AltGr-Ergo, a Graphical User Interface for the SMT Solver Alt-Ergo

Sylvain Conchon (LRI, Université Paris-Sud, Orsay, France), Mohamed Iguernlala (OCamlPro SAS, Gif-sur-Yvette, France), Alain Mebsout (The University of Iowa, Iowa City, USA)

Autexier, S. and Quaresma, P. (Eds.): Proceedings of the 12th International Workshop on User Interfaces for Theorem Provers (UITP 2016), EPTCS 239, 2017, pp. 1–13, doi:10.4204/EPTCS.239.1

Abstract. Due to the undecidability and complexity of first-order logic, SMT solvers may not terminate on some problems or may require a very long time. When this happens, one would like to find the reasons why the solver fails. To this end, we have designed AltGr-Ergo, an interactive graphical interface for the SMT solver Alt-Ergo which allows users and tool developers to help the solver finish some proofs. AltGr-Ergo gives real-time feedback in order to evaluate and quantify the progress made by the solver, and also offers various syntactic manipulation options to allow a finer-grained interaction with Alt-Ergo. This paper describes these features and their implementation, and gives usage scenarios for most of them.

1 Introduction

Alt-Ergo is an SMT solver designed for checking logical formulas generated by deductive program verification frameworks. For instance, Alt-Ergo is used as a back-end in the Why3 platform [9]. It is also used to discharge formulas derived from C programs in Frama-C [11], from Ada programs in SPARK [2] or from B machines in Atelier-B [4, 7].

The Alt-Ergo input files produced by such tools share the same structure. They start with a prelude that contains a set of definitions (data types and logical symbols) and axioms for the encoding of theories specific to program verification (complex data structures, memory models, etc.). The rest of the file contains a proof obligation (PO) generated by a weakest precondition calculus.

Alt-Ergo checks such input files by using a combination of decision procedures (SAT, simplex, congruence closure, etc.) for reasoning about builtin theories (Booleans, arithmetic, equality, etc.) and a matching algorithm for instantiating quantified formulas.

Due to the undecidability of first-order logic, Alt-Ergo may not terminate on some problems. When this happens, one would like to find the reasons why the solver fails. Most of the time, Alt-Ergo is either overwhelmed by a huge number of useless instances of axioms (causing a high activity in its decision procedures), or it fails to produce the good instances of lemmas that are mandatory to prove a goal.

A possibility for inspecting the internals of the solver is to output debugging information. This is however impractical because there are simply too many things to display and the output rapidly becomes unreadable. To help users (or developers) find out and understand what is going on, we have designed AltGr-Ergo, a graphical user interface for Alt-Ergo. As shown in Figure 1, our GUI displays at runtime crucial profiling information about the internal activities of the solver (time spent in decision procedures, number of instantiations, etc.). Some interaction features have also been added so that one can manually help the solver prove a goal (manual instances of lemmas, selection of hypotheses, etc.).

The main features of AltGr-Ergo are described in the next sections. The interface can display the following profiling information:

• unsat cores (Section 3.1)
• number of instances produced by axiom (Section 3.2)
• time spent in decision procedures (Section 3.3)

Interactive features include the following syntactic manipulations:

• pruning operations (Sections 4.1 and 4.2) for deactivating some part of the prelude;
• manual instances of lemmas (Section 4.3);
• selection and modification of triggers (Section 4.4) to change the heuristics used to guide the matching algorithm.

Last but not least, AltGr-Ergo provides a session mechanism (Section 4.5) which allows a user to save and replay all his modifications (selections, manual instances, etc.) on a given problem.

Figure 1: Overview of AltGr-Ergo's interface

2 A Short Introduction to Alt-Ergo

In order to understand some aspects of the graphical interface, we briefly present in this section Alt-Ergo's syntax and a high-level overview of its main components.

The input language of Alt-Ergo is an extension of first-order logic with builtin theories and prenex polymorphism¹ à la ML [3]. Figure 2 shows a small proof obligation written in Alt-Ergo's syntax: first, a type symbol set parameterized by a type variable α is declared. Then, a polymorphic function (resp. predicate) symbol add (resp. mem) is introduced. After that, an axiom mem_add that gives the meaning of membership over the add symbol is stated. Finally, two integer symbols a and b, two symbols s1 and s2 of type set of integers, and a goal are given.

In addition to the Boolean connective "→", the "toy goal" mixes symbols from two theories: the free theory of equality (mem, add, a, b, ...) and linear arithmetic (+, -, 1). It is made of two parts: the hypotheses a = b + 1 and s2 = add(b, s1), and the conclusion mem(a - 1, add(b, s1)) that we would like to prove valid. Thanks to the second hypothesis and a ground instance of axiom mem_add (where x is replaced by a - 1, y by b, s by s1 and α by int), the conclusion is equivalent to (a - 1 = b ∨ mem(a - 1, s1)). Moreover, the latter formula always holds because a - 1 = b is equivalent to the first hypothesis modulo linear arithmetic. We thus conclude that the goal is valid.

  type α set
  logic add: α, α set → α set
  logic mem: α, α set → prop
  axiom mem_add: ∀ x, y: α. ∀ s: α set. mem(x, add(y, s)) ↔ (x = y ∨ mem(x, s))
  logic a, b: int
  logic s1, s2: int set
  goal g: a = b + 1 → s2 = add(b,s1) → mem(a - 1, s2)

Figure 2: An example problem in Alt-Ergo's syntax

Alt-Ergo handles such proof obligations following the architecture given in Figure 3. The solver can be called either via its command line "alt-ergo" or via its graphical user interface "altgr-ergo". The front end provides some basic operations such as parsing, type-checking, trigger inference² and translation of input formulas to richer data structures manipulated by back-end modules.

The SAT solver plays a central role in Alt-Ergo. Given a formula, it tries to build a (partial) Boolean model for the ground part that is neither contradicted by the decision procedures nor by the instances generated from (universally quantified) axioms. Its main operations are guessing truth values of (immediate) sub-formulas appearing in disjunctions (decision) and propagating unit facts that have been deduced (bcp).

¹ Type variables, if any, are prenex and implicitly universally quantified.
² This notion is crucial to control how axioms are instantiated, and is explained at the end of this section.

Figure 3: Alt-Ergo's simplified architecture (diagram: a .why problem is turned into an AST by the front end; the SAT solver exchanges literals with the decision procedures and asks the axioms module for instances; its SAT/UNSAT answer becomes the yes/no result, and feedback is sent to the GUI, AltGr-Ergo)

Atomic formulas (literals) are sent to the "decision procedures" to check if they are consistent in the union of supported theories, and universally quantified formulas are sent to an "axioms instantiation" engine. If an inconsistency that does not involve any decision is detected, the given goal is valid³. Otherwise, when the SAT reaches a fix-point (i.e. succeeds in building a Boolean model), it asks the "axioms instantiation" part for some new ground instances. These instances are added to the SAT's context and reasoning continues.

The decision procedures component provides a combination of decision algorithms for a collection of built-in theories. Alt-Ergo supports some theories that are useful in the context of program verification, such as the free theory of equality with uninterpreted symbols, linear arithmetic over integers and rationals, fragments of non-linear arithmetic, polymorphic functional arrays with extensionality, enumerated and record datatypes, and associative and commutative (AC) symbols. More details on our combination techniques, which are not necessary to understand the rest of the paper, can be found in [6, 5, 10].

To reason about axioms, Alt-Ergo uses an instantiation mechanism based on E-matching [12] techniques. It generates ground consequences from assumed axioms based on some heuristics and information provided by the SAT solver and the decision procedures. The challenge is to heuristically produce useful instances that will allow the current SAT model to be discarded, thus reducing the search space, and hopefully derive unsatisfiability (validity).

In addition to axioms, the instantiation engine requires a set of ground terms, and their partition into equivalence classes (computed by the decision procedures). In general, the ground terms considered are those that appear in the decision procedures' environment when instantiating. If this does not generate any instance, all the ground terms that appear in the current Boolean model are considered. Another key ingredient is the use of the notion of triggers (a.k.a. patterns or filters) to guess which instances may be relevant depending on the SAT and decision procedures' context.

A trigger for an axiom ψ ≡ ∀x̄. φ(x̄) is a term (or a set of terms) that usually appears in φ(x̄) and which contains all the (term) variables x̄ and all the type variables in φ(x̄). We use the notation

  ∀x̄ [p | p1, p2]. φ(x̄)

to indicate that ψ is associated with one mono-trigger {p} and one multi-trigger {p1, p2}. Triggers can either be provided by the user with the syntax above, or heuristically computed by Alt-Ergo. In the latter case, Alt-Ergo will choose at most two triggers per axiom by default. For instance, possible triggers for the axiom mem_add of Figure 2 are:

  {mem(x, add(y, s))}    {add(y, s), add(x, s)}    ···    {x, y, s}

The last multi-trigger is a very bad choice and is never selected by Alt-Ergo. In fact, it would generate an instance of mem_add for every (well-typed) combination of terms appearing in the decision procedures (resp. the SAT's model). The first two triggers seem to be good choices. However, only the first one will permit us to prove the validity of the example in Figure 2. Indeed, the ground term mem(a - 1, s2) matches the trigger mem(x, add(y, s)) modulo the equality s2 = add(b, s1). The E-matching process produces the substitution {x ↦ a − 1, y ↦ b, s ↦ s1, α ↦ int}, which allows us to generate the needed instance.

³ To prove validity, Alt-Ergo internally assumes the negation of the conclusion and tries to deduce unsatisfiability.
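To make the E-matching step concrete, here is an added example (Python, written for this page; it is not code from the paper or from Alt-Ergo) that matches the three candidate triggers for mem_add above against a hand-constructed ground context for the Figure 2 goal, with the equivalence classes that the decision procedures would compute supplied by hand. The same block illustrates the point about restrictive versus liberal triggers made in Section 4.4.

```python
# Added example (not from the paper or from Alt-Ergo): a toy E-matcher for
# triggers as described in Section 2. Terms are tuples ("symbol", arg, ...);
# pattern variables are strings starting with "?". The equivalence classes
# that Alt-Ergo's decision procedures would compute are constructed by hand.

# Constructed ground context for the Figure 2 goal once the solver has assumed
# a = b + 1, s2 = add(b, s1) and the negation of mem(a - 1, s2).
A, B, ONE, S1, S2 = ("a",), ("b",), ("1",), ("s1",), ("s2",)
AM1 = ("-", A, ONE)                         # a - 1
ADD_B_S1 = ("add", B, S1)                   # add(b, s1)
MEM = ("mem", AM1, S2)                      # mem(a - 1, s2)
GROUND = [A, B, ONE, AM1, S1, S2, ADD_B_S1, MEM]
TYPE = {A: "int", B: "int", ONE: "int", AM1: "int", S1: "int set",
        S2: "int set", ADD_B_S1: "int set", MEM: "prop"}
VAR_TYPE = {"?x": "int", "?y": "int", "?s": "int set"}   # alpha := int

# Class representatives: the hypothesis s2 = add(b, s1) merges two classes;
# every other ground term is alone in its class.
REP = {t: t for t in GROUND}
REP[ADD_B_S1] = S2

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def cls(t):
    """Every ground term in the equivalence class of t."""
    return [u for u in GROUND if REP[u] == REP[t]]

def match(pat, term, sub):
    """Yield the extensions of substitution `sub` under which `pat` equals
    `term` modulo the known equalities: a sub-term may be replaced by any
    member of its class, which is what lets s2 match add(?y, ?s)."""
    if is_var(pat):
        if VAR_TYPE[pat] != TYPE[term]:
            return
        if pat in sub:
            if sub[pat] == REP[term]:
                yield sub
        else:
            yield {**sub, pat: REP[term]}   # bind to the class representative
        return
    for cand in cls(term):
        if cand[0] == pat[0] and len(cand) == len(pat):
            yield from match_args(pat[1:], cand[1:], sub)

def match_args(pats, terms, sub):
    if not pats:
        yield sub
        return
    for s in match(pats[0], terms[0], sub):
        yield from match_args(pats[1:], terms[1:], s)

def instances(trigger):
    """Substitutions produced by a (multi-)trigger: each pattern must match
    some ground term, and all patterns share one consistent substitution."""
    subs = [{}]
    for pat in trigger:
        found = []
        for sub in subs:
            for t in GROUND:
                for s in match(pat, t, sub):
                    if s not in found:
                        found.append(s)
        subs = found
    return subs

# The three candidate triggers for mem_add discussed in Section 2.
MONO = [("mem", "?x", ("add", "?y", "?s"))]
MULTI = [("add", "?y", "?s"), ("add", "?x", "?s")]
BAD = ["?x", "?y", "?s"]
```

The mono-trigger yields exactly the substitution described in the text, the multi-trigger yields only an instance with x ↦ b that does not help prove the goal, and the single-variable trigger yields one substitution per well-typed combination of class representatives, which is why Alt-Ergo never selects it.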
The rest of the paper describes the features (and their implementation) that AltGr-Ergo offers and shows how they can be useful both from an end-user perspective and from a developer's perspective.

3 Feedback

The first purpose of AltGr-Ergo is to provide feedback which can be useful at times to understand and evaluate what is happening inside the solver. Feedback is useful for users as a visual aid to make sense of the solver's progress, but it is also a precious tool for developers to profile and debug the solver.

3.1 Unsat Cores and Minimal Context Extraction

An unsatisfiable core in SMT is a subset of the input formulas that makes the problem unsatisfiable. Traditionally, SMT solvers return sets whose elements are some of the input, top-level formulas, identified by a unique name in the source. Alt-Ergo goes a bit further and identifies sub-formulas that arise from the CNF (conjunctive normal form) conversion. This allows us to identify more precisely which part of the formula is actually useful in proving the goal.

Unsat core production is deactivated by default when running Alt-Ergo, but the interface offers a way to change solver options on the fly, even while the solver is running. In text mode, Alt-Ergo prints unsat cores as pretty-printed formulas on its output. This can become large at times. The interface displays unsat cores in a more user-friendly way, visually identifying useful parts of the context, hypotheses, etc. by highlighting them in green (see Figure 1 for instance).

Different shades of green are used to highlight unsat cores in the buffer window. Top-most declarations and definitions which contain part of the unsat core are highlighted in the lightest green, and (sub-)formulas that appear more frequently in the unsat core are highlighted with a darker shade. In particular, if an axiom is instantiated several times and the same part of the resulting instances is actually useful to prove the goal, then the user will be able to see this information visually. These features make it easy to rapidly identify which parts of the context are useful and how crucial they are to prove the goal.

Unsat cores also serve another purpose. By identifying which part of the context is effectively used by the solver to prove the goal, we can remove any other information contained in the problem while still having the guarantee that the goal will be provable by the solver⁴. AltGr-Ergo offers a button in the toolbar to quickly remove every top-level declaration or definition that does not participate in the unsat core. Coupled with the mechanism of sessions (see Section 4.5), this allows already proven goals to be saved and replayed much more rapidly.

⁴ This guarantee might be lost in some particular cases in Alt-Ergo, namely when an instance of a useless quantified axiom is used as a source of terms to trigger the instantiation of another, useful axiom.

3.2 Instantiation

As remarked in the introduction, quantified formulas are a source of incompleteness and inefficiency in most SMT solvers. Providing a way to accurately and concisely expose information about instantiation is important for the user experience. AltGr-Ergo does so by displaying instantiated axioms, in real time, in a sub-window of the interface as shown in Figure 4.

Figure 4: Instances and manual limits

Here we report the number of instances produced by each axiom. They are listed in decreasing order of number of instances and their names⁵ are colored in varying shades of red to denote frequency of instantiation. Axioms whose name is a more saturated red are the ones which produce more instances with respect to the total number of instances (regardless of their origin) generated at this point in time by the solver. This allows potentially problematic axioms which generate too many ground instances to be identified quickly. This feedback gives an indication of the likely cause of problems in the instantiation mechanism.

When this happens, we also offer the possibility to limit instantiation of particular quantified lemmas. For example, the left report of Figure 4 tells us that the lemma permut_exists was instantiated 1322 times, more than twice as much as any other lemma. This is thus a good candidate for limiting instantiation. On the right screen capture of Figure 4, we limited the instances of this problematic lemma to 200 and those of an associated lemma (permut) to 300 (we performed this process iteratively, by first limiting instances of permut_exists and looking at what other lemmas were problematic). Lemmas for which instantiation has reached its given limit are shown in blue. We can notice that the runtime of the solver is subsequently reduced by a factor of 3 for this particular example.

⁵ For lemmas that are nested in larger formulas, we report the top-level name with some indication of their position. However, users can access their corresponding location in the source code by simply double-clicking on the displayed name.

3.3 Profiling

Much in the spirit of the previous section, the bottom-rightmost sub-window of the interface (see Figure 1) gives real-time profiling information for the different modules and theories of Alt-Ergo. These include the time spent in the SAT solver, the matching procedure, the congruence closure algorithm (CC(X)), the builtin support for associative and commutative symbols (AC(X)) [5] and the theories of arithmetic, arrays, enumerated data types (Sum) and records.

Figure 5: Real-time profiling information

Figure 5 shows the state of the profiling information after running an example. From the information displayed here, we can see that the problem mostly stresses the theory of arithmetic in the solver. While the solver is running, users can see which part takes the most time and can follow the evolution. For instance, if the time reported for the theory of arrays is too large in proportion and keeps growing, this can indicate that there may be some axioms about arrays which are too permissive. Another use case, for developers, is the possibility to identify problems where the solver is stuck in a particular decision procedure (e.g., if only the timer for this theory increases).

4 Syntactic Operations

A lot of the time when trying to use SMT solvers on real-world examples (coming from program verification tools for instance), the size of the logical context and the sometimes heavy axiomatizations (that make liberal use of quantifiers at varying degrees of alternation) make the problem hard for purely automated tools. However, only a fraction of the actual context is usually necessary to prove the desired goal. Identifying useful information in very large problems can be challenging. When the information provided by the feedback features described in Section 3 allows a potential issue to be identified, AltGr-Ergo offers a number of functionalities to perform syntactic manipulations on the context that is shown in textual format. This allows for an iterative (and slightly interactive) approach to SMT solving, where users can experiment and quantify the effect of different manipulations.

4.1 Pruning

Pruning can be performed very easily in AltGr-Ergo by simply double-clicking on the top-level declaration or sub-formula that one wants to deactivate. Reactivating previously deactivated items is also possible by performing the same action.

Most of the time pruning is not dangerous from a soundness point of view. Removing an axiom only under-constrains the original problem, which means that any goal proved valid without some top-level hypothesis is still valid in the original context. However, we also allow users to prune parts of a formula. In this case validity can be affected depending on the polarity of the removed formula. Consider the original goal:

  logic P, Q : int → prop
  goal g: ∀ x, y: int. Q(x) ∨ P(y) → Q(x) ∧ P(y)

which is trivially invalid. Removing P(y) on the left side of the implication or on the right side of the implication changes the validity of this goal. In fact, removing both turns this goal into a valid one. AltGr-Ergo will allow users to perform these potentially unsafe operations but will notify the user by showing unsound prunings in red. A session that contains unsound pruning operations cannot be saved either. This feature is still useful from an end-user point of view because it allows one to attempt proving goals by strengthening hypotheses or weakening the goal itself. For instance, if the goal is a conjunction, a user can try to prove only part of the conjunction and gather information from this attempt to help prove the rest.

4.2 Dependency Analysis

AltGr-Ergo maintains dependency information between declarations, definitions and their uses. It is possible to remove the declaration of a logical symbol and all top-level declarations that make use of it in a single action. Conversely, reactivating a previously pruned formula or declaration that uses a symbol will also reactivate its declaration and/or definition.

A usage scenario for this feature is to quickly disable a symbol whose axiomatization we know is problematic for the solver, then reactivate part of the axiomatization iteratively in the hope that the solver will no longer be overwhelmed.

4.3 Manual Instances

Quantifiers are notoriously difficult for most SMT solvers. Unfortunately, some application domains such as deductive program verification make heavy use of this feature to encode some domain-specific functions. For instance, Frama-C has built-in axiomatizations for various memory models of C. These are usually very large and complex.

Quantifier instantiation is a heuristic process for SMT solvers in general (although there exist complete techniques for decidable fragments). Alt-Ergo uses matching modulo equality. On the other side of the spectrum, interactive theorem provers like Coq or Isabelle require users to perform instantiation (i.e. application) entirely manually. This is because in the traditional backward reasoning done in theorem provers, only relatively few applications are necessary and a human can figure out which one to do based on the goal, the context and knowledge about the current proof attempt.

AltGr-Ergo gives users the possibility to perform some instances manually. This is useful, for example, if one knows that a particular goal cannot be solved without using specific instances of a lemma. AltGr-Ergo will ask for terms to use in the instantiation. These can be constants but also other terms from the context. Instances can also be partial, which means that we allow only some of the variables to be instantiated. Instances (partial or not) are finally added to the context as hypotheses (they are shown in the topmost right corner of the window). All of the other presented actions can be performed on instances.

4.4 Trigger Selection and Modification

As mentioned in Section 2, Alt-Ergo computes triggers—i.e. patterns or filters used by the matching algorithm to instantiate axioms—in a heuristic way. For certain restricted categories of axiomatizations, there exist techniques for computing triggers that make the instantiation mechanism complete [8]; however, this is not the case in general and coming up with good triggers is a difficult problem.

Because they essentially control how instances are generated, triggers play an important role in proving goals with quantifiers. For example, consider the following axiom, where f is an uninterpreted function from integers to integers.

  axiom idempotent : ∀ x : int. f(f(x)) = f(x)

The trigger f(f(x)) is more restrictive than f(x). This means that only terms t that appear in larger terms f(f(t)) will be used for instantiating this axiom. Having this trigger will thus make the solver generate fewer instances of this axiom than the other possibility, f(x).

There is a balance to be found when coming up with triggers, between restrictive patterns and liberal ones. In some cases, the solver can be overwhelmed by the instances generated if the triggers are not good; it will then likely not terminate from a user's point of view. If patterns are too restrictive, or if Alt-Ergo cannot compute appropriate triggers, the affected axiom will likely not be instantiated enough, preventing the solver from discovering potential inconsistencies. In this latter case, Alt-Ergo will answer "I don't know", which is usually unsatisfactory from an end-user perspective.

Triggers can be specified by hand in the source problem for Alt-Ergo. The interface AltGr-Ergo goes a step further by allowing triggers to be modified on the fly in the source buffer window. The problem displayed to the user will show the triggers computed by Alt-Ergo itself (it will also warn the user if the heuristic could not come up with appropriate triggers for a quantified formula) as annotations in the source. These can be modified interactively when one figures that the heuristic did not produce the expected results. Consider now the following, somewhat degenerate, goal.

  axiom crazy : ∀ x, y : int. x + 1 = y
  goal indeed: false

Alt-Ergo will not compute any triggers for the axiom. By default, the solver rejects triggers composed of single variables as they are considered too permissive (any term of the appropriate type can be used for instantiation). However, in this specific case, we need to instantiate the axiom with any two integers to discover the inconsistency. Figure 6 shows⁶ the functionality: right-clicking on the trigger displays a contextual menu to add triggers in a pop-up window. They can be entered by the user, and AltGr-Ergo will then parse and type-check the piece of text corresponding to the trigger using the same (exposed) internal functions as Alt-Ergo. In this example we add the multi-trigger [x, y], which allows us to conclude.

Triggers can also be deactivated (i.e. removed from the axiom) by using the same deactivation mechanism as the one for formulas. With these possibilities, triggers can be modified at will without resorting to complex solver parameters or relying on heuristics.

⁶ Goals in the interface are shown in their negated form, as they will be seen by the solver.

Figure 6: Adding new triggers by hand

4.5 Sessions

Because this interface is designed to provide a slight increase in interactivity for the user, we want all operations to be saved in what we call sessions for later replay. In particular, operations that manipulate the problem and custom tuning can greatly help the solver in its search. When a user is happy with the state of their modifications—for instance when they allowed the goal to be proved successfully—the interface offers the possibility to save the information concerning the session on disk.

This mechanism allows sessions to be replayed even if the original problem was modified. Apart from the list of actions, the only additional information that is saved in the session is an association table between symbol names for declarations and their identifiers (id). Node identifiers in the AST are sequential integers following a depth-first ordering. When a session file is read from the disk, the interface computes offsets for identifiers using this association table in order to figure out the correct corresponding ones for each action in the stack. Of course, this is possible only if modifications of the file are relatively minor. For instance, this will work if some axioms were removed or added, or if a modification was performed locally in a declaration (e.g., a formula was changed inside an axiom). Nevertheless, sessions will not survive complete refactorings. If the modifications are too important, the replay will try its best following this offset strategy but can decide to abort if too many actions cannot be replayed.

Another use of the session replay mechanism is to reuse sessions between problems that share a lot of context. This is useful in a scenario where a user found a satisfying set of modifications and tuning operations on a given problem, and wants to try the same operations on a similar problem (e.g., one where only the goal is different but the context is identical).

5 Implementation

AltGr-Ergo is designed as a new front end for the solver. As such, it reuses part of Alt-Ergo's front end and Alt-Ergo's API. The interface is placed at the level of the typed abstract syntax tree (Typed AST in Figure 7) and can manipulate this representation at will. The solver itself communicates various pieces of information to the interface.

The graphical part of the interface is written in GTK, using the OCaml bindings LablGTK, and runs in a separate thread. When Alt-Ergo is started in graphical mode, one thread is created for the interface, and one thread is created for every instance of the solver (started with the button "Run"). These threads communicate asynchronously through shared variables, messages or signals depending on the functionality. For example, runs of the solver can be aborted at any time by clicking the button "Abort": a signal is emitted and caught by the interface and the solver instance. Most of the work performed by the interface is done on an annotated version of the AST.
