
while ~(r < y) do
r := r - y;
q := ++q
od
end procedure;
quotient_remainder(q,r;7,3)
end program
[ q = 2 /\ r = 1 ]
`||)`;
e(FAST_VCG_TAC);
OK..
4 subgoals:
val it =
``0 < 3 /\ (!q r. (7 = q * 3 + r) /\ r < 3 ==> (q = 2) /\ (r = 1))``
``!'x q 'y r y.
((('x = q * 'y + r) /\ 0 < y) /\ ('y = y)) /\ r < y ==>
('x = q * 'y + r) /\ r < 'y``
``!'x q 'y r y 'r.
(((('x = q * 'y + r) /\ 0 < y) /\ ('y = y)) /\ ~(r < y)) /\ (r =
'r) ==>
((('x = (q + 1) * 'y + (r - y)) /\ 0 < y) /\ ('y = y)) /\ r - y <
'r``
``!'q q 'r r 'x x 'y y.
(('q = q) /\ ('r = r) /\ ('x = x) /\ ('y = y)) /\ 0 < y ==>
(('x = 0 * 'y + x) /\ 0 < y) /\ ('y = y)``
: goalstack
\SEEALSO
VCG_TAC TEST_VCG_TAC
\ENDDOC
Related documents
Exercise Sheet 5
Exercise Sheet 5
TEST_VCG_TAC
TEST_VCG_TAC
our information session slide deck here
our information session slide deck here
BWM Award 2016 Application
BWM Award 2016 Application
Methods Used to Estimate Achievement Effects in Personalized Learning Schools Working Paper
Methods Used to Estimate Achievement Effects in Personalized Learning Schools Working Paper
Document11206560 11206560
Document11206560 11206560
Download
advertisement