Download Session03TheMethodImport

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts
no text concepts found
Transcript 
Session 03 — 1:30-2:30, May 13
Teaching Software Correctness
May 13-15, 2008, University of Oklahoma
http://www.cs.ou.edu/~rlpage/SEcollab/tsc
Rex Page, U Oklahoma
Assistants
Carl Eastlund (lead), Northeastern U
Ryan Ralston, U Oklahoma
Zac White, U Oklahoma
[email protected]
[email protected]
[email protected]
[email protected]
Collaboration with Matthias Felleisen - NSF/DUE 0633664, 0813529, 0632872
TSC Workshop, May 2008, U Oklahoma
1
The Method
using lemmas to guide ACL2
 Project - numeric domain (since it’s familiar territory)
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
 Function definitions
 Average = sum / number of numbers in the list
 (len xs) = number of numbers in xs (an ACL2 intrinsic)
 (sum xs) = sum of numbers in xs (not intrinsic, need def’n)
 Variance = average squared difference, (x - m)2
 Where x comes from xs, m = (avg xs)
 So, can use avg in definition of
TSC Workshop, May 2008, U Oklahoma
2
Average
 Project - numeric domain (since it’s familiar territory)
induc def’n
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
 Definition of avg properties sum must satisfy (axioms)
(defun sum (xs)
(sum nil) = 0
(if (endp xs)
(sum (list x1 x2 …)) =
0
(+ x1 (sum (list x1 x2 …))
(+ (car xs) (sum (cdr xs)))))
(defun avg (xs)
(avg xs) = (sum xs)/(len xs)
(/ (sum xs) (len xs)))
TSC Workshop, May 2008, U Oklahoma
3
Average
 Project - numeric domain (since it’s familiar territory)
induc def’n
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
 Definition of avg properties sum must satisfy (axioms)
(defun sum (xs)
(sum nil) = 0
(if (endp xs)
(sum (list x1 x2 …)) =
0
(+ x1 (sum (list x1 x2 …))
(+ (car xs) (sum (cdr xs)))))
(defun avg (xs)
(avg xs) = (sum xs)/(len xs)
(/ (sum xs) (len xs)))
(defthm avg-is-rational
property we want to derive
(rationalp (avg xs)))
(avg xs) is rational
TSC Workshop, May 2008, U Oklahoma
4
Average
 Project - numeric domain (since it’s familiar territory)
induc def’n
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
 Definition of avg properties sum must satisfy (axioms)
(defun sum (xs)
(sum nil) = 0
(if (endp xs)
(sum (list x1 x2 …)) =
0
(+ x1 (sum (list x1 x2 …))
(+ (car xs) (sum (cdr xs)))))
(defun avg (xs)
(avg xs) = (sum xs)/(len xs)
(/ (sum xs) (len xs)))
(defthm avg-is-rational
property we want to derive
(rationalp (avg xs)))
(avg xs) is rational
Let’s propose it to ACL2
TSC Workshop, May 2008, U Oklahoma
5
Average
 Project - numeric domain (since it’s familiar territory)
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
induc def’n
 Definition of avg
(defun sum (xs)
(if (endp xs)
0
(+ (car xs) (sum (cdr xs)))))
(defun avg (xs)
Subgoal *1/2'''
(/ (sum xs) (len xs)))
(IMPLIES (AND (CONSP XS)
(CDR
(defthm avg-is-rational
Eh? (STRINGP
(NOT (STRINGP
(rationalp (avg xs)))
(ACL2-NUMBERP
XS))
XS))
(CAR XS)))
(RATIONALP (CAR XS)))
******** FAILED ********
TSC Workshop, May 2008, U Oklahoma
6
Average
 Project - numeric domain (since it’s familiar territory)
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
induc def’n
 Definition of avg
(defun sum (xs)
(if (endp xs)
0
(+ (car xs) (sum (cdr xs)))))
Subgoal *1/2'''
(defun avg (xs)
(IMPLIES (AND (CONSP XS)
(/ (sum xs) (len xs)))
(CDR XS))
Eh? (STRINGP
(defthm avg-is-rational
(NOT (STRINGP XS))
(implies (rational-listp xs)
(ACL2-NUMBERP (CAR
(RATIONALP (CAR XS)))
(rationalp (avg xs))))
XS)))
******** FAILED ********
TSC Workshop, May 2008, U Oklahoma
7
Average
 Project - numeric domain (since it’s familiar territory)
 Define avg and var
 (avg xs) = average of xs, where xs is a sequence of numbers
 (var xs) = variance of xs, where xs is a sequence of numbers
 Verify these properties
 (avg xs) is a rational number
 (var xs) is a non-negative, rational number
induc def’n
 Definition of avg
(defun sum (xs)
(if (endp xs)
0
(+ (car xs) (sum (cdr xs)))))
Subgoal *1/2'''
(defun avg (xs)
(IMPLIES (AND (CONSP XS)
(/ (sum xs) (len xs)))
(CDR XS))
Eh? (STRINGP
(defthm avg-is-rational
(NOT (STRINGP XS))
(implies (rational-listp xs)
(ACL2-NUMBERP (CAR
(RATIONALP (CAR XS)))
(rationalp (avg xs))))
XS)))
********
Let’sFAILED
give ********
ACL2 another
TSC Workshop, May 2008, U Oklahoma
8
go
Variance
 Variance = average squared difference, (x - m)2
 Where x comes from xs, m = (avg xs) (list x1 x2 …) - m =
(list (x1 - m) (x2 - m) …)
 var xs = avg( (list x1 x2 …) - m)2 )
(list y1 y2 …)2 = (list y12 y22 …)
TSC Workshop, May 2008, U Oklahoma
9
Variance
 Variance = average squared difference, (x - m)2
 Where x comes from xs, m = (avg xs) (list x1 x2 …) - m =
(list (x1 - m) (x2 - m) …)
 var xs = avg( (list x1 x2 …) - m)2 )
(list y1 y2 …)2 = (list y12 y22 …)
induc def’n
properties v-s must satisfy (axioms)
(defun v-s (xs s)
(if (endp xs)
nil
; (v-s nil) = nil
(cons (- (car xs) s)
; (v-s (list x1 x2 …)) =
(v-s (cdr xs) s))))
; (cons (- x1 s) (v-s (list x2 …)))
induc def’n
 Vector minus scalar, vector squared
properties v^2 must satisfy (axioms)
(defun v^2 (xs)
(if (endp xs)
nil
; (v^2 nil) = nil
(cons (* (car xs) (car xs) )
; (v^2 (list x1 x2 …)) =
(v^2 (cdr xs)))))
; (cons (* x1 x1) (v^2 (list x2 …)))
TSC Workshop, May 2008, U Oklahoma
10
Variance
 Variance = average squared difference, (x - m)2
 Where x comes from xs, m = (avg xs)
 So, can use avg in definition of
induc def’n
properties v-s must satisfy (axioms)
(defun v-s (xs s)
(if (endp xs)
nil
; (v-s nil) = nil
(cons (- (car xs) s)
; (v-s (list x1 x2 …)) =
(v-s (cdr xs) s))))
; (cons (- x1 s) (v-s (list x2 …)))
induc def’n
 Vector minus scalar, vector squared
properties v^2 must satisfy (axioms)
(defun v^2 (xs)
(if (endp xs)
nil
; (v^2 nil) = nil
(cons (* (car xs) (car xs) )
; (v^2 (list x1 x2 …)) =
(v^2 (cdr xs)))))
; (cons (* x1 x2)(v^2 (list x2 …)))
(defun var (xs)
; var xs = avg((xs - (avg xs))2)
(avg (v^2 xs (v-s) xs (avg xs)))))
TSC Workshop, May 2008, U Oklahoma
11
Avg-Var Book
packaging collections of functions or theorems
(in-package
importable module
(in-package "ACL2")
"ACL2")
(defun sum (xs)
Save as "avg-var.lisp"
(if (null xs)
0
Import to other modules:
(+ (car xs) (sum (cdr xs)))))
(include-book "avg-var.lisp")
(defun avg (xs)
For DrACuLa purposes:
(/ (sum xs) (len xs)))
save avg-var.lisp in same directory as
(defun v-s (xs s)
module that imports it (or sub-directory)
(if (endp xs)
nil
; (v-s nil) = nil
(cons (- (car xs) s)
; (v-s (list x1 x2 …)) =
(v-s (cdr xs) s))))
; (cons (- x1 s) (v-s (list x2 …))
(defun v^2 (xs)
(if (endp xs)
nil
; (v^2 nil) = nil
(cons (* (car xs) (car xs) )
; (v^2 (list x1 x2 …)) =
(v^2 (cdr xs)))))
; (cons (* x1 x2)(v^2 (list x2 …)))
(defun var (xs)
; var xs = avg((xs - (avg xs))2)
(avg (v^2 xs (avg xs))))
TSC Workshop, May 2008, U Oklahoma
12
Variance - Derived Properties
(defun v-s (xs s)
(if (endp xs)
nil
(cons (- (car xs) s)
(v-s (cdr xs) s))))
(defun v^2 (xs)
(if (endp xs)
nil
(cons (* (car xs) (car xs) )
(v^2 (cdr xs)))))
(defun var (xs)
(avg (v^2 xs (avg xs))))
derived properties of var
(defthm var-is-rational
(implies (rational-listp xs)
(rationalp (var xs))))
; (v-s nil) = nil
; (v-s (list x1 x2 …)) =
; (cons (- x1 s) (v-s (list x2 …))
;
;
;
;
(v^2 nil) = nil
(v^2 (list x1 x2 …)) =
(cons (* x1 x2)(v^2 (list x2 …)))
var xs = avg((xs - (avg xs))2)
derived prop of avg
(defthm avg-is-rational
(implies (rational-listp xs)
(rationalp (avg xs))))
TSC Workshop, May 2008, U Oklahoma
13
Variance - Derived Properties
(defun v-s (xs s)
(if (endp xs)
nil
; (v-s nil) = nil
(cons (- (car xs) s)
; (v-s (list x1 x2 …)) =
(v-s (cdr xs) s))))
; (cons (- x1 s) (v-s (list x2 …))
(defun v^2 (xs)
(if (endp xs)
nil
; (v^2 nil) = nil
(cons (* (car xs) (car xs) )
; (v^2 (list x1 x2 …)) =
(v^2 (cdr xs)))))
; (cons (* x1 x2)(v^2 (list x2 …)))
(defun var (xs)
; var xs = avg((xs - (avg xs))2)
(avg (v^2 xs (avg xs))))
derived properties of var
derived prop of avg
(defthm avg-is-rational
(defthm var-is-rational
(implies (rational-listp xs)
(implies (rational-listp xs)
(rationalp (avg xs))))
(rationalp (var xs))))
(defthm var-is-positive
(implies (rational-listp xs)
(>= (var xs) 0)))
TSC Workshop, May 2008, U Oklahoma
14
Variance - Derived Properties
(defun v-s (xs s)
(if (endp xs)
nil
; (v-s nil) = nil
(cons (- (car xs) s)
; (v-s (list x1 x2 …)) =
(v-s (cdr xs) s))))
; (cons (- x1 s) (v-s (list x2 …))
(defun v^2 (xs)
(if (endp xs)
nil
; (v^2 nil) = nil
(cons (* (car xs) (car xs) )
; (v^2 (list x1 x2 …)) =
(v^2 (cdr xs)))))
; (cons (* x1 x2)(v^2 (list x2 …)))
(defun var (xs)
; var xs = avg((xs - (avg xs))2)
(avg (v^2 xs (avg xs))))
derived properties of var
derived prop of avg
(defthm avg-is-rational
(defthm avg-is-rational
(implies (rational-listp xs)
(implies (rational-listp xs)
(rationalp (avg xs))))
(rationalp (var xs))))
(defthm avg-is-positive
(implies (rational-listp xs)
Let’s propose it to ACL2
(>= (var xs) 0)))
TSC Workshop, May 2008, U Oklahoma
15
Variance - Derived Properties
(defun v-s (xs s)
(if (endp xs)
nil
; (v-s nil) = nil
(cons (- (car xs) s)
; (v-s (list x1 x2 …)) =
(v-s (cdr xs) s))))
; (cons (- x1 s) (v-s (list x2 …))
(defun v^2 (xs)
(if (endp xs)
nil
; (v^2 nil) = nil
(cons (* (car xs) (car xs) )
; (v^2 (list x1 x2 …)) =
(v^2 (cdr xs)))))
; (cons (* x1 x2)(v^2 (list x2 …)))
(defun var (xs)
; var xs = avg((xs - (avg xs))2)
(avg (v^2 xs (avg xs))))
derived properties of var
derived prop of avg
(defthm avg-is-rational
(defthm var-is-rational
(implies (rational-listp xs)
(implies (rational-listp xs)
(rationalp (avg xs))))
(rationalp (var xs))))
(defthm var-is-positive
(implies (rational-listp xs)
Let’s propose it to ACL2
(>= (var xs) 0)))
TSC Workshop, May 2008, U Oklahoma
16
Where the proof goes wrong
 What we’re trying to prove
(defthm var-is-positive
(implies (rational-listp xs)
(>= (var xs) 0)))
 Proof generates this odd subgoal
Subgoal *1.1/1'''
(IMPLIES (RATIONALP XS1)
(<= 0
(AVG (V^2 (V-S (LIST XS1) (AVG (LIST XS1))))))).
 Why is it worrying about with a one-element list?
 Because of this:
(defthm avg-of-pos-is-pos
(implies (and (true-listp xs)
(rational-listp xs)
(not (null xs))
(positive-listp xs))
(>= (avg xs) 0))
Unnecessary condition
- thm is too specialized
More gen’l thm easier
TSC Workshop, May 2008, U Oklahoma
17
Keep on Truckin’
another little project
 Compress — remove identical adjacent list elements
 (compress (list 1 1 2 2 2 3 4 4 5 1 1)) = (list 1 2 3 4 5 1)
 Some simple properties of the compress function
axioms
inductive
definition
 (compress nil) = nil
0 or 1 elements:
 (compress (list x)) = (list x) compressed list identical to input
 (compress (list x1 x2 x3 …))
A list that's empty with
its first element removed:
x 1 = x2
x1  x2
(null (cdr xs))
(cons x1 (compress (list x2 x3 …)))
(compress (list x2 x3 …))
(defun compress (xs)
(if (endp (cdr xs))
0 or 1 element
xs
(if (equal (car xs) (cadr xs))
(compress (cdr xs))
1st two elems same
(cons (car xs) (compress (cdr xs))))) 1st two elems differ
TSC Workshop, May 2008, U Oklahoma
18
Derived Properties for Compress
(compress (list 1 1 2 2 2 3 4 4 5 1 1)) = (list 1 2 3 4 5 1)
 Correctness properties
We've seen these before
… Goes thru easily
 Compress delivers true-list
 Conservation of values
Goes thru easily
 Values that were in list, remain
… but worth looking stating
 No new values appear
This is the hard part
 No adjacent duplicates
 Other derived properties important in some contexts
 Compress delivers a value no longer than its argument
 Compress delivers a value shorter than an arg with adjacent dups
 Some of these are harder to derive than others
TSC Workshop, May 2008, U Oklahoma
19
Conservation of Values
 Values in list before compression remain in list
after compression, and vice versa
(defthm compress-conserves-elements
(implies (true-listp xs)
(iff (member-equal x xs)
(member-equal x (compress xs)))))
TSC Workshop, May 2008, U Oklahoma
20
Adjacent Duplicates Predicate
Inductive definition
(defun adjacent-duplicatep (xs)
0 or 1 element
(and (not (endp (cdr xs)))
1st 2 elements same
(or (equal (car xs) (cadr xs))
dups in cdr
(adjacent-duplicatep (cdr xs)))))
How do we know this definition is right?
 Part of the story
(defthm no-adj-dups-implies-no-two-adj-elems-same
(implies (and (true-listp xs)
(not (adjacent-duplicatep xs))
(natp n)
(< n (1- (len xs))))
(not (equal (Nth n xs)
(Nth (1+ n) xs)))))
 Converse is other part of story
TSC Workshop, May 2008, U Oklahoma
21
Compressed List Has No Adjacent Dups
 Statement of theorem
(defthm compressed-list-has-no-adjacent-duplicates
(implies (true-listp xs)
(not (adjacent-duplicatep (compress xs)))))
 Doesn't go through without help
 Lemma: inductive case
(defthm compressed-list-has-no-adj-dups-inductive-case
(implies (and (true-listp xs)
(not (adjacent-duplicatep (compress (cdr xs)))))
(not (adjacent-duplicatep (compress xs)))))
Excerpt from proof attempt
problems with first element
Subgoal *1.1/2
(IMPLIES (AND (CONSP XS4)
(NOT (CONSP
(TRUE-LISTP
(NOT (EQUAL
(NOT (TRUE-LISTP
(CDR XS4)))
XS4)
L1 (CAR XS4))))
(CONS (CAR XS4) XS4))))
 Proof of lemma needs help, too
(defthm 1st-elem-is-1st-compressed-elem
(implies (true-listp xs)
Lemma for lemma
(equal (car xs)
goes through
(car
(compress
xs)))))
TSC Workshop, May 2008, U Oklahoma
22
Force Use of Lemma
use-instance hint
 Use-lemma directive for inductive case
(defthm compressed-list-has-no-adj-dups-inductive-case ;
lemma
(implies (and (true-listp xs)
(not (adjacent-duplicatep (compress (cdr xs)))))
(not (adjacent-duplicatep (compress xs))))
:hints
Substitute (cdr xs) from theorem
for xs in lemma
(("Goal"
:use (:instance 1st-elem-is-1st-compressed-elem
(xs (cdr xs))))))
Must be using it too much, now
Excerpt from proof attempt
Disable at lower levels
ACL2 Warning [Use] in
(DEFTHM COMPRESSED-LIST-HAS-NO-ADJ-DUPS-INDUCTIVE-CASE ...):
It is unusual to :USE an enabled :REWRITE or :DEFINITION
rule, so you may want to consider disabling
(:REWRITE |1ST-ELEM-IS-1ST-COMPRESSED-ELEM|).
TSC Workshop, May 2008, U Oklahoma
23
Disable Lemma at Lower Levels in Proof
disable, in theory
 Use-lemma directive for inductive case
(defthm compressed-list-has-no-adj-dups-inductive-case ;
lemma
(implies (and (true-listp xs)
(not (adjacent-duplicatep (compress (cdr xs)))))
(not (adjacent-duplicatep (compress xs))))
:hints
(("Goal"
:use (:instance 1st-elem-is-1st-compressed-elem
(xs (cdr xs)))
:in-theory (disable 1st-elem-is-1st-compressed-elem))))
Use at top level
Substitute (cdr xs) from theorem
Disable at lower levels
for xs in lemma
(defthm 1st-elem-is-1st-compressed-elem
(implies (true-listp xs)
Now, inductive-case
(equal (car xs)
Lemma goes through
(car (compress xs)))))
And, so does theorem
TSC Workshop, May 2008, U Oklahoma
24
Is That All There Is?
What about big programs?
What was the first program you wrote?
 Hello World
Learning to use a tool like ACL2 takes a
similar amount of effort as learning to use a
language like Java or C or Lisp
Lots of software components dist’d with ACL2
 :System “books”
 ACL2 workshop books - a growing resource
Software components critical to applications
are good targets for analysis through ACL2
Increment of effort in software development
 Learning curve - less steep than widely believed
 Rough guess - doubles engineering time
TSC Workshop, May 2008, U Oklahoma
25
Learning to Use ACL2
Kaufmann/Moore/Maniolios Textbook
ACL2 Website – just Google ACL2
Computer-Aided Reasoning – An Approach
 Excellent explanations of deep, important material
ACL2 Website
 Tutorials, examples, wealth of information
Online help
 World-class experts reachable by email
 Great response times, great help
Teaching Software Correctness website
 http://www.cs.ou.edu/~rlpage/SEcollab/tsc/
 Teaching/Learning resource — a useful one, we hope!
TSC Workshop, May 2008, U Oklahoma
26
The End
TSC Workshop, May 2008, U Oklahoma
27
Related documents