Article

Second-Order Functions and Theorems in ACL2

Authors:
To read the full-text of this research, you can request a copy directly from the author.

Abstract

SOFT ('Second-Order Functions and Theorems') is a tool to mimic second-order functions and theorems in the first-order logic of ACL2. Second-order functions are mimicked by first-order functions that reference explicitly designated uninterpreted functions that mimic function variables. First-order theorems over these second-order functions mimic second-order theorems universally quantified over function variables. Instances of second-order functions and theorems are systematically generated by replacing function variables with functions. SOFT can be used to carry out program refinement inside ACL2, by constructing a sequence of increasingly stronger second-order predicates over one or more target functions: the sequence starts with a predicate that specifies requirements for the target functions, and ends with a predicate that provides executable definitions for the target functions.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the author.

... In an interactive theorem prover like ACL2, stepwise program refinement can be carried out using predicates over (deeply or shallowly embedded) implementations as specifications s i and (reversed) implication as ↝ (an approach called 'pop-refinement') [4,5]; and c ↦ may be realized either as a ↝ sequence entirely in the logic of the prover [4], or via a more typical code generator [6] [23, Topic ATJ]. The APT (Automated Program Transformations) library [23, Topic APT] provides tools to carry out derivation steps s i ↝ s i+1 via automated transformations (as outlined above) in ACL2. ...
... to automatic propagation, including the predicate s i . 5 ...
... In the call (defiso isomap old new iso osi ...), isomap is such a name, and ... consists of hints and other optional inputs. 5 If X and Y are part of the required "interface" in s 0 of the program being derived, note that a wrapperf ≡ υ −1 ○ f ′ ○ ξ can be mechanically defined along with f ′ , provably satisfyingf = f . This is different from the definition of f ′ that includes the isomorphic conversions:f only converts the input once and the output once, while the definition of f ′ that includes the isomorphic conversions performs several conversions at each recursive call. ...
... In an interactive theorem prover like ACL2, stepwise program refinement can be carried out using predicates over (deeply or shallowly embedded) implementations as specifications s i and (reversed) implication as ↝ (an approach called 'pop-refinement') [4,5]; and c ↦ may be realized either as a ↝ sequence entirely in the logic of the prover [4], or via a more typical code generator [6] [23, Topic ATJ]. The APT (Automated Program Transformations) library [23, Topic APT] provides tools to carry out derivation steps s i ↝ s i+1 via automated transformations (as outlined above) in ACL2. ...
... to automatic propagation, including the predicate s i . 5 ...
... In the call (defiso isomap old new iso osi ...), isomap is such a name, and ... consists of hints and other optional inputs. 5 If X and Y are part of the required "interface" in s 0 of the program being derived, note that a wrapperf ≡ υ −1 ○ f ′ ○ ξ can be mechanically defined along with f ′ , provably satisfyingf = f . This is different from the definition of f ′ that includes the isomorphic conversions:f only converts the input once and the output once, while the definition of f ′ that includes the isomorphic conversions performs several conversions at each recursive call. ...
Preprint
Full-text available
In stepwise derivations of programs from specifications, data type refinements are common. Many data type refinements involve isomorphic mappings between the more abstract and more concrete data representations. Examples include refinement of finite sets to duplicate-free ordered lists or to bit vectors, adding record components that are functions of the other fields to avoid expensive recomputation, etc. This paper describes the APT (Automated Program Transformations) tools to carry out isomorphic data type refinements in the ACL2 theorem prover and gives examples of their use. Because of the inherent symmetry of isomorphisms, these tools are also useful to verify existing programs, by turning more concrete data representations into more abstract ones to ease verification. Typically, a data type will have relatively few interface functions that access the internals of the type. Once versions of these interface functions have been derived that work on the isomorphic type, higher-level functions can be derived simply by substituting the old functions for the new ones. We have implemented the APT transformations isodata to generate the former, and propagate-iso for generating the latter functions as well as theorems about the generated functions from the theorems about the original functions. Propagate-iso also handles cases where the type is a component of a more complex one such as a list of the type or a record that has a field of the type: the isomorphism on the component type is automatically lifted to an isomorphism on the more complex type. As with all APT transformations, isodata and propagate-iso generate proofs of the relationship of the transformed functions to the originals.
... The interrelated ideas of program refinement, program transformation, and program synthesis are not new [8,1,18,12,17,15], and neither is their realization in a theorem prover like ACL2 [3,4,14,5,6]. Syntheto builds on these ideas to provide a more accessible language and a more feature-rich IDE. ...
Preprint
Full-text available
Syntheto is a surface language for carrying out formally verified program synthesis by transformational refinement in ACL2 using the APT toolkit. Syntheto aims at providing more familiarity and automation, in order to make this technology more widely usable. Syntheto is a strongly statically typed functional language that includes both executable and non-executable constructs, including facilities to state and prove theorems and facilities to apply proof-generating transformations. Syntheto is integrated into an IDE with a notebook-style, interactive interface that translates Syntheto to ACL2 definitions and APT transformation invocations, and back-translates the prover's results to Syntheto; the bidirectional translation happens behind the scenes, with the user interacting solely with Syntheto.
... The interrelated ideas of program refinement, program transformation, and program synthesis are not new [8,1,18,12,17,15], and neither is their realization in a theorem prover like ACL2 [3,4,14,5,6]. Syntheto builds on these ideas to provide a more accessible language and a more feature-rich IDE. ...
Chapter
Construction of a formal model of a computing system is a necessary practice in formal verification. The results of formal analysis can only be valued to the same degree as the model itself. Model development is error-prone, not only due to the complexity of the system being modeled, but also because it involves addressing disparate requirements. For example, a formal model should be defined using simple constructs to enable efficient reasoning but it should also be optimized to offer fast concrete simulations. Models of large computing systems are themselves large software systems and must be subject to rigorous validation. We describe our formal, executable model of the x86 instruction-set architecture; we use our model to reason about x86 machine-code programs. Validation of our x86 ISA model is done by co-simulating it regularly against a physical x86 machine. We present design decisions made during model development to optimize both validation and verification, i.e., efficiency of both simulation and reasoning. Our engineering process provides insight into the development of a software verification and model animation framework from the points of view of accuracy, efficiency, scalability, maintainability, and usability.
Conference Paper
Full-text available
ACL2 allows users to define predicates whose logical behavior mimics that of universally or existentially quantified formulae. Proof support for such quantification, however, is quite limited. We present an ACL2 framework that employs tables, computed hints and clause processing to identify quantified formulae and to skolemize or instantiate them when possible. We demonstrate how the framework can be used to prove automatically the forall-p-append example presented in the ACL2 documentation.
Article
Full-text available
Even though the ACL2 logic is first order, the ACL2 system offers several mechanisms providing users with some operations akin to higher order logic ones. In this paper, we propose a macro, named instance-of-defspec, to ease the reuse of abstract functions and facts proven about them. Defspec is an ACL2 book allowing users to define constrained functions and their associated properties. It contains macros facilitating the definition of such abstract specifications and instances thereof. Currently, lemmas and theorems derived from these abstract functions are not automatically instantiated. This is exactly the purpose of our new macro. instance-of-defspec will not only instantiate functions and theorems within a specification but also many more functions and theorems built on top of the specification. As a working example, we describe various fold functions over monoids, which we gradually built from arbitrary functions.
Article
Full-text available
Among the standard books distributed with ACL2 is the consider-hint book in the hints subdirectory, which im-plements a heuristic for computing functional instantiations. The implementation of the hint involves four basic algo-rithms: a second-order pattern matching algorithm that can compute instantiations for constrained and defined functions that call constrained functions, a process for generating vari-ants of a term obtained by applying equations, a process for extending second-order matching through definitions so that when instantiating defined functions the algorithm can pick up appropriate bindings for the constrained functions inside the definitions, and an algorithm for sorting among likely functional substitutions. The second-order matching algo-rithm is an incomplete and slightly extended implementation of the Huet-Lang algorithm. We describe the four basic al-gorithms involved in guessing functional instantiations. We briefly suggest further work required to make the utility ro-bust and suggest a new feature that could be added to ACL2 if this utility were sufficiently robust. We hope that some enterprising user or student will take up these challenges.
Article
Full-text available
ion and Program Synthesis, volume 75: Math. Studies of Information Processing of Lecture Notes in Computer Science. Springer-Verlag, 1979. [Bjo80a] D. Bjorner, editor. Abstract Software Specifications, volume 86 of Lecture Notes in Computer Science. Springer-Verlag, 1980. [Bj80b] D. Bjrner. Application of formal models. In Data Bases. INFOTECH Proceedings, October 1980. [Bj80c] D. Bjrner. Experiments in block-structured goto-modelling: Exits vs. continuations. [Bjo80a], pages 216--247, 1980. [Bj80d] D. Bjrner. Formal description of programming concepts: a software engineering viewpoint. In MFCS '80, Lecture Notes Vol. 88, pages 1--21. Springer-Verlag, 1980. [Bj81] D. Bjrner. The VDM principles of software specification and program design. In TC2 Work.Conf. on Formalization of Programming Concepts, pages 44--74, LNCS Vol. 107, 1981. IFIP, Springer-Verlag. [BL84] R. Bahlke and T. Letschert. Ausfuhrbare denotationale semantik. In Proc. 4, pages 3--19. Gl-Fachgesprach Implementierung von...
Chapter
Full-text available
This paper presents a mechanizable framework for software development by refinement. The framework is based on a category of specifications. The key idea is representing knowledge about programming concepts, such as algorithm design, datatype refinement, and expression simplification, by means of taxonomies of specifications and morphisms. Examples are drawn from working systems Specware, Designware, and Planware.
Article
Trace properties, which have long been used for reasoning about systems, are sets of execution traces. Hyperproperties, introduced here, are sets of trace properties. Hyperproperties can express security policies, such as secure information flow and service level agreements, that trace properties cannot. Safety and liveness are generalized o hyperproperties, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty. A verification technique for safety hyperproperties is given and is shown to generalize prior techniques for verifying secure information flow. Refinement is shown to be applicable with safety hyperproperties. A topological characterization of hyperproperties is given.
Article
Tribute Foreword Introduction Part I. Mathematics: 1. Mathematical reasoning 2. Set notation 3. Mathematical objects Part II. Abstract Machines: 4. Introduction to abstract machines 5. Formal definition of abstract machines 6. Theory of abstract machines 7. Constructing large abstract machines 8. Examples of abstract machines Part III. Programming: 9. Sequencing and loop 10. Programming examples Part IV. Refinement: 11. Refinement 12. Constructing large software systems 13. Examples of refinement Appendixes Index.
Article
As an alternative to methods by which the correctness of given programs can be established a posteriori, this paper proposes to control the process of program generation such as to produce a priori correct programs. An example is treated to show the form that such a control might then take. This example comes from the field of parallel programming; the way in which it is treated is representative of the way in which a whole multiprogramming system has actually been constructed.
Book
The B method is a means for specifying, designing and coding software systems. The long-awaited B Book is the standard reference for everything concerning this method. It contains the mathematical basis on which it is founded, the precise definitions of the notations used, and a large number of examples illustrating its use in practice. J.-R. Abrial, the inventor of B, has written the book in such a way that it can be used for self-study or for reference. It is in four parts, the first dealing with the mathematical foundations, including a systematic construction of predicate logic and set theory, and the definition of the various mathematical structures that are needed to formalize software systems; the author places special emphasis on the notion of proof. The second part contains a presentation of the Generalized Substitution Language and of the Abstract Machine Notation, which are both used to specify software systems; the author gives examples to show how large specifications can be constructed systematically. The next part introduces the two basic programming features of sequencing and loop, with examples showing how to construct small algorithms. The last part covers the very important notion of refinement. It shows how to construct large software systems by means of layered architectures of modules. It culminates with the presentation of several examples of complete development with a special emphasis on the methodological approach. Finally, appendices give summaries of all the logical and mathematical definitions, and of all the rules and proof obligations. With the appearance of The B Book, formal methods practitioners, computer scientists, and systems developers at last will have access to the definitive account of what will become one of the standard approaches to the construction of software systems.
Article
A powerful method of simplifying the proofs of program correctness is suggested; and some new light is shed on the problem of functions with side-effects.
Article
Refinement mappings are used to prove that a lower-level specification correctly implements a higher-level one. We consider specifications consisting of a state machine (which may be infinite- state) that specifies safety requirements, and an arbitrary supplementary property that specifies liveness requirements. A refinement mapping from a lower-level specification S1 to a higher-level one S2 is a mapping from S1's state space to S2's state space. It maps steps of S1's state machine to steps of S2's state machine and maps behaviors allowed by S1 to behaviors allowed by S2. We show that, under reasonable assumptions about the specification, if S1 implements S2, then by adding auxiliary variables to S1 we can guarantee the existence of a refinement mapping. This provides a completeness result for a practical, hierarchical specification method.
Article
Contenido: Introducción; Cálculo proposicional; Lógica de primer orden; Probabilidad y refutabilidad; Otras cuestiones de lógica de primer orden; Teoría de tipos; Teoría formalizada de números; Estado incompleto e indecidibilidad.
Article
Experience has shown that large or multi-user interactive proof efforts can benefit significantly from structuring mechanisms, much like those available in many modern programming languages. Such a mechanism can allow some lemmas and definitions to be exported, and others not. In this paper we address two such structuring mechanisms for the ACL2 theorem prover: encapsulation and books. After presenting an introduction to ACL2, this paper justifies the implementation of ACL2's structuring mechanisms and, more generally, formulates and proves high-level correctness properties of ACL2. The issues in the present paper are relevant not only for ACL2 but also for other theorem-proving environments.
Article
We describe a method for introducing “partial functions” into ACL2, that is, functions not defined everywhere. The function “definitions” are actually admitted via the encapsulation principle: the new function symbol is constrained to satisfy the appropriate equation. This is permitted only when a witness function can be exhibited, establishing that the constraint is satisfiable. Of particular interest is the observation that every tail recursive definition can be witnessed in ACL2. We describe a macro that allows the convenient introduction of arbitrary tail recursive functions, and we discuss how such functions can be used to prove theorems about state machine models without reasoning about “clocks” or counting the number of steps until termination. Our macro for introducing “partial functions” also permits a variety of other recursive schemes, and we briefly illustrate some of them.
Pop-Refinement. Archive of Formal Proofs
  • Alessandro Coglio
Alessandro Coglio (2014): Pop-Refinement. Archive of Formal Proofs. http://afp.sf.net/entries/ Pop_Refinement.shtml, Formal proof development.