src/HOL/SMT.thy
 author blanchet Wed Apr 08 18:47:38 2015 +0200 (2015-04-08) changeset 59960 372ddff01244 parent 59381 de4218223e00 child 60201 90e88e521e0e permissions -rw-r--r--
updated SMT module and Sledgehammer to fully open source Z3
1 (*  Title:      HOL/SMT.thy
2     Author:     Sascha Boehme, TU Muenchen
3 *)
5 section {* Bindings to Satisfiability Modulo Theories (SMT) solvers based on SMT-LIB 2 *}
7 theory SMT
8 imports Divides
9 keywords "smt_status" :: diag
10 begin
12 subsection {* A skolemization tactic and proof method *}
14 lemma choices:
15   "\<And>Q. \<forall>x. \<exists>y ya. Q x y ya \<Longrightarrow> \<exists>f fa. \<forall>x. Q x (f x) (fa x)"
16   "\<And>Q. \<forall>x. \<exists>y ya yb. Q x y ya yb \<Longrightarrow> \<exists>f fa fb. \<forall>x. Q x (f x) (fa x) (fb x)"
17   "\<And>Q. \<forall>x. \<exists>y ya yb yc. Q x y ya yb yc \<Longrightarrow> \<exists>f fa fb fc. \<forall>x. Q x (f x) (fa x) (fb x) (fc x)"
18   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd. Q x y ya yb yc yd \<Longrightarrow>
19      \<exists>f fa fb fc fd. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x)"
20   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd ye. Q x y ya yb yc yd ye \<Longrightarrow>
21      \<exists>f fa fb fc fd fe. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x)"
22   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd ye yf. Q x y ya yb yc yd ye yf \<Longrightarrow>
23      \<exists>f fa fb fc fd fe ff. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x)"
24   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd ye yf yg. Q x y ya yb yc yd ye yf yg \<Longrightarrow>
25      \<exists>f fa fb fc fd fe ff fg. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x) (fg x)"
26   by metis+
28 lemma bchoices:
29   "\<And>Q. \<forall>x \<in> S. \<exists>y ya. Q x y ya \<Longrightarrow> \<exists>f fa. \<forall>x \<in> S. Q x (f x) (fa x)"
30   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb. Q x y ya yb \<Longrightarrow> \<exists>f fa fb. \<forall>x \<in> S. Q x (f x) (fa x) (fb x)"
31   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc. Q x y ya yb yc \<Longrightarrow> \<exists>f fa fb fc. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x)"
32   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd. Q x y ya yb yc yd \<Longrightarrow>
33     \<exists>f fa fb fc fd. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x)"
34   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd ye. Q x y ya yb yc yd ye \<Longrightarrow>
35     \<exists>f fa fb fc fd fe. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x)"
36   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd ye yf. Q x y ya yb yc yd ye yf \<Longrightarrow>
37     \<exists>f fa fb fc fd fe ff. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x)"
38   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd ye yf yg. Q x y ya yb yc yd ye yf yg \<Longrightarrow>
39     \<exists>f fa fb fc fd fe ff fg. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x) (fg x)"
40   by metis+
42 ML {*
43 fun moura_tac ctxt =
44   Atomize_Elim.atomize_elim_tac ctxt THEN'
45   SELECT_GOAL (Clasimp.auto_tac (ctxt addSIs @{thms choice choices bchoice bchoices}) THEN
46     ALLGOALS (Metis_Tactic.metis_tac (take 1 ATP_Proof_Reconstruct.partial_type_encs)
47         ATP_Proof_Reconstruct.default_metis_lam_trans ctxt [] ORELSE'
48       blast_tac ctxt))
49 *}
51 method_setup moura = {*
52  Scan.succeed (SIMPLE_METHOD' o moura_tac)
53 *} "solve skolemization goals, especially those arising from Z3 proofs"
55 hide_fact (open) choices bchoices
58 subsection {* Triggers for quantifier instantiation *}
60 text {*
61 Some SMT solvers support patterns as a quantifier instantiation
62 heuristics. Patterns may either be positive terms (tagged by "pat")
63 triggering quantifier instantiations -- when the solver finds a
64 term matching a positive pattern, it instantiates the corresponding
65 quantifier accordingly -- or negative terms (tagged by "nopat")
66 inhibiting quantifier instantiations. A list of patterns
67 of the same kind is called a multipattern, and all patterns in a
68 multipattern are considered conjunctively for quantifier instantiation.
69 A list of multipatterns is called a trigger, and their multipatterns
70 act disjunctively during quantifier instantiation. Each multipattern
71 should mention at least all quantified variables of the preceding
72 quantifier block.
73 *}
75 typedecl 'a symb_list
77 consts
78   Symb_Nil :: "'a symb_list"
79   Symb_Cons :: "'a \<Rightarrow> 'a symb_list \<Rightarrow> 'a symb_list"
81 typedecl pattern
83 consts
84   pat :: "'a \<Rightarrow> pattern"
85   nopat :: "'a \<Rightarrow> pattern"
87 definition trigger :: "pattern symb_list symb_list \<Rightarrow> bool \<Rightarrow> bool" where
88   "trigger _ P = P"
91 subsection {* Higher-order encoding *}
93 text {*
94 Application is made explicit for constants occurring with varying
95 numbers of arguments. This is achieved by the introduction of the
96 following constant.
97 *}
99 definition fun_app :: "'a \<Rightarrow> 'a" where "fun_app f = f"
101 text {*
102 Some solvers support a theory of arrays which can be used to encode
103 higher-order functions. The following set of lemmas specifies the
104 properties of such (extensional) arrays.
105 *}
107 lemmas array_rules = ext fun_upd_apply fun_upd_same fun_upd_other  fun_upd_upd fun_app_def
110 subsection {* Normalization *}
112 lemma case_bool_if[abs_def]: "case_bool x y P = (if P then x else y)"
113   by simp
115 lemmas Ex1_def_raw = Ex1_def[abs_def]
116 lemmas Ball_def_raw = Ball_def[abs_def]
117 lemmas Bex_def_raw = Bex_def[abs_def]
118 lemmas abs_if_raw = abs_if[abs_def]
119 lemmas min_def_raw = min_def[abs_def]
120 lemmas max_def_raw = max_def[abs_def]
123 subsection {* Integer division and modulo for Z3 *}
125 text {*
126 The following Z3-inspired definitions are overspecified for the case where @{text "l = 0"}. This
127 Schönheitsfehler is corrected in the @{text div_as_z3div} and @{text mod_as_z3mod} theorems.
128 *}
130 definition z3div :: "int \<Rightarrow> int \<Rightarrow> int" where
131   "z3div k l = (if l \<ge> 0 then k div l else - (k div - l))"
133 definition z3mod :: "int \<Rightarrow> int \<Rightarrow> int" where
134   "z3mod k l = k mod (if l \<ge> 0 then l else - l)"
136 lemma div_as_z3div:
137   "\<forall>k l. k div l = (if l = 0 then 0 else if l > 0 then z3div k l else z3div (- k) (- l))"
138   by (simp add: z3div_def)
140 lemma mod_as_z3mod:
141   "\<forall>k l. k mod l = (if l = 0 then k else if l > 0 then z3mod k l else - z3mod (- k) (- l))"
142   by (simp add: z3mod_def)
145 subsection {* Setup *}
147 ML_file "Tools/SMT/smt_util.ML"
148 ML_file "Tools/SMT/smt_failure.ML"
149 ML_file "Tools/SMT/smt_config.ML"
150 ML_file "Tools/SMT/smt_builtin.ML"
151 ML_file "Tools/SMT/smt_datatypes.ML"
152 ML_file "Tools/SMT/smt_normalize.ML"
153 ML_file "Tools/SMT/smt_translate.ML"
154 ML_file "Tools/SMT/smtlib.ML"
155 ML_file "Tools/SMT/smtlib_interface.ML"
156 ML_file "Tools/SMT/smtlib_proof.ML"
157 ML_file "Tools/SMT/smtlib_isar.ML"
158 ML_file "Tools/SMT/z3_proof.ML"
159 ML_file "Tools/SMT/z3_isar.ML"
160 ML_file "Tools/SMT/smt_solver.ML"
161 ML_file "Tools/SMT/cvc4_interface.ML"
162 ML_file "Tools/SMT/cvc4_proof_parse.ML"
163 ML_file "Tools/SMT/verit_proof.ML"
164 ML_file "Tools/SMT/verit_isar.ML"
165 ML_file "Tools/SMT/verit_proof_parse.ML"
166 ML_file "Tools/SMT/conj_disj_perm.ML"
167 ML_file "Tools/SMT/z3_interface.ML"
168 ML_file "Tools/SMT/z3_replay_util.ML"
169 ML_file "Tools/SMT/z3_replay_rules.ML"
170 ML_file "Tools/SMT/z3_replay_methods.ML"
171 ML_file "Tools/SMT/z3_replay.ML"
172 ML_file "Tools/SMT/smt_systems.ML"
174 method_setup smt = {*
175   Scan.optional Attrib.thms [] >>
176     (fn thms => fn ctxt =>
177       METHOD (fn facts => HEADGOAL (SMT_Solver.smt_tac ctxt (thms @ facts))))
178 *} "apply an SMT solver to the current goal"
181 subsection {* Configuration *}
183 text {*
184 The current configuration can be printed by the command
185 @{text smt_status}, which shows the values of most options.
186 *}
189 subsection {* General configuration options *}
191 text {*
192 The option @{text smt_solver} can be used to change the target SMT
193 solver. The possible values can be obtained from the @{text smt_status}
194 command.
195 *}
197 declare [[smt_solver = z3]]
199 text {*
200 Since SMT solvers are potentially nonterminating, there is a timeout
201 (given in seconds) to restrict their runtime.
202 *}
204 declare [[smt_timeout = 20]]
206 text {*
207 SMT solvers apply randomized heuristics. In case a problem is not
208 solvable by an SMT solver, changing the following option might help.
209 *}
211 declare [[smt_random_seed = 1]]
213 text {*
214 In general, the binding to SMT solvers runs as an oracle, i.e, the SMT
215 solvers are fully trusted without additional checks. The following
216 option can cause the SMT solver to run in proof-producing mode, giving
217 a checkable certificate. This is currently only implemented for Z3.
218 *}
220 declare [[smt_oracle = false]]
222 text {*
223 Each SMT solver provides several commandline options to tweak its
224 behaviour. They can be passed to the solver by setting the following
225 options.
226 *}
228 declare [[cvc3_options = ""]]
229 declare [[cvc4_options = "--full-saturate-quant --inst-when=full-last-call --inst-no-entail --term-db-mode=relevant"]]
230 declare [[verit_options = ""]]
231 declare [[z3_options = ""]]
233 text {*
234 The SMT method provides an inference mechanism to detect simple triggers
235 in quantified formulas, which might increase the number of problems
236 solvable by SMT solvers (note: triggers guide quantifier instantiations
237 in the SMT solver). To turn it on, set the following option.
238 *}
240 declare [[smt_infer_triggers = false]]
242 text {*
243 Enable the following option to use built-in support for datatypes,
244 codatatypes, and records in CVC4. Currently, this is implemented only
245 in oracle mode.
246 *}
248 declare [[cvc4_extensions = false]]
250 text {*
251 Enable the following option to use built-in support for div/mod, datatypes,
252 and records in Z3. Currently, this is implemented only in oracle mode.
253 *}
255 declare [[z3_extensions = false]]
258 subsection {* Certificates *}
260 text {*
261 By setting the option @{text smt_certificates} to the name of a file,
262 all following applications of an SMT solver a cached in that file.
263 Any further application of the same SMT solver (using the very same
264 configuration) re-uses the cached certificate instead of invoking the
265 solver. An empty string disables caching certificates.
267 The filename should be given as an explicit path. It is good
268 practice to use the name of the current theory (with ending
269 @{text ".certs"} instead of @{text ".thy"}) as the certificates file.
270 Certificate files should be used at most once in a certain theory context,
271 to avoid race conditions with other concurrent accesses.
272 *}
274 declare [[smt_certificates = ""]]
276 text {*
277 The option @{text smt_read_only_certificates} controls whether only
278 stored certificates are should be used or invocation of an SMT solver
279 is allowed. When set to @{text true}, no SMT solver will ever be
280 invoked and only the existing certificates found in the configured
281 cache are used;  when set to @{text false} and there is no cached
282 certificate for some proposition, then the configured SMT solver is
283 invoked.
284 *}
286 declare [[smt_read_only_certificates = false]]
289 subsection {* Tracing *}
291 text {*
292 The SMT method, when applied, traces important information. To
293 make it entirely silent, set the following option to @{text false}.
294 *}
296 declare [[smt_verbose = true]]
298 text {*
299 For tracing the generated problem file given to the SMT solver as
300 well as the returned result of the solver, the option
301 @{text smt_trace} should be set to @{text true}.
302 *}
304 declare [[smt_trace = false]]
307 subsection {* Schematic rules for Z3 proof reconstruction *}
309 text {*
310 Several prof rules of Z3 are not very well documented. There are two
311 lemma groups which can turn failing Z3 proof reconstruction attempts
312 into succeeding ones: the facts in @{text z3_rule} are tried prior to
313 any implemented reconstruction procedure for all uncertain Z3 proof
314 rules;  the facts in @{text z3_simp} are only fed to invocations of
315 the simplifier when reconstructing theory-specific proof steps.
316 *}
318 lemmas [z3_rule] =
319   refl eq_commute conj_commute disj_commute simp_thms nnf_simps
320   ring_distribs field_simps times_divide_eq_right times_divide_eq_left
321   if_True if_False not_not
322   NO_MATCH_def
324 lemma [z3_rule]:
325   "(P \<and> Q) = (\<not> (\<not> P \<or> \<not> Q))"
326   "(P \<and> Q) = (\<not> (\<not> Q \<or> \<not> P))"
327   "(\<not> P \<and> Q) = (\<not> (P \<or> \<not> Q))"
328   "(\<not> P \<and> Q) = (\<not> (\<not> Q \<or> P))"
329   "(P \<and> \<not> Q) = (\<not> (\<not> P \<or> Q))"
330   "(P \<and> \<not> Q) = (\<not> (Q \<or> \<not> P))"
331   "(\<not> P \<and> \<not> Q) = (\<not> (P \<or> Q))"
332   "(\<not> P \<and> \<not> Q) = (\<not> (Q \<or> P))"
333   by auto
335 lemma [z3_rule]:
336   "(P \<longrightarrow> Q) = (Q \<or> \<not> P)"
337   "(\<not> P \<longrightarrow> Q) = (P \<or> Q)"
338   "(\<not> P \<longrightarrow> Q) = (Q \<or> P)"
339   "(True \<longrightarrow> P) = P"
340   "(P \<longrightarrow> True) = True"
341   "(False \<longrightarrow> P) = True"
342   "(P \<longrightarrow> P) = True"
343   "(\<not> (A \<longleftrightarrow> \<not> B)) \<longleftrightarrow> (A \<longleftrightarrow> B)"
344   by auto
346 lemma [z3_rule]:
347   "((P = Q) \<longrightarrow> R) = (R | (Q = (\<not> P)))"
348   by auto
350 lemma [z3_rule]:
351   "(\<not> True) = False"
352   "(\<not> False) = True"
353   "(x = x) = True"
354   "(P = True) = P"
355   "(True = P) = P"
356   "(P = False) = (\<not> P)"
357   "(False = P) = (\<not> P)"
358   "((\<not> P) = P) = False"
359   "(P = (\<not> P)) = False"
360   "((\<not> P) = (\<not> Q)) = (P = Q)"
361   "\<not> (P = (\<not> Q)) = (P = Q)"
362   "\<not> ((\<not> P) = Q) = (P = Q)"
363   "(P \<noteq> Q) = (Q = (\<not> P))"
364   "(P = Q) = ((\<not> P \<or> Q) \<and> (P \<or> \<not> Q))"
365   "(P \<noteq> Q) = ((\<not> P \<or> \<not> Q) \<and> (P \<or> Q))"
366   by auto
368 lemma [z3_rule]:
369   "(if P then P else \<not> P) = True"
370   "(if \<not> P then \<not> P else P) = True"
371   "(if P then True else False) = P"
372   "(if P then False else True) = (\<not> P)"
373   "(if P then Q else True) = ((\<not> P) \<or> Q)"
374   "(if P then Q else True) = (Q \<or> (\<not> P))"
375   "(if P then Q else \<not> Q) = (P = Q)"
376   "(if P then Q else \<not> Q) = (Q = P)"
377   "(if P then \<not> Q else Q) = (P = (\<not> Q))"
378   "(if P then \<not> Q else Q) = ((\<not> Q) = P)"
379   "(if \<not> P then x else y) = (if P then y else x)"
380   "(if P then (if Q then x else y) else x) = (if P \<and> (\<not> Q) then y else x)"
381   "(if P then (if Q then x else y) else x) = (if (\<not> Q) \<and> P then y else x)"
382   "(if P then (if Q then x else y) else y) = (if P \<and> Q then x else y)"
383   "(if P then (if Q then x else y) else y) = (if Q \<and> P then x else y)"
384   "(if P then x else if P then y else z) = (if P then x else z)"
385   "(if P then x else if Q then x else y) = (if P \<or> Q then x else y)"
386   "(if P then x else if Q then x else y) = (if Q \<or> P then x else y)"
387   "(if P then x = y else x = z) = (x = (if P then y else z))"
388   "(if P then x = y else y = z) = (y = (if P then x else z))"
389   "(if P then x = y else z = y) = (y = (if P then x else z))"
390   by auto
392 lemma [z3_rule]:
393   "0 + (x::int) = x"
394   "x + 0 = x"
395   "x + x = 2 * x"
396   "0 * x = 0"
397   "1 * x = x"
398   "x + y = y + x"
399   by (auto simp add: mult_2)
401 lemma [z3_rule]:  (* for def-axiom *)
402   "P = Q \<or> P \<or> Q"
403   "P = Q \<or> \<not> P \<or> \<not> Q"
404   "(\<not> P) = Q \<or> \<not> P \<or> Q"
405   "(\<not> P) = Q \<or> P \<or> \<not> Q"
406   "P = (\<not> Q) \<or> \<not> P \<or> Q"
407   "P = (\<not> Q) \<or> P \<or> \<not> Q"
408   "P \<noteq> Q \<or> P \<or> \<not> Q"
409   "P \<noteq> Q \<or> \<not> P \<or> Q"
410   "P \<noteq> (\<not> Q) \<or> P \<or> Q"
411   "(\<not> P) \<noteq> Q \<or> P \<or> Q"
412   "P \<or> Q \<or> P \<noteq> (\<not> Q)"
413   "P \<or> Q \<or> (\<not> P) \<noteq> Q"
414   "P \<or> \<not> Q \<or> P \<noteq> Q"
415   "\<not> P \<or> Q \<or> P \<noteq> Q"
416   "P \<or> y = (if P then x else y)"
417   "P \<or> (if P then x else y) = y"
418   "\<not> P \<or> x = (if P then x else y)"
419   "\<not> P \<or> (if P then x else y) = x"
420   "P \<or> R \<or> \<not> (if P then Q else R)"
421   "\<not> P \<or> Q \<or> \<not> (if P then Q else R)"
422   "\<not> (if P then Q else R) \<or> \<not> P \<or> Q"
423   "\<not> (if P then Q else R) \<or> P \<or> R"
424   "(if P then Q else R) \<or> \<not> P \<or> \<not> Q"
425   "(if P then Q else R) \<or> P \<or> \<not> R"
426   "(if P then \<not> Q else R) \<or> \<not> P \<or> Q"
427   "(if P then Q else \<not> R) \<or> P \<or> R"
428   by auto
430 hide_type (open) symb_list pattern
431 hide_const (open) Symb_Nil Symb_Cons trigger pat nopat fun_app z3div z3mod
433 end