Proof translation from CVC3 to HOL Light
Yeting Ge (ACSys)
Mar 5, 2008
CVC3: an SMT solver
CVC3 is complicated: a SAT solver, decision procedures, ... About 400k lines of code in all.
Are the results from CVC3 correct? Verifying that CVC3 itself is correct is extremely difficult, so instead check the proofs that CVC3 produces.
CVC3 can produce a "proof" for an unsat case. The proofs are big, and a proof checker is needed.
Is the proof checker correct? Hundreds of proof rules would have to be checked.
Outline
- SMT solvers and CVC3: SMT example; proofs in CVC3
- HOL and HOL Light: features; proofs in HOL
- Translation from CVC3 into HOL Light: boolean resolution; theory proof rules
- SMT-LIB benchmarks certification
SMT solver: Satisfiability Modulo Theories
Is a formula over arithmetic, bit vectors, arrays, equality, ... satisfiable?
Architecture: the formula is abstracted to a boolean skeleton, which goes to a SAT solver; theory solvers (arithmetic, equality, ...) reason about the theory terms, e.g. plus(a, b), plus(b, a).
SMT example
To prove: (a = b) /\ ~(f(a) = f(b)) is unsatisfiable.
Abstraction: b1 := (a = b), b2 := (f(a) = f(b)); the boolean skeleton is b1 /\ ~b2.
SAT solver: proposes the assignment {b1 = T, b2 = F}.
Theory solver: a = b together with ~(f(a) = f(b)) is T-unsat, so the clause ~b1 \/ b2 is returned to the SAT solver.
SAT solver: no more assignments, so the formula is unsat.
Proofs in CVC3
Proofs come from two sources: the theory solvers and the SAT solver.
Modern SAT solvers can dump proofs: a tree of boolean resolutions.

Boolean resolution
To prove ~A \/ B, ~A \/ ~B, A |- F, the CVC3 input is:
  A:BOOLEAN; B:BOOLEAN;
  ASSERT(NOT A OR B);
  ASSERT((NOT A) OR (NOT B));
  ASSERT(A);
  QUERY(FALSE);
  DUMP_PROOF;

Dumped proof from minisat
Atoms: 1 : (B \/ ~A)   2 : B   3 : A   4 : (~A \/ ~B)
Each line is either "id I : literals :" (an input clause, literals written as signed atom numbers) or "id D : literals : chain" (a derived clause, followed by the resolution chain of clause ids and pivots):
  5  I : +2 -1 -3 :
  6  I : +1 :
  9  I : -2 -3 -4 :
  10 I : +4 :
  11 I : +3 :
  12 D : +2 : 5 -1 6 -3 11
  13 D :    : 9 -2 12 -3 11 -4 10
The same proof with the atoms written out:
  5  I : B, ~(B \/ ~A), ~A
  6  I : (B \/ ~A)
  9  I : ~B, ~A, ~(~A \/ ~B)
  10 I : (~A \/ ~B)
  11 I : A
  12 D : B : 5 with 6 gives B, ~A; with 11 gives B
  13 D : (empty clause) : 9 with 12 gives ~A, ~(~A \/ ~B); with 11 gives ~(~A \/ ~B); with 10 gives the empty clause

The proof from CVC3
  Proof(minisat_proof(FALSE,
    bool_resolution(NOT (NOT A OR NOT B),
      bool_resolution(NOT A,
        bool_resolution(NOT B,
          CNF("or_final", (NOT A OR NOT B), (NOT A OR NOT B), 0),
          bool_resolution(NOT A,
            bool_resolution(NOT (B OR NOT A),
              CNF("or_final", (B OR NOT A), (B OR NOT A), 0),
              cnf_add_unit((B OR NOT A),
                iff_mp((NOT A OR B), (B OR NOT A), assump_23,
                       rewrite_or((NOT A OR B), (B OR NOT A))))),
            cnf_add_unit(A, assump_25))),
        cnf_add_unit(A, assump_25)),
      cnf_add_unit((NOT A OR NOT B), assump_24))))
Proofs from theory solvers
Proof rules are much more complicated than boolean resolution; CVC3 has over 400 proof rules.
Example, mult_eqn: |- (x = y) <=> (x * z = y * z). The rule is only sound when z is not 0, so a proof checker must make sure that z is not equivalent to 0, which is not an easy job.
CNF clauses in CVC3
- Original clauses (the assumptions)
- CNF translation clauses: tautologies (not always)
- Theory clauses: extra clauses asserted by theory solvers

Ideal proof checker for SMT solvers
- Can check boolean resolution and tautologies
- Can handle all theory proof rules, i.e. the theory-specific calculations
HOL family of proof assistants
Based on higher-order logic (typed lambda calculus); powerful, can formalize most mathematics.
Simple and small core: only four kinds of terms (variables, constants, applications, abstractions).
Definitional extension: all theories (even /\ and \/) are defined. All theorems must be created constructively from the core rules, so soundness is guaranteed if the core is correct.
Implemented in ML: programmable, easy to extend and to include new decision procedures.
HOL Light: minimized core
10 inference rules on equality, 3 axioms (extensionality, choice, infinity), about 400 lines of OCaml.
Chosen for a number of projects: verification of floating-point algorithms at Intel; the Kepler Conjecture, where a group of experts spent five years without being able to verify the proof, which is now being formalized in HOL Light.
Includes a theory of arithmetic.
Proofs in HOL Light
All theorems are constructed by using HOL proof rules. Derived proof rules are just OCaml functions:
  # ASSUME `a:bool`;;
  val it : thm = a |- a

  let PROVE_HYP ath bth =
    if exists (aconv (concl ath)) (hyp bth)
    then EQ_MP (DEDUCT_ANTISYM_RULE ath bth) ath
    else bth;;
Translate proofs into HOL Light
Instead of a proof checker, we propose a translator of the proofs from CVC3 into HOL Light. Proof checking is then done by HOL Light: if the translation succeeds, the same theorem has been proved in HOL Light, and a theorem proved in HOL Light can be trusted with more confidence.
Translation into HOL Light
HOL Light and CVC3 are connected through the C interface of OCaml and CVC3.
CVC3 terms are translated into HOL terms; CVC3 uninterpreted functions are translated into combinations (HOL function applications).
For each CVC3 proof rule we write an OCaml function: prove a higher-order theorem once, then instantiate it for each use of the rule.
Translate boolean resolution
Suppose two theorems, corresponding to two CNF clauses, have been proved in HOL:
  (1) ... |- A1 \/ (A2 \/ (A3 \/ ...))
  (2) ... |- B1 \/ (~A2 \/ (B3 \/ ...))
The desired theorem is
  (3) ... |- A1 \/ A3 \/ B1 \/ B3 \/ ...
Proving (3) directly is time consuming: the disjunctions must be reassociated, and duplicated terms in (3) must be removed.
Change the representation, keeping each clause as a sequent whose hypotheses are the negated literals:
  (1)' ... ~A1, ~A2, ~A3, ... |- F
  (2)' ... ~B1, A2, ~B3, ... |- F
Resolving on A2 then only needs A2 discharged from (2)' and one PROVE_HYP step on (1)'; the hypotheses form a set, so there are no duplicates to remove.
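The following is an added example (not CVC3's or HOL Light's code) that replays the minisat dump shown earlier exactly as the translator treats it: every clause is kept as the set of negated literals of a sequent "... |- F", and each step of a resolution chain is the PROVE_HYP-style cancellation just described, so reassociation and duplicate removal never arise. The dump text is transcribed from the slides' ~A \/ B, ~A \/ ~B, A |- F example; reading each number between two clause ids in a chain as the literal of the running resolvent that is resolved away is my assumption (it fits every chain on the slides).

```python
"""Replay a clause-chain resolution proof, in the format dumped by CVC3's
MiniSat core, using the "hypotheses |- F" representation of clauses."""
from __future__ import annotations

# Constructed dump, transcribed from the slides for  ~A \/ B, ~A \/ ~B, A |- F
# with the slides' atom numbering: 1 : (B \/ ~A), 2 : B, 3 : A, 4 : (~A \/ ~B).
# "<id> I : <literals> :"              input clause
# "<id> D : <literals> : c0 p1 c1 ..."  derived clause with its chain; each p_i
# is read here (assumption) as the literal of the running resolvent that is
# resolved away against clause c_i.
DUMP = """\
5 I : +2 -1 -3 :
6 I : +1 :
9 I : -2 -3 -4 :
10 I : +4 :
11 I : +3 :
12 D : +2 : 5 -1 6 -3 11
13 D : : 9 -2 12 -3 11 -4 10
"""


def parse_dump(text: str) -> list[tuple[int, str, frozenset[int], list[int]]]:
    """Return (id, kind, literals, chain) per line; literals are signed atom ids."""
    entries = []
    for raw in text.strip().splitlines():
        head, lits, chain = (p.strip() for p in raw.split(":", 2))
        cid, kind = head.split()
        entries.append((int(cid), kind,
                        frozenset(int(t) for t in lits.split()),
                        [int(t) for t in chain.split()]))
    return entries


def hyps_of(clause: frozenset[int]) -> frozenset[int]:
    """The clause l1 OR ... OR ln is kept as the sequent ~l1, ..., ~ln |- F.
    The theorem is identified by its hypothesis set, so a repeated literal
    collapses by itself and the order of the disjuncts never matters."""
    return frozenset(-l for l in clause)


def prove_hyp(th_pos: frozenset[int], th_neg: frozenset[int], lit: int) -> frozenset[int]:
    """One resolution step on `lit`, the way the translator does it in HOL:
    th_neg is  G2, lit |- F; discharging `lit` gives  G2 |- ~lit, and PROVE_HYP
    then removes the hypothesis ~lit from th_pos = G1, ~lit |- F, leaving
    G1 union G2 |- F.  Both side conditions are checked explicitly."""
    if -lit not in th_pos:
        raise ValueError(f"pivot {lit}: left sequent lacks hypothesis {-lit}")
    if lit not in th_neg:
        raise ValueError(f"pivot {lit}: right sequent lacks hypothesis {lit}")
    return (th_pos - {-lit}) | (th_neg - {lit})


def check_dump(text: str) -> dict[int, frozenset[int]]:
    """Replay every derived clause and compare it with what the dump claims.
    Returns the hypothesis set of every clause id; raises on a bad step."""
    thms: dict[int, frozenset[int]] = {}
    for cid, kind, clause, chain in parse_dump(text):
        if kind == "I":
            thms[cid] = hyps_of(clause)
            continue
        if kind != "D" or len(chain) % 2 == 0:
            raise ValueError(f"clause {cid}: malformed line")
        acc = thms[chain[0]]
        for pivot, nxt in zip(chain[1::2], chain[2::2]):
            acc = prove_hyp(acc, thms[nxt], pivot)
        if acc != hyps_of(clause):
            raise ValueError(f"clause {cid}: derived {sorted(acc)}, "
                             f"dump claims {sorted(hyps_of(clause))}")
        thms[cid] = acc
    return thms


def is_refutation(text: str) -> bool:
    """True iff the dump replays and its last derived clause is |- F."""
    try:
        thms = check_dump(text)
    except (ValueError, KeyError):
        return False
    last = parse_dump(text)[-1]
    return last[1] == "D" and thms[last[0]] == frozenset()


if __name__ == "__main__":
    for cid, hyps in check_dump(DUMP).items():
        print(cid, "hypotheses:", sorted(hyps) or "(none, i.e. |- F)")
    print("refutation:", is_refutation(DUMP))
```

A tampered dump (a claimed clause that the chain does not derive, or a pivot with no complementary literal on the other side) is rejected by the side-condition checks rather than silently producing a wrong sequent.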
[Table residue: a results row for the hole5 benchmark with the values 255, 155, 37 and 2.8; the column headers were not recoverable from the extraction.]
Translate theory proof rules
Example, mult_eqn: |- (x = y) <=> (x * z = y * z)
  let x = translate_term vc (child expr 1) in
  let y = translate_term vc (child expr 2) in
  let z = translate_term vc (child expr 3) in
  let znz = prove_DIV_NOT_EQ_0 z in
  SPECL [x; y] (MATCH_MP REAL_NZ_RMUL znz)

  # REAL_NZ_RMUL;;
  val it : thm = |- !x y z. ~(z = &0) ==> (x = y <=> x * z = y * z)
A problem
CVC3 proves a theorem T_cvc3; it is translated into HOL Light, which produces a theorem T_hol. Are T_cvc3 and T_hol the same theorem?
A tentative solution: dump T_cvc3 and T_hol into some canonical form and compare the canonized theorems syntactically. Dump T_hol from HOL Light; translate T_hol back into CVC3 and dump it from CVC3.
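As an added example of the canonical-form comparison sketched above (my code, not the author's; the slides only say that both theorems are dumped in a canonical form and compared syntactically, so the concrete rewrite rules below are an assumption): terms are nested tuples, \/ and /\ are flattened, de-duplicated and sorted, and commutative binary operators get their arguments sorted. The sample theorems are constructed to mirror the dumped proof earlier on the page, where CVC3's rewrite_or turned the assumption (NOT A OR B) into (B OR NOT A).

```python
"""Canonical form for comparing the theorem CVC3 proved with the theorem the
translation produced in HOL Light."""
from __future__ import annotations
from typing import Union

Term = Union[str, tuple]        # an atom, or (op, arg1, arg2, ...)

AC_IDEMPOTENT = {"or", "and"}   # flatten nesting, drop duplicates, sort
COMMUTATIVE = {"iff", "eq"}     # binary: sort the two arguments


def canon(t: Term) -> Term:
    """Rewrite t so that trivially different spellings coincide:
    (NOT A OR B) and (B OR NOT A) get the same form, A \\/ (B \\/ A)
    becomes A \\/ B, and x = y is spelled like y = x."""
    if isinstance(t, str):
        return t
    op, *args = t
    args = [canon(a) for a in args]
    if op in AC_IDEMPOTENT:
        flat: list[Term] = []
        for a in args:
            # a nested disjunction inside a disjunction is merged into it
            flat.extend(a[1:] if isinstance(a, tuple) and a[0] == op else [a])
        flat = sorted(set(flat), key=repr)
        return flat[0] if len(flat) == 1 else (op, *flat)
    if op in COMMUTATIVE:
        return (op, *sorted(args, key=repr))
    return (op, *args)


def canon_thm(hyps, concl):
    """A theorem is its hypothesis set plus its conclusion, both canonized."""
    return frozenset(canon(h) for h in hyps), canon(concl)


def same_theorem(th_cvc3, th_hol) -> bool:
    """Syntactic equality after canonization; each theorem is (hyps, concl)."""
    return canon_thm(*th_cvc3) == canon_thm(*th_hol)


# Constructed instances modelled on the dumped proof: CVC3's assumption was
# (NOT A OR B), the HOL side sees it after rewrite_or as (B OR NOT A).
T_CVC3 = ([("or", ("not", "A"), "B"), "A"], "FALSE")
T_HOL = ([("or", "B", ("not", "A")), "A"], "FALSE")
T_OTHER = ([("or", ("not", "B"), "A"), "A"], "FALSE")   # genuinely different

if __name__ == "__main__":
    print(canon_thm(*T_CVC3))
    print("cvc3 vs hol:  ", same_theorem(T_CVC3, T_HOL))
    print("cvc3 vs other:", same_theorem(T_CVC3, T_OTHER))
```

Only rewrites that are syntactic identities in both systems belong in canon; anything that needs a proof step (double-negation elimination, distributivity) would make two different theorems compare equal and defeats the purpose of the check.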
SMT-LIB benchmarks certification
SMT-LIB: a collection of SMT benchmarks (arithmetic, bit vectors, arrays, uninterpreted functions, ...). The 'status' field of each case records whether it is sat, unsat or unknown.
SMT-COMP: the annual competition for SMT solvers.
Are the answers from SMT solvers correct? Do the 'status' fields in the SMT-LIB benchmarks show the correct results?
We propose to prove these benchmarks in HOL Light, giving a certificate that a case has been proved.
Future work
Prove more cases in HOL Light. Support more proof rules. Define new theories in HOL Light (currently the theory of arrays is introduced by a new axiom).