Section: New Results

Automated and Interactive Theorem Proving

Participants : Jasmin Christian Blanchette, Martin Bromberger, Antoine Defourné, Daniel El Ouraoui, Alberto Fiori, Mathias Fleury, Pascal Fontaine, Stephan Merz, Hamid Rahkooy, Hans-Jörg Schurr, Sorin Stratulat, Thomas Sturm, Sophie Tourret, Marco Voigt, Uwe Waldmann, Christoph Weidenbach.

Combination of Satisfiability Procedures

Joint work with Christophe Ringeissen (Inria Nancy – Grand Est, Pesto) and Paula Chocron (Insikt Intelligence, Spain).

A satisfiability problem is often expressed in a combination of theories, and a natural approach consists in solving the problem by combining the satisfiability procedures available for the component theories. This is the purpose of the combination method introduced by Nelson and Oppen. However, in its initial presentation, the Nelson-Oppen combination method requires the theories to be signature-disjoint and stably infinite. The design of a generic combination method for non-disjoint unions of theories is difficult, but it is worth exploring simple non-disjoint combinations that appear frequently in verification. An example is the case of shared sets, where sets are represented by unary predicates. Another example is the case of bridging functions between data structures and a target theory (e.g., a fragment of arithmetic).

In 2015, we defined a sound and complete combination procedure à la Nelson-Oppen for the theory of absolutely free data structures (including lists and trees) connected to another theory via bridging functions [59]. This combination procedure has also been refined for standard interpretations. The resulting theory has a nice politeness property, enabling combinations with arbitrary decidable theories of elements. We also investigated other theories [60] amenable to similar combinations: this class includes the theory of equality, the theory of absolutely free data structures, and all the theories in between.

In 2018 and 2019, we have been improving the framework and unified both results. This was published in the Journal of Automated Reasoning in 2019 [19].

Quantifier Handling in SMT

Joint work with Cezary Kaliszyk (Univ. of Innsbruck).

SMT solvers generally rely on various instantiation techniques for handling quantifiers. We built a unifying framework encompassing quantified formulas with equality and uninterpreted functions, such that the major instantiation techniques in SMT solving can be cast in that framework. It is based on the problem of E-ground (dis)unification, a variation of the classic Rigid E-unification problem. We introduced a sound and complete calculus to solve this problem in practice: Congruence Closure with Free Variables (CCFV). Experimental evaluations of implementations of CCFV demonstrate notable improvements in the state-of-the-art solver CVC4 and make the solver veriT competitive with state-of-the-art solvers for several benchmark libraries, in particular those originating in verification problems.

In 2019, we investigated machine learning techniques for predicting the usefulness of an instance in order to decrease the number of instances passed to the SMT solver. For this, we proposed a meaningful way to characterize the state of an SMT solver, to collect instantiation learning data, and to integrate a predictor in the core of a state-of-the-art SMT solver. This ultimately leads to more efficient SMT solving for quantified problems.

Higher-Order SMT

Joint work with Haniel Barbosa, Andrew Reynolds, Cesare Tinelli (Univ. of Iowa), and Clark Barrett (Stanford)

SMT solvers have throughout the years been able to cope with increasingly expressive formulas, from ground logics to full first-order logic (FOL). In contrast, the extension of SMT solvers to higher-order logic (HOL) was mostly unexplored. We proposed a pragmatic extension for SMT solvers to support HOL reasoning natively without compromising performance on FOL reasoning, thus leveraging the extensive research and implementation efforts dedicated to efficient SMT solving. We showed how to generalize data structures and the ground decision procedure to support partial applications and extensionality, as well as how to reconcile quantifier instantiation techniques with higher-order variables. We also discussed a separate approach for redesigning an SMT solver for higher-order logic from the ground up via new data structures and algorithms. We applied our pragmatic extension to the CVC4 SMT solver and discussed a redesign of the veriT SMT solver. Our evaluation showed that they are competitive with state-of-the-art HOL provers and often outperform the traditional encoding into FOL.

This result was published at CADE 2019 [27]. We are also currently investigating extending the CCFV algorithm to higher-order logic.

Proofs for SMT

We have previously developed a framework for processing formulas in automatic theorem provers, with generation of detailed proofs that can be checked by external tools, including skeptical proof assistants. The main components are a generic contextual recursion algorithm and an extensible set of inference rules. Clausification, skolemization, theory-specific simplifications, and expansion of `let' expressions are instances of this framework. With suitable data structures, proof generation adds only a linear-time overhead, and proofs can be checked in linear time. We implemented the approach in the SMT solver veriT. This allowed us to dramatically simplify the code base while increasing the number of problems for which detailed proofs can be produced. In 2019, the format of proof output was further improved, while also improving the reconstruction procedure in the proof assistant Isabelle/HOL. This allowed the tactic using SMT with proofs to be regularly suggested by Sledgehammer as the fastest method to automatically solve proof goals. This was the subject of a workshop publication [36].

Clause Learning from Simple Models

The goal of this research is to guide inferences in expressive logics via simple models. Intuitively, a model is simple if computations with respect to the model can be done in polynomial time. We have shown that for first-order logic, models built from ground literals are sufficient to guide resolution inferences between non-ground clauses [35]. We have also investigated the expressivity of model representation formalisms in general [41]. Model representation formalisms built on atoms with only linear variable occurrences have the finite model property. Hence, they cannot represent infinite models.


We have further developed our CDCL(T) solver SPASS-SATT. It is the combination of our SAT solver SPASS-SAT with highly efficient theory solvers for linear arithmetic [31]. SPASS-SATT showed good performance at the SMT competition 2019 where it won the category on linear rational arithmetic and scored second on linear integer arithmetic. The winner of the linear integer arithmetic category was a portfolio solver including SPASS-SATT. Our main improvements are due to an advanced clause normal form translation, a close interaction between the theory solvers and the SAT solver SPASS-SAT, and and a new transformation turning unbounded integer problems into bounded integer problems.

Extension of a Highly Efficient Prover to λ-free Higher-Order Logic

Joint work with Simon Cruanes (Aesthetic Integration), Stephan Schulz (DHBW Stuttgart), and Petar Vukmirović (VU Amsterdam).

Superposition-based provers, such as E, SPASS, and Vampire, are among the most successful reasoning systems for first-order logic. They serve as backends in various frameworks, including software verifiers, automatic higher-order theorem provers, and one-click “hammers” in proof assistants. Decades of research have gone into refining calculi, devising efficient data structures and algorithms, and developing heuristics to guide proof search. This work has mostly focused on first-order logic with equality, with or without arithmetic.

To obtain better performance, we propose to start with a competitive first-order prover and extend it to full higher-order logic one feature at a time. Our goal is a graceful extension, in keeping with the zero-overhead principle: What you don't use, you don't pay for.

As a stepping stone towards full higher-order logic, we initially restricted our focus to a higher-order logic without λ-expressions. Compared with first-order logic, its distinguishing features are partial application and applied variables. Our vehicle is E, a prover developed primarily by Schulz. It is written in C and offers good performance. E regularly scores among the top systems at the CASC competition, and usually is the strongest open source prover in the relevant divisions. It also serves as a backend for competitive higher-order provers.

Our experiments show that the λ-free higher-order version of E is practically as fast as E on first-order problems and can also prove higher-order problems that do not require synthesizing λ-terms. As a next step, we plan to add support for λ-terms and higher-order unification. This work is described in a TACAS 2019 conference paper [42]; an extended version of this paper has been invited to a special issue of the International Journal on Software Tools for Technology Transfer.

Extension of the Superposition Calculus with λ-Abstractions

Joint work with Alexander Bentkamp (VU Amsterdam) and Petar Vukmirović (VU Amsterdam).

We designed a superposition calculus for a clausal fragment of extensional polymorphic higher-order logic that includes anonymous functions but excludes Booleans. The inference rules work on βη-equivalence classes of λ-terms and rely on higher-order unification to achieve refutational completeness.

We implemented the calculus in the Zipperposition prover. Our empirical evaluation includes benchmarks from the TPTP (Thousands of Problems for Theorem Provers) and interactive verification problems exported from Isabelle/HOL. The results appear promising and suggest that an optimized implementation inside a competitive prover such as E, SPASS, or Vampire would outperform existing higher-order automatic provers. This research was presented at the CADE 2019 conference [28].

Automated Reasoning over Biological Networks

[54] study toricity of steady state ideals of biological models. From a computational point of view, models identified as toric allow to employ tools from toric geometry for a complexity reduction step. From a scientific point of view, toric models are known to have scale invariant multistationarity in the space of linear conserved quantities. This can be interpreted as a dimension reduction of the multistationarity problem. We propose a generalization of the notion of toricity, compatible with our above remarks, in terms of the geometry of the variety instead of the syntactic shape of generators of the ideal. We consider 129 models from the BioModels repository [67], for which ODEbase (http://odebase.cs.uni-bonn.de/) provides input data directly usable for symbolic computation. While the existing literature was mostly limited to the complex numbers, we use real quantifier elimination methods to treat also the real case, which is clearly the relevant domain from a scientific point of view. In practice, our real computations in Redlog [4] can compete with our complex ones. In theory we show that our real algorithms are in EXPTIME while Gröbner bases, which are typically used when working with ideal generators, are EXPSPACE-complete [68]. To our knowledge, this is the first time that such a comprehensive set of biomodels has been systematically processed using symbolic methods.

Towards an Improved Encoding of TLA+ Proof Obligations

We reconsider the encoding of proof obligations that arise in proofs about TLA+ specifications in multi-sorted first-order logic, and specifically their translations to SMT solvers. Our previous work [69] relied on type inference for identifying expressions having atomic types such as integers but did not exploit more complex types, even if such types were constructed during type inference. A more pervasive use of types for translating set-theoretic expressions to the input language of SMT solvers appears promising in order to reduce the use of type injections and quantifiers and thus simplify the proof obligations passed to the solver, but it raises non-trivial soundness and completeness issues. Techniques of gradual typing designed for programming languages where type inference is not fully possible statically may be helpful in this context. A related problem is support for instantiation hints for quantified formulas given by the user. A first paper will be presented at JFLA 2020.

Formal Proofs of Tarjan's Algorithm

Joint work with Ran Chen (Chinese Academy of Sciences), Cyril Cohen and Laurent Théry (Inria Sophia Antipolis Méditerranée, Stamp), and Jean-Jacques Lévy (Inria Paris, Pi.r2).

We consider Tarjan's classical algorithm for computing strongly connected components in a graph as a case study of intermediate complexity for comparing interactive proof assistants. Representing the algorithm as a functional program (rather than its more conventional imperative representation), we proved its correctness in three different proof assistants (Coq, Isabelle/HOL, and Why3). The proofs are based on essentially the same formulation of the algorithm and of its invariants, allowing us to compare differences due to idiosyncracies of the proof assistants, such as their ability to handle mutually recursive function definitions, proving termination beyond syntactic criteria, and their degree of automation. Our results were presented at ITP 2019 [33].

Implementation of an Efficient Validation of FOLID Cyclic Induction Reasoning

Checking the soundness of cyclic induction reasoning for first-order logic with inductive definitions (FOLID) is decidable but the standard checking method is based on an exponential complement operation for Büchi automata. We devised a polynomial method “semi-deciding” this problem; its most expensive steps are reminiscent of the comparisons with multiset path orderings. In practice, it has been integrated in the Cyclist prover and successfully checked all the proofs included in its distribution. The work was presented at the CiSS2019 conference (Circularity in Syntax and Semantics) and the software is available at https://members.loria.fr/SStratulat/files/e-cyclist.zip.