A verified model checker for the modal μ-calculus in Coq

Christoph Sprenger
Computer Networking Laboratory, Swiss Federal Institute of Technology, Lausanne, Switzerland
sprenger@di.epfl.ch

Abstract. We report on the formalisation and correctness proof of a model checker for the modal μ-calculus in Coq's constructive type theory. Using Coq's extraction mechanism we obtain an executable Caml program, which is added as a safe decision procedure to the system. An example illustrates its application in combination with deduction.

1 Introduction

There is an obvious advantage in combining theorem proving and model checking techniques for the verification of reactive systems. The expressiveness of the theorem prover's (often higher-order) logic can be used to accommodate a variety of program modelling and verification paradigms, so infinite state and parametrised designs can be verified. However, using a theorem prover is not transparent and may require a fair amount of expertise. On the other hand, model checking is transparent, but exponential in the number of concurrent components. Its application is thus limited to systems with small state spaces. A combination of the two techniques can therefore alleviate the problems inherent to each of them when used in isolation.

Such an integration pays off even more when used in combination with reduction techniques which transform infinite state or parametrised systems into finite state ones, while preserving the properties of interest. These are often small enough to be amenable to model checking. Examples of such techniques are abstract interpretation [4,11,7] and inductive reasoning at the process level [23,10].

Various model checkers have already been integrated in theorem proving environments [20,14,8]. Common to all these cases is that the model checker is an external program that is invoked as needed and, most importantly, whose results are trusted. The question of the correctness of the model checker itself is rarely posed. In this paper, we take the position that this is an important question whenever the proof environment we use should be highly reliable. This question gains even more importance in the context of provers based on intuitionistic type theory such as Coq [3], ALF [1] and LEGO [12], where explicit proof objects (i.e. λ-terms) are constructed during the proof. These proof objects are then verified by an inference engine implementing the basic proof rules. Since there are only a few rules and the correctness of any proof depends only on the correct implementation of these rules, these systems can be regarded as very reliable.

We see two possibilities for the integration of a model checker into such a framework: (1) we implement it as an external program that generates the necessary proof object and add it as a tactic to the system, or (2) we prove the model checker itself formally correct and then consider it as a trusted decision procedure. In both approaches the proof system for the temporal or modal logic is implemented in the prover and is therefore available for deductive proofs.

The first approach has been followed by Yu and Luo [24], the work which is closest to ours. They have implemented a model checker for the modal μ-calculus for LEGO in this way. While integrating very smoothly into the prover, this approach has the problem of being inefficient. The size of the generated proof objects grows linearly with the number of applications of proof rules. This generates large proof objects even for quite small examples. The second approach is more efficient, but integrates somewhat less smoothly into the proof environment, as the results produced by the model checker have to be introduced as (safe) axioms into the prover.

Our approach is a compromise between the two. We have formalised the modal μ-calculus and a specification of the model checker in [22], and proved it correct in Coq. Using Coq's program extraction mechanism our proof is then translated into an executable Caml program. Moreover, we also have the possibility to directly run the (proof of the) model checker in Coq itself and generate a proof object. We see our contribution as two-fold. Firstly, the specification and correctness proof of the model checker provides a case study in developing provably correct sequential (functional) programs. To the best of our knowledge, this is the first formally verified model checker. Secondly, the formalisation of the μ-calculus can be used to prove properties of (possibly infinite) transition systems. For finite state systems, the model checker provides a useful decision procedure which relieves the user from tedious details of a proof. Reduction techniques can be used to reduce infinite state systems to finite state ones, which can then be proved automatically with the model checker. We illustrate this use with an example.

The outline of the rest of the paper is as follows. The next section gives an overview of the Coq system. Section 3 recalls the syntax and semantics of the modal μ-calculus. In Section 4 we describe our formalisation of the modal μ-calculus, the proof system underlying the model checker and the correctness proof of the algorithm. Section 5 reports on an example illustrating the combination of deductive proof and automatic proof using the model checker.

2 Overview of Coq

Coq [3] is an interactive proof development system implementing the Calculus of Inductive Constructions (CIC) [18,21]. The underlying pure Calculus of Constructions [6] is the most powerful system in Barendregt's λ-cube [2]. It combines polymorphic, higher order and dependent types. The additional inductive types provide a powerful and natural mechanism for the definition of data types, specifications and predicates as well as for proofs by structural induction. Formally, CIC is a typed lambda calculus. Its natural deduction style proof rules are used to derive judgements of the form $\Gamma \vdash t : T$, meaning that in context $\Gamma$ the term $t$ has type $T$. Since proving $T$ in context $\Gamma$ involves the explicit construction of a λ-term $t$ inhabiting $T$, the Curry-Howard correspondence allows us to identify proofs with programs and types with specifications.

2.1 The pure calculus

In Coq the following notation for the basic term and type constructions is used: [x:A]M is the abstraction of x:A from M (usually noted $\lambda x{:}A.M$), (M N) denotes application of M to N and (x:A)B the dependent product of A and B (often noted $\forall x{:}A.M$ or $\Pi x{:}A.M$). The function space A -> B is the special case of the product when x does not occur free in B. Function application associates to the left and products to the right. In this paper, we write the dependent product as ∀x:A.M in order to improve readability. Moreover, there are the three constants Prop, Set and Type, called sorts. The pure calculus can be specified as the pure type system [2] with sorts $S = \{Prop, Set, Type\}$, axioms $A = \{Prop{:}Type,\ Set{:}Type\}$ and rules $R = S \times S$.

2.2 Inductive types and recursion

A positive inductive type is specified by an arity and a set of constructors. An arity is a type of the form ∀x1:A1. ... ∀xn:An. s, where s is a sort. We say the arity is of sort s. Along with each inductive type a structural induction principle is automatically generated. For our purpose, the definition of inductive types is best explained with a couple of examples.

Example 1. (Natural numbers) The (data) type of natural numbers is specified by the following inductive definition:

  Inductive nat : Set := O : nat | S : nat -> nat.

This type has arity Set and two constructors O:nat and S:nat -> nat. In this case, the induction principle is a term nat_ind of the familiar type:

  ∀P:nat -> Prop. (P O) -> (∀n:nat. (P n) -> (P (S n))) -> ∀n:nat. (P n)

The construct Cases ... of ... end defines a function by case analysis; it may be combined with the Fixpoint construct to define primitive recursive functions. For instance, addition on natural numbers can be defined by primitive recursion:

  Fixpoint add [n:nat] : nat -> nat :=
    [m:nat] Cases n of O => m | (S p) => (S (add p m)) end.

Note that by emphasising the first argument (named n), the system is able to verify that it becomes structurally smaller in each recursive call, thus guaranteeing its termination.

Example 2. (Predicates) The predicate ≤ on natural numbers is defined by:

  Inductive le [n:nat] : nat -> Prop :=
      le_n : (le n n)
    | le_S : ∀m:nat. (le n m) -> (le n (S m)).

In fact, this defines the family of inductive predicates "n ≤ ·", indexed by n:nat, of the numbers greater or equal to n.

Example 3. Logical connectives can be defined as non-recursive inductive types. The types of the constructors take the role of introduction rules, while the induction principle provides the elimination rule. As an example, we take existential quantification:

  Inductive ex [A:Set; P:A -> Prop] : Prop :=
    ex_intro : ∀x:A. (P x) -> (ex A P).

The associated induction principle reminds of the ∃-elimination rule known from natural deduction:

  ex_ind : ∀A:Set. ∀P:A -> Prop. ∀Q:Prop. (∀x:A. (P x) -> Q) -> (ex A P) -> Q

2.3 Program development and extraction

According to Heyting's constructive interpretation of propositions [9], a proof of the formula ∀x:A. (P x) -> ∃y:B. (Q x y) is a function taking a value i and a proof of (P i) and constructing a value o along with a proof of (Q i o). So, this formula can be understood as the specification of a program with precondition P and input-output relation Q. Any proof of this specification is a valid implementation. However, from a computational point of view, we are only interested in the input and output values and not in the proofs of P and Q, which are of purely logical content. The two sorts Set and Prop are used to mark terms of computational and of logical content, respectively. The extraction mechanism strips off (sub-)terms whose type is of sort Prop, while keeping those with types of sort Set. The extraction functional also forgets about dependencies of types on terms. Its codomain is the subsystem of CIC without dependent types, called $F_\omega$, so the extracted terms are $F_\omega$ programs. These may then be translated into executable Caml programs¹. CIC is used as specification language for $F_\omega$.

¹ provided they are typable in Caml, which is the case for most practical applications.

In Coq, there is a type sig isomorphic to ex but whose arity is of sort Set. It replaces ex in specifications. (sig A P) is written as {x:A | (P x)}. Extraction yields the inductive type sig' of arity Set -> Set with its only constructor of type A -> (sig' A). This type can be simplified to the isomorphic type [A:Set]A. So, a proof of the specification ∀x:A. (P x) -> {y:B | (Q x y)} extracts to a function f:A -> B. The correctness of the extractum is justified by the realisability interpretation [16,17], ensuring in this case that f satisfies ∀x:A. (P x) -> (Q x (f x)).

Decision procedures are specified by a variant of logical disjunction (with arity of sort Set) given by:

  Inductive sumbool [A:Prop; B:Prop] : Set :=
      left  : A -> (sumbool A B)
    | right : B -> (sumbool A B).

The notation for (sumbool A B) is {A}+{B}. Its extraction is isomorphic to the type of booleans. For example, ∀x,y:nat. {x=y}+{¬x=y} specifies a decision procedure for equality on the natural numbers.

Proof methods. There are two possibilities to prove a program specification. The first one is to use the usual tactics and tacticals provided by Coq. Primitive recursive functions are constructed by structural induction on one of their arguments. More sophisticated pattern matching requires stating and proving specialised induction principles, which are then applied to obtain the desired control structure [19]. The idea of the second method is roughly to give the desired program to the system right from the beginning and then apply a special program tactic which tries to synthesise the computational parts of the proof and generates the logical lemmas necessary to complete the proof. This is the inverse of the extraction process. However, as extraction is not invertible, the raw $F_\omega$ program is not sufficient and the tactic needs some hints, which are given by annotating the program with specifications [15]. Such annotated programs are called realizers and the language of realizers is called Real.

3 The propositional modal μ-calculus

The modal μ-calculus subsumes in expressive power many modal and temporal logics such as LTL and CTL. It is interpreted over labelled transition systems (LTS), which are structures of the form $T = (St, Act, \rightarrow)$, where $St$ is a set of states, $Act$ is a set of actions and $\rightarrow \subseteq St \times Act \times St$ is the transition relation. We write $s \xrightarrow{a} t$ for $(s,a,t) \in \rightarrow$. Assume a countable set $Var$ of variables and a set $AP$ of atomic propositions. A model is a pair $(T, \rho)$ consisting of an LTS $T$ and an environment $\rho$ which assigns to each variable and atomic proposition a set of states. The abstract syntax of the modal μ-calculus is now defined by

$\varphi ::= X \mid A \mid \neg A \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \langle\alpha\rangle\varphi \mid [\alpha]\varphi \mid \mu X\{U\}.\varphi \mid \nu X\{U\}.\varphi$

where $X \in Var$ is a variable, $A \in AP$ is an atomic proposition and $\alpha \in Act$ is an action. The fixed point operators $\mu$ and $\nu$ are tagged with a finite set $U$ of states. We write $\sigma$ whenever we mean either of $\mu$ or $\nu$. The semantics is then inductively defined as follows:

$\|X\|_\rho = \rho(X)$
$\|A\|_\rho = \rho(A)$
$\|\neg A\|_\rho = St \setminus \|A\|_\rho$
$\|\varphi_0 \wedge \varphi_1\|_\rho = \|\varphi_0\|_\rho \cap \|\varphi_1\|_\rho$
$\|\varphi_0 \vee \varphi_1\|_\rho = \|\varphi_0\|_\rho \cup \|\varphi_1\|_\rho$
$\|\langle\alpha\rangle\varphi\|_\rho = \{s \in St \mid \exists s' \in St.\ s \xrightarrow{\alpha} s' \wedge s' \in \|\varphi\|_\rho\}$
$\|[\alpha]\varphi\|_\rho = \{s \in St \mid \forall s' \in St.\ s \xrightarrow{\alpha} s' \Rightarrow s' \in \|\varphi\|_\rho\}$
$\|\mu X\{U\}.\varphi\|_\rho = \mu S.\,(\varphi_\rho(S) \setminus U)$
$\|\nu X\{U\}.\varphi\|_\rho = \nu S.\,(U \cup \varphi_\rho(S))$

where $\varphi_\rho(S) = \|\varphi\|_{\rho[S/X]}$. The usual $\sigma X.\varphi$ is defined as $\sigma X\{\emptyset\}.\varphi$. Note that the false ($F$) and true ($T$) propositions are definable as $\mu X.X$ and $\nu X.X$, respectively. This presentation of the calculus, where negation occurs only in front of atomic propositions, is called positive normal form.

4 Implementation of the model checker

This section describes the formalisation of the μ-calculus in Coq and the implementation and correctness proof of the model checker described in [22].

4.1 Fixed points

Assume an arbitrary type U. Then (Ensemble U) is the type of sets over U (which are implemented as predicates U -> Prop). We abbreviate this type to EnsU. Suppose further that F : EnsU -> EnsU is a monotone function w.r.t. the inclusion ordering. We define the following two operators mu and nu:

  Definition mu : (EnsU -> EnsU) -> EnsU :=
    [F:EnsU -> EnsU][s:U] ∀X:EnsU. (Included (F X) X) -> (In X s).
  Definition nu : (EnsU -> EnsU) -> EnsU :=
    [F:EnsU -> EnsU][s:U] ∃X:EnsU. (Included X (F X)) ∧ (In X s).

According to Tarski's theorem, these two operators define the least and greatest fixed points of F, respectively, as is easily proved in Coq. The next ingredient is Winskel's reduction lemma, which forms the basis for the model checker:

  Theorem Reduction_lemma :
    (Included P (nu F)) <-> (Included P (F (nu [S:EnsU] (Union P (F S))))).

It states that a set P is contained in the greatest fixed point of a monotone function exactly if it is contained in a certain kind of unfolding of that fixed point, where P is added to F under the fixed point operator.
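The page only states the reduction lemma; the following short proof is added here for the reader and is not part of the original paper. It uses only Tarski's characterisation of $\nu$ (the union of all post-fixed points) and the monotonicity of $F$. Write $G(S) = P \cup F(S)$, which is monotone because $F$ is, and let $V = \nu G$, so that $V = G(V) = P \cup F(V)$ and in particular $P \subseteq V$.

$$
\begin{aligned}
(\Rightarrow)\quad & \text{Assume } P \subseteq \nu F. \text{ Since } \nu F = F(\nu F) \subseteq P \cup F(\nu F) = G(\nu F), \\
& \nu F \text{ is a post-fixed point of } G, \text{ hence } \nu F \subseteq \nu G = V. \\
& \text{By monotonicity } F(\nu F) \subseteq F(V), \text{ so } P \subseteq \nu F = F(\nu F) \subseteq F(V). \\[4pt]
(\Leftarrow)\quad & \text{Assume } P \subseteq F(V). \text{ Then } V = P \cup F(V) = F(V), \\
& \text{so } V \text{ is a post-fixed point of } F, \text{ hence } V \subseteq \nu F, \\
& \text{and } P \subseteq F(V) = V \subseteq \nu F.
\end{aligned}
$$

Applying the lemma to the dual function $F^d(S) = St \setminus F(St \setminus S)$ and using $\mu F = St \setminus \nu F^d$ gives the version used for the least fixed point in Lemma 5(6):

$$
P \cap \mu F = \emptyset \iff P \cap F\big(\mu S.\,(F(S) \setminus P)\big) = \emptyset .
$$

Both directions are exactly what the model checker exploits: membership of a state in a tagged fixed point is decided by one unfolding, with the state moved into the tag, and a state already in the tag closes the recursion (Lemma 5(5)).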
4.2 μ-calculus syntax and semantics

Our development of the model checker is parametrised by a labelled transition system. We assume that the set of states is finite and that we have a function which, for any state s and action a, computes a list of a-successors of s. This is expressed in the following lines:

  Parameter Act, St : Set.
  Parameter Trans : St -> Act -> St -> Prop.
  Axiom finite_state : (Finite (Full_set St)).
  Axiom post_spec : ∀s:St. ∀a:Act. {l:(list St) | ∀t:St. (Elem t l) <-> (Trans s a t)}.

The inductive type defining the syntax is then defined by:

  Inductive MuForm : Set :=
      Var : nat -> MuForm
    | Lit : (St -> bool) -> MuForm
    | And : MuForm -> MuForm -> MuForm
    | Or  : MuForm -> MuForm -> MuForm
    | Dia : Act -> MuForm -> MuForm
    | Box : Act -> MuForm -> MuForm
    | Mu  : (list St) -> MuForm -> MuForm
    | Nu  : (list St) -> MuForm -> MuForm.

Variables are encoded in the standard way using de Bruijn indices. The valuation of atomic propositions is directly coded into the syntax in the form of computable predicates of type St -> bool. Since this type is closed under negation we can drop negation altogether from the syntax. The fixed point operators are tagged with a list of states.

The type Env of environments is defined as nat -> EnsSt, which can be seen as an infinite list of sets of states. We introduce an operation env_cons : EnsSt -> Env -> Env with (env_cons R ρ) returning R for O and (ρ j) for j+1. The function recursively computing the semantics of a formula with respect to an environment is defined by:

  Fixpoint Sem [φ:MuForm] : Env -> EnsSt :=
    [ρ:Env] Cases φ of
        (Var i)       => (ρ i)
      | (Lit p)       => (cf2ens St p)
      | (And φ1 φ2)   => (Intersection St (Sem φ1 ρ) (Sem φ2 ρ))
      | (Or φ1 φ2)    => (Union St (Sem φ1 ρ) (Sem φ2 ρ))
      | (Dia a ψ)     => (DiaSem a (Sem ψ ρ))
      | (Box a ψ)     => (BoxSem a (Sem ψ ρ))
      | (Mu l ψ)      => (MuSem l [R:EnsSt](Sem ψ (env_cons R ρ)))
      | (Nu l ψ)      => (NuSem l [R:EnsSt](Sem ψ (env_cons R ρ)))
    end.

The function (cf2ens St) transforms a predicate of type St -> bool into the set of states (of type EnsSt) verifying the predicate. BoxSem and DiaSem are the predicate transformers defining the semantics of the modalities. In the cases of the fixed point operators, the second argument to MuSem and NuSem is the de Bruijn version of $\lambda S.\|\varphi\|_{\rho[S/X]}$ when X is the variable bound to the fixed point operator. Here, env_cons has the effect of shifting the interpretation of free variables by one, accounting for the increased abstraction depth under these operators. For illustration, we give the definitions of DiaSem and NuSem.

  Inductive DiaSem [a:Act; R:EnsSt] : EnsSt :=
    dia_intro : ∀s,t:St. (Trans s a t) -> (In St R t) -> (In St (DiaSem a R) s).
  Definition NuSem : (list St) -> (EnsSt -> EnsSt) -> EnsSt :=
    [P:(list St)][Φ:EnsSt -> EnsSt] (nu St [R:EnsSt](Union St (list2ens St P) (Φ R))).

Substitution. We define the type of substitutions Subst to be the functions of type nat -> MuForm assigning each variable a μ-calculus formula. Substitution is thus a function subst : MuForm -> Subst -> MuForm. The following table introduces some notation which is useful in the context of de Bruijn-coded variables:

  name          notation    definition
  identity      id          [i:nat](Var i)
  shift         ↑           [i:nat](Var (S i))
  cons          φ·σ         [i:nat] Cases i of O => φ | (S k) => (σ k) end
  composition   σ∘σ'        [i:nat](subst (σ i) σ')
  lift          ⇑(σ)        (Var O)·(σ∘↑)

In order to improve readability, we will use the usual notation φ[σ] instead of (subst φ σ). In subst, the cases of the fixed point operators use 'lift' to push substitution inside, i.e. we have (σ l φ)[σ'] = (σ l (φ[⇑(σ')])). The 'cons' operator is useful in unfolding fixed point formulas: φ[(Nu l φ)·id] corresponds to the unfolding of (Nu l φ). With these definitions, we can prove:

Lemma 4. $\varphi\cdot\sigma = \Uparrow(\sigma)\circ(\varphi\cdot\mathrm{id})$.

The next lemma establishes a standard semantical correspondence between substitution and environment. It is proved by structural induction on φ.

  Lemma Substitution_lemma : ∀φ:MuForm. ∀ρ:Env. ∀σ:Subst.
    (Sem φ[σ] ρ) = (Sem φ [i:nat](Sem (σ i) ρ)).

4.3 Correctness assertions

The satisfaction relation sat on states and formulas is defined as:

  Inductive sat [s:St; φ:MuForm] : Prop :=
    sat_intro : (∀ρ:Env. (In St (Sem φ ρ) s)) -> (sat s φ).

We call the proposition (sat s φ) a correctness assertion and write it as s ⊨ φ. In Coq, we can prove the following lemma:

Lemma 5. For φ, φ0, φ1 and (σ l ψ) closed formulas, we have
1. s ⊨ (And φ0 φ1) <-> s ⊨ φ0 ∧ s ⊨ φ1
2. s ⊨ (Or φ0 φ1) <-> s ⊨ φ0 ∨ s ⊨ φ1
3. s ⊨ (Dia a φ) <-> ∃s':St. (Trans s a s') ∧ s' ⊨ φ
4. s ⊨ (Box a φ) <-> ∀s':St. (Trans s a s') -> s' ⊨ φ
5. if (Elem s l) then (a) ¬(s ⊨ (Mu l ψ)), and (b) s ⊨ (Nu l ψ)
6. if ¬(Elem s l) then for σ ∈ {Mu, Nu}: s ⊨ (σ l ψ) <-> s ⊨ ψ[(σ (cons s l) ψ)·id]

Proof. Items (1)-(5) follow directly from the semantic definition. For (6), we need the reduction and substitution lemmas. In the case of the least fixed point, a dual version of the reduction lemma is used. □

These equivalences, when cast into proof rules, can be used to establish properties of arbitrary (possibly infinite state) transition systems deductively.

4.4 The algorithm

In this section, we describe the specification and correctness proof of Winskel's local model checking algorithm [22] in Coq. It decides the truth or falsity of correctness assertions by exploring the neighbourhood of the state of interest. The idea is to exploit the equivalences of the previous Lemma 5 by considering them as simplification rules (in going from left to right).

Specification. Given a closed formula φ of the μ-calculus and a state s of the transition system, the model checker is supposed to decide whether s satisfies φ or not. This leads us to the following Coq specification:

  MuChk : ∀φ:MuForm. (Closed φ) -> ∀s:St. {s ⊨ φ} + {¬(s ⊨ φ)}.

We apply Lemma 5 in order to gradually transform the decision problem into (boolean combinations of) simpler ones. The fixed point operators are dealt with by unfolding them while adding the current state to the tag, whenever it is not already there. In cases 1-4 there is a structural reduction in going from left to right. Case 5 provides the base. In case 6 the reduction is less obvious. This means that the correctness proof will proceed by well-founded induction. However, the proof also requires that we extend our specification to arbitrary formulas, be they open or closed. This leads to the following generalised specification MuChk_plus, using the auxiliary predicates Q and Q+.

  Definition Q : MuForm -> Set :=
    [φ:MuForm] ∀s:St. {s ⊨ φ} + {¬(s ⊨ φ)}.
  Definition Q+ : MuForm -> Set :=
    [φ:MuForm] ∀σ:Subst.
      (∀i:nat. (Elem i (fv φ)) -> (Closed (σ i))) ->
      (∀i:nat. (Elem i (fv φ)) -> (Q (σ i))) -> (Q φ[σ]).
  MuChk_plus : ∀φ:MuForm. (Q+ φ)

The first condition in the definition of Q+ means that the substitute (σ i) for each free variable i of φ is a closed formula. The second condition expresses the assumption that we know how to decide the satisfaction problem for these substitutes. Since a closed formula trivially satisfies both of these conditions, Q+ is equivalent to Q in this case. With these definitions the original specification MuChk reads ∀φ:MuForm. (Closed φ) -> (Q φ).

Correctness proof. We prove the generalised specification MuChk_plus by well-founded induction. The well-founded induction principle (WFI) is a theorem which is part of the Coq library. It is stated in the following.

  well_founded_induction :
    ∀A:Set. ∀R:A -> A -> Prop. (well_founded A R) ->
    ∀P:A -> Set. (∀x:A. (∀y:A. (R y x) -> (P y)) -> (P x)) -> ∀a:A. (P a)

The computational content of the proof of the well-founded induction principle obtained by extraction is a general recursor. Its type is ∀A,P:Set. (A -> (A -> P) -> P) -> A -> P. Note, however, that by the recursive realisability interpretation [19] any program extracted from a proof by well-founded induction is guaranteed to terminate on arguments satisfying the specified preconditions.

Proof of main theorem MuChk_plus. As we follow basically the proof in [22], we try here to point out the application of the proof method provided by realizers and the program tactic.

Definition 6. Let ⊏ be the proper one-step² subformula relation on μ-calculus formulas. The relation R : MuForm -> MuForm -> Prop is defined by:

  [φ,φ':MuForm] φ ⊏ φ' ∨ ∃s:St. ∃l:(list St). ∃ψ:MuForm.
    (¬(Elem s l) ∧ φ = (σ (cons s l) ψ) ∧ φ' = (σ l ψ))

² i.e. if φ ⊏ φ' then there is no φ'' such that φ ⊏ φ'' ⊏ φ'.

Well-foundedness of R follows from the assumption that the set of states St is finite. By the well-founded induction principle, MuChk_plus follows from:

  ∀φ:MuForm. (∀ψ:MuForm. (R ψ φ) -> (Q+ ψ)) -> (Q+ φ).    (1)

The proof proceeds by case analysis on the form of φ, which generates eight subgoals, one for each constructor of MuForm. We pick out the case of the greatest fixed point, which we state as the lemma:

  Lemma chkNu_plus : ∀l:(list St). ∀ψ:MuForm.
    (∀φ:MuForm. (R φ (Nu l ψ)) -> (Q+ φ)) -> (Q+ (Nu l ψ)).

After unfolding the definitions of Q+ and Q, introducing the hypotheses into the context and pushing substitution inside Nu, we obtain the sequent:

  h  : ∀φ:MuForm. (R φ (Nu l ψ)) -> ∀σ':Subst.
         (∀j:nat. (Elem j (fv φ)) -> (Closed (σ' j))) ->
         (∀j:nat. (Elem j (fv φ)) -> (Q (σ' j))) -> (Q φ[σ'])
  σ  : Subst
  h0 : ∀i':nat. (Elem i' (fv (Nu l ψ))) -> (Closed (σ i'))
  h1 : ∀i':nat. (Elem i' (fv (Nu l ψ))) -> (Q (σ i'))
  s  : St
  ============================
  {s ⊨ (Nu l (ψ[⇑(σ)]))} + {¬(s ⊨ (Nu l (ψ[⇑(σ)])))}

The realizer for this goal depends on two lemmas which are proved in the context above. The first one is:

  Lemma QNu_cons : ¬(Elem s l) -> (Q (Nu (cons s l) ψ)[σ]).
  Realizer (h (Nu (cons s l) ψ) σ h1).

It is automatically proved by Program_all: the formula (Nu (cons s l) ψ) is R-smaller than (Nu l ψ) by the second disjunct of Definition 6, and h1 decides the substitutes. The second one corresponds to the right hand side of Lemma 5(6):

  Lemma QNu_unfold : ¬(Elem s l) -> (Q ψ[⇑(σ)][(Nu (cons s l) (ψ[⇑(σ)]))·id]).

Using Lemma 4, we first rewrite this to (Q ψ[(Nu (cons s l) (ψ[⇑(σ)]))·σ]). Now, since by Lemma QNu_cons we know how to decide (Nu (cons s l) (ψ[⇑(σ)])) (which is convertible with (Nu (cons s l) ψ)[σ]), and by hypothesis h1 we know how to do so for each (σ i), we can use the induction hypothesis h (with ψ ⊏ (Nu l ψ)) to construct the following realizer:

  Realizer (h ψ ((Nu (cons s l) (ψ[⇑(σ)]))·σ)
             [i:nat] Cases i of O => QNu_cons | (S j) => (h1 j) end).

Applying the tactic Program_all leaves us with two subgoals which are easily solved. Now, with Lemma 5(5b) and (6) in mind, we are ready to give the realizer for the goal of our original sequent:

  Realizer if (iselem_spec s l) then true else (QNu_unfold s).

where iselem_spec : ∀s:St. ∀l:(list St). {(Elem s l)} + {¬(Elem s l)}. The subgoals generated by Program_all are all easily proved using Lemmas 5(5b) and 5(6).
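The following Python program is an added example, written for this page and not part of the paper's Coq development. It puts the pieces of Sections 3, 4.2 and 4.4 side by side on a small constructed LTS: the tagged semantics of Section 3 (computed by Tarski iteration over the finite state set), de Bruijn substitution with id, ↑, cons, composition and lift exactly as in the table of Section 4.2, and Winskel's local checker, i.e. the rules of Lemma 5 read left to right with the tag unfolding of case 6. The states, transitions, property names and the `Form` encoding are our own choices; `model_check` cross-checks the local algorithm against the denotational semantics on every state, which is what the specification MuChk promises.

```python
# Added example (not the paper's Coq code): tagged modal mu-calculus over a
# constructed finite LTS, de Bruijn substitution (Section 4.2) and Winskel's
# local model checker as specified by the rules of Lemma 5 (Section 4.4).
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

State, Action = str, str
StateSet = FrozenSet[State]


@dataclass(frozen=True)
class Form:
    """Positive normal form.  op is one of var, lit, and, or, dia, box, mu, nu.
    x: index (var) | predicate St->bool (lit) | left (and/or) | action (dia/box) | tag (mu/nu)
    y: right operand (and/or) | body (dia/box/mu/nu)"""
    op: str
    x: object = None
    y: object = None


# --- substitution on de Bruijn variables: id, shift, cons, composition, lift ---
Subst = Callable[[int], Form]
ident: Subst = lambda i: Form("var", i)        # id
shift: Subst = lambda i: Form("var", i + 1)    # up-arrow


def cons(phi: Form, s: Subst) -> Subst:        # phi . s
    return lambda i: phi if i == 0 else s(i - 1)


def comp(s: Subst, t: Subst) -> Subst:         # s o t
    return lambda i: subst(s(i), t)


def lift(s: Subst) -> Subst:                   # (Var O) . (s o shift)
    return cons(Form("var", 0), comp(s, shift))


def subst(phi: Form, s: Subst) -> Form:
    if phi.op == "var":
        return s(phi.x)
    if phi.op == "lit":
        return phi
    if phi.op in ("and", "or"):
        return Form(phi.op, subst(phi.x, s), subst(phi.y, s))
    if phi.op in ("dia", "box"):
        return Form(phi.op, phi.x, subst(phi.y, s))
    return Form(phi.op, phi.x, subst(phi.y, lift(s)))   # mu/nu: push s under the binder


# --- denotational semantics of Section 3 (a mu-tag is removed, a nu-tag is added) ---
LTS = Dict[Tuple[State, Action], StateSet]


def post(lts: LTS, s: State, a: Action) -> StateSet:
    return lts.get((s, a), frozenset())


def sem(phi: Form, lts: LTS, states: StateSet, env: Callable[[int], StateSet]) -> StateSet:
    op = phi.op
    if op == "var":
        return env(phi.x)
    if op == "lit":
        return frozenset(s for s in states if phi.x(s))
    if op in ("and", "or"):
        l, r = sem(phi.x, lts, states, env), sem(phi.y, lts, states, env)
        return l & r if op == "and" else l | r
    if op in ("dia", "box"):
        body = sem(phi.y, lts, states, env)
        ok = (lambda p: bool(p & body)) if op == "dia" else (lambda p: p <= body)
        return frozenset(s for s in states if ok(post(lts, s, phi.x)))
    step = lambda S: sem(phi.y, lts, states, lambda i: S if i == 0 else env(i - 1))  # env_cons
    cur = frozenset() if op == "mu" else frozenset(states)
    while True:   # Tarski iteration from bottom (mu) / top (nu); finite lattice, so it stops
        nxt = step(cur) - phi.x if op == "mu" else phi.x | step(cur)
        if nxt == cur:
            return cur
        cur = nxt


def chk(s: State, phi: Form, lts: LTS) -> bool:
    """Winskel's local algorithm: Lemma 5 read left to right, on a closed formula."""
    op = phi.op
    if op == "var":
        raise ValueError("open formula")
    if op == "lit":
        return phi.x(s)
    if op == "and":
        return chk(s, phi.x, lts) and chk(s, phi.y, lts)
    if op == "or":
        return chk(s, phi.x, lts) or chk(s, phi.y, lts)
    if op == "dia":
        return any(chk(t, phi.y, lts) for t in post(lts, s, phi.x))
    if op == "box":
        return all(chk(t, phi.y, lts) for t in post(lts, s, phi.x))
    if s in phi.x:                          # Lemma 5(5): a tagged state is the base case
        return op == "nu"
    tagged = Form(op, phi.x | {s}, phi.y)   # Lemma 5(6): unfold with s added to the tag
    return chk(s, subst(phi.y, cons(tagged, ident)), lts)


# Constructed sample LTS: s0 -a-> s1 -a-> s2 -a-> s2, s2 -b-> s0, s0 -b-> s0, s3 -a-> s3.
STATES: StateSet = frozenset({"s0", "s1", "s2", "s3"})
SAMPLE: LTS = {("s0", "a"): frozenset({"s1"}), ("s0", "b"): frozenset({"s0"}),
               ("s1", "a"): frozenset({"s2"}), ("s2", "a"): frozenset({"s2"}),
               ("s2", "b"): frozenset({"s0"}), ("s3", "a"): frozenset({"s3"})}
V0, V1 = Form("var", 0), Form("var", 1)   # de Bruijn: V0 is bound by the innermost fixed point
NONE: StateSet = frozenset()
PROPS = {
    "reach_s2": Form("mu", NONE, Form("or", Form("lit", lambda s: s == "s2"), Form("dia", "a", V0))),
    "inf_b": Form("nu", NONE, Form("dia", "b", V0)),            # an infinite b-path exists
    "mu_b": Form("mu", NONE, Form("dia", "b", V0)),             # false everywhere: 5(5a) closes the loop
    "inf_many_b": Form("nu", NONE, Form("mu", NONE,             # nu X. mu Y. (<b>X \/ <a>Y)
                       Form("or", Form("dia", "b", V1), Form("dia", "a", V0)))),
}


def model_check(phi: Form) -> StateSet:
    """States of SAMPLE satisfying closed phi by the local checker, cross-checked
    against the denotational semantics (they must agree, as MuChk promises)."""
    local = frozenset(s for s in STATES if chk(s, phi, SAMPLE))
    denot = sem(phi, SAMPLE, STATES, lambda i: NONE)   # env is never consulted: phi is closed
    if local != denot:
        raise AssertionError((local, denot))
    return local


if __name__ == "__main__":
    for name, prop in PROPS.items():
        print(name, sorted(model_check(prop)))
```

The property `inf_many_b` is the interesting one: its inner μ-body refers to the outer ν-variable (V1), so unfolding the ν pushes the tagged copy of the formula under the μ-binder through `lift`, and the μ-unfolding at s3 (which only loops on a) is cut off by the tag, as Lemma 5(5a) prescribes. The same bounded-tag argument (finite state set, so tags grow at most |St| times per binder) is what makes the relation R of Definition 6 well-founded and hence the checker terminating.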
A realizer for the control structure. The steps taken in the beginning of the proof (application of the WFI and case analysis) can be replaced by the following realizer for MuChk_plus:

  Realizer <Q+> rec muchk_plus :: :: {R}
    [φ:MuForm] Cases φ of
        (Var i)         => (chkVar_plus i)
      | (Lit p)         => (chkLit_plus p)
      | ...
      | (Constr args)   => (chkConstr_plus args muchk_plus)
    end.

The notation <P> rec h :: :: {R} [a:A] M, where h is the name of the induction hypothesis and M:P, is syntactic sugar for (well_founded_induction A P [a:A][h:A -> P] M). The identifiers chkConstr_plus, where Constr is the name of a recursive constructor of MuForm, denote lemmas proving the different cases for φ in subgoal (1).

5 Application

All the notions in this section have been formalised in Coq. We use usual mathematical notation for brevity.

CCS and the specification preorder. We recall the basic definitions. For more detail, we refer the reader to [13,5]. Let $\mathcal{A}$ be a set of names, $\bar{\mathcal{A}} = \{\bar l \mid l \in \mathcal{A}\}$ their complements and $L = \mathcal{A} \cup \bar{\mathcal{A}}$ the set of labels. We set $\bar{\bar l} = l$. Define the set of actions by $Act = L \cup \{\tau\}$, where $\tau$ is the invisible/silent action. $f$ is a relabelling function if $f(\bar l) = \overline{f(l)}$ and $f(\tau) = \tau$. Suppose a set $K$ of process constants. The set $P$ of processes is defined by the abstract syntax:

$p ::= nil \mid\ ?\ \mid a.p \mid p_0 + p_1 \mid p_0 \,|\, p_1 \mid p[f] \mid p\backslash L \mid A$

where $a \in Act$, $f$ is a relabelling function, $L \subseteq L$ and $A \in K$. Let $T$ be the transition system $(P, Act, \rightarrow)$, whose transition relation $\rightarrow$ is inductively defined by the rules:

$a.p \xrightarrow{a} p$
$p \xrightarrow{a} p' \Rightarrow p + q \xrightarrow{a} p',\ q + p \xrightarrow{a} p'$
$p \xrightarrow{a} p' \Rightarrow p \,|\, q \xrightarrow{a} p' \,|\, q,\ q \,|\, p \xrightarrow{a} q \,|\, p',\ p[f] \xrightarrow{f(a)} p'[f]$
$p \xrightarrow{a} p',\ a, \bar a \notin L \Rightarrow p\backslash L \xrightarrow{a} p'\backslash L$
$p \xrightarrow{a} p',\ A \stackrel{def}{=} p \Rightarrow A \xrightarrow{a} p'$

The partiality predicate $\uparrow$ is the complement of $\downarrow$, which is defined by: (i) $nil\downarrow$, $a.p\downarrow$; (ii) $p\downarrow, q\downarrow \Rightarrow p+q\downarrow, p\,|\,q\downarrow$; (iii) $p\downarrow \Rightarrow p\backslash L\downarrow, p[f]\downarrow$; (iv) $A \stackrel{def}{=} p,\ p\downarrow \Rightarrow A\downarrow$. Intuitively, $\uparrow$ denotes the underdefined processes.

Definition 7. Let $l \in L$ and $a \in Act$. Define
1. $\xRightarrow{l}\ =\ \xrightarrow{\tau}^{*}\xrightarrow{l}\xrightarrow{\tau}^{*}$ and $\Rightarrow\ =\ \xrightarrow{\tau}^{*}$
2. $p\Uparrow$ iff $\exists p'.\ p \Rightarrow p' \wedge p'\uparrow$
3. $p\Uparrow a$ iff $p\Uparrow \vee \exists p'.\ (p \xRightarrow{a} p' \wedge p'\Uparrow)$

$p\Downarrow$ ($p\Downarrow a$) is the complement of $p\Uparrow$ ($p\Uparrow a$). We say that a process $p$ is totally defined if for all $p'$ reachable from $p$: $p'\Downarrow$. Otherwise, it is partially defined.

Definition 8. Define the specification preorder $\le$ as the greatest fixed point of the function $F$ on relations over $P$ defined by $(p,q) \in F(R)$ iff for all $a \in Act$ such that $p\Downarrow a$ we have:
1. $q\Downarrow a$,
2. if $p \xrightarrow{a} p'$ then $\exists q'.\ q \xRightarrow{a} q' \wedge (p',q') \in R$,
3. if $q \xrightarrow{a} q'$ then $\exists p'.\ p \xRightarrow{a} p' \wedge (p',q') \in R$.

Let $\approx$ denote weak bisimulation equivalence [13].

Lemma 9. If $p \le q$ and $p$ is totally defined, then $q$ is totally defined and $p \approx q$.

Theorem 10. ([5]) The preorder $\le$ is a precongruence w.r.t. parallel composition, restriction and relabelling, i.e. if $p \le q$ then $p\,|\,r \le q\,|\,r$, $p[f] \le q[f]$ and $p\backslash L \le q\backslash L$.

Verification of $\le$ using the model checker. We introduce the transition system $T^+ = (P \times P, Act \uplus Act, \rightarrow^+)$, where $\rightarrow^+$ is defined by:

$p \xrightarrow{a} p' \Rightarrow (p,q) \xrightarrow{0(a)}{}^+ (p',q),\ (q,p) \xrightarrow{1(a)}{}^+ (q,p')$

Next, we define some left and right modalities for the μ-calculus interpreted over the transition system $T^+$:

$\langle a\rangle_l\,\varphi = \langle 0(a)\rangle\varphi$
$\langle\varepsilon\rangle_l\,\varphi = \mu X.\ \varphi \vee \langle\tau\rangle_l X \qquad (X \notin fv(\varphi))$
$\langle\!\langle\tau\rangle\!\rangle_l\,\varphi = \langle\varepsilon\rangle_l\,\varphi$
$\langle\!\langle\ell\rangle\!\rangle_l\,\varphi = \langle\varepsilon\rangle_l\langle\ell\rangle_l\langle\varepsilon\rangle_l\,\varphi \qquad (\ell \in L)$

Of all these we define "right" versions, but with $\langle a\rangle_r = \langle 1(a)\rangle$. We also introduce left/right versions of the partiality predicates:

$\uparrow_l = \{(p,q) \mid p\uparrow\}$
$\Uparrow_l = \langle\!\langle\tau\rangle\!\rangle_l \uparrow_l$
$\Uparrow_l(a) = \Uparrow_l \vee \langle\!\langle a\rangle\!\rangle_l \Uparrow_l$

Similarly, "right" versions are defined using $\uparrow_r = \{(p,q) \mid q\uparrow\}$. Now, supposing the set $Act$ is finite, the function $F$ from Definition 8 can be expressed as the μ-calculus formula:

$\tilde F(X) = \bigwedge_{a \in Act}\ \Uparrow_l(a) \vee \big(\Downarrow_r(a) \wedge [a]_l\langle\!\langle a\rangle\!\rangle_r X \wedge [a]_r\langle\!\langle a\rangle\!\rangle_l X\big)$

We define the characteristic formula of $\le$ as $\nu X.\tilde F(X)$. Then we have the following result:

Lemma 11. For $Act$ finite: $p \le q \iff (p,q) \models \nu X.\tilde F(X)$.

A simple protocol. A simple protocol $P_n$ is composed of a sender $S$ synchronously transmitting signals over a buffer $B_n$ of size $n$ to a receiver $R$. With $X \parallel Y \stackrel{def}{=} (X[out/z]\ |\ Y[in/z])\backslash\{z\}$, the definition is:

$B \stackrel{def}{=} in.out.B$
$B_n \stackrel{def}{=} \parallel_{i=1}^{n} B$
$S \stackrel{def}{=} send.in.ack.S$
$R \stackrel{def}{=} out.recv.ack.R$
$E \stackrel{def}{=} (S\,|\,R)\backslash\{ack\}$
$P_n \stackrel{def}{=} (E\,|\,B_n)\backslash\{in, out\}$

We define a specification of the protocol by $Spec \stackrel{def}{=} send.recv.Spec$. We want to show that the behaviour of the protocol is independent of the size of the buffer.

Theorem 12. For all $n \ge 1$: $Spec \approx P_n$.

Proof. The proof is decomposed into the following two steps:
1. find a network invariant $J$ such that for all $n \ge 1$: $J \le B_n$;
2. verify that $Spec \le (E\,|\,J)\backslash\{in, out\}$.

The result then follows from Theorem 10 and Lemma 9, a fact which is proved by deduction in Coq. We define $J \stackrel{def}{=} in.J'$ and $J' \stackrel{def}{=} out.J + in.?$. Step (1) is proved by an implicit induction on $n$: (a) $J \le B$ (base case), (b) $J \le B \parallel J$ (inductive step). Both these steps can be proved with the model checker, by using the characteristic formula $\nu X.\tilde F(X)$. That (a) and (b) imply (1) is proved "by hand" in Coq. Step (2) can be delegated to the model checker as well. □

As any property expressed in a version of the modal μ-calculus with weak modalities only is preserved by weak bisimulation equivalence, we can verify it on the specification $Spec$ and conclude that it also holds for each of the $P_n$.

References

1. L. Augustsson, T. Coquand, and B. Nordström. A short description of another logical framework. In G. Huet and G. Plotkin, editors, Preliminary Proceedings of Logical Frameworks, 1990.
2. H. P. Barendregt. Lambda calculi with types. In S. Abramsky, D. M. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, Volume 2: Background: Computational Structures, pages 118-309. Oxford University Press, 1992.
3. B. Barras, S. Boutin, C. Cornes, J. Courant, J.-C. Filliâtre, E. Giménez, H. Herbelin, G. Huet, et al. The Coq Proof Assistant Reference Manual, Version 6.1. Projet Coq, INRIA Rocquencourt, CNRS-ENS Lyon, Dec. 1996.
4. E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems, 16(5):1512-1542, Sept. 1994.
5. R. Cleaveland and B. Steffen. A preorder for partial process specifications. In CONCUR '90, volume 458 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
6. T. Coquand and G. Huet. The calculus of constructions. Information and Computation, 76:95-120, 1988.
7. D. Dams, O. Grumberg, and R. Gerth. Abstract interpretation of reactive systems. ACM Transactions on Programming Languages and Systems, 19(2):253-291, 1997.
8. J. Dingel and T. Filkorn. Model checking for infinite state systems using data abstraction, assumption-commitment style reasoning and theorem proving. In CAV '95, volume 939 of Lecture Notes in Computer Science. Springer-Verlag, 1995.
9. J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types, volume 7 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1989.
10. R. P. Kurshan and K. McMillan. A structural induction theorem for processes. In 8th ACM Symposium on Principles of Distributed Computing, pages 239-248, 1989.
11. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:11-44, 1995.
12. Z. Luo and R. Pollack. LEGO proof development system: User's manual. Technical Report ECS-LFCS-92-211, Department of Computer Science, University of Edinburgh, 1992.
13. R. Milner. Communication and Concurrency. Prentice Hall International Series in Computer Science. Prentice Hall, 1989.
14. O. Müller and T. Nipkow. Combining model checking and deduction for I/O-automata. In TACAS 95, volume 1019 of Lecture Notes in Computer Science, pages 1-16. Springer-Verlag, 1995.
15. C. Parent. Synthèse de preuves de programmes dans le Calcul des Constructions Inductives. PhD thesis, École Normale Supérieure de Lyon, Jan. 1995.
16. C. Paulin-Mohring. Extracting Fω programs from proofs in the Calculus of Constructions. In Sixteenth Annual ACM Symposium on the Principles of Programming Languages, Austin, Texas, Jan. 1989.
17. C. Paulin-Mohring. Extraction de programmes dans le Calcul des Constructions. PhD thesis, Université de Paris VII, Jan. 1989.
18. C. Paulin-Mohring. Inductive definitions in the system Coq: rules and properties. Technical Report 92-49, Laboratoire de l'Informatique du Parallélisme, ENS Lyon, France, Dec. 1992.
19. C. Paulin-Mohring and B. Werner. Synthesis of ML programs in the system Coq. Journal of Symbolic Computation, 11:1-34, 1993.
20. S. Rajan, N. Shankar, and M. K. Srivas. An integration of model checking with automated proof checking. In CAV '95, volume 939 of Lecture Notes in Computer Science, pages 84-97. Springer-Verlag, 1995.
21. B. Werner. Une Théorie des Constructions Inductives. PhD thesis, Université de Paris 7, France, 1994.
22. G. Winskel. A note on model checking the modal ν-calculus. Theoretical Computer Science, 83:157-167, 1991.
23. P. Wolper and V. Lovinfosse. Verifying properties of large sets of processes with network invariants. In J. Sifakis, editor, International Workshop on Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 68-80. Springer-Verlag, 1989.
24. S. Yu and Z. Luo. Implementing a model checker for LEGO. In Formal Methods Europe, 1997.