Practical proof reconstruction for first-order logic and - - PowerPoint PPT Presentation

practical proof reconstruction for first order logic and
SMART_READER_LITE
LIVE PREVIEW

Practical proof reconstruction for first-order logic and - - PowerPoint PPT Presentation

Sep 07, 2023 577 likes •1.03k views

Practical proof reconstruction for first-order logic and set-theoretical constructions Cl ement Hurlin January 25, 2007 Outline 1 Introduction Two different worlds Proof reconstruction General procedure Targeted languages 2 Quantifier

slide-1
SLIDE 1

Practical proof reconstruction for first-order logic and set-theoretical constructions

Cl´ ement Hurlin January 25, 2007

slide-2
SLIDE 2

Outline

1 Introduction

Two different worlds Proof reconstruction General procedure Targeted languages

2 Quantifier free first-order logic 3 First-order logic without existential quantifiers 4 Full first-order logic 5 Set-theoretical constructions

Tactic-style Reflection Performances

6 Conclusion and further work

2

slide-3
SLIDE 3

Introduction

Two different worlds

1

Automatic tools

First-order logic (FOL). Very efficient. Large piece of code: difficult to prove soundness.

Interactive tools

Higher order logic. A few automatic tactics. Yet, does not handle big formulas. High degree of confidence (e.g. Isabelle or Coq).

3

slide-4
SLIDE 4

Introduction

Proof reconstruction

1

Proof search in a tool and verification in another one. Combination of an automatic and an interactive tool. Advantages:

◮ automation of the first. ◮ soundness and expressiveness of the latter.

Very generic approach. In our work: integration of haRVey within Isabelle.

4

slide-5
SLIDE 5

Introduction

General procedure

1 Isabelle haRVey F ¬F

proof search

  • proof trace

proof certified

  • proof trace
  • Procedure

5

slide-6
SLIDE 6

Introduction

General procedure

1

Isabelle F (validity)

  • haRVey

¬F (satisfiability)

  • ¬F unsatisfiable
  • ¬F satisfiable
  • Isabelle

reconstruction failure

The proof is entirely certified by the Isabelle kernel. The proof trace must be expressive enough for an automatic certification. Thus, no user interaction at all.

6

slide-7
SLIDE 7

Introduction

Targeted languages

1

First-order logic. Set-theoretical constructions: (X ∩ Y = ∅) ∧ (X \ Z = X) ∧ (Y ∩ Z = ∅) − → X ∩ (Y ∪ Z) = ∅, With a few restrictions, set-theoretical constructions can be reduced to first-order logic. They are encountered when using B or TLA+.

7

slide-8
SLIDE 8

Introduction

Targeted languages

1

A ⊂ ({a, b} ∩ D) (SET) ∀x.[A(x) − → (x = a ∨ x = b) ∧ D(x)]∧ ∃x.[¬A(x) ∧ (x = a ∨ x = b) ∧ D(x)] (FOL) ∀x.[A(x) − → (x = a ∨ x = b) ∧ D(x)]∧

  • ¬A(c) ∧ (c = a ∨ c = b) ∧ D(c)
  • (∀FOL)
  • A(a) −

→ (a = a ∨ a = b) ∧ D(a)

  • A(b) −

→ (b = a ∨ b = b) ∧ D(b)

  • A(c) −

→ (c = a ∨ c = b) ∧ D(c)

  • ¬A(c) ∧ (c = a ∨ c = b) ∧ D(c)
  • (QF-FOL)

8

slide-9
SLIDE 9

Quantifier free first-order logic

2

Previous work by Pascal Fontaine, Stephan Merz et al. Uses a congruence closure algorithm. This algorithm decide satisfiability of formulas containing uninterpreted symbols and equalities. It builds equivalence classes between equal terms.

9

slide-10
SLIDE 10

Quantifier free first-order logic

2

Previous work by Pascal Fontaine, Stephan Merz et al. Uses a congruence closure algorithm. This algorithm decide satisfiability of formulas containing uninterpreted symbols and equalities. It builds equivalence classes between equal terms. Given the following hypotheses : a = b, f(b) = f(c). a b c f(a) f(b) f(c)

9

slide-11
SLIDE 11

Quantifier free first-order logic

2

Previous work by Pascal Fontaine, Stephan Merz et al. Uses a congruence closure algorithm. This algorithm decide satisfiability of formulas containing uninterpreted symbols and equalities. It builds equivalence classes between equal terms. Given the following hypotheses : a = b, f(b) = f(c). a b c f(a) f(b) f(c)

9

slide-12
SLIDE 12

Quantifier free first-order logic

2

Previous work by Pascal Fontaine, Stephan Merz et al. Uses a congruence closure algorithm. This algorithm decide satisfiability of formulas containing uninterpreted symbols and equalities. It builds equivalence classes between equal terms. Given the following hypotheses : a = b, f(b) = f(c). a b c f(a)

C

f(b) f(c)

9

slide-13
SLIDE 13

Quantifier free first-order logic

2

Properties

Reasoning is reconstructed by following the path between terms. This allows to reconstruct the proof in a straight-forward way. Reasoning can be decomposed into 4 simple rules:

10

slide-14
SLIDE 14

Quantifier free first-order logic

2

Properties

Reasoning is reconstructed by following the path between terms. This allows to reconstruct the proof in a straight-forward way. Reasoning can be decomposed into 4 simple rules:

1 substitution and contradiction [

[s = t; P(s); ¬P(t)] ] = ⇒ False.

10

slide-15
SLIDE 15

Quantifier free first-order logic

2

Properties

Reasoning is reconstructed by following the path between terms. This allows to reconstruct the proof in a straight-forward way. Reasoning can be decomposed into 4 simple rules:

1 substitution and contradiction [

[s = t; P(s); ¬P(t)] ] = ⇒ False.

2 contradiction [

[s = t; s = t] ] = ⇒ False.

10

slide-16
SLIDE 16

Quantifier free first-order logic

2

Properties

Reasoning is reconstructed by following the path between terms. This allows to reconstruct the proof in a straight-forward way. Reasoning can be decomposed into 4 simple rules:

1 substitution and contradiction [

[s = t; P(s); ¬P(t)] ] = ⇒ False.

2 contradiction [

[s = t; s = t] ] = ⇒ False.

3 congruence [

[f = g; x = y] ] = ⇒ f(x) = g(y).

10

slide-17
SLIDE 17

Quantifier free first-order logic

2

Properties

Reasoning is reconstructed by following the path between terms. This allows to reconstruct the proof in a straight-forward way. Reasoning can be decomposed into 4 simple rules:

1 substitution and contradiction [

[s = t; P(s); ¬P(t)] ] = ⇒ False.

2 contradiction [

[s = t; s = t] ] = ⇒ False.

3 congruence [

[f = g; x = y] ] = ⇒ f(x) = g(y).

4 reflexivity, symmetry and transitivity of equality

[ [a = b; c = b] ] = ⇒ a = c.

10

slide-18
SLIDE 18

Quantifier free first-order logic

2 Isabelle haRVey F ∈ QF-FOL ¬F

proof search

  • proof trace

CC certified

  • proof trace
  • Procedure for QF-FOL

11

slide-19
SLIDE 19

First-order logic without existential quantifiers

3

Brute force instantiation of universal quantifiers:

  • ∀x.P(x)

→ P(a1) ∧ · · · ∧ P(an) where {a1, . . . , an} is the Herbrand universe. Terminates if:

(i) Instantiations are selected in a fair way. (ii) Formula is unsatisfiable.

12

slide-20
SLIDE 20

First-order logic without existential quantifiers

3

Brute force instantiation of universal quantifiers:

  • ∀x.P(x)

→ P(a1) ∧ · · · ∧ P(an) where {a1, . . . , an} is the Herbrand universe. Terminates if:

(i) Instantiations are selected in a fair way. (ii) Formula is unsatisfiable.

Efficiency: certifying instantiations does not deal with the logical structure of the formula. a = b∧

  • (P ∧ ¬Q) ∨ ∀x.x = a
  • 12
slide-21
SLIDE 21

First-order logic without existential quantifiers

3

Brute force instantiation of universal quantifiers:

  • ∀x.P(x)

→ P(a1) ∧ · · · ∧ P(an) where {a1, . . . , an} is the Herbrand universe. Terminates if:

(i) Instantiations are selected in a fair way. (ii) Formula is unsatisfiable.

Efficiency: certifying instantiations does not deal with the logical structure of the formula. a = b∧

  • (P ∧ ¬Q) ∨ ∀x.x = a
  • becomes

a = b∧

  • (P ∧ ¬Q) ∨ ∀x.x = a

∧(∀x.[x = a] − → a = a) ∧ (∀x.[x = a] − → b = a)

12

slide-22
SLIDE 22

First-order logic without existential quantifiers

3

A boolean abstraction mechanism is used to handle the boolean structure of the formula This stage is reconstructed by calling a SAT solver (previous work by Tjark Weber): a = b∧

  • (P ∧ ¬Q) ∨ ∀x.x = a
  • becomes

a = b∧

  • (P ∧ ¬Q) ∨ ∀x.x = a

(∀x.[x = a] − → a = a) ∧ (∀x.[x = a] − → b = a)

13

slide-23
SLIDE 23

First-order logic without existential quantifiers

3

A boolean abstraction mechanism is used to handle the boolean structure of the formula This stage is reconstructed by calling a SAT solver (previous work by Tjark Weber): a = b∧

  • (P ∧ ¬Q) ∨ ∀x.x = a
  • becomes

a = b

¬A

  • (P ∧ ¬Q) ∨ ∀x.x = a
  • B

(∀x.[x = a]

  • B

− → a = a

C

) ∧ (∀x.[x = a]

  • B

− → b = a

A

)

13

slide-24
SLIDE 24

First-order logic without existential quantifiers

3 Isabelle haRVey F

′ ∈ ∀FOL

¬F

instantiations

  • F

CC certified

  • F ∈ QF-FOL

CC

  • proof trace

instantiations certified

  • proof trace
  • Procedure for ∀FOL

14

slide-25
SLIDE 25

First-order logic without existential quantifiers

3

With a proof trace consisting solely of strings, most of the time was spent parsing the trace! The proof trace is now written in ML.

example

However formulas are still strings (thus frequent calls to the Isabelle parser) Currently, arguing between Nancy and Munich to switch to a proof trace completely in ML or in XML format.

15

slide-26
SLIDE 26

Full first-order logic

4

Universal and existential quantifiers. Pre-processing: existential quantifiers removed by skolemization. haRVey’s implements inner skolemization.

16

slide-27
SLIDE 27

Full first-order logic

4

Universal and existential quantifiers. Pre-processing: existential quantifiers removed by skolemization. haRVey’s implements inner skolemization. Given a formula φ each occurrence of a sub-formula of the form ∃x.ψ(x) is replaced by ψ{x/f(y1, . . . , yn)} where : (i) f is a new symbol function. (ii) {y1, . . . , yn} is the set of free variables of the sub-formula ∃x.ψ(x).

16

slide-28
SLIDE 28

Full first-order logic

4

Universal and existential quantifiers. Pre-processing: existential quantifiers removed by skolemization. haRVey’s implements inner skolemization. Given a formula φ each occurrence of a sub-formula of the form ∃x.ψ(x) is replaced by ψ{x/f(y1, . . . , yn)} where : (i) f is a new symbol function. (ii) {y1, . . . , yn} is the set of free variables of the sub-formula ∃x.ψ(x). This transformation involves: a sub-formula. a set of free variables.

16

slide-29
SLIDE 29

Full first-order logic

4

In Isabelle, skolemization is done with the rule choice : Γ, ∃f.∀x.P(x, f(x)) ⊢ ∆

choice

Γ, ∀x.∃y.P(x, y) ⊢ ∆ This rule has a purely local behavior: Γ, ∀x.P ∧ Q

  • x, f(x)
  • ⊢ ∆

∃ elimination

Γ, ∃f.∀x.P ∧ Q

  • x, f(x))
  • ⊢ ∆

choice

Γ, ∀x.∃y.P ∧ Q(x, y) ⊢ ∆

extra-scope ∃

Γ, ∀x.P ∧ ∃y.Q(x, y) ⊢ ∆

17

slide-30
SLIDE 30

Full first-order logic

4

Inner skolemization cannot be simulated with choice. Thus, inner skolemization not re-playable as it in Isabelle. In the implementation, skolemization done directly in Isabelle (by successive applications of choice). Preceded by a mini-scoping step, this technique gives good results.

18

slide-31
SLIDE 31

Full first-order logic

4 Isabelle haRVey F

′′ ∈ FOL

skolemization

  • F

′ ∈ ∀FOL

¬F

instantiations

  • F

CC certified

  • F ∈ QF-FOL

CC

  • proof trace

instantiations certified

  • proof trace
  • Procedure for FOL

19

slide-32
SLIDE 32

Set-theoretical constructions

5

Transformation from SET to FOL by considering sets by their characteristic predicates: a ∈ A ∧ A ⊆ B ˘ A(a) ∧ ∀x. ˘ A(x) − → ˘ B(x) a ∈ (A \ B) ∧ ∅ ⊆ {a} ( ˘ A(a) ∧ ¬ ˘ B(a)) ∧ (∀x.⊥ − → x = a)

20

slide-33
SLIDE 33

Set-theoretical constructions

5

Transformation from SET to FOL by considering sets by their characteristic predicates: a ∈ A ∧ A ⊆ B ˘ A(a) ∧ ∀x. ˘ A(x) − → ˘ B(x) a ∈ (A \ B) ∧ ∅ ⊆ {a} ( ˘ A(a) ∧ ¬ ˘ B(a)) ∧ (∀x.⊥ − → x = a) In haRVey, this transformation is done by rewriting set symbols: λ-terms and quantifiers appear. β-reduction and application of extensionality terminates on a FOL formula.

20

slide-34
SLIDE 34

Set-theoretical constructions

5

Transformation from SET to FOL by considering sets by their characteristic predicates: a ∈ A ∧ A ⊆ B ˘ A(a) ∧ ∀x. ˘ A(x) − → ˘ B(x) a ∈ (A \ B) ∧ ∅ ⊆ {a} ( ˘ A(a) ∧ ¬ ˘ B(a)) ∧ (∀x.⊥ − → x = a) In haRVey, this transformation is done by rewriting set symbols: λ-terms and quantifiers appear. β-reduction and application of extensionality terminates on a FOL formula. It has been written in two manners: A classical tactic-based method. A method relying partially on reflection (up to 10 times faster).

20

slide-35
SLIDE 35

Set-theoretical constructions

Tactic-style

5

For the logical structure (symbols =, ∧, ∨, − →), the following theorem is used: P = P ′, Q = Q′ ⊢ P ′ α Q′ ⊢ P α Q For formulas involving sets (symbols ∈, ⊆, ⊂, =) the following theorems are used: ⊢ ˘ A(a) ⊢ a ∈ A ⊢ ∀x. ˘ A(x) − → ˘ B(x) ⊢ A ⊆ B ⊢ ∀x.[ ˘ A(x) − → ˘ B(x)] ∧ ∃x.[ ˘ B(x) ∧ ¬ ˘ A(x)] ⊢ A ⊂ B ⊢ ∀x. ˘ A(x) = ˘ B(x) ⊢ A = B

21

slide-36
SLIDE 36

Set-theoretical constructions

Tactic-style

5

Handling the structure of sets involved in the goal is done with the following theorems: ⊢ ∀x. ˘ A(x) ∧ ˘ B(x) ⊢ ∀x.x ∈ (A ∩ B) ⊢ ∀x. ˘ A(x) ∨ ˘ B(x) ⊢ ∀x.x ∈ (A ∪ B) ⊢ ∀x. ˘ A(x) ∧ ¬ ˘ B(x) ⊢ ∀x.x ∈ (A \ B)

22

slide-37
SLIDE 37

Set-theoretical constructions

Reflection

5

Partial: Only terms representing sets are reflected (not formulas). The transformation to predicates is done using Isabelle’s simplifier

◮ Better performance could be obtained by code extraction. 23

slide-38
SLIDE 38

Set-theoretical constructions

Performances

5

test # size induction (sec) reflection (sec) 1 3401 2,13 0,72 2 3908 15,69 1,56 3 7071 4,11 2,08 4 4603 4,01 2,40 5 5906 59,12 2,85 6 7388 failure 1,02 7 12666 65,30 6,99 8 11722 7,44 2,85 Induction vs reflection

24

slide-39
SLIDE 39

Set-theoretical constructions

Performances

5 Isabelle haRVey G ∈ SET

set2fol

  • F

′′ ∈ FOL

skolemization

  • F

′ ∈ ∀FOL

¬F

instantiations

  • F

CC certified

  • F ∈ QF-FOL

CC

  • proof trace

instantiations certified

  • proof trace
  • Complete procedure

25

slide-40
SLIDE 40

Conclusion and further work

6

Contributions

This method brings expressiveness, automation, and soundness together. Working implementation proof reconstruction for an expressive language. It can be adapted to other tools.

26

slide-41
SLIDE 41

Conclusion and further work

6

Contributions

This method brings expressiveness, automation, and soundness together. Working implementation proof reconstruction for an expressive language. It can be adapted to other tools. Going further: Enhancement of the proof trace format. Heuristics to select instantiations efficiently. Adaptation to other theories such as arithmetic. Definition of a standard trace format ?

26

slide-42
SLIDE 42

Annex

6

Reflection consists in replacing proof search by computation : SET formulas are reflected by formulas SET thanks to reify : SET − → SET and set2fol : SET − → FOL. We prove : ∀S. ( |set2fol(S)| ) = [ [S] ] (1) Beginning with a SET formula S′, we obtain a FOL formula F :

1 reify is applied to S′ and yields S belonging to SET . We prove

( |S′| ) = [ [S] ].

2 set2fol is applied to S and yields a formula F belonging to FOL.

By instantiating (1), we have [ [S] ] = ( |F| ). By transitivity ( |S′| ) = ( |F| ).

27

slide-43
SLIDE 43

Annex

6

ML types : rv proof inst: string list

back

rv proof congr:((string * string) list * string) list

(rv_proof_inst := [ "((ALL (x::’a). ((b::’a) = ((g::’a => ’a)(x::’a)))) -->((b::’a) = ((g::’a => ’a)((g::’a => ’a)(b::’a)))))", "((ALL (x::’a). ((b::’a) = ((g::’a => ’a)(x::’a)))) -->((b::’a) = ((g::’a => ’a)((f::’a => ’a)(a::’a)))))", "((ALL (x::’a). ((b::’a) = ((g::’a => ’a)(x::’a)))) -->((b::’a) = ((g::’a => ’a)(a::’a))))", "((ALL (x::’a). ((b::’a) = ((g::’a => ’a)(x::’a)))) -->((b::’a) = ((g::’a => ’a)(b::’a))))" ]; rv_proof_congr := [ ( [ ("INEQ" , "[| ((b::’a) = ((f::’a => ’a)(a::’a))); (~ ((b::’a) = ((f::’a => ’a)(a::’a)))) |] ==> False"), ("TRANS", "[| ((b::’a) = ((g::’a => ’a)(a::’a))); (((g::’a => ’a)(b::’a)) = ((g::’a => ’a)(a::’a))); (((f ==> ((b::’a) = ((f::’a => ’a)(a::’a)))"), ("CONGR", "[| ((a::’a) = (b::’a)) |] ==> (((g::’a => ’a)(b::’a)) = ((g::’a => ’a)(a::’a)))") ], "((b::’a) = ((f::’a => ’a)(a::’a))) | (~ ((b::’a) = ((g::’a => ’a)(a::’a)))) | (~ (((f::’a => ’a)(a::’a)) = ((g::’a => ’a)(b::’a)))) | (~ ((a::’a) = (b::’a)))" ) ]) 28