CVCL Lite: An Efficient Theorem Prover Based on Combination of Decision Procedures Presented by: Sergey Berezin Stanford University, U.S.A.

People Project leaders: Sergey Berezin, Clark Barrett, David Dill Developers and contributors: Daniel Wichs Ying Hu Mark Zavislak Jim Zhuang Deepak Goyal Jake Donham Sean McLaughlin Vijay Ganesh Mehul Trivedi

Outline Theoretical Basis CVCL from User's Point of View –C++ library –Command line –Theory API Architecture and Design Decisions Information Flow in CVCL Other Functionality

What is CVC Lite? Validity Checker:  ²  –First-Order Logic with interpreted theories Arithmetic, uninterpreted functions, arrays, etc. –Theorem Prover based on multiple DPs

Logic Many-sorted FOL + '=' + Theories x=y ) a[i]+2*y < f(rec.f, 15-3*b[j+1]) –Partial functions (e.g. x/y) –Quantifiers (experimental) Validity Problem: –Is  valid under the set of assumptions  ?  ² 

Theoretical Basis: Combination of Decision Procedures Clark Barrett's thesis –Fusion of Nelson-Oppen + Shostak methods T 1 [ T 2 ²  T 1 [ T 2 [ :  ² ? (T 1 [  1 ) [ (T 2 [  2 ) ² ? –Search for an arrangement A over  0 such that (T 1 [  1 ) [ A and (T 2 [  2 ) [ A are SAT

Theoretical Basis: Real Implementation Vijay Ganesh's extension of Ghilardi's method: T 1 [ T 2 ²  T 1 [ T 2 [ :  ² ? (T 1 [  1 ) [ (T 2 [  2 ) ² ? T i [  i [ C k ² C k+1, i 2 {1,2} C k are positive ground clauses

Outline Theoretical Basis CVCL from User's Point of View –C++ library –Command line –Theory API Architecture and Design Decisions Information Flow in CVCL Other Functionality

CVCL as C++ Library API: ValidityChecker class Provides functionality: –Create terms and formulas as CVCL Expr –Manipulate logical context  –Solve  ² 

Command Line Executable PVS-like input language Parser and command processor –implemented on top of C++ API CVCL Executable CVCL library Parser & Command Processor User Input CVCL API

Theory API (For New Decision Procedures) "Hackability" – very important! All functionality implemented locally in DP –No changes to the Core files CVCL Core ArithUFArrays CVCL Library Theory API

Outline Theoretical Basis CVCL from User's Point of View –Command line –C++ library –Theory API Architecture and Design Decisions Information Flow in CVCL Other Functionality

CVCL Core ArithUFArrays CVC Lite Architecture SAT Solver Fact Queue Union-Find DB Notify List

Union-Find & Notify List x' y' x' = y' => x = y x y 2*x + 3*y => 5*y

... Setup / Update Mechanism + * * x 2 3 y x = y 2*x = 2*y 2*x + 3*y = 5*y update(x=y, 2*x) update(2*x=2*y, 2*x+3*y)

Soundness: Theorems and Proof Rules Computing with proof rules –Every proven formula is a Theorem object –Theorems are constructed with Proof Rules –Proof rules comprise Trusted Code Soundness checked on-the-fly Transparent assumption tracking and proof production –Automatically up-to-date

Computing with Proof Rules Example: Fourier-Motzkin elimination t 1 · x, x · t 2 => t 1 · t 2 Proof Rule: t 1 · x x · t 2 t 1 · t 2 R C++ Method: R(t 1 · x, x · t 2 ) { return t 1 · t 2 ; }

Theorem Class Sequent:  ²  class Theorem { // private constructors Formula  ; Assumptions  ; Proof pf; };

Trusted Code R(Theorem(  1 ² t 1 · x), Theorem(  2 ² y · t 2 )) { check_sound(x == y); Proof pf =... // Compute the proof object return Theorem(  1 [  2 ² t 1 · t 2, pf); }  1 ² t 1 · x  2 ² x · t 2  1 [  2 ² t 1 · t 2 R

Outline Theoretical Basis CVCL from User's Point of View –Command line –C++ library –Theory API Architecture and Design Decisions Information Flow in CVCL Other Functionality

SAT Solver + DPs (BCP; DP)* BCP: Unit Clauses DP: T i [  i [ C k ² C k+1 (BCP; DP)* ? s1s1 s2s2 s3s3 ? :s3:s3 :s2:s2 Backtracking Mechanism!

Backtracking Mechanism CDO -- generic backtracking object –read, assign CDList -- backtracking stack –push, read-only CDMap – backtracking STL-like map –add, change value; [no deletion] ~1% CPU overhead

Completeness of CVC Lite s1s1 (BCP; DP)* s2s2 s3s3 SAT T 1 [ T 2 ²  T 1 [ T 2 [ :  ² ? (T 1 [  1 ) [ (T 2 [  2 ) ² ? T i [  i [ C k ² C k+1, i 2 {1,2} Derived  0 such that: (T i [  i ) [  0 ²  0 ? 2  0 Therefore (T 1 [  1 ) [ (T 2 [  2 ) is SAT Hence, T 1 [ T 2 ² 

Efficiency: Tracking Assumptions for Conflict Analysis Splitters:  ²  ²  assump Typical Proof Rule:  1 ²  1  2 ²  2  1 [  2 ²  R Assumptions are proof explications!  ² ?

Implication Graph and Conflict Clauses ? :l:l ll1l1 l2l2 l3l3 l7l7 l5l5 l4l4 l6l6 l8l8 l9l9 Conflict Clause: ( : l 1 Ç : l 6 Ç : l 7 )

Implication Graph from Theorems ? y<x x<yy<zz<x x<y y<x ? LT ? y<z z<x y<x R

Implication Graph from  ² ?² ? x<y y<x ? LT ? y<z z<x y<x R ² x<y ² y<x ² z<x ² y<z

Outline Theoretical Basis CVCL from User's Point of View Architecture and Design Decisions Information Flow in CVCL Other Functionality –Proofs –Quantifiers –Partial Functions

Proof Production pf[y<x] = R(pf[y<z], pf[z<y]) Curry-Howard Isomorphism: –Proofs are terms –Formulas are types R: (y<z) £ (z<x) ! (y<x) Constructed in proof rules y<z z<x y<x R

Outline Theoretical Basis CVCL from User's Point of View Architecture and Design Decisions Information Flow in CVCL Other Functionality –Proofs –Quantifiers –Partial Functions

Existential Quantifiers Add "axiom": ( 9 x.  (x)) )  (a) –fresh Skolem constant a Skolemization by Modus Ponens Set of axioms  is eliminated: ,  ²   ²  9E9E

Universal Quantifiers Instantiate: Search for terms in current context Cache useful instantiations –Those that derive ? 8 x.  (x)  (t) 8E8E

Outline Theoretical Basis CVCL from User's Point of View Architecture and Design Decisions Information Flow in CVCL Other Functionality –Proofs –Quantifiers –Partial Functions

Partial Functions & Subtypes True, False or Undefined? x/y · x/y x/y > x/y : (y = 0) => x/y · x/y : (x/y · x/y) => y = 0 x/y > x/y => y = 0

Kleene Semantics Values: T, F, ? Connectives: –F Æ ? ´ F, T Æ ? ´ ? –F Ç ? ´ ?, T Ç ? ´ T Most general –Agrees with classical logic –  ´ ? iff value of  depends on particular total extension

Type Correctness Conditions (TCCs) TCC[  ] iff  is defined (T or F) TCC[f(t)] =  f (t) Æ TCC[t] TCC[  1 Ç  2 ] = (TCC[  1 ] Æ TCC[  2 ]) Ç (TCC[  1 ] Æ  1 ) Ç (TCC[  2 ] Æ  2 )

Total Extensions with TCCs If TCC[  ] ´ T, Then M ²  iff M total ²  E.g. arithmetic: x / 0 = 0

Partial Functions with Subtypes Subtypes: NAT = { x: REAL | int(x) Æ x ¸ 0 } R 0 = { x : REAL | x != 0 } x / y: REAL £ R 0 ! REAL TCC[x/y] = (y != 0)

Example of TCC TCC[y=0 Ç x/y · x/y] ´ (T Æ y != 0) Ç (T Æ y=0) Ç ( y != 0 Æ x/y · x/y) ´ T´ T Therefore: y!=0 ) x/y · x/y ´ T

Decision Procedure: Any Total Extension CVCL Core ArithUFArrays CVCL Library Theory API TCCs User Input

Hack to the Future New Decision Procedures –Bit Vectors, Datatypes Functionality –Symbolic Simulation –Interpolation? Predicate Abstraction? Interface –Multiple input languages Performance –Raw speed –SAT heuristics (DP-specific?)

CVCL Theory UI Architecture SAT TCCs 8, 9 C++ lib cvc.exe Theory API Core DP Theorems  ²  Completeness Impl Graph Backtracking x / 0 NAT v INT Kleene T i [ C k ² C k+1  ²  ²  8 x.  (x)  (t) 8E8E 9 x.  (x) )  (a) Notify List DPs: 2x+3y<8, f(x)=g(y), a[i], r.f, 8 x.  (x) Questions?

Thank you!

Other Important Features Efficient backtracking mechanism Partial Functions and Subtypes –Kleene semantics (most general) Quantifiers (experimental) Symbolic Simulator (in progress) Proof Production

Adding Decision Procedures Core files need not be modified All functionality is coded locally in DP –Type checking –TCCs (partial functions) –Specialized expressions –Parsing aid –Pretty-printing Distribution of responsibility among developers