Dissertation
Automating interactive theorem provers and certifying automated theorem provers
University of Iowa
Doctor of Philosophy (PhD), University of Iowa
Autumn 2024
DOI: 10.25820/etd.007744
Abstract
As software grows increasingly pervasive in our everyday lives, it is important to ensure that the software we rely on, especially in safety-critical systems, behaves as expected. Whereas software testing is a useful approach for detecting the presence of bugs, formal methods offer tools and techniques to prove the absence of bugs. One class of such tools is theorem provers — computer programs capable of proving mathematical theorems. Among other things, theorem provers are used to prove the correctness of software with respect to a specification, in an attempt to prevent buggy software.
Theorem provers are commonly classified as automated or interactive. Automated theorem provers (ATPs) such as satisfiability modulo theories (SMT) solvers aim to prove logical formulas quickly and without human intervention. To this end, they rely on various heuristics, decision procedures, and optimizations. Consequentially, ATPs are typically large software systems and therefore prone to bugs themselves. On the other hand, interactive theorem provers (ITPs), or proof assistants, restrict themselves to a (relatively) small trusted computing base (TCB), giving strong guarantees of the proofs performed. They do so at the cost of automation, and require elaborate proofs and higher user involvement.
Given ATPs’ and ITPs’ relative pros and cons, there are multiple avenues for leveraging the strengths of one to address the weaknesses of the other. We discuss three such possibilities, and our contributions to each kind, in the following.1. External ATPs can be used to automate sub-goals within ITPs.
SMTCoq is one such tool that is able to dispatch subgoals to an external SMT solver without extending the Coq proof assistant’s TCB. In a traditional interaction, SMTCoq relies on the SMT solver’s ability to do deductive reasoning — a call to a solver either succeeds with a proof in Coq, or fails with a possible counterexample. We enhance this interaction with an SMT solver capable of performing abductive reasoning so that in cases of failure, the solver may ask for additional facts that can convert a failure to a success.
2. An ATP’s result can be certified by checking it in an ITP.
We adapt SMTCoq to check more refined proofs from SMT solvers. We do this through the alethe proof format which is supported by both the cvc5 and veriT SMT solvers. This has the added benefit of increasing goal coverage by external SMT solvers in Coq, which also categorizes it as a contribution previously discussed in 1.
3. An ATP can be certified by checking its algorithm (or modular parts thereof ) in an ITP.
In this direction, we verify results called invertibility conditions, that are critical to the operation of some SMT solvers, in Coq. Such solvers use a set of these invertibility conditions during solving in the theory of quantified bit-vectors. We prove a previously unverified subset of these conditions, increasing confidence in the results of bit-vector solvers that use invertibility conditions for quantified formulas.
Details
- Title: Subtitle
- Automating interactive theorem provers and certifying automated theorem provers
- Creators
- Arjun Viswanathan
- Contributors
- Cesare Tinelli (Advisor)Omar Chowdhury (Committee Member)Chantal Keller (Committee Member)Garrett Morris (Committee Member)Alberto Maria Segre (Committee Member)
- Resource Type
- Dissertation
- Degree Awarded
- Doctor of Philosophy (PhD), University of Iowa
- Degree in
- Computer Science
- Date degree season
- Autumn 2024
- DOI
- 10.25820/etd.007744
- Publisher
- University of Iowa
- Number of pages
- x, 115 pages
- Copyright
- Copyright 2024 Arjun Viswanathan
- Language
- English
- Date submitted
- 08/08/2024
- Description illustrations
- illustrations (some color)
- Description bibliographic
- Includes bibliographical references (pages 107-115).
- Public Abstract (ETD)
Computers are ubiquitous in today's world and have been integrated into every aspect of our lives and work. They have wide-ranging applications such as in defense systems, healthcare systems, banking, and infrastructure. A computer is operated using interfaces called software. It is important to ensure that a software behaves as it is instructed to. When a software produces undesirable behavior, we call the source of this behavior a bug. Avoiding software bugs is especially important in safety-critical systems — computer systems whose misbehavior could result in serious injury or loss of life. Examples of these include software that runs airplane systems, drones, cars, medical devices, and power plants.
Given (i) a specification of how a software should behave, as a set of logical formulas, and (ii) either a model or an implementation of the software, a theorem prover is a tool that can be used to ensure that the software behaves as it's supposed to. Theorem provers can be broadly classified as automated or interactive. Automated theorem provers (ATPs) aim to prove logical formulas quickly without external human help. Achieving this takes a substantial amount of code, which makes ATPs typically large computer software that are themselves prone to bugs. On the other hand, interactive theorem provers (ITPs) are smaller pieces of software that strictly follow certain principles that prevent bugs in their code. However, they provide a limited amount of automation, and hence, proving logical formulas in an ITP requires significantly more effort from a user. An ideal tool for software verification would offer both proof automation and strict guarantees of software correctness. This thesis presents three integrations between ATPs and ITPs that leverage the higher level of automation in ATPs and the higher level of trust in the proofs produced by ITPs to offer faster and more reliable provers for software systems. Provers integrated in these ways would prevent bugs in our software.
1. External ATPs can be used within ITPs to automate proofs. Such an integration can preserve the high level of trust in the ITP by internally following the steps taken by the ATP to prove the formula. Often, an external ATP can fail in such an integration because the ATP does not have sufficient information from the ITP to prove a formula. The first contribution of this thesis enhances a typical ATP-ITP integration so that the ATP can ask for extra information to prove a currently failing goal. Our work's experimental evaluation suggests that such an enhancement reduces the number of failures that can occur when an ITP calls an external ATP to automatically prove formulas for it.
2. An ATP's result can be externally verified by checking it in an ITP. This increases trust in the results produced by an ATP. ATPs that produce additional certificates can have their results verified in an ITP. The second contribution of this thesis generates an ITP checker for certificates produced by two distinct ATPs. Our experimental evaluation argues that this checker is more complete in its coverage than previous ITP checkers for ATPs.
3. An ATP can be verified within an ITP. Although the size of modern ATPs makes this a very challenging goal, ATPs can be separated into independent modules. The final contribution of this thesis is to verify a set of results, called invertibility conditions in an ITP. For ATPs that use them, the correct operation of one of their modules depends on the correctness of these invertibility conditions. The verification of these conditions in an ITP increases the reliability of the corresponding module of the ATP that relies on them.
- Academic Unit
- Computer Science
- Record Identifier
- 9984774960602771
Metrics
2 File views/ downloads
24 Record Views