1 / 20

Proof translation from CVC3 to Hol light

Proof translation from CVC3 to Hol light. Yeting Ge Acsys Mar 5, 2008. CVC3: a SMT solver. CVC3 is complicated SAT, decision procedures, …… About 400k lines of code in all Are the results from CVC3 correct? Extremely difficult to verify CVC3 is correct Check the proofs from CVC3

henrik
Download Presentation

Proof translation from CVC3 to Hol light

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Proof translation from CVC3 to Hol light YetingGe Acsys Mar 5, 2008

  2. CVC3: a SMT solver • CVC3 is complicated • SAT, decision procedures, …… • About 400k lines of code in all • Are the results from CVC3 correct? • Extremely difficult to verify CVC3 is correct • Check the proofs from CVC3 • CVC3 can produce a “proof” for a unsat case • Proofs are big and a proof checker is needed • Is the proof checker correct? • Have to check hundreds of proof rules

  3. Outline • SMT solvers and CVC3 • SMT example • Proofs in CVC3 • HOL and Hol light • Features • Proofs in HOL • Translation from CVC3 into Hol light • Boolean resolution • Theory proof rules • SMT LIB benchmarks certification

  4. SMT solver • Satisfiability Modulo Theories • Arithmetic, bit vector, array, equality,…… • Is satifisabile? Abstraction Theory solver SAT solver Equality Arithmetic ……

  5. SMT example • To prove is unsatisfiable Abstraction Theory solver SAT solver

  6. Proofs in CVC3 • Proofs from theory solvers • Proofs from the SAT solver • Modern SAT solvers can dump proofs • A tree of boolean resolutions • To prove ~A \/ B, ~A \/ ~B, A |- F A:BOOLEAN; B:BOOLEAN; ASSERT(NOT A OR B); ASSERT((NOT A) OR (NOT B)); ASSERT(A); QUERY(FALSE); DUMP_PROOF;

  7. Boolean resolution 1 : (B \/ ~A) 2 : B 3 : A 4 : (~A \/ ~B) ~A \/ B, ~A \/ ~B, A |- F Dumped proof from minisat 5 I : B, ~(B \/ ~A), ~A 6 I : (B \/ ~A) 9 I : ~B, ~A, ~(~A \/ ~B) 10 I : (~A \/ ~B) 11 I : A 12 D : B : B, ~A : 5 6 B : 11 13 D : : ~A, ~(~A \/ ~B) : 9 12 ~(~A \/ ~B) : 11 : : 10 5 I : +2 -1 -3 : 6 I : +1 : 9 I : -2 -3 -4 : 10 I : +4 : 11 I : +3 : 12 D : +2 : 5 -1 6 -3 11 13 D : : 9 -2 12 -3 11 -4 10

  8. The proof from CVC3 Proof(minisat_proof(FALSE, bool_resolution(NOT (NOT A OR NOT B), bool_resolution(NOT A, bool_resolution(NOT B, CNF("or_final", (NOT A OR NOT B), (NOT A OR NOT B), 0), bool_resolution(NOT A, bool_resolution(NOT (B OR NOT A), CNF("or_final", (B OR NOT A), (B OR NOT A), 0), cnf_add_unit((B OR NOT A), iff_mp((NOT A OR B), (B OR NOT A), assump_23, rewrite_or((NOT A OR B), (B OR NOT A))))), cnf_add_unit(A, assump_25))), cnf_add_unit(A, assump_25)), cnf_add_unit((NOT A OR NOT B), assump_24))))

  9. Proofs from theory solvers • Proof rules are much more complicated than boolean resolution • Over 400 proof rules in CVC3 • Example: mult_eqn • |- (x = y) <=> (x * z = y * z) • A proof checker must make sure that z is not equivalent to 0, which is not a easy job

  10. Ideal proof checker for SMT solvers • CNF clauses in CVC3 • Orginal clauses (assumptions) • CNF translation clauses • Tautologies (not always) • Theory clauses • Extra clauses asserted by theory solvers • Can check boolean resolution and tautologies • Can handle all theory proof rules • Theory specific calculations

  11. HOL family of proof assistants • Based on higher order logic (lambda calculus) • Powerful, can formalize most mathematics • Simple and small core • only four kinds of terms • Definitional extension • All theories (even /\ \/ ) are defined • All theorems must be created in a constructive way • Soundness is guaranteed if the core is correct • Implemented in ML • Programmable, easy to extend and include new decision procedures

  12. Hol light • Minimized core • 10 inference rules on equality • 3 axioms (axiom of choice, infinity) • about 400 lines of Ocaml • Chosen for a number of projects • Verification of float point algorithm at Intel • Kepler Conjecture • A group of experts spent five years, unable to verify the proof • Formalize the proof in Hol light • Includes theory of arithmetic

  13. Proofs in Hol light • All theorem are constructed by using Hol proof rules • Derived proof rules are just Ocaml functions #ASSUME `a:bool`;; val it : thm = a |- a let PROVE_HYP athbth = if exists (aconv (conclath)) (hypbth) then EQ_MP (DEDUCT_ANTISYM_RULE athbth) ath else bth;;

  14. Translate proofs into HOL light • Instead of a proof checker, we propose a translator of the proofs from CVC3 into Hol light • Proof checking is done by Hol Light • If the translation is successful, then the same theorem is proved in Hol light • If a theorem is proved in Hol light, we are more confident that the theoremis true

  15. Translation into Hol light • Hol light and CVC3 are connected through C interface of Ocaml and CVC3 • CVC3 terms are translated into Holterms • CVC3 uninterpreted functions are translated into combination • For each CVC3 proof rules, we write a Ocaml function • Prove a higher order theorem, then instantiate it

  16. Translate boolean resolution • Suppose two theorems, corresponding two CNF clauses, have been proved in HOL (1) … |- A1 \/ (A2 \/ (A3 \/ ……))) (2) … |- B1 \/ (~A2 \/ (B3 \/ ……))) The desired theorem is: (3) …|- A1 \/ A3 \/ B1 \/ B3 \/ …… • The proof of (3) is time consuming • Duplicated terms in the (3) must be removed • Change the representation (1)’ … ~A1 , ~A2 ,~A3 …… |- F (2)’ … ~B1 , A2 , ~B3 …… |- F

  17. Translate theory proof rules • |- (x = y) <=> (x * z = y * z) let x = translate_termvc (child expr 1) in let y = translate_termvc (child expr 2) in let z = translate_termvc (child expr 3) in let znz = prove_DIV_NOT_EQ_0 z in SPECL[x;y] (MATCH_MP REAL_NZ_RMUL znz) # REAL_NZ_RMUL;; val it : thm = |- !x y z. ~(z = &0) ==> (x = y <=> x * z = y * z)

  18. A problem • CVC3 proves a theoem • is translated into Hol light that produces a theorem • Are and the same theorem? • A tentative solution: • Dump and into some canonical form • Compare the canonized theorems in syntax • Dump from Hol light • Translate back into CVC3 and dump it from CVC3

  19. SMT LIB benchmarks certification • SMT LIB • A collection of smt benchmarks • Arithmetic, Bit vector, array, unintepreted function,…… • The ‘status’ in each case shows whether it is sat, unsat or unknown • SMT COMP • Annual competition for SMT solvers • Are the answers from SMT solvers correct? • Are the ‘status’ fields in SMT LIB benchmarks show the correct results We propose to prove these benchmarks in Hol light A certificate to show a case is proved

  20. Future work • Prove more cases in Hol light • Support more proof rules • Define new theories in Hol light • theory of array are defined by a new axiom

More Related