Model Elimination with Simplification and its Application to Software Verification

Software verification is known to be a notoriously difficult application area for automated theorem provers. Consequently, this is the domain of interactive systems, such as KIV [Reif et al., 1997], HOL [Gordon and Melham, 1993], Isabelle [Nipkow and Paulson, 1992] and PVS [Owre et al., 1992]. The work described here aims to demonstrate that automated theorem provers (ATPs) can be successfully incorporated into such systems in order to relieve the user from some interactions. More specifically, we describe our approach of coupling the interactive program verification system KIV [Reif et al., 1997] with our automated theorem prover PROTEIN [Baumgartner and Furbach, 1994]. The KIV system [Reif et al., 1997] is a professionally engineered software verification system based on dynamic logic. Verification usually is done interactively by constructing a proof tree in a respective sequent calculus. However, the user can decide to attempt automated proofs for proof obligations which are “simple” enough. As a preliminary step then, a relevancy analysis tries to minimize the formulae necessary to prove the obligation submitted to the automated prover. Unlike typical benchmark problems used in ATP, these problems quite often contain redundant axioms, and hence having a goal-oriented prover like PROTEIN better supports focusing on the relevant ones than bottom-up methods. Currently there are two ways of proof automatization in KIV. The first way is to call an external prover (currently only 3TAP is fully coupled). Proof obligations are sorted first-order formulae with equality then. The second, built-in way is by simplifier rules: these are Gentzen sequents which, by a special syntax, contain information how to use them, namely as conditional rewrite rules. It is assumed and pragmatically justified that simplifier rules are a terminating, but not necessarily confluent rewrite system. Simplifier rules are conditional equations, conditional implications or equivalences. They are used from left to right, based on matching. One useful application of simplifier rules is to express a definition like in XS YS XS YS XS YS . By this rule, all occurrences of “ ”-literals can be eliminated. Besides lemmas, quite often axioms are treated as simplifier rules. Simplifier rules are used to reduce a goal sequent to a normal form, either at the predicate or term level, depending on the type of the rule. At best, reduction arrives at an axiom in order to have a proof. Simplifier rules usually dominate the input clause set by far, they are user given, carefully selected and a highlight in KIV. They turned out to be very useful and efficient in practice, but still “too incomplete”; hence, there is the need to substitute user interactions by calls to an ATP.