Walking through the Forest: Fast EUF Proof-Checking Algorithms Frederic Besson 1 Pierre-Emmanuel Cornilleau 1 Ronan Saillard 1 Bretagne Atlantique , France Inria Rennes 2012 58 64

The quanti er-free logic of Equality with Uninterpreted Function symbols (EUF) is at the core of Satis ability Modulo Theory (SMT) solvers. There exist several competing proof formats for EUF proofs. We propose original proof formats obtained from proof forests that are the artifacts proposed by Nieuwenhuis and Oliveras to extract e ciently EUF unsatis able cores. Our proof formats can be generated by SMT solvers for almost free. Moreover, our preliminary experiments show that our novel veri ers outperform other existing EUF veri ers and that our proof formats appear to be more concise than existing EUF proofs.

 Introduction

the running time of all the veri ers is negligible w.r.t. the type-checking of the EUF proofs. Another result of our experiments is that proof forests veri ers are very fast and that (trimmed down) proof forests appear to be more concise than existing EUF proofs. Another advantage is that proof forests can be generated for almost free by SMT solvers based on proof forests.

The rest of the paper is organised as follows. Section 2 provides basic de nitions and known facts about the EUF logic. Section 3 recalls the nature of proof forests and explains the workings of our novel EUF proof veri ers. Section 4 is devoted to experiments. Section 5 concludes. 2

 Background

We write T ( ; V) the smallest set of terms built upon a set of variables V and a ranked alphabet of uninterpreted function symbols. For EUF, an atomic formula is of the form t = t0 for t, t0 2 T ( ; ;) and a literal is an atomic formula or its negation. Equality (=) is re exive, symmetric, transitive and closed under congruence: x = x x = y y = x x = y; y = z x = z

x1 = y1; : : : ; xn = yn f (x1; : : : ; xn) = f (y1; : : : ; yn)

Ackermann has proved using a reduction approach that the EUF logic is decidable [ 1 ]. The reduction consists in introducing for each term f (~x) a boolean variable f~x and encoding the congruence rule by adding the boolean formula x1 = y1 ^ : : : ^ xn = yn ) f~x = fy~ for each pair of terms f (~x), f (~y). This encoding is responsible for a quadratic blow up of the formula. Nelson has proposed an e cient decision procedure for deciding the satis ability of a set of EUF literals using a congruence closure algorithm [ 19 ]. Nieuwenhuis and Oliveras have shown how to e ciently generate unsatis able cores by instrumenting the congruence closure algorithm with a proof forest [ 20 ] gathering all the necessary information for generating proofs (see Section 3.1). 3

Walking through the proof forest

In the following, we assume w.l.o.g. that EUF terms are at and curried [20, Section 3.1] i.e., are of the form a or f (a1; a2) where f represents an explicit application symbol and a, a1 and a2 are constants. In the rest, we drop the f and write a1(a2) for f (a1; a2). These transformations can be performed in linear time and simplify the decision procedure. 3.1

Proof forest

Nieuwenhuis and Oliveras have proposed a proof-producing congruence closure algorithm for deciding EUF [ 20 ]. Their main contribution is an e cient Explain operation that outputs a (small) set of input equations E needed to deduce an equality, say a = b. If a 6= b is also part of the input, E [ a 6= b is a (small) unsatis able core that is used by the SMT solver for backtracking. As a result, SMT solvers using congruence closure run a variant of the Explain algorithm { whether or not they are proof producing.

The Explain algorithm is based on a speci c data structure: the proof forest. A proof forest is a collection of trees and each edge a ! b in the proof forest is labelled by a reason justifying why the equality a = b holds. A reason is either an input equation a = b or a pair of input equations a1(a2) = a and b1(b2) = b. For the second case, there must be justi cations in the forest for a1 = b1 and a2 = b2.

We give in Figure 1 a modi ed version of the original Explain algorithm. The NearestAncestor and Parent functions return (if it exists) respectively the nearest common ancestor of two nodes l e t E x p l a i n A l o n g P a t h ( a , c ) := a := H i g h e s t N o d e ( a ) ; c := H i g h e s t N o d e ( c ) ; i f a = c t h e n r e t u r n e l s e b:= P a r e n t ( a ) ; i f e d g e h a s form a a=!b b t h e n Output ( a = b ) e l s e f / e d g e h a s form a b1(b2)=!b b /

a1(a2)=a Output a1 ( a2)=a and b1 ( b2)=b ;

E x p l a i n ( a1 , b1 ) ; E x p l a i n ( a2 , b2 ) g ; Union ( a , b ) ; E x p l a i n A l o n g P a t h ( b , c ) (a) ExplainAlongPath l e t E x p l a i n ( a , b ) := c := N e a r e s t A n c e s t o r ( a , b ) ; E x p l a i n A l o n g P a t h ( a , c ) ; E x p l a i n A l o n g P a t h ( b , c )

(b) Explain in the proof forest and the parent of a node in the proof forest. A union- nd data structure [ 23 ] is also used: Union(a,b) merges the equivalence classes of a and b and Find(a) returns the current representive of the class of a. The HighestNode(c) operation returns the highest node (i.e., the node with minimal depth in the proof forest) belonging to the equivalence class of c.

Contrary to the original version, our algorithm is recursive. The Union operation has also been moved. As a consequence output equations are ordered di erently. This will ease our futur proof production. Another di erence is that the original algorithm always terminates but does not detect certain ill-formed proof forests e.g., a b=f(b!) b. In this case, the recursive a=f(a) algorithm does not terminate (this issue is dealt with in section 4.1). 3.2

 Proof forest veri er

The Explain algorithm of Figure 1 can be turned into a EUF proof veri er. The veri er is a version of Explain augmented with additional checks to ensure that the edges obtained from the SMT solver correspond to a well-formed proof forest. For instance, the veri er checks that edges are only labelled by input equations. Moreover, for edges of the form a b1(b2)=!b b, the recursive a1(a2)=a calls to Explain ensure that a1 = b1 and a2 = b2 have proofs in the proof forest i.e., a1 (resp. a2) is connected with b1 (resp. b2) by some valid path in the proof forest. For e ciency and simplicity, the least common ancestors are not computed by the veri er but used as untrusted hints. The soundness of the veri er does not depend on the validity of this information as the proposed least common ancestor is just used to guide the proof. If the return node is not a common ancestor, the veri er will simply fail.

For the veri er, a EUF proof is a pruned proof forest corresponding to the edges walked through during a preliminary run of Explain. As the SMT solver needs to traverse the proof forest to extract unsatis able core, we argue that the proof forest is a EUF proof that requires no extra-work from the SMT solver. l e t UFchecker i n p u t e d g e s ( x , y ) := f o r ( a = b ) 2 i n p u t do Union ( a , b ) done f o r a b1(b2)=!b b i n e d g e s do

a1(a2)=a i f ( a1 ( a2)=a ) 2 i n p u t & ( b1 ( b2)=b ) 2 i n p u t

& i s E q u a l ( a1 , b1 ) & i s E q u a l ( a2 , b2 ) t h e n Union ( a , b ) e l s e f a i l done r e t u r n i s E q u a l ( x , y ) To avoid traversing the same edge several times, the Explain algorithm and its veri er are using a union- nd data structure. Therefore, the Explain veri er implicitly embeds a decision procedure for the theory of equality. Our optimised veri er fully exploits this observation and starts by feeding all the input equalities of the form a = b into its union- nd. For the decision procedure, new equalities are obtained by applying the congruence rule and e ciency crucially depends on a clever indexing of the equations. The veri er does not require this costly machinery and takes as argument a trimmed down proof forest reduced to the list of edges of the forest of form a b1(b2)=!b b. The edge labels indicate the equations that need to be paired to derive a1(a2)=a a = b by the congruence rule. The algorithm of the veri er is given in Figure 2 where the predicate isEqual(a,b) checks whether a and b have the same representative in the union- nd i.e., Find(a) = Find(b). Once again, a preliminary run of Explain is su cient to generate a proof for this optimised veri er. 4 4.1

 Implementation and experiments EUF veri ers in Coq

Our veri ers are implemented using the native version of Coq [ 8 ] which features persistent arrays [ 13 ]. Persistent arrays are purely functional data-structures that ensure constant time accesses and updates of the array as soon as it is used in a monadic way. For maximum e ciency, all the veri ers make a pervasive use of those arrays that allow for an e cient unionnd implementation: union and nd have their logarithmic asymptotic complexity.

Compared to other languages, a constraint imposed by Coq is that all programs must be terminating. The UFchecker (see Section 3.3) is trivially terminating. Termination of the proof-forest veri er is more intricate because the Explain algorithm (see Figure 3.2) does not terminate if the proof forest is ill-formed e.g., has cycles. However, if the proof forest is wellformed, an edge is only traversed once. As a result, at each recursive call, our veri er decrements an integer initialised to the size of the proof forest. In Coq, the veri er fails after exhausting the maximum number of allowed recursive calls.

For the sake of comparison, we have also implemented the EUF proof format of Z3. Z3 refutations are also generated using Explain [14, Section 3.4.2]. Unlike our veri ers, Z3 proofs use explicit boolean reasoning and modus ponens. As a consequence formulae do not have 90 VeriT 80 Proof Forest

Z3

UFchecker 70 .)60 c (se50 e m itc40 q o c30 a constant size. As already noticed by others [ 9, 2 ], e cient veri ers require a careful handling of sharing. Our terms and formulae are hash-consed ; sharing is therefore maximum and comparison of terms or formulae is a constant-time operation. 4.2

Benchmarks

We have assessed the e ciency of our EUF veri ers on several families of handcrafted conjunctive EUF benchmarks. The benchmarks are large and all the literals are necessary to prove unsatis ability. The formulae are not representative of con ict clauses obtained from SMTLIB [ 3 ] benchmarks which are usually very small [ 7 ] and would not stress the scalability of the veri ers. For all our benchmarks the running time of the veri ers is negligible especially compared to the time spent type-checking the EUF proofs and the proof size is linear in the size of the formulae.

00 10000 20000 30000 40000 50000 60000 benchmark size (number of vari7a0b0le0s0) 80000 90000 100000 00 10000 20000 30000 40000 50000 60000 benchmark size (number of var7ia0b0l0e0s) 80000 90000 100000 (a) Total running time (b) Size of proofs 100 10 .) (scee 1 m it g n ikce 0.1 h c x0 = x1 x0 6= x(j+1) j f (xi j; xi j) = xi j+1 = ::: = xi j+j for i 2 f0 : : : jg The benchmarks are indexed by the number of EUF variables and the results are obtained using a Linux laptop with a processor Intel Core 2 Duo T9600 (2.80GHz) and 4GB of Ram. Figure 3a shows the time needed to construct and compile Coq proof terms. Figure 3b shows the size of the compiled proof terms. Figure 3c is focusing on the running time of the veri ers excluding the time needed to construct and dump proof terms.

For all our benchmarks, the UFchecker shows a noticeable advantage over the other veri ers. We can also remark that its behaviour is more predicable. The veriT veri er [ 2 ] is using proofs almost as small as proof forests but the traces generated by veriT are sometimes two orders of magnitude bigger. In the timings, the pre-processing needed to perform this impressive proof reduction is accounted for and might explain why the veriT veri er gets slower as the benchmark size grows. Remark also that for the biggest benchmarks, veriT fails to generate proofs.

Our Z3 veri er scales well despite being slightly but constantly outrun by the veri ers based on proof-forests. The running time of the di erent veri ers is given Figure 3c using a logarithmic scale. This emphases the fact that, except for the veriT veri er, the running time of the all the veri ers is below the second and is therefore not the limiting factor of the veri cation. Not surprisingly, the UFchecker requires smaller proofs and therefore its global checking time is also smaller. For big benchmarks, its running time also tends to be smaller than the running time of other veri ers. 5

 Conclusion

Proof generating SMT solvers such as Z3 [ 15 ], CVC3 [ 4 ] or veriT [ 10 ] routinely generate EUF proofs in various formats. Those formats have in common that proof-checking is essentially linear in the size of the proof. In theory, our EUF proofs cannot be checked in linear time and the veri ers need to embed a union- nd algorithm. In practice, our experiments conclude that our UFchecker veri er outperforms existing veri ers for EUF proofs and that succinct EUF proofs are the key for scalability. Embedding union- nd in EUF proofs was previously proposed by Conchon et al., [ 12 ]. However, in their approach, union- nd computations are interleaved with logic inferences that are responsible for an overhead that is absent from our veri ers. The importance of succinct proofs has been recognised by Stump [ 22 ] and its Logical Framework with Side Conditions (LFSC). Unlike LFSC proofs, our proofs are less exible but purely computational and use the principle of proof by re ection [5, Chapter 16]. As future work, we intend to integrate the UFchecker into the SMT proof veri er developed by several of the current authors [ 6 ] and extend its scope to the logic of constructors.

[1] W. Ackermann . Solvable Cases of the Decision Problem. Studies in Logic and the Foundations of Mathematics . North-Holland, Amsterdam, 1954 . [2] M. Armand , G. Faure , B. Gregoire , C. Keller, L. Thery, and B. Werner . A Modular Integration of SAT/SMT Solvers to Coq through Proof Witnesses . In CPP , volume 7086 of LNCS , pages 135 { 150 . Springer, 2011 . [3] C. Barret , A. Stump , and C. Tinelli . The SMT-LIB standard: Version 2.0 , 2010 . [4] C. Barrett and C. Tinelli . CVC3. In Proc. of CAV 2007 , volume 4590 of LNCS , pages 298 { 302 . Springer, 2007 . [5] Y. Bertot and P. Casteran . Interactive Theorem Proving and Program Development . Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science . Springer, 2004 . [6] F. Besson , P-E. Cornilleau , and D. Pichardie . Modular SMT Proofs for Fast Re exive Checking Inside Coq . In CPP , volume 7086 of LNCS , pages 151 { 166 . Springer, 2011 . [7] F. Besson , P-E. Cornilleau , and D. Pichardie . A nelson-oppen based proof system using theory speci c proof systems . In PxTP 2011 , 2011 . [8] M. Boesp ug , M. Denes, and B. Gregoire . Full Reduction at Full Throttle. In CPP , volume 7086 of LNCS , pages 362 { 377 . Springer, 2011 . [9] S. Bo hme and T. Weber . Fast LCF-style Proof Reconstruction for Z3 . In Proc. of ITP 2010 , volume 6172 of LNCS , pages 179 { 194 . Springer, 2010 . [10] T. Bouton , D. C. B. de Oliveira , D. Deharbe , and P. Fontaine . veriT: an open, trustable and e cient SMT-solver . In Proc. of CADE 2009 , LNCS. Springer, 2009 . [11] E. Cohen , M. Dahlweid , M. A. Hillebrand , D. Leinenbach , M. Moskal , T. Santen , W. Schulte , and S. Tobies. VCC: A Practical System for Verifying Concurrent C . In TPHOLs, volume 5674 of LNCS , pages 23 { 42 . Springer, 2009 . [12] S. Conchon , E. Contejean , J. Kanig , and S. Lescuyer . Lightweight integration of the ergo theorem prover inside a proof assistant . In Proceedings of the second workshop on Automated formal methods, AFM '07 , pages 55 { 59 . ACM, 2007 . [13] S. Conchon and J-C. Fillia^tre. Semi-persistent Data Structures . In ESOP , volume 4960 of LNCS , pages 322 { 336 . Springer, 2008 . [14] L. M. de Moura and N. Bj rner. Proofs and Refutations, and Z3 . In Proc. of the LPAR 2008 Workshops, Knowledge Exchange: Automated Provers and Proof Assistants , volume 418 . CEURWS.org, 2008 . [15] L. M. de Moura and N. Bj rner. Z3: An e cient SMT solver . In Proc. of TACAS 2008 , volume 4963 of LNCS , pages 337 { 340 . Springer, 2008 . [16] B. Dutertre and L. de Moura. The Yices SMT solver . Tool paper at http://yices.csl.sri.com/toolpaper.pdf, 2006 . [17] J-C. Fillia^tre and C. Marche. The Why/Krakatoa/Caduceus Platform for Deductive Program Veri cation . In CAV , volume 4590 of LNCS , pages 173 { 177 , 2007 . [18] K. R. M. Leino . Dafny: An Automatic Program Veri er for Functional Correctness . In LPAR-16 , volume 6355 of LNCS , pages 348 { 370 . Springer, 2010 . [19] G. Nelson and D. C. Oppen . Fast decision procedures based on congruence closure . J. ACM , 27 ( 2 ): 356 { 364 , April 1980 . [20] R. Nieuwenhuis and A. Oliveras . Proof-Producing Congruence Closure . In Proc. of RTA 2005 , volume 3467 of LNCS , pages 453 { 468 . Springer, 2005 . [21] R. Saillard . EUF Veri ers in Coq. http://www.irisa.fr/celtique/ext/euf. [22] A. Stump . Proof checking technology for satis ability modulo theories . Electron. Notes Theor. Comput. Sci. , 228 : 121 { 133 , January 2009 . [23] R. E. Tarjan . E ciency of a good but not linear set union algorithm . J. ACM , 22 ( 2 ): 215 { 225 , April 1975 .