Towards an effective formally certified constraint solver
Catherine Dubois1
Arnaud Gotlieb2
1. CEDRIC-ENSIIE, Évry, France
2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
1 / 17
Do you trust your solver (SAT/SMT/FD etc.) ?
More confidence ....
Why ?
I
Crucial when used in safety/business-critical software (software
verification, applications such as auction trading, airspace deconfliction)
I
Necessary if integrated into a skeptical proof assistant as a decision
procedure
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
2 / 17
How ?
Different approaches exist, e.g.
I
The solver produces an answer (yes/no, sat/unsat, sol/unsat etc) +
evidence/proof witness/trace more or less informative
A trusted checker verifies the trace (e.g. Isabelle/Z3, Coq/VeriT, ...)
I
Verify the code of an existing solver itself: forget it !
I
Produce a formally verified solver : correct by construction
Sat solvers in PVS (Shankar, Vaucher 2011), Isabelle/HOL (Maric,
2010) , Incremental Simplex Algorithm Isabelle/HOL (Spasic Maric
2012), Ergo in Coq (Lescuyer Conchon 2008) 2013) . . .
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
3 / 17
Towards a generic verified CP-solver
Our contribution
We propose not only one verified solver but a family of verified solvers
−→ modular and generic architecture for the solver
−→ high parametricity: constraints, local consistency, variable-value
choices, representation issues . . .
−→ developed within the Coq proof assistant
−→ written in OCaml, extracted from Coq
−→ featuring a raisonnable efficiency
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
4 / 17
A very quick tour of Coq
What is Coq ?
A functional programming language (recursion, algebraic datatypes,
pattern-matching, types)
A specification language (higher order, inductive predicates à la
Prolog)
An interactive prover
A proof checker
A recognized tool used in some industries and education
A tool we can trust (its kernel has been formally verified)
...
To do what ?
Formalize and verify theorems (4 colors (2005) - Feit-Thompson
(2012))
Build formally verified software (the C compiler Compcert (2008))
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
5 / 17
But it is not ....
An automatic prover (however some decision procedures exist)
An oracle
Easy to use (unfortunately)
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
6 / 17
Extraction/Synthesis of programs
A mechanism provided by Coq to produce standalone functional
programs (OCaml, Haskell) from Coq code (functions +
specifications + proofs)
Erasure of logical parts in the Coq code
Typical example: euclidian division
In Coq:
Lemma eucl div : ∀ x y: nat, y 6= 0 → ∃ q r, x = q * y + r ∧ 0 ≤ r < y.
Proof.
....
Extraction eucl div.
In Ocaml
div_eucl: nat -> nat -> nat*nat
Common practice (Compcert)
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
7 / 17
A verified solver: what does it mean?
Let us define a Coq function solve that solves a csp
Either solve csp = Some a (a is provided as a solution) or
solve csp = None (no solution)
Prove soundness
∀ csp, ∀ a, wellformed csp →
solve csp = Some a → is solution a csp.
∀ csp, wellformed csp→
solve csp = None → ∀ a, ¬(is solution a csp)
Prove completeness (if it is !)
∀ csp, ∀ a, wellformed csp →
is solution a csp → ∃a0 , solve csp = Some a’
∀ csp, wellformed csp →
(∀ a, ¬(is solution a csp)) → solve csp = None
Extract OCaml code
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
8 / 17
CP solving
Soundness and completeness of the solver rely on soundness and
completeness of filtering and propagation.
Constraint filtering
Constraint propagation
Variable labeling
Filtering: arc-consistency, bound-consistency for binary constraints: proved
in Coq
Propagation: AC3 and AC2001: proved in Coq
Labeling: elementary choice variable-value in a backtracking process:
proved in Coq
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
9 / 17
A very general/generic propagation engine
.... A formulation close to AC3 ....
Function propagate (doms: mapdomain) (qu: queue elem)
{wf propagate wf (doms, qu)}: option mapdomain :=
if empty(qu) then Some (doms)
else let p := next(qu) in
let (doms’, lvars) := filter p doms in
if (notempty lvars) then
if has empty dom lvars doms’ then None
else propagate doms’ ((remove qu p) ⊕ (visit again p lvars))
else propagate doms (remove qu p)
end
with red types and functions as generic parameters (and also constraints, values,
domains)
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
10 / 17
Termination of propagate
We show that each recursive call has decreasing arguments according to
some order
−→ Lexicographic order propagate wf defined on pairs (doms, qu) from
the 2 following measures :
on qu = number of elements,
on doms = sum of lengths of domains.
−→ The termination proof is also generic: it relies on the fact that when
lvars is not empty, some domains strictly decrease (property of filter , aka
monotonic propagators)
Property filter true: ∀ p doms doms’ lvars,
compat p doms →
filter p doms = (doms’, lvars) → notempty lvars = true →
(∀ v, In v lvars → doms’[v] ⊂ doms[v]).
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
11 / 17
Example: binary constraints and arc-consistency
c1
y
x
Each constraint c(x,y) is seen as 2
edges in the constraint graph.
c2
c3
z
Type elem = arc = an edge labelled by the constraint = (v, c, w) where v
6= w, v,w ∈ {x,y} and c(x,y)
filter (u, c, v) doms: prune the domain of u such that arc-consistency is
achieved for c
visit again (u, c, v) lvars (here lvars=[v]): computes the list of the arcs (in
blue below) whose arc-consistency may have been modified
c
u
CP meets Verification 2014 Workshop
v
September 9, 2014 - Lyon
12 / 17
Soundness and completeness of propagation
. . . according to a local consistency property
The local consistency property is here a parameter:
loc consistent c doms: the constraint c is locally consistent with respect
to the domains of its variables
... More precisely, loc consistent p is required.
Some examples:
Arc-consistency for binary constraints
loc consistent c doms := loc consistent p (x, c, y) doms ∧
loc consistent p (y, c, x) doms ∧ c(x,y)
loc consistent p (x, c, y) doms := ∀ v ∈ doms[x], ∃ u in doms[y],
c(v,u)=true
Hyper-arc consistency: generalization of the previous one
Bound-consistency
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
13 / 17
- Soundness theorem: local consistency is established for all constraints
when fixpoint is achieved
Theorem propagate sound : ∀ csp d’, wellformed csp →
propagate (Doms csp) (full queue csp) = Some d’ →
(∀c, c ∈ (Csts csp) → loc consistent c d’).
- Completeness theorem: all the pruned values were inconsistent for some
constraint
Theorem propagate complete : ∀ csp d’, wellformed csp →
propagate d (full queue csp) = Some d’ →
(∀x, d[x] 6= d’[x] → (∀ v, v ∈ d’[x]-d[x], ∃ c, ¬(loc consistent c dxv ))).
where d = Doms csp and
dxv defined such that dxv [x]={v} and dxv [y]=d[y] for y 6= x
(not formalized like that in the previous developments)
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
14 / 17
Both theorems require soundness and completeness of filter and also the
following property:
Property not visit again : ∀ csp p doms doms’,
filter p doms = (doms’, lvars) → notempty lvars = true →
(∀ p’, p’ ∈
/ (visit again p lvars) → loc consistent p p’ doms →
loc consistent p p’ doms’).
−→ justify what is -not- added in the worklist after a filtering step
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
15 / 17
Current status
A first solver based on Coq and extracted from Coq:
binary constraints, arc-consistency, domains as finite lists, elementary
heuristic for labeling
already generic: parameterized by the type of values, variables
featuring AC3/AC2001 propagation
published in FM 2012, http://www.ensiie.fr/˜dubois/CoqsolverFD
Extension for taking into account bound-consistency:
mimic and update the previous Coq files
published in JFPC 2013
Extension to the alldiff constraint:
filtering relies on graph algorithms: maximal matching, connected
components (Regin 1994)
much work to formalize matching and all that in Coq
work in progress
Verified decomposition of ternary constraints into binary constraints
−→ 15.000 LOC Coq / 3 years of development
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
16 / 17
Conclusion
We have proposed some verified solvers, they are operational but not as
competitive (in terms of efficiency) as the existant solvers
Proposition: use our solvers as second shot solvers
to verify a solution obtained by your favorite solver
to verify the UNSAT answer of your favorite solver
Previous solvers do not fit in our modular and generic vision.
So let us start again ! Join us ? you are welcome !
CP meets Verification 2014 Workshop
September 9, 2014 - Lyon
17 / 17