use an application speci c formalism that provides a clear and amenable mechanism for keeping ..... In Lawrence C. Paulson, editor, Proceedings of the FirstĀ ...
A Substructural Logic for Formal Veri cation Sara Kalvala
Valeria de Paiva
Department of Computer Science University of Warwick Coventry CV4 7AL
School of Computer Science University of Birmingham Birmingham B15 2TT
Theorem provers are used extensively for veri cation of software and hardware. While formal veri cation is a mature area of research, with a growing industrial intake, it is still limited by the practical di�culty of modelling large representational systems in low-level mathematical notations. Computations involve change: to values assumed by variables, to bits stored in particular memory locations, or more generally to a global state. Formal veri cation of computational systems must employ an adequate mathematical model for systems and changes to systems. Most current veri cation methodologies do not do this in a direct way, and the complexity of representing change is partly responsible for the perceived di�culty in applying theorem provers in veri cation. We propose to address this limitation in theorem proving technology by bringing to bear recent results in computational logic, namely the development of substructural logics such as Linear Logic, which provide proof systems that naturally address some of the problematic issues in the use of more traditional logics for reasoning about dynamic systems. The aim of the project is to examine variant substructural logics and use them for building tools for speci cation and veri cation of dynamic systems, both directly and as meta logics. Our emphasis will be on case studies and concrete applications. We will work with `Isabelle', a well-known proof tool, instead of creating a completely new proof system. One of the advantages of using Isabelle is that it provides a quick route from a formal logic to a proof environment that can be applied directly in veri cation tasks.
1 Background
We build on results from two active areas of research: formal veri cation of computer systems, and computational logic. Formal veri cation, whether of software, hardware, or a hybrid of the two, takes as a basis a logic system and applies it as a rigorous, unbiased tool for reasoning about the correctness of the modelled system. Computational logic is concerned, in part, with providing a mathematical model of computation, and relating the di�erent models available. Both these research communities look at similar issues but from di�erent perspectives.
Formal veri cation of dynamic systems
Computational systems are designed to e�ect a change in the environment. Formal veri cation of a computational system involves modeling the system mathematically and proving properties of the model through rigorous proof. Tools for formal veri cation are usually built around a formal notation. Commonly used formalisms include Set Theory, Higher-Order Logic, and Constructive Type Theory. Use of formal logics brings several advantages, among which are well known uniform proof search mechanisms, a clear understanding of completeness and consistency issues, and the use of sophisticated and well-developed implementations. Well-known provers developed in the UK are HOL [9], based on Higher-Order Logic, and Isabelle [21], which supports a variety of logics. When general-purpose logics are used to model computations, explicit manipulation of changing state results in verbose descriptions cluttered by unnecessary detail. Therefore one is tempted to use an application speci c formalism that provides a clear and amenable mechanism for keeping track of changing values. It is possible to do so and still have the advantages of a general logic by using the formal logic as a meta logic and embed the desired formalism within the theorem 1
prover. Many provers are designed to support this approach. Two issues must be considered: the ease of use of the formalism and the ease of embedding the formalism in the meta-logic. TLA is such a formalism [16]. In TLA (Temporal Logic of Actions) computations proceed by a series of actions, described through predicates relating the values of variables before and after the action. Behaviours over time are speci ed through a temporal logic. The semantics of TLA speci es that a name x refers not to a value directly but to a function from a state to a value. The discrepancy between the super cial syntax of formulas and the semantics of TLA adds practical di�culties in designing a theorem prover for TLA, an issue commented upon by builders of several existing implementations [24, 7, 12]. Proofs involving temporal aspects are di�cult to automate. There are other formalisms which attempt to address the representation of dynamic systems by considering transitions between states rather than states directly. The �-calculus is an algebraic formulation of the notion of processes and transitions [19]. The �-calculus is a propositional dynamic logic speci cally designed for the analysis of concurrent systems, and incorporates elements of both temporal logic and process algebras [2]. Petri Nets [20] capture the dynamic nature of ongoing processes graphically, through the ring of transitions and transmission of tokens. These formalisms are theoretically quite suitable for veri cation purposes. But several practical di�culties remain when attempts are made to use them as a basis for large-scale veri cation. Embedding such formalisms in standard logics results in complex representations, with one of the di�cult issues being the intricacy of representing transitions in a standard logic. The di�culty of describing changing systems is not an issue only concerning formal veri cation: the frame problem is a commonly used term to refer to this issue in other uses of standard logic. As one of the main aspects of a computation is change, a logic that does not address the frame problem is inherently at a disadvantage, both as a logic for representing computations directly and as a meta-language for embedding transition or action-based formalisms. Proof systems can still be developed, but unless a lot of care is taken they can become unwieldy, due to the di�culty in representing properties of a temporal nature. Alternatives to traditional logics must be explored. Recent research indicates that substructural logics may provide an elegant way to solve the problems described above. However, existing results have not yet been translated into concrete proof tools for formal veri cation. The theme of our project is this practical exploration.
Substructural logics
A common starting point for describing formal logics is Gentzen's Sequent Calculus. A sequent, written P ` C , is valid if the consequences C can be proved from the premises P . A logic, or a deductive system, is a set of schematic rules that state that the conclusion of each rule is valid if all the hypotheses are valid. The rules of traditional logic systems can be divided into two groups: structural rules, which manipulate the structure of a sequent|either by duplicating an existing premise, or by discarding a premise, or even changing the order of premises|and rules that de ne the meaning of connectives of the logic, when they appear within a formula on either the left or the right side of a sequent. A typical collection of structural rules is shown in Figure 1. The exchange rule states that the order in which premises are stated does not matter, and the weakening and contraction rules state that the same premise can be discarded or used once or more as necessary for a proof. Typically, in what we call traditional logics, the structural rules are always accepted, the logics di�ering in the rules de ning connectives. In substructural logics [6], one or more of the structural rules are restricted. If they were all simply removed, the resulting logic would be rendered too weak to be useful, so expressive power is restored by creating new connectives. Furthermore, modifying the structural rules usually implies that connectives such as the conjunction and the disjunction can have di�erent interpretations, and therefore one usually considers two variations on these connections: the multiplicatives and the additives. 2
Substructural logics have been of interest to logicians for a variety of reasons. One of the earlier substructural logics is the Lambek Calculus [15], developed for representing sentences in natural languages. Relevance Logic rejects weakening with the intuition that all premises of a sequent must be relevant to entail the consequence relation [6]. Linear Logic is a particular substructural logic with restricted weakening and contraction [8]. The idea is that premises are `resources' that are consumed and can normally be used only once. Expressive power is added by the use of exponentials, which provide a mechanism for a controlled use of weakening and contraction. The implication connective in Linear Logic (also called the linear implication) also re ects the consumption of the premise of a deduction. Linear Logic has been the target of much interest in the research community, particularly with regards to theoretical issues such as its semantics and time complexity. A lot of the development in the proof theory of Linear Logic builds on the concept of proof nets, graphical links which are added to existing proofs that illustrate the creation and consumption of resources. The notion that some valid formulae are consumed in the proof process and are therefore transient suggests that some substructural logics may be natural formalisms for expressing dynamic properties, which require the invalidation of old properties and the validation of new properties over the computation. In fact, they have already been proposed and used as a metalanguage to describe models of computation, with varying degrees of success, as described below.
Substructural logics and systems speci cations
There have been many recent e�orts to explore the connection between substructural logics and other speci cation formalisms. Much of this work has been concerned with the principle and correctness of embedding other formalisms, such as Petri Nets [17, 4] and the �-calculus [3, 10, 18], into Linear Logic. These e�orts show the consistency between the di�erent formalisms, but they do not address the issue of the proof environment made available to someone who wants to describe a computational system in one of the formalisms and any pragmatic advantages arising. A more practical result is provided by the uses of implementations of linear logic programming languages. Lygon is a linear language that has been used directly to represent changing systems [11]. Forum is another language with a linear essence that has been used to embed the �-calculus as well as to directly specify hardware systems [5]. These are full implementations of Linear Logic, providing programming environments, but they do not provide interactive proof environments which can be useful for veri cation through interactive theorem proving. Temporal logic is a natural formalism for specifying systems with a sequential behaviour, but substructural logics do not directly allow one to state temporal properties. Kanovitch and Ito have recently described their approach to adding temporal logic to `Light' Linear Logic [14]. Retor�e [22] proposes the use of ordered sequents, and a before connective which models sequentiality. Ruet [23] introduces another variation of non-commutative linear logic characterized by the addition of new non-commutative variants of multiplicative connectives, and new modalities called mobilities. All these are attempts at building substructural logics that model sequentiality as well as concurrency. However, they are yet to be integrated into veri cation-style proof environments.
A`A
?`B
identity
B; � ` C cut ?; � ` C
?`B ?; A; B; � ` C ?; A; A ` B weakening exchange contraction ?; A ` B ?; B; A; � ` C ?; A ` B Figure 1: Structural rules of sequent calculus 3
2 Further work
On the whole, the extensive research summarized above and elsewhere [1] points to the possible adequacy of using a substructural logic as a basis for reasoning about dynamic systems. Much of this research has been carried out from a theoretical perspective, and we therefore have a good understanding of the semantic issues of representing speci cation formalisms into Linear Logic. However, very few results exist as to how practical such a model would be, and if the di�culty in specifying dynamic systems and proving properties about them using a substructural logic would be at all an improvement from current embeddings on traditional logics. There is no consensus as to which variant substructural logic is useful for representing both sequential and concurrent behaviours. We now propose to extend this work by investigating the practical use of Linear Logic or some other substructural logic in the analysis of dynamic systems, aiming at the production of a speci cation environment and a theorem-prover useful for veri cation. A rst step in exploring this approach is to study several varieties of substructural logics in a uniform framework, guided by case studies of interest to formal methodologists. The case studies should be both example systems to be speci ed and veri ed as well as formalisms to be embedded, as we see that both uses of traditional logics in veri cation carry drawbacks.
2.1 Development of proof theory
We will start by developing one or more substructural logics suitable for veri cation of dynamic systems. We will take into account work already done by others, but we will ne-tune it for the speci c kind of applications in hand, namely the modelling of sequential behaviour as well as concurrency, and the representation of a large state space. Rather than taking any published variant as the language of choice a priori, we will start by addressing the following questions: �
�
�
What is the role of commutativity? The preliminary intuition guiding this proposal was that sequential composition could be represented by a list of premises. We will expand on this intuition with regards to models of temporal logic. What is the role of exponentials? These seem to model iteration naturally, but there semantics doesn't correspond exactly to a naive mapping into temporal operators. We may design new variants of these operators. Should we consider classical or only intuitionistic variations? We want to explore whether there is a useful interpretation we can give to a term calculus for the logic.
These issues will be resolved in close association with our collaborator, and will bene t from the feedback provided as the implementation is developed and case studies are attempted.
2.2 Implementation and case studies
Marti-Oliet and Meseguer propose the use of linear logic axioms as speci cations of concurrent systems [17], and indicate the importance of comparing such speci cations with more traditional speci cation techniques. However, there are still few results in this area. In order to perform such a comparison, it is crucial to develop an adequate speci cation environment linked to a proof tool. The veri cation community emphasizes a set of properties di�erent from the one addressed by researchers in the logic community, such as the stress on proof checking instead of complete proof automation, the importance of an interface that can aid the speci cation of fairly complex systems, and a high-level proof methodology that supports accepted styles of interaction. We will produce implementations of the chosen substructural logics and develop the proof environment in such a way that reasonable proof e�orts can be attempted, and compared with existing proofs in traditional implementations. An important aspect of the work will be the use of the Isabelle generic prover, which provides a quick way of building a proof environment for a logic, without the need to program all the infra-structure for a usable system, and apply it immediately. 4
We have developed a preliminary implementation of Linear Logic in Isabelle [13], with positive results. This implementation lacked sophisticated proof search functions, and was tested on general problem sets rather than ones speci c to formal veri cation. By choosing a more appropriate substructural logic, it seems very likely that a more sophisticated and useful environment for veri cation can be developed. Isabelle has already been used for large example proofs [12, 21], even when the interface hasn't been further enhanced. So we can quickly test our logic on examples.
2.3 Embedding TLA
The veri cation community is very often interested in developing and supporting specialized formalisms. We will analyze the use of the substructural logics being developed as meta languages for embedding other formalisms, and we will start by embedding TLA. While there has been considerable interest in representing transition systems in Linear Logic, there has been less emphasis on action systems, though these are often considered a more natural method for describing systems by the veri cation community. There are several substantial case studies and industrial strength systems based on action systems, and TLA in particular has been the target of several attempts at mechanization, and some large veri cation exercises. Di�culties remain, some to do with the syntax expected, and others to do with the awkward style of some of the rules provided. It is therefore useful to embed TLA in one or more of our logics. These can then be compared with other implementations of TLA, including one developed by the investigator [12]. This task will be eased by the use of Isabelle, which o�ers useful facilities for embedding new formalisms.
References
[1] Vladimir Alexiev. Applications of Linear Logic to computation: An overview. Technical Report TR93-18, University of Alberta, Edmonton, 1993. [2] Henrik Reif Andersen, Colin Stirling, and Glynn Winskel. A compositional proof system for the modal �calculus. IEEE, 1994. [3] Gianluigi Bellin and Philip J. Scott. On the �-calculus and linear logic. Manuscript, 1992. [4] Carolyn Brown, Doug Gurr, and Valeria de Paiva. A linear speci cation language for Petri Nets. Technical Report DAIMI PB { 363, Aarhus University, 1991. [5] Jawahar L. Chirimar. Proof Theoretic Approach to Speci cation Languages. PhD thesis, Department of Computer and Information Science, University of Pennsylvania, 1995. [6] Kosta Dosen. A historical introduction to substructural logics. In Peter Schroeder-Heister and Kosta Dosen, editors, Substructural Logics, volume 2 of Studies in Logic and Computation. Clarendon, 1993. [7] Urban Engberg. Reasoning in the Temporal Logic of Actions. PhD thesis, Aarhus University, 1994. [8] Jean-Yves Girard. Linear logic. Theoretical Computer Science, 50:1{101, 1987. [9] M. J. C. Gordon and T. F. Melham, editors. Introduction to HOL: A theorem proving environment for higher order logic. Cambridge University Press,, 1993. [10] Vineet Gupta. Chu Spaces: A Model of Concurrency. PhD thesis, Stanford University, September 1994. [11] James Harland, David Pym, and Michael Winiko�. Programming in Lygon: An overview. In M. Wirsing and M. Nivat, editors, Algebraic Methodology and Software Technology, pages 391{405, Munich, Germany, July 1996. Springer-Verlag LNCS 1101. [12] Sara Kalvala. A formulation of TLA in Isabelle. In E. Thomas Schubert, Phillip J. Windley, and James Alves-Foss, editors, Higher Order Logic Theorem Proving and its Applications, number 971 in Lecture Notes in Computer Science. Springer-Verlag, 1995. [13] Sara Kalvala and Valeria de Paiva. Linear logic in Isabelle. In Lawrence C. Paulson, editor, Proceedings of the First Isabelle Users Workshop, number 379 in Technical Report. University of Cambridge Computer Laboratory, 1995. [14] Max Kanovitch and Takayasu Ito. Temporal linear logic speci cations for concurrent processes. In Logic in Computer Science. IEEE, 1997. [15] Joachim Lambek. From categorial grammar to bilinear logic. In Peter Schroeder-Heister and Kosta Dosen, editors, Substructural Logics, volume 2 of Studies in Logic and Computation. Clarendon, 1993. [16] Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3), 1994. [17] Narciso Marti-Oliet and Jose Meseguer. From Petri nets to linear logic. Mathematical Structures in Computer Science, 1, 1991.
5
[18] Dale Miller. The �-calculus as a theory in linear logic: Preliminary results. In E. Lamma and P. Mello, editors, Proceedings of the 1992 Workshop on Extensions to Logic Programming, Lecture Notes in Computer Science. Springer-Verlag, 1993. [19] Robin Milner, Joachim Parrow, and David Walker. A calculus of mobile processes. Information and Computation, 100(1), 1992. [20] T. Murata. Petri nets: properties, analysis, and applications. Proceedings of the IEEE, 77(4), 1989. [21] Lawrence Paulson. Isabelle: A generic theorem prover, volume 828 of Lecture Notes in Computer Science. Springer-Verlag, 1994. [22] Christian Retor�e. Pomset logic: a non-commutative extension of classical linear logic. In TLCA'97, volume 1210 of LNCS. Springer-Verlag, 1997. [23] Paul Ruet. Non-commutative linear logic with mobilities. In Bulletin of Symbolic Logic, volume 3-2, 1997. [24] Joakim von Wright and Thomas Langbacka. Using a theorem prover for reasoning about concurrent algorithms. In Proceedings of the Fourth International Workshop on Computer-Aided Veri cation, 1992.
6
