Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Soundness bug: axioms are used wrongly during induction #108

Closed
meiersi opened this issue Aug 7, 2012 · 2 comments
Closed

Soundness bug: axioms are used wrongly during induction #108

meiersi opened this issue Aug 7, 2012 · 2 comments
Assignees
@meiersi
Labels
critical prover
Milestone
0.8.1.0

Comments

@meiersi
Copy link
Member

meiersi commented Aug 7, 2012

During polishing the section on trace induction in my thesis, I discovered a bug in the use of axioms during induction proofs. The problem is that axioms may filter the traces such that they are no longer prefix-closed. Trace induction is however only sound for prefix-closed sets of traces. Thus it is not sound to use the axioms as-is during the constraint solving, when using trace induction.

What we have to do is to extend the formula initially with all axioms in scope and then apply trace induction. This interacts however badly with the current implementation of precomputed case distinctions, which exploit all axioms in their original form.

The short-term fix is to add the axioms as additional conjuncts to the formula describing the counter-examples. Then, they will also be transformed by the application of trace induction. We can add axioms of the form All x1 ... xn. guards => no existential quantifier directly to the precomputed case distinctions, as these axioms leave the set of traces prefix-closed.

The long-term fix is to additionally refine the precomputed case distinctions with the local assumptions that are available. This requires changing the code for applying induction and inventing an additional user-interface for switching between using induction and not using it (for easy experimentation in the GUI).
@ghost ghost assigned meiersi Aug 7, 2012
meiersi added a commit that referenced this issue Aug 7, 2012
@meiersi
example illustrating soundness bug #108; i.e.,
a32cc3f 
that our current handling of axioms and trace induction is not sound.
@meiersi
Copy link
Member Author

meiersi commented Aug 7, 2012

Tamarin's current output:


==============================================================================
summary of summaries:

analyzed: examples/loops/Axioms_and_Induction.spthy

  NoStep_with_induction (all-traces): verified (5 steps)
  NoStep_without_induction (all-traces): falsified - found trace (4 steps)

==============================================================================

@meiersi
Copy link
Member Author

meiersi commented Aug 13, 2012

I implement the short-term fix with the twist that safety formulas are added directly to the precomputed case distinctions. This is OK, as safety formulas leave the set of traces prefix-close, which is the key requirement for induction.

cascremers pushed a commit to cascremers/tamarin-prover that referenced this issue Feb 26, 2024
@jdreier
Merge pull request tamarin-prover#108 from thgoebel/fix-link
c9e016e 
Fix outdated link
cascremers pushed a commit to cascremers/tamarin-prover that referenced this issue May 15, 2024
@jdreier
Merge pull request tamarin-prover#108 from thgoebel/fix-link
046f695 
Fix outdated link
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@meiersi meiersi

Labels
critical prover
Projects
None yet
Milestone
0.8.1.0
Development

No branches or pull requests
1 participant
@meiersi