A Theory for Abstract Reduction Systems in PVS

A theory for Abstract Reduction Systems (ARS) in the proof assistant PVS (Prototype Verification System), called ars, is described. Adequate specifications of basic definitions and notions such as reduction, confluence and normal form are given, and well-known results are proved, including non-trivial ones such as Noetherian Induction, Newman's Lemma and its generalizations, and the Commutation Lemma, among others. Although term rewriting proving technologies have been specified in several specification languages and proof assistants, to our knowledge this has not been done in PVS. This makes our ARS specification relevant as the initial step in the formulation of a complete theory for Term Rewriting Systems (TRS) in PVS.


Introduction
Abstract Reduction Systems (ARS) and Term Rewriting Systems (TRS) have been specified in several proof assistants, e.g., RRL [9], ACL2 [16], Coq [8], Isabelle [15], Boyer-Moore [17] and Otter [5], among others. Term rewriting proving technologies have been shown to be adequate in several fields of mathematics and computer science, including theorem proving as well as the formal specification and design of computational processes and technologies (i.e., standard and non-standard software and hardware). In particular, we have developed a methodology for specifying reconfigurable hardware over FPGAs using the rewriting-logic programming environment ELAN [2]. These rewriting-based hardware specifications are synthesized to commercial reconfigurable hardware by applying the system FELIX [10], and their correctness is verified in the proof assistant PVS after translating the rewriting specification into a corresponding logic theory with the system SAEPTUM [3]. This last step would be improved by making a full theory of rewriting methods available in PVS, which to our knowledge does not yet exist for this proof assistant.
With this motivation, this paper introduces a PVS theory called ars for dealing with properties of ARSs. Basic ARS notions are specified in such a way that non-elementary proof techniques such as Noetherian induction are straightforwardly applicable. To illustrate the adequacy of this specification, well-known results that are considered proof benchmarks, such as Newman's, Yokouchi's and the Commutation Lemma, are verified. These specifications are built over the PVS theories for sets and relations. In particular, Noetherianity is based on the notion of well-founded relations; because of this, after introducing the notion of noetherian relation, the principle of noetherian induction has to be verified.
The introduced PVS theory ars should be conceived as a first step in the development of a full TRS theory in PVS. The files of this theory are available at www.mat.unb.br/∼ayala/TCgroup.

Brief Introduction to PVS
This section briefly describes the PVS prover used to specify the ARS theory. PVS consists of a specification language integrated with support tools and a proof assistant, which together provide an integrated environment for the development and analysis of formal specifications. Only the aspects of PVS relevant to this work are explained here. For more details about the tool, refer to the PVS System Guide [19], the PVS Prover Guide [18] and the PVS Language Reference [14], available at http://pvs.csl.sri.com.
The specification language of PVS is built on higher-order logic, which supports modularity by means of parameterized theories, with a rich type system including the notions of subtypes and dependent types. It provides a large set of built-in constructs for expressing a variety of notions. A PVS specification is organized as a collection of theories, of which the most relevant are collectively referred to as the prelude [13]. Each theory is composed essentially of declarations, which introduce names for types, constants, variables, axioms and formulas, and IMPORTINGs, which make the visible names of other theories available. Parameterized theories are very convenient, since the use of parameters allows more generic specifications, as can be seen in the ars theory below:

ars[T : TYPE] : THEORY
BEGIN
  IMPORTING results_commutation[T], modulo_equivalence[T],
            results_normal_form[T], newman_yokouchi[T]
end ars
T is treated as a fixed uninterpreted type. Consequently, when the ars theory is invoked by another theory, T must be instantiated. For example, the ARS theory over a set of terms is just ars[term]. Notice that ars imports the theories results_commutation[T], modulo_equivalence[T], results_normal_form[T] and newman_yokouchi[T].
An important step in PVS specifications is type-checking the theory, which checks for semantic errors such as undeclared names and ambiguous types. Type-checking may build new files or internal structures such as TCCs (type-correctness conditions). These TCCs represent proof obligations that must be discharged before the theory can be considered type-checked, although their proofs may be postponed indefinitely. The theory is considered complete only when all TCCs and all formulas upon which the proof depends have been proved.
The PVS prover provides a variety of commands for constructing the proofs of the different theorems. It is used interactively and uses a sequent-style proof representation to display the current goal of the proof in progress. The prover maintains a proof tree for the theorem currently being proved, the aim of the user being to construct a proof tree that is complete, in the sense that all its leaves are recognized as true. Each node of the tree is a proof goal that results from the application of a prover command (rule or strategy) to its parent node. Each proof goal is a sequent consisting of two sequences of formulas, the antecedents (logically connected by conjunctions and numbered with negative integers) and the consequents (connected by disjunctions and numbered with positive integers), displayed as below: Below we describe some PVS prover commands that are commonly used in our specification, and we define some strategies that reduce the size of the proofs. Many of these commands take parameters that control their behavior; these are not discussed here. For additional details see [18].
1. skolem: This command replaces the bound variable of a universally quantified consequent (proving it "without loss of generality") or of an existentially quantified antecedent (an arbitrary constant that is known to exist) with a fresh constant name. In other words, skolem introduces new constant names, e.g., for x it gives x!1, x!2, ... when applied repeatedly.
2. skeep: This command, from the Field library, introduces Skolem constants while keeping the original names of the quantified variables. See [12] and [20].
3. flatten: This command breaks an antecedent formula that is a conjunction, or a consequent formula that is a disjunction, into its components.
4. assert: This command simplifies the proof goal using decision procedures and rewriting.
5. inst: This command instantiates a universally quantified antecedent or an existentially quantified consequent formula.
6. case: This command generates two subgoals, one in which the given boolean expression is assumed to be true and another in which it is assumed to be false.
7. expand: This command expands and simplifies the definitions of the specified functions/predicates at the given occurrences.
8. lemma: This command adds a previously proved theorem as an antecedent formula of the current proof goal, instantiated as specified by the user.
Other useful rules can be found in [18], e.g., replace, prop, split and decompose-equality. PVS also provides a simple language for combining sequences of commonly used proof steps into strategies [1]. These strategies can then be used as prover commands. In many proofs it is necessary to use the same sequence of proof steps; thus, to simplify and shorten the proofs, we turned some commonly used sequences of proof commands into strategies. Some of them are discussed below.
In some proofs it was necessary first to expand the definition of joinable, then to introduce Skolem constants and finally to apply disjunctive simplification (flatten). The strategy join-skolem presented below accomplishes this.

Specifying ARS in PVS
We briefly present the standard definitions of ARS and some of their properties [4], and then we present their specification in the ars theory.
An Abstract Reduction System (ARS) is a pair (A, →), where the reduction → is a binary relation on the set A, i.e., → ⊆ A × A. In this paper we consider some arbitrary but fixed ARS (A, →). In PVS we treated the set A as a fixed uninterpreted type T, and the reduction → as a binary relation R on T of the predicate type PRED: TYPE = [[T,T] -> bool]. So R(x,y) means that x reduces to y, and y is called a reduct of x.
To specify some of the central notions of ARS such as confluence and termination, it is first necessary to adequately specify several closure relations: RC, TC, RTC, SC and EC were defined in the PVS file relations_closure in the same way that Alfons Geser does in the PVS theory for closure operators (closure_ops). We only changed the names of the definitions and proved some additional properties. For example, RTC is defined using the iterate function, which allows us to obtain inductive proofs on the length of derivations: Then the additional properties are proved:

Confluence
For all x, y, z ∈ A, a relation → is called
1. confluent iff y *← x →* z implies that y and z are joinable, i.e., iff there is an r ∈ A such that y →* r *← z;
2. Church-Rosser iff x ↔* y implies that y and z are joinable, that is, x and y are joinable;
3. semi-confluent iff y ← x →* z implies that y and z are joinable.
These and other notions such as local confluence, strong confluence, the diamond property, normal form, normalizing and commutation are specified in the PVS file ars_terminology as follows:

Termination
A relation → is called terminating or noetherian iff there is no infinite descending chain a_0 → a_1 → ···. In other words, → is noetherian iff ← is well-founded.
As is well known, many results involving termination are proved by Noetherian induction, that is: let P be some property of elements of A. Then, to prove P(x) for all x ∈ A, it suffices to prove P(x) under the assumption that P(y) holds for all successors y ∈ A of x.
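The confluence notions of the previous section and the termination notion above can be made concrete on a finite carrier, where every closure is computable by iteration. The following Python block is an added example and not part of the ars theory; the function names (rtc, joinable, confluent, local_confluent, church_rosser, noetherian, newman_consistent) and the two sample systems are constructed here to mirror the paper's definitions, and the last function checks the statement of Newman's lemma on them.

```python
# Added example, not code from the ars theory: the paper's ARS notions computed
# by exhaustive iteration over a small finite carrier A, so that statements
# such as Newman's lemma can be checked on concrete constructed systems.
from itertools import product

def rtc(A, R):
    # Reflexive-transitive closure by iterating R to a fixpoint (finite
    # analogue of the paper's RTC defined through iterate).
    closure = {(x, x) for x in A}
    while True:
        step = {(x, z) for (x, y) in closure for (y2, z) in R if y2 == y}
        if step <= closure:
            return closure
        closure |= step

def joinable(A, R, y, z):
    # y and z are joinable iff some r satisfies y ->* r *<- z.
    star = rtc(A, R)
    return any((y, r) in star and (z, r) in star for r in A)

def confluent(A, R):
    star = rtc(A, R)
    return all(joinable(A, R, y, z) for x, y, z in product(A, repeat=3)
               if (x, y) in star and (x, z) in star)

def local_confluent(A, R):
    return all(joinable(A, R, y, z) for x, y, z in product(A, repeat=3)
               if (x, y) in R and (x, z) in R)

def church_rosser(A, R):
    # x <->* y is the RTC of the symmetric closure of R.
    equiv = rtc(A, R | {(y, x) for (x, y) in R})
    return all(joinable(A, R, x, y) for x, y in product(A, repeat=2)
               if (x, y) in equiv)

def noetherian(A, R):
    # On a finite carrier, an infinite chain exists iff some x -> y ->* x.
    star = rtc(A, R)
    return not any((x, y) in R and (y, x) in star for x, y in product(A, repeat=2))

def newman_consistent(A, R):
    # Newman's lemma: for noetherian R, confluent iff locally confluent.
    return not noetherian(A, R) or confluent(A, R) == local_confluent(A, R)

# Constructed samples: a terminating diamond, and the classical system with a
# two-cycle that is locally confluent but neither terminating nor confluent.
A = {"a", "b", "c", "d"}
DIAMOND = {("a", "b"), ("a", "c"), ("b", "d"), ("c", "d")}
TWO_CYCLE = {("a", "b"), ("b", "a"), ("a", "c"), ("b", "d")}
```

TWO_CYCLE shows why the noetherian hypothesis of Newman's lemma cannot be dropped: it is locally confluent, yet c and d are two distinct normal forms of a.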

Organization of the theory ars
Below we show the organization of the PVS theories that compose the ars theory and give a brief description of each one (see Figure 1).
1. relations_closure: This theory contains the definitions of the closures of a relation and some of their properties.
2. ars_terminology: This theory contains some terminology of ARS such as unique normal form, reducible and successor, and the notions of confluence and commutation.
3. results_confluence: This theory contains some results about confluence, such as that strong confluence implies semi-confluence.
4. results_commutation: This theory contains some results about commutation, such as the Commutation Lemma.
5. results_normal_form: This theory contains some results involving normal forms, such as that a relation is normalizing and confluent iff every element has a unique normal form.
6. noetherian: This theory contains the definitions of convergent reduction and noetherian relation, and the Noetherian induction lemma.
7. newman_yokouchi: This theory contains the specification of Newman's lemma and Yokouchi's lemma.
8. modulo_equivalence: This theory contains the notions of reduction modulo equivalence and, for example, the proof of the generalization of Newman's Lemma.

Proof Examples
The PVS proofs are available as part of the ars theory at www.mat.unb.br/∼ayala/TCgroup, and detailed explanations of the PVS proofs of Newman's and Yokouchi's lemmas are available in [6].
To prove the Commutation Lemma,
Commutation_Lemma: THEOREM strong_commute?(R1,R2) => commute?(R1,R2)
we use the sequence of commands skeep, expand, skolem, lemma, inst and assert. The command lemma is used to invoke the following lemma: This lemma is proved by induction on m by applying the command (induct "m") and by invoking the lemma commute_and_iterate_one, presented below, which is also proved by induction. Now we present details of the proof of Newman's lemma, since the inductive proof given by Huet in [7] is considered a classical benchmark for proofs in higher-order logic, as discussed for instance in [5].
Newman's lemma states that an abstract reduction system is confluent if it is locally confluent and noetherian, and it is specified in the ars theory as:
Newman_lemma: THEOREM noetherian?(R) => (confluent?(R) <=> local_confluent?(R))
When the PVS prover is invoked, the proof tree starts off with a root node having no antecedent and the theorem to be proved as the sole consequent: The universally quantified variable is skolemized and disjunctive simplification is applied using the command skeep, and then the command split yields (by splitting the consequent formula) two subgoals: The first subgoal is This subgoal is proved immediately from the definitions of confluent?(R) and local_confluent?(R). First, by applying disjunctive simplification (flatten) and expanding the definitions of confluent? and local_confluent? (expand*), one obtains: Next, this is simplified by applying skeep and invoking the lemma R_subset_RTC, which establishes that R ⊆ RTC. Finally, we conclude by applying the strategy expand-sm, which expands the definitions of subset? and member, and performing the convenient instantiation with the command inst.
The second and truly interesting subgoal is As is well known, this result is obtained by Noetherian induction using the predicate P(x) = ∀y, z. y *← x →* z implies that y and z are joinable.
After applying disjunctive simplification (flatten), we invoke the lemma noetherian induction instantiated with the predicate Next, by applying the command split we obtain two subgoals. As we can see below, the first one is obvious and its proof is obtained by expanding confluent? and applying the sequence of commands skeep, inst (with suitable substitutions) and assert.

Conclusions and Future Work
The PVS theory ars adequately specifies the basic notions of the theory of Abstract Reduction Systems. On the one hand, ars is built over the PVS theory for binary relations, with the closures specified in terms of "iteration" of the binary relations; in this way, inductive proofs on the length of derivations are possible. On the other hand, the notion of noetherianity is specified in terms of well-founded relations, which allows us to adequately formulate and verify the principle of noetherian induction, necessary for proving several properties of ARSs.
Our intention in specifying the ars theory was not to exhaustively include proofs of all well-known results of the theory of ARSs, but instead to provide the essential mechanisms for expressing and mechanically proving such results. The adequacy of our specification is made evident by the presentation of elegant proofs of well-known results over ARSs such as Newman's and Yokouchi's lemmas [6]. It should also be stressed that, although ars does not advance the state of the art in the formalization of mathematics, since specifications of Abstract Reduction Systems and even of Term Rewriting Systems have been available since the development of the Rewriting Rule Laboratory (RRL) in the 1980s [9], it is of practical interest, since the availability of rewriting proving technologies is essential in modern proof assistants such as PVS.
As current work, ars is being extended to a more elaborate PVS theory for full Term Rewriting Systems, which is of interest for verifying the correctness of concrete rewriting-based specifications of computational objects, as mentioned in the introduction. Through this extension, rewriting strategies and new tactic-based techniques will become available in PVS in a natural manner.

(LAMBDA (a: T):
  (FORALL (b, c: T):
    RTC(R)(a, b) AND RTC(R)(a, c) IMPLIES joinable?(R)(b, c)))
Another useful strategy is expand-closure, which expands the definition of a closure relation according to the input closure, which can be rtc (Reflexive Transitive Closure), ec (Equivalence Closure), rc (Reflexive Closure) or sc (Symmetric Closure). This strategy uses another one called expand-um, which expands the definitions of union and member. A few other commonly used sequences of proof steps were turned into strategies too.