Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen
1690
3 Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Singapore Tokyo
Yves Bertot Gilles Dowek Andr´e Hirschowitz Christine Paulin Laurent Th´ery (Eds.)
Theorem Proving in Higher Order Logics 12th International Conference, TPHOLs ’99 Nice, France, September 1417, 1999 Proceedings
13
Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands
Volume Editors Yves Bertot Gilles Dowek Laurent Th´ery INRIA Sophia Antipolis 2004 Route des Lucioles, F06902 Sophia Antipolis Cedex, France Andr´e Hirschowitz University of Nice  Sophia Antipolis Parc Valrose, F06108 Nice Cedex 2, France Christine Paulin University of Paris XI 15, rue Georges Clemenceau, F91405 Orsay Cedex, France
CataloginginPublication data applied for Die Deutsche Bibliothek  CIPEinheitsaufnahme Theorem proving in higher order logics : 12th international conference ; proceedings / TPHOLs ’99, Nice, France, September 14  17, 1999 / Yves Bertot . . . (ed.).  Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo : Springer, 1999 (Lecture notes in computer science ; Vol. 1690) ISBN 3540664637
CR Subject Classification (1998): F.4.1, F.3.1, I.2.3, D.2.4, B.6.3 ISSN 03029743 ISBN 3540664637 SpringerVerlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from SpringerVerlag. Violations are liable for prosecution under the German Copyright Law. c SpringerVerlag Berlin Heidelberg 1999 Printed in Germany Typesetting: Cameraready by author SPIN 10704460 06/3142 – 5 4 3 2 1 0
Printed on acidfree paper
Pref ce
This book contains the proceedin s of the 12th International Conference on Theorem Provin in Hi her Order Lo ics (TPHOLs’99), which was held in Nice at the University of NiceSophia Antipolis, September 14 17, 1999. Thirty ve papers were submitted as completed research, and each of them was refereed by at least three reviewers appointed by the pro ram committee. Twenty papers were selected for publication in this volume. Followin a wellestablished tradition in this series of conferences, a number of researchers also came to discuss work in pro ress, usin short talks and displays at a poster session. These papers are included in a supplementary proceedin s volume. These supplementary proceedin s take the form of a book published by INRIA in its series of research reports, under the followin title : Theorem Provin in Hi her Order Lo ics: Emer in Trends 1999. The or anizers were pleased that Dominique Boli nano, Arjeh Cohen, and Thomas Kropf accepted invitations to be uest speakers for TPHOLs’99. For several years, D. Boli nano has been the leader of the VIP team in the Dyade consortium between INRIA and Bull and is now at the head of a company Trusted Logic. His team has been concentratin on the use of formal methods for the e ective veri cation of security properties for protocols used in electronic commerce. A. Cohen has had a key influence on the development of computer al ebra in The Netherlands and his contribution has been of particular importance to researchers interested in combinin the several known methods of usin computers to perform mathematical investi ations. T. Kropf is an important actor in the Europewide project PROSPER, which aims to deliver the benets of mechanized formal analysis to system builders in industry. Alto ether, these invited speakers ave us a panorama of applications for theorem provin and discussed its impact on the pro ress of scienti c investi ation as well as technolo ical advances. This year has con rmed the evolution of the conference from HOLusers’ meetin to conference with a lar er scope, spannin over uses of a variety of theorem provin systems, such as Coq, Isabelle, Lambda, Le o, NuPrl, or PVS, as can be seen from the fact that the or anizers do not belon to the HOLuser community. Since 1993, the proceedin s have been published by Sprin erVerla as Volumes 780, 859, 971, 1125, 1275, 1479, and 1690 of Lecture Notes in Computer Science. The conference was sponsored by the laboratory of mathematics of the University of NiceSophia Antipolis, Intel, France Telecom, and INRIA. September 1999
Yves Bertot, Gilles Dowek, Andre Hirschowitz, Christine Paulin, Laurent Thery
Or anization
Yves Bertot (INRIA) Gilles Dowek (INRIA) Andre Hirschowitz (Universite de Nice) Christine Paulin (Universite de ParisSud) Laurent Thery (INRIA)
Pro ram Committee Mark Aa aard (Intel) Sten A erholm (IFAD) David Basin (Freibur ) Yves Bertot (INRIA) Richard Boulton (Edinbur h) Gilles Dowek (INRIA) Mike Gordon (Cambrid e) Jim Grundy (ANU) Elsa Gunter (Lucent) Joshua Guttman (Mitre) John Harrison (Intel) Dou Howe (Lucent)
Bart Jacobs (Nijme en) Sara Kalvala (Warwick) Tom Melham (Glas ow) Paul Miner (NASA) Malcolm Newey (ANU) Topbias Nipkow (Munich) Sam Owre (SRI) Christine PaulinMohrin (Paris, Cha r) Lawrence Paulson (Cambrid e) So ene Tahar (Concordia)
Invited Speakers Dominique Boli nano (Trusted Lo ic) Arjeh M. Cohen (T.U. Eindhoven) Thomas Kropf (T¨ ubin en)
Additional Reviewers O. AitMohamed C. Ballarin G. Bella J. Courant P. Curzon D. Cyrluk P. Dybjer J.C. Filliatre
M.S. Jahanpour F. Kamm¨ uller P. Lincoln A. Mader O. M¨ uller A. Pitts E. Poll H. Rue
K. Sunesen D. Syme H. Tews J. Thayer M. Wenzel
Table of Contents
Recent Advancements in Hardware Veriﬁcation – How to Make Theorem Proving Fit for an Industrial Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Thomas Kropf
1
Disjoint Sums over Type Classes in HOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Norbert V¨ olker
5
Inductive Datatypes in HOL – Lessons Learned in FormalLogic Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Stefan Berghofer and Markus Wenzel Isomorphisms – A Link Between the Shallow and the Deep . . . . . . . . . . . . . . 37 Thomas Santen Polytypic Proof Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Holger Pfeifer and Harald Rueß Recursive Function Deﬁnition over Coinductive Types . . . . . . . . . . . . . . . . . . 73 John Matthews Hardware Veriﬁcation Using Coinduction in COQ . . . . . . . . . . . . . . . . . . . . . 91 Solange Coupet–Grimal and Line Jakubiec Connecting Proof Checkers and Computer Algebra Using OpenMath . . . . . 109 Olga Caprotti and Arjeh M. Cohen A MachineChecked Theory of Floating Point Arithmetic . . . . . . . . . . . . . . . 113 John Harrison Universal Algebra in Type Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Venanzio Capretta Locales – A Sectioning Concept for Isabelle . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Florian Kamm¨ uller, Markus Wenzel, and Lawrence C. Paulson Isar – A Generic Interpretative Approach to Readable Formal Proof Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Markus Wenzel On the Implementation of an Extensible Declarative Proof Language . . . . . 185 Vincent Zammit Three Tactic Theorem Proving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Don Syme
VIII
Table of Contents
Mechanized Operational Semantics via (Co)Induction . . . . . . . . . . . . . . . . . . 221 Simon J. Ambler and Roy L. Crole Representing WP Semantics in Isabelle/ZF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Mark Staples A HOL Conversion for Translating Linear Time Temporal Logic to ωAutomata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Klaus Schneider and Dirk W. Hoﬀmann From I/O Automata to Timed I/O Automata . . . . . . . . . . . . . . . . . . . . . . . . . 273 Bernd Grobauer and Olaf M¨ uller Formal Methods and Security Evaluation (Invited Talk) . . . . . . . . . . . . . . . . . 291 Dominique Bolignano Importing MDG Veriﬁcation Results into HOL . . . . . . . . . . . . . . . . . . . . . . . . 293 Haiyan Xiong, Paul Curzon, and Soﬁ´ene Tahar Integrating Gandalf and HOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Joe Hurd LiftedFL: A Pragmatic Implementation of Combined Model Checking and Theorem Proving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Mark D. Aagaard, Robert B. Jones, and CarlJohan H. Seger Symbolic Functional Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Nancy A. Day and Jeﬀrey J. Joyce
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Recent Advancements in Hardware Veri cation How to Make Theorem Provin Fit for an Industrial Usa e Thomas Kropf WilhelmSchickardInstitut f¨ ur Informatik, Universit¨ at T¨ ubin en, Sand 13, D72076 T¨ ubin en, Germany
[email protected] en.de
1
Motivation
One of the predominant applications of formal methods includin theorem provin is the veri cation of both software and hardware. However, whereas software veri cation must still be considered mainly as an academic exercise, hardware veri cation has become an established technique in industry. Commercial hardware veri cation tools are available from leadin EDA (electronic desi n automation) tool vendors and are an essential part of many established di ital desi n flows. This contrasts to the fact that software veri cation has been an on oin research topic for a considerably lon er time compared to activities in hardware veri cation. Where does this di erence in acceptance come from? The key components for a new approach to be successful in practice are: a suitable theoretical foundation, the existence of tools, the acceptance of the tar et users, a smooth inte ration into existent work flows as well as the applicability to realworld examples, to ether leadin to a measurable productivity increase. Undoubtedly, the simplicity of the theories necessary for many tasks in hardware veri cation, i.e., propositional lo ic and nite state machines, justify a ood part of its success. The available decision procedures allow fully automated tools which can be easily used also by nonlo icians. However, lookin at the commercially successful hardware veri cation tools like equivalence checkers or model checkers, it becomes visible that the other aspects also play a si ni cant role. The tools are applicable to hardware desi ns, written in standardized hardware description lan ua es like Verilo or VHDL. Hence, they can be easily inte rated into existent desi n flows to ether with other validation tools like simulators. They are tar eted at the veri cation of lar e circuits at the expense of proof power, e. ., often only a simple equivalence check of two combinational circuits can be performed but on very lar e circuits. Moreover, it has turned out that the usual application scenario is not the successful correctness proof of a nished hardware component. It is rather the case that almost all veri cation runs fail due to wron speci cations or due to desi n errors still present in the module. Thus, veri cation is mainly treated as an debu in aid. As a consequence, an inte ral part of a veri cation tool consists Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 1 4, 1999. c Sprin erVerla Berlin Heidelber 1999
2
Thomas Kropf
of means to trace down potential error sources. The usual approach allows the eneration of counterexamples, i.e., input patterns or sequences which lead to an erroneous output behavior. Althou h bein very successful from a commercial point of view, the currently available hardware veri cation tools still have many de ciencies. Althou h applicable to circuits of considerable size, they still do not scaleup in a su cient way, e. ., by a suitable use of divideandconquer strate ies. As soon as they o beyond a simple equivalence check, formal speci cations have to be iven which in most cases exceed the capabilities of industrial hardware desi ners. Moreover, the tools are tar eted only at speci c veri cation tasks, e. ., the veri cation of controllers or the veri cation of arithmetic data paths. Thus, they are unable to verify circuits containin both kind of modules. The counterexamples produced in case of a failed veri cation run still require a tedious simulationbased search of the real fault cause.
2
Solutions
2.1
Key Components
The de ciencies described above require the creation of a new eneration of veri cation environments. Whereas fully automated tools each rely on a certain decision procedure, a divideandconquer approach requires the use of inference rules, provided by theorem provin systems. In contrast to existent systems an industrially usable theorem provin approach must be applicable to lar e problems and must be usable without much knowled e of the underlyin formal system. Hence, means to hide the theorem provin part from the user have to be found. Besides suitable user interfaces this also comprises new way to state formal speci cations in an informal way. As stated above complex hardware desi ns may require the combined usa e of di erent veri cation tools. This requires the en ineerin of proper interaction means both from a semantic and from a tool pro rammin point of view. The last point concerns the ndin of errors. The derivation of counterexamples, i.e., input stimuli, is only based on a functional view of the circuit under consideration and does not take into account the known topolo ical structure of the hardware desi n to narrow down the error source to certain components. 2.2
The PROSPER Project
The PROSPER project (Proof and Speci cation Assisted Desi n Environments)1 , funded by the European Commission as part of the ESPRIT Framework IV pro ram2 , addresses all of the issue described in the last section. It is aimed at the research and development of the technolo y needed to deliver the bene ts of mechanized formal speci cation and veri cation to system desi ners 1 2
http://www.dcs. la.ac.uk/prosper/ ESPRIT project LTR 26241
Recent Advancements in Hardware Veri cation
3
in industry. The project partners3 will try to provide examples of the next eneration of EDA and CASE tools, incorporatin userfriendly access to formal techniques. The key component of PROSPER is an open proof architecture, created around a theorem prover, called the core proof en ine (CPE). This en ine is based on hi herorder lo ic and on many principles of the HOL theorem provin system. It is enriched by a standardized interface for other proof tools, which can be added as plu ins to enhance the proof power and the de ree of automation of the CPE. This also allows the combined use of di erent proof tools to tackle a certain veri cation task. The interface has been desi ned in such a way that already existent proof tools like model checkers or rstorder theorem provers can be easily added to the overall system. It is currently based on a communication via sockets and on standardized abstract data types, the latter based on a HOL syntax of terms. The CPE and the proof tool plu ins to ether may then be used as the formal methods component within a commercial EDA desi n tool or a CASE tool. The intended example applications are a hardware veri cation workbench and a VDMSL tool box. To ease the use of formal methods for pro rammers and hardware desi ners with only limited knowled e of formal methods, another important part is the en ineerin of suitable interfaces. This comprises approaches to translate natural lan ua e descriptions of circuit speci cations into temporal lo ic as well as new means in identifyin faulty circuit components in case of a failed veri cation run. 2.
The Hardware Veri cation Part of PROSPER
One exemplar application of the PROSPER concept is the creation of a hardware veri cation workbench. It is able to provide correctness proofs for hardware systems, described in the standardized hardware description lan ua e VHDL and Verilo . This application is ideally suited to demonstrate the interplay between the CPE and proof plu ins like tautolo y checkers or model checkers, all needed to play to ether to verify complex di ital circuits. To be able to provide one uniform proof environment, the common semantic basis of both lan ua es VHDL and Verilo is identi ed and formalized by an intermediate lan ua e IL. Thus, by rst translatin a iven circuit description into IL, the same proof strate ies may be used for both lan ua es. The actual proof is usually performed with decision procedures, usin the CPE mainly to decompose complex proof oals. It has turned out that often a simple counterexample eneration is insu cient to easily nd faulty components. As part of the PROSPER project new techniques are established to analyze the structure of a iven circuit with re ard to a iven functional speci cation. This allows to automatically identify and to correct faulty components in case the circuit does not behave accordin to the speci cation. 3
The current project partners are the Universities of Glas ow, Cambrid e, Edinbur h (all UK),Tbin en (Germany) as well as IFAD (Denmark) and Prover Technolo y (Sweden).
4
Thomas Kropf
It is hoped that the PROSPER approach will lead theorem provin to a similar acceptance in industry as equivalence checkin and model checkin techniques have already today.
Disjoint Sums over Type Classes in HOL Norber V¨ olker University of Essex, En land
[email protected] Abs rac . The standard versions of HOL only support disjoint sums over nite families of types. This paper introduces disjoint sums over type classes containin possibly a countably in nite number of monomorphic types. The result is a monomorphic sum type to ether with an overloaded function which represents the family of injections. Modeltheoretic reasonin shows the soundness of the construction. In order to axiomatize the disjoint sums in HOL, datatypes are introduced which mirror the syntactic structure of type classes. The association of a type with its ima e in the sum type is represented by a HOL function carrier . This allows a translation of the settheoretic axiomatization of disjoint sums to HOL. As an application, a sum type U is presented which contains isomorphic copies of many familiar HOL types. Finally, a Z universe is constructed which can server as the basis of a HOL model of the Z schema calculus.
1
Introduction
Gordon’s version of higher order logic is wellknown as he logic underlying he HOL heorem proving assis an [3]. I fea ures a polymorphic ype sys em which was ex ended in Isabelle/HOL [12] o include overloading con rolled by ype classes. Al hough his is qui e an expressive ype sys em, here are applica ions for which i can be oo rigid. This has promp ed research in o he rela ionship of ype heory and un yped se heories [9, 15] and possible combina ions of he wo [2]. Ins ead of urning o se heory, his paper ries o ex end he expressiveness of HOL by in roducing disjoin sums over ype classes. The approach applies o syn ac ic ype classes genera ed from a ni e number of ype cons ruc ors. Given such a class C, he disjoin sum consis s of a new ype V oge her wi h an overloaded func ion emb which injec s each ype of C in o V . Fur hermore, V is he disjoin union of he embimages of he ypes in C. The exis ence of isomorphic copies of di eren ypes wi hin one ype makes cons ruc ions possible which are o herwise problema ic due o yping res ricions. In par icular, i suppor s he de ni ion of ypes which can serve as semanical domains for o her formalisms. For example, in Sec ion 8, a Z universe is cons ruc ed. The la er should be useful as he basis of a HOL model of he Z schema calculus which is more fai hful han previous approaches. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 5 18, 1999. c Sprin erVerla Berlin Heidelber 1999
6
2
Norbert V¨ olker
Syntactic Type Classes
In Isabelle, ype classes were added o HOL as a way of con rolling he ins an ia ion of ype variables. This was originally inspired by he syn ac ic view of ype classes in programming languages such as Haskell [6]. Subsequen ly, axioma ic ype classes [16] have been in roduced in Isabelle/HOL. In his paper, only syn ac ic, nonaxioma ic ype classes are considered. The membership of a ype T o a class C is wri en as T :: C. A class is speci ed by a ni e number of syn ac ic arity declarations. As an example, consider a class N wi h wo ari y declara ions:1: nat :: N fun :: (N N ) N The rs ari y declara ions means ha he na ural number ype nat is in class N . The second ari y declara ion says ha class N is closed under he forma ion of func ion spaces, i.e. given A :: N and B :: N , he func ion space A B is also in class N . Some monomorphic ypes in N are nat , nat nat and (nat nat ) nat . Polymorphic ypes belonging o a cer ain class can be formed wi h he help of ype variables res ric ed o ha class. For example, class N con ains he res ric ion ( :: N ) of ype variable o N . Ano her example for a polymorphic ype in N is ( :: N ) nat. Classres ric ed ype variables are he only means o build ypes in HOL wi h ype classes which is no available in HOL wi hou ype classes . The ype cons ruc ors nat and fun genera e he monomorphic ypes in N similar o he way an induc ive da a ype is genera ed by i s cons ruc ors. In view of his analogy, i is emp ing o speak of inductive type classes. Compared o Isabelle’s (nonaxioma ic) ype classes, his paper makes a number of simplifying assump ions. These are mainly for presen a ion reasons. Note 1. Type classes are assumed o be nonemp y and s a ic. Each ype class is hus speci ed by a xed, ni e number of ari y declara ions. Issues concerning class inclusion and ordering will be disregarded. Note 2. Type class N is special in so far as i s ari y declara ions do no involve o her ype classes. Only such homogeneous classes will be considered. By HOL’s ype ins an ia ion rule, ype variables in a heorem can be ins an ia ed o o her ypes under cer ain provisos. In HOL wi h ype classes, his rule is amended so ha a subs i u ion of a classres ric ed ype variable has o respec i s class, i.e. a subs i u ion of ( :: N ) by a ype T requires T o be of class N . This amendmen of he ype ins an ia ion rule is he only change o HOL’s basic axioms caused by he in roduc ion of ype classes. 1
The function space type constructor is usually written in in xform, i.e. ( ( )
)fun =
Disjoint Sums over Type Classes in HOL
7
Overloading can be expressed by polymorphic cons an s whose ype con ains classres ric ed ype variables. As an example, he symbol is declared o be a binary rela ion on he ype class N : :: [ :: N
]
bool
The induc ive genera ion of ype classes from ype cons an s and polymorphic ype cons ruc ors gives rise o a de ni ion principle2 . For example, he rela ion can be speci ed on N by: (a :: nat) b (f :: ( :: N )
( :: N ))
a f
b = ( n b = a + n) =( xf x x)
Similar o he de ni ion of primi ive recursive func ions on da a ypes, i can be shown ha under sui able condi ions here exis s a unique cons an or func ion which solves such equa ions [16]. In general his requires as many equa ions as here are ari y declara ions for he ype class. For a da a ype, s ruc ural induc ion and he principle of primi ive recursive func ion de ni ion can be expressed direc ly as HOL heorems. This is no possible for HOL classes. Consider for example induc ion on class N : (n :: nat) P n ( :: N ) ( :: N ) ( (x :: ) P x) ( :: N ) (x :: ) P x
( (y :: ) P y)
(z ::
) P z
There are wo problems wi h formula ing his induc ion principle as a HOL heorem: 1. In HOL formulas, ype variables are always universally quan i ed a he ou ermos level. There is no nes ing of quan i ers such as in Sys em F [1]. This makes i impossible o express ha he second premise has o be rue for all ypes :: N and :: N . 2. In a HOL heorem, he predica e P would be a (universally quan i ed) bound variable whose occurrences are of di eren ypes. Such polymorphic bound variables are no permi ed in HOL. 3 In Isabelle/HOL, he lack of explici induc ion heorems for ype classes is compensa ed mos ly by axioma ic ype classes. Problems only seem o occur wi h he curren res ric ion o axioms wi h a mos one ype variable. In Sec ion 6 i is shown ha he disjoin sum cons ruc ion can provide al erna ives for reasoning wi h ype classes. The res ric ion of a polymorphic func ion f :: ( :: C) o some ype T :: C is deno ed by fT . Unless o herwise s a ed explici ly, he erm HOL refers in he sequel o higher order logic wi h syn ac ic ype classes as ske ched above. 2 3
Called primitive recursion over types in [16] This is exploited in the Isabelle implementation of terms: the representation of bound variables is untyped.
8
3
Norbert V¨ olker
Representation of Type Syntax within HOL
The axioma iza ion of disjoin sums will make i necessary o cons ruc HOL formulas which concern all monomorphic ypes in a cer ain class. As seen in he previous sec ion, his can be di cul due o he limi a ions of HOL’s polymorphism. The key s ep in our approach is a represen a ion of he syn ax of he monomorphic ypes in classes by HOL da a ypes. In he case of he example class N , a corresponding da a ype N y is de ned by: N y = nat y fun y N y N y The monomorphic ypes in class N and he elemen s of he da a ype N y are obviously in a one oone correspondence. The same cons ruc ion is possible for any ype class C. I is assumed ha cons ruc or names are chosen appropria ely in order o avoid name clashes wi h exis ing cons an s. De nition 1. Let C be some type class. Then C y denotes a datatype which contains for every nary type constructor of C a correspondin nary datatype constructor y . Proposition 1. The bijection between the type constructors of a class C and the constructors of the associated datatype C y extends to a bijection between the monomorphic types in C and the elements of C y . The elemen of C y corresponding o some monomorphic ype T :: C is deno ed by T y . By associa ing ype variables wi h HOL variables, i would be possible o ex end Proposi ion 1 o polymorphic ypes. Of course, he mapping from ypes o heir represen a ion is no a HOL func ion. However, using primi ive recursion over ypes, i is possible o de ne an overloaded HOL func ion tof (shor for ype of ) which akes he elemen s of he ypes in C o he represen a ion of heir ypes: De nition 2. Let C be some type class with correspondin datatype C y as in De nition 1. The function tof :: ( :: C)
Cy
is de ned by primitive recursion over the type class C as follows: 1. For a 0ary type constructor
:: C: tof (x :: ) =
2. and for an nary type constructor tof (x :: (
1
n)
) =
y
:: (C
y
)C with n > 0:
(tof (arbitrary ::
1 ))
(tof (arbitrary ::
where (arbitrary :: ) denotes some unspeci ed element of type .
n ))
Disjoint Sums over Type Classes in HOL
9
A concre e de ni ion of (arbitrary :: ) could be given using he HOL version of Hilber ’s opera or, of en called selec or choice . Note 3. The func ion tof de ned above depends on he class C and he da a ype C y . This could be documen ed by a subscrip , i.e. by wri ing tof C . For he sake of be er readabili y, we will refrain here and in he sequel from such indexing as long as he dependencies are clear from he con ex . For class N , De ni ion 2 amoun s o: tof :: ( :: N ) Ny tof (x :: nat) = nat y tof (x :: (
)) = fun y (tof (arbitrary :: )) (tof (arbitrary :: ))
This implies for example: tof (x :: nat
nat) = fun y nat y nat y
(1)
Proposition 2. Let C, C y and tof be as in De nition 2. Then for any monomorphic type T :: C: tof (x :: T ) = T y
(2)
Proof. The s a emen follows from he de ni ion of he func ion tof and he mapping on ypes by induc ion over he s ruc ure of T . No e ha (2) is no a HOL formula. This is a consequence of he fac ha he associa ion of he ype T wi h i s represen a ion T y is no a HOL func ion. However, for any speci c monomorphic ype T :: C, he T ins ance of (2) can be s a ed and proven in HOL, see for example (1). Corollary 1. Assume C, C y and tof as in De nition 2. Then the function tof is constant on every type: tof (x :: ) = tof (y :: )
(3)
Al hough (3) is a valid HOL formula, i s proof requires s ruc ural induc ion over he ypes in C. In heorem provers which do no provide his or an equivalen me hod of proof, he equa ion can no be es ablished. In his case, i would be possible o add i as an axiom. Of course, as wi h (2), all monomorphic ins ances of (3) can be proven easily in HOL. In order for a ype V and an overloaded func ion emb :: ( :: C) V o be he disjoin sum over a ype class C, i is necessary ha he embimages of he monomorphic ypes T :: C are disjoin . If he ype class C con ains an in ni e number of (monomorphic) ypes, hen i is no possible o cap ure his requiremen direc ly by lis ing all ins ances. As a way ou of his dilemma, he ypeindexed se family (ran e emb T )T ::C will be represen ed by a HOL func ion named carrier which opera es on he da a ype associa ed wi h he class C.
10
Norbert V¨ olker
De nition 3. Let C be some type class with associated datatype C y and function tof as in De nition 2. Further, let f :: ( :: C) T be an overloaded function from the types in C to some type T . The function carrierf is de ned by: carrierf :: C y
T set
carrierf (tof (x :: )) = ran e f
(4)
Equa ion (4) de nes he func ion carrier f uniquely. This follows from Proposiion 2 and he fac ha tof (x :: ) ranges over all of C y when ranges over he ypes in C. Applying Proposi ion 2 o (4) yields for monomorphic ypes T :: C: carrier f T y = ran e fT
(5)
A concre e ins ance of his equa ion for he class N and some overloaded func ion f is: carrier f (fun y nat y nat y ) = ran e fnat !nat
(6)
No e ha similar o he case of equa ion (2), equa ion (5) is no a HOL formula because i con ains he erm T y . Again, any monomorphic ins ance can be s a ed and proven in HOL, see for example (6).
4
Extension of HOL’s Semantic Foundation
Disjoin sums are a wellknown mechanism for in roducing new objec s in se heory or ca egory heory. In s andard HOL, only he disjoin sum of a ni e number of HOL ypes can be formed. As a rs s ep owards a remedy of his si ua ion, he seman ic founda ion of HOL is ex ended. Recall ha he HOL seman ics in [3] is based on a universe U of nonemp y se s which ful lls a number of closure proper ies. This includes closure wi h respec o he forming of nonemp y subse s, ni e car esian produc s and powerse . We add a fur her axiom o U, namely ha i is closed under coun able produc s: For any coun ably in ni e family (A ) 2 2 A is also a member of U.
of se s in U, he produc
The exis ence of such a universe U can be shown in ZFC. Jus as in he case of he s andard HOL universe [3], one could choose U o be he nonemp y se s in he von Neumann cumula ive hierarchy before s age + . The same ex ension of U was previously used by Regensburger for he cons ruc ion of inverse limi s [13]. Proposition 3. HOL is sound with respect to the enlar ed universe U. Proof. (Ske ch) I is known ha HOL wi hou ype classes is sound wi h respec o any universe which ful lls he closure proper ies s a ed in [3]. The resul can be ex ended o HOL wi h ype classes. Essen ially, given a model M, he
Disjoint Sums over Type Classes in HOL
11
meaning of a erm con aining a classres ric ed ype variable :: C is ob ained by considering all ins an ia ions of wi h elemen s of U which are in erpre a ions in M of a monomorphic ype in class C. Adding a fur her closure requiremen on he underlying universe does no invalida e soundness. be the projection from De nition 4. For a family (A ) 2I of sets in U, let A to its i’th component A . The sum of the family (A ) 2I is the product 2I de ned by: A = x 2I
i
I
a
A x = (y j)
A)
(
I
(y) = a
j=i
2I
Proposition 4. The extended universe U is closed under nite and countably in nite sums, i.e. for any nite or countably in nite family (A ) 2I of sets with I and all A in U, the sum 2I A is also an element of U. Proof. The sum is per de ni ion a nonemp y subse of IP (( 2I A ) I). Hence he s a emen follows from he closure proper ies of U wi h respec o ni e and coun ably in ni e produc s, nonemp y subse s and he powerse cons ruc ion.
5
Disjoint Sums over Type Classes
Wha does i mean ha a ype V oge her wi h an overloaded func ion emb :: ( :: C) V is a disjoin sum over a ype class C? A considera ion of se heory sugges s he following hree requiremen s: 1. For every monomorphic ype T :: C, he mapping emb T should be injec ive. 2. The images of di eren injec ions should be disjoin , i.e. for all monomorphic ran e emb B = ypes A :: C, B :: C wi h A=B: ran e emb A 3. V should be he union of he images of he monomorphic ypes T of class C, i.e.: v V T :: C v ran e emb T Unfor una ely, no all of hese requiremen s ransla e direc ly o HOL formulas. In fac , while he rs requiremen can be represen ed easily in HOL by he simple formula inj emb, i is no clear how he remaining wo requiremen s can be formula ed in HOL. Af er all, nei her he inequali y of wo HOL ypes nor he exis ence of a cer ain HOL ype are HOL formulas. No e in par icular ha he formula: v v ran e emb is not a valid formula ion of he requiremen ha every elemen v :: V of he disjoin sum ype V lies in he range of emb T for some ype T :: C. Ins ead, due o he implici universal quan i ca ion over ype variables in HOL, his formula would demand every elemen v :: V o lie in he range of all mappings emb T
12
Norbert V¨ olker
for T :: C. For ype classes C con aining wo or more ypes, his con radic s he disjoin ness requiremen . The wo problema ic disjoin sum requiremen s pu condi ions on he se s (ran e emb T ) where T is a monomorphic ype of class C. These condi ions become expressible in HOL if he indexing of hese se s by ypes is replaced by an indexing wi h he elemen s of he da a ype associa ed wi h C. This was he reason for he in roduc ion of he func ion carrier in Sec ion 3. Wi h he help of his func ion, he charac eriza ion of disjoin sums in HOL becomes s raigh forward. De nition 5. Let C be some type class and emb :: ( :: C) function from the types in C to some type V . Let C y , tof and
V an overloaded
carrier = carrieremb be as in De nition 1, 2 and 3. Then (V emb) is a disjoint sum over class C provided the followin three HOL formulas are valid: inj emb AB A = B x
T x
carrier A
carrier T
carrier B =
(7) (8) (9)
Proposition 5. Let (V emb) be a disjoint sum over a type class C. Then V and emb ful ll the three requirements for disjoint sums stated above. Proof. The s a emen follows immedia ely from he de ni ion of C y , tof and carrier and equa ion (5). The exis ence of disjoin sums over ype classes follows from he exis ence of sums in he (ex ended) underlying se model of HOL: Proposition 6. Let C be a nonempty type class in some HOL theory T. Then it is possible to extend T by a new type V and an overloaded mappin emb :: ( :: C) V such that V is the disjoint sum of the types in C with embeddin emb. Furthermore, if the ori inal theory T has a standard model, then this can be extended to a standard model of the extended theory. Proof. (Sketch.) Choose he name of he new ype V and he overloaded cons an emb in such a way ha clashes wi h he names of exis ing ypes and cons an s are avoided. Assume a s andard model M of he heory T including meanings of he class C and he cons an s tof and carrier . The family of meanings M (T ) of monomorphic ypes T :: C forms a coun able family of se s in U. According o Proposi ion 4, he disjoin sum S over his family exis s in U. A meaning for he ype V and he cons an emb is given in M by associa ing: (i) V wi h he sum S and (ii) emb :: ( :: C) V wi h a (dependen ly yped) func ion which given a se M (T ) yields he inclusion func ion from ha se in o S. The la er is jus i ed because each possible meaning of a ype variable :: C is of he form M (T ) for some monomorphic ype T :: C. The validi y of he condi ions (7) (9) in he model M follows from (5) and De ni ion 4.
Disjoint Sums over Type Classes in HOL
13
Since he exis ence of a s andard model implies consis ency, i follows ha he ex ension of heories by disjoin sums over ype classes does no compromise consis ency. No e ha he disjoin sum ype V i self is no a member of he class C. Hence, here is no selfreference in he cons ruc ion of V . This is reminiscen of he ex ension of he Calculus of Cons ruc ions by  ypes in [10]: he predica ivi y makes he heory ex ension safe and allows he formula ion of a se  heore ic seman ics. As an ex reme case of an applica ion of Proposi ion 6, le CT be he class of all ypes which can be formed in some HOL heory T. Then he proposi ion jus i es he ex ension of T by a universe VT which is he disjoin sum of all monomorphic ypes in T. The di cul ies wi h he HOL formula ion are no in rinsic o he se  heore ic charac eriza ion of disjoin sums. Suppose one ried ins ead a ca egory heory inspired axioma iza ion which works on he level of func ions. In his approach, one would replace he hree disjoin sum requiremen s above by he single requiremen ha for every overloaded func ion :: ( :: C) , here exis s a unique func ion f :: V wi h = f emb. Alas, a direc HOL formula ion of his requiremen leads o he same wo problems of missing nes ed quan i caion and disallowed polymorphic variables which hindered previously he HOL formula ion of he induc ion principle for ype classes on page 7. I should be s ressed ha o her axioma iza ions of disjoin sums over ype classes in HOL are possible. For example, one could pos ula e he exis ence of sui able cons an s which permi a primi ive recursive de ni ion of he carrier func ion. The axioma iza ion presen ed above aims o be a rela ively s raigh forward ransla ion of he usual se  heore ic formula ion.
6
First Developments
In he following, le (V emb) be a disjoin sum over a ype class C wi h associa ed da a ype C y and func ions tof and carrier as in De ni ion 5. Since he carrier se s par i ion he ype V , a func ion type of can be de ned which associa es each elemen v :: V wi h he represen a ion of he ype in whose carrier i lies: type of :: V
Cy
type of v = ( T v
carrier T )
The deno es Hilber ’s choice opera or. Using he rules (8) and (9), he following proper ies of type of can be proven easily in HOL: (x
carrier T ) = (type of x = T )
type of (emb x) = tof x Equivalence (10) implies fur her: x
carrier (type of x)
(10)
14
Norbert V¨ olker
From he induc ion heorem of he da a ype C y , an induc ion heorem for V based on he func ion carrier can be derived. The heorem is s a ed here only for he example ype class N : a carrier nat y P a; A B c [ c carrier (fun y A B); a carrier A P a; b carrier B P b ] ] P x
[
P c
The func ions tof and type of are an example of a more general correspondence be ween overloaded func ions on class C and func ions on he disjoin sum ype V . Given any overloaded func ion f :: ( :: C) , he axioms of V imply he exis ence of a unique func ion :: V such ha : f=
emb
(11)
Conversely, given any func ion :: V , he corresponding overloaded func ion f :: ( :: C) is rivially de ermined by (11). This correspondence of func ions can be used for example o give a simple de ni ion of a equali y rela ion eq across ypes in class N : eq :: [ :: N :: N ] x eq y = (emb x = emb y)
bool
Al erna ively, he rela ion eq could be de ned by primi ive recursion over he ypes in N . However, proving proper ies of eq such as symme ry: (x eq y) = (y eq x) based on he primi ive recursive de ni ion requires some sor of s ruc ural induc ion over ype classes, be i in he form of axioma ic ypes wi h axioms which are parame erized by wo ype variables. In comparison, he above de ni ion of eq via he disjoin sum ype makes he proof of symme ry rivial.
7
A Universe for Many HOL Types
Before he cons ruc ion of he universe, i is convenien minology.
o in roduce some er
De nition 6. Let A and B be HOL types. Then we say that A can be embedded in B, provided there exists an injection from A to B. No e ha ypes.
he de ni ion applies bo h o monomorphic and polymorphic HOL
De nition 7. Let be a type constructor of some arity n 0. Then we say B1 fn :: An Bn , that is monotonic, if iven n injections f1 :: A1 An ) into (B1 Bn ) . there exists an injection from (A1
Disjoint Sums over Type Classes in HOL
15
As a special case of De ni ion 7, 0ary ype cons ruc ors are also mono onic. Proposition 7. The function space type constructor is monotonic. Proof. The s a emen follows from he HOL heorem: inj f
inj ( h
inj
h
f −1 )
Proposition 8. Datatype type constructors are monotonic. Proof. Every da a ype ype cons ruc or can be associa ed wi h a func ion map which is func orial in all argumen s, i.e.: map id
id
= id
n
map (f1
1)
(fn
Hence he injec ivi y of f1
n)
= map f1
fn
map
1
fn implies he injec ivi y of map f1
n
fn .
Proposition 9. Let C be some type class containin only monotonic type constructors and let D be the extension of C by an nary monotonic type constructor . Let 1 n be n distinct type variables and assume that ( 1 n ) can be embedded in some type of class C. Then every type T in class D can be embedded in a type of class C Proof. Suppose rs ha is of ari y 0. Then he s a emen follows from he mono onici y of he ype cons ruc ors by induc ion over he s ruc ure of ype T . This leaves he case of a polymorphic ype cons ruc or of ari y n > 0. The proof is again by induc ion on he s ruc ure of T . For he induc ion s ep, he case of a ype T wi h an ou ermos ype cons ruc or unequal follows An ) where he ypes by mono onici y. This leaves he case of T = (A1 An can be embedded in ypes B1 Bn of class C. By mono onici y A1 Bn ) . Since ( 1 can be of , T can be embedded in T 0 = (B1 n) embedded in some ype D of class D, he ins an ia ion of ha embedding o T 0 provides an embedding of T 0 in o an ins an ia ion of D which is of class C. Le H be he ype class genera ed by he hree basic, mono onic ype cons rucors bool , fun and ind . Mos ype cons ruc ors in he libraries coming wi h he HOL sys em or Isabelle/HOL are mono onic and are in roduced by an embedding in o an already exis ing ype or as a ype abbrevia ion. I follows by induc ion from Proposi ion 9 ha many HOL ypes used in prac ice can be embedded in o a ype of class H. In par icular, his includes all ypes which can be formed from he ype cons ruc ors bool , ind , fun, set and da a ypes such as lis s or binary rees. Fur hermore, if (U emb) is a disjoin sum over H, hen all hese ypes can even be embedded in he single monomorphic ype U . In many applica ions of HOL, i is possible o res ric he ype sys em o ypes which can be embedded in U . In his case, he ype U can serve as a universe which suppor s generic cons ruc ions such as he de ni ion of da a ypes and coda a ypes. This hen allevia es he need for special universes such as he one employed by Paulson in his cons ruc ion of HOL da a ypes [11].
16
8
Norbert V¨ olker
A Semantical Domain for Z
Embedding a speci ca ion formalism such as Z [14] in higher order logic is a rac ive because of he au oma ion provided by heorem prover ools like he HOL sys em and Isabelle/HOL. In order o keep he embedding simple, i is advisable o reuse HOL’s infras ruc ure as much as possible. For yped formalisms, his means ha i s yping sys em should ideally be represen ed by ha of HOL. This is a problem in he case of Z as i would require record ypes no presen in HOL. Previous work [7, 8] on Z embeddings has sides epped his problem by encoding schemas before analyzing hem in HOL. This resul ed in shallow embeddings well sui ed for reasoning abou individual speci ca ions. However, he encoding made i di cul o derive general heorems abou he Z schema calculus i self. I also causes some duplica ion in proof e or s. As an al erna ive, we will represen Z values as elemen s of a single, monomorphic ype ZU . While his means ha Z yping has o be performed explici ly by induc ion in HOL, i provides a basis for a more fai hful model of he Z schema calculus in HOL. Following [5], we consider Z o be a yped se heory wi h na ural numbers as he only primi ive ype. Type forming opera ions are se s, binary produc s and records. In he con ex of Z, he la er are of en called schemas. As a rs s ep, he syn ac ical ype s ruc ure of Z is represen ed by a da a ype ZT : ZT = NatT SetT ZT PrdT ZT ZT RcdT (ZT rcd)
(12)
Here rcd is a 1ary ype cons ruc or of ypehomogeneous records. In o her words, rcd is he ype of all ni e mappings from some ype of iden i ers o . Such a ype cons ruc or can be de ned easily in HOL via a bijec ion wi h he se of all ni e, univalen rela ions of ype (strin ) set . Because of he ni eness, he recursion over his ype cons ruc or in (12) poses no problem, c.f. [11]. In order o apply he disjoin sum cons ruc ion, a class is required which con ains a  no necessarily unique  represen a ion of every Z value. As a rs a emp , we consider a class Z0 wi h ari y declara ions which follow he s ruc ure of he da a ype ZT : nat :: Z0 set :: (Z0 ) Z0 prd :: (Z0 Z0 ) Z0 rcd :: (Z0 ) Z0 Unfor una ely, he resul ing class Z0 does not con ain a fai hful represen a ion of all Z values. This is because he elds of a record in Z0 are all of he same ype, while for Z schemas, here is no such res ric ion. Ins ead, our approach relies on an encoding of records as labelled binary produc s. The corresponding ype cons ruc or lprd is: lprd = strin
Disjoint Sums over Type Classes in HOL
17
The emp y record is represen ed as he only elemen () of he oneelemen ype unit. As an example, here is he represen a ion of a record r which consis s of wo elds h and p associa ed wi h he values 1 and (2 3): r = < h = 1 p = (2 3) > = ( h 1 ( p (2 3) ())) The encoding of records is made unique by requiring ha labels occur a mos once and are sor ed in lexicographical order. Fur hermore, in order o dis inguish emp y se s of he same HOL ype bu di eren Z ype, se s will be labelled wi h heir Z ype. This relies on a ype cons ruc or tset such ha : tset =
set
ZT
The cons ruc ion of he Z universe is based on he following ype class Z: nat tset prd unit lprd
:: Z :: (Z) Z :: (Z Z) Z :: Z :: (Z Z) Z
While every Z value has a unique represen a ion in his class, here are elemen s of Z which do no represen a Z value: 1. Z con ains labelled produc s wi h duplica e or unsor ed labels. 2. Z con ains se s labelled wi h a Z ype which does no agree wi h he Z ype of all i s argumen s. Le (V emb) be a disjoin sum over Z. Then he spurious elemen s can be l ered ou wi h he help of appropria e predica es on V . The remaining subse of V s ill con ains a unique represen a ion of every Z value. In roducing a new ype ZU via an isomorphism wi h his subse yields a seman ic domain for Z in HOL.
9
Concludin Remarks
Disjoin sums are a familiar cons ruc ion in se heory. By represen ing inclusions as overloaded func ions, i becomes feasible o add disjoin sums over ype classes o HOL. From a model heore ic poin of view, his ex ension is s raigh forward. In par icular, i does no compromise consis ency. The key o a HOL axioma iza ion of he sum ypes lies in mirroring he ype s ruc ure of classes by HOL da a ypes. This hen allows a HOL de ni ion of he carrier of a ype. Using his func ion, he se  heore ic charac eriza ion of disjoin sums can be ransla ed easily o HOL. A similar developmen should be possible for produc s over ype classes. Two primary applica ions of he disjoin sum ypes are he suppor for generic cons ruc ions such as da a ypes and embeddings of formalisms wi h powerful ype sys ems. The la er was ske ched for he case of he speci ca ion language
18
Norbert V¨ olker
Z. I would be in eres ing o inves iga e he usefulness of he approach for o her generic cons ruc ions such as Sco ’s inverse limi s. Acknowled ments. Mos of he work described in his paper was carried ou as par of he projec Implemen ing Cons ruc ive Z , EPSRC research gran GR/L57913. Elwood Wilkins, Ray Turner and Mar in Henson have provided valuable feedback on previous versions of his paper. The anonymous referees deserve hanks for heir cons ruc ive cri icism.
References [1] J.Y. Girard. The system F of variable types, fteen years later. Theoretical Computer Science, 45:159 192, 1986. [2] M.J.C. Gordon. Set Theory, Hi her Order Lo ic or Both? In Gunter and Felty [4], pa es 191 201. [3] M.J.C. Gordon and T.F. Melham. Introduction to HOL. Cambrid e University Press, 1993. [4] E. L. Gunter and A. Felty, editors. Proceedin s of the 10th International Conference on Theorem Provin in Hi her Order Lo ics (TPHOLs’97), LNCS 1275. Sprin erVerla , 1997. [5] M.C. Henson and S. Reeves. A lo ic for the schema calculus. In J. P. Bowen, A. Fett, and M. G. Hinchey, editors, ZUM’98: The Z Formal Speci cation Notation, LNCS 1493, pa es 172 191. Sprin erVerla , 1998. [6] S.P. Jones and J. Hu hes, editors. HASKELL98: A Nonstrict, Purely Functional Lan ua e, February 1999. Online available via http://haskell.or /. [7] J.P.Bowen and M.J.C. Gordon. Z and HOL. In J.P. Bowen and J.A. Hall, editors, Z User Workshop, Cambrid e 1994, Workshops in Computin , pa es 141 167. Sprin erVerla , 1994. [8] Kolyan , T. Santen, and B. Wol . A Structure Preservin Encodin of Z in Isabelle/HOL. In J. von Wri ht, J. Grundy, and J. Harrison, editors, Theorem Provin in Hi her Order Lo ics 9th International Conference, LNCS 1125, pa es 283 298. Sprin er Verla , 1996. [9] L. Lamport and L.C. Paulson. Should your speci cation lan ua e be typed? Technical Report 425, Computer Laboratory, University of Cambrid e, May 1997. [10] Zhaohui Luo. A hi herorder calculus and theory abstraction. Information and Computation, 90(1):107 137, 1991. [11] L.C. Paulson. A xedpoint approach to implementin (co)inductive de nitions. In A. Bundy, editor, Automated Deduction CADE12, LNAI 814, pa es 148 161. Sprin erVerla , 1994. [12] L.C. Paulson. Isabelle: A Generic Theorem Prover. LNCS 828. Sprin erVerla , 1994. [13] F. Re ensbur er. HOLCF: Eine konservative Erweiterun von HOL um LCF. Dissertation an der Technischen Universit¨ at M¨ unchen, 1994. [14] J.M. Spivey. Understandin Z: a speci cation lan ua e and its formal semantics. Cambrid e Tracts in Theoretical Computer Science 3. Cambrid e University Press, 1988. [15] R. Turner. Sets, types and typecheckin . Journal of Lo ic and Computation, To Appear. [16] M. Wenzel. Type classes and overloadin in hi herorder lo ic. In Gunter and Felty [4], pa es 307 322.
Inductive Datatypes in HOL Lessons Learned in FormalLo ic En ineerin S efan Berghofer and Markus Wenzel Technische Universi ¨ a M¨ unchen Ins i u f¨ ur Informa ik, Arciss ra e 21, 80290 M¨ unchen, Germany http://www.in.tum.de/ ber hofe/ http://www.in.tum.de/ wenzelm/
Abstract. Isabelle/HOL has recen ly acquired new versions of de niional packages for induc ive da a ypes and primi ive recursive funcions. In con ras o i s predecessors and mos o her implemen a ions, Isabelle/HOL da a ypes may be mu ually and indirec recursive, even in ni ely branching. We also suppor inver ed da a ype de ni ions for charac erizing exis ing ypes as being induc ive ones la er. All our cons ruc ions are fully de ni ional according o es ablished HOL radi ion. S epping back from he logical de ails, we also see his work as a ypical example of wha could be called FormalLogic Engineering . We observe ha building realis ic heorem proving environmen s involves fur her issues ra her han pure logic only.
1
Introduction
Theorem proving sys ems for higherorder logics, such as HOL [5], Coq [4], PVS [15], and Isabelle [18], have reached a reasonable level of ma uri y o suppor non rivial applica ions. As an arbi rary example, consider Isabelle/Bali [14], which is an ex ensive formaliza ion of subs an ial par s of he Java ype sys em and opera ional seman ics under aken in Isabelle/HOL. Never heless, he curren s a eof hear is no he nal word on heorem proving echnology. Experience from sizable projec s such as Isabelle/Bali shows ha here are qui e a lo of requiremen s ha are only par ially me by exis ing sys ems. Focusing on he ac ual core sys em only, and ignoring fur her issues such as user in erfaces for heorem provers, here are several layers of concep s of varying logical s a us o be considered. This includes purely syn ac ic ools (parser, pre y prin er, macros), ype checking and ype inference, basic deducive ools such as (higherorder) uni ca ion or ma ching, proof procedures (bo h simple and au oma ic ones), and search u ili ies jus o name a few. Seen from a wider perspec ive, he ac ual underlying logic (se heory, ype heory e c.) becomes only one elemen of a much larger pic ure. Consequen ly, making a heorem proving sys em a success involves more han being good in he pure logic ra ing. There is a big di erence of being able o express cer ain concep s in principle in some given logic vs. o ering our cus omers scalable mechanisms for actually doin i in he sys em. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 19 36, 1999. c Sprin erVerla Berlin Heidelber 1999
20
S efan Berghofer and Markus Wenzel
Advanced de nitional mechanisms are a par icularly impor an aspec of any realis ic formallogic environmen . While working in he pure logic would be su cien in principle, ac ual applica ions demand no only ex ensive libraries of derived concep s, bu also general mechanisms for in roducing cer ain kinds of ma hema ical objec s. A ypical example of he la er would be induc ive se s and ypes, oge her wi h recursive func ion de ni ions. According o folklore, heorem proving is similar o programming, bu sligh ly more di cul . Apparen ly, he same holds for he corresponding developmen ools, wi h an even more severe gap of sophis ica ion, hough. For example, consider he presen s andard in in erac ive heorem proving echnology rela ed o ha of incremen al compilers for languages such as ML or Haskell. Apparen ly, our heorem provers are s ill much more primi ive and inaccessible o a wider audience han advanced programming language compilers. In par icular, de ni ional mechanisms, which are in fac resembling a heory compiler qui e closely, are of en much less advanced han our users would expec . An obvious way o amend for his, we argue, would be o ransfer general concep s and me hodologies from he es ablished disciplines of Sof ware and Sys ems Engineering o ha of heorem proving sys ems, even ually resul ing in wha could be called FormalLo ic En ineerin . Ge ing back o rm grounds, and he main focus of his paper, we discuss he new versions of advanced de ni ional mechanisms ha Isabelle/HOL has acquired recen ly: inductive or coinductive de ni ions of se s (via he usual Knas erTarski cons ruc ion, cf. [17]), induc ive da a ypes, and primi ive recursive func ions. Our primary e or s wen in o he datatype and primrec mechanisms [2], achieving a considerably more powerful sys em han had been available before. In par icular, da a ypes may now involve mutual and indirect recursion, and arbitrary branchin over exis ing ypes.1 Fur hermore, da a ype de ni ions may now be inverted in he sense ha exis ing ypes (such as na ural numbers) may be charac erized la er on as being induc ive, oo. The new packages have been designed for coopera ion wi h fur her subsysems of Isabelle/HOL already in mind: recdef for general wellfounded func ions [21, 22], and record for singleinheri ance ex ensible records [13]. Unques ionably, more such applica ions will emerge in he fu ure. The hierarchy of curren Isabelle/HOL de ni ional packages is illus ra ed below. No e ha constdef and typedef refer o HOL primi ives [5], and axclass o axioma ic ype classes [24]. constdef " b " bb " axclass coinductive inductive
"" recdef 1
"
datatype primrec
typedef ""
" b
bb record
Arbi rary (in ni e) branching is no ye suppor ed in Isabelle981.
Induc ive Da a ypes in HOL
21
The basic mode of opera ion of any advanced de ni ional package such as datatype is as follows: given a simple descrip ion of he desired resul heory by he user, he sys em au oma ically genera es a sizable amoun of charac eris ic heorems and derived no ions undernea h. There are di eren approaches, s emming from di eren logical radi ions, of how his is achieved exac ly. These approaches can be roughly charac erized as follows. Axiomatic The resul ing proper ies are genera ed syn ac ically only, and inroduced in o he heory as axioms (e.g. [16]). Inherent The underlying lo ic is extended in order o suppor he desired objec s in a very direc way (e.g. [20]). De nitional Taking an exis ing logic for gran ed, he new objec s are represen ed in erms of exis ing concep s, and he desired proper ies are derived from the de nitions wi hin he sys em (e.g. [2]). Any of hese approaches have wellknown advan ages and disadvan ages. For example, he de ni ional way is cer ainly a very hard one, demanding qui e a lo of special purpose heorem proving work of he package implemen a ion. On he o her hand, i is possible o achieve a very high quali y of he resul ing sys em bo h in he purely logical sense meaning ha no wrong axioms are asser ed and in a wider sense of heorem proving sys em echnology in general. The res of his paper is s ruc ured as follows. Sec ion 2 presen s some examples illus ra ing he userlevel view of Isabelle/HOL’s new datatype and primrec packages. Sec ion 3 briefly reviews formallogic preliminaries relevan for our work: HOL basics, simple de ni ions, induc ive se s. Sec ion 4 describes in de ail he class of admissible datatype speci ca ions, observing fundamen al limi a ions of classical se heory. Sec ion 5 recoun s echniques for cons ruc ing mu ually and indirec ly recursive, in ni ely branching da a ypes in HOL, including principles for induc ion and recursion. Sec ion 6 discusses some issues of in egra ing he purelylogical achievemen s in o a scalable working environmen .
2
Examples
As our rs oy example, we will formalize some aspec s of a very simple funcional programming language, consis ing of ari hme ic and boolean expressions formalized as ypes aexp and bexp (parame er is for program variables). datatype
and
aexp = If ( bexp) ( aexp) ( aexp) Sum ( aexp) ( aexp) Var Num nat bexp = Less ( aexp) ( aexp) And ( bexp) ( bexp)
This speci ca ion emi s qui e a lo of ma erial in o he curren heory con ex , rs of all injec ive func ions Sum :: aexp aexp aexp e c. for any of he da a ype cons ruc ors. Each valid expression of our programming language
22
S efan Berghofer and Markus Wenzel
is deno ed by a well yped cons ruc or erm. Func ions on induc ive ypes are ypically de ned by primi ive recursion. We now de ne evalua ion func ions for ari hme ic and boolean expressions, depending on an environmen e :: nat. consts evala :: ( nat) aexp nat evalb :: ( nat) bexp bool pr mrec evala e (If b a1 a2 ) = (if evalb e b then evala e a1 else evala e a2 ) evala e (Sum a1 a2 ) = evala e a1 + evala e a2 evala e (Var v) = e v evala e (Num n) = n evalb e (Less a1 a2 ) = (evala e a1 < evala e a2 ) evalb e (And b1 b2 ) = (evalb e b1 evalb e b2 )
Similarly, we may de ne subs i u ion func ions for expressions. The mapping s :: aexp given as a parame er is lif ed canonically on aexp and bexp. consts substa :: ( aexp) aexp aexp substb :: ( aexp) bexp bexp pr mrec substa s (If b a1 a2 ) = If (substb s b) (substa s a1 ) (substa s a2 ) substa s (Sum a1 a2 ) = Sum (substa s a1 ) (substa s a2 ) substa s (Var v) = s v substa s (Num n) = Num n substb s (Less a1 a2 ) = Less (substa s a1 ) (substa s a2 ) substb s (And b1 b2 ) = And (substb s b1 ) (substb s b2 )
The rela ionship be ween subs i u ion and evalua ion can be expressed by: lemma evala e (substa s a) = evala ( x evala e (s x)) a evalb e (substb s b) = evalb ( x evala e (s x)) b
We can prove his heorem by s raigh forward reasoning involving mutual s rucural induc ion on a and b, which is expressed by he following rule: b a1 a2 Q b
P a1
P a2 =
a1 a2 P a 1
P a2
=
P a
P (If b a1 a2 ) Q (Less a1 a2 )
Qb
As a sligh ly more advanced example we now consider he ype ( γ)tree, which is made arbi rarily branching by nes ing an appropria e func ion ype. datatype (
γ)tree = Atom
Branch
(γ
(
γ)tree)
Here s ands for leaf values, for branch values, γ for sub ree indexes. I is impor an o no e ha γ may be any ype, including an in ni e one such as nat; i need no even be a da a ype. The induc ion rule for ( γ)tree is a P (Atom a)
b f ( x P (f x)) = P t
P (Branch b f )
Induc ive Da a ypes in HOL
23
No e how we may assume ha he predica e P holds for all values of f , all subrees, in order o show P (Branch b f ). Using his induc ion rule, Isabelle/HOL au oma ically proves he exis ence of combina or treerec for primi ive recursion: treerec :: ( ) ( (γ ( γ)tree) (γ ) treerec f1 f2 (Atom a) = f1 a treerec f1 f2 (Branch b f ) = f2 b f ((treerec f1 f2 ) f )
)
(
γ)tree
In he case of Branch, he func ion treerec f1 f2 is recursively applied o all funcion values of f , i.e. o all sub rees. As an example primi ive recursive func ion on ype tree, consider he func ion member c which checks whe her a ree con ains some Atom c. I could be expressed as treerec ( a a = c) ( b f f 0 x f 0 x). Isabelle/HOL’s primrec package provides a more accessible in erface: pr mrec member c (Atom a) = (a = c) member c (Branch b f ) = ( x member c (f x))
3 3.1
FormalLo ic Preliminaries The Lo ic of Choice?
This ques ion is a ra her sub le one. Ac ually, when i comes o real applica ions wi hin a large sys em developed over several years, here is no much choice lef abou he underlying logic. Changing he very founda ions of your world may be a very bad idea, if one cares for he exis ing base of libraries and applica ions. HOL [5], s emming from Church’s Simple Theory of Types [3] has proven a robus base over he years. Even if simplis ic in some respec s, HOL proved capable of many sophis ica ed cons ruc ions, some imes even because of seeming weaknesses. For example, due o simple ypes HOL admi s in eres ing concep s such as in ralogical overloading [24] or objec orien ed fea ures [13]. Our cons ruc ions for induc ive ypes only require plain simply yped se heory, hough. 3.2
Isabelle/HOL
SimplyTyped Set Theory
The syn ax of HOL is ha of simply yped calculus. Types are ei her variables , or applica ions ( 1 n )t, including func ion ypes 1 2 (righ associaive in x). Terms are ei her yped cons an s c or variables x , applica ions (t u) or abs rac ions x t. Terms have o be well yped according o s andard rules. Theories consis of a signa ure of ypes and cons an s, and axioms. Any heory induces a se of derivable heorems , depending on a xed se of deduc ion rules ha s a e several obvious fac s of classical se heory. S ar ing from a minimalis ic basis heory, all fur her concep s are developed de nitionally. Isabelle/HOL provides many s andard no ions of classical se  heory. Se s are of ype set; in x f A refers o he image, vima e f A o he reverse image of f on A; inv f inver s a func ion; lfp F and fp F are he leas and grea es xpoin s of F on he powerse la ice. The sum ype + has cons ruc ors Inl and Inr. Mos o her opera ions use s andard ma hema ical no a ion.
24
3.3
S efan Berghofer and Markus Wenzel
Simple De nitions
The HOL me hodology dic a es ha only de nitional heory ex ension mechanisms may be used. HOL provides wo primi ive mechanisms: constant de nitions and type de nitions [5], fur her de ni ional packages are buil on op. Constant de nition We may add a new cons an c o he signa ure and vn t, provided ha c does no in roduce an axiom of he form c v1 vn . occur in t, TV (t) TV (c) and FV (t) v1 Type de nition Le trep be a erm of ype set describing a nonemp y se , i.e. u trep for some u. Moreover, require TV (trep) 1 n . We may hen add he ype ( 1 n )t and he following cons an s Abst :: Rept :: (
( 1
n )t
1
(
n )t
Abst
1
n )t
Rept
o he signa ure and in roduce he axioms Abst (Rept x) = x y trep = Rept (Abst y) = y Rept x trep

trep
(Reptinverse) (Abstinverse) (Rept)
Type de ni ions are a sligh ly peculiar fea ure of HOL. The idea is o represen new ypes by subse s of already exis ing ones. The axioms above s a e ha here is a bijec ion (isomorphism) be ween he se trep and he new ype ( 1 n )t. This is jus i ed by he s andard se  heore ic seman ics of HOL [5].
3.4
Inductive De nitions
An inductive [17] de ni ion speci es he least se closed under cer ain introduction rules generally, here are many such closed se s. Essen ially, an induc ively de ned se is he leas xpoin lfp F of a cer ain mono one func ion F , where lfp F = x F x x . The KnasterTarski heorem s a es ha lfp F is indeed a xpoin and ha i is he leas one, i.e. F (lfp F ) = lfp F and F P lfp F
P P
F (lfp F P ) lfp F P
P
where P is he se of all elemen s sa isfying a cer ain predica e. Bo h rules embody an induc ion principle for he se lfp F . The second (s ronger) rule is easily derived from he rs one, because F is mono one. See [17] for more de ailes on how o de ermine a sui able func ion F from a given se of in roduc ion rules. Sn , one rs builds he sum When de ning several mutually inductive sets S1 T of hese and hen ex rac s se s S from T wi h he help of he inverse image opera or vima e, i.e. S = vima e in T , where in is a sui able injec ion.
Induc ive Da a ypes in HOL
4
25
Datatype Speci cations
4.1
General Form
A general datatype speci ca ion in Isabelle/HOL is of he following form: datatype (
1
h )t1
= C11
1 11
1 1 m1 1
and
1
h )tn
= C1n
n 11
n 1 mn 1
(
Ck11
1 k1 1
Cknn
j
1 k1 m1
k1
n kn 1
n kn mn
kn
j
where are ype variables, cons ruc ors C are dis inc , and 0 are admissible j ypes con aining a mos he ype variables 1 0 occurring h . Some ype j ( 1 in such a speci ca ion is admissible i ( 1 0 h )t1 h )tn where is induc ively de ned by he following rules: Γ nonrecursive occurrences: where is nonrecursive, i.e. does no con ain any of he newly de ned tn ype cons ruc ors t1 recursive occurrences: Γ nested recursion involvin function types: Γ Γ
where is nonrecursive nested recursion involvin existin datatypes: (
1
h
)t 1
(
1
h
)t n
Γ
1 11
(
1
h
)t 1
(
1
h
)t n
Γ
n kn mn
Γ
1
kn
(
1
h
1
h
1
h
1
h
h
)t j 0
where tj 0 is he ype cons ruc or of an exis ing da a ype speci ed by datatype (
1
h )t 1
= D11
1 11
1 1 m1 1
and
1
h )t n
= D1n
n 11
n 1 mn 1
(
Dk1
1
Dkn
n
1 k1 1 n kn 1
1 k1 m1
k1
n kn mn
kn
I is impor an o no e ha he admissibili y rela ion is no de ned wi hin HOL, bu as an ex ralogical concep . Before a emp ing o cons ruc a da a ype, an ML func ion of he datatype package checks if he user inpu respec s he rules described above. The poin of his check is not o ensure correc ness of he cons ruc ion, bu o provide highlevel error messages. Nonemptiness HOL does no admi emp y ypes. Each of he new da a ypes j n is guaran eed o be nonemp y i i has a con( 1 h )tj wi h 1 j s ruc or C wi h he following proper y: for all argumen ypes j 0 of he form ( 1 h )tj 0 he da a ype ( 1 h )tj 0 is nonemp y. If here are no nes ed occurrences of he newly de ned da a ypes, obviously a leas one of he newly de ned da a ypes ( 1 h )tj mus have a cons ruc or
26
S efan Berghofer and Markus Wenzel
C j wi hou recursive argumen s, a base case, o ensure ha he new ypes are nonemp y. If here are nes ed occurrences, a da a ype can even be nonemp y wi hou having a base case i self. For example, wi h list being a nonemp y da a ype, datatype t = C (t list) is nonemp y as well. Jus like described above, nonemp iness of da a ypes is checked by an ML func ion before invoking he ac ual HOL typedef primi ive, which would never accep emp y ypes in he rs place, bu repor a lowlevel error. 4.2
Limitations of SetTheoretic Datatypes
Cons ruc ing da a ypes in se  heory has some wellknown limi a ions wr . nes ing of he full func ion space. This is reflec ed in he de ni ion of admissible ypes given above. The las wo cases of rela e o nested (or indirect ) occurrences of some of he newly de ned ypes ( 1 h )tj 0 in a ype expression )t0 , where t0 may ei her be he ype of he form ( ( 1 h )tj 0 cons ruc or of an already exis ing da a ype or he ype cons ruc or for he full func ion space. In he la er case, none of he newly de ned ypes may occur in he rs argumen of he ype cons ruc or , i.e. all occurrences mus be strictly positive. If we were o drop his res ric ion, he da a ype could no be cons ruc ed (cf. [6]). Recall ha in classical se  heory here is no injec ion of ype (t ) , t according o Cantor’s theorem, if has more han one elemen ; ) , (( t) ), because here is an here is an injec ion in1 :: (t injec ion ( c x c) :: t , ( t); ) , ((t ) ), if has more han one here is an injec ion in2 :: (t elemen , since ( x y x = y) :: (t ) , ((t ) bool) is an injec ion and here is an injec ion bool , . Thus da a ypes wi h any cons ruc ors of he following form datatype t = C (t
bool)
D ((bool
t)
bool)
E ((t
bool)
bool)
canno be cons ruc ed, because we would have injec ions C, D in1 and E in2 of ype (t bool) , t, in con radic ion o Can or’s heorem. In par icular, induc ive ypes in se  heory do not admi only weakly posi ive occurrences of nes ed func ion spaces. Moreover, nes ing via da a ypes exposes ano her sub le poin when ins an ia ing even nonrecursive occurrences of func ion ypes: while datatype ( )t = C ( bool) D ( list) is legal, he speci ca ion of datatype γ u = E ((γ u γ)t) F is no , because i would yield he injec ion E C :: (γ u bool) , γ u; datatype γ u = E ((γ γ u)t) F is again legal. Recall ha our no ion of admissible da a ype speci ca ions is an ex ralogical one reflec ing he way nes ing is handled in he cons ruc ion (see 5.4). In con ras , [23] internalizes nes ed da a ypes in o he logic, wi h he unexpec ed e ec ha even nonrecursive func ion spaces have o be excluded. The choice of in ernalizing vs. ex ernalizing occurs very of en when designing logical sys ems. In fac , an impor an aspec of formallogic engineering is o ge he overall arrangemen of concep s a di erent layers done righ . The no ions of deep vs. shallow embeddin can be seen as a special case of his principle.
Induc ive Da a ypes in HOL
5
27
Constructin Datatypes in HOL
We now discuss he cons ruc ion of he class of induc ive ypes given in 4.1. According o 3.3, new ypes are de ned in HOL seman ically by exhibi ing a sui able represen ing se . S ar ing wi h a universe ha is closed wr . cer ain injec ive opera ions, we cu ou he represen ing se s of da a ypes induc ively using KnasterTarski (cf. [17]). Thus having ob ained free induc ive ypes, we cons ruc several derived concep s, in par icular primi ive recursion. 5.1
Universes for Representin Recursive Types
We describe he ype ( )dtree of rees, which is a varian of he universe formalized by Paulson [19], ex ended o suppor arbi rary branching. Type dtree provides he following opera ions: Leaf ::
(
In0 In1 :: ( Pair :: (
)dtree )dtree
)dtree
Lim :: (
(
( (
)dtree)
)dtree )dtree (
(
)dtree
)dtree
embedding nonrecursive occurrences of ypes modeling dis inc cons ruc ors modeling cons ruc ors wi h mul iple argumen s embedding func ion ypes (in ni ary produc s)
All opera ions are injec ive, e.g. Pair t1 t2 = Pair t01 t02 t1 = t01 t2 = t02 0 0 0 and Lim f = Lim f f = f . Fur hermore, In0 t = In1 t for any t and t0 . Modelin Trees in HOL Settheory A ree essen ially is a se of nodes. Each node has a value and can be accessed via a unique path. A pa h can be modeled by a func ion ha , given a cer ain depth index of ype nat, re urns a branching label (e.g. also nat). The gure below shows a ni e ree and i s represen a ion.
d a
d
d
a4
@ ,2 a2 1 @ , , @ ,2 a1 1 @, ,2
[email protected] @,
d
T = (f1 a1 ) (f2 a2 ) (f a ) (f4 a4 )
where f1 f2 f f4
= = = =
(1 (2 (2 (2
0 1 2 2
0 ) 0 0 ) 1 0 0 ) 2 0 0 )
Here, a branching label of 0 indica es endofpa h. In he sequel, we will allow a node o have ei her a value of ype bool or any ype . As branching labels, we will admi elemen s of ype nat or any ype . Hence we de ne ype abbrevia ions ( (
)node = (nat ( + nat)) )dtree = (( )node)set
( + bool)
28
S efan Berghofer and Markus Wenzel
where he rs componen of a node represen s he pa h and he second componen represen s i s value. We can now de ne opera ions push :: ( + nat) ( )node ( )node push x n ( i (case i of 0 x Suc j fst n j) snd n) Pair :: ( )dtree ( )dtree ( )dtree Pair t1 t2 (push (Inr 1) t1 ) (push (Inr 2) t2 )
The func ion push adds a new head elemen push x ((y0 y1
) a) = ((x y0 y1
o he pa h of a node, i.e.
) a)
The func ion Pair joins wo rees t1 and t2 by adding he dis inc elemen s 1 and 2 o he pa hs of all nodes in t1 and t2 , respec ively, and hen forming he union of he resul ing se s of nodes. Fur hermore, we de ne func ions Leaf and Ta for cons ruc ing a omic rees of dep h 0: Leaf :: Leaf a
( )dtree ( x Inr 0 Inl a)
Ta :: bool ( )dtree Ta b ( x Inr 0 Inr b)
Basic se  heore ic reasoning shows ha Pair, Leaf and Ta are indeed injec ive. We also de ne In0 and In1 which urn ou o be injec ive and dis inc . In0 :: ( )dtree ( )dtree In0 t Pair (Ta false) t
In1 :: ( )dtree ( In1 t Pair (Ta true) t
)dtree
Func ions (i.e. in ni ary produc s) are embedded via Lim as follows:
Lim Lim f
:: (
( z
)dtree) ( )dtree x z = push (Inl x) (f x)
AA f x1 AA f x2 A A A A Q Q x1QQ x2 Q Q
Tha is, for all x he pre x x is added o he pa h of all nodes in f x, and he union of he resul ing se s is formed. No e ha some elemen s of ( )dtree, such as rees wi h nodes of in ni e dep h, do no represen proper elemen s of da a ypes. However, hese junk elemen s are excluded when induc ively de ning he represen ing se of a da a ype. 5.2
Constructin an Example Datatype
As a simple example, we will now describe he cons ruc ion of he ype speci ed by datatype list = Nil Cons ( list).
list,
The Representin Set The da a ype list will be represen ed by he se listrep :: (( unit)dtree)set. Since is he only ype occurring nonrecursively in he speci ca ion of list, he rs argumen of dtree is jus . If more ypes would occur nonrecursively, he rs argumen would be he sum of hese ypes. Since
Induc ive Da a ypes in HOL
29
here is no nes ed recursion involving func ion ypes, he second argumen of dtree is jus he dummy ype unit. We de ne listrep induc ively: Nilrep
listrep
ys listrep Consrep y ys listrep
Nilrep Consrep y ys
In0 dummy In1 (Pair (Leaf y) ys)
Constructors Invoking he ype de ni ion mechanism described in 3.3 in roduces he abs rac ion and represen a ion func ions Abslist :: ( unit)dtree list Replist :: list ( unit)dtree
as well as he axioms Replistinverse, Abslistinverse and Replist. Using hese func ions, we can now de ne he cons ruc ors Nil and Cons: Nil Cons x xs
Abslist Nilrep Abslist (Consrep x (Replist xs))
Freeness We can now prove ha Nil and Cons are dis inc and ha Cons is x = x0 xs = xs 0 . injec ive, i.e. Nil = Cons x xs and Cons x xs = Cons x0 xs 0 Because of he isomorphism be ween list and listrep, he former easily follows from he fac ha In0 and In1 are dis inc , while he la er is a consequence of he injec ivi y of In0, In1 and Pair. Structural Induction For P Nil
x xs P xs = P xs
list an induc ion rule of he form
P (Cons x xs)
(listind)
can be proved using he induc ion rule Q Nilrep
y ys Q ys ys listrep = Q (Consrep y ys) (listrepind ) ys listrep = Q ys
for he represen ing se listrep derived by he induc ive de ni ion package from he rules described in 3.4. To prove listind, we show ha P xs can be deduced from he assump ions P Nil and x xs P xs = P (Cons x xs) by he deriva ion = P (Cons y (Abslist ys)) = P (Abslist (Consrep y (Replist (Abslist ys)))) y ys P (Abslist ys) ys listrep = P (Abslist (Consrep y ys)) Replist xs listrep = P (Abslist (Replist xs)) P xs
S ar ing wi h he goal P xs, we rs use he axioms Replistinverse and Replist , in roducing he local assump ion Replist xs listrep and unfolding xs o Abslist (Replist xs). Now listrepind can be applied, where Q and ys are ins an ia ed wi h P Abslist and Replist xs, respec ively. This yields wo new subgoals, one for he Nilrep case and one for he Consrep case. We will only consider he Consrep case here: using axiom Abslistinverse oge her wi h he local assump ion ys listrep, we unfold ys o Replist (Abslist ys). Applying he de ni ion of Cons, we fold Abslist (Consrep y (Replist (Abslist ys))) o
30
S efan Berghofer and Markus Wenzel
Cons y (Abslist ys). Obviously, P (Cons y (Abslist ys)) follows from he local assump ion P (Abslist ys) using he assump ion x xs P xs = P (Cons x xs). In principle, induc ive ypes are already fully de ermined by freeness and s ruc ural induc ion. Applica ions demand addi ional derived concep s, of course, such as case analysis, size func ions, and primi ive recursion. Primitive Recursion A func ion on lis s is primitive recursive i expressed by a sui able ins an ia ion of he recursion combina or
i can be
listrec :: ( list ) list listrec f1 f2 Nil = f1 listrec f1 f2 (Cons x xs) = f2 x xs (listrec f1 f2 xs)
As has been poin ed ou in [8], a ra her elegan way of cons ruc ing he func ion listrec is o build up i s graph listrel by an induc ive de ni ion and hen de ne listrec in erms of listrel using Hilber ’s choice opera or : (Nil f1 )
listrel f1 f2
listrec f1 f2 xs
(xs y) listrel f1 f2 (Cons x xs f2 x xs y) listrel f1 f2
y (xs y)
listrel f1 f2
To derive he charac eris ic equa ions for listrec given above, we show ha listrel does indeed represen a o al func ion, i.e. for every lis xs here is a unique y such ha (xs y) listrel f1 f2 . The proof is by s ruc ural induc ion on xs. 5.3
Mutual Recursion
Mu ually recursive da a ypes, such as aexp and bexp in roduced in 2 are rea ed qui e similarly as above. Their represen ing se s aexprep and bexprep of ype (( unit)dtree)set as well as he graphs aexprel and bexprel of he primi ive recursion combina ors are de ned by mutual induc ion. For example, he rules for cons ruc or Less are: b1 aexprep b2 aexprep In0 (Pair b1 b2 ) bexprep
5.4
(x1 y1 ) aexprel f1 f6 (x2 y2 ) aexprel f1 f6 (Less x1 x2 f5 x1 x2 y1 y2 ) bexprel f1 f6
Nested Recursion
Da a ype (
)term is a ypical example for nes ed (or indirec ) recursion:
datatype (
)term = Var
App
(((
)term)list)
As poin ed ou in [6, 7], da a ype speci ca ions wi h nested recursion can concepually be unfolded o equivalen mutual da a ype speci ca ions wi hou nes ing. We also follow his ex ralogical approach, avoiding he complica ions of in ernalized nes ing [23]. Unfolding he above speci ca ion would yield: datatype ( and (
)term = Var )termlist = Nil
App (( )termlist) Cons (( )term) (( )termlist)
Induc ive Da a ypes in HOL
31
However, i would be a bad idea o ac ually in roduce he ype ( )termlist and he cons ruc ors Nil0 and Cons0 , because his would preven us from reusing common lis lemmas in proofs abou erms. Ins ead, we will prove ha he represen ing se of ( )termlist is isomorphic o he ype (( )term)list. The Representin Set We induc ively de ne he se s termrep and termlistrep of ype (( + unit)dtree)set by he rules In0 (Leaf (Inl a))
termrep
ts termlistrep In1 (Pair (Leaf (Inr b)) ts) termrep t
In0 dummy
termlistrep
termrep ts termlistrep In1 (Pair t ts) termlistrep
Since here are wo ypes occurring nonrecursively in he da a ype speci ca ion, namely and , he rs argumen of dtree becomes + . De nin a Representation Function Invoking he ype de ni ion mechanism for term in roduces he func ions Absterm :: ( + unit)dtree Repterm :: ( )term ( +
( )term unit)dtree
for abs rac ing elemen s of termrep and for ob aining he represen a ion of elemen s of ( )term. To ge he represen a ion of a lis of erms we now de ne Reptermlist :: (( )term)list ( + unit)dtree Reptermlist Nil = In0 dummy Reptermlist (Cons t ts) = In1 (Pair (Repterm t) (Reptermlist ts))
De ermining he represen a ion of Nil is rivial. To ge he represen a ion of Cons t ts, we need he represen a ions of t and ts. The former can be ob ained using he func ion Repterm in roduced above, while he la er is ob ained by a recursive call of Reptermlist. Obviously, Reptermlist is primi ive recursive and can herefore be de ned using he combina or listrec: Reptermlist Abstermlist
listrec (In0 dummy) ( t ts y In1 (Pair (Repterm t) y)) inv Reptermlist
I is a key observa ion ha Abstermlist and Reptermlist have he proper ies Abstermlist (Reptermlist xs) = xs ys termlistrep = Reptermlist (Abstermlist ys) = ys Reptermlist xs termlistrep
i.e. (( )term)list and termlistrep are isomorphic, which can be proved by s ruc ural induc ion on list and by induc ion on reptermlist. Looking a he HOL ype de ni ion mechanism once again ( 3.3), we no ice ha hese proper ies have exac ly he same form as he axioms which are in roduced for ac ual newly de ned ypes. Therefore, all of he following proofs are he same as in he case of mu ual recursion wi hou nes ing, which simpli es ma ers considerably. Constructors Finally, we can de ne he cons ruc ors for term: Var a App b ts
Absterm (In0 (Leaf (Inl a))) Absterm (In1 (Pair (Leaf (Inr b)) (Reptermlist ts)))
32
5.5
S efan Berghofer and Markus Wenzel
In nitely Branchin Types γ)tree, cf. 2.
We show how o cons ruc in ni ely branching ypes such as (
The Representin Set treerep will be of ype (( + γ)dtree)set. Since he wo ypes and occur nonrecursively in he speci ca ion, he rs argumen of dtree is he sum + of hese ypes. The only branching ype, i.e. a ype occurring on he lef of some , is γ. Therefore, γ is he second argumen of dtree. We de ne treerep induc ively by he rules In0 (Leaf (Inl a))
g Funs treerep In1 (Pair (Leaf (Inr b)) (Lim g))
treerep
treerep
where he premise g Funs treerep means ha all func ion values of g represen rees. The monotone func ion Funs is de ned by Funs :: Funs S
set ( g ran e g
)set S
Constructors We de ne he cons ruc ors of tree by Atom a Branch b f
Abstree (In0 (Leaf (Inl a))) Abstree (In1 (Pair (Leaf (Inr b)) (Lim (Reptree f ))))
The de ni ion of Atom is s raigh forward. To form a Branch from elemen b and sub rees deno ed by f , we rs de ermine he represen a ion of he sub rees by composing f wi h Reptree and hen represen he resul ing func ion using Lim. Structural Induction The induc ion rule for ype tree shown in 2 can be derived from he corresponding induc ion rule for he represen ing se treerep by ins an ia ing Q and u wi h P Abstree and Reptree, respec ively: a Q (In0 (Leaf (Inl a))) bg g
Funs (treerep
x Qx )= u
Q (In1 (Pair (Leaf (Inr b)) (Lim g)))
treerep =
Qu
The unfold/fold proof echnique already seen in 5.2 can also be ex ended o func ions: if g Funs treerep, hen g = Reptree (Abstree g). Primitive Recursion Again, we de ne he treerec combina or given in 2 by cons ruc ing i s graph treerel induc ively: f (Atom a f1 a)
treerel f1 f2
compose f (treerel f1 f2 )
(Branch b f f2 b f f )
treerel f1 f2
The monotone func ion compose used in he second rule is de ned by compose :: ( compose f R f
) ( γ)set ( x (f x f x) R
γ)set
The se compose f R consis s of all func ions ha can be ob ained by composing he func ion f wi h he rela ion R. Since R may no necessarily represen a o al func ion, compose f R can also be emp y or con ain more han one func ion.
Induc ive Da a ypes in HOL
33
However, if for every x here is a unique y such ha (f x y) treerel f1 f2 , hen here is a unique f 0 wi h f 0 compose f (treerel f1 f2 ). This is he key proper y used o prove ha treerel f1 f2 represen s a o al func ion. Even More Complex Function Types The cons ruc ion described above can be made sligh ly more general. Assume we wan o de ne he da a ype t, whose t, where datatype speci ca ion con ains func ion ypes 1 mi 1 i n. The represen ing se trep hen has he ype ((
(
1 1
1 m1 )
+
n 1
+(
n mn ))dtree)set
The represen a ion of a func ion f ::
Lim (sumcase dummy dummy (Rept ((uncurry i−1
imes
t is
mi
1
uncurry) fi )) dummy
mi −1
imes
n−i
dummy) imes
where uncurry :: ( sumcase :: (
γ) 1
)
γ (
n
)
1
+
+
n
are injec ive, i.e. uncurry f = uncurry g i f = g, and sumcase f1 gn i f1 = g1 fn = gn . sumcase g1
6 6.1
fn =
Buildin a Workin Environment Invertin Datatype De nitions
The hierarchy of de ni ional packages, as illus ra ed in 1, and he dependency of auxiliary heories used for he cons ruc ion are of en in conflic . For example, we have used basic ypes such as nat, + , for he universe underlying da a ypes. Any of hese could be charac erized as induc ive ypes, bu had o be buil manually , because datatype had no ye been available a ha s age. Of course, we would like o keep he Isabelle/HOL s andard library free of any such acciden al arrangemen s due o bootstrap problems of he HOL logic. No e ha wi h mos ypes being ac ual da a ypes o ering he s andard reper oire of derived concep s such as induc ion, recursion, pa ern ma ching by cases e c. he resul ing sys em would become concep ually much simpler, wi h less special cases. Fur hermore, proper da a ypes may again par ake in indirec recursion. Users cer ainly expec o be able o nes ypes via + and . We propose inverted datatype de nitions as an answer o he above problem. Given a ype oge her wi h freeness and induc ion heorems, he repdatatype mechanism gures ou he se of cons ruc ors and does all he res of s andard da a ype cons ruc ions au oma ically. Thus we avoid cycles in heory/package dependencies in a clean way. No e ha he same mechanism is used in ernally when unwinding indirec recursion (reconsider termlist vs. term list in 5.4). From a purely logical poin of view one would probably approach boo s rap issues di eren ly. For example, [8] provides a very careful developmen of he
34
S efan Berghofer and Markus Wenzel
heory underlying he da a ype cons ruc ion, reducing he requiremen s o a bare minimum, even avoiding na ural numbers. In eres ingly he ac ual implemen a ion does no fully follow his scheme, bu does use na ural numbers. 6.2
Cooperation of De nitional Packa es
As depic ed in 1, some Isabelle/HOL packages are buil on op of each o her. For example, record [13] cons ruc s ex ensible records by de ning a separa e (nonrecursive) da a ype for any record eld. O her packages such as recdef [21, 22] refer o cer ain informa ion abou da a ypes which are involved in wellfounded recursion (e.g. size func ions). We see ha some provisions have o be made in order o suppor cooperation of de ni ional packages properly. In par icular, here should be means o s ore auxiliary informa ion in heories. Then packages such as datatype would associa e su cien source level informa ion wi h any ype, such as he se of cons ruc ors, induc ion rule, and primrec combina or. Thus we ge a more robus and scalable sys em han by rying o weed hrough he primi ive logical declara ions emi ed by he package. Isabelle981 does already suppor an appropria e heory da a concep .2 Wi h ex ralogical informa ion associa ed wi h logical objec s, we may also o er users a more uniform view o cer ain general principles. For example, proof by induc ion or case analysis may be applied o some x, wi h he ac ual ac ic gured ou in ernally. Also no e ha by deriving de ni ional mechanisms from o hers, such as record from datatype, hese opera ions are inherited. Thus case analysis e c. on record elds would become he same as on plain da a ypes.
7
Conclusion and Related Work
We have discussed Isabelle/HOL’s new de ni ional packages for induc ive ypes and (primi ive) recursive func ions (see also [2]) a wo di eren levels of concep . A he logical level, we have reviewed a se  heore ic cons ruc ion of mu ual, nes ed, arbi rarily branching ypes oge her wi h primi ive recursion combinaors. S ar ing wi h a schema ic universe of rees similar o [19], bu ex ended o suppor in ni ely branching we have cu ou represen ing se s for induc ive ypes using he usual Knas erTarski xedpoin approach [17, 8]. S epping back from he pure logic a bi , we have also discussed fur her issues we considered impor an o achieve a scalable and robus working environmen . While his cer ainly does no ye cons i u e a sys ema ic discipline of FormalLogic Engineering , we argue ha i is an impor an line o follow in order o provide heorem proving sys ems ha are successful a a larger scale. Wi h a sligh ly di eren focus, [1] discusses approaches o Proof Engineering . The impor ance of advanced de ni ional mechanisms for applica ions has already been observed many years ago. Melham [12] pioneers a HOL da a ype 2
In eres ingly, while admi ing arbi rary ML values o be s ored, his mechanism can be made typesafe wi hin ML (see also [11]).
Induc ive Da a ypes in HOL
35
package (wi hou nes ing), ex ended la er by Gun er [6, 7] o more general branching. Paulson [17] es ablishes Knas erTarski as he primary principle underlying (co)induc ive ypes; he implemen a ion in Isabelle/ZF se  heory also suppor s in ni e branching. V¨ olker [23] proposes a version of da a ypes for Isabelle/HOL wi h nes ed recursion internalized in o he logic, resul ing in some unexpec ed res ric ions of nonrecursive occurrences of func ion spaces. Harrison [8] under akes a very careful logical developmen of mu ual da a ypes based on cardinali y reasoning, aiming o reduce he auxiliary heory requiremen s o a minimum. The implemen a ion (HOL Ligh ) has recen ly acquired nes ing, oo. Our Isabelle/HOL packages for datatype and primrec have been carefully designed o suppor a superse of func ionali y, bo h wi h respec o he purely logical vir ues and as i s in egra ion in o a scalable sys em. This is in ended no as he end of he s ory, bu he beginning of he nex s age. Codatatypes would follow from Knas erTarski by duali y qui e na urally (e.g. [17]), as long as simple cases are considered. Nes ing coda a ypes, or even mixing da a ypes and coda a ypes in a useful way is very di cul . While [10] proposes a way of doing his, i is unclear how he informal ca egorical reasoning is o be ransferred in o he formal se  heory of HOL (or even ZF). Nonfreely enerated ypes would indeed be very useful if made available for nes ing. Typical applica ions refer o some ype ha con ains a ni ary environmen of i self. Curren ly his is usually approxima ed by nes ing ( ) list. Ac ual combination of de nitional packages would be ano her impor an s ep owards more sophis ica ed s andards, as are es ablished in func ional language compiler echnology, for example. While we have already achieved decen coopera ion of packages ha are buil on op of each o her, here is s ill a signi can gap owards arbi rary combina ion (mu ual and nes ed use) of separa e packages. In curren Haskell compilers, for example, any module (read heory ) may consis of arbi rary declara ions of classes, ypes, func ions e c. all of which may be referred o mu ually recursive. Obviously, heorem prover echnology will s ill need some ime o reach ha level, aking in o accoun ha compila ion means ac ual heorem proving work o be provided by he de ni ional packages.
References [1] H. P. Barendreg . The ques for correc ness. In Ima es of SMC Research, pages 39 58. S ich ing Ma hema isch Cen rum, Ams erdam, 1996. [2] S. Berghofer. De ni orische Kons ruk ion induk iver Da en ypen in Isabelle/HOL (in German). Mas er’s hesis, Technische Universi ¨ a M¨ unchen, 1998. [3] A. Church. A formula ion of he simple heory of ypes. Journal of Symbolic Lo ic, pages 56 68, 1940. [4] C. Cornes, J. Couran , J.C. Fillia re, G. Hue , P. Manoury, and C. Munoz. The Coq Proof Assistant User’s Guide, version 6.1. INRIARocquencour e CNRSENS Lyon, 1996. [5] M. J. C. Gordon and T. F. Melham (edi ors). Introduction to HOL: A theorem provin environment for hi her order lo ic. Cambridge Universi y Press, 1993.
36
S efan Berghofer and Markus Wenzel
[6] E. L. Gun er. Why we can’ have SML s yle datatype declara ions in HOL. In L. J. M. Claesen and M. J. C. Gordon, edi ors, Hi her Order Lo ic Theorem Provin and Its Applications, volume A20 of IFIP Transactions, pages 561 568. Nor hHolland Press, 1992. [7] E. L. Gun er. A broader class of rees for recursive ype de ni ions for HOL. In J. Joyce and C. Seger, edi ors, Hi her Order Lo ic Theorem Provin and Its Applications, volume 780 of LNCS, pages 141 154. Springer, 1994. [8] J. Harrison. Induc ive de ni ions: au oma ion and applica ion. In P. J. Windley, T. Schuber , and J. AlvesFoss, edi ors, Hi her Order Lo ic Theorem Provin and Its Applications: Proceedin s of the 8th International Workshop, volume 971 of LNCS, pages 200 213, Aspen Grove, U ah, 1995. Springer. [9] J. Harrison. HOL done righ . Unpublished draf , 1996. [10] U. Hensel and B. Jacobs. Proof principles for da a ypes wi h i era ed recursion. In E. Moggi and G. Rosolini, edi ors, Cate ory Theory and Computer Science, volume 1290 of LNCS, pages 220 241. Springer, 1997. [11] F. Kamm¨ uller and M. Wenzel. Locales a sec ioning concep for Isabelle. Technical Repor 449, Universi y of Cambridge, Compu er Labora ory, Oc ober 1998. [12] T. F. Melham. Au oma ing recursive ype de ni ions in higher order logic. In G. Bir wis le and P. A. Subrahmanyam, edi ors, Current Trends in Hardware Veri cation and Automated Theorem Provin , pages 341 386. Springer, 1989. [13] W. Naraschewski and M. Wenzel. Objec orien ed veri ca ion based on record sub yping in higherorder logic. In J. Grundy and M. Newey, edi ors, Theorem Provin in Hi her Order Lo ics, volume 1479 of LNCS. Springer, 1998. [14] T. Nipkow and D. von Oheimb. Java i ht is ypesafe de ni ely. In Proc. 25th ACM Symp. Principles of Pro rammin Lan ua es. ACM Press, New York, 1998. [15] S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas. PVS: combining speci ca ion, proof checking, and model checking. In R. Alur and T. A. Henzinger, edi ors, Computer Aided Veri cation, volume 1102 of LNCS. Springer, 1996. [16] S. Owre and N. Shankar. Abs rac da a ypes in PVS. Technical Repor CSL939R, Compu er Science Labora ory, SRI In erna ional, 1993. [17] L. C. Paulson. A xedpoin approach o implemen ing (co)induc ive de ni ions. In A. Bundy, edi or, Proceedin s of the 12th International Conference on Automated Deduction, volume 814 of LNAI, pages 148 161, Nancy, France, 1994. Springer. [18] L. C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of LNCS. Springer, 1994. [19] L. C. Paulson. Mechanizing coinduc ion and corecursion in higherorder logic. Journal of Lo ic and Computation, 7(2):175 204, 1997. [20] F. Pfenning and C. PaulinMohring. Induc ively de ned ypes in he Calculus of Cons ruc ions. In Proceedin s of Mathematical Foundations of Pro rammin Semantics, volume 442 of LNCS. Springer, 1990. [21] K. Slind. Func ion de ni ion in higher order logic. In J. Wrigh , J. Grundy, and J. Harrison, edi ors, 9th International Conference on Theorem Provin in Hi her Order Lo ics, TPHOLs’96, volume 1125 of LNCS. Springer, 1996. [22] K. Slind. Deriva ion and use of induc ion schemes in higherorder logic. In 10th International Conference on Theorem Provin in Hi her Order Lo ics, TPHOLs’97, volume 1275 of LNCS. Springer, 1997. [23] N. V¨ olker. On he represen a ion of da a ypes in Isabelle/HOL. In L. C. Paulson, edi or, First Isabelle Users Workshop, 1995. [24] M. Wenzel. Type classes and overloading in higherorder logic. In 10th International Conference on Theorem Provin in Hi her Order Lo ics, TPHOLs’97, volume 1275 of LNCS. Springer, 1997.
Isomorphisms – A Link Between the Shallow and the Deep Thomas Santen Softwaretechnik, FR 56 Fachbereich Informatik Technische Universit¨at Berlin Franklinstraße 28/29, D10587 Berlin, Germany
[email protected] Abstract. We present a theory of isomorphisms between typed sets in Isabelle/ HOL. Those isomorphisms can serve to link a shallow embedding with a theory that defines certain concepts directly in HOL. Thus, it becomes possible to use the advantage of a shallow embedding that it allows for efficient proofs about concrete terms of the embedded formalism with the advantage of a deeper theory that establishes general abstract propositions about the key concepts of the embedded formalism as theorems in HOL.
1 Introduction A strong and decidable type system is one of the distinguishing features of the versions of higherorder logic that are implemented in systems such as HOL [4] and Isabelle/HOL [15]. The implicit propositions that types represent keep the concrete syntax of terms simple. Decidable typechecking is an efficient means of finding errors early when developing a theory. Proofs in those logics tend to be shorter and are more easily automated than the corresponding ones in untyped theories – at least at the current state of the art [8]. However, types become an obstacle when one wishes to capture concepts formally whose definitions inherently need to abstract from types. The kind of polymorphism that HOL1 provides to abstract from types often is too weak to express the independence of those concepts from specific types in its full generality. Apparently general theories turn out to be less generally applicable than one might naively expect, because the definitions of their foundational concepts are “only” polymorphic. For example, theories of concurrent processes [10, 20] use definitions that are polymorphic in the type of data (channels, actions) that processes exchange. Operations on several processes, such as their parallel composition, then require the involved processes to work on the same type of data. In theorems about concepts such as refinement, type unification often forces the involved processes to have the same type, because a polymorphic variable must have the same type at all of its occurrences in a theorem. Consequently, (straightforward) applications of those theories are restricted to systems that exchange a single type of 1
From now on, we use HOL as a synonym for the logic, not the HOL system.
Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 37–54, 1999. c SpringerVerlag Berlin Heidelberg 1999
38
Thomas Santen
data. This restriction is not a fault of the designers of those theories but an immediate consequence of the type system of HOL. There is no clearcut borderline between shallow and deep embeddings. In the following, we discuss some aspects of that distinction that are important in the context of the present paper (see [1] for another view on “shallow vs. deep”). A shallow embedding of a typed language in HOL identifies the types of the embedded language with types of HOL. Such an embedding has the advantage that proving theorems about particular sentences of the language directly corresponds to a proof about the corresponding HOL term and is thus as efficient as proving any other proposition in HOL. A shallow embedding does not restrict the types in applications in the way the “deeper” theories do that we mentioned before. At a closer look, the reason for that “advantage” turns into a major drawback of shallow embeddings: they do not provide definitions of the foundational concepts of the embedded language at all. Therefore, it usually is impossible reason about those concepts in general. Facts about them must be reproven for each particular instance. If the proofs of these facts are involved, reproving them over and over again may considerably diminish the advantage of efficiency in practical applications that a shallow embedding promises. For example, shallow embeddings of objectoriented concepts [5, 12] in higherorder logic do not define the concepts of a class or an object in general. LOOP [5], an embedding of coalgebraic specifications in PVS [14], generates definitions and proof scripts for each particular class specification that introduce general concepts, such as bisimilarity, and derive properties about them that hold for any class. The more complex the theory encoded in those proof scripts is, the more effort is needed to represent a particular class specification: the effort depends not only on the size of the class but also on the complexity of the general theory of classes. A deep embedding, in contrast, provides definitions of the key concepts of the embedded formalisms in HOL. In the example, a deep embedding defines the type of a class and the set of objects induced by a class in HOL. More complex definitions, such as class refinement, can be based on the definitions of classes. Furthermore, a HOLtheory about those concepts can be developed that establishes theorems in the logic that a shallow embedding, such as LOOP, can use metalogically, in the form of tactics, only. Unfortunately, as mentioned before, the theorems of a deeper embedding usually are not directly applicable to concrete entities (e.g. classes) that are represented by a shallow embedding. A very general solution to this dilemma and to other problems that arise from the type discipline of HOL would combine higherorder logic and an axiomatic set theory such as ZF in such a way that the set theory could be used to reason about concepts that do not fit well with the type system of HOL [3]. In the present paper, we propose a specific solution within HOL that addresses the combination of deep and shallow embeddings to obtain the best of both worlds in applications. We use a type of isomorphisms between sets, which we define in Isabelle/HOL, to formally capture the idea that definitions in HOL, such as the ones referred to before, restrict the general intuitive concepts behind them “without loss of generality” to specializations that polymorphism can express. Concealing type differences of entities that a shallow embedding produces, e.g. by constructing the sum of all involved types, and substituting isomorphisms for equal
Isomorphisms – A Link Between the Shallow and the Deep
39
ities makes a general theory developed in HOL applicable to specific problems that are represented via the shallow embedding. In Sect. 2, we introduce our notation of Isabelle/HOL terms, and briefly recapitulate the type definition mechanism as it is implemented in Isabelle/HOL. In Sect. 3, we further motivate the use of isomorphisms to link a shallow embedding with a more general theory by the example of combining a HOLtheory of objectoriented specification with a shallow embedding of the specification language Z. In Sect. 4, we present the basic idea of modeling bijections between sets in HOL. Sect. 5 introduces partial equivalence relations and quotients as a means to describe the type of isomorphisms in Sect. 6, where we also define the basic operations on isomorphisms. In Sect. 7, we define functors that map isomorphisms to isomorphisms, in particular by “lifting” them to type constructors. Section 8 applies those functors to lift isomorphisms to predicates. We need this construction in Sect. 9 to precisely characterize isomorphic representations of “the same” class specification in the example of Sect. 3. We sketch how those isomorphisms allow us to derive properties of class refinement as HOLtheorems and to apply those theorems to concrete class specifications whose components are specified in Z. Pointing out more general applications of the theory of isomorphisms, we conclude in Sect. 10.
2 Notation In our notation of HOL terms as defined in Isabelle/HOL, we use the standard graphical symbols. For two types and , is the Cartesian product type, and is the type of (total) functions with domain and range . We denote a constant definition by a declaration c :: and a defining equation def def t . The symbol indicates that the defining equation is checked by Isabelle to c preserve consistency of the theory. A type definition introduces a new type constant that is isomorphic to a set B of elements of some other type. An axiom asserting the existence of a bijection between B and the elements of the new type establishes that isomorphism. In addition to some technical conditions concerning polymorphism, we have to prove that B is nonempty to be sure that the type definition preserves the existence of standard models. In Isabelle/HOL, the new type is defined by stating that it is isomorphic to a non, empty set B of elements of some (already defined) type . Two functions :: , the representation function, describe the the abstraction function, and :: isomorphism. They are characterized by the axioms ( a) b
B
B
(1)
( ( a)) = a
(2)
( ( b)) = b
(3)
The representation function maps the elements of to members of the set B . On the set B , abstraction and representation functions are inverses of each other. The condition b B of (3) accounts for the totality of . We use the following notation for a type definition: typ
typ = B
justified by witness thm
40
Thomas Santen
It declares the new type typ, the abstraction function typ :: typ and the repre. It introduces three axioms corresponding to (1), (2), sentation function typ :: typ and (3). Processing the type definition, Isabelle proves that B is nonempty, using the derived theorem witness thm in the process. In contrast to a type definition, a type synonym does not introduce a new type but syn defines just a syntactic abbreviation of a type expression. The type equation the type constructor to be equal to the type , which contains the type variable .
3 Example: Class Specifications We illustrate the use of isomorphisms to link a shallow embedding with an abstract theory by the example of a theory of specifications of objectoriented systems. In earlier work [16], we presented a theory of modelbased specifications of objectoriented systems that relies on the shallow embedding HOLZ [7] of Z [19] in Isabelle/HOL for specifying the components of a class. The concept of a class (and of the set of objects induced by a class) are defined in HOL. This allows us to build an abstract theory of properties of classes, such as behavioral conformance,2 and apply the theorems of that theory to concrete classes whose components are specified in HOLZ. To show its practical applicability, we applied an extended version of that theory [18] to analyze the conformance relationships in the Eiffel data structure libraries [9]. In the following, we very briefly sketch the basic idea of linking HOLZ with the abstract theory of objectoriented concepts. The specifics of that theory (and of the shallow embedding of Z) are irrelevant for the present paper. We refer the curious reader to [16, 18] for more details. The type ( ) Class describes class specifications over a type of method identifiers , of constants , of (mutable) states , of inputs , and of outputs . The state of an object has a constant and a mutable part. Thus, it is of the type . (
typ
) Class = (C S I M H ) (C :: (I :: [ (H :: [
bool ) (S :: [ bool ) bool ) (M :: ( ) Methods) bool ) Cls 3 C S I M H
A class specification consists of five components: predicates describing the admissible constants (C ) and mutable states (S ), the initialization condition for object creation (I ), a history constraint (H ), which is a relation on states, and a method suite (M ) that maps method identifiers to operation specifications. According to the specification paradigm of Z, an operation specification is a relation on prestates, inputs, poststates, and outputs. Relating the components of a class specification, the predicate Cls 3 ensures that they conform to the intuition of “describing a class”. For our purpose, it is important to note that the components are predicates, i.e. functions to the boolean values, and that the typing rules of HOL force all operation specifications of a method suite M to have the same types of input and output. Because it is a shallow embedding, HOLZ maps the types of Z to types of HOL. This is justified, because the type systems of the two languages are very similar [17]. In 2
Behavioral conformance is a variant of data refinement [6] that takes the specifics of objectoriented systems into account.
Isomorphisms – A Link Between the Shallow and the Deep
41
HOLZ, the types of different operation specifications that describe the methods of a class, in general, differ in the types of inputs and outputs. The operation Cls (id op) adds an operation specification op as a method called id to a class specification Cls. Its declaration shows the key idea of linking the shallow embedding with the abstract theory of classes:
:: [ (
) Class (
+
(
) Op
+ ) Class
Forming the sums 0 + and 0 + of the input and output types of Cls and op, Cls (id op) produces a class specification that works on larger types of inputs and outputs than Cls. Its definition transforms the method suite of Cls and the operation specification op such that their input and output parameters are injected into the appropriate summand of those sum types. This definition captures the idea of much theoretical work that “without loss of generality” one can restrict an investigation to a singlesorted case, because it is always possible to reduce the manysorted case to the singlesorted one by combining the relevant sorts in a disjoint sum. For the practical work with a theory in a theorem prover, however, it is important to link the abstract theory and the shallow embedding in a way that conveniently handles the many different types arising. For example, adding two operations in a different order to a class specification, e.g. Cls (id1 op1 ) (id2 op2 ) and Cls (id2 op2 ) (id1 op1 ), yields specifications of “the same” class that are not even comparable in HOL, because they have different types. Furthermore, relations, such as behavioral conformance, must be defined for classes of different types. At first sight, this makes it impossible to profit from an abstract calculus of relations, such as the square calculus of [13], when reasoning about classes. The theory of isomorphisms that we present in this paper allows us to formally characterize that two class specifications specify “the same” class, and it allows us to map the classes of a (finite) system to a single type, thus making general concepts applicable that require identical types of the involved classes.
4 Bijections We wish to characterize bijections between two sets A :: set and B :: set whose elements are of different types and . In axiomatic set theory, the situation is clear: an injective function with domain A and range B is a bijection between A and B . If such a function exists, then A and B are isomorphic sets. In HOL, all functions are total. Thus, given a function f :: , there is no point in requiring that the “domain” of f be the set A. Requiring that f is injective would be too strong, because this would imply that the cardinality of the type must not be greater than the cardinality of the type . We are just interested in the relationship between the sets A and B , not their underlying types. Therefore, card A card , but not card card is a necessary condition for a bijection between A and B to exist. For A and B to be isomorphic, it suffices to require that f is injective on the set A, i.e. that the images of two distinct elements of A under f are distinct, and that the image of A under f is equal to B , f ( A ) B . The predicate inj onto captures injectivity on a set formally.
42
Thomas Santen inj onto :: [
set
def
inj onto f A =
x
A
bool A f x =f y
y
x =y
We are not just interested in the fact that A and B have the same cardinality, but we also wish to convert the elements of one set to the corresponding elements of the other. Therefore, we need to know the bijection f and the coimages of the elements of B under f . The function Inv maps a function to one of its inverses using Hilbert’s choice def ( y x f x y). operator: Inv f Because we cannot require that f is injective on the entire type , and because B may encompass all elements of , i.e. B UNIV , the function f , in general, maps several elements of to the same element of B . Let, for example, f a b and f x b. For b B , it is not necessarily true that Inv f b A, because there are models in which ( z f z b) x for x A. The function inv on chooses an inverse that maps elements into a given set whenever possible. inv on :: [
set
def
inv on A f = ( y ( x f x = y
(y
f (A)
x
A)))
In general, there are many bijections of isomorphic sets A and B that differ on the complement of A only. The relation eq on A characterizes the functions that are equal on A. It abstracts from differences on the complement of A. eq on :: [ eq on A f
def
=
set x
bool A fx =
x
With these preliminaries, we can characterize an isomorphism of the sets A and B by the set of all functions that are injective onto A, whose image of A is equal to B , and which are equal on A. This characterization is the basis to define a type of isomorphisms in Section 6.
5 Partial Equivalences, Quotients, and Congruences We base our definition of isomorphisms on a theory of relations on sets that introduces equivalence relations, quotients, and congruences. This theory is a slight modification of a standard Isabelle/HOL theory that has been adapted from Isabelle/ZF. Our modification takes congruences with respect to polymorphic binary relations into account. A relation r is an equivalence relation with domain A, equiv A r , if it is reflexive on A, symmetric, and transitive. A quotient A r of a set A and a relation r is the set of relational images of the singletons of P A. equiv :: [
set (
) set
bool
:: [
equiv A r = refl A r
sym r
trans r
A r =
def
def
set (
[
x A
) set
r( x )
set set
Isomorphisms – A Link Between the Shallow and the Deep
43
Although the relation r in the quotient usually is an equivalence relation, it is not necessary to require that property in the definition. For an equivalence relation r , the set r ( a ) denotes the equivalence class of a with respect to r . Note that we use the same notation for the image of a set A under a function f , f ( A ), and the image of A under a relation r :: ( ) set , r ( A ). The following two facts allow us to reduce a proposition about the member sets of a quotient to representatives of equivalence classes. First, two equivalence classes of a relation r are equal if and only if two representatives are in the relation r . equiv A r x A y A (r ( x ) = r ( y )) = ((x y) r )
Second, the class of x
(4)
A with respect to a relation r is an element the quotient A r . x A r( x ) A r
(5)
If r is an equivalence class, then an operation on the quotient A r is usually defined by a corresponding operation on representatives of equivalence classes of r . Such a definition is wellformed if it is independent of the particular representatives of equivalence classes it refers to. Then r is a congruence relation with respect to the operation. The following predicates characterize congruences with respect to unary and binary operations. con ruent :: [ ( def
con ruent r b =
) set y z (y z )
con ruent2 :: [ ( def
con ruent2 r r b =
) set (
bool r
(6)
by =bz ) set [
y1 z1 y2 z2 (y1 z1 )
bool (y2 z2 )
r
(7)
r
b y1 y2 = b z1 z2
The direct transcription of the ZF definition of congruences with respect to binary operations uses only one parameter relation: con ruent2m :: [ ( con
ruent2m
def
rb =
) set [ y1 z1 y2 z2 (y1 z1 )
bool r
(y2 z2 )
r
(8)
b y1 y2 = b z1 z2
This definition requires that both parameters of b are of the same type . The more liberal definition (7) of con ruent2 allows the parameters of b to be of different types. To achieve this, con ruent2 needs two parameter relations of different types. Using only one relation as in the defining axiom of (8) would force the parameter types of b to be identical by type unification.
44
Thomas Santen
In practice, both parameter relations r and r 0 of con ruent2 will be different polymorphic instances of the same (polymorphically defined) relation. The seemingly unnecessary duplication of the parameter relations is a consequence of the weak polymorphism of HOL. The type variables of an axiom are constants for the type inference in the axiom, because they do not denote universal quantifications over types [2]. At some places where a naive intuition would expect one parameter to suffice, we are forced to supply as parameters several structurally equal terms that differ only in their types. Congruences show that the definitions of operations on equivalence classes are independent of the choice of representatives. The following fact captures this property formally for a common construction. If r is a congruence with respect to a setvalued operation b, then the union of the images of b applied to the elements of an equivalence class is just the image of a representative of that class.
S
equiv A r
con ruent r b
x r( a )
bx
a
A
(9)
=ba
Similar statements hold for the other constructions that we use to define operations on isomorphisms in the following section.
6 The Type of Isomorphisms The type ( ) iso is the type of isomorphisms between sets of type set and sets of type set . The characterizing set of ( ) iso is a quotient: an isomorphism is an equivalence class of pairs of functions and domains. For each pair (f A) in a class, f is injective onto A. Two pairs are equivalent if the domains are equal and the functions are equal on the domains. (
syn
) isopair = ( iso iso
:: (( def
) ( set) ) isopair
= p pf
(
) isopair ) set
A B p = ((f A) (
inj onto f A (
(10)
B ))
A=B
(11)
eq on A f
typ
) iso = (f A) f A inj onto f A
iso
(12)
The notation x x y z P x y z is syntactic sugar for t x y z t x P x y z . The type ( ) iso is welldefined because the characterizing set contains at least the class of bijections on the empty set. The relation iso is an equivalence relation on the set (f A) f A inj onto f A . Requiring inj onto f A in the definition of iso and also in the quotient construction (12) may seem redundant, but it simplifies congruence lemmas, as we will see in (13). The basic operations on an isomorphism apply it to an element of its domain, determine its domain and range, invert it or compose it with another isomorphism. We define those operations in the following. For each of them, we must show that they are welldefined, i.e. that iso is a congruence with respect to their defining terms.
Isomorphisms – A Link Between the Shallow and the Deep
45
The application f = x of an isomorphism f to an element x of its domain is the application of a bijection of one of the representatives of f to x . If x is not in the domain of f , then the application yields the fixed element a ( x false) of the range type of f : a. The definition does not fix a representative of f to apply to x , but considers f =x the bijections of all representatives of f . It maps them to functions that are identical to a outside the domain of f , and chooses one of those functions to apply it to x . We define a function fun = that maps isomorphisms to HOL functions. The function choice chooses an arbitrary member of a set. fun= :: ( fun= f
) iso
0 [ = choice @
def
p
( (f A) ( x if x
1 A then f x else a) ) p A
iso f
We use the infix notation f = x as a syntactic variant of the term fun = f x , which is easy to define in Isabelle/HOL. The application is welldefined, because all members (f A) of an equivalence class representing an isomorphisms agree on A, i.e. the argument to choice is a singleton. In the following definitions, we use the representation function iso and the abstraction function iso that are induced by the type definition (12) (c.f. Sect. 2). The domain dom = f of an isomorphism f is the second component of one of its representatives. The range ran = f is the image of the domain of f under f . dom= :: (
) iso
ran= :: (
set
def
) iso
set
def
dom= f = choice (snd ( iso f ))
ran= f = fun= f ( dom= f )
We obtain the inverse of an isomorphism by inverting its representing bijections on their domain. inv= :: (
) iso
0 ( @ [ (
def
inv= f = iso
p
) iso (f A)
iso
( (inv on A f f ( A ))
1 )) p A
iso f
To define the composition of two isomorphisms j and k , we consider all pairs (f A) representing j and ( B ) representing k . A bijection representing the composition of j and k is the functional composition f . The domain of the composed isomorphism is the inverse image of the part of the range f ( A ) of j that is in the domain B of k . o 9=
j
o 9=
:: [ (
) iso (
[
def
k = iso p
iso j q
γ) iso
[
(
γ) iso
( (f A) ( (
B)
!
iso k
iso
( (
f (inv on A f )( f ( A )
B )) )) q) p
46
Thomas Santen
The relation representatives. con ruent2
iso
iso
is a congruence with respect to the defining function of
o 9 =
on
iso
( p q ( (f A) ( (
B)
iso
( (
f inv on A f ( f ( A )
B )) )) q) p)
(13)
Lemma (13) illustrates the use of having two equivalence relations as parameters to con ruent2 . The three occurrences of iso in (13) all have different types: the first is a relation on ( ) isopair , the second on ( γ) isopair , and the third (in the body of the term) on ( γ) isopair . The proof of (13) depends on the following fact about the composition of functions: inj onto f A inj onto B inj onto ( f )((inv on A f ) ( f ( A )
B ))
(14)
Lemma (14) shows why it is convenient to restrict iso to injective functions (onto sets). Lemma (14) assumes injectivity of f on A. Because the two pairs (f A) and ( B ) mentioned in (13) are bound variables, it is technically complex to assume that f and are injective onto A and B , respectively – and thus to state the congruence proposition as a lemma. The local context of proofs that use that lemma guarantees that the arguments to the second parameter satisfy inj onto, because the quotient construction in (12) considers only pairs that satisfy it. That knowledge, however, does not help us to state the congruence proposition as an independent lemma. The application of isomorphisms is a “partial” concept. Therefore, an equality ininv x , must be guarded volving applications, such as x dom =f =f = (f =x) by premises ensuring that the isomorphisms are applied to members of their domain only. The domain, composition, and inverses of isomorphisms have the nice algebraic f holds unconditionally. properties one would expect. For example, inv = (inv =f) This is a payoff of the relatively complex type definition. The quotient construction with iso ensures that the operations on isomorphisms are “total” – as long as no applications of isomorphisms are involved.
7 Functors To link a shallow embedding and a general theory by isomorphisms, the basic operations defined in the preceding section do not suffice. We additionally need mechanisms to “lift” isomorphisms on the sets of relevant parameter data to isomorphisms on (sets of elements of) more complex types. In the example of Sect. 3, consider the input parameters of an operation that is included at two different positions in two class specifications representing the same class. The set of its input parameters are thus isomorphic to the ranges of injections into the types of input parameters of the two class specifications. If we wish to express formally that the two specifications are isomorphic, then we must, first, construct isomorphisms from the injections in the two sum types, and second, map those isomorphisms to an isomorphism that maps the first class specification to the second. In the present section, we define functors mapping isomorphisms to isomorphisms on complex types. We consider product types, function spaces, ranges of injections, and type definitions.
Isomorphisms – A Link Between the Shallow and the Deep
47
Products. Given two isomorphisms, f and , it is easy to construct the product isomorphism f = whose domain is the Cartesian product of their domains: the product isomorphism relates two pairs if the two parameter isomorphisms relate the components of the pairs. The basic functions on isomorphisms distribute over product isomorphisms in the way one expects. The following fact illustrates that for the application of a product isomorphism. x x
dom= (f
=
)
f
=
=
x = (f
=
fst x
=
snd x )
(15)
Function Spaces. We construct isomorphisms of – total – functions from isomorphisms that relate subsets of their domain and range types. Given an isomorphism f with domain A and range A0 , and an isomorphism with domain B and range B 0 , we wish to construct an isomorphism of the functions mapping A to B and the functions mapping A0 to B 0 . Speaking settheoretically, the construction is a functor from the category of sets to the category of settheoretic functions (where we consider only isomorphisms in both categories). Thus, if h is a function from A to B , we construct a function k from A0 to B 0 by making the functions on the sets A, A0 , B , and B 0 commute. However, the need to work with total HOLfunctions complicates the definition, because we must define the value of function applications outside their “domains”. The 0 , in general, are not isomorphic. Therefore, HOLfunction spaces and 0 we consider only functions that are constant on the complements of A and B (if the complements are nonempty). To be able to control the values of the functions in the domain of a lifted isomorphisms in that way, we supply the image values c :: of h and d :: 0 of k outside their domains as parameters to the functor. The set A is the complement of A. lift= :: [ lift= c d f
(
def
= iso p
[
) iso (
[
iso f q iso
) iso
(
( (f A) ( (
) iso B)
iso
( (( h x if x
f ( A ) then ( else d )
h h h( A )
B
h( A )
h
(inv on A f ))x
?
c
!
) ) )q)p
The following lemmas establish equalities for the domain, inverse, and the application of the lifting of isomorphisms to function spaces. dom= (lift= c d f ) = h
h h ( dom= f )
dom=
h ( dom= f )
?
c
inv= (lift= c d f ) = lift= d c (inv= f )(inv= )
(17)
?
lift= c d f
h ( dom= f ) dom= h ( dom= f ) c h = ( a if a ran f then h(inv = = = =f
(16)
=
a ) else d )
(18)
Proving those lemmas with Isabelle/HOL is remarkably complex. Although the properties of lifting isomorphisms are not mathematically deep theorems, we must formulate them carefully to account not only for the – mostly obvious – “normal” cases that
48
Thomas Santen
deal with the relation of the involved functions on the domains and ranges of the lifted isomorphisms, but we must also consider their “totalization” on the complements of those sets. The parts of the proofs dealing with the complements of domains and ranges are the technically difficult ones. Here, the prover needs guidance to find appropriate witnesses, and to establish contradictions. The need to apply the extensionality rule of functions further reduces the degree of automation, because automatically applying that rule would lead to an explosion of the search space. Ranges of Injections. Two embeddings of a type into types and , such as injections of a type in two different sum types in Sect. 3, induce an isomorphism on the ranges of the embeddings. If two functions f and are injective, then the ranges of f and are isomorphic and we can construct a canonic bijection h f −1 between the two ranges that makes the diagram commute. Generalizing to possibly noninjective functions, we use the maximal set onto which a function f is injective toSdetermine the bijection. That set is the union of all sets onto which f is injective: ( (Collect (inj onto f ))). If A is the maximal subset of onto which both, f and , are injective, then the images of A under f and are isomorphic. A bijection between the images is the composition of with the inverse of f onto the set on which f is S injective, (inv on ( (Collect (inj onto f ))) f ). Capturing this idea formally, we define a function ( . & ) that maps two functions with the same domain type to an isomorphism of their range types. ( f
= =
) :: [
, = iso
def
γ
iso
(
γ) iso
S (Collect (inj onto f ))) f ) S S ( Collect (inj onto f ( ( Collect (inj onto f ))
( (
(inv on (
)) ) ) )
We are interested primarily in range isomorphisms f . & where both, f and , are injective on the whole type. Nevertheless, we must define f . & for arbitrary f and . The following lemmas show the interesting properties of injection isomorphisms that are constructed from injective functions. inj f dom= (f =
inj ) = ran e f
inj f ran= (f =
inj ) = ran e
inj f (f = inv= (f
inj )
=
inj f =
x ran e f x = (Inv f x ) inj )=
= f
Type Definitions. We saw in Sect. 2 that a type definition introduces three constants along with the new type: the representing set R, the abstraction function Abs, and the representation function Rep. The functions Abs and Rep establish a bijection between R and the new type. The axioms (1), (2), and (3) capture that property. We introduce a predicate is typabs that characterizes the triples (R Rep Abs) that establish a type definition according to (1), (2), and (3). and is typabs R . Let h be an Consider two type definitions, is typabs D isomorphism mapping elements of D to elements of R. It induces an isomorphism
Isomorphisms – A Link Between the Shallow and the Deep
49
typ h on the types and that maps an element a :: to an element (c :: ) = ( (h = ( a)), where we use the fact that is the inverse of on R. We do not require h , in the domain of h to comprise the entire set D . Therefore, the domain of typ = general, is not the entire type but the subset of that is the coimage of the intersection of the domain of h and D under the abstraction function . To define the function typ = , we first introduce injection isomorphisms, which are a special case of range isomorphisms, where the first argument is the identity function: def
inj= f = ( u u) = f
The injection isomorphism of a representation function, such as , maps the entire type to its representing set, because the representation function is injective. The lifting of an isomorphism h via two type definitions, therefore, is the composition of the injection isomorphism of the representation function whose range type is the domain type of h with h and the inverse of the injection isomorphism of the representation function whose range type is the range of h. typ= :: [ def
(
typ= Rl h Rr = (inj= Rl ) o9= (h
) iso o 9=
(
) iso
(inv= (inj= Rr )))
It is advantageous to use the injection isomorphisms of the representation functions in the definition of typ = , because composing them with h appropriately constrains the domain of the lifted isomorphism. In a typical application, the representation functions Rl and Rr are instances of the same polymorphic representation function R, because the lifted isomorphism relates instances of a single polymorphic type.
8 Predicate Isomorphisms The components of a class specification in the example of Sect. 3 are basically predicates (the operation specifications in the method suite are also predicates). To construct an isomorphism between class specifications from isomorphisms on their parameter data, i.e. the constants, states, inputs, and outputs, we need to lift those isomorphisms to isomorphisms on predicates. Conceptually, this is an easy application of the lifting of isomorphisms to function spaces. Establishing the necessary theorems in Isabelle/HOL, however, turned out to harder than expected. Consider an isomorphism f that relates two sets A and A0 of some arbitrary types and 0 . The lifting isomorphism of f and the identity isomorphism id = on bool maps a predicate h on to a predicate k on 0 . We assume that the domain of f comprises the extension Collect h of h. Under that assumption, we require the lifting isomorphism to preserve the extension of predicates, because otherwise the lifting isomorphism would not preserve the information provided by the predicates in its domain. (For the components of class schemas, this requirement ensures that specifications such as the constraints on the constants of the objects of a class are preserved.) The lifting isomorphism must map each predicate h in its domain to a predicate k that is constantly false outside the range of f . Providing false as the first two arguments to the lifting function lift = , we
50
Thomas Santen
enforce both, the assumption on the functions in the domain of the lifting isomorphism, and the requirement on the functions in its range. These considerations lead us to define lifting isomorphisms of (unary) predicates as follows: = =
:: (
) iso
(
bool ) iso
bool
def
f = lift= false false f id=
The domain of the lifting of an isomorphism f to unary predicates is the set of all predicates P whose extensions are in the power set of the domain of f , i.e. a predicate P is in the domain of = f if and only if the extension of P is a subset of the domain of f . For all P in the domain of = f , the extensions of P and of =f = P are isomorphic (and related by f ). Consequently, the predicates P and = f = P are equivalent modulo renaming their parameters by f . Collect P dom= f P dom= ( = f )
Collect P dom= f x P x = ( = f = P )(f
P dom= ( = f ) Collect P dom= f
dom= f ( x ran= f
Collect P
dom= f x)
= =
f
=
P) x
Conceptually, it is easy to extend the lifting of unary predicates to predicates with several parameters. For binary predicates, we define =f .
= :: [ (
= f
) iso (
) iso
([
def
= lift= ( x false) ( x false) f (
bool [ =
bool ) iso
)
The lifting operation = for ternary predicates have = and the similarly defined shown before. The premises of those rules, however, properties similar to the ones of = require the domains of the parameter isomorphisms to be supersets of projections of the extensions of the involved binary or ternary predicates. For example, the rule establishreads as follows: ing the equivalence of a predicate P and its image under =f x xy Pxy
dom= f
y xy Pxy
dom=
x dom= f y dom= Pxy =( =f = P ) (f = x ) (
=
y)
Facts about = are remarkably hard to establish in Isabelle. Whereas the = and proofs about = involve few trivial interactions, the proofs of the corresponding lem= , in particular the ones concerning containment in the domains mas about = and of the lifted isomorphisms and membership in the ranges of the lifted isomorphisms require considerable guidance to constrain the search space of automatic tactics. We needed to supply witnesses for most of the existential propositions, because the existential quantifiers are nested, and the automatic tactics try to find witnesses for the outermost quantifiers first. When proving theorems about projections to the second or third argument of predicates, that proof strategy leads to a combinatorial explosion of cases. In other lemmas, several premises stating subset relations lead to a combinatory explosion. To make use of the premises, we had to supply appropriate members
Isomorphisms – A Link Between the Shallow and the Deep
51
of those sets explicitly, because the automatic proof tactics would not find them automatically. Some proofs led to subgoals with premises that are subset relations between sets of functions, or involved equalities between predicates. To prove those subgoals, we had to supply functional witnesses or use the extensionality rule of functions. The implemented tactics would not succeed in doing so automatically.
9 Abstract and Concrete Reasoning About Classes With the theory of isomorphisms developed in the preceding sections, we can now define a lifting of isomorphisms on the parameter data of a class specification. We lift isomorphisms Ci, Si, Ii, and Oi on the parameter data of a class specification to isomorphisms on the component predicates. The product of those isomorphisms (lifted via the type definition of class specifications) yields an isomorphism on class specifications. C =
:: [ (
) iso ( ((
C =
, Ci Si Ii Oi = let C def
S I M H
) iso (
) iso (
) iso
) Class ( = = = = =
) Class) iso
( = Ci); ( = Ci Si); ( = Ci Si); (map= ( M = Ci Si Ii Oi)); ( = Ci Si Si)
in typ= Class (C
=
S
=
I
=
M
=
H ) Class
The functor M = maps an isomor= lifts isomorphisms to methods. The functor map phism to one on finite mappings: the resulting isomorphism relates mappings with identical domains and isomorphic ranges. What is the domain of an isomorphism on class specifications produced by such a lifting? A class specification Cls is in the domain of C = Ci Si Ii Oi if the relevant parameter data, i.e. the data for which one of the component predicates of Cls is true, is in the domain of the appropriate parameter isomorphism. For example, the set of admissible states of Cls must be a subset of the domain of Si. The theory of isomorphisms precisely captures the property of class specifications representing the same class. It also allows us to unify the types of an arbitrary finite number of class specifications. Consider, for example, the two class specifications A :: ( 1 1 1 1 ) Class and B :: ( 2 2 2 2 ) Class. Similar to the construction of a method suite from operation specifications in Sect. 3, we map both class specifications to the type of class specifications ( 1+ 2 1+ 2 1+ 2 1 + 2 ) Class whose parameter types are the sums of the parameter types of A and B , where Inl and Inr are the usual injection functions into a sum type: A =
C =
(inj= Inl ) (inj= Inl ) (inj= Inl ) (inj= Inl )
B =
C =
(inj= Inr ) (inj= Inr ) (inj= Inr ) (inj= Inr )
=
A =
B
The use of such an embedding of class specifications into the same type lies in the possibility to derive abstract, general theorems about classes and apply them to
52
Thomas Santen
the specifications of a concrete system. Consider, for example, the refinement relation A R ( ) B on class schemas A and B (of possibly different types), which we define in [18]. The predicate R relates the object states of A and B , maps the method identifiers of A to the ones of B , and is a family of isomorphisms on the input/output types of the method suites of A and B that relates the valid I/O of the methods of A to the valid I/O of the methods of B that refine the ones of A (as indicated by ). Proving A R ( ) B for concrete classes A and B amounts to reducing the proposition to verification conditions on the component schemas of A and B , which are stated in the HOLZ encoding of Z. Tactics accomplish that reduction uniformly. They also synthesize the isomorphisms in automatically. Because HOLZ is a shallow embedding, the proofs of those verification conditions are “ordinary” proofs in HOL that can make use of the standard proof procedures implemented in Isabelle. Refinement proofs for concrete classes are costly. It is therefore advantageous to derive theorems about the refinement relation in general such that they can be applied with relatively little effort to concrete specifications, instead of implementing tactics that derive an instance of a general theorem anew for each concrete instance. In the context of a nontrivial software development, two properties of refinement, transitivity and compositionality, are of particular importance, because they allow developers to refine classes independently of their application context in a stepwise manner. For our definition of refinement, it is possible to state the transitivity proposition such that the three involved classes have arbitrary, possibly different types. If we wish to define the reflexive and transitive closure , however, type constraints force all involved classes to have the same type. Compositionality ensures that classes can be refined within a context of their use. For example, it is desirable that replacing the class of an aggregated object by a refining class yields a refinement of the aggregating context also. Formally, this means that the context F is monotonic with respect to refinement: A
R (
)
B
F (A)
R0 (id id)
F (B )
(19)
Stating (19) in HOL forces A and B to have the same type. The context F is a HOLfunction that, in general, refers to the methods of its parameter class. Because method invocation is one of the points where the deep encoding of class specifications is linked with the shallow embedding of HOLZ, method invocation must appropriately inject input and output parameters into the sum types we discussed in Sect. 3. Those injections induce a specific structure on the type of the method suite of the parameter of F and thus on the types of A and B . Furthermore, to define R 0 in terms of R, the state of the resulting classes F (A) or F (B ) must have a particular structure: we need to know where the aggregated object of class A (or B ) resides in the tuple of state components. “Without loss of generality” we may fix that to be the first component, because an appropriate isomorphism on class specifications can change the order of state components as needed for a particular concrete specification. We can state sufficient conditions on the context F and prove a proposition such as (19) for arbitrary classes A and B – of the same type. Isomorphisms allow us to apply that theorem to classes of different types, which arise from the shallow encoding of concrete specifications in HOLZ. Thus, isomorphisms play a vital role in linking that
Isomorphisms – A Link Between the Shallow and the Deep
53
shallow encoding with the deep definitions of objectoriented concepts and the theory about them.
10 Conclusions We are not aware of other work addressing a formal theory of isomorphic sets in a typed logic. As we saw, the foundational definitions are quite complex, because the concept of an isomorphism between sets is inherently partial, whereas the world of HOL is total. The theory we presented “hides” that partiality for all operations except the application of isomorphisms. For those, domain considerations are necessary. In concrete applications of the theory, however, these can often be reduced to trivial verification conditions. M¨uller and Slind [11] survey methods of representing partial functions in typed logics, in particular in Isabelle/HOL. Those methods leave the domain of functions implicit, e.g., by returning a special value if a function is applied outside its domain. Our definition of isomorphisms explicitly contains the domain as a set, because we frequently need to consider the domain of an isomorphism to assess whether it is suitable to be applied to a given set of data. Leaving the domain implicit in the definition would therefore not make reasoning simpler. The theory of isomorphisms presented in this paper emerged from the combination of HOLZ with a general theory of objectorientation that we sketched in Sections 3 and 9. The application of the combined theory to the Eiffel libraries, which we mentioned in Sect. 3, shows its suitability for practical applications. In that application, isomorphisms relate the I/O data of different class specifications. Tactics uniformly construct those isomorphisms. Once the appropriate lifting operations are defined, the construction is simple. We believe that the approach of combining a shallow embedding with a general theory is useful for other theories, too. For example, one could augment the theory of CSP in Isabelle/HOL [20] with a shallow embedding of data specifications. This avoids representing complex theorems by tactic code only, as it is necessary in a “completely shallow” approach, such as [5] and most other approaches aiming at practical applications that we know of. Moreover, general purpose theories in HOL, such as a theory of (typed) relations, become immediately applicable to the combined theory. Apart from linking “shallow” and “deep”, isomorphisms also admit to switch between a “typeview” and a “setview” of data. Based on the isomorphism between a type and its representing set, predicate isomorphisms directly relate properties of the elements of the type to properties of the members of the representing set. Exploiting that relation may help to reduce the sometimes annoying technical overhead of “lifting” functions (and their properties) that are defined on the representing set to corresponding functions on the type. Acknowledgments. Thanks to the referees for their constructive comments and for their patience with the first version of the paper.
54
Thomas Santen
References [1] J. Bowen and M. Gordon. A shallow embedding of Z in HOL. Information and Software Technology, 37(5–6):269–276, 1995. [2] L. Cardelli and P. Wegner. On understanding types, data abstraction, and polymorphism. Computing Surveys, 17(4):471–522, 1985. [3] M. Gordon. Set theory, higher order logic or both? In J. von Wright, J. Grundy, and J. Harrison, editors, Theorem Proving in Higher Order Logics, LNCS 1125, pages 191– 201. SpringerVerlag, 1996. [4] M. J. C. Gordon and T. M. Melham, editors. Introduction to HOL: A theorem proving environment for higher order logic. Cambridge University Press, 1993. [5] U. Hensel, M. Huisman, B. Jacobs, and H. Tews. Reasoning about classes in objectoriented languages: Logical models and tools. In C. Hankin, editor, Programming Languages and Systems — 7th European Symposium on Programming, ESOP’98, LNCS 1381, pages 105– 121. SpringerVerlag, 1998. [6] C. A. R. Hoare. Proof of correctness of data representations. Acta Informatica, 1:271–281, 1972. [7] Kolyang, T. Santen, and B. Wolff. A structure preserving encoding of Z in Isabelle/HOL. In J. von Wright, J. Grundy, and J. Harrison, editors, Theorem Proving in HigherOrder Logics, LNCS 1125, pages 283–298. SpringerVerlag, 1996. [8] L. Lamport and L. C. Paulson. Should your specification language be typed? http://www.cl.cam.ac.uk/users/lcp/papers/lamportpaulsontypes.ps.gz, 1997. [9] B. Meyer. Reusable Software. Prentice Hall, 1994. [10] O. M¨uller. I/O automata and beyond: temporal logic and abstraction in Isabelle. In J. Grundy and M. Newey, editors, Theorem Proving in Higher Order Logics, LNCS 1479, pages 331–348. SpringerVerlag, 1998. [11] O. M¨uller and K. Slind. Treating partiality in a logic of total functions. The Computer Journal, 40(10):640–651, 1997. [12] W. Naraschewski and M. Wenzel. Objectoriented verification based on record subtyping in higherorder logic. In J. Grundy and M. Newey, editors, Theorem Proving in Higher Order Logics — 11th International Conference, TPHOLs’98, LNCS 1479, pages 349–366. SpringerVerlag, 1998. [13] T. Nipkow. More Church/Rosser proofs (in Isabelle/HOL). In Automated Deduction — CADE 14, LNCS 1104, pages 733–747. SpringerVerlag, 1996. [14] S. Owre, N. Shankar, and J. M. Rushby. The PVS Specification Language. Computer Science Laboratory, 1993. [15] L. C. Paulson. Isabelle – A Generic Theorem Prover. LNCS 828. SpringerVerlag, 1994. [16] T. Santen. A theory of structured modelbased specifications in Isabelle/HOL. In E. L. Gunter and A. Felty, editors, Proc. International Conference on Theorem Proving in Higher Order Logics, LNCS 1275, pages 243–258. SpringerVerlag, 1997. [17] T. Santen. On the semantic relation of Z and HOL. In J. Bowen and A. Fett, editors, ZUM’98: The Z Formal Specification Notation, LNCS 1493, pages 96–115. SpringerVerlag, 1998. [18] T. Santen. A Mechanized Logical Model of Z and ObjectOriented Specification. PhD thesis, Fachbereich Informatik, Technische Universit¨at Berlin, Germany, 1999. forthcoming. [19] J. M. Spivey. The Z Notation – A Reference Manual. Prentice Hall, 2nd edition, 1992. [20] H. Tej and B. Wolff. A corrected failuredivergence model for CSP in Isabelle/HOL. In J. Fitzgerald, C. B. Jones, and P. Lucas, editors, FME’97: Industrial Applications and Strengthened Foundations of Formal Methods, LNCS 1313, pages 318–337. SpringerVerlag, 1997.
Polytypic Proof Construction Hol er Pfeifer1 and Harald Rue
2
1
2
Universit¨ at Ulm, Fakult¨ at f¨ ur Informatik, D89069 Ulm, Germany pfe
[email protected] nformat k.un ulm.de SRI International, Computer Science Laboratory, 333 Ravenswood Ave. Menlo Park, CA, 94025, USA
[email protected] .com
Abs rac . This paper deals with formalizations and veri cations in type theory that are abstracted with respect to a class of datatypes; i.e polytypic constructions. The main advanta e of these developments are that they can not only be used to de ne functions in a eneric way but also to formally state polytypic theorems and to synthesize polytypic proof objects in a formal way. This opens the door to mechanically provin many useful facts about lar e classes of datatypes once and for all.
1
Introduction
It is a major challen e to desi n libraries for theorem provin systems that are both su ciently complete and relatively easy to use in a wide ran e of applications (see e. . [6, 26]). A library for abstract datatypes, in particular, is an essential component of every proof development system. The libraries of the Coq [1] and the Le o [13] system, for example, include a number of functions, theorems, and proofs for common datatypes like natural numbers or polymorphic lists. In these systems, myriads of mostly trivial developments are carried out separately for each datatype under consideration. This increases the bulk of provin e ort, reduces clarity, and complicates lemma selection. In contrast, systems like Pvs [20] or Isabelle [22] support an in nite number of datatypes by usin metalevel functions to enerate many standard developments from datatype de nitions. Pvs simply uses an extension of its implementation to enerate axiomatized theories for datatypes includin recursors and induction rules, while Isabelle’s datatype extension includes tactics to prove these theorems. Both the Pvs and the Isabelle approach usually work well in practice. On the other hand, metalevel functions must be executed separately for each datatype under consideration, and construction principles for proofs and pro rams are operationalized and hidden in metalevel functions which are encoded in the implementation lan ua e of the proof system. In this paper we propose techniques for buildin up library developments from a core system without resortin to an external meta level. Moreover, proof objects are constructed explicitly and developments from the library can be used by simply instantiatin hi herorder quanti ers. Hereby, we rely on the concept of polytypic abstraction. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 55 72, 1999. c Sprin erVerla Berlin Heidelber 1999
56
Hol er Pfeifer and Harald Rue
The map functional on the list datatype L illustrates the concept of polytypic abstraction exceptionally well. Applyin this functional to a function f and a source list l yields a tar et list obtained by replacin each element a of l with the value of f (a), thereby preservin the structure of l . The type of map in a HindleyMilner type system, as employed by current functional pro rammin lan ua es, is abstracted with respect to two type variables A and B : map :
A B (A
B)
L(A)
L(B )
Thus, map is a polymorphic function. The eneral idea of the map function of transformin elements while leavin the overall structure untouched, however, is not restricted to lists and applies equally well to other datatypes. This observation ives rise to a new notion of polymorphism, viz. polytypy,1 for de nin functions uniformly on a class of (parameterized) datatypes T : map :
T
A B (A
B)
T (A)
T (B )
Notice that the notion of polytypy is completely ortho onal to the concept of polymorphism, since every instance of the family of polytypic mapfunctions is polymorphic. Many interestin polytypic functions have been identi ed and described in the literature [15, 25, 17, 10, 11, 16, 27], and concepts from cate ory theory have proven especially suitable for expressin polytypic functions and reasonin about them. In this approach, datatypes are modeled as initial objects in cate ories of functoral ebras [14], and polytypic constructions are formulated usin initiality without reference to the underlyin structure of datatypes. The concept of polytypy, however, is not restricted to the de nition of polytypic functions solely, but applies equally well to other entities of the pro ram and proof development process like speci cations, theorems, or proofs. Consider, for example, the no confusion theorem. This theorem states that terms built up from di erent constructors are di erent. It is clearly polytypic, since it applies to all initial datatypes. In the followin , we examine techniques for expressin polytypic abstraction in type theory. These developments can not only be used to polytypically de ne functions but also to formally state polytypic theorems and to interactively develop polytypic proofs usin existin proof editors. Thus, formalization of polytypic abstraction in type theory opens the door to provin many useful facts about lar e classes of datatypes once and for all without resortin to an external metalan ua e. The paper is structured as follows. The formal settin of type theory is sketched in Section 2, while Section 3 includes typetheoretic formalizations of some basic notions from cate ory theory that are needed to specify, in a uniform way, datatypes as initial objects in cate ories of functor al ebras. Furthermore, Section 3 contains eneralizations of the usual reflection and fusion theorems for recursors on initial datatypes as stated, for example, in [2] to recursors of dependent type, which correspond to structural induction schemes. These developments are polytypically abstracted for the semantically characterized class of 1
Sheard [25] calls these al orithms type parametric, Meertens [15] calls them eneric, and Jay and Cockett [9] refer to this concept as shape polymorphism.
Polytypic Proof Construction
57
initial datatypes. This notion of semantic polytypy, however, is not appropriate in many cases where inspection of the form of the de nition of a datatype is required. Consequently, in Section 4, we develop the machinery for abstractin constructions over a certain syntactically speci ed class of datatypes. Since the focus is on the eneration of polytypic proofs rather than on a eneral formalization of inductive datatypes in typetheory we restrict ourselves to the class of parameterized, polynomial (sumofproducts) datatypes in order to keep the technical overhead low. The main idea is to use representations that make the internal structure of datatypes explicit, and to compute typetheoretic speci cations for all these datatypes in a uniform way. This approach can be thou ht of as a simple form of computational reflection (e. . [23, 29]). Developments that are abstracted with respect to a syntactically characterized class of datatypes are called syntactically polytypic in the followin . We demonstrate the expressiveness of syntactic polytypy with a mechanized proof of the bifunctoriality property for the class of polynomial datatypes and a polytypic proof of the no confusion theorem. Finally, Section 5 concludes with some remarks. The constructions presented in this paper have been developed with the help of the Le o [13] system. For the sake of readability we present typeset and edited versions of the ori inal Le o terms and we take the freedom to use numerous syntactic conventions such as in x notation and pattern matchin .
2
Preliminaries
Our startin point is the Extended Calculus of Constructions (ECC ) [12] enriched with the usual inductive datatypes. We sketch basic concepts of this type theory, x the notation, and discuss the treatment of datatypes in type theory. More interestin ly, we introduce nary (co)products and de ne functions on eneralized (co)products by recursin alon the structure of the descriptions of these types. This technique has proven to be essential for the encodin of syntactic polytypy in Section 4. The type constructor x : A B (x ) is interpreted as the collection of dependent functions with domain A and codomain B (a) with a the ar ument of the function at hand. Whenever variable x does not occur free in B (x ), A B is used as shorthand for x : A B (x ); as usual, the type constructor associates to the ri ht. abstraction is of the form ( x : A M ) and abstractions like ( x : A y : B M ) are shorthand for iterated abstractions ( x : A y : B M ). Function application associates to the left and is written as M (N ), as juxtaposition M N , or even in subscript notation MN . Types of the form x : A B (x ) comprise dependent pairs ( ), and 1 , 2 denote the projections on the rst and second position, respectively. Sometimes, we decorate projections with subscripts 1 x : A B (x ). Finally, types are collected as in A B to indicate the source type in yet other types Prop and Typei (i N ). These universes are closed under the typeformin operations and form a fully cumulative hierarchy [12]. Althou h essential to the formalization of many pro rammin concepts, universes are tedious to use in practice, for one is required to make speci c choices of universe levels.
58
Hol er Pfeifer and Harald Rue
For this reason, we apply carefully, without introducin inconsistencies the typical ambi uity convention [7] and omit subscripts i of type universes Typei . xn : An ) : B ::= M are used to introduce De nitions like c(x1 : A1 a name c for the term M that is (iteratively) abstracted with respect to x1 throu h xn . Bindin s of the form x A are used to indicate parameters that can be omitted in function application. Systems like Le o are able to infer the hidden ar uments in applications automatically (see [13]). Usin the principle of propositionsastypes, the dependent product type x : A B (x ) is interpreted as lo ical universalquanti cation and if M (a) is of type B (a) for all a : A then x : A M (x ) is interpreted as a proof term for the formula x : A B (x ). It is possible to encode in ECC all the usual lo ical connectives 1 ( , , , , , ) and quanti ers ( , , ) to ether with a naturaldeduction style calculus for a hi herorder constructive lo ic. Leibniz equality (=) identi es terms havin the same properties. This equality is intensional in the sense that a = b is inhabited in the empty context if and only if a and b are convertible; i.e. they are contained in the least con ruence enerated by reduction. Constructions in this paper employ, besides Leibniz equality, a (restricted) form of extensional equality (denoted = ) on functions. = (A B Type)(f
:A
B ) : Prop ::=
x : A f (x ) =
(x )
Inductive datatypes can be encoded in type theories like ECC by means of impredicative quanti cation [3]. For the wellknown imperfections of these encodin s such as noninhabitedness of structural induction rules however, we prefer the introduction of datatypes by means of formation, introduction, elimination, and equality rules [18,4,21]. Consider, for example, the extension of type theory with (inductive) products. The declared constant forms the product type from any pair of types, and pairin ( ) is the only constructor for this newly formed product type. : Type
Type
Type
( ):
A B Type A
B
(A
B)
The type declarations for the product type constructor and pairin represent the formation and introduction rules of the inductive product type, respectively. These rules determine the form of the elimination and equality rules on products. elim :
A B Type C : (A B ) ( a : A b : B C (a b))
Type x : (A
B ) C (x )
Elimination provides a means to construct proof terms (functions) of propositions (types) of the form x : (A B ) C (x ). The correspondin equality rule is f (a b) f (a)(b). It is speci ed in terms of a lefttori ht rewrite rule: elimC convenient to specify a recursor as the nondependent variant of elimination in order to de ne functions such as the rst and second projections.
;
rec (A B C Type) fst : (A snd : (A
B) B)
A B
::= ::= ::=
elim
:AB C
rec ( x : A y : B x ) rec ( x : A y : B y)
Polytypic Proof Construction
59
Moreover, the (overloaded) functional is a bifunctor (see also Def. 2) and plays a central role in cate orical speci cations of datatypes; it is de ned by means of the split functional f . (C Type)(f : C A :C B) : C (A B ) ::= x : C (f (x ) (x )) (A B C D Type)(f : A C :B D ) : (A B ) sndA B ::= f fstA B
(C
D)
The specifyin rules for coproducts A+B with injections inlA B (a) and inrA B (b) are dual to the ones for products. Elimination on coproducts is named elim + and its nondependent variant [f ] is pronounced case f or . [ ](A B C Type) : (A ::= elim + :A+B C
C)
(B
C)
(A + B )
C
Similar to the case of products, the symbol + is overloaded to also denote the bifunctor on coproducts. + (A B C D Type f : A B ] ::= [inlB D f inrB D
:C
D ) : (A + C )
(B + D )
Unlike products or coproducts, the datatype of parametric lists with constructors nil and ( :: ) is an example of a enuinely recursive datatype. L : Type nil : ( :: ) :
Type
A : Type L(A) A Type A L(A)
L(A)
These declarations correspond to formation and introduction rules and completely determine the form of list elimination,2 elim L :
A Type C : L(A) Type (C (nilA ) ( (a l ) : (A L(A)) C (l ) l : L(A) C (l )
C ( a :: l ))
and of the rewrites correspondin to equality rules: L f nilA elimC L f ( a :: l ) elimC
; ;
fst (f ) L snd (f ) (a l ) (elimC f l)
The nondependent variants rec L and hom L of list elimination are used to encode structural recursive functions on lists. rec L (A C Type)(f : C ((A ::= elim L :L(A) C (f )
L(A))
C
C )) : L(A)
C
C )) : L(A) C hom L (A C Type)(f : C ((A C ) (a ) : A L(A) y : C snd (f )(a y)) ::= rec L (fst (f ) 2
Bindin s may also employ pattern matchin on pairs; for example, a is of type A and l of type L(A) in the bindin (a l ) : (A L(A)).
60
Hol er Pfeifer and Harald Rue
The name hom L stems from the fact that hom L (f ) can be characterized as a (unique) homomorphism from the al ebra associated with the L datatype into an appropriate tar et al ebra speci ed by f [28]. Consider, for example, the prototypical de nition of the map L functional by means of the homomorphic functional hom L . B ) : L(A) L(B ) map L (A B Type)(f : A (a y) : (A L(B )) f (a) :: y ) ::= hom L (nilB In the rest of this paper we assume the inductive datatypes 0 , 1 , , +, B , N , and L to ether with the usual standard operators and relations on these types to be prede ned. N ary Products and Coproducts. Usin hi herorder abstraction, type universes, and parametric lists it is possible to internalize nary versions of binary type An . It is constructors. Consider, for example, the nary product A1 constructed from the iterator ⊗( ) applied to a list containin the types A1 throu h An . (l ) represents an nary coproduct constructor. ⊗( ) : L(Type) ( ) : L(Type)
Type Type
::= ::=
) hom L ( 1 L hom ( 0 +)
to also The map L function on lists can be used to eneralize + and work for the nary coproduct ( ) and the nary product ⊗( ) , respectively. Let A Type, D R : A Type, f : x : A D (a) R(a), then recursion alon the structure of the nary type constructors is used to de ne these eneralized mappin functions. (map L R l ) ) map + (f ) : ( l L(A) (map L D l ) L ::= elim I0 ( (a l ) y f (a) + y) ⊗(map L R l ) ) map (f ) : ( l L(A) ⊗(map L D l ) L ) ( (a l ) y f (a) y) ::= elim ( Althou h these mappin s explicitly exclude tuples with independent types, they are su ciently eneral for the purpose of this paper.
Semantic Polytypy In this section we describe a typetheoretic framework for formalizin polytypic pro rams and proofs. Datatypes are modeled as initial objects in cate ories of functoral ebras [14], and polytypic constructions both pro rams and proofs are formulated usin initiality without reference to the underlyin structure of datatypes. We exemplify polytypic pro ram construction in this typetheoretic framework with a polytypic version of the wellknown map function. Other polytypic developments from the literature (e. . [2]) can be added easily. Furthermore we eneralize some cate orical notions to also work for eliminations and
Polytypic Proof Construction
61
lift a reflection and a fusion theorem to this eneralized framework. It is, however, not our intention to provide a complete formalization of cate ory theory in type theory; we only de ne certain cate orical notions that are necessary to express the subsequent polytypic developments. For a more elaborated account of cate ory theory within type theory see e. . [8]. Functors are twofold mappin s: they map source objects to tar et objects and they map morphisms of the source cate ory to morphisms of the tar et cateory with the requirement that identity arrows and composition are preserved. Here, we restrict the notion of functors to the cate ory of types (in a xed, but su ciently lar e type universe Typei ) with (total) functions as arrows. De nition 1 (Functor). Functor : Type ::= Type Fobj : Type B) Fobj (A) Farr : A B Type (A A Type Farr (IA ) = IFobj (A) A B C Type :A B f :B ) = Farr (f ) Farr ( ) Farr (f
Fobj (B ) C
n
times
Type Type; Bifunctors. Generalized functors are functors of type Type they are used to describe datatypes with n parameter types. In order to keep the technical overhead low, however, we restrict ourselves in this paper to modelin datatypes with one parameter type only by means of bifunctors. Bifunctors are functors of type Type Type Type or, usin the isomorphic curried form, of type Type Type Type. For a bifunctor, the functor laws in De nition 1 take the followin form: De nition 2 (Bifunctor). Bifunctor : Type ::= Type Type FFobj : Type A B C D Type (A B) (C D) FFarr : FFobj B D FFobj A C A B Type FFarr IA IB = IFFobj A B A B C D E F Type h:A B f :B C k :D E :E F k ) = (FFarr f ) (FFarr h k ) FFarr (f h)( Many interestin examples of bifunctors are constructed from the unit type and from the product and coproduct type constructors. Seein parameterized lists L(A) we et as conslists with constructors nilA : L(A) and consA : A L(A) the bifunctor FF L . Example 1 (Polymorphic Lists). Let A B X Y : Type, f : A there exists a proof term p such that: FF L : Bifunctor
::= ( A X 1 + (A
X)
f
I1 + (f
B,
:X ) p)
Y;
62
Hol er Pfeifer and Harald Rue
Fixin the rst ar ument in a bifunctor yields a functor. De nition 3. For all (FFobj FFarr q) : Bifunctor and A : Type there exists a proof term p such that induced (FFobj FFarr q)(A) : Functor X Y Type f : X (FFobj (A) Example 2. F L : Type
::= Y FFarr IA f
p)
Functor ::= induced (FF L )
Functor Al ebras. Usin the notion of Functor one de nes the concept of datatype (see Def. 8) without bein forced to introduce a si nature, that is, names and typin s for the individual sorts (types) and operations involved. The central notion is that of a functor al ebra Al (F X ) , where F is a functor. The second type de nition below just introduces a name for the si nature type C (F T ) of socalled catamorphisms ( ). De nition 4. Let F : Functor and X T : Type; then: Al (F X ) : Type ::= C
Fobj (X )
(F T ) : Type ::=
X
X Type Al (F X )
(T
X)
The initial F al ebra, denoted , is an initial object in the cate ory of F al ebras. That is, for every F al ebra f there exists a unique object, say ( f ), such that the followin dia ram commutes: F (T ) F(
/
T
f )
(f )
F (X )
f
/
X
In the case of lists, the initial F L (A)al ebra L is de ned by case split (see Section 2) and the correspondin catamorphism is a variant of the homomorphic functional on lists. Example 3. L
(
(A Type) : Al (F L (A) L(A))
L
) (A Type) :
C
L
(F (A) L(A))
::= ::=
[nilA consA ] X Type f : Al (F L (A) X ) hom L (f
inl1 AX f
inr1 AX )
Paramorphisms correspond to structural recursive functions, and can be obtained by computin not only recursive results as is the case for catamorphisms but also the correspondin data structure. The de nition of functor al ebras and si natures for paramorphisms are a strai htforward eneralization of De nition 4.
Polytypic Proof Construction
63
De nition 5. Let F : Functor and X T : Type; then: Al
P
(F T X ) : Type ::= P
Fobj (T
(F T ) : Type ::=
X)
X P
X Type Al
(F T X )
(T
X)
Any F al ebra f can be lifted to the correspondin notion for paramorphisms usin the function ( ) in De nition 6. De nition 6. Let F : Functor , T X : Type; then: (f : Al (F X ) ) : Al
P
(F T X )
::= f
Farr (
2 T X)
It is wellknown that the notions of catamorphisms and paramorphisms are interchan eable, since one can de ne a paramorphism [ ] from a catamorphism ( ) and vice versa. (
C
): [ ]:
P
(F T ) ::= (F T ) ::=
X Type [ ] () X Type : Al P (F T X ) t : T 2
((
z : F (T
X ) (t
(z )) )(t ))
Eliminations, however, are a enuine eneralization of both catamorphisms and paramorphisms in that they permit de nin functions of dependent type. In this case, the notion of functor al ebras eneralizes to a type Al E (F C ) that depends on an F al ebra , and the si nature type E (F T ) for eliminations is expressed in terms of this eneralized notion of functor al ebra. De nition 7. Let F : Functor , T : Type, C : T Al
E E
(F C (F T
) : Type ::= ) : Type ::=
z : Fobj ( C :T
Type,
: Al (F T ) ; then:
x : T C (x ) ) C (( Type Al
E
(F C
Farr ( )
1 T C ))
z)
x : T C (x )
These de nitions simplify to the correspondin notions for paramorphisms (see Def. 5) when instantiatin C with a nondependent type of the form ( : T X ). Moreover, the correspondence between the induction hypotheses of the intuitive structural induction rule and the eneralized functor al ebras Al E (F L C L ) is demonstrated in [19]. The de nition of C below is the key to usin the usual cate orical notions like initiality, since it transforms a eneralized functor al ebra f of type x : T C (x ) ) .3 Al E (F C ) to a functor al ebra Al (F E
De nition 8. Let F : Functor , T : Type, : Al (F T ) , elim : C :T Type, and f : Al E (F C ) ; then: C (f 3
) : Al (F
x : T C (x ) )
Here and in the followin the split function ar uments of dependent types; i.e. f : A B : Type, C : B Type, f : A B, :
::=
Farr (
1 T C)
(F C
),
f
is assumed to also work for function x : B C (x ) ::= (f (x ) (x )) where x : A C (f (x )), and x : A.
64
Hol er Pfeifer and Harald Rue F (T ) /
T
F (RC (f ))
RC (f )
F(
x : T C (x ) )
C (f )
/
x : T C (x )
Fi . 1. Universal Property.
Now, we et the initial al ebra dia ram in Fi ure 1 [19], where RC (f ) denotes the unique function which makes this dia ram commute. It is evident that the rst component must be the identity. Thus, RC (f ) is of the form I elimC (f ) where the term elimC (f ) is used to denote the unique function which makes the dia ram commute for the iven f of type Al E (F C ) . Alto ether, these considerations motivate the followin universal property for describin initiality. De nition 9. universal E (F T ) : Prop ::= 1 E : ( x : T C (x )) C :T Type f : Al E (F C ) = C (f ) F (RC (f )) let RC (f ) = I E in RC (f ) Witnesses of this existential formula are denoted by elimC (f ) and RC (f ) is dened by I elimC (f ) . Reflection and Fusion. Eliminations enjoy many nice properties. Here, we concentrate on some illustrative laws like reflection or fusion, but other laws for catamorphisms as described in the literature can be lifted similarly to the case of eliminations. Lemma 1 (Reflection). Let universal E (F T R
:T T (
( ))
2 T T
=
) be inhabited; then: x : T (x x )
This equality follows directly from uniqueness and some equality reasonin . The fusion law for catamorphism is central for many pro ram manipulations [2]. Now, this fusion law is eneralized to also work for eliminations. Lemma 2 (Fusion). For functor F and type T , let C D : T Type, f : x : T D (x ) , and asAl E (F C ) , : Al E (F D ) , h : x : T C (x ) sume that the followin holds: H1 : universal E (F T ) Type u v : Al E (F E H2 : S : Type E : S u = v elimE (u) = elimE (v ) Then: h
C (f
) =
D(
) F (h)
h
)
RC (f ) = RD ( )
Polytypic Proof Construction
65
The proof of this eneralized fusion theorem is alon the lines of the fusion theorem for catamorphisms [2]. F (RC (f ))
F (T )
/
F(
x : T C (x ) ) C (f
F (h) /
F(
x : T D (x ) )
)
D(
)
T
x : T C (x ) /
RC (f )
x : T D (x ) /
h
This dia ram commutes because the left part does (by de nition of elimination) and the ri ht part does (by assumption). (Extensional) equality of h RC (f ) and RD ( ) follows from the uniqueness part of the universality property and the functoriality of F . The extra hypothesis H2 is needed for the fact that the binary relation = (see Section 2) on functions is not a con ruence in eneral. Catamorphisms and Paramorphisms. A paramorphism is simply a nondependent version of an elimination scheme and a catamorphism is de ned in the usual way from a paramorphism. De nition 10. Let universal E (F T (
[ ]: ):
P C
(F T ) (F T )
::= ::=
) be inhabited and X : Type; then: X Type elim( X Type [ ]
:T X )
()
Lemma 3. If f : Al (F X ) , : Al P (F T X ) , and universal E (F T ) is inhabited then [ ] and ( ) are the unique functions satisfyin the equations: (f ) [ ]
= f
F (( f ))
=
F ( IT [ ] )
Example 4. Let FF : Bifunctor then the polytypic map function is de ned by map(f ) : T (A)
F (f )(IT (B ) ) )
T (B ) ::= (
Uniform Speci cation of Datatypes in ECC. Now, the previous developments are used to specify, in ECC , classes of parametric datatypes in a uniform way. The exact extension of this class is unspeci ed, and we only assume that there is a name dt and a describin bifunctor FFdt for each datatype in this class. De nition 11 (Specifyin Datatypes). For name : Type, let C : T and FF : name Bifunctor . De ne F (dt : name) : Type functor ::= induced (FFdt ); then: Format on:
T : name
Introduct on:
:
El m nat on: elim : Equal ty:
Type
Type,
Type
dt name A Type Al (Fdt (A) Tdt (A)) dt name A Type
1 (Fdt (A)( T C ) Fdt (A)(RC (f ))) elimC (f )( (x ))
E
(Fdt (A) Tdt (A)
; ;
dt A )
IFdt (A)(Tdt (A)) f (Fdt (A) RC x )
66
Hol er Pfeifer and Harald Rue
It is strai htforward to declare three constants T , , elim correspondin to formation, introduction, and elimination rule, respectively. The equality induced = f F (RC ) . It ives the followin by the dia ram in Fi ure 1 is elimC (f ) reduction rule by expressin the equality on the point level and by replacin f (F RC x ). There is a equality by reducibility (x : F (T )): elimC (f )( (x )) sli ht complication, however, since the lefthand side of this reduction rule is of 1 type C ( (x )) while the ri hthand side is of type C ( ((F ( T C ) F (RC (f ))) x ). These two types, althou h provably Leibnizequal, are not convertible. Consequently, an additional reduction rule, which is justi ed by the functoriality of F , is needed. This extraneous reduction rule is not mentioned for the extension of ECC with datatypes in [19], since the implicit assumption is that a reduction rule is bein added for each functor of a syntactically closed class of functors. In this case, the types of the lefthand and ri hthand sides are convertible for each instance. Since we are interested in specifyin datatypes uniformly, however, we are forced to abstract over the class of all functors, thereby loosin convertibility between these types.
;
4
Syntactic Polytypy
The essence of polytypic abstraction is that the syntactic structure of a datatype completely determines many developments on this datatype. Hence, we specify a syntactic representation for makin the internal structure of datatypes explicit, and enerate, in a uniform way, bifunctors from datatype representations. Proofs for establishin the bifunctoriality condition or the unique extension property follow certain patterns. The order of applyin product and coproduct inductions in the proof of the existential direction of the unique extension property, for example, is completely determined by the structure of the underlyin bifunctor. Hence, one may develop specialized tactics that enerate accordin proofs separately for each datatype under consideration. Here, we o one step further by capturin the eneral patterns of these proofs and internalizin them in type theory. In this way, polytypic proofs of the applicability conditions of the theory formalized in this section are constructed once and for all, and the proof terms for each speci c datatypes are obtained by simple instantiation. These developments are used to instantiate the abstract parameters name and FF in order to specify a syntactically characterized class of datatypes. Fixin the shape of datatypes permits de nin polytypic constructions by recursin (inductin ) alon the structure of representations. The additional expressiveness is demonstrated by means of de nin polytypic reco nizers and a polytypic no confusion theorem. In order to keep subsequent developments mana eable and to concentrate on the underlyin techniques we choose to restrict ourselves to representin the rather small class of parametric, polynomial datatypes; it is strai htforward, however, to extend these developments to much lar er classes of datatypes like the ones described by (strictly) positive functors [19, 5]. The only restriction on the choice of datatypes is that the resultin reduction relation as speci ed in
Polytypic Proof Construction
67
Fi ure 11 is stron ly normalizin . The developments in this section are assumed to be implicitly parameterized over the entities of Fi ure 11. A natural representation for polynomial datatypes is iven by a list of lists, whereby the j th element in the i th element list determines the type of the j th selector of the i th constructor. The type Rep below is used to represent datatypes with n constructors, where n is the len th of the representation list, and the type Sel restricts the ar uments of datatype constructors to the datatype itself (at recursive positions) and to the polymorphic type (at nonrecursive positions), respectively. Finally, rec and nonrec are used as su estive names for the injection functions of the Kind coproduct. De nition 12 (Representation Types). Kind : Type Sel : Type Rep : Type
::= ::= ::=
rec : 1 + nonrec : 1 L(Kind ) L(Sel )
Consider, for example, the representation dt B for binary trees below. The lists nil and (nonrec :: rec :: rec :: nil ) describe the si natures of the tree constructors leaf and node, respectively. Example 5. dt B : Rep ::= nil :: (nonrec :: rec :: rec :: nil ) :: nil The de nitions below introduce, for example, su estive names for the formation type and constructors correspondin to the representation dt B in Example 5. Example 6. Let B : Type leaf (A : Type) : 1
Type ::= T (dt B ); then B (A) ::= (
dt B A
inl1 A+B (A)+B (A)+0 )
node(A Type) : (A B (A) B (A) 1 ) B (A) ::= ( dt B A inr1 A+B (A)+B (A)+0 inlA+B (A)+B (A) 0 ) Ar ument types Ar A X (s) of constructors correspondin to the selector representation s are computed by placin the (parametric) type A at nonrecursive positions, type X at recursive positions, and by formin the nary product of the resultin list of types. De nition 13. Ar (A X : Type)(s : Sel ) : Type ::=
⊗(map L (rec + X A) s)
Next, a polytypic bifunctor FF is computed uniformly for the class of representable datatypes. The object part of these functors is easily computed by formin the nary sum of the list of ar ument types (products) of constructors. Likewise the arrow part of FF is computed by recursin over the structure of the representation type Rep. This time, however, the recursion is a bit more involved, since all the types of resultin intermediate functions depend on the form of the part of the representation which has already been processed.
68
Hol er Pfeifer and Harald Rue
Proposition 1. For all dt : Rep there exists a proof object p such that dt dt FFarr p) FF (dt ) : Bifunctor ::= (FFobj dt where FFobj ::= ( A X : Type () map L (Ar A X )) dt dt ::= A B X Y Type f : A B :X Y FFarr + (mapAr map (rec + A X ) (rec + A,X Ar B,Y (elim(+ k :Kind (rec + A X k )!(rec +B Y
B Y )) k ))
f
)
The inductive construction of the bifunctoriality proof p parallels the structure of the recursive de nition of FF (dt ). We present one part of this proof the preservation of identities in more detail. Let dt : Rep, and A X : Type. The dt IA IX = IFF dt A X . The proof is by induction on oal is to show that FFarr obj the representation type dt . The base case where dt = nil represents an empty datatype and hence the proposition is trivially true. In the induction step one s::l s::l FFarr IA IX x = IFF s::l A X x iven that the has to prove that x : FFobj obj proposition holds for l . The lefthand side of this equation evaluates to + l IA IX ) + FFarr IA IX ) x (map (elimC where C ::= k : Kind (rec + A X k )
(rec + A X k )
We proceed by a coproduct induction on x . The inr case can be proved easily usin the induction hypothesis. For the inl case we have to show that y : Ar
A X (s)
+ map (elimC IA IX ) y = IAr
A,X (s)
y
The next step is to induct on the representation s of the ar ument type of a constructor. The base case corresponds to a zeroplace constructor and holds trivially. The induction step requires us to prove that y : Ar
A X (k
+ :: l 0 ) mapk::l 0 (elimC IA IX ) y = IAr
A,X (k ::l
0)
y
under the induction hypothesis that the proposition holds for l 0 . The lefthand + + IA IX k mapl0 (elimC IA IX )) y. The side of this equation evaluates to (elimC induction hypothesis reduces the ri hthand side function to IAr A,X (l 0 ) and by + IA IX k = Irec + A X k . Thus, simple case analysis on k one can prove that elimC the oal now reads (Irec + A X k IAr A,X (l 0 ) ) y = IAr A,X (k ::l 0 ) y. This reduces to the trivial oal (fst (y) snd (y)) = y This polytypic proof has been constructed in Le o usin 14 re nement steps. The second part of the bifunctoriality proof, the preservation of composition, runs alon the same lines. More precisely, the induction proceeds by inductin on the number of coproduct inductions elim + as determined by the len th of the representation type dt followed by an induction on the number of product inductions elim in the induction step; the outer (inner) induction employs one coproduct (product) induction elim + (elim ) in its induction step. nth Constructor. Example 6 su ests encodin a function for extractin the nth constructor from dt . Informally, this function chains n ri htinjections
Polytypic Proof Construction
69
with a nal leftinjection: c(n) inr inr inl . It is clear how dt A to internalize the dots by recursin on n, but the complete de nition of this function is somewhat involved for the dependency of the ri ht injections from the position i and the types of intermediate functions (see also Example 6). Thus, we restrict ourselves to only state the type of this function. c:
dt Rep A Type n : N p : (n len(dt )) Tdt (A) Ar A Tdt (A) (nth dt n p)
Polytypic Reco nizer. The explicit representation of datatypes permits de nin a function for computin reco nizer functions for all (representable) datatypes. First, the auxiliary function r traverses a iven representation list and returns a pair (f i) consistin of a reco nizer f and the current position i in the representation list. De nition 14. Let dt : Rep, A : Type, n : N , and p : (n rc (dt A n p)
:
Al (Fdt (A) Prop)
1
::=
len(dt )) . (rAdt n p )
r (dt A n p) : Al (Fdt (A) Prop) N rAniln p = ( x : 0 arbitraryProp x zero) rAs::ln p = let (f i) = rAl n p in ([ : Ar A Prop (s) n = i f ] succ(i)) Now, it is a simple matter to de ne the polytypic reco nizer by applyin the polytypic catamorphism on rc . De nition 15 (Polytypic Reco nizer). Let dt : Rep, A : Type, n : N , and p : (n len(dt )) . R(dt A n p) : Tdt (A)
Prop ::= ( rc
dt An p
)
This function satis es the followin characteristic properties for reco nizers. Proposition 2. Let dt Rep, A Type, i j : N ; furthermore p : (i q : (j len(dt )) , a : Ar A Tdt (A) (nth dt i p), then: 1. Ri p ci p (a) 2. i = j (Rj
q
len(dt )) ,
ci p (a))
Polytypic No Confusion. Now, we have collected all the in redients for statin and provin a polytypic no confusion theorem once and for all. Theorem 1 (Polytypic No Confusion). dt Rep A Type i j : N p : (i len(dt )) q : (j len(dt )) a : Ar A Tdt (A) (nth dt i p) b : Ar A Tdt (A) (nth dt j q) i =j ci p (a) = cj q (b)
70
Hol er Pfeifer and Harald Rue
Given the hypothesis H : ci p (a) = cj q (b) one has to construct a proof term of . Accordin to Proposition 2 this task can be reduced to ndin a proof term for Rj q ci p (a). Furthermore, for hypothesis H , this oal is equivalent with formula Rj q cj q (a), which is trivially inhabited accordin to Proposition 2. This nishes the proof. A ain, each of these steps correspond to a re nement step in the Le o formalization. Notice that the proof of the polytypic bifunctoriality property and the polytypic no confusion theorem are as strai htforward as any instance thereof for any datatype and for any le itimate pair of datatype constructors.
5
Conclusions
The main conclusion of this paper is that the expressiveness of type theory permits internalizin many interestin polytypic constructions that are sometimes thou ht to be external and not formalizable in the base calculus [22, 24]. In this way, polytypic abstraction in type theory has the potential to add another level of flexibility in the reusability of formal constructions and in the desi n of libraries for pro ram and proof development systems. We have demonstrated the feasibility of our approach usin some smallsized polytypic constructions, but, obviously, much more work needs to be done to build a useful library usin this approach. Most importantly, a number of polytypic theorems and polytypic proofs thereof need to be identi ed. Althou h we have used a speci c calculus, namely the Extended Calculus of Constructions, for our encodin s of semantically and syntactically polytypic abstraction, similar developments are possible for other type theories such as MartinL¨ of type theories [18] with universes or the Inductive Calculus of Constructions. Semantically polytypic developments are formulated usin initiality without reference to the underlyin structure of datatypes. We have demonstrated how to eneralize some theorems from the literature, like reflection and fusion for catamorphisms, to correspondin theorems for dependent paramorphisms (eliminations). These developments may not only make many pro ram optimizations, like the fusion theorem above, applicable to functions of dependent type but for the correspondence of dependent paramorphisms with structural induction it may also be interestin to investi ate usa e of these eneralized polytypic theorems in the proof development process; consider, as a simple example, a polytypic construction of a double induction scheme from structural induction. Syntactic polytypism is obtained by syntactically characterizin the descriptions of a class of datatypes. Dybjer and Setzer [5] extend the notion of inductively de ned sets (datatypes) that are characterized by strictly positive functors [19, 21] and provide an axiomatization of sets de ned throu h inductionrecursion. For the purpose of demonstration, however, we have chosen to deal with a special case of datatypes the class of polynomial datatypes in this paper, but it is strai htforward, albeit somewhat more tedious, to eneralize these developments to support lar er classes. From a technical point of view, it was essential to be able to recurse alon the structure of arbitrary product types in order to encode in type theory many as used in informal developments. We
Polytypic Proof Construction
71
solved this problem by describin product types A1 An by a list l of the types Ai and by encodin a function ⊗(l ) for computin the correspondin product type. These developments may also be interestin for other applications such as statically typin hetero eneous lists (or Sexpressions) within type theory. The rst step towards syntactic polytypism consists in xin a representation type for the chosen class of datatypes; this representation (or abstract syntax) can be understood as a simple kind of metalevel representation, since it makes the internal structure of datatype descriptions amenable for inspection. In the next step, one xes the denotation of each datatype representation by assi nin a correspondin functor to it. These functor terms can be thou ht of as bein on the objectlevel and the typetheoretic function for computin denotations of representation is sometimes called a computational reflection function. This internalization of both the representation and the denotation function permits abstractin theorems, proofs, and pro rams with respect to the class of (syntactically) representable datatypes. The added expressiveness of syntactic polytypy has been demonstrated by means of several examples. The polytypic (bi)functoriality proof e. . requires inductin on syntactic representations, and the proof of the no confusion theorem relies on the de nition of a family of polytypic reco nizer functions. This latter theorem is a particularly ood example of polytypic abstraction, since its polytypic proof succinctly captures a ’proof idea’ for an in nite number of datatype instances.
References [1] B. Barras, S. Boutin, and C. Cornes et. al. The Coq Proof Assistant Reference Manual  Vers. 6.2.4. INRIA, Rocquencourt, 1998. [2] R. Bird and O. de Moor. Al ebra of Pro rammin . International Series in Computer Science. Prentice Hall, 1997. [3] C. B¨ ohm and A. Berarducci. Automatic Synthesis of Typed Pro rams on Term Al ebras. Theoretical Computer Science, 39:135 154, 1985. [4] T. Coquand and C. Paulin. Inductively De ned Types. In Proc. COLOG 88, volume 417 of LNCS, pa es 50 66. Sprin erVerla , 1990. [5] P. Dybjer and A. Setzer. A Finite Axiomatization of InductiveRecursive De nitions. In J.Y. Girard, editor, Proc. 4th Int. Conf. on Typed Lambda Calculi and Applications, TLCA’99, volume 1581 of LNCS. Sprin erVerla , 1999. [6] M. J. C. Gordon and T. F. Melham (eds.). Introduction to HOL: A Theorem Provin Environment for Hi her Order Lo ic. Cambrid e University Press, 1993. [7] R. Harper and R. Pollack. Type Checkin , Universal Polymorphism, and Type Ambi uity in the Calculus of Constructions. In TAPSOFT’89, volume II, LNCS, pa es 240 256. Sprin erVerla , 1989. [8] G. Huet and A. Sa¨bi. Constructive Cate ory Theory. In Proc. CLICSTYPES Workshop on Cate ories and Type Theory, January 1995. [9] C.B. Jay and J.R.B. Cockett. Shapely Types and Shape Polymorphism. In D. Sannella, editor, Pro rammin Lan ua es and Systems ESOP’94, volume 788 of LNCS, pa es 302 316. Sprin erVerla , 1994. [10] J. Jeurin . Polytypic Pattern Matchin . In Conf. Functional Pro rammin Lanua es and Computer Architecture (FPCA ’95), pa es 238 248. ACM Press, 1995.
72
Hol er Pfeifer and Harald Rue
[11] J. Jeurin and P. Jansson. Polytypic Pro rammin . In T. Launchbury, E. Meijer, and T. Sheard, editors, Advanced Functional Pro rammin , LNCS, pa es 68 114. Sprin erVerla , 1996. [12] Z. Luo. An Extended Calculus of Constructions. Technical Report CST6590, University of Edinbur h, July 1990. [13] Z. Luo and R. Pollack. The Le o Proof Development System: A User’s Manual. Technical Report ECSLFCS92211, University of Edinbur h, 1992. [14] G. Malcolm. Data Structures and Pro ram Transformation. Science of Computer Pro rammin , 14:255 279, 1990. [15] L. Meertens. Paramorphisms. Formal Aspects of Computin , 4(5):413 425, 1992. [16] L. Meertens. Calculate Polytypically. In H. Kuchen and S.D. Swierstra, editors, Pro rammin Lan ua es, Implementations, Lo ics, and Pro rams (PLILP’96), LNCS, pa es 1 16. Sprin erVerla , 1996. [17] E. Meijer, M. Fokkin a, and R. Paterson. Functional Pro rammin with Bananas, Lenses, Envelopes, and Barbed Wire. In Proc. 5th Conf. on Functional Pro rammin Lan ua es and Computer Architecture, pa es 124 144, 1991. [18] B. Nordstr¨ om, K. Petersson, and J.M. Smith. Pro rammin in MartinL¨ of ’s Type Theory. Mono raphs on Computer Science. Oxford Science Publications, 1990. [19] Ch.E. Ore. The Extended Calculus of Constructions (ECC) with Inductive Types. Information and Computation, 99, Nr. 2:231 264, 1992. [20] S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal Veri cation for FaultTolerant Architectures: Prole omena to the Desi n of PVS. IEEE Transactions on Software En ineerin , 21(2):107 125, 1995. [21] C. PaulinMohrin . Inductive De nitions in the System Coq, Rules and Properties. In J.F. Groote M.Bezem, editor, Typed Lambda Calculi and Applications, volume 664 of LNCS, pa es 328 345. Sprin erVerla , 1993. [22] L.C. Paulson. A Fixedpoint Approach to (Co)Inductive and (Co)Datatype De nition. Technical report, Computer Laboratory, University of Cambrid e, 1996. [23] H. Rue . Computational Reflection in the Calculus of Constructions and Its Application to Theorem Provin . In J. R. Hindley P. de Groote, editor, Proc. 3rd Int. Conf. on Typed Lambda Calculi and Applications TLCA’97, volume 1210 of LNCS, pa es 319 335. Sprin erVerla , 1997. [24] N. Shankar. Steps Towards Mechanizin Pro ram Transformations Usin PVS. Preprint submitted to Elsevier Science, 1996. [25] T. Sheard. Type Parametric Pro rammin . Ore on Graduate Institute of Science and Technolo y, Portland, OR, USA, 1993. [26] The Le o team. The Le o Library. Distributed with Le o System, 1998. [27] D. Tuijnman. A Cate orical Approach to Functional Pro rammin . PhD thesis, Universit¨ at Ulm, 1996. [28] F. W. von Henke. An Al ebraic Approach to Data Types, Pro ram Veri cation, and Pro ram Synthesis. In Mathematical Foundations of Computer Science, Proceedin s, volume 45 of LNCS. Sprin erVerla , 1976. [29] F. W. von Henke, S. Pfab, H. Pfeifer, and H. Rue . Case Studies in MetaLevel Theorem Provin . In Jim Grundy and Malcolm Newey, editors, Proc. Intl. Conf. on Theorem Provin in Hi her Order Lo ics, volume 1479 of LNCS, pa es 461 478. Sprin erVerla , September 1998.
Recursive unction De nition over Coinductive Types John Ma hews Ore on Graduate Institute, P.O. Box 91000, Portland OR 972911000, USA
[email protected] http://www.cse.ogi.edu/ johnm
Abs rac . Usin the notions of unique xed point, conver in equivalence relation, and contractin function, we eneralize the technique of wellfounded recursion. We are able to de ne functions in the Isabelle theorem prover that recursively call themselves an in nite number of times. In particular, we can easily de ne recursive functions that operate over coinductivelyde ned types, such as in nite lists. Previously in Isabelle such functions could only be de ned corecursively, or had to operate over types containin extra bottomelements. We conclude the paper by showin that the functions for lterin and flattenin in nite lists have simple recursive de nitions.
1
Well ounded Recursion
Ra her han specify recursive func ions by possibly inconsis en axioms, several higher order logic (HOL) heorem provers[3, 9, 12] provide wellfounded recursive func ion de ni ion packages, where new func ions can be de ned conserva ively. Recursive func ions are de ned by giving a series of pa ern ma ching reduc ion rules, and a wellfounded rela ion. For example, he map func ion applies a func ion f poin wise o each elemen of a ni e lis . This func ion can be de ned using wellfounded recursion: map :: (
)
list
list
map f [] = [] map f (x#xs) = (f x) # (map f xs) The rs rule s a es ha map applied o he emp y lis , deno ed by [], is equal o he emp y lis . The second rule s a es ha map applied o a lis cons ruc ed ou of he head elemen x and ail lis xs, deno ed by x#xs, is equal o he lis formed by applying f o x and map f o xs recursively. To de ne a func ion using wellfounded recursion, he user mus also supply a wellfounded relation on one of he func ion’s argumen s1 . A wellfounded 1
Some wellfounded recursion packa es only allow sin lear ument functions to be de ned. In this case one can ain the e ect of multiar ument curried functions by tuplin .
Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 73 90, 1999. c Sprin erVerla Berlin Heidelber 1999
74
John Matthews
rela ion ( O.
Let us notice that the functions T rans and Out have been curry ed. Given an initial state s, the Mealy machine computes an in nite output sequence in response to an in nite input sequence. This output stream is computed by the followin corecursive function : CoFixpoint Mealy : (Stream I) > S > (Stream O) := [inp, s] (Cons (Out (Head inp) s) (Mealy (Tail inp) (Trans (Head inp) s))).
The rst element of the output stream is the result of the application of the output fonction Out to the rst input (that is the head of the input stream inp) and to the initial state s. The tail of the output stream is then computed by a recursive call to M ealy on the tail of the input stream and the new state. This new state is iven by the function T rans, applied to the rst input and the initial state. The stream of all the successive states from the initial one s can be obtained similarly : CoFixpoint States : (Stream I) > S > (Stream S) := [inp, s] (Cons s (States (Tail inp) (Trans (Head inp) s))).
Once the eneric data type is de ned, we present the interconnection rules which express how a complex machine can be decomposed into simpler ones. 3.2
Modularity
Three interconnection rules are de ned on the set of automata. They represent the parallel composition, the sequential composition and the feedback composition of synchronous sequential devices. We shall only develop the rst one, as an illustration of the al ebraic aspect of the theory.
Hardware Veri cation Using Coinduction in COQ
95
A1
Trans1
s1
Out1
f 1 (e)
i
f
*
output
o
f 2 (e) Trans2
s2
Out2
A2
Fi . 2. Parallel Composition of two Mealy Automata
The parallel composition of two Mealy automata A1 and A2 is informally described in . 2. The two objects, on each side of the schema, need comments :  f = (f1 f2 ) builds from the current input i the pair of inputs (f1 (i) f2 (i)) for A1 and A2.  output computes the lobal output from the outputs of A1 and A2. This can be implemented in Coq in the followin way : Variables I1, I2, O1, O2, S1, S2, I, O : Set. Variable Trans1 : I1 > S1 > S1. Variable Trans2 : I2 > S2 > S2. Variable Out1 : I1 > S1 > O1. Variable Out2 : I2 > S2 > O2. Variable f : I > I1*I2. Variable output : O1*O2 > O. Local A1 := (Mealy Trans1 Out1). Local A2 := (Mealy Trans2 Out2). Definition parallel : (Stream I) > S1 > S2 := [inp, s1, s2] (Map output (Prod (A1 (Map Fst (Map f inp)) s1) (A2 (Map Snd (Map f inp)) s2))).
In the last de nition, s1 and s2 are the initial states of A1 and A2. The input of A1 is obtained by mappin the rst projection F st on the stream resultin from the mappin of the function f on the lobal stream inp. Then (A1 (M ap F st (M ap f inp)) s1) is the output stream of A1. That of A2 is de ned similarly. Finally, the parallel composition output stream is obtained by mappin the function output on the product of the output streams of A1 and A2. This parallel composition is not an automaton. But it can be shown that it is equivalent to a Mealy automaton called P C in the followin sense : if a certain relation holds on the initial states, in response to two equivalent input streams, the output streams for parallel composition and P C are equivalent. The state type of P C is the product of the state type of A1 and the state type of A2. Its transition function and its output function are respectively de ned by :
96
Solange Coupet Grimal and Line Jakubiec
i
I
s1 S 1 s2 S 2 T rans P C(i (s1 s2 )) = (T rans1(f1 (i) s1 ) T rans2(f2 (i) s2 )), Out P C(i (s1 s2 )) = (output(Out1(f1 (i) s1 ) Out2(f2 (i) s2 ))).
These de nitions are translated in Coq strai htforwardly. Let us now prove the equivalence between the parallel composition and this automaton P C. Definition PC:=(Mealy Trans_PC Out_PC). Lemma Equiv_parallel_PC : (s1 : S1) (s2 : S2) (inp : (Stream I)) (EqS (parallel inp s1 s2) (PC inp (s1,s2))).
A call to the tactic Co x points to a proof followin the coinduction principle associated with the coinductive de nition of EqS. It means that the resultin proof term will be corecursively de ned. Practically, it introduces in the context the coinduction hypothesis which is the oal to be proved. An application of this hypothesis stands for a recursive call in the construction of the proof. Equiv_parallel_PC < Cofix. 1 sub oal Equiv_parallel_PC : (s1 : S1) (s2 : S2) (inp : (Stream (EqS (parallel ============================ (s1:S1)(s2:S2)(inp:(Stream I))(EqS
(coinduction ypot esis) I)) i s1 s2) (PC i (s1,s2))) (parallel inp s1 s2) (PC inp (s1,s2)))
Of course, at this point, this hypothesis may not be used to prove the oal (petitio principii). Indeed, the resultin proof term would be rejected by the system, as syntactically incorrect since it does not satisfy the required uard conditions. Therefore, we use the tactic Intros to introduce in the context the hypotheses s1, s2 and inp and then, by applyin the constructor eqS of EqS, we split the oal into two new sub oals which mean that we have now to prove the equality of the heads and the equivalence of the tails. Equiv_parallel_PC < (Intros s1 s2 inp ; Apply eqS). 2 sub oals Equiv_parallel_PC : (s1:S1)(s2:S2)(inp:(Stream I)) (EqS (parallel inp s1 s2) (PC inp (s1,s2))) s1 : S1 s2 : S2 inp : (Stream I) ============================ (Head (parallel inp s1 s2))=(Head (PC inp (s1,s2)))
sub oal 2 is: (EqS (Tail (parallel inp s1 s2)) (Tail (PC inp (s1,s2))))
Hardware Veri cation Using Coinduction in COQ
The rst sub oal is automatically resolved, after havin been simpli ed by reduction.
97

Equiv_parallel_PC < (Simpl; Auto). 1 sub oal Equiv_parallel_PC : (s1:S1)(s2:S2)(inp:(Stream I)) (EqS (parallel inp s1 s2) (PC inp (s1,s2))) s1 : S1 s2 : S2 inp : (Stream I) ============================ (EqS (Tail (parallel inp s1 s2)) (Tail (PC inp (s1,s2))))
The equivalence of the tails is now automatically established by an application of the coinduction hypothesis (tactic T rivial) after unfoldin the de nition of parallel and simplifyin the resultin term. Equiv_parallel_PC < (Unfold parallel in Equiv_parallel_PC;Simpl;Trivial). Subtree proved!
For clarity, we ive in a sli htly simpli ed syntax the corecursive proof term enerated by this session : CoFixpoint Equiv_parallel_PC: (s1 : S1) (s2 : S2) (inp : (Stream I)) (EqS(parallel inp s1 s2) (PC inp(s1,s2))):= [s1 : S1] [s2 : S2] [inp : (Stream I)] (eqS (refl_equal O (output ((Out1 (Fst (f (Head inp))) s1), (Out2 (Snd (f (Head inp))) s2)))) (Equiv_parallel_PC (Trans1 (Fst (f (Head inp))) s1) (Trans2 (Snd (f (Head inp))) s2) (Tail inp))).
We see that, in the declaration above, the recursive call to Equiv parallel P C occurs under the constructor eqS. Moreover, two automata are said equivalent if their outputs are equivalent streams whenever their inputs are equivalent streams. We proved an important fact, namely that the equivalence of automata is a con ruence for the composition rules. For example, if A1 and A2 are two equivalent automata and B1 and B2 are equivalent as well, then the parallel composition of A1 and A2 is an automaton equivalent to the parallel composition of B1 and B2 . 3.3
Proof Schema for Circuit Correctness
Provin that a circuit is correct amounts to provin that, under certain conditions, the output stream of the structural automaton and that of the behavioural automaton are equivalent. We present in this section a eneric lemma, all our correctness proofs rely on. It is in fact a kind of preestablished proof schema which handles the main temporal aspects of these proofs. Let us rst introduce some speci c notions.
98
Solange Coupet Grimal and Line Jakubiec
In the followin , we consider two Mealy automata : A1 = (I O S1 T rans 1 Out 1) and A2 = (I O S2 T rans 2 Out 2) that have the same input set and the same output set. Invariant Given p streams, a relation which holds for all ptuples of elements at the same rank, is called an invariant for these p streams. Let us specify this notion in Coq for 3 streams on the sets I, S1 and S2 . CoInductive Inv [P : I > S1 > S2 > Prop] : (Stream I) > (Stream S1) > (Stream S2) > Prop := C_Inv : (inp : (Stream I))(st1 : (Stream S1))(st2 : (Stream S2)) (P (Head inp) (Head st1) (Head st2)) > (Inv P (Tail inp) (Tail st1) (Tail st2)) > (Inv P inp st1 st2).
Now,(Inv P inp st1 st2) means that P is an invariant for the triplet (inp st1 st2). Invariant state relation Let R be a relation on S1 S2 and P a relation on I S1 S2 . R is invariant under P for the automata A1 and A2, i : i I s1 S 1 s2 S 2 R (T rans 1 (i s1 ) T rans 2 (i s2 )). (P (i s1 s2 ) R (s1 s2 )) This is translated in Coq by : Definition Inv_under:=[P: I > S1 > S2 > Prop] [R : S1 > S2 > Prop] (i : I) (s1 : S1) (s2 : S2) (P i s1 s2) > (R s1 s2) > (R (Trans1 i s1) (Trans2 i s2)).
Output relation A relation on the states of two automata is an output relation if it is stron enou h to induce the equality of the outputs. Definition Output_rel := [R: S1 > S2 > Prop] (i : I) (s1 : S1) (s2 : S2) (R s1 s2) > (Out1 i s1) = (Out2 i s2).
We can now set the equivalence lemma : Lemma Equiv_2_Mealy : (P : I > S1 > S2 > Prop) (R : S1 > S2 > Prop) (Output_rel R) > (Inv_under P R) > (R s1 s2) > (inp : (Stream I)) (s1 : S1) (s2 : S2) (Inv P inp (States Trans1 Out1 inp s1) (States Trans2 Out2 inp s2)) > (EqS (A1 inp s1) (A2 inp s2)).
in other words if R is an output relation invariant under P that holds for the initial states, if P is an invariant for the common input stream and the state streams of each automata, then the two output streams are equivalent. The proof of this lemma is done by coinduction.
Hardware Veri cation Using Coinduction in COQ
4 4.1
99
Application to the Certi cation of a True Circuit The 4 by 4 Switchin Element
Desi ned and implemented at Cambrid e University by the Systems Research Group, the Fairisle 4 by 4 Switch Fabric is an experimental local area network based on Asynchronous Transfer Mode (ATM).
fs
1
TIMING
act
pri route
routeEnable 1
4
4
PRIORITY_DECODE
ltReq 4x4
4x2
Grant
FOUR_ARBITERS 4
outputDisable
4x2
Fi . 3. Arbitration Unit
The switchin element is the heart of the 4 by 4 Switch Fabric, connectin 4 input ports to 4 output ports. Its main role is performin switchin of data from input ports to output ports and arbitratin data clashes accordin to the output port requests made by the input ports. We focus here on its Arbitration unit, which is its most si ni cant part, as far as speci cation and veri cation are concerned. This unit decodes requests from input ports and priorities between data to be sent, and then it performs arbitration. It is the interconnection of 3 modules ( .3) : F OU R ARBIT ERS which performs the arbitration for all output ports, followin the Round Robin al orithm, T IM IN G which determines when the arbitration process can be tri ered, P RIORIT Y DECODE which decodes the requests and lters them accordin to their priority. Its structure is essentially combinatorial. As an illustration of section 3.3, we present in detail the veri cation of T IM IN G, which is rather simple and si ni cant enou h to illustrate the proof of equivalence between a structural automaton and a behavioural automaton. Then, we shall present how ARBIT RAT ION is veri ed by joinin to ether the various correctness results of its submodules. This will illustrate not only the hierarchical aspect of our approach, but also that the real objects we have to handle are in eneral much more complex than those presented on the example of T IM IN G
100
Solange Coupet Grimal and Line Jakubiec
4.2
Veri cation of the Basic Unit Timin
The unit T IM IN G can be speci ed and proved directly, that is without any decomposition. It is essentially composed of a combinatorial part connected to two re isters as shown in .4.
act
OR4 y
fs
AND4
REG
OR2
REG
routeEnable
INV
INV
y
AND2
Fi . 4. Timin Unit
Structure The structure of T IM IN G corresponds exactly to a Mealy automaton. Its transition function represents the boxed combinatorial part in .4. The state is the pair of the two re ister values. The de nitions below ive some examples of lo ical ates encodin . The function ne and andb are functions de ned in a library dedicated to the booleans. Local I := Local O := Definition Definition Definition
bool * (d_list bool four). bool. S := (d_list bool two). INV := ne . AND4 := [a, b, c, d : bool] (andb a (andb b (andb c d))).
Definition Timin : I > S > S := [i, s0] let (fs, act) = i in (List2 (AND4 (OR4 act) (Snd2 s0) (INV fs) (INV (Fst2 s0))) (OR2 fs (AND2 (INV (Fst2 s0)) (Snd2 s0)))). Definition Out_Struct_Timin I > S > O := [_ , l] (Fst2 l). Definition Structure_TIMING := (Mealy Timin Out_Struct_Timin ).
The keyword Local introduces declarations which are local to the current section. We have iven the instanciation of the type I as an example of a real data type. The input is composed of two si nals (f s, act) of 1 bit and 4 bits respectively (see .4). Therefore, f s is coded by a term of type bool, but act is a bit more complex. It is represented by a list of four booleans of type (d list bool four). This type is a dependent type : it depends on the len th (here the term f our) of the
Hardware Veri cation Using Coinduction in COQ
101
lists under consideration. We do not o into details about dependent types (see [5]), but we recall that, althou h they are quite tricky to handle, they provide much more precise speci cations. Behaviour The behaviour is presented in .5. The output is a boolean value that indicates when the arbitration can be tri ered. This output is false in eneral. When the frame start si nal f s oes hi h, the device waits until one of the four values carried by act is true. In that case the output takes the value true durin one time unit and then it oes low a ain. The type of the states is de ned by : Inductive S_beh: Set := START_t: S_beh  WAIT_t: S_beh  ROUTE_t: S_beh.
The transition function trans T and the output function out T are simple and de ned by cases. The automaton Behaviour T IM IN G is obtained as usual by an instanciation of M ealy.
fs
fs
act
START_t
WAIT_t
false false act
ROUTE_t
true
Fi . 5. Timin Behaviour
Proof of Equivalence All the notions we use in this para raph have been introduced in section 3.3. To prove the equivalence between Behaviour T IM IN G and Structure T IM IN G we apply the lemma Equiv 2 M ealy of our toolbox. For that, we have to de ne a relation between the state l of the structure and the state s of the behaviour. The relation R T imin expresses that the rst re ister value ( rst element of l) equals the output of the behaviour in the state s, that insures that the relation is an output relation. It also expresses constraints between s and the second re ister of the structure. Definition R_Timin S_beh > S > Prop := [s, l]((i:I)(Fst2 l)=(Out_T i s)) /\ (s = START_t /\ (Snd2 l) = false \/ s = WAIT_t /\ (Snd2 l) = true \/ s = ROUTE_t /\ (Snd2 l) = true).
102
Solange Coupet Grimal and Line Jakubiec
No additional hypothesis is needed to prove that R T imin is an invariant relation on the state streams, that means that it is invariant under the T rue constant predicate on the streams, which is obviously an invariant. Let us call it Cst T rue. After havin proved that R T imin is a relation invariant under Cst T rue, the required correctness result is obtained as a simple instanciation of the lemma Equiv 2 M ealy as shown in the trace below. Lemma Inv_relation_T: (Inv_under Trans_T Timin Cst_True R_Timin ). ... Lemma Correct_TIMING: (i: (Stream I)) (l: S) (s: S_beh) (R_Timin s l)> (EqS (Behaviour_TIMING i s) (Structure_TIMING i l)). Intros i l s HR. (Unfold Behaviour_TIMING; Unfold Structure_TIMING). Apply (Equiv_2_Mealy Inv_relation_T Output_rel_T Inv_Cst_True HR). Save.
In the proof above, Output rel T and Inv Cst T rue stand for the proof that R T imin is an output relation and that Cst T rue is an invariant. This example is rather simple but it clearly shows that the combinatorial part of the proof and the temporal one are separated. The former essentially consists in provin that R T imin is an invariant, which is essentially a proof by cases. The latter has been already done when we proved the lemma Equiv 2 M ealy. 4.3
Hierarchical and Modular Aspects
Let us now illustrate the hierarchical modularity of our approach on the speci cation and the veri cation of an interconnection of several modules, namely the Arbitration unit ( .3). Its structure is described in .6.
Structure_TIMING
*
(fs,act,pri,route)
Structure_FOUR_ARBITERS
Structure_PRIORITY_DECODE
Fi . 6. The Arbitration Structure as an Interconnection of Automata
Structural Description The structural description is iven in several steps ( .7, 8, 9), by usin the parallel and sequential composition rules (P C and SC) on automata presented in para raph 3.2.
Hardware Veri cation Using Coinduction in COQ
103
Structure_TIMING
(fs,act,pri,route)
*
f_tp
output_tp
Structure_PRIORITY_DECODE
Fi . 7. Structure T IM IN GP DECODE Mealy_IDENTITY
(fs,act,pri,route)
*
f_tpi
output_tpi
Structure_TIMING_PDECODE
Fi . 8. Structure T IM IN GP DECODE ID
We only ive the Coq code of the nal de nition representin the structure of ARBIT RAT ION as a sequential composition of two intermediate automata. Local I :=
bool * (d_list bool four) * (d_list bool four) * (d_list (d_list bool two) four).
Definition Structure_ARBITRATION : (Stream I) > S > (Stream O) := (SC TransPC_Tm Pdecode_id Trans_struct_four_arbiters OutPC_Tm Pdecode_id Out_struct_four_arbiters ).
The term SC builds the Mealy automaton equivalent to the sequential composition of the automata Structure T IM IN GP DECODE ID and Structure F OU R ARBIT ERS ( .9). Behavioural Description The behaviour of Arbitration was initially iven in natural lan ua e by the desi ners. Several formal descriptions can be derived. For example, in HOL, Curzon uses classical timin dia rams (waveforms) whereas Tahar, in MDG, speci es it by means of Abstract State Machines (ASM) the states of which are located accordin to two temporal axis [16]. Our description is more abstract, more compact and closer to the informal statement. We represent it, as usual, by a Mealy automaton which is described in .10. It is particularly small (only 5 states). This comes from the fact that a reat deal of information is expressed by the states themselves, the output function and the transition function. The input has the same type I as in the structural description. The current input is then (fs, act, pri, route). The states are 4tuples consistin of :
104
Solange Coupet Grimal and Line Jakubiec Structure_TIMINGPDECODE_ID
(fs,act,pri,route)
Structure_FOUR_ARBITERS
Fi . 9. Structure ARBIT RAT ION act \/ fs act /\ fs fs /\ l 2 (START_A,g,T,l1)
(ACTIVE_A,g,T,l2)
fs fs /\
l2
fs fs
(NOT_TRIGGER_A,g,T,l3)
fs
fs
(WAIT_BEGIN_A,g’,o’,l5)
(TRIGGER_A,g’,o’,l4) fs
fs
T = (true,true,true,true)
Fi . 10. Arbitration Behaviour a label (START A for instance), a list of 4 pairs of booleans, each of them bein the binary code of the last input port that ained access to the output port correspondin to its rank in the list , a list o of 4 booleans indicatin if the information of same rank in the list above is up to date (an element of can be out of date if the correspondin output port has not been requested at the previous cycle), the current requests l. It is a list of 4 elements (one for each output port). Each of these elements is itself a list of 4 booleans (one for each input port) indicatin if the input port actually requests the correspondin output port and if it has a hi h level of priority or not. The transition function computes the new state from the information carried by the current state and the current input. Hence, it is quite complex. Let us explain how and o are updated. This is done my means of an arbitration process. For each output port, it rst computes the last port (say last) that ot access to this output port. Then, it calls the RoundRobin (4 l last) where RoundRobin is described as follows :
Hardware Veri cation Using Coinduction in COQ
105
RoundRobin (n l last) = if n = 0 then (last true) else let succ = (last + 1) mod 4 in if succ l then (succ f alse) else RoundRobin (n − 1 l succ) The list of the rst components returned by the 4 calls (one for each output port) to RoundRobin constitutes the new value of and the list of the second components, that of o. We do not o into details about the new requests that are computed by decodin and lterin the current input. For lack of space, we do not ive the Coq code of this transition function. Let us just make clear that, at each step, it describes non trivial intermediate functions for arbitratin , lterin , decodin . This points out an essential feature of our speci cation : due to the hi h level of abstraction of the Coq speci cation lan ua e, we can handle automata which have few states but which carry a lot of information. This allows us to avoid combinatorial explosions and leads to short proofs (few cases have to be considered). The automaton outputs the list product of and o. Let us ive the states type S : Inductive label : Set := WAIT_BEGIN_A : label  TRIGGER_A : label  START_A : label  ACTIVE_A : label  NOT_TRIGGER_A : label. Definition S : Set := label * (d_list bool*bool four) * (d_list bool four) * (d_list (d_list bool four) four). Definition Trans_Arbitration : I > S > S := ... Definition Out_Arbitration : I > S > O := ... Definition Behaviour_ARBITRATION:= (Mealy Trans_Arbitration Out_Arbitration).
The Proof of Correctness: An Outline The proof of correctness follows from the veri cation of the modules that compose the Arbitration unit. We perform it in several steps, hierarchically. (1) We build behavioural automata for T IM IN G, F OU R ARBIT ERS, and P RIORIT Y DECODE. We prove that these three automata are equivalent to the three correspondin structural automata. (2) We interconnect the structural automata and we et the lobal structural automaton called Structure ARBIT RAT ION .
106
Solange Coupet Grimal and Line Jakubiec
(3) In the same way, we interconnect the three behavioural automata (1) and we et an automaton called Composed Behaviours. (4) We show, from (1) and by applyin the lemmas statin that the equivalence of automata is a con ruence for the composition rules, that Composed Behaviours and Structure ARBIT RAT ION are equivalent. (5) We prove that Composed Behaviours is equivalent to the expected behaviour, namely Behaviour ARBIT RAT ION . This is the essential part of the lobal proof and is much simpler than provin directly the equivalence between the structure and the behaviour. As a matter of fact, Composed Behaviours is more abstract than Structure ARBIT RAT ION which takes into account all the details of the implementation. (6) This nal result, namely the equivalence of Behaviour ARBIT RAT ION and Structure ARBIT RAT ION , is obtained easily from (4) and (5) by usin the transitivity of the equivalence on the Streams. Let us point out that the lemma Equiv 2 M ealy of our toolbox (section 3.3) has been applied several times (3 times in (1) and once in (5)). Here is the nal lemma : Lemma Correct_ARBITRATION : (i : (Stream I)) (EqS (Behaviour_ARBITRATION i (WAIT_BEGIN_A, ((List4 11_0 12_0 21_0 22_0),(l4_ffff,p_0)))) (Structure_ARBITRATION i ((IDENTITY, (l2_ff,p_0)), ((((pdt_List2 11_0),false),((pdt_List2 12_0),false)), (((pdt_List2 21_0),false),((pdt_List2 22_0),false)))))).
Moreover, it is worth noticin that the F OU R ARBIT ERS unit is itself composed of 4 subunits and that its veri cation requires a ain a modular veri cation process.
5
Conclusion
We have presented in this paper a methodolo y, entirely implemented in Coq, for specifyin and verifyin synchronous sequential circuits. The startin point is a uniform description of the structure and the expected behaviour of circuits by means of Mealy automata. The points of our work that must be emphasized are the followin : The use of Coq dependent types : althou h they are tricky to use (to our point of view), they provide very precise and reliable speci cations. The use of Coq coinductive types : we could obtain a clear and natural modellin of the history of the wires in a circuit without introducin any temporal parameter.
Hardware Veri cation Using Coinduction in COQ
107
Reasonin by coinduction : we could capture once and for all in one eneric lemma most of the temporal aspects of the proof processes. In each speci c case, only combinatorial parts need to be developed. The eneric library on automata that has been developed : it can be reused in every particular case. The feasibility of our approach, that has been demonstrated on the example of a real non trivial circuit. Our whole development (includin the eneric tools) takes approximatively 4,000 lines. The hierarchical and modular approach : not only does this lead to clearer and easier proof processes but also this allows us to use, in a complex verication process, correctness results related to preproven components. The small size of the automata we de ne : at most 5 states for the circuit under consideration. This comes from the complex structure of the states that carry a lot of information. Therefore the proofs by cases are short but they make use of hi h level transition functions on rich data types. A reat deal of work has been performed in the eld of hardware veri cation usin proof assistants. Let us mention those closest to ours. In [15] PaulinMohrin ave a proof of a multiplier, usin a codi cation of streams in type theory, in a former version of Coq in which coinductive types had not been implemented yet. In [13] a formalization of streams in PVS uses parameterized types to circumvent the absence of coinduction in PVS. Its aim is to verify a synchronous faulttolerant circuit. More recently, Cachera [2] has shown how to use PVS to verify arithmetic circuits described in Haskell. The ATM Switch Fabric has been (and still is) widely used as a benchmark in the hardware community. Let us cite Curzon[7] [6] who has speci ed and proved this circuit in HOL. His study has been a helpful startin point for our investi ations despite his approach is completely di erent in the sense that he speci es the structures as relations that are recursive on a time parameter and he represents the behaviours by timin dia rams. He does not obtain parameterized libraries but rather libraries related to speci c pieces of hardware. As most of his proofs are inductive, each proof requires at least one particular induction, and sometimes several nested inductions with various base cases. This has to be contrasted with our unique eneric temporal lemma. Tahar in [18] proved the Fabric usin MDG (Multiway Decision Graphs). He handles bi er automata and his proof is more automatic. However it is not reusable. Other approaches on the Fabric propose abstraction processes in order to alleviate the proof process [12] [8]. Several comparisons have been studied in this eld [17] [16].
References [1] B. Barras and al. T e Coq Proof Assistant Reference Manual : Version 6.1. Tec nical Report 0203, INRIARocquencourt, CNRSENS Lyon, France, Dec. 1997. [2] D. Cachera. Veri cation of Arit metic Circuits using a Functional Language and PVS. Tec nical Report 9748, ENSLyon, LIP, Dec. 1997.
108
Solange Coupet Grimal and Line Jakubiec
[3] T. Coquand. Une Theorie des Constructions. P D t esis, Universite Paris 7, Janvier 1989. [4] T. Coquand and G. Huet. Constructions : A Hig er Order Proof System for Mec anizing Mat ematics. EUROCAL 85, Linz SpringerVerlag LNCS 203, 1985. [5] S. CoupetGrimal and L. Jakubiec. Coq and Hardware Veri cation : a Case Study. In J. G. J. von Wrig t and J. Harrison, editors, TPHOLs’96, LCNS 1125, pages 125 139, Turku (Finlande), 2730t August 1996. SpringerVerlag. [6] P. Curzon. T e Formal Veri cation of t e Fairisle ATM Switc ing Element. Tec nical Report 329, University of Cambridge, Mar. 1994. [7] P. Curzon. T e Formal Veri cation of t e Fairisle ATM Switc ing Element: an Overview. Tec nical Report 328, University of Cambridge, Mar. 1994. [8] E. Garcez and W. Rosenstiel. T e Veri cation of an ATM Switc ing Fabric using t e HSIS Tool. IX Brazilian Symposium on the Design of Integrated Circuits, 1996. [9] E. Gimenez. Un calcul de constructions in nies et son application a la veri cation de systemes communicants. P D t esis, Ecole Normale Superieure de Lyon, 1996. [10] I. Leslie and D. McAuley. Fairisle : A General Topology ATM LAN. http://www.cl.cam.ac.uk/Research/SRG/fairpap.html, Dec. 1990. [11] I. Leslie and D. McAuley. Fairisle : An ATM Network for t e Local Area. ACM Communication Review, 4(19):327 336, September 1991. [12] J. Lu and S. Tahar. Practical Approac es to t e Automatic Veri cation of an ATM Switc using VIS. In IEEE 8th Great Lakes Symposium on VLSI (GLSVLSI’98), pages 368 373, Lafayette, Louisiana, USA, Feb. 1998. IEEE Computer Society Press. [13] P. S. Miner and S. D. Johnson. Veri cation of an Optimized FaultTolerant Clock Sync ronization Circuit. In Designing Correct Circuits. Bastad, 1996. [14] C. PaulinMohrin . Inductive De nition in t e System Coq : Rules and Properties. Typed Lambda Calculi and Applications (Also Research Report 9249, LIPENS Lyon), Dec. 1993. [15] C. PaulinMohrin . Circuits as Streams in Coq. Veri cation of a Sequential Multiplier. Basic Research Action Types , July 1995. [16] S. Tahar and P. Curzon. A Comparison of MDG and HOL for Hardware Veri cation. In J. G. J. von Wrig t and J. Harrison, editors, TPHOLs’96, LCNS 1125, pages 415 430, Turku (Finlande), 2730t August 1996. SpringerVerlag. [17] S. Tahar, P. Curzon, and Lu. J. T ree Approac es to Hardware Veri cation : HOL, MDG and VIS Compared. In G. Gopalakris nan and P. Windley, editors, Formal Methods in ComputerAided Design, LCNS 1522, pages 433 450, FMCAD’98, Palo Alto, California, USA, Nov. 1998. SpringerVerlag. [18] S. Tahar, Z. Zhou, X. Son , E. Cerny, and M. Lan evin. Formal Veri cation of an ATM Switc Fabric using Multiway Decision Grap s. In Proc. of the Great Lakes Symp. on VLSI, IEEE Computer Society Press, pages 106 111, Mar. 1996.
Connectin Proof Checkers and Computer Al ebra Usin OpenMa h Ol a Caprotti and Arjeh M. Cohen RIACA, Technical University of Eindhoven The Netherlands ol a,amc @win.tue.nl
Interactive mathematics over the Internet is particularly appealin in that it can take advanta e of the wealth of resources available online. In particular, a problemsolvin framework inte ratin computin and provin tools is of reat interest. Several modes of advanta eous cooperation can be envisioned. Provin is undoubtedly useful to computation for checkin assertions and side conditions, whereas computation is useful for shortenin the len ths of proofs. Both modes are de nitely needed in interactive mathematics. In the interaction we do not want to waste resources by sendin or receivin meanin less requests. There Stron OpenMath comes in, as it is possible to typecheck the welltypedeness, hence the meanin fullness, of the mathematical objects it represents. Stron OpenMath is a substantial sublan ua e of the OpenMath standard for the representation of mathematical objects. Started as a lan ua e for communicatin between computer al ebra systems [3], OpenMath has evolved and now aims at bein a universal interface amon systems of computational mathematics [7, 1]. The major novelty of the OpenMath lan ua e is the introduction of bindin objects to express variable bindin . For instance, the mathematical function x x + 2 is represented by the OpenMath object bindin (lambda x application(plus x 2)) The OpenMath standard does not adopt a speci c type system but allows for formally expressin si natures of symbols. By de nin and usin a Content Dictionary for representin terms of the chosen type system, formal si natures of OpenMath symbols are made to correspond to types representable as OpenMath bindin objects built usin this CD. As added bonus, lo ical properties of an OpenMath symbol can also be formally de ned as OpenMath bindin objects and can be included as such in the symbol’s de nitions. A standard technique in formal methods is to use formally speci ed si natures to assi n mathematical meanin to the object in which the symbol occurs. By doin this, validation of OpenMath objects depends exclusively on the context determined by the CDs and on some type information carried by the objects themselves. Determinin a type for an OpenMath object corresponds to assi nin mathematical meanin to the object. The subclass of OpenMath objects for which this can be done is called Stron OpenMath. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 109 112, 1999. c Sprin erVerla Berlin Heidelber 1999
110
Ol a Caprotti and Arjeh M. Cohen
Stron OpenMath is the fra ment of OpenMath that can be used to express formal mathematical objects, so that formal theorems and proofs, understandable to proof checkers, can be unambi uously communicated, as well as the usual mathematical expressions handled by CA systems. We show this approach usin the Calculus of Constructions (CC) and its extensions as startin point for assi nin si natures to OpenMath symbols. Abstraction and function space type are represented by introducin in a new Content Dictionary, called cc, appropriate bindin symbols (lambda, PiType). Additionally, cc also provides the symbols for the names of the types of the basic OpenMath objects. The Content Dictionary ecc adds to the symbols in cc, the symbol Pair for pairin , PairProj1 and PairProj2 for projections and Si maType for the cartesian product. Usin ecc, terms and types arisin in the Extended Calculus of Constructions can be expressed as Stron OpenMath objects. Since the Calculus of Constructions and its extensions have decidable type inference, they are ood candidate type systems for proof checkers. Type checkin al orithms has been implemented in systems like Le o or COQ [4, 6]. These systems, if OpenMath compliant, can provide the functionalities for performin type checks on OpenMath objects. The authors are workin on exploitin the typecheckin functionalities of COQ and Le o for Stron OpenMath throu h several examples of Java clientserver applet. The implementations use the OpenMath Java library provided by the PolyMath Development Group [5] and extend it by encoder/decoder classes that act as Phrasebooks for COQ and Le o. Currently, the Le o Phrasebook transforms any Stron OpenMath object into the correspondin ECC term in the lan ua e used by Le o. Basic objects are translated into new constants of the appropriate type. Fi ure 1 is a screenshot of the applet that shows the result of typecheckin the expression sin(x ∗ y) + x2 + sin(x)2 in a speci c Le o context. Fi ure 1 shows that the OpenMathLe o applet takes as input a mathematical expression in Maple syntax. The Maple Phrasebook provided by the OpenMath Java library converts this expression into an OpenMath object. The Java applet then feeds this object to the Le o Phrasebook for obtainin the correspondin Le o term. This Le o term is then shipped to Le o with a context and a command to be performed on the term. Le o runs on a server machine and communicates to the applet the results of the query it has received. In particular, the query to Le o can be typecheckin . If typecheckin is successful, then the Stron OpenMath object correspondin to the input expression is a meanin ful mathematical expression. If typecheckin fails, then the resultin error messa e is displayed and can be cau ht. Another version of the applet called OpenMath STARSCOQ Applet is based on the same clientserver model but in combination with di erent Phrasebooks and di erent servers. Fi ure 2 shows a customized syntax for the input of mathematical expressions via the STARS applet. The correspondin term is rendered
Connectin Proof Checkers and Computer Al ebra Usin OpenMa h
111
Fi . 1. MapleLe o Applet
by STARS usin OpenMath and MathML technolo y. The term is then transformed to OpenMath and sent to COQ for further processin . Two particular applications we have in mind are linked to the IDA project, which brou ht forth Al ebra Interactive . This is interactive rst year underraduate al ebra course material for mathematics and computer science students, see [2]. First, user input in a speci c input eld usually represents a particular type of mathematical object (e. ., an inte er, a polynomial over a speci ed rin and with speci ed indeterminate, or a permutation roup). Before sendin the input to a computer al ebra server, it is useful to check at the client side whether the input has the ri ht type. This can easily be handled by the present OpenMathLe o Applet and will become useful when more than one computer al ebra en ine (presently GAP) will be employed. More complicated and more of a challen e is the second application we have in mind: turnin the present static proofs to interactive events. Here research is needed re ardin the correspondence of vernacular with formal mathematics and the selection of interestin steps from a formal proof. Of course, this Al ebra Interactive example is just one of many possibile ways of incorporatin mathematical software in an environment usin OpenMath.
References [1] John A. Abbott, Andre van Leeuwen, and A. Strotmann. OpenMa h: Communicatin Mathematical Information between Cooperatin A ents in a Knowled e Network. Journal of Intelli ent Systems, 1998. Special Issue: Improvin the Desi n of Intelli ent Systems: Outstandin Problems and Some Methods for their Solution. . [2] A. M. Cohen, H. Cuypers, and H. Sterk. Al ebra Interactive, interactive course material. Number ISBN 3540653686. SV, 1999.
112
Ol a Caprotti and Arjeh M. Cohen
Fi . 2. STARSCOQ Applet
[3] S. Dalmas, M. Ga¨etano, and S. Watt. An OpenMath 1.0 Implementation. pa es 241 248. ACM Press, 1997. [4] Z. Luo and R. Pollack. LEGO Proof Development System: User’s Manual. Department of Compter Science, University of Edinbur h, 1992. [5] PolyMath OpenMath Development Team. Java openmath library, version 0.5. Available at http://pd .cecm.sfu.ca/openmath/lib/, July 1998. [6] Projet Coq. The Coq Proof Assistant: The standard library, version 6.1 edition. Available at http://www.enslyon.fr/LIP/ roupes/coq. [7] The OpenMath Consortium. The OpenMath Standard. OpenMath Deliverable 1.3.1a, September 1998. Public at http://www.na .co.uk/projects/OpenMath.html.
A MachineChecked Theory of Floatin Point Arithmetic John Harrison In el Corpora ion, EY203 5200 NE Elam Young Parkway Hillsboro, OR 97124, USA
Abs rac . In el is applying formal veri ca ion o various pieces of ma hema ical sof ware used in Merced, he rs implemen a ion of he new IA64 archi ec ure. This paper discusses he developmen of a generic floa ing poin library giving de ni ions of he fundamen al erms and con aining formal proofs of impor an lemmas. We also briefly describe how his has been used in he veri ca ion e or so far.
1
Introduction
IA64 is a new 64bit computer architecture jointly developed by HewlettPackard and Intel, and the forthcomin Merced chip from Intel will be its rst silicon implementation. To avoid some of the limitations of traditional architectures, IA64 incorporates a unique combination of features, includin an instruction format encodin parallelism explicitly, instruction predication, and speculative/advanced loads [4]. Nevertheless, it also o ers full upwardscompatibility with IA32 (x86) code.1 IA64 incorporates a number of floatin point operations, the centerpiece of which is the fma (floatin point multiplyadd or fused multiplyaccumulate). This computes xy + z from inputs x, y and z with a sin le roundin error. Floatin point addition and multiplication are just de enerate cases of fma, 1y + z and xy + 0.2 On top of the primitives provided by hardware, there is a substantial suite of associated software, e. . C library functions to approximate transcendental functions. Intel has embarked on a project to formally verify all Merced’s basic mathematical software. The formal veri cation is bein performed in HOL Li ht, a version of the HOL theorem prover [6]. HOL is an interactive theorem prover in the ‘LCF’ style, meanin that it encapsulates a small trusted lo ical core and implements all hi herlevel inference by (usually automatic) decomposition to these primitives, usin arbitrary user pro rammin if necessary. A common component in all the correctness proofs is a library containin formal de nitions of all the main concepts used, and machinechecked proofs of 1 2
The wors case accuracy of he floa ingpoin ranscenden al func ions has ac ually improved over he curren IA32 chips. As we will explain la er, his is a sligh oversimpli ca ion.
Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 113 130, 1999. c Sprin erVerla Berlin Heidelber 1999
114
John Harrison
a number of key lemmas. Correctness of the mathematical software starts from the assumption that the underlyin hardware floatin point operations behave accordin to the IEEE standard 754 [9] for binary floatin point arithmetic. Actually, IEEE754 doesn’t explicitly address fma operations, and it leaves underspeci ed certain si ni cant questions, e. . NaN propa ation and underflow detection. Thus, we not only need to specify the key IEEE concepts but also some details speci c to IA64. Then we need to prove important lemmas. How this was done is the main subject of this paper. Floatin point numbers can be stored either in floatin point re isters or in memory, and in each case we cannot always assume the encodin is irredundant (i.e. there may be several di erent encodin s of the same real value, even apart from IEEE si ned zeros). Thus, we need to take particular care over the distinction between values and their floatin point encodin s.3 Systematically makin this separation nicely divides our formalization into two parts: those that are concerned only with real numbers, and those where the floatin point encodin s with the associated plethora of special cases (in nities, NaNs, si ned zeros etc.) come into play.
2
Floatin Point Formats
Floatin point numbers, at least in conventional binary formats, are those of the form 2e k with the exponent e subject to a certain bound, and the fraction (also called si ni cand or mantissa) k expressible in a binary positional representation usin a certain number p of bits. The bound on the exponent ran e to ether with the allowed precision p determines a particular floatin point format. Floatin point numbers cover a wide ran e of values from the very small to the very lar e. They are evenly spaced except that at the points 2j the interx 2j+1 , possibly val between adjacent numbers doubles. The intervals 2j excludin one or both endpoints, are often called binades, and the numbers 2j binade boundaries. In a decimal analo y, the ap between 1 00 and 1 01 is ten times the ap between 0 999 and 1 00, where all numbers are constrained to three si ni cant di its. The followin dia ram illustrates this.
2j

Our formalization of the encodin free parts of the standard is hi hly eneric, coverin an in nite collection of possible floatin point formats, even includin absurd formats with zero precision (no fraction bits). It is a matter of taste whether the patholo ical cases should be excluded at the outset. We sometimes 3
In he ac ual s andard (p7) ‘a bi s ring is no always dis inguished from a number i may represen ’.
A MachineChecked Theory of Floa ing Poin Ari hme ic
115
need to exclude them from particular theorems, but many of the theorems turn out to be de enerately true even for extreme values. Section 3.1 of the standard parametrizes floatin point formats by precision p and maximum and minimum exponents Emax and Em n . We follow this closely, except we represent the fraction by an inte er rather than a value 1 f 2, and the exponent ran e by two nonne ative numbers N and E. The allowable floatin point numbers are then of the form 2e−N k with k 2p and 0 e E. This was not done because of the use of biasin in actual floatin point encodin s (as we have stressed before, we avoid such issues at this sta e), but rather to use nonne ative inte ers everywhere and carry around fewer sideconditions. The cost of this is that one needs to remember the bias when considerin the exponents of floatin point numbers. We name the elds of a triple as follows:  expran e (E,p,N) = E  precision (E,p,N) = p  ulpscale (E,p,N) = N
and the de nition of the set of real numbers correspondin to a triple is:4  format (E,p,N) = x  s e k. s < 2 e < E k < 2 EXP p (x = (&1) pow s * &2 pow e * &k / &2 pow N)
This says exactly that the format is the set of real numbers representable in the form (−1)s 2e−N k with e E and k 2p (the additional restriction s 2 is just a convenience). For many purposes, includin floatin point roundin , we also consider an analo ous format with an exponent ran e unbounded above. This is de ned by simply droppin the exponent restriction e E. Note that the exponent is still bounded below, i.e. N is unchan ed.  iformat (E,p,N) = x  s e k. s < 2 k < 2 EXP p (x = (&1) pow s * &2 pow e * &k / &2 pow N)
We then prove various easy lemmas, e. .  &0 IN iformat fmt  x IN iformat fmt = x IN iformat fmt  x IN iformat fmt = 4
(&2 pow n * x) IN iformat fmt
The ampersand deno es he injec ion from N o R , which HOL’s ype sys em dis inguishes. The func ion EXP deno es exponen ia ion on na urals, and pow he analogous func ion on reals.
116
John Harrison
The above de nitions consider the mere existence of triples (s,e,k) that yield the desired value. In eneral there can be many such triples that ive the same value. However there is the possibility of a canonical representation:  iformat (E,p,N) = x  s e k. (2 EXP (p  1) i(x # y) = (i y)#(i x)
We can now perform the proof as usual, but with the nice abbreviations and syntax. We can apply all results which we might have proved about groups inside the locale. We can even use the syntax when we use tactics that use explicit instantiation, e.g. res inst tac. When the proof is nished, we can assign it to a name using result(). The theorem is now: val inv_prod = "[ ?x : (G.); ?y : (G.) ] ==> inv (binop ?x ?y) = binop (inv ?y) (inv ?x) [!!x. inv x == (G.) x, G : Group, !!x y. binop x y == (G.) x y, e == (G.<e>)]" : thm
As metaassumptions annotated at the theorem we nd all the used rules and de nitions, the syntax uses the explicit names of the locale constants, not their pretty printing form. The question mark ? in front of variables labels free schematic variables in Isabelle. They may be instantiated when applying the theorem. The assumption e == (G.<e>) is included because during the proof it was used to abbreviate the unit element. To transform the theorem into its global form we just type export inv prod. "[ ?G : Group; ?x : (?G.); ?y : (?G.) ] ==> (?G.)((?G.) ?x ?y) = (?G.)((?G.) ?y)((?G.) ?x)"
The locale constant G is now a free schematic variable of the theorem. Hence, the theorem is universally applicable to all groups. The locale de nitions have been eliminated. The other locale constants, e.g. binop, are replaced by their explicit versions, and have thus vanished together with the locale de nitions. The locale facilities for groups are of course even more practical if we carry on to more complex structures like cosets. Assuming an adequate de nition for cosets and products of subsets of a group (e.g. [Kam99b]) r_coset G H a == ( x. (G.) x a) ‘‘ H set_prod G H1 H2 == ( x. (G.) (fst x)(snd x)) ‘‘ (H1 × H2)
where ‘‘ yields the image of a HOL function applied to a set we use an extension of the locale for groups thereby enhancing the concrete syntax of the above de nitions. locale coset = roup + fixes rcos :: "[’a set, ’a] => ’a set" ("_ #> _" [60,61]60) setprod :: "[’a set, ’a set] => ’a set" ("_ _" [60,61]60) defines rcos_def "H #> x == r_coset G H x" setprod_def "H1 H2 == set_prod G H1 H2"
This enables us to reason in a natural way that reflects typical objectives of mathematics in this case abstract algebra. We reason about the behaviour of
Locales
A Sectionin Concept for Isabelle
163
substructures of a structure, like cosets of a group. Are they a group as well?4 Therefore, we welcome a notation like (H #> x) (H #> y) = H #> (x # y)
when we have to reason with such substructural properties. While knowing that the underlying de nitions are adequate and related properties derivable, we can reason with a convenient mathematical notation. Without locales the formula we had to deal with would be set_prod G (r_coset G H x)(r_coset G H y) = r_coset G H ((G.) x y)
The improvement is considerable and enhances comprehension of proofs and the actual nding of solutions in particular, if we consider that we are confronted with the formulas not only in the main goal statements but in each step during the interactive proof.
6
Discussion
First of all, term syntax may be greatly improved by locales because they enable dependent local de nitions. Locale constants can have pretty printing syntax assigned to them and this syntax can as well be dependent, i.e. use everything that is declared as xed implicitly. So, locales approximate a natural mathematical style of formalization. Locales are a simpler concept than modules. They do not enable abstraction over type constructors. Neither do locales support polymorphic constants and de nitions as the topmost theory level does. On the other hand, these restrictions admit to de ne a representation of a locale as a metalo ical predicate fairly easily. Thereby, locales can be rstclass citizen of the meta logic. We have developed this aspect of locales elsewhere [Kam99a]. In the latter experiment, we implemented the mechanical generation of a rstclass representation for a locale. This implementation automatically extends the theory state of an Isabelle formalization by declarations and de nitions for a predicate representing the locale logically. But, in many cases we do not think of a locale as a logical object, rather just an theorylevel assembly of items. Then, we do not want this overhead of automatically created rules and constants. Consequently, we abandoned the automatic generation of a rst class representation for locales. We prefer to perform the rstclass reasoning separately in higherorder logic, using an approach with dependent sets [Kam99b]. In some sense, locales do have a rstclass representation: globally interesting theorems that are proved in a locale may be exported. Then the former context structure of the locale gets dissolved: the de nitions become expanded (and thus vanish). The locale constants turn into variables, and the assumptions become individual premises of the exported theorem. Although this individual representation of theorems does not entail the locale itself as a rstclass citizen of the logic, the context structure of the locale is translated into the metalogical 4
They are a roup if H is normal which is proved conveniently in Isabelle with locales.
164
Florian Kamm¨ uller, Markus Wenzel, and Lawrence C. Paulson
structure of assumptions and theorems. In so far we mirror the local assumptions that are really the locale into a representation in terms of the simple structural language of Isabelle’s metalogic. This translation corresponds logically to an application of the introduction rules for implication and the universal quanti er of the metalogic. And, because Isabelle has a proper metalogic this rstclass representation is easy to apply. Generality of proofs is partly revealed in locales: certain premises that are available in a locale are not used at all in the proof of a theorem. In that case the exported version of the theorem will not contain these premises. This may seem a bit exotic, in that theorems proved in the same locale scope might have di erent premise lists. That is, theorems may generally just contain a subset of the locale assumptions in their premises. That takes away uniformity of theorems of a locale but grants that theorems may be proved in a locale and will be individually considered for the export. In many cases one discovers that a theorem that one closely linked with, say, groups actually does not at all depend on a speci c group property and is more generally valid. That is, locales lter the theorems to be of the most general form according to the locale assumptions. Locales are, as a concept, of general value for Isabelle independent of abstract algebraic proof. In particular, they are independent of any object logic. That is, they can be applied merely assuming the metalogic of Isabelle/Pure. They are already applied in other places of the Isabelle theories, e.g. for reasoning about nite sets where the xing of a function enhances the proof of properties of a fold functional and similarly in proofs about multisets and the formal method UNITY [CM88]. Furthermore, the concept can be transferred to all higherorder logic theorem provers. There are only a few things the concept relies on. In particular, the features needed are implication and universal quanti cation the two constructors that build the basis for the reflection of locales via export and are at the same time the explanation of the meaning of locales. For theorem provers where the theory infrastructure di ers greatly from Isabelle’s, one may consider dynamic de nition of locales instead of the static one. The simple implementation of the locale idea as presented in this paper works well together with the rstclass representation of structures by an embedding using dependent types [Kam99b]. Both concepts can be used simultaneously to provide an adequate support for reasoning in abstract algebra.
References [CCF+ 96]
[Chu40] [CM88] [dB80]
C. Cornes, J. Courant, J.C. Filliatre, G. Huet, P. Manoury, and C. Munoz. The Coq Proof Assistant User’s Guide, version 6.1. INRIARocquencourt et CNRSENS Lyon, 1996. A. Church. A Formulation of the Simple Theory of Types. Journal of Symbolic Lo ic, pa es 56 68, 1940. K. Mani Chandi and Jayadev Misra. Parallel Pro ram Desi n: A Foundation. AddisonWesley, 1988. N. G. de Bruijn. A Survey of the Project AUTOMATH. In J.P. Seldin and J.R. Hindley, editors, To H. B. Curry: Essays on Combinatory Lo ic, Academic Press Limited, pa es 579 606. 1980.
Locales [Dow90]
A Sectionin Concept for Isabelle
165
G. Dowek. Namin and Scopin in a Mathematical Vernacular. Technical Report 1283, INRIA, Rocquencourt, 1990. [FGT93] W. M. Farmer, J. D. Guttman, and F. J. Thayer. imps: an Interactive Mathematical Proof System. Journal of Automated Reasonin , 11:213 248, 1993. [GH93] John V. Gutta and James J. Hornin , editors. Larch: Lan ua es and Tools for Formal Speci cation. Texts and Mono raphs in Computer Science. Sprin erVerla , 1993. With Stephen J. Garland, Kevin D. Jones, Andres Modet, and Jeannette M. Win . [GM93] M. J. C. Gordon and T. F. Melham. Introduction to HOL, a Theorem Provin Environment for Hi her Order Lo ic. Cambrid e University Press, 1993. [Kam99a] F. Kamm¨ uller. Modular Reasonin in Isabelle. PhD thesis, University of Cambrid e, 1999. submitted. [Kam99b] F. Kamm¨ uller. Modular Structures as Dependent Types in Isabelle. In Types for Proofs and Pro rams: TYPES ’98, LNCS. Sprin erVerla , 1999. Selected papers. To appear. [KP99] F. Kamm¨ uller and L. C. Paulson. A Formal Proof of Sylow’s First Theorem An Experiment in Abstract Al ebra with Isabelle HOL. Journal of Automated Reasonin , 1999. To appear. [NW98] W. Naraschewski and M. Wenzel. Objectoriented Veri cation based on Record Subtypin in Hi herOrder Lo ic. In 11th International Conference on Theorem Provin in Hi her Order Lo ics, volume 1479 of LNCS, ANU, Canberra, Australia, 1998. Sprin erVerla . [ORR+ 96] S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas. PVS: Combinin speci cation, proof checkin , and model checkin . In R. Alur and T. A. Henzin er, editors, Computer Aided Veri cation, volume 1102 of LNCS. Sprin er, 1996. [OSRSC98] S. Owre, N. Shankar, J.M. Rushby, and D.W.J. Strin erCalvert. PVS Lan ua e Reference. Part of the PVS Manual. Available on the Web as http://www.csl.sri.com/pvsweb/manuals.html, September 1998. [Pau94] L. C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of LNCS. Sprin er, 1994. [Win93] P. J. Windley. Abstract Theories in HOL. In L. Claesen and M. Gordon, editors, Hi her Order Lo ic Theorem Provin and its Applications, IFIP Transactions A20, pa es 197 210. NorthHolland, 1993.
Isar A Generic Interpretative Approach to Readable Formal Proof Documents Markus Wenzel Technische Universi ¨ a M¨ unchen Ins i u f¨ ur Informa ik, Arciss ra e 21, 80290 M¨ unchen, Germany http://www. n.tum.de/ wenzelm/
Abstract. We presen a generic approach o readable formal proof documen s, called Intelli ible semiautomated reasonin (Isar ). I addresses he major problem of exis ing in erac ive heorem proving sys ems ha here is no appropria e no ion of proof available ha is sui able for human communica ion, or even jus main enance. Isar’s main aspec is i s formal language for na ural deduc ion proofs, which se s ou o bridge he seman ic gap be ween in ernal no ions of proof given by s a eof hear in erac ive heorem proving sys ems and an appropria e level of abs racion for userlevel work. The Isar language is bo h human readable and machinecheckable, by vir ue of he Isar/VM in erpre er. Compared o exis ing declara ive heorem proving sys ems, Isar avoids several shor comings: i is based on a few basic principles only, i is qui e independen of he underlying logic, and suppor s a broad range of au oma ed proof me hods. In erac ive proof developmen is suppor ed as well. Mos of he Isar concep s have already been implemen ed wi hin Isabelle. The resul ing sys em already accommoda es simple applica ions.
1
Introduction
In erac ive heorem proving sys ems such as HOL [10], Coq [7], PVS [15], and Isabelle [16], have reached a reasonable level of ma uri y in recen years. On he one hand suppor ing expressive logics like se heory or ype heory, on he o her hand having acquired decen au oma ed proof suppor , such sys ems provide qui e powerful environmen s for sizeable applica ions. Taking Isabelle/HOL as an arbi rary represen a ive of hese semiautomated reasonin sys ems, ypical applica ions are he formaliza ion of subs an ial par s of he Java ype sys em and opera ional seman ics [14], formaliza ion of he rs 100 pages of a seman ics ex book [13], or formal proof of ChurchRosser proper y of reduc ions [12]. Despi e his success in ac ually formalizing par s of ma hema ics and compu er science, here are s ill obs acles in addressing a broad range of users. One of he main problems is ha , paradoxically, none of he major semiau oma ed reasoning sys ems suppor an adequa e primary no ion of proof ha is amenable o human unders anding. Typical prover inpu languages are ra her arcane, demanding a s eep learning curve of users o wri e any proof scrip s a all. Even Research suppor ed by DFG gran Ni 491/21. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 167 183, 1999. c Sprin erVerla Berlin Heidelber 1999
168
Markus Wenzel
worse, he resul ing ex s are very di cul o unders and, usually requiring s epwise replay in he sys em o make any hing ou of i . This si ua ion is bad enough for proof main enance, bu is impossible for communica ing formal proofs he frui s of he formaliza ion e or o a wider audience. According o folklore, performing proof is similar o programming. Comparing curren formal proof echnology wi h ha of programming languages and me hodologies, hough, we seem o be s uck a he assembly language level. There are many a emp s o solve his problem, like providing user in erfaces for heorem provers ha help users o pu oge her proof scrip s, or browser ools presen ing he prover’s in ernal s ruc ures, or genera ors and ransla ors o conver be ween di eren no ions of proof even na ural language. The Mizar Sys em [19, 22] pioneered a di eren approach, aking he issue of a humanreadably proof lan ua e seriously. More recen ly, several e or s have been under aken o ransfer ideas of Mizar in o he es ablished radi ion of acical heorem proving, while rying o avoid i s wellknown shor comings. The DECLARE sys em [20, 21] has been probably he mos elabora e, so far. Our approach, which is called Intelli ible semiautomated reasonin (Isar ), can be bes unders ood in ha radi ion, oo. We aim o address he problem a i s very core, namely he primary no ion of formal proof ha he sys ems o ers o i s users, au hors and audience alike. Jus as he programming communi y did some decades ago, we se ou o develop a highlevel formal language for proofs ha is designed wi h he human in mind, ra her han he machine. The Isar language framework, aking bo h he underlying logic and a se of proof me hods as parame ers, resul s in an environmen for declara ive na ural deduc ion proofs ha may be execu ed a he same ime. Checking is achieved by he Isar virtual machine in erpre er, which also provides an operaional seman ics of he Isar proof language. Thus he Isar approach o readable formal proof documen s is bes characerized as being interpretative. I o ers a higher concep ual level of formal proof ha shall be considered as he new primary one. Any in ernal inferences aking place wi hin he underlying deduc ive sys em are encapsula ed in an abs rac judgmen of derivabili y. Any func ion mapping a proof goal o an appropria e proof rule may be incorpora ed as proof method. Thus arbi rary au oma ed proof procedures may be in egra ed as opaque re nemen s eps. This immedia ely raises he ques ion of soundness, which is handled in Isar according o he backpressure principle. The Isar/VM in erpre er refers o ac ual inferences a he level below only abstractly, wi hou breaching i s in egri y. Thus we inheri wha ever no ion of correc ness is available in he underlying inference sys em (e.g. primi ive proof erms). Basically, his is jus he wellknown LCF approach of correc nessbycons ruc ion applied a he level of he Isar/VM. The issue of presentation of Isar documen s can be kep ra her rivial, because he proof language has been designed wi h readabili y already in mind. Some pre y prin ing and pruning of a few de ails should be su cien for reasonable ou pu . Never heless, Isar could be easily pu in o a broader con ex of more advanced presen a ion concep s, including na ural language genera ion (e.g. [8]).
Isar
Readable Formal Proof Documen s
169
The res of his paper is s ruc ured as follows. Sec ion 2 presen s some example proof documen s wri en in he Isar language. Several aspec s of Isar are discussed informally as we proceed. Sec ion 3 reviews formal preliminaries required for he subsequen rea men of he Isar language. Sec ion 4 in roduces he Isar formal proof language syn ax and opera ional seman ics, proof me hods, and ex ralogical fea ures.
2
Example Isar Proof Documents
Isar provides a generic framework for readable formal proofs ha suppor s a broad range of bo h logics and proof ools. A ypical ins an ia ion for ac ual applica ions would use Higherorder Logic [6] oge her wi h a reasonable degree of au oma ion [17, 18]. Ye he main objec ive of Isar is no o achieve shor er proofs wi h more au oma ion, bu be er ones. The wri er is enabled o express he in eres ing par s of he reasoning as explici proof ex , while leaving o her par s o he machine. For he sake of he following examples, which are from pure rs order logic (bo h in ui ionis ic and classical), we refer o very simple proof me hods only. 2.1
Basic Proofs
To ge review K: A nes ed
a rs idea wha na ural deduc ion proofs may look like in Isar, we hree wellknown proposi ions from in ui ionis ic logic: I: A A and B A and S: (A B C) (A B) A C; recall ha is o he righ .
theorem I: A proof assume A show A qed
A
Unsurprisingly, he proof of I is ra her rivial: we jus assume A in order o show A again. The do deno es an immediate proof, meaning ha he curren problem holds by assump ion. theorem K: A proof assume A show B A proof show A qed qed
B
A
Only sligh ly less rivial is K: we assume A in order o show B A, which holds because we can show A rivially. No e how proofs may be nes ed a any
170
Markus Wenzel
ime, simply by s a ing a new problem (here via show). The subsequen proof (delimi ed by a proof/qed pair), is implici ly enclosed by a lo ical block ha inheri s he curren con ex (assump ions e c.), bu keeps any changes local. Block s ruc ure, which is a wellknown principle from programming languages, is an impor an s ar ing poin o achieve s ruc ured proofs (e.g. [9]). Also no e ha here are implici defaul proof me hods invoked a he beginning (proof ) and end (qed) of any subproof. The ini ial me hod associa ed wi h proof jus picks s andard in roduc ion and elimina ion rules au oma ically according o he opmos symbol involved (here in roduc ion), he erminal me hod associa ed wi h qed solves all remaining goals by assump ion. Proof me hods may be also speci ed explici ly, as in proof (rule modusponens) . theorem : (A B C) (A B) A C proof assume A B C show (A B) A C proof assume A B show A C proof assume A show C proof (rule modusponens ) show B C by (rule modusponens ) show B by (rule modusponens ) qed qed qed qed
In order o prove S we rs decompose he hree opmos implica ions, represen ed by he assume/show pairs. Then we pu hings oge her again, by applying modus ponens o ge C from B C and B, which are hemselves es ablished by modus ponens (by abbrevia es a singles ep proof in erminal posi ion). No e ha he con ex of assump ions A B C, A B, A is aken in o accoun implici ly where appropria e. Wha have we achieved so far? Cer ainly, here are more compac ways o wri e down na ural deduc ion proofs. In yped calculus our examples would read x: A x and x: A y: B x and x: A B C y: A B z: A (x z) (y z). The Isar ex is much more verbose: apar from providing fancy keywords for arranging he proof, i explici ly says a every s age which s a emen is es ablished nex . Speaking in erms of calculus, we have given ypes o ac ual sub erms, ra her han variables only. This sor of redundancy has already been observed in he ProveEasy eaching ool [5] as very impor an ingredien o improve readabili y of formal proofs. Ye one has o be cau ious no o become oo verbose, les he s ruc ure of he reasoning be obscured again. Isar already leaves some inferences implici , e.g. he way assump ions are applied. Moreover,
Isar
Readable Formal Proof Documen s
171
he level of primi ive inferences may be ranscended by appealing o au oma ed proof procedures, which are rea ed as opaque re nemen s eps (cf. 2.4). 2.2
Mixin Backward and Forward Reasonin
The previous examples have been s ric ly backward. While any proof may in principle be wri en his way, i may no be mos na ural. Forward s yle is of en more adequa e when working from in ermedia e fac s. Isar o ers bo h backward and forward reasoning elemen s, as an example consider he following hree proofs of A B B A. lemma A B B A proof assume A B show B A proof show B by (rule conj 2 ) show A by (rule conj 1 ) qed qed
lemma A B B proof assume A B then show B A proof assume A B show ??thesis qed qed
A
lemma A B B A proof assume ab: A B from ab have a: A from ab have b: B from b a show B A qed
The rs version is s ric ly backward, jus as he examples of 2.1. We have o provide he projec ions conj 1 2 explici ly, because he corresponding goals do no provide enough syn ac ic s ruc ure o de ermine he nex s ep. This may be seen as an indica ion ha forward reasoning would be more appropria e. Consequen ly, he second version proceeds by forward chaining from he assump ion A B, as indica ed by then. This corresponds o elimina ion, i.e. we may assume he conjunc s in order o show again B A. Repea ing he curren goal is ypical for elimina ion proofs, so Isar provides a way o refer o i symbolically as ??thesis . The double do deno es a trivial proof, by a single s andard rule. Al erna ively, we could have wri en by (rule conjintro) . Forward chaining may be done no only from he mos recen fac , bu from any one available in he curren scope. This ypically involves naming in ermedia e resul s (assump ions, or auxiliary resul s in roduced via have) and referring o hem explici ly via from. Thus he hird proof above achieves an ex reme case of forwards yle reasoning, wi h only he ou ermos s ep being backward. The key observa ion from hese examples is ha here is more o readable na ural deduc ion han pure calculus s yle reasoning. Isar’s then language elemen can be unders ood as reverse applica ion of  erms. Thus elimina ion proofs and o her kinds of forward reasoning are suppor ed as rs class concep s. Leaving he wri er he choice of proof direc ion is very impor an o achieve readable proofs, al hough yielding a nice balance be ween he ex remes of purely forward and purely backward requires some degree of discernmen . As a rule of humb for good s yle, backward s eps should be he big ones (decomposi ion,
172
Markus Wenzel
case analysis, induc ion e c.), while forward s eps ypically pick up assump ions or o her fac s o achieve he nex resul in a few small s eps. As a more realis ic example for mixed backward and forward reasoning consider Peirce’s law, which is a classical heorem so i s proof is by con radic ion. Backwardonly proof would be ra her nas y, due o he nes ing. theorem Peirce 0 sLaw : ((A B) A) A [ A] proof .. .. assume aba: (A B) A show A A proof (rule contradiction ) −− use classical con radic ion rule: A assume nota : A have ab: A B proof assume a: A from nota a show B qed from aba ab show A qed qed
There are many more ways o arrange he reasoning. In he following varian we swap wo subproofs of he con radic ion. The resul looks as if a cut had been performed. (The paren heses are a version of be in end.) theorem Peirce 0 sLaw : ((A B) A) A proof assume aba: (A B) A show A proof (rule contradiction ) assume ab: A B −− o be proved la er ( from aba ab show A
cut)
assume nota : A show A B proof assume a: A from nota a show B qed qed qed
Which of he wo varian s is ac ually more readable is a highly subjec ive ques ion, of course. The mos appropria e arrangemen of reasoning s eps also depends on wha he wri er wan s o poin ou o he audience in some par icular si ua ion. Isar does no ry o enforce any par icular way of proceeding, bu aims a o ering a high degree of flexibili y.
Isar
2.3
Readable Formal Proof Documen s
173
Intralo ical and Extralo ical Bindin of Variables
Leaving proposi ional logic behind, we consider ( x P (f (x))) ( x P (x)). Informally, his holds since af er assuming x P (f (x)), we may x some a such ha P (f (a)) holds, and use f (a) as wi ness for x in x P (x) (no e ha he wo bound variables x are in separa e scopes). So he proof is jus a composiion of in roduc ion, elimina ion, in roduc ion. Wri ing down a na ural deduc ion proof ree would resul in a very compac and hard o unders and represen a ion of he reasoning involved, hough. The Isar proof below ries o mimic our informal explana ion, exhibi ing many (redundan ) de ails. lemma ( x P (f (x))) ( x P (x)) proof assume x P (f (x)) x A(x) then show x P (x) proof (rule exelim) −− use elimina ion rule: B xa assume P (f (a)) ( s P (??witness )) show ??thesis by (rule exintro [with P ??witness ]) qed qed
[A(x)]x .. .. B
Af er forward chaining from fac x P (f (x)), we have locally xed an arbi rary a (via x) and assumed ha P (f (a)) holds. In order o s ress he role of he cons i uen s of his s a emen , we also say ha P (f (a)) ma ches he pa ern P (??witness) (via is). Equipped wi h all hese par s, he hesis is nally es ablished using in roduc ion ins an ia ed wi h P and he ??witness erm. Above example exhibi s wo di eren kinds of variable binding. Firs x a, which in roduces a local Skolem cons an used o es ablish a quan i ed proposi ion as usual. Second (is P (??witness)), which de nes a local abbrevia ion for some erm by higherorder ma ching, namely ??witness f (a). The subsequen reasoning refers o a from within he logic, while abbrevia ions have a qui e di eren logical s a us: being expanded before ac ual reasoning, he underlying logic engine will never see hem. In a sense, his jus provides an ex ralogical illusion, ye a very powerful one. Term abbrevia ions are also an impor an con ribu ion o keep he Isar language lean and generic, avoiding separa e language fea ures for logicspeci c proof idioms. Using appropria e proof me hods oge her wi h abbrevia ions having elling names like ??lhs, ??rhs, ??case already provides su cien means for represen ing ypical proofs by calcula ion, case analysis, induc ion e c. nicely. Also no e ha ??thesis is jus a special abbrevia ion ha happens o be bound au oma ically jus consider any new goal goal implici ly decora ed by (is ??thesis ). No e ha thesis is a separa e language elemen in Mizar [22]. 2.4
Automated Proof Methods and Abstraction
The quan i er proof of 2.3 has been ra her verbose, in en ionally. We have chosen o provide proof rules explici ly, even given ins an ia ions. As i happens,
174
Markus Wenzel
hese rules and ins an ia ions can be gured ou by he basic mechanism of picking s andard in roduc ion and elimina ion rules ha we have assumed as he s andard ini ial proof me hod so far. lemma ( x P (f (x))) ( x P (x)) proof assume x P (f (x)) then show x P (x) proof xa assume P (f (a)) show ??thesis qed
Much more powerful au oma ed deduc ion ools have been developed over he las decades, of course. From he Isar perspec ive, any of hese may be plugged in o he generic language framework as par icular proof me hods. Thus we may achieve more abs rac proofs beyond he level of primi ive rules, by le ing he sys em solve open branches of proofs au oma ically, provided he si ua ion has become su cien ly obvious . In he following version of our example we have collapsed he problem comple ely by a single applica ion of me hod blast , which shall refer o he generic ableau prover ac ic in egra ed in Isabelle [18]. lemma ( x P (f (x)))
( x P (x)) by (blast )
Abs rac ion via au oma ion gives he wri er an addi ional dimension of choice in arranging proofs, ye a limi ed one, depending on he power of he au oma ed ools available. Thus we achieve accidental abstraction only, in he sense ha more succinc versions of he proof ex s ill happen o work. In prac ice, here will be of en a conflic be ween he level of de ail ha he wri er wishes o confer o his audience, and he au oma ic capabili ies of he sys em. Isar also provides a simple mechanism for explicit abstraction. Subproofs s ar ed by proof /by ra her han proof /by are considered below he curren level of interest for he in ended audience. Thus excess de ail may be easily pruned by he presen a ion componen , e.g. prin ed as ellipsis ( . . . ). In a sense, proof /by have he e ec of urning concre e ex in o an adhoc proof me hod (which are always considered opaque in Isar). More general means o describe me hods would include parame ers and recursion. This is beyond he scope of Isar, hough, which is an environmen for wri ing ac ual proofs ra her han proof me hods. Isar is lef compu a ionally incomple e by full in en ion. Highlevel languages for proof me hods are an issue in heir own righ [1].
3 3.1
Formal Preliminaries Basic Mathematical Notations
Functions. We wri e func ion applica ion as f x and use abs rac ion x f (x). := xn := y] dePoin wise upda e of func ions is wri en pos x, f [x1 := xn o y and any o her x o f (x). Sequen ial no es he func ion mapping x1
Isar
Readable Formal Proof Documen s
175
composi ion of func ions f and (from lef o righ ) is wri en f ; which is de ned as (f ; )(x) = (f x). Any of hese opera ions may be used bo h for o al func ions (A B) and par ial func ions (A B). Records are like uples wi h explici ly labeled elds. For any record r: R wi h some eld a: A he following opera ions are assumed: selec or eta: R A, upda e seta: A (R R), and he func ional mapa: (A A) (R R) which is de ned as mapa f r seta (f ( eta r)). xn ] for he lis of Lists. Le list of A be he se of lis s over A. We wri e [x1 xn . Lis opera ions include x xs (cons) and xs @ ys (append). elemen s x1 3.2
LambdaCalculus and Natural Deduction
Mos of he following concep s are from Prolog or Isabelle [16, Par I]. Terms are formed as ( yped) cons an s or variables (from se var ), by applica ion t u, or abs rac ion x t. We also ake , conversions for gran ed. Hi herorder Abstract Syntax. Simply yped  erms provide a means o describe abs rac syn ax adequa ely. Syn ac ic en i ies are represen ed as ypes, and cons ruc ors as (higherorder) cons an s. Thus ree s ruc ure is achieved by (nes ed) applica ion, variable binding by abs rac ion, and subs i u ion by reduc ion. Natural Deduction (Metalo ic). We consider a minimal / fragmen of in uiionis ic logic. For he abs rac syn ax, x ype prop (me alevel proposi ions), and cons an s : prop prop prop (nes ed o he righ ), : ( prop) ] for , and x P x for prop. We wri e [ 1 n 1 n ( x P x). Deduc ion is expressed as an induc ive rela ion Γ , by he usual rules of assump ion, and / in roduc ion and elimina ion. No e ha he corresponding proof rees can be again seen as  erms, al hough a a di eren level, where proposi ions are ypes. The se is also called theorem . Encodin Objectlo ics. A broad range of na ural deduc ion logics may now be encoded as follows. Fix ypes i of individuals, o of formulas, and a cons an D: o prop (for expressing derivabili y). Objec level na ural deduc ion rules are represen ed as me alevel proposi ions, e.g. : (i o) o elimina ion as D( x P x) ( x D(P x) D(Q)) D(Q). Le form be he se of proposiions D(A), for A: o. D is usually suppressed and lef implici . Objec level rules ypically have he form of nes ed me alevel hornclauses.
4
The Isar Proof Lan ua e
The Isar framework akes a me alogical formula ion (see 3.2) of he underlying logic as parame er. Thus we abs rac over logical syn ax, rules and au oma ed proof procedures, which are represen ed as func ions yielding rules (see 4.2).
176
4.1
Markus Wenzel
Syntax
For he subsequen presen a ion of he Isar core syn ax, var and form are from he underlying higherorder abs rac syn ax (see 3.2), name is any in ni e se , while he method parame er refers o proof me hods (see 4.2). theorystmt = theorem [name: ] form proof lemma [name: ] form proof types consts defs proof = proof [(method )] stmt qed [(method )] stmt = be in stmt end note name = name + x var + assume [name: ] form + then oalstmt oalstmt oalstmt = have [name: ] form proof show [name: ] form proof The ac ual Isar proof language (proof ) is enclosed in o a heory speci ca ion language (theorystmt) ha provides global s a emen s theorem or lemma, en ering in o proof immedia ely, bu also declara ions and de ni ions of any kind. No e ha advanced de ni ional mechanisms may also require proof. Enclosed by proof /qed, op ionally wi h explici ini ial or erminal me hod invoca ion, proof mainly consis s of a lis of local s a emen s (stmt). This marginal syn ac ic role of method is in s rong con ras o exis ing ac ical proof languages. Op ional language elemen s above defaul o t: for resul names, proof me hod speci ca ions (sin le) for proof , (assumption) for qed (cf. 4.3). A few wellformedness condi ions of Isar ex s are no ye covered by he above grammar. Considering be in end and show/have qed as block delimi ers, we require any name reference o be wellde ned in he curren scope. Fur hermore, he pa hs of variables in roduced by x may no con ain duplica es, and then may only occur direc ly af er note, assume, or qed. Nex he Isar core language is ex ended by a few derived elemen s. (Below same and sin le refer o s andard proof me hods in roduced in 4.3.) from a1
an hence thus by (m)
note facts = a1 an then then have then show proof (m) qed ( erminal proof ) proof (sin le) qed ( rivial proof ) proof (same) qed ( immedia e proof )
Basically, his is already he full syn ax of he Isar language framework. Any logicspeci c ex ensions will be by abbrevia ions or proof me hods only.
Isar
4.2
Readable Formal Proof Documen s
177
Operational Semantics
The canonical opera ional seman ics of Isar is given by direc in erpre a ion wi hin he Isar virtual machine (Isar/VM ). Wellformed proof ex s, which have ree s ruc ure if considered as abs rac syn ax en i ies, are ransla ed in o lis s of Isar/VM ins ruc ions in a ra her rivial way ( he ransla ion is par icularly easy, because Isar lacks recursion): any syn ac ic cons ruc , as indica ed by some major keyword (proof , be in, show, e c.), simply becomes a separa e ins ruc ion, which ac s as ransformer of he machine con gura ion. Before going in o fur her de ails, we consider he following abs rac presena ion of he Isar/VM. The machine con gura ion has hree modes of opera ion, depic ed as separa e s a es prove, state, cha n below. Transi ions are marked by he corresponding Isar/VM ins ruc ions.
theorem a: ' lemma a: '
note a = a1 ; : : : ; an proof (m) have a: ' show a: '
prove
have a: ' show a: ' chain
state
then
begin end x x assume a: ' qed (m)
qed (m) Any legal pa h of Isar/VM ransi ions cons i u es an (in erac ive) proof, s ar ing wi h theorem/lemma and ending even ually by a nal qed. In ermedia ely, he wo main modes al erna e: prove (read apply some me hod o re ne he curren problem ) and state (read build up a sui able environmen o produce he nex resul ). Minor mode cha n modi es he nex goal accordingly. More precisely, he Isar/VM con gura ion is a nonemp y lis of levels (for block s ruc ure), where each level consis s of a record wi h he following elds: mode xes asms results problem
: : : : :
prove state cha n list of var list of form name list of theorem (bool name) ((list of theorem)
theorem)
none
Fields xes and asms cons i u e he Skolem and assump ion con ex . The results environmen collec s lis s of in ermedia e heorems, including he special one facts holding he mos recen resul (used for forward chaining). An open problem consis s of a flag (indica ing if he nished resul is o be used o re ne an enclosing goal), he resul ’s name, a lis of fac s for forward chaining, and he ac ual goal (for theorem see 3.2). Goals are represen ed as rules according o
178
Markus Wenzel
Isabelle radi ion [16, Par I]: Γ [( in assump ion con ex Γ , main goal
1
( n means ha 1) n )] . is o be shown from n subgoals
An ini ial con gura ion, en ered by theorem a: or lemma a: , has a single level wi h elds mode = prove, xes = [], asms = [], results = (facts []) , and problem = ((false a) ([] )). The erminal con gura ion is []. In ermedia e ransi ions are by he (par ial) func ion T [[I]], mapping Isar/VM congura ions depending on ins ruc ion I and he curren mode value as follows. Basic record opera ions applied o a con gura ion refer o he opmos level. mode = prove : T [[proof (m)]]
re neproblem m; setmode state
mode = state : an ]] T [[note a = a1 @ r(an )]) mapresults ( r r [facts := a := r(a1 ) @ T [[be in]] resetfacts; openblock ; setproblem none T [[end]] closeblock T [[ x x]] map xes ( xs xs @ [x]); resetfacts T [[assume a: 1 n ]] mapasms ( @[ 1 n ]); mapresults ( r r [facts := a := [ 1 1 n n ]]) T [[qed (m)]] re neproblem m; checkresult; applyresult; closeblock T [[then]] setmode cha n T [[have a: ]] setupproblem (false a) (false ) T [[show a: ]] setupproblem (true a) (false ) mode = cha n : T [[have a: ]] T [[show a: ]]
setupproblem (false a) (true setupproblem (true a) (true
) )
openblock (x xs) x x xs closeblock (x xs) xs resetfacts mapresults ( r r [facts := []]) setupproblem resultinfo (usefacts ) c f c where etasms c facts if usefacts hen ( etresults c facts) else [] f resetfacts; openblock ; setmode prove; setproblem (resultinfo (facts ( ) )) re neproblem m mapproblem ( (x (y oal )) (x (y backchain oal (m facts))) checkresult c c if problem has no subgoals, else unde ned applyresult (x xs) x (f xs) where ((useresult a) (y res)) etproblem x result eneralise ( et xes x) (dischar e ( etasms x − etasms xs) res) f mapresults ( r r [facts := a := [result]]); if useresult hen re neproblem ( y result) else ( x x)
Isar
Readable Formal Proof Documen s
179
Above opera ion setupproblem ini ializes a new problem according he curren assump ion con ex and forward chaining mode e c. The goal is se up o es ablish resul from under he assump ions. Opera ion re neproblem backchains (using a form of me alevel modus ponens) wi h he me hod applied o he fac s o be used for forward chaining. Opera ion applyresult modi es he upper con gura ion, binding he resul and re ning he second opmos problem wr . block s ruc ure (if useresult had been se ). No e ha eneralise and dischar e are basic me alevel rules. We claim (a proof is beyond he scope of his paper) ha he Isar/VM is correc and comple e as follows. For any , here is a pa h of ransi ions from he ini ial o he erminal con gura ion i is a heorem derivable by na ural deduc ion, assuming any rule in he image of he se of me hods. This resul would guaran ee ha he Isar/VM does no fail unexpec edly, or produce unexpec ed heorems. Ac ual correc ness in erms of formal derivabili y is achieved di eren ly, hough. Applying he wellknown LCF approach of correc nessbycons ruc ion a he level of he Isar/VM implemen a ion, resul s are always ac ual heorems, rela ive o he primi ive inferences underlying proof me hods and bookkeeping opera ions such as re neproblem.
4.3
Standard Proof Methods
In order o urn he Isar/VM in o an ac ually working heorem proving sys em, some s andard proof me hods have o be provided. We have already referred o a few basic me hods like same, sin le, which are de ned below. We have modeled proof me hods as func ions producing appropria e rules (me alevel heorems), which will be used o re ne goals by backchaining. Oper0 a ionally, his corresponds o a func ion reducing goal Γ oΓ (leaving he hypo heses and main goal unchanged). This coincides wi h ac ic applica ion, only ha proof me hods may depend on fac s for forward chaining. For he subsequen presen a ion we prefer o describe me hods according o his opera ional view. Me hod same inser s he fac s o any subgoal, which are lef unchanged o herwise; rule a applies rule a by backchaining, af er forwardchaining from fac s; sin le is similar o rule , bu de ermines a s andard in roduc ion or elimina ion rule from he opmos symbol of he goal or he rs fac au oma ically; assumption solves subgoals by assump ion. These me hods are su cien o suppor primi ive proofs as presen ed in 2. A more realis ic environmen would provide a few more advanced me hods, in par icular au oma ed proof ools such as a generic ableau prover blast [18], a higherorder simpli er simp e c. A su cien ly powerful combina ion of such proof ools could be even made he defaul for qed. In con ras , he ini ial proof me hod should no be made oo advanced by defaul , les he subsequen proof ex be obscured by he lef over s a e of i s invoca ion. In DECLARE [21] au oma ed initial proof me hods are rejec ed al oge her because of his.
180
4.4
Markus Wenzel
Extralo ical Features
Isar is no a monoli hic allinone language, bu a hierarchy of concep s having di eren logical s a us. Apar from he core language considered so far, here are addi ional ex ralogical fea ures wi hou seman ics a he logical level. Term Abbreviations. Any goal s a emen (show e c.) may be anno a ed wi h a is pat n ). Al erna ively, abbrevialis of erm abbrevia ion pa erns (is pat 1 ions may be bound by explici let pat term s a emen s. Levels of Interest decora e proof/by commands by a na ural number or (for in ni y), indica ing ha he subsequen proof block becomes less in eres ing for he in ended audience. The presen a ion componen will use hese hin s o prune excess de ail, collapsing i o ellipsis ( . . . ), for example. Formal Comments of he form −− text may be associa ed wi h any Isar language elemen . The commen text may con ain any ex , which may again con ain references o formal en i ies ( erms, formulas, heorems e c.).
5
Conclusion and Related Work
We have proposed he generic Intelli ible semiautomated reasonin (Isar ) approach o readable formal proof documen s. I s main aspec , he Isar formal proof language, suppor s bo h declara ive proof ex s and machinechecking, by direc execu ion wi hin he Isar vir ual machine (Isar/VM). While Isar does no require au oma ion for basic opera ion, arbi rary au oma ed deduc ion ools may be included in Isar proofs as appropria e. Au oma ed ools are an impor an fac or in scalabili y for realis ic applica ions, of course. Isar is mos closely rela ed o declara ive heorem proving sys ems, no ably Mizar [19, 22]. The Mizar projec , s ar ed in he 1970s, has pioneered he idea of performing ma hema ical proof in a s ruc ured formal language, while hiding opera ional de ail as much as possible. The gap owards he underlying calculus level is closed by a speci c no ion of obvious inferences. In ernally, Mizar does no ac ually reduce i s proof checking o basic inferences. Thus Mizar proofs are occasionally said o be rigorous only, ra her han formal . Over he years, Mizar users have buil up a large body of formalized ma hema ics. Despi e his success, hough, here are a few inheren shor comings preven ing fur her scalabili y for large applica ions. Mizar is no generic, bu igh ly buil around i s version of yped se heory and he obvious inferences prove checker. I s overall design has become ra her baroque, such ha even reengineering he syn ax has become a non rivial e or recen ly. Also no e ha Mizar has a ba chmode proof checker only. While drawing from he general experience of Mizar, Isar provides a fresh s ar ha avoids hese problems. The Isar concep s have been carefully designed wi h simplici y in mind, while preserving scalabili y. Isar is based on a lean hierarchic arrangemen of basic concep s only. I is qui e independen of he underlying logic and i s au oma ed ools, by employing a simple me alogic framework. The Isar/VM in erpre a ion process direc ly suppor s in erac ive developmen .
Isar
Readable Formal Proof Documen s
181
Two o her sys ems have ransferred Mizar ideas o ac ical heorem proving. The Mizar mode for HOL [11] is a package ha provides means o wri e ac ic scrip s in a way resembling Mizar proof ex i has no been developed beyond some ini ial experimen s, hough. DECLARE [20, 21] is a much more elabora e sys em experimen , which draws bo h from he Mizar and HOL radi ion. I has been applied by i s au hor o some subs an ial formaliza ion of Java opera ional seman ics [21]. DECLARE heavily depends on a i s buil in au oma ed procedure for proof checking, causing considerable run ime penal y compared o ordinary ac ical proving. Fur hermore, proofs canno be freely arranged according o usual na ural deduc ion prac ice. Apar from declara ive or in elligible heorem proving, here are several fur her approaches o provide human access o formal proof. Obviously, user in erfaces for heorem provers (e.g. [3]) would be of grea help in performing in erac ive proofs. Ye here is always a pending danger of overemphasizing advanced in erac ion mechanisms ins ead of adding highlevel concep s o he underlying sys em. For example, proofbypointin o ers he user a nice way o selec sub erms wi h he mouse. Such opera ions are ra her hard o communica e la er, wi hou doing ac ual replay. In Isar one may selec sub erms more abs rac ly via erm abbrevia ions, bound by higherorder ma ching. Never heless, Isar may grea ly bene from some user in erface suppor , like a live document edi or ha helps he wri er o hierarchically s ep back and for h hrough he proof ex during developmen . In fac , here is already a pro o ype available, based on he Edinburgh ProofGeneral in erface. A more advanced sys em, should also provide highlevel feedback and give sugges ions of how o proceed even ually resul ing in Computeraided proof writin (CAPW ) as proposed in [21]. Fur hermore, diges ible informa ion abou au oma ed proof me hods, which are fully opaque in Isar so far, would be par icularly useful. To his end, proof ransforma ion and presen a ion echniques as employed e.g. in ΩMega [2] appear o be appropria e. Ideally, he resul ing sys em migh be able o ransform in ernal inferences of proof ools in o he Isar proof language forma . While his resul s in bo omup genera ion of Isar proofs, ano her op ion would be opdown search of Isar documen s, similar o he proof planning echniques ha ΩMega [2] s rongly emphasizes, oo. Shif ing he focus even more beyond Isar owards ac ual highlevel proof au oma ion, we would arrive a some hing analogous o he combina ion of ac ical heorem proving and proof planning under aken in Clam/HOL [4]. We have charac erized Isar as being in erpre a ive a higher level language is in erpre ed in erms of some lower level concep s. In con ras , ransforma ional approaches such as [8] proceed in he opposi e direc ion, abs rac ing primi ive proof objec s in o a higherlevel form, even na urallanguage. Mos of he Isar concep s presen ed in his paper have already been implemen ed wi hin Isabelle. Isar will be par of he for hcoming Isabelle99 release. The sys em is already su cien ly comple e o conduc proofs ha are sligh ly more complex han he examples presen ed here. For example, a proof of Can or’s heorem ha is much more comprehensive han he original ac ic
182
Markus Wenzel
scrip discussed in [16, Par III]. Ano her example is correc ness of a simple ransla or for ari hme ic expressions o s ackmachine ins ruc ions, formula ed in Isabelle/HOL. The Isar proof documen nicely spells ou he in eres ing induc ion and case analysis par s, while leaving he res o Isabelle’s au oma ed proof ools. More realis ic applica ions of Isabelle/Isar are o be expec ed soon.
References [1] K. Arkoudas. Deduc ion visavis compu a ion: The need for a formal language for proof engineering. The MIT Express projec , http://www.a .m t.edu/projects/express/, June 1998. [2] C. Benzm¨ uller, L. Cheikhrouhou, D. Fehrer, A. Fiedler, X. Huang, M. Kerber, M. Kohlhase, K. Konrad, E. Melis, A. Meier, W. Schaarschmid , J. Siekmann, and V. Sorge. ΩMega: Towards a ma hema ical assis an . In W. McCune, edi or, 14th International Conference on Automated Deduction CADE14, volume 1249 of LNAI. Springer, 1997. [3] Y. Ber o and L. Thery. A generic approach o building user in erfaces for heorem provers. Journal of Symbolic Computation, 11, 1996. [4] R. Boul on, K. Slind, A. Bundy, and M. Gordon. An in erface be ween CLAM and HOL. In J. Grundy and M. Newey, edi ors, Proceedin s of the 11th International Conference on Theorem Provin in Hi her Order Lo ics, volume 1479 of LNCS. Springer, 1998. [5] R. Burs all. Teaching people o wri e proofs: a ool. In CafeOBJ Symposium, Numazu, Japan, April 1998. [6] A. Church. A formula ion of he simple heory of ypes. Journal of Symbolic Lo ic, pages 56 68, 1940. [7] C. Cornes, J. Couran , J.C. Fillia re, G. Hue , P. Manoury, and C. Munoz. The Coq Proof Assistant User’s Guide, version 6.1. INRIARocquencour e CNRSENS Lyon, 1996. [8] Y. Coscoy, G. Kahn, and L. Thery. Ex rac ing ex from proofs. In Typed Lambda Calculus and Applications, volume 902 of LNCS. Springer, 1995. [9] B. I. Dahn and A. Wolf. A calculus suppor ing s ruc ured proofs. Journal of Information Processin and Cybernetics (EIK), 30(56):261 276, 1994. Akademie Verlag Berlin. [10] M. J. C. Gordon and T. F. Melham (edi ors). Introduction to HOL: A theorem provin environment for hi her order lo ic. Cambridge Universi y Press, 1993. [11] J. Harrison. A Mizar mode for HOL. In J. Wrigh , J. Grundy, and J. Harrison, edi ors, Proceedin s of the 9th International Conference on Theorem Provin in Hi her Order Lo ics, TPHOLs’96, volume 1125 of LNCS, pages 203 220. Springer, 1996. [12] T. Nipkow. More ChurchRosser proofs (in Isabelle/HOL). In M. McRobbie and J. K. Slaney, edi ors, 13th International Conference on Automated Deduction CADE13, volume 1104 of LNCS, pages 733 747. Springer, 1996. [13] T. Nipkow. Winskel is (almos ) righ : Towards a mechanized seman ics ex book. In V. Chandru, edi or, Foundations of Software Technolo y and Theoretical Computer Science, volume 1180 of LNCS, pages 180 192. Springer, 1996. [14] T. Nipkow and D. v. Oheimb. Java i ht is ypesafe de ni ely. In Proc. 25th ACM Symp. Principles of Pro rammin Lan ua es, pages 161 170. ACM Press, New York, 1998.
Isar
Readable Formal Proof Documen s
183
[15] S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas. PVS: combining speci ca ion, proof checking, and model checking. In R. Alur and T. A. Henzinger, edi ors, Computer Aided Veri cation, volume 1102 of LNCS. Springer, 1996. [16] L. C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of LNCS. Springer, 1994. [17] L. C. Paulson. Generic au oma ic proof ools. In R. Vero , edi or, Automated Reasonin and its Applications. MIT Press, 1997. [18] L. C. Paulson. A generic ableau prover and i s in egra ion wi h Isabelle. In CADE15 Workshop on Inte ration of Deductive Systems, 1998. [19] P. Rudnicki. An overview of he MIZAR projec . In 1992 Workshop on Types for Proofs and Pro rams. Chalmers Universi y of Technology, Bas ad, 1992. [20] D. Syme. DECLARE: A pro o ype declara ive proof sys em for higher order logic. Technical Repor 416, Universi y of Cambridge Compu er Labora ory, 1997. [21] D. Syme. Declarative Theorem Provin for Operational Semantics. PhD hesis, Universi y of Cambridge, 1998. Submi ed. [22] A. Trybulec. Some fea ures of he Mizar language. Presen ed a a workshop in Turin, I aly, 1993.
On the Implementation of an Extensible Declarative Proof Lan ua e? Vincent Zammit Sharp Laboratories of Europe, Oxford Science Park, Oxford, UK
Abs rac . Following the success of the Mizar [15, 9] system in the mechanisation of mathematics, there is an increasing interest in the theorem proving community in developing similar declarative languages. In this paper we discuss the implementation of a simple declarative proof language (SPL) on top of the HOL system [3] where scripts in this language are used to generate HOL theorems, and HOL de nitions, axioms, theorems and proof procedures can be used in SPL scripts. Unlike Mizar, the language is extensible, in the sense that the user can extend the syntax and semantics of the language during the mechanisation of a theory. A case study in the mechanisation of group theory illustrates how this extensibility can be used to reduce the di erence between formal and informal proofs, and therefore increase the readability of formal proofs.
1
Introduction
In this paper we illustrate a declarative proof lan ua e which we call SPL (standin for Simple Proof Lan ua e). We also describe the implementation of a proof checker for SPL on top of the HOL theorem prover [3]. Basically, the declarative lan ua e is embedded in ML which is the metalan ua e of HOL and the proof checker enerates HOL theorems from SPL proof scripts. The work described here is illustrated in more detail in the author’s thesis [17]. The HOL theorem prover is implemented accordin to the LCF philosophy, in the sense that: HOL theorems are represented by an ML abstract data type whose si nature functions correspond to the primitive inference rules of a sound deductive system of the HOL lo ic. This ensures that theorems derived in the system are valid HOL formulae. The user is iven the flexibility to implement proof procedures in the metalan ua e ML in order to facilitate the theorem provin process. The HOL system includes a number of ML functions which allow users to nd proofs interactively by applyin tactics. Most of the proofs implemented in HOL, and several other proof development systems, are found interactively usin the tacticbased oaloriented environment. The user speci es the required theorem as a oal, and then applies tactics ?
The work presented in this paper was done when the author was a student at the Computing Laboratory of the University of Kent at Canterbury.
Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 185 202, 1999. c Sprin erVerla Berlin Heidelber 1999
186
Vincent Zammit
which either solve the oal if it is simple enou h, or else break the oal into simpler sub oals. This is repeated until all the sub oals are solved. This mechanism is indeed quite e ective for the interactive discovery of proofs because users can use and implement powerful tactics to automate several proof steps, and usually users do not need to remember all the previous steps of interaction durin theorem provin . However, a tactic proof is simply a list of steps of interaction which is required to prove a particular theorem on a particular theorem prover, and therefore tactic proofs are not at all informative to a human reader. In eneral, it is extremely hard to follow, modify or maintain tactic proofs without feedback from the interactive theorem prover. On the other hand, proofs implemented in the Mizar proof lan ua e [15] are easier to follow since they o er more valuable information to a human reader than tactic proofs. The Mizar lan ua e is usually described as a declarative proof lan ua e, since proof steps state what is required to derive a theorem, as opposed to tacticbased procedural proofs which consist of the list of interactions required to derive it, and therefore state explicitly how the theorem is proved. The SPL lan ua e described in this paper is declarative and is based on the theorem provin fra ment of Mizar. The motivation of this implementation is to experiment with possible ways of increasin the theorem provin power of the lan ua e durin the mechanisation of a theory. The SPL lan ua e is extensible, in the sense that the user can implement new theorem provin constructs and include them in the syntax of the lan ua e. Such extensibility is important because theoryspeci c proof procedures can be implemented which use facts derived durin the development of a theory. The Mizar lan ua e is not extensible, and extensibility is often claimed to be desirable (see the conclusions of [10]). The use of such theoryspeci c proof procedures reatly reduces the len th of formal proofs since commonly used sequences of inferences can be automated by such proof procedures. Furthermore, the possibility of extendin the proof lan ua e durin mechanisation can reduce the di erence between the size of formal and informal mathematical proofs. One main di erence between formal and informal proofs is the level of detail between the two. Formal proofs are usually very detailed while informal proofs often omit proof steps which the intended reader of the proof can easily infer. Another di erence which can be noticed is that the proof steps of formal proofs vary considerably in their level of complexity: simple proof procedures which represent trivial inferences are used to ether with very complex ones which automate several nontrivial inferences. As a result, the use of theoryspeci c proof procedures can be used to automate the proof steps that are usually considered to be trivial by the authors of informal proofs. Our work is in some respect similar to that done by Harrison [5] who implemented a Mizar mode in HOL. This mode is, however, very much based on the tacticbased environment in HOL since Mizar proof constructs are translated into HOL tactics. The SPL lan ua e is richer than the Mizar mode in HOL since, for instance, SPL scripts can be structured into sections to allow a more modular presentation. The processin of SPL scripts is not based on HOL tactics.
On the Implementation of an Extensible Declarative Proof Language
187
Recently, Syme [12] has developed a declarative proof lan ua e, DECLARE, for software veri cation and used it to verify the type correctness of Java [13, 14]. This lan ua e is, however, not extensible, althou h this is su ested in the future work section of [12]. The Mizar mode described in [5] allows the use of arbitrary HOL tactics for justifyin proof steps, and is therefore extensible. In the followin sections, we rst illustrate the constructs of SPL and then discuss the implementation of the proof checker on top of the HOL theorem prover in Sec. 3, which is followed by a section on the proof procedures used to support the proof checkin process. In Sec. 5 we illustrate a userextensible database of knowled e which can be used to store and derive SPL facts that are considered to be trivial. A case study involvin the mechanisation of roup theory in SPL is described in Sec. 6, and Sec. 7 ives some concludin remarks and directions for future work.
2
SPL: A Simple Proof Lan ua e
The SPL lan ua e is based on the theorem provin fra ment of Mizar. The lan ua e is embedded in ML and the SPL proof checker enerates HOL theorems from SPL scripts, and therefore the proof checker is fullyexpansive: all theorems are derived by the primitive rules of the HOL core inference en ine in order to minimise human errors in the proofs. One can also use HOL de nitions, axioms, theorems and also proof procedures in SPL proof scripts. No SPL constructs are de ned for introducin de nitions in a HOL theory, instead one can use the HOL de nition packa es. In this section we rst use a simple example to describe briefly the syntax of SPL, and then describe the various constructs of the lan ua e. A more elaborate treatment is iven in Chap. 4 of [17]. Fi ure 1 illustrates a fra ment of an SPL proof script which derives the followin theorems: R_refl =
R. Symmetric R ( x. y. R x y)
R_equiv =
R. Symmetric R ( x. y. R x y)
Transitive R Reflexive R Transitive R Equivalence R
where the predicates Reflexive, Symmetric , Transitive and Equivalence are dened as follows: def
R. Reflexive R
( x. R x x)
def
R. Symmetric R
( x y. R x y = R y x)
def
R. Transitive R
def
( x y. R x y
R. Equivalence R (Reflexive R Symmetric R
z. R y z Transitive R)
R x z)
188
Vincent Zammit
section on_symm_and_trans given type ":’a"; let "R:’a ’a bool"; assume R_symm: "Symmetric R" R_trans: "Transitive R" R_ex: " x. y. R x y"; theorem R_refl: "Reflexive R" proof simplify with Reflexive, Symmetric and Transitive; given "x:’a"; there is some "y:’a" such that Rxy: "R x y" by R_ex; so Ryx: "R y x" by R_symm, Rxy; hence "R x x" by R_trans, Rxy, Ryx; qed; theorem R_equiv: "Equivalence R" <Equivalence> by R_refl, R_symm and R_trans; end;
Fi . 1. An Example SPL Proof Script.
The proofs of the two theorems are implemented in an SPL section which is called on_symm_and_trans . This section starts at the section keyword and is closed by the end; on the last line. Sections are opened in order to declare reasonin items, which include the introduction of assumptions, the declaration and proof of theorems, etc. The rst two reasonin items in this section introduce the type variable :’a and the variable R so that they can be used in later reasonin items. A number of assumptions are then introduced (locally to this section) which are used by the proofs of the two theorems. Theorems are declared by the theorem keyword which is followed by an optional label, the statement of the theorem and its justi cation. The justi cation of the rst theorem is a proof which consists of a number of steps, while the simple justi cation of the second theorem consists of a sin le line. The simplify statement in the proof of the theorem R_refl is a simpli er declaration. A simpli er is a proof procedure which simpli es the statement
On the Implementation of an Extensible Declarative Proof Language
189
of assumptions, theorems, and proof step results, and can be declared usin simplify constructs so that it can be used automatically durin proof checkin . De nitions can be declared as simpli ers so that they are unfolded automatically. The expression <Equivalence> in the justi cation of the second theorem is a simpli er declaration which is local to that simple justi cation. The theorems derived in the script iven in Fi . 1 can still be used outside section on_symm_and_trans , however their statements are expanded, or eneralised, accordin to the variables and assumptions local to this section, that is to the statements iven earlier this section. 2.1
On SPL Sections
The sectionin mechanism of SPL is similar to that of the Coq system [1]. In eneral, an SPL proof script consists of a list of sections, and sections can be nested to improve the overall structure of scripts. All the information declared in a section is local to it, and (with the exception of theorems) local information is lost when a section is closed. Theorems proved in a section are still visible outside it, however they are eneralised accordin to the local variables and assumptions used in derivin them. The advanta es of declarin information locally can also be seen in the simple example iven earlier in Fi 1. In particular, the statements of the theorems declared in the proof script are shorter than their fully expanded form iven in the be innin of this section, and therefore: Repetitive information in the statements of theorems is avoided, for instance the antecedents of the two theorems in our example are declared once as the assumptions local to both theorems. The unexpanded form of the statement of theorems in the section in which they are derived is due to the fact that they are specialised by the information declared locally, which includes the eneralisin variables and assumptions. As a result, justi cations usin unexpanded theorems do not have to include the assumptions which are used in derivin them. For example, when the theorem R_refl is used in justifyin the theorem R_equiv, there was no need to include the three assumptions used in derivin R_equiv. As a result, justications which use unexpanded results are shorter, and also easier to proof check, than those which use the results in their fully eneralised form. Since proof statements and proofs are shorter, scripts are easier to read. 2.2
Reasonin Items
SPL reasonin items include eneralisation which introduce new type variables and (term) variables, introductions of assumptions, abbreviations (local de nitions) which allow expressions to be represented by a sin le word, and the declaration of simpli ers. Reasonin items also include the declaration and justi cation of facts which include theorems and intermediate results (such as Rxy and Ryx in Fi . 1).
190
2.3
Vincent Zammit
Justi cations
The statements of intermediate proof step results and theorems are followed by their justi cations which include strai htforward justi cations usually consistin of the by keyword followed by a number of premises. An optional prover can be speci ed before the list of premises; a prover represents a HOL decision procedure which derives the conclusion of the justi cation from its premises. A default prover is assumed if none is speci ed. As shown in the proof of the second theorem in Fi . 1, one can declare an optional local list of simpli ers before the by keyword. Justi cations can also be of the form of proofs which consist of a list of intermediate results and other reasonin items between a proof and a qed or end keyword. A commonly used type of justi cation is the iterative equality such as the followin which justi es the fact a + (b + c) = (c + a) + b labelled with abc: abc: "a + (b + c) = ." = ." = 2.4
a + (c + b)" by commutativity (a + c) + b" by associativity (c + a) + b" by commutativity;
SPL Sentences
SPL sentences are the expressions in the syntax of SPL which denote facts (which include theorems, assumptions and intermediate results). Usually sentences consist simply of the label of the fact. However, one can specify a list of local simpli ers which are applied to a sin le fact durin proof checkin . One can also specify a forward inference rule to derive facts from other facts, variables and some other expressions. The use of local simpli ers and forward inference rules is however not encoura ed because of the procedural nature of the resultin proofs.
3
The Implementation of an SPL Proof Checker
The proof checker of the SPL lan ua e implemented in HOL processes proof scripts in two steps: Parsin the input text into an internal (ML) representation of the lan ua e constructs; Processin the constructs to modify the environment of the proof checker. The SPL state is represented by an ML object of type reason_state and consists of the input strin and the environment of type reason_environment . The implementation of the proof checker consists of a number of ML functions which parse and process SPL constructs. Such functions take and return objects of type reason_state . A number of other functions which act on objects of type reason_state are also implemented. These include functions which extract proved theorems from the SPL environment so that they can be used in HOL, add HOL axioms, de nitions and theorems to the environment, and add new input text in order to be parsed and processed.
On the Implementation of an Extensible Declarative Proof Language
191
The processin of SPL scripts can therefore be invoked durin a HOL theorem provin session by callin the appropriate ML functions. As a result, the user can implement an SPL script, process it within a HOL session and use the derived results in HOL inference rules and tactics or in the implementation of proof procedures in ML. Moreover, the SPL lan ua e is extensible: the user can implement HOL proof procedures and include them in the lan ua e syntax. Therefore, one can develop a theory by repeatin the followin steps: (i) derivin a number of theorems usin SPL proofs, (ii) usin the derived theorems in the implementation of HOL proof procedures, (iii) extendin the SPL lan ua e to make use of the new proof procedures. This approach combines the readability of SPL proofs with the extensibility of the HOL system. The mechanisation of roup theory described briefly in Sec. 6 is developed usin this approach. In this case, new proof procedures were implemented as the theory was mechanised in order to automate the proof steps which would be considered trivial by the reader. ML references are used to store the functions which parse and process the SPL lan ua e constructs (includin the parser and processors of reasonin items) so that they can be updated by the user durin the development of a theory. This simply mechanism allows the SPL parser (which consists of the collection of the functions which parse the lan ua e constructs) to be userextensible. Provers (which correspond to HOL decision procedures), simpli ers, and forward inference rules are also stored in ML references. This implementation desi n was ori inally used to allow the author to alter the syntax and semantics of the lanua e easily durin the development of a theory when the implementation of the SPL lan ua e was still in its experimental sta es. However, we now believe that the flexibility and extensibility o ered by this desi n can indeed be a desirable feature of proof lan ua es. This allows the proof implementor, for instance, to include new reasonin items (rather than just proof procedures) which make use of derived theorems durin the implementation of a theory. One can also chan e substantial parts of the syntax of the lan ua e to one which he or she believes to be more appropriate to the particular theory bein mechanised. Ideally, any alterations made to the syntax of the lan ua e should be local to particular sections. In order to achieve this, one needs a number of desi n chan es to the current implementation of the lan ua e since the use of ML references allows the user to update the syntax lobally rather than locally. A number of ML functions are implemented in order to facilitate the update of the parsin and processin functions stored in ML references. The object embeddin system of Slind [11] is used to embed the SPL lanua e in SML. Basically, usin this system the text of SPL scripts and script fra ments is enclosed in backquotes (‘) so that they can be easily written and read. The texts are however internally represented as ML objects from which ML strin s representin the lines of the proof texts can be extracted. Once extracted the strin s are then parsed usin the SPL lan ua e parser. The SPL lan ua e uses the HOL syntax for terms and types. SPL expressions representin terms and types are iven to the internal HOL parser after a simple preprocessin
192
Vincent Zammit
sta e which, for instance, ives the type :bool to expressions representin formulae, and inserts types for any free variables which have been introduced by eneralisations. Because of the hierarchical structure of SPL scripts, the SPL environment (which represents the information that has been declared and derived by SPL constructs) is structured as a stack of layers containin the information declared locally. An empty layer is created and pushed on top of the stack at the be innin of a section or proof. Processin reasonin items a ects only the information in the top layer. At the end of a section or proof, the top layer is popped from the stack and all the information stored in this layer, with the exception of theorems, is destroyed. Theorems are expanded and inserted into the new top layer. The expansion of theorems involves the substitution of local abbreviations with the terms they represent, the dischar in of locally introduced assumptions, and the eneralisation of locally introduced variables. We say that a layer has been opened when it is pushed on top of the environment stack. We also say that a layer has been closed when it is popped from the stack. Each layer contains a list of locally derived or assumed facts labelled by their identi er, a list of variables and type variables introduced by reasonin items, a list of declared simpli ers, and some other information (e. ., the name of the section, the current conclusion in case of a proof layer, etc. ).
4
Support for Automated Proof Discovery
The proof checkin process of SPL scripts, which involves the eneration of HOL theorems from SPL constructs, is supported by a number of proof procedures, which include: Inference Rules which allow the user to derive facts in a procedural manner usin any forward inference rule. The use of these rules is not encoura ed because it may reduce the readability of proof scripts. Simpli ers which can be used to normalise terms, and to perform calculations which would be considered trivial in an informal proof. Any HOL conversions can be included by the user as SPL simpli ers. Proof Search Procedures or simply provers, which are used to derive the conclusions of strai htforward justi cations from a iven list of premises. The user can implement any of these kinds of proof procedures in ML durin the development of a theory, associate SPL identi ers with them, and include them in the syntax of the lan ua e. The SPL implementation includes a knowled e database which can be used to store facts which are considered to be trivial. This database can be queried by any of the above kinds of proof procedures in order to obtain trivial facts automatically. The use of this database is described in the next section. Only one forward inference rule is used in the mechanisation of roup theory described in Sec. 6. This rule corresponds to the introduction of the Hilbert choice operator and takes a variable v and a sentence denotin some fact P [v] and derives P [ v P [v]].
On the Implementation of an Extensible Declarative Proof Language
193
Several simpli ers have been implemented durin this case study in order to extend the SPL lan ua e with roup theory speci c proof procedures. The main role of the simpli ers used in the case study is to normalise certain expressions (such as roup element expressions involvin the identity element, the roup product, the inverse function, and arbitrary roup elements) once normal forms have been discovered. A number of mathematical theories are canonisable, that is, their terms can be uniquely represented by a canonical, or normal form. Theories whose terms can be normalised e ectively have a decidable word problem since two terms are equal if and only if their respective normal forms are syntactically identical. Therefore theoryspeci c normalisers can be used to derive the equality of certain terms automatically. It should be noted, that once normal forms are discovered and described in informal mathematical texts, the simpli cation of a term into its normal form is usually considered to be obvious and omitted from proofs. The use of simpli ers to automate the normalisation process can therefore reduce the di erence between formal and informal proofs. The default prover used in the case study is a semidecision procedure for rstorder lo ic with equality implemented as a HOL derived rule. The proof search process involves the discovery of a closed tableau and uses ri id basic superposition with equational reflexivity to reason with equality [2]. This semidecision procedure is complete for rstorder lo ic with equality, however a number of resource bounds are imposed on the proof search process since the strai htforward justi cations of SPL scripts usually represent rather trivial inferences1 . The implementation of this decision procedure is discussed in Chap. 5 of [17]. Since SPL formulae are hi herorder, they need to be transformed into rstorder ones before they can be used by the above mentioned tableau prover. This is done by: 1. Normalisin them into lon normal form, 2. Eliminatin quanti cation over functions and predicates by the introduction of a new constant : (γ ) γ ( for apply ) and then transformin terms of the form (f x) into ( f x) so that hi herorder formulae like P P x P y, are transformed into rstorder ones (like P P x P y). 3. Eliminatin lambda abstractions, which for instance transforms the formula: (a = b)
P ( x f x a)
P ( x f x b)
into the valid rstorder formula (a = b)
P ( f a)
with the introduction of the constant 1
P ( f b)
= ( y z x y x z).
The tableau prover mentioned in this section is modi ed to proof check a special kind of justi cations which we call structured strai htforward justi cations. These justi cations are used in the implementation of the case study mentioned in Sec. 6. We do not discuss this type of justi cations in this paper. The reader is referred to Chapters 6 and 8 of [17].
194
5
Vincent Zammit
A Database of Trivial Knowled e
As mentioned in the introduction of this paper, one major di erence between formal and informal proofs is the level of detail between the two. Informal proofs contain aps in their reasonin which the reader is required to ll in order to understand the proof. The author of an informal proof usually has a speci c type of reader in mind: one who has a certain amount of knowled e in a number of mathematical elds, and one who has read and understood the precedin sections of the literature containin the proof. The author can therefore rely on his, usually justi ed, assumptions about what the intended reader is able to understand when decidin what to include in an informal proof and what can be easily inferred by the reader, and can (or must) therefore be unjusti ed. For example, if one assumes that some set A is a subset of B, and that some element a is a member of A, then the inference which derives the membership of a in B can usually be omitted if the reader is assumed to be familiar with the notions of set membership and containment. On the other hand, it is very often the case that when a substantial fra ment of a theory has been developed usin a theorem provin environment, the formal proofs may still contain inferences which use trivial results that have been derived much earlier in the mechanisation. Since the need to include explicitly such trivial inferences in most formal proof systems results in the observed di erence between the size and readability of formal and informal proofs, we have experimented with the implementation of a simple userextensible knowled e database which proof procedures can query in order to derive trivial facts automatically. The knowled e in the database is or anised into cate ories each containin a list of facts. New cate ories can be added durin the development of a theory. For example, in order to derive the trivial inference illustrated in the example iven earlier this section, one can include a membership cate ory with identi er in_set in order to include facts of the form x is a member of X , and a containment cate ory subset which includes facts of the form X is a subset of Y . SPL facts can then be stored in the database durin proof implementation usin the construct: consider in_set a is a member of A subset A is a subset of B ; In order that these facts can be used by proof procedures, the user is also required to implement ML functions which query the database. Such functions take the knowled e database as an ar ument to ether with a number of other ar uments dependin on the cate ory they query. For example, a function to query the in_set cate ory may take a pair of terms representin an element and a set. Query functions return a theorem when they succeed. ML references can be used to store the searchin routine of the query function so that it can be updated durin the development of a theory, as shown in the SML fra ment in Fi . 2. The user can then implement proof procedures (such as simpli ers) which call this query function.
On the Implementation of an Extensible Declarative Proof Language
195
fun in_set_search kdbs (e, s) = look for the fact ‘‘e is in s in kdbs and return it if found otherwise raise an exception local (* store the search function in a reference *) val in_set_ref = ref in_set_search in (* the query calls the stored search function *) fun in_set kdbs query = ( in_set_ref) kdbs query (* updatin the query function *) fun update_in_set new_qf = let val old_in_set = in_set_ref fun new_in_set kdbs query = old_in_set kdbs query (* try the old query *) handle _ => (* if it fails *) new_qf kdbs query (* try the new one *) in in_set_ref := new_in_set (* update the store function *) end end;
Fi . 2. The Implementation of a Query Function.
Query functions can also be implemented to handle existential queries. For example an existential query function for the subset cate ory can take a set X as an ar ument and looks for a fact of the form X is a subset of Y for some set Y . A di erent existential query function on the same cate ory would look for some fact Y is a subset of X . Since many such facts may be derived by the knowled e database, existential query functions are implemented to return a lazy sequence of facts satisfyin the query. Query functions can be updated when new results are derived which can be used in the automatic deduction of trivial facts. For example, iven the derived fact x X Y (x is in X) (X is a subset of Y ) (x is in Y )
196
Vincent Zammit
one can then update the query function of in_set so that iven some query a is in B it 1. calls the appropriate existential subset query function to check whether there is some set A such that A is a subset of B can be derived from the database, and 2. queries in_set (recursively) to check whether a is in A for some A satisfyin the previous query. Given the required facts, the new in_set query function can then derive and return the fact a is in B usin the above result. As the search function is stored in an ML reference, updatin a query function a ects the behaviour of all the proof procedures which use it. Since some search is needed in the handlin of most queries, and since the same query may be made several times durin theorem provin , the output of successful nonexistential queries is cached to avoid repeated search. In the current implementation caches are stored lobally and are reset when a layer containin knowled e which can a ect the query concerned is closed. A better approach would be to store caches locally in each layer. Case studies involvin the implementation of formal proofs in SPL showed that the len th of the proofs can be substantially reduced throu h the use of a knowled e database. This reduction of proof len th is due to the implementation of theoryspeci c query functions which make use of derived theorems, as well as the implementation of proof procedures which are able to query the database. We notice that the implementation of such functions with the intention of minimisin the di erence between formal and informal proofs involves the understandin of what authors of informal proofs consider to be trivial by the intended reader. Therefore, the implementation of functions capable of derivin facts which are considered to be trivial by a knowled eable reader is a formal means of illustratin what can be considered obvious in some particular proof and how such obvious facts can be derived. We ar ue that this is a formal means of representin a particular kind of knowled e and understandin in a mathematical eld other than ivin a list of detailed formal proofs. We believe that the presentation of such information should be included in a formal development of a mathematical eld. In the case study discussed in Sec. 6, the only proof procedures which use the knowled e database are the simplifyin procedures. The main reason for this is the fact that the proof search procedures were implemented before the experimental database was desi ned. However, in principle the proof procedures can be redesi ned and implemented to be able to query the database. We will consider this area for future work and believe that the len th of formal proofs can be reatly reduced with such a feature.
6
A Mechanisation of Group Theory: A Case Study
In this section we describe a case study involvin the mechanisation in SPL of a number of results in roup theory. The mechanisation is based on the textbook
On the Implementation of an Extensible Declarative Proof Language
197
by Herstein [6] and includes results on normal roups, quotient roups and the isomorphism theorems. Due to space limitations, we only ive a brief outline of the mechanisation here. A more detailed description is iven in Chap. 9 of [17]. Since one of the motivations of this case study is to experiment with a userextensible declarative proof lan ua e in order to reduce the di erence between formal and informal proofs, the mechanisation includes the implementation of several roup theory speci c proof procedures in ML. These proof procedures include a number of simpli ers and several query functions on the SPL knowled e database (Sec. 5). These proof procedures are used to automate a number of the inferences that are omitted from the proofs in [6]. We remark that the mechanisation of roup theory in a theorem provin environment is not a novel idea. In particular, all the results formalised in this case study (and several others) have been formalised in the Mizar system, and Gunter formalised a number of results on roup theory in HOL [4]. The contribution of this case study lies in the use of an extensible declarative proof lan ua e in which proof procedures are implemented to improve the readability of the proof scripts. 6.1
Group Theory in the HOL Lo ic
Groups are de ned in the simply typed polymorphic lo ic of HOL in a similar fashion to the de nitions in [4, 7] as a pair (G p) satisfyin the roup axioms where G is a polymorphic predicate representin the set of roup elements and p is a binary operator on the elements in G. The predicate Group ( p) de ned below holds if ( p) is a roup: def
Group (G: bool p: ) (GClosed (G p)) (GAssoc (G p)) e: . (G e) (GId (G p) e) ( x. G x GhasInv (G p) e x)
is closed under p, and p is where GClosed ( p) and GAssoc ( p) hold if respectively. The formula GId ( p) e holds associative on the elements of if e is the left and ri ht identity of p in , GhasInv ( p) e x holds if there is some y such that GInv ( p) e x y holds, which holds if y is some left and ri ht inverse of x in ( p) assumin that e is an identity element in . This de nition corresponds to the de nition of roups iven in [6]. Given a roup ( p), an identity element can be selected by the function IdG, and iven an element in , its inverse can be selected by the function InvG; these functions are de ned as follows: def
IdG (G p)
def
InvG (G p) x
e.G e
GId (G p) e
x1 .G x1
GInv (G p) (IdG (G p)) x x1
198
6.2
Vincent Zammit
Preliminary Results
In the textbook by Herstein [6], once the above de nition of a roup is introduced, a number of simple but quite useful results have been de ned. These results include the uniqueness of the identity and inverse elements, and some simpli cations on roup element expressions such as (a−1 )−1 = a and (ab)−1 = b−1 a−1 for all roup elements a and b, where x−1 represents the inverse element of x and the juxtaposition of two roup elements represents their product. Once derived, such results are then assumed to be obvious in the text: they are inferred without any justi cation. In order to achieve the same e ect in the formal SPL script, one has to implement proof procedures which automate the inference which are assumed obvious in the informal text. In this case study a simpli er which normalises expressions representin roup elements is implemented after roups are de ned. This normaliser is based on the followin rewrite rules which correspond to a stron ly normalisin term rewritin system for roup element expressions enerated by the inverse function, the roup product and the identity element e (see [8] for e. ., ). ex (x−1 )x (xy)z e−1 −1 x(x y)
x e x(yz) e y
xe x(x−1 ) (x−1 )−1 (xy)−1 −1 x (xy)
x e x y −1 x−1 y
These rules are derived usin declarative proofs in SPL as HOL theorems and used in the implementation of a simpli er (with identi er groups) for roup elements. It should be noted that because of the simple type theory the HOL lo ic is based on, the theorems correspondin to the above rules contain a number of antecedents correspondin to the facts that the elements in the rules are members of the same roup. For example, the rule correspondin to the associativity of the roup product is iven by the theorem: G p. Group (G p) ( x y z. G x (p (p x y) z = p x (p y z)))
G y
G z
In order to derive the antecedents of such rules automatically, SPL knowled e databases for the Group predicate and set membership are introduced, and the groups simpli er is implemented so that it queries the database to check whether all the antecedents of a rule hold before it is applied. Since a query to the knowled e database can correspond to several inferences (such as the use of the transitivity of the subset relation in derivin whether an element is a member of some set), several proof steps can be omitted if the groups simpli er is used. Given this simpli er, the left cancellation law is derived in SPL as follows: theorem Cancel_left : "(p z x = p z y) proof assume zx_eq_zy: "p z x = p z y";
(x = y)"
On the Implementation of an Extensible Declarative Proof Language
199
"x = p (inv z) (p z x)" < roups> by fol ."= p (inv z) (p z y)" by zx_eq_zy ."= y" < roups> by fol; qed; once the facts that x, y and z are in , and that ( p) is a roup are assumed and stored in the knowled e database. The justi cation by fol states that groups is used as a local simpli er and that the rstorder lo ic prover (fol) is used as the proof search procedure. The term inv is a local abbreviation to the expression which corresponds to the inverse function in the roup ( p). The database cate ories and their query functions were updated whenever de nitions were introduced and new results were derived in SPL. For example, when sub roups were de ned, the query function for the roup cate ory was updated so that the fact that H is a roup is automatically derived if H is stated to be a sub roup of some roup G; and the set membership cate ory was updated so that the fact that the identity element of G is in its sub roup H is automatically derived when the equality of the identity elements of H and G was proved. 6.3
Cosets, Normal Sub roups, and Further Results
The procedure of derivin theorems in SPL and then usin them to implement and update simpli ers and database query functions to extend the SPL lan ua e and to use these proof procedures in later SPL proofs to derive more results, is repeated throu hout the mechanisation of roup theory. For example, when left and ri ht cosets and products of subsets of roups are de ned: def
Ri htCoset (H p) a
def
LeftCoset a (H p)
def
SProd p X Y
( x.
( b. ( b.
h. H h h. H h
h. X h
(b = p h a)) (b = p a h))
k. Y k
(x = p h k))
a simpli er cos is implemented which normalises terms involvin these expressions. Cosets are denoted in the informal literature by juxtapositionin the roup subset with the roup element, and the product of two subsets is denoted by juxtapositionin the two subsets. Similarly to the groups simpli er, the cos simpli er queries the database to derive certain facts automatically. This simpli er is used, for example, in a very famous result in roup theory which states that if N is a normal sub roup of G), then (N a)(N b) = N ab for all some roup G (i.e., if N = N −1 for all a and b in G. This result is derived by the equations: (N a)(N b) = N (aN )b = N (N a)b = N N ab = N ab and uses the facts that if N is a sub roup then N N = N and if N is normal then N a = aN . This result is derived in SPL by the same sequence of steps with the help of the cos simpli er enhanced with appropriate database query functions:
200
Vincent Zammit
"SProd p (Ri htCoset (N,p) a) (Ri htCoset (N,p) b) = SProd p N (Ri htCoset (LeftCoset a (N,p),p) b)" by fol ."= SProd p N (Ri htCoset (Ri htCoset (N,p) a,p) b)" by Normal_ N_N , Ga ."= Ri htCoset (SProd p N N,p) (p a b)" by fol ."= Ri htCoset (N,p) (p a b)" by SProd_Idem, GroupG, Ns G; G, Ga is the where Normal_gN_Ng is the theorem statin that N = N for fact a G, GroupG is the fact that (G p) is a roup, and NsgG is the fact that N is a sub roup of G. The theorem SProd_Idem states that the product HH of a sub roup H is equal to H. The mechanisation of roup theory in SPL derives all the results in Herstein [6] up to and includin the second isomorphism theorem with the exception of those involvin nite roups. Simpli ers (other than groups and cos) which query the database of trivial knowled e are implemented in order to minimise the di erence between the SPL proofs and those found in the literature. A more detailed account of this mechanisation is iven in [17].
7
Conclusions and Future Work
In this paper we have illustrated an extensible declarative proof lan ua e, SPL, which is very much based on the theorem provin fra ment of the Mizar proof lan ua e. A fullyexpansive proof checker for SPL is implemented on top of the HOL theorem provin system. The extensibility of the lan ua e is achieved by storin the ML functions which parse and process SPL scripts in ML references so that they can be updated durin the mechanisation of a theory. The proof checker is supported by a number of proof procedures which include simpli ers, and a tableaubased prover for rstorder lo ic with equality. These proof procedures are also stored in ML references so that they can be updated durin theory mechanisation. A userextensible database of SPL facts is used to derive results which are considered trivial and should therefore be implicit durin proof implementation. The SPL proof procedures can query this database to derive such results automatically. Finally, a sectionin mechanism, similar to that of the Coq system, is used in order to ive a hierarchical structure to SPL scripts. A case study involvin the mechanisation of roup theory in SPL is also described briefly in this paper. The extensibility of the SPL lan ua e is used so that simpli ers and database query functions are implemented in order to derive certain facts automatically whose proof is usually omitted in the informal mathematical literature. As a result, the proofs implemented in this mechanisation are quite similar (in the number and complexity of proof steps) to those found in the literature. This case study shows that the extensibility of a declarative proof lan ua e is indeed a powerful feature which results in more readable proof scripts. We remark that it was possible to implement the SPL proof checker on top of the HOL system because of the way the HOL system is desi ned. In particular,
On the Implementation of an Extensible Declarative Proof Language
201
1. a Turin complete metalan ua e is available to allow the user to extend the system with new proof procedures and proof environments, and 2. the fact that all HOL theorems are constructed usin the core inference en ine ensures that such extensions are safe. It is possible to implement proof checkers of declarative lan ua es such as SPL on top of other theorem proof environments if they provide these two features. We note that althou h a number of proofs mechanised durin the case study are observed to be similar to their informal counterparts when the number of steps in the proofs are compared, the len th of the symbols in the formal proofs is still much hi her than that of the informal proofs. The authors of informal mathematics very often chan e the syntax of their lan ua e by introducin appropriate notations. It is therefore desirable that one is able to safely modify the term parser of the proof checker durin the mechanisation of a theory, and such a possibility needs to be explored in future. Also, in our case study, the only proof procedures which query the knowled e database are the simpli ers. Possible future work involves the implementation of proof search procedures (i.e., decision procedures) which can query the database. Unfortunately, query database functions are implemented manually in ML, and the possibility of desi nin and usin some hi herleverl lan ua e should be considered. The SPL lan ua e can also be extended by the introduction of theory speci c reasonin items; this feature is not exploited in our case study, and therefore other case studies on mechanisations involvin the use of such extensibility are required in order to evaluate their e ect in practice.
8
Acknowled ements
I would like to thank my supervisor, Simon Thompson, for his supervision and his continuous support on the work presented here, and throu hout the three year period of my PhD. I thanks the anonymous referess for their very helpful and interestin remarks on this paper. I would also like to thank Toshio Nomura of Sharp Labs. of Europe for ivin me the possibility to write this paper.
References [1] Bruno Barras et al. The Coq Proof Assistant Reference Manual. Projet Coq INRIARocquencourt, CNRSENS Lyons, November 1996. (Version 6.1). [2] Anatoli Degtyarev and Andrei Voronkov. What you always wanted to know about rigid Euni cation. Journal of Automated Reasonin , 20(1):47 80, 1998. [3] M. J. C. Gordon and T. F. Melham. Introduction to HOL: A Theorem Provin Environment for Hi her Order Lo ic. Cambridge University Press, 1993. [4] Elsa Gunter. The implementation and use of abstract theories in HOL. In Proceedin s of the Third HOL Users Meetin , Computer Science Department, Aarhus University, Ny Munkegade, Building 540, DK8000 Aarhus C, Denmark, October 1990. Technical Report DAIMI PB 340 (December 1990). [5] J. Harrison. A Mizar mode for HOL. In von Wright et al. [16], pages 203 220.
202
Vincent Zammit
[6] I.N. Herstein. Topics in Al ebra. John Wiley & Sons, New York, 2nd edition, 1975. [7] L. Laibinis. Using lattice theory in higher order logic. In von Wright et al. [16], pages 315 330. [8] David A. Plaisted. Equational reasoning and term rewriting systems. In D. Gabbay, C. Hogger, J. A. Robinson, and J. Siekmann, editors, Handbook of Lo ic in Arti cial Intelli ence and Lo ic Pro rammin , volume 1, chapter 5, pages 273 364. Oxford University Press, Oxford, 1993. [9] Piotr Rudnicki. An overview of the MIZAR project. Available by ftp from menaik.cs.ualberta.ca as pub/Mizar/Mizar_Over.tar.Z., June 1992. [10] Piotr Rudnicki and Andrzej Trybulec. On equivalents of wellfoundedness. Available on the web at http://www.cs.ualberta.ca/~piotr/Mizar/Wfnd/, January 1997. [11] Konrad Slind. Object language embedding in Standard ML of New Jersey. In Proceedin s of the Second ML Workshop held at Carne ie Mellon University, Pittsbur h, Pennsylvania, Septermber 2627, 1991, CMU SCS Technical Report, November 1991. [12] Don Syme. DECLARE: A prototype declarative proof system for higher order logic. Technical Report 416, University of Cambridge Computer Laboratory, New Museums Site, Pembroke Street, Cambridge, CB2 3QG, UK, 1997. [13] Don Syme. Proving Java type soundness. Technical Report 427, University of Cambridge Computer Laboratory, New Museums Site, Pembroke Street, Cambridge, CB2 3QG, UK, 1997. [14] Donald Syme. Declarative Theorem Provin for Operatin Semantics. PhD thesis, University of Cambridge, 1998. Submitted for Examination. [15] A. Trybulec. The MizarQC/6000 logic information language. Bulletin of the Association for Literary and Lin uistic Computin , 6:136 140, 1978. [16] J. von Wright, J. Grundy, and J. Harrison, editors. Proceedin s of the 9th International Conference on Theorem Provin in Hi her Order Lo ics (TPHOLs’96), volume 1125 of Lecture Notes in Computer Science, Turku, Finland, August 1996. Springer. [17] Vincent Zammit. On the Readability of Machine Checkable Formal Proofs. PhD thesis, University of Kent at Canterbury, October 1998. Submitted for Publication. (Currently available on the world wide web at the url: http://www.cs.ukc.ac.uk/people/rpg/vz1/thesis.ps.gz).
Three Tactic Theorem Provin Don Syme Microsoft Research Limited, St. Geor e House, 1 Guildhall Street, Cambrid e, CB2 3NH, UK
Abs rac . We describe the key features of the proof description lanua e of Decl re, an experimental theorem prover for hi her order lo ic. We take a somewhat radical approach to proof description: proofs are not described with tactics but by usin just three expressive outlinin constructs. The lan ua e is declarative because each step speci es its lo ical consequences, i.e. the constants and formulae that are introduced, independently of the justi cation of that step. Lo ical constants and facts are lexically scoped in a style reminiscent of structured prorammin . The style is also heavily inferential , because Decl re relies on an automated prover to eliminate much of the detail normally made explicit in tactic proofs. Decl re has been partly inspired by Mizar, but provides better automation. The proof lan ua e has been desi ned to take advanta e of this, allowin proof steps to be both lar e and controlled. We assess the costs and bene ts of this approach, and describe its impact on three areas of theorem prover desi n: speci cation, automated reasonin and interaction.
1
Declarative Theorem Provin
In erac ive heorem provers combine aspec s of formal speci ca ion, manual proof descrip ion and au oma ed reasoning, and hey allow us o develop machine checked formaliza ions for problems ha do no comple ely succumb o fully au oma ed echniques. In his paper we ake he posi ion ha he role of proof descrip ion in such a sys em is rela ively simple: i mus allow he user o describe how complex problems decompose o simpler ones, which can, we hope, be solved au oma ically. This ar icle examines a par icular kind of declarative proof, which is one echnique for describing problem decomposi ions. The proof descrip ion language we presen is ha of Decl re, an experimen al heorem prover for higher order logic. The language provides he func ionali y described above via hree simple cons ruc s which embody rs order decomposi ion, secondorder proof echniques and au oma ed reasoning. The ac ual implemen a ion of Decl re provides addi ional facili ies such as a speci ca ion language, an au oma ed reasoning engine, a module sys em, an in erac ive developmen environmen (IDE), and o her proof language cons ruc s ha ransla e o hose described here. We describe hese where relevan , bu focus on he essence of he ou lining cons ruc s. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 203 220, 1999. c Sprin erVerla Berlin Heidelber 1999
204
Don Syme
In his sec ion we describe our view of wha cons i u es a declara ive proof language and look a he pros and cons of a declara ive approach. We also make a dis inc ion be ween declara ive and inferen ial aspec s of proof descripion, bo h of which are presen in he language we describe. In Sec ion 2 we describe he hree cons ruc s used in Decl re, and presen a longer example of proof decomposi ion, and Sec ion 3 discusses he language used o specify hin s. Sec ion 4 compares our proof s yle wi h ac ic proof, and summarizes rela ed issues such as au oma ed reasoning and he IDE. Space does no permi ex ensive case s udies o be presen ed here. However, Decl re has been applied o a formaliza ion of he seman ics of a subse of he Java language and a proof of ype soundness for his subse [Sym99]. The purpose of Decl re is o explore mechanisms of speci ca ion, proof and in erac ion ha may even ually be incorpora ed in o o her heorem proving sys ems, and hus complemen hem. 1.1
Back round
This work was inspired by similar languages developed by he Mizar group [Rud92] and Harrison [Har96]. Mizar is a sys em for formalizing general ma hema ics, designed and used by ma hema icians, and a phenomenal amoun of he ma hema ical corpus has been formalized in his sys em. The founda ion is se heory, which pervades he sys em, and proofs are expressed using de ailed ou lines, leaving he machine o ll in he gaps. Once he concre e syn ax is s ripped away, s eps in Mizar proofs are mos ly applica ions of simple deducion rules, e.g. generaliza ion, ins an ia ion, and proposi ional in roduc ion and elimina ion.1 Essen ially our work has been o ransfer a key Mizar idea (proof ou lining) o he se ing of higher order logic heorem proving, use ex ensive auoma ion o increase he size of proof s eps, generalize he no ion of an ou lining cons ruc in a na ural way, re ne he sys em based on some large case s udies and explore he rela ed issues of speci ca ion, au oma ion, in erac ion. This has led o he hree ou lining cons ruc s described in his paper. Some of he o her sys ems ha have mos influenced our work are HOL [GM93], Isabelle [Pau94], PVS [COR+ 95], and Nq hm [KM96]. Many of he speci ca ion and au oma ion echniques we u ilize in Decl re are derived from ideas found in he above sys ems. However, we do no use he proof descrip ion echniques from hese sys ems (e.g. he HOL ac ic language, or PVS s ra egies). 1.2
Declarative and Inferential Proof Description
For our purposes, we consider a cons ruc o be declarative if i s a es explici ly wha e ec is achieved by he cons ruc . Di eren declara ions may specify di eren proper ies of a cons ruc , e.g. ype, mode and behavioral speci ca ions in a programming language. A rela ed ques ion is whe her he cons ruc describes 1
Mizar is a poorly documented system, so our observations are based on some sample Mizar scripts and the execution of the Mizar pro ram.
Three Tactic Theorem Provin
205
how ha e ec is achieved: we will use inferential o describe sys ems ha allow he omission of such de ails and infer hem ins ead. Many sys ems are bo h declara ive and inferen ial, and oge her hey represen an ideal, where a problem s a emen is given in high level erms and a machine is used o infer a solu ion. Inferen ial is inevi ably a rela ive no ion: one sys em is more inferen ial han ano her if he user need specify fewer opera ional de ails. The erm procedural is of en used o describe sys ems ha are no highly inferen ial, and hus ypically no declara ive ei her, i.e. sys ems where signi can de ail is needed o express solu ions, and a declara ive problem s a emen is no given.2 How do declara ive and inferen ial apply o proof descrip ion? For our purposes a declara ive s yle of proof descrip ion is one ha makes he logical resul s of a proof s ep explici : A proof descrip ion s yle is declara ive if he resul s es ablished by a reasoning s ep are eviden wi hou in erpre ing he jus i ca ion given for hose resul s. Surprisingly, mos exis ing s yles of proof descrip ion are plainly not declara ive. For example, ypical HOL ac ic proofs are cer ainly no declara ive, al hough au oma ion may allow hem o be highly inferen ial. Consider he following exrac from he proof of a lemma aken from Norrish’s HOL formaliza ion of he seman ics of C [Nor98]: val wf_type_offset = prove ‘‘8smap sn. well_formed_type smap (Struct sn) ! 8fld t. lookup_field_info (smap sn) fld t ! 9n. offset smap sn fld n‘‘, SIMP_TAC (hol_ss ++ impnorm_set) [offset, definition "choltype" "lookup_field_info", definition "choltype" "struct_info"] THEN REPEAT STRIP_TAC THEN IMP_RES_TAC (theorem "choltype" "well_formed_structs") THEN FULL_SIMP_TAC hol_ss [well_formed_type_THM] THEN FIRST_X_ASSUM SUBST_ALL_TAC THEN ...
Even given all he appropria e de ni ions, we would challenge an experienced HOL user o accura ely predic he shape of he sequen la e in he proof. In an ideal world we would also like a fully inferen ial sys em, i.e. we simply s a e a proper y and he machine proves i au oma ically. For complex proper ies his is impossible, so we ry o decrease he amoun of informa ion required o specify a proof. One very helpful way of es ima ing he amoun of informa ion con ained in a proof is by looking a he dependencies inheren in i : One proof descrip ion s yle is more inferen ial han ano her if i reduces he number of dependencies inheren in he jus i ca ions for proof s eps. To give a simple concre e example, proofs in in erac ive heorem provers (e.g. HOL, PVS and Isabelle) are ypically sensi ive o he order in which subgoals 2
Declarative and inferential ideas are, of course, very common in computin , e. . Prolo and LATEX are examples of lan ua es that aspire to be both declarative and inferential.
206
Don Syme
are produced by an induc ion u ili y. Tha is, if he N induc ion u ili y suddenly produced he s ep case before he base case, hen mos proofs would break. There are many similar examples from exis ing heorem proving sys em, enough ha proofs in hese sys ems can be ex remely fragile, or relian on a lo of hidden, assumed de ail. A major aim of proof descrip ion and applied au oma ed reasoning mus be o elimina e such dependencies where possible. O her examples of such dependencies include: reliance on he orderings of cases, variables, fac s, goals and subgoals; reliance upon one of a number of logically equivalen forms of erms (e.g. n > 1 versus n 2); and reliance on he underspeci ed behavior of proof procedures, such as how names are chosen.
2
Three Constructs for Proof Outlinin
Proofs in Decl re are expressed as ou lines, in a language ha approxima es wri en ma hema ics. The cons ruc s hemselves are no radical, bu our asserion is ha mos proof ou lines can be wri en in hese cons ruc s and heir syn ac ic varian s alone. In o her words, we asser ha for many purposes hese cons ruc s are bo h logically and pragma ically adequa e. Perhaps he mos surprising hing is ha large proof developmen s can indeed be performed in Decl re even hough proofs are described in a rela ively res ric ed language. In his sec ion we shall describe he hree primary cons ruc s of he Decl re proof language. These are: Firs order decomposi ion and enrichmen ; Proof by au oma ion; Applica ion of second order proof principles. 2.1
Reduced Syntax
A simpli ed syn ax of he proof language is shown below, o demons ra e how small i is a i s core. We have omi ed aspec s ha are no relevan for he purposes of his ar icle, including speci ca ion cons ruc s for in roducing new ypes and cons an s wi h various proper ies. These include simple de ni ions, mu ually recursive func ion de ni ions, mu ually recursive xed poin speci ca ions and algebraic da a ypes. Several syn ac ic varia ions of he proof cons ruc s are ransla ed o he given syn ax, as discussed in la er sec ions. Decl re na urally performs name resolu ion and ype inference, he la er occurring in con ex , aking in o accoun all declara ions ha are visible where a erm occurs. Decl re also performs some syn ac ic reduc ion and comparison of erms during proof analysis, as described in Sec ion 2.6. We have lef some cons ruc s of he language unin erpre ed, in par icular he language of jus i ca ions, which is discussed la er in his ar icle. Declara ions also include pragma speci ca ions ha help indica e wha various heorems mean and how hey may be used by he au oma ed reasoning engine. Finally, he erms and ypes are hose of higher order logic as in he HOL sys em, ex ended wi h pa ern ma ching as described in [Sym99].
Three Tactic Theorem Provin
207
Article = Decl * Decl = thm Label "term" proof Proof end  ... (other speci cation lan ua e constructs) Proof = qed Justi cation  cases Justi cation Case* end  schema Label over Label varyin Local * Case* Justi cation = by Hint* Case = case [Label ] Enrichment* : Proof Enrichment = [locals Local *] Fact* Local = ident [: type] Fact = "term" [Label ] Label =
We consider a seman ics describing proof checking for his language in Appendix A. 2.2
An Example
We will use a Decl re proof of he following proposi ion o illus ra e he rs wo cons ruc s of he proof language: Assume n N is even, and ha whenever m is odd, n m is even, ignoring any remainder. Then he remainder of n m is always even. We assume ha our au oma ed reasoner is powerful enough o do some ari hme ic normaliza ion for us, e.g. collec ing linear erms and dis ribu ing mod over + ( his is done by rewri ing agains Decl re’s s andard library of heorems and i s buil in ari hme ic procedures). We also assume he exis ence of he following heorems abou even, odd and modulo ari hme ic. <even>  even(n) = k. n=2*k  odd(n) = k. n=2*k+1 <even_or_odd>  even(n) odd(n)  m > 0 ( d r. n=d*m+r
r<m)
A Decl re proof of his proper y is shown below. The cons ruc s used and heir meanings are explained in he following sec ions. thm <mythm> if "m > 0" "odd(m) even(n/m)" <m> "even(n)" then "even(n mod m)" < oal>; proof consider d, r st "n = d*m + r" "r < m" by ; have "d = n/m" "r = n mod m";
208
Don Syme
consider n’ st "n = 2*n’" by <even>,; cases by <even_or_odd> ["m"] case "even(m)" : consider m’ st "m=2*m’" by <even>; have "r = 2*(n’d*m’)"; qed by <even>,< oal>; case "odd(m)" : consider d’ st "r = 2*(n’d’*m)" by <m>,<even>; qed by <even>,< oal>; end; end;
2.3
Problem Introduction
A Decl re proof begins wi h he s a emen of a problem, in roduced using some varian of he thm declara ion. The example from he previous sec ion uses he one shown in Table 1. This varian allows us o begin our proof in a convenien ly decomposed form, i.e. wi hou ou er universal quan i ers and wi h fac s and goals already named. External Form thm label if facts then proof mainproof end
oals
(simpli ed problem introduction)
V
Internal Form thm label "8vars. ( facts) ! ( proof cases by < oal> case locals vs facts oals −1 : mainproof end end
W
oals)"
where vars = free symbols in facts, oals and oals −1 = oals with each term ne ated
Table 1. Syn ac ic varia ion for Decl wi h he equivalen primi ive form.
2.4
Construct 1: First Order Decomposition and Enrichment
Enrichment is he process of adding fac s, goals and local cons an s o an environmen in a logically sound fashion. Mos s eps in vernacular proofs are enrichmen s eps, e.g. consider d and r such ha n = d m + r and r m. The example above illus ra es how his ransla es in o Decl re’s syn ax. An enrichmen s ep has a corresponding proof obliga ion ha cons an s exis wi h he given proper ies. The obliga ion for his s ep is " d r. n=d*m+r r < m". This kind of enrichmen is forward reasonin . When goals are rea ed as nega ed fac s, backward reasonin also corresponds o enrichmen . For example if our goal is x ( b x = 4b) even(x) hen he vernacular given b and x such ha x = 4b hen by he de ni ion of even i su ces o show c 2 c = x is
Three Tactic Theorem Provin External Form consider vars st facts justi cation; mainproof (inline introduction) have facts justi cation; mainproof (inline assertion) let id = "term"; mainproof (inline de nition) sts oal justi cation; mainproof (inline backward reasonin )
209
Internal Form cases justi cation case locals vars facts : mainproof end cases justi cation case facts : mainproof end cases case locals id "id = term" : mainproof end; cases justi cation case oal −1 : mainproof end; where oal −1 = oal with the term ne ated
Table 2. Syn ac ic varia ions for Proof wi h equivalen primi ive forms. an enrichmen s ep ( his example is no aken from he larger example above). Based on an exis ing goal, we add wo new local cons an s b and x, a new goal c 2 c = x and a new fac x = 4b. In Decl re we can use +/ o indica e new fac s/goals respec ively (goals are rea ed as nega ed fac s), and we have: consider b,x such that + "x = 4*b"  " c. 2*c = x" by < oal>; // obli ation " b x. x=4*b
c. 2*c=x"
Decomposition is he process of spli ing a proof in o several cases. We combine decomposi ion and enrichmen via he cases cons ruc , and an example can be seen in Sec ion 2.2. For each decomposi ion/enrichmen here is a proof obliga ion ha corresponds o he defaul case of he spli , where we may assume each o her case does no apply. Syn ac ically, he locals declara ion for each enrichmen can be omi ed, as new symbols are assumed o be new local cons an s. The cons ruc is very general, and some highly useful varian s are ransla ed o i as shown in Table 2, including asser ion, abbrevia ion, and he linear forms of enrichmen seen above. These forms assume he au oma ed prover can, as a minimum, decide he rivial forms of rs order equa ional problems ha arise as proof obliga ions in he ransla ions. For example, v v = t is he proof obliga ion for he let cons ruc , where v is no free in t. General speci ca ion cons ruc s could also be admi ed wi hin enrichmen s, e.g. o de ne local cons an s by xed poin s. Decl re does no implemen hese wi hin proofs. 2.5
Construct 2: Appeals to Automation
A he ips of a problem decomposi ion we nd appeals o au oma ed reasoning o ll in he gaps of an argumen , deno ed by qed in he proof language. A se of hin s (also called a justi cation) is provided o he engine. We shall discuss
210
Don Syme
he jus i ca ion language of hin s in he Sec ion 3. The au oma ed reasoning engine is rea ed as an oracle, hough of course he in en ion is ha i is sound wi h respec o he axioms of higher order logic. 2.6
Construct 3: Second Order Schema Application
In principle, decomposi ion/enriching and au oma ed proof wi h jus i ca ions are su cien o describe any proof in higher order logic, assuming a modicum of power from he au oma ed engine (e.g. ha i implemen s he 8 primi ive rules of higher order logic described by Gordon and Melham [GM93], and can decide proposi ional logic). However, we have found i useful o add one fur her cons ruc for induc ive argumen s. The general form we have adop ed is secondorder schema application, which can encompass s ruc ural, rule and wellfounded induc ion and o her echniques. Why is his cons ruc needed? We consider a ypical proposi ion proved by induc ing over he s ruc ure of a par icular se . Assume typ list exp hastype typ is an induc ive rela ion de ned by he four rules over a erm s ruc ure as shown in Appendix B. Our example heorem s a es ha subs i u ion of wellyped values preserves ypes (we omi he de ni ion of subs i u ion): thm <subst_safe> if "[] v hastype xty" "len(E ) = n" "(E @[xty]) e hastype ty" then "E (subst n e v ) hastype ty";
The induc ion predica e ha we desire is: P =
E e ty.
n. len E = n
E
(subst n e v) hastype ty
One of our aims is o provide a mechanism o specify he induc ion predica e in a na ural way. No e i is essen ial ha n be universally quan i ed, because i is necessary o ins an ia e i wi h di eren values in di eren cases of he induc ion. Likewise E , e and ty also vary . Fur hermore, because v and xty do no vary, i is be er o leave ou of he induc ion predica e o avoid ex ra an eceden s o he induc ion hypo hesis. I is possible o use decomposi ion along wi h an explici ins an ia ion o express an induc ive decomposi ion. thm <subst_safe> if "[] v hastype xty" then " E e ty. (E @ [xty]) e hastype ty len E = n E (subst n e v) hastype ty" < oal> proof let "ihyp E e ty = n. len E = n E (subst n e v) hastype ty";
Three Tactic Theorem Provin cases by case + ... case + + + + ... end; end;
211
["ihyp"], < oal> "ihyp ([dty]@(E @[xty])) bod rty" "ihyp E (Lam dty bod ) (FUN dty rty)" : "e = App f a" "ihyp (E @[xty]) f (FUN dty ty)" "ihyp (E @[xty]) a dty" : "len E = n" "E (subst n e v ) hastype ty" :
The induc ion heorem has been explicitly instantiated, a mechanism available in he language of jus i ca ions discussed in Sec ion 3. Two rivial cases of he proof have been subsumed in he decomposi ion i self (see Sec ion 2.8 he cases in ques ion correspond o he rules Int and Var in Appendix B). For he o her wo cases we have lis ed he available induc ion hypo heses explici ly, a wo di eren dep hs of expansion in he second case we have revealed more of he s ruc ure of he goal. This approach is some imes accep able. I s advan ages include flexibili y, because simple cases may be omi ed al oge her; con rol, because we name he fac s and cons an s in roduced on each branch of he induc ion; and explici ness, which can be helpful for readabili y and he ool environmen . I s disadvan ages are an unna ural formula ion of he original problem; he unnecessary repe i ion of induc ion hypo heses; a rela ively complex proof obliga ion; and poor feedback because i is non rivial o provide good feedback if he user makes a mis ake when recording he hypo heses. We now show how he proof appears using he schema cons ruc of he Decl re proof language. thm <subst_safe> if "[] v hastype xty" "len(E ) = n" "(E @[xty]) e hastype ty" then "E (subst n e v ) hastype ty"; proof schema over varyin n,E ,ty,e case : ... case : ... case "e = Lam dty bod " "ty = FUN dty rty" "ihyp ([dty]@(E @[xty])) bod rty" : ... case <App> "e = App f a" "ihyp (E @[xty]) f (FUN dty ty)" "ihyp (E @[xty]) a dty" :
212
Don Syme ...
end; end;
Ac ually, a li le simpler is he induct varian of he schema cons ruc , which chooses a defaul induc ion principle based on he predica e used o de ne he induc ive se . The rs line of he proof could have been wri en: induct over varyin
n,E ,ty,e
Thus Decl re provides one very general cons ruc for decomposing problems along syn ac ic lines based on a secondorder proof principle, along wi h some simple varian s. The induc ion predica e is de ermined au oma ically by indica ing hose local cons an s V ha vary during he induc ion. E ec ively we ell Decl re o reformula e he problem so some local cons an s become universally quan i ed, and hen apply he induc ion principle. The induc ion hypo hesis is hus he conjunc ion of all he axioms in he curren logical conex ha con ain a member of V . This gives a declara ive speci ca ion of he induc ion predica e wi hou con or ing he ini ial speci ca ion of he problem. The schema mus be a fac in he logical environmen of he form: ( v1 ihyps1
P v1 )
( vn ihypsn
P vn )
( v R[v]
P v)
Equa ional cons rain s are encoded in he induc ion hypo heses, and he fac deno ed using over mus be an ins ance R[t] of R[v] for some t. If N is an induc ive subse of a ype for Z, hen he schema would be: ( i. i=0
P i)
( i. ( k. i=k+1
P k)
P i)
( i. i
N
P i)
The induct form where he schema is implici from a erm or fac is mos common, however he general mechanism above allows he user o prove and use new induc ion principles for cons ruc s ha were no explici ly de ned induc ively, and allows several proof principles o be declared for he same logical cons ruc . Each an eceden of he induc ive schema genera es one new branch of he proof, so no subsump ion is possible. For each case: If no fac s are given, hen he ac ual hypo heses (i.e. hose speci ed in he schema) are lef implici : hey become au oma ic unlabelled fac s used by he au oma ed prover. If fac s are given, hey are in erpre ed as purpor ed hypo heses and synac ically checked o ensure hey correspond o he ac ual hypo heses (see [Sym99] for de ails). The seman ics of he cons ruc are described in full in Appendix A. 2.7
Issues Relatin to Second Order Schema Application
Wri ing ou he induc ion predica e is imeconsuming and errorprone. The macro ihyp can be used o s and for he induc ion predica e he user does no have o de ne his predica e explici ly.
Three Tactic Theorem Provin
213
I is of en necessary o s reng hen a goal or weaken some assump ions before using induc ion. This can of en be done simply by s a ing he original goal in his way, bu in a nes ed proof we ypically prove ha he s ronger goal is su cien ( his is usually rivial), and before we perform an induc ion we purge he environmen of he now irrelevan original goal, o avoid unnecessary condi ions being included in he induc ion predica e. This means adding a discarding cons ruc o he proof language. Discarding fac s breaks he mono onici y proof language, so o minimize i s use we have chosen o make i par of he induc ion cons ruc . Our case s udies sugges i is only required when signi can reasoning is performed before he induc ion s ep of a proof, which is rare. A nal wis on he whole proof language ha comes when describing muually recursive induc ive proofs is described in [Sym99]. Essen ially we need o modify he language o accommoda e mul iple (conjoined) goals, if he s yle of he proof language is o be preserved. 2.8
A Lon er Example of Decomposition/Enrichment
We now look a a longer example of he use of enrichmen /decomposi ion, o demons ra e he flexibili y of his cons ruc . The example is similar o several ha arose in our case s udies, bu has been modi ed o demons ra e several poin s. Assume:
;
c0 is de ned by many rules (say 40). The induc ive rela ion c c akes a par icular form (A(a b) s) a he curren poin in our proof. Only 8 of he rules apply when c is of his form, and of hese, 5 represen (E(val ) s). The las 3 possible ransi ions are excep ional ransi ions c given by:
;
(a s)
; (v s ) 0
(A(a b) s)
(b s)
; (v s )
; (v s )
We are rying o prove ha
0
0
(A(a b) s)
; (a s)
(A(a b) s)
he predica e cf ok is an invarian of
type exp = A of exp * exp  E of strin thm "cf _ok (t,s) match t with A(x,y) > term_ok(s,x)  E(str) > state_ok(s)"; thm if "c c’" "c = (A(a,b),s)" "cf _ok c" then "cf _ok c’";
; (b s)
;:
state_ok(s)
;
No e he proof will be rivial in he case of he excep ional ransi ions, since he s a e is unchanged. So, how do we formula e he case analysis? Do we have o wri e all 40 cases? Or even all 8 which apply syn ac ically? No  we need specify only he in eres ing cases, and le he au oma ed reasoner deduce ha he o her cases are rivial:
214
Don Syme
;
cases by < .cases> [], , < oal> case "c’ = (v, s’)" "t = a t = b" "(t,s) > c’" : rest of proof ; case "c’ = (t, s)" "t = a t = b" : rest of proof ; end;
The hin s given o he au oma ed reasoner are explained fur her in Sec ion 3. The key poin is ha he s ruc ure of he decomposi ion does not have o ma ch he s ruc ure inheren in he heorems used o jus ify i (i.e. he s ruc ure of he rules). There mus , of course, be a logical ma ch ha can be discovered by he au oma ed engine, bu he user is given a subs an ial amoun of flexibili y in how he cases are arranged. He/she can:
;
can Subsume trivial cases. 37 of he 40 cases inheren in he de ni ion of be subsumed in jus i ca ion of he spli . Maintain disjunctive cases. Many in erac ive spli ing ools would have genera ed wo cases for he rs rule shown above, by au oma ically spli ing he disjunc . However, he proof may be basically iden ical for hese cases, up o he choice of t. Subsume similar cases. S ruc urally similar cases may be subsumed in o one branch of he proof by using disjunc s, as in he second case. This is, in a sense, a form of fac oriza ion. As in ari hme ic, helpful fac oriza ions are hard for he machine o predic , bu rela ively easy o check. The user can use such echniques o spli he proof in o chunks ha are of approxima ely equal di cul y, or o dispose of many rivial lines of reasoning, much as in wri en ma hema ics.
3
Justi cations and Automated Reasonin
Our language separa es proof outlinin from automated reasonin . We adop he principle ha hese are separa e ac ivi ies and ha he proof ou line should be independen of complica ed rou ines such as simpli ca ion. The link be ween he wo is provided by justi cations. A spec rum of jus i ca ion languages is possible. For example, we migh have no language a all, which would assume he au oma ed engine can draw useful logical conclusions e cien ly when given no hing bu he en ire logical environmen . Al erna ively we migh have a language ha spells ou deduc ions in grea de ail, e.g. he forward inference rules of an LCFlike heorem prover. I may also be useful o have domain speci c cons ruc s, such as variable orderings for model checking. Decl re provides a small se of general jus i ca ion cons ruc s ha were adequa e for our case s udies. The cons ruc s allow he user o:
Three Tactic Theorem Provin
215
Highligh fac s from he logical environmen ha are par icularly relevan o he jus i ca ion; Specify explici ins an ia ions and resolu ions; Specify explici casespli s; These cons ruc s are qui e declara ive and correspond o cons ruc s found in vernacular proofs. Fac s are hi hli hted in wo ways: By quo ing heir label By never giving hem a label in he rs place, as unlabelled fac s are rea ed as if hey were highligh ed in every subsequen proof s ep. The exac in erpre a ion of highligh ing is de ermined by he au oma ed engine, bu he general idea is ha highligh ed fac s mus be used by he au oma ed engine for he purposes of rewri ing, decision procedures, rs order search and so on. Di cul proofs of en become rac able by au oma ion if a few explicit instantiations of rs order heorems are given. Fur hermore, his is an essen ial debugging echnique when problems are no immedia ely solvable: providing ins an ia ions usually simpli es he feedback provided by he au oma ed reasoning engine. In a declara ive proof language he ins an ia ions are usually easy o wri e, because erms are parsed incon ex and convenien abbrevia ions are of en available. Formal parame ers of he ins an ia ions can be ei her ype direc ed of explici ly named, and ins an ia ions can be given in any order. For example, consider he heorem <subst safe> from Sec ion 2.6. When using his heorem a sui able ins an ia ion direc ive may be: qed by <subst_safe> ["[]", "0", "xty"/xty];
We have one named and wo ypedirec ed ins an ia ions. Af er processing he named ins an ia ion ve ins an iable slo s remain: e,v,E ,n and ty. Types give he ins an ia ions E [] and n 0 and he nal fac : e v ty [] v hastype xty len [] = 0 [] (subst 0 e v) hastype ty
([]@[xty])
e hastype ty
Explicit resolution is a mechanism similar in spiri o explici ins an ia ion. I combines ins an ia ion and resolu ion and allows a fac o elimina e an appropria e unifying ins ance of a li eral of opposi e polari y in ano her fac . We migh have: have "[] e2 hastype xty" <e2_types> by ... qed by <subst_safe> ["0", <e2_types>];
The jus i ca ion on he las line gives rise o he hin : e v ty true len [] = 0 ([]@[xty]) [] (subst 0 e v) hastype ty
e hastype ty
Decl re checks ha here is only one possible resolu ions. One problem wi h his mechanism is ha , as i s ands in Decl re, uni ca ion akes no accoun
216
Don Syme
of ground equa ions available in he logical con ex , and hus some resolu ions do no succeed where we would expec hem o. Explicit case splits can be provided by instantiatin a disjunctive fact, rule case analysis, or structural case analysis. Rule case analysis accep s a fac indica ing membership of an induc ive rela ion, and genera es a fac ha speci es he possible rules ha migh have been used o derive his fac . S ruc ural case analysis ac s on a erm belonging o a free algebra (i.e. any ype wi h an abs rac da a ype axiom): we genera e a disjunc ive fac corresponding o case analysis on he cons ruc ion of he erm.
4
Assessment
We now look a he proper ies of he proof language we have described and compare i wi h o her me hods of proof descrip ion. The language is essen ially based on decomposin and enrichin he logical environmen . This means he environmen is monotonically increasin along any par icular branch of he proof Tha is, once a fac becomes available, i remains available.3 The user manages he environmen by labelling fac s and goals, and by specifying meaningful names for local cons an s. This allows coheren reasoning wi hin a complica ed logical con ex . Mechanisms for brevity are essen ial wi hin declara ive proofs, since a rela ively large number of erms mus be quo ed. Decl re a emp s o provide mechanisms so ha he user need never quo e a par icular erm more han once wi h a proof. For example one di cul y is when a formula mus be quo ed in bo h a posi ive and a nega ive sense (e.g. as bo h a fac and an an eceden o a fac ): his happens wi h induc ion hypo heses, and hus we in roduced ihyp macros. O her mechanisms include local de ni ions; ype checking in con ex ; and s a ing problems in sequen form. When using he proof language, he user of en declares an enrichmen or decomposi ion, giving he logical s a e he/she wan s o reach, and only s a es how o ge here in high level erms. The user does no specify he syn ac ic manipula ions required o ge here, excep for some hin s provided in he jus ica ion, via mechanisms we have ried o make as declara ive as possible. Of en he jus i ca ion is simply a se of heorem names. 4.1
Comparison
Exis ing heorem provers wi h s rong au oma ion, such as BoyerMoore [RJ79], e ec ively suppor a kind of declara ive/inferen ial proof a he op level he user conjec ures a goal and he sys em ries o prove i . If he sys em fails, hen he user adds more de ails o he jus i ca ion and ries again. Decl re ex ends his approach o allow declara ive decomposi ions and lemmas in he in ernals of a proof, hus giving he bene s of scope and locali y. 3
There is an exception to this rule: see Section 2.6
Three Tactic Theorem Provin
217
One radi ional form of proof descrip ion uses ac ics [MRC79]. In principle ac ics simply decompose a problem in a logically sound fashion. In prac ice ac ic collec ions embody an in erac ive s yle of proof ha proceeds by syn acic manipula ion of he sequen and exis ing op level heorems. The user issues proof commands like simplify he curren goal , do induc ion on he rs universally quan i ed variable or do a case spli on he second disjunc ive formula in he assump ions . A major disadvan age is ha he sequen quickly becomes unwieldy, and he s yle discourages he use of abbrevia ions and complex case decomposi ions. A po en ial advan age of ac ics is programmabili y, bu in reali y userde ned ac ics are of en examples of arcane adhoc programming in he ex reme. Finally, many declara ive sys ems allow access o a procedural level when necessary. One migh cer ainly allow his in a declara ive heorem proving sysem, e.g. via an LCFlike programmable in erface. I would be good o avoid ex ending he proof language i self, bu one could imagine adding new plugin procedures o he au oma ed reasoning engine and jus i ca ion language via such echniques. 4.2
Pros and Cons
Some bene s of a declara ive approach are: Simplicity. Proofs are described using only a small number of simple cons ruc s, and he obliga ions can be genera ed wi hou knowing he behavior of a large number of ac ics. Readability. The declara ive ou line allows readers o skip sec ions hey aren’ in eres ed in, bu s ill unders and wha is achieved in hose sec ions. Reusability. Declara ive con en can of en be reused in a similar se ing, e.g. he same proof decomposi ion s ruc ure can, in principle, be used wi h many di eren au oma ed reasoning engines. Tool Support. An explici charac eriza ion of he logical e ec of a cons ruc can of en be exploi ed by ools, e.g. for error recovery and he in erac ive debugging environmen . See [Sym98] for a descrip ion of an in erac ive environmen for Decl re, and a de ailed explana ion of how a declara ive proof s yle allows proof naviga ion, po en ially leading o more e cien proof debugging. A declara ive ou line does no , of course, come for free. In par icular, new fac s mus be s a ed explici ly. Procedurally, one migh describe he syn ac ic manipula ions (modusponens, specializa ion e c.) ha lead o he produc ion of hose fac s as heorems, and his may be more succinc in some cases. This is he primary drawback of declara ive proof. Decl re proofs are no only declara ive, bu also highly inferen ial, as he au oma ed prover is lef o prove many obliga ions ha arise. The bene s of a highly inferen ial sys em are also clear: brevi y, readabili y, reusabili y and robus ness. The cos associa ed wi h an inferen ial sys em is, of course, ha he
218
Don Syme
compu er mus work ou all he de ails ha have been omi ed, e.g. he syn ac ic manipula ions required o jus ify a s ep deduc ively. This is cos ly bo h in erms of machine ime and he complexi y of he implemen a ion. Proofs in Decl re are rela ively independen of a number of fac ors ha are radi ional sources of dependency in ac ic proofs. For example, Isabelle, HOL and PVS proofs frequen ly con ain references o assump ion or subgoal numbers, i.e. indexes in o lis s of each. The proofs are sensi ive o many changes in problem speci ca ion where corresponding Decl re proofs will no be. In Decl re such changes will al er he proof obliga ions genera ed, bu of en he obliga ions will s ill be discharged by he same jus i ca ions. To summarize, declara ive heorem proving is abou making he logical e ec of proof s eps explici . Inferen ial heorem proving is abou s rong au oma ed reasoning and simple jus i ca ions. These do no come for free, bu in he balance we aim o achieve bene s ha can only arise from a declara ive/inferen ial approach.
References [COR+ 95] Judy Crow, Sam Owre, John Rushby, Natarajan Shankar, and Mandayam Srivas. A tutorial introduction to PVS. In Proceedin s of the Workshop on IndustrialStren th Formal Speci cation Techniques, Baco Raton, Florida, 1995. [GM93] M.J.C Gordon and T.F Melham. Introduction to HOL: A Theorem Provin Environment for Hi her Order Lo ic. Cambrid e University Press, 1993. [Har96] J. Harrison. A Mizar Mode for HOL. In J. Von Wri ht, J. Grundy, and J. Harrison, editors, Ninth international Conference on Theorem Provin in Hi her Order Lo ics TPHOL, volume 1125 of Lecture Notes in Computer Science, pa es 203 220, Turku, Finland, Au ust 1996. Sprin er Verla . [KM96] Matt Kaufmann and J. Strother Moore. ACL2: An industrial stren th version of Nqthm. COMPASS Proceedin s of the Annual Conference on Computer Assurance, pa es 23 34, 1996. IEEE catalo number 96CH35960. [MRC79] M.J.C. Gordon, R. Milner, and C.P. Wadsworth. A Mechanized Lo ic of Computation, volume 78 of Lecture Notes in Computer Science. Sprin erVerla , New York, 1979. [Nor98] Michael Norrish. C Formalized in HOL. PhD thesis, University of Cambrid e, Au ust 1998. [Pau94] L.C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of Lecture Notes in Computer Science. Sprin er Verla , 1994. [RJ79] R.S. Boyer and J.S. Moore. A Computational Lo ic Handbook. Academic Press, 1979. [Rud92] P. Rudnicki. An overview of the MIZAR project, 1992. Unpublished; available by anonymous FTP from menaik.cs.ualberta.ca as pub/Mizar/Mizar Over.tar.Z. [Sym98] Don Syme. Interaction for Declarative Theorem Provin , December 1998. Available from http://research.microsoft.com/users/dsyme. [Sym99] Don Syme. Declarative Theorem Provin for Operational Semantics. PhD thesis, University of Cambrid e, Computer Laboratory, January 1999. Available from http://research.microsoft.com/users/dsyme.
Three Tactic Theorem Provin
A
219
A Semantics
A lo ical environment or theory Γ contains: A si nature of type and term constants; A set of axioms, each of which are closed hi her order lo ic terms. Lo ical environments must always be wellformed: i.e. all their terms must typecheck with respect to their si nature. Axioms are named (label prop). We can add ( ) a fra ment of a lo ical environment to another environment. These fra ments specify new types, constants and axioms. We assume the existence of a lo ical environment Γ0 containin the theory of all standard propositional and rst order connectives, and other axioms of hi her order lo ic. The jud ment Decls Γ indicates that the iven declarations establish Γ as a conservative extension of a minimal theory of hi her order lo ic. The jud ment Γ Decl : Γfra is used to elaborate sin le declarations. Decls Γ Γ Decl : Γfra []
Γ0
Decls; Decl
Γ
prop is a closed term of type bool Γ (" oal" prop) proof thm prop proof : (lab prop)
X
Γfra
Γ
The label " oal" is used to represent the obli ation: in reality problems are speci ed with a derived construct in decomposed form, so this label is not used. The relation Γ proof indicates that the proof establishes a contradiction from the information in Γ , as iven by the three rules below. However rst some de nitions are required:
X
Enrichin an environment. Γ
(locals c1 Γ c1 ci
ci ; fact 1 (lab 1 fact 1 )
fact j ) = (lab j fact j )
There may be no free variables in f act1 f actj besides c1 The obli ation for an enrichment to be valid. oblig(locals c1
ci ; fact 1
fact j ) = c1
ci .
ci fact 1
fact j
In the r.h.s, each use of a symbol ci becomes a variable bound by the quanti cation. Discardin . Γ − labels = Γ without axioms speci ed by labels Factorizin . Γ V = the conjunction of all axioms in Γ involvin any of the locals speci ed in V . When the construct is used below, each use of a local in V becomes a variable bound by the quanti cation that encompasses the resultin formula.
Decomposition/Enrichment proof = cases proof 0 case lab 1 enrich 1 proof 1
Γ i
case lab n enrich n proof n end (lab 1 oblig(enrich 1 ) (lab n n Γ enrich i proof i Γ proof
X
X
oblig(enrich n )
proof 0
X
220
Don Syme
Automation prover(Γ hints(Γ )) returns yes Γ qed by hints
X
Schemas proof = schema schemalabel over factlabel varyin V discardin discards case lab 1 enrich 1 : proof 1 case lab n enrich n : proof n end Γ 0 = Γ − discards Γ 0 (schemalabel ) = P ( v ihyps1 P (v)) ( v ihypsn ( v Q(v)
V
Γ 0 (factlabel ) = Q(t) ipred = v V ( (v = t)) Γ 0 V 00 static matchin determines that v (v = t) ihypsi [ipred P ]
P (v)) P (v))
V
Γ0
enrich i
proof i
X
( 1 i n) Γ proof
oblig(enrich i ) ( i 1
i
n))
X
The conditions specify that: The proof bein considered is a secondorder schema application of some form; The iven axioms are discarded from the environment (to simplify the induction predicate); schemalabel speci es a schema in the current lo ical context of the correct form; factlabel speci es an instance of the inductive relation speci ed in the schema for some terms t. These terms may involve both locals in V and other constants.; The induction predicate is that part of the lo ical environment speci ed by the variance. If the terms t involve locals in the variance V then they become bound variables in this formula. Matchin : the enerated hypotheses must imply the purported hypotheses. Each subproof must check correctly.
B
Typin Rules for the Induction Example
"E ` (Int i) hastype INT"
"i < len(E ) ^ ty = el(i)(E )" "E ` (Var i) hastype ty"
"[dty]@E ` bod hastype rty" "E ` (Lam dty bod) hastype (FUN dty rty)"
<App>
"E ` f hastype (FUN dty rty) ^ E ` a hastype dty" "E ` (f % a) hastype rty";
Mechanized Operational Semantics via (Co)Induction Simon J. Ambler and Roy L. Crole Leicester University, Leicester LE1 7RH, U.K.
Abs rac . We ive a fully automated description of a small pro rammin lan ua e PL in the theorem prover Isabelle98. The lan ua e syntax and semantics are encoded, and we formally verify a ran e of semantic properties. This is achieved via uniform (co)inductive methods. We encode notions of bisimulation and contextual equivalence. The main ori inal contribution of this paper is a fully automated proof that PL bisimulation coincides with PL contextual equivalence.
1
Introduction
The design of new programming languages which are wellprincipled, reliable and expressive is an impor an goal of Compu er Science. Seman ics has a role o play here, in ha i provides a rm basis for es ablishing he proper ies and behaviour of language fea ures and programs. A number of advances in he me hods of opera ional seman ics have been made over he las few years, in par icular, in he s udy of higher order opera ional seman ics and program equivalences many of hese advances are de ailed below. In his paper we make a con ribu ion by considering mechanized suppor for reasoning abou opera ional seman ics. In par icular, we specify and verify proper ies of a core language, using ac ical veri ca ion wi hin he heorem prover Isabelle98 [Pau94b]. We give a presen a ion in which he concep s are expressed as uniformly as possible using he framework for (co)induc ive de ni ions wi hin IsabelleHOL. We hope ha he key principles of our me hodology are su cien ly flexible ha hey can be adap ed o new languages, provided ha heir seman ics can be given using induc ive and coinduc ive de ni ions. One framework for giving formalized seman ic speci ca ions is he s ruc ured opera ional seman ics (SOS) in roduced by Plo kin [Plo81]. This allows high level speci ca ion of programming languages, abs rac ing from machine level de ail. I is possible o presen he full seman ics of a non rivial language in his form (for example [MMH97, Cro97]). SOS allows reasoning abou programs and language proper ies, such as he veri ca ion ha program execu ion is de erminis ic or ha execu ion respec s he ype discipline (for example [CG99, Gor95a, Pi 97]). A a more re ned level, one migh wan o reason abou he equivalence of differen programs or heir ermina ion proper ies. This sor of reasoning is an essen ial basis for program re nemen echniques and for verifying compiler opimiza ion s eps. Con ex ual equivalence is a useful and in ui ive no ion of program equivalence: wo programs are regarded as equivalen if hey behave in he Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 221 238, 1999. c Sprin erVerla Berlin Heidelber 1999
222
Simon J. Ambler and Roy L. Crole
same way in all possible si ua ions. Abramsky’s applica ive bisimula ion gives a no ion of program equivalence in he lazy calculus [Abr90] and in fac his can be adap ed o give a general no ion of program equivalence. In more general si ua ions, applica ive bisimula ion of en implies con ex ual equivalence (*); and for some languages he wo no ions coincide. Howe [How89] showed ha bisimilari y is a congruence his essen ially means we can reason abou bisimilari y using simple algebraic manipula ions. The idea is ha con ex ual equivalence is a natural way o compare programs bu i is di cul o es ablish. As no ed above (*), i is of en su cien o show bisimilari y and his is frequen ly more rac able. So we can show wo programs o be con ex ually equivalen by ins ead showing hey are bisimilar. These sor s of resul s have been ob ained for a varie y of languages such as PCFL [Pi 97], a func ional language wi h IO [CG99], he Objec calculus of Abadi and Cardelli [AC96, GHL97], and he linear calculus [Bie97, Cro96]. The papers [Las98, MT91, Pi 98] discuss when varian s of he s andard heories apply. A key s ep owards urning hese heore ical developmen s o prac ical advan age is o produce ools which correc ly embody he heory. Over he las 10 o 15 years, au oma ed suppor has been developed in packages such as Isabelle and HOL [MG93]. Recen ly, a number of people have made advances in semanic veri ca ion. Syme has mechanized a proof of ype soundness for a fragmen of Java [Sym97b] using DECLARE [Sym97a]; a similar veri ca ion has been made by Nipkow and von Oheimb [NvO98] wi hin IsabelleHOL. B¨ orger and Schul e [BS98] have used ASMs o formalize a Java fragmen . Collins and o hers [CG94, MG94, Sym93] have coded fragmen s of S andard ML in HOL. Nipkow has veri ed he equivalence of al erna ive seman ic presen a ions of a simple impera ive language [Nip98], and Ber o and Fraer [BF96] have used COQ o verify he correc ness of ransforma ions for a rela ed language. There is also a body of work on he au oma ed veri ca ion of ype heory proper ies which are less direc ly concerned wi h he issues of programming language seman ics. Al enkirch has given a proof of s rong normaliza ion of Sysem F in he LEGO heorem prover [Al 93], and Coquand has shown normalizaion for simply yped lambda calculus wri en in ALF [Coq92]. The calculus has been encoded in he Calculus of Cons ruc ions by Hirschko [Hir97]. Our con ribu ion is o provide, wi hin IsabelleHOL, he opera ional semanics of a small programming language called PL oge her wi h a fully mechanized account of program equivalence in PL. In par icular, we de ne he no ions applica ive bisimula ion and con ex ual equivalence for his language and use Howe’s me hod o prove ha hese coincide. This is he rs ime, as far as we are aware, ha such a proof has been fully mechanized. Each cons i uen par of PL is encoded as a heory. Each heory gives rise o new HOL de niions, oge her wi h in roduc ion and elimina ion rules. We make subs an ial use of he Isabelle packages for da a ypes, induc ion and coinduc ion. Overall, our mechaniza ion speci es PL ypes, expressions, a ype assignmen sys em,
Mechanized Operational Semantics via (Co)Induction
223
an opera ional evalua ion seman ics, Kleene equali y of programs, a divergence predica e, con ex ual equivalence, and bisimilari y. We have formally veri ed : determinism of evaluation, type soundness, con ruence of bisimilarity, and he coincidence of bisimilarity and contextual equivalence, oge her wi h a number of examples of proper ies of par icular programs. The heories produced and he dependencies be ween hem are summarized in Figure 1. The paper proceeds as follows. In Sec ion 2 we give a ma hema ical framework for induc ion and coinduc ion. Each of our Isabelle encodings can be seen as an ins ance of one of he de ni ions from his framework. The idea is ha his enables us o give a uniform accoun of each of he many induc ive and coinduc ive de ni ions which appear in his paper. In Sec ion 3 we describe he syn ax of a small programming language PL, and i s ype sys em. In Sec ion 4 we provide an opera ional seman ics. In Sec ion 5 we de ne a no ion of similari y and hence bisimilari y for PL. In Sec ion 6 we de ne a binary rela ion (due o Howe [How89]) which is used o facili a e proofs in Sec ion 8. In Sec ion 7 we encode program divergence, which is also used in Sec ion 8. In his nal sec ion, we prove ha con ex ual equivalence and bisimilari y do coincide.
Comments on Notation We shall use he following conven ions in his paper == deno es an Isabelle me alevel implica ion wi h single premise and conclusion . deno es an Isabelle me alevel implica ion wi h mul[ 1 n ] == iple premises 1 n and conclusion . V x deno es universal quan i ca ion a he Isabelle me alevel. deno es a func ion space in HOL. e deno es a func ion abs rac ion in HOL, where is a variable, and e is a HOL erm. − deno es an implica ion in HOL. x deno es universal quan i ca ion in HOL. fun deno es a func ion space in he objec language PL. (e) deno es a func ion abs rac ion in he objec language PL, wri en in de Bruijn no a ion.
2
Inductive and Coinductive De nitions
We have achieved a uniform mechaniza ion of PL by he use of induc ive and coinduc ive me hods. Recall (see, for example, [Cro98]) ha if : P(X) P(X)
224
Simon J. Ambler and Roy L. Crole
Expr ?
Type
)
PreSim
Con ex
Kleene
Diverges
C
+
C
C
Sim
C
C
C
?
C
PreOpenSim
C
C
?
C
C
OpenSim
C
P
P
P q P
P P P q P
R @
Q Q s Q
P P
Compa
+
Q
P
?
P P @ P P P @ P
P P
Eval
P
P
P q P
C
C C
Cand
C C C
?
C
Howe X
C C
XX X
XX X
C XX C XX z X CW
?
Cord
Fi . 1. Theories and dependencies be ween hem.
Mechanized Operational Semantics via (Co)Induction
225
is a mono one endofunc ion on he powerse of a se X, hen he leas pre xed poin of is he subse of X inductively de ned by and he grea es pos xed poin is he subse of X coinductively de ned by . The speci ca ion and proper ies of PL can be given (co)induc ively. We shall show ha each of hese PL induc ive and coinduc ive de ni ions can be seen as an ins ance of one of he following me hods for de ning se s and func ions; and each me hod is i self readily coded wi hin Isabelle using formulas Ψ HOL of higher order logic genera ed wi h he assis ance of he (co)induc ion package [Pau94a]. The labels ISet (e c) are referenced la er on in he paper. (Co)Inductive Sets and Functions To de ne a se A P(U ) we specify a func ion A : P(U ) P(U ) and ake A o be ei her A (ISet) or A (CSet). P(U ) we specify a func ion To de ne a func ion f : P(U ) P(U ) for each subse S U and ake f (S) o be ei her f ;S : P(U ) f ;S (IFunction) or f ;S (CFunction). Throughou his paper, we show ha each of seman ic de ni ions we wish o encode in Isabelle conforms o one of he de ni ions of a se A or a func ion f given above. Both of hese are speci ed by de ning some o her func ion of he form : P(U ) P(U ). However, o encode : P(U ) P(U ) in Isabelle, we simply have o de ne a HOL formula Ψ HOL (z S) such ha z
3
S
P(U ) z
(S)
Ψ HOL (z S)
The Syntax of PL
Syn ax expressions are encoded in de Bruijn no a ion [dB72]. The expressions of PL are given by he grammar e ::= k i
(e) e e
where k ranges over cons an s and i N ranges over de Bruijn variable indices. The se of expressions is deno ed by E. The se Cst of cons an s includes, for ins ance, cond, zero, suc, ncase, and rec o cap ure condi ional es s, numbers and recursion. The heory Expr.thy de nes he syn ax of programs. The types of PL are given by he grammar ::= nat bool
fun
list( )
The se of ypes is deno ed by T . A typin environment is a lis of ypes [ 0 n−1 ] wi h i indica ing he ype of he variable wi h index i in he curren environmen . A ypical yping environmen is deno ed by Γ . The se
226
Simon J. Ambler and Roy L. Crole
G consis s of all such environmen s. We de ne a subse Cty supplies ypes for each cons an , for ins ance, (zero nat )
Cty
and
(cond bool
fun
fun
Cst )
T which
Cty
for all ypes . The ype assignmen rela ion is genera ed by he usual rules of calculus, oge her wi h an assignmen Γ k : whenever (k ) Cty. We e e: of pro rams of ype . wri e e : for [ ] e : and E for he se The heory Type.thy de nes he ype sys em wi hin Isabelle. We have coded he syn ax via calculus using de Bruijn indices. This removes he need o axioma ize conversion which would cons i u e a signi can body of work before es ablishing any non rivial resul s. O hers [GM96] have shown ha axioma izing conversion for implemen a ion is a non rivial ask; moreover, our ini ial work wi h explici variable names highligh ed he di culies of reasoning abou he choice of fresh names for bound variables. We also inves iga ed he use of higher order abs rac syn ax [JDH95] bu his raised a problem in ob aining he schemes of recursion and induc ion over he s ruc ure of syn ax needed for our proofs. Some of hese issues are addressed in [JDS97] and in he recen work of Gabbay and Pi s [GP99] and Fiore, Plo kin and Turi [FPT99]. These approaches may even ually provide a viable al erna ive o de Bruijn encoding bu , for he momen , he cos of aking a more concre e represen a ion is well repaid in he bene of being able o use s andard schemes for da aype represen a ion and induc ion. There is now a reasonable body of experience o demons ra e he e ec iveness of he de Bruijn approach in proving me a heore ic resul s abou syn ax wi h binding opera ors [Hir97, Hue94, Nip]. One cos of using de Bruijn no a ion is, of course, ha expressions can be di cul o read. This is no a subs an ial problem in proving heorems abou he general proper ies of he language as we are usually working wi h program expressions deno ed by Isabelle variables. For work involving large explici program fragmen s one migh have o wri e a parser and pre y prin er o provide a more usable in erface. More signi can is ha de Bruijn no a ion replaces reasoning abou he renaming of bound variables via elemen ary ari hme ic manipula ion of he variable indices. I is for una e ha his manipula ion can be managed by es ablishing jus a few well chosen lemmas because he proof of each of hese can involve some qui e edious ari hme ical reasoning. We nex discuss he key issues of weakening and subs i u ion. 3.1
Weakenin and Substitution
The opera ional seman ics which we have described is a subs i u ion based sysem. As such, he usual proper ies of variable weakening and expression subs i u ion mus be encoded. This requires care. If is a ype and Γ a yping environmen , hen newVar i Γ is he new environmen formed by inser ing in o he i h posi ion. The weakening of a ype assignmen Γ e : in PL requires ha he indices of exis ing variables in e mus be adjus ed o ake accoun of heir new posi ion. In Isabelle, we prove [ Γ
e:
j
len th(Γ ) ] ==
newVar j Γ
lift e j :
Mechanized Operational Semantics via (Co)Induction e ⇓ (e0 ) (e) ⇓ (e)
k⇓k e ⇓ cond
e0 ⇓ rue
e ⇓ cond
e e0 ⇓ ( (1)) e ⇓ suc
e0 [e00 0] ⇓ ve
e e00 ⇓ ve e0 ⇓ false
e e0 ⇓ suc e0
e0 (rec e0 ) ⇓ ve
e ⇓ rec
e e0 ⇓ ( (0)) e ⇓ ncase
227
e e0 ⇓ ve
e0 ⇓ zero
e ⇓ ncase
e e0 ⇓ ( (1))
e0 ⇓ suc e00
e e0 ⇓ ( (0 e00 ))
Fi . 2. PL Evalua ion Rela ion Func ion Applica ion, Condi ionals, Numbers and Recursion
where lift e j is he resul of incremen ing each of he indices in e corresponding o a free variable beyond he j h posi ion by one. Subs i u ion wi hin ype assignmen s elimina es free variables from he curren environmen . In Isabelle, we prove [ j
4
len th(Γ ) newVar j Γ
e:
Γ
e0 :
] ==
Γ
e[e0 j] :
Operational Evaluation
We de ne operational evaluation hrough judgemen s of he form e ve which deno e a rela ion be ween expressions; he Isabelle heory is called Eval.thy. This binary rela ion is induc ively de ned by rules such as he examples in Figure 2. No e ha we have op ed for a presen a ion in which des ruc ors such as cond are evalua ed immedia ely when given a rs argumen . This reduces he o al number of rules. 4.1
Subject Reduction
Recall ha Subjec Reduc ion is he proper y ha he ypes of expressions do no change on execu ion. The Isabelle proof of Subjec Reduc ion is qui e elegan . We show by induc ion on he deriva ion of e ve ha e
ve ==
e:
−
ve :
The induc ive de ni ion package supplied in Isabelle genera es a de ni ion in he form ISet au oma ically from a se of in roduc ion rules. The de ni ion of a se A comes equipped wi h an appropria e elimina ion rule and induc ion rule which can be used on he premises of a sequen o elimina e an assump ion of he form a A. In par icular, he se eval = (e ve) e ve is de ned from he rules in Figure 2 and corresponding induc ion rule allows us o elimina e an assump ion of he form e ve. Applying his o he goal above, we ob ain
228
Simon J. Ambler and Roy L. Crole
a o al of seven een subgoals, each corresponding o a las s ep in a deriva ion of e ve. These are all rela ively simple and can be es ablished by he ac ic fast tac which searches au oma ically for a proof using a given selec ion of in roduc ion and elimina ion rules and simpli ca ion rewri e rules. We supply he rules which fast tac may use in he form of a classical reasonin set. In his case i is he defaul claset() augmen ed wi h he in roduc ion and elimina ion rules for yping, oge her wi h weakening and yping subs i u ion lemmas. The proof is comple ed by he following code which applies he ac ic o all subgoals. by (ALLGOALS (fast_tac (claset() addIs (typin .intrs @ typeof.intrs @ [typin _subst_0]) addEs (typin Es @ typeofEs @ [weakenin _0]) addss simpset()))); No e ha V
he use of he yping subs i u ion lemma is in solving he subgoal
e e0 e00 ve [ e
(e0 )
e:
−
(e0 ) : e0 [e00 0]
ve
e0 [e00 0] :
==
e e00 :
−
−
ve :
]
ve :
which arises from he hird rule of Figure 2. This example exhibi s a good s yle of mechanical proof. I follows closely he s ruc ure of he corresponding penandpaper proof and uses au oma ion e ec ively o perform he case analysis via a single ac ic applied uniformly. I is unfor una e, bu few of our proofs were so easy. Many involved a large case analysis where he individual cases were more complex. These had o be proved onebyone using, some imes, ra her adhoc me hods. Here mechanical assis ance gave less suppor . 4.2
Determinism of Evaluation
Ano her example of an elegan proof is ha of he de erminism of evalua ion. We show ha p u == v p v− v=u by induc ion, again on he deriva ion of p u. The subgoals are even simpler his ime. The proof in each case uses jus one applica ion of an elimina ion rule for eval and hen elemen ary logical reasoning. The induc ion rule genera es seven een subgoals. The rs wo are rivial, bu , for each of he o hers, applying he elimina ion rule for evalua ion of a func ion applica ion, we genera e a fur her f een subgoals. There are hus a o al of 227 subgoals in he proof mos are dismissed immedia ely! 4.3
Special Tactics
Mos of he au oma ion in he proofs has been supplied by s andard search ac ics such as fast tac, depth tac and blast tac or simpli ca ion ac ics such
Mechanized Operational Semantics via (Co)Induction
229
as simp tac, asm simp tac and asm full simp tac. There is one special purpose ac ic which deserves men ion. The rules (like hose) in Figure 2 de ne he evalua ion rela ion. To evalua e an expression e we apply he rules o ry o prove a goal of he form e ?v where ?v is an unins an ia ed schemevariable. If he proof succeeds hen ?v will become ins an ia ed o a value for e. Unfor una ely, a backwards proof search using hese rules is nonde erminis ic, even hough he evalua ion s ra egy ha hey represen is de erminis ic. The solu ion is o wri e a special purpose ac ic for evalua ion based on a series of derived rules. For example, a condi ional would be evalua ed via he rules e
ve
ve e0
e e0
ve 0
e
ve
ve 0
cond true
cond ve
cond e ( (1))
cond false
ve 0
ve 0 ( (0))
Resolving agains hese rules in order, we ensure ha he func ion expression is evalua ed rs ( o he cons an cond), hen i s argumen ( o ei her true or false), and nally he applica ion is evalua ed appropria ely. The func ion eval tac encodes his de erminis ic evalua ion s ra egy for an arbi rary expression.
5
Bisimilarity for PL
We can now de ne a no ion of program similari y for PL, coded as he Isabelle heory Sim.thy. Bisimilari y [Gor95b] is he symme riza ion of similari y; his is a useful no ion of program equivalence, as described in on page 1. This has been s udied by many people (for example [CG99, Gor95a, Pi 97]). Our de ni ion of similari y is equivalen o Pi s’ [Pi 97], bu is sligh ly simpler for he purposes of mechanized proof see Sec ion 5.2. The de ni ion of simula ion is given as a ype indexed family of binary rela ions be ween closed expressions of he same ype: 4 = (4 ) P(E E ). The de ni ion of simula ion is he coinduc ively P(E E ) de ned se given by a cer ain mono one func ion of he form : P(E E ). Given any R P(E E ), one can de ne (R) by specifying [Pi 97] he componen s (R) a each ype ; if we consider he ype bool , our hen corresponds simBool (see below) corresponds o (R)bool . The func ion o our sim , and e 4 e0 corresponds o our (e e0 ) sim. Le us de ne simBool , and similar se s a he remaining ypes. simBool (
E
ve e
simFun: T T if and only if (
E where (e e0 )
ve e
simBool if and only if
ve)
(e
true
e0
P(E
E
T)
P(E
ve)
( ve ve 0 e
true)
(e
false
E) where (e e0 )
e0
false)
simFun(
ve e0 ve 0 e1 e1 : − (ve e1 ve 0 e1
)
R)
R)
230
Simon J. Ambler and Roy L. Crole
simNat : P(E
E
ve e
(
T)
ve) (e zero e0 zero) ( e00 e000 e suc e00 e0 suc e000
simPair : T T if and only if ve e
(
simList : T only if (
P(E
P(E
E
T)
E
T)
E) where (e e0 )
P(E
We hen de ne he se of simulations, sim aking E T) P(E sim : P(E sim (X)
(e00 e000 nat )
R)
simPair (
pr e1 e2 e0 pr e01 e02 (e1 e01 ) R (e2 e02
ve) (e n l e0 n l) ( e1 e2 e01 e02 e cons e1 e2 (e1 e01 ) R
where (recall page 225) z
simNat (R) if and only if
E) where (e e0 )
P(E
( e1 e2 e01 e02 e
ve)
ve e
E) where (e e0 )
P(E
)
E
E
T)
R)
simList ( R) if and
e0 cons e01 e02 (e2 e02 list( )) E
R)
R)
T using CSet by
if and only if
e e0 z = (e e0 bool ) e : bool e0 : bool (e e0 ) simBool e e0 z = (e e0 nat) e : nat e0 : nat (e e0 ) simNat (X) fun z = (e e0 ) e e0 fun fun e0 : (e e0 ) simFun( X) e: 0 0 z = (e e ) e: e0 : (e e0 ) simPair ( X) e e z = (e e0 list( )) e : list( ) e0 : list( ) (e e0 ) simList ( X) e e0 This formula can be implemen ed in IsabelleHOL using he (co)induc ion package see Sec ion 5.2. We nex de ne open similari y [Pi 97], given by judgemen s of he form Γ e 4o e0 : . In order o de ne hese judgemen s mechanically, we shall de ne he se osim for which (Γ e e0 ) osim corresponds o such a judgemen . Firs we de ne he func ion osimrel : G T T P(G E E T ) R) if and only if P(E E) where (e e0 ) osimrel (Γ Γ
e:
Γ
e0 :
We can hen de ne osim osim : P(G
where z
osim (X)
e1 (e1 : − G
E E
E E
(Γ e[e1 0] e0 [e1 0]
)
R)
T using CSet. Se T)
P(G
E
E
T)
if and only if
e e0 z = ([ ] e e0 ) (e e0 ) sim e e0 ) Γ e e0 z = (newVar 0 Γ
X
(e e0 )
osimrel (Γ
X)
Mechanized Operational Semantics via (Co)Induction
5.1
231
Extendin Weakenin and Substitution
We use Isabelle o prove varian s of he syn ax manipula ing heorems of Sec ion 3.1 for he PL judgemen s which ake he general form Γ e R e0 : . For example, in he encoding of osim, we show ha [ Γ
e 4o e0 :
j
len th(Γ ) ] newVar j Γ
== e 4o e0 :
[ newVar j Γ
j
lift e j
len th(Γ ) Γ ==
Γ
4o lift e0 j :
e1 :
]
e[e1 j] 4 e0 [e1 j] : o
These resul s are no rivial. The la er is es ablished in hree s eps by rs proving he resul in he special case where Γ is emp y, and hen in he case where j is zero, before proving he general resul . Each of hese proofs proceeds by induc ion on he s ruc ure of he lis Γ . 5.2
Mechanizin Simulations
The de ni ion of he rela ions sim and osim uses auxiliary func ions such as simBool and simFun. The Isabelle implemen a ion of rule (co)induc ion requires us o supply a proof of he mono onici y of hese func ions, in order o ensure ha he func ions sim and osim are mono one. Originally, our de ni ion of sim ma ched ha of Pi s [Pi 97] and he use of auxiliary func ions was essen ial because of he limi a ions which Isabelle imposes on he form of a (co)induc ive de ni ion. The curren formula ion is equivalen bu s more na urally wi h he Isabelle implemen a ion of rule (co)induc ion. The func ions simBool , simNat , simPair and simList are no essen ial in his formula ion. They can be expanded in he de ni ion. I is only simFun which con ains a use of universal quan i ca ion which Isabelle will no accep direc ly in he (co)induc ive de ni ion of a se . (We have, for comple eness, au oma ically checked he equivalence of he wo presen a ions.) I is convenien o use he de ni ion of sim o produce special elimina ion rules such rules ensure ha fu ure proofs are well s ruc ured and grea ly simpli ed. The elimina ion rule below was produced by mk cases, a s andard Isabelle procedure; i allows he de ni ion of simula ion a func ion ypes o be unwrapped. [ e 4 e0 : V ve ve 0 [ e fun
e0
ve e :
ve 0 e0 :
e1 e1 : [ e:
fun
e0 :
− fun
fun
fun
ve e1
4 ve 0 e1 :
ve 00 (e
] ==
Q
ve 00 ) ] ==
Q
] ==
Q
There are similar rules for he o her ypes. Well chosen elimina ion rules are essen ial for direc ing au oma ic proof procedures such as fast tac and we have
232
Simon J. Ambler and Roy L. Crole
used he mk cases func ion o genera e hese for mos of he (co)induc ive de ni ions in he implemen a ion.
The Candidate Relation for PL
6
The heory Cand.thy de nes an auxiliary rela ion be ween expressions wi h judgemen s of he form Γ e 4 e0 : . This rela ion is a precongruence, which, informally, means ha we can reason abou ins ances of he rela ion using simple algebraic manipula ions. Fur her, we use Isabelle o prove ha Γ e 4 e0 : if and only if Γ e 4o e0 : (a proof me hodology was rs given by [How89]). Hence Γ e 4o e0 : is a precongruence, and hus we can also reason abou similari y (and bisimilari y) using simple algebraic manipula ions. The precongruence proper y is also used cri ically in o her proofs. In order o de ne he candida e rela ion mechanically, we shall de ne he se cand for which (Γ e e0 ) cand corresponds o Γ e 4 e0 : . We rs de ne he func ion compat : P(G
E
E
T)
P(G
E
E
T)
using IFunction. We de ne compat;R : P(G
where z
compat;R (X)
E
E
T)
P(G
E
E
T)
if and only if
Γ k z = (Γ k k Γ e1 e01 e2 e02
k: z = (Γ e1 e2 e01 e02 ) fun ) R (Γ e1 e01 . . . further clauses for other types )
(Γ e2 e02
)
R
The idea is ha he clauses de ning compat;R cap ure precisely he proper ies of a precongruence. We can use he func ion compat o de ne [Pi 97] cand G E E T G E E T using ISet. We de ne cand : G E E T where z cand (X) if and only if Γ e e0 e00 6.1
z = (Γ e e00
)
(Γ e e0
)
(Γ e0 e00
compat (X)
)
osim
Mechanization of Candidate Order
The candida e order yields an example where proofs are more di cul o au oma e. Many sublemmas arise in proofs. Consider, for ins ance, he sublemma which s a es ha he candida e rela ion is subs i u ive. [ newVar j Γ
e1
4 e01 :
j
len th(Γ ) Γ ==
Γ
4 e02 : ] j] 4 e01 [e02 j] :
e2
e1 [e2
Mechanized Operational Semantics via (Co)Induction
233
Gordon [Gor95b] s a es ha he proof follows by rou ine rule induc ion . . . . The corresponding machine proof has 77 s eps. The longes example is he proof ha he candida e rela ion is closed under evalua ion, [ e
ve [ ]
e 4 e0 :
] ==
[]
ve
4 e0 :
which is comple ed in 254 s eps. Theorem 1. We have used Isabelle to prove mechanically that the candidate relation coincides with similarity, that is cand = osim. More informatively e 4 e0 :
Γ 6.2
Γ
e 4o e0 :
Comments on the Proof
Tha osim is con ained in cand follows from he de ni ion of cand and ha he compa ible re nemen of cand is reflexive. The o her direc ion is more di cul . We show ha res ric ion of he candida e rela ion o closed erms is a simula ion, and hence by coinduc ion, []
e 4 e0 :
==
e 4 e0 :
This follows via a series of lemmas which combine o show ha cand has he proper ies required in he de ni ion of sim. For example, in he case of na ural numbers, we have [ ] zero 4 e : nat == e zero and []
suc e 4 e0 : nat ==
e00 e0
suc e00
[]
e 4 e00 : nat
These wo resul s oge her wi h he downward closure of cand es ablish ha cand has he requisi e proper y of a simula ion on expressions of ype nat. The o her cases follow a similar pa ern. Once we have shown ha he res ric ion cand is con ained in sim, hen his can be ex ended o open erms via Γ
e 4 e0 :
==
Γ
e 4o e0 :
because he rela ion cand is subs i u ive (as we proved in Sec ion 6.1).
7
Diver ence for PL
The heory Diver es.thy de nes program divergence (looping). I formalizes he judgemen e whose meaning is ha he expression e does no converge o a resul . No e ha divergence is also used in our proofs involving con ex ual equivalence. In par icular, no e ha he clauses used in he de ni ion of similari y in Sec ion 5 involve judgemen s of he form ve e ve. These are mos easily es ablished by showing e .
234
z
Simon J. Ambler and Roy L. Crole
We de ne he se div div (X) if and only if
E using CSet by aking
(e0 ) e0 [e00 0] ( e e0 e00 z = e e00 e . . . further clauses for other types
X)
: P(E)
div
( e e0 z = e e0
P(E) where e
X)
This coinduc ive de ni ion of divergence can be shown o correspond o he usual de ni ion given in erms of an in ni e sequence of program ransi ions arising from a singles ep opera ional seman ics. We can use Isabelle o es ablish ins ances of program divergence, and his is impor an in reasoning abou con ex ual equivalence.
8
Contextual Equivalence for PL
The heory Context.thy de nes a no ion of program con ex wi h judgemen s of he form (Γ Γ 0 ) C : . The in ui ive idea of a con ex C is ha i is a program module con aining a parame er −par which indica es a posi ion a which ano her program may be inser ed o yield a new program. The meaning of he judgemen (Γ Γ 0 ) C : is ha an expression e wi h yping Γ Γ 0 e : may be inser ed in o C o yield an expression (C e) wi h yping Γ 0 (C e) : . The heory Cord.thy de nes a no ion of con ex ual ordering wi h judgemen s of he form Γ e e0 : . The in ended meaning is ha if he evalua ion of (C e) (deno ing he con ex C in which e replaces he parame er) resul s in ve, hen so oo does he evalua ion of (C e0 ). Con ex ual equivalence is he symme riza ion of con ex ual ordering. We use Isabelle o prove ha Γ e e0 : if and only if Γ e 4o e0 : . Thus we can es ablish ins ances of con ex ual equivalence by ins ead proving bisimilari y. We wish o de ne judgemen s of he form [CG99, Gor95a, Pi 97] Γ e G E E T . Given a se e0 : , or equivalen ly a subse of he form cord S, le S S deno e he se of endofunc ions on S; program con ex s C are of Isabelle ype E E and we omi heir de ni ion. We rs de ne ctypin
T
(G
G)
(E
E)
T
using ISet by aking ctypin
where z
: P((G ctypin
Γ
T
G)
(E
E)
T)
P((G
T
G)
(E
E)
(X) if and only if
z = (([ ] Γ Γ0
Γ ) id ) e e0 z = ((Γ
Γ 0) (e ) e0 ) fun ) X Γ 0 e0 : )) ((Γ Γ 0 ) e 0 0 0 0 e e z = ((Γ Γ ) e (e ) ) Γ Γ fun ((Γ Γ 0 ) e0 ) X Γ0 e: . . . further clauses for other types
T)
Mechanized Operational Semantics via (Co)Induction
We de ne he contextual orderin (Γ e e0 ) cord if and only if Γ
e:
Γ
e0 :
C
o be he se cord
((Γ −
[ ]) C ) ctypin ve (C e) ve −
G
E
E
ve (C e0 )
235
T by
ve
Theorem 2. We have used Isabelle to prove that the contextual preorder coincides with similarity, that is cord = osim. More informatively, Γ 8.1
e
e0 :
Γ
e 4o e0 :
Comments on the Proof
The main consequence of Theorem 1 is o show ha osim is a precongruence, since cand is easily proved o be precongruence. I follows ha if Γ Γ 0 e 4o e0 : and C is any con ex hen we can subs i u e e and e0 in o he con ex o ge Γ 0 (C e) 4o (C e0 ) : . More precisely, we have [ (Γ
Γ 0) C :
e 4o e0 :
Γ Γ0
] ==
Γ0
(C e) 4o (C e0 ) :
We deduce ha osim is con ained in cord . The o her direc ion is more di cul . Much as in he proof of Theorem 1, we show ha he res ric ion of cord o closed erms is a simula ion, and hence by coinduc ion, [ ] e e0 : == e 4 e0 : . We make use of a series of lemmas o charac erize he evalua ion of an expression o a par icular value in erms of a convergence predica e, for example, for he na ural numbers, e : nat ==
( e0 e
suc e0 )
ncase e
(zero)
The proof is qui e long. There are 144 s eps o es ablish all of he cases. Once i is done hen i is no oo di cul o es ablish ha cord is subs i u ive, and so Γ
9
e
e0 :
==
Γ
e 4o e0 :
Conclusions and Further Research
We have successfully mechanized a core programming language, and used he encoding o verify some fundamen al language proper ies. This has been execu ed wi h a direc and uniform me hodology, much of which can be smoo hly re ned o deal wi h larger languages. We are curren ly under aking a similar programme o he one described in his paper for he second order lambda calculus wi h xed poin recursion. Our work on PL has given us an infras ruc ure o build on and we are looking o modify and re ne his o deal wi h he more powerful sys em. We will prove once again ha bisimilari y and con ex ual equivalence coincide ( hough when we move o o her languages, we will only be able o show ha conex ual equivalence is implied by bisimilari y). We are also ex ending his work
236
Simon J. Ambler and Roy L. Crole
o procedural and objec orien ed languages. We hope, wi h he bene of experience, o develop Isabelle ac ics which can be used enerically, or a leas wi h minor modi ca ions, wi hin new languages. The seman ics of PL is presen ed using a SOS evalua ion rela ion. We will also be s udying o her seman ics including low level abs rac machines. In par icular, we aim o au oma e proofs of correspondences be ween high and low level seman ic speci ca ions. Each veri ca ion will increase con dence ha he lower level implemen a ion correc ly encodes he higher level. The long erm aim is o build a fron end which will enable language designers o use such a veri ca ion sys em wi h li le knowledge of Isabelle. This is crucial if such ools are o be used in real language design. We hank Andy Gordon (Microsof ) and Andy Pi s (Cambridge) who have made useful commen s on our work.
References [Abr90] [AC96] [Alt93]
[BF96] [Bie97] [BS98]
[CG94]
[CG99]
[Coq92]
[Cro96]
[Cro97]
[Cro98]
S. Abramsky. The lazy lambda calculus. In David Turner, editor, Research Topics in unctional Programming, pa es 65 116. AddisonWesley, 1990. M. Abadi and L. Cardelli. A Theory of Objects. Mono raphs in Computer Science. Sprin erVerla , 1996. T. Altenkirch. A formalization of the stron normalization proof for system F in LEGO. In M. Bezem and J. F. Groote, editors, Typed Lambda Calculi and Applications, volume 664 of LNCS, pa es 13 28. Sprin erVerla , 1993. Yves Bertot and Ranan Fraer. Reasonin with Executable Speci cations. Technical Report 2780, INRIA, Sophia Antipolis, January 1996. G. M. Bierman. Observations on a Linear PCF (Preliminary Report). Technical Report 412, University of Cambrid e Computer Laboratory, 1997. E. B¨ or er and W. Schulte. A Pro rammer Friendly Modular De nition of the Semantics of Java. In J. AlvesFoss, editor, ormal Syntax and Semantics of Java, 1998. To appear. G. Collins and S. Gilmore. Supportin Formal Reasonin about Standard ML. Technical Report ECSLFCS94310, Laboratory for the Foundations of Computer Science, University of Edinbur h, November 1994. R. L. Crole and A. D. Gordon. Relatin Operational and Denotational Semantics for Input/Output E ects. Mathematical Structures in Computer Science, 9:1 34, 1999. C. Coquand. A proof normalization for simply typed lambda calculus written in ALF. In K. Petersson B. Nordstr¨ om and G. Plotkin, editors, Proc. of the 1992 Workshop on Types for Proofs and Programs, 1992. R. L. Crole. How Linear is Howe? In G. McCusker, A. Edalat, and S. Jourdan, editors, Advances in Theory and ormal Methods 1996, pa es 60 72. Imperial Colle e Press, 1996. R. L. Crole. The KOREL Pro rammin Lan ua e (Preliminary Report). Technical Report 1997/43, Department of Mathematics and Computer Science, University of Leicester, 1997. R. L. Crole. Lectures on [Co]Induction and [Co]Al ebras. Technical Report 1998/12, Department of Mathematics and Computer Science, University of Leicester, 1998.
Mechanized Operational Semantics via (Co)Induction [dB72]
237
N. de Bruijn. Lambda Calculus Notation with Nameless Dummies: a Tool for Automatic Formula Manipulation, with Application to the Church Rosser Theorem. Indagationes Mathematicae, 34:381 391, 1972. [FPT99] M. Fiore, G. D. Plotkin, and D. Turi. Abstract Syntax and Variable Bindin . To appear in LICS 99, 1999. [GHL97] A. D. Gordon, P. D. Hankin, and S. B. Lassen. Compilation and Equivalence of Imperative Objects. Draft manuscript, 1997. [GM96] A. D. Gordon and T. Melham. Five axioms of alphaconversion. In J. von Wri ht, J. Grundy, and J. Harrison, editors, Proceedings of the 9th International Conference on Theorem Proving in Higher Order Logics (TPHOLs’96), volume 1125 of Lecture Notes in Computer Science, pa es 173 190, Turku, Finland, Au ust 1996. Sprin erVerla . [Gor95a] A. D. Gordon. Bisimilarity as a theory of functional pro rammin . Electronic Notes in Theoretical Computer Science, 1, 1995. [Gor95b] A. D. Gordon. Bisimilarity as a theory of functional pro rammin . Technical report, Aarhus University, Denmark, 1995. BRICS Notes Series NS 95 3, BRICS, Aarhus University. [GP99] M. J. Gabbay and A. M. Pitts. A New Approach to Abstract Syntax Involvin Binders. To appear in LICS 99, 1999. [Hir97] D. Hirschko . A full formalisation of calculus theory in the calculus of constructions. In Proceedings of TPHOL’97, volume 1275 of LNCS. Sprin erVerla , 1997. [How89] D. J. Howe. Equality in lazy computation systems. In Proceedings of the 4th IEEE Symposium on Logic in Computer Science, pa es 198 203, 1989. [Hue94] G. Huet. Residual theory in calculus: a complete Gallina development. Journal of unctional Programming, 4(3):371 394, 1994. [JDH95] A. Felty J. Despeyroux and A. Hirschowitz. Hi her order syntax in Coq. In M. DezaniCianca lini and G. Plotkin, editors, Typed Lambda Calculi and Applications, volume 902 of LNCS. Sprin erVerla , 1995. [JDS97] F. Pfennin J. Despeyroux and C. Sch¨ uermann. Primitive recursion for hi herorder abstract syntax. In Proceedings of the Third International Conference on Typed Lambda Calculus and Applications (TLCA’97), volume LNCS. Sprin erVerla , 1997. [Las98] S. B. Lassen. Relational Reasoning about unctions and Nondeterminism. PhD thesis, Dept of Computer Science, Univ of Aarhus, 1998. [MG93] T. F. Melham and M. J. C. Gordon. Introduction to HOL. Cambrid e University Press, 1993. [MG94] S. Maharaj and E. Gunter. Studyin the ML module system in HOL. In T. F. Melham and J. Camilleri, editors, Proceedings of the 7th International Workshop on Higher Order Logic Theorem Proving and Its Applications, volume 859 of Lecture Notes in Computer Science, pa es 346 361, Valletta, Malta, September 1994. Sprin erVerla . [MMH97] R. Milner, M.Tofte, and R. Harper. The De nition of Standard ML (Revised). MIT Press, Cambrid e, Mass., 1997. [MT91] I. A. Mason and C. L. Talcott. Equivalence in functional lan ua es with e ects. Journal of unctional Programming, 1:287 327, 1991. [Nip] T. Nipkow. More Church Rosser Proofs. To appear in the Journal of Automated Reasonin . [Nip98] T. Nipkow. Winskel is (Amost) Ri ht: Towards a Mechanized Semantics Textbook. ormal Aspects of Computing, 10, 1998.
238
Simon J. Ambler and Roy L. Crole
[NvO98]
[Pau94a]
[Pau94b] [Pit97]
[Pit98] [Plo81]
[Sym93]
[Sym97a]
[Sym97b]
T. Nipkow and D. von Oheimb. MachineCheckin the Java Speci cation: Provin Type Safety. In J. AlvesFoss, editor, ormal Syntax and Semantics of Java, 1998. To appear. L. C. Paulson. A xedpoint approach to implementin (co)inductive de nitions. In A. Bundy, editor, 12th International Conf. on Automated Deduction, volume 814 of LNAI, pa es 148 161. Sprin erVerla , 1994. L.C. Paulson. Isabelle: A Generic Theorem Prover. Lecture Notes in Computer Science, 828, 1994. A. M. Pitts. Operationally Based Theories of Pro ram Equivalence. In P. Dybjer and A. M. Pitts, editors, Semantics and Logics of Computation, 1997. A. M. Pitts. Existential Types: Lo ical Relations and Operational Equivalence. Draft paper, 1998. G.D. Plotkin. A structural approach to operational semantics. Technical Report DAIMI FN 19, Department of Computer Science, University of Aarhus, Denmark, 1981. D. Syme. Reasonin with the formal de nition of Standard ML in HOL. In J. J. Joyce and C.J. H. Se er, editors, Proceedings of the 6th International Workshop on Higher Order Logic Theorem Proving and its Applications (HUG’93), volume 780 of Lecture Notes in Computer Science, pa es 43 60, Vancouver, B.C., Canada, Au ust 1993. Sprin erVerla , 1994. D. Syme. DECLARE: A Prototype Declarative Proof System for Hi her Order Lo ic. Technical Report 416, Computer Laboratory, University of Cambrid e, February 1997. D. Syme. Provin JavaS Type Soundness. Technical Report 427, Computer Laboratory, University of Cambrid e, June 1997.
Representin WP Semantics in Isabelle/ZF Mark Staples University of Cambrid e Computer Laboratory, Pembroke St, Cambrid e CB23QG, United Kin dom Mark.S
[email protected] Abs rac . We present a shallow embeddin of the weakest precondition semantics for a pro ram re nement lan ua e. We use the Isabelle/ZF theorem prover for untyped set theory, and statements in our re nement lan ua e are represented as set transformers. Our representation is si ni cant in makin use of the expressiveness of Isabelle/ZF’s set theory to represent states as dependentlytyped functions from variable names to their values. This lets us ive a uniform treatment of statements such as variable assi nment, framed speci cation statements, local blocks, and parameterisation. ZF set theory requires set comprehensions to be explicitly bounded. This requirement propa ates to the de nitions of statements in our re nement lan ua e, which have operands for the state type. We reduce the syntactic burden of repeatedly writin the state type by usin Isabelle’s metalo ic to de ne a lifted set transformer lan ua e which implicitly passes the state type to statements.
Weakest precondition semantics was rst used by Dijkstra in his description of a nondeterministic pro rammin lan ua e [9]. That lan ua e was eneralised to the re nement calculus by Back [3], and later by Morris [18] and Mor an [16]. Textbook presentation of weakest precondition semantics usually represent conditions on states as formulae. However, such presentations can be unclear about the lo ic underlyin these formulae. Mechanisations of the re nement calculus must per force be precise, and two approaches have been taken. The most literal approach is to use a modal lo ic with pro ram states formin the possible worlds. Work done in the Er o theorem prover [25] is in this vein [8]. However, support for modal lo ics is currently unwieldy in most theorem provers. More importantly, usin a modal lo ic hampers the reuse of results from existin classical mathematics. Another approach is to represent pro ram states explicitly in a classical lo ic. Conditions can then be represented as collections of states. For example, A erholm [2] (and later the Re nement Calculator project [28] and others [21, 13]) used predicates (functions from states to Booleans) in hi herorder lo ic to represent sets of states. Our approach uses this kind of representation, but we work in the untyped set theory provided by the Isabelle/ZF theorem prover. Instead of representin conditions by predicates on states, we have an essentially equivalent representation usin sets of states. The main point of di erence is that we use the expressiveness of untyped set theory to represent states as dependentlytyped functions Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 239 254, 1999. c Sprin erVerla Berlin Heidelber 1999
240
Mark Staples
from variable names to values. This lets us ive de nitions of statements such as sin le and multiple variable assi nment, framed speci cation statements, local blocks, and parameterisation. Weakest precondition semantics is sometimes presented by inductively de nin an interpretation wp(c q) over a lan ua e of re nement lan ua e statements c and arbitrary postconditions q. However, followin the Re nement Calculator project [28], the mechanisation described here uses a shallow embeddin [7] statements are identi ed with abbreviations for their semantics. Instead of de nin an interpretation operator wp, we instead de ne each statement as an abbreviation for a speci c set transformer from a set of states representin a postcondition to a set of states representin the weakest precondition. This paper demonstrates that a shallow embeddin of weakest precondition semantics can be done in a rstorder settin . The theory is intended to support the proof of re nement rules, and the subsequent development of speci c pro ram re nements. A nontrivial re nement casestudy usin the theory has been reported elsewhere [24]. Our use of a shallow embeddin precludes the statement of some metaresults. For example, we can not state a completeness result within our theory, as there is no xed syntax de nin the limits of our lan ua e. However, if the de nitions of our lan ua e constructs are appropriate, the ‘soundness’ of our re nement rules follow from our use of conservative de nitions and the soundness of Isabelle/ZF. In Sect. 1 we introduce the metalo ic of Isabelle and its object lo ic Isabelle/ZF. In Sect. 2 we illustrate our approach to shallow embeddin by de nin set transformers which do not assume any structure in the state type, and follow that in Sect. 3 by de nin a lifted lan ua e of typepassin set transformers in Isabelle’s metalo ic. Section 4 demonstrates our representation of states as dependentlytyped functions by de nin the semantics of further statements, and Sect. 5 shows how we can modify our approach to liftin set transformers to take advanta e of structure on states.
1
Isabelle: Pure and ZF
Isabelle [20] is a eneric theorem prover in the LCF [10] family of theorem provers, implemented in the ML lan ua e [14]. It is eneric in the sense of bein a lo ical framework which allows the axiomatisation of various object lo ics. Here we briefly introduce Isabelle’s metalo ic, and the object lo ic Isabelle/ZF used in this work. Aspects of Isabelle not discussed here include its theory definition interface, theory mana ement, tactics and tacticals, eneric proof tools, oaldirected proof interface, advanced parsin and prettyprintin support, and rowin collection of eneric decision procedures. Isabelle represents the syntax of its metalo ic and object lo ics in a term lanua e which is a datatype in ML. The lan ua e provides constants, application, lambda abstraction, and bound, free and scheme variables. Scheme variables are lo ically equivalent to free variables, but may be instantiated durin unication. These are readily utilised in the development of prototype re nement
Representin WP Semantics in Isabelle/ZF
241
tools supportin metavariables [19, 23]. Isabelle’s metalo ic is an intuitionistic polymorphic hi herorder lo ic. The core datatype of thm implements the axiom schemes and rules of this metalo ic. Isabelle provides constants in its metalo ic which are used to represent the rules and axioms of object lo ics. The metalo ical constants we make use of in this paper are: Equality A = B, is used to represent de nitions of an object lo ic. Implication is used to represent rules of an object lo ic, and here we write them as follows: A B
C H
Function application F (x) is used to represent the application of an operator F to an operand x. Function abstraction x F (x) is used to represent the construction of parametric operators. Isabelle also supports the de nition of syntactic abbreviations, which we will write A B. Isabelle/ZF is an Isabelle object lo ic for untyped set theory. It is based on an axiomatisation of standard ZermeloFraenkel set theory in rst order lo ic. The de ned metalevel type of sets i is distinct from the metalevel type of rstorder lo ic propositions o. These include objectlevel operators such as: implication P Q; universal and existential quanti cation, i.e. x P (x) and x P (x); and de nite description x P (x). Families of sets can be de ned as metalevel functions from index sets to result sets, and operators can be de ned as metalevel functions from ar ument sets to result propositions. From this basis, a lar e collection of constructs are de ned and theorems about them proved. The expressiveness nature of Isabelle/ZF allows a reat deal of flexibility in representin structures not allowed in simple type theory. In particular, we make use of a structure of dependent total functions x:X Y (x) (which we sometimes write X Y ) from a domain X to an Xindexed family of ran e types Y . The simple function space X Y is the dependent function space where there is no dependency in Y , i.e. x:X Y . Other parts of the Isabelle/ZF notation which are used here include: a : A or a A for set membership, PA for the powerset operator, A B for subset, x : A P (x) for set comprehension of elements of A satisfyin P , x : A P (x) for universal quanti cation, and A for the union of a set of sets. Objectlo ic abstraction x : X F (x) is the set of pairs x F (x) for all x in the explicitly declared domain X, and is distinct from metalevel lambda abstraction x F (x) discussed above. Similarly, we have an in x objectlo ic function application f ‘a which is distinct from the metalevel function application F (a). We also make use of relational operators such as in x function overridin f g, domain dom(R), domain subtraction R dsub A, and domain restriction R dres A. These operators are either standard in the Isabelle/ZF distribution, or have standard de nitions [24].
242
2
Mark Staples
Representin Set Transformers
The re nement lan ua e we present in this section is in terms of a completely eneral statetype. States will come from a set A (say) and preconditions (or postconditions) will be represented by sets of states in PA. We write PA B for PB, and PA for the function space of hetero eneous set transformers PA the homo eneous set transformers PA A . Monotonic predicate transformers play an important role in the development of theorems concernin recursion. The condition of monotonicity can be de ned as follows: monotonic(c) = a b : dom(c) a
b
c‘a
c‘b
Note that we do not need to supply the state type as an operand to the condition of monotonicity, as we can extract it from the statement c. When c : PA B , then dom(c) = PA, and so we have: monotonic(c) = a b : PA a
b
c‘a
c‘b
We de ne the set of hetero eneous monotonic set transformers as follows: M A B = c : PA B
monotonic(c)
We write MA for the homo eneous monotonic set transformers MA A . To illustrate our representation of set transformers, we de ne the skip and sequential composition statements as follows: SkipA = q : PA q
a; b = q : dom(b) a‘(b‘q)
In the de nition of the skip statement we explicitly require an operand A to represent the state type. In simple type theory this could be left implicit, but as we are usin ZF, we must explicitly bound the set constructed on the ri ht hand side of the de nition. However, in the de nition of the sequential composition statement we can, as in the de nition of monotonicity above, extract the state type from the structure of subcomponents. When b : PA B , we have: a; b = q : PA a‘(b‘q) It is easy to see that skip and sequential composition are (monotonic) set transformers. That is: SkipA : MA
a : PB C b : PA B a; b : PA C
a : MB C b : MA B a; b : MA C
The de nition of skip and sequential composition illustrate our eneral representation scheme, and demonstrate how we can sometimes extract the state type from a statement’s components. We will now show the de nition of state assi nment (which functionally updates the entire state), and alternation (‘ifthenelse’) in order to illustrate the representation of expressions in our lan ua e. As it was natural to use sets of states to represent conditions on states, we similarly
Representin WP Semantics in Isabelle/ZF
243
use sets of states to represent Boolean expressions within statements. To represent expressions of other types, we use ZF’s standard representation of functions and relations as sets of pairs. State assi nment and alternation are de ned as follows: F A = q : PA s : dom(F ) F ‘s if g then a else b = q : dom(a) dom(b) (g
a‘q)
((
q
(dom(a)
dom(b)) − g)
b‘q)
A ain, we extract the state type from the structure of subcomponents. However, in the de nition of state assi nment, we extract the state type not from a substatement, but instead from the expression F , which should be a statefunction from some input statetype B to output statetype A. In the de nition of alternation we take the union of the domains of a and b, because the nal state q may be reached throu h either a or b. We also extract the actual underA and lyin statetype A, usin the fact that (PA) = A. So when F : B a b : PA B , we have the simpler equalities: F A = q : PA s : B F ‘s q if g then a else b = q : PA (g a‘q) ((A − g)
b‘q)
It is easy to see that state assi nment and alternation are (monotonic) set transformers: a : PA b : PA if g then a else b : PA
F :B A F A : MA B
a : MA b : MA if g then a else b : MA
We have restricted alternation to be a homo eneous set transformer, but have included an extra statetype operand in the de nition of state assi nment, in order to make it a hetero eneous set transformer. This suits our purposes, as thou h we are mainly concerned with developin a ‘userlevel’ theory of re nement laws over homo eneous set transformers, in the development of variable localisation in Sect. 4.2 we will need a hetero eneous stateassi nment statement. We can de ne the re nement relation in a fairly standard manner [6], but a ain extract the state type, so that when a : PA B , the de nition simpli es to the followin : a
b
q : PA a‘q
b‘q
If a b, then the set of states in which we can execute b is lar er than the set of states in which we can execute a. Our de nition uses the domain of a for safety, so that b will have at least the behaviour uaranteed for anythin which can be executed by a. We de ne total correctness in a standard way [4], as follows: p c q = p c‘q. The re nement relation preserves total correctness. For a b : PA B , a
b
p : PA q : PB p a q
p b q
244
Mark Staples
The simpli ed forms of our de nitions correspond fairly closely to standard de nitions of statements and re nement [1, 5]. Our de nitions also receive some measure of validation by the proof of theorems about our lan ua e which we would expect to be true. For example, the skip statement is the identity stateassi nment, and the sequential composition of state assi nments is the assi nment of their compositions. That is, for F : A B and G : B C we have: SkipA =
s:A s
A
F
B;
G
C
= G F
C
These and many other standard re nement results have been proved about this set transformer in Isabelle/ZF [24]. We have now outlined our eneral scheme for representin set transformers, expressions, and conditions. Our purpose in this paper is to expand on this representation scheme, and so we will not labour the description of other re nement calculus statements such as ma ic, nondeterministic assi nment, speci cation, demonic choice, an elic choice, and recursion. The de nitions and theorems concernin these statements appear in [24]. Nonetheless, we ive the de nitions for statements which we use in this paper. These are the assertion, uardin and chaos statements, de ned as follows: P
A
= q : PA P
q
(Q)A = q : PA (A − Q) q ChaosA = q : PA if(A = q A ) These statements are well known in the re nement literature. We note that the assertion and uardin statements do not chan e the state, but the chaos can chan e the state in any manner. We also ive the de nition of valuebindin statements, and present a store statement which we will use in Sect. 4.2 to de ne variablelocalisation statements. We call our an elic valuebindin a ‘lo ical constant’ statement, after Mor an [16],1 and dually, demonic valuebindin the ‘lo ical variable’ statement. They correspond to lifted existential and universal quanti cation respectively, and are de ned as follows: con x c(x) = q : Dom c s :
Dom c
v s
c(v)‘q
var x c(x) = q : Dom c s :
Dom c
v s
c(v)‘q
Here, the statement c is parametric upon the bound value x. We can extract the state type from c, but we must use a lifted domain operator Dom instead of the ordinary settheoretic domain dom. Its de nition makes use of the de nite description operator, as follows: Dom c = d 1
x d = dom(c(x))
Our lo ical constant statement is di erent to Mor an’s, as it does not bind the value of pro ram variables. However, we use it for much the same purpose: to remember the initial value of pro ram variables and variant functions.
Representin WP Semantics in Isabelle/ZF
245
We can use these value binders to de ne a store statement storeA x c(x) which remembers the value x of the initial state for the execution of the substatement c. The store statement can be de ned in terms of lo ical constants and assertion statements, or equivalently, in terms of lo ical variables and uardin statements, as follows: storeA x c(x) = con x
s:A s = x
A ; c(x)
storeA x c(x) = var x ( s : A s = x )A
3
; c(x)
Liftin Set Transformers
Our lan ua e of set transformers mirrors standard de nitions of statements in the re nement calculus. Unfortunately, althou h we can sometimes extract the state type from the domain of an operand to a statement, our use of Isabelle/ZF’s set theory forces us to explicitly include the state type as an operand in most atomic statements, in some compound statements, and in every expression and condition constructed by an objectlevel lambda abstraction or set comprehension. We can reduce this burden by usin a technique somewhat similar to the monadic style of functional pro rammin . We de ne a lan ua e of lifted statements as hi herorder operators in Isabelle’s metalo ic. The state type is mentioned once at the top of a lifted statement, and is implicitly passed down to its substatements. We de ne lifted skip and sequential composition statements as follows: Skip = A SkipA
a; b = A a(A); b(A)
We en a e in a sli ht abuse of notation here by overloadin the names of conventional and lifted statements; context will normally distin uish them. The lambda in these de nitions is Isabelle’s metalo ical abstraction. The lifted skip statement takes a set which will form the state type of the conventional skip statement, and the sequential composition statement takes a set which it passes to its substatements. We thus restrict our attention to homo eneous predicate transformers, but that suits our purposes of providin a simple ‘userlevel’ theory of re nement. We usually introduce the state type once at the top of an expression. Lifted equality, re nement, and monotonic predicate transformers are de ned as follows: a =A b = a(A) = b(A) b(A) a A b = a(A) a : MA = a(A) : MA For example, compare the lifted form Skip =A Skip; Skip to its equivalent set transformer statement: SkipA = SkipA ; SkipA . We can see that this mechanism provides a reat economy of notation in the presentation of complex pro rams, and recovers many of the bene ts of implicit typin as seen in simple type theory.
246
Mark Staples
Many re nement statements have operands which we intuitively think of as expressions or conditions, but which we represent as sets. For example, we use sets of states to represent the boolean expression in the uard of the alternation statement, and we use sets of pairs of states to represent the statevalued expression in the state assi nment statement. We can de ne ‘lifted’ versions of these statements which, instead of representin such operands as sets, use metalo ical predicates or functions. We can recover a set from a predicate P by usin set comprehension x : A P (x) , and we can recover an objectlo ic function as setsofpairs from a metalevel function F by usin ZF’s lambda abstraction x : A F (x). Thus our de nitions of lifted alternation and stateassi nment are as follows: if g then a else b = A if x : A g(x) then a(A) else b(A) F = A x : A F (x) A For example, for the followin statement written usin set transformers: if s : N
s = 1 then SkipN else
s:N 1 N
s:N 1 N
we can use our lan ua e of lifted set transformers, and instead write: if s s = 1 then Skip else
4
s 1
N
s 1
Representin Pro ram Variables
Our development so far has been in terms of a completely eneral statetype. Now we impose a structure on our state in order to represent pro ram variables and their values. This allows us to de ne variable assi nment, framed speci cation statements, local blocks, and parameterisation constructs. We represent states as dependent total functions of the form v:V (v) where V is a xed set of variable names, and is a (metalevel) variablename indexed family of types. For variables v not under consideration in a particular development, we underspecify both the type at v and the value of v, i.e. for a state s : v:V (v) we would underspecify both (v) and s‘v. Given a typin , we can recover the state type by usin the abbreviation S V . We also de ne substitution of a new type T for a variable v, and type overridin of a new collection of variable/type pairs S as follows: [T v] = u if(u = v T
S =
4.1
u if(u
(u))
dom(S) S‘u (u))
Atomic Statements
Atomic statements typically use variable names in order to restrict their e ect to chan in the named variables. Assi nment statements update the value of variables in the state functionally, whereas the choose statement and framed
Representin WP Semantics in Isabelle/ZF
247
speci cation statements update the value of variables in a potentially nondeterministic way. A sin levariable assi nment v :=A E chan es the value of a sin le pro ram variable v to the value of an expression E computed in the initial state. Multiplevariable assi nment is similar, but can assi n values to many variables in parallel. − A multiplevariable assi nment M A B contains an expression M which takes a state and returns a new set of variable/value pairs which will override variables in the initial state. We de ne them as follows: v :=A E = q : P(A) s : dom(E) s[E ‘s v ] q − M A = q : P(A) s : dom(M ) s M ‘s q These two forms of variable assi nment are related, i.e. when E is an expression −−−−−−−−−−− s : B v E‘s A . on statetype B, we have: v :=A E = The choose statement terminates and chan es its set of variables to arbitrary welltyped values while leavin other variables unchan ed. It is de ned as follows: Choose(w)A = q : P(A) i : A
o:A
i dsub w = o dsub w
q
The choose statement is like chaos on a set of variables, and we can prove that Chaos V = Choose(V) V . We wouldn’t normally use the choose statement within our userlevel theory of re nement, but we do use it in Sect. 4.2 in our de nition of local blocks. A framed speci cation statement w : [P Q]A has a set of pro ram variables w (the ‘frame’) which can be modi ed by the statement. It is de ned as follows: w : [P
Q]A = q : P(A) i : A i
P o:A o
Q
i dsub w = o dsub w
q
Framed speci cation can also be expressed in terms of the assertion, choose, uardin , and sequential compositions statements, i.e.: w : [P
Q]A = P
A ; Choose(w)A ; (Q)A
From our de nitions it is possible to prove a suite of fairly standard re nement rules [24], but we do not list them here. 4.2
Compound Statements: Localisation
Compound statements typically use pro ram variables to externally hide the e ects that a substatement has on the named variables. For example, local blocks localise the e ect of chan es to declared variables, and parameterisation hides e ects on formal parameters while chan in actual result parameters. As is common in the re nement calculus literature [15], we separate our treatment of parameterisation from procedure calls. This paper does not deal with procedure calls, but they are discussed elsewhere [24]. We de ne our localisation statements (local blocks and parameterisation) in a similar way:
248
Mark Staples
1. store the initial state, 2. initialise the new values for the localised variable(s), 3. execute the localised substatement, and 4. nally restore the ori inal values of the localised variable(s). These localisation statements are homo eneous set transformers which contain a di erentlytyped homo eneous set transformer. Initialisation and nalisation sta es are therefore hetero eneous set transformers. Our development of these statements is, to some extent, based on Pratten’s unmechanised formalisation of local variables [22]. Local blocks take a set of variables w and an statement c formin the body of the block. Our de nition extracts the state type from c as seen before, but we must explicitly supply the external statetype A as an ar ument to the local block. For c : PB , our de nition simpli es to the followin : −−−−− w c end = storeA s Choose(w)B A ; c; s dres w be inA −
A
Presentations of the re nement calculus typically consider three di erent kinds of parameter declaration: value, result, and valueresult [17, 22]. Procedures with multiple parameters are then modelled as a composition of these individual parameterisations. However, this is not an ideal treatment: the evaluation of each parameter ar ument should be done in the same callin state, rather than bein pro ressively updated by each parameter evaluation. We dene a eneric parameterisation statement ParamA (c I F ) which represents a parameterised call to c from a callin type A. Like a multiplevariable assi nment statement, parameterisation updates the value of many variables in parallel. The variables to be updated are contained in the initialisation and nalisation expressions I and F . They represent the interpretation of the actual parameters in the context of some formal parameter declaration, as discussed below in Sect. 5.2. As with local blocks, we extract the state type for the substatement, and supply the external (callin ) type A explicitly. When c : PB , the followin equality holds: ParamA (c I F ) = − storeA i ChaosB A ; I(i)
B ; c;
s:B i
F (s)
A
Parameterisation resembles the local block statement, except for two important di erences. Firstly, for parameterisation, we use the chaos statement to help establish our initial state. This restricts us from usin lobal variables within procedure bodies. This restriction was introduced partly to simplify reasonin about procedure calls, as a procedure body c is de ned only at its declaration statetype B, but the procedure may be called from any external statetype A. Another reason for usin chaos to prevent the use of lobal variables is that otherwise our parameterisation mechanism would model dynamic variablebindin , rather than the kind of static bindin most commonly seen in imperative prorammin lan ua es. A more sophisticated model of parameterisation could include an explicit list of lobal variables to work around these problems. Secondly,
Representin WP Semantics in Isabelle/ZF
249
parameterisation di ers from local blocks because in the nalisation part of parameterisation we don’t simply restore values of localised variables. Instead, we restore the entire initial state except for variables carried in the nalisation expression F . Thus we will be able to chan e the value of variables iven as actual parameters to result or valueresult parameter declarations.
5
Liftin Revisited
In Sect. 3, we developed a lifted lan ua e of typepassin predicate transformers in order to reduce the burden of explicitly annotatin set transformers with their statetypes. Now that we have imposed structure on states to represent named pro ram variables, we can modify our approach to liftin in order to take advanta e of this extra structure. We also de ne a lan ua e of parameter declarations which we can use for our lifted parameterisation statement. 5.1
Pass Typin s, Not StateTypes
In our state representation, the set of variable names V is a constant. We rede ne our lifted lan ua e, so that instead of passin sets in V representin the statetype, we will pass only the typin s . We can reconstruct the state as required. Althou h is not a set, de nin a lifted type S from the typin lan ua e over a family of types presents no problem for Isabelle’s hi herorder metalo ic. In a manner similar to our previous lifted lan ua e, we introduce typin s once at the top of an expression, and implicitly pass them to any component substatements. For example, we can de ne lifted equality, re nement, and monotonic predicate transformers as follows: a = b = a( ) = b( ) b = a( ) b( ) a a : M = a( ) : MSτ We can de ne the lifted skip, sequential composition, state assi nment and alternation statements as follows: Skip = a; b = F = if g then a else b
=
SkipSτ a( ); b( ) F Sτ if s : S
g(s) then a( ) else b( )
Other statements (except localisation statements, which are discussed below) can be lifted similarly. The localisation statements discussed in Sect. 4.2 have substatements which act on a di erent statetype to the external statetype. Hence, we cannot simply pass the external typin to the substatement. Instead we use type declarations
250
Mark Staples
for localised variables to modify the typin which we implicitly pass to substatements. For local blocks, we can declare a set of variables and their new types. We will model these declarations as a function from the local variables to their types. Hence the domain of this set will be the set of names of the local variables. We pass the external typin overwritten with the declaration types. Our de nition of lifted local blocks is as follows: −−−−− be inSτ dom(D) c(
be in D c end =
D) end
The e ect of the modi ed typin environment can be seen in the followin renement monotonicity theorem: a : M D b : M D a D b be in D a end be in D b end When we re ne a block usin this theorem, the internal typin for the re nement of the body of the block is automatically calculated. As a concrete example of the lifted syntax for blocks, consider the followin unsu ared re nement step, which is readily proved for a n V with a = n, and (a) = N : a : [ s true be in
n N
s s‘a = X
Y]
a n : [ s true
s s‘a = X
Y ] end
Note that in this block statement the declaration is a sin leton set containin a the local variable name n paired with its type. Inside the block, n has been added to the frame of the speci cation statement. 5.2
Liftin Parameterisation
We can lift the parameterisation statement by usin a sli ht complication to the eneral scheme. A procedure body is de ned at its declaration type and not at its various callin types. Instead of passin the current typin at execution, we must pass the xed typin at declaration to the parameterised statement. For a iven declaration typin S, we de ne the lifted parameterisation statement as follows: PARAM(c S I F ) =
ParamSτ (c(S) I F )
The PARAM(c S I F ) statement is a eneral form of parameterisation. It uses initialisation and nalisation expressions embodyin parameter declarations which have already been resolved. In the remainder of this section, we rst describe a syntax for parameter declarations, and then show how to determine the declaration typin S and the initialisation and nalisation expressions I and F.
Representin WP Semantics in Isabelle/ZF
251
Formal and Actual Ar ument Syntax We consider three types of parameterisation common in the re nement literature: value, result, and valueresult [15]. We de ne a collection of uninterpreted constants to use as syntactic abbreviations for declarin each kind of formal parameter declaration: value v : T , result v : T and valueresult v : T . The formal ar uments of a procedure are represented by a list of these formal parameters. An actual parameter is represented by the operator Ar a, where a is a metalevel function representin an expression. For value parameters, this will be a normal expression, and for result and valueresult parameters, this will be a constant expression returnin a pro ram variable. The actual ar uments to a procedure are represented by a list of these actual parameters. Interpretin Parameter Declarations We de ne three operators for interpretin lists of parameter declarations D iven a typin at declaration and actual ar ument list a: a declaration typin operator TD , and initialisation and nalisation operators ID and F D . Parameterised statements c are then interpreted as PARAM(c TD ID F D ). TD determines the typin internal to the declaration. Where decl is any of our three forms of formal parameter declaration, we have:
T(decl
T[] = v:T )::l = Tl
[T v]
ID determines the initialisation expression. It takes the state s outside the procedure call, so that actual ar uments can be evaluated. Value parameters evaluate an expression which is substituted for the formal parameter, and valueresult parameters take the value of variable iven as the actual ar ument and substitute it for the formal parameter:
I(value v:T )::dl (Ar I(result v:T )::dl (Ar I(valueresult v:T )::dl (Ar
I[] [] = s ):: l = s ):: l = Idl ):: l = s
v a(s)
Idl l(s)
l
v s‘a(s)
Idl l(s)
FD determines the nalisation expression. It takes a state s outside the procedure call, so that actual variable ar uments can be updated. Result and valueresult parameters update the value of the variable iven as the actual ar ument with the value of the formal parameter:
F (value F (result F (valueresult
v:T y)::dl (Ar v:T y)::dl (Ar v:T y)::dl (Ar
F [] [] = s ):: l = F dl ):: l = s ):: l = s
l
a(s) s‘v a(s) s‘v
F dl F dl
l (s) l (s)
252
Mark Staples
For example, assume we have a simple procedure declared (at a typin follows:
) as
procedure P ([value a : A result b : B valueresult c : C]) = Body Here a, b and c are variables in V. Now, consider the followin procedure call: P ([Ar
s
(s) Ar
s
Ar
s γ])
Here is an expression of type A, and , and γ are pro ram variables in V, with s‘ : B and s‘γ : C. This procedure call can be expanded to the followin parameterised statement: PARAM(Body
[C c][B b][A a]
s a
(s)
c s‘γ
s
s‘b
γ s‘c )
Note that the value parameters a and c are updated in the initialisation expression, and the result ar uments and γ are updated in the nalisation expression. In an actual pro ram re nement this expanded form of procedure call need not be seen by the developer, as it is built into the de nition of procedure declaration. Our treatment of procedure and recursive procedure declarations is described further elsewhere [24].
6
Conclusions
Re nement lan ua es are more di cult to formalise than ordinary pro rammin lan ua es. Durin pro ram re nement, a developer may want to introduce a local variable (whether initialised or not) whose values will come from some new abstract type. In advance of performin a re nement we may not know which types we will use, and so our type universe can’t be xed ahead of time. For statements actin on completely eneral statetypes, our approach and de nitions follow A erholm’s mechanisation for pro ram veri cation [2] and the Re nement Calculator project [28], both in the HOL theorem prover [11]. Their representation of states uses a polymorphic product of values, where ‘variable names’ are projection functions from the tuple. So, they do not have a type of all variable names. A limitation of their approach is that procedure call rules must be reproved for every procedure at each of their callin statetypes [27]. The approach outlined in this paper does not su er from this problem. We make e ective use of the expressiveness of Isabelle/ZF’s set theory to model states, but ZF set theory brin s with it the disadvanta e that we must explicitly bound set comprehensions and lambda abstractions. This means that state types must appear as operands in our de nition of set transformers. In order to miti ate a ainst this syntactic overhead, we have been able to use Isabelle’s hi herorder metalo ic to abstract the state type (or in Sect. 5, the typin ). This kind of technique may be able to be used in other settin s. For example, explicitly typed type theories may, in a similar way, be able to abbreviate fra ments of their theory correspondin to simple type theory.
Representin WP Semantics in Isabelle/ZF
253
Kleymann [12], in the context of machinechecked proofs of soundness and completeness results for pro ram veri cation, reports a representation of states similar to ours. Instead of usin an untyped set theory, Kleymann uses the rich type theory provided by the Lego proof tool. Pratten [22] and von Wri ht [26] also use an approach somewhat similar to ours. However, they use a constant lobal variable typin which does not, for example, chan e within the scope of a local block. Our statements depend on a state type operand, so we can chan e the state type under consideration when we enter a local block, or when we call a parameterised procedure. We represent states as total functions from variables, and have not as yet investi ated the use of partial dependentlytyped functions. This mi ht facilitate reasonin about the limits of variable sharin for the parallel composition of statements.
Acknowled ments Comments from anonymous referees have helped to improve this paper.
References [1] J. R. Abrial. The B Book: Assi nin Pro rams to Meanin s. Cambrid e University Press, 1996. [2] S. A erholm. Mechanizin pro ram veri cation in HOL. Master’s thesis, Computer Science Department, Aarhus University, April 1992. [3] R. J. R. Back. On the correctness of re nement steps in pro ram development. Technical Report A19784, Abo Akademi University, 1978. [4] R. J. R. Back. A calculus of re nements for pro ram derivations. Acta Informatica, 25:593 624, 1988. [5] R. J. R. Back and J. von Wri ht. Re nement calculus, part I: Sequential nondeterministic pro rams. In J. W. de Bakker, W. P. de Roever, and G. Rozenber , editors, Stepwise Re nement of Distributed Systems, volume 430 of LNCS, pa es 42 66. Sprin erVerla , 1989. [6] R. J. R. Back and J. von Wri ht. Re nement concepts formalized in hi her order lo ic. Formal Aspects of Computin , 2(3):247 272, 1990. [7] Richard Boulton, Andrew Gordon, Mike Gordon, John Harrison, and John Herbert. Experience with embeddin hardware description lan ua es. In Proceedin s of the IFIP TC10/WG 10.2 International Conference on Theorem Provers in Circuit Desi n: Theory, Practice and Experience, volume A10 of IFIP Transactions, pa es 129 156. NorthHolland/Elsevier, June 1992. [8] D. Carrin ton, I. Hayes, R. Nickson, G. Watson, and J. Welsh. Re nement in Er o. Technical Report 9444, Software Veri cation Research Centre, The University of Queensland, July 1995. [9] E. W. Dijkstra. A Discipline of Pro rammin . Prentice Hall, 1976. [10] M. Gordon, R. Milner, and C. Wadsworth. Edinbur h LCF: A Mechanised Lo ic of Computation, volume 78 of LNCS. Sprin erVerla , 1979. [11] M. J. C. Gordon and T. F. Melham, editors. Introduction to HOL: A theorem provin environment for hi her order lo ic. Cambrid e University Press, 1993.
254
Mark Staples
[12] Thomas Kleymann. Hoare Lo ic and VDM: MachineChecked Soundness and Completeness Proofs. PhD thesis, Laboratory for Foundations of Computer Science, The University of Edinbur h, September 1998. [13] J. Knappmann. A PVS based tool for developin pro rams in the re nement calculus. Master’s thesis, ChristianAlbrechtsUniversity of Kiel, October 1996. [14] R. Milner, M. Tofte, and R. Harper. The De nition of Standard ML. The MIT Press, 1990. [15] Carroll Mor an. Procedures, parameters, and abstraction: Separate concerns. Science of Computer Pro rammin , 11(1):17 28, 1988. [16] Carroll Mor an. The speci cation statement. ACM Transactions on Pro rammin Lan ua es and Systems, 10(3):403 419, July 1988. [17] Carroll Mor an. Pro rammin from Speci cations. PrenticeHall International, 2nd edition, 1994. [18] J. M. Morris. A theoretical basis for stepwise re nement and the pro rammin calculus. Science of Computer Pro rammin , 9(3):287 306, December 1987. [19] R. G. Nickson and L. J. Groves. Metavariables and conditional re nements in the re nement calculus. Technical Report 9312, Software Veri cation Research Centre, The University of Queensland, 1993. [20] L. C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of LNCS. Sprin erVerla , 1994. [21] H. Pfeifer, A. Dold, F. W. von Henke, and H. Rue . Mechanised semantics of simple imperative pro rammin constructs. Technical Report UIB9611, Universit¨ at Ulm, December 1996. [22] Chris H. Pratten. Re nement in a Lan ua e with Procedures and Modules. PhD thesis, Department of En ineerin and Computer Science, University of Southampton, June 1996. [23] Mark Staples. Window inference in Isabelle. In L. Paulson, editor, Proceedin s of the First Isabelle User’s Workshop, volume 379, pa es 191 205. University of Cambrid e Computer Laboratory Technical Report, September 1995. [24] Mark Staples. A Mechanised Theory of Re nement. PhD thesis, Computer Laboratory, University of Cambrid e, November 1998. Submitted. [25] M. Uttin and K. Whitwell. Er o user manual. Technical Report 9319, Software Veri cation Research Centre, The University of Queensland, February 1994. [26] J. von Wri ht. The lattice of data re nement. Acta Informatica, 31, 1994. [27] J. von Wri ht. Verifyin modular pro rams in HOL. Technical Report 324, University of Cambrid e Computer Laboratory, January 1994. [28] J. von Wri ht. A Mechanised Calculus of Re nement in HOL, January 27, 1994.
A HOL Conversion for Translating Linear Time Temporal Logic to Automata Klaus Schneider and Dirk W. Hoffmann University of Karlsruhe, Department of Computer Science, Institute for Computer Design and Fault Tolerance (Prof. D. Schmid), P.O. Box 6980, 76128 Karlsruhe, Germany, {Klaus.Schneider, Dirk.Hoffmann}@informatik.unikarlsruhe.de, http://goethe.ira.uka.de/
Abstract We present an embedding of linear time temporal logic LTL in HOL together with an elegant translation of LTL formulas into equivalent automata. The translation is completely implemented by HOL rules and is therefore safe. Its implementation is mainly based on preproven theorems such that the conversion works very efficiently. In particular, it runs in linear time in terms of the given formula. The main application of this conversion is the sound integration of symbolic model checkers as (unsafe) decision procedures in the HOL theorem prover. On the other hand, the conversion also enables HOL users to directly verify temporal properties by means of HOL’s induction rules.
1 Introduction Specifications of reactive systems such as digital hardware circuits are conveniently given in temporal logics (see [1] for an survey). As the system that is to be checked can be directly viewed as a model of temporal logic formulas, the verification of these specification is usually done with socalled model checking procedures which have found a growing interest in the past decade. Tools such as SMV [2], SPIN [3], COSPAN [4], HSIS [5], and VIS [6] have already found bugs in realworld examples [7, 8, 9] with more than 1030 states. While this is an enormous number for controloriented systems, this number of states is quickly exceeded if data paths are involved. In these cases, the verification with model checking tools often suffers from the socalled stateexplosion problem which roughly means that the number of states grows exponentially with the size of the implementation. For this reason, we need interactive theorem provers such as HOL [10] for the verification of systems that are build up from control and data paths. However, if lemmata or specifications about the control flow are to be verified which do not affect the manipulation of data, then the use of a model checker is often more convenient, whereas the HOL proofs are timeconsuming and tedious. This is even more true, if the verification fails and the model checker is able to present a counterexample. Therefore, it is a broadly This work has been financed by DFG project ‘Verification of embedded systems’ and the ESPRIT LTR Project 26241 (Prosper). Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 255–272, 1999. c SpringerVerlag Berlin Heidelberg 1999
256
Klaus Schneider and Dirk W. Hoffmann
accepted claim that neither the exclusive use of model checkers nor the exclusive use of theorem provers is sufficient for an efficient verification of entire systems. Instead, we need a combination of tools of both categories. For this reason, the integration of model checkers as (unsafe) tactics of the theorem prover are desirable. We use the notion ‘unsafe’ to indicate that the validity of the theorem has been checked by an external tool that is trusted, i.e., the validity is not checked by HOL’s rules. The HOL theorem prover has already some builtin decision procedures as e.g. ARITH_CONV, but a decision procedure for temporal logics, and even more an embedding of temporal logic at all is currently missing, although there is a longterm interest of the HOL users in temporal logic. In fact, one main application of the HOL system is the verification of concurrent systems (cf. the aim of the Prosper project http://www.dcs.gla.ac.uk/prosper). Other theorem provers for higher order logic such as PVS have already integrated model checkers [11]. For a sound integration of a model checker in the HOL theorem prover, we have to address the problem that we must first embed a temporal logic in the HOL logic. The effort of such an embedding depends crucially on the kind of temporal logic that is to be embedded. In general there are linear time and branching time temporal logics. Linear time temporal logics LTL state facts on computation paths of the systems, i.e., (where repsubformulas of this logic are viewed as HOL formulas of type resents the type of natural numbers and the type of Boolean values). Branching time temporal logics, as, e.g., CTL* [12] can moreover quantify over computation paths, i.e., they can express facts as ‘for all computation paths leaving this state some linear time property holds’ or ‘there is a computation path leaving this state that satisfies some linear time property’. We will see in the following that the embedding of LTL is straightforwardly done in HOL since we only have to define the temporal operators as functions that are applied . Embeddings of branching time temporal logics would on arguments of type additionally require to formalize the computation paths of the system under consideration and therefore cause much more effort. This is the reason why we have decided to embed LTL in HOL instead of the more powerful logic CTL*. Unfortunately the most efficient model checking tools, namely symbolic model checkers such as SMV, are not able to directly deal with LTL specifications. Instead, they are only able to handle a very restricted subset of CTL* called CTL [13] which is a subset of the alternation free calculus. For this reason, model checking can be reduced to the computation of fixpoints. Hence, the use of symbolic model checking procedures as decision procedures for LTL formulas in HOL requires the conversion of the LTL formulas into a format that the model checker can handle. In general, it is not possible to translate LTL to CTL, although there are some fragments of LTL that allow this [14]. However, it is wellknown that LTL can be translated to finitestate automata so that verifying an LTL formula is reduced to a language containment problem. The latter can be presented as a fixpoint problem that can be finally solved with a symbolic model checker. Therefore, the contribution of this paper is twofold: first, we present an embedding of LTL together with a large theory of preproven theorems that can be used for various purposes. The verification of specifications given in this temporal logic can be veri
B
N
B
N
B
N
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
257
fied with traditional means in HOL and is then not limited to propositional temporal logic. For example it also allows the verification of properties as the ones given in [15]. Second, we have implemented a transformation of LTL into a generalized form of nondeterministic Büchi automata in the form of a HOL conversion. It is to be noted that the implementation only makes use of primitive HOL rules and is therefore save (i.e., the mk_thm function is not used). Using this conversion, we can translate each LTL formula into an equivalent automaton and have then the choice to verify the remaining property by means of traditional HOL tactics or by calling a model checker such as SMV. An implementation of the theory and the conversion is freely available under http://goethe.ira.uka.de/~schneider/. The paper has the following outline: in the next section, we list some related work done in the HOL community and discuss then several approaches for the translation of LTL into finite state automata that have been developed outside HOL. In Section 4, we present our embedding of LTL and the description of automata in HOL. Section 5 describes the algorithm for transforming LTL formulas into generalized Büchi automata and Section 6 explains the application of the work within the Prosper project1 . The paper then ends with some conclusions.
2 Embedding Temporal Logic and Automata in HOL Pioneering work on embedding automata theory in HOL has been done by Loewenstein [16, 17]. Schneider, Kumar and Kropf [18] presented nonstandard proof procedures for the verification of finite state machines in HOL. A HOL theory for finite state automata for the embedding of hardware designs has been presented by Eisenbiegler and Kumar [19]. Schneider and Kropf [20] presented a unified approach based on automatonlike formulas for combining different formalisms. In this paper, we have, however, no real need for an automata theory and have therefore taken a direct representation of automata by means of HOL formulas similar to [20] as given in section 4.2. In the domain of temporal logics, Agerholm and Schjodt [21] were the first who made a model checker available for HOL. Von Wright [22] mechanized TLA (Temporal Logic of Actions) [23] in HOL. Andersen and Petersen [24] have implemented a package for defining minimal or maximal fixpoints of Boolean function transformers. As applications of their work, they embedded the temporal logic CTL [13] and Unity [25] in HOL which enables them to reason about Unity programs in HOL [26, 27] (which was their primary aim). However, none of the mentioned authors considered the temporal logic LTL, although this logic is often preferred in specification since it is known to be a very readable temporal logic. Therefore, the work that comes closest to the one presented here is probably done by Schneider [28] (also [20]) who presented a subset of LTL that can be translated to deterministic automata by means of closures. This paper presents however another approach to translate full LTL to automata, but can be combined with the approach of [28] to reduce the number of states of the automaton [29]. 1
http://www.dcs.gla.ac.uk/prosper
258
Klaus Schneider and Dirk W. Hoffmann
3 Translating Linear Time Temporal Logic to
Automata
In this section, we discuss the state of the art of the translation of LTL formulas to automata. Introductions to temporal logics and automata are given in [1] and [30], respectively. Translations of LTL to automata has been studied in a lot of papers. Among the first ones is the work of Lichtenstein and Pnueli [31, 32] and those of Wolper [33, 34]. These procedures explicitly construct an automaton whose states are sets of subformulas of the given LTL formula. Hence, the number of states of the obtained automaton is of order 2O(n) where n is the length of the considered LTL formula. Hence, also the translation procedure for converting a given LTL formula to an equivalent automaton is of order 2O(n) . Another approach for translating LTL into automata has been given in [35]. There, a deterministic Muller automaton is generated by a bottomup traversal through the syntax tree of the LTL formula. Boolean connectives are reduced to closures under complementation, union and intersection of the corresponding automata. The closure under temporal operators is done by first constructing a nondeterministic automaton that is made deterministic afterwards. Clearly, this approach suffers from the high complexity of the determinization algorithm which has to be applied for each temporal operator. Note that the determinization of automata is much more complex than the determinization of finitestate automata on finite words: while for any nondeterministic automaton on finite words with n states there is an equivalent one with 2O(n) states, it has been proved in [36] that the optimal bound for automata is 2O(n log(n)) . An elegant way for translating LTL into automata by means of alternating automata has been presented in [37]. Similar to the method presented in this paper, the translation with alternating automata runs in linear runtime and space (in terms of the length of the given LTL formula), but the resulting alternating automata cannot be easily handled with standard model checkers. Therefore, if we used this conversion, we would need another translation from alternating automata to traditional automata with an exponential blowup. The translation procedure we use neither needs to determinize the automata nor is it based on alternating automata. Its runtime is nevertheless very efficient: we can translate any LTL formula of length n in time O(n), i.e., in linear runtime in an automaton with 2O(n) states. The trick is not to construct the automaton explicitly, since this would clearly imply exponential runtime. The translation goes back to [38] where it has been used for the implementation of a LTL frontend for the SMV model checker. In [39] it is shown that this translation can even be generalized to eliminate linear time operators in arbitrary temporal logic specifications so that even a model checking procedure for CTL* can be obtained.
4 Representing
Automata and Temporal Logic in HOL
The translation procedure that we use is a special case of the product model checking procedure given in [39] and has been presented in [38]. We first give the essential idea of the translation procedure and its implementation as a HOL conversion and give then the details of the LTL embedding and the formal presentation of the translation procedure.
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
259
The first step of the translation procedure is the computation of a ‘definitional normal form’ for a given LTL formula , which looks in general as given below: n 1
=
n
Ψ
=1
contains exactly one temporal operator which is the toplevel In the above formula, contains only the variables that occur in plus the varioperator of . Moreover, ables 1 ,. . . , −1 . Ψ is a propositional formula that contains the variables 1 ,. . . , n and the variables occurring in , so that could be obtained from Ψ by replacing the variables 1 ,. . . , n with 1 ,. . . , n , respectively, in this order. The computation of this normal form is essentially done by the function tableau that is given in Figure 2. The equivalence between the above normal form and the original formula can be proved by a very simple HOL tactic. One direction is proved by stripping away all quantifiers and the Boolean connectives so that a rewrite step with the assumptions proves the goal. The other direction is simply obtained by instantiating the witnesses , respectively. In HOL syntax, the tactic is written as follow: EQ_TAC THENL [REPEAT STRIP_TAC MAP_EVERY EXISTS_TAC [ THEN ASM_REWRITE_TAC[]
1
n ]]
Having computed this normal form and proven the equivalence with our original formula , we then make use of preproven theorems that allow us to replace the ‘definitions’ = by equivalent nondeterministic automata2. Repeating this substitution, we finally end up with a product automaton, whose initial states are determined by Ψ , and whose transition relation and acceptance condition is formed by the equations = . 4.1 Representing Linear Time Temporal Logic in HOL We now present the formal definition of the linear time temporal logic that is considered in this paper. After defining syntax and semantics of the logic, we also present how we have embedded the logic in a very simple manner in the HOL logic. So, let us first consider the definition of the linear time temporal logic LTL. Definition 1 (Syntax of LTL). The following mutually recursive definitions introduce the set of formulas of LTL over a given set of variables V : – each variable in V is a formula, i.e., V – , , LTL if LTL LTL – X , [ U ] LTL if 2
LTL
See http://goethe.ira.uka.de/~schneider/my_tools/ltlprover/Temporal_Logic.html.
260
Klaus Schneider and Dirk W. Hoffmann
Informally, the semantics is given relative to a considered point of time t0 as follows: Xa holds at time t0 iff a holds at time t0 + 1; [a U b] holds at time t0 iff there is a point of time t + t0 in the future of t0 where b becomes true and a holds until that point of time. For a formal presentation of the semantics, we first have to define models of the temporal logic: Given a set of variables V , a model for LTL is a function of type (V ) where (M ) denotes the powerset of a set M . The interpretation of formulas is then done according to the following definition.
N
Definition 2 (Semantics of LTL). Given a finite a set of variables V and a model (V ). Then, the following rules define the semantics of LTL: :
N
– – – – – –
(0) = x iff x = iff = = iff = and = = iff = or = = X iff t (t+1) = such that t = [ U ] iff there is a that t (t+d) =
N
(t+ )
=
and for all d
it holds
As a generalization to the above definition, temporal logics such as LTL are often interpreted over finite state Kripke structures. These are finite state transition systems where each state is labeled with a subset of variables of V . To interpret a LTL formula along a path of such a Kripke structure, the above definition is used. As it is however easily possible to define a set of admissible paths in the form of a finite state transition system (similar to our representation of finitestate automata as given below), we can ‘mimic’ Kripke structures easily in HOL without the burden of deepembedding Kripke structures. x for all It is also easily seen that we can consider the projections x := t (t) (V ) itself. Using these projections, variables x V instead of the path : (t) we can reestablish the path as := t x2V x . Hence, it is only a matter of taste whether we use the path or its projections x as a model for the LTL logic. Using the projections directly leads to our HOL representation of LTL formulas: We . represent variables of LTL in the HOL logic directly as HOL variables of type So this simplification of the semantics allows a very easy treatment of LTL in HOL that even circumvents a deepembedding of the LTL syntax at all. With this point of view, we have the following definitions of temporal operators, i.e., the embedding of LTL, in HOL:
N
N B
Definition 3 (Defining Temporal Operators in HOL). The definition of temporal op): erators X and U in HOL is as follows (for any p q :
N B
– Xp := t p(t+1) – [p U q] := t q (t+
N
Note that X is of type ( ) ( ).
B
N B
)
p(t+
dd
B)
N
(
)
q (t+
)
B) and U is of type (N
B)
N
(
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
261
Clearly, it is possible and desirable to have more temporal operators that describe other temporal relationships as the ones given above. We found that the following set of temporal operators turned out to be adequate for practical use and have therefore added these operators to our LTL theory: Gp = t d p(t+d) Fp = t d p(t+d) [p U q] = t [Fp](t) [p B q] = [p B q] = [p W q] = [p W q] =
t t t t
p(t+d) dd p(t+d) dd
[p U q]
(t)
dd q
(t+d)
q
[Fp](t)
(t+d)
dd q (t+d)
Gp(t)
q (t+d) dd q (t+ ) q (t+d) p(t+d) q (t+d)
p(t+d)
G, F, and [ U ] are the usual always, eventually, and until operators, respectively. There are some remarkable properties that can be found in our HOL theory on temporal operators. For example, we can compute a negation normal form NNF( ) of a formula by the following equations: [Gp](t) = [F[ t p(t) ]](t) [Fp](t) = [G[ t p(t) ]](t) [p U q](t) = [ t p(t) ] B p (t)
[p U q]
(t)
= [ t p(t) ] W p
(t)
= [ t p(t) ] W p
[p W q]
= [ t p(t) ] B p
[p W q]
(t)
[p B q](t) = [ t p(t) ] U p
(t)
[p B q]
(t)
= [ t p(t) ] U p
(t) (t)
(t) (t)
Also, it is shown that any of the binary temporal operators can be expressed by any other binary temporal operator. Hence, we could restrict our considerations, e.g., to the temporal operators X and U and use the following reduction rules: (t)
Gp = t [ t T] U [ t p(t) ] Fp = [p U [ t T]] [p U q] = t [p U q](t) [Gp](t) [p B q] = t
[ t p(t) ] U q
(t)
[p W q] = t [ t q (t) ] U [ t p(t)
q (t) ]
[p W q] = t [ t q (t) ] U [ t p(t)
q (t) ]
[p B q] = t
(t)
[ t p ]Uq
(t)
(t) (t)
[G[ t q (t) ]](t)
[Fp](t)
Note, however, that the computation of the negation normal NNF( ) of a formula form as given above reintroduces the B operator, so that we deal with X, U, and B in the following. 4.2 Representing Automata in HOL Let us now consider how we represent automata in HOL. In general, an automaton consists of a finite state transition system where transitions between two states are enabled if a certain input is read. A given sequence of inputs then induces one or more
262
Klaus Schneider and Dirk W. Hoffmann
sequences of states that are called runs over the input word. A word is accepted iff there is a run for that word satisfying the acceptance condition of the automaton. Different kinds of acceptance conditions have been investigated, consider e.g. [30] for an overview. The representation of an automaton as a formula in HOL is straightforward: We encode the states of the automaton by a subset of n . Hence, a run is encoded by a qn which are all of type . Similarly, finite number of state variables q0 xm )) and we encode the input alphabet by a subset of m (or isomorphic ( x0 xm of type . Then, we represent an input sequences with variables x0 automaton as a HOL formula of the following form:
B
B
qn (0) I (q0
q0
N
B
B
(0)
(t)
qn )
(t)
(t)
qn x0 t R (q0 qn ) F (q0 (0) I (q0 (0) q0
N
(t)
(t+1)
xm q0
(t+t)
qn
)
(0)
qn ) is thereby a propositional formula where only the atomic formulas may occur. I represents the set of initial states of the automaton. Any (0) (0) qn that satisfies I is an initial state of the valuation of the atomic formulas q0 n bn ) automaton. Hence, the set of initial states is the set of Boolean tuples (b0 such that I (b0 bn ) is equivalent to T. (0) qn
B
(t)
Similarly, R ( ) is a propositional formula where only the atomic formulas q , (t+1) may occur. R represents the transition relation of the automaton as x , and q n bn ) to the state (b00 b0n ) follows: there is a transition from state (b0 n m 0 for the input (a0 am ) , iff R (b0 b n a0 am b0 b0n ) is equivalent to T. qn ) is the acceptance condition of the automaton. Note that R may F (q0 be partially defined, i.e., there may be input sequences x that have no run through the transition system, i.e., the formula may not be satisfied even without considering the acceptance condition. In general, the following types of acceptance conditions are distinguished, where all formulas k , Ψk are propositional formulas over (t +t ) (t +t ) qn 1 2 : q0 1 2 (t)
B
B
B
Büchi: t1 t 2 0 a Generalized Büchi: k=1 [ t1 t2 a Streett: k=1 [ t1 t2 a Rabin: k=1 [ t1 t2
k] k] k]
[ t1 t2 Ψ k ] [ t1 t2 Ψ k ]
It can be shown that the nondeterministic versions of the above automata have the same expressive power [30]. Therefore, we could use any of them for our translation. In the following, we focus on generalized Büchi automata. It will become clear after the next section, why this kind of automaton is an appropriate means for a simple translation of temporal logic inside HOL.
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
263
a
∗ ∗
{}
{p} ¬a
∗ {q}
{p, q} ∗
Fig.1. An example automaton As an example of the representation of an automaton, consider Figure 1. This automaton is represented by the following HOL formula: p:
N B p(0) t t1
q: q (0)

N B
(p(t) p(t+1) ) (p(t+1) p(t) q (t) ) (t+1) (t) (t) (t) (t) = (p q a ) (p q (t) )) (q t2 p(t1 +t2 ) q (t1 +t2 )
This means that the only initial state is the one where neither p nor q does hold (drawn with double lines in figure 1). The transition relation is simple as given in figure 1. The acceptance condition requires that a run must visit infinitely often the state where p holds, but q does not hold. Hence, any accepting run starts in state and must finally loop in state p so that the automaton formula is equivalent to t1 t2 a(t1 +t2 ) .
5 The Tableau Procedure Several tableau procedures have been designed for various kinds of logics, e.g., first order logic, calculi, and, of course, temporal logics. While the standard tableau procedure for LTL has been presented in [33, 34], we follow the procedure given in [38]. This works roughly as follows: for each subformula that starts with a temporal op: erator and contains no further temporal operators, a new state variable is generated. On each path, the state transitions of the automaton should be such that exactly behaves like the subformula does, hence = must hold the variable along each path. By applying the substitution of subformulas recursively, we can re= i I and some duce a given LTL formula to a set of equations E = ( = Ψ ) is valid. Clearly, if propositional formula Ψ such that 2I G[ = ] in Ψ , we obtain the original formula Ψ again we resubstitute the variables by (syntactically). In the following, we simplify the syntax to obtain more readable formulas: we neglect applications on time and abstraction of the time variable. For example, we write (t) [ t p(t) ] U q [Fp](t) . It is clear from the con[[ p] U q] [Fp] instead of t text, where applications on time and abstractions should be added to satisfy the type rules.
N
B
264
Klaus Schneider and Dirk W. Hoffmann
To illustrate the computation of the ‘definitional normal form’, consider the formula (FGa) (GFa). The construction of E and Ψ results in E = 1 = Ga 2 = F 1 3 = Fa 4 = G 3 and Ψ = 2 4 . The essential step is now to construct a transition relation out of E for an automaton with the state variables such that each behaves as . This is done by the characterization of temporal operators as fixpoints as given in the next theorem. Theorem 1 (Characterizing Temporal Operators as Fixpoints). The following formulas are valid, i.e., they hold on each path: G[y G[y G[y G[y G[y
= a Xy] = G[y = Ga] G[y = F] = a Xy] = G[y = Fa] G[y = T] = (b a Xy)] = G[y = [a W b]] G[y = [a W b]] = b a Xy] = G[y = [a U b]] G[y = [a U b]] = b (a Xy)] = G[y = [a B b]] G[y = [a B b]]
Hence, each of the equations y = a Xy, y = a Xy, y = ( b a Xy), y = b a Xy, and y = b (a Xy), has exactly two solutions for y. The following formulas are also valid and show how one of the two solutions of the above fixpoint equations can be selected with different fairness constraints: G[y G[y G[y G[y G[y G[y G[y G[y
= Ga] = G[y = a Xy] GF[a y] = Fa] = G[y = a Xy] GF[y a] = [a W b]] = G[y = ( b a Xy)] GF[y b] a Xy)] GF[y b] = [a W b]] = G[y = ( b = [a U b]] = G[y = b a Xy] GF[y a b] a b] = [a U b]] = G[y = b a Xy] GF[ y = [a B b]] = G[y = b (a Xy)] GF[y a b] = [a B b]] = G[y = b (a Xy)] GF[ y a b]
N B
(t) by : t (t) , If we define an ordering relation on terms of type then we can also state that Ga is the greatest fixpoint of fa (y) := a Xy, and so on. Consequently, the above theorem characterizes each temporal operator as a least or greatest fixpoint of some function. As can be seen, the strong and weak binary temporal operators satisfy the same fixpoint equations, i.e., they are both solutions of the same fixpoint equation. Furthermore, the equations of the first part show that there are exactly two solutions of the fixpoint equations. The strong version of a binary operator is the least fixpoint of the equations, while the weak version is the greatest fixpoint. Hence, replacing an equation as, e.g., = [a U b] by adding = b a X to the transition relation fixes such that it behaves either as [a U b] or [a U b]. Moreover, the formulas of the second part of the above theorem show how we can assure that the newly generated variables can be fixed to be either the strong or the weak version of an operator by adding additional fairness constraints. These fairness constraints distinguish between the two solutions of the fixpoint equation and select safely one of both solutions.
A HOL Conversion for Translating Linear Time Temporal Logic to Automata function tableau( ) case of s_prop( ) : return ( : (E1 1 ) return (E1 : (E1 1 ) return (E1 : (E1 1 ) return (E1 X : (E1 1 ) return (E1 [ B ] : (E1 1 ) return (E1 [ U ] : (E1 1 ) return (E1
); tableau( 1 ); tableau( E2 1 tableau( E2 1 tableau( =X tableau( E2 tableau( E2
265
); ); (E2 1 ) tableau( 1 ); ); (E2 1 ) tableau( 1 ); ); = new_var; ); 1 ); (E2 1 ) tableau( = [ 1 B 1 ] ); ); (E2 1 ) tableau( = [ 1 U 1 ] );
); );
); = new_var; ); = new_var;
function trans( ) case of =X : return = X ; =[ B ] : return = ( X ); = [ U ] : return = X ; function fa r( ) case of =X : return T; =[ B ] : return GF( = [ U ] : return GF( function Tableau( ) ( 1= 1 n = n n trans( ); R := =1 n fa r( ); F := =1 return A ( 1 b
);
);
) := tableau(NNF( ));
R
F );
Fig.2. Algorithm for translating LTL to automata It is clear that the equations in the second part of the theorem tell us how to replace by an equivalent automaton. For example, the definition 1 = the definitions = Ga is replaced with the formula: [ t
(t) 1
= a(t)
(t+1) ] 1
t1 t2 a(t1 +t2 )
(t1 +t2 ) 1
As the introduced variables occur under an existential quantifier, this formula corresponds directly to a generalized Büchi automaton. Hence, the following theorem holds: Theorem 2 (Translating LTL to Automata). For the algorithm given in Figure 2, the following holds for any LTL formula and for (E Ψ ) = tableau( ):
266
Klaus Schneider and Dirk W. Hoffmann
– E O( ) and Ψ + O( ), which implies linear runtime in = 2E terms of of tableau( ) – Ψ is a propositional formula = E, is a formula with exactly one temporal operator that – for each occurs on top of – contains at most the variables that occur in plus the variables 1 ,. . . , −1 – = 1 ] n Ψ 2I G[ = The result of the function Tableau results in an equivalent generalized Büchi automa) and acceptance ton with the initial states Ψ , transition relation = 2E trans( fa r( ). condition = 2E The construction yields in an automaton with 2O(j j) states and an acceptance condition of length O( ). Note that the constructed automaton is in general nondeterministic. This can not be avoided, since deterministic Büchi automata are not as expressive as nondeterministic ones [30]. For our example FGa GFa, we derive the following automaton: 1 2 3 4 (0) (0) 2 4 (t) (t+1) (t) (t) 1 =a 1 2 = t (t) (t+1) (t) (t) = a 3 3 4 = (t1 +t2 ) (t1 +t2 ) t 1 t2 a 1
t 1 t2
(t1 +t2 ) 3
(t) 1 (t) 3
a(t1 +t2 )
(t+1) 2 (t+1) 4 (t +t ) t1 t 2 2 1 2 (t +t ) t1 t 2 3 1 2
(t1 +t2 ) 1 (t1 +t2 ) 4
As another example, consider the translation of a property that is to be verified for the single pulser circuit [40]: G[ i
Xi
X ([o B ( i
Xi)]
[o W ( i
Xi)])]
The formula specifies that after a rising edge of the input i, the output o must hold at least once before or at the time where the next rising edge of i occurs. The translation begins with the abbreviation of the subformulas starting with temporal operators. We obtain the definitions 0 := Xi, 1 := [o B ( i 0 )], 2 := [o W ( i 0 )], 3 := X( 1 2 ), and 4 := G[ i 0 3 ]. Replacing these definition with the preproven theorems, we finally end up with the following generalized Büchi automaton: 0 1 2 3 4 (0) 4 (t) 0 (t) t 2 (t) 4
( t 1 t2 ( t 1 t2
= i(t+1) =
i(t)
= ( i(t) (t1 +t2 ) 1 (t1 +t2 ) 2
(t) 1 (t) 0 (t) 0
= ( i(t) o(t)
o(t1 +t2 ) i(t1 +t2 )
(t) 3 )
(t+1) 2 (t+1) 4
i(t1 +t2 ) (t1 +t2 ) ) 0
(t) 0 )
(o(t) (t) 3
=
(t1 +t2 ) ) 0
(t+1) ) 1 (t+1) (t+1) 1 2
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
267
We have implemented a HOL conversion that computes a corresponding generalized Büchi automaton as explained above and then proves the equivalence with our preproven theorems of Theorem 1. It is easily seen that the computation of the generalized Büchi automaton is done in linear runtime wrt. the length of the given formula.
6 Applications The Prosper project focuses on reducing the gap between formal verification and industrial aims and needs. Although formal methods have proven their usefulness and importance in academia for years, they are only rarely applied in industrial environments. One reason for this is that existing proof tools require profound knowledge in logic. Since only a very few system engineers have this expertise, formal methods are often not applied at all. Another reason is the lack of automation. Many proof tools need considerable user interaction which complicates its usage and slows down the complete design cycle. Within Prosper, examples of proof tools are being produced which provide user friendly access to formal methods. An open proof architecture allows the integration of different verification tools in a uniform higher order logic environment. Besides providing easy and consistent access to these tools, a high degree of automation can be achieved by integrating various decision procedures as plugins. Examples of already integrated decision procedures are a Boolean tautology checker based on BDDs, P ROVER from Prover Technology, and the CTL model checker SMV. As mentioned before, the translation of LTL formulas to automata as described in the previous section can be used to model check LTL formulas with a CTL model checker. Using HOL’s CTL model checker plugin which has been developed as part of the Prosper project, our transformation procedure shows how LTL model checking can be performed directly within HOL.
6.1 The Prosper PlugIn Interface The basis for a uniform integration of different proof tools in HOL is Prosper’s plugin Interface [41, 42]. It provides an easy to use and formally specified communication mechanism between HOL and its various proof backends. Communication is either based on Internet sockets or on local Unix pipes, depending on the machine where the proof backend is running. The plugin interface can roughly be divided into two parts. One part that manages communication with HOL (proof engine side) and another part which is responsible for the plugged in proof backend (plugin side). If Internet sockets are used for communication, both sides of the plugin might run on different machines. The proof engine side is directly linked to HOL whereas the plugin side runs on the same machine as the proof backends. If more than one plugin is running, each back end is linked by a separate plugin interface. This allows the integration of arbitrary tools running either locally on the same machine or widespread over the world connected via Internet sockets. Overall, this leads to the sketch in Fig. 3
268
Klaus Schneider and Dirk W. Hoffmann
proofengine side
Internet or Unix pipe
plugin side
SMV
PlugIn interface proofengine side
HOL
Internet or Unix pipe
plugin side
BDD package
PlugIn interface
proofengine side
Internet or Unix pipe
plugin side
Prover (ProverTechnology)
PlugIn interface
Fig.3. Sketch of the Prosper plugin Interface 6.2 The CTL Model Checker PlugIn As part of the Prosper project, we have integrated the SMV model checker [2] into HOL via Prosper’s plugin interface. SMV has been chosen since it is one of the widest spread and most used model checkers. Moreover, SMV is freely available and can therefore be distributed with HOL. To be able to reason about SMV programs, the SMV language defined in [2] has been deeply embedded in HOL3 . According to the grammar definition given in [2], a new HOL type is defined for each nonterminal, i.e., the following HOL types are defined: smv_constant smv_ctl smv_var_decl smv_define_decl smv
smv_id smv_type_enum smv_alhs smv_declaration
smv_expr smv_type smv_assign_decl smv_moduleports
Having the SMV grammar in mind, these data types are defined in a straightforward manner, e.g., smv_constant is defined as val smv_constant = define_type {name = "smv_constant", type_spec = ‘smv_constant = ATOM_CONSTANT of string  NUMBER_CONSTANT of num  FALSE_CONSTANT  TRUE_CONSTANT‘, fixities = [Prefix,Prefix,Prefix,Prefix]}; 3
http://goethe.ira.uka.de/~hoff/smv.sml
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
269
All other data types are defined in a similar way. At the moment, the language is only embedded syntactically. The semantics which is also given in [2] will be formalized in HOL soon. A parser exists which converts SMV programs to their corresponding representation in HOL. Once the datatype has been created, it can be manipulated within HOL, or SMV can be invoked with the MC command. Calling SMV via the plugin interface, the HOL datatype is converted into SMV readable format and passed to the model checker. If the specification is true, the HOL term T is returned to HOL, otherwise F is returned. Once the semantics of SMV programs has been formalized (e.g., by defining a predicate val d(S) which is true if and only if S satisfies its specification), the model checker plugin can be adapted easily to return a theorem = val d(S) instead of the HOL term T. Kripke structure
LTL Spec
Kripke structure
CTL Spec
Automaton
HOLterm of type SMV
HOLterm of type SMV
plugin interface
plugin interface
SMV
SMV
Fig.4. Invoking the SMV model checker via the Prosper plugin interface. The left picture shows the usual call to SMV with a CTL specification. The right picture demonstrates how our transformation of LTL formulas to automata can be used to model check LTL formulas with the same plugin. Internally, the SMV plugin interface interacts with SMV by using standard I/O communication. This design decision has been made because it avoids changes in the SMV source code. Treating SMV as a black box tool, it can be easily upgraded when new versions of SMV are released.
270
Klaus Schneider and Dirk W. Hoffmann
Fig. 4 (left) shows how SMV is invoked with a CTL specification. Fig. 4 (right) shows how our procedure for transforming LTL formulas to automata can be used to model check LTL formulas with the same plugin.
7 Conclusions and Future Work We have described a translation procedure for converting LTL formulas to equivalent automata and its implementation in the HOL theorem prover. Together with the SMV plugin this allows the usage of SMV as a decision procedure that can be conveniently called as a HOL tactic. As a result, temporal logic formulas given in LTL can now be used to specify and to verify the concurrent behavior conveniently by the model checker SMV, although this model checker is not directly able to handle LTL. The translation of LTL into automata by our HOL conversion runs in linear time and is also in practice very efficient since it is mainly based on preproven theorems of the LTL theory that we also provided.
References [1] E.A. Emerson. Temporal and Modal Logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 996–1072, Amsterdam, 1990. Elsevier Science Publishers. [2] K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, Norwell Massachusetts, 1993. [3] G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279–295, May 1997. [4] R. H. Hardin, Z. Har’El, and R. P. Kurshan. COSPAN. In Rajeev Alur and Thomas A. Henzinger, editors, Conference on Computer Aided Verification (CAV), volume 1102 of Lecture Notes in Computer Science, pages 423–427, New Brunswick, NJ, USA, July/August 1996. Springer Verlag. [5] A. Aziz, F. Balarin, S.T. Cheng, R. Hojati, T. Kam, S.C. Krishnan, R.K. Ranjan, T.R. Shiple, V. Singhal, S. Tasiran, H.Y. Wang, R.K. Brayton, and A.L. SangiovanniVincentelli. HSIS: A BDDBased Environment for Formal Verification. In ACM/IEEE Design Automation Conference (DAC), San Diego, CA, June 1994. San Diego Convention Center. [6] R. K. Brayton, A. L. SangiovanniVincentelli, A. Aziz, S.T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, S. Qadeer, R. K. Ranjan, T. R. Shiple, G. Swamy, T. Villa, G. D. Hachtel, F. Somenzi, A. Pardo, and S. Sarwary. VIS: A system for verification synthesis. In ComputerAided Verification, New Brunswick, NJ, JulyAugust 1996. [7] M.C. Browne, E.M. Clarke, D.L. Dill, and B. Mishra. Automatic Verification of Sequential Circuits Using Temporal Logic. IEEE Transactions on Computers, C35(12):1034–1044, December 1986. [8] D.L. Dill and E.M. Clarke. Automatic verification of asynchronous circuits using temporal logic. IEE Proceedings, 133 Part E(5):276–282, September 1986. [9] E.M. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D.E. Long, K.L. McMillan, and L.A. Ness. Verification of the Futurebus+ Cache Coherence Protocol. In D. Agnew, L. Claesen, and R. Camposano, editors, IFIP Conference on Computer Hardware Description Languages and their Applications (CHDL), pages 5–20, Ottawa, Canada, April 1993. IFIP WG10.2, CHDL’93, IEEE COMPSOC, Elsevier Science Publishers B.V., Amsterdam, Netherland.
A HOL Conversion for Translating Linear Time Temporal Logic to Automata
271
[10] M.J.C. Gordon and T.F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press, 1993. [11] N. Shankar. PVS: Combining specification, proof checking, and model checking. In M. Srivas and A. Camilleri, editors, International Conference on Formal Methods in Computer Aided Design (FMCAD), volume 1166 of Lecture Notes in Computer Science, pages 257– 264, Palo Alto, CA, USA, November 1996. Springer Verlag. [12] E.A. Emerson and J.Y. Halpern. ”sometimes” and ”not never” revisited: On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178, January 1986. [13] E.M. Clarke and E.A. Emerson. Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic. In D. Kozen, editor, Workshop on Logics of Programs, volume 131 of Lecture Notes in Computer Science, pages 52–71, Yorktown Heights, New York, May 1981. SpringerVerlag. [14] K. Schneider. CTL and equivalent sublanguages of CTL*. In C. Delgado Kloos, editor, IFIP Conference on Computer Hardware Description Languages and their Applications (CHDL), pages 40–59, Toledo,Spain, April 1997. IFIP, Chapman and Hall. [15] K. Schneider, T. Kropf, and R. Kumar. Why Hardware Verification Needs more than Model Checking. In Higher Order Logic Theorem Proving and its Applications, Malta, 1994. [16] P. Loewenstein. Formal verification of statemachines using higherorder logic. In IEEE/ACM International Conference on Computer Design (ICCD), pages 204–207, 1989. [17] P. Loewenstein. A formal theory of simulations between infinite automata. In L.J.M. Claesen and M.J.C. Gordon, editors, Higher Order Logic Theorem Proving and its Applications, pages 227–246, Leuven, Belgium, September 1992. IFIP TC10/WG10.2, NorthHolland. IFIP Transactions. [18] K. Schneider, R. Kumar, and T. Kropf. Alternative Proof Procedures for FiniteState Machines in HigherOrder Logic. In J.J. Joyce and C.J.H. Seger, editors, Higher Order Logic Theorem Proving and its Applications, volume 780 of Lecture Notes in Computer Science, pages 213–227, Vancouver, Canada, August 1993. University of British Columbia, SpringerVerlag, published 1994. [19] D. Eisenbiegler and R. Kumar. An Automata Theory Dedicated Towards Formal Circuit Synthesis. In E.T. Schubert, P.J. Windley, and J. AlvesFoss, editors, Higher Order Logic Theorem Proving and its Applications, volume 971 of Lecture Notes in Computer Science, pages 154–169, Aspen Grove, Utah, USA, September 1995. SpringerVerlag. [20] K. Schneider and T. Kropf. A unified approach for combining different formalisms for hardware verification. In M. Srivas and A. Camilleri, editors, International Conference on Formal Methods in Computer Aided Design (FMCAD), volume 1166 of Lecture Notes in Computer Science, pages 202–217, Palo Alto, USA, November 1996. Springer Verlag. [21] S. Agerholm and H. Schjodt. Automating a model checker for recursive modal assertions in HOL. Technical Report DAIMI IR92, DAIMI, January 1990. [22] J. von Wright. Mechanizing the temporal logic of actions in HOL. In M. Archer, J.J. Joyce, K.N. Levitt, and P.J. Windley, editors, Higher Order Logic Theorem Proving and its Applications, Davis, California, August 1991. IEEE Computer Society, ACM SIGDA, IEEE Computer Society Press. [23] L. Lamport. The temporal logic of actions. Technical Report 79, Digital Equipment Cooperation, 1991. [24] F. Andersen and K.D. Petersen. Recursive Boolean Functions in HOL. In M. Archer, J.J. Joyce, K.N. Levitt, and P.J. Windley, editors, Higher Order Logic Theorem Proving and its Applications, Davis, California, August 1991. IEEE Computer Society, ACM SIGDA, IEEE Computer Society Press. [25] K.M. Chandy and J. Misra. Parallel Program Design. AddisonWesley, Austin, Texas, May 1989.
272
Klaus Schneider and Dirk W. Hoffmann
[26] F. Andersen. A Theorem Prover for UNITY in Higher Order Logic. PhD thesis, Horsholm, Denmark, March 1992. [27] F. Andersen, K.D. Petersen, and J.S. Petterson. Program Verification using HOLUNITY. In J.J. Joyce and C.J.H. Seger, editors, Higher Order Logic Theorem Proving and its Applications, volume 780 of Lecture Notes in Computer Science, pages 1–16, Vancouver, Canada, August 1993. University of British Columbia, SpringerVerlag, published 1994. [28] K. Schneider. Translating linear temporal logic to deterministic automata. In M.Pfaff and R. Hagelauer, editors, GI/ITG/GMM Workshop Methoden des Entwurfs und der Verifikation digitaler Systeme, pages 149–158, 1997. [29] K. Schneider. Yet another look at LTL model checking. In IFIP WG10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, Lecture Notes in Computer Science, Bad Herrenalb, Germany, September 1999. Springer Verlag. [30] W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 133–191, Amsterdam, 1990. Elsevier Science Publishers. [31] O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In ACM Symposium on Principles of Programming Languages (POPL), pages 97–107, New York, January 1985. ACM. [32] O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In Conference on Logics of Programs, volume 193 of Lecture Notes in Computer Science, pages 196–218, New York, 1985. SpringerVerlag. [33] P. Wolper. Temporal logic can be more expressive. Information and Control, 56:72–99, 1983. [34] P. Wolper. On the relation of programs and computations to models of temporal logic. In B. Banieqbal, H. Barringer, and A. Pnueli, editors, Temporal Logic in Specification, pages 75–123, Altrincham, UK, 1987. SpringerVerlag. [35] G.G de Jong. An automata theoretic approach to temporal logic. In K.G. Larsen and A. Skou, editors, Workshop on Computer Aided Verification (CAV), volume 575 of Lecture Notes in Computer Science, pages 477–487, Aalborg, July 1991. SpringerVerlag. [36] S. Safra. On the complexity of automata. In IEEE Symp.on Foundations of Computer Science, pages 319–327, 1988. [37] M. Vardi. An automatatheoretic approach to linear temporal logic. In Banff’94, 1994. [38] E.M. Clarke, O. Grumberg, and K. Hamaguchi. Another look at LTL model checking. In David L. Dill, editor, Conference on Computer Aided Verification (CAV), volume 818 of Lecture Notes in Computer Science, pages 415–427, Standford, California, USA, June 1994. SpringerVerlag. [39] K. Schneider. Model checking on product structures. In G.C. Gopalakrishnan and P.J. Windley, editors, Formal Methods in ComputerAided Design, volume 1522 of Lecture Notes in Computer Science, pages 483–500, Palo Alto, CA, November 1998. Springer Verlag. [40] S.D. Johnson, P.S. Miner, and A. Camilleri. Studies of the single pulser in various reasoning systems. In T. Kropf and R. Kumar, editors, International Conference on Theorem Provers in Circuit Design (TPCD), volume 901 of Lecture Notes in Computer Science, pages 126– 145, Bad Herrenalb, Germany, September 1994. SpringerVerlag. published 1995. [41] M. Norrish, L. Dennis, and R. Boulton. Prosper plugin interface design. Prosper project report D3.2a, October 1998. [42] M. Norrish, G. Collins, L. Dennis, and R. Boulton. Prosper plugin interface user documentation. Prosper Project Report D3.2b, November 1998.
From I/O Automata to Timed I/O Automata A Solution to the ‘Generalized Railroad Crossin ’ in Isabelle/HOLCF Bernd Grobauer1 and Olaf M¨ uller2 1
BRICS, Depar men of Compu er Science, Universi y of Aarhus, Denmark 2 Ins i u f¨ ur Informa ik, TU M¨ unchen, 80290 M¨ unchen, Germany
Abstract. The model of imed I/O au oma a represen s an ex ension of he model of I/O au oma a wi h he aim of reasoning abou realime sys ems. A number of case s udies using imed I/O au oma a has been carried ou , among hem a rea men of he socalled Generalized Railroad Crossin (GRC). An already exis ing formaliza ion of he me aheory of I/O au oma a wi hin Isabelle/HOLCF allows for fully formal oolsuppor ed veri ca ion using I/O au oma a. We presen a modi caion of his formaliza ion which accomoda es for reasoning abou imed I/O au oma a. The guiding principle in choosing he par s of he me aheory of imed I/O au oma a o formalize has been o provide all he heory necessary for formalizing he solu ion o he GRC. This leads o a formaliza ion of he GRC, in which no only he correc ness proof i self has been formalized, bu also he underlying me a heory of imed I/O au oma a, on which he correc ness proof is based.
1
Introduction
The model of imed I/O au oma a (see e.g. [10, 8]) represen s an ex ension of he model of I/O au oma a (cf. [11]) wi h he aim of reasoning abou real ime sys ems. A number of case s udies using imed I/O au oma a has been carried ou , among hem a rea men of he socalled Generalized Railroad Crossin (GRC) [9]. As experience shows, a formal me hod is only prac ical wi h proper ool suppor . In con ras o many comparable formalisms, where he speci ca ion language is uned o make cer ain veri ca ion asks decidable, a imed I/O au oma on is in general an in ni e ransi ion sys ems. Hence he only comprehensive and generic ool suppor for proofs wi hin he model of imed I/O au oma a is (in erac ive) heorem proving; of course addi ional suppor using e.g. model checking for deciding manageable subproblems could (and even should) be provided. The aim of our work is o crea e an environmen for reasoning abou imed I/O au oma a and o apply i o a formaliza ion of he GRC. The s ar ing poin is an exis ing framework for reasoning abou un imed I/O au oma a [12, 13, 14] in BRICS: Basic Research in Compu er Science, Cen re of he Danish Na ional Research Founda ion. Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 273 289, 1999. c Sprin erVerla Berlin Heidelber 1999
274
Bernd Grobauer and Olaf M¨ uller
he heorem prover Isabelle/HOLCF [15]. I provides an ex ensive formaliza ion of he heory of I/O au oma a, e.g. all he proof principles which are o ered for ac ual applica ions have been shown o be sound. Such a formaliza ion of a formal me hod’s me a heory no only rules ou po en ial sources of unsoundness, i also allows one o derive new proof principles ins ead of hardwiring hem. Fur her i leads o a deeper unders anding of he heory i self; changes o he heory which harmonize wi h he chosen formaliza ion can easily be carried ou and heir e ec s evalua ed. In a sense he presen ed work is ‘living proof’ for he las claim: one of i s main s reng hs is he simplici y of ex ending he exis ing framework from un imed o imed sys ems. The guiding principle in choosing he par s of he heory of imed I/O auoma a o formalize has been o provide all he heory necessary for formalizing he GRC as presen ed in [9]. In con ras o our GRC solu ion, Archer and Hei meyer, who carried ou an al erna ive formaliza ion [2] in PVS [18], do no rea he me a heory a all and so far only deal wi h invarian s wi hou aking he s ep o simula ions. In he following we are going o describe bo h he formalizaion of he heory of imed I/O au oma a in Isabelle/HOLCF and he subsequen formaliza ion of he GRC. Af er some preliminaries abou Isabelle/HOLCF which are rea ed in Sec ion 2, Sec ion 3 gives an in roduc ion o he heory of imed I/O au oma a. In Sec ion 4 he formaliza ion of he heory of imed I/O au oma a in Isabelle/HOLCF is described. I s applica ion o he formaliza ion of he GRC is ske ched in Sec ion 5.
2
Isabelle/HOLCF
Isabelle [19] is a generic in erac ive heorem prover; we use only i s ins an ia ion wi h HOLCF [15], a conserva ive ex ension of higher order logic (HOL) wi h an LCFlike domain heory. Following a me hodology developed in [13], he simpler HOL is used wherever possible, only swi ching o LCF when needed. Several fea ures of Isabelle/HOL help he user o wri e succinc and readable heories. There is a mechanism for MLs yle de ni ions of induc ive da a ypes [4]. For every de ni ion of a recursive da a ype, Isabelle will au oma ically cons ruc a ype oge her wi h he necessary proofs ha his ype has he expec ed proper ies. Ano her fea ure working along he same lines allows he induc ive de ni ion of rela ions. Buil on op of he da a ype package is a package which provides for ex ensible record ypes [16]. The keywords in roducing he ci ed language fea ures are datatype, inductive and record respec ively. Isabelle’s syn ax mechanisms allow for in ui ive no a ions; for example se comprehension is wri en as fe j P g, a record s which con ains a eld foo can be upda ed by wri ing s([foo := bar ]). A similar no a ion is used for func ion upda e: f (e1 := e2 ) deno es a func ion which maps e1 on o e2 and behaves like f on every o her value of i s domain. The ype cons ruc or for func ions in HOL is deno ed by ), he projec ions for pairs by fst and snd. Simple nonrecursive de ni ions are marked wi h he
From I/O Au oma a o Timed I/O Au oma a
275
keyword defs, ype de ni ions wi h types, and heorems proven in Isabelle wi h he keyword thm.
3
The Theory of Timed I/O Automata
A imed I/O au oma on A is a labelled ransi ion sys em, where he labels are called actions. These are divided in o external and internal ac ions, deno ed by ext(A) and int (A), respec ively. The ex ernal ac ions are divided in o input and output ac ions (deno ed by inp(A) and out (A)) and a collec ion of special timepassa e ac ions f (t ) j t 2 T g. Here T is a dense ime domain which usually is aken o be IR>0 . Hence a imed I/O au oma on A can be speci ed by de ning a se states(A) of s a es a nonemp y se start (A) states(A) an ac ion signa ure si (A) = (inp(A) out(A) int (A)) where inp(A), out (A) and int(A) are pairwise disjoin . None of he ac ions in he signa ure is allowed o be of he form (t ) wi h t 2 T . We call vis(A) := inp(A) [ out (A) he se of visible ac ions; ext(A) hus can be wri en as vis(A) [ f (t ) j t 2Tg a ransi ion rela ion trans(A) states(A)acts(A)states(A), where acts(A) a is de ned as ext(A) [ int (A). Le r −!A s deno e (r a s) 2 trans(A) There are a number of addi ional requiremen s a imed I/O au oma on mus sa isfy, which give some insigh abou he in ui ion behind he de ni ions: For example a imepassage ac ion (t ) is supposed o s and for he passage of ime t . Obviously if t ime uni s pass and hen ano her t 0 uni s, his should have he same e ec as if t +t 0 ime uni s passed in one s ep. Therefore i is required ha (t)
(t 0 )
(t+t 0 )
if s −!A s 0 and s 0 −! A s 00 hen s −! A s 00 . Timed I/O au oma a can be combined by parallel composition, which is deno ed by k. A s ep of a composed au oma on AkB is caused ei her by an in ernal s ep of A or B alone, a combined s ep wi h an inpu ac ion common o A and B , or a communica ion be ween A and B via an ac ion ha is inpu ac ion o A and ou pu ac ion o B (or vice versa). Executions and Traces The no ion of behavior used for imed I/O au oma a is executions and, as behavior observable from he ou side, traces. As for execu ions, wo models are commonly used. The rs of hem views an execu ion ex as he con inuous passage of ime wi h imeless ac ions occurring a discre e poin s in ime: ex =
0 a1 1 a2 2
.
Here he i are socalled trajectories, ha is mappings from an in erval of he ime domain in o he s a espace of he au oma on he exac de ni ion of a
276
Bernd Grobauer and Olaf M¨ uller
rajec ory makes sure ha i de nes only imepassage ha is compa ible wi h he speci ca ion of he au oma on. These execu ions are called timed execu ions. We however are going o formalize a model which is called sampled execu ions in [10]. Here an execu ion is a sequence in which s a es and ac ions al erna e:
ex = s0 a1 s1 a2 s2 where an ac ion ai is ei her a discre e ac ion or a imepassage ac ion. Sampling can be seen as an abs rac ion of imed execu ions: ins ead of rajec ories, which hold informa ion abou he s a e of an au oma on for every poin of ime, explici imepassage s eps occur in execu ions. The o al amoun of ime which has passed up o a cer ain poin in an execu ion can be deduced by adding up all he imevalues which parame erized he imepassage ac ions ha occured so far. No ice ha he execu ion model includes execu ions which in ui ively speaking do no make sense since ime canno be s opped, only execu ions wi h an in ni e o al amoun of imepassage do. Execu ions wi h an in ni e o al amoun of imepassage are called admissible. An execu ion gives rise o a race in a s raigh forward way by rs l ering ou he invisible ac ions, suppressing he s a es and associa ing each visible ac ion wi h a ime s amp of he poin of ime of i s occurrence. Then he resul ing sequences of (visible) ac ions paired wi h a ime s amp is paired wi h he leas upper bound of he maximal ime value reached in he execu ion (a special symbol 1 is used in case of an admissible execu ion). Traces ha s em from admissible execu ions are hemselves called admissible. The observable behavior of a imed I/O au oma on A is viewed o be he se of i s races traces(A) his may some imes be res ric ed o cer ain kinds of races, e.g. admissible races. If he signa ures of wo au oma a A and C agree on he visible ac ions, hen C is said o implemen A i traces(C ) traces(A). Proof Principles The mos impor an proof me hods for imed I/O au oma a are invariance proofs and simula ion proofs. The former is used o show ha a predica e over states(A) holds for every reachable s a e in an au oma on A. Simula ion proofs are used o show ha an au oma on C implemen s an au oma on A; hey are based on a heorem abou imed I/O au oma a which says ha if here exis s a socalled simula ion rela ion S states(C )states(A), hen C implemen s A.
4
Formalizin Timed I/O Automata in HOLCF
The rea men of he GRC as presen ed in [9] is based upon he model of imed I/O au oma a. Apar from he proof principles men ioned above, namely invariance proofs and simula ion proofs, a fur her proof principle is used o show a
From I/O Au oma a o Timed I/O Au oma a
277
cer ain kind of execu ion inclusion via a simula ion rela ion. Composi ional reasoning is no employed. In he following we give an overview of he formaliza ion of he underlying heory of imed I/O au oma a in Isabelle. Of en only minor changes o he already exis ing formaliza ion of he heory of I/O au oma a had o be made, we will mos ly concen ra e on hese changes and addi ions see [1] for he comple e formaliza ion. Fur her informa ion abou he original formaliza ion of I/O au oma a can be found in [13]. All in all abou one and a half mon hs were spen in formalizing he necessary me a heory wo weeks for changing he underlying heory of I/O au oma a and four weeks for he addiions described in Sec ion 4.4; some of his ime however was spen by he rs au hor reacquain ing himself wi h Isabelle. 4.1
Timed I/O Automata
All he proofs ha have been carried ou in order o formalize he necessary fragmen of he heory of imed I/O au oma a only require he ime domain T o be an ordered group. Therefore we keep he whole Isabelle heory of imed I/O au oma a parame ric wi h respec o a ype represen ing an ordered group. This can be achieved in an elegan way using he mechanism of axiomatic type classes [22] of Isabelle: a ype class timeD is de ned which represen s all ypes ha sa isfy he axioms of an ordered group wi h respec o a signa ure h 0 i. is such a ype. The no a ion t meD signi es ha Ac ions of imed I/O au oma a can ei her be discre e ac ions or imepassage ac ions; we in roduce a special da a ype: datatype (
t meD ) action
= Discrete
Time
In he following a discre e ac ion Discrete a will be wri en as a , a imepassage ac ion Time t as (t ). We fur her chose o make iming informa ion explici in he s a es, as for example done in [10]. There only one special imepassage ac ion is used, which su ces as imepassage can be read from he s a es. We, however, keep iming informa ion bo h in he s a es and in he ac ions we argue ha speci ca ions of imed I/O au oma a will gain clari y. Therefore s a es will always be of ype ( t meD ) state, where record ( ) state = content :: now :: t meD
Wi h hese modi ca ions in mind, he de ni ions made in Sec ion 3 give rise o he following ype de ni ions in a s raigh forward way: types (
si nature = ( set set ) state ( t meD ) transition = ( ( si nature ( t meD ) tioa =
set) ) action ( ) state ) state set ( ) transition set
Thus, ( )tioa s ands for a imed I/O au oma on where discre e ac ions are of ype , he s a e con en s (i.e. he s a e wi hou i s ime s amp) of ype
278
Bernd Grobauer and Olaf M¨ uller
and he used ime domain of ype , which is required o be in he axioma ic ype class timeD. For tioa and si nature also selec ors have been de ned, namely inputs, outputs and internals, giving access o he di eren kinds of (discre e) ac ions ha form a signa ure, oge her wi h derived func ions like visibles s = inputs s [ outputs s, which are he visible discre e ac ions, si of, startsof and transof giving access o he signa ure, he s ar s a es and he ransi ion rela ion of a imed I/O au oma on. The addi ional requiremen s on imed I/O au oma a as in roduced in Sec ion 3 are formalized as predica es over he ransi ion rela ion of an au oma on. Since we have chosen o carry ime s amps wi hin he s a es, an addi ional wellformedness condi ion has o be formula ed: defs
wellformedtrans A = (s a r ) (transof A)
(case a of a now s = now r (t) now r = (now s)
t)
This and he o her requiremen s on imed I/O au oma a are combined in a predica e TIOA over ype tioa. 4.2
Executions and Traces
As men ioned above we are going o formalize sampled execu ions. In [10] i has been shown ha reachabili y is he same for bo h execu ion models. Fur her for each sampling execu ion here is a imed execu ion ha gives rise o he same race and vice versa. Since he sampling model preserves races and reachabili y, i is su cien for our purposes. Af er all we are no so much in eres ed in me aheory dealing wi h he comple eness of re nemen no ions (cf. [10]), bu wan o provide a founda ion for ac ual veri ca ion work. Execu ions hus boil down o sequences in which s a es and ac ions al erna e. Only echnical modi ca ions o he represen a ion of execu ions used in he already exis ing formaliza ion of I/O au oma a had o be made. Here he LCFpar of HOLCF comes in lazy lis s are used o model possibly in ni e sequences (cf. [7]). Consider he following ype declara ions: types ( (
t meD ) pairs = (( ) execution = ( ( ) trace = ((
) action ( ) state) Seq ) state ( ) pairs ) action ) Seq
Here Seq is a ype of lazy lis s specialized for a smoo h in erac ion be ween HOL and HOLCF (cf. [13]). An execu ion consis s of a s ar s a e paired wi h a sequence of ac ion/s a e pairs, whereas a race is a sequence of ac ions paired wi h a ime s amp (we chose no o include he end ime reached in he execu ion which gave rise o he race, since no informa ion useful for ac ual veri ca ion work is added by i ). All fur her de ni ions in he heory of imed I/O au oma a are formalized wi h func ions and predica es over he ypes de ned above. For example isexecfra A ex checks whe her ex is an execu ion fragmen of an auoma on A. I s de ni ion is based upon a con inuous LCFfunc ion isexecfra c .
From I/O Au oma a o Timed I/O Au oma a
279
To explain our formaliza ion of an execu ion fragmen , i su ces o display some proper ies of isexecfra which have been derived au oma ically from i s de ni ion: thm isexecfra A (s []) thm isexecfra A (s (a r ) ex ) = ((s a r )
transof A
isexecfra A (r ex ))
Here [] s ands for he emp y sequence and for he consopera ion. Fur her de ni ions include a func ion mktrace which maps an execu ion o he race resul ing from i , executions and traces which give he se of execu ions resp. races of an au oma on. Reachabili y can be de ned via an induc ive de ni ion: nduct ve
4.3
s s
startsof C reachable C
s
reachable C (s a t) transof C t reachableC
Invariant Proofs and Simulation Proofs for Trace Inclusion
Nei her showing he correc ness of he proof principle for invarian s nor ha of simula ion proofs required signi can changes of he formaliza ion for un imed I/O au oma a. An invarian is de ned as defs
invariant A P = s reachable A s =
P (s)
The principle of invariance proofs, namely
thm
s startsof A P (s) a s a t reachable A s P (s) s− invariant A P
A
t =
P (t)
is easily shown by rule induc ion over reachable. The correc ness of simula ion proofs has been shown for hree frequen ly used kinds of simula ion rela ions, namely re nement mappin s, forward simulations and weak forward simulations. Since i urned ou ha weak forward simulations are preferable in prac ice (see sec ion 5.4), we will res ric our presen a ion o his proof principle. All he ha ti
simula ion rela ions men ioned are based on he no ion of a move: Le s ex =) A r deno e an amove from s a e s o s a e r in an au oma on A by way of an execu ion fragmen ex . The de ni ion of a move requires, ha he execu ion fragmen ex has s as rs and r as las s a e; fur her he race arising from ex is ei her he sequence holding only ha t i if a is a visible ac ion, or he emp y sequence if a is no visible. The in ui ion is ha A performs an ac ion a and possibly some invisible ac ions before and af er ha in going from s o r . A forward simula ion R be ween an au oma on C and an au oma on A baa sically says: any s ep s −!C r from a reachable s a e s of C can be ma ched by a corresponding move of A:
280
Bernd Grobauer and Olaf M¨ uller defs
iswsimulation R C ( s u ( s ( s s
A= u R[s] = now u = now s) startsof C R[s] startsofA = ) r a reachable C s a s− C r (s s ) R reachable A s =
r ex (r r )
R
s
ex
a now r 0
=
A
r )
The rs line of he given de ni ion requires a weak forward simula ion R o be synchronous, i.e. o rela e only s a es wi h he same ime s amp (R[s] deno es he image of s under R). The second line requires he se of all s a es rela ed o some s ar s a e s of C o con ain a leas one s ar s a e of A. The requiremen ha s 0 be reachable in A and s reachable in C charac erizes a weak forward simula ion. The corresponding proof principle, which has been derived in Isabelle, is thm
visibles C = visibles A traces C
iswsimulation R C A traces A
A rs i is surprising ha showing he correc ness of simula ion rela ions required hardly any changes o he corresponding proof for un imed I/O au oma a. In par icular no informa ion abou he ime domain is needed. The poin is ha synchronous simula ion rela ions res rain imepassage so much ha imepassage ac ions do no di er signi can ly from o her invisible ac ions in his con ex . 4.4
Simulation Proofs for Execution Inclusion
In he GRC case s udy carried ou wi h imed I/O au oma a in [9], inclusion of execu ions under projec ion o a common componen au oma on is derived from he exis ence of a simula ion rela ion be ween wo au oma a. In doing so, he au hors refer o general resul s abou composi ion of imed au oma a. When rying o formalize his s ep we realized ha one of he au oma a involved canno be regarded as cons ruc ed by parallel composi ion. Therefore resul s abou he composi ion of imed au oma a canno be direc ly applied; fur her he very no ion of projec ing execu ions o a componen au oma on is no wellde ned. In order o formalize he me a heory used for solving he GRC we ried o nd a sui able reformula ion of he employed concep , which is as well in eres ing in i s own righ . The basic idea is o nd a no ion of projec ing execu ions o par s of an au oma on which is compa ible wi h he concep of simula ion proofs: inclusion of execu ions under projec ion o a common par of wo au oma a should be provable by exhibi ing a simula ion rela ion. In which se ing will execu ion inclusion wi h respec o some projec ion be employed? Say imed I/O au oma a are o be used for specifying a con roller which influences an environmen . Bo h he environmen and he implemen a ion of he con roller will be modelled using au oma a heir parallel composi ion
From I/O Au oma a o Timed I/O Au oma a
281
C describes he ac ual behavior of he con rolled environmen . Trying o show correc ness via he concep of simula ion proofs, he desired behavior of he conrolled environmen will be speci ed as ano her au oma on A. For cons ruc ing A, he au oma on specifying he environmen is likely o be reused, i.e. A arises from modifying his au oma on such ha i s behavior is res ric ed o he desired behavior. Hence he s a e space of A will con ain he environmen ’s s a e space, which can be ex rac ed by a sui able projec ion. The no ion of observable behavior one wan s o use in his case migh very well be execu ions ra her han races: execu ions hold informa ion also abou s a es, and i of en is more na ural o de ne desired behavior by looking a he s a es ra her han visible ac ions only. Wha one wan s o do is o de ne projecions for bo h au oma a, which ex rac he environmen . Using hese projec ions, execu ions of bo h au oma a can be made comparable. As he following heorem shows, a simula ion indeed implies inclusion of execu ions under he given projec ions, if hese ful ll cer ain requiremen s: iswsimulation R C A u u (u u ) R = pc u = pa u a a s s a actS s − A s = pa s = pa s actS visibles(si of A) visibles(si ofC )
thm
ex
executions C = ex execproj A pa actS ex = execproj C pc actS ex
Here pc and pa are projec ions from he s a e space of C and A on a common subcomponen . The se actS is a subse of he shared visible discre e ac ions of C and A (see he four h premise). The hird premise of he heorem expresses ha actS has o include all he ac ions which in A (describing he desired behavior) a ec he par of he s a e space ha is projec ed ou . The second premise gives a wellformedness condi ion of he simula ion rela ion R wi h respec o pc and only s a es which are equal under projec ion may be rela ed. pa I remains o clarify he role of execproj (ac ually de ned by an elabora e con inuous func ion execprojc ; all he following proper ies of execproj have been proven correc by reasoning over execprojc wi hin he LCFpar of HOLCF). The func ion execproj in e ec de nes a new no ion of observable behavior based on execu ions. Cer ainly one would expec execproj A p actS o use projec ion p on he s a es of a given execu ion and o remove ac ions no in actS : thm
a
actS =
thm
a
actS =
execproj A p actS (s ( a s ) xs) = (p s ( a p s ) (snd (execproj A p actS (s xs)))) execproj A p actS (s ( a s ) xs) = (p s snd (execproj A p actS (s xs)))
However i is also necessary o abs rac over subsequen thm
imepassage s eps:
execproj A p actS (s ( (t ) s ) ( (t ) s ) xs) = execproj A p actS (s ( (t t ) s ) xs)
By removing ac ions ha are no in actS i can happen ha imepassage s eps which before were separa ed by discre e ac ions appear in jux aposi ion. Hence we fur her require ha
282
Bernd Grobauer and Olaf M¨ uller
thm
a
thm
a
actS = execproj A p actS (s = (p s ( (t ) p s ) ( a p s actS = execproj A p actS (s = execproj A p actS (s ( (t )
( ) ( s
(t ) s ) ( a s ) xs) (snd (execproj A p actS (s xs)))) (t ) s ) ( a s ) xs) ) xs)
No ice ha he no ion of observable behavior implied by execproj may no be sui able for all applica ions. I su ces for he GRC, because in all he au oma a speci ed here imepassage leaves every hing of he s a e unchanged excep from he ime s amp. Only because of his we can abs rac away from subsequen imepassage s eps: all he s a es dropped by his abs rac ion di er only in heir ime s amp, i.e. no informa ion is los . The proof of he correc ness heorem displayed above is ra her involved. However for me a heore ic proofs, which only have o be carried ou once and for all, complica ed proofs are accep able. The in erac ion of HOL and LCF in he formaliza ion of ( imed) I/O au oma a is such ha users can carry ou ac ual speci ca ions and heir veri ca ion wi h ( imed) I/O au oma a s ric ly in he simpler logic HOL (cf. he deeper discussion in [12]). For he proof we also required assump ions abou timeD as men ioned above i was su cien o know ha every ype in class timeD is an ordered group wi h respec o h 0 i.
5
A Formalization of the ‘Generalized Railroad Crossin ’
In he speci ca ion of a solu ion o he GRC problem using imed I/O au oma a we closely follow he presen a ion of [9], formalizing invarian proofs and a simula ion proof ha were presen ed only in an informal way. In he following we give an overview over he GRC and i s formaliza ion wi hin our framework. The comple e Isabelle heories can be found in [1]. 5.1
Problem Description
The GRC deals wi h he problem of con rolling he movemen of a ga e which belongs o a railroad crossing wi h an arbi rary number of racks (hence he predica e generalized ). There is an obvious safe y proper y, namely ha whenever a rain is inside he crossing, he ga e has o be shu . A liveness condi ion ensures he u ili y of he sys em: if he crossing is emp y af er a rain has passed, he ga e mus open wi hin a cer ain ime, unless here is ano her rain approaching such ha he ga e could no s ay open for some minimum amoun of ime. 5.2
A Formalization with Timed I/O Automata
As poin ed ou in Sec ion 4.4, bo h he environmen o be con rolled and he con roller are speci ed wi h imed I/O au oma a. The environmen is modelled by wo au oma a Trains and Gate, he con roller by an au oma on CompImpl. Pu ing hese hree au oma a in parallel we ge he au oma on SysImpl, which cons i u es he behavior of he comple e sys em.
From I/O Au oma a o Timed I/O Au oma a
283
To give an impression of wha such speci ca ions look like, we will ake a closer look a he au oma on Trains:
Away
enterR(r)
Approaching
enterI(r)
Here
[e 1, e 2]
exit(r)
Since Trains has o accoun for an arbi rary number of racks, bo h i s s a e space and ac ions (all of which are ou pu ac ions) are parame erized over a ype of racks which is no fur her speci ed. The graphical represen a ion of Trains shows ha on a rack r , a rain can be away, approachin or here. The ac ion enterR(r ), wi h which a rain passes from away o approachin will be an inpu ac ion o he con roller hink of a sensor posi ioned along rack r in some dis ance from he crossing. Once a rain is approachin , i can en er in o he crossing wi h an ac ion enterI (r ) however here are wo imecons rain s given: he rain may no en er before a ime span of 1 and no af er a ime span of 2 has passed since i s ar ed o approach. Such imecons rain s ransla e in a s andard way in o condi ions under which a imepassage ac ion can ake place. We de ne he s a e space of Trains as a record ype: datatype location = Away Approachin datatype MMTtime = time
Here
record trstate = where :: location rst :: theAction MMTtime last :: theAction MMTtime
Here rst and last map ac ions (theAction is a varian ype which de nes all occurring ac ions) in o ime bounds. These are expressed wi h a varian ype, which ei her holds a ime value (of a ype time which is in he axioma ic ype class timeD) or a value deno ed wi h 1, signifying ha no upper ime bound exis s; he opera ions , and he order rela ion 6 of time ex end in a na ural way o MMTtime. Whenever a s a e is en ered, from which a cer ain ac ion has o occur wi hin some given ime bounds, hen he componen s rst and last of his s a e are se accordingly; hey are rese once he ac ion in ques ion akes place. The precondi ion for imepassage s eps checks ha imepassage does no invalida e one of he ime bounds. The precondi ion of a cons rained ac ion checks he ime bounds of his ac ion. The ransi ion rela ion of he au oma on Trains is speci ed using he mechanism of se comprehension of Isabelle/HOL. We only presen a par of i s formaliza ion o give an idea wha such a speci ca ion looks like:
284
Bernd Grobauer and Olaf M¨ uller
defs
trainstrans = (ss a tt) let s = content ss; snow = now s; t = content tt; tnow = now t in case a of a (snow = tnow ) case a of enterR(r ) if (where s)r = Away then t = s([where := (where s)(r := Approachin ) rst := (( rst s) (enterI (r ) := snow 1 )) last := ((last s) (enterI (r ) := snow 2 ))]) else False enterI (r ) if (where s) r = Approachin ( rst s)(enterI (r )) snow then t = s([where := (where s)(r := Here) rst := (( rst s) (enterI (r ) := 0 )) last := ((last s) (enterI (r ) := ))]) else False
( t)
5.3
if ( r snow t then tnow = snow
(last s)(enterI (r )) t
s = t else False
Informal Proof Outline
The correc ness proof for he GRC as ou lined informally in [9] proceeds as follows. The desired sys em behavior is formula ed in erms of a projec ion of he admissible execu ions of an abs rac au oma on OpSpec. This au oma on is buil by rs composing he au oma a Trains and Gate wi h an ‘emp y’ con roller, i.e. an au oma on which has he same signa ure as CompImpl bu pu s no cons rain s on o any ac ions. To yield OpSpec, he resul ing composi ion is hen modi ed, res ric ing i s possible behavior o he desired behavior. This is achieved by rs ly adding new componen s o he s a e space, which we formalize like follows: record opSpecstate = system :: unit trstate last1 :: MMTtime last2up :: MMTtime last2here :: MMTtime
atestate
From I/O Au oma a o Timed I/O Au oma a
285
Here system holds he s a e of he composi e au oma on ( he ‘emp y’ conroller has only one single s a e, so unit can be used for i s s a espace). The hree addi ional compon en s of he s a espace are hen used o res ric he au oma on’s behavior by adding a number of pre and pos condi ions o he ac ions of he au oma on. For example last1 is used as a deadline for some rain o en er he crossing af er he ga e s ar ed o go down. An ac ion lower of he ga e au oma on will se he deadline, whereas an ac ion enterI (r ) for any rain r will rese i . last2up and last2here are used in a similar way o enforce fur her u ili y proper ies. Correc ness is es ablished in wo s eps: The execu ions of he ac ual implemen a ion are proven o be included in hose of he au oma on OpSpec under projec ion on o he environmen . The execu ions of OpSpec in urn are shown o sa isfy he axioma ic specica ion of he safe y and u ili y proper y. Only he rs proof is described in some de ail in [9]. Accordingly, we focus only on his proof par in our Isabelle formaliza ion. Thus, he axioma ic speci ca ion is lef ou comple ely. The proof is carried ou in [9] by rs exhibi ing a weak forward simula ion be ween SysImpl and OpSpec. Then i is claimed ha he desired inclusion of execu ions under projec ion on he componen au oma a modeling he environmen follows from a general resul abou composi ion of imed au oma a [9]. In con ras , we were able o use our formal heorem abou execu ion inclusion as presen ed in Sec ion 4.4. 5.4
The Formal Proof in HOLCF
About the Importance of Invariance Proofs. Showing invarian s of auoma a seems o be he proof principle used mos frequen ly when doing veri ca ion work wi hin he heory of ( imed) I/O au oma a. This is because rs ly safe y proper ies of en are invarian s, and secondly because invarian s are used o fac orize bo h invariance and simula ion proofs: lemmas usually are formula ed as invarian s. Fac orizing proofs is no only impor an for adding clari y, bu in he con ex of in erac ive heorem proving also for keeping he in ermedia e proof s a es of a manageable size. The prac icabili y of invarian s even sugges s o prefer weak simula ion rela ions in favour of forward simula ions. In [10] i is shown ha he no ions of forward simula ion and weak forward simula ion are heore ically equivalen , i.e. whenever a forward simula ion can be es ablished, here exis s also a weak forward simula ion and vice versa. However, since for es ablishing he la er only reachable s a es of bo h au oma a have o be considered, invarian s can be used o fac or ou informa ion which o herwise would have o be made explici in he simula ion rela ion. Settin the Sta e for Semiautomated Invariance Proofs. Having esablished ha invariance proofs may be regarded as he mos impor an proof
286
Bernd Grobauer and Olaf M¨ uller
principle, i is clear ha a high degree of au oma ion for invariance proofs will be of considerable help. The guiding principle is ha a leas hose par s of invariance proofs which in a paper proof would be considered as obvious should be handled au oma ically. The proof rule for invariance proofs has been given in sec ion 4.3. One has o show ha an invarian holds for each s ar s a e, which usually is rivial, and ha any ransi ion from a reachable s a e for which he invarian holds leads again in o a s a e which sa is es he invarian . This is done by making a case analysis over all he ac ions of an au oma on. In a paper proof cer ain cases will be regarded as rivial , e.g. when a cer ain ac ion will always invalida e he premise of he invarian o be shown. I urned ou ha Isabelle’s generic simpli er and i s classical reasoners [20, 21] would usually handle all he rivial cases and even more fully au oma ically when provided wi h informa ion abou he e ec of an ac ion in ques ion. For au oma a like Trains his informa ion is given direc ly by he de ni ion, e.g: thm
(t )
s−
Tra ns t = ( r now s t now t = now s
((last (content s))(enterI (r )))) t content s = content t 0
andalf formula % %% set(auto). assi n(max_seconds,300). assi n(print_level,30). list(sos). c10(x1). c10(c5)  c10(c6). end_of_list. 2.4
Callin Gandalf
We are now ready o call Gandalf wi h he inpu s ring, and here we use he Prosper plugin in erface library. By defaul , when GANDALF TAC is loaded a Gandalf in erne server is au oma ically s ar ed on he local machine and regis ered wi h he sys em. Communica ing wi h i is simply a ma er of calling rou ines in he plugin in erface; in par icular we can spawn a new Gandalf process, send i an inpu s ring, and receive i s ou pu as a s ring. However, he generic sys em is as de ailed in Fig. 2. The Gandalf in erne server can be run on any machine on he ne work as long as i s loca ion is regis ered wi h he plugin in erface when he clien ini ialises. In his general se up we can have HOL sessions on several machines all making use of he same Gandalf server. The defaul is for ease of ins alla ion only. Here is wha he Gandalf server re urns in our example: Gandalf v. c1.0c startin
to prove:
andalf.26884
strate ies selected: ((binary 30 #t) (binaryunit 90 #f) (hyper 30 #f) (binaryorder 15 #f) (binarynameorder 60 #f 1 3) (binarynameorder 75 #f)) ********* EMPTY CLAUSE DERIVED ********* timer checkpoints: c(2,0,28,2,30,28) 1 [] c10(c5)  c10(c6). 2 [] c10(x). 3 [binary,1,2,binary_s,2] contradiction.
316
Joe Hurd
No e ha he variable x1 we passed in o Gandalf has disappeared, and a new variable x has appeared. In general we can assume no hing abou he names of variables before and af er he call. 2.5
Parsin
Our ask is now o parse he ou pu s ring in o a Gandalf proof s ruc ure, ready o be ransla ed in o he corresponding HOL proof. We rs check ha he s ring EMPTY CLAUSE DERIVED occurs in he ou pu s ring (or else he ac ic fails), and hen cu ou he proof par of he ou pu s ring. The use of ML parser combina ors enabled a parser o be quickly cons ruc ed, and we pu he resul in o special purpose da a ypes for s oring proof s eps, simpli ca ions and Gandalf erms. Here is he resul of he parse on our running example: [(1, (Axiom(), []), [(true, Branch(Leaf "c10", Leaf "c5")), (true, Branch(Leaf "c10", Leaf "c6"))]), (2, (Axiom(), []), [(false, Branch(Leaf "c10", Leaf "x"))]), (3, (Binary((1, 1), (2, 1)), [Binary_s(2, 1)]), [])] : (int * (Proofstep * Clausesimp list) * (bool * Tree) list) list 2.6
Translatin
The proof ransla or is by far he mos complica ed par of GANDALF TAC. Gandalf has four basic proof s eps (binary resolu ion, hyperresolu ion, fac oring and paramodula ion) and four basic simpli ca ion s eps (binary resolu ion, hyperresolu ion, fac oring and demodula ion). Each Gandalf proof line con ains exac ly one proof s ep followed by an arbi rary number of simpli ca ion s eps o ob ain a new clause (which is numbered and can be referred o in la er proof lines). The proof is logged in de ail and in addi ion af er each proof line he desired clause is prin ed, allowing a check ha he line has been correc ly followed. The problem is ha even hough he proofs are logged in de ail, hey are occasionally no logged in enough de ail o make hem unambiguous. The si uaions in which hey are ambiguous are rare, usually involving large clauses when more han one disjunc migh ma ch a par icular opera ion, bu hey occur of en enough o make i necessary o ackle he issue. To illus ra e he problem, here may be several pairs of disjunc s ha i is possible o fac or, or simplifying wi h binary resolu ion may be applicable o more han one disjunc in he clause. Gandalf also freely reorders he disjunc s in he axioms wi h which i has been supplied, requiring some work o even discover which of our own axioms i is using!3 3
In addition, my version of Gandalf had a small bu in the proof lo in routine requirin some uesswork to determine the exact literals used in the hyperresolution
Inte ratin Gandalf and HOL
317
A his poin i would have been easy o con ac he au hor of Gandalf and ask him o pu enough de ail in o he proofs o comple ely disambigua e hem. However, we decided o remain fai hful o he spiri of he projec by rea ing Gandalf as a blackbox, and looked ins ead for a solu ion wi hin GANDALF TAC. We implemen a Prologs yle dep h rs search wi h back racking o follow each line, if necessary rying all possible choices o ma ch he Gandalf clause wi h a HOL heorem. If here were many ambigui ies combined wi h long proof lines, his solu ion would be comple ely imprac ical, for una ely however ambiguous si ua ions occur rarely and here are usually no many possible choices, so e ciency is no a key ques ion. The only ambigui y ha of en needs o be resolved is he ma ching of axioms and his is performed in ML, bu all o her proof s eps are performed as HOL inferences on heorems. The nal line in he Gandalf proof is a con radic ion, so he corresponding line in he HOL world is oo: ( 2.7
b
x P
Pb
P x)
Final Primitive Steps
Af er ransla ion, we need only use he con radic ion axiom in order o es ablish our original goal: b
3
x P
Pb
Px
Results
3.1
Performance
In Table 1 we compare he performance of GANDALF TAC wi h MESON TAC, using a se of es heorems aken mos ly from he se ha John Harrison used o es MESON TAC, mos of which in urn are aken from he TPTP (Thousands of Problems for Theorem Provers) archive4 . In each line we give he name of he es heorem, followed by he (real) ime in seconds o prove he heorem and he number of HOL primi ive inference s eps performed, for bo h he ac ics. In addi ion, af er he GANDALF TAC primi ive inferences, we include in bracke s he number of hese inferences ha were was ed due o back racking. As can be seen he number of was ed inferences is generally zero, bu occasionally an ambigui y urns up ha requires some back racking. The o her hing o no e from Table 1 is ha MESON TAC bea s GANDALF TAC in almos every case, he only excep ions lying in he hard end of bo h sec ions. Why is his? Table 2 examines how he ime is spen wi hin bo h ac ics. We divide up he proof ime in o 3 phases:
4
steps. Of course this can be easily xed by the author, but it is a ood illustration of the type of problem encountered when usin an o the shelf prover. The TPTP homepa e is http://wwwjessen.informatik.tumuenchen.de/~tptp/.
318
Joe Hurd
Table 1. Performance comparison of GANDALF TAC wi h MESON TAC. Goal Nonequality T P P MN bu JH test P50 A atha ERIC PRV006 1 GRP031 2 NUM001 1 COL001 2 LOS GRP037 3 NUM021 1 CAT018 1 CAT005 1 Equality x=x P48 PRV006 1 NUM001 1 P52 P51 GRP031 2 GRP037 3 CAT018 1 NUM021 1 CAT005 1 COL001 2 A atha
MESON TAC
GANDALF TAC
0.027 0.075 0.122 0.137 0.159 0.438 0.989 1.064 1.267 2.090 2.150 5.705 7.149 7.535 12.226 63.849
31 72 166 176 243 872 490 1501 713 1138 847 917 2151 1246 2630 2609
0.034 2.003 2.062 2.762 1.638 3.916 2.750 41.044 8.083 40.190 39.240 5.110 79.370 17.210 61.585 66.200
32 108 286 312 441 1891 1268 8097 3699 4019 2620 2565 11988 4352 13477 13371
( ) (0) (0) (0) (0) (0) (0) (109) (251) (0) (0) (0) (0) (0) (0) (0)
0.090 0.394 0.648 0.768 1.157 1.294 1.377 3.402 7.646 7.737 30.514 56.948
54 636 1053 876 1122 1079 757 1466 1809 1026 1784 700
0.041 2.707 13.558 7.032
35 495 4015 3012
7.946 26.844 28.560 10.765 29.490 4.930 12.626
3699 8242 8611 3423 8505 1273 3409
( ) (0) (0) (0) ( ) ( ) (251) (0) (0) (0) (0) (0) (0)
Conv: Conversion in o he required inpu forma . Proof: Proofsearch using na ive da a ypes. Trans: Transla ion of he proof in o HOL. All he en ries in his able are geome ric means, so he rs line represen s he geome ric means of imes for phases of GANDALF TAC o prove all he nonequali y problems in Table 1. Geome ric means were chosen here so ha ra ios are meaningful, and he large di erence be ween GANDALF TAC and MESON TAC is in he ransla ion phase; GANDALF TAC s ruggles o ransla e proofs in ime comparable o nding hem, bu for MESON TAC hey are comple ely insigni can . Ano her in eres ing di erence is in he proofs of equali y formulae; MESON TAC has a sharp peak in his en ry, bu here is no anologue of his for GANDALF TAC.
Inte ratin Gandalf and HOL
319
Table 2. Breakdown of ime spen wi hin GANDALF TAC and MESON TAC. Conv.
Proof
Trans.
Total
1.67 4.20 2.51
5.55 5.27 5.42
2.14 7.19 3.64
11.57 17.82 13.99
0.26 0.43 0.33
0.36 1.27 0.66
0.06 0.09 0.07
0.90 2.61 1.50
GANDALF TAC Nonequality Equality Combined MESON TAC Nonequality Equality Combined
I seems likely ha his is because Gandalf’s has buil in equali y reasoning, whereas equali y has o be axioma ised in formulae sen o MESON TAC. 3.2
Gandalf the Plu In
Pu ing aside performance issues for he momen , he projec has also conribu ed o he developmen of he plugin concep . GANDALF TAC provides evidence ha plugins can coexis wi h he idea of an LCF logical core, and ha e cien proving does no have o mean accep ing heorems on fai h from an oracle. GANDALF TAC has also es ed he plugin in erface code, which is simple o use, enabling one o concen ra e on proof issues wi hou having o hink abou sys em de ails. Once he in erface becomes par of he s andard HOL dis ribu ion hen any Gandalf user will be able o download he GANDALF TAC ML source and wrapper shell scrip , and use Gandalf in heir HOL proofs. Hopefully we will see many more plugins appearing in he fu ure.
4
Conclusion
The mos impor an hing o draw from his projec is he need for good s andards. If Gandalf used a good s andard for describing proofs ha re ained he humanreadable aspec bu was comple ely unambiguous, hen he projec would have been easier o comple e and he resul would be more s reamlined. On he posi ive side, Gandalf has a good inpu forma ha is easy o produce, and he Plugin in erface is an example of a good developmen s andard, aking care of sys em issues and allowing he programmer o hink on a more abs rac level. If ei her of hese had been absen , hen he projec would have been s alled considerably. A program can only be useful as a componen of a larger sys em if he in erface is easy for machines as well as people, i.e., simple and unambiguous as well as shor and readable. Wha is he fu ure for GANDALF TAC? There are several ways in which he performance could be improved, perhaps he mos e ec ive of which would be o en er in o correspondence wi h he au hor of Gandalf, so ha comple ely explici
320
Joe Hurd
(perhaps even HOLs yle) proofs could be emi ed. Ano her approach would be o reduce he number of primi ive inferences performed, bo h he ini ial conversion o CNF and proof ransla ion could be improved in his way. Perhaps hey could even be performed ou side he logic, minimizing he primi ive inferences o a fas veri ca ion s age once he righ pa h had been found. There is much scope for op imiza ion of GANDALF TAC on he ML/HOL side, and he resul s ob ained sugges ha such an e or migh be su cien for Gandalf’s na ural advan ages of buil in equali y reasoning and coding in C o allow GANDALF TAC o over ake MESON TAC in some domains (e.g., hard problems involving equali y reasoning). To look a ano her angle, GANDALF TAC is a s ep owards dis ribu ed heoremproving. I is easy o imagine several proof servers (perhaps several Gandalf servers each wi h di eren s ra egies selec ed), and a clien in erface designed o ake he rs proof ha re urned and hrow he res away. Dis ribu ing such a CPUin ensive, one ime ac ivi y as heoremproving makes economic sense, al hough here are many problems o be solved here, such as how o divide up a problem in o pieces ha can be sepera ely solved and joined oge her a he end. Finally, one hing ha was obvious while developing GANDALF TAC is ha a ool like Gandalf does no really in wi h he in erac ive proof s yle popular a presen . If Gandalf is used in a proof and akes 3 minu es o prove a subgoal, hen every ime he proof is run here will be a 3 minu e wai . Wha would perhaps be useful is o save proofs, so ha only he speedy veri ca ion is run in he fu ure, no he ex ensive search. Maybe hen we would begin o see more ools like Gandalf applied in proofs, as well as he fas ac ics ha curren ly domina e.
5
Acknowled ements
I would like o hank Konrad Slind for helping me wi h all aspec s of his work; when I began I was bu a HOL novice. Mike Gordon, my supervisor, also gave me valuable advice on how o a ack he problem and make he mos of he oppor uni y. Michael Norrish made some useful addi ions o he Prosper plugin in erface o solve some of he problems I was having, and Myra VanInwegen, Marieke Huisman and Daryl S ewar sympa he ically lis ened o my frequen s a us repor s in he earoom. Larry Paulson kindly pos poned my scheduled group alk when i was obvious ha I needed ano her week. Finally, he commen s from he anonymous referees grea ly improved he nal version.
References [1] Wolf an Ahrendt, Bernhard Beckert, Reiner H¨ ahnle, Wolfram Menzel, Wolf an Reif, Gerhard Schellhorn, and Peter H. Schmitt. Inte ration of automated and interactive theorem provin . In W. Bibel and P. Schmitt, editors, Automated Deduction: A Basis for Applications, volume II, chapter 4, pa es 97 116. Kluwer, 1998.
Inte ratin Gandalf and HOL
321
[2] H. Busch. Firstorder automation for hi herorderlo ic theorem provin . In Hi her Order Lo ic Theorem Provin and Its Applications, volume Lecture Notes in Computer Science volume 859. Sprin erVerla , 1994. [3] M. J. C. Gordon and T. F. Melham. Introduction to HOL (A theoremprovin environment for hi her order lo ic). Cambrid e University Press, 1993. [4] J. Harrison. Optimizin proof search in model elimination. In M. A. McRobbie and J. K. Slaney, editors, 13th International Conference on Automated Deduction, volume 1104 of Lecture Notes in Computer Science, pa es 313 327, New Brunswick, NJ, 1996. Sprin erVerla . [5] J. Harrison. The HOLLi ht Manual (1.0), May 1998. Available from http://www.cl.cam.ac.uk/users/jrh/holli ht/. [6] R. Kumar, Th. Kropf, and Schneider K. Inte ratin a rstorder automatic prover in the hol environment. In M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley, editors, Proceedin s of the 1991 International Workshop on the HOL Theorem Provin System and its Applications (HOL91), pa es 170 176, Davis, California, Au ust 1991. IEEE Computer Society Press. [7] K. Slind. HOL98 Draft User’s Manual, Athabasca Release, Version 2, January 1999. Available from http://www.cl.cam.ac.uk/users/kxs/. [8] T. Tammet. A resolution theorem prover for intuitionistic lo ic. In Cade 13, volume Lecture Notes in Computer Science volume 1104. Sprin er Verla , 1996. [9] T. Tammet. Gandalf version c1.0c Reference Manual, October 1997. Available from http://www.cs.chalmers.se/ tammet/. [10] T. Tammet. Towards e cient subsumption. In Automated Deduction: Cade 15, volume Lecture Notes in Arti cial Intelli ence volume 1421. Sprin er, 1998.
LiftedFL: A Pra matic Implementation of Combined Model Checkin and Theorem Provin Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger S ra egic CAD Labs, In el Corpora ion, JFT104 5200 NE Elam Young Parkway, Hillsboro, OR 97124
Abs rac . Combining heorem proving and model checking o ers he an alizing possibili y of e cien ly reasoning abou large circui s a high levels of abs rac ion. We have cons ruc ed a sys em ha seamlessly in egra es symbolic rajec ory evalua ion based model checking wi h heorem proving in a higherorder classical logic. The approach is made possible by using he same programming language (fl) as bo h he me a and objec language of heorem proving. This is done by lif ing fl, essen ially deeply embedding fl in i self. The approach is a pragma ic solu ion ha provides an e cien and ex ensible veri ca ion environmen . Our approach is generally applicable o any dialec of he ML programming language and any modelchecking algori hm ha has prac ical inference rules for combining resul s.
1
Introduction
Even wi h he con inuing advances in modelchecking echnology, indus rialscale veri ca ion e or s immedia ely confron modelchecking capaci y limi s. Using heorem proving o compose veri ca ion resul s o ers he an alizing possibili y of mi iga ing he capaci y limi a ions of au oma ed model checking. The goal is o build veri ca ion sys ems ha provide bo h he power of heorem proving o reason abou large sys ems a high levels of abs rac ion and he e ciency and usabili y of model checking. In his paper, we describe a combined modelchecking and heoremproving sys em ha we have buil on op of he Voss sys em [16]. The in erface language o Voss is fl, a s rongly yped func ional language in he ML family [23]. Model checking in Voss is done via symbolic rajec ory evalua ion (STE) [26]. Theorem proving is done in he ThmTac1 proof ool. ThmTac is wri en in fl and is an LCFs yle implemen a ion of a higherorder classical logic. Al hough much of our discussion includes references o fl and rajec ory evalua ion, our approach is generally applicable o any dialec of ML and any modelchecking algori hm ha has prac ical inference rules for combining resul s. Our goal in combining rajec ory evalua ion and heorem proving was o move seamlessly be ween model checking, where we execute fl func ions, and 1
The name ThmTac comes from
heorems and
ac ics .
Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 323 340, 1999. c Sprin erVerla Berlin Heidelber 1999
324
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
heorem proving, where we reason abou he behavior of fl func ions. A he same ime, we wan ed users who only wan o do modelchecking o be unencumbered by ar ifac s of heoremproving. These goals are achieved via a mechanism ha we refer o as lif ed fl . The basic concep of lif ed fl is o use fl as bo h he objec and me a language of a proof ool. Parsing an fl expression resul s in a conven ional combina or graph for evalua ion purposes and an abs rac syn ax ree represen ing he ex of he expression. The abs rac syn ax ree is available for fl func ions o examine, manipula e, and evalua e. Lif ed fl is similar o reflec ion, or he quo e mechanism in Lisp. One impor an di erence from Lisp is ha fl is s rongly yped, while Lisp is weakly yped. Our link from heorem proving o model checking is via he evalua ion of lif ed fl expressions. Roughly speaking, any fl expression ha evalua es o rue can be urned in o a heorem. Figure 1 shows how we move smoo hly be ween s andard evalua ion (i.e., programming) and heorem proving. The lef column illus ra es he proof of a rivial heorem. We rs evalua e 1 + 4  2 > 2 o convince ourselves ha i is indeed rue. We hen use Eval tac o prove his heorem in a single s ep. The righ column illus ra es how we debug a proof ha fails in he evalua ion s ep by execu ing fl code from he proof. Also no e ha ThmTac does no a ec he use of rajec ory evalua ion. In fac , someone who does no wan o do heorem proving is comple ely unaware of he exis ence of ThmTac. fl> 1 + 4  2 > 2; it :: bool T
fl> Prove ‘1 + 4  2 > 12‘ Eval_tac; it :: Theorem *** Failure: Eval_tac
fl> Prove ‘1 + 4  2 > 2‘ Eval_tac; fl> 1 + 4  2; it :: Theorem it :: int  ‘1 + 4  2 > 2‘ 3 Transi ion from evalua ion o heorem proving
Debug proofs by evalua ion
Fi . 1. Example use of evalua ion and lif edfl
Before proceeding, we mus in roduce a bi of erminology. Trajec ory evalua ion correc ness s a emen s are of he form STE ckt A C. The antecedent (A) gives an ini ial s a e and inpu s imuli o he circui ckt , while he consequent (C) speci es he desired response of he circui . Trajec ory evalua ion is described in Sec ion 2 and de ailed in o her papers [15, 16, 26]. Figure 2 illus ra es he ransi ion be ween model checking and heorem proving. In he lef column, we check if a rajec ory evalua ion run succeeds and hen conver i in o a heorem. In he righ column, we debug a broken proof by execu ing he rajec ory evalua ion run ha fails. When a rajec ory evalua ion run does no succeed, i re urns a BDD describing he failing condi ion. In his
Combined Model Checking and Theorem Proving
325
example, we see ha he circui does no ma ch he speci ca ion if reset is rue or if src1[63] and src2[63] are bo h false. fl> STE ckt A C; it :: bool runnin STE....success! T
fl> Prove ‘STE ckt A D‘ Eval_tac; it :: Theorem runnin STE....DID NOT SUCCEED *** Failure: Eval_tac
fl> Prove ‘STE ckt A C‘ Eval_tac; it :: Theorem runnin STE....success!  STE ckt A C
fl> STE ckt A C; it :: bool runnin STE....DID NOT SUCCEED reset + !src1[63]&!src2[63]
Transi ion from model checking o heorem proving
Examine STE coun er example if Eval tac fails
Fi . 2. Example use of model checking and heorem proving
As a mo iva ing example for he use of heorem proving, consider he inference rule for combining wo consequences oge her, STE and (Figure 3). This rule says: if we can use he an eceden A o prove consequen C1 and, in a separa e veri ca ion run, use A o prove C2 ; hen we can use A o prove he conjunc ion of C1 and C2 . This rule can subs an ially reduce he complexi y of a rajec ory evalua ion run because, unlike CTL model checking, he complexi y is dependen on he size of he speci cation and no he size of he circuit. Addi ional rajec ory evalua ion rules include precondi ion s reng hening, pos condi ion weakening, ransi ivi y, and casespli ing [2, 15]. Af er using he inference rules o decompose a proof obliga ion in o a se of smaller rajec ory evalua ion goals, we use Eval tac o carry ou he individual rajec ory evalua ion runs. STE ckt A C1
STE ckt A C2 STE and
STE ckt A (C1 and C2 )
Fi . 3. STE conjunc ion inference rule
We have used he combina ion of rajec ory evalua ion and heorem proving in several large veri ca ion e or s. Published accoun s include a varie y of floa ingpoin circui s and an IA32 ins ruc ionleng h decoder [1, 2, 22]. In conras o previous papers ha focused on he use of heorem proving o manage model checking, his paper describes he implemen a ion aspec s of he sys em. Our proof ool, ThmTac, roughly follows he model of LCF proof sys ems [13]. The core of ThmTac is encapsula ed in an abs rac da a ype and all ex ensions o he core are de ni ional, which provides bo h flexibili y and con dence in he soundness of he sys em. The core of ThmTac is a se of rus ed ac ics and is no
326
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
no fully expansive, in ha proofs do no expand o rees of primi ive inference rules. Tac ics work backwards and do no provide a forwardsproof jus i ca ion of heir ac ion. 1.1
Related Work
A number of groups have a emp ed o combine heorem proving and model checking; mos have found i o be a surprisingly problema ic under aking. There have been several a emp s o use a model checker as a decision procedure in a proof sys em [6, 10, 14, 24]. Those e or s have no arge ed largescale ga elevel hardware veri ca ion. As described in Sec ion 2.3, experiences wi h HOLVoss [19] demons ra ed ha such an approach does no provide an e ec ive pla form for ga elevel hardware veri ca ion. Au oma ed model checkers some imes include reduc ion rules ha ransform he model and/or speci ca ion o decrease he size of he s a e space. These rules are ypically hardcoded in o he implemen a ion, no available for in erac ive use, and no in egra ed wi h general purpose reasoning facili ies [8, 18, 21]. ACL2 [20], originally from Compu a ional Logic, is he work mos closely rela ed o ha presen ed here, in ha Applica ive Common Lisp is used as he implemen a ion language and he erm language. ACL2 has been used for largescale heoremproving based hardware veri ca ion [25], bu his work has no made use of modelchecking.
2
Evolution of a Solution
In his sec ion we describe he lessons learned during he evolu ion of symbolic rajec ory evalua ion over he course of almos en years. During ha ime, wo di eren combina ions of rajec ory evalua ion and heorem proving were implemen ed. The nex sec ion describes how lif edfl and he hird experimen , ThmTac, resul ed from he lessons learned. 2.1
Symbolic Trajectory Evaluation
Symbolic rajec ory evalua ion [26] is based on radi ional no ions of digi al circui simula ion and excels a da apa h veri ca ion. Compu ing STE ckt A C gives he weakes condi ion under which he an eceden A sa is es he consequen C. One of he keys o he e ciency of rajec ory evalua ion and i s success wi h da apa h circui s is he res ric ed emporal logic. The core speci ca ion language for an eceden s and consequences ( rajec ory formulas) is shown in Figure 4. For he purposes of his paper, he mos impor an aspec of rajec ory evalua ion is he exis ence of a se of inference rules for manipula ing rajec ory formulas. These inference rules allow us o combine resul s oge her [16], and o use he parametric representation (Sec ion 4.3) o ransform rajec ory formulas o increase model checking e ciency [2].
Combined Model Checking and Theorem Proving traj form
327
node is value traj form when uard N traj form traj form and traj form
The meaning of he rajec ory formula: Nt (node is value when uard ) is: if uard is rue hen a ime t, node has value value ; where node is a signal in he circui and value and uard are Boolean expressions (BDDs).
Fi . 4. Ma hema ical de ni ion of rajec ory formulas
2.2
Voss
Symbolic rajec ory evalua ion was rs implemen ed as an ex ension o he COSMOS symbolic simula or [5]. Af er several experimen s wi h di eren forms of in erac ion wi h he simula or, Seger crea ed he Voss implemen a ion of rajec ory evalua ion and included an MLlike language called fl as he in erface. In fl, he Boolean da a ype is implemen ed using Binary Decision Diagrams (BDDs) [7]. Trajec ory evalua ion is execu ed by calling he buil in func ion STE. Voss provides a very igh and e cien veri ca ion and debug loop. Users can build scrip s ha run he modelchecker o verify a proper y, genera e a coun er example, simula e he coun erexample, and analyze he source of he problem. Experience has shown ha Voss provides a very e cien pla form for debugging circui s. Trajec ory formulas are implemen ed as a very shallow embedding in fl, ra her han as a more conven ional deep embedding. Trajec ory formulas are implemen ed as lis s of vetuples (Figure 5). This s yle of embedding has advan ages bo h for model checking ex ensibili y and for heorem proving. For example, users generally nd he de ni ions of from and to preferable o nes ed nex s .
uard lettype traj form = ( bool let let let let
n is v f1 and f2 f when Nf
= = = =
node strin
value bool
start nat
end nat ) list
[(T n v 0 1)] f1 append f2 map ( ( 0 n v t0 t1 ) ( 0 AND n v t0 t1 )) f map ( ( n v t0 t1 ) ( n v t0 + 1 t1 + 1)) f
let f from t0 = map ( ( n v z t1 ) ( n v t0 t1 )) f let f to t1 = map ( ( n v t0 z) ( n v t0 t1 )) f
Fi . 5. Implemen a ion of rajec ory formulas in Voss
328
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
The value eld in a rajec ory formula can be any Boolean proposi ion (BDD). Because of he shallow embedding, users have he comple e freedom of a generalpurpose func ional programming language in which o wri e heir speci ca ions. As users of proof sys ems have known for a long ime, his facilia es concise and readable speci ca ions. The or hogonali y of he emporal aspec ( he wo ime elds) of he speci ca ion from he da a compu a ion ( he guard and value elds) has a number of posi ive rami ca ions. Al hough rajec ory formulas are no generally execu able, he individual elds are execu able. For example, users can evalua e he da a aspec of heir speci ca ion simply by evalua ing he fl func ion ha compu es he in ended resul . S andard rewri e rules and decision procedures over Booleans can be applied o he guard and da a elds. Rewri e rules and decision procedures for in egers can be applied o he emporal elds. A s andard deep embedding of a emporal logic would require specialized rewri e rules and decision procedures for rajec ory formulas. In summary, he lessons learned as Voss evolved from simply an implemena ion of rajec ory evalua ion o a generalpurpose pla form for symbolic simula ion and hardware veri ca ion were: 1. An MLlike programming language (such as fl) makes an excellen in erface o a veri ca ion sys em. 2. The shallow embedding of he speci ca ion language in a generalpurpose programming language facili a es user ex ensibili y and concise, readable speci ca ions. 3. An execu able speci ca ion language makes i much easier o es and debug speci ca ions. 2.3
HOLVoss
In 1991, Joyce and Seger cons ruc ed he HOLVoss sys em [19], which was an experimen wi h using rajec ory evalua ion as a decision procedure for he HOL proof sys em [13]. When he model checker is jus a decision procedure in he proof sys em, he user’s only me hod of in erac ing wi h i is o call he model checker as a ac ic. This isola es he user from he powerful debugging and analysis capabili ies buil in o he model checker. In addi ion, prac ical model checking is rarely, if ever, a black box procedure ha comes back wi h rue or false . Ra her, model checking involves signi can manual in erac ion, dealing wi h a varie y of issues including BDD variable orders and environmen modeling. Consequen ly, using a modelchecker as a decision procedure in a proof sys em does no resul in an e ec ive hardware veri ca ion environmen . The key lessons learned from HOLVoss were: 1. From he same promp , he user mus be able o in erac direc ly wi h ei her he model checker or he proof ool. 2. More ime is spen in model checking and debugging han in heorem proving.
Combined Model Checking and Theorem Proving
2.4
329
VossProver
Applying lessons learned from HOLVoss and new inference rules for rajec ory evalua ion, Seger and Hazelhurs crea ed VossProver, a ligh weigh proof sys em buil on op of Voss [15]. VossProver was implemen ed in fl in ypical LCF s yle wi h an abs rac da a ype for heorems. Hazelhurs and Seger used a limi ed speci ca ion language o simplify heorem proving. The speci ca ion language of VossProver was a deep embedding in fl of Booleans and in egers and a shallow embedding of uples, lis s, and o her fea ures. The ransi ion from heorem proving o model checking was done by ransla ing he deeply embedded Boolean and in eger expressions in o heir fl coun erpar s and hen evalua ing he resul ing fl expressions. The success of he approach implemen ed in VossProver was demons ra ed by a number of case s udies, including he veri ca ion of a pipelined IEEEcomplian floa ingpoin mul iplier by Aagaard and Seger [3]. The ransla ion from he deeplyembedded speci ca ion language used in heorem proving o he normal fl used in model checking was awkward. De ni ions were of en duplica ed for he wo ypes. The di cul y of evalua ing Boolean expressions a he fl promp was a serious de rac ion when compared o he ease of use provided by speci ca ions in fl. The lack of suppor for ypes o her han Boolean and in egers and he inabili y o de ne and reason abou new iden i ers limi ed he usefulness of he VossProver ou side of he range of ari hme ic circui s for which i was originally developed. Our conclusions from analyzing he VossProver work were: 1. When model checking, he user mus be unencumbered by ar ifac s from he heorem prover. 2. The speci ca ion language for model checking mus suppor simple and useful inference rules. 3. The heorem prover and model checker mus use he same speci ca ion language. 4. Even if a proof sys em has a very narrow focus i should include a generalpurpose speci ca ion language. 5. fl, being a dialec of ML, is a good language for implemen ing a proof sys em. Analyzing he conclusions lef us wi h he seemingly con radic ory conclusion ha we wanted to use fl as both the speci cation and implementation lan ua e for a proof tool. Our solu ion o he con radic ion was o deeply embed fl wi hin i self, ha is, o lif he language. This allows fl programs o see and manipula e fl expressions. The remainder of he paper describes lif ed fl and i s use in implemen ing ThmTac, he curren proof sys em buil on op of Voss.
3
Implementation of Liftedfl
A programming language sees he value of an expression and no he s ruc ure of he expression. For example, he value of 3 + 4 is 7. By examining he value, we
330
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
canno dis inguish 3 + 4 from 8 − 1. An equali y es in a programming language is a es of semantic equality. In a programming language, every ime we evalua e an ifthenelse, we prove ha he condi ion is seman ically equal o rue or false. In a logic, he primi ive inference rule for equali y of wo erms is a es of syntactic equali y (e.g., a = a). The equali y symbol in he logic forms an asser ion abou semantic equali y (e.g., a + b = b + a). The power of heorem proving comes from he abili y o use syn ac ic manipula ion o prove he seman ic equali y of expressions ha canno be evalua ed. The inspira ion behind lif edfl was o allow his ype of reasoning abou fl programs hemselves. By basing ThmTac on lif ed fl, we crea ed a world where we can (1) direc ly and e cien ly evalua e erms in he speci ca ion language and (2) manipula e and reason abou hem. This e ec ively merges he worlds of seman ic evalua ion in model checking and syn ac ic manipula ion in heorem proving. We lif an fl expression by enclosing i in backquo es (e.g., ‘3+4‘). If an expression has ype , he lif ed expression has ype expr (e.g., ‘3+4‘ :: int expr). We evalua e concre e lif edfl expressions wi h he full e ciency of normal fl code via he func ion eval :: expr , which akes an expression and re urns a value of ype . The fl programming language is a s rongly yped, lazy func ional programming language. Syn ac ically, i borrows heavily from EdinburghML [13] and seman ically, i s core is very similar o lazyML [4]. One dis inguishing fea ure of fl is ha Binary Decision Diagrams (BDDs) [7] are buil in o he language and every objec of ype bool is represen ed as a BDD.2 Similar o mos func ional languages, he inpu language (fl) is rs ransla ed o a much simpler in ermedia e language ha is inpu o he compiler and in erpre er. For example, during his rs s age, func ions de ned by pa ern ma ching are ransla ed in o func ions ha perform he pa ern ma ching explici ly using s andard pa ern ma ching compila ion [12]. The in ermedia e language is essen ially an enriched form of lambda expressions. Figure 6 shows he da a ype represen ing he in ermedia e language for fl. All bu wo of he cons ruc ors are similar o ha of a generic higherorder logic proof sys em [13]. The expression cons ruc or (EXP ) is used o represen lif ed erms. A userde ned func ion de ni ion (USE DEF) con ains he name of he iden i er ( he s ring), he body of he de ni ion ( he erm), and he fl graph o execu e ( he code). To illus ra e, Figure 7 gives an overview of he implemen a ion of lif ed fl.3 The op of he gure shows four lines of fl code: he de ni ion of he func ion inc, a call o inc wi h an argumen of 14, a lif ed version of he same expression wi h 2
3
S ric ly speaking, he ype of hese objec s should be env bool, where env is an in erpre a ion of he variables used in he BDD. However, for convenience he global environmen is kep implici and he ype abbrevia ed o bool. For conciseness, Figure 7 does no include all of he elds for USERDEF and glosses over he fac ha leaf erms (e.g., INT 14) should be encapsula ed by a LEAF cons ruc or (e.g., (LEAF (INT 14))).
Combined Model Checking and Theorem Proving lettype leaf = INT int  STRING strin  BOOL bool  PRIM_FN int  USERDEF strin  VAR strin  NIL
term code
331
andlettype term = APPLY term term  LAMBDA strin term  LEAF leaf  EXPR term ;
Fi . 6. Term ype in lif ed fl
an argumen of 24, and he evalua ion of he lif ed expression wi h an argumen of 34. The Voss ou pu for each of he four lines is shown a he bo om of he gure. Be ween he inpu and he ou pu are he in ermedia e s eps and he symbol able. The parser genera es abs rac syn ax rees ha are iden ical o hose of a conven ional parser wi h he excep ion of EXP , which is used o mark ha an expression is o be lif ed. For each fl iden i er, he ypechecker adds wo en ries o he symbol able, one for he regular iden i er (inc) and one for he lif ed iden i er ($inc). The en ry for he regular iden i er con ains wo elds: type and raph. The type eld is inser ed by he ypechecker, and he raph eld is he combina or graph genera ed by he compiler. The lif ed iden i er con ains hree elds: type, raph, and code. The type eld is he same as for he regular func ion excep ha i is made in o an expression ype. The raph eld for he lif ed iden i er is he concre e da a ype represen a ion of he in ermedia e language (Figure 6). The code eld is included for e ciency reasons, and is a poin er o he raph eld of he regular iden i er. The abs rac syn ax rees are seman ically iden ical o he da a s ruc ure of lif ed fl. For example, in Figure 7, compare he second line genera ed by he parser and he hird line genera ed by he evalua or. The abs rac syn ax ree of he nonlif ed expression ma ches he resul ing value of he lif ed expression. To evalua e a lif edfl expression, we rs replace he lif ed combina or graph nodes wi h heir nonlif ed coun erpar s. The code eld of USE DEF improves he e ciency of evalua ion. We use he code eld o replace occurrences of lif ed iden i ers (e.g., $inc) wi h he graph of he nonlif ed iden i er, ra her han ransla e he graph of he lif ed iden i er o i s nonlif ed coun erpar . Af er ransla ing he graph, we call he fl evalua or as wi h conven ional evalua ion. So far, we have described lif ed fl as he exac coun erpar of regular fl. To suppor heorem proving, lif ed fl allows free variables which are no allowed in regular fl. Free variables are iden i ers pre xed by ? or ! (e.g., ?x and !f). We modi ed he ypechecker so ha i knows whe her i is in lif ed or regular mode. The wo modes are essen ially he same, excep ha he regular mode complains when i encoun ers a free variable while he lif ed mode does no complain if he rs charac er of he free variable is ? or ! . As expec ed,
332
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
FL code 1 2 3 4
let inc = \i. 1 + i; inc 14; ‘inc 24‘; eval ‘inc 34‘;
lexer/parser 1 2 3 4
DEF( "inc", (LAMBDA "i" (APPLY (APPLY (PRIM "+") (INT 1)) (VAR "i")) VAL( APPLY (USERDEF "inc") (INT 14)) VAL( (EXPR (APPLY (USERDEF "inc") (INT 24)))) VAL( APPLY (PRIM "eval") (EXPR (APPLY (USERDEF "inc") (INT 34))))
symbol table typechecker inc
type:int > int @
graph:
compiler
@ + $inc
inc
14
1
1
type: (int > int) expr
@
2 @
code:
@
3 APPLY $inc INT
graph:
@
4
@
@
@
LAMBDA "i"
@
APPLY
eval
@ @
VAR
@ APPLY
24
@
"i"
APPLY $inc INT
@ $+
INT
1 2 3 4
@
evaluator
1
inc :: int > int 15 :: int APPLY ((USERDEF "$inc") (INT 24)) :: int expr 35 :: int
Voss output
Fi . 7. Implemen a ions of lif ed fl
@ 34
Combined Model Checking and Theorem Proving
333
evalua ing a lif edfl erm raises an excep ion if he associa ed expression con ains any free variables.
4
ThmTac
The logic of ThmTac is a higherorder classical logic. The erm language is he lambda calculus ex ended wi h he primi ive func ions of fl. Much of he implemen a ion of ThmTac is similar o ha of a ypical LCF sys em. We assume ha he reader is familiar wi h he implemen a ion of a ypical LCF proof sysem. We will focus our discussion on hose aspec s of ThmTac ha di er from conven ion. 4.1
Basic Term Lan ua e
As described a he end of Sec ion 3, we modi ed fl o suppor free variables in lif ed fl. Quan i ers are ano her dis inc ion be ween a programming language and a logic. We implemen ed quan i ers in ThmTac wi h func ions ha raise excep ions when evalua ed and hen axioma ized heir behavior. One of he few basic erm opera ions underlying ThmTac ha di ers from a conven ional implemen a ion is ha of unfolding a de ni ion. Recall ha in he USE DEF cons ruc or, iden i ers carry heir body wi h hem. Ra her han manipula ing symbol ables and concerning ourselves wi h scoping rules and mul iple de ni ions, we simply replace he occurrence of he iden i er wi h he body from he USE DEF. 4.2
General Tactics
The core se of ac ics, ac icals, rewri es and conversionals are rus ed and enclosed in abs rac da a ypes. Inside he core, ThmTac ac ics are func ions from a sequen o a lis of sequen s. An emp y sequen lis means ha he ac ic solved he goal. Ou side of he core, users combine rus ed pieces oge her in he conven ional LCF s yle. This hybrid approach s rikes a good balance be ween soundness and produc ivi y (bo h of sys em developmen and veri ca ion). We use hree abs rac da a ypes o pro ec he core: Theorem, Tactic, and ewrite. Sligh ly simpli ed versions of hese ypes and several accessor func ions are shown in Figure 8. In he LCF s yle, we provide users he full power of a programming language (fl) o cons ruc new ac ics and ac icals from exis ing ac ics and ac icals. Because ac ics are encapsula ed in an abs rac da a ype, hey canno be be direc ly applied o sequen s. We provide he func ion apply tac o apply a ac ic o a sequen . The func ion peek at sequent allows users o examine he sequen when choosing which ac ics o apply wi hou compromising he safe y of he sys em.
334
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger lettype lettype lettype lettype
Sequent Theorem Tactic Rewrite
= = = =
SEQUENT (bool expr list) (bool expr); THEOREM (bool expr); TACTIC (sequent sequent list); REWRITE ( expr expr);
apply tac :: Tactic Sequent Sequent list peek at sequent :: (Sequent Tactic) Tactic Prove :: bool expr Tactic Theorem
Fi . 8. Implemen a ions of core abs rac da a ypes
4.3
Special Tactics
Evaluation as a Tactic As described earlier, eval is an fl func ion of ype expr . Evalua ion is available o he ThmTac user in rewri ing and in ac ic applica ion. Eval rw is a rewri e ha evalua es a erm and subs i u es he resul in for he original erm. Eval tac evalua es he goal of he sequen and solves he goal if i evalua es o rue. Our primary in en ion wi h lif edfl was o provide for he evalua ion of rajec ory evalua ion runs (e.g., Figure 2). In addi ion, evalua ion can be applied o general expressions, and is easier and more e cien han applying libraries of rewri e rules for each of he di eren func ions o be evalua ed. Because Booleans are buil in o fl as BDDs, Eval tac provides an e cien decision procedure for Booleans. Addi ionally, we have wri en ac ics ha ake goals wi h nonBoolean sub erms, replace each erm con aining nonBoolean sub erms wi h a unique Boolean variable, and evalua e he goal. STESpeci c Tactics There are several rajec ory evalua ion inference rules for combining and decomposing STE calls [15]. Figure 3 in Sec ion 1 showed he inference rule for combining wo rajec ory evalua ion runs wi h iden ical an eceden s and di eren consequen s. This and he o her rajec ory evalua ion inference rules are implemen ed as core ac ics in ThmTac. Parameterization Tactics In an earlier paper [2], we presen ed an algori hm for compu ing he parametric representation of a Boolean predica e and described i s use in conjunc ion wi h case spli ing in a symbolic simula ion environmen . The parame ric represen a ion di ers from he more common charac eris icfunc ion represen a ion in ha i represen s a se of assignmen s o a vec or of Boolean variables as a vec or of fresh (parame ric) variables, where all assignmen s o he parame ric variables produce elemen s in he se . For example, a oneho 4 encoding of a wobi vec or has a parame ric represen a ion of 0 0 and a oneho hreebi vec or has a parame ric represen a ion of 0 0 1 0 1 . 4
A onehot encoding requires ha exac ly one bi of a kbi vec or is asser ed. For a wobi vec or, i is simply XOR.
Combined Model Checking and Theorem Proving
335
Figure 9 shows how he hree core ac ics (CaseSplit tac, ParamSTE tac, Eval tac) are used o in egra e he case spli s, he parame ric represen a ion, and rajec ory evalua ion.
1 P = STE ckt ant cons DO CaseSplit tac [P0 P1 P2 ] 1 1 (P0 OR P1 OR P2 ) = P DO Eval tac 1 2 P0 = STE ckt ant cons DO ParamSTE tac 1 2 1 STE ckt (param traj P0 ant ) (param traj P0 cons ) DO Eval tac 1 3 P1 = STE ckt ant cons DO ParamSTE tac 1 3 1 STE ckt (param traj P1 ant ) (param traj P1 cons ) DO Eval tac 1 4 P2 = STE ckt ant cons DO ParamSTE tac 1 4 1 STE ckt (param traj P2 ant ) (param traj P2 cons ) DO Eval tac
Fi . 9. Example use of case spli ing, parame ric, and evalua ion using core ac ics
For an nway case spli , CaseSplit tac genera es n + 1 subgoals (1.1 1.4). The rs subgoal (1.1) is a side condi ion o show ha he case spli s are su cien o prove he original goal. Finally, here is one subgoal for each case (1.2 1.4). By i self, his ac ic is similar o o her proof sys ems. However, wi h he availabili y of Eval tac, we can usually dispose of he rs subgoal au oma ically and e cien ly. ParamSTE tac is implemen ed via rewri ing as expec ed. There is also a userlevel ac ic ha combines hese hree ac ics oge her so ha he proof shown in Figure 9 can be carried ou in a single s ep. Eval tac has already been described, bu his is a good oppor uni y o menion an impor an aspec of i s use ha has a drama ic impac on he user’s view of he sys em. Almos all proofs and model checking runs fail when rs ried. When Eval tac fails, i genera es a coun er example ha he user can analyze. Because heorem proving, model checking, and debugging are conduc ed in he same environmen , he user’s infras ruc ure is available for all hree ac ivi ies. If he coun er example comes from a rajec ory evalua ion run, he user can debug he coun er example using he powerful debugging aids for rajec ory evalua ion available in Voss.
336
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
Tactics for Instantiatin Terms and BDD Variables One of he cri ical s eps in bridging he seman ic gap be ween heorem proving and model checking is o move from a world of erm quan i ers and variables o a world of BDD quan i ers and variables. For example, we could ransform: x P (x) o QuantForall "x" (P (variable "x")) where QuantForall is a func ion ha universally quan i es he BDD variable "x" in he BDD resul ing from evalua ing P (variable "x"). Consider he goal x P (x), where x is a erm variable of ype bool. Applying Eval tac will fail, because he func ion canno , in general, be evalua ed (e.g., consider quan i ca ion over in egers). Replacing a erm quan i er wi h a BDD quan i er and BDD variable is no as simple as i seems a rs glance, as here are performance and soundness issues. If ThmTac were o provide a new and unique name for he BDD variable, i would no be placed in an op imal loca ion in he allimpor an BDDvariable order de ned by he user. Addi ionally, increasing he number of BDD variables globally ac ive in he sys em slows down some BDD opera ions. Thus, for performance reasons, he user needs o provide he variable name. If he user provides a variable name ha is already used wi hin he proof, hen he proof will no be sound. Thus, for correc ness purposes, ThmTac has he burden of making sure ha he name provided by he user is ruly a fresh variable. The process of replacing erm quan i ers and variables wi h BDD quan iers and variables and hen evalua ing he goal is implemen ed by he ac ic BddInstEval tac. The user provides he name of fresh BDD variable (say "y"). The ac ic rs checks ha his variable has no ye been used in he proof. If he variable is fresh, BddInstEval tac replaces he erm quan i er x wi h he BDD quan i er QuantForall "y", ins an ia es x in P (x) wi h variable "y", and hen applies Eval tac.
5
Analysis of the Soundness of Our Approach
When designing ThmTac, our goal was o crea e a pro o ype veri ca ion sysem ha explored new mechanisms for combining model checking and heorem proving. We ried o s rike a balance be ween soundness and produc ivi y bo h in sys em building and veri ca ion. Wi h respec o soundness, we focused our e or s on preven ing users from inadver en ly proving false s a emen s, bu did no exer undue e or in pro ec ing agains adversarial users someone who in ends o prove a false s a emen . In analyzing he soundness of our design, we s ar ed from wo fac s. Firs , he yped lambda calculus is a sound logic. Second, a s rongly yped, pure funcional programming language is very similar o he yped lambda calculus wi h he inclusion of nonprimi ive recursion. From his, we focussed on wo quesions. Firs , how do we deal wi h recursion in ThmTac? Second, wha addi ional fea ures does fl include and how do hey a ec soundness?
Combined Model Checking and Theorem Proving
5.1
337
Recursion
To deal wi h recursion in a ruly sound manner, we would need o ensure ha he compu a ion of every value in fl ermina es. The de ni ion letrec x = NOT x; can be used o prove false wi hou much di cul y. Tools such as Slind’s TFL [27] could be used o prove ermina ion of fl func ions wi h reasonable e or . Even wi hou such formal suppor , non ermina ion does no pose a signi can problem for us. Firs , because we ex ensively es speci ca ions by evalua ing hem in fl before a emp ing o reason abou hem, ermina ion problems are caugh before hey lead o soundness problems in heorem proving. Second, mos hardware speci ca ions we have used are no recursive. 5.2
Additional Lan ua e Features to Be Examined
Sec ion 4 discussed ins an ia ing erm quan i ers and variables wi h BDDs. We lis he opic here simply for comple eness. In fl, prior o lif edfl and ThmTac, es ing for he equali y of func ions re urned ei her rue or false. If he wo func ions did no have he same graph s ruc ure, hen false was re urned. This behavior crea ed a po en ial way o prove false. For example, he evalua ion of: ( x y x + y) = ( x y y + x) would re urn false, while we could rewri e one side of he equali y using commua ivi y of addi ion and prove ha he same s a emen was rue. We deal wi h his problem by changing he implemen a ion of fl so ha if i canno de ermine for cer ain ha wo func ions are he same, i raises an excep ion ra her han re urn false. There are hree fea ures of fl ha pose heore ical, bu no prac ical, soundness problems: excep ions, ca ching excep ions, and references. As a prac ice, excep ions, ca ches, and references occur only in rela ively lowlevel code. This ype of code is evalua ed, or he behavior is axioma ized, bu he ex of he code is no reasoned abou . These fea ures are included in fl for implemen a ion of an e cien veri ca ion sys em. Our requiremen hen, is ha he code ha uses hese fea ures is axioma ized correc ly and implemen ed so ha he e ec s of he fea ures are no visible ou side of he code ha is he code appears func ional from he ou side. Coquand showed ha a consequence of Girard’s Paradox is ha MLs yle polymorphism is unsound [9]. The fl ype sys em does no suppor let polymorphism, which is he dis inguishing fea ure in MLs yle polymorphism ha makes i unsound.
6 6.1
Summary E ectiveness of Our Approach
In his sec ion we briefly revisi he veri ca ion e or s previously described [1, 2] and rela e hem o he use of lif edfl. The combina ion of ThmTac and rajec ory
338
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
evalua ion has been used successfully on a number of large circui s wi hin In el. Table 1 summarizes he number of la ches in he circui , he maximum number of BDD nodes encoun ered during he veri ca ion, he number of case spli s used, and he compu e ime for he model checking and heorem proving. All of he runs repor ed were performed on a 120MHz HP5 9000 wi h 786MB of physical memory. Table 1. Veri ca ion S a is ics. La ches BDD nodes IM 1100 4.2M Add/Sub Ck 1 3600 2.0M Add/Sub Ck 2 6900 1.5M Con rol Ck 7000 0.8M
Cases Veri ca ion ime 28 8 hr 333 15 hr 478 24 hr 126 16 hr
One of he rs large circui s we veri ed was he IM, an IA32 ins ruc ion leng h decoder [1]. We believe his veri ca ion o be one of he mos complex hardware veri ca ions comple ed o da e. We s ar ed wi h a very highlevel speci ca ion of correc ness ha described he desired behavior of he circui over an in ni e s ream of IA32 ins ruc ions. Using induc ion and rewri ing, we decomposed he oplevel correc ness s a emen in o a base case and an induc ive case. The base case was dispa ched wi h addi ional rewri ing and evalua ion. The induc ive case con ained a rajec ory formula ha ha was oo complex o be evalua ed in a single rajec ory evalua ion run. To solve his problem, we case spli on he in ernal s a e of he circui . Up o his poin , he proof had used conven ional heorem proving echniques. Two s eps remained o bridge he gap o model checking and nish he proof. We rs replaced he erm quan i ers and erm variables wi h BDD quan i ers and variables. We hen applied he parame ric ac ic o encode he case spli s in o he an eceden s and consequences of he rajec ory asser ions and comple ed he proof wi h a call o Eval tac for each case. We found he abili y o debug our proof scrip in he same environmen as we debugged our model checking runs o be of remendous bene . We veri ed wo IEEEcomplian , mul iprecision, floa ingpoin adder/subrac ers from In el processors [2] (Add/Sub Ck 1 and Add/Sub Ck 2 in Table 1). The ari hme ic por ion of our speci ca ion was based upon a ex book algori hm [11]. Speci ca ions for flags and special cases were based on IEEE S andard 754 [17] and proprie ary archi ec ural documen a ion. Again, he use of lif edfl was crucial. We were able o lift the speci cation itself and hen manipula e i inside ThmTac. Af er rewri ing, erm manipula ion, and parame ricbased inpu space decomposi ion, we derived he rajec ory evalua ion runs ha comple ed he veri ca ion. 5
All rademarks are proper y of heir respec ive owners.
Combined Model Checking and Theorem Proving
6.2
339
Retrospective Analysis
The rs e or s o connec rajec ory evalua ion and heorem proving began approxima ely eigh years ago. Many lessons were learned as various experimenal sys ems were designed, cons ruc ed, used, and analyzed in he in ervening ime. Three keys o success s and ou . Firs , clean and useful inference rules for model checking. Second, very igh in egra ion be ween heorem proving and model checking wi h full access o bo h ools. Third, he use of a generalpurpose speci ca ion language. Symbolic rajec ory evalua ion provides he rs of hese i ems. Lif ed fl allowed us o use he same language for bo h he objec and me a language of a proof sys em and model checker, which gave us he second and hird capabili ies.
Acknowled ments We are deeply indeb ed o Clark Barre , Tom Melham, and Donald Syme for heir insigh s and developmen work ha have con ribu ed grea ly o he work presen ed here. Addi ionally, John Harrison and ChingTsun Chou read a draf of he paper and provided helpful commen s.
References [1] M. D. Aagaard, R. B. Jones, and C.J. H. Seger. Combining heorem proving and rajec ory evalua ion in an indus rial environmen . In DAC, pages 538 541. ACM/IEEE, July 1998. [2] M. D. Aagaard, R. B. Jones, and C.J. H. Seger. Formal veri ca ion using parame ric represen a ions of Boolean cons rain s. In DAC, July 1999. [3] M. D. Aagaard and C.J. H. Seger. The formal veri ca ion of a pipelined doubleprecision IEEE floa ingpoin mul iplier. In ICCAD, pages 7 10. IEEE Comp. Soc. Press, Washing on D.C. Nov. 1995. [4] L. Augus son. A compiler for LazyML. In ACM Symposium on Lisp and Functional Pro rammin , pages 218 227, 1984. [5] D. E. Bea y, R. E. Bryan , and C.J. H. Seger. Synchronous circui veri ca ion  an illus ra ion. In Advanced Research in VLSI, Proceedin s of the Sixth MIT Conference, pages 98 112. MIT Press, 1990. [6] K. Bhargavan, C. A. Gun er, E. L. Gun er, M. Jackson, D. Obradovic, and P. Zave. The village elephone sys em: A case s udy in formal sof ware engineering. In M. Newey and J. Grundy, edi ors, Theorem Provin in Hi her Order Lo ics, pages 49 66. Springer Verlag; New York, Sep . 1998. [7] R. E. Bryan . Graphbased algori hms for boolean func ion manipula ion. IEEE Trans. on CAD, C35(8):677 691, Aug. 1986. [8] E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abs rac ion. ACM Trans. on Pro . Lan . and Systems, 16(5):1512 1542, Sep . 1994. [9] T. Coquand. An analysis of Girard’s paradox. In LICS, pages 227 236. IEEE Comp. Soc. Press, Washing on D.C. June 1986. [10] P. Curzon, S. Tahar, and O. A. Mohamed. Veri ca ion of he MDG componen s library in HOL. Technical Repor 9808, Aus ralian Na ’l Univ., Comp. Sci., 1998. pages 31 46 In Supplemen ary Proceedings of TPHOLS98.
340
Mark D. Aagaard, Rober B. Jones, and CarlJohan H. Seger
[11] J. M. Feldman and C. T. Re er. Computer Architecture. McGrawHill, 1994. [12] A. Field and P. Harrison. Functional Pro rammin . Addison Wesley, 1988. [13] M. J. C. Gordon and T. F. Melham, edi ors. Introduction to HOL: a theorem provin environment for hi her order lo ic. Cambridge Universi y Press, New York, 1993. [14] E. L. Gun er. Adding ex ernal decision procedures o HOL90 securely. In M. Newey and J. Grundy, edi ors, Theorem Provin in Hi her Order Lo ics, pages 143 152. Springer Verlag; New York, Sep . 1998. [15] S. Hazelhurs and C.J. H. Seger. A simple heorem prover based on symbolic rajec ory evalua ion and BDDs. IEEE Trans. on CAD, Apr. 1995. [16] S. Hazelhurs and C.J. H. Seger. Symbolic rajec ory evalua ion. In T. Kropf, edi or, Formal Hardware Veri cation, chap er 1, pages 3 78. Springer Verlag; New York, 1997. [17] IEEE. IEEE Standard for binary floatin point arithmetic. ANSI/IEEE S d 7541985, 1985. [18] N. C. Ip and D. L. Dill. Be er veri ca ion hrough symme ry. Formal Methods in System Desi n, 9(1/2):41 75, Aug. 1996. [19] J. Joyce and C.J. Seger. Linking BDD based symbolic evalua ion o in erac ive heorem proving. In DAC, June 1993. [20] M. Kaufmann and J. Moore. An indus rial s reng h heorem prover for a logic based on Common Lisp. IEEE Trans. on Soft. En ., 1997. [21] K. McMillan. Minimalis proof assis an s: In erac ions of echnology and me hodology in formal sys em level veri ca ion. In G. C. Gopalakrishnan and P. J. Windley, edi ors, Formal Methods in CAD, page 1. Springer Verlag; New York, Nov. 1998. [22] J. O’Leary, X. Zhao, R. Ger h, and C.J. H. Seger. Formally verifying IEEE compliance of floa ingpoin hardware. Intel Tech. Jour., Firs Quar er 1999. Online a h p://developer.in el.com/ echnology/i j/. [23] L. Paulson. ML for the Workin Pro rammer,. Cambridge Universi y Press, 1996. [24] S. Rajan, N. Shankar, and M. Srivas. An in egra ion of model checking au oma ed proof checking. In CAV. Springer Verlag; New York, 1996. [25] J. Sawada and W. A. J. Hun . Processor veri ca ion wi h precise exep ions and specula ive execu ion. In A. Hu and M. Vardi, edi ors, CAV, number 1427 in LNCS, pages 135 146. Springer Verlag; New York, June 1998. [26] C.J. H. Seger and R. E. Bryan . Formal veri ca ion by symbolic evalua ion of par iallyordered rajec ories. Formal Methods in System Desi n, 6(2):147 189, Mar. 1995. [27] K. Slind. Deriva ion and use of induc ion schemes in higherorder logic. In E. L. Gun er and A. Fel y, edi ors, Theorem Provin in Hi her Order Lo ics, pages 275 291. Springer Verlag; New York, Aug. 1997.
Symbolic Functional Evaluation Nancy A. Day1 and Je rey J. Joyce2 1
2
Ore on Graduate Institute, Portland, OR, USA nday@cse.o i.edu Intrepid Critical Software Inc., Vancouver, BC, Canada joyce@intrepidcs.com
Abs rac . Symbolic functional evaluation (SFE) is the extension of an al orithm for executin functional pro rams to evaluate expressions in hi herorder lo ic. SFE carries out the lo ical transformations of expandin de nitions, betareduction, and simpli cation of builtin constants in the presence of quanti ers and uninterpreted constants. We illustrate the use of symbolic functional evaluation as a universal translator for linkin notations embedded in hi herorder lo ic directly with automated analysis without usin a theorem prover. SFE includes eneral criteria for when to stop evaluation of ar uments to uninterpreted functions based on the type of analysis to be performed. SFE allows both a novice user and a theoremprovin expert to work on exactly the same speci cation. SFE could also be implemented in a theorem prover such as HOL as a powerful evaluation tactic for lar e expressions.
1
Introduction
Symbolic functional evaluation (SFE) is the extension of an algorithm for executing functional programs to evaluate expressions in higherorder logic. We use SFE to bridge the gap between highlevel, expressive requirements notations and automated analysis by directly evaluating the semantics of a notation in higherorder logic. SFE produces the meaning of a speci cation in a form that can be subjected to behavioural analysis. In our approach, writing the semantics of a notation is the only step necessary to have access to a range of automated analysis procedures for speci cations written in that notation. Bridging this gap allows a novice user to perform some types of analysis even if all queries of the speci cation cannot be checked automatically. SFE carries out the logical transformations of expanding de nitions, betareduction, and simpli cation of builtin constants in the presence of uninterpreted constants and quanti ers. While these logical transformations can be performed by rewriting in a theorem prover, they do not require the full generality of rewriting. To use an algorithm for evaluating functional programs, two special considerations are needed. First, we handle uninterpreted constants. Special treatment of uninterpreted constants allows us to carry out substitution, a core part of the evaluation algorithm, more e ciently. Quanti ers, such as forall , are treated for the most part as uninterpreted constants. Second, Y. Bertot et al. (Eds.): TPHOLs’99, LNCS 1690, pp. 341 358, 1999. c Sprin erVerla Berlin Heidelber 1999
342
Nancy A. Day and Je rey J. Joyce
we have de ned several distinct and intuitive levels of evaluation that serve as stopping points for the SFE algorithm when considering how much to evaluate the arguments of uninterpreted functions. The choice of level provides the user with a degree of control over how much evaluation should be done and can be keyed to the type of automated analysis to be performed. The following simple example illustrates the idea of symbolic functional evaluation. We use a syntactic variant of the HOL [17] formulation of higherorder logic called S [27].1 In S, the assignment symbol := is used to indicate that the function on the lefthand side is being de ned in terms of the expression on the righthand side. The function exp calculates xy : exp x y := if (y = 0) then 1 else (x * exp x (y  1)); If we use SFE to evaluate this function with the value of x being 2 and the value of y being 3, the result is 8. In order to test the behaviour of exp for more possible inputs, we make the input x symbolic. The constant a is an uninterpreted constant. Evaluating exp a 3, SFE produces: a * (a * (a * 1)) If both of the inputs to exp are uninterpreted constants, say a, and b, then the evaluation will never terminate. SFE can tell the evaluation may not terminate as soon as exp is expanded the rst time because the argument to the conditional is symbolic, i.e., it cannot determine whether b is equal to zero or not. At this point SFE can terminate evaluation with the result: if (b = 0) then 1 else (a * exp a (b  1)) The conditional ifthenelse is de ned using pattern matching. This stopping point is the point at which it cannot determine which case of the de nition of if to use. The conditional applied to this argument is treated as an uninterpreted function, i.e., as if we do not know its de nition. We could continue to evaluate the arguments ((b=0), 1, and (a * exp a (b  1))) further. In this case, continuing to evaluate the arguments inde nitely would result in nontermination. The levels of evaluation of SFE describe when to stop evaluating the arguments of uninterpreted functions. The levels of evaluation are general criteria that are applied across all parts of an expression. Currently, within a theorem prover, evaluating an expression may require varying amounts of interaction by the user to choose the appropriate sequence of rewriting steps to obtain the desired expansion of the expression. With SFE, we make this expansion systematic using levels of evaluation. Thus, while being less general than rewriting, SFE provides precise control for the user to guide its specialised task. SFE also does not require the uni cation step needed for rewriting. There are a variety of applications for symbolic functional evaluation. For example, Boyer and Moore [7] used a more restricted form of symbolic evaluation 1
A brief explanation of the syntax of S can be found in the appendix.
Symbolic Functional Evaluation
343
as a step towards proving theorems in a rstorder theory of lists for program veri cation. In this paper, we show how SFE allows us to bridge the gap between highlevel, expressive requirements notations and automated analysis. The input notations of many specialised analysis tools lack expressibility such as the ability to use uninterpreted types and constants, and parameterisation. One of the bene ts of our approach is that it allows speci ers to use these features of higherorder logic in speci cations written in notations such as statecharts [21], but still have the bene ts of some automated analysis. Therefore, both a novice user and a theoremproving expert can work on exactly the same speci cation using di erent tools. Section 8 provides an example of how general proof results can help the novice user in their analysis of a speci cation. We bridge the gap between highlevel notations and automated analysis by using SFE as the frontend to more specialised analysis tools. SFE directly evaluates the semantics of a notation in higherorder logic. It produces a representation of the meaning of the speci cation that can be subjected to behavioural analysis using automated techniques. Our framework is illustrated in Figure 1. SFE plays the role of a universal translator from textual representations of notations into expressions of the meaning of the speci cation. Because the evaluation process need not always go as far as producing a completely evaluated expression to be su cient for automated analysis, modes of SFE produce expressions at di erent levels of evaluation. Di erent abstractions are then applied for carrying out di erent kinds of automated analysis. For example, to use BDDbased analysis [8], we can stop evaluation once an uninterpreted function is found at the tip of an expression and then abstract to propositional logic. To use iflifting, a particular type of rewriting, it is necessary to evaluate partly the arguments of an uninterpreted function. By directly evaluating the formal semantic functions, our approach is more rigorous than a translator that has not been veri ed to match the semantics of the notation. Our framework is also more flexible than working in a current theorem proving environment. For example, we are able to return results in terms of the original speci cation and provide access to the user to control parameters such as BDD variable ordering. Another application for symbolic functional evaluation is the symbolic simulation step used in many microprocessor veri cation techniques. Cohn [11], Joyce [26], and Windley [40] all used unfolding of de nitions to execute opcodes in theorem provingbased veri cation e orts. More recently, Greve used symbolic simulation to test microcode [20]. The pipeline flushing approach of Burch and Dill begins with a symbolic simulation step [9]. Symbolic functional evaluation could be used inside or outside of a theorem prover to carry out this step for typed higherorder logic speci cations. Inside a theorem prover, it could be used as a superduper tactic [1]. The use of higherorder logic to create a formal speci cation can easily involve building up a hierarchy of several hundred declarations and de nitions, including semantic functions for notations. SFE has been an e ective tool in the analysis of
344
Nancy A. Day and Je rey J. Joyce Specification
Semantics for a notation
Symbolic Functional Evaluation expanded meaning
Abstraction to propositional logic
Abstraction
...
abstracted meaning CTL Model Checking
Completeness & Consistency Checking
...
Analysis Procedure
Fi . 1. Our framework
some large speci cations. We have used our approach to analyse an aeronautical telecommunications network (ATN) written in a statechartsvariant embedded in higherorder logic. The speci cation consisted of approximately 3100 lines of text. The SFE step for the ATN took 111 seconds on an UltraSparc 60 (300 MHz) with 1 GB RAM running SunOS 5.6 . We present our algorithm in terms of expressions in the lambda calculus (applications, abstractions, variables). This presentation provides a simple interface for integrating our implementation of SFE with other tools, as well as giving enough details to implement SFE. SFE makes it possible to have a generalpurpose speci cation notation as a frontend for many specialised analysis tools.
2
Related Work
Translation into the input notation of an existing analysis tool is a common approach to bridge the gap between specialised notations and analysis tools (e.g., [4,5,41]). There are three disadvantages to the translation approach. First, unless the translator has been veri ed, there is no assurance that the translator correctly implements the semantics of the notation. For notations such as statecharts, establishing the correctness of the translation is very di cult. Second, results are presented to the speci er in the terms of the translated speci cation, not the original speci cation. These results can be di cult to decipher. Third, translation often must include an abstraction step because the destination notation is unable to represent non nite or uninterpreted constants. The translator then matches only a particular type of analysis. Owre, Rushby, and Shankar have already demonstrated that the approach of embedding a notation in a generalpurpose base formalism, such as the PVS
Symbolic Functional Evaluation
345
form of higherorder logic, makes a range of analysis techniques accessible to a speci cation [31]. We show that this approach does not require theorem proving support. Besides being di cult to learn for a novice user, theorem provers are veri cationbased tools and often use decision procedures only for yes/no answers. They usually lack the ability to access counterexamples in terms of the original speci cation and do not allow the user to control the analysis with information such as BDD variable orderings. Our approach is more flexible because it operates independently of the analysis technique, and thus is unencumbered by the e ort of dealing with layers of proof management often necessary to integrate decision procedures into theorem provers. This di culty is noted in the work on integrating the Stanford Validity Checker (SVC) [25] with PVS [32]. It is possible to embed a notation in a functional programming language such as Haskell [33]. This approach has been used for creating domainspeci c notations such as the hardware description language Hawk [29]. Symbolic data types can be used to represent uninterpreted constants but this approach requires explicitly describing a symbolic term structure [16]. Also, a programming language lacks a means of representing uninterpreted types and quanti cation. There have been e orts to translate higherorder logic speci cations into programming languages for execution [2,10,35]. These approaches have been limited to subsets of higherorder logic, often not including uninterpreted constants. Boyer and Moore [7] used evaluation as a step in proving theorems in a rstorder theory of lists for program veri cation. Their EVAL function is similar to SFE in that it deals with skolem constants. However, SFE also handles uninterpreted function symbols, which raises the question of how much to evaluate the arguments to these symbols. We provide a uniform treatment of this issue using levels of evaluation. These levels work for both uninterpreted functions, and functions such as the conditional de ned via pattern matching. If the argument cannot be matched to a pattern, these functions are also treated as uninterpreted. SFE carries out lazy evaluation, whereas EVAL is strict. Symbolic functional evaluation resembles online partial evaluation. The goal of partial evaluation is to produce a more e cient specialised program by carrying out some expansion of de nitions based on static inputs [12]. With SFE, our goal is to expand a symbolic expression of interest for veri cation (i.e., all function calls are inlined). For this application, all inputs are symbolic and therefore divergence of recursive functions in evaluation often occurs. Our levels of evaluation handle the problem of divergence. We have special treatment of uninterpreted constants in substitution because these are free variables. SFE also handles quanti ers and constants of uninterpreted types.
3
Embeddin Notations
Gordon pioneered the technique of embedding notations in higherorder logic in order to study the notations [19]. Subsequent examples include a subset of the programming language SML [39], the process calculus valuepassing CCS [30], and the VHDL hardware description language [38]. In previous work [13], we pre
346
Nancy A. Day and Je rey J. Joyce
sented a semantics for statecharts in higherorder logic. We use an improved version of these semantics for analysing speci cations written in statecharts in our framework. For modeloriented notations, such as statecharts, the embedding of the notation suitable for many types of automated analysis is an operational semantics that creates a next state relation. Symbolic functional evaluation works with both shallow and deep embeddings of notations [6].
4
A Simple Example
For illustration, we choose an example that is written in a simple decision table notation used previously in the context of carrying out completeness and consistency analysis [15]. Table 1 is a decision table describing the vertical separation required between two aircraft in the North Atlantic region. This table is derived from a document that has been used to implement air tra c control software. These tables are similar to AND/OR tables [28] in that each column represents a conjunction of expressions. If the conjunction is true, then the function VerticalSeparationRequired returns the value in the last row of the column. Expressions in columns are formed by substituting the row label into the underscore (later represented as a lambda abstraction). In this speci cation, the functions Fli htLevel, and IsSupersonic are uninterpreted and act on elements of the uninterpreted type fli ht. They are declared as: : fli ht;
/* declaration of an uninterpreted type */
Fli htLevel : fli ht > num; IsSupersonic : fli ht > bool;
/* declaration of uninterpreted */ /* constants */
We are interested in analysing this table for all instantiations of these functions. For example, we want to know if the table is consistent, i.e., does it indicate di erent amounts of separation for the same conditions? Specialised tools for carrying out completeness and consistency checking are based on notations that lack the ability to express uninterpreted constants and types (e.g., [22,23]). We use SFE as a universal translator to determine the meaning of a speci cation in this decision table notation. Using abstraction mechanisms, we can then convert the meaning of the table into a nite state form, suitable for input to automated analysis tools. Table 1. Vertical separation
Fli htLevel A _ < = 280 . _ > 450 Fli htLevel B . _ < = 280 _ > 450 IsSupersonic A . . _ = T IsSupersonic B . . . VerticalSeparationRequired(A,B) 1000 1000 4000
Default _ > 450 _ > 450 . _ = T 4000 2000
Symbolic Functional Evaluation
347
We represent tabular speci cations in higherorder logic in a manner that allows us to capture the rowbycolumn structure of the tabular speci cation. The translation from a graphical representation into a textual representation does not involve interpreting the semantic content of the speci cation. Table 1 is represented in higherorder logic as: VerticalSeparationRequired (A,B) := Table [Row (Fli htLevel A) [(\x.x450); (\x.x>450)]; Row (Fli htLevel B) [Dc; (\x.x450); (\x.x>450)]; Row (IsSupersonic A) [Dc; Dc; True; Dc]; Row (IsSupersonic B) [Dc; Dc; Dc; True] ] [1000; 1000; 4000; 4000; 2000];
Dc is don’t care replacing the . in the table. The notation \x. is a lambda abstraction. The syntax [ ... ; ... ] describes a list. In previous work, we gave a shallow embedding of this decision table notation in higherorder logic by providing de nitions for the keywords of the notation such as Row and Table. We provide these de nitions in the appendix. The result of using SFE to evaluate the semantic de nitions for the expression VerticalSeparationRequired(A, B) is: if (Fli htLevel A 450) and (IsSupersonic A) then 4000 else if (Fli htLevel A > 450) and (Fli htLevel B > 450) and (IsSupersonic B) then 4000 else 2000
The result of SFE is an expanded version of the meaning of the speci cation that can be subjected to behavioural analysis techniques. This result is semantically equivalent to the original speci cation. It is the same as would be produced by unfolding de nitions and betareduction in a theorem prover, but we accomplish this without theorem proving infrastructure. An abstracted version of the speci cation is usually needed for nite state automated analysis techniques. For completeness and consistency analysis, one suitable abstraction is to use a Boolean variable to represent each subexpression that does not contain logical connectives. For example, Fli htLevel B fli ht > bool; Routes1 := {(USA,BDA);(CAN,BDA);(IberianPeninsula, Azores); (Iceland,Scandinavia);(Iceland, UnitedKin dom)}; 2
The Gmachine [24], another implementation of raph reduction for evaluatin functional pro rams, is not applicable here because of the free variables. It is necessary to avoid variable capture when doin substitutions of ar uments that may contain free variables.
Symbolic Functional Evaluation
349
when completely evaluated becomes: IsOnRoute {(USA,BDA);(CAN,BDA);(IberianPeninsula, Azores); (Iceland,Scandinavia);(Iceland, UnitedKin dom)} A
If subjected to abstraction to propositional logic, this whole expression is treated as one Boolean variable expanding the de nition of Routes1 adds information that is lost in the abstraction process when replaced by a single variable. Therefore evaluation to the point of distinction only evaluates an expression to the point where the tip of the expression is an uninterpreted constant or data constructor. Evaluated for Rewritin (RW EVAL) To carry out iflifting , evaluation to the point of rewriting is needed. Iflifting is a method of rewriting expressions involving the conditional operator ifthenelse to further reduce the expression. For example, if the value returned by the conditional expression is Boolean, then the following equality holds and can be used to eliminate the if function: if a then b else c ≡ (a and b) or (not(a) and c)
(1)
Jones et al. [25] describe iflifting of expressions as a heuristic for their validity checking algorithm. They present two rules:3 ((if a then b else c) = (if a then d else e)) if a then (b = d) else (c = e) ((if a then b else c) = d)
≡
≡
if a then (b = d) else (c = d)
We generalise these rules slightly to lift an argument with a conditional outside any uninterpreted function (not just equality). Eventually the expression may reach the point where equation (1) can be applied. Transforming an expression by iflifting and then carrying out abstraction to propositional logic makes the abstraction less conservative. Iflifting can optionally be carried out during symbolic functional evaluation. Evaluation to the point of rewriting evaluates each argument of an uninterpreted function to the point of distinction. This exposes conditional operators at the tip of the arguments so that iflifting can be carried out. The if operator is used in the semantics of the decision table notation described in the simple example. Therefore, evaluation to the point of rewriting is often chosen for analysing decision tables. Completely Evaluated (SYM EVAL) Complete evaluation means all possible evaluation is carried out. The expression may still contain uninterpreted constants as well as some builtin constants of higherorder logic such as conjunction. Complete evaluation can be very helpful in checking the correctness of the semantics. It may also produce more succinct output than either of the other two levels, however, complete evaluation may not terminate. 3
We use ifthenelse rather than ite .
350
5.2
Nancy A. Day and Je rey J. Joyce
Al orithm
SFE evaluates expressions in higherorder logic to the point where the expression is at a particular level of evaluation. The user chooses the mode for SFE usually based on the least amount of evaluation that is needed for the type of analysis to be carried out. Although higherorder logic notation may be enhanced with various constructs, fundamentally it consists of just four kinds of expressions: 1) applications, 2) abstractions, 3) variables, and 4) constants. We subdivide the category of constants into: 4a) uninterpreted constants (including quanti ers), 4b) de ned constants, 4c) data constructors, and 4d) builtin constants. Evaluation involves de nition expansion, betareduction, and evaluation of builtin operations. Our algorithm carries out normal order reduction, which means arguments to functions are not evaluated until they are used. Evaluation is carried out in place. Figure 3 gives the toplevel algorithm in Clike pseudo code. It is called initially with an expression, an empty argument list, and the desired level of evaluation of the expression. In spine unwinding, the arguments to an application are placed on an expression list until the tip of the application is reached. Compared to Peyton Jones’ algorithm, we include extra checks at the beginning to stop evaluation if we have reached the correct level of evaluation. Some subexpressions may already have had some evaluation carried out on them because common subexpressions are represented only once. In this we di er from many interpreters and compilers for functional languages. Evaluation results are also cached. We also include cases for variables and uninterpreted constants (a sub case of constants). In the cases for variables, uninterpreted constants, and early stopping points in evaluation, we have to recombine an expression with its arguments. Depending on the desired level of evaluation, Recombine may carry out more evaluation on the arguments of an uninterpreted function. For example, for evaluated for rewriting, the arguments are evaluated to the point of distinction. The possible values for the mode parameter are elements of the ordered list SYM EVAL, RW EVAL, and PD EVAL. All expressions begin with the level NOT EVAL. An expression’s evaluation tag is stored with the expression and is accessed using the function EvalLevel. If the expression is an abstraction, the arguments are substituted for the parameters in the body of the lambda abstraction avoiding variable capture, and the resulting expression is evaluated. While uninterpreted constants are variables in the lambda calculus, we optimise substitution by treating them di erently from other variables. By adding a flag to every expression to indicate if it has any variables that are not uninterpreted constants, we avoid walking over subexpressions that include uninterpreted constants but no parameter variables. If the expression is an application, spine unwinding is carried out. After evaluation, the original expression is replaced with the evaluated expression, using the function ReplaceExpr. A pointer to the expression is used. The evaluation of constant expressions (EvalConstant) is decomposed into cases. If the constant is a constructor or an uninterpreted constant, it is recom
Symbolic Functional Evaluation
351
expr EvalExpression(expr *exp, expr_list ar list, level mode) if (ar list==NULL) and (EvalLevel(exp) >= mode) then return exp else if (EvalLevel(exp) >= mode) and (mode == PD_EVAL) return Recombine(exp,ar list,NOT_EVAL)
then
switch (formof(exp)) case VARIABLE (v) : if (ar list!=NULL) then return Recombine(exp, ar list, mode) else return exp case ABSTRACTION (parem exp): (leftover_ar s,newexp) = Substitute(exp, parem, ar list) return EvalExpression(newexp,leftover_ar s,mode) case APPLICATION (f a) : newar list = add a to be innin of ar list newexp = EvalExpression(f, newar list,mode) if (ar list==NULL) then ReplaceExpr(exp, newexp) return newexp case CONSTANT(c) : return EvalConstant(exp, ar list, mode)
Fi . 3. Toplevel algorithm for symbolic functional evaluation
bined with its arguments, which are evaluated to the desired level of evaluation. If the constant is a builtin function, the particular algorithm for the builtin constant is executed. If the expression is a constant de ned by a nonpattern matching de nition, it is treated as an abstraction. For a constant de ned by a pattern matching de nition, its rst argument must be evaluated to the point of distinction and then compared with the constructors determining the possible branches of the de nition. If a match is not found, the expression is recombined with its arguments as if it is an uninterpreted constant. Some builtin constants have special signi cance. Conjunction, disjunction and negation are never stopping points for evaluation when they are at the tip of an expression because they are understood in all analysis procedures that we have implemented (completeness, consistency, and symmetry checking, model checking, and simulation). Our implementation of SFE can be easily extended with options to recognise particular uninterpreted constants (such as addition) and apply di erent rules for the level of evaluation of the constant’s arguments and do some simpli cation of expressions. For example, SFE simpli es 1 + a + 1 to 2 + a, where a is an uninterpreted constant. Experiments using SFE as the rst step to automated analysis revealed the value of presenting the user with the unevaluated form of expressions to interpret the results of the analysis. Evaluation in place implies the original expression is no longer available. However, by attaching an extra pointer eld allowing the
352
Nancy A. Day and Je rey J. Joyce
node to serve as a placeholder, the subexpressions of the old expression remain present. An option of SFE keeps the unevaluated versions of expressions. No special provisions have been taken to check for nontermination of the evaluation process.
6
Quanti ers
Writing speci cations in higherorder logic makes it possible to use quanti ers, which rarely appear in input notations for automated analysis tools. In this section, we describe two ways to deal with quanti ers that make information bound within a quanti er more accessible so that less information is lost in abstraction. These logical transformations can be optionally carried out during SFE. First, we handle quanti ers over enumerated types. A simple enumerated type is one where the constructors do not take any arguments. If the variable of quanti cation is of a simple enumerated type, then the quanti er is eliminated by applying the inner expression to all possible values of the type. For example, using the de nitions, : chocolate := Cadburys  Hersheys  Ro ers ; /* type definition */ tastesGood : chocolate > bool;
the expression forall (x:chocolate). tastesGood (x)
is evaluated to: tastesGood (Cadburys) and tastesGood (Hersheys) and tastesGood (Ro ers)
Second, specialisation (or universal instantiation) is a derived inference rule in HOL. Given a term 0 and a term for ll x used in a negative position in the term (such as in the antecedent of an implication), the quanti ed term can be replaced by [ 0 x], where 0 replaces free occurrences of x in . Our implementation has a specialisation option that carries out universal instantiation for any uninterpreted constants of the type of the quanti ed variable when universal quanti cation is encountered in a negative position in evaluation.
7
Abstraction
Symbolic functional evaluation produces an expression describing the meaning of a speci cation. After the SFE step, some form of abstraction is usually necessary for automated analysis. The abstraction depends on the type of analysis to be performed. We implemented an abstraction to propositional logic technique and represent the abstracted speci cation as a BDD. Together with SFE, this abstraction mechanism allows us to carry out completeness, consistency, and symmetry checking, model checking, and simulation analysis of speci cations written in highlevel notations.
Symbolic Functional Evaluation
353
When abstracting to propositional logic, subexpressions that do not contain Boolean operations at their tip are converted to fresh Boolean variables. For example, the statement, (Fli htLevel A > 450) and (Fli htLevel B > 450) and (IsSupersonic A)
can be abstracted to, x and y and z
with the Boolean variables x, y, and z being substituted for the terms in the original expression, e.g., x for (Fli htLevel A > 450). This is a conservative abstraction, meaning the abstracted version will have more behaviours than the original speci cation. In this process, quanti ers are treated as any other uninterpreted constant. To present the output of analysis to the user, the abstraction process is reversed, allowing counterexamples to appear in terms of the input speci cation. Along with reversing the abstraction process, the ability to keep the unevaluated versions of expressions during SFE means expressions can be output in their most abstract form. Keeping the unevaluated version of expressions also makes it possible to recognise structures in the speci cation that can help in choosing an abstraction. For example, the decision table form highlights range partitions for numeric values such as the flight level. In Day, Joyce, and Pelletier [15], we used this structure to create a nite partition of numeric values to produce more accurate analysis output. Because BDD variable order is critical to the size of the BDD representation of the abstracted speci cation, we provide a way for the user to control directly this order. The user runs a procedure to determine expressions associated with Boolean variables in abstraction. They can then rearrange this list and provide a new variable order as input. We use a separate tool (Voss [37]) to determine suitable variable orders for our examples. Other abstraction techniques could certainly be used. For example, we are considering what abstraction would be necessary to link the result of SFE with the decision procedure of the Stanford Validity Checker [25]. SVC handles quanti erfree, rstorder logic with uninterpreted constants.
8
Analysin the Semantics of Notations
One of the bene ts of our approach is that it allows speci ers to write in higherorder logic but still have the bene ts of some automated analysis. Therefore, both a novice user and a theoremproving expert can work on exactly the same speci cation using di erent tools. The theoremproving expert might prove that certain manipulations that the novice user can do manually are valid with respect to the semantics of the notation. In this section, we give an example of such a manipulation. We have used our approach to analyse an aeronautical telecommunications network (ATN) written in a statechartsvariant and higherorder logic [3]. The
354
Nancy A. Day and Je rey J. Joyce
ATN consists of approximately 680 transitions and 38 basic statechart states, and after abstraction is represented by 395 Boolean variables. The statechart semantics produce a next state relation. In these semantics, Boolean flags representing whether each transition is taken or not are existentially quanti ed at the top level. Turning the next state relation into a BDD required building the inner BDD and then doing this quanti cation. We discovered that the inner BDD was too big to build. Therefore we sought to move in the quanti cation as much as possible to reduce the intermediate sizes of the BDDs. The system was divided into seven concurrent components. We wanted to view the next state relation as the conjunction of the next state relations for each of the concurrent components by pushing the quanti cation of the transition flags into the component level. Gordon’s work on combining theorem proving with BDDs addresses the same problem of reducing the scope of quanti ers to make smaller intermediate BDDs by using rewriting in HOL [18]. We hypothesise the following property of statecharts that could be checked in a theorem prover such as HOL: if the root state is an ANDstate and each component state has the properties: no transition within a component is triggered in whole or in part by the event of entering or exiting a state that is not within the component the sets of names modi ed by actions for each component are disjoint then: Sc s
1
s ep
s n ]) s ep ≡ Sc (AndState [s 1 ;s 2 ; and Sc s 2 s ep and and Sc s
n
s ep
where Sc is the semantic function producing a next con guration relation, s x is a component state, and s ep is a pair of con gurations. (We use the term con guration to describe a mapping of names to values that is often called a state .) We have sketched a proof of this property but have not yet mechanised this proof. This property was used with success to allow our tool to build the next state relation for the system and then carry out model checking analysis.
9
Conclusion
This paper has presented symbolic functional evaluation, an algorithm that carries out de nition expansion and betareduction for expressions in higherorder logic that include uninterpreted constants. We have described the application of SFE to the problem of linking requirements notations with automated analysis. SFE acts as a universal translator that takes semantics of notations and a speci cation as input and produces the meaning of the speci cation. To connect a new notation with automated analysis, it is only necessary to write its semantics in higherorder logic. To use a new analysis procedure with existing notations, it is only necessary to provide the appropriate abstraction step from higherorder logic. By linking higherorder logic directly with automated analysis procedures,
Symbolic Functional Evaluation
355
some queries can be checked of the speci cation, even if all types of queries cannot be processed automatically. Our approach is more rigorous than a custom translator, and more flexible than working in a current theoremproving environment. For example, we are able to return results in terms of the original speci cation and provide access to the user to control parameters such as BDD variable ordering. Our algorithm for symbolic functional evaluation extends a spine unwinding algorithm to handle free variables with special considerations for uninterpreted constants. Levels of evaluation provide a systematic description of stopping points in evaluation to tailor the process to particular forms of automated analysis. Compared to an implementation of rewriting, SFE need not search a database for appropriate rewrite rules in a uni cation step, nor follow branches that are not used in the end result. SFE could be implemented within a theorem prover as a tactic. Symbolic functional evaluation is applicable to any expression in higherorder logic. We plan to explore how SFE can be used standalone for symbolic simulation.
10
Acknowled ments
For helpful discussions and comments on this paper, we thank Byron Cook, Mark Jones, Dick Kieburtz, Je Lewis, and John Matthews of OGI, and the reviewers. The rst author is supported by Intel, NSF (EIA98005542), USAF Air Materiel Command (F1962896C0161), and the Natural Science and Engineering Research Council of Canada (NSERC). This paper is based on the rst author’s PhD research, which was supported by the BC Advanced Systems Institute, Raytheon Systems Canada, and MacDonald Dettwiller.
References 1. M. D. Aa aard, M. E. Leeser, and P. J. Windley. Towards a super duper hardware tactic. In J. J. Joyce and C.J. H. Se er, editors, HOL User’s Group Workshop. Sprin erVerla , Au ust 1993. 2. J. H. Andrews. Executin formal speci cations by translatin to hi her order lo ic pro rammin . In TPHOLs, volume 1275 of LNCS, pa es 17 32. Sprin er Verla , 1997. 3. J. H. Andrews, N. A. Day, and J. J. Joyce. Usin a formal description technique to model aspects of a lobal air tra c telecommunications network. In FORTE/PSTV’97, 1997. 4. J. M. Atlee and J. Gannon. Statebased model checkin of eventdriven system requirements. IEEE Trans. on Soft. En ., 19(1):24 40, January 1993. 5. R. Bharadwaj and C. Heitmeyer. Verifyin SCR requirements speci cations usin state space exploration. In Proceedin s of the First ACM SIGPLAN Workshop on Automatic Analysis of Software, 1997. 6. R. Boulton et al. Experience with embeddin hardware description lan ua es in HOL. In Theorem Provers in Circuit Desi n, pa es 129 156. NorthHolland, 1992.
356
Nancy A. Day and Je rey J. Joyce
7. R. S. Boyer and J. S. Moore. Provin theorems about LISP functions. Jour. of the ACM, 72(1):129 144, January 1975. 8. R. E. Bryant. Graphbased al orithms for Boolean function manipulation. IEEE Transactions on Computers, C35(8):677 691, Au ust 1986. 9. J. R. Burch and D. L. Dill. Automatic veri cation of pipelined microprocessor control. In CAV, volume 818 of LNCS, pa es 68 79. Sprin erVerla , 1994. 10. A. J. Camilleri. Simulation as an aid to veri cation usin the HOL theorem prover. Technical Report 150, University of Cambrid e Computer Laboratory, October 1988. 11. A. Cohn. The notion of proof in hardware veri cation. Journal of Automated Reasonin , 5(2):127 139, June 1989. 12. C. Consel and O. Danvy. Tutorial notes on partial evaluation. In POPL, pa es 493 501. ACM Press, 1993. 13. N. Day and J. Joyce. The semantics of statecharts in HOL. In HOL User’s Group Workshop, volume 78, pa es 338 351. Sprin erVerla , 1993. 14. N. A. Day. A Framework for MultiNotation, ModelOriented Requirements Analysis. PhD thesis, Department of Computer Science, University of British Columbia, 1998. 15. N. A. Day, J. J. Joyce, and G. Pelletier. Formalization and analysis of the separation minima for aircraft in the North Atlantic Re ion. In Fourth NASA Lan ley Formal Methods Workshop, pa es 35 49. NASA Conference Publication 3356, September 1997. 16. N. A. Day, J. R. Lewis, and B. Cook. Symbolic simulation of microprocessor models usin type classes in Haskell. To appear in CHARME’99 poster session. 17. M. Gordon and T. Melham, editors. Introduction to HOL. Cambrid e University Press, 1993. 18. M. J. C. Gordon. Combinin deductive theorem provin with symbolic state enumeration. Transparencies from a presentation, summer 1998. 19. M. J. C. Gordon. Mechanizin pro rammin lo ics in hi herorder lo ic. In Current Trends in Hardware Veri cation and Automated Theorem Provin , pa es 387 439. Sprin erVerla , 1988. 20. D. A. Greve. Symbolic simulation of the JEM1 microprocessor. In FMCAD, volume 1522 of LNCS, pa es 321 333. Sprin er, 1998. 21. D. Harel. Statecharts: A visual formalism for complex systems. Science of Computin , 8:231 274, 1987. 22. M. P. Heimdahl and N. G. Leveson. Completeness and consistency in hierarchical statebased requirements. IEEE Trans. on Soft. En ., 22(6):363 377, June 1996. 23. C. L. Heitmeyer, R. D. Je ords, and B. G. Labaw. Automated consistency checkin of requirements speci cations. ACM Transactions on Software En ineerin and Methodolo y, 5(3):231 261, July 1996. 24. T. Johnsson. E cient compilation of lazy evaluation. In Proceedin s of the ACM Conference on Compiler Construction, pa es 122 32, 1984. 25. R. B. Jones, D. L. Dill, and J. R. Burch. E cient validity checkin for processor veri cation. In ICCAD, 1995. 26. J. Joyce. MultiLevel Veri cation of Microprocessor Based Systems. PhD thesis, Cambrid e Comp. Lab, 1989. Technical Report 195. 27. J. Joyce, N. Day, and M. Donat. S: A machine readable speci cation notation based on hi her order lo ic. In International Workshop on the HOL Theorem Provin System and its Applications, pa es 285 299, 1994. 28. N. G. Leveson et al. Requirements speci cation for processcontrol systems. IEEE Transactions on Software En ineerin , 20(9):684 707, September 1994.
Symbolic Functional Evaluation
357
29. J. Matthews, B. Cook, and J. Launchbury. Microprocessor speci cation in Hawk. In International Conference on Computer Lan ua es, 1998. 30. M. Nesi. Valuepassin CCS in HOL. In Hi her Order Lo ic Theorem Provin and Its Applications, pa es 352 365. LNCS 780, Sprin erVerla , 1993. 31. S. Owre, J. Rushby, and N. Shankar. Analyzin tabular and statetransition requirements speci cations in PVS. Technical Report CSL9512, Computer Science Laboratory, SRI International, April 1996. 32. D. Y. Park, J. U. Skakkeb k, M. P. Heimdahl, B. J. Czerny, , and D. L. Dill. Checkin properties of safety critical speci cations usin e cient decision procedures. In FMSP’98, 1998. 33. J. Peterson and K. Hammond, editors. Report on the Pro rammin Lan ua e Haskell. Yale University, Department of Computer Science, RR1106, 1997. 34. S. L. Peyton Jones. The Implementation of Functional Pro rammin Lan ua es. International Series in Computer Science. Prentice Hall, 1987. 35. P. S. Rajan. Executin HOL speci cations: Towards an evaluation semantics for classical hi her order lo ic. In Hi her Order Lo ic Theorem Provin and its Applications, pa es 527 535. NorthHolland, 1993. 36. P. S. Rajan. Transformations on Data Flow Graphs. PhD thesis, University of British Columbia, 1995. 37. C.J. H. Se er. Voss  a formal hardware veri cation system: User’s uide. Technical Report 9345, Department of Computer Science, University of British Columbia, December 1993. 38. J. P. Van Tassel. A formalization of the VHDL simulation cycle. In Hi her Order Lo ic Theorem Provin and its Applications, pa es 359 374. NorthHolland, 1993. 39. M. VanInwe an and E. Gunter. HOLML. In Hi her Order Lo ic Theorem Provin and Its Applications, pa es 61 74. LNCS 780, Sprin erVerla , 1993. 40. P. J. Windley. The Formal Veri cation of Generic Interpreters. PhD thesis, University of California, Davis, 1990. 41. P. Zave and M. Jackson. Conjunction as composition. ACM Transactions on Software En ineerin and Methodolo y, 2(4):379 411, October 1993.
A
Semantics for the Decision Table Notation
This appendix appeared previously in Day, Joyce, and Pelletier [15]. The S notation is very similar to the syntax for the term language used in the HOL theorem prover. But unlike HOL, S does not involve a metalanguage as part of the speci cation format for declarations and de nitions. Instead, the syntax for declarations and de nitions is an extension of the syntax used for logical expressions. (In this respect, S more closely resembles Z and other similar formal speci cation notations.) For example, the symbol s := f is used in S for a de nition, e.g., TWO := 2, in contrast to an assertion, e.g., TWO = 2. Another di erence that will likely be noticed by readers familiar with HOL is the explicit type parameterisation of constant declarations and de nitions. Type parameters, if any, are given in a parenthesised list which pre xes the rest of the declaration or de nition. This is illustrated in the de nitions given below by the parameterisation of EveryAux by a single type parameter, ty. Many of the de nitions shown below are given recursively based on the recursive de nition (not shown here) of the polymorphic type list. These recursive
358
Nancy A. Day and Je rey J. Joyce
de nitions are given in a pattern matching style (similar to how recursive functions may be de ned in Standard ML) with one clause for the NIL constructor (i.e., the nonrecursive case) and another clause for the CONS constructor (i.e., the recursive case). Each clause in this style of S de nition is separated by a . The functions HD and TL are standard library functions for taking the head (i.e., the rst element) of a list and the tail (i.e., the rest) of a list respectively. Type expressions of the form, :ty1 > ty2, are used in the declaration of parameters that are functions from elements of type ty1 to elements of type ty2. Type expressions of the form :ty1 # ty2 describe tuples. Similarly, type expressions of the form, :(ty) list, indicate when a parameter is a list of elements of type ty. Lambda expressions are expressed in S notation as, \x.E (where E is an expression). The semantic de nitions for the tabular notation given in the S notation are shown below. (:ty) EveryAux (NIL) (p:ty>bool) := T  EveryAux (CONS e tl) p := (p e) and EveryAux tl p; (:ty) Every (p:ty>bool) l := EveryAux l p; (:ty) ExistsAux (NIL) (p:ty>bool) := F  ExistsAux (CONS e tl) p := (p e) or ExistsAux tl p; (:ty) Exists (p:ty>bool) l := ExistsAux l p; (:ty) UNKNOWN : ty; (:ty)DC := \(x:ty).T; TRUE := \x. x = T; FALSE := \x. x = F; (:ty1) RowAux (CONS (p:ty1>bool) tl) label := CONS (p label) (RowAux tl label)  RowAux (NIL) label := NIL; (:ty) Row label (plist:(A>bool)list) := RowAux plist label; Columns t := if ((HD t)=NIL) then NIL else CONS (Every (HD) t) (Columns (Map t (TL))); (:ty) TableSemAux (NIL) (retVals:(ty)list) := if (retVals=NIL) then UNKNOWN else (HD retVals)  TableSemAux (CONS col colList) retVals := if col then (HD retVals) else TableSemAux colList (TL retVals); (:ty) Table t (retVals:(ty)list) := TableSemAux (Columns t) retVals;
Author Index
Aagaard, Mark D. Ambler, Simon J.
Kamm¨ uller, Florian Kropf, Thomas 1
323 221
Berghofer, Stefan 19 Bolignano, Dominique
291
Capretta, Venanzio 131 Caprotti, Olga 109 Cohen, Arjeh M. 109 Coupet–Grimal, Solange 91 Crole, Roy L. 221 Curzon, Paul 293 Day, Nancy A. Grobauer, Bernd
341 273
Harrison, John 113 Hoﬀmann, Dirk W. 255 Hurd, Joe 311 Jakubiec, Line 91 Jones, Robert B. 323 Joyce, Jeﬀrey J. 341
149
Matthews, John 73 M¨ uller, Olaf 273 Paulson, Lawrence C. Pfeifer, Holger 55 Rueß, Harald
149
55
Santen, Thomas 37 Schneider, Klaus 255 Seger, CarlJohan H. 323 Staples, Mark 239 Syme, Don 203 Tahar, Soﬁ´ene
293
V¨ olker, Norbert
5
Wenzel, Markus
19, 149, 167
Xiong, Haiyan Zammit, Vincent
293 185