(* Title: HOL/Tools/sat_funcs.ML 
2 
ID: $Id$ 

3 
Author: Stephan Merz and Alwen Tiu, QSL Team, LORIA (http://qsl.loria.fr) 

4 
Author: Tjark Weber 
5 
Copyright 20052006 
17618  6 

7 

8 
Proof reconstruction from SAT solvers. 

9 

10 
Description: 

11 
This file defines several tactics to invoke a proofproducing 

12 
SAT solver on a propositional goal in clausal form. 

13 

14 
We use a sequent presentation of clauses to speed up resolution 

17695  15 
proof reconstruction. 
16 
We call such clauses "raw clauses", which are of the form 

17 
x1; ...; xn; c1; c2; ...; ck  False 
18 
(note the use of  instead of ==>, i.e. of Isabelle's (meta)hyps here), 
17618  19 
where each clause ci is of the form 
20 
~ (l1  l2  ...  lm) ==> False, 
21 
where each xi and each li is a literal (see also comments in cnf_funcs.ML). 
17618  22 

23 
This does not work for goals containing schematic variables! 
24 

17618  25 
The tactic produces a clause representation of the given goal 
26 
in DIMACS format and invokes a SAT solver, which should return 

27 
a proof consisting of a sequence of resolution steps, indicating 

17695  28 
the two input clauses, and resulting in new clauses, leading to 
29 
the empty clause (i.e., False). The tactic replays this proof 

30 
in Isabelle and thus solves the overall goal. 

17618  31 

32 
There are two SAT tactics available. They differ in the CNF transformation 

33 
used. The "sat_tac" uses naive CNF transformation to transform the theorem 

17695  34 
to be proved before giving it to SAT solver. The naive transformation in 
17618  35 
some worst case can lead to explonential blow up in formula size. 
36 
The other tactic, the "satx_tac" uses the "definitional CNF transformation" 

37 
which produces formula of linear size increase compared to the input formula. 

38 
This transformation introduces new variables. See also cnf_funcs.ML for 

39 
more comments. 

40 

41 
Notes for the current revision: 

42 
 The current version supports only zChaff prover. 

43 
 The environment variable ZCHAFF_HOME must be set to point to 

44 
the directory where zChaff executable resides 

45 
 The environment variable ZCHAFF_VERSION must be set according to 

46 
the version of zChaff used. Current supported version of zChaff: 

47 
zChaff version 2004.11.15 

17695  48 
 zChaff must have been compiled with proof generation enabled 
49 
(#define VERIFY_ON). 

17618  50 
*) 
51 

52 
signature SAT = 

53 
sig 

54 
val trace_sat : bool ref (* print trace messages *) 
55 
val sat_tac : int > Tactical.tactic 
56 
val satx_tac : int > Tactical.tactic 
17843  57 
val counter : int ref (* number of resolution steps during last proof replay *) 
17618  58 
end 
59 

60 
functor SATFunc (structure cnf : CNF) : SAT = 
5d03a69481b6
code reformatted and restructured, many minor modifications
webertj
parents:
17618
diff
changeset

61 
struct 
17618  62 

63 
val trace_sat = ref false; 
5d03a69481b6
code reformatted and restructured, many minor modifications
webertj
parents:
17618
diff
changeset

64 

65 
val counter = ref 0; 
5d03a69481b6
code reformatted and restructured, many minor modifications
webertj
parents:
17618
diff
changeset

66 

67 
(* Thm.thm *) 
68 
val resolution_thm = (* "[ P ==> False; ~P ==> False ] ==> False" *) 
69 
let 
70 
val cterm = cterm_of (the_context ()) 
71 
val Q = Var (("Q", 0), HOLogic.boolT) 
72 
val False = HOLogic.false_const 
73 
in 
74 
Thm.instantiate ([], [(cterm Q, cterm False)]) case_split_thm 
75 
end; 
76 

77 
(*  *) 
78 
(* resolve_raw_clauses: given a nonempty list of raw clauses, we fold *) 
79 
(* resolution over the list (starting with its head), i.e. with two raw *) 
80 
(* clauses *) 
81 
(* [ x1; ... ; a; ...; xn ] ==> False *) 
82 
(* and *) 
83 
(* [ y1; ... ; a'; ...; ym ] ==> False *) 
84 
(* (where a and a' are dual to each other), we first convert the first *) 
85 
(* clause to *) 
86 
(* [ x1; ...; xn ] ==> a' *) 
87 
(* (using swap_prem and perhaps notnotD), and then do a resolution with *) 
88 
(* the second clause to produce *) 
89 
(* [ y1; ...; x1; ...; xn; ...; yn ] ==> False *) 
90 
(* amd finally remove duplicate literals. *) 
91 
(*  *) 
17618  92 

93 
(* Thm.thm list > Thm.thm *) 
94 

17809
95 
fun resolve_raw_clauses [] = 
96 
raise THM ("Proof reconstruction failed (empty list of resolvents)!", 0, []) 
97 
 resolve_raw_clauses (c::cs) = 
98 
let 
99 
fun dual (Const ("Not", _) $ x) = x 
100 
 dual x = HOLogic.Not $ x 
101 

102 
fun is_neg (Const ("Not", _) $ _) = true 
103 
 is_neg _ = false 
104 

105 
(* find out which two hyps are used in the resolution *) 
106 
(* Term.term list > Term.term list > Term.term * Term.term *) 
107 
fun res_hyps [] _ = 
108 
raise THM ("Proof reconstruction failed (no literal for resolution)!", 0, []) 
109 
 res_hyps _ [] = 
17809
110 
raise THM ("Proof reconstruction failed (no literal for resolution)!", 0, []) 
111 
 res_hyps ((Const ("Trueprop", _) $ x) :: xs) ys = 
112 
let val dx = dual x in 
113 
(* hyps are implemented as ordered list in the kernel, and *) 
114 
(* stripping 'Trueprop' should not change the order *) 
115 
if OrdList.member Term.fast_term_ord ys dx then 
116 
(x, dx) 
117 
else 
118 
res_hyps xs ys 
119 
end 
120 
 res_hyps (_ :: xs) ys = 
121 
(* hyps are implemented as ordered list in the kernel, all hyps are of *) 
122 
(* the form 'Trueprop $ lit' or 'implies $ (negated clause) $ False', *) 
123 
(* and the former are LESS than the latter according to the order  *) 
124 
(* therefore there is no need to continue the search via *) 
125 
(* 'res_hyps xs ys' here *) 
126 
raise THM ("Proof reconstruction failed (no literal for resolution)!", 0, []) 
127 

128 
(* Thm.thm > Thm.thm > Thm.thm *) 
129 
fun resolution c1 c2 = 
130 
let 
131 
val _ = if !trace_sat then 
132 
tracing ("Resolving clause: " ^ string_of_thm c1 ^ " (hyps: " ^ space_implode ", " (map (Sign.string_of_term (theory_of_thm c1)) (#hyps (rep_thm c1))) 
133 
^ ")\nwith clause: " ^ string_of_thm c2 ^ " (hyps: " ^ space_implode ", " (map (Sign.string_of_term (theory_of_thm c2)) (#hyps (rep_thm c2))) ^ ")") 
134 
else () 
135 

136 
(* Term.term list > Term.term list *) 
137 
fun dest_filter_Trueprop [] = [] 
138 
 dest_filter_Trueprop ((Const ("Trueprop", _) $ x) :: xs) = x :: dest_filter_Trueprop xs 
139 
 dest_filter_Trueprop (_ :: xs) = dest_filter_Trueprop xs 
140 

141 
val hyps1 = (#hyps o rep_thm) c1 
142 
(* minor optimization: dest/filter over the second list outside 'res_hyps' to do it only once *) 
143 
val hyps2 = (dest_filter_Trueprop o #hyps o rep_thm) c2 
144 

145 
val (l1, l2) = res_hyps hyps1 hyps2 (* the two literals used for resolution, with 'Trueprop' stripped *) 
146 
val is_neg = is_neg l1 
147 

148 
val c1' = Thm.implies_intr (cterm_of (theory_of_thm c1) (HOLogic.mk_Trueprop l1)) c1 (* Gamma1  l1 ==> False *) 
149 
val c2' = Thm.implies_intr (cterm_of (theory_of_thm c2) (HOLogic.mk_Trueprop l2)) c2 (* Gamma2  l2 ==> False *) 
17618  150 

151 
val res_thm = (*  (lit ==> False) ==> (~lit ==> False) ==> False *) 
152 
let 
153 
val P = Var (("P", 0), HOLogic.boolT) 
154 
val (lit, thy) = if is_neg then (l2, theory_of_thm c2') else (l1, theory_of_thm c1') 
155 
val cterm = cterm_of thy 
156 
in 
157 
Thm.instantiate ([], [(cterm P, cterm lit)]) resolution_thm 
158 
end 
159 

160 
val _ = if !trace_sat then 
161 
tracing ("Resolution theorem: " ^ string_of_thm res_thm) 
162 
else () 
163 

164 
val c_new = Thm.implies_elim (Thm.implies_elim res_thm (if is_neg then c2' else c1')) (if is_neg then c1' else c2') (* Gamma1, Gamma2  False *) 
165 

166 
val _ = if !trace_sat then 
167 
tracing ("Resulting clause: " ^ string_of_thm c_new ^ " (hyps: " ^ space_implode ", " (map (Sign.string_of_term (theory_of_thm c_new)) (#hyps (rep_thm c_new))) ^ ")") 
168 
else () 
169 
val _ = inc counter 
170 
in 
171 
c_new 
172 
end 
173 
in 
174 
fold resolution cs c 
175 
end; 
17618  176 

177 
(*  *) 
178 
(* replay_proof: replays the resolution proof returned by the SAT solver; *) 
179 
(* cf. SatSolver.proof for details of the proof format. Updates the *) 
180 
(* 'clauses' array with derived clauses, and returns the derived clause *) 
181 
(* at index 'empty_id' (which should just be "False" if proof *) 
182 
(* reconstruction was successful, with the used clauses as hyps). *) 
183 
(*  *) 
184 

17809
185 
(* Thm.thm option Array.array > SatSolver.proof > Thm.thm *) 
17618  186 

187 
fun replay_proof clauses (clause_table, empty_id) = 
changeset

188 
diff
changeset

190 
fun prove_clause id = 
191 
case Array.sub (clauses, id) of 
192 
SOME thm => 
193 
thm 
194 
 NONE => 
195 
let 
196 
val _ = if !trace_sat then tracing ("Proving clause #" ^ string_of_int id ^ " ...") else () 
197 
val ids = valOf (Inttab.lookup clause_table id) 
198 
val thm = resolve_raw_clauses (map prove_clause ids) 
199 
val _ = Array.update (clauses, id, SOME thm) 
200 
val _ = if !trace_sat then tracing ("Replay chain successful; clause stored at #" ^ string_of_int id) else () 
201 
in 
202 
thm 
203 
end 
17618  204 

205 
val _ = counter := 0 
206 
val empty_clause = prove_clause empty_id 
207 
val _ = if !trace_sat then tracing ("Proof reconstruction successful; " ^ string_of_int (!counter) ^ " resolution step(s) total.") else () 
208 
in 
209 
empty_clause 
210 
end; 
211 

212 
(* PropLogic.prop_formula > string *) 
213 
fun string_of_prop_formula PropLogic.True = "True" 
214 
 string_of_prop_formula PropLogic.False = "False" 
215 
 string_of_prop_formula (PropLogic.BoolVar i) = "x" ^ string_of_int i 
216 
 string_of_prop_formula (PropLogic.Not fm) = "~" ^ string_of_prop_formula fm 
217 
 string_of_prop_formula (PropLogic.Or (fm1, fm2)) = "(" ^ string_of_prop_formula fm1 ^ " v " ^ string_of_prop_formula fm2 ^ ")" 
218 
 string_of_prop_formula (PropLogic.And (fm1, fm2)) = "(" ^ string_of_prop_formula fm1 ^ " & " ^ string_of_prop_formula fm2 ^ ")"; 
219 

220 
(*  *) 
221 
(* rawsat_thm: run external SAT solver with the given clauses. Reconstructs *) 
222 
(* a proof from the resulting proof trace of the SAT solver. Each *) 
223 
(* premise in 'prems' that is not a clause is ignored, and the theorem *) 
224 
(* returned is just "False" (with some clauses as hyps). *) 
225 
(*  *) 
227 
(* Thm.thm list > Thm.thm *) 
228 

195045659c06
229 
fun rawsat_thm prems = 
230 
let 
231 
(* remove premises that equal "True" *) 
232 
val non_triv_prems = filter (fn thm => 
233 
(not_equal HOLogic.true_const o HOLogic.dest_Trueprop o prop_of) thm 
234 
handle TERM ("dest_Trueprop", _) => true) prems 
235 
(* remove nonclausal premises  of course this shouldn't actually *) 
236 
(* remove anything as long as 'rawsat_thm' is only called after the *) 
237 
(* premises have been converted to clauses *) 
238 
val clauses = filter (fn thm => 
239 
((cnf.is_clause o HOLogic.dest_Trueprop o prop_of) thm handle TERM ("dest_Trueprop", _) => false) 
240 
orelse (warning ("Ignoring nonclausal premise " ^ (string_of_cterm o cprop_of) thm); false)) non_triv_prems 
241 
(* remove trivial clauses  this is necessary because zChaff removes *) 
242 
(* trivial clauses during preprocessing, and otherwise our clause *) 
243 
(* numbering would be off *) 
244 
val non_triv_clauses = filter (not o cnf.clause_is_trivial o HOLogic.dest_Trueprop o prop_of) clauses 
245 
(* translate clauses from HOL terms to PropLogic.prop_formula *) 
246 
val (fms, atom_table) = fold_map (PropLogic.prop_formula_of_term o HOLogic.dest_Trueprop o prop_of) non_triv_clauses Termtab.empty 
247 
val _ = if !trace_sat then 
248 
tracing ("Invoking SAT solver on clauses:\n" ^ space_implode "\n" (map string_of_prop_formula fms)) 
249 
else () 
250 
val fm = PropLogic.all fms 
251 
(* unit > Thm.thm *) 
252 
fun make_quick_and_dirty_thm () = ( 
253 
if !trace_sat then 
254 
tracing "'quick_and_dirty' is set: proof reconstruction skipped, using oracle instead." 
255 
else (); 
256 
(* of course just returning "False" is unsound; what we should return *) 
257 
(* instead is "False" with all 'non_triv_clauses' as hyps  but this *) 
258 
(* might be rather slow, and it makes no real difference as long as *) 
259 
(* 'rawsat_thm' is only called from 'rawsat_tac' *) 
260 
SkipProof.make_thm (the_context ()) (HOLogic.Trueprop $ HOLogic.false_const) 
261 
) 
17618  262 
in 
17622
263 
case SatSolver.invoke_solver "zchaff_with_proofs" fm of 
17842
264 
SatSolver.UNSATISFIABLE (SOME (clause_table, empty_id)) => ( 
265 
if !trace_sat then 
266 
tracing ("Proof trace from SAT solver:\n" ^ 
267 
"clauses: [" ^ commas (map (fn (c, cs) => 
268 
"(" ^ string_of_int c ^ ", [" ^ commas (map string_of_int cs) ^ "])") (Inttab.dest clause_table)) ^ "]\n" ^ 
269 
"empty clause: " ^ string_of_int empty_id) 
270 
else (); 
271 
if !quick_and_dirty then 
272 
make_quick_and_dirty_thm () 
273 
else 
274 
let 
275 
(* initialize the clause array with the given clauses, *) 
276 
(* but converted to raw clause format *) 
277 
val max_idx = valOf (Inttab.max_key clause_table) 
278 
val clause_arr = Array.array (max_idx + 1, NONE) 
279 
val raw_clauses = map cnf.clause2raw_thm non_triv_clauses 
280 
(* Every raw clause has only its literals and itself as hyp, and hyps are *) 
281 
(* accumulated during resolution steps. Experimental results indicate *) 
282 
(* that it is NOT faster to weaken all raw_clauses to contain every *) 
283 
(* clause in the hyps beforehand. *) 
284 
val _ = fold (fn thm => fn idx => (Array.update (clause_arr, idx, SOME thm); idx+1)) raw_clauses 0 
changeset

285 
changeset

286 
changeset

287 
changeset

288 
289 
cnf.rawhyps2clausehyps_thm FalseThm 
290 
end) 
291 
 SatSolver.UNSATISFIABLE NONE => 
292 
if !quick_and_dirty then ( 
293 
warning "SAT solver claims the formula to be unsatisfiable, but did not provide a proof"; 
294 
make_quick_and_dirty_thm () 
295 
) else 
296 
raise THM ("SAT solver claims the formula to be unsatisfiable, but did not provide a proof", 0, []) 
297 
 SatSolver.SATISFIABLE assignment => 
298 
let 
299 
val msg = "SAT solver found a countermodel:\n" 
300 
^ (commas 
301 
o map (fn (term, idx) => 
302 
Sign.string_of_term (the_context ()) term ^ ": " 
303 
^ (case assignment idx of NONE => "arbitrary"  SOME true => "true"  SOME false => "false"))) 
304 
(Termtab.dest atom_table) 
305 
in 
306 
raise THM (msg, 0, []) 
307 
end 
308 
 SatSolver.UNKNOWN => 
309 
raise THM ("SAT solver failed to decide the formula", 0, []) 
310 
end; 
312 
(*  *) 
313 
(* Tactics *) 
314 
(*  *) 
17618  315 

17809
316 
(*  *) 
317 
(* rawsat_tac: solves the ith subgoal of the proof state; this subgoal *) 
318 
(* should be of the form *) 
319 
(* [ c1; c2; ...; ck ] ==> False *) 
320 
(* where each cj is a nonempty clause (i.e. a disjunction of literals) *) 
321 
(* or "True" *) 
322 
(*  *) 
323 

195045659c06
324 
(* int > Tactical.tactic *) 
325 

195045659c06
326 
fun rawsat_tac i = METAHYPS (fn prems => rtac (rawsat_thm prems) 1) i; 
328 
(*  *) 
329 
(* pre_cnf_tac: converts the ith subgoal *) 
330 
(* [ A1 ; ... ; An ] ==> B *) 
331 
(* to *) 
332 
(* [ A1; ... ; An ; ~B ] ==> False *) 
333 
(* (handling metalogical connectives in B properly before negating), *) 
334 
(* then replaces metalogical connectives in the premises (i.e. "==>", *) 
335 
(* "!!" and "==") by connectives of the HOL objectlogic (i.e. by *) 
336 
(* ">", "!", and "=") *) 
337 
(*  *) 
338 

195045659c06
339 
(* int > Tactical.tactic *) 
340 

195045659c06
341 
fun pre_cnf_tac i = rtac ccontr i THEN ObjectLogic.atomize_tac i; 
342 

195045659c06
343 
(*  *) 
344 
(* cnfsat_tac: checks if the empty clause "False" occurs among the premises; *) 
345 
(* if not, eliminates conjunctions (i.e. each clause of the CNF formula *) 
346 
(* becomes a separate premise), then applies 'rawsat_tac' to solve the *) 
347 
(* subgoal *) 
348 
(*  *) 
350 
(* int > Tactical.tactic *) 
351 

195045659c06
352 
fun cnfsat_tac i = (etac FalseE i) ORELSE (REPEAT_DETERM (etac conjE i) THEN rawsat_tac i); 
354 
(*  *) 
355 
(* cnfxsat_tac: checks if the empty clause "False" occurs among the *) 
356 
(* premises; if not, eliminates conjunctions (i.e. each clause of the *) 
357 
(* CNF formula becomes a separate premise) and existential quantifiers, *) 
358 
(* then applies 'rawsat_tac' to solve the subgoal *) 
359 
(*  *) 
360 

195045659c06
361 
(* int > Tactical.tactic *) 
362 

195045659c06
363 
fun cnfxsat_tac i = (etac FalseE i) ORELSE (REPEAT_DETERM (etac conjE i ORELSE etac exE i) THEN rawsat_tac i); 
365 
(*  *) 
366 
(* sat_tac: tactic for calling an external SAT solver, taking as input an *) 
367 
(* arbitrary formula. The input is translated to CNF, possibly causing *) 
368 
(* an exponential blowup. *) 
369 
(*  *) 
370 

195045659c06
371 
(* int > Tactical.tactic *) 
372 

195045659c06
373 
fun sat_tac i = pre_cnf_tac i THEN cnf.cnf_rewrite_tac i THEN cnfsat_tac i; 
374 

195045659c06
375 
(*  *) 
376 
(* satx_tac: tactic for calling an external SAT solver, taking as input an *) 
377 
(* arbitrary formula. The input is translated to CNF, possibly *) 
378 
(* introducing new literals. *) 
379 
(*  *) 
380 

195045659c06
381 
(* int > Tactical.tactic *) 
382 

195045659c06
fun satx_tac i = pre_cnf_tac i THEN cnf.cnfx_rewrite_tac i THEN cnfxsat_tac i; 
17618  384 

17622
385 
end; (* of structure *) 