Why higher-order logic? Higher-Order logic Expressive Mathematics - - PowerPoint PPT Presentation

Extending SMT solvers to higher-order logic∗

Haniel Barbosa Andrew Reynolds Cesare Tinelli Daniel El Ouraoui Clark Barrett SMT 2019

2019–07–07, Lisbon, PT

∗To be published in the proceedings of CADE 2019

Why higher-order logic?

Higher-Order logic

⊲ Expressive

◮ Mathematics ◮ Verification conditions

⊲ The language of proof assistants

◮ Isabelle, Coq, Lean, ...

Automation

⊲ Reducing the burden of proof on users

Extending SMT solvers to higher-order logic 1 / 16

State of the art of HOL automation

⊲ Higher-order provers

Leo-III, Satalax, ... ◮ Scalability issues on problems with large FO component

⊲ Hammers

HOLyHammer, MizAR, Sledgehammer, ... ◮ Issues with performance, soundness, or completeness

Extending SMT solvers to higher-order logic 2 / 16

State of the art of HOL automation

⊲ Higher-order provers

Leo-III, Satalax, ... ◮ Scalability issues on problems with large FO component

⊲ Hammers

HOLyHammer, MizAR, Sledgehammer, ... ◮ Issues with performance, soundness, or completeness

“Timeouts into quick unsats”

f(λx. g(x) + h(x)) ≃ f(λx. h(x) + g(x)) ↓ cong, ext (∀x. g(x) + h(x) ≃ h(x) + g(x)) ⇒ f(λx. g(x) + h(x)) ≃ f(λx. h(x) + g(x)) ↓ ¬, CNF g(sk) + h(sk) ≃ h(sk) + g(sk) f(λx. g(x) + h(x)) ≃ f(λx. h(x) + g(x))

Extending SMT solvers to higher-order logic 2 / 16

Outline

⊲ What we mean by higher-order logic ⊲ Extending an SMT solver pragmatically ⊲ Extending an SMT solver via redesign ⊲ Evaluation

Fragments of interest

Features FOL λfHOL HOL function

• quantification on objects
• quantification on functions

✗

• partial applications

✗

• anonymous functions

✗ ✗

• ⊲ Henkin semantics

◮ Function interpretations restricted to terms expressible in formula’s signature

⊲ Extensionality ∀¯

• x. f(¯

x) ≃ g(¯ x) ↔ f ≃ g

Extending SMT solvers to higher-order logic 3 / 16

Fragments of interest

Features FOL λfHOL HOL function

• quantification on objects
• quantification on functions

✗

• partial applications

✗

• anonymous functions

✗ ✗

• ⊲ Henkin semantics

◮ Function interpretations restricted to terms expressible in formula’s signature

⊲ Extensionality ∀¯

• x. f(¯

x) ≃ g(¯ x) ↔ f ≃ g Goal: simplicity, practicality, and effectiveness

Extending SMT solvers to higher-order logic 3 / 16

A CDCL(T ) SMT solver

SMT formula Model UNSAT

SMT solver Instantiation module

Instance Assignment

Ground solver Rewriter

⊲ Rewriter simplifies terms

x + 0 → x a ≃ a → ⊥ (str.replace x (str.++ x x) y) → x

⊲ Ground solver enumerates assignments E ∪ Q

◮ E is a set of ground literals

{a ≤ b, b ≤ a + x, x ≃ 0, f(a) ≃ f(b)}

◮ Q is a set of quantified clauses

{∀xyz. f(x) ≃ f(z) ∨ g(y) ≃ h(z)}

⊲ Instantiation module generates instances of Q

f(a) ≃ f(b) ∨ g(a) ≃ h(b)

Extending SMT solvers to higher-order logic 4 / 16

A pragmatic extension

⊲ Preprocessing

◮ Totalizing applications of theory symbols ϕ[1+] ϕ[λx. 1 + x] ◮ λ-lifting ϕ[λx. t] ϕ[f(t)] ∧ ∀x. f(x) ≃ t

⊲ Ground EUF solver

◮ Lazy applicative encoding ◮ Extensionality lemmas ◮ Polynomial model construction for partial functions

⊲ Instantiation module

◮ Extending E-matching ◮ Adding expressivity via axioms

Extending SMT solvers to higher-order logic 5 / 16

Applicative encoding

⊲ Every functional sort converted into an atomic sort ⊲ Every n-ary function symbol converted into a constant ⊲ Every function application converted into @ applications ϕ[f(t1, . . . , tn)] ϕ[@(. . . (@(f, t1), . . .), tn)] f(a) ≃ g ∧ f(a, a) ≃ g(a) ∧ g(a) ≃ h(a) ↓ ↓ ↓ @(f, a) ≃ g ∧ @(@(f, a), a) ≃ @(g, a) ∧ @(g, a) ≃ @(h, a)

Extending SMT solvers to higher-order logic 6 / 16

Lazy applicative encoding

⊲ Encode partial applications eagerly ⊲ Apply regular congruence closure ⊲ Lazily encode relevant applications

1 E = {@(f, a) ≃ g, f(a, a) ≃ g(a), g(a) ≃ h(a)} is satisfiable

E | = f(a, a) ≃ g(a)

Lazy applicative encoding

⊲ Encode partial applications eagerly ⊲ Apply regular congruence closure ⊲ Lazily encode relevant applications

1 E = {@(f, a) ≃ g, f(a, a) ≃ g(a), g(a) ≃ h(a)} is satisfiable

E | = f(a, a) ≃ g(a)

2 Applications of f and g need to be encoded

Lazy applicative encoding

⊲ Encode partial applications eagerly ⊲ Apply regular congruence closure ⊲ Lazily encode relevant applications

1 E = {@(f, a) ≃ g, f(a, a) ≃ g(a), g(a) ≃ h(a)} is satisfiable

E | = f(a, a) ≃ g(a)

2 Applications of f and g need to be encoded 3 E′ = E ∪ {@(@(f, a), a) ≃ f(a, a), @(g, a) ≃ g(a)} is unsatisfiable

E′ | = f(a, a) ≃ g(a) Note that h(a) is not encoded!

Extending SMT solvers to higher-order logic 7 / 16

Handling extensionality

∀¯

• x. f(¯

x) ≃ g(¯ x) ↔ f ≃ g ⊲ “←” handled by lazy encoding and congruence

f ≃ g Cong @(f, t1) ≃ @(g, t1) Cong . . . Cong @(. . . (@(f, t1), . . .), tn) ≃ @(. . . (@(g, t1), . . .), tn)

⊲ “→” handled by

f ≃ g Extensionality f(sk1, . . . , skn) ≃ g(sk1, . . . , skn)

Extending SMT solvers to higher-order logic 8 / 16

Avoiding exponential model construction

Functions are interpreted as if-then-else:

M(f) = λx. ite(x ≃ t1, s1, . . . ite(x ≃ tn−1, sn−1, sn) . . .)

Partial applications can lead to exponentially many cases!

f1(a) ≃ f1(b) ∧ f1(b) ≃ f2 ∧ f2(a) ≃ f2(b) ∧ f2(b) ≃ f3 ∧ f3(a) ≃ f3(b) ∧ f3(b) ≃ c

8 ite entries to model that f1(x, y, z) ≃ c, for x, y, z ∈ {a, b}

Extending SMT solvers to higher-order logic 9 / 16

Avoiding exponential model construction

Functions are interpreted as if-then-else:

M(f) = λx. ite(x ≃ t1, s1, . . . ite(x ≃ tn−1, sn−1, sn) . . .)

Partial applications can lead to exponentially many cases!

f1(a) ≃ f1(b) ∧ f1(b) ≃ f2 ∧ f2(a) ≃ f2(b) ∧ f2(b) ≃ f3 ∧ f3(a) ≃ f3(b) ∧ f3(b) ≃ c

8 ite entries to model that f1(x, y, z) ≃ c, for x, y, z ∈ {a, b}

Polynomial construction in the “depth” of functions chain

M(f1) = λxyz. ite(x ≃ a, M(f2)(y, z), ite(x ≃ b, M(f2)(y, z), ))

Avoiding exponential model construction

Functions are interpreted as if-then-else:

M(f) = λx. ite(x ≃ t1, s1, . . . ite(x ≃ tn−1, sn−1, sn) . . .)

Partial applications can lead to exponentially many cases!

f1(a) ≃ f1(b) ∧ f1(b) ≃ f2 ∧ f2(a) ≃ f2(b) ∧ f2(b) ≃ f3 ∧ f3(a) ≃ f3(b) ∧ f3(b) ≃ c

8 ite entries to model that f1(x, y, z) ≃ c, for x, y, z ∈ {a, b}

Polynomial construction in the “depth” of functions chain

M(f1) = λxyz. ite(x ≃ a, M(f2)(y, z), ite(x ≃ b, M(f2)(y, z), )) M(f2) = λxy. ite(x ≃ a, M(f3)(y), ite(x ≃ b, M(f3)(y), ))

Avoiding exponential model construction

Functions are interpreted as if-then-else:

M(f) = λx. ite(x ≃ t1, s1, . . . ite(x ≃ tn−1, sn−1, sn) . . .)

Partial applications can lead to exponentially many cases!

f1(a) ≃ f1(b) ∧ f1(b) ≃ f2 ∧ f2(a) ≃ f2(b) ∧ f2(b) ≃ f3 ∧ f3(a) ≃ f3(b) ∧ f3(b) ≃ c

8 ite entries to model that f1(x, y, z) ≃ c, for x, y, z ∈ {a, b}

Polynomial construction in the “depth” of functions chain

M(f1) = λxyz. ite(x ≃ a, M(f2)(y, z), ite(x ≃ b, M(f2)(y, z), )) M(f2) = λxy. ite(x ≃ a, M(f3)(y), ite(x ≃ b, M(f3)(y), )) M(f3) = λx. ite(x ≃ a, c, ite(x ≃ b, c, ))

Extending SMT solvers to higher-order logic 9 / 16

Extending E-matching

⊲ Since @ is overloaded, matching must account for types of arguments

◮ @(x, a) can’t match @(f, a) if x and f of different types

⊲ Indexing robust to mixed partial/total applications

◮ In HOL applications with different heads can be equal @(f, a) ≃ g allows matching g(x) with f(a, b)

⊲ HO-E-matching left for future work

Extending SMT solvers to higher-order logic 10 / 16

Using well-chosen axioms

⊲ Store axiom ∀F. ∀x, y. ∃G. ∀z. G(z) ≃ ite(z ≃ x, y, F(z)) ⊲ Instances from the larger set of functions representable in the signature a ≃ b ∧ ∀F, G. F ≃ G is unsatisfiable ⊲ Requires F → (λw. a), G → (λw. b) ⊲ E-matching can’t derive this instantiation

Extending SMT solvers to higher-order logic 11 / 16

Redesigning the SMT solver

⊲ Simpler and more flexible congruence closure

◮ Graph representation rather than UNION-FIND ◮ Quadratic instead of O(n log n)

⊲ Ground solver uses two term representations

◮ Curried for EUF ◮ Regular for the rest

⊲ Theory combination and instantiation operate via interface

Extending SMT solvers to higher-order logic 12 / 16

Evaluation

⊲ Pragmatic cvc4 and redesigned veriT ⊲ Benchmarks

◮ Monomorphic TPTP-THF ◮ Benchmarks from Sledghammer, with 32, 512 and 1024 axioms

⊲ Compared against

◮ Full encoding-based versions of cvc4 and veriT ◮ HO-provers Leo-III and Satallax ◮ λfHO-prover Ehoh

Extending SMT solvers to higher-order logic 13 / 16

Evaluation

1400 1600 1800 2000 2200 2400 2600 10

1

100 101 @cvc-sax Ehoh cvc-sax Leo-III vt @vt Satallax

⊲ Solved problems among 5,543 benchmarks supported by all solvers ⊲ 60s timeout

Extending SMT solvers to higher-order logic 14 / 16

Evaluation

⊲ Extended cvc4 complementary to its encoding-based counterpart ⊲ Both versions of cvc4 on par with Ehoh ⊲ Extended veriT clearly ahead of its encoding-based counterpart ⊲ Leo-III and Satallax much ahead on THF, but fail to scale on Sledghammer problems ⊲ FO-performance of the extensions is not compromised

Extending SMT solvers to higher-order logic 15 / 16

Conclusions

⊲ Successful extensions of SMT solvers to HOL ⊲ On par with encoding-based approach

Future work

⊲ Tackle HO-unification

◮ Will allow extending conflict-based instantiation

⊲ Implement dedicated simplifications

Extending SMT solvers to higher-order logic 16 / 16