## Modular SMT Proofs for Fast Reflexive Checking inside Coq (2011)

Venue: First International Conference on Certified Programs and Proofs

Citations: 8 - 2 self

### BibTeX

@MISC{Besson11modularsmt,
    author = {Frédéric Besson and Pierre-Emmanuel Cornilleau and David Pichardie},
    title = {Modular SMT Proofs for Fast Reflexive Checking inside Coq},
    year = {2011}
}

### Abstract

We present a new methodology for exchanging unsatisfiability proofs between an untrusted SMT solver and a sceptical proof assistant with computation capabilities like Coq. We advocate modular SMT proofs that separate boolean reasoning and theory reasoning; and structure the communication between theories using the Nelson-Oppen combination scheme. We present the design and implementation of a Coq reflexive verifier that is modular and allows for fine-tuned theory-specific verifiers. The current verifier is able to verify proofs for quantifier-free formulae mixing linear arithmetic and uninterpreted functions. Our proof generation scheme benefits from the efficiency of state-of-the-art SMT solvers while being independent from a specific SMT solver proof format. Our only requirement for the SMT solver is the ability to extract unsat cores and generate boolean models. In practice, unsat cores are relatively small and their proof is obtained with a modest overhead by our proof-producing prover. We present experiments assessing the feasibility of the approach for benchmarks obtained from the SMT competition.

### Citations

1459 | Theory of linear and integer programming - Schrijver - 1986
Citation Context: ...eory conjunctions. Each part of the NO proof is theory-specific: each theory must justify either the equalities exchanged or the contradiction found. A LRA proof of a = b is made of two Farkas proofs [27] of b − a ≥ 0 and a − b ≥ 0. Each inequality is obtained by a linear combination of hypotheses that preserves signs. For example, the previous certificate cert LRA 1 explains that hypothesis (7) gives...

448 | The omega test: a fast and practical integer programming algorithm for dependence analysis - Pugh - 1993
Citation Context: ... new equalities between variables. In this case again, the two expected Farkas certificates are read from the current tableau, up to trivial manipulations. For LIA, we use a variant of the Omega test [26]. The Omega test lacks a way to derive equalities but the number of shared variables is sufficiently small to allow an exhaustive search. Moreover, an effective heuristics is to pick as potential equa...

417 | Z3: An efficient SMT solver - Moura, Bjørner - 2008
Citation Context: ...th [⋆ This work was partly funded by the ANR DeCert, FNRAE ASCERT and Région Bretagne CertLogS projects.] the advances in SAT-solving techniques, has greatly influenced the design of modern SMT solvers [11, 4, 8]. Nowadays, these solvers are able to discharge enormous formulae in a few milliseconds. A proof assistant like Coq would gain a lot in usability with only a small fraction of this speed and automatio...

392 | Simplification by cooperating decision procedures - Nelson, Oppen - 1982
Citation Context: ...t, efficient algorithms exist to combine decision procedures for arithmetic and equational reasoning. During the late ’70s, Nelson and Oppen have proposed a cooperation schema for decision procedures [23]. This seminal work, joint with [⋆ This work was partly funded by the ANR DeCert, FNRAE ASCERT and Région Bretagne CertLogS projects.] the advances in SAT-solving techniques, has greatly influenced the ...

352 | Simplify: A theorem prover for program checking - Detlefs, Nelson, et al. - 2003
Citation Context: ... a literal is a linear constraint c0 + c1·x1 + ··· + cn·xn ✶ 0 where (ci)i=0..n ∈ Q is a sequence of rational coefficients, (xi)i=1..n is a sequence of real unknowns and ✶ ∈ {=, >, ≥}. Following Simplify [14], disequality is managed on the UF side. Therefore, a formula is a conjunction of positive literals. From input formula to unsat multi-theory conjunctions. The lazy SMT solver approach [13] abstracts ...

226 | Formal certification of a compiler back-end or: programming a compiler with a proof assistant - Leroy - 2006

138 | Compiling with Proofs - Necula - 1998
Citation Context: ...omemade optimised versions of a few Coq tactics. 7 Related Work The area of proof-generating decision procedure has been pioneered by Boulton for the HOL system [7] and Necula for Proof Carrying Code [21]. In the context of the latter, the Touchstone theorem prover [22] generates LF proof terms. In our approach, each decision procedure comes with its own certificate language, and a reflexive checker. ...

73 | Lazy Theorem Proving for Bounded Model Checking over Infinite Domains - Moura, Rueß, et al. - 2002
Citation Context: ...g Simplify [14], disequality is managed on the UF side. Therefore, a formula is a conjunction of positive literals. From input formula to unsat multi-theory conjunctions. The lazy SMT solver approach [13] abstracts each atom of the unsatisfiable input formula by a distinct propositional variable, uses a SAT solver to find a propositional model of the formula, and then checks that model against the the...

69 | A compiled implementation of strong reduction - Grégoire, Leroy - 2002
Citation Context: ...han a genuine proof term. This last point is especially useful when a reasoning takes more time to explain than the time to directly perform it in the Coq engine. Recall that the Coq reduction engine [16] allows the evaluation of Coq programs with the same efficiency as OCaml programs. This design allows us to find a good trade-off between proof time checking and proof size. The mainstream approach fo...

66 | A nullstellensatz and a positivstellensatz in semialgebraic geometry - Stengle - 1974
Citation Context: ...maintaining and enhancing reflexive tactics for real arithmetic (psatz) and linear integer arithmetic (lia). Those tactics, which are now part of the Coq code-base, are based on the Positivstellensatz [28], a rich proof system which is complete for non-linear (real) polynomial arithmetic. Those reflexive verifiers are at the core of our current theory verifiers for linear real arithmetic (LRA) and line...

42 | Integrating Gandalf and HOL - Hurd - 1999
Citation Context: ...) in Coq. Several approaches have been proposed to integrate new decision procedures in sceptical proof assistants for various theories. First-order provers have been integrated in Isabelle [25], HOL [18] or Coq [9]. These works rely generally on resolution proof trees. Similar proof formats have been considered to integrate Boolean satisfiability checking in a proof assistant. Armand et al. [2] have ...

35 | The SMT-LIB standard: Version 2.0 - Barrett, Stump, et al. - 2010
Citation Context: .... (3)Generation of SMT proofs. To generate our SMT proof format, we implement the simple SMT loop discussed earlier using SMT-LIB 2 scripts to interface with off-the-shelf SMT solvers. The SMT-LIB 2 [3] exposes a rich API for SMT solvers that makes this approach feasible. More precisely, SMT-LIB 2 defines scripts that are sequence of commands to be run by SMT solvers. The asserts f command adds the ...

30 | Proof-producing congruence closure - Nieuwenhuis, Oliveras - 2005
Citation Context: ... list cert of commands. The certificate UF False(i, cert) deduces a contradiction if Γ(i) ↦ x ≠ y and the certificate UF Eq(cert) deduces the equality x = y. Certificate generation follows closely [24] where the certifying prover maintains a proof forest that keeps track of the reasons why two nodes are merged. Besides the usual merge and find operations, the data structure has a new operator expla...

25 | Proving equalities in a commutative ring done right in Coq - Grégoire, Mahboubi - 2005
Citation Context: ...nguage than Coq, that builds a Coq proof term for each formula it can prove. The main limit of this approach is the size of the exchanged proof term, especially when many rewriting steps are required [17]. Second, we can verify the prover by directly programming it in Coq and mechanically proving its soundness. Each formula is then proved by running the prover inside Coq. Such a reflexive approach [17...

23 | Efficiency in a Fully-Expansive Theorem Prover - Boulton - 1993
Citation Context: ... enough for this application, and use homemade optimised versions of a few Coq tactics. 7 Related Work The area of proof-generating decision procedure has been pioneered by Boulton for the HOL system [7] and Necula for Proof Carrying Code [21]. In the context of the latter, the Touchstone theorem prover [22] generates LF proof terms. In our approach, each decision procedure comes with its own certifi...

22 | Cooperating theorem provers: A case study combining HOL-Light and CVC Lite - McLaughlin, Barrett, et al.
Citation Context: ...f Coq programs with the same efficiency as OCaml programs. This design allows us to find a good trade-off between proof time checking and proof size. The mainstream approach for validating SMT proofs [15, 20, 6] requires a tight integration with an explanation-producing SMT solver. The drawbacks are that explanations may contain too much or too little details and are solver specific. Despite on-going efforts...

22 | Fast LCF-style proof reconstruction for Z3 - Böhme, Weber - 2010

21 | A modular integration of SAT/SMT solvers to Coq through proof witnesses - Armand, Faure, et al. - 2011
Citation Context: ...n of a simplex prover for linear arithmetic and a congruence closure engine for uninterpreted functions. To discharge SAT proofs, we use the reflexive boolean SAT verifier developed by Armand et al. [2, 1]. We only consider ground formula and therefore quantifier instantiation is not in the scope of this paper. Our Coq development, our proof-producing prover and the benchmarks of Section 6 are availabl...

18 | Extending Coq with Imperative Features and Its Application to SAT Verification - Armand, Grégoire, et al.
Citation Context: ...n of a simplex prover for linear arithmetic and a congruence closure engine for uninterpreted functions. To discharge SAT proofs, we use the reflexive boolean SAT verifier developed by Armand et al. [2, 1]. We only consider ground formula and therefore quantifier instantiation is not in the scope of this paper. Our Coq development, our proof-producing prover and the benchmarks of Section 6 are availabl...

16 | veriT: an open, trustable and efficient SMT-solver - Bouton, Oliveira, et al. - 2009
Citation Context: ...th [⋆ This work was partly funded by the ANR DeCert, FNRAE ASCERT and Région Bretagne CertLogS projects.] the advances in SAT-solving techniques, has greatly influenced the design of modern SMT solvers [11, 4, 8]. Nowadays, these solvers are able to discharge enormous formulae in a few milliseconds. A proof assistant like Coq would gain a lot in usability with only a small fraction of this speed and automatio...

16 | Proof generation in the Touchstone theorem prover - Necula, Lee - 2000
Citation Context: ...e area of proof-generating decision procedure has been pioneered by Boulton for the HOL system [7] and Necula for Proof Carrying Code [21]. In the context of the latter, the Touchstone theorem prover [22] generates LF proof terms. In our approach, each decision procedure comes with its own certificate language, and a reflexive checker. It allows us to choose the level of details of the certificates wi...

16 | Source-level proof reconstruction for interactive theorem proving - Paulson, Susanto - 2007
Citation Context: ...executable) in Coq. Several approaches have been proposed to integrate new decision procedures in sceptical proof assistants for various theories. First-order provers have been integrated in Isabelle [25], HOL [18] or Coq [9]. These works rely generally on resolution proof trees. Similar proof formats have been considered to integrate Boolean satisfiability checking in a proof assistant. Armand et al....

14 | Fast reflexive arithmetic tactics the linear case and beyond - Besson
Citation Context: ...hmetic and describe its certifying prover. Literals are of the form e ✶ 0 with e a linear expression manipulated in (Horner) normal form and ✶ ∈ {≥, >, =}. Certificate language. Since our initial work [5], we are maintaining and enhancing reflexive tactics for real arithmetic (psatz) and linear integer arithmetic (lia). Those tactics, which are now part of the Coq code-base, are based on the Positivst...

14 | Justifying equality - Moura, Rueß, et al. - 2005
Citation Context: ...s with its own certificate language, and a reflexive checker. It allows us to choose the level of details of the certificates without compromising correctness. Several authors have examined UF proofs [12, 24]. They extend a pre-existing decision procedure with proof-producing mechanism without degrading its complexity and achieving a certain level of irredundancy. However, their notion of proof is reduced ...

12 | Efficiently checking propositional refutations in HOL theorem provers - Weber, Amjad - 2007
Citation Context: ...tended the Coq programming language with machine integers and persistent array and have used these new features to directly program in Coq a reflexive SAT checker. On a similar topic, Weber and Amjad [29] have integrated a state-of-the-art SAT solver in Isabelle/HOL, HOL4 and HOL Light using translation from SAT resolution proofs to LCF-style proof objects. Previous work has been devoted to reconstruct...

9 | Reflecting proofs in first-order logic with equality - Contejean, Corbineau - 2005
Citation Context: ...veral approaches have been proposed to integrate new decision procedures in sceptical proof assistants for various theories. First-order provers have been integrated in Isabelle [25], HOL [18] or Coq [9]. These works rely generally on resolution proof trees. Similar proof formats have been considered to integrate Boolean satisfiability checking in a proof assistant. Armand et al. [2] have extended th...

1 | Expressiveness+automation+soundness: Towards combining SMT solvers and interactive proof assistants - Fontaine, Marion, et al. - 2006
Citation Context: ...f Coq programs with the same efficiency as OCaml programs. This design allows us to find a good trade-off between proof time checking and proof size. The mainstream approach for validating SMT proofs [15, 20, 6] requires a tight integration with an explanation-producing SMT solver. The drawbacks are that explanations may contain too much or too little details and are solver specific. Despite on-going efforts...