Download pdf - Proving Reachability Properties by CoinductionLucanu (UAIC) Proving Reachability by Coinduction SYNASC, September 21, 2018 7 / 55. Our Propossal we usecoinductionin order to handle

Proving Reachability Properties by Coinduction 1

Dorel Lucanu1

(Joint work with S, tefan Ciobaca)

1Department of Computer ScienceAlexandru Ioan Cuza University of Ias, i

SYNASC, September 21, 2018

1This work was supported by a grant of the Romanian National Authority forScientific Research and Innovation, CNCS/CCCDI - UEFISCDI, project numberPN-III-P2-2.1-BG-2016-0394, within PNCDI III.

Lucanu (UAIC) Proving Reachability by Coinduction SYNASC, September 21, 2018 1 / 55

1 Motivation

2 Induction and CoinductionMotivationTheoretical Foundation(Co)Inductive Sets Defined by Ground Inference Systems

3 Reachability Predicates

4 Logical Constrained Rewriting Systems (LCTRSs)

5 A Coinductive Proof System for Reachability Formulas

6 Conclusion


Plan

1 Motivation





6 Conclusion


A Specification of a Transition System

〈n〉� 〈n, a〉 if ∃y .y = a ∧ 2 ≤ y ∧ y < n

〈n, a〉� 〈composite〉 if isEullerWitness(a, n)

〈n, a〉� 〈n〉 if ¬isEullerWitness(a, n)

where

isEullerWitness(a, n) ≡ ((a | n) = 0 ∨ (an−1

2 6= a | n (mod n)))

a | n is the Jacobi symbol

We want to show that”if 〈n〉 goes to 〈composite〉 then∃n1, n2. n = n1 · n2 ∧ n1 > 1 ∧ n2 > 1”.


The First IssueThe computations can befinite:

〈4〉start 〈4, 2〉〈composite〉

or infinite:

〈5〉start

〈5, 2〉

〈5, 3〉

〈5, 4〉


The First IssueThe computations can befinite:

〈4〉start 〈4, 2〉〈composite〉

or infinite:

〈5〉start

〈5, 2〉

〈5, 3〉

〈5, 4〉


The Second Issue

The conditions∃y .y = a ∧ 2 ≤ y ∧ y < n

((a | n) = 0 ∨ (an−1

2 6= a | n (mod n)))

((a | n) = 0 ∨ (an−1

2 6= a | n (mod n)))→ ∃n1, n2. n = n1 · n2 ∧ n1 > 1 ∧ n2 > 1

are very complex first order formulas including functions and predicateswhose definitions are orthogonal with that of the transition system.


Our Propossal

we use coinduction in order to handle both finite and infinitecomputations

we introduce LCTRSs (Logical Constrained Term Rewriting Systems)for specifying transition systems

we propose an effective proof system that, given a LCTRS, provesvalid reachability formulas, assuming an oracle (e.g., an SMT solver)that solves logical constraints


Our Propossal





Our Propossal





Plan

1 Motivation





6 Conclusion


Outline

1 Motivation





6 Conclusion


A Simpler Transition System Specification

〈a, b〉� 〈a− b, b〉 if a ≥ b

〈a, b〉� 〈a, b − a〉 if b ≥ a

〈a, b〉� 〈a + b〉 if a = 0 ∨ b = 0


Two Computations

– finite computations

〈6, 4〉start 〈2, 4〉〈2, 2〉

〈2, 0〉

〈0, 2〉

〈2〉

– infinite computations

〈6,−4〉start 〈10,−4〉〈14,−4〉 · · ·


A Possible Specification of Computations

using BNF notation:C ::= 〈a〉 | 〈a, b〉; C

equivalently, using inference rules

〈a〉C

〈a, b〉; C

Question

Are these specifications appropriate?

I.e., do they uniquely define the computations?

AnswerYes, if

we consider the smallest fixed-point satisfying the rules (finitecomputations, inductively defined), or

we consider the greatest fixed-point satisfying the rules (finitecomputations + infinite computations, coinductively defined)





〈a〉C

〈a, b〉; C

Question



AnswerYes, if







〈a〉C

〈a, b〉; C

Question



AnswerYes, if







〈a〉C

〈a, b〉; C

Question



AnswerYes, if




Outline

1 Motivation





6 Conclusion


Complete Lattices

partial ordered set (poset): set L together with a binary relationv ⊆ L× L that is

I reflexiveI transitiveI antisymmetric

complete lattice = a poset with all lubs (least upper bounds, joins),and hence also all glbs (greatest lower bounds, meets)

notations:I lub of x and y : x t yI lub of a set A: tAI glb of x and y : x u yI glb of a set A: uAI ⊥ = uLI > = tL

the most known (and used) example: (P(X ),⊆), where X is a set


Complete Lattices







Complete Lattices







Complete Lattices







Complete Lattices







Complete Lattices







Complete Lattices







Complete Lattices







Complete Lattices







Examples of Lattices

y

x

•

• •

• • •

• •

•

•

•

•

•

•

• •

• •

x < y complete latticeposet that is nota complete lattice


Fixed Points

Let (L,v) be a complete lattice and f : L→ L.

x ∈ L pre-fixed point of f if f (x) v x

x ∈ L post-fixed point of f if x v f (x)

x ∈ L fixed point of f if f (x) = x

Terminology:

pre-fixed point, f -forward-closed, f -closed

post-fixed point, f -backward-closed, f -stable, f -consistent


Knaster-Tarski Theorem 1/2

Let (L,v) be a complete lattice.f : L→ L is monotone if f (x) v f (y) whenever x v y .

Theorem (Knaster-Tarski)

Any f : L→ L monotone has

a least fixed point µ y . f (y) (on short µ f ), and

a greatest fixed point ν y . f (y) (on short ν f ).

Moreover,

µ f =d{x | f (x) v X} and

ν f =⊔{x | x v f (x)}

I.e.,

µ f is the meet of pre-fixed points

ν f is the join of post-fixed point


Knaster-Tarski Theorem 2/2

x v f (x)

x = f (x)

f (x) v x

set of post-fixed points

complete lattice of fixed points

set of pre-fixed points

µ f

ν f

⊥

>


(Co)Induction Proof Principle

f : L→ L monotone

induction proof principle:

f (x) v x

µ f v xµ-rule

coinduction proof principle:

x v f (x)

x v ν fν-rule


(Co)Continuous Functions and Kleene Theorem

f : L→ L is continuous if f (⊔

n≥0 xn) =⊔

n≥0 f (xn) for any increasingchain x0 v x1 v · · · .f : L→ L is cocontinuous if f (

dn≥0 xn) =

dn≥0 f (xn) for any decreasing

chain x0 w x1 w · · · .

Theorem (Kleene)

If f : L→ L is continuous then µ f =⊔

n≥0 fn(⊥).

If f : L→ L is cocontinuous then ν f =d

n≥0 fn(>).

The theorem supplies a practical way to compute the least/greatest fixedpoints, or their approximations.


(Co)Continuous Functions and Kleene Theorem

f : L→ L is continuous if f (⊔

n≥0 xn) =⊔

n≥0 f (xn) for any increasingchain x0 v x1 v · · · .f : L→ L is cocontinuous if f (

dn≥0 xn) =

dn≥0 f (xn) for any decreasing

chain x0 w x1 w · · · .

Theorem (Kleene)

If f : L→ L is continuous then µ f =⊔

n≥0 fn(⊥).

If f : L→ L is cocontinuous then ν f =d

n≥0 fn(>).

The theorem supplies a practical way to compute the least/greatest fixedpoints, or their approximations.


Inductive and Coinductive Set Definitions

Context:

U an universe set

(L,v) = (P(U),⊆)

⊥ = ∅, > = U⊔X =

⋃〈X | X ∈ X〉,

dX =

⋂〈X | X ∈ X〉, where X ⊆ P(U)

Definition

A set X ⊆ U is inductively defined if there is f monotone s.t. X = µ f .A set X ⊆ U is coinductively defined if there is f monotone s.t. X = ν f .



Context:

U an universe set

(L,v) = (P(U),⊆)

⊥ = ∅, > = U⊔X =

⋃〈X | X ∈ X〉,

dX =

⋂〈X | X ∈ X〉, where X ⊆ P(U)

Definition




Context:

U an universe set

(L,v) = (P(U),⊆)

⊥ = ∅, > = U⊔X =

⋃〈X | X ∈ X〉,

dX =

⋂〈X | X ∈ X〉, where X ⊆ P(U)

Definition




Context:

U an universe set

(L,v) = (P(U),⊆)

⊥ = ∅, > = U⊔X =

⋃〈X | X ∈ X〉,

dX =

⋂〈X | X ∈ X〉, where X ⊆ P(U)

Definition




Context:

U an universe set

(L,v) = (P(U),⊆)

⊥ = ∅, > = U⊔X =

⋃〈X | X ∈ X〉,

dX =

⋂〈X | X ∈ X〉, where X ⊆ P(U)

Definition




Context:

U an universe set

(L,v) = (P(U),⊆)

⊥ = ∅, > = U⊔X =

⋃〈X | X ∈ X〉,

dX =

⋂〈X | X ∈ X〉, where X ⊆ P(U)

Definition



Outline

1 Motivation





6 Conclusion


Ground (Inference) Systems

[source: David Sangiorgi, 2008 (Chap. 2 in the book Introduction toBisimulation and Coinduction, 2012)]

Definition

Let U be a set. A ground (inference) rule on U is a pair (S , x), whereS ⊆ U, x ∈ U.S is called the premise of the rule and x the conclusion of the rule.

If S = {x1, x2, . . .}, then a rule (S , x) is written as

x1, x2, . . .

x

If S = ∅ then the rule is called axiom.


Functional of a Ground (Inference) System

Definition

A set R of ground rules yields a function R : P(U)→ P(U) given by

R(X ) = {x | (∃S ′ ⊆ X )(S ′, x) ∈ R}.

Proposition

If R is a set of ground rules, then R is monotone.

It follows that each set of ground rules R inductively defines a set µ R andcoinductively defines a set ν R.


Functional of a Ground (Inference) System at Work

U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z

R = {[A], [B]}

X =

〈2, 5〉; 〈5, 3〉,;〉7, 2, 6〉〈,〈1〉; 〈1〉; · · ·

R(X ) = {〈a〉 | a ∈ Z} ∪

〈a, b〉; 〈2, 5〉; 〈5, 3〉,〈a, b〉;;〉7, 2, 6〉〈,〈a, b〉; 〈1〉; 〈1〉; · · ·

∣∣∣∣∣∣∣a, b ∈ Z



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z

R = {[A], [B]}

X =

〈2, 5〉; 〈5, 3〉,;〉7, 2, 6〉〈,〈1〉; 〈1〉; · · ·

R(X ) = {〈a〉 | a ∈ Z} ∪

〈a, b〉; 〈2, 5〉; 〈5, 3〉,〈a, b〉;;〉7, 2, 6〉〈,〈a, b〉; 〈1〉; 〈1〉; · · ·

∣∣∣∣∣∣∣a, b ∈ Z



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z

R = {[A], [B]}

X =

〈2, 5〉; 〈5, 3〉,;〉7, 2, 6〉〈,〈1〉; 〈1〉; · · ·

R(X ) = {〈a〉 | a ∈ Z} ∪

〈a, b〉; 〈2, 5〉; 〈5, 3〉,〈a, b〉;;〉7, 2, 6〉〈,〈a, b〉; 〈1〉; 〈1〉; · · ·

∣∣∣∣∣∣∣a, b ∈ Z


Construction of the Least Fixed Point

U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z

R = {[A], [B]}fortunately R is continuous

R0(∅) = ∅R1(∅) = {〈a〉 | a ∈ Z}

R2(∅) ={〈a〉 | a ∈ Z} ∪{〈b, c〉; 〈a〉 | a, b, c ∈ Z} | a, b, c ∈ Z}

R3(∅) ={〈a〉 | a ∈ Z} ∪{〈b, c〉; 〈a〉 | a, b, c ∈ Z} ∪{〈d , e〉; 〈b, c〉; 〈a〉 | a, b, c , d , e ∈ Z}

. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(∅) = ∅R1(∅) = {〈a〉 | a ∈ Z}



. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(∅) = ∅R1(∅) = {〈a〉 | a ∈ Z}



. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(∅) = ∅R1(∅) = {〈a〉 | a ∈ Z}



. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(∅) = ∅R1(∅) = {〈a〉 | a ∈ Z}



. . .


Construction of the Greatest Fixed Point

U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z

R = {[A], [B]}fortunately R is cocontinuous

R0(U) = U

R1(U) = {〈a〉 | a ∈ Z} ∪ {〈a, b〉; τ | τ ∈ U}

R2(U) ={〈a〉 | a ∈ Z} ∪{〈b, c〉; 〈a〉 | a, b, c ∈ Z} ∪{〈c , d〉; 〈a, b〉; τ | a, b, c , d ∈ Z, τ ∈ U}

. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(U) = U

R1(U) = {〈a〉 | a ∈ Z} ∪ {〈a, b〉; τ | τ ∈ U}


. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(U) = U

R1(U) = {〈a〉 | a ∈ Z} ∪ {〈a, b〉; τ | τ ∈ U}


. . .



U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τa, b ∈ Z


R0(U) = U

R1(U) = {〈a〉 | a ∈ Z} ∪ {〈a, b〉; τ | τ ∈ U}


. . .


Induction Principle on Rules

if R(X ) ⊆ X then µ(R) ⊆ X

that means that

for a given X ,if for all rules (S , x) ∈ R, if S ⊆ X , then also x ∈ Xthen µ(R) ⊆ X


Coinduction Principles on Rules

if X ⊆ R(X ) then X ⊆ ν(R)

that means that

for a given X ,if for all x ∈ X there is a rule (S , x) ∈ R with S ⊆ Xthen X ⊆ ν(R)


Example

〈a, b〉� 〈a− b, b〉 if a ≥ b

〈a, b〉� 〈a, b − a〉 if b ≥ a

〈a, b〉� 〈a + b〉 if a = 0 ∨ b = 0

U = (Z ∪ {〈, 〉, ”, ”,;})∞

[A]〈a〉

a ∈ Z [B]τ

〈a, b〉; τ∃ transition from 〈a, b〉 to hd(τ)

The set of finite executions: C+ = µ [A,B]

The set of infinite and finite executions: C∞ = ν [A,B]

The set of infinite executions: Cω = ν [B]


Proof Trees

[A]〈2〉

[B]〈2, 0〉; 〈2〉

[B]〈2, 2〉; 〈2, 0〉; 〈2〉

[B]〈2, 4〉; 〈2, 2〉; 〈2, 0〉; 〈2〉

[B]〈6, 4〉; 〈2, 4〉; 〈2, 2〉; 〈2, 0〉; 〈2〉

· · ·[B]

〈14,−4〉; 〈18,−4〉; 〈22,−4〉; · · ·[B]

〈10,−4〉; 〈14,−4〉; 〈18,−4〉; · · ·[B]

〈6,−4〉; 〈10,−4〉; 〈14,−4〉; · · ·

finite proof tree infinite proof tree


Proof Trees Supply Proofs

A tree is well-founded if the relation on the nodes, which contains a pair ofnodes (n, p) if p is the parent of n, is well-founded.

Remark

Finite proof trees are well-founded.

Proposition

Let R be a set of a set of ground rules over U such that R is cocontinuous.

Then x ∈ µ R iff there is a well-founded proof tree of x under R.

Then x ∈ ν R iff there is a proof tree of x under R.


Plan

1 Motivation





6 Conclusion


Overview

Semantics First! (J. Goguen)

transition systems

state predicate

derivative (semantically)

reachability predicate as pairs of state predicates


Transition Systems(M,;), with ; ⊆ M ×M

s1

s2

s3

s4

s5

s6

execution paths:

γγ ∈ M, γ irreducible

τ

γ0 ◦ τγ0 ; hd(τ)


State Predicates and their Derivatives

state predicate: P ⊆ M

derivative of a state predicate P:∂(P) = {γ′ | γ ; γ′ for some γ ∈ P}

s1

s2

s3

s4

s5

s6

P

∂(P)


Reachability Predicatesa reachability predicate is a pair of state predicates: P ⇒ Qmodels: transition systemssatisfiability: (M,;) �∀ P ⇒ Q iff any execution path τ startingfrom P (hd(τ) ∈ P) is infinite or eventually reaches Q

s1

s2

s3

s4

s5

s6

s7

P

Q


Satisfiability Coinductively

(M,;) �∀ P ⇒ Q

iffP ⇒ Q ∈ ν DVP

where DVP consists of the following rules:

JSubsKP ⇒ Q

P ⊆ Q JStepK∂(P \ Q)⇒ Q

P ⇒ QP \ Q runnable

P is runnable if P 6= ∅ and for all γ ∈ P there is γ′ ∈ M s.t. γ ; γ′.


Plan

1 Motivation





6 Conclusion


Overview

(based on IJCAR 2018 paper)

builtin models (local computations, constraints over builtin modelsolvable by SMT)

state predicates as constrained terms = 〈term | constraint-formulas〉reachability predicates as reachability formulas = pair of constrainedterms

transition systems represented as set of rewriting rules logicallyconstrained (LCTRSs)


Overview






Overview






Overview






Signatures Modulo a Builtin Model

a builtin model Mb for a many-sorted builtin signature Σb = (Sb,F b).Example: Sb = {Int,Bool}, F b = {+,×,∧,∨, . . .}.

an order-sorted signature (S ,≤,Σ) including Σb

Mb is freely extended to a Σ-model MΣ s. t.:I each f ∈ Σ \ Σb is interpreted as a term constructorI the Σb-terms reduced to their values in Mb












Constrained Terms

constrained terms 〈t |φ〉I t is a Σ-termI φ is a first-order (with equality) formula

Example:〈init(n) | ∃u.1 < u < n ∧ n mod u = 0〉init ∈ ΣInt,Cfg , n and u variables of sort Int

semantically, a constrained term defines a state predicate[[〈t |φ〉]] , {α(t) | α : X → MΣ s.t. MΣ, α � φ}.


Constrained Terms





Constrained Terms





Specification of Transition Systems as LCTRS

LCTRS = Logical Constrained Term Rewriting System

example:

init(n)� loop(n, 2) if >,loop(i × k, i)� comp if k > 1,loop(n, i)� loop(n, i + 1) if ¬(∃k .k > 1 ∧ n = i × k).

the general form of a rule: l � r if φ

we may think that 〈l |φ〉 and 〈r |φ〉 are two constrained terms, butthis is not entirely true (see the next slide)

a LCTRS R defines a transition relation ;R between thecorresponding instances of l and r satisfying φexample: loop(5, 2) ;R loop(5, 3), loop(8, 2) ;R comp




example:








example:






Reachability Properties of LCTRSs

a reachability formula is a pair of constrained terms ϕ⇒ ϕ′

semantics:

R �∀ ϕ⇒ ϕ′

iff(MΣ,;R) �∀ [[σ(ϕ)]]⇒ [[σ(ϕ′)]]

for each σ : var(ϕ) ∩ var(ϕ′)→ MΣ

the shared variable must have the same values


Derivatives of Constrained Terms

the derivatives of state predicates are extended to constrained terms

the set of derivatives of a constrained term ϕ , 〈t |φ〉 w.r.t. a rulel � r if φlr is

∆l ,r ,φlr (ϕ) , {⟨c[r ]

∣∣φ′⟩ | φ′ , φ ∧ t = c[l ] ∧ φlr ,c[·] an appropriate context

φ′ is satisfiable}.

example:∆R(〈init(n) | ∃u.1 < u < n ∧ n mod u = 0〉) ={〈loop(n, 2) | ∃u.1 < u < n ∧ n mod u = 0〉}.


Symbolic Derivatives and the Concrete Ones Agree

Theorem

Let ϕ , 〈t |φ〉 be a constrained term, R a constrained rule system, and(MΣ,;R) the transition system defined by R. Then [[∆R(ϕ)]] = ∂([[ϕ]]).


Plan

1 Motivation





6 Conclusion


Overview

lift up the inference system to reachability formulas

add a circular inference rule to infinite proof trees into finite ones


Overview

lift up the inference system to reachability formulas

add a circular inference rule to infinite proof trees into finite ones


Proof System (DSTEP(R))

it corresponds to the semantic coinductive definition

[axiom]〈tl | ⊥〉 ⇒ 〈tr |φr 〉

[subs]〈tl |φl ∧ ¬(∃x .tl = tr ∧ φr )〉 ⇒ 〈tr |φr 〉

〈tl |φl〉 ⇒ 〈tr |φr 〉conds

[der∀]

⟨t j∣∣φj⟩⇒ 〈tr |φr 〉, j ∈ {1, . . . , n}〈tl |φl〉 ⇒ 〈tr |φr 〉

condd

where ∆R(〈tl |φl〉) = {⟨t1∣∣φ1⟩, . . . , 〈tn |φn〉}

The conditions ensure the sound application of the rules.


Example

The infinite proof tree for the reachability formula 〈init(n) |ψ〉 ⇒ ϕr ,where ψ , ∃u.1 < u < n ∧ n mod u = 0 and ϕr , 〈comp | >〉:

[axiom]〈comp | ⊥〉 ⇒ ϕr

[subs]〈comp |ψ ∧ φa〉 ⇒ ϕr


[subs]〈comp |ψ ∧ φ2 ∧ φb〉 ⇒ ϕr

...[der∀]〈loop(n, 3) |ψ ∧ φ2〉 ⇒ ϕr

[der∀]〈loop(n, 2) |ψ〉 ⇒ ϕr[der∀]〈init(n) |ψ〉 ⇒ ϕr

Infinite proof trees cannot be handled in practice, therefore we look forfinite representations of them.


Extending the Proof System to the Unbounded Case

Let G be a finite set reachability formulas (goals that we intend to prove).Then the set of rules DCC(R,G ) consists of DSTEP(R), together with

[circ]

〈tcr |φl ∧ φ ∧ φcr 〉 ⇒ ϕr ,〈tl |φl ∧ ¬φ〉 ⇒ ϕr

〈tl |φl〉 ⇒ ϕr

φ is ∃var(tcl , φcl ).tl = tcl ∧ φcl ,

〈tcl |φcl 〉 ⇒ 〈tcr |φcr 〉 ∈ G .

Theorem (Circularity Principle)

Let R be a constrained rule system and G a set of goals. If (R,G ) `∀ Gthen R �∀ G .


Example

In order to prove 〈init(n) |ψ〉 ⇒ 〈comp | >〉, we choose the following set ofcircularities

G =

{〈init(n) |ψ〉 ⇒ 〈comp | >〉,〈loop(n, i) | 2 ≤ i ∧ ∃u.i ≤ u < n ∧ n mod u = 0〉 ⇒ 〈comp | >〉

}.

The finite proof tree for the first circularity:


[subs]〈comp |ψ ∧ φ ∧ >〉 ⇒ ϕr

[axiom]〈loop(n, 2) |ψ ∧ ¬φ〉 ⇒ ϕr

[circ]〈loop(n, 2) |ψ〉 ⇒ ϕr

[der∀]〈init(n) |ψ〉 ⇒ ϕr


Example

In order to prove 〈init(n) |ψ〉 ⇒ 〈comp | >〉, we choose the following set ofcircularities

G =

{〈init(n) |ψ〉 ⇒ 〈comp | >〉,〈loop(n, i) | 2 ≤ i ∧ ∃u.i ≤ u < n ∧ n mod u = 0〉 ⇒ 〈comp | >〉

}.

The finite proof tree for the first circularity:


[subs]〈comp |ψ ∧ φ ∧ >〉 ⇒ ϕr

[axiom]〈loop(n, 2) |ψ ∧ ¬φ〉 ⇒ ϕr

[circ]〈loop(n, 2) |ψ〉 ⇒ ϕr

[der∀]〈init(n) |ψ〉 ⇒ ϕr


Example Proof Tree for the Second Circularity

〈c | ⊥〉 ⇒ ϕr

〈c |ψi ∧ ψa〉 ⇒ ϕr

〈c | ⊥〉 ⇒ ϕr

〈c |ψi ∧ ψb ∧ ψc 〉 ⇒ ϕr 〈l(n, i + 1) |ψi ∧ ψb ∧ ¬ψc 〉 ⇒ ϕr

〈l(n, i + 1) |ψi ∧ ψb〉 ⇒ ϕr ,[der∀]

〈l(n, i) |ψi 〉 ⇒ 〈c | >〉


Plan

1 Motivation





6 Conclusion


Conclusion

we defined a framework for proving reachability properties consistingof

I logical constrained rewriting systems, for specifying transition systems(LCTRS)

I a coinductive proof system consisting of four rules

LCTRSs are expressive enough to describe semantics of programminglanguages (K Framework, G. Rosu)

there is a prototype that implements the proof system (Ciobaca,Buruiana)

further work includesI unification modulo builtins (a first step in WOLLIC 2018)I extension of the proof systems to program equivalence (a first step in

FAoC 2015)
