Program Specialisation,Inductive Theorem Proving and Infinite State Model Checking
Michael Leuschel(joint work with Helko
Lehmann)Invited Talk
Lopstr’03 - Uppsala
1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook
InfiniteModel checking
InductiveTheoremProving
ProgramSpecialisation
InfiniteModel checking
Overview
InductiveTheoremProving
ProgramSpecialisation
Ecce
CTLModel Checker
Point 1: Finite Abstraction of infinite state space correspondence between existing algorithms for PS & ISMC
Point 2: Schema for an inductive proof similarity between ITP & PS control cross-fertilisation ?
SpecialisationResult
Infinite State System
Key Points
InfiniteModel checking
InductiveTheoremProving
ProgramSpecialisation
1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook
Query
(Logic) Program Specialisation
PrologSource
Program
PartialQuery
Rest ofQuery
ProgramSpecialiser
SpecialisedProlog
ProgramOutput
AnotherQuery
Digression on Names
• Partial Evaluation– Specialisation by “partially”
evaluating expressions• Partial Deduction
– Partial evaluation of pure logic programs
• Logic Program Specialisation– Partial evaluation + … (e.g. abstract
interpretation)
Partial Deduction
• Basic Principle:– Instead of building one complete SLD-tree:
Build a finite number of finite “SLD- trees” !– SLD-trees can be incomplete– Clauses of specialised program extracted
from branches– All calls in the leaves must be “covered”
• 4 types of derivations in SLD-trees:– Successful, failed, infinite– Incomplete: no literal selected
An Example
map(P,[],[]).map(P,[H|T],[PH|PT]) :- C=..[P,H,PH], call(C),map(P,T,PT).inv(0,1).inv(1,0).
map (inv,L,R)
{L/[],R/[]}
C=..[inv,H,PH], call(C),map(inv,L’,R’)
{L/[H|L’],R/[PH|R’]}
inv(H,PH),map(inv,L’,R’)
call(inv(H,PH)),map(inv,L’,R’)
{C/inv(H,PH)}
map(inv,[],[]).map(inv,[0|L’],[1|R’]) :- map(inv,L’,R’).map(inv,[1|L’],[0|R’]) :- map(inv,L’,R’). map(inv,L’,R’)
{H/0,PH/1}
map(inv,L’,R’)
{H/1,PH/0}
Overhead removed: 2 faster
map_1([],[]).map_1([0|L’],[1|R’]) :- map_1(L’,R’).map_1([1|L’],[0|R’]) :- map_1(L’,R’).
Control
• Local Control– Determinacy– Well-founded Orders– Well-Quasi Orders
• Homeomorphic embedding
• Global Control– Whistle: Well-Quasi Orders– Generalisation
• msg (most specific generalisation)• Characteristic Trees
A1 A2 A3 A4 ...
Existing Systems
• Online– Mixtus (Sahlin)– Paddy (Prestwich)– SP (Gallagher)– Ecce (Leuschel)
• Offline (control decisions made offline)– Logimix (Mogensen)– Logen (Leuschel & Jørgensen)
Ecce & Logen Demo
• Simple Examples– Map - Ecce– Lambda Interpreter - Logen
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
InfiniteModel checking
InductiveTheoremProving
ProgramSpecialisation
1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook
Model Checking
• Check that a system is a model for a temporal logic formula (CTL, LTL, …)– Most useful temporal formulas are safety
properties
• Decidable for finite state systems• For infinite state systems:
– Decidability results for certain systems & properties
– Abstraction a key issue
erified
∞
Petri Nets
• Petri Nets– Places: contain tokens– Transitions: consume & produce
tokens• Marking:
– A particular state of a Petri net– Vector of natural numbers– Usually: infinite number of markings
reachable
RTP ExampleReceiver of Transmission ProtocolFrom Babylon library of benchmarks
1,0,0,0,0,0,0,0,0,0
0,1,0,0,0,0,0,0,0,0
0,0,1,0,0,0,0,0,0,0
0,0,0,1,0,0,0,0,0,0
Reachable Markings:
0,0,0,0,1,0,0,0,0,0
0,0,0,0,0,1,0,0,0,0
0,0,0,0,0,0,0,1,0,0
0,0,0,0,0,0,0,0,1,00,1,0,0,0,0,0,0,0,1
Coverability of Petri Nets
• Marking m covers m’ if m≥m’• Question:
– Starting from an initial state m0
can we reach a marking mn which covers some given m ?
• Decidable by computing– Karp-Miller Tree or– Finkel’s minimal coverability graphs
0,2,0,1,1
0,1,0,2,0
RTP - CoverabilityCan we cover:
0,1,0,0,0,0,0,0,0,n
0,0,1,0,0,0,0,0,0,n
0,0,0,1,0,0,0,0,0,n
Reachable Markings:
0,0,0,0,1,0,0,0,0,n
0,0,0,0,0,1,0,0,0,n
0,0,0,0,0,0,0,1,0,n
0,0,0,0,0,0,0,0,1,n0,1,0,0,0,0,0,0,0,n+1
…
/* Specialised Predicates: ssat__0__1 :- ssat__0.sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A).sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A).sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A).sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A).sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A).sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A).sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A).sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A).*/
ssat__0 :- fail.ssat__0__1 :- fail.sat__1__2 :- fail.sat_eu__2__3 :- fail.sat_eu__2__4(A) :- fail.sat_eu__2__5(A) :- fail.sat_eu__2__6(A) :- fail.sat_eu__2__7(A) :- fail.sat_eu__2__8(A) :- fail.sat_eu__2__9(A) :- fail.sat_eu__2__10(A) :- fail.sat_eu__2__11(A) :- fail.
0,0,0,0,0,0,0,1,1,0
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
More about the Ecce Postprocessor
• Determinate post-unfolding• Reducing unnecessary polyvariance• …• Most Specific Version (MSV)
Computation– [Marriot,Naish,Lassez88]– Bottom-up abstract interpretation:
• Compose TP with predicate-wise msg
– For every body atom of the program:• unify with an element of S • if none exists: clause can be removed !
ssat__0 :- ssat__0__1.ssat__0__1 :- sat__1__2.
sat__1__2 :- sat_eu__2__3.
sat_eu__2__3 :- sat_eu__2__4(0).
sat_eu__2__4(A) :- sat_eu__2__5(A).
sat_eu__2__5(A) :- sat_eu__2__6(A).
sat_eu__2__6(A) :- sat_eu__2__7(A).sat_eu__2__6(A) :- sat_eu__2__8(A).
sat_eu__2__7(A) :- sat_eu__2__9(A).
sat_eu__2__8(A) :- sat_eu__2__4(s(A)).
sat_eu__2__9(A) :- sat_eu__2__8(A).sat_eu__2__9(A) :- sat_eu__2__10(A).sat_eu__2__9(A) :- sat_eu__2__11(A).
sat_eu__2__10(A) :- sat_eu__2__8(A).
sat_eu__2__11(A) :- sat_eu__2__8(A).
RTP: Ecce & MSV/* Specialised Predicates: ssat__0__1 :- ssat__0.sat__1__2 :- sat__1(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__3 :- sat_eu__2(s(0),0,0,0,0,0,0,0,0,0).sat_eu__2__4(A) :- sat_eu__2(0,s(0),0,0,0,0,0,0,0,A).sat_eu__2__5(A) :- sat_eu__2(0,0,s(0),0,0,0,0,0,0,A).sat_eu__2__6(A) :- sat_eu__2(0,0,0,s(0),0,0,0,0,0,A).sat_eu__2__7(A) :- sat_eu__2(0,0,0,0,s(0),0,0,0,0,A).sat_eu__2__8(A) :- sat_eu__2(0,0,0,0,0,0,0,0,s(0),A).sat_eu__2__9(A) :- sat_eu__2(0,0,0,0,0,s(0),0,0,0,A).sat_eu__2__10(A) :- sat_eu__2(0,0,0,0,0,0,s(0),0,0,A).sat_eu__2__11(A) :- sat_eu__2(0,0,0,0,0,0,0,s(0),0,A). */
ssat__0 :- fail.ssat__0__1 :- fail.sat__1__2 :- fail.sat_eu__2__3 :- fail.sat_eu__2__4(A) :- fail.sat_eu__2__5(A) :- fail.sat_eu__2__6(A) :- fail.sat_eu__2__7(A) :- fail.sat_eu__2__8(A) :- fail.sat_eu__2__9(A) :- fail.sat_eu__2__10(A) :- fail.sat_eu__2__11(A) :- fail.
Ecce + MSV
Ecce
∞ Model Checking by PD
• When does it work ?– Decision procedure for some problems – Extends existing algorithms for some specific classes
of systems & properties ![LeuschelLehmann:CL2000 & PPDP’00, LehmannLeuschel:LPAR2000]
– Always safe, but may answer “don’t know”– Flexible system: various formalisms, properties,
algorithms (backwards/forwards/combined,…)
• Again: this must come at the price of efficiency!?– After all Ecce & Logen were not designed for Model
Checking– How much do we pay ?
Some IMC Experiments:Comparing some tools
• Hytech– Polyhedra, for hybrid systems
• CST (Covering Sharing Tree)– “Attacking Symbolic Explosion,”
Delzanno, Raskin, Van Begin, CAV’01– Compact representation for (infinite) upwards-closed sets– Symbolic, backwards, uses pre-computed structural
invariants to cut search space
• Ecce (+ Logen)– Settings: Finkel
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
CSM
Dekker
Reader/Writer
FMS
Babylon Benchmarks
A more complicated Example:
CSM - Specialisation Result
Some Experiments inInfinite State Model
CheckingCST CST
woEcce Hytech
backHytechfwd
CSM 0.08 0.19 0.13 6.32 ∞
FMS 39.6* 3.50 ? ***
RW -- -- 0.05 ? ***
Dekker(2) 5.4 0.43 >30min 1
*** = out of memory-- = not possible *=using old version, new 2 times faster?
Timings: AMD Athlon 900Mhz, 1.5Gb RAM
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
CSM: The full picture
FDR Spin XTL CST CST-wo Ecce Hytech-back Hytech-fwd2 0.10 0.03 0.01 0.08 0.19 0.53 6.32 0.504 0.25 0.03 0.02 0.08 0.19 9.70 6.32 2.868 1.80 0.12 0.15 0.08 0.19 466.96 6.32 30.91
16 35.64 0.91 1.27 0.08 0.19 6.32 695.5324 out of mem 3.48 32.04 0.08 0.19 6.3232 9.21 220.36 0.08 0.19 6.3240 20.80 746.85 0.08 0.19 6.3248 out of mem out of mem 0.08 0.19 6.32
infty - - - 0.08 0.19 0.13 6.32 infty
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
Some Conclusions
• Ecce surprisingly fast for infinite MC– Better than Hytech, sometimes better than CST
• Ecce (unsurprisingly) slow for finite MC– Future Work: Combine XTL with Ecce
• Infinite MC can be faster than finite MC
• What is the price we pay for implementing a flexible system in Prolog and reusing general purpose program manipulation tools?– Good performance (compared to other tools)!
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
InfiniteModel checking
InductiveTheoremProving
ProgramSpecialisation
1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook
Theorem Proving & Program
Specialisation/Transformation• Lot of interest:
– Supercompilation• Turchin, Glück&Jørgensen
– Unfold/Fold• Pettorossi & Proietti, …
– GPC• Futamura, …
ProofAssistantIsabelle
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
A simple Exampletheory Mirror = PreList: datatype 'a tree = Tip ("[]") | Node "'a tree" 'a "'a tree" consts mirror :: "'a tree => 'a tree" primrec "mirror([]) = []" "mirror((Node ls x rs)) = Node (mirror(rs)) x (mirror(ls))"
lemma mirror_mirror [simp]: "mirror(mirror(xs)) = xs"apply(induct_tac xs)ML "set trace_simp"apply(simp)apply(auto)done
proof (prove): step 1 fixed variables: xsgoal (lemma (mirror_mirror), 2 subgoals): 1. mirror (mirror []) = [] 2. !!tree1 a tree2. [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |] ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2
where we can rewrite: mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 1 we can simplify into: Node (tree1 a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 2 we can simplify into: Node (tree1 a tree2) = Node tree1 a tree2 QED
Can EcceDo this ???
Conjunctive Partial Deduction
• Given a set S = {C1,…,Cn} of atoms:• Build finite, possibly incomplete SLD-trees
for each Ci
• For every non-failing branch:– generate 1 specialised formula Ci L by
computing the resultants
• To get Horn clauses– Rename conjunctions into atoms ! Assign every Ci an atom with the same
variables and each with a different predicate name
Ecce Demo
• Inductive Theorem Proving– Even odd– Mirror_mirror
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
Specialisation Tree as Induction Schema
proof (prove): step 1 fixed variables: xsgoal (lemma (mirror_mirror), 2 subgoals): 1. mirror (mirror []) = [] 2. !!tree1 a tree2. [| mirror (mirror tree1) = tree1; mirror (mirror tree2) = tree2 |] ==> mirror (mirror (Node tree1 a tree2)) = Node tree1 a tree2Goal 2. Rewritten into mirror (Node (mirror tree2) a (mirror tree1)) = Node tree1 a tree2further into Node (mirror(mirror tree1)) a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 1 we can simplify into: Node (tree1 a (mirror(mirror tree2)) = Node tree1 a tree2and by the induction hypothesis 2 we can simplify into: Node (tree1 a tree2) = Node tree1 a tree2 QED
Can you find thecorrespondence?
CPD vs ITP
– Find a set H of induction hypotheses so• we can transform the induction
hypotheses for n+1so as to re-use the induction hypotheses ≤n
– Find a set S of conjunctions so that• they can be unfolded in such a way that
all leaves can be folded back on SITP CPD
Simplify Unfold
Reuse hypotheses in HCondition: ≤ n
Fold on conjunctions in SCondition: instance
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
InfiniteModel checking
InductiveTheoremProving
ProgramSpecialisation
1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook
SpecialisationResult
CTLModel Checker(Prolog Source)
EccePostprocessor
Verification
Result
ProofScript
Validation
Isabelle
ECCE
A Simple Example
Target: x3 >= 1, x4 >= 1
basicME
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
Results
• Ecce specialisation tree can be automatically transformed into a valid induction schema for Isabelle
• Ecce result can by validated• Checking the proof in Isabelle is
several orders of magnitude slower than Ecce– (proof script still at a too high level ?)
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
InfiniteModel checking
InductiveTheoremProving
ProgramSpecialisation
1. Overview2. Program Specialisation & Partial Deduction (PD)3. Infinite State Model Checking (ISMC) by PD4. Inductive Theorem Proving by Conjunctive PD5. Putting everything together6. Conclusion & Outlook
Conclusion I
• Relationship between Infinite state model checking and program specialisation– PS can be used for ISMC
• Efficiency seems to be good!
– Equivalence & decidability results
erified
∞
Conclusion II
• Relationship between inductive theorem proving & program specialisation– PS can be used for some ITP tasks– For one application: automatic translation of
PS output into ITP proof script
• But:– No equivalence between ITP & PS techniques
• E.g., what about rippling ?• ITP & PS communities should look at each other’s
work!
– Some ITP tasks are very, very hard
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.Thankyou
Supplementary Slides
RTP ExampleReceiver of Transmission ProtocolFrom Babylon library of benchmarks
Classical Applications of CPD:
Tupling & Deforestation
CTL model checking/* A Model Checker for CTL fomulas *//* written for XSB-Prolog *//* by Michael Leuschel, Thierry Massart */
sat(_E,true).sat(_E,false) :- fail.sat(E,p(P)) :- prop(E,P). /* proposition */sat(E,and(F,G)) :- sat(E,F), sat(E,G).sat(E,or(F,_G)) :- sat(E,F).sat(E,or(_F,G)) :- sat(E,G).sat(E,not(F)) :- not(sat(E,F)).sat(E,en(F)) :- /* exists next */ trans(_Act,E,E2),sat(E2,F).sat(E,an(F)) :- /* always next */ not(sat(E,en(not(F)))).sat(E,eu(F,G)) :- /* exists until */ sat_eu(E,F,G).sat(E,au(F,G)) :- /* always until */ sat(E,not(eu(not(G),and(not(F),not(G))))), sat_noteg(E,not(G)).sat(E,ef(F)) :- /* exists future */ sat(E,eu(true,F)).sat(E,af(F)) :- /* always future */ sat_noteg(E,not(F)).sat(E,eg(F)) :- /* exists global */ not(sat_noteg(E,F))./* we want gfp -> negate lfp of negation */sat(E,ag(F)) :- /* always global */ sat(E,not(ef(not(F)))).
/* :- table sat_eu/3.*//* tabulation to compute least-fixed point */ sat_eu(E,_F,G) :- /* exists until */ sat(E,G).sat_eu(E,F,G) :- /* exists until */ sat(E,F), trans(_Act,E,E2), sat_eu(E2,F,G).
/* :- table sat_noteg/2.*//* tabulation to compute least-fixed point */
sat_noteg(E,F) :- sat(E,not(F)).sat_noteg(E,F) :- not( (trans(_Act,E,E2),not(sat_noteg(E2,F)))).
/* encoding of the system (here: a Petri net): */
trans(enter_cs,[s(X),s(Sema),CritSec,Y,C], [X,Sema,s(CritSec),Y,C]).
trans(exit_cs,[X,Sema,s(CritSec),Y,C], [X,s(Sema),CritSec,s(Y),C]).
trans(restart,[X,Sema,CritSec,s(Y),ResetCtr], [s(X),Sema,CritSec,Y,s(ResetCtr)]).
prop([X,Sema,s(s(CritSec)),Y,C],unsafe).prop([0,Sema,0,0,C],deadlock).prop([X,0,0,0,C],deadlock).
1) LOGEN - COMPILATION/* file: ctl.pe.sat__ *//* benchmark info: 0 ms *//* atom specialised: sat(_10048,ef(p(unsafe))) */
sat_eu__1([B,C,s(s(D)),E,F]).sat_eu__1([s(G),s(H),I,J,K]) :- sat_eu__1([G,H,s(I),J,K]).sat_eu__1([L,M,s(N),O,P]) :- sat_eu__1([L,s(M),N,s(O),P]).sat_eu__1([Q,R,S,s(T),U]) :- sat_eu__1([s(Q),R,S,T,s(U)]).sat__0(B) :- sat_eu__1(B).
2) ECCE - ABSTRACTION /* Transformation time: 617 ms */sat__0([A,s(0),0,0,0]) :- sat__0__1(A).sat__0__1(s(s(A))) :- sat_eu__1__2(A).sat__0__1(s(A)) :- sat_eu__1__3(A).sat_eu__1__2(A) :- sat_eu__1__9(A).sat_eu__1__2(A) :- sat_eu__1__10(A).sat_eu__1__3(s(A)) :- sat_eu__1__4(A).sat_eu__1__4(A) :- sat_eu__1__5(A).sat_eu__1__4(A) :- sat_eu__1__6(A).sat_eu__1__5(s(A)) :- sat_eu__1__7(A,s(s(0))).sat_eu__1__5(A) :- sat_eu__1__6(A).
…
sat_eu__1__11(A,B) :- sat_eu__1__12(A,s(B)).sat_eu__1__11(A,s(B)) :- sat_eu__1__11(s(A),B).sat_eu__1__12(s(A),B) :- sat_eu__1__11(A,B).sat_eu__1__12(A,s(B)) :- sat_eu__1__12(s(A),B).
3) MSV - ANALYSISsat__0([A,s(0),0,0,0]) :- fail.sat__0__1(s(s(A))) :- fail.sat__0__1(s(A)) :- fail.sat_eu__1__2(A) :- fail....