Project Team Proval

Members
Overall Objectives
Scientific Foundations
Application Domains
Software
New Results
Contracts and Grants with Industry
Partnerships and Cooperations
Dissemination
Bibliography
PDF e-pub XML


Section: Scientific Foundations

Automated deduction

Participants : Sylvain Conchon, Évelyne Contejean, Claire Dross, Mohamed Iguernelala, Stéphane Lescuyer, Claude Marché, Alain Mebsout, Andrei Paskevich, Xavier Urbain.

Our group has a long tradition of research on automated reasoning, in particular on equational logic, rewriting, and constraint solving. The main topics that have been under study in recent years are termination proofs techniques, the issue of combination of decision procedures, and generation of proof traces. Our theoretical results are mainly materialized inside our two automated provers CiME and Alt-Ergo.

Termination

On the termination topic, we have studied new techniques which can be automated. A fundamental result of ours is a criterion for checking termination modularly and incrementally  [94] , and further generalizations  [84] . These criteria and methods have been implemented into the CiME2 rewrite toolbox  [63] . Around 2002, several projects of development of termination tools arose in the world. We believe we have been pioneer in this growth, and indeed we organized in 2004 the first competition of such tools.

A direction of research on termination techniques was also to apply our new approaches (for rewriting) to other computing formalisms, first to Prolog programs [89] and then to membership equational programs  [67] , a paradigm used in the Maude system  [45] .

Decision Procedures

Combination

Our research related to combination of decision procedures was initiated by a result [70] obtained in collaboration with Shankar's group at SRI-international who develops the PVS environment, showing how decision procedures for disjoint theories can be combined as soon as each of them provides a so-called “canonizer” and a “solver”. Existing combination methods in the literature are generally not very well understood, and S. Conchon had a major contribution, in collaboration with Sava Krstić from OGI School of Science and Engineering (Oregon Health and Science University, USA), which is a uniform description of combination of decision procedures, by means of a system of inference rules, clearly distinguished from their strategy of application, allowing much clearer proofs of soundness and completeness [9] , [60] .

Polymorphic Logics

In the specific domain of program verification, the goals to be proved are given as formulae in a polymorphic multi-sorted first-order logic. Some of the sorts, such as integers and arrays, are built-in as they come from the usual data-types of programming languages. Polymorphism is used as a convenience for defining the memory models of C and Java programs and is handled at the level of the Why tool.

In order to be able to use all the available automated theorem provers (Simplify, SMT provers), including those which handle only untyped formulae (Simplify), one has to provide a way to get rid of polymorphism.

S. Conchon and É. Contejean have proposed an encoding of polymorphic multi-sorted logic (PSL) into unsorted logic based on term transformation, rather than addition of sort predicates which was used till then. This approach was extended further by S. Lescuyer  [79] , J.-F. Couchot  [65] , N. Stouls  [64] .

The Alt-Ergo theorem prover

It would be more convenient to deal with polymorphism directly in the theorem prover. There was no such prover available at the beginning of 2006, that is why S. Conchon and É. Contejean decided to develop a new tool called Alt-Ergo which is dedicated to the resolution of polymorphic and multi-sorted proof obligations and takes as input the Why syntax. In 2011, Alt-Ergo is still the only existing prover dealing with parametric polymorphism.

Alt-Ergo is based on CC(X[3] , a generic congruence closure algorithm developed in the team, for deciding ground formulas in the combination of the theory of equality with uninterpreted symbols and an arbitrary built-in solvable theory X. Currently, CC(X) can be instantiated by the empty equational theory, by the linear arithmetics and the theory of constructors.

Alt-Ergo contains also a Fourier-Motzkin decision procedure for linear arithmetics inequalities, a home-made SAT-solver and an instantiation mechanism.

The architecture of Alt-Ergo is modular: each part is described by a small set of inference rules and is implemented as an OCaml functor. Moreover, the code is short ( 10000 lines).

Automated proofs and certificates

A common issue to both termination techniques and decision procedures is that automatic provers use complex algorithms for checking validity of formula or termination of a computation, but when they answer that the problem is solved, they do not give any more useful information. It is highly desirable that they give a proof trace, that is some kind of certificate that could be double-checked by a third party, such as an interactive proof assistant like Coq. Indeed Coq is based on a relatively small and stable kernel, so that when it checks that a proof is valid, it can be trusted. Morevoer, a subpart of Coq has been proven correct in Coq  [52] .

Coccinelle and CiME's traces

In addition to efficient termination techniques, CiME implements in particular a semi-decision procedure for the equality modulo a set of axioms, based on ordered completion. In 2005, the former human readable proof traces have been replaced by Coq certificates, based on reified proof objects for a FOL logic modelled inside Coq  [61] .

É. Contejean, A. Paskevich, X. Urbain and the Cédric participants of the A3PAT project, Pierre Courtieu, Olivier Pons (CNAM), and Julien Forest, (ENSIIE) develop the new version of the CiME tool, CiME 3, associated with a Coq library called Coccinelle developed by É. Contejean. A trace generator outputs a trace for Coq in the unified framework provided by the Coccinelle library [62] [4] . Coccinelle contains the corresponding modelling of terms algebras and rewriting statements, and also some generic theorems which are needed for establishing a rewriting property from a trace. For example, in order to produce a certificate of termination for a rewriting system, one may provide as a trace an ordering that contains the rewrite system, but it is also needed to have a proof that this ordering is well-founded. Such a proof (for RPO for instance) is part of Coccinelle as a generic property. Coccinelle also contains as generic theorems some powerful criteria of termination: dependency pairs [48] , the main modularity theorem for termination presented in the thesis of Urbain [94] as well as innermost termination, dependency pairs for it and its equivalence with standard termination in some specific cases [72] .

The main improvement over the previous approach  [61] is that the Coq development is parameterized with respect to the equality predicate (instead of using the Coq native equality). This allows to deal uniformly with equality modulo a set of axioms, with termination of a set of rewrite rules, and with rewriting modulo a set of equations, such as associativity-commutativity.

Certifying termination proofs gained interest in the term rewriting community. Groups are either developing their own certifier, or producing traces for other's, thanks to a shared XML format. Since 2007, the termination competition has a category for certified termination proofs.

Further note that our efforts are not limited to termination proofs, and to date CiME 3 is the only tool able to prove and to certify confluence of term rewriting systems [25] .

The ergo tactics

In his thesis [14] , S. Lescuyer proposed new automation capabilities for the Coq proof assistant. He obtains this mechanization via an integration into Coq of decision procedures for propositional logic, equality reasoning and linear arithmetic which make up the core of the Alt-Ergo SMT solver. This integration is achieved through the reflection technique, which consists in implementing and formally proving these algorithms in Coq in order to execute them directly in the proof assistant. Because the algorithms formalized in Coq are exactly those in use in Alt-Ergo's kernel, this work significantly increases our trust in the solver. In particular, it embeds an original algorithm for combining equality modulo theory reasoning, called CC(X) and inspired by the Shostak combination algorithm, and whose justification is quite complex.

The Coq implementation of S. Lescuyer is available in the form of tactics which allow one to automatically solve formulae combining propositional logic, equality and arithmetic. In order to make these tactics as efficient as may be, he has taken special care with performance in his implementation, in particular through the use of classical efficient data structures, which we provide as a separate library.