Model Checking Failed Conjectures in Theorem Proving: A Case Study

• ABSTRACT:
  
  Interactive mechanical theorem proving can provide high assurance of correct design, but it can also be a slow iterative process. Much time is spent determining why a proof of a conjecture is not forthcoming. In some cases, the conjecture is false and in others, the attempted proof is insufficient. In this case study, we use the SAL family of model checkers to shed light on unproven conjectures generated in the mechanical theorem prover PVS. Specifically, we describe the translation of an undischarged proof obligation in PVS represented as a sequent in the Sequent Calculus into an LTL formula that we model check. The focus of our case study is the ROBUS Interactive Consistency Protocol. We combine the use of a mechanical theorem prover and a model checker to expose a subtle flaw in the protocol that occurs under a particular scenario of faults and processor states. Uncovering the flaw allows us to mend the protocol and its general verification in PVS. Our driving motivation is to make the practice of industrial formal methods more efficient and effective.

• BIBTEX:
  

    @TechReport{Pike_unproven,
    author =       {Lee Pike and Paul Miner and Wilfredo Torres},
    title =        {Model checking failed conjectures in theorem proving: a 
                    case study},
    institution =  {NASA Langley Research Center},
    year =         {2004},
    number =       {{NASA}/{TM}--2004--213278},
    month =        {November},
    note =         {Available at \url{https://leepike.github.io/pub_pages/unproven.html}}}
    

• PAPER DOWNLOAD: pdf

• FILES DOWNLOAD:
  
  
  • PVS files: PVS dump file
  • SAL file: SAL input file

• NOTES: A revised and shortened version of this memorandum is available here.