cvcl lite: an efficient theorem prover based on combination of decision procedures

CVCL Lite:An Efficient Theorem Prover Based on Combination of Decision Procedures

Presented by:

Sergey Berezin

Stanford University, U.S.A.

People

Project leaders:• Sergey Berezin, Clark Barrett, David Dill

Developers and contributors:•Daniel Wichs

•Ying Hu

•Mark Zavislak

•Jim Zhuang

•Deepak Goyal

•Jake Donham

•Sean McLaughlin

•Vijay Ganesh

•Mehul Trivedi

Outline• Theoretical Basis

• CVCL from User's Point of View– C++ library– Command line– Theory API

• Architecture and Design Decisions

• Information Flow in CVCL

• Other Functionality

What is CVC Lite?

• Validity Checker: ² – First-Order Logic with interpreted theories

• Arithmetic, uninterpreted functions, arrays, etc.

– Theorem Prover based on multiple DPs

Logic

• Many-sorted FOL + '=' + Theories

x=y ) a[i]+2*y < f(rec.f, 15-3*b[j+1])– Partial functions (e.g. x/y)– Quantifiers (experimental)

• Validity Problem:– Is valid under the set of assumptions ?

²

Theoretical Basis: Combination of Decision Procedures• Clark Barrett's thesis

– Fusion of Nelson-Oppen + Shostak methods

T1[ T2 ²

T1[ T2 [ :² ?

(T1[1) [ (T2[2) ² ?

– Search for an arrangement A over 0 such that

(T1[1) [ A and (T2[2) [ A are SAT

Theoretical Basis: Real Implementation

• Vijay Ganesh's extension of Ghilardi's method:

T1[ T2 ²

T1[ T2 [ :² ?

(T1[1) [ (T2[2) ² ?

Ti[i[ Ck ² Ck+1, i2{1,2}

Ck are positive ground clauses


• CVCL from User's Point of View– C++ library– Command line– Theory API




CVCL as C++ Library

• API: ValidityChecker class

• Provides functionality:– Create terms and formulas as CVCL Expr– Manipulate logical context – Solve ²

Command Line Executable

• PVS-like input language

• Parser and command processor– implemented on top of C++ API

CVCL Executable

CVCL library

Parser&

CommandProcessor

UserInput

CVCLAPI

Theory API(For New Decision Procedures)

• "Hackability" – very important!

• All functionality implemented locally in DP– No changes to the Core files

CVCL Core

Arith UFArrays

CVCLLibrary

Theory API


• CVCL from User's Point of View– Command line– C++ library– Theory API




CVCL Core

Arith UFArrays

CVC Lite Architecture

SATSolverFact

QueueUnion-Find

DBNotify List

Union-Find & Notify List

x'

y'

x' = y' => x = y

x

y

2*x + 3*y => 5*y

...

...

Setup / Update Mechanism

+

**

x2 3 y

x = y

2*x = 2*y

2*x + 3*y = 5*y

update(x=y, 2*x)

update(2*x=2*y, 2*x+3*y)

Soundness:Theorems and Proof Rules

• Computing with proof rules– Every proven formula is a Theorem object– Theorems are constructed with Proof Rules– Proof rules comprise Trusted Code

• Soundness checked on-the-fly• Transparent assumption tracking and proof

production– Automatically up-to-date

Computing with Proof Rules

Example: Fourier-Motzkin elimination

t1 · x, x · t2 => t1 · t2

Proof Rule:

t1 · x x · t2

t1 · t2

R

C++ Method: R(t1 · x, x · t2) { return t1 · t2; }

Theorem Class

Sequent: ² class Theorem {

// private constructors

Formula ;

Assumptions ;

Proof pf;

};

Trusted Code

R(Theorem(1 ² t1 · x), Theorem(2 ² y · t2))

{

check_sound(x == y);

Proof pf = ... // Compute the proof object

return Theorem(1 [ 2 ² t1 · t2, pf);

}1 ² t1 · x 2 ² x · t2

1 [ 2 ² t1 · t2

R


• CVCL from User's Point of View– Command line– C++ library– Theory API




SAT Solver + DPs(BCP; DP)* BCP: Unit Clauses

DP: Ti[i[ Ck ² Ck+1

(BCP; DP)*

?

s1

(BCP; DP)*s2

(BCP; DP)*s3

?

:s3

:s2

BacktrackingMechanism!

Backtracking Mechanism

• CDO -- generic backtracking object– read, assign

• CDList -- backtracking stack– push, read-only

• CDMap – backtracking STL-like map– add <key,value>, change value; [no deletion]

~1% CPU overhead

Completeness of CVC Lite

s1

(BCP; DP)*

(BCP; DP)*

(BCP; DP)*s2

(BCP; DP)*s3

SAT

T1[ T2 ²

T1[ T2 [ :² ?

(T1[1) [ (T2[2) ² ?

Ti[i[ Ck ² Ck+1, i2{1,2}

Derived 0 such that:• (Ti [ i) [ 0 ² 0

• ? 2 0

Therefore (T1 [ 1) [ (T2 [ 2) is SAT

Hence, T1[ T2 ²

Efficiency:Tracking Assumptions for Conflict

Analysis

Splitters: ²

assump

Typical Proof Rule: 1 ² 1 2 ² 2

1 [ 2 ² R

Assumptions are proof explications!

² ?

Implication Graph and Conflict Clauses

?

:ll

l1 l2 l3

l7l5l4 l6

l8

l9

Conflict Clause: (: l1 Ç : l6 Ç : l7)

Implication Graph from Theorems

?

y<xx<y

y<z z<x

x<y y<x?

LT?

y<z z<xy<x

R

Implication Graph from

² ?

x<y y<x?

LT?

y<z z<xy<x

R

² x<y ² y<x

² z<x² y<z


• CVCL from User's Point of View



• Other Functionality– Proofs– Quantifiers– Partial Functions

Proof Production

• pf[y<x] = R(pf[y<z], pf[z<y])

• Curry-Howard Isomorphism:– Proofs are terms– Formulas are types

• R: (y<z) £ (z<x) ! (y<x)

• Constructed in proof rules

y<z z<xy<x

R

Existential Quantifiers

• Add "axiom": (9 x. (x)) ) (a)– fresh Skolem constant a

• Skolemization by Modus Ponens

• Set of axioms is eliminated:

, ² ²

9E

Universal Quantifiers

• Instantiate:

• Search for terms in current context

• Cache useful instantiations– Those that derive ?

8 x. (x)(t)

8E

Partial Functions & Subtypes

True, False or Undefined?

x/y · x/y

x/y > x/y

: (y = 0) => x/y · x/y

: (x/y · x/y) => y = 0

x/y > x/y => y = 0

Kleene Semantics

• Values: T, F, ?• Connectives:

– F Æ ? ´ F, T Æ ? ´ ?– F Ç ? ´ ?, T Ç ? ´ T

• Most general– Agrees with classical logic– ´ ? iff value of depends on particular total

extension

Type Correctness Conditions (TCCs)

• TCC[] iff is defined (T or F)

• TCC[f(t)] = f(t) Æ TCC[t]

• TCC[1 Ç 2] =

(TCC[1] Æ TCC[2])

Ç (TCC[1] Æ 1)

Ç (TCC[2] Æ 2)

Total Extensions with TCCs

• If TCC[] ´ T,

• Then

M ² iff Mtotal ²

• E.g. arithmetic:

x / 0 = 0

Partial Functions with Subtypes

• Subtypes:

NAT = { x: REAL | int(x) Æ x ¸ 0 }

R0 = { x : REAL | x != 0 }

• x / y: REAL £ R0 ! REAL

• TCC[x/y] = (y != 0)

Example of TCC

• TCC[y=0 Ç x/y · x/y] ´(T Æ y != 0)

Ç (T Æ y=0)

Ç ( y != 0 Æ x/y · x/y)

´ T

• Therefore:

y!=0 ) x/y · x/y ´ T

Decision Procedure: Any Total Extension

CVCL Core

Arith UFArrays

CVCLLibrary

Theory API

TCCs

User Input

Hack to the Future• New Decision Procedures

– Bit Vectors, Datatypes

• Functionality– Symbolic Simulation– Interpolation? Predicate Abstraction?

• Interface– Multiple input languages

• Performance– Raw speed– SAT heuristics (DP-specific?)

CVCL

Theory

UI

Architecture

SAT

TCCs

8, 9C++ lib cvc.exe

Theory API

Core

DP DP DPTheorems ² Completeness

Impl Graph

Backtracking

x / 0NAT v INT

Kleene

Ti [ Ck ² Ck+1 ²

8 x. (x)(t) 8E

9 x. (x) ) (a)

Notify List

DPs: 2x+3y<8, f(x)=g(y), a[i], r.f, 8 x. (x)

Questions?

Thank you!

Other Important Features

• Efficient backtracking mechanism

• Partial Functions and Subtypes– Kleene semantics (most general)

• Quantifiers (experimental)

• Symbolic Simulator (in progress)

• Proof Production

Adding Decision Procedures

• Core files need not be modified• All functionality is coded locally in DP

– Type checking

– TCCs (partial functions)

– Specialized expressions

– Parsing aid

– Pretty-printing

• Distribution of responsibility among developers

cvcl lite: an efficient theorem prover based on combination of decision procedures

Documents

y proof pf

theoremg2 y t2

return t1 t2

trusted codertheoremg1

y frec

theoremg1 g2 t1 t2

proof rulescomputing

proof rulesexample