refactor: sat trace functionality and bmc_sat

This changes the goal generated by `sat trace` to clearly state
what is actually checked. Previously, we universally quantified
over the `type`s and type class instance assumptions, but that
wasn't actually what the SMT query meant, which was confusing.

Now the goal shown to the user exactly matches what is checked.

Moreover, this commit prints models on `sat trace` queries.

Author: dranov

Test/BmcSat.lean

@@ -0,0 +1,36 @@
+import Veil
+
+veil module BmcSat
+
+individual flag : Prop
+
+#gen_state
+
+after_init {
+  flag := False
+}
+
+action set_flag = {
+  flag := True;
+}
+
+invariant ¬ flag
+
+#gen_spec
+
+#guard_msgs(drop warning) in
+sat trace { } by bmc_sat
+
+#guard_msgs(drop warning, drop info) in
+sat trace {
+  set_flag
+  set_flag
+} by bmc_sat
+
+/-- error: the goal is false -/
+#guard_msgs in
+sat trace {
+  assert False
+} by bmc_sat
+
+end BmcSat

Veil/DSL/Trace/Main.lean

@@ -127,11 +127,12 @@ def elabTraceSpec (r : TSyntax `expected_smt_result) (name : Option (TSyntax `id
     -- unsat trace -> ∀ states, ¬ (conjunction of assertions)
     let stateTp ← getStateTpStx
     let binderNames : Array (TSyntax ``Lean.binderIdent) := stateNames.map toBinderIdent
+    let vdE ← vd.mapM toExplicitBinders
     let assertion ← match r with
-    | `(expected_smt_result| unsat) => `(∀ ($[$stateNames]* : $stateTp), ¬ $conjunction)
-    | `(expected_smt_result| sat) => `(∃ ($[$binderNames]* : $stateTp), $conjunction)
+    | `(expected_smt_result| unsat) => `(∀ $[$vd]* ($[$stateNames]* : $stateTp), ¬ $conjunction)
+    | `(expected_smt_result| sat) => `(∃ $[$vdE]* ($[$binderNames]* : $stateTp), $conjunction)
     | _ => dbg_trace "expected result is neither sat nor unsat!" ; unreachable!
-    `(theorem $th_id $[$vd]* : $assertion := by exact $pf)
+    `(theorem $th_id : $assertion := by exact $pf)
   elabCommand $ th
 
 elab_rules : command

Veil/SMT/Main.lean

@@ -77,37 +77,4 @@ def failureGoalStr : String := "solver invocation failed"
     | .Failure reason => throwError "{failureGoalStr}{if reason.isSome then s!": {reason.get!}" else ""}"
     | .Unsat => mv.admit (synthetic := false)
 
-
-open Lean.Meta in
-/-- UNSAFE: Switches the goal with its negation!
-    This is unsound unless we use `admit_if_satisfiable` on the resulting goal! -/
-elab "negate_goal" : tactic => withMainContext do
-  let goal ← getMainGoal
-  let goalType ← getMainTarget
-  let negatedGoalType ← mkAppM `Not #[goalType]
-  let negatedGoal ← mkFreshExprMVar $ negatedGoalType
-  goal.admit (synthetic := false)
-  setGoals [negatedGoal.mvarId!]
-
-syntax (name := admit_if_satisfiable) "admit_if_satisfiable" Smt.Tactic.smtHints Smt.Tactic.smtTimeout : tactic
-
-open Lean.Meta in
-/-- UNSAFE: admits the goal if it is satisfiable.
-    This is unsound unless we use `negate_goal` on the goal first!
-    MOREOVER, we need to pass in all the hypotheses in the context.
--/
-@[tactic admit_if_satisfiable] def evalAdmitIfSat : Tactic := fun stx => withMainContext do
-  let mv ← Tactic.getMainGoal
-  let hs ← Smt.Tactic.parseHints ⟨stx[1]⟩
-  let withTimeout ← parseTimeout ⟨stx[2]⟩
-  let cmdString ← Veil.SMT.prepareLeanSmtQuery mv hs
-  let res ← Veil.SMT.querySolver cmdString withTimeout (retryOnUnknown := true)
-  match res with
-  | .Sat _ =>
-    trace[veil.smt.result] "The negation of the goal is satisfiable, hence the goal is valid."
-    mv.admit (synthetic := false)
-  | .Unsat => throwError "the goal is false"
-  | .Unknown _ => throwError "the solver returned {res}"
-  | .Failure _ => throwError "solver invocation {res}"
-
 end Veil.SMT

Veil/SMT/Quantifiers/Elimination.lean

@@ -69,7 +69,10 @@ def HO_exists_push_left_impl : Simp.Simproc := fun e => do
   -- The body of an `∃` is a lambda
   let step : Simp.Step ← lambdaBoundedTelescope eBody (maxFVars := 1) (fun ks lBody => do
       let_expr Exists t' eBody' := lBody | return .continue
-      if (← isHigherOrder t') && !(← isHigherOrder t) then
+      -- We only want to push HO types left over non-HO types. But we must be
+      -- careful: if `t'` depends on the value of the previous binder, we cannot
+      -- swap them.
+      if (← isHigherOrder t') && !(← isHigherOrder t) && !(dependsOn t' ks)  then
         let step : Simp.Step ← lambdaBoundedTelescope eBody' (maxFVars := 1) (fun ks' lBody' => do
           -- swap the quantifiers
           let innerExists := mkAppN e.getAppFn #[t, ← mkLambdaFVars ks lBody']
@@ -82,6 +85,9 @@ def HO_exists_push_left_impl : Simp.Simproc := fun e => do
         return .continue
   )
   return step
+where
+  dependsOn (child : Expr) (deps : Array Expr) : Bool :=
+    child.find? (fun e => deps.contains e) != none
 
 simproc HO_exists_push_left (∃ _ _, _) := HO_exists_push_left_impl
 attribute [quantifierSimp] HO_exists_push_left

Veil/Tactic/Main.lean

@@ -319,25 +319,74 @@ elab "bmc" : tactic => withMainContext do
   trace[veil.smt] "{tac}"
   evalTactic $ tac
 
-/-- Tactic to solve `sat_trace` goals. -/
-elab "bmc_sat" : tactic => withMainContext do
-  let prep_tac ← `(tactic|
-    (try simplify_all);
-    (try
-      negate_goal;
-      simp only [Classical.exists_elim, Classical.not_not];
-      (unhygienic intros);
-      sdestruct_hyps);
-    (try simplify_all);
-    /- Needed to work around [lean-smt#100](https://github.com/ufmg-smite/lean-smt/issues/100) -/
-    (try rename_binders)
-  )
-  trace[veil.smt] "{prep_tac}"
-  evalTactic prep_tac
-  if (← getUnsolvedGoals).length != 0 then
-    /- After preparing the context, call `sauto` on it. -/
-    withMainContext do
-    let idents ← getPropsInContext
-    let auto_tac ← `(tactic| admit_if_satisfiable [$[$idents:ident],*])
-    trace[veil.smt] "{auto_tac}"
-    evalTactic auto_tac
+open Lean.Meta in
+def bmcSat : TacticM Unit := withMainContext do
+  let originalGoal ← Tactic.getMainGoal
+  -- Operate on a duplicated goal
+  let goal' ← mkFreshExprMVar (← Tactic.getMainTarget)
+  replaceMainGoal [goal'.mvarId!]
+  run `(tactic| simplify_all)
+  if (← getUnsolvedGoals).length == 0 then
+    trace[veil.info] "goal is solved by initial simplification"
+    originalGoal.admit (synthetic := false)
+  else
+    trace[veil.info] "goal is not solved by initial simplification"
+    existIntoForall
+    let simpLemmas := mkSimpLemmas $ #[`smtSimp].map mkIdent
+    withMainContext do run `(tactic| unhygienic intros; sdestruct_hyps; (try simp only [$simpLemmas,*]))
+    if (← getUnsolvedGoals).length == 0 then
+      trace[veil.info] "goal is solved by existential elimination"
+      originalGoal.admit (synthetic := false)
+    else
+      trace[veil.info] "proceeding with SMT"
+      trace[veil.info] "goal: {← Tactic.getMainTarget}"
+      admitIfSat
+      if (← getUnsolvedGoals).length == 0 then
+        originalGoal.admit (synthetic := false)
+      else
+        throwError "goal is not solved by SMT"
+where
+  existIntoForall := withMainContext do
+    let goalType' ← turnExistsIntoForall (← Tactic.getMainTarget)
+    let goal' ← mkFreshExprMVar goalType'
+    replaceMainGoal [goal'.mvarId!]
+  /-- UNSAFE: admits the goal if it is satisfiable, taking into account
+  all hypotheses in the context. -/
+  admitIfSat : TacticM Unit := withMainContext do
+  let opts ← getOptions
+  let mv ← Tactic.getMainGoal
+  let idents ← getPropsInContext
+  let hints ← `(Smt.Tactic.smtHints|[$[$idents:ident],*])
+  let hs ← Smt.Tactic.parseHints ⟨hints⟩
+  let withTimeout := veil.smt.timeout.get opts
+  -- IMPORTANT: `prepareLeanSmtQuery` (in `Smt.prepareSmtQuery`) negates
+  -- the goal (it's designed for validity checking), so we negate it here
+  -- to counter-act this.
+  -- NOTE: we don't respect `veil.smt.translator` here, since we want to
+  -- print a readable model, which requires `lean-smt`.
+  let mv' ← mkFreshExprMVar (mkNot $ ← Tactic.getMainTarget)
+  let leanSmtQueryString ← Veil.SMT.prepareLeanSmtQuery mv'.mvarId! hs
+  let res ← Veil.SMT.querySolver leanSmtQueryString withTimeout (retryOnUnknown := true)
+  match res with
+  | .Sat .none => mv.admit (synthetic := false)
+  | .Sat (some modelString) =>
+    -- try to generate a readable model, using `lean-smt`
+    let resStr := match ← Veil.SMT.getReadableModel leanSmtQueryString withTimeout (minimize := veil.smt.model.minimize.get opts) with
+    | .some fostruct => s!"{fostruct}"
+    | .none => s!"(could not get readable model)\n{modelString}"
+    logInfo resStr
+    mv.admit (synthetic := false)
+  | .Unknown reason => throwError "{Veil.SMT.unknownGoalStr}{if reason.isSome then s!": {reason.get!}" else ""}"
+  | .Failure reason => throwError "{Veil.SMT.failureGoalStr}{if reason.isSome then s!": {reason.get!}" else ""}"
+  | .Unsat => throwError "{Veil.SMT.satGoalStr}"
+
+/-- Tactic to solve `sat trace` goals.
+
+Given a goal of the form `∃ x, P x` (valid), we prove it by showing `P c`
+is _satisfiable_ for some constant `c`.
+
+In principle, we could use the model returned by the SMT solver to
+instantiate the existential quantifiers, and thus avoid the need to
+trust the solver, but this is not implemented yet.
+-/
+elab "bmc_sat" : tactic => bmcSat

Veil/Util/Meta.lean

@@ -44,6 +44,14 @@ def toBracketedBinderArray (stx : TSyntax `Lean.explicitBinders) : MetaM (TSynta
       pure ()
     | _ => throwError "unexpected syntax in explicit binder: {stx}"
     return binders
+/-- Convert definition binders into existential binders. -/
+def toExplicitBinders [Monad m] [MonadError m] [MonadQuotation m] (stx : TSyntax `Lean.Parser.Term.bracketedBinder) : m (TSyntax `Lean.bracketedExplicitBinders) := do
+  match stx with
+  | `(bracketedBinder| ($id:ident : $tp:term))
+  | `(bracketedBinder| [$id:ident : $tp:term])
+  | `(bracketedBinder| {$id:ident : $tp:term}) =>
+    return ← `(bracketedExplicitBinders|($(toBinderIdent id) : $tp))
+  | _ => throwError "unexpected syntax in explicit binder: {stx}"
 
 /-- Convert existential binders into function binders. -/
 def toFunBinderArray (stx : TSyntax `Lean.explicitBinders) : MetaM (TSyntaxArray `Lean.Parser.Term.funBinder) := do
@@ -241,3 +249,12 @@ def combineLemmas (op : Name) (exps: List Expr) (vs : Array Expr) (name : String
         exps <- mkAppM op #[exp, exps]
       mkLambdaFVars args exps
     instantiateLambda exps vs
+
+open Meta in
+partial def turnExistsIntoForall (e : Expr) : MetaM Expr := do
+  match_expr e with
+  | Exists _t eBody =>
+  lambdaBoundedTelescope eBody (maxFVars := 1) (fun ks lBody => do
+    mkForallFVars ks (← turnExistsIntoForall lBody)
+  )
+  | _ => return e

Veil/Util/Quantifiers.lean

@@ -220,7 +220,7 @@ abbrev QuantElimM := StateT QEState n
 
 def isHigherOrder (e : Expr) : MetaM Bool := do
   let t ← inferType e
-  let isHO := !t.isProp && (e.isArrow || e.isAppOf (← getStateName))
+  let isHO := (!t.isProp) && (e.isArrow || e.isAppOf (← getStateName))
   return isHO
 
 partial def forEachExprSane'