Upload
elsie
View
28
Download
0
Tags:
Embed Size (px)
DESCRIPTION
CVCL Lite: An Efficient Theorem Prover Based on Combination of Decision Procedures. Presented by: Sergey Berezin Stanford University, U.S.A. People. Project leaders: Sergey Berezin, Clark Barrett, David Dill Developers and contributors:. Daniel Wichs Ying Hu Mark Zavislak Jim Zhuang. - PowerPoint PPT Presentation
Citation preview
CVCL Lite:An Efficient Theorem Prover Based on Combination of Decision Procedures
Presented by:
Sergey Berezin
Stanford University, U.S.A.
People
Project leaders:• Sergey Berezin, Clark Barrett, David Dill
Developers and contributors:•Daniel Wichs
•Ying Hu
•Mark Zavislak
•Jim Zhuang
•Deepak Goyal
•Jake Donham
•Sean McLaughlin
•Vijay Ganesh
•Mehul Trivedi
Outline• Theoretical Basis
• CVCL from User's Point of View– C++ library– Command line– Theory API
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality
What is CVC Lite?
• Validity Checker: ² – First-Order Logic with interpreted theories
• Arithmetic, uninterpreted functions, arrays, etc.
– Theorem Prover based on multiple DPs
Logic
• Many-sorted FOL + '=' + Theories
x=y ) a[i]+2*y < f(rec.f, 15-3*b[j+1])– Partial functions (e.g. x/y)– Quantifiers (experimental)
• Validity Problem:– Is valid under the set of assumptions ?
²
Theoretical Basis: Combination of Decision Procedures• Clark Barrett's thesis
– Fusion of Nelson-Oppen + Shostak methods
T1[ T2 ²
T1[ T2 [ :² ?
(T1[1) [ (T2[2) ² ?
– Search for an arrangement A over 0 such that
(T1[1) [ A and (T2[2) [ A are SAT
Theoretical Basis: Real Implementation
• Vijay Ganesh's extension of Ghilardi's method:
T1[ T2 ²
T1[ T2 [ :² ?
(T1[1) [ (T2[2) ² ?
Ti[i[ Ck ² Ck+1, i2{1,2}
Ck are positive ground clauses
Outline• Theoretical Basis
• CVCL from User's Point of View– C++ library– Command line– Theory API
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality
CVCL as C++ Library
• API: ValidityChecker class
• Provides functionality:– Create terms and formulas as CVCL Expr– Manipulate logical context – Solve ²
Command Line Executable
• PVS-like input language
• Parser and command processor– implemented on top of C++ API
CVCL Executable
CVCL library
Parser&
CommandProcessor
UserInput
CVCLAPI
Theory API(For New Decision Procedures)
• "Hackability" – very important!
• All functionality implemented locally in DP– No changes to the Core files
CVCL Core
Arith UFArrays
CVCLLibrary
Theory API
Outline• Theoretical Basis
• CVCL from User's Point of View– Command line– C++ library– Theory API
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality
CVCL Core
Arith UFArrays
CVC Lite Architecture
SATSolverFact
QueueUnion-Find
DBNotify List
Union-Find & Notify List
x'
y'
x' = y' => x = y
x
y
2*x + 3*y => 5*y
...
...
Setup / Update Mechanism
+
**
x2 3 y
x = y
2*x = 2*y
2*x + 3*y = 5*y
update(x=y, 2*x)
update(2*x=2*y, 2*x+3*y)
Soundness:Theorems and Proof Rules
• Computing with proof rules– Every proven formula is a Theorem object– Theorems are constructed with Proof Rules– Proof rules comprise Trusted Code
• Soundness checked on-the-fly• Transparent assumption tracking and proof
production– Automatically up-to-date
Computing with Proof Rules
Example: Fourier-Motzkin elimination
t1 · x, x · t2 => t1 · t2
Proof Rule:
t1 · x x · t2
t1 · t2
R
C++ Method: R(t1 · x, x · t2) { return t1 · t2; }
Theorem Class
Sequent: ² class Theorem {
// private constructors
Formula ;
Assumptions ;
Proof pf;
};
Trusted Code
R(Theorem(1 ² t1 · x), Theorem(2 ² y · t2))
{
check_sound(x == y);
Proof pf = ... // Compute the proof object
return Theorem(1 [ 2 ² t1 · t2, pf);
}1 ² t1 · x 2 ² x · t2
1 [ 2 ² t1 · t2
R
Outline• Theoretical Basis
• CVCL from User's Point of View– Command line– C++ library– Theory API
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality
SAT Solver + DPs(BCP; DP)* BCP: Unit Clauses
DP: Ti[i[ Ck ² Ck+1
(BCP; DP)*
?
s1
(BCP; DP)*s2
(BCP; DP)*s3
?
:s3
:s2
BacktrackingMechanism!
Backtracking Mechanism
• CDO -- generic backtracking object– read, assign
• CDList -- backtracking stack– push, read-only
• CDMap – backtracking STL-like map– add <key,value>, change value; [no deletion]
~1% CPU overhead
Completeness of CVC Lite
s1
(BCP; DP)*
(BCP; DP)*
(BCP; DP)*s2
(BCP; DP)*s3
SAT
T1[ T2 ²
T1[ T2 [ :² ?
(T1[1) [ (T2[2) ² ?
Ti[i[ Ck ² Ck+1, i2{1,2}
Derived 0 such that:• (Ti [ i) [ 0 ² 0
• ? 2 0
Therefore (T1 [ 1) [ (T2 [ 2) is SAT
Hence, T1[ T2 ²
Efficiency:Tracking Assumptions for Conflict
Analysis
Splitters: ²
assump
Typical Proof Rule: 1 ² 1 2 ² 2
1 [ 2 ² R
Assumptions are proof explications!
² ?
Implication Graph and Conflict Clauses
?
:ll
l1 l2 l3
l7l5l4 l6
l8
l9
Conflict Clause: (: l1 Ç : l6 Ç : l7)
Implication Graph from Theorems
?
y<xx<y
y<z z<x
x<y y<x?
LT?
y<z z<xy<x
R
Implication Graph from
² ?
x<y y<x?
LT?
y<z z<xy<x
R
² x<y ² y<x
² z<x² y<z
Outline• Theoretical Basis
• CVCL from User's Point of View
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality– Proofs– Quantifiers– Partial Functions
Proof Production
• pf[y<x] = R(pf[y<z], pf[z<y])
• Curry-Howard Isomorphism:– Proofs are terms– Formulas are types
• R: (y<z) £ (z<x) ! (y<x)
• Constructed in proof rules
y<z z<xy<x
R
Outline• Theoretical Basis
• CVCL from User's Point of View
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality– Proofs– Quantifiers– Partial Functions
Existential Quantifiers
• Add "axiom": (9 x. (x)) ) (a)– fresh Skolem constant a
• Skolemization by Modus Ponens
• Set of axioms is eliminated:
, ² ²
9E
Universal Quantifiers
• Instantiate:
• Search for terms in current context
• Cache useful instantiations– Those that derive ?
8 x. (x)(t)
8E
Outline• Theoretical Basis
• CVCL from User's Point of View
• Architecture and Design Decisions
• Information Flow in CVCL
• Other Functionality– Proofs– Quantifiers– Partial Functions
Partial Functions & Subtypes
True, False or Undefined?
x/y · x/y
x/y > x/y
: (y = 0) => x/y · x/y
: (x/y · x/y) => y = 0
x/y > x/y => y = 0
Kleene Semantics
• Values: T, F, ?• Connectives:
– F Æ ? ´ F, T Æ ? ´ ?– F Ç ? ´ ?, T Ç ? ´ T
• Most general– Agrees with classical logic– ´ ? iff value of depends on particular total
extension
Type Correctness Conditions (TCCs)
• TCC[] iff is defined (T or F)
• TCC[f(t)] = f(t) Æ TCC[t]
• TCC[1 Ç 2] =
(TCC[1] Æ TCC[2])
Ç (TCC[1] Æ 1)
Ç (TCC[2] Æ 2)
Total Extensions with TCCs
• If TCC[] ´ T,
• Then
M ² iff Mtotal ²
• E.g. arithmetic:
x / 0 = 0
Partial Functions with Subtypes
• Subtypes:
NAT = { x: REAL | int(x) Æ x ¸ 0 }
R0 = { x : REAL | x != 0 }
• x / y: REAL £ R0 ! REAL
• TCC[x/y] = (y != 0)
Example of TCC
• TCC[y=0 Ç x/y · x/y] ´(T Æ y != 0)
Ç (T Æ y=0)
Ç ( y != 0 Æ x/y · x/y)
´ T
• Therefore:
y!=0 ) x/y · x/y ´ T
Decision Procedure: Any Total Extension
CVCL Core
Arith UFArrays
CVCLLibrary
Theory API
TCCs
User Input
Hack to the Future• New Decision Procedures
– Bit Vectors, Datatypes
• Functionality– Symbolic Simulation– Interpolation? Predicate Abstraction?
• Interface– Multiple input languages
• Performance– Raw speed– SAT heuristics (DP-specific?)
CVCL
Theory
UI
Architecture
SAT
TCCs
8, 9C++ lib cvc.exe
Theory API
Core
DP DP DPTheorems ² Completeness
Impl Graph
Backtracking
x / 0NAT v INT
Kleene
Ti [ Ck ² Ck+1 ²
8 x. (x)(t) 8E
9 x. (x) ) (a)
Notify List
DPs: 2x+3y<8, f(x)=g(y), a[i], r.f, 8 x. (x)
Questions?
Thank you!
Other Important Features
• Efficient backtracking mechanism
• Partial Functions and Subtypes– Kleene semantics (most general)
• Quantifiers (experimental)
• Symbolic Simulator (in progress)
• Proof Production
Adding Decision Procedures
• Core files need not be modified• All functionality is coded locally in DP
– Type checking
– TCCs (partial functions)
– Specialized expressions
– Parsing aid
– Pretty-printing
• Distribution of responsibility among developers