Natarajan Shankar - Academia.edu

Papers by Natarajan Shankar

The Correctness of a Code Generator for a Functional Language

Code generation is gaining popularity as a technique to bridge the gap between high-level models and executable code. We describe the theory underlying the PVS2C code generator that translates functional programs written using the PVS specification language to standalone, efficiently executable C code. We outline a correctness argument for the code generator. The techniques used are quite generic and can be applied to transform programs written in functional languages into imperative code. We use a formal model of reference counting to capture memory management and safe destructive updates for a simple first-order functional language with arrays. We exhibit a bisimulation between the functional execution and the imperative execution. This bisimulation shows that the generated imperative program returns the same result as the functional program.

PVS prover guide

PVS system guide

The PVS Specification Language

Index excerpt: ..., 16; completion analysis, 33; CONJECTURE, 16; conservative extension, 13; constants, 12--13; CONTAINING, 18; COROLLARY, 16; curried applications, 25; declarations, 9--16; formulas, 16; multiple, 9; dependent types, 21--26; empty types, 18; enumeration types, 10, 12; equality, 22; EXISTS, 25; exporting, 9; expression, 29; expressions, 22; f91, 14; FACT, 16; FALSE, 22; FORALL, 25; formal parameters, see theory parameters; FORMULA, 16; formula declarations, 16; function types, 19--20; ...

Metamathematics, machines, and Gödel's proof

Computers & Mathematics with Applications, 1997

Invited paper for FLoC'02. Appears in the Proceedings of FME'02, LNCS

Automated deduction for verification

ACM Computing Surveys, 2009

... successors (WS2S) [Ohlbach et al. 2001]. Modal and temporal logics are surveyed by Goldblatt [1992], Mints [1992], Emerson [1990], and Blackburn et al. [2002]. Applications. Propositional logic has innumerable applications ...

A Mechanized Refinement Proof for a Garbage Collector

We describe how the PVS verification system has been used to verify a safety property of a widely studied garbage collection algorithm. The safety property asserts that "nothing but garbage is ever collected." The garbage collection algorithm and its composition with the user program can be regarded as a concurrent system with two processes working on a shared memory. Such concurrent systems are encoded in PVS as state transition systems using a model similar to TLA [Lam94]. The safety criterion is formulated as a refinement and proved using refinement mappings. Russinoff [Rus94] has verified the algorithm in the Boyer-Moore prover, but his proof is not based on refinement, and the safety property cannot be appreciated without a glass-box view of the workings of the algorithm. Using refinement, however, the safety criterion makes sense independent of the garbage collection algorithm. As a by-product, we encode a version of the theory of refinement mappings in PVS.

Effective Theorem Proving for Hardware Verification

The attractiveness of using theorem provers for system design verification lies in their generality. The major practical challenge confronting theorem proving technology is in combining this generality with an acceptable degree of automation. We describe an approach for enhancing the effectiveness of theorem provers for hardware verification through the use of efficient automatic procedures for rewriting, arithmetic and equality reasoning, and an off-the-shelf BDD-based propositional simplifier. These automatic procedures can be combined into general-purpose proof strategies that can efficiently automate a number of proofs including those of hardware correctness. The inference procedures and proof strategies have been implemented in the PVS verification system. They are applied to several examples including an N-bit adder, the Saxe pipelined processor, and the benchmark Tamarack microprocessor design. These examples illustrate the basic design philosophy underlying PVS where powerful and efficient low-level inferences are employed within high-level user-defined proof strategies. This approach is contrasted with approaches based on tactics or batch-oriented theorem proving.

Embedded deduction with ICS

Formal analyses can provide valuable assurance for high confidence software and systems. The analyses can range from strong typechecking through test case generation and static analysis to model checking and full verification. In all cases, the tools that support the analyses use formal deduction in some way or other. ICS is a fully automatic, high-performance decision procedure for a broad combination of theories that can be embedded in all tools of this kind to provide them with a core deductive capability of exceptional power and performance. We describe the design choices underlying ICS and the capabilities it provides.

PDPAR 2004 Preliminary Version

Most verification approaches assume a mathematical formalism in which functions are total, even though partial functions occur naturally in many applications. Furthermore, although there have been various proposals for logics of partial functions, there is no consensus on which is "the right" logic to use for verification applications. In this paper, we propose using a three-valued Kleene logic, where partial functions return the "undefined" value when applied outside of their domains. The particular semantics are chosen according to the principle of ...

To be presented at the National Security Agency's third High Confidence Software and Systems

Slicing SAL

Industrial Strength Formal Verification Techniques for Hardware Designs

The past decade has seen tremendous progress in the application of formal methods for hardware design and verification. While a number of different techniques based on BDDs, symbolic simulation, special-purpose decision procedures, model checking, and theorem proving have been applied with varying degrees of success, no one technique by itself has proven to be effective enough to verify a complex

An Integration of Model Checking with Automated Proof Checking

Although automated proof checking tools for general-purpose logics have been successfully employed in the verification of digital systems, there are inherent limits to the efficient automation of expressive logics. If the expressiveness is constrained, there are useful logic fragments for which efficient decision procedures can be found. The model checking paradigm yields an important class of decision procedures for establishing temporal properties of finite-state systems. Model checking is remarkably effective for automatically verifying finite automata with relatively small state spaces, but is inadequate when the state spaces are either too large or unbounded. For this reason, it is useful to integrate the complementary technologies of model checking and proof checking. Such an integration has to be carried out in a delicate manner in order to be more than just the sum of the techniques. We describe . We thank John Rushby (SRI) for encouraging us to write this paper and providing comments on earlier drafts of the paper. We are grateful to Geert Janssen (Eindhoven University of Technology) for supplying us the BDD-based mu-calculus model checker used in this work and going well beyond the call of duty in responding to our queries.

A tutorial introduction to PVS

A Tutorial on Using PVS for Hardware Verification

PVS stands for "Prototype Verification System." It consists of a specification language integrated with support tools and a theorem prover. PVS tries to provide the mechanization needed to apply formal methods both rigorously and productively. This tutorial serves to introduce PVS and its use in the context of hardware verification. In the first section, we briefly sketch the purposes for which PVS is intended and the rationale behind its design, and mention some of the uses that we and others are making of it. We give an overview of the PVS specification language and proof checker. The PVS language, system, and theorem prover each have their own reference manuals [1,2,3], which you will need to study in order to make productive use of the system. A pocket reference card, summarizing all the features of the PVS language, system, and prover, is also available. The purpose of this tutorial is not to describe in detail the features of PVS and how to use the system. Rather, its purpose is to introduce some of the more unique and powerful capabilities that are provided by PVS and demonstrate how these features can be used in the context of hardware verification. We present completely worked out proofs of two hardware examples. One of the examples is a pipelined microprocessor that has been used as a benchmark for model checkers, and the other is a parameterized implementation of an N-bit ripple-carry adder.

A tutorial on using PVS

An Integration of Model Checking and Proof Checking

Automatically Extracting Requirements Specifications from Natural Language

Natural language (supplemented with diagrams and some mathematical notations) is convenient for succinct communication of technical descriptions between the various stakeholders (e.g., customers, designers, implementers) involved in the design of software systems. However, natural language descriptions can be informal, incomplete, imprecise and ambiguous, and cannot be processed easily by design and analysis tools. Formal languages, on the other hand, formulate design requirements in a precise and unambiguous mathematical notation, but are more difficult to master and use. We propose a methodology for connecting semi-formal requirements with formal descriptions through an intermediate representation. We have implemented this methodology in a research prototype called ARSENAL with the goal of constructing a robust, scalable, and trainable framework for bridging the gap between natural language requirements and formal tools. The main novelty of ARSENAL lies in its automated generation...
