Alt-Ergo
An SMT Solver for Software Verification
Mohamed Iguernelala — OCamlPro SAS
About ...
About the Speaker
Who am I?
- Mohamed Iguernelala
- Senior R&D engineer at OCamlPro SAS
- Research associate in the VALS team, LRI
My research topics
- Satisfiability Modulo Theories (SMT)
- Combining rewriting and SMT techniques
- Designing and combining decision procedures for SMT
Formerly, I was a PhD student in the VALS team
Maintainer of the Alt-Ergo SMT solver at OCamlPro
About OCamlPro
Help companies to use OCaml in industrial projects ...
Developments on demand in OCaml
Developments to promote the use of OCaml
- OPAM package manager
- the Typerex toolbox (IDE, memory/GC profilers, libs, ...)
Code analysis and optimization
- analysis of OCaml code
- introduction of new optimization passes in the OCaml compiler
- tools for numerical calculus (Scilab, Modelica)
Formal methods
- maintenance and improvement of Alt-Ergo
The Origins of Alt-Ergo ...
History of Alt-Ergo
Preliminary work by Sylvain Conchon in 2002 on decision procedures and their combination:
- Combining Shostak theories
- Generic framework for combining decision procedures à la Nelson-Oppen
SMT solvers at that time:
- Simplify (DEC/Compaq/HP)
- SVC, CVC (Stanford)
- ICS (SRI)
- UCLID (Berkeley)
History of Alt-Ergo: Motivations
Deductive program verification platforms at that time:
- ESC/Java (DEC/Compaq/HP)
- Why/Caduceus/Krakatoa (LRI)
Main motivations:
- An automatic theorem prover for Why
- Polymorphic first-order logic with built-in theories (free equality, linear arithmetic) similar to Why's syntax
- Certification (in Coq)
History of Alt-Ergo: First Release in 2006
70's : Stanford Pascal Verifier (Nelson-Oppen combination)
1984 : Shostak algorithm
1992 : Simplify
1995 : SVC
2001 : ICS
2002 : CVC, UCLID
2004 : CVC Lite
2005 : Barcelogic, MathSAT
2005 : Yices
2006 : CVC3, Alt-Ergo
2007 : Z3, MathSAT4
2008 : Boolector, OpenSMT, Beaver, Yices2
2009 : STP, VeriT
2010 : MathSAT5, SONOLAR
2011 : STP2, SMTInterpol
2012 : CVC4
Tools Using Alt-Ergo Today
SPARK 2014, EasyCrypt and Atelier-B use it via Why3
Alt-Ergo: Contributors
Project leaders:
- Sylvain Conchon
- Evelyne Contejean
PhD students:
- Stephane Lescuyer (reflexive Coq tactic)
- Mohamed Iguernelala (AC, arithmetic, SAT)
- Claire Dross (quantifiers, user-defined axiomatic theories)
Post-docs, interns, engineers:
- Francois Bobot (arithmetic, case-split analysis)
- Denis Cousineau (prototype of lightweight Coq traces)
- Johannes Kanig (Coq traces)
- Alain Mebsout (altgr-ergo, DO-178C)
- Cody Roux (prototype of a floating-point theory)
Alt-Ergo @ OCamlPro ...
What Can OCamlPro Do For Alt-Ergo
at OCamlPro:
- Better reactivity for bug fixes
- Improving performance and expressiveness, even where there are no research challenges
- Commercial support and services on demand
in collaboration with the VALS team:
- Exploring research/theoretical aspects such as designing new decision procedures and their combination
Alt-Ergo @ OCamlPro: Code Base
Alt-Ergo @ OCamlPro: Devel & Release Processes
Releases Since September 2013
September 2013  public release 0.95.2
October 2013    private release 0.99
July 2014       Try Alt-Ergo 0.99
December 2014   public release 0.99.1
December 2014   private release 1.00-beta
January 2015    private release 1.00
January 2015    Try Alt-Ergo 1.00
Under the Hood ...
General Architecture (Alt-Ergo 1.00)
Input Language: Similar to (Old) Why's Syntax
(* this is a comment *)
type 'a list (* abstract parametric type *)
logic nil: 'a list (* function symbol of arity 0 *)
logic cons: 'a, 'a list -> 'a list
logic length: 'a list -> int
(* implicit quantification over a type variable 'a *)
axiom a1: length(nil) = 0
axiom a2:
  forall x:'a. forall l:'a list.
    length(cons(x,l)) = 1 + length(l)
goal g: forall x:'a. length(cons(x,nil)) = 1
Frontend
Typing: à la ML, with prenex polymorphism
Triggers inference:
- Compute triggers ("guards") that will be used to generate ground instances from universally quantified formulas
Example, axiom a2:
  forall x:'a. forall l:'a list.
    length(cons(x,l)) = 1 + length(l)
- The type variable 'a is implicitly universally quantified
- Possible "good" triggers are cons(x, l) and length(cons(x, l)). They cover all variables and type variables
No additional pre-processing steps in Alt-Ergo's frontend!
SAT Solver(s)
A "default" DPLL solver, coded in a functional style:
- Efficient in the context of deductive program verification
- No "clause learning" when backjumping
- BCP modulo theories
- Lazy CNF conversion
- Instances generated in one branch of the SAT search are ignored when looking for a model in another branch
A CDCL solver inspired by MiniSat, coded in an imperative style:
- Efficient when complex propositional reasoning is needed
- Clause learning when backjumping
- All the instances generated during the matching process are kept in the SAT solver's environment
Matching
Generates ground "consequences" from universally quantified formulas
Works by matching techniques:
- if a universally quantified formula ∀x. F(x) is "guarded" by a trigger g(h(x))
- if some ground term g(h(a)) is present in the decision procedures' environment
- then, add the instance F(a) to the SAT solver's context
Matching Modulo
The matching process is done:
(1) modulo the equalities that are true when matching:
- the trigger g(h(x)) "matches" the term g(c) modulo the equality c = h(b).
- the resulting substitution is {x ↦ b}
(2) modulo the theory of records:
- the trigger {field1 = x; field2 = y} "matches" any ground term r of the same type in the decision procedures' context.
- the resulting substitution is: {x ↦ r.field1; y ↦ r.field2}
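The trigger-inference step of the Frontend slide and the two matching slides, as one small worked example in Python. It is added here and is not Alt-Ergo's code: it infers candidate triggers for axiom a2 of the input-language slide, keeps a union-find over ground terms closed under congruence as a stand-in for the decision procedures' environment, and matches a trigger against that environment modulo the recorded equalities, reproducing the g(h(x)) / g(c) / c = h(b) case. The term encoding, the INTERPRETED symbol set and the two demo functions are assumptions of this example; types, type variables and the record case are not modelled.

```python
# Toy E-matching in the style the "Matching" slides describe: trigger inference,
# a union-find over ground terms closed under congruence, and matching modulo the
# recorded equalities. Illustration added here, not Alt-Ergo's own code. Encoding
# assumed here: a variable is a str starting with '?', an application is a tuple
# (symbol, arg1, ..., argN), a constant is ('c',). Types are ignored.

INTERPRETED = {"=", "+", "-", "*", "<", "<="}  # never used as trigger heads

def is_var(t):
    return isinstance(t, str)

def variables(t):
    """Variables occurring in t."""
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))

def subterms(t):
    """All subterms of t, t included."""
    return {t} if is_var(t) else {t}.union(*(subterms(a) for a in t[1:]))

def infer_triggers(body):
    """Candidate triggers: uninterpreted application subterms covering every
    variable of the formula, so that one match fixes the whole substitution."""
    vs = variables(body)
    return sorted((s for s in subterms(body) if not is_var(s)
                   and s[0] not in INTERPRETED and vs and variables(s) == vs), key=str)

class GroundEnv:
    """Union-find over ground terms, kept closed under congruence: if the
    arguments of two applications of one symbol are equal, so are the applications."""

    def __init__(self):
        self.parent, self.terms = {}, set()

    def add(self, t):
        for s in subterms(t):
            self.parent.setdefault(s, s)
            self.terms.add(s)

    def find(self, t):
        while self.parent[t] != t:
            t = self.parent[t]
        return t

    def equal(self, a, b):
        return self.find(a) == self.find(b)

    def assert_eq(self, a, b):
        """Record the ground equality a = b, then re-close under congruence."""
        self.add(a)
        self.add(b)
        self.parent[self.find(a)] = self.find(b)
        changed = True
        while changed:  # naive fixpoint; fine for a handful of terms
            changed = False
            ts = list(self.terms)
            for i, s in enumerate(ts):
                for t in ts[i + 1:]:
                    if (s[0] == t[0] and len(s) == len(t) and not self.equal(s, t)
                            and all(self.equal(x, y) for x, y in zip(s[1:], t[1:]))):
                        self.parent[self.find(s)] = self.find(t)
                        changed = True

def match(env, pattern, term, subst=None):
    """All substitutions making pattern equal to term modulo env's equalities."""
    subst = {} if subst is None else subst
    if is_var(pattern):
        if pattern in subst:  # already bound: the binding must agree modulo E
            return [subst] if env.equal(subst[pattern], term) else []
        return [{**subst, pattern: term}]
    results = []
    for t in env.terms:  # any term in the class of `term` with the right head may match
        if env.equal(t, term) and t[0] == pattern[0] and len(t) == len(pattern):
            partial = [subst]
            for p, a in zip(pattern[1:], t[1:]):
                partial = [s2 for s1 in partial for s2 in match(env, p, a, s1)]
            results.extend(partial)
    return results

def instantiate(body, subst):
    if is_var(body):
        return subst.get(body, body)
    return (body[0],) + tuple(instantiate(a, subst) for a in body[1:])

def demo_modulo_equality():
    """Slide example: g(h(x)) matches g(c) modulo c = h(b), giving {x -> b}."""
    env = GroundEnv()
    env.add(("g", ("c",)))
    env.assert_eq(("c",), ("h", ("b",)))
    return match(env, ("g", ("h", "?x")), ("g", ("c",)))

# axiom a2 of the input-language slide: length(cons(x, l)) = 1 + length(l)
A2_BODY = ("=", ("length", ("cons", "?x", "?l")), ("+", ("1",), ("length", "?l")))

def demo_list_axiom():
    """Infer a2's triggers, then instantiate a2 from goal g's term length(cons(a, nil))."""
    triggers = infer_triggers(A2_BODY)
    env = GroundEnv()
    env.add(("length", ("cons", ("a",), ("nil",))))
    trig = triggers[0]  # cons(x, l); the other candidate gives the same instance
    insts = [instantiate(A2_BODY, s) for t in env.terms if t[0] == trig[0]
             for s in match(env, trig, t)]
    return triggers, insts
```

Running demo_list_axiom() returns the two candidate triggers the Frontend slide names, cons(x, l) and length(cons(x, l)), and the single ground instance length(cons(a, nil)) = 1 + length(nil) that the SAT solver would receive; demo_modulo_equality() returns the substitution {x ↦ b}. The congruence fixpoint in assert_eq is quadratic and stands in for the union-find modulo theories that the combination slides describe.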
Decision Procedures: Supported Theories
- The free theory of equality with uninterpreted symbols
- Linear arithmetic over integers and rationals
- Non-linear arithmetic
- Polymorphic functional arrays
- Enumerated datatypes
- Record datatypes
- Associative and commutative (AC) symbols
- Fixed-size bit-vectors with concatenation and extraction
Decision Procedures: Combination Architecture (1/3)
Convex equational theories
- Produces a union-find data structure modulo theories
Decision Procedures: Combination Architecture (2/3)
Non-convex or non-equational theories
- This part has access to the union-find data structure constructed so far
- Case-split analysis over finite domains is needed for completeness
Decision Procedures: Combination Architecture (3/3)
- The case-split module maintains two environments:
  - real theory env
  - real theory env + guesses (for values over finite domains)
- All components are implemented in a pure functional style, which facilitates backtracking
Decision Procedures: Theoretical Foundations
- CC(X): Semantical Combination of Congruence Closure with Solvable Theories
- AC(X): Canonized Rewriting and Ground AC Completion Modulo Shostak Theories
- A Simplex-based extension of Fourier-Motzkin for solving linear integer arithmetic
- A Collaborative Framework for Non-Linear Integer Arithmetic Reasoning in Alt-Ergo
- Combining Shostak Theories (work in progress)
More on alt-ergo.lri.fr
Current Funding / R&D Projects ...
OCamlPro / BWare (2012 — 2016)
Extend Atelier-B with state-of-the-art automatic solvers
- We did a lot of optimizations in different parts of Alt-Ergo to make it scale on B proof obligations
- We developed profiling tools to monitor the solver and quickly detect the parts that need improvements
- We identified some theoretical challenges on which we are currently working
OCamlPro / SOPRANO (2014 — 2018)
Explore new combination schemes and tackle hard theories
- Integrate floating-point arithmetic in Alt-Ergo
- Extend the theory of bit-vectors (bitwise operators, conversion from/to bounded integers, ...)
- Generate models when formulas are satisfiable
Performances of Alt-Ergo 1.00 ...
Quick Comparison Between Different Versions
                          public release   public release   private release
                          0.95.2           0.99.1           1.00
Proved valid              15980            16334            17638
Proved valid (%)          84.01 %          85.77 %          92.62 %
Required time (seconds)   10831            10504            9767
Average speed             1.47             1.55             1.81
(formulas / second)
- timeout = 60 seconds, benchmark of 19044 formulas
- some formulas are known to be invalid
- some formulas need inductive reasoning
Zoom on BWare Benchmarks (1/2)
                          before the project    private release   1.00 + dedicated
                          started (v. 0.95.1)   1.00              options
Proved valid              5696                  10287             10422
Proved valid (%)          53.73 %               97.03 %           98.30 %
Required time (seconds)   4081                  5578              3045
Average speed             1.40                  1.84              3.43
(formulas / second)
- timeout = 60 seconds, benchmark of 10602 formulas
- success rate of Atelier-B's automatic prover = 86 %
- remaining formulas (14 %) proved interactively
- dedicated options: no E-matching, one trigger per axiom (default value is 2)
Zoom on BWare Benchmarks (2/2)
Main Changes in Version 1.00 (w.r.t. 0.99.x)
- 20 bug fixes
- Two new OCamlPro plugins (profiling and linear integer arithmetic inequalities)
- A lot of improvements in different data structures
- Improvements/rewriting/simplification of many components and algorithms
- Enhancement of SAT and instantiation heuristics
- ...
More on http://www.ocamlpro.com/blog/index.html