Nunchaku: Flexible Model Finding for Higher-Order Logic

Similar documents
The TLA + proof system

Model Finding for Recursive Functions in SMT

The syntactic guard condition of Coq

Interactive Theorem Provers

Beyond First-Order Logic

Lecture Notes on Data Abstraction

Automated Reasoning Lecture 5: First-Order Logic

Limitations of OCAML records

Operational Semantics Using the Partiality Monad

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Towards Higher-Order Superposition and SMT. Jasmin Blanchette

Formalising the Completeness Theorem of Classical Propositional Logic in Agda (Proof Pearl)

Existence and Consistency in Bounded Arithmetic

Applied Logic for Computer Scientists. Answers to Some Exercises

Type Inference. For the Simply-Typed Lambda Calculus. Peter Thiemann, Manuel Geffken. Albert-Ludwigs-Universität Freiburg. University of Freiburg

The Locally Nameless Representation

Introduction to lambda calculus Part 6

logical verification lecture program extraction and prop2

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

The Curry-Howard Isomorphism

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods

Safety Analysis versus Type Inference

Abstract model theory for extensions of modal logic

Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 8: Procedures for First-Order Theories, Part 2

Code Generation for a Simple First-Order Prover

INDUCTIVE DEFINITION

CS 4110 Programming Languages & Logics. Lecture 16 Programming in the λ-calculus

Chapter 4: Computation tree logic

Learning Goals of CS245 Logic and Computation

Programming with Dependent Types in Coq

Hoare Logic: Reasoning About Imperative Programs

SMT BASICS WS 2017/2018 ( ) LOGIC SATISFIABILITY MODULO THEORIES. Institute for Formal Models and Verification Johannes Kepler Universität Linz

An Introduction to Z3

Review. Principles of Programming Languages. Equality. The Diamond Property. The Church-Rosser Theorem. Corollaries. CSE 230: Winter 2007

Combined Satisfiability Modulo Parametric Theories

Finding Conflicting Instances of Quantified Formulas in SMT. Andrew Reynolds Cesare Tinelli Leonardo De Moura July 18, 2014

Analyse et Conception Formelle. Lesson 4. Proofs with a proof assistant

Using the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 18, 2017

Logic: The Big Picture

Midterm Exam Types and Programming Languages Frank Pfenning. October 18, 2018

A New Look At Generalized Rewriting in Type Theory

A New Look at Generalized Rewriting in Type Theory

7. Propositional Logic. Wolfram Burgard and Bernhard Nebel

Typed Arithmetic Expressions

Classical First-Order Logic

Towards Lightweight Integration of SMT Solvers

What are the recursion theoretic properties of a set of axioms? Understanding a paper by William Craig Armando B. Matos

Structure. Background. them to their higher order equivalents. functionals in Standard ML source code and converts

The SMT-LIB Standard: Version 1.1

WHAT IS AN SMT SOLVER? Jaeheon Yi - April 17, 2008

CS558 Programming Languages

Static Program Analysis

Depending on equations

Information Flow Inference for ML

Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring

Chapter 6: Computation Tree Logic

Tutorial 1: Modern SMT Solvers and Verification

Principles of Program Analysis: Control Flow Analysis

Deductive Verification

Lecture 13: Soundness, Completeness and Compactness

VeriML: Typed Computation of Logical Terms inside a Language with Effects

From Operational Semantics to Abstract Machines

First Order Logic: Syntax and Semantics

The SMT-LIB Standard: Version 1.2

F-in Coq: A Deep Embedding

Propositional and Predicate Logic - XIII

Propositional Logic: Models and Proofs

Logic. proof and truth syntacs and semantics. Peter Antal

Clausal Presentation of Theories in Deduction Modulo

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

Comp487/587 - Boolean Formulas

Computational Logic for Computer Science

0.1 Random useful facts. 0.2 Language Definition

Logical Agents. Outline

Cylindrical Algebraic Decomposition in Coq

A Principled Approach to Ornamentation in ML

Bound and Free Variables. Theorems and Proofs. More valid formulas involving quantifiers:

Logical Agents. Santa Clara University

First-Order Logic. Chapter Overview Syntax

Evidential Paradigm and Intelligent Mathematical Text Processing

Prefixed Tableaus and Nested Sequents

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

The LCF Approach to Theorem Proving

Foundations of Artificial Intelligence

Foundations of Artificial Intelligence

Propositional Logic: Syntax

First-Order Theorem Proving and Vampire. Laura Kovács (Chalmers University of Technology) Andrei Voronkov (The University of Manchester)

Constraint Solving for Finite Model Finding in SMT Solvers

Relations to first order logic

Lecture 1: Logical Foundations

Proof Techniques (Review of Math 271)

Introduction to Isabelle/HOL

COMPUTER SCIENCE TRIPOS

First Class Traversal Idioms with Nested Attribute Grammars

23.1 Gödel Numberings and Diagonalization

A Principled approach to Ornamentation in ML

Cylindrical Algebraic Decomposition in Coq

Normalization by Evaluation

Transcription:

Nunchaku: Flexible Model Finding for Higher-Order Logic Simon Cruanes, Jasmin Blanchette, Andrew Reynolds Veridis, Inria Nancy https://cedeela.fr/~simon/ April 7th, 2016 1 / 21

Summary Introduction Nunchaku as a Blackbox Encodings Implementation Conclusion 1 / 21

Nitpick: the current titleholder Tool integrated in Isabelle/HOL 2 / 21

Issues with Nitpick hard to maintain (according to Jasmin) deeply tied to Isabelle (shared structures, poly/ml,... ) relies exclusively on Kodkod, good but old-ish tied to a single backend we want to leverage modern research on SMT (CVC4) 3 / 21

The genesis of Nunchaku Goals useful for proof assistant users (not pure research prototype) standalone tool in OCaml clean architecture, focus on maintainability and correctness rich input language for expressing problems support multiple frontends (Isabelle, Coq, TLA+,... ) support multiple backends (CVC4, probably kodkod, HBMC,... ) Who stronger/more accurate encodings Jasmin Blanchette (lead, maintainer of Nitpick) Simon Cruanes (main developer) Andrew Reynolds (maintains finite-model finding in CVC4) 4 / 21

The genesis of Nunchaku Goals useful for proof assistant users (not pure research prototype) standalone tool in OCaml clean architecture, focus on maintainability and correctness rich input language for expressing problems support multiple frontends (Isabelle, Coq, TLA+,... ) support multiple backends (CVC4, probably kodkod, HBMC,... ) Who stronger/more accurate encodings Jasmin Blanchette (lead, maintainer of Nitpick) Simon Cruanes (main developer) Andrew Reynolds (maintains finite-model finding in CVC4) 4 / 21

Summary Introduction Nunchaku as a Blackbox Encodings Implementation Conclusion 4 / 21

Input Language data nat := Z S nat. data term := Var nat Lam term App term term. rec bump : nat (nat term) nat term := forall n ρ. bump n ρ Z = Var n; forall n ρ m. bump n ρ (S m) = bump (S n) ρ m. rec subst : (nat term) term term := forall ρ j. subst ρ (Var j) = ρ j; forall ρ t. subst ρ (Lam t) = Lam (subst (bump (S Z) ρ) t); forall ρ t u. subst ρ (App t u) = App (subst ρ t) (subst ρ u). goal exists t ρ. subst ρ t!= t. ML-like typed higher-order syntax Here, find a non-closed term t and substitution ρ capturing one of its variables 5 / 21

Input Language: Codatatypes val u : type. codata tree := leaf u node (llist u) and llist a := lnil lcons a (llist a). goal exists x y z. x = node (lcons (leaf y) (lcons (leaf z) (lcons x lnil))). Here, we ask Nunchaku to find the (infinite) tree µx.node [leaf y, leaf z, x] where y and z are arbitrary values of type u. 6 / 21

Input Logic Features higher-order (with λ, partial application, etc.) polymorphic types (co)datatypes + pattern matching recursive definitions, axioms, (co)inductive predicates... extensionality, choice a type prop for formulas, with the usual connectives 7 / 21

Obtaining a Model We obtain finite fragments of infinite models (after decoding) Here: finite model of even and odd (= decision tree) SAT: { val m := Succ Zero. val even := fun (v_0/104 : nat). if v_0/104 = Succ (Succ Zero) then true else if v_0/104 = Zero then true else? (even v_0/104). val odd := fun (v_0/105 : nat). if v_0/105 = Succ Zero then true else? (odd v_0/105). } The? is an undefined value that is specific to this model. 8 / 21

Obtaining a Model We obtain finite fragments of infinite models (after decoding) Here: finite model of even and odd (= decision tree) SAT: { val m := Succ Zero. val even := fun (v_0/104 : nat). if v_0/104 = Succ (Succ Zero) then true else if v_0/104 = Zero then true else? (even v_0/104). val odd := fun (v_0/105 : nat). if v_0/105 = Succ Zero then true else? (odd v_0/105). } The? is an undefined value that is specific to this model. 8 / 21

Summary Introduction Nunchaku as a Blackbox Encodings Implementation Conclusion 8 / 21

The Big Picture Bidirectional pipeline (composition of transformations) forward: translate problem into simpler logic backward: translate model back into original logic Current Pipeline (simplified) 1. type inference 2. monomorphization 3. specialization 4. polarization 5. elimination of inductive predicates 6. elimination of higher-order functions 7. elimination of recursive functions 8. backend (CVC4) 9 / 21

The Big Picture Bidirectional pipeline (composition of transformations) forward: translate problem into simpler logic backward: translate model back into original logic Current Pipeline (simplified) 1. type inference 2. monomorphization 3. specialization 4. polarization 5. elimination of inductive predicates 6. elimination of higher-order functions 7. elimination of recursive functions 8. backend (CVC4) 9 / 21

Monomorphization from polymorphic logic to simply-typed logic only keep useful definitions instantiate polymorphic formulas, definitions, etc. with ground types incomplete in some cases (polymorphic recursion depth limit) 10 / 21

Specialization Specialize some higher-order functions on a static subset of their args Goal: make the problem less higher-order rec map : (a a) list list := forall f. map f nil = nil; forall f x l. map f (cons x l) = cons (f x) (map f l). map (fun x. x + f y + z) l We specialize map on its first argument: rec map32 : a a list list := forall y z. map32 y z nil = nil; forall x y z l. map32 (cons x l) = cons (x + f y + z) (map32 y z l). map32 y z l (careful: need proper closure) 11 / 21

Specialization Specialize some higher-order functions on a static subset of their args Goal: make the problem less higher-order rec map : (a a) list list := forall f. map f nil = nil; forall f x l. map f (cons x l) = cons (f x) (map f l). map (fun x. x + f y + z) l We specialize map on its first argument: rec map32 : a a list list := forall y z. map32 y z nil = nil; forall x y z l. map32 (cons x l) = cons (x + f y + z) (map32 y z l). map32 y z l (careful: need proper closure) 11 / 21

Specialization Specialize some higher-order functions on a static subset of their args Goal: make the problem less higher-order rec map : (a a) list list := forall f. map f nil = nil; forall f x l. map f (cons x l) = cons (f x) (map f l). map (fun x. x + f y + z) l We specialize map on its first argument: rec map32 : a a list list := forall y z. map32 y z nil = nil; forall x y z l. map32 (cons x l) = cons (x + f y + z) (map32 y z l). map32 y z l (careful: need proper closure) 11 / 21

Polarization Predicate p becomes p + and p (positive occurrences/negative occurrences). in some case, gain precision transform into more accurate Skolemization unpolarized context (under, say): p + x asserting p + x = p x 12 / 21

Elimination of Inductive Predicates + Unrolling pred odd : nat prop := odd (Succ Zero); forall n. odd n odd n; # not well-founded! forall n. odd n odd (Succ (Succ n)). becomes: rec odd : nat nat prop := forall decr n. odd decr n = exists pred_decr. decr = Succ pred_decr ( n = Succ Zero odd pred_decr n exists m. n = Succ (Succ m) odd pred_decr m) pred_decr: unrolling (ensure WF) transform predicate into regular recursive function solver picks initial value of decr 13 / 21

Elimination of Inductive Predicates + Unrolling pred odd : nat prop := odd (Succ Zero); forall n. odd n odd n; # not well-founded! forall n. odd n odd (Succ (Succ n)). becomes: rec odd : nat nat prop := forall decr n. odd decr n = exists pred_decr. decr = Succ pred_decr ( n = Succ Zero odd pred_decr n exists m. n = Succ (Succ m) odd pred_decr m) pred_decr: unrolling (ensure WF) transform predicate into regular recursive function solver picks initial value of decr 13 / 21

Elimination of HOF λ-lifting Transform C[λx. x + g y + a] into C[f 37 y] where f 37 y x := x + g y + a Introduction of Application symbols Replace f : τ 1 τ 2 by the constant f : to τ 1 τ 2 and app f : to τ 1 τ 2 τ 1 τ 2 add guards and extensionality axioms to preserve semantics. 14 / 21

Elimination of HOF λ-lifting Transform C[λx. x + g y + a] into C[f 37 y] where f 37 y x := x + g y + a Introduction of Application symbols Replace f : τ 1 τ 2 by the constant f : to τ 1 τ 2 and app f : to τ 1 τ 2 τ 1 τ 2 add guards and extensionality axioms to preserve semantics. 14 / 21

Elimination of Recursive Functions Recursive function x : τ. f x :=... f y... intractable for finite model finding if card(τ) = quantify over α τ, an unspecified finite subset of τ a : α τ. f (γ τ a) :=... (f y asserting b : α τ. y = γ τ b)... CVC4 supports quantification over finite types! transformation critical in practice (many recursive functions!) also work for productive functions on codata, tailrec functions... (publications: SMT2015, IJCAR2016) 15 / 21

Backend (CVC4) send first-order problem to CVC4 (using SMTLIB syntax) CVC4 supports finite model finding, (co)datatypes,... try different sets of options in parallel parse result (including model, if any) end of pipeline: easily replaced by another backend We will soon add other backends! In some sense, Nunchaku is to become a unified language for model finders! 16 / 21

Summary Introduction Nunchaku as a Blackbox Encodings Implementation Conclusion 16 / 21

Nunchaku: the software free software (BSD license) on the Inria forge and github modular OCaml code base one transformation = one module most functionality in a library, independent of CLI tool dead simple input parser few dependencies communication with backends via text and subprocesses 17 / 21

Transformations Each transformation as a pair of function encode: α β st (encode + return some state) decode: st γ δ (decode using previously returned state) type (α, β, γ, δ, st) transformation_inner = { name : string; encode : α (β st); decode : st γ δ; (... ) } type (α, β, γ, δ) transformation = Ex : (α, β, γ, δ, st) transformation_inner (α, β, γ, δ) t Example val monomorphization : (poly_pb, mono_pb, mono_model, poly_model) transformation 18 / 21

Transformations Each transformation as a pair of function encode: α β st (encode + return some state) decode: st γ δ (decode using previously returned state) type (α, β, γ, δ, st) transformation_inner = { name : string; encode : α (β st); decode : st γ δ; (... ) } type (α, β, γ, δ) transformation = Ex : (α, β, γ, δ, st) transformation_inner (α, β, γ, δ) t Example val monomorphization : (poly_pb, mono_pb, mono_model, poly_model) transformation 18 / 21

The Pipeline The pipeline is a composition of transformations val id : (α, α, β, β) pipe val compose : (α, β, e, f) transformation (β, γ, δ, e) pipe (α, γ, δ, f) pipe This way, many pipelines for different backends can be built safely, by mere composition. 19 / 21

The Pipeline The pipeline is a composition of transformations val id : (α, α, β, β) pipe val compose : (α, β, e, f) transformation (β, γ, δ, e) pipe (α, γ, δ, f) pipe This way, many pipelines for different backends can be built safely, by mere composition. 19 / 21

Summary Introduction Nunchaku as a Blackbox Encodings Implementation Conclusion 19 / 21

Future Ongoing Work Lots of things! 1. currently: finishing support for HOF 2. next: multi backends 3. dependent types in input? ( Coq, lean... ) 4. more accurate translations 5.... (research!) 20 / 21

21 / 21 Thank you for your attention! Questions?

Model for the "De Bruijn" problem } SAT: { val _witness_of (exists t/240:term (ρ/241:nat term). ~ ((subst ρ/241 t/240) = t/240)) := Var Z. val bump := fun (v_0/234 : nat) (v_1/235 : nat term) (v_1/236 : nat). if v_0/234 = S Z v_1/235 = $to_nat_term_0 v_1/236 = Z then Var (S Z) else? (bump v_0/234 v_1/235 v_1/236). val subst := fun (v_0/237 : nat term) (v_1/238 : term). if v_0/237 = $to_nat_term_0 v_1/238 = Var Z then Var (S Z) else? (subst v_0/237 v_1/238). val _witness_of (exists (ρ/104:nat term). ~ ((subst ρ/104 t/103) = t/103)) := fun (v_1/239 : nat). if v_1/239 = Z then Var (S Z) else? (nun_sk_1 v_1/239). 22 / 21

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback