smtcoq: skeptical cooperation between sat/smt solvers and...
TRANSCRIPT
SMTCoq: skeptical cooperation between SAT/SMT solvers and Coq
Michaël Armand, Germain Faure, Benjamin Grégoire, Chantal Keller, Laurent Théry, Benjamin Werner
INRIA – École Polytechnique
March 30th, 2013
Sections: Focus on certificates · Focus on the Coq checker · Coq tactics · Related works · Conclusion
SMTCoq: skeptical cooperation between SAT/SMT solvers and Coq, Chantal Keller, 1 / 30
Motivation (1/2)

COQ  ⇐ automation ⇐  AUTOMATIC THEOREM PROVER
COQ  ⇒ safety ⇒  AUTOMATIC THEOREM PROVER

Automatic theorem provers bring automation to Coq; Coq, in return, brings safety (checked proofs) to the results of automatic theorem provers.
Motivation (2/2)

Critical problem ──→ SMT solver ──→ yes / no
                         │
                         └──→ proof witness ──→ Coq checker ──→ yes / no

The solver's answer is not taken on trust: the solver also emits a proof witness, and only the Coq checker's verdict on that witness is believed.
Architecture of SMTCoq

SMT-LIB2 file ──(parser)──→ input ──────────────┐
                                                 ├──→ Coq checker ──→ yes / no
SMT proof witness ──(parser + preprocessor)──→ certificate ─┘

Can be used:
  to certify SMT results
  as Coq tactics
  in larger developments (eg. a DP, i.e. a decision procedure, built on bit-blasting)
Outline
1 Focus on certificates
2 Focus on the Coq checker
3 Coq tactics
4 Related works
5 Conclusion
SAT
SAT case
Decide propositional satisfiability of sets of clauses, e.g.:
  x ∨ y    x ∨ y ∨ z    x ∨ z    z
Certificate:
  If satisfiable: an assignment of the variables to ⊤ or ⊥
  If unsatisfiable: a proof by resolution of the empty clause
Resolution rule (the two premises contain a complementary pair of literals, the pivot):
  x ∨ C    ¬x ∨ D
  ───────────────
       C ∨ D
SAT
Examples
Satisfiability of: x ∨ y    x ∨ y ∨ z    x ∨ z
  {x ↦ ⊤, y ↦ ⊥, z ↦ ⊤}
Unsatisfiability of: x ∨ y    x ∨ y ∨ z    x ∨ z    z
  Resolution chain (□ is the empty clause):
    1. from x ∨ y ∨ z and z:    x ∨ y
    2. from step 1 and x ∨ y:   x
    3. from x ∨ z and z:        x
    4. from steps 2 and 3:      □
SMT
SAT modulo Theories
Atoms are now formulas of some theories:
  congruence closure
  linear arithmetic
  . . .
Certificate:
  If satisfiable: an assignment of the variables
  If unsatisfiable: a proof by resolution of the empty clause in which some leaves are theory lemmas
SMT
Examples
Satisfiability of: f(x) ≠ f(y)    f(x) = f(f(z))
  {x ↦ f(a), y ↦ a, z ↦ a}
Unsatisfiability of: f(x) ≠ f(y)    f(x) = f(f(z))    x = y
  EUF lemma (congruence):  x ≠ y ∨ f(x) = f(y)
  Resolution chain:
    1. from the EUF lemma and x = y:    f(x) = f(y)
    2. from step 1 and f(x) ≠ f(y):     □
2 Focus on the Coq checker
The Coq checker
A modular checker based on computational reflection

input + certificate ──→ Coq checker ──→ yes / no

The Coq checker is a main checker driving small checkers:
  CNF
  resolution chains
  EUF
  LIA
The Coq checker
The small checkers and the main checker
A small checker:
  takes some clauses and a piece of certificate as arguments
  returns a clause that is implied
The main checker:
  maintains an array of clauses
  sequentially hands each certificate step to the corresponding small checker
  checks that the last obtained clause is the empty clause
The Coq checker
The main checker by example
Unsatisfiability of: f(x) ≠ f(y)    f(x) = f(f(z))    x = y
  EUF lemma: x ≠ y ∨ f(x) = f(y); resolved with x = y it gives f(x) = f(y); resolved with f(x) ≠ f(y) it gives □
The array of clauses, step by step:
  [f(x) ≠ f(y), f(x) = f(f(z)), x = y]                              (input)
  [f(x) ≠ f(y), f(x) = f(f(z)), x = y, x ≠ y ∨ f(x) = f(y)]         (EUF small checker adds the lemma)
  [f(x) ≠ f(y), f(x) = f(f(z)), x = y, x ≠ y ∨ f(x) = f(y), □]      (resolution-chain small checker derives the empty clause)
The Coq checker
Improvements
Unsatisfiability of: f(x) ≠ f(y)    f(x) = f(f(z))    x = y
  EUF lemma: x ≠ y ∨ f(x) = f(y); resolved with x = y it gives f(x) = f(y); resolved with f(x) ≠ f(y) it gives □
Only 3 clauses alive at the same time: a clause that is no longer needed is overwritten in place instead of growing the array.
  [f(x) ≠ f(y), f(x) = f(f(z)), x = y]            (input)
  [f(x) ≠ f(y), x ≠ y ∨ f(x) = f(y), x = y]        (the lemma overwrites f(x) = f(f(z)), which is never used)
  [□, x ≠ y ∨ f(x) = f(y), x = y]                  (the resolution chain overwrites f(x) ≠ f(y))
The Coq checker
Small checkers
Current small checkers:
  resolution chains
  CNF computation
  Equality of Uninterpreted Functions
  Linear Integer Arithmetic (using an existing Coq decision procedure)
  Simplifications (eg. x + 0 ⇝ x)
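The checker architecture of the slides (an array of clauses, certificate steps handed to small checkers, the last clause must be □, and slot reuse so that few clauses are alive) and the SAT/SMT certificate formats of the first section, as one added example in Python. This is not SMTCoq's own code, which is written in Coq and OCaml. The certificate format is an assumption made here: each step names the slot that receives the derived clause, which is what allows the "Improvements" behaviour. The SMT instance is the slides' f(x) ≠ f(y), f(x) = f(f(z)), x = y; the propositional instance is constructed, because the negation bars of the slides' SAT clauses are not readable in this transcript, and it only keeps their shape (three satisfiable clauses plus a unit clause that makes the set unsatisfiable).

```python
"""Skeptical certificate checking modelled on SMTCoq's main checker and small
checkers: an added Python example, not SMTCoq's own Coq/OCaml code.
Assumed certificate format (not from the slides): a list of steps
  ("res", pos, [slots])           resolution chain over the clauses at `slots`
  ("euf", pos, (f, args, args'))  congruence lemma for the function symbol f
where `pos` is the array slot receiving the derived clause.  Atoms are variable
names or equalities ("=", s, t) over nested-tuple terms; a literal is
(atom, polarity); a clause is a frozenset of literals."""

EMPTY = frozenset()          # the empty clause, written □ on the slides

def lit(atom, polarity=True):
    if isinstance(atom, tuple) and atom[0] == "=":   # s=t and t=s coincide
        atom = ("=",) + tuple(sorted(atom[1:], key=repr))
    return (atom, polarity)

def neg(l):
    return (l[0], not l[1])

def clause(*lits):
    return frozenset(lits)

# ---- small checkers: each returns a clause implied by its inputs, or None ----

def resolve(c1, c2):
    """One resolution step; exactly one complementary pair (the pivot) must exist."""
    pivots = [l for l in c1 if neg(l) in c2]
    if len(pivots) != 1:
        return None
    return (c1 - {pivots[0]}) | (c2 - {neg(pivots[0])})

def resolution_chain(array, slots):
    """Fold `resolve` over the clauses stored at `slots`, left to right."""
    if not slots or any(not 0 <= i < len(array) for i in slots):
        return None
    acc = array[slots[0]]
    for i in slots[1:]:
        acc = resolve(acc, array[i])
        if acc is None:
            return None
    return acc

def euf_congruence(f, args_a, args_b):
    """a1≠b1 ∨ ... ∨ an≠bn ∨ f(a)=f(b): valid in EUF, so it needs no premises."""
    if not args_a or len(args_a) != len(args_b):
        return None
    lits = [lit(("=", a, b), False) for a, b in zip(args_a, args_b)]
    lits.append(lit(("=", (f,) + tuple(args_a), (f,) + tuple(args_b))))
    return clause(*lits)

# ---- main checker ----

def check_unsat(inputs, certificate):
    """True only if every step is justified and the last derived clause is □."""
    array, last = list(inputs), None
    for kind, pos, payload in certificate:
        if kind == "res":
            last = resolution_chain(array, payload)
        elif kind == "euf":
            last = euf_congruence(*payload)
        else:
            last = None
        if last is None:
            return False              # malformed or unjustified step: reject
        if pos == len(array):
            array.append(last)        # fresh slot
        elif 0 <= pos < len(array):
            array[pos] = last         # overwrite a slot whose clause is dead
        else:
            return False
    return last == EMPTY

def check_sat(clauses, assignment):
    """SAT-side certificate: the assignment is checked by evaluating each clause."""
    return all(any(assignment.get(a) == p for a, p in c) for c in clauses)

# ---- the slides' SMT example: f(x)≠f(y), f(x)=f(f(z)), x=y ----
x, y, z = ("x",), ("y",), ("z",)
fx, fy, ffz = ("f", x), ("f", y), ("f", ("f", z))
SMT_INPUT = [clause(lit(("=", fx, fy), False)), clause(lit(("=", fx, ffz))),
             clause(lit(("=", x, y)))]
SMT_CERT = [("euf", 3, ("f", [x], [y])),         # x≠y ∨ f(x)=f(y) into slot 3
            ("res", 4, [3, 2, 0])]                # lemma ⊗ x=y ⊗ f(x)≠f(y) = □
SMT_CERT_3SLOTS = [("euf", 1, ("f", [x], [y])),  # overwrites unused f(x)=f(f(z))
                   ("res", 0, [1, 2, 0])]         # □ overwrites f(x)≠f(y)
BOGUS_CERT = [("res", 3, [1, 2])]                 # no pivot: must be rejected

# ---- constructed propositional instance (polarities are not the slides') ----
SAT_INPUT = [clause(lit("x"), lit("y")), clause(lit("x"), lit("y", False), lit("z")),
             clause(lit("x", False), lit("z")), clause(lit("z", False))]
SAT_MODEL = {"x": True, "y": False, "z": True}    # satisfies the first three
SAT_CERT = [("res", 4, [1, 3, 0]),   # x ∨ ¬y ∨ z, ¬z, x ∨ y  ⊢ x
            ("res", 5, [2, 3]),      # ¬x ∨ z, ¬z              ⊢ ¬x
            ("res", 6, [4, 5])]      # x, ¬x                   ⊢ □
```

The skeptical point is in `check_unsat`: the checker never trusts a step, it recomputes the clause each small checker claims and rejects a certificate on the first step it cannot justify (`BOGUS_CERT`), on a step that writes outside the array, or when the last clause is not □. `SMT_CERT_3SLOTS` proves the same problem with three live clauses by overwriting dead slots, which is the improvement the slides show.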
3 Coq tactics
Idea
Motivation
Example (taken from CompCert):
Goal forall b1 b2 x1 x2,
  (if b1 then 2 * x1 + 1 else 2 * x1) =
  (if b2 then 2 * x2 + 1 else 2 * x2) ->
  b1 = b2 /\ x1 = x2.
Proof.
  verit.
Qed.
![Page 48: SMTCoq: skeptical cooperation between SAT/SMT solvers and Coqargo.matf.bg.ac.rs/events/2013/pdp2013/slides/ChantalKeller.pdf · SMTCoq: skeptical cooperation between SAT/SMT solvers](https://reader036.vdocuments.site/reader036/viewer/2022070714/5ed68e085cd0d56eef02e65d/html5/thumbnails/48.jpg)
Focus on certi�cates Focus on the Coq checker Coq tactics Related works Conclusion
Idea
Proof by reflection
$(\forall \vec{x}, F)$ is true $\Leftrightarrow$ $(\exists \vec{x}, \neg F)$ is false $\Leftrightarrow$ $(\neg F)$ is unsatisfiable
(diagram columns: Coq | OCaml | SMT solver)
goal → reification → formula → translation → set of clauses → SMT solver
SMT solver answers UNSAT, with a proof witness → checker call → goal solved
SMT solver answers SAT, with an assignment → counter-example → error message
What's next
Work in progress
accept goals in the sort of propositions (≠ Booleans in Coq)
normalize the goal
Future directions
handle quantifiers
encodings before sending to the SMT solver
Skeptical vs. autarkic
Another approach
Since Coq is a programming language:
implement an SMT solver inside
prove its correctness
↪→ followed by S. Lescuyer et al.: embedding Alt-Ergo in Coq (the ergo tactic)
Skeptical vs. autarkic
Pros and cons of ergo
Pros:
a fully certified prover (not a posteriori)
which can be extracted
self-contained
Cons:
not robust to small changes
hard
likely to be less efficient
does not bene�t from existing tools
Proof reconstruction in HOL-like proof assistants
Proof reconstruction in Isabelle/HOL
Proof witness verification:
implemented for zChaff and Z3 in Isabelle/HOL by S. Böhme and T. Weber
integrated in Sledgehammer by J. Blanchette (currently far more powerful than our tactics)
Proof reconstruction in HOL-like proof assistants
Pros and cons of Isabelle/HOL
Pros:
no proof terms
smaller trusting base
Cons:
highly dependent on the format of proof witnesses (here Z3)
no computational reflection
no extraction
Proof reconstruction in HOL-like proof assistants
Benchmarks coming from the SMT-comp
veriT and Z3 on 2000 benchmarks from SMT-LIB
[Plot "IDL results": time (s) on the y-axis, 0 to 250, against number of benchmarks solved on the x-axis, 50 to 400; curves for Z3, veriT, Z3 + Isabelle and veriT + Coq]
Modularity at many levels
Conclusion
SMTCoq:
efficient a posteriori verification of SMT solvers
computational reflection
careful choice of term representation
new decision procedure in Coq
modular at many levels
Modularity at many levels
Small checkers
Coq checker: input certificate → Main checker → yes / no
The main checker dispatches each certificate step to a small checker: CNF, resolution chains, EUF, LIA
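The skeptical flow above (trust only the checker, never the solver's UNSAT/SAT answer) and the main-checker/small-checker split can be illustrated with this added Python example, which is not SMTCoq's code and is much simpler than its Coq checker: a resolution-chain small checker, a main checker that only accepts a certificate deriving the empty clause, and a check that a SAT assignment really is a counter-example. Clause encoding, the sample ¬F and the certificates are all constructed for the example.

```python
from typing import Dict, FrozenSet, List, Optional, Sequence

# DIMACS-style literals: 3 is variable 3, -3 its negation; a clause is a set of literals.
Clause = FrozenSet[int]

def resolve(c1: Clause, c2: Clause) -> Optional[Clause]:
    """Binary resolution on the unique complementary literal; None if there is not exactly one."""
    pivots = [lit for lit in c1 if -lit in c2]
    if len(pivots) != 1:
        return None
    p = pivots[0]
    return (c1 - {p}) | (c2 - {-p})

def check_resolution_chain(derived: List[Clause], chain: Sequence[int]) -> Optional[Clause]:
    """Small checker for one certificate step: resolve the referenced clauses left to right."""
    if not chain or any(not 0 <= i < len(derived) for i in chain):
        return None                      # dangling clause id: reject, do not guess
    acc = derived[chain[0]]
    for i in chain[1:]:
        acc = resolve(acc, derived[i])
        if acc is None:
            return None
    return acc

def check_unsat_certificate(clauses: Sequence[Clause], certificate: Sequence[Sequence[int]]) -> bool:
    """Main checker: accept the solver's UNSAT answer only if every step checks
    and the empty clause is among the derived clauses. The solver itself is untrusted."""
    derived = list(clauses)
    for chain in certificate:
        new = check_resolution_chain(derived, chain)
        if new is None:
            return False
        derived.append(new)
    return frozenset() in derived

def check_sat_assignment(clauses: Sequence[Clause], assignment: Dict[int, bool]) -> bool:
    """SAT branch: the solver's assignment is a genuine counter-example to the goal
    only if it satisfies every clause of the translated not-F."""
    return all(any(assignment.get(abs(lit)) == (lit > 0) for lit in c) for c in clauses)

# Constructed input: the translated not-F as four clauses over variables 1 and 2 (unsatisfiable).
NEG_F = [frozenset({1, 2}), frozenset({-1, 2}), frozenset({1, -2}), frozenset({-1, -2})]
GOOD_CERT = [[0, 1], [2, 3], [4, 5]]   # derives {2}, then {-2}, then the empty clause
BAD_CERT = [[0, 3]]                    # two complementary literals: not a valid resolution step

if __name__ == "__main__":
    print(check_unsat_certificate(NEG_F, GOOD_CERT))   # True: goal solved
    print(check_unsat_certificate(NEG_F, BAD_CERT))    # False: certificate rejected
```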
Modularity at many levels
Integration of new solvers
Coq checker: SMT-LIB2 file → parser; SMT proof witness → parser + preprocessor → input certificate → Coq checker → yes / no
Advertisement
SMTCoq:
http://www.lix.polytechnique.fr/~keller/Recherche/smtcoq.html
Certificates:
our format is a proposal to the SAT/SMT community
seems like a good balance
do not hesitate to use it, enhance it...
Perspectives:
many directions already discussed (new solvers, quantifiers, new theories, encoding of more expressive Coq terms, decision procedure on 31-bit integers...)
confront with applications!