Semi-automatic proof of Strong connectivity - PowerPoint PPT Presentation

Semi-automatic proof of Strong connectivity jean-jacques.levy@inria.fr journées PPS, 12-10-2017 1

Plan • motivation • algorithm • formal proof • other systems • conclusion .. joint work (in progress) with Ran Chen [VSTTE 2017]) also cooperation with Cyril Cohen, Laurent Théry, Stephan Merz 2

Motivation • nice algorithms simple formal proofs • fully published in articles or journals • how to publish formal proofs ? • formal proofs should be exact and readable (by human) • mix automatic and interactive proofs • first-order logic is easy to understand, but not expressive • algorithms on graphs = a good testbed 3

One - pass linear - time algorithm [tarjan 1972] 4

Depth - first - search 5 6 0 1 0 1 7 2 5 8 3 6 9 2 3 8 4 7 4 9 graph spanning tree (forest) 5

The algorithm ( 1 / 3 ) 5 6 0 1 0 1 7 2 5 8 3 6 9 2 3 8 4 7 4 9 3 SCCs ( strongly connected components ) 3 vertices are their bases 6

The algorithm ( 2 / 3 ) 0 1 1 0 1 1 1 5 4 1 1 2 5 8 8 8 2 5 2 4 5 1 1 3 6 9 3 6 9 3 9 2 5 2 4 7 4 7 4 ∗ LOWLINK ( x ) = min ( { num [ x ] } ∪ { num [ y ] | x = ⇒ , → y ∧ x and y are in same connected component } ) 7

The algorithm ( 3 / 3 ) successive values of the working stack 1 1 1 1 1 1 1 1 1 0 0 0 1 2 2 2 2 2 2 2 2 1 increasing rank 3 3 3 3 3 3 3 2 2 5 8 4 4 4 4 4 4 3 3 6 9 5 5 5 8 8 4 6 6 9 5 4 7 7 6 8

The program e l y t s e • print each component on a line v i t a r e p m I 9

Proof in algorithms books ( 1 / 2 ) • consider the spanning trees (forest) • tree structure of strongly connected components • 2-3 lemmas about ancestors in spanning trees ∗ LOWLINK ( x ) = min ( { num [ x ] } ∪ { num [ y ] | x = ⇒ , → y ∧ x and y are in same connected component } ) 10

Proof in algorithms book ( 2 / 2 ) • give the program • proof program • that part of the proof is very informal 11

e1.stack Our program ( 1 / 3 ) s3 x s2 g n i m m a r g o r p l a n o i t returns LOWLINK (x) and new environment c n u F 12

Formal proof 3 y h W g n i s u 13

Plan of proof ( 1 / 2 ) • define reachability in graphs and SCCs • prove a few lemmas about positions in stacks ( ranks ) • define invariants on environments • give pre-post conditions for functions • add a few intermediate assertions in function bodies • avoid paths, prefer edges 14

Plan of proof ( 2 / 2 ) • vertices have colors - white = unvisited - gray = being visited - black = visited • invariant on environment stack sccs increasing number increasing rank cc2 cc1 ccn vertex in stack reaches all vertices with higher rank 15

Invariants 16

Pre/Post - conditions e’.stack e.stack e.sccs e’.sccs ⊆ e.blacks e’.blacks ⊆ e.grays = e’.grays x 17

e1.stack Assertions s3 x s2 Coq [ http://jeanjacqueslevy.net/why3/graph/abs/scct/1-7/scc.html ] 18

s1=e1.stack Assertions s3 Coq • proof by contradiction: 9 y, in same scc y x ^ y 62 s 2 x reachable x x 0 ^ edge x 0 y 0 ^ reachable y 0 y ^ x 0 2 s 2 ^ y 0 62 s 2 • 9 x 0 y 0 , s2 • 3 cases: y 0 is white [1] y 0 is black then y 0 ∈ successors x x 0 = x x 0 6 = x then x 0 is black ¬ no black to white b 1 g 1 y 0 ∈ e1.sccs then in same scc y 0 x [2] x is black rank y 0 s 1 < rank x s 1 y 0 ∈ s 3 e1.num [ y 0 ] < e1.num [ x ] = e.num [ x ] = n [3] then y 0 ∈ successors x x 0 = x n 1 ≤ e1.num [ y 0 ] x 0 6 = x then xedge to s 1 ( Cons x s 3) y 0 19

Proof stats [ http://jeanjacqueslevy.net/why3/graph/abs/scct/1-7/scc.html ] 20

Other systems 21

Coq / ssreflect [cyril cohen, laurent théry, JJL] • port in 1 week • graphs and finite sets already in mathematical components • problems with termination (hacky & higher-order) • 920 lines [http://github.com/CohenCyril/tarjan] 22

Isabelle / HOL [stephan merz] • port in 1 month • use many strategies (metis, blast, sledgehammer) • still problems with proving termination • 31 pages [http://jeanjacqueslevy.net/why3/graph/abs/scct/isa/Tarjan.pdf] 23

F* [kenji maillard, catalin hritcu] • start discuss with them • Z3 single automatic prover • ?? 24

Conclusion 25

Future work • library for formal proofs on graphs • other graph algorithms • beyond graphs … • teaching formal methods on test cases • imperative programs [http://jeanjacqueslevy.net/why3] 26