(Co)inductive proof systems for compositional proofs in reachability logic

https://doi.org/10.1016/j.jlamp.2020.100619Get rights and content

Abstract

Reachability Logic is a formalism that can be used, among others, for expressing partial-correctness properties of transition systems. In this paper we present three proof systems for this formalism, all of which are sound and complete and inherit the coinductive nature of the logic. The proof systems differ, however, in several aspects. First, they use induction and coinduction in different proportions. The second aspect regards compositionality, broadly meaning their ability to prove simpler formulas on smaller systems and to reuse those formulas as lemmas for proving more complex formulas on larger systems. The third aspect is the difficulty of their soundness proofs.

We show that the more induction a proof system uses, and the more specialised is its use of coinduction (with respect to our problem domain), the more compositional the proof system is, but the more difficult is its soundness proof.

We present formalisations of these results in the Coq proof assistant. In particular we have developed support for coinductive proofs that is comparable to that provided by Coq for inductive proofs. This may be of interest to a broader class of Coq users.

Introduction

Reachability Logic (RL) [1] has been introduced as a language-parametric program logic: a formalism for specifying the functional correctness of programs, which may belong to any programming language whose operational semantics is also specified in RL. The functional correctness of a program is stated as the validity of a set of RL formulas (specifying the program's properties) with respect to another set of RL formulas (specifying the operational semantics of the language containing the program).

Such statements are proved by means of a proof system, which has adequate meta-properties with respect to validity: soundness (only valid RL formulas can be proved) and relative completeness (all valid RL formulas can, in principle, be proved, modulo the existence of “oracles” for auxiliary tasks). The proofs of these meta-properties are typically highly nontrivial, but for a given proof system they only need to be done once.

Program logics already have a half-century history between them, from the first occurrence of Hoare logic [2] to contemporary separation logics [3]. However, all those logics depend on a language's syntax and therefore have to be defined over and over again, for each new language (or even, for each new language version). In particular, the meta-properties of the corresponding proof systems should be reproved over and over again, a tedious task that is often postponed to an indeterminate future.

Despite being language-parametric, Reachability Logic does not come in only one version. Several versions have been proposed over the years [1], [4], [5]. The formalism has been generalised from programming languages to more abstract models: rewriting logic [6], [7] and transition systems [8], which can be used for specifying designs, and verifying them before they are implemented in program code. This does not replace code verification, just as code verification does not replace the testing of the final running software; but it enables the early catching of errors and the early discovery of key functional-correctness properties, all of which are known to have practical benefits.

Contributions.  We further study RL on transition systems (TS). We propose three proof systems for RL, formalise them in Coq [9], and illustrate them on examples.

  • The proof systems we propose have some common features: the soundness and completeness meta-properties, and the coinductive nature inherited from RL. However, they differ in other aspects: (i) the “amount” of induction they contain; (ii) their degree of compositionality (i.e., their ability to prove local formulas on “components” of a TS, and then to use those formulas as lemmas in proofs of global formulas on the TS); and (iii) the difficulty of their soundness proofs.

  • We show that the more induction a proof system uses, and the closest its “brand” of coinduction to our problem domain (proving RL formulas), the more compositional the proof system is, but the more difficult its soundness proof. There is a winner: the most compositional proof system of the three, but we believe that the other ones exhibit interesting, worth-presenting features as well.

  • The implementation of the three proof systems in Coq use different facets of coinduction available in the proof assistant. The basic, builtin ones are enough for the first (and simplest) of the three proof systems. For the second proof system, which uses a mixture of induction and coinduction, more advanced techniques are needed. The third and most complex proof system has a customised coinduction mechanism for our problem domain, implemented in an inductive setting.

  • Moreover, efforts have been made to develop the Coq formal proofs as close as possible to the paper proofs. In particular, coinductive proofs in Coq are well-formed corecursive programs, while the paper proofs are based on the Knaster-Tarski fixpoint theorems. To reconcile the two we encode instances of that theorem in Coq, whose statements are derived from the corresponding Coq coinductive definition, and whose proofs use the builtin, lower-level Coq mechanisms for corecursive programming. Then, in subsequent proofs by coinduction we use the higher-level, Knaster-Tarski theorem instances instead of the lower-level, builtin mechanisms. We obtain a framework for proofs by coinduction that offers a level of support comparable (and dual) to that provided by Coq for proofs by induction. We also show that by using the proposed approach one can write proofs that are accepted by Coq, while direct proof attempts using Coq's builtin mechanisms are rejected. The approach is systematic, amenable to automation, and may be of interest to a broad class of Coq users.

Comparison with the conference version.  The proof systems and their soundness/completeness results (minus most of the longer, more technical proofs) have been published in the conference version [10]. The proofs are here developed in full. The Coq formalisation of the proof systems was only sketched in [10], and the Knaster-Tarski framework for proofs by coinduction in Coq is new. We present them here in detail, together with design choices and examples of application. Finally, in the conference version we also briefly presented the formalisation of the first two proof systems in the Isabelle/HOL proof assistant [11]. For space reasons we do not elaborate that part, but we do acknowledge the influence of Knaster-Tarski-based coinduction in Isabelle/HOL on our corresponding developments in Coq.

Comparison with related work.  Most papers about Reachability Logic, including the ones cited above, mention the coinductive nature of the logic, but do not actually use it (nor in the paper proof, neither in Coq formalisations). In [12], [13] coinduction is used for formalising RL and for proving RL properties for programs and for term-rewriting systems, but that approach is not mechanised in a proof assistant. More closely related work to ours is reported in [14]; they attack, however, the problem in the opposite way: they develop a general theory of coinduction in Coq and use it to verify programs directly based on the semantics of programming languages, i.e., without using a proof system. They show that a proof system for RL is an instance of their approach for theoretical reasons - in order to show that their approach is complete in a formal sense.

Coinduction in Coq is based on the Curry-Howard isomorphism that views proofs as programs, hence, coinductive proofs are well-formed corecursive programs [15]. Coq offers a limited amount of support for performing coinductive proofs, much less so than for inductive ones. The basic coinduction mechanism (the cofix tactic) introduces a hypothesis that copies the current goal's conclusion, and that can only be used when progress has been achieved in the proof; technically speaking, the proof term being built has to be syntactically guarded by constructors. The exact theoretical definition of syntactical guardedness is complex [15], which does not make its use particularly easy in paper proofs. In recent work [16] we were faced with this problem when proving on paper the soundness and completeness of the first proof system also shown in this paper. To understand those proofs, readers had to “believe” that the syntactical guardedness holds, a complex hypothesis that we did not check in the paper proofs, but only in Coq. In the present paper we bring the Coq proofs closer to the paper ones (via the Knaster-Tarski theorem) rather than the other way around. The implementation of syntactical guardedness is also not very user-friendly; our framework based on Knaster-Tarski alleviates this problem by “hiding” syntactical guardedness and enables some proofs that would not be possible by directly using the builtin cofix.

Related works directed at circumventing the syntactical guardedness coinduction, in Coq and other dependent type-theoretical assistants, include [17], [18], [19], [20], [21], [22]. None are based on the Knaster-Tarski fixpoint theorems, in contrast to the implementation of coinduction in the Isabelle/HOL proof assistant [23] that inspired us here.

Regarding coinduction in general, the book [24] serves as an introduction to the topic and explores the relationships between coinduction and bisimulation.

Regarding compositional verification, most existing techniques decompose proofs among parallel composition. Various compositional methods for various parallel composition operators (rely-guarantee, assumption-commitment, …) are presented in the book [25]. We employ compositionality in a different sense - structural, for transition systems, and logical, for formulas. Many of the techniques presented in [25] have an implicit coinductive nature, which could perhaps be made explicit in future works.

Organisation.  The next section recaps preliminary notions: Knaster-Tarski style induction and coinduction, transition systems, and RL on transition systems. A first compositionality result, of RL-validity with respect to certain sub-transition systems, is given. The three following sections present our three proof systems in increasing order of complexity. Soundness and completeness results are given and a notion of compositionality with respect to formulas, in two versions: asymmetrical and symmetrical, is introduced and combined with the compositionality regarding sub-transition systems. The three proof systems are shown to have increasingly demanding compositionality features. We then present the Coq mechanisations of the proof systems, and illustrate on examples how they can be used for compositional verification. The Coq formalisations are currently available at http://project.inria.fr/jlamp2019.

Section snippets

Induction and coinduction

Consider a complete lattice (L,,,,,) and a monotone function F:LL. According to the Knaster-Tarski fixpoint theorem, F has a least fixpoint μF (respectively, greatest fixpoint νF), which is the least (respectively, greatest) element x of L such that F(x)x (respectively, xF(x)), hence, F(x)x implies μFx, and xF(x) implies xνF. We shall sometimes use a stronger version of the statement involving the greatest fixpoint: XF(XνF) iff XνF.

Those theorems can be used to define inductive

Structural compositionality

We define a notion of component of a transition system, and show that, if a formula is valid on a component, then it is valid on the whole transition system. This simplifies verification since components are typically smaller than whole transition systems.

Definition 3 Component

A transition system (S,) is a component of (S,) if

  • SS and ;

  • for all s,sS, ss implies ss;

  • for all sS, sSS, ss implies sS.

We write
when S is a component of S.

We often interchangeably use sets of states and

A one-rule proof system

Our first proof system is depicted as the one-rule inference system in Fig. 2. It is parameterised by a transition system S, and everything therein depends on it; we omit S subscripts for simplicity. Intuitively, an application of the [Stp] rule can be seen as a symbolic execution step, taking a formula lr and “moving” l “one step closer” to r - specifically, taking an over-approximation l of the “difference” between l and r (encoded in the side-condition llr) that contains no final

An asymmetrically-compositional proof system

In this section we propose another proof system and show that it is both structurally compositional (with respect to transition systems) and asymmetrically compositional (with respect to formulas). This is achieved thanks to the introduction of inductive rules in the proof system, with a better distribution of roles between these rules and the remaining coinductive rule, at the cost of a more involved soundness proof.

Our second proof system is depicted in Fig. 3. It is a binary relation - a

A symmetrically-compositional proof system

Our third proof system is depicted in Fig. 4. A first difference with the previous one is that hypotheses and conclusions are pairs of a Boolean tag and a formula. We call them tagged formulas, or simply formulas when there is no risk of confusion. The role of the tags is to avoid unsoundness. To see this, note that without the Boolean tags, one could assume any formula φ under proof as a new hypothesis by (bottom-up) applying the rule [Cof], and finish the proof with [Hyp]. However, with the

Implementation

In this section we describe the implementation of the three proof systems, of their soundness and completeness proofs, and of their compositional features.

The main challenge has been to obtain Coq proofs that are close to paper proofs while keeping the paper proofs understandable. The difficulty arises from the fact that certain mechanisms that one uses in the proof assistant produce formal proofs that do not translate well to paper (where the “natural” reasoning techniques are different).

This

Conclusions and future work

For each of the main contributions we draw some conclusions and suggest future work.

Proof systems.  We have noted a correlation between the amount of induction, the degree of compositionality, and the difficulty of soundness proofs in our three proof systems. This correlation can be explained by the fact that the proof systems are also increasingly closer to our specific problem domain - verifying RL formulas on transition systems. The first, one-rule proof system is a rather generic search

Declaration of Competing Interest

We hereby declare that there is no conflict of interest regarding our manuscript.

Acknowledgement

We acknowledge the support of the CNRS-JSPS Joint Research Project “FoRmal tools for IoT sEcurity” (PRC2199), and thank all the participants of this project for fruitful discussions.

References (26)

  • D. Lucanu et al.

    A generic framework for symbolic execution: a coinductive approach

    J. Symb. Comput.

    (2017)
  • Y. Bertot et al.

    Inductive and coinductive components of corecursive functions in Coq

  • A. Stefanescu et al.

    All-path reachability logic

    Log. Methods Comput. Sci.

    (2019)
  • C.A.R. Hoare

    An axiomatic basis for computer programming

    Commun. ACM

    (1969)
  • P.W. O'Hearn

    Separation logic

    Commun. ACM

    (2019)
  • G. Rosu et al.

    One-path reachability logic

  • A. Stefanescu et al.

    Semantics-based program verifiers for all languages

  • D. Lucanu et al.

    Verifying reachability-logic properties on rewriting-logic specifications

  • S. Skeirik et al.

    A constructor-based reachability logic for rewrite theories

  • V. Rusu et al.

    Proving partial-correctness and invariance properties of transition-system models

  • Y. Bertot et al.

    Interactive Theorem Proving and Program Development - Coq'Art: The Calculus of Inductive Constructions

    (2004)
  • V. Rusu et al.

    (Co)inductive proof systems for compositional proofs in reachability logic

  • T. Nipkow et al.

    Isabelle/HOL - a Proof Assistant for Higher-Order Logic

    (2002)
  • Cited by (0)

    This work was partially funded by the CNRS-JSPS Joint Research Project “FoRmal tools for IoT sEcurity” (PRC2199).

    1

    Univ. Lille, CNRS, Centrale Lille, UMR 9189 - CRIStAL - Centre de Recherche en Informatique Signal et Automatique de Lille, F-59000 Lille, France.

    View full text