A Less Elementary Tutorial for the PVS Specification and Verification System

PVS is a verification system that provides a specification language integrated with support tools and a theorem prover. It has been used at SRI and elsewhere to perform verifications of several significant algorithms (primarily for fault tolerance) and large hardware designs. This tutorial introduces some of the more powerful strategies provided by the PVS theorem prover. It consists of two parts: the first extends a previous tutorial by Ricky Butler [But93], demonstrating how his proofs may be performed in a more automated manner; the second uses the "unwinding theorem" from the noninterference formulation of security to introduce theorem-proving strategies for induction that cannot be demonstrated in the framework of Ricky Butler's example. Using the more powerful strategies of PVS to automate easy proofs (and the easy parts of hard proofs) frees users to concentrate on truly difficult proofs. Automation also makes proofs more robust to changes in the specification, thereby facilitating active design exploration and adaptation to changed requirements. This tutorial also shows how specifications and proofs may be better presented using the LaTeX and PostScript generating facilities of PVS. The PVS files for these examples are available at http://www.csl.sri.com/pvs/examples/csl-95-10.html.
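The unwinding theorem mentioned above states that if a system admits, for each security domain u, an equivalence relation on states satisfying three local conditions (output consistency, step consistency, and local respect of the interference policy), then the system satisfies noninterference: no low-domain observation depends on purged high-domain actions. The following is an added illustration in Python, not PVS and not taken from the tutorial; it encodes the standard Goguen-Meseguer/Rushby definitions on a tiny two-domain machine and checks both the trace-based noninterference property (by brute force over bounded traces) and the three unwinding conditions (by exhaustive state-pair enumeration). All names (`Machine`, `LOW`, `HIGH`, the action vocabulary, `SECURE`, `LEAKY`, `EQUIV`) are this example's own assumptions. The point it makes is the one the theorem captures: the unwinding conditions are checked on pairs of states and single actions, whereas the direct definition quantifies over all action sequences, which is why proving that the former imply the latter needs induction.

```python
"""Finite-state model of noninterference and Rushby's unwinding conditions.

Added illustrative Python; not PVS and not code from the tutorial.
Domains: L (low) and H (high). Policy: L may interfere with H, H may not
interfere with L. State = (low_value, high_value), each in {0, 1}.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable

LOW, HIGH = "L", "H"
# Interference policy "u ~> v" as a set of pairs (reflexive, H does not reach L).
INTERFERES = {(LOW, LOW), (LOW, HIGH), (HIGH, HIGH)}

# Action vocabulary (constructed for the example): <domain><write|read>[<value>]
ACTIONS = ("Lw0", "Lw1", "Hw0", "Hw1", "Lr", "Hr")


@dataclass(frozen=True)
class Machine:
    states: frozenset
    s0: tuple
    actions: tuple
    dom: Callable[[str], str]            # dom(a): security domain of action a
    step: Callable[[tuple, str], tuple]  # step(s, a): next state
    output: Callable[[tuple, str], object]  # output(s, a): what dom(a) observes


def step(s, a):
    """Writes update the writer's own component; reads do not change state."""
    low, high = s
    if a[1] == "w":
        v = int(a[2])
        return (v, high) if a[0] == LOW else (low, v)
    return s


def secure_output(s, a):
    # L reads its own value; H reads everything (L ~> H is allowed).
    return s[0] if a == "Lr" else (s if a == "Hr" else None)


def leaky_output(s, a):
    # Deliberately insecure: a low read depends on the high component.
    return (s[0] ^ s[1]) if a == "Lr" else (s if a == "Hr" else None)


STATES = frozenset(product((0, 1), repeat=2))
SECURE = Machine(STATES, (0, 0), ACTIONS, lambda a: a[0], step, secure_output)
LEAKY = Machine(STATES, (0, 0), ACTIONS, lambda a: a[0], step, leaky_output)


def run(m, s, trace):
    for a in trace:
        s = m.step(s, a)
    return s


def purge(m, trace, u):
    """Drop every action whose domain may not interfere with u."""
    return tuple(a for a in trace if (m.dom(a), u) in INTERFERES)


def noninterference_violation(m, max_len):
    """Search traces up to max_len for alpha and a such that
    output(run(s0, alpha), a) != output(run(s0, purge(alpha, dom(a))), a).
    Returns the first counterexample (alpha, a), or None."""
    for n in range(max_len + 1):
        for alpha in product(m.actions, repeat=n):
            for a in m.actions:
                full = m.output(run(m, m.s0, alpha), a)
                purged = m.output(run(m, m.s0, purge(m, alpha, m.dom(a))), a)
                if full != purged:
                    return alpha, a
    return None


def unwinding_failures(m, equiv):
    """equiv(u, s, t) is the candidate unwinding relation s ~u t.
    Returns every violated instance of the three unwinding conditions."""
    failures = []
    for u in (LOW, HIGH):
        for s, t in product(m.states, repeat=2):
            if not equiv(u, s, t):
                continue
            for a in m.actions:
                # Output consistency: s ~dom(a) t  =>  output(s,a) = output(t,a)
                if m.dom(a) == u and m.output(s, a) != m.output(t, a):
                    failures.append(("output consistency", u, s, t, a))
                # Step consistency: s ~u t  =>  step(s,a) ~u step(t,a)
                if not equiv(u, m.step(s, a), m.step(t, a)):
                    failures.append(("step consistency", u, s, t, a))
        for s in m.states:
            for a in m.actions:
                # Local respect: dom(a) not ~> u  =>  s ~u step(s,a)
                if (m.dom(a), u) not in INTERFERES and not equiv(u, s, m.step(s, a)):
                    failures.append(("local respect", u, s, a))
    return failures


def EQUIV(u, s, t):
    """Candidate unwinding relation: L sees only the low component, H sees all."""
    return s[0] == t[0] if u == LOW else s == t


if __name__ == "__main__":
    for name, m in (("secure", SECURE), ("leaky", LEAKY)):
        print(name, "unwinding failures:", unwinding_failures(m, EQUIV))
        print(name, "noninterference counterexample:", noninterference_violation(m, 3))
```

For the secure machine both checks pass; for the leaky one, output consistency fails for domain L on the pair (0,0), (0,1) under `Lr`, and the trace search finds the corresponding counterexample `Hw1` followed by `Lr`. Note that the bounded trace search can only refute noninterference; establishing it for all traces is exactly what the unwinding theorem, proved by induction on the trace, provides.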