Transcript of "Towards Higher-Order Superposition and SMT" (schulzef/puma2017/blanchette_puma_2017.pdf)
Page 1
Towards Higher-Order Superposition and SMT
Jasmin Blanchette
Page 2: Outline
Counterexample generation: 1. Nitpick, 2. Nunchaku
Proof search: 3. Sledgehammer, 4. Matryoshka
Page 3
1. Nitpick: A (countermodel) finder for Isabelle/HOL
Joint work with Alexander Krauss and Tobias Nipkow
Page 5: Architecture
Isabelle ⟶ (HOL) ⟶ Nitpick ⟶ (FORL) ⟶ Kodkod ⟶ (SAT) ⟶ SAT solver
Page 6: Translation
fixed finite cardinalities: try all cardinalities ≤ K for base types
first-order:
τ1 → ⋯ → τn → bool ⟼ A1 × ⋯ × An
τ1 → ⋯ → τn → τ ⟼ A1 × ⋯ × An × A + constraint
higher-order:
σ → τ ⟼ A × ⋯ × A (|σ| times) ??
Page 7: Translation
datatypes / codatatypes; inductive preds. / coinductive preds.
[figure: Con/Nil list diagrams for datatypes and codatatypes]
inductive: p = F p; p0 = (λx. False), p_{i+1} = F p_i
coinductive: p = F p; p0 = (λx. True), p_{i+1} = F p_i
Page 8
2. Nunchaku: A modular model finder for higher-order logic
Ongoing joint work with Simon Cruanes, Andrew Reynolds, and Cesare Tinelli
Page 9
multiple frontends: Isabelle/HOL, TLAPS, Coq, Lean, …
multiple backends: CVC4, Kodkod, Paradox, SMBC, Leon, Vampire, …
more precision by better approximations
more efficiency by using better backends and by letting them enumerate cardinalities
Page 10: Simplified Translation Pipeline
1. Monomorphize
2. Specialize
3. Polarize
4. Encode (co)inductive predicates
5. Encode (co)recursive functions
6. Encode higher-order functions
Page 11: Actual Translation Pipeline
```
$ nunchaku --print-pipeline
Pipeline:
| ty_infer ➜ convert ➜ skolem ➜
| fork {
| | mono ➜ elim_infinite ➜ elim_copy ➜ elim_multi_eqns ➜ specialize ➜ elim_match ➜ elim_codata ➜
| | polarize ➜ unroll ➜ skolem ➜ elim_ind_pred ➜ elim_quant ➜ lift_undefined ➜ model_clean ➜
| | close {smbc ➜ id}
| | mono ➜ elim_infinite ➜ elim_copy ➜ elim_multi_eqns ➜ specialize ➜ elim_match ➜
| | fork {
| | | elim_codata ➜ polarize ➜ unroll ➜ skolem ➜ elim_ind_pred ➜ elim_data ➜ lambda_lift ➜ elim_hof ➜
| | | elim_rec ➜ intro_guards ➜ elim_prop_args ➜
| | | fork {
| | | | elim_types ➜ model_clean ➜ close {to_fo ➜ elim_ite ➜ conv_tptp ➜ paradox ➜ id}
| | | | model_clean ➜ close {to_fo ➜ fo_to_rel ➜ kodkod ➜ id}
| | | }
| | | polarize ➜ unroll ➜ skolem ➜ elim_ind_pred ➜ lambda_lift ➜ elim_hof ➜
| | | elim_rec ➜ intro_guards ➜ model_clean ➜ close {to_fo ➜ flatten {cvc4 ➜ id}}
| | }
| }
```
Page 12: OCaml for Translation Pipeline
…
Page 13: Encoding of higher-order functions: A simple approach
Replace HO σ → τ by h_{σ,τ}
Add extensionality axiom
Add guards whenever app is used
Introduce app_{σ,τ} : h_{σ,τ} → σ → τ and α_{σ,τ}
Page 14: Encoding of higher-order functions: An annoying imprecision
∀x. f x = g x ⟹ f = g ?
rec fact x = (if x > 0 then x · fact (x − 1) else 1)
rec bad x = (if x = 666 then x else fact x)
fact = bad ?
Page 15: Encoding of higher-order functions: A more precise approach
Also introduce proto_{σ,τ} : h_{σ,τ} → σ
If (h, proto_{σ,τ} h) in α_{σ,τ}, then proto_{σ,τ} h gives default value
f = g ∧ HAS_PROTO f
Page 16: Encoding of higher-order functions: A more precise approach
HAS_PROTO h := ∃a : α. γ(a) = (h, proto h)
APP h s := if ∃a : α. γ(a) = (h, s) then app h s else app h (proto h) asserting HAS_PROTO h
Page 17
3. Sledgehammer: Automatic proof search for Isabelle/HOL
Joint work with Sascha Böhme, Jia Meng, Tobias Nipkow, Larry Paulson, Makarius Wenzel, and many others
Page 18
Does there exist a function f from reals to reals such that for all x and y, f(x + y²) − f(x) ≥ y?
```
let lemma = prove
 (`!f:real->real. ~(!x y. f(x + y * y) - f(x) >= y)`,
  REWRITE_TAC[real_ge] THEN REPEAT STRIP_TAC THEN
  SUBGOAL_THEN `!n x y. &n * y <= f(x + &n * y * y) - f(x)` MP_TAC THENL
   [MATCH_MP_TAC num_INDUCTION THEN
    SIMP_TAC[REAL_MUL_LZERO; REAL_ADD_RID] THEN
    REWRITE_TAC[REAL_SUB_REFL; REAL_LE_REFL; GSYM REAL_OF_NUM_SUC] THEN
    GEN_TAC THEN REPEAT(MATCH_MP_TAC MONO_FORALL THEN GEN_TAC) THEN
    FIRST_X_ASSUM(MP_TAC o SPECL [`x + &n * y * y`; `y:real`]) THEN
    SIMP_TAC[REAL_ADD_ASSOC; REAL_ADD_RDISTRIB; REAL_MUL_LID] THEN
    REAL_ARITH_TAC;
    X_CHOOSE_TAC `m:num` (SPEC `f(&1) - f(&0):real` REAL_ARCH_SIMPLE) THEN
    DISCH_THEN(MP_TAC o SPECL [`SUC m EXP 2`; `&0`; `inv(&(SUC m))`]) THEN
    REWRITE_TAC[REAL_ADD_LID; GSYM REAL_OF_NUM_SUC; GSYM REAL_OF_NUM_POW] THEN
    REWRITE_TAC[REAL_FIELD `(&m + &1) pow 2 * inv(&m + &1) = &m + &1`;
                REAL_FIELD `(&m + &1) pow 2 * inv(&m + &1) * inv(&m + &1) = &1`] THEN
    ASM_REAL_ARITH_TAC]);;
```
John Harrison
Page 19
Does there exist a function f from reals to reals such that for all x and y, f(x + y²) − f(x) ≥ y?
[1] f(x + y²) − f(x) ≥ y for any x and y (given)
[2] f(x + n y²) − f(x) ≥ n y for any x, y, and natural number n (by an easy induction using [1] for the step case)
[3] f(1) − f(0) ≥ m + 1 for any natural number m (set n = (m + 1)², x = 0, y = 1/(m + 1) in [2])
[4] Contradiction of [3] and the Archimedean property of the reals
John Harrison
Page 20
[figure: the proof steps above annotated as "intermediate properties", "generated automatically" and "manual"]
Page 26: Proof assistants vs. automatic provers
Proof assistants (e.g. Isabelle): well suited for large formalizations, but require intensive manual labor
Automatic provers (e.g. Vampire): fully automatic, but no proof management
Sledgehammer (placed between Isabelle and Vampire in the figure)
Page 27
[figure: Isabelle (HOL) → select lemmas + translate to FOL → superposition / SMT → reconstruct proof → Isabelle]
Page 28: superposition vs. SMT
superposition: refutational; resolution rule; term ordering; equality reasoning; redundancy criterion (E, SPASS, Vampire, …)
SMT: refutational; SAT solver + congruence closure + quantifier instantiation + other theories (e.g. LIA, LRA) (CVC4, veriT, Yices, Z3, …)
Page 29: Other hammers in proof assistants
pre-Sledgehammer: Otter in ACL2; Bliksem in Coq; Gandalf in HOL98; DISCOUNT, SPASS, etc., in ILF; Otter, SPASS, etc., in KIV; LEO, SPASS, etc., in ΩMEGA; E, Vampire, etc., in Naproche; …
post-Sledgehammer: HOLyHammer for HOLs; MizAR for Mizar; SMTCoq/CVC4Coq for Coq; SMT integration in TLAPS; …
Page 30: Traditional encodings of HOL in FOL are inefficient
HOL ⟼ FOL
higher-order features (e.g., currying): Suc n ⟼ app(suc, n)
types (possibly polymorphic): Suc n ⟼ t(suc(t(n, nat)), nat)
both together: Suc n ⟼ t(app(t(suc, fun(nat, nat)), t(n, nat)), nat)
Page 31: More efficient encodings of higher-order features are possible
HOL ⟼ FOL
Suc x ⟼ suc(x)
map f [x] = [f x] ⟼ map(f, [x]) = [app(f, x)]
λx y. y + x ⟼ c(plus)
p (x = x) ⟼ p(eq(x, x))
Page 32: More efficient encodings of types are possible
HOL ⟼ FOL
Suc x ⟼ suc(x)
Nil ≠ Cons x xs ⟼ nil ≠ cons(A, x, xs)
x ≠ y ⟼ x ≠ y
x = off ⟼ t(x, state) = off
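The "traditional" encoding of page 30 (type tags on every subterm, `app` for every application) and the "efficient" encoding of page 31 (fully applied constants become n-ary first-order symbols), as an added Python example that is not from the slides or from Sledgehammer's code. The term representation, the sample symbols (Suc, map, Cons, Nil, a variable g) and the minimum-arity rule used for the efficient encoding are assumptions of this example.

```python
# Added example, not code from the slides or from Sledgehammer: the
# "traditional" and "efficient" HOL-to-FOL encodings contrasted above.
# HOL terms are nested tuples built by the helpers below; the symbol
# names and sample terms are constructed for this example.

def const(name, ty):
    return ("const", name, ty)

def var(name, ty):
    return ("var", name, ty)

def app(f, x):
    return ("app", f, x)

def fun(a, b):
    return ("fun", a, b)

def show_type(ty):
    """Render a HOL type as a first-order type term, e.g. fun(nat, nat)."""
    if isinstance(ty, tuple):
        return f"fun({show_type(ty[1])}, {show_type(ty[2])})"
    return ty

def strip_apps(term):
    """Split a curried application f a1 ... an into (f, [a1, ..., an])."""
    args = []
    while term[0] == "app":
        args.insert(0, term[2])
        term = term[1]
    return term, args

def type_of(term):
    """Type of a term: the head's type with one 'fun' peeled off per argument."""
    head, args = strip_apps(term)
    ty = head[2]
    for _ in args:
        ty = ty[2]
    return ty

def traditional(term):
    """Traditional encoding: every application becomes app(..) and every
    subterm is wrapped in a type tag t(.., type), so Suc n turns into
    t(app(t(suc, fun(nat, nat)), t(n, nat)), nat)."""
    if term[0] == "app":
        body = f"app({traditional(term[1])}, {traditional(term[2])})"
    else:
        body = term[1].lower()
    return f"t({body}, {show_type(type_of(term))})"

def min_arities(term, acc=None):
    """Smallest number of arguments each constant is applied to anywhere in
    the term (assumed rule): that is the arity its direct FOL symbol gets."""
    acc = {} if acc is None else acc
    head, args = strip_apps(term)
    if head[0] == "const":
        acc[head[1]] = min(acc.get(head[1], len(args)), len(args))
    for a in args:
        min_arities(a, acc)
    return acc

def efficient(term, arities=None):
    """Efficient encoding: a constant applied to its minimum arity becomes an
    n-ary first-order symbol; only surplus arguments and applications of
    variables go through app(..), and no type tags are emitted."""
    if arities is None:
        arities = min_arities(term)
    head, args = strip_apps(term)
    enc = [efficient(a, arities) for a in args]
    name = head[1].lower()
    n = arities[head[1]] if head[0] == "const" else 0
    out = name if n == 0 else f"{name}({', '.join(enc[:n])})"
    for a in enc[n:]:
        out = f"app({out}, {a})"
    return out

def encode_equation(lhs, rhs):
    """Encode lhs = rhs, computing the arities over both sides at once."""
    arities = min_arities(rhs, min_arities(lhs))
    return f"{efficient(lhs, arities)} = {efficient(rhs, arities)}"

# Constructed sample terms: Suc x, map f [x] = [f x] (lists as Cons/Nil),
# and g (map Suc), where map is only partially applied.
NAT, A, B = "nat", "a", "b"
SUC = const("Suc", fun(NAT, NAT))
MAP = const("map", fun(fun(A, B), fun("list(a)", "list(b)")))
CONS_A = const("Cons", fun(A, fun("list(a)", "list(a)")))
CONS_B = const("Cons", fun(B, fun("list(b)", "list(b)")))
SUC_X = app(SUC, var("x", NAT))
MAP_LHS = app(app(MAP, var("f", fun(A, B))),
              app(app(CONS_A, var("x", A)), const("Nil", "list(a)")))
MAP_RHS = app(app(CONS_B, app(var("f", fun(A, B)), var("x", A))),
              const("Nil", "list(b)"))
PARTIAL = app(var("g", fun(fun("list(nat)", "list(nat)"), NAT)), app(MAP, SUC))

if __name__ == "__main__":
    print(traditional(SUC_X))   # t(app(t(suc, fun(nat, nat)), t(x, nat)), nat)
    print(efficient(SUC_X))     # suc(x)
    print(encode_equation(MAP_LHS, MAP_RHS))  # map(f, cons(x, nil)) = cons(app(f, x), nil)
    print(efficient(PARTIAL))   # app(g, map(suc))
```

The last sample shows the minimum-arity rule at work: because `map` is applied to one argument somewhere, it becomes a unary symbol and `Suc`, never applied, becomes a constant.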
Page 33
Upon success, proofs are translated to Isabelle: one-line or detailed (Isar)
Page 34: One-line proofs
```
lemma "length (tl xs) ≤ length xs" by (metis diff_le_self length_tl)
```
(proof method: metis; lemmas: diff_le_self, length_tl)
⊕ usually fast and reliable
⊕ lightweight
⊖ cryptic
⊖ sometimes slow (several seconds)
⊖ often cannot deal with theories
Page 35: Detailed (Isar) proofs
```
lemma "length (tl xs) ≤ length xs"
proof -
  have "⋀x1 x2. (x1∷nat) - x2 - x1 = 0 - x2"
    by (metis comm_monoid_diff_class.diff_cancel diff_right_commute)
  hence "length xs - 1 - length xs = 0" by (metis zero_diff)
  hence "length xs - 1 ≤ length xs" by (metis diff_is_0_eq)
  thus "length (tl xs) ≤ length xs" by (metis length_tl)
qed
```
⊕ faster than one-liners
⊕ higher reconstruction success rate
⊕ self-explanatory
⊖ technically more challenging
⊖ not always so self-explanatory
Page 37: Sledgehammer really works
"I have recently been working on a new development. Sledgehammer has found some simply incredible proofs. I would estimate the improvement in productivity as a factor of at least three, maybe five." (Larry Paulson)
"Sledgehammers … have led to visible success. Fully automated procedures can prove … 47% of the HOL Light/Flyspeck libraries, with comparable rates in Isabelle. These automation rates represent an enormous saving in human labor." (Thomas Hales)
"Developing proofs without Sledgehammer is like walking as opposed to running." (Tobias Nipkow)
Page 38: Isabelle's pros and cons, according to my students
⊕: 11.5 Sledgehammer; 4 Nitpick; 4 Isar; 2.5 automation; 2 IDE; 1 Quickcheck; 1 set theory; 1 schematic variables; 1 structural induction; 1 classical logic; 1 function induction; 1 infix operators; 1 "qed auto"
⊖: 5 goal/assumption handling; 4 weak logic (props as types, types as terms); 3 Sledgehammer on lists, HO goals, or induction; 1 automatic induction; 1 Sledgehammer-generated Isar; 1 arithmetic; 1 Isar; 1 opaque proofs; 1 double quotes around inner syntax; 1 underdeveloped "fset"; 1 proof reuse; 1 no hnf for statements, not even definitions; 1 guaranteed computability; 1 forward "apply" in assumptions (drule?); 1 error messages in inner syntax; 1 ltac (Eisbach?); 1 cannot click on fun to see definition (?); 1 tooltips for built-in functions etc.
Page 39: Sledgehammer's 3 main weaknesses
⊖ Higher-order "lost in translation"
⊖ No induction
⊖ Explosive search space
Page 40
4. Matryoshka: Higher-order automatic provers for proof assistants
Ongoing joint work with Alex Bentkamp, Pascal Fontaine, Johannes Hölzl, Rob Lewis, Stephan Schulz, Uwe Waldmann, and many others
Page 41: Vision: Take the Hard Labor out of Interactive Verification
Push-button automation for proof assistants (e.g. Coq) based on efficient higher-order (HO) provers
[figure: "Discover Proof Using HO Provers": HO superposition prover and HO SMT solver]
Pages 42–44: Application: A Verified "EasyChair"
"PC members cannot review papers if they have a conflict of interest"
Proof today:
```
using assms proof induction
  case (Step s a)
  thus ?case
  proof (cases a)
    case (Cact ca)
    show ?thesis using Step pref_Conflict_isRev reach.Step by simp
  next
    case (Uact ua)
    show ?thesis
    proof (cases ua)
      case (uPref confID uID p paperID pref)
      thus ?thesis using Step unfolding Uact uPref isRev_def2
        by (blast dest: pref_Conflict_isRevNth reach.Step)
    qed (insert Step, simp add: Uact isRev_def2 u_defs pref_Conflict_isRevNth_def)+
  next
    case (UUact uua)
    show ?thesis using Step unfolding UUact isRev_def2
      by (meson IO_Automaton.reach.Step pref_Conflict_isRevNth)
  qed simp+
qed (simp add: istate_def)
```
[figure annotations on the proof: fully automatic (first-order provers via Sledgehammer); manual hints (induction rule, simplifier, arithmetic procedure, general reasoner); boilerplate]
Page 45: Application: A Verified "EasyChair"
Proof after Matryoshka: fully automatic (Discover Proof Using HO Provers)
[figure annotation: missing proof]
Page 46: My Grand Challenge
Create efficient proof calculi and higher-order provers targeting proof assistants and their applications to software and hardware development
‣ by fusing and extending two lines of research: automatic proving & interactive proving
Scientific Objectives
SO1. Extend superposition and SMT to higher-order logic
SO2. Design practical methods and heuristics based on benchmarks
SO3. Conceive stratified architectures to build higher-order provers
SO4. Integrate our provers into proof assistants (Coq, Isabelle, TLA+)
Page 47: SO1—Higher-Order Superposition (λSUP)
A "counterexample": a =β (λx. a) (f a) > f a > a
The problem is not so much λ as β.
Pages 48–50: SO1—Higher-Order Superposition (λSUP)
First-order rule:
```
  D' ⋁ t ≈ t'        C' ⋁ s[u] ≉ s'
  ─────────────────────────────────── SUP-Left
        (D' ⋁ C' ⋁ s[t'] ≉ s')σ
```
where σ = mgu(t, u), u is not a variable, tσ ≰ t'σ, sσ ≰ s'σ, (t ≈ t')σ is strictly maximal in (D' ⋁ t ≈ t')σ and no selection, (s ≉ s')σ is maximal in (C' ⋁ s ≉ s')σ or selected
‣ We need sequences of unifiers (for σ = mgu(t, u))
‣ We need a higher-order term ordering (for tσ ≰ t'σ, sσ ≰ s'σ)
‣ We also want proof-assistant-style HO rewriting
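The first-order SUP-Left rule above, mechanised on a tiny term language as an added Python example that is not from the slides or from any prover. It assumes the term representation described in its comments, enforces only σ = mgu(t, u) and "u is not a variable", and leaves the ordering and maximality side conditions out; clauses are assumed to be renamed apart.

```python
# Added example, not from the slides or from any prover: the SUP-Left
# inference on a tiny term language.  A variable is a str, a function
# application is a tuple ("f", arg, ...) and a constant is a 1-tuple
# ("a",); a literal is (positive, lhs, rhs) and a clause is a list of
# literals.  Only the unifier and the non-variable condition on u are
# enforced (ordering and maximality conditions are left out on purpose).

def is_var(t):
    return isinstance(t, str)

def subst(sigma, t):
    """Apply the (triangular) substitution sigma to term t."""
    if is_var(t):
        return subst(sigma, sigma[t]) if t in sigma else t
    return (t[0],) + tuple(subst(sigma, a) for a in t[1:])

def occurs(v, t):
    """Occurs check: does variable v appear anywhere in t?"""
    if is_var(t):
        return v == t
    return any(occurs(v, a) for a in t[1:])

def mgu(s, t, sigma=None):
    """Most general unifier of s and t as a dict, or None if none exists."""
    sigma = {} if sigma is None else sigma
    s, t = subst(sigma, s), subst(sigma, t)
    if s == t:
        return sigma
    if is_var(s):
        if occurs(s, t):
            return None
        sigma[s] = t
        return sigma
    if is_var(t):
        return mgu(t, s, sigma)
    if s[0] != t[0] or len(s) != len(t):
        return None              # clashing function symbols or arities
    for a, b in zip(s[1:], t[1:]):
        sigma = mgu(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def positions(t, pos=()):
    """Yield (position, subterm) for every subterm of t, root first."""
    yield pos, t
    if not is_var(t):
        for i, a in enumerate(t[1:], start=1):
            yield from positions(a, pos + (i,))

def replace_at(t, pos, new):
    """Return t with the subterm at position pos replaced by new."""
    if not pos:
        return new
    i = pos[0]
    return t[:i] + (replace_at(t[i], pos[1:], new),) + t[i + 1:]

def subst_lit(sigma, lit):
    positive, l, r = lit
    return (positive, subst(sigma, l), subst(sigma, r))

def sup_left(D, C):
    """All conclusions (D' ∨ C' ∨ s[t'] ≉ s')σ obtainable from a positive
    literal t ≈ t' of D and a negative literal s[u] ≉ s' of C with
    σ = mgu(t, u) and u not a variable.  Equations are used left to right."""
    conclusions = []
    for i, (pos_d, t, t_prime) in enumerate(D):
        if not pos_d:
            continue
        D_rest = D[:i] + D[i + 1:]
        for j, (pos_c, s, s_prime) in enumerate(C):
            if pos_c:
                continue
            C_rest = C[:j] + C[j + 1:]
            for p, u in positions(s):
                if is_var(u):
                    continue         # no superposition into variables
                sigma = mgu(t, u)
                if sigma is None:
                    continue
                new_lit = (False, replace_at(s, p, t_prime), s_prime)
                conclusions.append([subst_lit(sigma, l)
                                    for l in D_rest + C_rest + [new_lit]])
    return conclusions

def show(t):
    if is_var(t):
        return t
    return t[0] if len(t) == 1 else f"{t[0]}({', '.join(show(a) for a in t[1:])})"

def show_clause(clause):
    return " ∨ ".join(f"{show(l)} {'≈' if p else '≉'} {show(r)}" for p, l, r in clause)

# Constructed sample: D = f(X) ≈ X ∨ h(X) ≈ c and C = g(f(a)) ≉ b.
D = [(True, ("f", "X"), "X"), (True, ("h", "X"), ("c",))]
C = [(False, ("g", ("f", ("a",))), ("b",))]

if __name__ == "__main__":
    for concl in sup_left(D, C):
        print(show_clause(concl))    # h(a) ≈ c ∨ g(a) ≉ b
```

Only the position of f(a) inside g(f(a)) unifies with f(X), giving σ = {X ↦ a}; the root g(f(a)) and the constant a clash with f(X) and yield nothing.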
Pages 51–52: SO1—Higher-Order Term Orderings
Properties compared: Well-foundedness; Transitivity; Stability under substitution; FO subterm property; Totality for ground terms; Compat. with FO contexts; HO subterm property; Compat. with HO contexts
First-order orderings:
KBO: ✔ ✔ ✔ ✔ ✔ ✔
LPO: ✔ ✔ ✔ ✔ ✔ ✔
Higher-order orderings:
CPO/HORPO: ✔ ✘ ✔ ✔ ✘ ? ✘ ?
λfKBO: ✔ ✔ ✔ ✔ ✔ ✔ (✔)
λfLPO: ✔ ✔ ✔ (✔) ✔ ✔ ✔
✔ ✔
[table cells listed per column as extracted; which property each mark belongs to was lost in extraction]
Page 53: SO3—Stratified Architecture
[figure: Matryoshka Prover (e.g. veriHOT) with HO formulas and HO rules, wrapped around a First-Order Prover (e.g. veriT) with FO formulas and FO rules; main loop]
Inspired by Nelson–Oppen (SMT)
Base FO provers: E & veriT
Some scientific challenges:
‣ How to exploit derived FO formulas and/or candidate models to guide HO quantifier instantiation?
‣ How to generate certificates for reconstruction in proof assistants?
Page 54: SO3—Higher-Order SMT
First-order quantifier instantiation (QI):
‣ E-matching (triggers)
‣ Model-based QI
‣ Congruence closure with free variables
‣ Conflict-guided instantiation
‣ We need to extend these strategies to higher-order logic
[figure: Matryoshka Prover (e.g. veriHOT) with HO QI, around a First-Order Prover (e.g. veriT) with FO QI and main loop, around a SAT Solver (e.g. MiniSat)]
Page 55: SO4—Connection with Proof Assistants
[figure: Proof Assistant (e.g. Coq) around Matryoshka Prover (e.g. veriHOT) around First-Order Prover (e.g. veriT) around SAT Solver (e.g. MiniSat)]
Page 56: SO4—Connection with Proof Assistants
Dependent Type Theory: Coq, Agda, Lean, Matita, …
Classical Higher-Order Logic: Isabelle/HOL, HOL4, HOL Light, PVS, …
Set Theory: TLA+, Isabelle/ZF, Mizar, Rodin (Event-B), …
(each family connected to veriHOT and HO E)
Page 57: The Team
Scientific Leader: Jasmin Blanchette (Amsterdam)
Senior Collaborator: Pascal Fontaine (Nancy)
Postdoctoral Researchers: Johannes Hölzl (Amsterdam), Rob Lewis (Amsterdam)
Ph.D. Students: Alex Bentkamp (Amsterdam), Daniel El Ouraoui (Nancy), Hans-Jörg Schurr (Nancy), Petar Vukmirović (Amsterdam)
Associated Members: Stephan Schulz (Stuttgart), Uwe Waldmann (Saarbrücken)
Other Collaborators: Haniel Barbosa (Nancy), Simon Cruanes (Nancy), Simon Robillard (Gothenburg), & more
Page 58: Matryoshka in one Slide
Grand Challenge & Outcome: Create efficient proof calculi (λSUP & λSMT) and stratified higher-order provers (HO E & veriHOT) to dramatically improve automation in proof assistants
Risks:
‣ Efficient HO automation is a long-standing open problem
‣ Proposed stratified architecture has never been tried
Impact:
‣ The project will recast the methods of automatic proving to reach the goals of interactive proving
‣ Interactive verification will become a cost-effective option for building software & hardware of the highest quality