circular coinduction-based techniques for proving ... · dorel lucanu (al. i. cuza univ., ia˘si,...

Circular Coinduction-based Techniques for ProvingBehavioral Properties

Dorel Lucanu

Al. I. Cuza Univ., Iasi, RO

Nov. 6, 2008, INRIA/LORIA

Dorel Lucanu (Al. I. Cuza Univ., Iasi, RO) Circular Coinduction-based Techniques Nov. 6, 2008, INRIA/LORIA 1 / 1

Outline

Introduction

What is CIRC?

I CIRC is a metalanguage application implemented as an extension ofFull Maude:

I comes with a new way of execution (proving goals expressingbehavioral equivalences)

I provides a parser for a language syntax that extends Maude’s

I implements Circularity Principle (CP) for both coinduction andinduction (the later partially implemented)

I extends CP for coinduction with simplification and special context (inprogress)

I uses strategies for specifying proof tactics

Introduction

What is CIRC?

Introduction

What is CIRC?

Introduction

What is CIRC?

Introduction

What is CIRC?

Introduction

What is CIRC?

CIRC at Work

CIRC at Work Streams

Example: Streams 1/3

I consider:I two datatypes: Bit = {0, 1} and BitStream (S = b0b1b2 . . .)I two behavioral operations:

hd : BitStream→ Bit (hd(S) = b0)tl : BitStream→ BitStream (tl(S) = b1b2 . . .)

I another operation:zip : BitStream BitStream→ Bit

zip(b0b1 . . . , b′0b

′1 . . .) = b0b

′0b1b

′1 . . .

I define behavioral equivalence ≡ over BitStream by:S1 ≡ S2 iff hd(S1) = hd(S2) and tl(S1) ≡ tl(S2)

I how do we prove that zip(0∞, 1∞) ≡ (01)∞? 1

1w∞ def= w : w : w : . . .

zip(b0b1 . . . , b′0b

′1 . . .) = b0b

′0b1b

′1 . . .

1w∞ def= w : w : w : . . .

zip(b0b1 . . . , b′0b

′1 . . .) = b0b

′0b1b

′1 . . .

1w∞ def= w : w : w : . . .

zip(b0b1 . . . , b′0b

′1 . . .) = b0b

′0b1b

′1 . . .

1w∞ def= w : w : w : . . .

zip(b0b1 . . . , b′0b

′1 . . .) = b0b

′0b1b

′1 . . .

1w∞ def= w : w : w : . . .

(fth BITSTREAM .sort Bit BitStream .var S S’ : BitStream .var B : Bit .

ops 0 1 : -> Bit . --- constants of sort Bit

op hd : BitStream -> Bit . --- the derivativesop tl : BitStream -> BitStream . --- (observers)

op zip : BitStream BitStream -> BitStream .eq hd(zip(S, S’)) = hd(S) .eq tl(zip(S, S’)) = zip(S’, tl(S)) .

op _:_ : Bit BitStream -> BitStream .eq hd(B : S)) = B .eq tl(B : S)) = S .

endfth)

(cth BITSTREAM-0-1 is including BITSTREAM .

ops zeroes ones blink : -> BitStream .

eq hd(zeroes) = 0 . eq tl(zeroes) = zeroes .

eq hd(ones) = 1 . eq tl(ones) = ones .

eq hd(blink) = 0 . eq tl(blink) = 1 : blink .

der hd(*:BitStream) .

der tl(*:BitStream) .

endcth)

(add goal zip(zeroes, ones) = blink .)

Demo: streams-blink.maude

endcth)

CIRC at Work Extended Regular Expressions

Example: Extended Regular Expressions 1/3Let Alph be an alphabet.The extended regular expressions over Alph:

R ::= ε | ∅ | A | R1 + R2 | R1#R2 | R∗ | R1 ∩ R2 | ¬R

where A ranges over Alph.The behavioral operations (derivatives)[Brzozowski]:

I epsIn , testing the membership of ε to an ERE, and

I { }, which takes an ERE R and a letter a and returns anexpression characterized by L(R{a}) = {w | aw ∈ L(R)}.

the behavioral equivalence:R ≡ R′ iff epsInR = epsinR′ and (∀a) R{a} ≡ R′{a}

TheoremTogether with the B-ERE behavioral specification, CIRC becomes a fullyautomatic decision procedure for the equivalence of EREs.

CIRC at Work Extended Regular Expressions

Example: Extended Regular Expressions 2/2th ALPH is

sort Alph . --- the alphabetops a b : -> Alph .

th ERE isinc ALPH + BOOL .sort Ere . --- regular expressions

var R R1 R2 : Ere . var A B : Alph .

op _‘{_‘} : Ere Alph -> Ere . --- letters derivativesop epsIn_ : Re -> Bool . --- epsilon membership derivative

subsort Alph < Ere . --- a lettereq epsIn A = false .eq B { A } = if A == B then epsilon else empty fi .

op epsilon : -> Ere . --- the empty wordeq epsilon { A } = empty .eq epsIn epsilon = true .

op _+_ : Ere Ere -> Ere [assoc comm] . --- unioneq ( R1 + R2 ){ A } = (R1 { A }) + (R2 { A }) .eq epsIn ( R1 + R2 ) = epsIn R1 or epsIn R2 ....

endth ***>Demo: ere.maude

Behavioral specifications

Behavioral Specifications: SyntaxA behavioral specification is a triple (D,B,∆), where

I D = (SD ,ΣD ,ED) specifies data,

I B = (S ,Σ,E ) specifies further the behavioral operations

I there is an inclusion D ↪→ B,

I the elements of SD are visible sorts; e.g., Elt

I the elements of S − SD are hidden sorts; e.g., Stream

I ∆ ⊆ Der(Σ) whose operations are called derivatives (behavioral opns)∆; e.g., hd(∗ : Stream), tl(∗ : Stream)∗ is a special variable of a hidden sortother names for derivatives: destructors, observers

I the derivatives are used to define the experiments:each δ ∈ ∆ of visible sort is an experiment; e.g., hd(∗ : Stream)if γ[∗ : h] is an experiment and (δ : w → h) ∈ ∆,then γ[δ/∗] is an experiment;e.g., hd(tl(∗ : Stream)), hd(tl(tl(∗ : Stream))), . . .

Behavioral Specifications of EREs

(cth B-ERE

including ERE .

--- any Maude declaration is allowed here

der epsIn(*:Ere) .

der *:Ere a .

der *:Ere b .

endcth)

Behavioral Specifications of EREs

(cth B-ERE

including ERE .

--- any Maude declaration is allowed here

der epsIn(*:Ere) .

der *:Ere a .

der *:Ere b .

endcth)

Behavioral Specifications: Semantics

Let (D,B,∆) be a behavioral spec.

A model is a B-model M together with the behavioral equivalence ≡M :

I (∀v ∈ SD) a ≡M,v b iff a = b (for visible sorts ≡M is equality)

I (∀h ∈ S − SD) a ≡M,h b iff (∀γ[∗])[[γ]]M(a) = [[γ]]M(b)(for hidden sorts is the non-distinguish-ability under experiments)

E.g., for streams, s ≡ s ′ iff (∀i)[[hd]]M([[tli]]M(s)) = [[hd]]M([[tli]]M(s′))

M behavioral satisfies (∀X )t = t ′ iff for all θ : X → M, θ∗(t) ≡M θ∗(t ′),where θ∗ is the extension of θ to terms. We write M |≡ (∀X )t = t ′.

Notation. D = M|D (the restriction of M to D)

A Model for the “Streams of Bits”

[[Stream]]M = N∞[[hd]]M(n0 : n1 : n2 : . . .) = n0 mod 2[[tl]]M(n0 : n1 : n2 : . . .) = n1 : n2 : . . .[[zip]]M(n0 : n1 : n2 : . . . , n′0 : n′1 : n′2 : . . .) = n0 : n′0 : n1 : n′1 : . . .

w∞def= w : w : w : . . .

(0 : 1)∞ ≡M 2 : (3 : 4)∞

A Model for the Regular Expression

[[Re]]M = P({a, b}∗)[[epsilon]]M = {ε}[[+]]M(L1, L2) = L1 ∪ L2

[[ { }]]M(L, x) = {w | xw ∈ L}[[epsIn]]M(L) = (ε ∈ L)

L1 ≡M L2 iff L1 = L2

Behavioral equivalence lifted up to specifications

Let (D,B,∆) be a behavioral spec, whereD = (SD ,ΣD ,ED), B = (S ,Σ,E )I consider a sound inference relation E ` (∀X )t = t ′

I ` could be the equational deduction (complete, but non-practical)I E ` (∀X )t = t ′ iff nfE (t) = nfE (t ′), where the normal forms are

computed using the equations as rewrite rules, e.g., oriented from leftto right (practical, but incomplete)

I define E (∀X )t = t ′ as follows:I if t, t ′ are of visible sort, then E (∀X )t = t ′ iff E ` (∀X )t = t ′

I if t, t ′ are of hidden sort, then E (∀X )t = t ′ iff(∀γ)E ` (∀X )γ[t] = γ[t ′]

Note. We may consider conditional equations, as well.

Soundness

TheoremLet (D,B,∆) be a behavioral spec, where D = (SD ,ΣD ,ED),B = (S ,Σ,E ). If E (∀X ) t = t ′, then E |≡ (∀X ) t = t ′.

Note. E |≡ e iff for each model M of (D,B,∆), M |≡ e.

Notation. We write t ≡E t ′, or t ≡ t ′ when E is understood from thecontext, for E |≡ (∀X )t = t ′.

Circular coinduction

How to prove behavioral equivalence

goal: t ≡E t ′

I coinductionI define a relation RI show that R ⊆ ≡E

I show that E ` t R t ′

I context induction (Hennicker, 1990)I uses the inductive definition of the experiments

I both above methods need manual interventionI circular coinduction

I first time implemented in BOBJ (Goguen, Rosu, Lin, 1999)I at that time Maude did not include reflective capabilitiesI now implemented in CIRC (Lucanu & Rosu, 2007)

I iterative circular coinduction for CoCASL in Isabelle/HOL (Haussmanet al., 2005)

Circularity principle

I generalizes circular coinductive deduction

I assume that each equation of interest (to be proved) e admitsI a frozen form [[[e]]] andI a set of derived equations, its derivatives, Der(e)

I the circularity principle says that the following statement is valid:if from hypotheses H together with [[[e]]] we can deduce Der(e),then e is a consequence of H

I structural induction can also be seen as an instance of the circularityprinciple

Circular Coinduction in CIRC(1/4)

I an example:I the initial goal is zip(0∞, 1∞) ≡ (01)∞

I compute hd(zip(0∞, 1∞)) = 0; hd((01)∞) = 0. They are equal. OK.I compute tl(zip(0∞, 1∞)) = zip(1∞, 0∞); tl((01)∞) = 1 : (01)∞).

zip(1∞, 0∞) ≡ 1 : (01)∞) is the new goal.I compute hd(zip(1∞, 0∞)) = 1; hd(1 : (01)∞)) = 1. OK.I compute tl(zip(1∞, 0∞)) = zip(0∞, 1∞), tl(1 : (01)∞)) = (01)∞.

zip(0∞, 1∞) ≡ (01)∞ should be the new goal but . . .I . . . because it is equal to the initial goal (a circularity was found), we

conclude that zip(0∞, 1∞) ≡ (01)∞ holds.

The frozen form of equation (∀X ) t = t ′ if c is

(∀X )[[[t]]] = [[[t ′]]] if c,

where [[[ ]]] : sort(t)→ new is a new operation andnew is a new sort

The set Der∆(e) is

{(∀X ) [[[δ[t/∗:h]]]] = [[[δ[t ′/∗:h]]]] if c | δ[∗:h ∈ ∆, h = sort(t)}.

Note. 1. CIRC tool uses the notation fr(t) for [[[t]]].2. Conditions c in equations must of of the form ∧i ti = t ′i ,

where ti and t ′i are of visible sort.

[Normalize]:(E ,G ∪ {[[[(∀X )t = t ′ if c]]]},S)⇒(E ,G ∪ {[[[(∀X )nf (t) = nf (t ′) if c]]]},S)

[EqRed]:(E ,G ∪ {[[[e]]]},S)⇒ (E ,G,S) if E ` [[[e]]]

[CoindFail]:(E ,G ∪ {[[[e]]]},S)⇒ failure if E 6` [[[e]]] and e is visible

[CCStep]:(E ,G ∪ {(∀X )[[[t]]] = [[[t ′]]] if c},S)⇒(E ∪ {(∀X )[[[t]]] = [[[t ′]]] if c},G ∪ Der∆((∀X )t = t ′ if c),S)if E 6` (∀X )[[[t]]] = [[[t ′]]] if c and t, t ′ are of a hidden sort

[Simpl]:(E ,G ∪ {[[[e]]]},S)⇒ (E ,G ∪ {(∀X )[[[θ(u)]]] = [[[θ(u′)]]]},S)if (S is S ′ ∪ {(∀X ) t = t ′ if u = u′ ∧ scond}) ∧

(e is (∀X )θ(t) = θ(t ′)) for some θ ∧E ` (∀X )θ([[[scond ]]])

[Comm]:(E ,G ∪ { op : Stream Stream→ Stream [comm]},S)⇒(E ∪ { opComm : Stream Stream→ Stream [comm],

(∀x , y)[[[x op y ]]] = [[[x opComm y ]]]}G ∪ Der(x op y = y op x)},S)

Note. Similar rules to [Comm] are added for associativity, idempotency,and identity. Combinations are also possible, but these require someworkaround; the details will be given somewhere else.

Correctness of CIRC

TheoremLet (D,B = (Σ,E ),∆ be a behavioral specification, e a Σ-equation, andS a set of simplification equations. If (E , [[[e]]])⇒? (E , ∅) using theprocedure above, then E e.

Remarks

I the termination is not guaranteed

I the procedure may fail even if the eqn is beh satisfied (false negativeanswers)

I behavioral equivalence problem is Π02-complete (even for streams)

There are cases when CIRC together with an appropriate beh spec suppliesa fully automatic procedure, e.g., extended regular expressions (ERE)

Coinduction Step

[CCStep]:(E ,G ∪ {(∀X )[[[t]]] = [[[t ′]]] if c},S)⇒(E ∪ {(∀X )[[[t]]] = [[[t ′]]] if c},G ∪ Der∆((∀X )t = t ′ if c),S)if E 6` (∀X )[[[t]]] = [[[t ′]]] if c and t, t ′ are of a hidden sort

I implements Circularity Principle for coinduction

E ∪ {(∀X )[[[t]]] = [[[t ′]]] if c} G ∪ Der∆((∀X )t = t ′ if c)

E G ∪ {(∀X )[[[t]]] = [[[t ′]]] if c}

I in terms of proving theory: [CCStep] tries to discover new helpfullemmas; if in the end all these lemmas are proved using the frozenhypothesis, then the initial goals hold

I in terms of bisimulation: [CCStep] tries to discover new bisimilar pairs

Simplification Step

[Simpl]:(E ,G ∪ {[[[e]]]},S)⇒ (E ,G ∪ {(∀X )[[[θ(u)]]] = [[[θ(u′)]]]},S)if (S is S ′ ∪ {(∀X ) t = t ′ if u = u′ ∧ scond}) ∧

(e is (∀X )θ(t) = θ(t ′)) for some θ ∧E ` (∀X )θ([[[scond ]]])

I it is used to simplify goals; a simplification equation can be thought as

(∀X )t = t ′

u = u′if scond

I an example of simplification equation isS1 + S2 = S ′

S1 = S ′if S2 = [0]

I the correctness is given by the following Modus Ponens like rule:

(MP)(E ∪ S) ` (∀X )t = t ′ if c, E ` c

E ` (∀X )t = t ′

provided that S is sound for E , i.e., E |≡ S.

Special Contexts

I restricting application of circularities to the top of proof goals usingthe operation [[[ ]]] excludes many important situations

I e.g., if f = 1 : zip(f , f ), g = 1 : zip(g , g) and the goal is f = g ,then after a derivation with tl, we obtain zip(f , f ) = zip(g , g); nowthe frozen hypothesis should be applied under the contextszip(∗:Stream, S :Stream) and zip(S :Stream, ∗:Stream)

I a context is defined similarly to experiments, but the result sort couldalso be hidden

I under which context is it safe to use the frozen hypothesis?[in progress]

I adding the equation[[[γ[X :h]]]] = [[[γ[X ′:h]]]] if [[[X :h]]] := [[[X ′:h]]] ∧ X :h 6= X ′:h

to E , solve the above problem

I can the special contexts be automatically computed?[in progress]

Proof Strategies

I the core of CIRC is a set of reduction rules (nondeterministicprocedure)

I a proof tactic means apply these rules in a controlled way

I CIRC uses a strategy language, ROC!, to specify proof tactics(SYNASC 2008)

act ::= r | act . act | act ◦ act | act !

I the (extended) coinduction strategy is like([Comm] . [Normalize] . [Simpl] . [EqRed] . [CCstep])!

Conclusion

A short history of CIRC

I February-March 2006: a first version, as a Maude application,developed by G. Rosu, A. Popescu and D. Lucanu at UIUC

I Autumn 2006: the first major refactoring as Maude metalanguageapplication (D. Lucanu) [CALCO 2007]

I Spring 2007: regular strategies are added (D. Lucanu, G. Rosu, Gh.Grogoras) [WRS 2007]

I Autumn 2007: CIRC become a funded project (PN II ID 393,Romanian Government); G. Caltais (Goriac) and E. Goriac enjoyCIRC team

I Spring 2008: the second major refactoring based on patterns and thestrategy language ROC! [WRLA 2008, SYNASC 2008]

Conclusion

I CIRC tool implements in Maude Circularity Principle using reflectionproperty of RWL

I CIRC extends Circularity Principle with other capabilities:simplification, special contexts, case analysis

I the proof tactics for CIRC can be described using rewriting strategieswritten in ROC!

I the theoretical background of CIRC is behavioral logic, known also ashidden logic

I CIRC can be easily extended with other capabilities, e.g., combinationof induction with coinduction

I case studies: streams (over rings, fieds), extended regular expressions,infinite trees, equivalence of programs [in progress]

I things to do: refactor induction engine, finding automatically specialcontexts, bisimulation of lts specified as rewrite theories, applicationto program equivalence, integration . . .

Conclusion

Thanks!

circ.jpg

circular coinduction-based techniques for proving ... · dorel lucanu (al. i. cuza univ., ia˘si,...

Documents