Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Artificial Intelligence

TEST_VCG_TAC

advertisement 
\DOC TEST_VCG_TAC
\TYPE {TEST_VCG_TAC : tactic}
\SYNOPSIS
Reduces a program total correctness goal to a set of verification
conditions.
\LIBRARY vcg
\DESCRIBE
TEST_VCG_TAC reduces a total correctness goal for a program written in
the
Sunrise programming language to a set of verification conditions, as
computed by the Verification Condition Generator for this language
as described in the references below, in particular the first paper [1].
It does this by running both VCG_TAC and FAST_VCG_TAC, and compares
their results. Since the VCG_TAC results must always be correct, this
functions as a test of FAST_VCG_TAC, which is not secure.
In addition, this tactic performs some timing tests to compare the
two tactics.
TEST_VCG_TAC uses only the results of VCG_TAC to be its own results,
and hence is completely secure.
In the following diagram, pi is a Sunrise program (suitably annotated),
q is a postcondiion, and pi[q] is a total correctness goal that every
execution of the program pi will achieve the postcondition q upon
termination, and in fact it will always terminate. This goal would
normally be created by the Sunrise language parser from text. The vci's
are the n verification conditions produced by the VCG, converted from
the Sunrise assertion language into the HOL Object Language.
{
A ?- pi[q]
==============================
A ?- vc1
...
A ?- vcn
TEST_VCG_TAC
}
Please see the example below and the descriptions of VCG_TAC and
FAST_VCG_TAC for further informaton.
References:
[1] Peter V. Homeier and David F. Martin, "Mechanical Verification of
Total
Correctness Through Diversion Verification Conditions," Eleventh
International Conference on Theorem Proving in Higher Order Logics
(TPHOLs'98), The Australian National University (ANU), Canberra,
Australia,
September 28 - October 1, 1998, Lecture Notes in Computer Science
Vol. 1479, Springer-Verlag, pages 189-206.
[2] Peter V. Homeier and David F. Martin, "Mechanical Verification of
Mutually
Recursive Procedures," in Proceedings of the 13th International
Conference
on Automated Deduction (CADE-13), eds. M. A. McRobbie and J. K.
Slaney,
Rutgers University, New Brunswick, NJ, USA, July 30-August 3, 1996,
Lecture Notes in Artificial Intelligence Vol. 1104, Springer-Verlag,
pages 201-215.
[3] Peter V. Homeier and David F. Martin, "A Mechanically Verified
Verification Condition Generator," The Computer Journal,
Vol. 38, No. 2, July 1995, pages 131-141.
[4] Peter V. Homeier, Trustworthy Tools for Trustworthy Programs:
A Mechanically Verified Verification Condition Generator for the
Total
Correctness of Procedures, (Ph.D. Dissertation), Department of
Computer
Science, University of California, Los Angeles, June 1995.
[5] Peter V. Homeier and David F. Martin, "Trustworthy Tools for
Trustworthy
Programs: A Verified Verification Condition Generator," in
Proceedings of
the 7th International Workshop on Higher Order Logic Theorem Proving
and
its Applications, eds. Thomas Melham and Juanito Camilleri, Valletta,
Malta, September 19-22, 1994, Lecture Notes in Computer Science Vol.
859,
Springer-Verlag, pages 269-284.
\FAILURE
fails if goal is not a total correctness specification with a Sunrise
program and specification. Also fails if the program is not well-formed.
Note that the program need not be correct, nor the annotations
or specification, for TEST_VCG_TAC to complete successfully.
If these parts are not correct, the verification conditions
produced will not all be provable.
\EXAMPLE
- g `^(||` program
procedure p91a(var
global a,b,c,d;
pre c = 3 /\
post (a = 'a /\
(a < x =>
calls p91a with
recurses
with
y; val x);
d = (c - 1)
b = 'b /\ c
y = x - b
a + 1 - x <
a + 1 - x <
if a < x then y := x - b
else
* b + 1;
= 'c /\ d = 'd /\ x = 'x) /\
| y = a + 1 - b);
'a + 1 - 'x;
'z;
y := x + d;
p91a(y; y);
p91a(y; y);
p91a(y; y)
fi
end procedure;
a := 100;
b := 10;
c := 3;
d := 21;
p91a(y; 77)
end program
[ y = 91 ]
`||)`;
val it =
Status: 1 proof.
1. Incomplete:
Initial goal:
``program
procedure p91a(var y;val x);
global a,b,c,d;
pre c = 3 /\ d = (c - 1) * b + 1;
post
((((a = 'a /\ b = 'b) /\ c = 'c) /\ d = 'd) /\ x = 'x)
/\
(a < x => y = x - b | y = (a + 1) - b);
calls p91a with (a + 1) - x < ('a + 1) - 'x;
recurses with (a + 1) - x < 'z;
if a < x then y := x - b
else y := x + d; p91a(y;y); p91a(y;y); p91a(y;y)
fi
end procedure;
a := 100; b := 10; c := 3; d := 21; p91a(y;77)
end program
[y = 91]``
: proofs
- e(TEST_VCG_TAC);
OK..
CPU: usr: 1.750 s
sys: 0.010 s
gc: 0.020 s
is time for secure well-foundedness theorem.
This program is well formed.
CPU: usr: 0.000 s
sys: 0.000 s
gc: 0.000 s
is time for insecure well-foundedness theorem.
CPU: usr: 98.370 s
sys: 0.430 s
gc: 3.130 s
is time for secure vcg computation theorem.
CPU: usr: 0.170 s
sys: 0.000 s
gc: 0.000 s
is time for insecure vcg computation theorem.
The insecure well-foundedness theorem is EXACTLY the same as the secure
one.
The insecure vcg computation theorem is EXACTLY the same as the secure
one.
We here use only the secure
3 subgoals:
val it =
``(21 = (3 - 1) * 10 + 1)
(!y x1 a1 b1 c1 d1.
(((((a1 = 100) /\ (b1
77)) /\
((a1 < x1) => (y = x1
(y = 91))``
results.
/\
= 10)) /\ (c1 = 3)) /\ (d1 = 21)) /\ (x1 =
- b1) | (y = (a1 + 1) - b1)) ==>
``!c d b a x 'z.
((c = 3) /\ (d = (c - 1) * b + 1)) /\ ((a + 1) - x = 'z) ==>
(!x1 a1. (a1 + 1) - x1 < (a + 1) - x ==> (a1 + 1) - x1 < 'z)``
``!'y y 'x x 'a a 'b b 'c c 'd d.
(('y = y) /\ ('x = x) /\ ('a = a) /\ ('b = b) /\ ('c = c) /\ ('d =
d)) /\
(c = 3) /\
(d = (c - 1) * b + 1) ==>
((a < x)
=> ((((((a = 'a) /\ (b = 'b)) /\ (c = 'c)) /\ (d = 'd)) /\ (x =
'x)) /\
((a < x) => T | (x - b = (a + 1) - b)))
| ((((c = 3) /\ (d = (c - 1) * b + 1)) /\
(a + 1) - (x + d) < ('a + 1) - 'x) /\
(!y1 x2 a1 b1 c1 d1.
(((((a1 = a) /\ (b1 = b)) /\ (c1 = c)) /\ (d1 = d)) /\
(x2 = x + d)) /\
((a1 < x2) => (y1 = x2 - b1) | (y1 = (a1 + 1) - b1)) ==>
(((c1 = 3) /\ (d1 = (c1 - 1) * b1 + 1)) /\
(a1 + 1) - y1 < ('a + 1) - 'x) /\
(!y2 x2' a2 b2 c2 d2.
(((((a2 = a1) /\ (b2 = b1)) /\ (c2 = c1)) /\ (d2 = d1)) /\
(x2' = y1)) /\
((a2 < x2') => (y2 = x2' - b2) | (y2 = (a2 + 1) - b2)) ==>
(((c2 = 3) /\ (d2 = (c2 - 1) * b2 + 1)) /\
(a2 + 1) - y2 < ('a + 1) - 'x) /\
(!y3 x2'' a3 b3 c3 d3.
(((((a3 = a2) /\ (b3 = b2)) /\ (c3 = c2)) /\ (d3 = d2))
/\
(x2'' = y2)) /\
((a3 < x2'') => (y3 = x2'' - b3) | (y3 = (a3 + 1) - b3))
==>
(((((a3 = 'a) /\ (b3 = 'b)) /\ (c3 = 'c)) /\ (d3 = 'd))
/\
(x = 'x)) /\
((a3 < x) => (y3 = x - b3) | (y3 = (a3 + 1) - b3)))))))``
: goalstack
\SEEALSO
VCG_TAC FAST_VCG_TAC
\ENDDOC
Related documents
FAST_VCG_TAC.doc
FAST_VCG_TAC.doc
our information session slide deck here
our information session slide deck here
Methods Used to Estimate Achievement Effects in Personalized Learning Schools Working Paper
Methods Used to Estimate Achievement Effects in Personalized Learning Schools Working Paper
The TAC independence claims initiative
The TAC independence claims initiative
Math 180: Fundamental Theorem of Calculus
Math 180: Fundamental Theorem of Calculus
Handling Self-Interest in Groups, with Minimal Cost Ruggiero Cavallo
Handling Self-Interest in Groups, with Minimal Cost Ruggiero Cavallo
ppt
ppt
Opportunities to work with health and disability providers
Opportunities to work with health and disability providers
Power Point Slides - Cambrian Explosion
Power Point Slides - Cambrian Explosion
Online Ad Auctions: An Experiment ∗ Kevin McLaughlin Daniel Friedman
Online Ad Auctions: An Experiment ∗ Kevin McLaughlin Daniel Friedman
Download
advertisement