
SMTCoq, a plug-in for the trustworthy integration of SAT/SMT solvers into Coq

Cesare Tinelli

Big Proof Programme, July 16, 2017

Credits

Joint work with

Burak Ekici, Alain Mebsout, Chantal Keller, Guy Katz, Andrew Reynolds, and Clark Barrett

Based on earlier work by

Chantal Keller with Michaël Armand, Germain Faure, Benjamin Grégoire, Laurent Théry, and Benjamin Werner


Main Goal

Increase level of automation in Coq [BBC+00]

by

• bringing in the power of SMT solvers
• while maintaining a high level of trustworthiness

Side effect: Stand-alone certified Coq checker for SMT solver proofs


Realization of the goal

SMTCoq [AFG+11]: A Coq plugin with

• a converter from Coq goals to SMT formulas

• a certified checker for SMT proof certificates

• a set of tactics putting everything together


Proof assistants vs SMT solvers

(Diagram: proof assistants and SMT solvers positioned relative to three axes, Expressiveness, Soundness, and Automation.)

Effects of SMTCoq

(Diagram: the same Expressiveness / Soundness / Automation picture, annotated with "+ SMTCoq".)

SMTCoq

SMTCoq: a certified checker for SMT

Idea

• Dispatch Coq goal to proof-producing SMT solvers

• Get proof certificate

• Check certificate

• Construct Coq theorem (by reflection)

• Benefit


SMTCoq as a stand-alone checker

(Diagram.) An SMT-LIB 2 problem is read by the SMT-LIB 2 parser into a Formula. The Formula goes through the Preprocessor to the SMT solver, whose Proof witness becomes a Certificate; the Coq checker takes the Formula and the Certificate and answers Yes or No.

Legend:

• Certified: Coq checker
• Trusted!: SMT-LIB 2 parser
• Untrusted: Preprocessor, SMT solver

SMTCoq from within Coq

(Diagram.) Inside Coq, a Coq goal is reified into a Formula, which is sent through the Preprocessor to the SMT solver; the solver's Proof witness becomes a Certificate, and the Coq checker together with its Soundness lemma turns a successful check into a Theorem (Qed.). On a negative answer, a counter-example is reported instead, e.g. x ≜ 1, f ≜ λ a ⇒ a+1.

Legend: Certified (Coq checker + Soundness), Trusted!, Untrusted, as in the stand-alone picture.

Certified checker

(Diagram.) The Coq checker takes a formula and a certificate and answers yes or no. It is made of a Main checker and a set of Small checkers for:

• CNF
• Resolution chains
• EUF
• LIA
• Bit-vectors
• Functional arrays

Checker soundness [Kel13]

Signature of checker

checker : formula → certificate → B

formula = (deep) embedding in Coq of SMT formulas
certificate = SMTCoq's certificate format

Interpretation

Function from embedded SMT formulas to Coq terms: ⟦ _ ⟧ : formula → B

Soundness lemma

Lemma checker_sound : ∀ f c, checker f c → ⟦f⟧

Supported solvers/theories [MFM04, BdODF09, BCD+11]

Theory                     | zChaff (SAT) | veriT (SMT) | CVC4 (SMT)
Propositional logic        | ✓            | ✓           | ✓
EUF                        |              | ✓           | ✓
Linear integer arithmetic  |              | ✓           | ✓
Fixed-width bit-vectors    |              |             | ✓
Functional arrays          |              |             | ✓

SMTCoq scope: universal goals over the combination of these theories in classical FOL

Adding support for CVC4

CVC4

• Widely used, award-winning SMT solver [BCD+11]

• Jointly developed at Stanford and Iowa

• Multiple built-in theories: uninterpreted functions, integer and real arithmetic, arrays, bit-vectors, strings, algebraic datatypes, finite sets and relations, …

• Large system (250kloc C++)

• Proof producing (detailed proofs in LFSC format)


LFSC

Logical Framework with Side Conditions [SOR+13]

• Based on Edinburgh LF [HHP93] + computational side conditions

• Extensible logic/proof system

• Comes with its own proof checker generator

• Nested proofs / trees

More expressive than SMTCoq’s certificates


From Coq to CVC4 and back: An example

Coq goal:

Goal ∀ (a b c d: B), (a ∧ b) → (c ∨ d) → (c ∨ a ∧ b ∧ d)

cvc4.


Corresponding SMT-LIB 2 [BST10] script:

(declare-fun a () Bool)
(declare-fun b () Bool)
(declare-fun c () Bool)
(declare-fun d () Bool)
(assert (and a b))
(assert (or c d))
(assert (not (or c (and a (and b d)))))
(check-sat)

(Nested) LFSC proof certificate from CVC4:

(check
;; Declarations
(% d (term Bool)
(% c (term Bool)
(% b (term Bool)
(% a (term Bool)
(% A3 (th_holds true)
(% A2 (th_holds (not (or (p_app c) (and (p_app a) (and (p_app b) (p_app d))))))
(% A1 (th_holds (or (p_app c) (p_app d)))
(% A0 (th_holds (and (p_app a) (p_app b)))
(: (holds cln)

;; Printing the global let map
(@ let1 (p_app a)
(@ let2 (p_app b)
(@ let3 (p_app c)
(@ let4 (p_app d)

;; In the preprocessor we trust
(th_let_pf _ (trust_f (iff (not (or let3 (and let1 (and let2 let4)))) (not (or let3 (and let1 (and let2 let4 )))))) (\ .PA229

;; Printing mapping from preprocessed assertions into atoms
(decl_atom let1 (\ .v2 (\ .a2
(decl_atom let2 (\ .v3 (\ .a3
(decl_atom let3 (\ .v4 (\ .a4
(decl_atom let4 (\ .v5 (\ .a5
(satlem _ _ (ast _ _ _ .a5 (\ .l11 (ast _ _ _ .a3 (\ .l7 (ast _ _ _ .a2 (\ .l5 (clausify_false (contra _ .l11 (or_elim_1 _ _ (not_not_intro _ .l7) (not_and_elim _ _ (or_elim_1 _ _ (not_not_intro _ .l5) (not_and_elim _ _ (and_elim_2 _ _ (not_or_elim _ _ (or_elim_1 _ _ (not_not_intro _ A2) (iff_elim_1 _ _ .PA229)))))))))))))))) (\ .pb8
(satlem _ _ (asf _ _ _ .a5 (\ .l10 (asf _ _ _ .a4 (\ .l8 (clausify_false (contra _ (or_elim_1 _ _ .l8 A1) .l10)))))) (\ .pb6
(satlem _ _ (ast _ _ _ .a4 (\ .l9 (clausify_false (contra _ .l9 (and_elim_1 _ _ (not_or_elim _ _ (or_elim_1 _ _ (not_not_intro _ A2) (iff_elim_1 _ _ .PA229)))))))) (\ .pb7
(satlem _ _ (asf _ _ _ .a3 (\ .l6 (clausify_false (contra _ (and_elim_2 _ _ A0) .l6)))) (\ .pb5
(satlem _ _ (asf _ _ _ .a2 (\ .l4 (clausify_false (contra _ (and_elim_1 _ _ A0) .l4)))) (\ .pb4

;; SAT proof
(satlem_simplify _ _ _ (R _ _ .pb6 .pb7 .v4) (\ .cl9
(satlem_simplify _ _ _ (Q _ _ (Q _ _ (Q _ _ .pb8 .cl9 .v5) .pb5 .v3) .pb4 .v2) (\ empty
empty))))))))))))))))))))))))))))))))))))))))))


Corresponding SMTCoq proof certificate (in veriT format [BFT11]):

1:(input ((not #1:(or c #2:(and a #3:(and b d))))))
2:(input (#4:(or c d)))
3:(input (#5:(and a b)))
4:(hole (#6:(= (not #1) (not #1))))
5:(equiv1 ((not (not #1)) (not #1)) 4)
6:(not_or ((not #2)) 1 1)
7:(not_and ((not a) (not #3)) 6)
8:(and_neg (#3 (not b) (not d)))
9:(resolution () 8 7)
10:(weaken ((not a) (not b) (not d)) 9)
11:(or (c d) 2)
12:(not_or ((not c)) 1 0)
13:(and (b) 3 1)
14:(and (a) 3 0)
15:(resolution (d) 11 12)
16:(resolution () 10 15 13 14)

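The "Resolution chains" small checker is the part of the certificate above that a reader can re-check by hand: steps 15 and 16 resolve earlier clauses left to right until the empty clause appears. The following is an added example, not SMTCoq's code: a Python checker for resolution-chain steps, run over a hand transcription of steps 10 to 16 (the non-resolution steps are taken as already-checked leaves), and over a tampered copy that it must reject.

```python
def neg(lit):
    """Complement of a literal; a literal is an (atom, polarity) pair."""
    return (lit[0], not lit[1])

def resolve(c1, c2):
    """Binary resolution on the unique complementary pair; None unless exactly one exists."""
    pivots = [l for l in c1 if neg(l) in c2]
    if len(pivots) != 1:
        return None
    p = pivots[0]
    return frozenset((c1 - {p}) | (c2 - {neg(p)}))

def resolution_chain(clauses):
    """Left-to-right chain, the shape of a `(resolution (...) 10 15 13 14)` step."""
    acc = clauses[0]
    for c in clauses[1:]:
        acc = resolve(acc, c)
        if acc is None:
            return None
    return acc

def check_certificate(steps):
    """steps: id -> ('leaf', clause) | ('resolution', [premise ids]).
    True iff every resolution step is well-formed, uses only earlier steps,
    and the last step derives the empty clause (the inputs are unsatisfiable)."""
    derived = {}
    for sid in sorted(steps):
        kind, arg = steps[sid]
        if kind == 'leaf':
            derived[sid] = arg
        elif kind == 'resolution' and arg and all(p in derived and p < sid for p in arg):
            res = resolution_chain([derived[p] for p in arg])
            if res is None:
                return False
            derived[sid] = res
        else:
            return False
    return len(derived[max(derived)]) == 0

def clause(*lits):
    """'-a' -> ('a', False), 'a' -> ('a', True); result is a frozenset of literals."""
    return frozenset((s.lstrip('-'), not s.startswith('-')) for s in lits)

# Steps 10-16 of the certificate above, transcribed by hand (constructed input).
CERT = {
    10: ('leaf', clause('-a', '-b', '-d')), 11: ('leaf', clause('c', 'd')),
    12: ('leaf', clause('-c')), 13: ('leaf', clause('b')), 14: ('leaf', clause('a')),
    15: ('resolution', [11, 12]),
    16: ('resolution', [10, 15, 13, 14]),
}
# Tampered copy: premise 14 dropped, so the chain stops at {not a} and is rejected.
BAD_CERT = {**CERT, 16: ('resolution', [10, 15, 13])}
```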

Bit-vectors and Arrays in SMTCoq

Why?

Useful theories for reasoning about programs

Bit-vectors:

• machine-level words and operations
• machine integers, floating point numbers, …
• hardware designs

Arrays:

• arrays of actual programming languages
• model memory
• other data structures


Bit-vectors

Developed Coq library formalizing fixed-width bit-vectors (with dependent types)

Parameter bitvector : N → Type.

Implementation:

Record bitvector_ (n:N) : Type ≜ { bv :> list B; wf : size bv = n }.

Judgment for bit-blasting:

bbT n x t

t is the bit-level interpretation corresponding to the term x representing a bit-vector of size n


Small checkers for bit-blasting rules (examples)

BbEq:

  bbT n x [x1; . . . ; xn]    bbT n y [y1; . . . ; yn]
  ----------------------------------------------------
  (bveq x y) ↔ (x1 ↔ y1 ∧ . . . ∧ xn ↔ yn)

Coq (program) small checker:

Definition check_bbEq p1 p2 res : clause ≜ ...

Small checker soundness:

Lemma valid_check_bbEq : ∀ ρ p1 p2 res, C.valid ρ (check_bbEq p1 p2 res).

BbAnd:

  bbT n x [x1; . . . ; xn]    bbT n y [y1; . . . ; yn]
  ----------------------------------------------------
  bbT n (bvand x y) [x1 ∧ y1; . . . ; xn ∧ yn]

Coq (program) small checker:

Definition check_bbAnd p1 p2 res : clause ≜ ...

Small checker soundness:

Lemma valid_check_bbAnd : ∀ ρ p1 p2 res, C.valid ρ (check_bbAnd p1 p2 res).


Small checkers for bit-blasting rules

Certified small checkers for bit-blasting of:

• bit-wise operators (bvand, bvor, bvxor, bvnot)
• equality
• variables
• constants
• extraction
• concatenation
• arithmetic operations (addition, negation, multiplication)
• comparison predicates (signed/unsigned)
• extensions (zero/signed)

Functional arrays with extensionality

Coq library for unbounded functional arrays (with typeclasses).

Definition farray (key elt: Type) : Type ≜ ...

Realized by (immutable) finite maps with additional constraints:

• key and element types have a total order
• element type is inhabited (providing a default value)
• map is sorted
• contains no mappings to the default value
• contains no repetitions

Constraints enable decidable (extensional) equality

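The point of the constraints is that they put every array into a normal form, so extensional equality (same value at every key) coincides with structural equality of the representation. The following is an added example, not SMTCoq's Coq library: a Python model of that representation, with int keys and elements and default 0 as constructed choices, exercising the read-over-write rules and the fact that writing the default value erases a mapping rather than storing it.

```python
from bisect import bisect_left

DEFAULT = 0  # the default element provided by the "inhabited" constraint (constructed choice)

def make(pairs=()):
    """Normal form: sorted by key, no entry mapping to DEFAULT, no duplicate keys."""
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate keys")
    return tuple(sorted((k, v) for k, v in pairs if v != DEFAULT))

def select(a, i):
    """a[ i ]: binary search in the sorted tuple; absent keys read as DEFAULT."""
    pos = bisect_left(a, (i,))
    if pos < len(a) and a[pos][0] == i:
        return a[pos][1]
    return DEFAULT

def store(a, i, v):
    """a[ i ← v ]: immutable update, result re-normalised (so v == DEFAULT drops key i)."""
    return make([(k, x) for k, x in a if k != i] + [(i, v)])

def ext_equal(a, b):
    """Extensional equality: only keys mentioned by a or b can differ, all others read DEFAULT."""
    return all(select(a, k) == select(b, k) for k, _ in a + b)

def counterexample_key(a, b):
    """Witness k with a[k] != b[k], or None (the contrapositive form of Extensionality)."""
    for k, _ in a + b:
        if select(a, k) != select(b, k):
            return k
    return None

def structural_iff_extensional(a, b):
    """The property the constraints buy: decidable equality on the representation."""
    return (a == b) == ext_equal(a, b)
```

Because `make` enforces the normal form, two arrays built by different write sequences compare equal with `==` exactly when they agree on every key.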


Small checkers for arrays

Based on these rules:

ReadOverWriteSame:
  ---------------------------
  a[ i ← v ][ i ] = v

ReadOverWriteOther:
  i ≠ j
  ---------------------------
  a[ i ← v ][ j ] = a[ j ]

Extensionality:
  ∀k. a[ k ] = b[ k ]
  ---------------------------
  a = b

or, equivalently, in contrapositive form:
  a ≠ b
  ---------------------------
  ∃k. a[ k ] ≠ b[ k ]

Demo

Conclusion

• Modular integration of SMT solvers in Coq

• Fairly efficient (based on an initial experimental evaluation): reflexive checker
  ↪→ Proof construction in Coq is mostly computational

• Supports multiple SAT/SMT solvers

• Various useful theories (e.g., for program verification)
  ↪→ First certified checker for bit-vectors and arrays

• Provides automated and semi-automated Coq tactics

Try it!

SMTCoq is open-source, with a very liberal license

Original SMTCoq downloadable from https://smtcoq.github.io/

Extended version described here available at https://github.com/LFSC/smtcoq

Ongoing and future work

1. Improve tactic support for Prop goals

2. Offer alternative realizations for bit-vectors
   • Bedrock's words
   • Native 31-bit integers of Coq (used in CompCert)

3. Support goals with quantifier alternations

4. Support conditional proofs

(For last two, CVC4 must be extended first)


Thank you


References

[AFG+11] Michaël Armand, Germain Faure, Benjamin Grégoire, Chantal Keller, Laurent Théry, and Benjamin Werner. A Modular Integration of SAT/SMT Solvers to Coq through Proof Witnesses. In Jean-Pierre Jouannaud and Zhong Shao, editors, CPP, volume 7086 of Lecture Notes in Computer Science, pages 135–150. Springer, 2011.

[BBC+00] B. Barras, S. Boutin, C. Cornes, J. Courant, J.C. Filliâtre, E. Gimenez, H. Herbelin, G. Huet, C. Muñoz, C. Murthy, et al. The Coq proof assistant: reference manual. Technical report, INRIA, 2000.

[BCD+11] Clark Barrett, Christopher Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. CVC4. In Proc. Computer Aided Verification (CAV), pages 171–177, 2011.

[BdODF09] T. Bouton, D.C.B. de Oliveira, D. Déharbe, and P. Fontaine. veriT: An Open, Trustable and Efficient SMT-Solver. In Proc. 22nd Int. Conf. on Automated Deduction (CADE), pages 151–156, 2009.

[BFT11] F. Besson, P. Fontaine, and L. Théry. A Flexible Proof Format for SMT: a Proposal. In Proc. 1st Int. Workshop on Proof eXchange for Theorem Proving (PxTP), pages 15–26, 2011.

[BST10] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB Standard: Version 2.0. In Proc. 8th Int. Workshop on Satisfiability Modulo Theories (SMT), page 14, 2010.

[HHP93] Robert Harper, Furio Honsell, and Gordon Plotkin. A Framework for Defining Logics. J. ACM, 40(1):143–184, 1993.

[Kel13] C. Keller. A Matter of Trust: Skeptical Communication Between Coq and External Provers. PhD thesis, École Polytechnique, June 2013.

[MFM04] Yogesh Mahajan, Zhaohui Fu, and Sharad Malik. Zchaff2004: An Efficient SAT Solver. In Proc. 7th Int. Conf. on Theory and Applications of Satisfiability Testing (SAT), pages 360–375, 2004.

[SOR+13] Aaron Stump, Duckki Oe, Andrew Reynolds, Liana Hadarean, and Cesare Tinelli. SMT Proof Checking Using a Logical Framework. Formal Methods in System Design, 41(1):91–118, February 2013.