Proof translation
from CVC3 to Hol light
Yeting Ge
Acsys
Mar 5, 2008
CVC3: an SMT solver

- CVC3 is complicated
  - SAT, decision procedures, ...
  - About 400k lines of code in all
- Are the results from CVC3 correct?
  - Extremely difficult to verify that CVC3 is correct
- Check the proofs from CVC3
  - CVC3 can produce a "proof" for an unsat case
  - Proofs are big and a proof checker is needed
  - Is the proof checker correct?
    - Have to check hundreds of proof rules
Outline

- SMT solvers and CVC3
  - SMT example
  - Proofs in CVC3
    - Boolean resolution
    - Theory proof rules
- HOL and Hol light
  - Features
  - Proofs in HOL
- Translation from CVC3 into Hol light
- SMT LIB benchmarks certification
SMT solver

- Satisfiability Modulo Theories
  - Arithmetic, bit vector, array, equality, ...
  - Is plus(a, b)  plus(b, a) satisfiable?

Diagram: the input formula is abstracted for a SAT solver, which works together with theory solvers (equality, arithmetic, ...)
SMT example

To prove (a  b)  (f(a)  f(b)) is unsatisfiable

Diagram: abstraction, SAT solver and theory solver
  Abstraction: (a  b)  (f(a)  f(b)) with b1 : (a  b) and b2 : f(a)  f(b)
  SAT solver: b1  b2, assignment { b1  T , b2  F }, then no more assignments: unsat
  Theory solver: a  b and f(a)  f(b): T  unsat
Proofs in CVC3

- Proofs from theory solvers
- Proofs from the SAT solver
  - Modern SAT solvers can dump proofs
  - A tree of boolean resolutions

To prove ~A \/ B, ~A \/ ~B, A |- F:

  A:BOOLEAN;
  B:BOOLEAN;
  ASSERT(NOT A OR B);
  ASSERT((NOT A) OR (NOT B));
  ASSERT(A);
  QUERY(FALSE);
  DUMP_PROOF;
Boolean resolution

~A \/ B, ~A \/ ~B, A |- F

Dumped proof from minisat (I = input clause, D = derived clause; a D line ends with its resolution chain, in which each -v names the variable resolved on before the next clause):

  5  I : +2 -1 -3 :
  6  I : +1 :
  9  I : -2 -3 -4 :
  10 I : +4 :
  11 I : +3 :
  12 D : +2 : 5 -1 6 -3 11
  13 D :    : 9 -2 12 -3 11 -4 10

Variable numbering:

  1 : (B \/ ~A)
  2 : B
  3 : A
  4 : (~A \/ ~B)

The same proof with the variables written out:

  5  I : B, ~(B \/ ~A), ~A
  6  I : (B \/ ~A)
  9  I : ~B, ~A, ~(~A \/ ~B)
  10 I : (~A \/ ~B)
  11 I : A
  12 D : B              : B, ~A : 5 6
                          B : 11
  13 D : (empty clause) : ~A, ~(~A \/ ~B) : 9 12
                          ~(~A \/ ~B) : 11
                          (empty clause) : 10
The proof from CVC3

  Proof(minisat_proof(FALSE,
    bool_resolution(NOT (NOT A OR NOT B),
      bool_resolution(NOT A,
        bool_resolution(NOT B,
          CNF("or_final", (NOT A OR NOT B), (NOT A OR NOT B), 0),
          bool_resolution(NOT A,
            bool_resolution(NOT (B OR NOT A),
              CNF("or_final", (B OR NOT A), (B OR NOT A), 0),
              cnf_add_unit((B OR NOT A),
                iff_mp((NOT A OR B), (B OR NOT A), assump_23,
                  rewrite_or((NOT A OR B), (B OR NOT A))))),
            cnf_add_unit(A, assump_25))),
        cnf_add_unit(A, assump_25)),
      cnf_add_unit((NOT A OR NOT B), assump_24))))
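As an added example (Python of my own, not code from the talk, CVC3 or minisat), here is a checker that replays the dumped proof above: it parses the dump, admits an I clause only if it is one of the CNF or_final clauses or assumptions visible in the CVC3 proof term, and re-derives every D clause by resolution along its chain. The dump text, the line format, the admitted set INPUTS and the variable names are constructed from the slide.

```python
# Added example, not code from the talk: a checker for the minisat proof dump
# shown above. Literals are signed ints (+v = variable v, -v = its negation).

VARS = {1: "(B \\/ ~A)", 2: "B", 3: "A", 4: "(~A \\/ ~B)"}  # numbering from the slide

# Constructed from the slide. Format: id kind : literals : resolution chain,
# where kind is I (input) or D (derived) and in a chain "c0 -v1 c1 -v2 c2 ..."
# each -v names the pivot variable on which the running clause meets the next one.
PROOF_DUMP = """
5 I : +2 -1 -3 :
6 I : +1 :
9 I : -2 -3 -4 :
10 I : +4 :
11 I : +3 :
12 D : +2 : 5 -1 6 -3 11
13 D : : 9 -2 12 -3 11 -4 10
"""

def or_final_clause(name, disjuncts):
    """CNF translation clause for a named disjunction: name ==> (l1 \\/ l2 ...)."""
    return frozenset([-name] + list(disjuncts))

# Clauses the checker may accept as inputs: the two or_final clauses from the
# CNF translation plus the three assumptions, unit clauses on variables 1, 4, 3.
INPUTS = {
    or_final_clause(1, [2, -3]),   # 1 = (B \/ ~A)
    or_final_clause(4, [-3, -2]),  # 4 = (~A \/ ~B)
    frozenset({1}), frozenset({4}), frozenset({3}),
}

def parse_dump(text):
    """Yield (id, kind, literals, chain) for each non-empty line of the dump."""
    for line in text.splitlines():
        if not line.strip():
            continue
        head, lits, chain = (part.split() for part in line.split(":"))
        yield int(head[0]), head[1], frozenset(map(int, lits)), list(map(int, chain))

def resolve(c1, c2, var):
    """Resolve c1 and c2 on var; the pivot must occur with opposite signs."""
    if var in c1 and -var in c2:
        return (c1 - {var}) | (c2 - {-var})
    if -var in c1 and var in c2:
        return (c1 - {-var}) | (c2 - {var})
    raise ValueError(f"variable {var} is not a pivot of the two clauses")

def replay(text, inputs):
    """Replay the dump: every I clause must be an admitted input, every D
    clause must be exactly what its chain derives. Returns {id: clause}."""
    clauses = {}
    for cid, kind, lits, chain in parse_dump(text):
        if kind == "I":
            if lits not in inputs:
                raise ValueError(f"clause {cid} is not an input clause")
        elif kind == "D":
            cur = clauses[chain[0]]
            for pivot, other in zip(chain[1::2], chain[2::2]):
                cur = resolve(cur, clauses[other], -pivot)
            if cur != lits:
                raise ValueError(f"clause {cid} does not follow from its chain")
        else:
            raise ValueError(f"clause {cid}: unknown kind {kind}")
        clauses[cid] = lits
    return clauses

def proof_is_valid(text, inputs):
    """True iff the dump replays without error and derives the empty clause."""
    try:
        return frozenset() in replay(text, inputs).values()
    except (ValueError, KeyError):
        return False

def show(clause):
    """Print a clause with the variable names, as on the slide; empty = F."""
    lits = sorted(clause, key=abs)
    return ", ".join(("" if l > 0 else "~") + VARS[abs(l)] for l in lits) or "F"

if __name__ == "__main__":
    for cid, clause in replay(PROOF_DUMP, INPUTS).items():
        print(cid, ":", show(clause))
    print("refutation valid:", proof_is_valid(PROOF_DUMP, INPUTS))
```

The checker trusts nothing in the dump: a D clause that does not equal the result of its chain, an I clause outside the admitted set, or a chain naming a non-pivot variable all make proof_is_valid return False. This is the "boolean resolution and tautologies" part of the ideal checker from the next slides; the theory rules are what it cannot cover.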
Proofs from theory solvers

- Proof rules are much more complicated than boolean resolution
- Over 400 proof rules in CVC3
- Example: mult_eqn
    |- (x = y) <=> (x * z = y * z)
  - A proof checker must make sure that z is not equivalent to 0, which is not an easy job
Ideal proof checker for SMT solvers

- CNF clauses in CVC3
  - Original clauses (assumptions)
  - CNF translation clauses
    - Tautologies (not always)
  - Theory clauses
    - Extra clauses asserted by theory solvers
- Can check boolean resolution and tautologies
- Can handle all theory proof rules
  - Theory specific calculations
HOL family of proof assistants

- Based on higher order logic (lambda calculus)
  - Powerful, can formalize most mathematics
- Simple and small core
  - Only four kinds of terms
- Definitional extension
  - All theories (even /\ \/ ) are defined
  - All theorems must be created in a constructive way
  - Soundness is guaranteed if the core is correct
- Implemented in ML
  - Programmable, easy to extend and include new decision procedures
Hol light

- Minimized core
  - 10 inference rules on equality
  - 3 axioms (axiom of choice, infinity)
  - About 400 lines of Ocaml
- Chosen for a number of projects
  - Verification of floating point algorithms at Intel
  - Kepler Conjecture
    - A group of experts spent five years, unable to verify the proof
    - Formalize the proof in Hol light
- Includes theory of arithmetic
Proofs in Hol light

- All theorems are constructed by using Hol proof rules

  # ASSUME `a:bool`;;
  val it : thm = a |- a

- Derived proof rules are just Ocaml functions

  let PROVE_HYP ath bth =
    if exists (aconv (concl ath)) (hyp bth)
    then EQ_MP (DEDUCT_ANTISYM_RULE ath bth) ath
    else bth;;
Translate proofs into HOL light

- Instead of a proof checker, we propose a translator of the proofs from CVC3 into Hol light
- Proof checking is done by Hol Light
- If the translation is successful, then the same theorem is proved in Hol light
- If a theorem is proved in Hol light, we are more confident that the theorem is true
Translation into Hol light

- Hol light and CVC3 are connected through the C interface of Ocaml and CVC3
- CVC3 terms are translated into Hol terms
  - CVC3 uninterpreted functions are translated into combinations
- For each CVC3 proof rule, we write an Ocaml function
  - Prove a higher order theorem, then instantiate it
Translate boolean resolution

- Suppose two theorems, corresponding to two CNF clauses, have been proved in HOL:
    (1) ... |- A1 \/ (A2 \/ (A3 \/ ...))
    (2) ... |- B1 \/ (~A2 \/ (B3 \/ ...))
- The desired theorem is:
    (3) ... |- A1 \/ A3 \/ B1 \/ B3 \/ ...
- The proof of (3) is time consuming
  - Duplicated terms in (3) must be removed
- Change the representation:
    (1)' ... ~A1, ~A2, ~A3, ... |- F
    (2)' ... ~B1, A2, ~B3, ... |- F
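As an added example (Python of my own, not the translator's OCaml), here is a toy LCF-style kernel that keeps every clause in the (1)'/(2)' form and performs one resolution step with exactly two primitive rules; it replays the minisat proof from the boolean resolution slide. The Thm type, the string encoding of formulas, the CCONTR rule and the admit_clause shortcut (which stands in for clauses that the real translator has already proved in HOL) are this example's assumptions; PROVE_HYP computes the same hypothesis set as the OCaml definition shown earlier.

```python
# Added example, not the translator's OCaml: a toy LCF-style kernel. A theorem
# is (hypotheses, conclusion); only the rule functions below build theorems.
# Formulas are strings; atoms are letters and compound formulas are
# parenthesised, so negation can be handled syntactically.
from dataclasses import dataclass

@dataclass(frozen=True)
class Thm:
    hyps: frozenset   # hypotheses
    concl: str        # conclusion

def neg(p):
    """~p, with ~~p collapsing to p (classical logic, as in HOL)."""
    return p[1:] if p.startswith("~") else "~" + p

def ASSUME(p):
    """p |- p"""
    return Thm(frozenset({p}), p)

def CCONTR(p, th):
    """From G, ~p |- F derive G |- p (the shape of HOL Light's CCONTR)."""
    if th.concl != "F":
        raise ValueError("CCONTR needs a theorem whose conclusion is F")
    return Thm(th.hyps - {neg(p)}, p)

def PROVE_HYP(ath, bth):
    """From G1 |- p and G2, p |- q derive G1 u (G2 - {p}) |- q, which is the
    hypothesis set EQ_MP (DEDUCT_ANTISYM_RULE ath bth) ath yields in HOL Light.
    Like the OCaml version, returns bth unchanged when p is not a hypothesis."""
    if ath.concl not in bth.hyps:
        return bth
    return Thm(ath.hyps | (bth.hyps - {ath.concl}), bth.concl)

# --- the (1)' / (2)' representation of clauses -----------------------------

def admit_clause(lits):
    """Stand-in for a CNF clause already proved in HOL: the clause
    l1 \\/ l2 \\/ ... is kept as the refutation  ~l1, ~l2, ... |- F."""
    return Thm(frozenset(neg(l) for l in lits), "F")

def clause_of(th):
    """Read a refutation G |- F back as a clause (sorted list of literals)."""
    if th.concl != "F":
        raise ValueError("not a clause theorem")
    return sorted(neg(h) for h in th.hyps)

def resolve(pos, negth, p):
    """Resolve on literal p: pos is the clause containing p (hypothesis ~p),
    negth the clause containing ~p (hypothesis p). Two primitive steps:
    discharge ~p with CCONTR, then cut p out of negth with PROVE_HYP.
    The hypothesis sets merge, so duplicate literals vanish for free."""
    if neg(p) not in pos.hyps or p not in negth.hyps:
        raise ValueError(f"{p} is not a pivot of the two clauses")
    return PROVE_HYP(CCONTR(p, pos), negth)

# Replay the minisat proof from the boolean resolution slide in this form.
OR1, OR4 = "(B \\/ ~A)", "(~A \\/ ~B)"       # CNF variables 1 and 4
C5 = admit_clause(["B", neg(OR1), "~A"])      # or_final clause for variable 1
C6 = admit_clause([OR1])
C9 = admit_clause(["~B", "~A", neg(OR4)])     # or_final clause for variable 4
C10 = admit_clause([OR4])
C11 = admit_clause(["A"])

def derive_c12():
    """12 D : B  (5 resolved with 6 on variable 1, then with 11 on A)."""
    th = resolve(C6, C5, OR1)        # B, ~A : 5 6
    return resolve(C11, th, "A")     # B     : 11

def derive_c13():
    """13 D : empty  (9 with 12 on B, then 11 on A, then 10 on variable 4)."""
    th = resolve(derive_c12(), C9, "B")   # ~A, ~(~A \/ ~B) : 9 12
    th = resolve(C11, th, "A")            # ~(~A \/ ~B)     : 11
    return resolve(C10, th, OR4)          # empty           : 10

if __name__ == "__main__":
    print("12:", clause_of(derive_c12()))
    print("13:", clause_of(derive_c13()), "(empty clause: refutation done)")
```

With clauses as refutations, a resolution step never rebuilds a nested disjunction and never has to search for and remove duplicated disjuncts: resolving A1 \/ A2 \/ A3 with B1 \/ ~A2 \/ A3 gives the hypothesis set {~A1, ~A3, ~B1}, with A3 appearing once, directly from the set union inside PROVE_HYP.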
Translate theory proof rules

|- (x = y) <=> (x * z = y * z)

  let x = translate_term vc (child expr 1) in
  let y = translate_term vc (child expr 2) in
  let z = translate_term vc (child expr 3) in
  let znz = prove_DIV_NOT_EQ_0 z in
  SPECL [x;y] (MATCH_MP REAL_NZ_RMUL znz)

  # REAL_NZ_RMUL;;
  val it : thm = |- !x y z. ~(z = &0) ==> (x = y <=> x * z = y * z)
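As an added example (Python of my own, not the translator's OCaml), here is the same translation step for mult_eqn with the side condition made explicit: the rule application is translated only after a theorem ~(z = &0) has been obtained, otherwise it is refused. The tuple encoding of CVC3 expressions, the prove_nonzero routine (a stand-in for prove_DIV_NOT_EQ_0 that only decides numerals, negations and products of them) and the printed theorem strings are this example's assumptions.

```python
# Added example, not the translator's code: translating CVC3's mult_eqn rule
# into a theorem only after its side condition is discharged. CVC3 expressions
# are modelled as nested tuples ("KIND", children...); the kinds, the
# prove_nonzero routine and the theorem strings are this example's own
# conventions, standing in for translate_term, prove_DIV_NOT_EQ_0 and HOL
# Light theorem values.

def child(expr, i):
    """i-th child of a rule application, 1-based as in the OCaml snippet."""
    return expr[i]

def translate_term(e):
    """CVC3 arithmetic term -> HOL Light real term as text (&n, --t, t1 * t2)."""
    kind = e[0]
    if kind == "RATIONAL":                 # integer numerals only (assumption)
        return f"&{e[1]}" if e[1] >= 0 else f"--&{-e[1]}"
    if kind == "UCONST":
        return e[1]
    if kind == "UMINUS":
        return f"--{translate_term(e[1])}"
    if kind == "MULT":
        return f"({translate_term(e[1])} * {translate_term(e[2])})"
    raise ValueError(f"unsupported term kind {kind}")

def prove_nonzero(z):
    """Stand-in for prove_DIV_NOT_EQ_0: a theorem |- ~(z = &0) for the shapes
    this toy can decide (non-zero numerals, their negations and products),
    None when nothing is known, e.g. for an uninterpreted constant."""
    kind = z[0]
    if kind == "RATIONAL":
        ok = z[1] != 0
    elif kind == "UMINUS":
        ok = prove_nonzero(z[1]) is not None
    elif kind == "MULT":
        ok = prove_nonzero(z[1]) is not None and prove_nonzero(z[2]) is not None
    else:
        ok = False
    return f"|- ~({translate_term(z)} = &0)" if ok else None

def translate_mult_eqn(expr):
    """Translate mult_eqn(x, y, z): fails unless |- ~(z = &0) is available,
    then instantiates the conclusion of REAL_NZ_RMUL with x, y, z."""
    x, y, z = (translate_term(child(expr, i)) for i in (1, 2, 3))
    znz = prove_nonzero(child(expr, 3))
    if znz is None:
        raise ValueError(f"side condition not discharged: need |- ~({z} = &0)")
    return f"|- {x} = {y} <=> {x} * {z} = {y} * {z}"

def translate_or_reject(expr):
    """Translation outcome as (theorem, None) or (None, reason)."""
    try:
        return translate_mult_eqn(expr), None
    except ValueError as err:
        return None, str(err)

# Constructed rule applications: one with a numeral z, and one whose z is an
# uninterpreted constant, which the translator must refuse.
GOOD = ("mult_eqn", ("UCONST", "x"), ("UCONST", "y"), ("RATIONAL", 3))
BAD = ("mult_eqn", ("UCONST", "x"), ("UCONST", "y"), ("UCONST", "z"))

if __name__ == "__main__":
    print(translate_or_reject(GOOD))
    print(translate_or_reject(BAD))
```

The point mirrors the slide: the translator never asserts the equivalence itself. It produces a theorem for z being non-zero by a separate routine and then instantiates the general HOL theorem, so a rule application whose side condition cannot be established simply yields no HOL theorem.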
A problem

- CVC3 proves a theorem Tcvc3
- Tcvc3 is translated into Hol light, which produces a theorem Thol
- Are Thol and Tcvc3 the same theorem?
- A tentative solution:
  - Dump Tcvc3 and Thol into some canonical form
    - Dump Thol from Hol light
    - Translate Thol back into CVC3 and dump it from CVC3
  - Compare the canonized theorems syntactically
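As an added example (Python of my own, not part of the talk), here is what the syntactic comparison needs once both theorems are available as terms: a canonical form that removes the differences a translation round trip legitimately introduces, such as the argument order changed by the rewrite_or step visible in the CVC3 proof term earlier. The tuple term shape, the choice of operators treated as associative-commutative and the sample theorems are this example's assumptions.

```python
# Added example, not part of the talk: compare Tcvc3 and Thol after both are
# put into one canonical form. Terms are nested tuples (op, args...) with
# string leaves; the operator classes below are this example's assumptions.

AC_OPS = {"AND", "OR", "PLUS", "MULT", "IFF"}   # associative and commutative
COMM_OPS = {"EQ"}                              # commutative only

def canon(t):
    """Canonical form: flatten nested AC operators, sort the arguments of
    commutative operators, collapse double negation. Leaves are unchanged."""
    if isinstance(t, str):
        return t
    op, *args = t
    args = [canon(a) for a in args]
    if op == "NOT" and isinstance(args[0], tuple) and args[0][0] == "NOT":
        return args[0][1]                      # NOT (NOT x)  ->  x
    if op in AC_OPS:
        flat = []
        for a in args:                         # (OR a (OR b c)) -> (OR a b c)
            flat.extend(a[1:] if isinstance(a, tuple) and a[0] == op else [a])
        args = flat
    if op in AC_OPS | COMM_OPS:
        args = sorted(args, key=repr)          # fixed argument order
    return (op, *args)

def same_theorem(t_cvc3, t_hol):
    """True iff the two theorems agree syntactically after canonization."""
    return canon(t_cvc3) == canon(t_hol)

# Constructed: the assumption NOT A OR B as CVC3 states it, the form the
# translated proof produced (B \/ ~A, after rewrite_or), and an unrelated one.
T_CVC3 = ("OR", ("NOT", "A"), "B")
T_HOL = ("OR", "B", ("NOT", "A"))
T_OTHER = ("OR", "B", "A")

if __name__ == "__main__":
    print(canon(T_CVC3), canon(T_HOL), same_theorem(T_CVC3, T_HOL))
    print(same_theorem(T_CVC3, T_OTHER))
```

Only differences of grouping and argument order are erased; anything else, such as a dropped negation, still makes the two dumps differ, which is exactly what the comparison is meant to catch.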
SMT LIB benchmarks certification

- SMT LIB
  - A collection of SMT benchmarks
  - Arithmetic, bit vector, array, uninterpreted function, ...
  - The 'status' in each case shows whether it is sat, unsat or unknown
- SMT COMP
  - Annual competition for SMT solvers
- Are the answers from SMT solvers correct?
  - Do the 'status' fields in SMT LIB benchmarks show the correct results?
- We propose to prove these benchmarks in Hol light
  - A certificate to show a case is proved
Future work

- Prove more cases in Hol light
- Support more proof rules
- Define new theories in Hol light
  - The theory of arrays is defined by a new axiom