Why higher-order logic? Higher-Order logic Expressive Mathematics - PowerPoint PPT Presentation

Extending SMT solvers to higher-order logic ∗ Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 2019–07–07, Lisbon, PT ∗ To be published in the proceedings of CADE 2019

Why higher-order logic? Higher-Order logic ⊲ Expressive ◮ Mathematics ◮ Verification conditions ⊲ The language of proof assistants ◮ Isabelle, Coq, Lean, ... Automation ⊲ Reducing the burden of proof on users Extending SMT solvers to higher-order logic 1 / 16

State of the art of HOL automation ⊲ Higher-order provers Leo-III, Satalax, ... ◮ Scalability issues on problems with large FO component ⊲ Hammers HOL y Hammer, Miz AR , Sledgehammer, ... ◮ Issues with performance, soundness, or completeness Extending SMT solvers to higher-order logic 2 / 16

State of the art of HOL automation ⊲ Higher-order provers Leo-III, Satalax, ... ◮ Scalability issues on problems with large FO component ⊲ Hammers HOL y Hammer, Miz AR , Sledgehammer, ... ◮ Issues with performance, soundness, or completeness “Timeouts into quick unsats” f ( λx. g ( x ) + h ( x )) ≃ f ( λx. h ( x ) + g ( x )) ↓ cong, ext ( ∀ x. g ( x ) + h ( x ) ≃ h ( x ) + g ( x )) ⇒ f ( λx. g ( x ) + h ( x )) ≃ f ( λx. h ( x ) + g ( x )) ↓ ¬ , CNF g ( sk ) + h ( sk ) �≃ h ( sk ) + g ( sk ) f ( λx. g ( x ) + h ( x )) �≃ f ( λx. h ( x ) + g ( x )) Extending SMT solvers to higher-order logic 2 / 16

Outline ⊲ What we mean by higher-order logic ⊲ Extending an SMT solver pragmatically ⊲ Extending an SMT solver via redesign ⊲ Evaluation

Fragments of interest Features FOL λ fHOL HOL function � � � quantification on objects � � � quantification on functions ✗ � � partial applications � � ✗ anonymous functions ✗ ✗ � ⊲ Henkin semantics ◮ Function interpretations restricted to terms expressible in formula’s signature ⊲ Extensionality ∀ ¯ x. f (¯ x ) ≃ g (¯ x ) ↔ f ≃ g Extending SMT solvers to higher-order logic 3 / 16

Fragments of interest Features FOL λ fHOL HOL function � � � quantification on objects � � � quantification on functions ✗ � � partial applications � � ✗ anonymous functions ✗ ✗ � ⊲ Henkin semantics ◮ Function interpretations restricted to terms expressible in formula’s signature ⊲ Extensionality ∀ ¯ x. f (¯ x ) ≃ g (¯ x ) ↔ f ≃ g Goal: simplicity , practicality , and effectiveness Extending SMT solvers to higher-order logic 3 / 16

A CDCL( T ) SMT solver SMT solver Instantiation module Model SMT formula Assignment Instance UNSAT Ground Rewriter solver ⊲ Rewriter simplifies terms x + 0 → x a �≃ a → ⊥ (str . replace x (str . ++ x x ) y ) → x ⊲ Ground solver enumerates assignments E ∪ Q ◮ E is a set of ground literals { a ≤ b , b ≤ a + x, x ≃ 0 , f ( a ) �≃ f ( b ) } ◮ Q is a set of quantified clauses {∀ xyz. f ( x ) �≃ f ( z ) ∨ g ( y ) ≃ h ( z ) } ⊲ Instantiation module generates instances of Q f ( a ) �≃ f ( b ) ∨ g ( a ) ≃ h ( b ) Extending SMT solvers to higher-order logic 4 / 16

A pragmatic extension ⊲ Preprocessing ϕ [1+] ◮ Totalizing applications of theory symbols ϕ [ λx. 1 + x ] ϕ [ λx. t ] ◮ λ -lifting ϕ [ f ( t )] ∧ ∀ x. f ( x ) ≃ t ⊲ Ground EUF solver ◮ Lazy applicative encoding ◮ Extensionality lemmas ◮ Polynomial model construction for partial functions ⊲ Instantiation module ◮ Extending E -matching ◮ Adding expressivity via axioms Extending SMT solvers to higher-order logic 5 / 16

Applicative encoding ⊲ Every functional sort converted into an atomic sort ⊲ Every n -ary function symbol converted into a constant ⊲ Every function application converted into @ applications ϕ [ f ( t 1 , . . . , t n )] ϕ [@( . . . (@( f , t 1 ) , . . . ) , t n )] f ( a ) ≃ g ∧ f ( a , a ) �≃ g ( a ) ∧ g ( a ) ≃ h ( a ) ↓ ↓ ↓ @( f , a ) ≃ g ∧ @(@( f , a ) , a ) �≃ @( g , a ) ∧ @( g , a ) ≃ @( h , a ) Extending SMT solvers to higher-order logic 6 / 16

Lazy applicative encoding ⊲ Encode partial applications eagerly ⊲ Apply regular congruence closure ⊲ Lazily encode relevant applications 1 E = { @( f , a ) ≃ g , f ( a , a ) �≃ g ( a ) , g ( a ) ≃ h ( a ) } is satisfiable E �| = f ( a , a ) ≃ g ( a )

Lazy applicative encoding ⊲ Encode partial applications eagerly ⊲ Apply regular congruence closure ⊲ Lazily encode relevant applications 1 E = { @( f , a ) ≃ g , f ( a , a ) �≃ g ( a ) , g ( a ) ≃ h ( a ) } is satisfiable E �| = f ( a , a ) ≃ g ( a ) 2 Applications of f and g need to be encoded

Lazy applicative encoding ⊲ Encode partial applications eagerly ⊲ Apply regular congruence closure ⊲ Lazily encode relevant applications 1 E = { @( f , a ) ≃ g , f ( a , a ) �≃ g ( a ) , g ( a ) ≃ h ( a ) } is satisfiable E �| = f ( a , a ) ≃ g ( a ) 2 Applications of f and g need to be encoded 3 E ′ = E ∪ { @(@( f , a ) , a ) ≃ f ( a , a ) , @( g , a ) ≃ g ( a ) } is unsatisfiable E ′ | = f ( a , a ) ≃ g ( a ) Note that h ( a ) is not encoded! Extending SMT solvers to higher-order logic 7 / 16

Handling extensionality ∀ ¯ x. f (¯ x ) ≃ g (¯ x ) ↔ f ≃ g ⊲ “ ← ” handled by lazy encoding and congruence f ≃ g Cong @( f , t 1 ) ≃ @( g , t 1 ) Cong . . . Cong @( . . . (@( f , t 1 ) , . . . ) , t n ) ≃ @( . . . (@( g , t 1 ) , . . . ) , t n ) ⊲ “ → ” handled by f �≃ g Extensionality f ( sk 1 , . . . , sk n ) �≃ g ( sk 1 , . . . , sk n ) Extending SMT solvers to higher-order logic 8 / 16

Avoiding exponential model construction Functions are interpreted as if-then-else: M ( f ) = λx. ite ( x ≃ t 1 , s 1 , . . . ite ( x ≃ t n − 1 , s n − 1 , s n ) . . . ) Partial applications can lead to exponentially many cases! f 1 ( a ) ≃ f 1 ( b ) ∧ f 1 ( b ) ≃ f 2 ∧ f 2 ( a ) ≃ f 2 ( b ) ∧ f 2 ( b ) ≃ f 3 ∧ f 3 ( a ) ≃ f 3 ( b ) ∧ f 3 ( b ) ≃ c 8 ite entries to model that f 1 ( x, y, z ) ≃ c, for x, y, z ∈ { a , b } Extending SMT solvers to higher-order logic 9 / 16

Avoiding exponential model construction Functions are interpreted as if-then-else: M ( f ) = λx. ite ( x ≃ t 1 , s 1 , . . . ite ( x ≃ t n − 1 , s n − 1 , s n ) . . . ) Partial applications can lead to exponentially many cases! f 1 ( a ) ≃ f 1 ( b ) ∧ f 1 ( b ) ≃ f 2 ∧ f 2 ( a ) ≃ f 2 ( b ) ∧ f 2 ( b ) ≃ f 3 ∧ f 3 ( a ) ≃ f 3 ( b ) ∧ f 3 ( b ) ≃ c 8 ite entries to model that f 1 ( x, y, z ) ≃ c, for x, y, z ∈ { a , b } Polynomial construction in the “depth” of functions chain M ( f 1 ) = λxyz. ite ( x ≃ a , M ( f 2 )( y, z ) , ite ( x ≃ b , M ( f 2 )( y, z ) , ))

Avoiding exponential model construction Functions are interpreted as if-then-else: M ( f ) = λx. ite ( x ≃ t 1 , s 1 , . . . ite ( x ≃ t n − 1 , s n − 1 , s n ) . . . ) Partial applications can lead to exponentially many cases! f 1 ( a ) ≃ f 1 ( b ) ∧ f 1 ( b ) ≃ f 2 ∧ f 2 ( a ) ≃ f 2 ( b ) ∧ f 2 ( b ) ≃ f 3 ∧ f 3 ( a ) ≃ f 3 ( b ) ∧ f 3 ( b ) ≃ c 8 ite entries to model that f 1 ( x, y, z ) ≃ c, for x, y, z ∈ { a , b } Polynomial construction in the “depth” of functions chain M ( f 1 ) = λxyz. ite ( x ≃ a , M ( f 2 )( y, z ) , ite ( x ≃ b , M ( f 2 )( y, z ) , )) M ( f 2 ) = λxy. ite ( x ≃ a , M ( f 3 )( y ) , ite ( x ≃ b , M ( f 3 )( y ) , ))

Avoiding exponential model construction Functions are interpreted as if-then-else: M ( f ) = λx. ite ( x ≃ t 1 , s 1 , . . . ite ( x ≃ t n − 1 , s n − 1 , s n ) . . . ) Partial applications can lead to exponentially many cases! f 1 ( a ) ≃ f 1 ( b ) ∧ f 1 ( b ) ≃ f 2 ∧ f 2 ( a ) ≃ f 2 ( b ) ∧ f 2 ( b ) ≃ f 3 ∧ f 3 ( a ) ≃ f 3 ( b ) ∧ f 3 ( b ) ≃ c 8 ite entries to model that f 1 ( x, y, z ) ≃ c, for x, y, z ∈ { a , b } Polynomial construction in the “depth” of functions chain M ( f 1 ) = λxyz. ite ( x ≃ a , M ( f 2 )( y, z ) , ite ( x ≃ b , M ( f 2 )( y, z ) , )) M ( f 2 ) = λxy. ite ( x ≃ a , M ( f 3 )( y ) , ite ( x ≃ b , M ( f 3 )( y ) , )) M ( f 3 ) = λx. ite ( x ≃ a , c , ite ( x ≃ b , c , )) Extending SMT solvers to higher-order logic 9 / 16

Extending E -matching ⊲ Since @ is overloaded, matching must account for types of arguments ◮ @( x, a ) can’t match @( f , a ) if x and f of different types ⊲ Indexing robust to mixed partial/total applications ◮ In HOL applications with different heads can be equal @( f , a ) ≃ g allows matching g ( x ) with f ( a , b ) ⊲ HO- E -matching left for future work Extending SMT solvers to higher-order logic 10 / 16

Using well-chosen axioms ⊲ Store axiom ∀ F. ∀ x, y. ∃ G. ∀ z. G ( z ) ≃ ite ( z ≃ x, y, F ( z )) ⊲ Instances from the larger set of functions representable in the signature a �≃ b ∧ ∀ F, G. F ≃ G is unsatisfiable ⊲ Requires F �→ ( λw. a ) , G �→ ( λw. b ) ⊲ E -matching can’t derive this instantiation Extending SMT solvers to higher-order logic 11 / 16

Redesigning the SMT solver ⊲ Simpler and more flexible congruence closure ◮ Graph representation rather than UNION-FIND ◮ Quadratic instead of O ( n log n ) ⊲ Ground solver uses two term representations ◮ Curried for EUF ◮ Regular for the rest ⊲ Theory combination and instantiation operate via interface Extending SMT solvers to higher-order logic 12 / 16