diff options
author | ckeller <ckeller@users.noreply.github.com> | 2019-01-28 23:19:12 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-01-28 23:19:12 +0100 |
commit | 7021c53d4ecf97c82ccebb6bb45f5305d8b482ea (patch) | |
tree | ba7537e1e813cabf9ee0d910f845c71fa5f446e7 /doc | |
parent | 36548d6634864a131cc83ce21491c797163de305 (diff) | |
download | smtcoq-7021c53d4ecf97c82ccebb6bb45f5305d8b482ea.tar.gz smtcoq-7021c53d4ecf97c82ccebb6bb45f5305d8b482ea.zip |
Merge from LFSC (#26)
* Showing models as coq counter examples in tactic without constructing coq terms
* also read models when calling cvc4 with a file (deactivated because cvc4 crashes)
* Show counter examples with variables in the order they are quantified in the Coq goal
* Circumvent issue with ocamldep
* fix issue with dependencies
* fix issue with dependencies
* Translation and OCaml support for extract, zero_extend, sign_extend
* Show run times of components
* print time on stdout instead
* Tests now work with new version (master) of CVC4
* fix small printing issue
* look for date on mac os x
* proof of valid_check_bbShl: some cases to prove.
* full proof of "left shift checker".
* full proof of "rigth shift checker".
* Support translation of terms bvlshr, bvshl but LFSC rules do not exists at the moment
Bug fix for bitvector extract (inverted arguments)
* Typo
* More modularity on the format of traces depending on the version of coq
* More straightforward definitions in Int63Native_standard
* Use the Int31 library with coq-8.5
* Use the most efficient operations of Int31
* Improved performance with coq-8.5
* Uniform treatment of sat and smt tactics
* Hopefully solved the problem with universes for the tactic
* Updated the installation instructions
* Holes for unsupported bit blasting rules
* Cherry-picking from smtcoq/smtcoq
* bug fix hole for bitblast
* Predefined arrays are not required anymore
* fix issue with coq bbT and bitof construction from ocaml
* bug fix in smtAtom for uninterpreted functions
fix verit test file
* fix issue with smtlib2 extract parsing
* It looks like we still need the PArray function instances for some examples (see vmcai_bytes.smt2)
* Solver specific reification:
Each solver has a list of supported theories which is passed to Atom.of_coq, this function creates uninterpreted functions / sorts for unsupported features.
* show counter-examples with const_farray instead of const for constant array definitions
* Vernacular commands to debug checkers.
Verit/Lfsc_Checker_Debug will always fail, reporting the first proof step of the certificate that failed be checked
* Update INSTALL.md
* show smtcoq proof when converting
* (Hopefully) repared the universes problems
* Corrected a bug with holes in proofs
* scripts for tests:
create a folder "work" under "lfsc/tests/", locate the benchmarks there.
create a folder "results" under "lfsc/tests/work/" in which you'll find the results of ./cvc4tocoq.
* make sure to give correct path for your benchs...
* Checker for array extensionality modulo symmetry of equality
* fix oversight with bitvectors larger than 63 bits
* some printing functions for smt2 ast
* handle smtlib2 files with more complicated equivalence with (= ... )
* revert: ./cvc4tocoq does not output lfsc proofs...
* bug fix one input was ignored
* Don't show verit translation of LFSC proof if environment variable DONTSHOWVERIT is set
(e.g. put export DONTSHOWVERIT="" in your .bashrc or .bashprofile)
* Also sort names of introduced variables when showing counter-example
* input files for which SMTCoq retuns false.
* input files for which SMTCoq retuns false.
* use debug checker for debug file
* More efficient debug checker
* better approximate number of failing step of certificate in debug checker
* fix mistake in ml4
* very first attempt to support goals in Prop
* bvs: comparison predicates in Prop and their <-> proofs with the ones in bool
farrays: equality predicate in Prop and its <-> proof with the one in bool.
* unit, Bool, Z, Pos: comparison and equality predicates in Prop.
* a typo fixed.
* an example of array equality in Prop (converted into Bool by hand)...
TODO: enhance the search space of cvc4 tactic.
* first version of cvc4' tactic: "solves" the goals in Prop.
WARNING: supports only bv and array goals and might not be complete
TODO: add support for lia goals
* cvc4' support for lia
WARNING: might not be complete!
* small fix in cvc4' and some variations of examples
* small fix + support for goals in Bool and Bool = true + use of solve tactical
WARNING: does not support UF and INT63 goals in Prop
* cvc4': better arrangement
* cvc4': Prop2Bool by context search...
* cvc4': solve tactial added -> do not modify unsolved goals.
* developer documentation for the smtcoq repo
* cvc4': rudimentary support for uninterpreted function goals in Prop.
* cvc4': support for goals with Leibniz equality...
WARNING: necessary use of "Grab Existential Variables." to instantiate variable types for farrays!
* cvc4': Z.lt adapted + better support from verit...
* cvc4': support for Z.le, Z.ge, Z.gt.
* Try arrays with default value (with a constructor for constant arrays), but extensionality is not provable
* cvc4': support for equality over uninterpreted types
* lfsc demo: goals in Coq's Prop.
* lfsc demo: goals in Bool.
* Fix issue with existential variables generated by prop2bool.
- prop2bool tactic exported by SMTCoq
- remove useless stuff
* update usage and installation instructions
* Update INSTALL.md
* highlighting
* the tactic: bool2prop.
* clean up
* the tactic smt: very first version.
* smt: return unsolved goals in Prop.
* Show when a certificate cannot be checked when running the tactic instead of at Qed
* Tactic improvements
- Handle negation/True/False in prop/bool conversions tactic.
- Remove alias for farray (this caused problem for matching on this type in tactics).
- Tactic `smt` that combines cvc4 and veriT.
- return subgoals in prop
* test change header
* smt: support for negated goals + some reorganization.
* conflicts resolved + some reorganization.
* a way to solve the issue with ambiguous coercions.
* reorganization.
* small change.
* another small change.
* developer documentation of the tactics.
* developer guide: some improvements.
* developer guide: some more improvements.
* developer guide: some more improvements.
* developer guide: some more improvements.
* pass correct environment for conversion + better error messages
* cleaning
* ReflectFacts added.
* re-organizing developers' guide.
* re-organizing developers' guide.
* re-organizing developers' guide.
* removing unused maps.
* headers.
* artifact readme getting started...
* first attempt
* second...
* third...
* 4th...
* 5th...
* 6th...
* 7th...
* 8th...
* 9th...
* 10th...
* 11th...
* 12th...
* 13th...
* 14th...
* 15th...
* 16th...
* 17th...
* Update artifact.md
Use links to lfsc repository like in the paper
* 18th...
* 19th...
* 20th...
* 21st...
* 22nd...
* 23rd...
* 24th...
* 25th...
* 26th...
* 27th...
* 28th...
* Update artifact.md
Small reorganization
* minor edits
* More minor edits
* revised description of tactics
* Final pass
* typo
* name changed: artifact-readme.md
* file added...
* passwd chaged...
* links...
* removal
* performance statement...
* typos...
* the link to the artifact image updated...
* suggestions by Guy...
* aux files removed...
* clean-up...
* clean-up...
* some small changes...
* small fix...
* additional information on newly created files after running cvc4tocoq script...
* some small fix...
* another small fix...
* typo...
* small fix...
* another small fix...
* fix...
* link to the artifact image...
* We do not want to force vm_cast for the Theorem commands
* no_check variants of the tactics
* TODO: a veriT test does not work anymore
* Compiles with both versions of Coq
* Test of the tactics in real conditions
* Comment on this case study
* an example for the FroCoS paper.
* Fix smt tactic that doesn't return cvc4's subgoals
* readme modifications
* readme modifications 2
* small typo in readme.
* small changes in readme.
* small changes in readme.
* typo in readme.
* Sync with https://github.com/LFSC/smtcoq
* Port to Coq 8.6
* README
* README
* INSTALL
* Missing file
* Yves' proposition for installation instructions
* Updated link to CVC4
* Compiles again with native-coq
* Compiles with both versions of Coq
* Command to bypass typechecking when generating a zchaff theorem
* Solved bug on cuts from Hole
* Counter-models for uninterpreted sorts (improves issue #13)
* OCaml version note (#15)
* update .gitignore
* needs OCaml 4.04.0
* Solving merge issues (under progress)
* Make SmtBtype compile
* Compilation of SmtForm under progress
* Make SmtForm compile
* Make SmtCertif compile
* Make SmtTrace compile
* Make SatAtom compile
* Make smtAtom compile
* Make CnfParser compile
* Make Zchaff compile
* Make VeritSyntax compile
* Make VeritParser compile
* Make lfsc/tosmtcoq compile
* Make smtlib2_genconstr compile
* smtCommand under progress
* smtCommands and verit compile again
* lfsc compiles
* ml4 compiles
* Everything compiles
* All ZChaff unit tests and most verit unit tests (but taut5 and un_menteur) go through
* Most LFSC tests ok; some fail due to the problem of verit; a few fail due to an error "Not_found" to investigate
* Authors and headings
* Compiles with native-coq
* Typo
Diffstat (limited to 'doc')
-rw-r--r-- | doc/artifact-readme.md | 257 | ||||
-rw-r--r-- | doc/sources.md | 661 |
2 files changed, 918 insertions, 0 deletions
diff --git a/doc/artifact-readme.md b/doc/artifact-readme.md new file mode 100644 index 0000000..47c6332 --- /dev/null +++ b/doc/artifact-readme.md @@ -0,0 +1,257 @@ +# SMTCoq artifact + +SMTCoq is a Coq tool that can be used to dispatch goals to external SAT and SMT solvers +or simply to check proof witnesses produced by them. +It currenly supports the quantifier free fragments of the SMT-LIB theories of fixed-sized bit-vectors (`QF_BV`), +functional arrays (`QF_A`), linear integer arithmetic (`QF_LIA`), equality over uninterpreted functions +(`QF_EUF`), and their combinations. + +This document describes the organization of the SMTCoq artifact submission for CAV 2017. + +## How to download the artifact + +To get the artifact, please browse [here](https://drive.google.com/file/d/0BzDtBR99eKp9WVNNLTlBQy1Lc28/view) +and download the `SMTCoq.ova` which is an image of an +Ubuntu 16.04 LTS running virtual machine with approximately 3.6GB size +(using 8GB memory, single processor which runs at the same frequency with the host processor, +and approximately 63GB virtual disk space once imported). +Then, please run [VirtualBox](https://www.virtualbox.org/wiki/VirtualBox); +from the `File` top-down menu click on `Import Appliance...` and locate the `SMTCoq.ova` +image. This will create you a virtual machine named `SMTCoq`. To run it, simply click on `Start`. +The login (and super user) password is `123`. + + +## How to install the artifact + +Once logged into the virtual machine, you will find SMTCoq installed. +If you want to install it on a separate machine, please check the SMTCoq +[installation guide](https://github.com/lfsc/smtcoq/blob/master/INSTALL.md). + + +## How to run the artifact + +There are two use-cases of SMTCoq: + - `within a Coq tactic`: we can give a Coq goal to an external solver and get a +proof certificate for it. If the checker can validate the certificate, +the soundness of the checker allow us to establish a proof of the initial goal +(by `computational reflection`). +In this use case, the trusted base consists only of Coq: if something else goes wrong +(e.g., the checker cannot validate the certificate), the tactic will fail, but +nothing unsound will be added to the system. + - `correct-by-construction checker`: the idea is to check the +validity of a proof witness, or proof certificate, produced by an external SMT solver +for some input problem. In this use case, the +trusted base is both Coq and the parser of the input problem. + +### Within a Coq tactic + +Once logged into the virtual machine, open a terminal and go to `unit-tests` directory +by typing `cd Desktop/smtcoq/unit-tests` from home. It contains a test file (`Tests_lfsc.v`) which makes +use of the new SMTCoq tactics inside Coq, to discharge goals with the aid of various SMT +solvers. + +#### Running everything with a single command + +You can run Coq in batch mode on our test file (once you are in the correct +directory) by simply running the following command: + +``` +coqc Tests_lfsc.v +``` + +The return code should be 0 to indicate that Coq typed-checked everything correctly. The batch +compiler `coqc` tries to compile `Tests_lfsc.v` file into `Test_lfsc.vo`. Please refer to +[Coq reference manual](https://coq.inria.fr/refman/Reference-Manual008.html#compiled) for details. + +#### Interactive session through CoqIDE + +In the `unit-test` directory, open the test file by running + +``` +coqide Tests_lfsc.v +``` + +in the terminal. This will load in `CoqIDE` (the Coq interactive development environment) +the file where we use SMTCoq within a Coq tactic called `smt`. +Within the CoqIDE, use `Forward one command` button (downarrow on the top-left corner) to +navigate through the source since `Go to end` button uses a parallelization strategy +which is not yet supported by SMTCoq. + +If the background becomes green after going one command forward, this means +that Coq has accepted the statement. At the end of the session the whole file should be green. +If Coq fails to accept any statement, you will see a brief reason of the failure in the +bottom-right rectangle within the `Errors` tab. + + + +#### Understanding the test file + +```coq +Require Import SMTCoq. +``` + +loads the SMTCoq module. It might be interesting to check out the implementation +details (with pointers to source codes) of the module +[here](https://github.com/lfsc/smtcoq/blob/master/doc/sources.md). + +Similarly, + +```coq +Require Import Bool PArray Int63 List ZArith Logic. +``` + +loads above-mentioned modules from the Coq standard library. + +```coq +Infix "-->" := implb (at level 60, right associativity) : bool_scope. +``` + +introduces a new notation `-->` for the boolean implication. + +Using + +```coq +Section BV. +``` +we open a new section to prove theorems from the theory of fixed-size bitvectors. + +```coq +Import BVList.BITVECTOR_LIST. +Local Open Scope bv_scope. +``` + +are to load our own [bitvector module](https://github.com/lfsc/smtcoq/blob/master/src/bva/BVList.v) +(called BITVECTOR_LIST in BVList.v file) +to be able to use theorems proven and notations introduced there. Note that to end a +section `XX` you need to type + +```coq +End XX. +``` + +Now, we can state goals and prove them automatically. For instance, the goal + +```coq + Goal forall (a b c: bitvector 4), + (c = (bv_and a b)) -> + ((bv_and (bv_and c a) b) = c). +``` + +is proven by the `smt` tactic which subsumes the powers of the tactics `cvc4` and `verit`: +```coq + Proof. + smt. + Qed. +``` + +Here are some more detailed explanation of the tactics: + + - `verit` -> applies to Coq goals of type `Prop`: + it first calls `prop2bool` on the goal, converting the goal to a term of type `bool`, + it then calls the reification tactic `verit_bool` (which applies only to Boolean goals), + and it finally converts the goals back to `Prop`, by calling `bool2prop`, if it is not + solved. + +- `cvc4` -> applies to Coq goals of type `Prop`: + it first calls `prop2bool` on the goal, converting the goal to a term of type `bool`, + it then calls the reification tactic `cvc4_bool` (which applies only to Boolean goals), + and it finally converts any unsolved subgoals returned by CVC4 back to `Prop`, + by calling `bool2prop`. + +- `smt` -> has the combined effect of the `cvc4` and `verit` tactics: + it first calls `prop2bool` on the goal, it then calls either of the `cvc4_bool` and + `verit_bool` tactics, and it finally converts any unsolved subgoals back to `Prop`, + by calling `bool2prop`. + +The reification tactics `cvc4_bool` and `verit_bool`, implemented in OCaml, do most of the work: +calling the external solvers (`CVC4` and `veriT` respectively), getting a +proof certificate, and if SMTCoq's checker can validate the certificate, establishing the proof +of the initial goal. The translation tactics `prop2bool` and `bool2prop` are implemented in Coq using +the Ltac language. + +NB: all of the above tactics perform better on a "standard" machine compared to the VM. + +Another example of a goal in the theory of bit-vectors is the following: + +```coq + Goal forall (bv1 bv2 bv3: bitvector 4), + bv1 = #b|0|0|0|0| /\ + bv2 = #b|1|0|0|0| /\ + bv3 = #b|1|1|0|0| -> + bv_ultP bv1 bv2 /\ bv_ultP bv2 bv3. + Proof. + smt. + Qed. +``` + +This goal uses three bit-vectors of size four: `bv1`, `bv2` and `bv3` then sets them to +`0000`, `1000` and `1100` in the given order (`#b|1|0|...|` is the notation for bit-vector +constants, where `0` stands for `false` and `1` is for `true`). Finally, it states +that `bv1` is less than (unsigned less than over bit-vectors) `bv2` and (propositional) +`bv2` is less than `bv3`. The tactic `smt` suffices to solve the goal. + + +The following sections `Arrays`, `LIA`, `EUF`, `PR`and `A_BV_EUF_LIA_PR` in the Coq file include goals that +can be proven by the `smt` tactic from the theories of functional arrays; linear integer +arithmetic; uninterpreted functions; propositional reasoning and the combination of functional +arrays, fixed-size bit-vectors, uninterpreted functions, linear integer arithmetic and +propositional reasoning; respectively. + + +The example that appears in the paper can be found in the section `A_BV_EUF_LIA_PR`: + +```coq +Goal forall (a b: farray Z Z) (v w x y: Z) + (r s: bitvector 4) + (f: Z -> Z) + (g: farray Z Z -> Z) + (h: bitvector 4 -> Z), + a[x <- v] = b /\ a[y <- w] = b -> + r = s /\ h r = v /\ h s = y -> + v < x + 1 /\ v > x - 1 -> + f (h r) = f (h s) \/ g a = g b. + Proof. + smt. (** "cvc4. verit." also solves the goal *) + Qed. +``` + +It introduces two arrays `a` and `b` of type `farray Z Z` (the type of integer arrays +with integer indices); four integers `v`, `w`, `x` and `y`; three uninterpreted fuctions +`f`, `g` and `h`. +Notice that `a[i]` is used to select the value stored in the `i^th^` index of the array `a` +while `a[x <- v]` is used to store the value `v` in `a[x]`, `x^th^` index of array `a`. + + + +### Correct-by-construction checker + +Using SMTCoq as a `correct-by-construction checker` means that it is possible to start with +a problem in SMT-LIB standard, call an external solver (CVC4 or veriT) on it, get the +unsatisfiability proof and certify it using the certified "small checkers" of SMTCoq. + +To test that, in a terminal go to `tests` directory (from home) by typing +`cd Desktop/smtcoq/src/lfsc/tests`. Run the shell script `cvc4tocoq` providing +an input file (i.e., `uf1.smt2`) by typing `./cvc4tocoq uf1.smt2`. +This will call `CVC4`, get the proof in `LFSC` format, type check and convert it (using a converter +written in OCaml) into SMTCoq format (which is very close to the proof format of `veriT`) and call +the SMTCoq checker. If the checker returns `true` that means that SMTCoq indeed agreed that the proof of +the input problem is correct. If it returns `false`, that means either that the proof is incorrect +or that the OCaml converter is mistaken/incomplete. Note that you can replace `uf1.smt2` +with any `.smt2` extended file under +`tests` directory (`/home/Desktop/smtcoq/src/lfsc/tests`). + +Feel free to generate your own problem files but please recall that the input problems should be from the +supported theories: `QF_A`, `QF_BV`, `QF_LIA`, `QF_EUF`, and their combinations. + +NB: The successful execution of the `./cvc4tocoq XX.smt2` script outputs some new +files: +- `XX.lfsc` -> the file includes the `LFSC` style unsatisfiability proof of the input problem `XX.smt2`. +- `XX_lfsc.v` -> Coq source file that calls the Coq checkers to validate the proof`XX.lfsc`. +- `XX_lfsc.glob` -> the file includes the globals of the source `XX_lfsc.v`. +- `XX_lfsc.vo` -> compliled module file of the source `XX_lfsc.v`, it is used when to load the modules from the source `XX_lfsc.v`. + + + + + + diff --git a/doc/sources.md b/doc/sources.md new file mode 100644 index 0000000..55d2cec --- /dev/null +++ b/doc/sources.md @@ -0,0 +1,661 @@ +# SMTCoq sources + +This document describes the organization of the SMTCoq repository and locations +of source code and modules. + +Sources are contained in the directory [src](../src) which can be found at +top-level. The directories [examples](../examples) and +[unit-tests](../unit-tests) contain respectively example files of usage for +SMTCoq and regression tests for the different tactics and vernacular commands +that the plugin provides. + +The rest of the document describes the organization of `src`. + + +## Top-level architecture of SMTCoq + +SMTCoq sources are contained in this directory. A few Coq files can be found at +top-level. + +### [configure.sh](../src/configure.sh) + +This script is meant to be run when compiling SMTCoq for the first time. It +should also be run every time the Makefile is modified. It takes as argument an +optional flag `-native` which, when present, will set up the sources to use the +*native Coq* libraries. Otherwise the standard version 8.5 of Coq is used. See +section [versions](#versions). + +### [SMTCoq.v](../src/SMTCoq.v) + +This is the main SMTCoq entry point, it is meant to be imported by users that +want to use SMTCoq in their Coq developments. It provides (exports) the other +SMTCoq modules as well as declares the OCaml plugin for adding the new +vernacular commands and tactics. + +### [Trace.v](../src/Trace.v) + +This file defines the types of certificates and steps (atomic certificate +pieces) as well as the *main checkers*. + +The first section `trace` gives a generic definition of a main checker +parameterized by the type of individual steps and a function to check +individual steps `check_step` (small checkers). Correctness of the main checker +is proved under the assumption that the small checker is correct. + +These generic definitions are applied to construct main checkers for resolution +(module `Sat_Checker`), CNF conversion (module `Cnf_Checker`) and +satisfiability modulo theories (module `Euf_Checker`). They each define an +inductive type `step` to represent certificate steps. For instance, in the case +of the resolution checker, the only possible step is to apply the resolution +rule so steps are defined as: + +```coq +Inductive step := + | Res (_:int) (_:resolution). +``` + +The main theorems for these modules are named `checker_*correct`. For instance +the main result for the SMT checker (`Euf_Checker`) is formulated as follows: + +```coq +Lemma checker_correct : forall d used_roots c, + checker d used_roots c = true -> + ~ valid t_func t_atom t_form d. +``` + +which means that if the checker returns true on the formula `d` and the +certificate `c` then `d` is not valid (*i.e.* `c` is a refutation proof +certificate for `d`). + + + +### [State.v](../src/State.v) + +This module is used to define representations for the global state of the +checker. + +A state is an array of clauses: + +```coq +Module S. + Definition t := array C.t. +... +End S. +``` + +on which we define resolution chain operations `set_resolve` that modify the +state. + +Variables, literals and clauses are defined respectively in modules `Var`, +`Lit` and `C`. Binary resolution is defined between two clauses in `C.resolve`. + + + +### [SMT_terms.v](../src/SMT_terms.v) + +This Coq module defines reification types for formulas (`Form.form`), types +(`Typ.type`) and atoms/terms (`Atom.atom`). Formulas are given an +interpretation in Coq's Booleans, types are interpreted in Coq types (for +instance, type `TZ` is interpreted as Coq's mathematical integers `Z`) and +atoms are interpreted as Coq terms of type the interpretation of their type +(for instance an atom whose type is `TZ` is interpreted as an integer of `Z`). + + +**Some important lemmas:** + +A function `cast` allows to change the encoded type of a term of type +`Typ.type` when we know two types are equal (the inductive `cast_result` +provides the conversion function). + +```coq +Fixpoint cast_refl A: + cast A A = Cast (fun P (H : P A) => H). +``` + +This is the lemma to use to remove cast constructions during the proofs. + + + +```coq +Lemma i_eqb_spec : forall t x y, i_eqb t x y <-> x = y. +``` + +This other lemma says that Boolean equality over interpretation of types is the +equivalent to Leibniz equality. This is useful to allow rewriting. + + +Atom (as well as formulas) are encoded by integers, and mapping is preserved by +an array `t_atom`. Another array maintains interpretations of encodings. The +following lemma states that these two relates: + +```coq +Lemma t_interp_wf : forall i, + t_interp.[i] = interp_aux (PArray.get t_interp) (t_atom.[i]). +``` + + + + +### [Misc.v](../src/Misc.v) + +This module contains miscellaneous general lemmas that are used in several +places throughout the development of SMTCoq. + + +### [versions](../src/versions) + +This directory contains everything that is dependent on the version of Coq that +one wants to use. `standard` contains libraries for the standard version of Coq +and `native` contains everything related to native Coq. Note that some +libraries are already present in the default libraries of native Coq, in this +case they have a counterpart in `standard` that replicates the functionality +(without using native integers or native arrays). + +A particular point of interest is the files +[smtcoq_plugin_standard.ml4](../src/versions/standard/smtcoq_plugin_standard.ml4) +and +[smtcoq_plugin_native.ml4](../src/versions/native/smtcoq_plugin_native.ml4). They +provide extension points for Coq by defining new vernacular commands and new +tactics. For instance the tactic `verit` tells Coq to call the OCaml function +`verit.tactic` (which in turns uses the Coq API to manipulate the goals and +call the certified checkers). + +```ocaml +TACTIC EXTEND Tactic_verit +| [ "verit" ] -> [ Verit.tactic () ] +END +``` + + + +### [spl](../src/spl) + +This directory contains everything related to simplifications of input +formulas as well as the Coq machinery to handle step checkers that use +assumptions (and generate sub-goals). + +- [Arithmetic.v](../src/spl/Arithmetic.v): Arithmetic simplifications +- [Operators.v](../src/spl/Operators.v): Simplifications of SMT-LIB 2 operators + (atomic disequalities and distinct operators) +- [Syntactic.v](../src/spl/Syntactic.v): Flattening and normalization of + propositional structures +- [Assumptions.v](../src/spl/Assumptions.v): Small checker for assumptions + + + +### [extraction](../src/extraction) + +This is the extracted version of the SMTCoq checker, that can be run outside +Coq. It still needs to be fixed for the new additions and extensions. + + + +### [classes](../src/classes) + + +The definitions of interpretations of terms and types of SMTCoq requires some +additional constraints that are encoded as Coq type-classes. This directory +contains definitions and properties of these classes +[SMT_classes.v](../src/classes/SMT_classes.v) as well as predefined useful +instances of these classes +[SMT_classes_instances.v](../src/classes/SMT_classes_instances.v). + +These classes are: + +- `EqbType`: types with a Boolean equality that reflects in Leibniz equality +- `DecType`: types with a decidable equality +- `OrdType`: class of types with a partial order +- `Comparable`: augmentation of class of partial order with a compare function + to obtain a total order +- `Inhabited`: class of inhabited types (used to obtain default values for + types) +- `CompDec`: a class that merges all previous classes + + + +## Small checkers + +Small Coq checkers are organized in sub-directories that reflect the theories +they handle. Small checkers for propositional logic, equality over +uninterpreted functions and linear integer arithmetic all use preexisting +standard Coq libraries (Bool, Arith, Z, BinPos, ...) to formalize the +underlying interpretation of these theories. The theories of fixed-width +bit-vectors and functional unbounded arrays are formalized in new custom Coq +libraries (that are distributed with SMTCoq). + + +Computational small checkers have the following signature: + +```coq +Definition checker (s : S.t) (p1 ... pn : int) (l1 ... lm : lit) : C.t := ... +``` + +where `s` is the state of the main checker, `p1`, ..., `pn` are positions +(there can be none) of deduced clauses that appear in the state `s` and `l1`, +..., `lm` are literals. The function `checker` returns a clause that is +`deducible` from the already deduced clauses in the state `s`. + +Correctness of checkers are specified (and proven) through lemmas of the form: + +```coq +Lemma valid_checker : forall s rho p1 ... pm l1 ... lm, + C.valid rho (checker s p1 ... pm l1 ... lm). +``` + +It states that the clause returned by `checker` is valid. In most cases for the +small checkers, when they fail they return a trivially true clause (`C._true`). + + +### [cnf](../src/cnf) + +Small checkers for CNF (conjunctive normal form) are defined in the module +[Cnf.v](../src/cnf/Cnf.v). In essence they implement a Tseitin conversion. + +For instance, the checker `check_BuildDef` returns a tautology in clausal form +(the validity of the clause is not dependent on the validity of the state) and +the checker `check_ImmBuildDef` is a generic encoding of conversion rules that +have a premise (which appears in the state). + + + +### [euf](../src/euf) + +The checkers for EUF (equality over uninterpreted functions) are defined in the +module [Euf.v](../src/euf/Euf.v). + +The first one checks application of the rule of transitivity. `check_trans` +takes as argument the result of the rule application as well as list of +equalities of the form `a = b`, `b = c`, ..., `x = y`, `y = z`. + +The other checker takes care of applications of the congruence rule. Functions +in SMT-LIB have a given arity and they are interpreted as Coq functions. The +checker for congruence can check rule applications with a number of equalities +corresponding to the arity of the function. + + +### [lia](../src/lia) + +Checking linear arithmetic lemmas that come from the SMT solver is performed +using the already existing `Micromega` solver of Coq. The corresponding +checker is implemented in module [Lia.v](../src/lia/Lia.v). + + + + + +### [bva](../src/bva) + +The small checkers for bit-vector operations can be found in module +[Bva_checker.v](../src/bva/Bva_checker.v). They implement the rules for +bit-blasting operators of the theory of fixed width bit-vector. + +There are small checkers for: + +- bit-wise operators (`bvand`, `bvor`, `bvxor`, `bvnot`) +- equality +- variables +- constants +- extraction +- concatenation +- arithmetic operations (addition, negation, multiplication) +- comparison predicates (signed/unsigned) +- extensions (zero/signed) + + +The theory of fixed width is realized by an implementation provided in +[BVList.v](../src/bva/BVList.v). There, bit-vectors are interpreted by lists of +Booleans. The type of bit-vectors is a dependent type: + +```coq +Parameter bitvector : N -> Type. +``` + +In the implementation, a bit-vector is a record that contains a list of +Booleans `bv`, *i.e.* the lists of its bits, as well as a proof of well +formedness `wf`, *i.e.* a proof that the size of the list `bv` is the parameter +`n` of the type. + +```coq +Record bitvector_ (n:N) : Type := + MkBitvector + { bv :> M.bitvector; + wf : M.size bv = n + }. +``` + + + +### [array](../src/array) + +The theory of unbounded functional arrays with extensionality is realized in +Coq by a custom type that can be found in [FArray.v](../src/array/FArray.v). + +```coq +Definition farray (key elt : Type) _ _ := +``` + +The type `farray` is parameterized by the type of keys (or indexes) of the +array and the type of the elements. `key` must be a type equipped with a +partial order and `elt` must be inhabited. + + +```coq +Record slist := + {this :> Raw.farray key elt; + sorted : sort (Raw.ltk key_ord) this; + nodefault : NoDefault this + }. + +Definition farray := slist. +``` + +An array is represented internally by an association list for its mappings with +additional constraints that encode the fact that the list is sorted and that +there are no mapping to the default value. + +Computable equality and comparison functions require additional constraints on +the types `key` and `elt` (for instance they need to have a total order, +*etc.*). + +This library also provides useful properties on these arrays. Notably +extensionality which is required by the theory of arrays in SMT solvers: + +```coq +Lemma extensionnality : forall a b, (forall i, select a i = select b i) -> a = b. +``` + +The extensionality rule that is used by the checker is a bit different and +requires classical axioms to be proven. This is done in section +```Classical_extensionnality``` which provides an alternative version without +contaminating uses of the library. + +There are three small checkers for arrays. They check application of the axioms +(in the theory sense) of the theory of arrays, two for *read over write* and +one for *extensionality* + + +## OCaml implementation of the plugin + +Part of SMTCoq is implemented in OCaml. These concern functionality which are +not certified such as the reification mechanism, the parsers, pre-processors +and the definitions of tactics. + +This part communicates directly with Coq by using the OCaml Coq API. + + +### [trace](../src/trace) + +This directory contain the implementation of certificates and the +representation of SMT-LIB formulas in SMTCoq. + +[coqTerms.ml](../src/trace/coqTerms.ml) contains imports from Coq of terms to +be used directly in OCaml. These include usual Coq terms but also ones specific +to SMTCoq. + +[smtAtom.mli](../src/trace/smtAtom.mli) contains the definitions for the types +of atoms in SMTCoq but also provides smart constructors for them. The modules +defined in this file have functions to reify Coq terms in OCaml and to +translate back OCaml atoms and types to their Coq counterpart interpretation. + +[smtForm.mli](../src/trace/smtForm.mli) plays the same role as `smtAtom` but on +the level of formulas. + +[smtCertif.ml](../src/trace/smtCertif.ml) contains definitions for an OCaml +version of the steps of the certificate. These are the objects that are +constructed when importing a certificate from an SMT solver for instance. + +[smtTrace.ml](../src/trace/smtTrace.ml) contains functions to build the Coq +version of the certificate from the OCaml one. + +[smtCommands.ml](../src/trace/smtCommands.ml) constitute the bulk of the +implementation of the plugin. It contains the OCaml functions that are used to +build the Coq vernacular commands (`Verit_checker`, `Lfsc_checker`, ...) and +the tactics. It also contains functions to reconstruct Coq counter-examples +from models returned by the SMT solver. + +[smtCnf.ml](../src/trace/smtCnf.ml) implements a CNF conversion on the type of +SMTCoq formulas. + +[smtMisc.ml](../src/trace/smtMisc.ml) contains miscellaneous functions used in +the previous modules. + + + +### [smtlib2](../src/smtlib2) + +This directory contains utilities to communicate directly with SMT +solvers. This includes a lexer/parser for the SMT-LIB 2 format +([smtlib2_parse.mly](../src/smtlib2/smtlib2_parse.mly)) a conversion module +from SMT-LIB 2 to formulas and atoms of SMTCoq +([smtlib2_genConstr.ml](../src/smtlib2/smtlib2_genConstr.ml)) and a way to call +and communicate with SMT solvers through pipes +([smtlib2_solver.mli](../src/smtlib2/smtlib2_solver.mli)). + + + +### [zchaff](../src/zchaff) + +Files in this directory allow to call the SAT solver ZChaff. It contains a +parser for the sat solver input files and ZChaff certificates. The +implementation for the Coq tactic `zchaff` can be found in +[zchaff.ml](../src/zchaff/zchaff.ml). + + + +### [verit](../src/verit) + +This directory contains the necessary modules to support the SMT solver veriT. +In particular it contains a parser for the format of certificates of veriT +([veritParser.mly](../src/verit/veritParser.mly)) and an intermediate +representation of those certificates +([veritSyntax.mli](../src/verit/veritSyntax.mli)). This module also implements +a conversion function from veriT certificates to SMTCoq format of +certificates. This pre-processor is a simple one-to-one conversion. + +The file ([verit.ml](../src/verit/verit.ml)) contains the functions to invoke +veritT and create SMT-LIB 2 scripts. This is used by the definition of the +tactic `verit` of the same file. + + + +### [lfsc](../src/lfsc) + +This directory contains the pre-processor for LFSC proofs to SMTCoq +certificates (as well as veriT certificates). The files +[ast.ml](../src/lfsc/ast.ml) and [builtin.ml](../src/lfsc/builtin.ml) contain +an OCaml implementation of a type checker for LFSC proofs. This directory also +contains a parser and lexer for LFSC (*c.f.*, +[lfscParser.mly](../src/lfsc/lfscParser.mly)). + +The pre-processor is implemented in the module +[converter.ml](../src/lfsc/converter.ml)) as a *functor*. Depending on the +module (for terms and clauses conversions) that is passed in the functor +application, we obtain either a pre-processor from LFSC proofs to SMTCoq +certificates directly or a converter from LFSC proofs to veriT certificates. + +> **Note:** You can obtain a standalone version of the converter by issuing +> `make` in this directory. This produces a binary `lfsctosmtcoq.native` that +> can be run with an LFSC proof as argument and produces a veriT certificate +> on the standard output. + +Finally, the tactic `cvc4_bool` is implemented in the file +[lfsc.ml](../src/lfsc/lfsc.ml)). It contains functions to call the SMT solver +CVC4, convert its proof and call the base tactic of `smtCommands`. + + +## Tactics: proof search + +### [BoolToProp.v](../src/BoolToProp.v) +This module includes the tactic `bool2prop` that converts a goal, if Boolean, into +a goal in Coq's `Prop`, after introducing universally quantified variables into the +context. + +It simply performs a search in the goal and does the mentioned conversion step by step +benefitting the `reflect` predicate popularized by the `SSReflect` library: + +```coq +Inductive reflect (P : Prop) : bool -> Set := + | ReflectT : P -> reflect P true + | ReflectF : ~ P -> reflect P false. +``` + +In fact, the predicate `reflect` returns the Boolean counterpart of a proposition. +Besides, it makes below lemma easily provable: + +```coq +Lemma reflect_iff : forall P b, (P<->b=true) -> reflect P b. +``` + +This simply says that if a Coq proposition `P` is equivalent to some Boolean +`b` being `true` then `b` is indeed the Boolean counterpart of `P`. + +Now, let's exemplify how the tactic `bool2prop` benefits above steps: + +Imagine a very simple goal that embodies the `or` connective + +```coq +G0 || G1 +``` + +for some Booleans `G0` and `G1`. Then, the tactic performes the following +rewrite step on the goal + +```coq +rewrite <- (@reflect_iff (G0 = true \/ G1 = true) (G0 || G1)). +``` + +which turns it into: + +```coq +G0 = true \/ G1 = true +``` + +together with introducing an additional goal: + +```coq +reflect (G0 = true \/ G1 = true) (G0 || G1) +``` + +The first goal is indeed the intended one. However, the tactic can still go a step further +putting the goal into the following shape: + +```coq +H0 \/ H1 +``` + +for some propositions `H0` and `H1`. This is indeed the case for Boolean equality and comparison over bit-vectors, +Boolean equality and comparison over Coq intergers `Z`, and Boolean equality over fuctional arrays; +since the corresponding propositional predicates are proven to be equivalent. E.g., + +```coq +Lemma bv_ult_B2P: forall n (a b: bitvector n), bv_ult a b = true <-> bv_ultP a b. +``` +where `bv_ult: bitvector n -> bitvector n -> bool` and `bv_ultP: bitvector n -> bitvector n -> Prop`. + +However, the second one must somehow be solved. This is indeed not so hard: +it suffices to apply the below lemma which has already been proven again by benefitting the `reflect` predicate: + + +```coq +Lemma orP : forall (a b: bool), reflect (a = true \/ b = true) (a || b). +``` + +Notice that the same sort of conversion steps for the other Boolean connectives are also handled +by the tactic `bool2prop`. + +### [PropToBool.v](../src/PropToBool.v) +This module includes the tactic `prop2bool` that converts a goal, if in Coq's `Prop`, into +a Boolean goal, after introducing universally quantified variables into the context. +It is, in fact, the inverse of the above explained `bool2prop` tactic. + +It simply performs a search in the goal and does the mentioned conversion step by step +benefitting the `reflect` predicate (see above `BoolToProp.v`). The predicate `reflect` +makes the following goal easily proveable: + +```coq +Lemma reflect_iff : forall P b, reflect P b -> (P<->b=true). +``` + +This basically tells us that if `b` is the Boolean counterpart of some proposition `P`, +then `P` is indeed equivalent to `b` being `true`. + +Now, let's exemplify how the tactic `prop2bool` benefits above steps: + +Imagine a very simple goal that embodies the `or` connective as + +```coq +H0 \/ H1 +``` + +for some propositions `H0` and `H1`. At this point, the tactic needs to go a step further and +puts the goal into the following shape to be able to make use of the `reflect_iff` fact: + +```coq +G0 = true \/ G1 = true +``` + +for some Booleans `G0` and `G1`. This step is indeed doable for propositional equality and comparison over +bit-vectors, propsitional equality and comparison over Coq intergers `Z`, and propositional equality over +fuctional arrays, since the corresponding Boolean predicates are proven to be equivalent. E.g., + +```coq +Lemma bv_ult_B2P: forall n (a b: bitvector n), bv_ult a b = true <-> bv_ultP a b. +``` +where `bv_ult: bitvector n -> bitvector n -> bool` and `bv_ultP: bitvector n -> bitvector n -> Prop`. + + +Then, the tactic performes the following rewrite step on the goal + +```coq +rewrite (@reflect_iff (G0 = true \/ G1 = true) (G0 || G1)) +``` + +which turns it into: + +```coq +G0 || G1 = true +``` + +together with introducing an additional goal: + +```coq +reflect (G0 = true \/ G1 = true) (G0 || G1) +``` + +The first goal is indeed the intended one. So that the tactic leaves the goal as it is. But the second +one must somehow be solved. In fact, this not so hard: it suffices to apply the below lemma which +has already been proven again by benefitting the `reflect` predicate: + +```coq +Lemma orP : forall (a b: bool), reflect (a = true \/ b = true) (a || b). +``` + +Notice that the same sort of conversion steps for the other propositional connectives are also handled +by the tactic `prop2bool`. + +### [Tactics.v](../src/Tactics.v) +This file includes four tactics that are written in `Ltac` language: + + - `zchaff` -> can function on the goals in Coq's `Prop`: + first calls `prop2bool` on the goal, getting the goal in `bool`, + then calls the reificiation tactic `zchaff_bool` (which can only function on Boolean goals), + and finally puts the goal back in Coq's `Prop`, by calling `bool2prop`, if not solved. + + - `verit` -> can function on the goals in Coq's `Prop`: + first calls `prop2bool` on the goal, getting the goal in `bool`, + then calls the reificiation tactic `verit_bool` (can only function on Boolean goals), + and finally puts the goal back in Coq's `Prop`, by calling `bool2prop`, if not solved. + + - `cvc4` -> can function on the goals in Coq's `Prop`: + first calls `prop2bool` on the goal, getting the goal in `bool`, + then calls the reificiation tactic `cvc4_bool` (can only function on Boolean goals), + and finally puts the goal(s) back in Coq's `Prop`, by calling `bool2prop`, in case it is not solved or additional goals returned. + + - `smt` -> subsumes the powers of `cvc4` and `verit` tactics: + first calls `prop2bool` on the goal, getting the goal in `bool`, + then calls either of the reificiation tactics `cvc4_bool`, `verit_bool` (can only function on Boolean goals), + and finally puts the goal(s) back in Coq's `Prop`, by calling `bool2prop`, in case it is not solved or additional goals returned. + + + + |