Mahadevan Subramaniam

Lemma Discovery in Automated Induction

Speculating intermediate lemmas is one of the main reason of user interaction/guidance while mechanically attempting proofs by induction. An approach for generating intermediate lemmas is developed, and its effectiveness is demonstrated while proving properties of recursively defined functions. The approach is guided by the paradigm of attempting to generate a proof of the conclusion subgoal in an induction step by the application of an induction hypothesis (es). Generation of intermediate conjectures is motivated by attempts to find appropriate instantiations for non-induction variables in the main conjecture. In case, the main conjecture does not have any non-induction variables, such variables are introduced by attempting its generalization. A constraint based paradigm is proposed for guessing the missing side of an intermediate conjecture by identifying constraints on the term schemes introduced for the missing side. Definitions and properties of functions are judiciously used for generating instantiations and intermediate conjectures. Heuristics are identified for performing such analysis. The approach fails if appropriate instantiations of non-induction variables cannot be generated. Otherwise, proofs of intermediate conjectures are attempted and the proposed method is recursively applied. The method has proven to be surprisingly effective in speculating intermediate lemmas for tail-recursive programs.

Mechanically Verifying a Family of Multiplier Circuits

A methodology for mechanically verifying a family of parameterized multiplier circuits, including many well-known multiplier circuits such as the linear array, the Wallace tree and the 7-3 multiplier is proposed. A top level specification for these multipliers is obtained by abstracting the commonality in their behavior. The behavioral correctness of any multiplier in the family can be mechanically verified by a uniform proof strategy. Proofs of properties are done by rewriting and induction using an automated theorem prover RRL (Rewrite Rule Laboratory). The behavioral correctness of the circuits is established with respect to addition and multiplication on numbers. The automated proofs involve minimal user intervention in terms of intermediate lemmas required. Generic hardware components are used to segregate the specification and the implementation aspects, enabling verification of circuits in terms of behavioral constraints that can be realized in different ways. The use of generic components aids reuse of proofs and helps modularize the correctness proofs, allowing verification to go hand in hand with the hardware design process in a hierarchical fashion.

New Uses of Linear Arithmetic in Automated Theorem Proving by Induction

Zhang, Kapur, and Krishnamoorthy introduced a cover set method for designing induction schemes for automating proofs by induction from specifications expressed as equations and conditional equations. This method has been implemented in the theorem prover Rewrite Rule Laboratory (RRL) and a proof management system Tecton built on top of RRL, and it has been used to prove many nontrivial theorems and reason about sequential as well as parallel programs. The cover set method is based on the assumption that a function symbol is defined by using a finite set of terminating (conditional or unconditional) rewrite rules. The termination ordering employed in orienting the rules is used to perform proofs by well-founded induction. The left sides of the rules are used to design different cases of an induction sheme, and recursive calls to the function made in the right side can be used to design appropriate instantiations for generating induction hypotheses. A weakness of this method is that it relies on syntactic unification for generating an induction scheme for a conjecture. This paper goes a step further by proposing semantic analysis for generating an induction scheme for a conjecture from a cover set. We discuss the use of a decision procedure for Presburger arithmetic (quantifier-free theory of numbers with the addition operation and relational predicates >, <, ≠, =, ⩾, ⩽) for performing semantic analysis about numbers. The decision procedure is used to generate appropriate induction schemes for a conjecture by using cover sets of function taking numbers as arguments. This extension of the cover set method automates proofs of many theorems that otherwise require human guidance and hints. The effectiveness of the method is demonstrated by using some examples that commonly arise in reasoning about specifications and programs. It is also shown how semantic analysis using a Presburger arithmetic decision procedure can be used for checking the completeness of a cover set of a function defined by using operations such as + and — on numbers. With this check, many function definitions used in a proof of the prime factorization theorem stating that every number can be factored uniquely into prime factors, which had to be checked manually, an now be checked automatically in RRL. The use of the decision procedure for guiding generalization for generating conjectures and merging induction schemes is also illustrated.

Using an induction prover for verifying arithmetic circuits

Abstract.We show that existing theorem proving technology can be used effectively for mechanically verifying a family of arithmetic circuits. A theorem prover implementing: (i) a decision procedure for quantifier-free Presburger arithmetic with uninterpreted function symbols; (ii) conditional rewriting; and (iii) heuristics for carefully selecting induction schemes from terminating recursive function definitions; and (iv) well integrated with backtracking, can automatically verify number-theoretic properties of parameterized and generic adders, multipliers and division circuits. This is illustrated using our theorem prover Rewrite Rule Laboratory (RRL). To our knowledge, this is the first such demonstration of the capabilities of a theorem prover mechanizing induction.The above features of RRL are briefly discussed using illustrations from the verification of adder, multiplier and division circuits. Extensions to the prover likely to make it even more effective for hardware verification are discussed. Furthermore, it is believed that these results are scalable, and the proposed approach is likely to be effective for other arithmetic circuits as well.

Mechanical Verification of Adder Circuits using Rewrite RuleLaboratory

A methodology for mechanically verifying generic adder circuits is proposed using the rewrite-rule based theorem prover Rewrite Rule Laboratory (RRL). Proofs of properties of adder circuit descriptions are done by rewriting and induction. Carry lookahead adder circuit is described using powerlists, a data structure introduced by Misra to support divide-and-conquer strategy used for designing data-parallel algorithms. This description uses an algorithm for parallel prefix computation on powerlists due to Adams. Reasoning about properties of this algorithm can be of independent interest since parallel prefix operator has been found useful in many data-parallel algorithms. The correctness of the carry-lookahead adder (i.e., the adder indeed implements addition on numbers) is established by showing its equivalence to a recursive description of the ripple-carry adder, which is shown to correctly implement addition on natural numbers. The ripple carry adde r circuit is described in two different but equivalent ways: using powerlists employing the divide-and-conquer strategy, as well as using linear lists employing the linear decomposition strategy. The description of the ripple carry adder using powerlists is useful for showing equivalence of its input-output behavior to that of carry lookahead adder, whereas the description using linear lists is useful for showing its correctness with respect to addition on natural numbers. Descriptions of adder circuits using powerlists are based on Adams work who also gave a hand proof of their correctness using the powerlist algebra. The emphasis in this paper is to generate proofs mechanically by a theorem prover . RRL exploits the algebraic laws of the powerlist algebra as rewrite rules, and uses heuristics for mechanizing proofs by induction using the cover set method to generate such proofs. The regularity in hardware circuits gets refl ected in compact descriptions generated using the divide-and-conquer strategy as well as in mechanically generated proofs by induction. Mechanical proofs generated by RRL closely follow the well-crafted hand-proofs which is quite encouraging. A comparison with Adams hand generated proof is also made. There is strong evidence that the proposed methodology for generating proofs should scale up for large circuits exhibiting regularity that can be described using divide-and-conquer strategy in terms of powerlists.

Mechanizing Verification of Arithmetic Circuits: SRT Division

The use of a rewrite-based theorem prover for verifying properties of arithmetic circuits is discussed. A prover such as Rewrite Rule Laboratory (RRL) can be used effectively for establishing numbertheoretic properties of adders, multipliers and dividers. Since verification of adders and multipliers has been discussed elsewhere in earlier papers, the focus in this paper is on a divider circuit. An SRT division circuit similar to the one used in the Intel Pentium processor is mechanically verified using RRL. The number-theoretic correctness of the division circuit is established from its equational specification. The proof is generated automatically, and follows easily using the inference procedures for contextual rewriting and a decision procedure for the quantifier-free theory of numbers (Presburger arithmetic) already implemented in RRL. Additional enhancements to rewrite-based provers such as RRL that would further facilitate verifying properties of circuits with structure similar to that of the SRT division circuit are discussed.

Automating induction over mutually recursive functions

In order to automate proofs by induction a crucial problem that needs to be addressed is to decide on an induction scheme that leads to appropriate induction hypotheses for carrying out the proof. Boyer and Moore proposed in [5] the use of terminating function definitions for generating induction schemes. Inspired by Boyer and Moores work, Zhang, Kapur and Krishnamoorthy introduced the cover set induction method for mechanizing induction for equational specifications in [14]. Both these approaches do not consider interaction among function definitions. Induction schemes are generated by considering function definitions in isolation, one at a time. In applications involving mutually recursive definitions, exploiting interactions among the definitions seems crucial. The cover set method implemented in the theorem prover RRL [13] as well as the methods implemented for induction in Boyer and Moores theorem prover Nqthm based on the above approaches, do not perform well when the definitions involved are mutually recursive. Proving even very simple properties over such definitions by these methods requires some form of user intervention. We discuss how the cover set induction method implemented in RRL can be extended to automatically prove inductive properties of mutual recursive functions. An algorithm for generating cover sets from mutually recursive definitions is given. The proposed method has been implemented in the theorem prover RRL and has been extensively experimented with good results. The effectiveness of the method is illustrated using a nontrivial example of showing the equivalence of the call by value and call by name bottom-up evaluation of arithmetic expressions. A comparison of the method with those employed in Nqthm and also with an approach based on implicit induction [7, 3, 2] implemented in the theorem prover Spike is given.

Automated Reasoning About Parallel Algorithms Using Powerlists

Misra [Mi] recently introduced a regular data structure, called powerlists , using which he showed how many data parallel algorithms, including Batchers merge sort, bitonic sort, fast Fourier transform, prefix sum, can be described concisely using recursion. The elegance of these recursive descriptions is further reflected in deducing properties of these algorithms. It is shown in this paper how such proofs can be easily automated in a theorem prover RRL (Rewrite Rule Laboratory) based on equational and rewriting techniques. In particular, the cover set method for automating proofs by induction in RRL generates proofs which preserve the clarity and succinctness, to a large extant, of hand proofs given in [Mi]. This is illustrated using a correctness proof of Batchers merge sort algorithm. Mechanically generated proofs from specifications of powerlists and parallel algorithms using different approaches are contrasted. It is shown that one gets longer, complex proofs with many cases if powerlists are modeled as a subtype of lists. However, if powerlists are specified using a proposal by Kapur [Kapur] in which the algebraic specification method is extended to associate applicability conditions with functions of a data type thus allowing constructors of a data structure to be partial, then one gets compact and elegant proofs, similar to the ones reported in [Mi]. Applicability conditions can be used to provide contexts for axioms and proofs just like type information. The effectiveness of the proposed axiomatic method becomes all the more evident while reasoning about nested powerlists for modeling n-dimensional arrays, for example, in specifying and reasoning about a transformation for embedding a multi-dimensional array into a hypercube such that adjacency of nodes is preserved by the transformation. A mechanically generated proof of this property of the embedding transformation, which was not proved in Misras paper, is discussed in detail. This problem was presented as a challenge by Misra in private communication to test the effectiveness of the proposed approach. This suggests that the proposed approach for automating reasoning about data parallel algorithms and hardware circuits described recursively using powerlists should scale up, especially if structural properties of nested powerlists are built into RRL.

Mechanizing Reasoning about Large Finite Tables in a Rewrite Based Theorem Prover

Finite tables are commonly used in many hardware and software applications. In most theorem provers, tables are typically axiomatized using predicates over the table indices. For proving conjectures expressed using such tables, provers often have to resort to brute force case analysis, usually based on indices of a table. Resulting proofs can be unnecessarily complicated and lengthy. They are often inefficient to generate as well as difficult to understand. Large tables are often manually abstracted using predicates, which is error-prone; furthermore, the correctness of abstractions must be ensured. An approach for modeling finite tables as a special data structure is proposed for use in Rewrite Rule Laboratory (RRL), a theorem prover for mechanizing equational reasoning and induction based on rewrite techniques. Dontcare entries in tables can be handled explicitly. This approach allows tables to be handled directly without having to resort to any abstraction mechanism. For efficiently processing large tables, concepts of a sparse and weakly sparse tables are introduced based on how frequently particular values appear as table entries. Sparsity in the tables is exploited in correctness proofs by doing case analyses on the table entries rather on the indices. The generated cases are used to deduce constraints on the table indices. Additional domain information about table indices can then be used to further simplify constraints on indices and check them. The methodology is illustrated using a nontrivial correctness proof of the hardware SRT division circuit performed in RRL. 1536 cases originally needed in the correctness proof are reduced to 12 top level cases by using the proposed approach. Each individual top level case generated is much simpler, even though it may have additional subcases. The proposed approach is likely to provide similar gains for applications such as hardware circuits for square root and other arithmetic functions, in which much larger and multiple lookup tables, having structure similar to the sparse structure of the SRT table, are used

Using Linear Arithmetic Procedure for Generating Induction Schemes

Inspired by Boyer and Moores approach for generating induction schemes based on terminating function definitions, Zhang, Kapur and Krishnamoorthy introduced a cover set method for designing induction schemes for automating proofs by induction from specifications expressed as equations and conditional equations. This method has been implemented in the theorem prover Rewrite Rule Laboratory (RRL) and a proof management system Tecton built on top of RRL, and it has been used to prove many nontrivial theorems and reason about sequential as well as parallel programs. The cover set method is based on the assumption that a function symbol is defined using a finite set of terminating (conditional or unconditional) rewrite rules. The left side of the rules are used to design different cases of an induction scheme, and recursive calls to the function made in the right side can be used to design appropriate instantiations for generating induction hypotheses. A weakness of this method is that it relies on syntactic unification for generating an induction scheme for a conjecture. This paper goes a step further by proposing semantic analysis for generating an induction scheme for a conjecture from a cover set. The use of a decision procedure for Presburger arithmetic (quantifier-free theory of numbers with the addition operation and relational predicates , , =, ) is discussed for performing semantic analysis about numbers. The focus in this paper is on the use of the decision procedure for generating appropriate induction schemes from a conjecture and cover sets. This extension of the cover set method automates proofs of many theorems which otherwise, require human guidance and hints. The effectiveness of the method is demonstrated using simple examples which commonly arise in reasoning about specifications and programs. It is shown how semantic analysis using a Presburger arithmetic decision procedure can be used for checking the completeness of a cover set of a function defined using operations such as + and - on numbers. Using this check, the completeness of many function definitions used in a proof of the prime factorization theorem stating that every number can be factored uniquely into prime factors, which had to be checked manually, can now be checked automatically in RRL .