Ejemplo n.º 1
0
 def weaken(self, conjs = None, button=None):
     if conjs == None:
         udc = self.conjectures
         udc_text = [str(il.drop_universals(conj.to_formula())) for conj in udc]
         msg = "Select conjecture to remove:"
         cmd = lambda sel: self.weaken([udc[idx] for idx in sel])
         self.ui_parent.listbox_dialog(msg,udc_text,command=cmd,multiple=True)
     else:
         for conj in conjs:
             self.have_cti = False
             self.conjectures.remove(conj)
         self.ui_parent.text_dialog('Removed the following conjectures:',
                                    '\n'.join(str(conj) for conj in conjs))
Ejemplo n.º 2
0
 def weaken(self, conjs=None, button=None):
     if conjs == None:
         udc = self.conjectures
         udc_text = [
             str(il.drop_universals(conj.to_formula())) for conj in udc
         ]
         msg = "Select conjecture to remove:"
         cmd = lambda sel: self.weaken([udc[idx] for idx in sel])
         self.ui_parent.listbox_dialog(msg,
                                       udc_text,
                                       command=cmd,
                                       multiple=True)
     else:
         for conj in conjs:
             self.have_cti = False
             self.conjectures.remove(conj)
         self.ui_parent.text_dialog('Removed the following conjectures:',
                                    '\n'.join(str(conj) for conj in conjs))
Ejemplo n.º 3
0
def add_err_flag(action,erf,errconds):
    if isinstance(action,ia.AssertAction):
        errcond = ilu.dual_formula(il.drop_universals(action.args[0]))
        res = ia.AssignAction(erf,il.Or(erf,errcond))
        errconds.append(errcond)
        res.lineno = action.lineno
        return res
    if isinstance(action,ia.AssumeAction):
        res = ia.AssumeAction(il.Or(erf,action.args[0])) 
        res.lineno = action.lineno
        return res
    if isinstance(action,(ia.Sequence,ia.ChoiceAction,ia.EnvAction,ia.BindOldsAction)):
        return action.clone([add_err_flag(a,erf,errconds) for a in action.args])
    if isinstance(action,ia.IfAction):
        return action.clone([action.args[0]] + [add_err_flag(a,erf,errconds) for a in action.args[1:]])
    if isinstance(action,ia.LocalAction):
        return action.clone(action.args[:-1] + [add_err_flag(action.args[-1],erf,errconds)])
    return action
Ejemplo n.º 4
0
    def property_tactic(self, decls, proof):
        cut = proof.args[0]
        goal = decls[0]
        subgoal = goal_subst(goal, cut, cut.lineno)
        lhs = proof.args[1]
        if not isinstance(lhs, ia.NoneAST):
            fmla = il.drop_universals(cut.formula)
            if not il.is_exists(fmla) or len(fmla.variables) != 1:
                raise IvyError(proof, 'property is not existential')
            evar = list(fmla.variables)[0]
            rng = evar.sort
            vmap = dict((x.name, x) for x in lu.variables_ast(fmla))
            used = set()
            args = lhs.args
            targs = []
            for a in args:
                if a.name in used:
                    raise IvyError(lhs, 'repeat parameter: {}'.format(a.name))
                used.add(a.name)
                if a.name in vmap:
                    v = vmap[a.name]
                    targs.append(v)
                    if not (il.is_topsort(a.sort) or a.sort != v.sort):
                        raise IvyError(lhs, 'bad sort for {}'.format(a.name))
                else:
                    if il.is_topsort(a.sort):
                        raise IvyError(
                            lhs, 'cannot infer sort for {}'.format(a.name))
                    targs.append(a)
            for x in vmap:
                if x not in used:
                    raise IvyError(
                        lhs, '{} must be a parameter of {}'.format(x, lhs.rep))
            dom = [x.sort for x in targs]
            sym = il.Symbol(lhs.rep, il.FuncConstSort(*(dom + [rng])))
            if sym in self.stale or sym in goal_defns(goal):
                raise iu.IvyError(lhs, '{} is not fresh'.format(sym))
            term = sym(*targs) if targs else sym
            fmla = lu.substitute_ast(fmla.body, {evar.name: term})
            cut = clone_goal(cut, [], fmla)
            goal = goal_add_prem(goal, ia.ConstantDecl(sym), goal.lineno)

        return [goal_add_prem(goal, cut, cut.lineno)] + decls[1:] + [subgoal]
Ejemplo n.º 5
0
 def strengthen(self, button=None):
     conj = self.get_selected_conjecture()
     f = il.drop_universals(conj.to_formula())
     self.ui_parent.text_dialog('Add the following conjecture:',
                                str(f),
                                command=lambda: self.add_conjecture(conj))
Ejemplo n.º 6
0
def _write_conj(f, lab, fmla):
    fmla = il.drop_universals(fmla)
    if lab:
        f.write("invariant [{}] {}\n".format(lab, str(fmla)))
    else:
        f.write("invariant {}\n".format(str(fmla)))
Ejemplo n.º 7
0
    def check_inductiveness(self, button=None):
        import ivy_transrel
        from ivy_solver import get_small_model
        from proof import ProofGoal
        from ivy_logic_utils import Clauses, and_clauses, dual_clauses
        from random import randrange
        from ivy_art import AnalysisGraph

        with self.ui_parent.run_context():

            ag, succeed, fail = ivy_trace.make_check_art(
                precond=self.conjectures)

            to_test = [None] + list(self.conjectures)  # None = check safety

            while len(to_test) > 0:
                # choose randomly, so the user can get another result by
                # clicking again
                #                conj = to_test.pop(randrange(len(to_test)))
                conj = to_test.pop(0)
                assert conj == None or conj.is_universal_first_order()
                used_names = frozenset(x.name for x in il.sig.symbols.values())

                def witness(v):
                    c = lg.Const('@' + v.name, v.sort)
                    assert c.name not in used_names
                    return c

                # TODO: this is still a bit hacky, and without nice error reporting
                if self.relations_to_minimize.value == 'relations to minimize':
                    self.relations_to_minimize.value = ' '.join(
                        sorted(k for k, v in il.sig.symbols.iteritems() if (
                            type(v.sort) is lg.FunctionSort
                            and v.sort.range == lg.Boolean
                            and v.name not in self.transitive_relations
                            #                            and '.' not in v.name
                        )))

                if conj == None:  # check safety
                    clauses = ilu.true_clauses()
                    post = fail
                else:
                    clauses = dual_clauses(conj, witness)
                    post = succeed
                history = ag.get_history(post)
                rels_to_min = []
                for x in self.relations_to_minimize.value.split():
                    relation = il.sig.symbols[x]
                    relation = history.maps[0].get(relation, relation)
                    rels_to_min.append(relation)

                clauses.annot = ia.EmptyAnnotation()
                res = ivy_trace.check_final_cond(ag, post, clauses,
                                                 rels_to_min, True)
                #                    res = ag.bmc(post, clauses, None, None, _get_model_clauses)

                if res is not None:
                    self.current_conjecture = conj
                    assert len(res.states) == 2
                    self.g = res
                    self.rebuild()
                    self.view_state(self.g.states[0], reset=True)
                    self.show_used_relations(clauses)
                    #self.post_graph.selected = self.get_relevant_elements(self.post_state[2], clauses)
                    if conj == None:
                        self.ui_parent.ok_dialog(
                            'An assertion failed. A failing state is displayed. You can step into\nthe failing action to observe the failing execution. '
                        )
                    else:
                        self.ui_parent.text_dialog(
                            'The following conjecture is not relatively inductive:',
                            str(il.drop_universals(conj.to_formula())),
                            on_cancel=None)
                    self.have_cti = True
                    return False

    #        self.set_states(False, False)
            self.ui_parent.text_dialog(
                'Inductive invariant found:',
                '\n'.join(str(conj) for conj in self.conjectures))
            self.have_cti = False
            return True
Ejemplo n.º 8
0
def _write_conj(f,lab,fmla):
    fmla = il.drop_universals(fmla)
    if lab:
        f.write("conjecture [{}] {}\n".format(lab,str(fmla)))
    else:
        f.write("conjecture {}\n".format(str(fmla)))
Ejemplo n.º 9
0
def _write_conj(f, lab, fmla):
    fmla = il.drop_universals(fmla)
    if lab:
        f.write("conjecture [{}] {}\n".format(lab, str(fmla)))
    else:
        f.write("conjecture {}\n".format(str(fmla)))
Ejemplo n.º 10
0
def to_aiger(mod,ext_act):

    erf = il.Symbol('err_flag',il.find_sort('bool'))
    errconds = []
    add_err_flag_mod(mod,erf,errconds)

    # we use a special state variable __init to indicate the initial state

    ext_acts = [mod.actions[x] for x in sorted(mod.public_actions)]
    ext_act = ia.EnvAction(*ext_acts)

    init_var = il.Symbol('__init',il.find_sort('bool')) 
    init = add_err_flag(ia.Sequence(*([a for n,a in mod.initializers]+[ia.AssignAction(init_var,il.And())])),erf,errconds)
    action = ia.Sequence(ia.AssignAction(erf,il.Or()),ia.IfAction(init_var,ext_act,init))
    
    # get the invariant to be proved, replacing free variables with
    # skolems. First, we apply any proof tactics.

    pc = ivy_proof.ProofChecker(mod.axioms,mod.definitions,mod.schemata)
    pmap = dict((lf.id,p) for lf,p in mod.proofs)
    conjs = []
    for lf in mod.labeled_conjs:
        if lf.id in pmap:
            proof = pmap[lf.id]
            subgoals = pc.admit_proposition(lf,proof)
            conjs.extend(subgoals)
        else:
            conjs.append(lf)

    invariant = il.And(*[il.drop_universals(lf.formula) for lf in conjs])
#    iu.dbg('invariant')
    skolemizer = lambda v: ilu.var_to_skolem('__',il.Variable(v.rep,v.sort))
    vs = ilu.used_variables_in_order_ast(invariant)
    sksubs = dict((v.rep,skolemizer(v)) for v in vs)
    invariant = ilu.substitute_ast(invariant,sksubs)
    invar_syms = ilu.used_symbols_ast(invariant)
    
    # compute the transition relation

    stvars,trans,error = action.update(mod,None)
    

#    print 'action : {}'.format(action)
#    print 'annotation: {}'.format(trans.annot)
    annot = trans.annot
#    match_annotation(action,annot,MatchHandler())
    
    indhyps = [il.close_formula(il.Implies(init_var,lf.formula)) for lf in mod.labeled_conjs]
#    trans = ilu.and_clauses(trans,indhyps)

    # save the original symbols for trace
    orig_syms = ilu.used_symbols_clauses(trans)
    orig_syms.update(ilu.used_symbols_ast(invariant))
                     
    # TODO: get the axioms (or maybe only the ground ones?)

    # axioms = mod.background_theory()

    # rn = dict((sym,tr.new(sym)) for sym in stvars)
    # next_axioms = ilu.rename_clauses(axioms,rn)
    # return ilu.and_clauses(axioms,next_axioms)

    funs = set()
    for df in trans.defs:
        funs.update(ilu.used_symbols_ast(df.args[1]))
    for fmla in trans.fmlas:
        funs.update(ilu.used_symbols_ast(fmla))
#   funs = ilu.used_symbols_clauses(trans)
    funs.update(ilu.used_symbols_ast(invariant))
    funs = set(sym for sym in funs if  il.is_function_sort(sym.sort))
    iu.dbg('[str(fun) for fun in funs]')

    # Propositionally abstract

    # step 1: get rid of definitions of non-finite symbols by turning
    # them into constraints

    new_defs = []
    new_fmlas = []
    for df in trans.defs:
        if len(df.args[0].args) == 0 and is_finite_sort(df.args[0].sort):
            new_defs.append(df)
        else:
            fmla = df.to_constraint()
            new_fmlas.append(fmla)
    trans = ilu.Clauses(new_fmlas+trans.fmlas,new_defs)

    # step 2: get rid of ite's over non-finite sorts, by introducing constraints

    cnsts = []
    new_defs = [elim_ite(df,cnsts) for df in trans.defs]
    new_fmlas = [elim_ite(fmla,cnsts) for fmla in trans.fmlas]
    trans = ilu.Clauses(new_fmlas+cnsts,new_defs)
    
    # step 3: eliminate quantfiers using finite instantiations

    from_asserts = il.And(*[il.Equals(x,x) for x in ilu.used_symbols_ast(il.And(*errconds)) if
                            tr.is_skolem(x) and not il.is_function_sort(x.sort)])
    iu.dbg('from_asserts')
    invar_syms.update(ilu.used_symbols_ast(from_asserts))
    sort_constants = mine_constants(mod,trans,il.And(invariant,from_asserts))
    sort_constants2 = mine_constants2(mod,trans,invariant)
    print '\ninstantiations:'
    trans,invariant = Qelim(sort_constants,sort_constants2)(trans,invariant,indhyps)
    
    
#    print 'after qe:'
#    print 'trans: {}'.format(trans)
#    print 'invariant: {}'.format(invariant)

    # step 4: instantiate the axioms using patterns

    # We have to condition both the transition relation and the
    # invariant on the axioms, so we define a boolean symbol '__axioms'
    # to represent the axioms.

    axs = instantiate_axioms(mod,stvars,trans,invariant,sort_constants,funs)
    ax_conj = il.And(*axs)
    ax_var = il.Symbol('__axioms',ax_conj.sort)
    ax_def = il.Definition(ax_var,ax_conj)
    invariant = il.Implies(ax_var,invariant)
    trans = ilu.Clauses(trans.fmlas+[ax_var],trans.defs+[ax_def])
    
    # step 5: eliminate all non-propositional atoms by replacing with fresh booleans
    # An atom with next-state symbols is converted to a next-state symbol if possible

    stvarset = set(stvars)
    prop_abs = dict()  # map from atoms to proposition variables
    global prop_abs_ctr  # sigh -- python lameness
    prop_abs_ctr = 0   # counter for fresh symbols
    new_stvars = []    # list of fresh symbols

    # get the propositional abstraction of an atom
    def new_prop(expr):
        res = prop_abs.get(expr,None)
        if res is None:
            prev = prev_expr(stvarset,expr,sort_constants)
            if prev is not None:
#                print 'stvar: old: {} new: {}'.format(prev,expr)
                pva = new_prop(prev)
                res = tr.new(pva)
                new_stvars.append(pva)
                prop_abs[expr] = res  # prevent adding this again to new_stvars
            else:
                global prop_abs_ctr
                res = il.Symbol('__abs[{}]'.format(prop_abs_ctr),expr.sort)
#                print '{} = {}'.format(res,expr)
                prop_abs[expr] = res
                prop_abs_ctr += 1
        return res

    # propositionally abstract an expression
    global mk_prop_fmlas
    mk_prop_fmlas = []
    def mk_prop_abs(expr):
        if il.is_quantifier(expr) or len(expr.args) > 0 and any(not is_finite_sort(a.sort) for a in expr.args):
            return new_prop(expr)
        return expr.clone(map(mk_prop_abs,expr.args))

    
    # apply propositional abstraction to the transition relation
    new_defs = map(mk_prop_abs,trans.defs)
    new_fmlas = [mk_prop_abs(il.close_formula(fmla)) for fmla in trans.fmlas]

    # find any immutable abstract variables, and give them a next definition

    def my_is_skolem(x):
        res = tr.is_skolem(x) and x not in invar_syms
        return res    
    def is_immutable_expr(expr):
        res = not any(my_is_skolem(sym) or tr.is_new(sym) or sym in stvarset for sym in ilu.used_symbols_ast(expr))
        return res
    for expr,v in prop_abs.iteritems():
        if is_immutable_expr(expr):
            new_stvars.append(v)
            print 'new state: {}'.format(expr)
            new_defs.append(il.Definition(tr.new(v),v))

    trans = ilu.Clauses(new_fmlas+mk_prop_fmlas,new_defs)

    # apply propositional abstraction to the invariant
    invariant = mk_prop_abs(invariant)

    # create next-state symbols for atoms in the invariant (is this needed?)
    rn = dict((sym,tr.new(sym)) for sym in stvars)
    mk_prop_abs(ilu.rename_ast(invariant,rn))  # this is to pick up state variables from invariant

    # update the state variables by removing the non-finite ones and adding the fresh state booleans
    stvars = [sym for sym in stvars if is_finite_sort(sym.sort)] + new_stvars

#    iu.dbg('trans')
#    iu.dbg('stvars')
#    iu.dbg('invariant')
#    exit(0)

    # For each state var, create a variable that corresponds to the input of its latch
    # Also, havoc all the state bits except the init flag at the initial time. This
    # is needed because in aiger, all latches start at 0!

    def fix(v):
        return v.prefix('nondet')
    def curval(v):
        return v.prefix('curval')
    def initchoice(v):
        return v.prefix('initchoice')
    stvars_fix_map = dict((tr.new(v),fix(v)) for v in stvars)
    stvars_fix_map.update((v,curval(v)) for v in stvars if v != init_var)
    trans = ilu.rename_clauses(trans,stvars_fix_map)
#    iu.dbg('trans')
    new_defs = trans.defs + [il.Definition(ilu.sym_inst(tr.new(v)),ilu.sym_inst(fix(v))) for v in stvars]
    new_defs.extend(il.Definition(curval(v),il.Ite(init_var,v,initchoice(v))) for v in stvars if  v != init_var)
    trans = ilu.Clauses(trans.fmlas,new_defs)
    
    # Turn the transition constraint into a definition
    
    cnst_var = il.Symbol('__cnst',il.find_sort('bool'))
    new_defs = list(trans.defs)
    new_defs.append(il.Definition(tr.new(cnst_var),fix(cnst_var)))
    new_defs.append(il.Definition(fix(cnst_var),il.Or(cnst_var,il.Not(il.And(*trans.fmlas)))))
    stvars.append(cnst_var)
    trans = ilu.Clauses([],new_defs)
    
    # Input are all the non-defined symbols. Output indicates invariant is false.

#    iu.dbg('trans')
    def_set = set(df.defines() for df in trans.defs)
    def_set.update(stvars)
#    iu.dbg('def_set')
    used = ilu.used_symbols_clauses(trans)
    used.update(ilu.symbols_ast(invariant))
    inputs = [sym for sym in used if
              sym not in def_set and not il.is_interpreted_symbol(sym)]
    fail = il.Symbol('__fail',il.find_sort('bool'))
    outputs = [fail]
    

#    iu.dbg('trans')
    
    # make an aiger

    aiger = Encoder(inputs,stvars,outputs)
    comb_defs = [df for df in trans.defs if not tr.is_new(df.defines())]

    invar_fail = il.Symbol('invar__fail',il.find_sort('bool'))  # make a name for invariant fail cond
    comb_defs.append(il.Definition(invar_fail,il.Not(invariant)))

    aiger.deflist(comb_defs)
    for df in trans.defs:
        if tr.is_new(df.defines()):
            aiger.set(tr.new_of(df.defines()),aiger.eval(df.args[1]))
    miter = il.And(init_var,il.Not(cnst_var),il.Or(invar_fail,il.And(fix(erf),il.Not(fix(cnst_var)))))
    aiger.set(fail,aiger.eval(miter))

#    aiger.sub.debug()

    # make a decoder for the abstract propositions

    decoder = dict((y,x) for x,y in prop_abs.iteritems())
    for sym in aiger.inputs + aiger.latches:
        if sym not in decoder and sym in orig_syms:
            decoder[sym] = sym

    cnsts = set(sym for syms in sort_constants.values() for sym in syms)
    return aiger,decoder,annot,cnsts,action,stvarset
Ejemplo n.º 11
0
 def strengthen(self, button=None):
     conj = self.get_selected_conjecture()
     f = il.drop_universals(conj.to_formula())
     self.ui_parent.text_dialog('Add the following conjecture:',str(f),
                                command = lambda : self.add_conjecture(conj))
Ejemplo n.º 12
0
    def check_inductiveness(self, button=None):
        import ivy_transrel
        from ivy_solver import get_small_model
        from proof import ProofGoal
        from ivy_logic_utils import Clauses, and_clauses, dual_clauses
        from random import randrange
        from ivy_art import AnalysisGraph
        
        with self.ui_parent.run_context():

            ag = self.new_ag()

            pre = State()
            pre.clauses = and_clauses(*self.conjectures)

            action = im.module.actions['ext']
            with EvalContext(check=False): # don't check safety
                post = ag.execute(action, pre, None, 'ext')
            post.clauses = ilu.true_clauses()

            to_test =  [None] + list(self.conjectures)  # None = check safety

            while len(to_test) > 0:
                # choose randomly, so the user can get another result by
                # clicking again
#                conj = to_test.pop(randrange(len(to_test)))
                conj = to_test.pop(0)
                assert conj == None or conj.is_universal_first_order()
                used_names = frozenset(x.name for x in il.sig.symbols.values())
                def witness(v):
                    c = lg.Const('@' + v.name, v.sort)
                    assert c.name not in used_names
                    return c

                # TODO: this is still a bit hacky, and without nice error reporting
                if self.relations_to_minimize.value == 'relations to minimize':
                    self.relations_to_minimize.value = ' '.join(sorted(
                        k for k, v in il.sig.symbols.iteritems()
                        if (type(v.sort) is lg.FunctionSort and
                            v.sort.range == lg.Boolean and
                            v.name not in self.transitive_relations 
#                            and '.' not in v.name
                        )
                    ))

                if conj == None: # check safety
                    clauses = ilu.true_clauses()
                    rels_to_min = [il.sig.symbols[x] for x in self.relations_to_minimize.value.split()]
                else:
                    clauses = dual_clauses(conj, witness)
                    history = ag.get_history(post)
                    rels_to_min = []
                    for x in self.relations_to_minimize.value.split():
                        relation = il.sig.symbols[x]
                        relation = history.maps[0].get(relation, relation)
                        rels_to_min.append(relation)
                        
                _get_model_clauses = lambda clauses, final_cond=False: get_small_model(
                    clauses,
                    sorted(il.sig.sorts.values()),
                    rels_to_min,
                    final_cond = final_cond
                )

                if conj == None:
                    res = ag.check_bounded_safety(post, _get_model_clauses)
                else:
                    res = ag.bmc(post, clauses, None, None, _get_model_clauses)

                if res is not None:
                    self.current_conjecture = conj
                    assert len(res.states) == 2
    #                self.set_states(res.states[0], res.states[1])
    #                self.cti = self.ui_parent.add(res)

                    self.g = res
                    self.rebuild()
                    self.view_state(self.g.states[0], reset=True)
                    self.show_used_relations(clauses)
                    #self.post_graph.selected = self.get_relevant_elements(self.post_state[2], clauses)
                    if conj == None:
                        self.ui_parent.ok_dialog('An assertion failed. A failing state is displayed. You can decompose\nthe failing action to observe the failing execution. ')
                    else:
                        self.ui_parent.text_dialog('The following conjecture is not relatively inductive:',
                                                   str(il.drop_universals(conj.to_formula())),on_cancel=None)
                    self.have_cti = True
                    return False

    #        self.set_states(False, False)
            self.ui_parent.text_dialog('Inductive invariant found:',
                                       '\n'.join(str(conj) for conj in self.conjectures))
            self.have_cti = False
            return True