## Section: Scientific Foundations

### Automated deduction

Participants: Sylvain Conchon, Évelyne Contejean, Stéphane Lescuyer, Claude Marché, Xavier Urbain.

Our group has a long tradition of research on automated reasoning, in
particular on equational logic, rewriting, and constraint solving.
The main topics studied in recent years are termination proof
techniques, the combination of decision procedures, and the generation
of proof traces. Our theoretical results are mainly materialized in
our two automated provers, CiME and *Alt-Ergo*.

#### Termination

On the termination topic, we have studied new techniques that can be
automated. A fundamental result of ours is a criterion for checking
termination *modularly* and *incrementally* [110], together with
further generalizations [97]. These criteria and methods have been
implemented in the CiME2 rewrite toolbox [4]. Around 2002, several
projects developing termination tools arose around the world. We
believe we have been pioneers in this growth; indeed, we organized in
2004 the first competition of such tools.

A second direction of research on termination was to apply our new
approaches (designed for rewriting) to other computing formalisms,
first to Prolog programs [101] and then to membership equational
programs [84], a paradigm used in the *Maude* system [45].

#### Decision Procedures

##### Combination

Our research on the combination of decision procedures was initiated by a result [86] obtained in collaboration with Shankar's group at SRI International, which develops the PVS environment, showing how decision procedures for disjoint theories can be combined as soon as each of them provides a so-called “canonizer” and a “solver”. Existing combination methods in the literature are generally not very well understood. S. Conchon made a major contribution here, in collaboration with Sava Krstić of the OGI School of Science and Engineering (Oregon Health and Science University, USA): a uniform description of the combination of decision procedures by means of a system of inference rules, clearly separated from the strategy used to apply them, which allows much clearer proofs of soundness and completeness [9], [76].

##### Polymorphic Logics

In the specific domain of program verification, the goals to be proved
are given as formulae in a polymorphic multi-sorted first-order logic.
Some of the sorts, such as integers and arrays, are built in, since they
come from the usual data types of programming languages.
Polymorphism is used as a convenience for defining the memory models
of C and Java programs and is handled at the level of the *Why* tool.

In order to use all the available automated theorem provers (Simplify, SMT provers), including those that handle only untyped formulae (Simplify), one has to provide a way to eliminate polymorphism.

S. Conchon and É. Contejean have proposed an encoding of polymorphic multi-sorted logic (PSL) into unsorted logic based on term transformation, rather than on the addition of sort predicates, which had been used until then. S. Lescuyer worked on this topic during his master's thesis [92].

##### The *Alt-Ergo* theorem prover

It would be more convenient to deal with polymorphism directly in the
theorem prover. No such prover was available at the beginning of 2006,
which is why S. Conchon and É. Contejean decided to develop a new tool
called *Alt-Ergo*, dedicated to the resolution of polymorphic
multi-sorted proof obligations and taking the *Why* syntax as input.
In 2009, *Alt-Ergo* is still the only existing prover dealing with
parametric polymorphism.

*Alt-Ergo* is based on CC(X), a generic congruence closure algorithm
developed in the team for deciding ground formulas in the combination
of the theory of equality with uninterpreted symbols and an arbitrary
built-in solvable theory X. Currently, CC(X) can be instantiated with
the empty equational theory, with linear arithmetic, and with the
theory of constructors.
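To make the congruence closure part concrete, here is an added example (written for this page, not code from *Alt-Ergo* or CC(X)) of the empty-theory instance: a union-find over the subterms of the input, closed under congruence, used to decide a conjunction of ground equations and disequations over uninterpreted symbols. The term representation (nested tuples) and the naive quadratic fixpoint are choices made for readability here; CC(X) additionally delegates reasoning on interpreted symbols to a solver for the theory X, which this example does not attempt.

```python
"""Congruence closure over ground terms with uninterpreted function symbols.

Terms are nested tuples: ('f', t1, ..., tn) is an application, ('a',) a
constant.  Empty-theory instance only: no interpreted symbols.
"""
from itertools import combinations


def subterms(term, acc):
    """Add term and all of its subterms to the set acc."""
    if term not in acc:
        acc.add(term)
        for arg in term[1:]:
            subterms(arg, acc)
    return acc


class CongruenceClosure:
    """Incremental union-find over terms, kept closed under congruence."""

    def __init__(self):
        self.parent = {}   # term -> parent in the union-find forest
        self.apps = []     # non-constant terms, candidates for congruence

    def add_term(self, t):
        """Register t and its subterms, then restore closure: a new
        application may be congruent to one already present."""
        for u in subterms(t, set()):
            if u not in self.parent:
                self.parent[u] = u
                if len(u) > 1:
                    self.apps.append(u)
        self.propagate()

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return False
        self.parent[rs] = rt
        return True

    def propagate(self):
        """Merge f(s1..sn) with f(t1..tn) whenever si ~ ti for every i,
        repeating until no further merge is possible."""
        changed = True
        while changed:
            changed = False
            for u, v in combinations(self.apps, 2):
                if (u[0] == v[0] and len(u) == len(v)
                        and self.find(u) != self.find(v)
                        and all(self.find(a) == self.find(b)
                                for a, b in zip(u[1:], v[1:]))):
                    self.union(u, v)
                    changed = True

    def merge(self, s, t):
        """Assert the ground equation s = t."""
        self.add_term(s)
        self.add_term(t)
        self.union(s, t)
        self.propagate()

    def equal(self, s, t):
        """Does s = t follow from the equations asserted so far?"""
        self.add_term(s)
        self.add_term(t)
        return self.find(s) == self.find(t)


def decide(equations, disequations):
    """Satisfiability of a conjunction of ground equations s = t and
    disequations s != t: unsatisfiable exactly when the closure merges
    both sides of some disequation."""
    cc = CongruenceClosure()
    for s, t in equations:
        cc.merge(s, t)
    return not any(cc.equal(s, t) for s, t in disequations)


if __name__ == "__main__":
    # Constructed inputs for illustration.
    a, b = ('a',), ('b',)
    f = lambda t: ('f', t)
    # f^3(a) = a and f^5(a) = a entail f(a) = a, so f(a) != a is unsatisfiable.
    print(decide([(f(f(f(a))), a), (f(f(f(f(f(a))))), a)], [(f(a), a)]))
    # f(a) = b entails f(f(a)) = f(b) by congruence.
    print(decide([(f(a), b)], [(f(f(a)), f(b))]))
    # Nothing forces a = b.
    print(decide([], [(a, b)]))
```

The first input is the classic case where the answer only appears after several rounds of congruence propagation (f(a) = a is not a consequence of either equation alone); it is a useful sanity check for any congruence-closure implementation.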

*Alt-Ergo* also contains a Fourier-Motzkin decision procedure for linear
arithmetic inequalities, a home-made SAT solver and an instantiation
mechanism.
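As an added illustration of the Fourier-Motzkin procedure named above (example code written for this page, not *Alt-Ergo*'s implementation), the following eliminates variables one at a time from a conjunction of inequalities of the form sum_i a_i*x_i <= b and reports whether a rational solution exists. The constraint encoding (a dict of coefficients plus a bound) is an assumption of this example.

```python
"""Fourier-Motzkin elimination over the rationals.

A constraint is a pair (coeffs, bound) meaning sum(coeffs[v] * v) <= bound,
with coeffs a dict mapping variable names to numbers.
"""
from fractions import Fraction


def normalize(constraint):
    """Exact arithmetic and no zero coefficients."""
    coeffs, bound = constraint
    return ({v: Fraction(c) for v, c in coeffs.items() if c != 0},
            Fraction(bound))


def eliminate(constraints, var):
    """Project the system onto the other variables.  Every constraint that
    bounds var from above is combined with every constraint that bounds it
    from below so that var cancels; constraints not mentioning var are kept."""
    upper, lower, rest = [], [], []
    for coeffs, bound in constraints:
        c = coeffs.get(var, 0)
        if c > 0:
            upper.append((coeffs, bound))
        elif c < 0:
            lower.append((coeffs, bound))
        else:
            rest.append((coeffs, bound))
    for uc, ub in upper:
        for lc, lb in lower:
            p, n = uc[var], -lc[var]          # both strictly positive
            combined = {}
            for v in set(uc) | set(lc):
                coef = n * uc.get(v, 0) + p * lc.get(v, 0)
                if coef != 0:                 # var itself always cancels
                    combined[v] = coef
            rest.append((combined, n * ub + p * lb))
    return rest


def fourier_motzkin_sat(constraints):
    """True iff the constraints have a rational solution.  Once every
    variable is eliminated, only constraints 0 <= b remain, and the system
    is unsatisfiable exactly when some such b is negative."""
    system = [normalize(c) for c in constraints]
    for var in sorted({v for coeffs, _ in system for v in coeffs}):
        system = eliminate(system, var)
    return all(bound >= 0 for _, bound in system)


if __name__ == "__main__":
    # Constructed inputs for illustration.
    # x < y < z < x as non-strict bounds: x - y <= -1, y - z <= -1, z - x <= -1.
    print(fourier_motzkin_sat([({'x': 1, 'y': -1}, -1),
                               ({'y': 1, 'z': -1}, -1),
                               ({'z': 1, 'x': -1}, -1)]))
    # x + y <= 10, x - y <= 2, x >= 3 has solutions (e.g. x = 3, y = 1).
    print(fourier_motzkin_sat([({'x': 1, 'y': 1}, 10),
                               ({'x': 1, 'y': -1}, 2),
                               ({'x': -1}, -3)]))
```

Two caveats a user of such a procedure should keep in mind. First, each elimination step can multiply the number of constraints (every upper bound paired with every lower bound), so the method is exponential in the number of variables in the worst case. Second, it decides satisfiability over the rationals: 2x <= 1 together with -2x <= -1 is reported satisfiable (x = 1/2), so for integer-valued program variables the answer "satisfiable" is only a relaxation and needs a further integer-specific check.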

*Alt-Ergo* is safe and its architecture is modular: each part is
described by a small set of inference rules and is implemented as an
OCaml functor. Moreover, the code is short (6500 lines).

Current experiments are very promising with respect to speed and to the number of proof obligations solved automatically.

#### Automated proofs and certificates

A common issue for both termination techniques and decision procedures
is that automatic provers use complex algorithms to check the validity
of a formula or the termination of a computation, but when they answer
that the problem is solved, they give no further useful information.
It is highly desirable that they give a *proof trace*, that is, some
kind of certificate that can be double-checked by a third party, such
as an interactive proof assistant like *Coq*. Indeed, *Coq* is based on
a relatively small and stable kernel, so that when it checks that a
proof is valid, it can be trusted: the complex prover that produced the
certificate no longer needs to be trusted, only the kernel that checks
it. Moreover, a subpart of Coq has been proven correct in Coq [50].

##### Coccinelle and CiME's traces

CiME implements in particular a semi-decision procedure for equality
modulo a set of axioms, based on ordered completion. In 2005, the
former human-readable proof traces were replaced by *Coq* certificates,
based on reified proof objects for a first-order logic modelled inside
*Coq* [77].

É. Contejean and the Cédric participants in the A3PAT project, Pierre
Courtieu, Olivier Pons (CNAM), Julien Forest and Xavier Urbain (ENSIIE),
are currently developing a new version of the CiME tool associated
with a *Coq* library called Coccinelle, developed by É. Contejean. A
trace generator outputs a trace for *Coq* in the unified framework
provided by the Coccinelle library [80], [3]. Coccinelle contains the
corresponding modelling of term algebras and rewriting statements, and
also some generic theorems needed to establish a rewriting property
from a trace. For example, in order to produce a certificate of
termination for a rewriting system, one may provide as a trace an
ordering that contains the rewrite system, but a proof that this
ordering is well-founded is also needed. Such a proof (for RPO, for
instance) is part of Coccinelle as a generic property. Coccinelle also
contains, as generic theorems, some powerful termination criteria:
dependency pairs [47], the main modularity theorem for termination
presented in Urbain's thesis [110], as well as innermost termination,
dependency pairs for it, and its equivalence with standard termination
in some specific cases [87].
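The "ordering that contains the rewrite system" part of such a certificate is easy to make concrete. The following added example (written for this page; it is neither CiME's trace generator nor Coccinelle's Coq development) checks that every rule l -> r of a system satisfies l > r for the lexicographic path ordering (LPO, the RPO with lexicographic status) induced by a precedence on function symbols. The term encoding, the rule set and the precedence are constructed inputs. Note the division of labour the text describes: this check is the easy, trace-guided half; the hard half, the proof that the LPO is well-founded, is exactly the generic theorem a library like Coccinelle must supply once, and the check below does not prove it.

```python
"""Checking containment of a rewrite system in a lexicographic path ordering.

Terms: a variable is a plain string such as 'X'; an application is a tuple
('f', t1, ..., tn); a constant is ('0',).
"""


def is_var(t):
    return isinstance(t, str)


def occurs(x, t):
    """Does variable x occur in term t?"""
    if is_var(t):
        return t == x
    return any(occurs(x, arg) for arg in t[1:])


def lpo_gt(s, t, prec):
    """s >_lpo t, where prec maps each symbol to a rank (higher = bigger).

    Standard definition: for s = f(s1..sm) and t = g(t1..tn),
      (1) some si is equal to or greater than t, or
      (2) f > g and s > tj for all j, or
      (3) f = g, (s1..sm) >lex (t1..tn) and s > tj for all j.
    A variable is below every term except itself.
    """
    if is_var(s):
        return False
    if is_var(t):
        return occurs(t, s)       # s > x iff x is a proper subterm of s
    f, ss = s[0], s[1:]
    g, ts = t[0], t[1:]
    if any(si == t or lpo_gt(si, t, prec) for si in ss):      # (1)
        return True
    if not all(lpo_gt(s, tj, prec) for tj in ts):             # needed by (2), (3)
        return False
    if prec[f] > prec[g]:                                     # (2)
        return True
    if f == g:                                                # (3)
        for si, ti in zip(ss, ts):
            if si != ti:
                return lpo_gt(si, ti, prec)
        return len(ss) > len(ts)
    return False


def terminates_by_lpo(rules, prec):
    """True iff l >_lpo r for every rule (l, r).  Since the LPO is a
    well-founded rewrite ordering, this establishes termination; the
    well-foundedness proof itself is not produced here."""
    return all(lpo_gt(l, r, prec) for l, r in rules)


if __name__ == "__main__":
    # Constructed example: addition and the Ackermann function.
    zero = ('0',)
    s = lambda t: ('s', t)
    plus = lambda x, y: ('plus', x, y)
    ack = lambda x, y: ('ack', x, y)
    rules = [
        (plus(zero, 'Y'), 'Y'),
        (plus(s('X'), 'Y'), s(plus('X', 'Y'))),
        (ack(zero, 'Y'), s('Y')),
        (ack(s('X'), zero), ack('X', s(zero))),
        (ack(s('X'), s('Y')), ack('X', ack(s('X'), 'Y'))),
    ]
    print(terminates_by_lpo(rules, {'ack': 3, 'plus': 2, 's': 1, '0': 0}))
    # Same rules under a precedence with s above plus: no longer oriented.
    print(terminates_by_lpo(rules, {'ack': 3, 'plus': 0, 's': 1, '0': 0}))
    # f(X) -> f(f(X)) does not terminate, and no LPO orients it.
    print(terminates_by_lpo([(('f', 'X'), ('f', ('f', 'X')))], {'f': 0}))
```

The precedence is the part of the trace that a tool like CiME has to search for; the checker only verifies it. Swapping the ranks of plus and s, as in the second call, makes the second addition rule fail case (2) and the check correctly rejects the certificate.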

The main improvement over the previous approach [77] is that the
*Coq* development is parameterized with respect to the equality
predicate (instead of using *Coq*'s native equality). This makes it
possible to deal uniformly with equality modulo a set of axioms, with
termination of a set of rewrite rules, and with rewriting modulo a set
of equations, such as associativity-commutativity.

Since 2007, the termination competition has had a new category for certified termination proofs. CiME/Coccinelle ranked second among the three participants in this category.