Counter-Example Guided Proof Repair

• The paper presents a certified, fully automated method for debugging conditional correctness proofs through counter-example extraction from Herbrand trees.
• It formalizes contradictory universal theories in first-order logic, leveraging a constructive proof of Herbrand’s theorem within Coq for efficient diagnostics.
• The approach extracts executable code to dynamically diagnose faulty library functions, enabling precise and systematic proof repair.

Counter-Example Guided Proof Repair is a certified and fully automated method for debugging conditional correctness proofs in software verification, especially in scenarios where external libraries are assumed to satisfy given specifications but may not. This methodology is formalized through Herbrand tree construction for contradictory universal theories within the Coq proof assistant framework. By extracting executable code from a constructive proof of Herbrand’s theorem, the workflow pinpoints precisely which library function and input causes a violation of the expected specifications, thus yielding concrete counter-examples that facilitate the repair of proofs contingent on external code correctness (Rieg, 2013).

1. Logical Encoding of Contradictory Universal Theories

The process begins with the formalization of the target theory in first-order logic. Given a signature $\Sigma$ comprising function symbols ($f, g, \dots$) and predicate symbols ($P, Q, \dots$), the universal theory

$$U = \{\,\forall \vec{x}. C_j(\vec{x}) \mid j = 1\dots n \}$$

consists of universal axioms where each $C_j(\vec{x})$ is a quantifier-free compound statement built from atomic formulas via conjunction, disjunction, and negation.

A Herbrand interpretation uses the Herbrand universe (set of all ground terms) for its domain, interpreting predicates as arbitrary Boolean functions. Key abstractions:

• Atoms: All ground atomic formulas are aggregated into a type $\Atom$.
• Indices: Every instantiation of an axiom $j$ with concrete parameters $t$ is enumerated by $\Index$.
• Compound Formulas: Encoded as an inductive type compound in Coq, allowing the representation of arbitrary Boolean combinations of atoms.
• Ground Evaluation: Given $\val:\Atom\to\bool$, the evaluation $\eval(\val, c):\option\,\bool$ recursively defines the truth value of each compound $c$.

Inconsistency is then encoded by asserting the non-existence of any total interpretation satisfying all ground instances of the axioms: $\neg\bigl(\exists\,\val: \Atom\to\bool.\;\forall i:\Index.\;\eval(\val, \Th(i)) = \texttt{Some true}\bigr)$

2. Herbrand’s Theorem: Coq Formalization and Proof Principles

Herbrand’s theorem connects unsatisfiability of a set of universal axioms to the existence of a finite Herbrand tree, which systematically organizes all possible valuation branches and localizes the failure. In Coq, the theorem is stated as:

Theorem Herbrand : forall `{Atom} `{Index} `{ThType}, exists t : Tree, Htree Th t = true.

where Tree is an inductive datatype:

Inductive Tree : Set := | Contrad : Index -> Tree | Exp : atom -> Tree -> Tree -> Tree.

The proof avoids black-box applications of König’s lemma, instead using reductio ad absurdum and inductive reasoning on paths in the Herbrand universe. The predicate good p captures the property of a partial interpretation (path) leading to a contradiction, facilitating explicit tree construction. The use of classical logic is restricted to minimal principles for atom selection and the elimination of non-existence hypotheses via contradiction.

3. Extraction Pipeline via Krivine’s Classical Realizability

The translation from constructive proof to executable code employs a two-stage pipeline:

1. K-extraction: The Coq proof term $M$ for the existence of the Herbrand tree is mechanically transformed (via Krivine’s $\lambda_c$-calculus) into a classical realizer $M^*$. This transformation introduces callcc to handle classical reasoning constructs and erases pure logical arguments.
2. Witness Extraction: A wrapper $T$ (storage operator plus stopping primitive) is applied to $M^*$ so that evaluation in Krivine’s Abstract Machine materializes the Herbrand tree.

The top-level extracted function is:

val extract_herbrand : (atom -> atom -> bool) -> (* atom-equality *) (index -> index -> bool) -> (* index-ordering *) (index -> compound) -> tree

This function, fed with suitable equality/order functions and the axiom mapping, constructs the binary decision tree needed for proof repair.

4. Herbrand Tree Data Structures and Semantics

The Herbrand tree structures are defined both in Coq and the extracted OCaml code:

Structure	Coq Definition	OCaml/Pseudo-code
Path	`Inductive path := Top	Left a p
Tree	`Contrad i	Exp a t1 t2`

Graphically, each Herbrand tree $T$ is: $T ::= \Contrad(i) \mid \Exp(a, T_{\mathrm{true}}, T_{\mathrm{false}})$ Given any total assignment $\val:\Atom\to\{0,1\}$, traversal of $\Exp(a,\cdot,\cdot)$ depends on $\val(a)$, reaching a contradiction index $i$ when the corresponding clause fails. The resulting tree is interpretable as a binary decision diagram for diagnostics.

5. Counter-Example Extraction and Proof Repair Algorithm

The practical procedure for counter-example guided proof repair is a traversal of the Herbrand tree, dynamically querying the external functions behind each atomic predicate. For each atomic test, the associated library function is called. The traversal records the growing assignment. On reaching a contradiction leaf $\Contrad(i)$, the algorithm analyzes the failed clause:

• Extract all atoms from the clause.
• For each, compare the result of the runtime test to the expected truth from the clause for the given assignment.
• The first discrepancy identifies the concrete function and input triggering the specification violation.

Pseudocode from the extracted OCaml implementation:

let rec locate_failure (t:tree) (path_assign: atom->bool option) = match t with | Contrad i -> ... (* pinpoint faulty function/argument *) | Exp (a, left, right) -> let b = test_atom a in let path_assign' = fun x -> if x = a then Some b else path_assign x in if b then locate_failure left path_assign' else locate_failure right path_assign'

This approach is systematic, precise, and leverages the explicit binary structure of the Herbrand tree.

6. Concrete Example: Diagnosis for a Pseudo-Induction Theory

Consider a theory with

• $f: \mathbb{N} \to \mathbb{N}$
• $P: \mathbb{N} \to \text{bool}$

with axioms: $$\begin{array}{ll} (1)&\forall n.\;P(n)\Longrightarrow P(f(n)) \ (2)&\forall n.\;\lnot P(f(n))\Longrightarrow \lnot P(n) \ (3)&P(0)=\text{true} \ (4)&P(f(f(0)))=\text{false} \end{array}$$ In Coq notation, atoms $a_n \equiv P(f^n(0))$, indices encode axiom/parameter pairs. The extracted Herbrand tree reflects the logical dependency of $P$ and $f$ evaluations. Traversal with runtime tests determines whether the observed behaviors match the specifications. Contradiction leaves identify either faulty results from $P$ or incorrect application of $f$, associating concrete arguments with the failed clause. Thus, the method isolates precisely which library function and input failed, enabling direct repair.

7. Summary and Significance

Counter-Example Guided Proof Repair as realized through Herbrand tree extraction in Coq provides a certified, fully automated strategy for localizing specification failures in conditional software proofs. The workflow integrates formal encoding, constructive existence proofs, classical extraction via Krivine’s realizability, and dynamic tree-guided diagnostics—yielding a “static debugger” for Coq correctness proofs reliant on external libraries. This approach is traceable, rigorously specified, and offers explicit counter-examples that facilitate the systematic diagnosis and repair of defective assumptions (Rieg, 2013).