Pretending to be an SMT Solver with Vampire (and How We Do Instantiation)

Size: px

Start display at page:

Download "Pretending to be an SMT Solver with Vampire (and How We Do Instantiation)"

Horace Stokes
5 years ago
Views:

1 Pretending to be an SMT Solver with Vampire (and How We Do Instantiation) Giles Reger 1, Martin Suda 2, and Andrei Voronkov 1,2 1 School of Computer Science, University of Manchester, UK 2 TU Wien, Vienna, Austria SMT 2017 Heidelberg, July 22, /19

2 Introducing Vampire Automatic Theorem Prover (ATP) for first-order logic Main paradigm: superposition calculus + saturation a.k.f.: indexing, incomplete strategies, strategy scheduling 1/19

3 Introducing Vampire Automatic Theorem Prover (ATP) for first-order logic Main paradigm: superposition calculus + saturation a.k.f.: indexing, incomplete strategies, strategy scheduling 1/19

4 Introducing Vampire Automatic Theorem Prover (ATP) for first-order logic Main paradigm: superposition calculus + saturation a.k.f.: indexing, incomplete strategies, strategy scheduling Reasoning with Theories since 2010: progressively adding support for theories since 2016: participating in SMT-COMP 1/19

5 Reasoning with quantifiers and theories Two Dimensions of Complexity gnd Z/R: + / select/store 2/19

6 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP gnd Z/R: + / select/store 2/19

7 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP gnd SMT Z/R: + / select/store 2/19

8 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP E SPASS VAMPIRE... CVC4 verit Z3... gnd SMT Z/R: + / select/store 2/19

9 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP gnd SMT Z/R: + / select/store 2/19

10 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP gnd SMT Instantiation... Z/R: + / select/store 2/19

11 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP theory axioms... gnd SMT Instantiation... Z/R: + / select/store 2/19

12 Reasoning with quantifiers and theories Two Dimensions of Complexity ATP theory axioms...? gnd SMT Instantiation... Z/R: + / select/store 2/19

13 Outline 1 A Brief Introduction to Saturation-Based Proving 2 Theory Reasoning in Vampire 3 Theory Instantiation and Unification with Abstraction 4 Where We Currently Stand 3/19

14 Theorem Proving Pipeline in One Slide Standard form of the input: F := (Axiom 1... Axiom n ) Conjecture 4/19

15 Theorem Proving Pipeline in One Slide Standard form of the input: F := (Axiom 1... Axiom n ) Conjecture 1 Negate F to seek a refutation: F := Axiom 1... Axiom n Conjecture 4/19

16 Theorem Proving Pipeline in One Slide Standard form of the input: F := (Axiom 1... Axiom n ) Conjecture 1 Negate F to seek a refutation: F := Axiom 1... Axiom n Conjecture 2 Preprocess and transform F to clause normal form (CNF) S := {C 1,..., C n } 4/19

17 Theorem Proving Pipeline in One Slide Standard form of the input: F := (Axiom 1... Axiom n ) Conjecture 1 Negate F to seek a refutation: F := Axiom 1... Axiom n Conjecture 2 Preprocess and transform F to clause normal form (CNF) S := {C 1,..., C n } 3 saturate S with respect to the superposition calculus aiming to derive the obvious contradiction 4/19

18 Saturation = fixed-point computation Given Clause Algorithm: Active Passive Unprocessed set of active clauses is stored in indexing structures passive works like a priority queue the process is explosive in nature 5/19

19 Controlling the Growth of the Search Space Superposition rule l r C 1 L[s] p C 2 (L[r] p C 1 C 2)θ or l r C 1 t[s] p t C 2 (t[r] p t C 1 C 2)θ where θ = mgu(l, s) and rθ lθ and, for the left rule L[s] is not an equality literal, and for the right rule stands either for or and t θ t[s]θ, 6/19

20 Controlling the Growth of the Search Space Superposition rule l r C 1 L[s] p C 2 (L[r] p C 1 C 2)θ or l r C 1 t[s] p t C 2 (t[r] p t C 1 C 2)θ where θ = mgu(l, s) and rθ lθ and, for the left rule L[s] is not an equality literal, and for the right rule stands either for or and t θ t[s]θ, Saturation up to Redundancy redundant clauses can be safely removed subsumption - an example reduction: remove C in the presence of D such that Dσ C 6/19

21 Controlling the Growth of the Search Space Superposition rule l r C 1 L[s] p C 2 (L[r] p C 1 C 2)θ or l r C 1 t[s] p t C 2 (t[r] p t C 1 C 2)θ where θ = mgu(l, s) and rθ lθ and, for the left rule L[s] is not an equality literal, and for the right rule stands either for or and t θ t[s]θ, Saturation up to Redundancy redundant clauses can be safely removed subsumption - an example reduction: remove C in the presence of D such that Dσ C Completeness considerations 6/19

22 Outline 1 A Brief Introduction to Saturation-Based Proving 2 Theory Reasoning in Vampire 3 Theory Instantiation and Unification with Abstraction 4 Where We Currently Stand 7/19

23 Basic Support for Theories Normalization of interpreted operations, e.g. t 1 t 2 (t 1 < t 2 ) a b a + ( b) Evaluation of ground interpreted terms, e.g. f (1 + 2) f (3) f (x + 0) f (x) < 4 true Balancing interpreted literals, e.g. 4 = 2 (x + 1) (4 div 2) 1 = x x = 1 Interpreted operations treated specially by ordering 8/19

24 Adding Theory Axioms x + (y + z) = (x + y) + z x + 0 = x x + y = y + x (x + y) = ( x + y) x = x x + ( x) = 0 x 0 = 0 x (y z) = (x y) z x 1 = x x y = y x (x y) + (x z) = x (y + z) (x < y) (y < z) (x < z) x < y y < x x = y (x < y) (y < x + 1) (x < y) x + z < y + z (x < x) x < y y < x + 1 (for ints) x = 0 (y x)/x = y (for reals) a handcrafted set subsets added based on the signature ongoing research on how to tame them [IWIL17] 9/19

25 AVATAR modulo Theories The AVATAR architecture [Voronkov14] modern architecture of first-order theorem provers combines saturation with SAT-solving efficient realization of the clause splitting rule x, z, w. s(x) r(x, z) q(w) }{{}}{{} share x and z is disjoint propositional essence of the problem delegated to SAT solver 10/19

26 AVATAR modulo Theories The AVATAR architecture [Voronkov14] modern architecture of first-order theorem provers combines saturation with SAT-solving efficient realization of the clause splitting rule x, z, w. s(x) r(x, z) q(w) }{{}}{{} share x and z is disjoint propositional essence of the problem delegated to SAT solver AVATAR modulo Theories use an SMT solver instead of the SAT solver sub-problems considered are ground-theory-consistent implemented in Vampire using Z3 10/19

27 One Slightly Imprecise View of AVATAR Vampire Incremental Theory Solver for Quantified Formulas SMT Solver Theory Solver for Arithmetic Theory Solver for BitVectors Theory Solver for Uninterpreted Functions Core Quantifier Instantiation CDCL SAT Solver 11/19

28 One Slightly Imprecise View of AVATAR Vampire Incremental Theory Solver for Quantified Formulas SMT Solver Theory Solver for Arithmetic Theory Solver for BitVectors Theory Solver for Uninterpreted Functions Core Quantifier Instantiation CDCL SAT Solver... and please remember: Vampire is the boss here! 11/19

29 Outline 1 A Brief Introduction to Saturation-Based Proving 2 Theory Reasoning in Vampire 3 Theory Instantiation and Unification with Abstraction 4 Where We Currently Stand 12/19

30 Does Vampire Need Instantiation? Example Consider the conjecture ( x)(x + x 2) negated and clausified to x + x 2. It takes Vampire 15 s to solve using theory axioms deriving lemmas such as x + 1 y + 1 y + 1 x x + 1 y. 13/19

31 Does Vampire Need Instantiation? Example Consider the conjecture ( x)(x + x 2) negated and clausified to x + x 2. It takes Vampire 15 s to solve using theory axioms deriving lemmas such as x + 1 y + 1 y + 1 x x + 1 y. Heuristic instantiation would help, but normally any instance of a clause is immediately subsumed by the original! 13/19

32 Does Vampire Need Instantiation? Example Consider the conjecture ( x)(x + x 2) negated and clausified to x + x 2. It takes Vampire 15 s to solve using theory axioms deriving lemmas such as x + 1 y + 1 y + 1 x x + 1 y. Heuristic instantiation would help, but normally any instance of a clause is immediately subsumed by the original! Recall the abstraction rule L[t] C = x t L[x] C, where L is a theory literal, t a non-theory term, and x fresh. 13/19

33 The Theory Instantiation Instantiation which makes some theory literals immediately false 14/19

34 The Theory Instantiation Instantiation which makes some theory literals immediately false As an inference rule C (D[x])θ TheoryInst where T [x] D[x] is a (partial) abstraction of C and θ a substitution such thatt [x]θ is valid in the underlying theory 14/19

35 The Theory Instantiation Instantiation which makes some theory literals immediately false As an inference rule C (D[x])θ TheoryInst where T [x] D[x] is a (partial) abstraction of C and θ a substitution such thatt [x]θ is valid in the underlying theory Implementation: Abstract relevant literals Collect relevant pure theory literals L 1,..., L n Run an SMT solver on T [x] = L 1... L n If the SMT solver returns a model, transform it into a substitution θ and produce an instance 14/19

36 The Theory Instantiation Instantiation which makes some theory literals immediately false As an inference rule C (D[x])θ TheoryInst where T [x] D[x] is a (partial) abstraction of C and θ a substitution such thatt [x]θ is valid in the underlying theory Implementation: Abstract relevant literals Collect relevant pure theory literals L 1,..., L n Run an SMT solver on T [x] = L 1... L n If the SMT solver returns a model, transform it into a substitution θ and produce an instance 14/19

37 Unification with Abstraction Example Consider two clauses r(14y) r(x ) p(x) 15/19

38 Unification with Abstraction Example Consider two clauses r(14y) r(x ) p(x) We could fully abstract them to obtain: r(u) u 14y r(v) v x p(x), 15/19

39 Unification with Abstraction Example Consider two clauses r(14y) r(x ) p(x) We could fully abstract them to obtain: r(u) u 14y r(v) v x p(x), then resolve to get u 14y u x p(x) 15/19

40 Unification with Abstraction Example Consider two clauses r(14y) r(x ) p(x) We could fully abstract them to obtain: r(u) u 14y r(v) v x p(x), then resolve to get u 14y u x p(x) Finally, Theory Instantiation could produce p(7) 15/19

41 Unification with Abstraction Explicit abstraction may be harmful: fully abstracted clauses are typically much longer abstraction destroys ground literals theory part requires special treatment 16/19

42 Unification with Abstraction Explicit abstraction may be harmful: fully abstracted clauses are typically much longer abstraction destroys ground literals theory part requires special treatment Instead of full abstraction... incorporate the abstraction process into unification thus abstractions are on demand and lazy implemented by extending the substitution tree indexing 16/19

43 Outline 1 A Brief Introduction to Saturation-Based Proving 2 Theory Reasoning in Vampire 3 Theory Instantiation and Unification with Abstraction 4 Where We Currently Stand 17/19

44 SMT-COMP 2017 results problems Logic Vampire VeriT CVC4 Z3 ALIA AUFDTLIA AUFLIA AUFLIRA AUFNIRA LIA LRA NIA NRA UF UFDT UFDTLIA UFIDL UFLIA UFLRA UFNIA /19

45 Conclusion Thank you for your attention! 19/19

First-Order Theorem Proving and Vampire

First-Order Theorem Proving and Vampire Laura Kovács 1,2 and Martin Suda 2 1 TU Wien 2 Chalmers Outline Introduction First-Order Logic and TPTP Inference Systems Saturation Algorithms Redundancy Elimination