Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008

CVC3: a SMT solver CVC3 is complicated SAT, decision procedures, …… About 400k lines of code in all Are the results from CVC3 correct? Extremely difficult to verify CVC3 is correct Check the proofs from CVC3 CVC3 can produce a “proof” for a unsat case Proofs are big and a proof checker is needed Is the proof checker correct? Have to check hundreds of proof rules

Outline SMT solvers and CVC3 SMT example Proofs in CVC3 HOL and Hol light Features Proofs in HOL Translation from CVC3 into Hol light Boolean resolution Theory proof rules SMT LIB benchmarks certification

SMT solver Satisfiability Modulo Theories Arithmetic, bit vector, array, equality,…… Is satifisabile? Abstraction SAT solver Arithmetic Theory solver Equality ……

SMT example To prove is unsatisfiable Abstraction SAT solver Theory solver

Proofs in CVC3 Proofs from theory solvers Proofs from the SAT solver Modern SAT solvers can dump proofs A tree of boolean resolutions To prove ~A \/ B, ~A \/ ~B, A |- F A:BOOLEAN; B:BOOLEAN; ASSERT(NOT A OR B); ASSERT((NOT A) OR (NOT B)); ASSERT(A); QUERY(FALSE); DUMP_PROOF;

5 I : : 6 I : +1 : 9 I : : 10 I : +4 : 11 I : +3 : 12 D : +2 : D : : I : B, ~(B \/ ~A), ~A 6 I : (B \/ ~A) 9 I : ~B, ~A, ~(~A \/ ~B) 10 I : (~A \/ ~B) 11 I : A 12 D : B : B, ~A : 5 6 B : D : : ~A, ~(~A \/ ~B) : 9 12 ~(~A \/ ~B) : 11 : : 10 ~A \/ B, ~A \/ ~B, A |- F 1 : (B \/ ~A) 2 : B 3 : A 4 : (~A \/ ~B) Boolean resolution Dumped proof from minisat

Proof(minisat_proof(FALSE, bool_resolution(NOT (NOT A OR NOT B), bool_resolution(NOT A, bool_resolution(NOT B, CNF("or_final", (NOT A OR NOT B), (NOT A OR NOT B), 0), bool_resolution(NOT A, bool_resolution(NOT (B OR NOT A), CNF("or_final", (B OR NOT A), (B OR NOT A), 0), cnf_add_unit((B OR NOT A), iff_mp((NOT A OR B), (B OR NOT A), assump_23, rewrite_or((NOT A OR B), (B OR NOT A))))), cnf_add_unit(A, assump_25))), cnf_add_unit(A, assump_25)), cnf_add_unit((NOT A OR NOT B), assump_24)))) The proof from CVC3

Proofs from theory solvers Proof rules are much more complicated than boolean resolution Over 400 proof rules in CVC3 Example: mult_eqn |- (x = y) (x * z = y * z) A proof checker must make sure that z is not equivalent to 0, which is not a easy job

Ideal proof checker for SMT solvers CNF clauses in CVC3 Orginal clauses (assumptions) CNF translation clauses Tautologies (not always) Theory clauses Extra clauses asserted by theory solvers Can check boolean resolution and tautologies Can handle all theory proof rules Theory specific calculations

HOL family of proof assistants Based on higher order logic (lambda calculus) Powerful, can formalize most mathematics Simple and small core only four kinds of terms Definitional extension All theories (even /\ \/ ) are defined All theorems must be created in a constructive way Soundness is guaranteed if the core is correct Implemented in ML Programmable, easy to extend and include new decision procedures

Hol light Minimized core 10 inference rules on equality 3 axioms (axiom of choice, infinity) about 400 lines of Ocaml Chosen for a number of projects Verification of float point algorithm at Intel Kepler Conjecture A group of experts spent five years, unable to verify the proof Formalize the proof in Hol light Includes theory of arithmetic

Proofs in Hol light All theorem are constructed by using Hol proof rules Derived proof rules are just Ocaml functions #ASSUME `a:bool`;; val it : thm = a |- a let PROVE_HYP ath bth = if exists (aconv (concl ath)) (hyp bth) then EQ_MP (DEDUCT_ANTISYM_RULE ath bth) ath else bth;;

Translate proofs into HOL light Instead of a proof checker, we propose a translator of the proofs from CVC3 into Hol light Proof checking is done by Hol Light If the translation is successful, then the same theorem is proved in Hol light If a theorem is proved in Hol light, we are more confident that the theorem is true

Translation into Hol light Hol light and CVC3 are connected through C interface of Ocaml and CVC3 CVC3 terms are translated into Hol terms CVC3 uninterpreted functions are translated into combination For each CVC3 proof rules, we write a Ocaml function Prove a higher order theorem, then instantiate it

Translate boolean resolution Suppose two theorems, corresponding two CNF clauses, have been proved in HOL (1) … |- A 1 \/ (A 2 \/ (A 3 \/ ……))) (2) … |- B 1 \/ (~A 2 \/ (B 3 \/ ……))) The desired theorem is: (3) …|- A 1 \/ A 3 \/ B 1 \/ B 3 \/ …… The proof of (3) is time consuming Duplicated terms in the (3) must be removed Change the representation (1)’ … ~A 1, ~A 2,~A 3 …… |- F (2)’ … ~B 1, A 2, ~B 3 …… |- F

Translate theory proof rules |- (x = y) (x * z = y * z) let x = translate_term vc (child expr 1) in let y = translate_term vc (child expr 2) in let z = translate_term vc (child expr 3) in let znz = prove_DIV_NOT_EQ_0 z in SPECL[x;y] (MATCH_MP REAL_NZ_RMUL znz) # REAL_NZ_RMUL;; val it : thm = |- !x y z. ~(z = &0) ==> (x = y x * z = y * z)

A problem CVC3 proves a theoem is translated into Hol light that produces a theorem Are and the same theorem? A tentative solution: Dump and into some canonical form Compare the canonized theorems in syntax Dump from Hol light Translate back into CVC3 and dump it from CVC3

SMT LIB benchmarks certification SMT LIB A collection of smt benchmarks Arithmetic, Bit vector, array, unintepreted function,…… The ‘status’ in each case shows whether it is sat, unsat or unknown SMT COMP Annual competition for SMT solvers Are the answers from SMT solvers correct? Are the ‘status’ fields in SMT LIB benchmarks show the correct results We propose to prove these benchmarks in Hol light A certificate to show a case is proved

Future work Prove more cases in Hol light Support more proof rules Define new theories in Hol light theory of array are defined by a new axiom