Evolution of Inductive Definitions
Mitsuharu Yamamoto¹ and Masami Hagiya²
¹ Faculty of Science, Chiba University
² Graduate School of Science, University of Tokyo
Abstract. In formal verification, inductive definitions of predicates are widely used when we define recursive notions and algorithms. In actual verification, we often introduce a new inductively defined predicate by modifying an existing inductive definition. In such a case, there are usually some relationships between the two predicates, and such relationship theorems make the properties of one predicate applicable to the other. However, such a methodology has not been studied systematically. In this study we evolve inductive definitions of predicates by adding extra parameters or restrictions to an existing one, and describe how such evolution can be used and how it helps formal verification activities.
1 Inductive Definitions

An inductive definition defines a predicate P using rules of the following form:

$$\frac{P(s_1)\ \cdots\ P(s_n) \qquad C(u)}{P(s_0)}$$

where s_1, ..., s_n, s_0 are terms. In general P is an n-ary (n > 0) predicate, but here we only treat the unary case (or you may regard s_i as a vector of terms). C(u) is a proposition not containing P, called a side condition. The above rule stands for the following formula:

$$P(s_1) \wedge \cdots \wedge P(s_n) \wedge C(u) \Longrightarrow P(s_0).$$

Given these rules, the predicate P is defined as the least predicate (in other words, the least relation) that satisfies all the rules. Inductively defined predicates have several properties that can be used when formally proving theorems on the predicates:
– the theorem that the predicate P satisfies the given rules;
– the induction theorem obtained from the fact that P is the least relation;
– the case analysis theorem on P.
Several theorem proving systems provide facilities for defining predicates inductively and automatically deriving the above properties [4, 3]. In formal verification using theorem proving systems, inductive definitions of predicates play important roles when defining recursive notions and algorithms. Using inductive definitions, Camilleri [1] showed several examples of formal verification such as operational semantics of a programming language, combinatory logic, process algebra, and so on. Among our former studies on verification, planarity of graphs [5] and a toy compiler are also defined inductively.
As is often the case with actual verification, we sometimes want to define a new predicate by modifying an existing definition of a predicate, which is also defined inductively. In most cases, there is some relationship between the old and new predicates. In this paper we propose a mechanism “evolution of inductive definitions”, which allows us to define a new predicate by adding extra parameters or restrictions to an existing inductively defined predicate, and to derive some relationship between the two predicates automatically.
2 Evolution of Inductive Definitions
Suppose a predicate P is defined by the rules on the left below, and consider the rules of Q on the right, each of which has the same number of occurrences of Q as that of P in the corresponding rule:

$$\frac{P(s_1)\ \cdots\ P(s_n) \qquad C(u)}{P(s_0)},\ \ldots \qquad\qquad \frac{Q(t_1)\ \cdots\ Q(t_n) \qquad D(v)}{Q(t_0)},\ \ldots$$

Then "fuse" them as follows:

$$\frac{PQ(s_1, t_1)\ \cdots\ PQ(s_n, t_n) \qquad C(u) \wedge D(v)}{PQ(s_0, t_0)},\ \ldots$$

In this way, we obtain a new predicate PQ by specifying only the difference (the rules of Q) between it and an existing predicate P.

2.1 Properties between the Old and New Predicates
Of course, evolution of inductive definitions provides not only a "shorthand" for definitions, but also some properties between the old and new predicates. For simplicity, we consider the case that the number of predicates occurring in the premise part (the upper half of a rule) is exactly one. General cases can be obtained similarly.

Property 1. ∀x y. PQ(x, y) ⟹ P(x)

(Proof) By induction on PQ, it is sufficient to prove P(s) ∧ C(u) ∧ D(v) ⟹ P(s_0), which can be obtained from the rules of P. □

Using this property, we can derive a theorem ∀x y. PQ(x, y) ⟹ A(x) from a theorem ∀x. P(x) ⟹ A(x). This means that properties of P can be imported to PQ.

Property 2. ∀x. P(x) ⟹ ∃y. PQ(x, y) (under a certain condition)

The converse of Property 1 does not always hold, so we consider a sufficient condition that is suitable for automation. By induction on P, it is sufficient to prove (∃y. PQ(s, y)) ∧ C(u) ⟹ ∃y. PQ(s_0, y) for each rule of P. Since the general case is hard to prove automatically, consider the case that s ≡ z (i.e., a variable). Now we have PQ(s, z) ∧ C(u) ∧ D(v) ⟹ PQ(s_0, t_0) by the rules of PQ, and by Property 1 (which yields P(s) from PQ(s, z)), P(s) ∧ C(u) ⟹ D(v) is a sufficient condition. If this condition is a simple arithmetic expression, the proving system tries to prove it automatically. Otherwise the system shows the condition to the user (as an unproved condition). In particular, the sufficient condition holds if s is a variable and D(v) is always true.

Property 3. ∀x. R(x) ⟹ (P(x) ⟹ ∃y. PQ(x, y)) (under a certain condition)

This is a weaker version of Property 2. A restriction R on the argument of P is added. An observation similar to that for Property 2 gives the following sufficient condition: s ≡ z (a variable), C(u) ∧ R(s_0) ⟹ R(s), and P(s) ∧ C(u) ∧ R(s_0) ⟹ D(v).
3 Example of Evolution

In [6], we formalized an abstract graph search algorithm and proved some properties (including correctness) of the algorithm using the theorem proving system HOL [2]. In that paper the algorithm is defined in terms of recursion with respect to natural numbers, i.e., recursion on the number of execution steps. The following is the inductively defined version of the abstract algorithm, which we named POTENTIAL.

$$\frac{\text{(none)}}{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ \{s\}\ \{\}\ (\lambda v.\ \mathrm{if}\ (v = s)\ \mathrm{then}\ bs\ \mathrm{else}\ \mathrm{Top}(\mathrm{LEQ}\ l))}$$

$$\frac{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ (\{v\} \cup open)\ \{\}\ xv}{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ (open \setminus \{v\})\ (\mathrm{INCIDENT\_FROM}\ g\ v)\ xv}$$

$$\frac{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ open\ (\{e\} \cup outv)\ xv \qquad (\mathrm{LEQ}\ l)\ (xv\ (ed\ e))\ (fe\ e\ (xv\ (es\ e)))}{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ open\ (outv \setminus \{e\})\ xv}$$

$$\frac{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ open\ (\{e\} \cup outv)\ xv \qquad \neg((\mathrm{LEQ}\ l)\ (xv\ (ed\ e))\ (fe\ e\ (xv\ (es\ e))))}{\mathrm{POTENTIAL}\ g\ l\ s\ bs\ fe\ (\{(ed\ e)\} \cup open)\ (outv \setminus \{e\})\ (\lambda v.\ \mathrm{if}\ (v = ed\ e)\ \mathrm{then}\ \mathrm{Cap}(\mathrm{LEQ}\ l)\ (xv\ (ed\ e))\ (fe\ e\ (xv\ (es\ e)))\ \mathrm{else}\ xv\ v)}$$
Each rule specifies a one-step transition, that is, how the internal states, which correspond to variables in the actual programming language, change as the execution of the algorithm proceeds by one step. The premise parts of the rules determine which rules are applicable under the current setting of the internal states. The algorithm terminates when no rule is applicable (at that time, both open and outv have become empty sets). The predicate POTENTIAL takes eight arguments, which can be classified into two categories: the former five (g, l, s, bs, and fe) are given as the specification of the problem and do not change during execution, and the latter three (open, outv, and xv) correspond to internal states. Since the meaning of each variable is beyond the scope of this paper, please refer to [6]. The rest of this section describes how evolution of inductive definitions can be used in the setting of this abstract search algorithm.

3.1 Adding extra parameters
Compared with the definition of POTENTIAL in [6], the above definition lacks two arguments: n and closed. Neither of them affects the algorithm itself, and the absence of these arguments seems more natural, since the variables corresponding to these arguments usually do not appear in the implementation of the algorithm (i.e., the program). Then why did they appear in [6]?

The execution counter n was needed because the predicate POTENTIAL was defined by recursion on the number of steps, and we could not make it a recursive definition without such a counter. The argument closed was needed for stating and proving loop invariants. Besides recursive definition issues, an argument such as n may be needed when we want to prove some theorems using course-of-values induction on the number of steps. As seen in these examples, we sometimes need to add extra parameters to an existing (inductively defined) predicate. Evolution of inductive definitions can do this systematically. For example, the execution counter n can be added by "fusing" the rules of POTENTIAL with the following rules:

$$\frac{\text{(none)}}{\mathrm{step}\ 0} \qquad \frac{\mathrm{step}\ n}{\mathrm{step}\ (\mathrm{SUC}\ n)} \qquad \frac{\mathrm{step}\ n}{\mathrm{step}\ (\mathrm{SUC}\ n)} \qquad \frac{\mathrm{step}\ n}{\mathrm{step}\ (\mathrm{SUC}\ n)}$$

Then we have the new predicate POTENTIAL_step. Moreover, Property 1 and Property 2 in the previous section ensure the following:
– If we already have ∀g ... xv. POTENTIAL g ... xv ⟹ A(g, ..., xv) proved, the same property A holds for POTENTIAL_step.
– If we prove ∀g ... xv n. POTENTIAL_step g ... xv n ⟹ A(g, ..., xv), the same property holds for POTENTIAL if A(g, ..., xv) does not contain n.
Argument closed can be added in a similar way.
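To make the fusion of Sect. 2 and the relationship theorems of Sect. 2.1 concrete, with a step counter as the extra parameter as in this subsection, here is an added example in Lean 4 (core library only, no Mathlib). It is not the paper's HOL code, and the predicates are toy stand-ins chosen for this illustration: P is "x is even" defined by one axiom rule and one rule with a single premise, Step is the counter with one rule per rule of P, and PQ is their fusion. Property 1 and Property 2 are proved exactly as the paper's sketches say, by induction on PQ and on P respectively, and a property of P (x mod 2 = 0) is imported to PQ through Property 1.

```lean
-- Existing predicate P (toy stand-in): "x is even", given by the rule set
--   (none) / P 0        and        P n / P (n + 2)
inductive P : Nat → Prop where
  | zero : P 0
  | step {n : Nat} : P n → P (n + 2)

-- The "difference" Q: a step counter, one rule per rule of P, each with the
-- same number of premises as the corresponding rule of P.
inductive Step : Nat → Prop where
  | zero : Step 0
  | succ {k : Nat} : Step k → Step (k + 1)

-- The fused predicate PQ: premises and conclusions are paired componentwise,
-- so PQ x y reads "x is even and y counts the steps used to derive it".
inductive PQ : Nat → Nat → Prop where
  | zero : PQ 0 0
  | step {n k : Nat} : PQ n k → PQ (n + 2) (k + 1)

-- Property 1: PQ(x, y) ⟹ P(x), by induction on PQ.  Each case is closed by
-- the corresponding rule of P, as in the paper's proof sketch.
theorem pq_imp_p : ∀ x y, PQ x y → P x := by
  intro x y h
  induction h with
  | zero => exact P.zero
  | step _ ih => exact P.step ih

-- Property 2: P(x) ⟹ ∃y. PQ(x, y), by induction on P.  The sufficient
-- condition of Sect. 2.1 holds here: the premise of the step rule of P is a
-- variable n, and the side condition D(v) of the counter rules is always true.
theorem p_imp_exists_pq : ∀ x, P x → ∃ y, PQ x y := by
  intro x h
  induction h with
  | zero => exact ⟨0, PQ.zero⟩
  | step _ ih =>
    cases ih with
    | intro k hk => exact ⟨k + 1, PQ.step hk⟩

-- A property proved once for the old predicate P ...
theorem p_mod_two (x : Nat) (h : P x) : x % 2 = 0 := by
  induction h with
  | zero => rfl
  | step _ ih => omega

-- ... and imported to the evolved predicate PQ through Property 1, without
-- redoing the induction (the use of Property 1 described in Sect. 3.1).
theorem pq_mod_two (x y : Nat) (h : PQ x y) : x % 2 = 0 :=
  p_mod_two x (pq_imp_p x y h)
```

The two inductions are the mechanical part that the paper proposes to automate: the Property 1 proof only ever applies the rule of P that corresponds to the current PQ rule, and the Property 2 proof only repackages the witness produced by the induction hypothesis.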
3.2 Restricting Transitions: A* Algorithm
In [6], we defined a predicate ASTAR that represents the A* algorithm, one of the well-known optimizing search algorithms, and proved its correctness. Some of the properties of ASTAR used for proving the correctness are imported from those of POTENTIAL. However, although the definition of ASTAR was exactly the same as POTENTIAL's, ASTAR was defined (by recursion on the number of steps) completely separately from POTENTIAL, and the relationship between the two predicates was proved manually. In the concluding remarks of [6], we mentioned the necessity of facilities that help us introduce such a predicate and prove the relationship between them.

The predicate POTENTIAL_ASTAR can be defined using evolution of inductive definitions. Essentially, this is done by adding extra parameters and restricting the transitions of POTENTIAL by the added rules:

$$\frac{\text{(none)}}{\mathrm{ASTAR}\ goal\ hv\ (\lambda v.\ \mathrm{EMPTY\_PATH}\ s)}$$

$$\frac{\mathrm{ASTAR}\ goal\ hv\ po \qquad (v \neq goal) \qquad \mathrm{IS\_MINIMAL}\ (\mathrm{LEQ}\ l)\ \{hv\ v_1\ (xv\ v_1) \mid v_1 \in open\}\ (hv\ v\ (xv\ v))}{\mathrm{ASTAR}\ goal\ hv\ po}$$

$$\frac{\mathrm{ASTAR}\ goal\ hv\ po}{\mathrm{ASTAR}\ goal\ hv\ po}$$

$$\frac{\mathrm{ASTAR}\ goal\ hv\ po}{\mathrm{ASTAR}\ goal\ hv\ (\lambda v.\ \mathrm{if}\ (v = ed\ e)\ \mathrm{then}\ \mathrm{PATH\_SNOC}\ (po\ (es\ e))\ e\ \mathrm{else}\ po\ v)}$$

Since the A* algorithm has a termination condition different from POTENTIAL's, we must prepare a predicate ASTAR_FINAL, which means that the shortest path to the goal has been found:

$$\frac{\mathrm{POTENTIAL\_ASTAR}\ \ldots\ goal\ hv\ po \qquad (v = goal) \qquad \mathrm{IS\_MINIMAL}\ (\mathrm{LEQ}\ l)\ \{hv\ v_1\ (xv\ v_1) \mid v_1 \in open\}\ (hv\ v\ (xv\ v))}{\mathrm{ASTAR\_FINAL}\ \ldots\ goal\ hv\ po}$$
The relationship between POTENTIAL_ASTAR and POTENTIAL is immediately derived from Property 1 in the previous section:
– If we already have ∀g ... xv. POTENTIAL g ... xv ⟹ A(g, ..., xv) proved, the same property A holds for POTENTIAL_ASTAR.
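The restriction case of this subsection, together with Property 3 of Sect. 2.1, as an added Lean 4 example (core library only). This is a toy stand-in, not the paper's HOL definitions: Run plays the role of POTENTIAL with a single counter as its internal state; RunGoal fuses it with an extra argument goal and the side condition n ≠ goal, in the way the (v ≠ goal) premise restricts the ASTAR transitions; Final plays the role of ASTAR_FINAL. Property 1 transfers to the restricted predicate by induction, and Property 3 is proved for the restriction R(x) := x ≤ goal, where the two sufficient conditions of Sect. 2.1 are exactly the arithmetic facts discharged by omega in the step case.

```lean
-- Existing predicate (toy stand-in for POTENTIAL): a counter that starts at 0
-- and may step upward without bound.
inductive Run : Nat → Prop where
  | init : Run 0
  | step {n : Nat} : Run n → Run (n + 1)

-- Difference rules fused into Run: an extra argument goal, plus the side
-- condition n ≠ goal on the step rule.  As with POTENTIAL_ASTAR, the new
-- predicate has one rule per rule of Run, with the transitions restricted.
inductive RunGoal (goal : Nat) : Nat → Prop where
  | init : RunGoal goal 0
  | step {n : Nat} : RunGoal goal n → n ≠ goal → RunGoal goal (n + 1)

-- Separate terminating rule (the role of ASTAR_FINAL): applicable exactly when
-- the restricted predicate has reached the goal.
inductive Final (goal : Nat) : Nat → Prop where
  | done {n : Nat} : RunGoal goal n → n = goal → Final goal n

-- Property 1: the restricted predicate implies the original one, by induction
-- on RunGoal; the extra premise of each rule is simply dropped.
theorem runGoal_imp_run (goal x : Nat) (h : RunGoal goal x) : Run x := by
  induction h with
  | init => exact Run.init
  | step _ _ ih => exact Run.step ih

-- Property 3 with R(x) := x ≤ goal, by induction on Run.  The step case needs
-- precisely the two sufficient conditions of Sect. 2.1:
--   C(u) ∧ R(s_0) ⟹ R(s):          n + 1 ≤ goal ⟹ n ≤ goal   (to use ih)
--   P(s) ∧ C(u) ∧ R(s_0) ⟹ D(v):   n + 1 ≤ goal ⟹ n ≠ goal   (side condition)
-- Both are linear arithmetic, so omega closes them automatically.
theorem run_imp_runGoal (goal x : Nat) (hR : x ≤ goal) (h : Run x) :
    RunGoal goal x := by
  revert hR
  induction h with
  | init =>
    intro _
    exact RunGoal.init
  | step _ ih =>
    intro hR
    exact RunGoal.step (ih (by omega)) (by omega)

-- The existential form in which Property 3 is stated in Sect. 2.1.
theorem run_imp_exists_runGoal (goal x : Nat) (hR : x ≤ goal) (h : Run x) :
    ∃ g, RunGoal g x :=
  ⟨goal, run_imp_runGoal goal x hR h⟩

-- What the terminating predicate guarantees: the goal was reached, and the
-- underlying unrestricted predicate holds for that state (via Property 1).
theorem final_imp (goal x : Nat) (h : Final goal x) : x = goal ∧ Run x := by
  cases h with
  | done hg heq => exact ⟨heq, runGoal_imp_run _ _ hg⟩
```

Outside the restriction R, Property 2 genuinely fails for this fusion: Run (goal + 1) holds but RunGoal goal (goal + 1) does not, since the only step into goal + 1 would require goal ≠ goal. That is the situation the weaker Property 3 is designed for.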
4 Summary and Concluding Remarks
We proposed evolution of inductive definitions. It allows us to define a new inductively defined predicate by specifying only its difference from an existing one, and to use the automatically derived relationship between the two predicates. We also showed concrete examples indicating that the evolution will help our verification activities. We are now implementing this evolution mechanism on the theorem proving system HOL [2], which has a full-fledged programming language, ML (as a Meta Language), to manipulate logical constructs such as terms and theorems. The outline of the implementation is as follows. The rules used when defining an existing predicate are extracted from the theorem that asserts that the predicate satisfies the given rules. After some syntax checking, the rules specified as the difference are combined with the extracted rules one by one. Then the new predicate is defined with the existing inductive definition mechanism. Finally, the evolution mechanism proves the theorem corresponding to Property 1, which is implemented by constructing a specialized automated prover program in ML. Properties 2 and 3 are also proved similarly if the sufficient conditions mentioned in Sect. 2.1 hold.
References
1. Juanito Camilleri and Tom Melham. Reasoning with inductively defined relations in the HOL theorem prover. Technical Report 265, University of Cambridge Computer Laboratory, 1992.
2. M. J. C. Gordon and T. F. Melham, editors. Introduction to HOL: A theorem proving environment for higher order logic. Cambridge University Press, 1993.
3. John Harrison. Inductive definitions: Automation and application. In 8th International Workshop on Higher-Order Logic Theorem Proving and Its Applications, volume 971 of LNCS, pages 200–213. Springer-Verlag, 1995.
4. Thomas F. Melham. A package for inductive relation definition in HOL. In Proceedings of the 1991 International Tutorial and Workshop on the HOL Theorem Proving System, pages 27–30. IEEE Computer Society Press, August 1991.
5. Mitsuharu Yamamoto, Shin-ya Nishizaki, Masami Hagiya, and Yozo Toda. Formalization of planar graphs. In 8th International Workshop on Higher-Order Logic Theorem Proving and Its Applications, volume 971 of LNCS, pages 369–384. Springer-Verlag, 1995.
6. Mitsuharu Yamamoto, Koichi Takahashi, Masami Hagiya, Shin-ya Nishizaki, and Tetsuo Tamai. Formalization of graph search algorithms and its applications. In Theorem Proving in Higher Order Logics: TPHOLs '98, volume 1479 of LNCS, pages 479–496. Springer-Verlag, 1998.