SLIDE 1

Formally verified constraint solvers

Catherine Dubois (1), Sourour Elloumi (1), Arnaud Gotlieb (2)

  • 1. CEDRIC-ENSIIE, Évry, France
  • 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway

Finite Domains (FD) constraint solvers

Dagstuhl Seminar 15381

SLIDE 3

Do you trust your solver (SAT/SMT/FD/ATP etc.)?

More confidence... Why?

  • Crucial when used to verify safety/business-critical software
  • Necessary if integrated into a skeptical proof assistant as a decision procedure

SLIDE 4

How? Different approaches exist, e.g.

  • The solver produces an answer (yes/no, sat/unsat, sol/unsat etc.) plus evidence / proof witness / trace, more or less informative; a trusted checker verifies the trace (e.g. Isabelle/Z3, Coq/VeriT, ...)
  • Verify the code of an existing solver itself: forget it!
  • Produce a formally verified solver: correct by construction

SAT solvers in PVS (Shankar, Vaucher 2011), Isabelle/HOL (Maric 2010), incremental Simplex algorithm in Isabelle/HOL (Spasic, Maric 2012), Ergo in Coq (Lescuyer, Conchon 2008), LTL model checker in Isabelle (Esparza et al. 2013) ...

SLIDE 5

A family of verified solvers

Our contribution:

  • through a modular and generic architecture for the solver
  • high parametricity: constraints, local consistency, variable-value choices, representation issues ...
  • developed within the Coq proof assistant
  • written in OCaml, extracted from Coq
  • featuring a reasonable efficiency
  • to serve as a verified reference implementation

SLIDE 6

Definition of a (FD) CSP

CSP: Constraint Satisfaction Problem. A CSP (or constraint network) is a triple (X, C, D) where
  • X: a set of variables,
  • C: a set of constraints (relations between variables) over variables of X,
  • D: a function that maps each variable of X to its domain (finite set of possible values).

A solution of (X, C, D) is a valid (compatible with D) assignment defined for all the variables in X that satisfies all the constraints in C. A constraint system is unsatisfiable when it has no solution.

SLIDE 7

A verified solver: what does it mean?

Let us define a Coq function solve that solves a csp. Either solve csp = Some a (a is provided as a solution) or solve csp = None (no solution).

Prove soundness:

  ∀ csp a, wellformed csp → solve csp = Some a → is_solution a csp.
  ∀ csp, wellformed csp → solve csp = None → ∀ a, ¬(is_solution a csp).

Prove completeness:

  ∀ csp a, wellformed csp → is_solution a csp → ∃ a', solve csp = Some a'.
  ∀ csp, wellformed csp → (∀ a, ¬(is_solution a csp)) → solve csp = None.

Extract OCaml code.

SLIDE 8

CSP solving

Main idea of solving algorithms = repeatedly pruning inconsistent values from the domains:
  • Constraint filtering (local consistency)
  • Constraint propagation (local consistency)
  • Variable labeling

Local consistency: arc-consistency, hyper-arc consistency, bound consistency, etc. A constraint is bound consistent (BC) iff when a variable is assigned the minimum or maximum value in its domain, there exist compatible values for all the other variables.

SLIDE 11

Coq formalization of a CSP

A key feature: genericity.
  • variable: any type equipped with a decidable equality
  • value: any type with a decidable equality
  • constraint: also an abstract type; we ask for 2 functions:

  Parameter interp : constraint → value → value → bool.
  (gives the semantics of the constraints)

  Parameter get_vars : constraint → variable × variable.
  (allows us to retrieve the variables of a constraint)

NB: here the definition is for binary constraints.

SLIDE 12

  Record network : Type := Make_csp {
    CVars : list variable ;
    Doms  : mapdomain ;
    Csts  : list constraint }.

with mapdomain: type of maps indexed by variables, with values as lists (without replicates) of elements of type value (built from the Coq map module).

SLIDE 13

Well-formedness of a constraint network

  Record network_inv csp : Prop := Make_csp_inv {
    Dwf  : ∀ x, In x (Doms csp) ↔ In x (CVars csp) ;
      (* the map of domains is defined on the variables of the csp and only those ones *)
    Cwf1 : ∀ (c : constraint) (x1 x2 : variable),
           c ∈ (Csts csp) → get_vars c = (x1, x2) → x1 ∈ (CVars csp) ∧ x2 ∈ (CVars csp) ;
      (* the variables appearing in the constraints are variables of the csp *)
    Cwf2 : ∀ x, x ∈ (CVars csp) → ∃ c, c ∈ (Csts csp) ∧ (fst (get_vars c) = x ∨ snd (get_vars c) = x) ;
      (* each variable is used in at least one constraint *)
    Norm : ∀ c c', c ∈ (Csts csp) → c' ∈ (Csts csp) → get_vars c = get_vars c' → c = c'
      (* two different constraints share at most one variable *) }.
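To make the specification of slides 6, 7 and 13 concrete, here is an added Python model (not the authors' Coq development, and not extracted code): a CSP as the triple (X, C, D), the four well-formedness conditions of network_inv, is_solution, a brute-force solve, and the soundness/completeness statements of slide 7 turned into exhaustive runtime checks on a small constructed instance. Constraints are represented as (x, y, interp) triples, mirroring interp and get_vars of slide 11; all names and instances below are my own.

```python
from itertools import product

# Constructed satisfiable instance: x < y and y < z, every domain {1, 2, 3}.
SAT_CSP = (["x", "y", "z"],
           [("x", "y", lambda a, b: a < b), ("y", "z", lambda a, b: a < b)],
           {"x": [1, 2, 3], "y": [1, 2, 3], "z": [1, 2, 3]})
# Constructed unsatisfiable instance: x < y with D(x) = {3, 4}, D(y) = {1, 2}.
UNSAT_CSP = (["x", "y"],
             [("x", "y", lambda a, b: a < b)],
             {"x": [3, 4], "y": [1, 2]})


def wellformed(csp):
    """network_inv of slide 13: Dwf, Cwf1, Cwf2 and Norm as executable checks."""
    X, C, D = csp
    dwf = set(D) == set(X)                                   # domains defined exactly on X
    cwf1 = all(x in X and y in X for (x, y, _) in C)         # constraint variables are in X
    cwf2 = all(any(v in (x, y) for (x, y, _) in C) for v in X)  # every variable is constrained
    norm = len({(x, y) for (x, y, _) in C}) == len(C)        # same variable pair => same constraint
    return dwf and cwf1 and cwf2 and norm


def is_solution(a, csp):
    """Valid assignment (defined on all of X, compatible with D) satisfying every constraint."""
    X, C, D = csp
    if set(a) != set(X) or any(a[x] not in D[x] for x in X):
        return False
    return all(interp(a[x], a[y]) for (x, y, interp) in C)


def assignments(csp):
    """All assignments compatible with D, in domain order."""
    X, _, D = csp
    return [dict(zip(X, vs)) for vs in product(*(D[x] for x in X))]


def solve(csp):
    """Some a (here: the dict a) when a solution exists, None otherwise."""
    for a in assignments(csp):
        if is_solution(a, csp):
            return a
    return None


def check_spec(csp):
    """The four statements of slide 7, checked on this instance by enumeration.
    Returns None when the precondition `wellformed csp` does not hold."""
    if not wellformed(csp):
        return None
    r = solve(csp)
    sols = [a for a in assignments(csp) if is_solution(a, csp)]
    sound = is_solution(r, csp) if r is not None else not sols
    complete = (r is not None) if sols else (r is None)
    return sound and complete
```

The exhaustive check is only a sanity test on one instance; the Coq theorems on slide 7 quantify over every well-formed csp, which no amount of testing replaces.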

SLIDE 14

A very general/generic propagation engine

A formulation close to AC3 (Mackworth 77):

  Function propagate (doms : mapdomain) (qu : queue elem)
      {wf propagate_wf (doms, qu)} : option mapdomain :=
    if empty qu then Some doms
    else
      let p := next qu in
      let (doms', lvars) := filter p doms in
      if notempty lvars then
        if has_empty_dom lvars doms' then None
        else propagate doms' ((remove qu p) ⊕ (visit_again p lvars))
      else propagate doms (remove qu p)
  end

with the types and functions highlighted in red on the original slide as generic parameters (and also constraints, values, domains).

SLIDE 15

Termination of propagate

We show that each recursive call has decreasing arguments according to some order.

→ Lexicographic order propagate_wf defined on pairs (doms, qu) from the 2 following measures:
  • n_qu = number of elements in the queue,
  • n_doms = sum of the lengths of the domains.

→ The termination proof is also generic: it relies on the fact that when lvars is not empty, some domains strictly decrease (property of filter, aka monotonic propagators):

  Property filter_true : ∀ p doms doms' lvars,
    compat p doms → filter p doms = (doms', lvars) → notempty lvars = true →
    (∀ v, In v lvars → doms'[v] ⊂ doms[v]).

SLIDE 16

Example: binary constraints and arc-consistency

Each constraint c(x, y) is seen as 2 edges in the constraint graph.

[Figure: constraint graph on variables x, y, z with constraints c1, c2, c3]

Definition: c(x, y) is arc-consistent wrt (X, C, D) iff for all u ∈ D(x), there exists at least one value (support) v ∈ D(y) such that c(x := u, y := v) is satisfied.

c ≡ x ≥ y, arc-consistent: D(x) = {1, 2, 3, 4}, D(y) = {1, 2, 3, 4} (the figure marks a support of x = 2).

c ≡ x > y, non arc-consistent: D(x) = {1, 2, 3, 4}, D(y) = {1, 2, 3, 4}; no support for x = 1.

SLIDE 17

  • filter (u, c, v) doms: prune the domain of u such that arc-consistency is achieved for c
  • visit_again c(u, v) lvars (here lvars = [v]): computes the list of the arcs (in blue in the figure) whose arc-consistency may have been modified

[Figure: constraint graph around the edge c between u and v, with the arcs to revisit highlighted]

SLIDE 18

Soundness and completeness of propagation

... according to a local consistency property

The local consistency property is here a parameter: loc_consistent c doms: the constraint c is locally consistent with respect to the domains of its variables.

  • Soundness theorem: local consistency is established for all constraints when the fixpoint is achieved.

  Theorem propagate_sound : ∀ csp d', wellformed csp →
    propagate (Doms csp) (full_queue csp) = Some d' →
    (∀ c, c ∈ (Csts csp) → loc_consistent c d').

SLIDE 20

  • Completeness theorem: all the pruned values were inconsistent for some constraint.

  Theorem propagate_complete : ∀ csp d', wellformed csp →
    propagate d (full_queue csp) = Some d' →
    (∀ x, d(x) ≠ d'(x) → (∀ v, v ∈ d(x) − d'(x) → ∃ c, ¬(loc_consistent c d[x:=v]))).

where d = Doms csp and d[x:=v] is defined by d[x:=v](x) = {v} and d[x:=v](y) = d(y) for y ≠ x.

SLIDE 21

Both theorems require soundness and completeness of filter and also the following property:

  Property not_visit_again : ∀ csp p doms doms' lvars,
    filter p doms = (doms', lvars) → notempty lvars = true →
    (∀ p', p' ∉ (visit_again p lvars) → loc_consistent p p' doms → loc_consistent p p' doms').

→ justifies what is *not* added to the worklist after a filtering step.
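The following added Python model (my own code, not the authors' Coq engine or its OCaml extraction) instantiates the generic propagate of slide 14 with binary constraints and arc-consistency (slides 16 and 17), records whether every step decreases the termination measure of slide 15, and checks the propagate_sound and propagate_complete statements of slides 18 to 20 at run time on a constructed instance. Arcs are the triples (u, c, v) of slide 17; the queue is deduplicated, which is an implementation choice, and the lexicographic measure is taken with n_doms first, since the queue may grow when a domain shrinks. All names and instances below are assumptions of this example.

```python
from collections import deque


class Constraint:
    """Binary constraint c(x, y) with interp : value -> value -> bool (slide 11)."""
    def __init__(self, name, x, y, interp):
        self.name, self.x, self.y, self.interp = name, x, y, interp

    def get_vars(self):
        return (self.x, self.y)

    def other(self, u):
        return self.y if u == self.x else self.x


def has_support(c, u, val, doms):
    """Some v in D(other) with c(u := val, other := v) satisfied (slide 16)."""
    w = c.other(u)
    for v in doms[w]:
        a = {u: val, w: v}
        if c.interp(a[c.x], a[c.y]):
            return True
    return False


def loc_consistent(c, doms):
    """The local consistency parameter, here arc-consistency in both directions."""
    return (all(has_support(c, c.x, u, doms) for u in doms[c.x]) and
            all(has_support(c, c.y, v, doms) for v in doms[c.y]))


def filter_arc(p, doms):
    """filter (u, c, v) doms of slide 17: prune D(u) to its supported values.
    Returns (doms', lvars); lvars = [u] exactly when D(u) shrank (monotonic)."""
    u, c, _ = p
    kept = [val for val in doms[u] if has_support(c, u, val, doms)]
    if len(kept) == len(doms[u]):
        return doms, []
    doms2 = dict(doms)
    doms2[u] = kept
    return doms2, [u]


def visit_again(p, lvars, csts):
    """Arcs whose consistency may have changed: the opposite end of every
    other constraint on a shrunk variable (the arc's own constraint is skipped)."""
    _, c, _ = p
    return [(c2.other(u), c2, u) for u in lvars for c2 in csts
            if c2 is not c and u in c2.get_vars()]


def full_queue(csts):
    """Each constraint contributes two arcs, one per direction."""
    return [(c.x, c, c.y) for c in csts] + [(c.y, c, c.x) for c in csts]


def measure(doms, qu):
    """Termination measure of slide 15, lexicographic with n_doms first."""
    return (sum(len(d) for d in doms.values()), len(qu))


def propagate(doms, qu, csts, trace=None):
    """The propagate engine of slide 14: fixpoint domains, or None when a
    domain became empty. `trace` records whether each step decreased the measure."""
    qu = deque(qu)
    while qu:
        before = measure(doms, qu)
        p = qu.popleft()
        doms2, lvars = filter_arc(p, doms)
        if lvars:
            if any(not doms2[v] for v in lvars):
                return None
            for arc in visit_again(p, lvars, csts):
                if arc not in qu:
                    qu.append(arc)
            doms = doms2
        if trace is not None:
            trace.append(measure(doms, qu) < before)
    return doms


def check_theorems(doms, csts):
    """propagate_sound and propagate_complete (slides 18-20) on one instance.
    Returns (d', sound, complete, measure_always_decreased), or None if unsat."""
    trace = []
    d2 = propagate(doms, full_queue(csts), csts, trace)
    if d2 is None:
        return None
    sound = all(loc_consistent(c, d2) for c in csts)
    complete = True
    for x in doms:
        for v in doms[x]:
            if v in d2[x]:
                continue                       # v was not pruned
            dxv = dict(doms)
            dxv[x] = [v]                       # d[x := v] of slide 20
            complete = complete and any(not loc_consistent(c, dxv) for c in csts)
    return d2, sound, complete, all(trace)


# Constructed instance (not from the slides): x < y, y < z over {1, 2, 3}.
EXAMPLE_CSTS = [Constraint("c1", "x", "y", lambda a, b: a < b),
                Constraint("c2", "y", "z", lambda a, b: a < b)]
EXAMPLE_DOMS = {"x": [1, 2, 3], "y": [1, 2, 3], "z": [1, 2, 3]}
# Constructed unsatisfiable instance: x < y and y < x over {1, 2}.
UNSAT_CSTS = [Constraint("c1", "x", "y", lambda a, b: a < b),
              Constraint("c2", "y", "x", lambda a, b: a < b)]
UNSAT_DOMS = {"x": [1, 2], "y": [1, 2]}
```

On the satisfiable instance the fixpoint is D(x) = {1}, D(y) = {2}, D(z) = {3}; every pruned value, put back alone into its variable's domain, leaves some constraint non arc-consistent, which is exactly what propagate_complete promises. On the unsatisfiable instance propagate returns None.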

SLIDE 22

Current status

  • A first solver based on Coq and extracted from Coq: binary constraints, arc-consistency, domains as finite lists, elementary heuristic for labeling; already generic: parameterized by the type of values and variables; featuring AC3/AC2001 propagation; 8500 LOC of Coq; published in FM 2012, http://www.ensiie.fr/~dubois/CoqsolverFD
  • Extension for taking into account bound-consistency: mimic and update the previous Coq files
  • Verified decomposition of ternary constraints into binary constraints
  → generic architecture (n-ary constraints, local consistency): under construction

SLIDE 23

Extension 1: the alldiff global constraint

alldiff(x1, ..., xn): all variables x1, ..., xn must be pairwise different. Decomposition into a set of binary inequalities:

  { xi ≠ xj | 1 ≤ i < j ≤ n }

→ loss in filtering level.
→ dedicated filtering/propagation algorithms (e.g. Regin 94)

Example: alldiff(x1, x2, x3) with D(x1) = D(x2) = {1, 2} and D(x3) = {2, 3}.
  • Binary decomposition: nothing to filter.
  • Global constraint (AC): value 2 is removed from D(x3), giving D(x3) = {3}.

SLIDE 24

Filtering algorithm (Regin 94) relies on: graph theory, maximal matching, connected components, Berge's theorem etc.

Theorem (Berge (1957)): a matching m in a graph g is maximum iff there is no augmenting path for m in g.

[Figure: value graph with variables x1, x2, x3 and values 1, 2, 3, shown in three steps: a matching; an augmenting path; the augmenting path turned into a maximum matching]

SLIDE 27

Work in progress: computation of a maximum matching
  • verification a posteriori: development of a verified checker (JFLA 2015); witness = vertex cover; verification that the matching and the vertex cover are 2 sets with the same cardinality
  • verification of the algorithm in Coq: proof of Berge's theorem: in progress
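As an added example for slides 23, 24 and 27 (my own Python, not the authors' Coq or OCaml code and not Regin's full algorithm), the alldiff instance of slide 23 is filtered two ways: arc-consistency on the binary decomposition, which prunes nothing, and a global filtering on the variable/value graph that keeps a value v of x only if some matching covering every variable uses the edge (x, v). The matching itself is computed with Berge's criterion of slide 24, by repeatedly searching augmenting paths. A last function models the a-posteriori check of slide 27: given a matching and a vertex cover of the same cardinality, the matching is maximum (König's theorem), so the checker never has to trust the matching algorithm. The strongly-connected-component refinement of Regin's algorithm is deliberately not reproduced; all names are assumptions of this example.

```python
# Constructed instance from slide 23: D(x1) = D(x2) = {1, 2}, D(x3) = {2, 3}.
ALLDIFF_DOMS = {"x1": [1, 2], "x2": [1, 2], "x3": [2, 3]}


def max_matching(doms, forced=None):
    """Augmenting-path (Kuhn) algorithm on the bipartite variable/value graph.
    Returns {variable: value}. `forced` = (x0, v0) keeps x0 matched to v0 and
    matches the other variables around that edge."""
    match_val = {}                             # value -> variable
    if forced is not None:
        x0, v0 = forced
        if v0 not in doms[x0]:
            raise ValueError("forced edge is not in the value graph")
        match_val[v0] = x0

    def augment(x, seen):
        """Berge: an augmenting path from free variable x, if one exists."""
        for v in doms[x]:
            if v in seen or (forced is not None and v == forced[1]):
                continue
            seen.add(v)
            if v not in match_val or augment(match_val[v], seen):
                match_val[v] = x
                return True
        return False

    for x in doms:
        if forced is None or x != forced[0]:
            augment(x, set())
    return {x: v for v, x in match_val.items()}


def alldiff_filter(doms):
    """Global filtering: (x, v) survives iff a matching covering all
    variables uses it (Regin's criterion, checked by re-matching)."""
    n = len(doms)
    return {x: [v for v in vs if len(max_matching(doms, (x, v))) == n]
            for x, vs in doms.items()}


def decomposition_ac(doms):
    """Arc-consistency on the binary decomposition {x_i != x_j}: v leaves D(x)
    only when some other domain is exactly {v}."""
    doms = {x: list(vs) for x, vs in doms.items()}
    changed = True
    while changed:
        changed = False
        for x in doms:
            for y in doms:
                if x != y and len(doms[y]) == 1 and doms[y][0] in doms[x]:
                    doms[x].remove(doms[y][0])
                    changed = True
    return doms


def check_maximum(doms, matching, cover):
    """A-posteriori checker in the spirit of slide 27: `matching` is a matching
    of the value graph, `cover` is a vertex cover (vertices tagged ("var", x)
    or ("val", v)) and both have the same cardinality; then the matching is
    maximum, whatever algorithm produced it."""
    edges = {(x, v) for x in doms for v in doms[x]}
    if any((x, v) not in edges for x, v in matching.items()):
        return False
    if len(set(matching.values())) != len(matching):   # two variables on one value
        return False
    if any(("var", x) not in cover and ("val", v) not in cover for x, v in edges):
        return False
    return len(cover) == len(matching)
```

On the slide's instance, decomposition_ac returns the domains unchanged while alldiff_filter yields D(x3) = {3}, reproducing the difference in filtering level that motivates the dedicated algorithm; the three variable vertices form a cover of size 3, which certifies the size-3 matching as maximum.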

SLIDE 28

Extension 2: FD constraint solving as Coq tactics

One or several reflexive tactics to:
  • solve a (FD) CSP
  • strengthen domains of variables
  • prove by contradiction

  Lemma L1 : forall x y : nat, 0 <= x <= 5 -> 0 <= y <= 5 -> x < y -> P.
  Proof.
    intros.
    assert (0 <= x < 5 /\ 0 < y <= 5).
    omega.
    ...

Or with a filtering tactic:

  Lemma L1 : forall x y : nat, 0 <= x <= 5 -> 0 <= y <= 5 -> x < y -> P.
  Proof.
    intros.
    filter_on x y.
    ...

  H  : 0 <= x < 5
  H0 : 0 < y <= 5
  H1 : x < y
  ___________________________
  P