Team Proval

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: Scientific Foundations

Automated deduction

Participants : Sylvain Conchon, Évelyne Contejean, Stéphane Lescuyer, Claude Marché, Xavier Urbain.

Our group has a long tradition of research on automated reasoning, in particular on equational logic, rewriting, and constraint solving. The main topics that have been under study in recent years are termination proofs techniques, the issue of combination of decision procedures, and generation of proof traces. Our theoretical results are mainly materialized inside our two automated provers CiME and Alt-Ergo .


On the termination topic, we have studied new techniques which can be automated. A fundamental result of ours is a criterion for checking termination modularly and incrementally   [110] , and further generalizations  [97] . These criteria and methods have been implemented into the CiME2 rewrite toolbox [4] . Around 2002, several projects of development of termination tools arose in the world. We believe we have been pioneer in this growth, and indeed we organized in 2004 the first competition of such tools.

A direction of research on termination techniques was also to apply our new approaches (for rewriting) to other computing formalisms, first to Prolog programs [101] and then to membership equational programs  [84] , a paradigm used in the Maude system  [45] .

Decision Procedures


Our research related to combination of decision procedures was initiated by a result [86] obtained in collaboration with Shankar's group at SRI-international who develops the PVS environment, showing how decision procedures for disjoint theories can be combined as soon as each of them provides a so-called “canonizer” and a “solver”. Existing combination methods in the literature are generally not very well understood, and S. Conchon had a major contribution, in collaboration with Sava Krstić from OGI School of Science and Engineering (Oregon Health and Science University, USA), which is a uniform description of combination of decision procedures, by means of a system of inference rules, clearly distinguished from their strategy of application, allowing much clearer proofs of soundness and completeness [9] , [76] .

Polymorphic Logics

In the specific domain of program verification, the goals to be proved are given as formulae in a polymorphic multi-sorted first-order logic. Some of the sorts, such as integers and arrays, are built-in as they come from the usual data-types of programming languages. Polymorphism is used as a convenience for defining the memory models of C and Java programs and is handled at the level of the Why tool.

In order to be able to use all the available automated theorem provers (Simplify, SMT provers), including those which handle only untyped formulae (Simplify), one has to provide a way to get rid of polymorphism.

S. Conchon and É. Contejean have proposed an encoding of polymorphic multi-sorted logic (PSL) into unsorted logic based on term transformation, rather than addition of sort predicates which was used till then. S. Lescuyer worked on this topic during his master thesis  [92] .

The Alt-Ergo theorem prover

It would be more convenient to deal with polymorphism directly in the theorem prover. There was no such prover available at the beginning of 2006, that is why S. Conchon and É. Contejean decided to develop a new tool called Alt-Ergo which is dedicated to the resolution of polymorphic and multi-sorted proof obligations and takes as input the Why syntax. In 2009, Alt-Ergo is still the only existing prover dealing with parametric polymorphism.

Alt-Ergo is based on CC(X) , a generic congruence closure algorithm developed in the team, for deciding ground formulas in the combination of the theory of equality with uninterpreted symbols and an arbitrary built-in solvable theory X . Currently, CC(X) can be instantiated by the empty equational theory, by the linear arithmetics and the theory of constructors.

Alt-Ergo contains also a Fourier-Motzkin decision procedure for linear arithmetics inequalities, a home-made SAT-solver and an instantiation mechanism.

Alt-Ergo is safe and its architecture is modular: each part is described by a small set of inference rules and is implemented as an Ocaml functor. Moreover, the code is short (6500 lines).

The current experimentations are very promising with respect to speed and to the number of proof obligations automatically solved.

Automated proofs and certificates

A common issue to both termination techniques and decision procedures is that automatic provers use complex algorithms for checking validity of formula or termination of a computation, but when they answer that the problem is solved, they do not give any more useful information. It is highly desirable that they give a proof trace , that is some kind of certificate that could be double-checked by a third party, such as an interactive proof assistant like Coq . Indeed Coq is based on a relatively small and stable kernel, so that when it checks that a proof is valid, it can be trusted. Morevoer, a subpart of Coq has been proven correct in Coq  [50] .

Coccinelle and CiME's traces

CiME implements in particular a semi-decision procedure for the equality modulo a set of axioms, based on ordered completion. In 2005, the former human readable proof traces have been replaced by Coq certificates, based on reified proof objects for a FOL logic modelled inside Coq   [77] .

É. Contejean and the Cédric participants of the A3PAT project, Pierre Courtieu, Olivier Pons (CNAM), Julien Forest, and Xavier Urbain (ENSIIE) are currently developing a new version of the CiME tool associated with a Coq library called Coccinelle developed by É. Contejean. A trace generator outputs a trace for Coq in the unified framework provided by the Coccinelle library [80] [3] . Coccinelle contains the corresponding modelling of terms algebras and rewriting statements, and also some generic theorems which are needed for establishing a rewriting property from a trace. For example, in order to produce a certificate of termination for a rewriting system, one may provide as a trace an ordering that contains the rewrite system, but it is also needed to have a proof that this ordering is well-founded. Such a proof (for RPO for instance) is part of Coccinelle as a generic property. Coccinelle also contains as generic theorems some powerful criteria of termination: dependency pairs [47] , the main modularity theorem for termination presented in the thesis of Urbain [110] as well as innermost termination, dependency pairs for it and its equivalence with standard termination in some specific cases [87] .

The main improvement over the previous approach  [77] is that the Coq development is parameterized with respect to the equality predicate (instead of using the Coq native equality). This allows to deal uniformly with equality modulo a set of axioms, with termination of a set of rewrite rules, and with rewriting modulo a set of equations, such as associativity-commutativity.

Since 2007, the termination competition has a new category for certified termination proofs. CiME\Coccinelle ranked the second place among the three participants in this category.


Logo Inria