src/HOL/SMT.thy
author blanchet
Mon Nov 24 12:35:13 2014 +0100 (2014-11-24)
changeset 59036 ce58eb744e38
parent 59035 3a2153676705
child 59037 650dcf624729
permissions -rw-r--r--
one more CVC4 option that helps
     1 (*  Title:      HOL/SMT.thy
     2     Author:     Sascha Boehme, TU Muenchen
     3 *)
     4 
     5 section {* Bindings to Satisfiability Modulo Theories (SMT) solvers based on SMT-LIB 2 *}
     6 
     7 theory SMT
     8 imports Divides
     9 keywords "smt_status" :: diag
    10 begin
    11 
    12 subsection {* A skolemization tactic and proof method *}
    13 
    14 lemma choices:
    15   "\<And>Q. \<forall>x. \<exists>y ya. Q x y ya \<Longrightarrow> \<exists>f fa. \<forall>x. Q x (f x) (fa x)"
    16   "\<And>Q. \<forall>x. \<exists>y ya yb. Q x y ya yb \<Longrightarrow> \<exists>f fa fb. \<forall>x. Q x (f x) (fa x) (fb x)"
    17   "\<And>Q. \<forall>x. \<exists>y ya yb yc. Q x y ya yb yc \<Longrightarrow> \<exists>f fa fb fc. \<forall>x. Q x (f x) (fa x) (fb x) (fc x)"
    18   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd. Q x y ya yb yc yd \<Longrightarrow>
    19      \<exists>f fa fb fc fd. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x)"
    20   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd ye. Q x y ya yb yc yd ye \<Longrightarrow>
    21      \<exists>f fa fb fc fd fe. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x)"
    22   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd ye yf. Q x y ya yb yc yd ye yf \<Longrightarrow>
    23      \<exists>f fa fb fc fd fe ff. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x)"
    24   "\<And>Q. \<forall>x. \<exists>y ya yb yc yd ye yf yg. Q x y ya yb yc yd ye yf yg \<Longrightarrow>
    25      \<exists>f fa fb fc fd fe ff fg. \<forall>x. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x) (fg x)"
    26   by metis+
    27 
    28 lemma bchoices:
    29   "\<And>Q. \<forall>x \<in> S. \<exists>y ya. Q x y ya \<Longrightarrow> \<exists>f fa. \<forall>x \<in> S. Q x (f x) (fa x)"
    30   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb. Q x y ya yb \<Longrightarrow> \<exists>f fa fb. \<forall>x \<in> S. Q x (f x) (fa x) (fb x)"
    31   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc. Q x y ya yb yc \<Longrightarrow> \<exists>f fa fb fc. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x)"
    32   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd. Q x y ya yb yc yd \<Longrightarrow>
    33     \<exists>f fa fb fc fd. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x)"
    34   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd ye. Q x y ya yb yc yd ye \<Longrightarrow>
    35     \<exists>f fa fb fc fd fe. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x)"
    36   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd ye yf. Q x y ya yb yc yd ye yf \<Longrightarrow>
    37     \<exists>f fa fb fc fd fe ff. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x)"
    38   "\<And>Q. \<forall>x \<in> S. \<exists>y ya yb yc yd ye yf yg. Q x y ya yb yc yd ye yf yg \<Longrightarrow>
    39     \<exists>f fa fb fc fd fe ff fg. \<forall>x \<in> S. Q x (f x) (fa x) (fb x) (fc x) (fd x) (fe x) (ff x) (fg x)"
    40   by metis+
    41 
    42 ML {*
    43 fun moura_tac ctxt =
    44   Atomize_Elim.atomize_elim_tac ctxt THEN'
    45   SELECT_GOAL (Clasimp.auto_tac (ctxt addSIs @{thms choice choices bchoice bchoices}) THEN
    46     ALLGOALS (Metis_Tactic.metis_tac (take 1 ATP_Proof_Reconstruct.partial_type_encs)
    47         ATP_Proof_Reconstruct.default_metis_lam_trans ctxt [] ORELSE'
    48       blast_tac ctxt))
    49 *}
    50 
    51 method_setup moura = {*
    52  Scan.succeed (SIMPLE_METHOD' o moura_tac)
    53 *} "solve skolemization goals, especially those arising from Z3 proofs"
    54 
    55 hide_fact (open) choices bchoices
    56 
    57 
    58 subsection {* Triggers for quantifier instantiation *}
    59 
    60 text {*
    61 Some SMT solvers support patterns as a quantifier instantiation
    62 heuristics. Patterns may either be positive terms (tagged by "pat")
    63 triggering quantifier instantiations -- when the solver finds a
    64 term matching a positive pattern, it instantiates the corresponding
    65 quantifier accordingly -- or negative terms (tagged by "nopat")
    66 inhibiting quantifier instantiations. A list of patterns
    67 of the same kind is called a multipattern, and all patterns in a
    68 multipattern are considered conjunctively for quantifier instantiation.
    69 A list of multipatterns is called a trigger, and their multipatterns
    70 act disjunctively during quantifier instantiation. Each multipattern
    71 should mention at least all quantified variables of the preceding
    72 quantifier block.
    73 *}
    74 
    75 typedecl 'a symb_list
    76 
    77 consts
    78   Symb_Nil :: "'a symb_list"
    79   Symb_Cons :: "'a \<Rightarrow> 'a symb_list \<Rightarrow> 'a symb_list"
    80 
    81 typedecl pattern
    82 
    83 consts
    84   pat :: "'a \<Rightarrow> pattern"
    85   nopat :: "'a \<Rightarrow> pattern"
    86 
    87 definition trigger :: "pattern symb_list symb_list \<Rightarrow> bool \<Rightarrow> bool" where
    88   "trigger _ P = P"
    89 
    90 
    91 subsection {* Higher-order encoding *}
    92 
    93 text {*
    94 Application is made explicit for constants occurring with varying
    95 numbers of arguments. This is achieved by the introduction of the
    96 following constant.
    97 *}
    98 
    99 definition fun_app :: "'a \<Rightarrow> 'a" where "fun_app f = f"
   100 
   101 text {*
   102 Some solvers support a theory of arrays which can be used to encode
   103 higher-order functions. The following set of lemmas specifies the
   104 properties of such (extensional) arrays.
   105 *}
   106 
   107 lemmas array_rules = ext fun_upd_apply fun_upd_same fun_upd_other  fun_upd_upd fun_app_def
   108 
   109 
   110 subsection {* Normalization *}
   111 
   112 lemma case_bool_if[abs_def]: "case_bool x y P = (if P then x else y)"
   113   by simp
   114 
   115 lemmas Ex1_def_raw = Ex1_def[abs_def]
   116 lemmas Ball_def_raw = Ball_def[abs_def]
   117 lemmas Bex_def_raw = Bex_def[abs_def]
   118 lemmas abs_if_raw = abs_if[abs_def]
   119 lemmas min_def_raw = min_def[abs_def]
   120 lemmas max_def_raw = max_def[abs_def]
   121 
   122 
   123 subsection {* Integer division and modulo for Z3 *}
   124 
   125 text {*
   126 The following Z3-inspired definitions are overspecified for the case where @{text "l = 0"}. This
   127 Schönheitsfehler is corrected in the @{text div_as_z3div} and @{text mod_as_z3mod} theorems.
   128 *}
   129 
   130 definition z3div :: "int \<Rightarrow> int \<Rightarrow> int" where
   131   "z3div k l = (if l \<ge> 0 then k div l else - (k div - l))"
   132 
   133 definition z3mod :: "int \<Rightarrow> int \<Rightarrow> int" where
   134   "z3mod k l = k mod (if l \<ge> 0 then l else - l)"
   135 
   136 lemma div_as_z3div:
   137   "\<forall>k l. k div l = (if l = 0 then 0 else if l > 0 then z3div k l else z3div (- k) (- l))"
   138   by (simp add: z3div_def)
   139 
   140 lemma mod_as_z3mod:
   141   "\<forall>k l. k mod l = (if l = 0 then k else if l > 0 then z3mod k l else - z3mod (- k) (- l))"
   142   by (simp add: z3mod_def)
   143 
   144 
   145 subsection {* Setup *}
   146 
   147 ML_file "Tools/SMT/smt_util.ML"
   148 ML_file "Tools/SMT/smt_failure.ML"
   149 ML_file "Tools/SMT/smt_config.ML"
   150 ML_file "Tools/SMT/smt_builtin.ML"
   151 ML_file "Tools/SMT/smt_datatypes.ML"
   152 ML_file "Tools/SMT/smt_normalize.ML"
   153 ML_file "Tools/SMT/smt_translate.ML"
   154 ML_file "Tools/SMT/smtlib.ML"
   155 ML_file "Tools/SMT/smtlib_interface.ML"
   156 ML_file "Tools/SMT/smtlib_proof.ML"
   157 ML_file "Tools/SMT/smtlib_isar.ML"
   158 ML_file "Tools/SMT/z3_proof.ML"
   159 ML_file "Tools/SMT/z3_isar.ML"
   160 ML_file "Tools/SMT/smt_solver.ML"
   161 ML_file "Tools/SMT/cvc4_interface.ML"
   162 ML_file "Tools/SMT/cvc4_proof_parse.ML"
   163 ML_file "Tools/SMT/verit_proof.ML"
   164 ML_file "Tools/SMT/verit_isar.ML"
   165 ML_file "Tools/SMT/verit_proof_parse.ML"
   166 ML_file "Tools/SMT/z3_interface.ML"
   167 ML_file "Tools/SMT/z3_replay_util.ML"
   168 ML_file "Tools/SMT/z3_replay_literals.ML"
   169 ML_file "Tools/SMT/z3_replay_rules.ML"
   170 ML_file "Tools/SMT/z3_replay_methods.ML"
   171 ML_file "Tools/SMT/z3_replay.ML"
   172 ML_file "Tools/SMT/smt_systems.ML"
   173 
   174 method_setup smt = {*
   175   Scan.optional Attrib.thms [] >>
   176     (fn thms => fn ctxt =>
   177       METHOD (fn facts => HEADGOAL (SMT_Solver.smt_tac ctxt (thms @ facts))))
   178 *} "apply an SMT solver to the current goal"
   179 
   180 
   181 subsection {* Configuration *}
   182 
   183 text {*
   184 The current configuration can be printed by the command
   185 @{text smt_status}, which shows the values of most options.
   186 *}
   187 
   188 
   189 subsection {* General configuration options *}
   190 
   191 text {*
   192 The option @{text smt_solver} can be used to change the target SMT
   193 solver. The possible values can be obtained from the @{text smt_status}
   194 command.
   195 
   196 Due to licensing restrictions, Z3 is not enabled by default. Z3 is free
   197 for non-commercial applications and can be enabled by setting Isabelle
   198 system option @{text z3_non_commercial} to @{text yes}.
   199 *}
   200 
   201 declare [[smt_solver = z3]]
   202 
   203 text {*
   204 Since SMT solvers are potentially nonterminating, there is a timeout
   205 (given in seconds) to restrict their runtime.
   206 *}
   207 
   208 declare [[smt_timeout = 20]]
   209 
   210 text {*
   211 SMT solvers apply randomized heuristics. In case a problem is not
   212 solvable by an SMT solver, changing the following option might help.
   213 *}
   214 
   215 declare [[smt_random_seed = 1]]
   216 
   217 text {*
   218 In general, the binding to SMT solvers runs as an oracle, i.e, the SMT
   219 solvers are fully trusted without additional checks. The following
   220 option can cause the SMT solver to run in proof-producing mode, giving
   221 a checkable certificate. This is currently only implemented for Z3.
   222 *}
   223 
   224 declare [[smt_oracle = false]]
   225 
   226 text {*
   227 Each SMT solver provides several commandline options to tweak its
   228 behaviour. They can be passed to the solver by setting the following
   229 options.
   230 *}
   231 
   232 declare [[cvc3_options = ""]]
   233 declare [[cvc4_options = "--full-saturate-quant --inst-when=full-last-call --inst-no-entail"]]
   234 declare [[verit_options = ""]]
   235 declare [[z3_options = ""]]
   236 
   237 text {*
   238 The SMT method provides an inference mechanism to detect simple triggers
   239 in quantified formulas, which might increase the number of problems
   240 solvable by SMT solvers (note: triggers guide quantifier instantiations
   241 in the SMT solver). To turn it on, set the following option.
   242 *}
   243 
   244 declare [[smt_infer_triggers = false]]
   245 
   246 text {*
   247 Enable the following option to use built-in support for datatypes,
   248 codatatypes, and records in CVC4. Currently, this is implemented only
   249 in oracle mode.
   250 *}
   251 
   252 declare [[cvc4_extensions = false]]
   253 
   254 text {*
   255 Enable the following option to use built-in support for div/mod, datatypes,
   256 and records in Z3. Currently, this is implemented only in oracle mode.
   257 *}
   258 
   259 declare [[z3_extensions = false]]
   260 
   261 
   262 subsection {* Certificates *}
   263 
   264 text {*
   265 By setting the option @{text smt_certificates} to the name of a file,
   266 all following applications of an SMT solver a cached in that file.
   267 Any further application of the same SMT solver (using the very same
   268 configuration) re-uses the cached certificate instead of invoking the
   269 solver. An empty string disables caching certificates.
   270 
   271 The filename should be given as an explicit path. It is good
   272 practice to use the name of the current theory (with ending
   273 @{text ".certs"} instead of @{text ".thy"}) as the certificates file.
   274 Certificate files should be used at most once in a certain theory context,
   275 to avoid race conditions with other concurrent accesses.
   276 *}
   277 
   278 declare [[smt_certificates = ""]]
   279 
   280 text {*
   281 The option @{text smt_read_only_certificates} controls whether only
   282 stored certificates are should be used or invocation of an SMT solver
   283 is allowed. When set to @{text true}, no SMT solver will ever be
   284 invoked and only the existing certificates found in the configured
   285 cache are used;  when set to @{text false} and there is no cached
   286 certificate for some proposition, then the configured SMT solver is
   287 invoked.
   288 *}
   289 
   290 declare [[smt_read_only_certificates = false]]
   291 
   292 
   293 subsection {* Tracing *}
   294 
   295 text {*
   296 The SMT method, when applied, traces important information. To
   297 make it entirely silent, set the following option to @{text false}.
   298 *}
   299 
   300 declare [[smt_verbose = true]]
   301 
   302 text {*
   303 For tracing the generated problem file given to the SMT solver as
   304 well as the returned result of the solver, the option
   305 @{text smt_trace} should be set to @{text true}.
   306 *}
   307 
   308 declare [[smt_trace = false]]
   309 
   310 
   311 subsection {* Schematic rules for Z3 proof reconstruction *}
   312 
   313 text {*
   314 Several prof rules of Z3 are not very well documented. There are two
   315 lemma groups which can turn failing Z3 proof reconstruction attempts
   316 into succeeding ones: the facts in @{text z3_rule} are tried prior to
   317 any implemented reconstruction procedure for all uncertain Z3 proof
   318 rules;  the facts in @{text z3_simp} are only fed to invocations of
   319 the simplifier when reconstructing theory-specific proof steps.
   320 *}
   321 
   322 lemmas [z3_rule] =
   323   refl eq_commute conj_commute disj_commute simp_thms nnf_simps
   324   ring_distribs field_simps times_divide_eq_right times_divide_eq_left
   325   if_True if_False not_not
   326   NO_MATCH_def
   327 
   328 lemma [z3_rule]:
   329   "(P \<and> Q) = (\<not> (\<not> P \<or> \<not> Q))"
   330   "(P \<and> Q) = (\<not> (\<not> Q \<or> \<not> P))"
   331   "(\<not> P \<and> Q) = (\<not> (P \<or> \<not> Q))"
   332   "(\<not> P \<and> Q) = (\<not> (\<not> Q \<or> P))"
   333   "(P \<and> \<not> Q) = (\<not> (\<not> P \<or> Q))"
   334   "(P \<and> \<not> Q) = (\<not> (Q \<or> \<not> P))"
   335   "(\<not> P \<and> \<not> Q) = (\<not> (P \<or> Q))"
   336   "(\<not> P \<and> \<not> Q) = (\<not> (Q \<or> P))"
   337   by auto
   338 
   339 lemma [z3_rule]:
   340   "(P \<longrightarrow> Q) = (Q \<or> \<not> P)"
   341   "(\<not> P \<longrightarrow> Q) = (P \<or> Q)"
   342   "(\<not> P \<longrightarrow> Q) = (Q \<or> P)"
   343   "(True \<longrightarrow> P) = P"
   344   "(P \<longrightarrow> True) = True"
   345   "(False \<longrightarrow> P) = True"
   346   "(P \<longrightarrow> P) = True"
   347   by auto
   348 
   349 lemma [z3_rule]:
   350   "((P = Q) \<longrightarrow> R) = (R | (Q = (\<not> P)))"
   351   by auto
   352 
   353 lemma [z3_rule]:
   354   "(\<not> True) = False"
   355   "(\<not> False) = True"
   356   "(x = x) = True"
   357   "(P = True) = P"
   358   "(True = P) = P"
   359   "(P = False) = (\<not> P)"
   360   "(False = P) = (\<not> P)"
   361   "((\<not> P) = P) = False"
   362   "(P = (\<not> P)) = False"
   363   "((\<not> P) = (\<not> Q)) = (P = Q)"
   364   "\<not> (P = (\<not> Q)) = (P = Q)"
   365   "\<not> ((\<not> P) = Q) = (P = Q)"
   366   "(P \<noteq> Q) = (Q = (\<not> P))"
   367   "(P = Q) = ((\<not> P \<or> Q) \<and> (P \<or> \<not> Q))"
   368   "(P \<noteq> Q) = ((\<not> P \<or> \<not> Q) \<and> (P \<or> Q))"
   369   by auto
   370 
   371 lemma [z3_rule]:
   372   "(if P then P else \<not> P) = True"
   373   "(if \<not> P then \<not> P else P) = True"
   374   "(if P then True else False) = P"
   375   "(if P then False else True) = (\<not> P)"
   376   "(if P then Q else True) = ((\<not> P) \<or> Q)"
   377   "(if P then Q else True) = (Q \<or> (\<not> P))"
   378   "(if P then Q else \<not> Q) = (P = Q)"
   379   "(if P then Q else \<not> Q) = (Q = P)"
   380   "(if P then \<not> Q else Q) = (P = (\<not> Q))"
   381   "(if P then \<not> Q else Q) = ((\<not> Q) = P)"
   382   "(if \<not> P then x else y) = (if P then y else x)"
   383   "(if P then (if Q then x else y) else x) = (if P \<and> (\<not> Q) then y else x)"
   384   "(if P then (if Q then x else y) else x) = (if (\<not> Q) \<and> P then y else x)"
   385   "(if P then (if Q then x else y) else y) = (if P \<and> Q then x else y)"
   386   "(if P then (if Q then x else y) else y) = (if Q \<and> P then x else y)"
   387   "(if P then x else if P then y else z) = (if P then x else z)"
   388   "(if P then x else if Q then x else y) = (if P \<or> Q then x else y)"
   389   "(if P then x else if Q then x else y) = (if Q \<or> P then x else y)"
   390   "(if P then x = y else x = z) = (x = (if P then y else z))"
   391   "(if P then x = y else y = z) = (y = (if P then x else z))"
   392   "(if P then x = y else z = y) = (y = (if P then x else z))"
   393   by auto
   394 
   395 lemma [z3_rule]:
   396   "0 + (x::int) = x"
   397   "x + 0 = x"
   398   "x + x = 2 * x"
   399   "0 * x = 0"
   400   "1 * x = x"
   401   "x + y = y + x"
   402   by (auto simp add: mult_2)
   403 
   404 lemma [z3_rule]:  (* for def-axiom *)
   405   "P = Q \<or> P \<or> Q"
   406   "P = Q \<or> \<not> P \<or> \<not> Q"
   407   "(\<not> P) = Q \<or> \<not> P \<or> Q"
   408   "(\<not> P) = Q \<or> P \<or> \<not> Q"
   409   "P = (\<not> Q) \<or> \<not> P \<or> Q"
   410   "P = (\<not> Q) \<or> P \<or> \<not> Q"
   411   "P \<noteq> Q \<or> P \<or> \<not> Q"
   412   "P \<noteq> Q \<or> \<not> P \<or> Q"
   413   "P \<noteq> (\<not> Q) \<or> P \<or> Q"
   414   "(\<not> P) \<noteq> Q \<or> P \<or> Q"
   415   "P \<or> Q \<or> P \<noteq> (\<not> Q)"
   416   "P \<or> Q \<or> (\<not> P) \<noteq> Q"
   417   "P \<or> \<not> Q \<or> P \<noteq> Q"
   418   "\<not> P \<or> Q \<or> P \<noteq> Q"
   419   "P \<or> y = (if P then x else y)"
   420   "P \<or> (if P then x else y) = y"
   421   "\<not> P \<or> x = (if P then x else y)"
   422   "\<not> P \<or> (if P then x else y) = x"
   423   "P \<or> R \<or> \<not> (if P then Q else R)"
   424   "\<not> P \<or> Q \<or> \<not> (if P then Q else R)"
   425   "\<not> (if P then Q else R) \<or> \<not> P \<or> Q"
   426   "\<not> (if P then Q else R) \<or> P \<or> R"
   427   "(if P then Q else R) \<or> \<not> P \<or> \<not> Q"
   428   "(if P then Q else R) \<or> P \<or> \<not> R"
   429   "(if P then \<not> Q else R) \<or> \<not> P \<or> Q"
   430   "(if P then Q else \<not> R) \<or> P \<or> R"
   431   by auto
   432 
   433 hide_type (open) symb_list pattern
   434 hide_const (open) Symb_Nil Symb_Cons trigger pat nopat fun_app z3div z3mod
   435 
   436 end