## Fast Reflexive Arithmetic Tactics: the linear case and beyond (2006)

### Download Links

- [www.irisa.fr]
- [people.irisa.fr]
- [people.rennes.inria.fr]
- DBLP

Venue: Types for Proofs and Programs (TYPES’06), Lecture Notes in Computer Science

Citations: 15 (5 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Besson06fastreflexive,
  author    = {Frédéric Besson},
  title     = {Fast Reflexive Arithmetic Tactics: the linear case and beyond},
  booktitle = {Types for Proofs and Programs (TYPES'06), Lecture Notes in Computer Science},
  year      = {2006},
  pages     = {48--62},
  publisher = {Springer-Verlag}
}
```

### Abstract

When goals fall in decidable logic fragments, users of proof-assistants expect automation. However, despite the availability of decision procedures, automation does not come for free. The reason is that decision procedures do not generate proof terms. In this paper, we show how to design efficient and lightweight reflexive tactics for a hierarchy of quantifier-free fragments of integer arithmetic. The tactics can cope with a wide class of linear and non-linear goals. For each logic fragment, off-the-shelf algorithms generate certificates of infeasibility that are then validated by straightforward reflexive checkers proved correct inside the proof-assistant. This approach has been prototyped using the Coq proof-assistant. Preliminary experiments are promising, as the tactics run fast and produce small proof terms.

### Citations

1497 | Theory of Linear and Integer Programming
- Schrijver
- 1986

Citation Context: ...i = $p_i \times \mathrm{lcm}/q_i$ and $\mathrm{lcm}$ is the least common multiple of the $q_i$. Worst-case estimates of the size of the certificates are inherited from the theory of integer and linear programming (see for instance [23]). Theorem 2 (from [23], Corollary 10.2a): the bit size of the rational solution of a linear program is at most $4d^2(d+1)(\sigma+1)$, where $d$ is the dimension of the problem and $\sigma$ is the number of bits o...

1119 | Proof-carrying code
- Necula
- 1997

Citation Context: ...ntaine et al. [11] are using a similar approach to solve quantifier-free formulae with uninterpreted symbols by rerunning proof traces generated by the Harvey SMT prover [10]. In Proof Carrying Code [18], a piece of code is downloaded packed with a checkable certificate – a proof attesting that it is not malicious. Certificate generation is done ahead-of-time while certificate checking is done at dow...

799 | Positive-Definite Programming
- Vandenberghe, Boyd
- 1994

Citation Context: ...certificate amounts to finding polynomials (of known degree) that are sums of squares. This is a problem that can be solved efficiently (in polynomial time) by recasting it as a semidefinite program [27]. The key insight is that a polynomial $q$ is a sum of squares if and only if it can be written as $q = \begin{pmatrix} m_1 \\ \vdots \\ m_n \end{pmatrix}^{t} \cdot Q \cdot \begin{pmatrix} m_1 \\ \vdots \\ m_n \end{pmatrix}$ for some positive semidefinite matrix $Q$ and some vector $(m_1$...

666 | A new polynomial-time algorithm for linear programming
- Karmarkar
- 1984

Citation Context: ...imises the certificate. To get small certificates, we propose to minimise the sum of the elements of the solution vector. Linear programs can be solved in polynomial time using interior point methods [17]. The Simplex method – despite its worst-case exponential complexity – is nonetheless a practical competitive choice. Linear programs are efficiently solved over the rationals. Nonetheless, an integer...

572 | A decision method for elementary algebra and geometry
- Tarski
- 1951

Citation Context: ...lication. $e \in \mathit{Expr} ::= x \mid c \mid e_1 + e_2 \mid e_1 \times e_2$. As it reduces to solving Diophantine equations, the logical fragment we consider is not decidable over the integers. However, it is a result by Tarski [26] that the first-order logic $\langle \mathbb{R}, +, *, 0 \rangle$ is decidable. In the previous section, by lifting our problem over the rationals, we traded incompleteness for efficiency. Here, we trade incompleteness for de...

487 | Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions
- Bertot, Castéran
- 2004

Citation Context: ...on 5 compares to related work and concludes. 2 Principle of reflection proofs. Reflection proofs are a feature of proof-assistants embedding a programming language. (See Chapter 16 of the Coq’Art book [2] for a presentation of reflection proofs in Coq.) In essence, this technique reduces a proof to a computation. Degenerate examples of this proof pattern are equality proofs of ground, i.e., varia...

461 | The Omega test: a fast and practical integer programming algorithm for dependence analysis
- Pugh
- 1992

Citation Context: ...ive of this trend. The tactic is a decision procedure for quantifier-free linear integer arithmetic. It generates Coq proof terms from traces obtained from an instrumented version of the Omega test [22]. Another approach, implemented by the Coq ring tactic [13], is to prove correct the decision procedure inside the proof-assistant and use computational reflection. In this case, both the computation...

344 | On a routing problem
- Bellman
- 1958

Citation Context: ...$- y + c \ge 0$. Deciding the infeasibility of conjunctions of such constraints amounts to finding a cycle of negative weight in a graph such that an edge $x \xrightarrow{c} y$ corresponds to a constraint $x - y + c \ge 0$ [1, 21]¹. Theorem 1: $\exists \pi \in \mathit{Path},\ \big(\mathit{isCycle}(\pi) \wedge \mathit{weight}(\pi) < 0 \wedge \pi \subseteq \bigcup_{i=1}^{k} \{x_{i1} \xrightarrow{c_i} x_{i2}\}\big) \Rightarrow \forall x_1, \dots, x_n,\ \neg\big(\bigwedge_{i=1}^{k} x_{i1} - x_{i2} + c_i \ge 0\big)$. Proof. Ad absurdum, we suppose that we have $\bigwedge_{i=1}^{k} x_{i1} - x_{i2} + c_i \ge 0$...

232 | Semidefinite programming relaxations for semialgebraic problems
- Parrilo

Citation Context: ...t can be decomposed into a finite sum of products of the following form: $\mathrm{cert} \in \sum_{s \in 2^{P}} q_s \times \prod_{p \in s} p$, where $q_s = p_1^2 + \dots + p_i^2$ is a sum of squares polynomial. As pointed out by Parrilo [20], a layered certificate search can be carried out by increasing the formal degree of the certificate. For a given degree, finding a certificate amounts to finding polynomials (of known degree) that ar...

105 | Validating SAT solvers using an independent resolution-based checker: Practical implementations and other applications
- Zhang, Malik
- 2003

Citation Context: ...s decision procedures get more and more sophisticated and fine-tuned, the need for trustworthy checkers has surged. For instance, the state-of-the-art zChaff SAT solver is now generating proof traces [29]. When proof traces exist, experiments show that they can be efficiently rerun inside a proof-assistant. Using Isabelle/HOL, Weber [28] reruns zChaff traces to solve problems that the Isabelle/HOL decisio...

72 | Deciding Linear Inequalities by Computing Loop Residues
- Shostak
- 1981

Citation Context: ...2. verify that expressions form a cycle; 3. compute the total weight of the cycle and check its negativity. This can be implemented in time linear in the size of the certificate. ¹ As shown by Shostak [24], this graph-based approach generalises to constraints of the form $a \times x - b \times y + c \ge 0$. 3.2 Linear constraints. The linear fragment of arithmetic might be the most widely used. It consists of formul...

69 | A nullstellensatz and positivstellensatz in semialgebraic geometry
- Stengle
- 1994

Citation Context: ...er the rationals, we traded incompleteness for efficiency. Here, we trade incompleteness for decidability. In 1974, Stengle generalised Hilbert’s Nullstellensatz to systems of polynomial inequalities [25]. As a matter of fact, this provides a Positivstellensatz, i.e., a theorem of positivity, which states a necessary and sufficient condition for the existence of a solution to systems of polynomial ine...

68 | A compiled implementation of strong reduction
- Grégoire, Leroy

Citation Context: ...ire et al. [14] check Pocklington certificates to get efficient reflexive Coq proofs that a number is prime. In both cases, the checkers benefit from the performance of the novel Coq virtual machine [12]. For Isabelle/HOL, recent works attest the efficiency of reflexive approaches. Chaieb and Nipkow have proved correct Cooper’s decision procedure for Presburger arithmetic [7]. To obtain fast reflexi...

47 | Applying light-weight theorem proving to debugging and verifying pointer programs
- Déharbe, Ranise
- 2003

Citation Context: ...edure could not cope with. Fontaine et al. [11] are using a similar approach to solve quantifier-free formulae with uninterpreted symbols by rerunning proof traces generated by the Harvey SMT prover [10]. In Proof Carrying Code [18], a piece of code is downloaded packed with a checkable certificate – a proof attesting that it is not malicious. Certificate generation is done ahead-of-time while certif...

44 | Extracting a data flow analyser in constructive logic
- Cachera, Jensen, et al.
- 2004

Citation Context: ...te generation is done ahead-of-time while certificate checking is done at download time. Previous work has shown how to bootstrap a PCC infrastructure using a general-purpose proof-assistant like Coq [6, 3, 4]. In this context, the triples (certificate, checker, prover) defined here could be used to efficiently check arithmetic verification conditions arising from the analysis of programs. Acknowledgements...

39 | Two easy theories whose combination is hard
- Pratt
- 1977

Citation Context: ...$- y + c \ge 0$. Deciding the infeasibility of conjunctions of such constraints amounts to finding a cycle of negative weight in a graph such that an edge $x \xrightarrow{c} y$ corresponds to a constraint $x - y + c \ge 0$ [1, 21]¹. Theorem 1: $\exists \pi \in \mathit{Path},\ \big(\mathit{isCycle}(\pi) \wedge \mathit{weight}(\pi) < 0 \wedge \pi \subseteq \bigcup_{i=1}^{k} \{x_{i1} \xrightarrow{c_i} x_{i2}\}\big) \Rightarrow \forall x_1, \dots, x_n,\ \neg\big(\bigwedge_{i=1}^{k} x_{i1} - x_{i2} + c_i \ge 0\big)$. Proof. Ad absurdum, we suppose that we have $\bigwedge_{i=1}^{k} x_{i1} - x_{i2} + c_i \ge 0$...

29 | Proof-carrying code from certified abstract interpretation and fixpoint compression, Theor
- Besson, Jensen, et al.

Citation Context: ...te generation is done ahead-of-time while certificate checking is done at download time. Previous work has shown how to bootstrap a PCC infrastructure using a general-purpose proof-assistant like Coq [6, 3, 4]. In this context, the triples (certificate, checker, prover) defined here could be used to efficiently check arithmetic verification conditions arising from the analysis of programs. Acknowledgements...

28 | Proving equalities in a commutative ring done right in Coq
- Grégoire, Mahboubi
- 2005

Citation Context: ...uantifier-free linear integer arithmetic. It generates Coq proof terms from traces obtained from an instrumented version of the Omega test [22]. Another approach, implemented by the Coq ring tactic [13], is to prove correct the decision procedure inside the proof-assistant and use computational reflection. In this case, both the computational complexity (footnote ⋆: This work was partly funded by the IST-FET p...)

28 | A skeptic’s approach to combining HOL and Maple
- Harrison, Théry
- 1998

Citation Context: ...5 MOBIUS project. ...of the decision procedure and the complexity of proving it correct are limiting factors. In this paper, we adhere to the so-called sceptical approach advocated by Harrison and Théry [16]. The key insight is to separate proof-search from proof-checking. Proof search is delegated to fine-tuned external tools which produce certificates to be checked by the proof-assistant. In this paper,...

23 | Expressiveness + automation + soundness: Towards combining SMT solvers and interactive proof assistants
- Fontaine, Marion, et al.
- 2006

Citation Context: ...hey can be efficiently rerun inside a proof-assistant. Using Isabelle/HOL, Weber [28] reruns zChaff traces to solve problems that the Isabelle/HOL decision procedure could not cope with. Fontaine et al. [11] are using a similar approach to solve quantifier-free formulae with uninterpreted symbols by rerunning proof traces generated by the Harvey SMT prover [10]. In Proof Carrying Code [18], a piece of co...

14 | A computational approach to Pocklington certificates in type theory
- Grégoire, Théry, et al.
- 2006

Citation Context: ...ertificate generators are off-the-shelf decision procedures (or algorithms) and reflexive certificate checkers are proved correct inside the proof-assistant. Using the same approach, Grégoire et al. [14] check Pocklington certificates to get efficient reflexive Coq proofs that a number is prime. In both cases, the checkers benefit from the performance of the novel Coq virtual machine [12]. For Isabel...

11 | Verifying and reflecting quantifier elimination for Presburger arithmetic
- Chaieb, Nipkow
- 2005

Citation Context: ...el Coq virtual machine [12]. For Isabelle/HOL, recent works attest the efficiency of reflexive approaches. Chaieb and Nipkow have proved correct Cooper’s decision procedure for Presburger arithmetic [7]. To obtain fast reflexive proofs, the HOL program is compiled into ML code and run inside the HOL kernel. Most related to ours is the work by Obua [19], which uses a reflexive checker to verify ce...

9 | HOL Light Tutorial (for version 2.20)
- Harrison
- 2007

Citation Context: ...inear goals, our certificates are produced by a handcrafted linear solver. For non-linear goals, we are using the full-fledged semidefinite programming solver Csdp [5] through its HOL Light interface [15]. Anyhow, whatever their origin, certificates are translated into Positivstellensatz certificates. 4.5 Experiments. We have assessed the efficiency of micromega with respect to the existing Coq tactic...

9 | Proving bounds for real linear programs in Isabelle/HOL
- Obua
- 2005

Citation Context: ...’s decision procedure for Presburger arithmetic [7]. To obtain fast reflexive proofs, the HOL program is compiled into ML code and run inside the HOL kernel. Most related to ours is the work by Obua [19], which uses a reflexive checker to verify certificates generated by the Simplex. Our work extends this approach by considering more general certificates, namely Positivstellensatz certificates. ch...

6 | Using a SAT solver as a fast decision procedure for propositional logic in an LCF-style theorem prover
- Weber

Citation Context: ...tate-of-the-art zChaff SAT solver is now generating proof traces [29]. When proof traces exist, experiments show that they can be efficiently rerun inside a proof-assistant. Using Isabelle/HOL, Weber [28] reruns zChaff traces to solve problems that the Isabelle/HOL decision procedure could not cope with. Fontaine et al. [11] are using a similar approach to solve quantifier-free formulae with uninterprete...

5 | A PCC architecture based on certified abstract interpretation
- Besson, Jensen, et al.
- 2006

Citation Context: ...te generation is done ahead-of-time while certificate checking is done at download time. Previous work has shown how to bootstrap a PCC infrastructure using a general-purpose proof-assistant like Coq [6, 3, 4]. In this context, the triples (certificate, checker, prover) defined here could be used to efficiently check arithmetic verification conditions arising from the analysis of programs. Acknowledgements...

5 | Une procédure de décision réflexive pour un fragment de l’arithmétique de Presburger
- Crégut
- 2004

Citation Context: ...procedures can be understood as certificates. In this case, reflexive checkers are trace validators which verify the logical soundness of the proof steps recorded in the trace. The Coq romega tactic [8] is representative of this trace-based approach: traces generated by an instrumented version of the Omega test [22] act as certificates that are validated by a reflexive checker. The drawback of this m...

3 | Csdp 2.3 user’s guide
- Csdp
- 1999

Citation Context: ...sitivstellensatz certificates. For linear goals, our certificates are produced by a handcrafted linear solver. For non-linear goals, we are using the full-fledged semidefinite programming solver Csdp [5] through its HOL Light interface [15]. Anyhow, whatever their origin, certificates are translated into Positivstellensatz certificates. 4.5 Experiments. We have assessed the efficiency of micromega wit...