Contents

• syllabus
• 2001-2002
• Médiathèque
• Session 1: Monday October 7, 2002 - Room TD 5
• Session 2: Monday October 14, 2002 - Room TD 5
• Session 3: Monday October 21, 2002 - Room TD 5
• Session 4: Monday October 28, 2002 - Room TD 5
• Session 5: Monday November 4, 2002 - Room TD 5
• Session 6: Monday November 18, 2002 - Room TD 5
• Session 7: Monday December 2, 2002 - Room TD 5
• Session 8: Evaluation Monday December 16, 2002 - Room TD 5

Mediathèque

• PVS language and proof system;
• some Bordeaux PVS applications;
• Alose (Automatisation de LOgigrammes de Sécurité), développé par Kaninda Musumbu et coll.: slide presentation;
• Alose PVS declarative (fixpoint) semantics - last year class project results;
• Fixpoint theory and PVS inductive sets;
• A PVS theory of well founded recursion;
• book available at ENSEIRB library:
The Foundations of Program Verification
Second Edition
Jacques Loeckx and Kurt Sieber
Wiley - Teubner Series in Computer Science

Session 1: Monday October 7, 2002 - Room TD 5

Evaluation will be based upon

• 50%: participation of students in a cooperative project (see syllabus for details),
• 50%: team mini-project: analysis of a small PVS theory, and a 30 minutes oral presentation on Friday february 8, 2002.

~gloess/pvs/2.4/count_ok/2.4.count_ok.12mar2002.dump.dump

One student asked whether it would be possible to prove that the count_ok function is optimal, meaning that it always yields an optimal solution.

Answer: we would have to specify what "optimal" means. For example "optimal" could mean "the shortest possible solution" (shortest length). The count_ok function as it is is probably not optimal.

Back to Top.

Session 2: Monday October 14, 2002 - Room TD 5

Rapid look at the "imperative program verification library", showing the proof of correctness of the "sqrt" example. This big library demonstrates the expressive power of PVS, which allowed us to actually define program correctness, develop and prove Hoare calculus, and corresponding strategies that provide a semi-automatic proof method.

Back to Top.

Session 3: Monday October 21, 2002 - Room TD 5

There is no bijection from A to [A -> bool] (in classical math, from A to 2^A).

~gloess/pvs/2.4/2.4.sets.21oct2002.bij.dump

• PVS language (slides 24--27): recursive functions and well founded relations;
• PVS inference (slides 28--29): well founded induction principle.

• PVS language (slides 28--30).

• "no syntax" approach to formalization of imperative programs, assertions,
• variables, terms, programs and assertions are directly semantic objects,
• assignment Hoare rule, formal substitution defined semantically, subsumes "substitution theorem",
• while statement and while Hoare rule: while is defined as a recursive function (owing to dependant types).

Session 4: Monday October 28, 2002 - Room TD 5

Fixpoint theory and PVS inductive sets.

Back to Top.

Session 5: Monday November 4, 2002 - Room TD 5

Then last year Alose project results are presented.

Thus, last year project main result was a fixpoint semantics of Alose (in the style of Prolog fixpoint semantics): all lemmas and proof obligations were completely proved.

This year, we'll aim at providing Alose with an operational semantics (a semantics that can be evaluated using PVS ground evaluator), and proving the equivalence between this operational semantics and the former fixpoint semantics.

Some additional work toward this goal was done by Paul Y Gloess, in april 2002:

• a library about confluent relations, with classical results such as:
• noetherian induction lemma;
• a locally confluent and noetherian relation is confluent;
• a confluent relation yields a unique normal form;
• see ~gloess/pvs/2.4/confluence/2.4.confluence.11apr2002.confluence.dump.

Back to Top.

Session 6: Monday November 18, 2002 - Room TD 5

The present goal (this year) - only two sessions are left! - is twofold:

• define an operational semantics for Alose, that is, a semantics that can be checked using PVS ground evaluator (which resembles a LISP evaluator);
• show the equivalence between
• Alose declarative semantics,
• and Alose operational semantics,
using the "unique normal form" theorem which applies to confluent relations.

• sets are not appropriate (even if we restrict ourselves to finite sets) and should be mapped into lists;
• we should use a concrete representation of rules and scripts, where sets are replaced with lists;
• equivalence between the declarative and operational semantics should take this mapping into account, and should assume a finite set of finite rules (infinite objects are not operational).

• two operational types have been defined:
• orule corresponding to rule;
• oscript corresponding to script;
• operational inference has been implemented in oinference theory:
• application of a rule requires two auxillary functions:
• assoc for getting the birthdate of an event in a script;
• a recursive apply function to check each rule condition against the script, and accumulate a maximum delay;
a potential problem (to be improved later) is that the property "script defines each event once only" is not maintained, because we used cons instead of a more sophisticated function to add something to the script;
• application of a list of rules to a script is straightforward;
• iterated application of a list of rules to a script uses an operational fixpoint (omu function in ofixpoint theory):
• termination of omu_prec function will have to be refined, as it will raise unprovable importing TCCs!
• PVS dumps:
• ~gloess/pvs/2.4/alose/2.4.alose.20nov2002.oinference.dump
• remark: the PVS bug encountered in class had nothing to do with naming conflicts: it came from misstyping NULL for null in CASES statements;
• ~gloess/pvs/2.4/alose/2.4.alose.20nov2002.oinference_eval.dump
• same as above dump, plus test examples of operational inference (added after class): oinference_eval theory.

---

Session 7: Monday December 2, 2002 - Room TD 5

• instead just consing the event (e, n) corresponding to successful application of a rule to the script s under consideration, we first check that (e, n) does not already belong to script s; otherwise, if some pair (e, n') already belongs to s, we replace it with (e, min(n, n'));
• implementation from Thomas Chatain, see comb function in oinference theory;
• with the above improvement, the operational fixpoint omu used in fc terminates; furthermore, the result does not seem to depend upon rule ordering;

• omu or omu_prec parameters do not restrict the type [T->T] of f function. Hence, there will be no way to prove omu_prec termination TCC, since nothing says that f(start) is smaller than start with respect to R well founded relation (passed as a parameter of ofixpoint theory);
• in order to get a provable termination TCC, we restrict the type of f to:
• f: {f: [T -> T] | (FORALL (start: T): f(start) = start  OR  R(f(start), start))} ;
• hence, either start is a fixpoint of f, or f(start) will get smaller than start w.r.t. R;
• this turns out to work better, although the termination TCC is still unprovable!
• the reason is that since f is the first theory parameter, it cannot depend on prec parameter; alternatively, we'll need to express some relation between prec and start parameters; we postpone the problem;

• we define a correspondance alpha (abstraction) from declarative concepts to operational concepts:
• the essential idea is to map each list into a (finite) set, using the list2set converter provided in PVS prelude;
• alpha(s: oscript): script = list2set(s)  % see oscripts theory;
• alpha(R: orule): orule  % defined in orules theory;
• alpha(Rs: list[orule]): [rule -> bool] = list2set(map(alpha, Rs)) % see orules theory;
• the main correctness theorem, see oinference theory, is:
fc_correct: THEOREM
    (FORALL (Rs: list[orule]): alpha(fc(Rs)) = fc(alpha(Rs))) ;

~gloess/pvs/2.4/alose/2.4.alose.3december2002.dump.dump

• I have come up to the conclusion that the theory of confluent rewriting systems would not help here, because we would need a unique relation R for both the declarative semantics and the operational semantics, so that we can get two normal forms
• empty script --R*--> s1 (irreducible) through declarative semantics;
• empty script --R*--> s2 (irreducible) through operational semantics;
and use the "unique normal form" theorem to equate s1 and s2. However, although we can easily define a relation R suitable for operational inference (R corresponds to application of a delay rule from the list Rs of rules), and we have
alpha(s) --R*--> alpha(pi(Rs)(s)),
this relation R does not work for declarative inference. We do not have
alpha(s) --R*--> lub(alpha(Rs))(alpha(s)).
In fact operational inference does not closely match declarative inference: it is more efficient! In general:
alpha(pi(Rs)(s))  >  lub(alpha(Rs))(alpha(s)).
• Hence the correctness proof will be based on fixpoint theory itself, rather than on the theory of confluent rewriting systems:
• Let Fs = {apply(r1), ..., apply(rn)} be the finite set of functions {f1, ..., fn} corresponding to the delay rules {r1, ..., rn};
• We have three fixpoint semantics:
• mu(lub(Fs)) where lub(Fs) can be understood as f1 U ... U fn, where (f U g)(s) is defined as f(s) U g(s): this is the declarative semantics;
• mu(pi(Fs)) where pi(Fs) denotes the composition product f1 o ... o fn of the list (: f1, ..., fn :) of functions: this is not strictly speaking the operational semantics, because we use the theoretical mu instead of the operational omu, but it is close to;
• omu(pi(Fs)): the operational semantics;
• The proof requires two main steps:
• mu(lub(Fs)) = mu(pi(Fs)):
• mu_lub_mu_pi manual proof, using related lemmas:
• mu is monotonic, see mu_monotonic manual proof;
• I < f AND  k > 1   =>  mu(f^k) = mu(f), see mu_power manual proof;
• mu(I U f) = mu(f), see mu_refl manual proof;
• mu(pi(Fs)) = omu(pi(Fs)):
• this should be easily achieved by showing that R is noetherian, and using the monotonicity of pi(Fs);

Back to Top.

Session 8: Evaluation Monday December 16, 2002 - Room TD 5

Le travail demandé à chaque élève est de l'ordre de 3 à 4 heures (hors soutenance orale de 30 minutes par groupe de 3):

• analyse d'une partie de la bibliothèque étudiée;
• approfondissement de certaines preuves essentielles (extraction de l'idée de la preuve à partir du scénario PVS);
• synthèse et préparation de l'exposé.

Une liste de sujets d'étude est proposée ci-dessous: il est demandé à l'ensemble des élèves (et au représentant en particulier) de me proposer par mail une répartition nominative, d'ici lundi 21 janvier 2002. Un autre sujet peut être étudié, avec mon accord.
 
 

Intitulé	Documents	Nombre de groupes de 3 élèves	Trinôme
combinations, C(p, n)	~gloess/pvs/combinations/combinations.30january2001.combinations.dump sous PVS 2.3 uniquement	1	Anoun Houda Elaimani Laila Amoudi Mariem
compiler	~gloess/pvs/2.4/compiler/2.4.compiler.24jan2002.dump.dump	1	Doolaeghe Bruno Andriambololona Mahery Georges Nicolas
les ensembles finis	/opt/pvs/2.?/lib/finite_sets/	2	Lansade Frédéric Galdos Caroline Baratta Romain Puyou Marion Aubert Flavien
les vecteurs de bits	/opt/pvs/2.?/lib/bitvectors/	2	Kim DANG Gauthier MATHIEU Fabien PAQUEREAU Alexandre RIBEIRO Julien SAZATORNIL Cyril VRILLAUD
fixpoint and Scott induction (inductive sets)	mucalculus theory in PVS prelude (use Meta-x<view-prelude-file> command from PVS) ~gloess/pvs/2.4/nasa/fixpoints/p24_fixedpoints.dmp ~gloess/pvs/2.4/scott/2.4.scott.6feb2002.induction.dump	1 or 2
permutations sur les listes	~gloess/pvs/permutations/permutations.18_april_2000.list_permutations.dump	1	Chatain Thomas Arab Rachid Dufour Armelle
properties of well founded relations	voir commentaires dans http://dept-info.labri.u-bordeaux.fr/~gloess/pvs/ et utiliser la dernière version (11 avril 2002) dans ~gloess/pvs/2.4/wf/2.4.wf.11april2002.wf_properties.dump	1
PVS model checker	voir documentation PVS	2

Back to Top.

© Copyright 2001-3000 Paul Y Gloess