Abstract

Scalable automated proving and debugging of set-based specifications^* * Partially funded by INRIA/CASSIS project, CAPES grant BEX0006/02-5, and CNPq grant 500473/2003-0.

J.-F. Couchot^I; D. Déharbe^II; A. Giorgetti^I; S. Ranise^III

^ILIFC, U. de Franche-Comté, Besançon (France)

^IIDIMAp/UFRN, Natal (Brazil)

^IIILORIA & INRIA-Lorraine, Nancy (France) {couchot, giorgett}@lifc.univ-fcomte.fr, david@consiste.dimap.ufrn.br, ranise@loria.fr

ABSTRACT

We present a technique to prove invariants of model-based specifications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by their characteristic function which, in turn, is encoded by an array of Booleans indexed on the elements of the set. A theorem proving procedure automating the verification of the proof obligations obtained by the translation is described. Furthermore, we discuss how a sub-formula can be extracted from a failed proof attempt and used by a model finder to build a counter-example. To be concrete, we use a B specification of a simple process scheduler on which we illustrate our technique.

Keywords: Set-theory, First-order logic with equality, Decision procedures, Superposition, BDDs, haRVey.

1 Introduction

Formal methods are increasingly integrated in the development cycle of both hardware and software artifacts. For software specification, industry is open to trying out rigorous notations like VDM [9], Z [18] or B [1]. Also, a combination of theorem proving and model checking is becoming increasingly popular to formally validate specifications.

Theorem proving discharges proof obligations entailing the correctness of a system with respect to its specification; it is a tedious activity requiring a significant amount of user interaction since it is usually conducted in undecidable logics. For example, Z and B are based on (variants of) set theory [1] which is well-known to be difficult to mechanise. State-of-the-art theorem provers (such as PVS¹ 1 http://pvs.csl.sri.com ) provide only a limited amount of automation although a great deal of effort has been put into the automation of routine reasoning tasks. Indeed, a lot of research deals with the combination of decision procedures for selected theories and their incorporation in more general reasoning activities [17]. The main advantage of theorem proving is that it permits reasoning about infinite domains which are ubiquitous in software systems. The main disadvantage is that it can be difficult to say whether a property is not proved because the assumptions are not sufficiently strong or whether just some extra effort in theorem proving is required. Model checking consists of searching for a counter-example violating some property that the system is supposed to comply with. It can be made automatic for finite-state systems and only semi-automatic (i.e. the search may not terminate) for infinite-state systems. For infinite domains, the main drawback of model checking is that it can find counter-examples proving that the specification is contradictory with the system, but it may fail to prove that the specification is correct.

In this paper, we propose to leverage recent advances in the design of decision procedures for first-order theories [3, 10] to build automatic and flexible tools for proving and debugging set-based specifications. The key idea of our approach is that only fragments of set theory are used in many situations of practical relevance and such fragments can be translated into decidable theories of equational first-order logic. In order to test the feasibility of our approach, we have chosen the specification language of the B method. However, we intend the underlying method to be generally applicable to the model-based approach to specifications which encompasses also other notations such as Z or VDM.

The main ingredients of our method are fourfold. First, we translate a selected subset of the B specification language to first-order logic augmented with some set-theoretic constructs. More precisely, a B specification module-called Abstract Machine (AM)-is translated to first-order formulae encoding the relations between the before and after values of the variables of the AM according to its operations. Such formulae may contain sets (with a particular structure) and selected set-theoretic constructs. Second, the before-after representation of the system together with the invariant of the AM is translated into a set of first-order proof obligations (containing set-theoretic constructs) which entail that the invariant is inductive for the AM. (The first two ingredients of our method are briefly sketched in Section 2 since they are an adaptation of existing techniques, e.g. [1].) Third, we eliminate the set-theoretic constructs in the proof obligations by interpreting them in an extension of the decidable theory of arrays with extensionality (Section 3), see e.g. [3] . Such a translation is based on the idea that an array of Booleans indexed by the elements of a set s represents the characteristic function of s. Fourth, we pre-process the resulting proof obligations so as to eliminate quantifiers, thereby obtaining ground formulae (Section 4.1). Such pre-processing consists of exhaustively substituting a quantified sub-formula ψ with a propositional letter q and adding the axiom q ⇔ ψ to the background theory. Afterwards, we invoke haRVey [10]-a reasoning system capable of proving the validity of quantifier-free formulae modulo equational first-order theories-to discharge the resulting proof obligations (Section 4.2). If a formula is shown to be valid, then we report it to the user. Otherwise, a selected sub-formula is extracted and passed to a model finder (i.e. a tool which takes a formula and attempts to find one of its models) so that a counterexample can be built and afterwards scrutinised by the user in order to understand why the formula failed to be proved valid (Section 4.3).

Related work. The closest related work is [15, 14] since it tries to combine the best of theorem proving and model finding by loosely coupling AtelierB² 2 http://www.atelierb.societe.com/index.html with the Alloy analyser³ 3 http://sdg.lcs.mit.edu/alloy . The main difference is that the entire proof obligation is used for both theorem proving and model finding whereas we use theorem proving to simplify the formula so that only a small portion of it (ultimately responsible for its invalidity) is passed to a model finder, thereby considerably simplifying the task of the latter. There is some work (e.g. [4]) in using state-of-the-art theorem provers for formal reasoning in state-based specification languages such as B, Z, and VDM. The emphasis of such works is on the soundness of the translation from set theory to the logic used by the prover, ignoring the issues of automation thereby leaving the user with the burden of long and tedious interactive proofs. On the contrary, our work focuses on translating a fragment of set theory for which the theorem proving problem can be effectively automated by using decision procedures for first-order equational theories. To our knowledge, it is the first time that the idea of using (an extension of) a decision procedure for the theory of arrays is put forward to mechanise the reasoning in (fragments of) set theory by representing characteristic functions of sets with arrays. Section 4.4 reports some experiments which confirm the scalability of our approach on a class of large specifications manipulating simple data structures.

2 The B Specification and Verification Method

The B method has an associated specification notation called Abstract Machine Notation (AMN). This is a state-based notation similar to Z or VDM which features constructs such as assignments (:=), conditionals (IF THEN ELSE), multiple assignments (||), and non-deterministic choice (ANY) [1].

Roughly, an AM is composed of some state variables, an initialisation, and some operations that may alter the value of the state variables. Although the B method includes refinement and implementation of a specification, we consider here only the problem of checking whether an invariant is established by the initialisation and is preserved by the execution of all the operations of an AM. Proof obligations implying the correctness of the AM operations and initialisation with respect to its candidate invariant are generated following an effective procedure (along the lines in [1]).

Example 1(The Process Scheduler) As a running example on which we illustrate our techniques, we consider the process scheduler introduced in [11]. Although simple, this example allows us to discuss the typical problems arising in handling the type of AMs our technique is aimed at, i.e. (large) AMs which manipulate simple data structures, represented by sets of primitive elements. Its B specification is shown in Figure 1. At any one time, the system may have some processes ready to be scheduled,, some processes waiting for some external action before they become ready and, possibly, a single active process. Each process is uniquely identified, by an identifier (taken out of a set PID). The invariant states that active, ready, and waiting are pairwise disjoint subsets of PID and that at most one process can be in the active state (this enforces mutual exclusion in the execution of processes). The initialisation requires that all the processes are in the waiting state at the beginning. The operation Swap allows the AM to evolve by exchanging the currently active process with a ready one, leaving the system idle ifthere are no ready processes. In the operation Ready, a process pw, that has been waiting, is somehow unblocked and can go to the ready state or to the active state, if the system is idle (we will see in Section 4.3 that the specification of this operation contains a bug).

The specification of an operation such as Swap is a description of certain relevant properties that the intended state modification must fulfil. To formally express such properties, a common technique is to write the, so called, before-after predicate which relates the values of the state variables (i.e. ready, waiting, and active) as they are immediately before and immediately after the operation takes place (see [1] for details). In order to write down such predicates, we adopt the convention ofdenoting the values ofthe variables just after the execution ofthe operation by priming the corresponding identifiers. The following before-after predicate Ps_wap(r, w, a, r', w', a') specifies the operation Swap:

wherer, w, a, r', w', a'abbreviate ready, waiting, active, ready', waiting' and active respectively. The Boolean conditional connective if A then B else C abbreviates (A ⇒ B) (¬A ⇒ C) where A,B, and C are formulae. We use such a construct in order to preserve the structure of the B specification in the before-after predicate. Notice that the non-deterministic choice operator (ANY) is expressed by existential quantification and the multiple assignment operator (||) by conjunction. Also, state variables that are not explicitly assigned retain their previous value. Although this is not in the scope of this paper, we believe it would be easy to adapt our approach to handle other B constructs such as constants, machine parameters and properties.

The invariant (cf. INVARIANT clause of Figure 1) can easily be translated to the following predicate:

wherep is a constant representing PID; it is abbreviated byInv(r, w, a).

Once both an operation and the invariant have been specified by predicates, we can prove that the operation preserves the invariant by checking the validity of the following formula which encodes the fact that Inv holds after the execution of Swap, provided that it holds before:

In addition to proving that each operation preserves the invariant Inv, one also has to check that Inv is satisfied, by the initialisation condition (cf. INITIALISATION clause of Figure 1). We omit the corresponding proof obligation, since this does not add much to the discussion.

Proof obligations-such as (3)- shall be discharged by using automated theorem provers. Typically, in currently available commercial tools supporting the B method, there is a number of proof obligations that the automated prover cannot discharge so the developer can switch the prover to an interactive mode and attempt to try to discharge the remaining proof obligations manually. The B method is actually supported by two commercially available tools: the B-Toolkit⁴ 4 http://www.b-core.com/btoolkit .html and the AtelierB.⁵ 5 http://www.atelierb.societe.com/index.html Although quite successful, both tools leave the developer without help to discover why a certain proof obligation has failed to be shown valid.

In the rest of this paper, we describe a technique to check the validity of proof obligations and to provide the user with counter-examples when the validity check fails.

3 Translating Set-Based Proof Obligations

In Section 2, we have relied on the reader's intuition of basic concepts of first-order logic and naive set theory to write down the before-after predicates specifying the operation, the invariant, and the proof obligation of the AM in Figure 1. Here, we define the simple version of set theory we use and explain how to translate it into a suitable extension of first-order logic with equality so that haRVey (cf. Section 4.2)-a system to check the validity of equational first-order formulae-can be used to discharge such proof obligations (if possible).

Below, we assume the usual syntactic and semantic notions of first-order logic with equality as defined for example in [12]. We say that a formula Φis satisfiable modulo a theory iff Φ ∧ is satisfiable.⁶ 6 A theory is a set of formulae closed under logical consequence.

3.1 A Simple Set Theory

For simplicity, in this paper, we consider a restricted fragment of set theory, which we denote with SSET . Notice, however, that our approach can be extended to handle more expressive fragments of set theory such as the theory of Hereditarily Finite Sets with Atoms (see, e.g. [5]), which permits sets of primitive elements, sets of sets of primitive elements, and so on. SSET is a theory of first-order sorted logic with equality. It contains two distinct sort symbols ELEM and SET. Its set of terms contains the variable and constant symbols of sort ELEM and SET. We assume there is at least one constant of sort ELEM. The distinguished constant ∅ is a term of sort SET. If e is a term of sort ELEM, then {e} is a term of sort SET; also, if si and s₂ are terms of sort SET, then si s₂ is also a term of sort SET, where is one of the binary function symbols (intersection), (union), and \ (set difference). We also write {e₁,... ,e_n} as an abbreviation of {e₁} . . . {e_n}. The set of atoms of SSET contains expressions of the form e₁ = e₂, e ∈ s, s₁⊆ s₂, s₁ = s₂, where e, e₁, e₂ are terms of sort ELEM and s, s₁, s₂ are terms of sort SET. Literals, Boolean combinations of literals, and possibly quantified formulae are inductively defined in the usual way. Furthermore, let Ax(SSET) be the set obtained by adding the following axioms to the theory of equality:

where E, F are variables of sort ELEM and S₁, S₂ are variables of sort SET. The semantics of SSET is given by the class (SSET) of first-order interpretations satisfying each axiom in Ax(SSET) whose domain interpreting sort SET is "generated by" ∅, {_}, and ; i.e. all elements of the domain of sort SET are the interpretations of terms containing only ∅, {_}, and È as function symbols whose application yields terms of sort SET.⁷ 7 This is equivalent to say that we adopt an "initial model semantics" for SSET. This allows us to prove properties by induction over ∅, {_}, and È (see, e.g. Fact 1 below).

Intuitively, the set theory we are considering permits to reason about sets with a very simple structure, i.e. sets (represented by terms of sort SET) which are subsets of a given universal set (e.g. the set PID in the example of Figure 1) and whose elements (represented by terms of sort ELEM) are primitive. So, for example, if the universal set is that of integers, the set {1,2,3} is a valid set of SSET, whereas {1, {2}} is not. Notice that SSET is already useful in many practical verification problems involving large systems (say some pages of B specifications) which manipulate simple data structures represented by sets of primitive elements.

3.2 The Theory of Arrays with Extension-ality

Let be the many-sorted theory with sorts value, index and array, with function symbols write (abbreviated below with wr) and read (abbreviated below with rd) of type ARRAY X INDEX X VALUE → ARRAY and ARRAY X INDEX → VALUE respectively. Furthermore, let be the set of axioms obtained by adding the following axioms to the theory of equality:

where A and B are variables of sort array, I and J are variables of sort index, and E is a variable of sort value. denotes a signature containing the function symbols rd, wr, and a finite set of constant symbols. We assume that the signature of admits at least one ground term for each sort. Checking the satisfiability of conjunctions of ground literals modulo is decidable (see, e.g. [3]).

3.3 From Set Theory to Array Theory

We explain how to translate formulae of SSET to (extensions of) so that the reasoning system haRVey (cf. Section 4.2) can be used to discharge the proof obligations which imply that an invariant of an AM is an inductive property of the machine (along the lines sketched in Section 2).

The intuition underlying our approach is based on using the characteristic function to represent sets. Such a function, in turn, can be encoded by an array of Booleans whose indexes are the elements of the set. For example, the set s := {1,2} can be represented as s[1] = s[2] = true and s[x] = false, for all x distinct from 1 and 2.

First, let be an extension of containing two distinguished constants tt and ff of sort value together with the axiom

In this way, we consider arrays storing Boolean values (from this, the 'B' in front of '' in ). Furthermore, contains a distinguished constant symbol mty of sort array and the axiom

where I is a variable of sort index (the intuition is that mty is the counterpart of the empty set in ).

Then, we define three functions S, T, and F from the sorts, terms, and formulae of SSET to the sorts, pairs of terms and set of formulae, and pairs of formulae and set of formulae (respectively) of . Below, we will see that other symbols and axioms will be added to in the process of translating a formula of SSET to a formula in first-order logic with equality by applying functions T and F. Formally, this is done by returning the translated terms together with the set of formulae to be added to . Such formulae will implicitely determine the symbols to be added to .

We define S(ELEM) := INDEX and S(SET) := array. Then, we assume that T is s.t. it maps (one-to-one) constants of sort elem and set to constants of sort index and array, respectively. Now, we home-omorphically extend T to compound terms of SSET as follows, where ι and u are fresh constants of sort index and array, respectively:

We regard {e₁,...,e_n} (for n > 1) as an abbreviation of

Then, for each constant u of sort ARRAY (representing a set), we add to the following axiom:

where I is a variable of sort INDEX. Axiom (17) constrains the co-domain of the characteristic function represented by u to be {tt, ff}.

Furthermore, we translate the ground atoms of SSET by defining the function F as follows:

where q is a fresh propositional letter, for ι = 1,2 and α is

Then, the translation process is homeomorphically extended to Boolean combinations of atoms in the following way:

where for i = 1,2, and 3.

Now, we are in the position to state the main property of our translation process (we state it in terms of satisfiability since our theorem proving approach is based on refutation; see Section 4.2). Let Φ be a ground formula of SSET and be its translation. We denote by the theory containing , the axioms (15), (16), (17) and the formulae in 0.

Theorem 1 Φ is satisfiable modulo SSET iff is satisfiable modulo .

In order to prove the Theorem, we need some technical definitions and facts.

Fact 1For any ground term t of SSET, there exists a term t' containing only the function symbols ∅, {_}, and s.t. t = t' is satisfied by an interpretation in (SSET).

The proof consists of an easy induction on ∅, {_}, and U. Then, we introduce the function ins as follows:

for all ground terms e and s of sort ELEM and SET, respectively.

Fact 2Letbe the term rewriting system consisting of (18) and (19), oriented from right to left, and ins(e, mty) s = ins(e,s), oriented from left to right. Then, is terminating and confluent.

The termination of can be easily seen by observing that the number of occurrences of {_} and decreases following the orientation of each rewrite rule. It is also trivial to see that if a term t does not contain any occurrence of {_} or , then no rule in can be applied. The fact of being confluent is an immediate consequence of the fact that the set of equations is closed under the rules of the superposition calculus [16].⁸ 8 In fact, ins(e, mty)Us = ins(e, s) is obtained by superposition of (18) and (19). As a consequence, we are entitled to define a function .' on terms of SSET obtained by using Facts 1 and 2. By abuse of notation, we extend such a function to formulae as follows: Φ' will denote the formula obtained from Φ by applying .' to its sub-terms. Then, we introduce the set Ax(SSET') of axioms obtained from Ax(SSET) by replacing (5) and (6) with

where E, F are variables of sort elem and S is a variable of sort set. The signature of SSET' is obtained from that of SSET by replacing {_} with ins.

Fact 3 Φ is SSET - satisfiable iff Φ' is SSET' - satisfiable.

To see this, it is sufficient to observe that both (20) and (21) are logical consequences of Ax(SSET) and of (18) and (19). Now, we consider the mapping T^' from ground terms of SSET^' to pairs of ground terms and set of formulae of defined as follows, where i and u are fresh constants of sort index and array, respectively:

Lemma 1Let t be a ground term on the signature of SSET and t' be the translated, term on the signature of SSET'. Let T(t) = (s,α) and . Then, s = s' is a logical consequence of , α, α', (15), (16) and (17).

Again, the proof is obtained by induction on the structure of the term t and therefore is omitted. If we define F^' as F above where the calls to T are replaced with calls to T', then we can easily derive that ψ is logically equivalent to modulo as a corollary of Lemma 1, where (ψ,α) = F(Φ) and (ψ', α') = F(Φ'). The following diagram summarizes the situation:

Proof of Theorem 1. We prove (the counterpositive of) if Φ is satisfiable modulo SSET then is satisfiable modulo . First of all, we translate the formula Φ of SSET to a formula Φ^' of SSET ^' by using Fact 1 and Fact 2. Then, we observe that the translation of the ground instances of the axioms in Ax(SSET') (under F') are all logical consequences of Ax(). If Φ' is the formula of which is the translation of Φ' under F^', then, by Fact 3, Lemma 1, and the previous observation, we are entitled to conclude that is unsatisfiable modulo SSET if is unsatisfiable modulo . The other implication of the biconditional is similar and therefore omitted.

3.4 Two Important Extensions

In order to enlarge the scope of applicability of our technique, we consider two extensions of the translation defined above. The former handles (a restricted form of) the cardinality operator which is frequently used in set-based specification. The latter considers non-ground formulae containing quantifiers over the elements of the universal set. We do not consider quantifiers over sets since it is well-known that the full first-order theory of arrays is undecidable (see [3] for further references on this point).

The cardinality operator. Let us consider only ground atoms of the form card(s) = k, where s is a term of sort SET and k is a given numeral. Then, we can replace each atom of the form card(s) = k with s = {f1,...,fk}, where f_ι is a fresh constant of sort ELEM (for ι = 1,...,k). After the exhaustive application of such a rule we obtain a formula of SSET which can be translated to described above. We can generalise the approach to handle more complex arithmetic relation. For example, card(active) < 1 can be rewritten as card(active) = 0∨ (active) = {f₁} which, in turn, rewrites to active = Φ ∨ active = {f₁}, where f₁ is a fresh constant of sort ELEM. Formally, we extend the definition of F above as follows:

where

where q is a fresh propositional letter, k is a numeral constant denoting an integer s.t. k ≠ 0, T(e) = (ê,α),

.

By applying the above three equations defining the extension of F, we can eliminate all occurrences of the cardinality operator in a formula. As a consequence, we obtain a formula of SSET to which Theorem 1 is still applicable. In other words, Theorem 1 can be straightforwardly adapted to hold for the extension of SSET with the restricted form of the cardinality operator considered here.

Quantifiers over set elements. Frequently, the proof obligations resulting from the verification of invariants of B machines are not ground. They usually contain quantifiers over the elements of a certain set. For example, we will obtain existentially quantified sub-formulae whenever we handle the non-deterministic choice operator (i.e. ANY), see the Example below. To handle quantifiers over elements of sets, we define the function F^Q to be equal to F on ground formulae and s.t.

where x is a variable of sort ELEM, Q is either ∀ or , and .

Example 2(The Process Scheduler-continued) The before-after predicate P_swapin (1) is translated, to the predicate :

wherew, a, rand their primed versions are variables of sort ARRAY.

It is possible to express the set-theoretic constructs in the verification condition (3) by using the translation described above, thereby obtaining the formula

of (pure) first-order theory (with equality), where is as specified, above and Inv^sqis the translation of Inv. If we reason by refutation, Theorem 1 allows us to say that the satisfiability of the negation of (23) modulo is equivalent to the satisfiability of the negation of (3) modulo SSET . It is easy to see that in the negation of (23), the variables r, w, a, r^', w^' and a^' become existentially quantified while the variable pr in will still be existentially quantified. As a consequence, all the variables can be replaced by Skolem constants so that the negation of (23) can be considered as a ground formula (see Section 4 for a more systematic handling of quantifiers).

Theorem 1 can be extended to the restricted class of quantified formulae considered here by using the following observations. First, the function T above acts as the identity on ground terms of sort elem. Second, a quantified formula is unsatisfiable iff there exists a ground instance which is unsatisfiable by Her-brand Theorem (see, e.g. [7]). Let G be the function that given an unsatisfiable quantified formula returns its (smallest) unsatisfiable ground instance. Then, it is not difficult to show that yis logically equivalent to modulo where and .

3.5 Relationships with WS1S

The reader with some knowledge of WS1S [6] may wonder whether SSET can be translated to such a logic so that proof obligations can be discharged by existing tools such as, for example, Mona [13]. The answer to this question is indeed positive. However, we point out that the proof obligations generated in our applications are typically very big since the original AM is large. Now, Mona suffers from memory consumptions problem as all tools based on automata do. For this reason, in practice, Mona does not seem suited to handle some of the largest proof obligations arising in our applications (see Section 4.4 for more details on this issue). Furthermore, as already noted above, our approach can be extended to handle more expressive set theories. This is not the case for the translation whose target is the MONA tool. Since WS1S logic can only handle primitive elements (integers) and sets of primitive elements, it is not straightforward to encode in such logic a set of sets of primitive elements. Our theory extends to sets of sets of primitive elements, and so on, simply by extending the theory of arrays accordingly.

4 Discharging Proof Obligations

We are left with the problem of checking that formulae of first-order logic with equality, such as (23), are logical consequences of the equational theory . To do this, we reason by refutation and prove that the negation of the formula is unsatisfiable modulo .

Example 3(The Process Scheduler-continued) To discharge proof obligation (23), we prove that

is unsatisfiable modulo.

Our refutation-based theorem proving technique consists of three phases. We describe them in detail in the following subsections.

4.1 Eliminating Quantifiers

We show how to reduce the satisfiability of a first-order formula Φ (possibly containing quantifiers) modulo to the satisfiability of a ground formula Φ_g modulo a theory is satisfiable modulo iff Φ_g is satisfiable modulo and . The key idea is to transform Φ into a ground formula Φ_g by replacing the quantified sub-formulae of Φ with fresh propositional letters and to add their definitions Δ to the axioms in such a way that is satisfiable iff is.

Some preliminary definitions (borrowed from [19]) are required. A position is a word over the natural numbers. The set pos(Φ) of positions of a formula Φ is defined as follows: the empty word ∈ is in pos(Φ), i.p is in pos(Φ) if Φ is of the form Φ₁ ° ... ° Φ_n, 1 < ι < n, p is in pos(Φ_ι), and ° is a Boolean connective or a quantifier; nothing else is in pos(Φ). We define Φ|_∈ to be Φ and Φ|_i.p to be Φ_ι|_p when Φ is of the form Φ₁ ° ... ° Φ_n. We write Φ[ψ]_p when is Φ and Φ[x/c] to denote the formula obtained by replacing all the occurrences of x with c in Φ. The polarity poZ(Φ, π) of the formula Φ|πoccurring at position π in a formula Φ is defined as follows: pol(Φ, ∈) := +1, poZ(Φ,π.ι) := pol(Φ,π) if Φ|_π is a conjunction, disjunction, formula whose top-most symbol is a quantifier, an implication with ι = 2, or an if then else with ι = 2 or ι = 3, pol(Φ,π.ι) := - pol(Φ, π) if Φ|_π is a formula whose top-most symbol is the negation or the implication with ι = 1, and finally, pol(Φ, π.ι) := 0 if Φ|_π is a formula whose top-most symbol is the biconditional or the if then else with ι = 1. We say that the variable x of Qx.ψis essentially existentially quantified, in the formula Φ[Qx.ψ]_π either when Q is and pol(Φ,π) = -1 or when Q is and pol(Φ, π) = +1. Now, we are in the position to describe the details of our algorithm to handle quantifiers.

First of all, a pre-processing step replaces all essentially existentially quantified variables a with fresh Skolem constants and their quantifiers are removed. This can be mechanised by invoking the function dropExistential which is defined in Figure 2 together with the auxiliary function de whose second parameter is the polarity of the sub-formula being considered (in the Figure, for the sake of conciseness, the mixfix Boolean connective if then else has been written as the prefix ternary operator ite). It is easy to check that f is satisfiable iff dropExistential(Φ) is.

Then, since we want to preserve the propositional structure of the formula as much as possible (so that it can be exploited by haRVey in the following phase), we move quantifiers as far inwards as possible. To this end, we use all the rules to transform a formula into prenex form⁹ 9 A formula is in prenex form if it has the structure Qixi...Q nXn .f,where Qi is either V or 3, Xi is a variable (i = 1, n), and <f> is a quantifier-free formula whose free variables (see again [12] for details) but in the opposite direction. For example, the formula is transformed to does not occur in ψ. This operation, known as miniscoping, can be mechanised as shown in Figure 3. We assume that only formulae obtained as the result of the invocation of dropExistential are fed to mini. The function is defined on the structure of first-order formulae. When it encounters an atomic formula it simply returns it whereas when a quantified sub-formula is met, the auxiliary function m_q is invoked. In the definition of m_q, the following notation is used: Q abbreviates either or , - Q abbreviates () when Q is (), ν (Φ) denotes the set of free variables in Φand x^' is a fresh variable. The first and the second arguments of m_q are the quantifier and the quantified variable whose scope is reduced by the function while the third argument is the already processed sub-formula. Again, it is a routine exercise to check that Φ is satisfiable iff mini(Φ) is.

As the third and last step, we replace each outermost quantified sub-formula ψ with a fresh propo-sitional letter q and we add q ⇒ ψ (resp. ψ ⇒ q, q ⇔ ψ) to if Φ|_π = ψ and pol(Φ,π) = +1 (resp. pol(Φ,π) = -1, pol(Φ,π) = 0). Notice that if there is a quantified sub-formula ψ' occurring in ψ, we do not recursively apply the above process to ψ' but we stop at ψ. This is a heuristic decision which seems to give good results in practice. The mechanization of this last phase is given in Figure 4. We assume that only formulae obtained from the applications of dropExistential first followed by mini are passed to renameFormula. The first argument of the auxiliary function rf is the formula being considered and the second is its polarity. The function returns a pair whose first argument is the result of replacing quantified sub-formulae with fresh propositional letters and the second is the set of implications between quantified sub-formulae and propositional letters to be added to the background theory. We can show that Φ is satisfiable iff Φ' ∧ Φ is, where (Φ', Φ) = renameFormula(Φ). The proof is by induction on the structure of the formula Φ. To illustrate, we consider the case where Φis of the form ξV 3x.ψ s.t. renameFormula(Φ) = (ξ ∨ q, {q ⇒ x.ψ}), where q is a fresh propositional letter. Now, any model of (ξ ∨ q) ∧ (q = x.ψ) is also a model of ξ V x.ψ since this last is a logical consequence of ξ ∨ q and q ⇒x.ψ. Conversely, a model for (ξ ∨ q) ∧ (q = x.ψ) can be obtained from a model for ξ ∨ x.ψ by defining q s.t. satisfies q ⇔x.ψ. The remaining cases are similar and therefore omitted.

Let (Φ_g,Φ_g) = renameFormula(mini(dropExistential(Φ))) and be the theory axiomatized by ∪_Φg.

Theorem 2 Φ is satisfiable modulo iff (the ground formula) Φ_gis satisfiable modulo .

The proof of this theorem is an immediate consequence of the fact that each function preserves satisfiability as argued above.

Example 4(The Process Scheduler-continued) Let us consider formula (24). First of all, we replace the outermost existentially quantified variables with fresh constants obtaining the formula:

which is satisfiable iff (24) is (by basic properties of first-order logic [12]).¹⁰ 10 If the formula contains free variables we take its existential closure. The sub-formula in the formula above is left unmodified, since the only existential quantifier cannot be further moved inward and we replace the existentially quantified sub-formula by the fresh propositional letter q. Thus, we obtain the following equisatisfiable formula

and the formula wr(mty,pr,tt) is added to

4.2 Checking Satisfiability

We are left with the problem of checking the unsatisfiability of the ground formula Φ_g modulo the first-order theory . We solve this problem by invoking haRVey¹¹ 11 http://www.loria.fr/equipes/cassis/softwares/haRVey , a tool based on the flexible and efficient combination of BDDs and superposition theorem proving (see [10] for details). The idea is to abstract ground atoms to propositional letters and then let BDDs represent the Boolean structure of (an abstraction of) Φg . Since it is easy to extract the Disjunctive Normal Form (DNF) of Φg from its BDD representation, we check the satisfiability of each disjunct in the DNF modulo by invoking a superposition theorem prover. In practice, a refinement of this schema which greatly improves performances (based on the capability of generating suitable lemmas to simplify the BDD) is implemented in the system. In order to build procedures which check for the satisfiability modulo a first-order theory, we adopt the superposition-based approach of [3]. This permits the flexible implementation of many decision (and semi-decision) procedures by simply feeding a superposition theorem prover with the axioms of the theory and the literals to be proved satisfiable. It is also an efficient alternative to specialized decision procedures as shown in [2, 10].

The algorithm underlying haRVey is shown in Figure 5. Let Atm be the set of distinct ground atoms in Φ_g and P_Atm be a set of propositional letters s.t. the cardinalities of Atm and P_Atm are equal and Atm ∩ PA_tm = ∅. Let atm2pl be a bijective function from Atm to P_Atm. We define the mapping fol2prop from the ground first-order formula Φ_g to a propositional formula as the homeomorphic extension of atm2pl to Φg. Then, abs takes the propositional formula returned by fol2prop and builds its BDD representation Φª. The function pickBranch selects a branch βª of the BDD Φª going from the root to the node labelled by true; βª is a conjunction of propositional literals. We assume that prop2fol is the inverse of fol2prop so that its result is a conjunction of ground first-order literals. Furthermore, we require that checkSatBranch iff n is a sub-formula of β and it is unsatisfiable modulo ; thereby checkSatBranch is a decision procedure for the problem of checking whether a conjunction of ground literals is satisfiable modulo with the capability of returning small subsets of the input literals which are unsatisfiable. Such a set of literals can then be used to simplify the BDD, as shown by the last statement of the loop in Figure 5. We consider the branches (leading to the leaf labelled with true) in the BDD until one is shown to be satisfiable modulo (in which case, we return that Φ_g is satisfiable) or the BDD has been reduced to ⊥ (i.e. false) by interleaving unsatisfiability checking and BDD simplification steps.

4.3 Providing the User with CounterExamples

If a branch β has been found satisfiable by haRVey, then we can use it as the starting point to build a model for the formula Φ_g under consideration, i.e. a counter-example for the formula to be proved valid (which is the negation of Φ_g). Notice that this is an advantage w.r.t. building a model for the whole formula Φ_g since the branch is usually much smaller.

In preliminary investigations, we have tried to build a (finite) model of β by using state-of-the-art model finders (such as MACE¹² 12 http://www-unix.mcs.anl.gov/AR/mace2/ and SEM¹³ 13 http://www.cs.uiowa.edu/~hzhang/sem.html ) without success. As a matter of fact, the theory generates a search space which is too large to be treated in a reasonable amount of time. In order to overcome these difficulties, we have investigated the possibility to use the CLPS tool [5], a constraint solver for the theory of Hereditarily Finite Sets with Atoms which includes SSET . This tool has already been successfully used on industrial verification problems. Since the input language of CLPS is based on set theoretic constructs, we need to translate the branch β back to a conjunction η of literals in SSET. Once the universal set of the AM (cf. the set PID in Figure 1) is manually instantiated to a certain finite set, CLPS can find a solution (if any) to η which (possibly) constitutes a transition of (an instance of) the AM leading to a state which violates the invariant. However, notice that we are not guaranteed that such a state is reachable by executing the AM starting in the initial state (specified by the clause INITIALISATION in Figure 1). To establish whether the state is reachable or not, two solutions are possible. First, one can use an animation tool (e.g. the one integrated in [14]) in order to discover if there exists an execution of the AM going from the initial state to the one found by CLPS. Second, use a model checker (such as SMV) to check whether the state found by CLPS is reachable from the initial state. In this second case, we should translate the AM to the input language of the model checker. This should be possible because we are considering a finite instance of the original AM since we have instantiated to a finite set the universal set in the AM in order to invoke CLPS. Once the reachability of the state found by CLPS is established, the counter-example can be used as the basis to correct the initial AM, either by changing the system or by strengthening the invariant.

Example 5(The Process Scheduler-continued) To illustrate, we consider the (erroneous) specification of the Ready operation given in Figure 6, which must be considered as part of the AM in Figure 1. In this operation, a process pw, that has been waiting, is somehow unblocked and can go to the ready state or to the active state, if the system is idle. The bug consists of leaving pw in waiting. As a result, the invariant is violated since the intersection of waiting and active at the next state will contain pw and will no more be empty. (Notice that to correct the problem it is sufficient to uncomment the line delimited, by /* and */ in Figure 6.) We want to detect the anomalous situation by using the approach described above. First, we generate the verification condition (along the lines of Section 2). Then, we translate and manipulate the resulting formula so that haRVey can process it (cf. Sections 3 and 4). The system finds that the proof obligation is not valid and returns the following set ofliterals (intended, conjunctively): {q₀, qi, q₂, q₃, active = mty, waiting' = waiting, ready' = ready, active' = Í25, rd(waiting,pw) = tt, iiy = mty, i_M = mty, in = mty, i₃₅ ≠mty}.¹⁴ 14 The output of haRVey has been slightly edited in order to improve the readability. As the reader can see, it is quite difficult to understand the problem in the specification by looking at this set of literals, even for this simple example. As a matter of fact, it is rather obscure to see the meaning of the propositional letters q0, ... , q3 and of the constants i₂E,i₃₅ which have been introduced to eliminate set-theoretic constructs and quantifiers as specified in Sections 3 and 4.1. However, it is easy to maintain a table (during the translation) which associates the original set theoretic literals with the literals passed to haRVey. The table for the formula under consideration is shown in Table 1. The boxed literal corresponds to the violation of the invariant, namely the intersection of waiting and active at the next state will be non-empty (contrary to what is stated in the clause INVARIANT of Figure 1). Now, we can invoke the CLPS solver on the conjunctions of the literals in the right column of Table 1 after having instantiated, the universal set PID to be the singleton set {pi}. The solver returns the following solution for such a set of constraints:

Then, the user is free to run an animation tool so to check that the state identified, by (25) is reachable from the initial state given in Figure 1. Afterwards, he/she can make modification to the operation (sometimes, it is also required to strengthen the invariant to make it inductive) so that the generated proof obligation will be found valid. After some experiments with the animation tool, it is easy to see that all we need to do is to add the commented, line of Figure 6 to correct the bug.

4.4 Prototype Implementation

The architecture of our system is depicted in Figure 7. The box with round corners contains the functionalities we have implemented so far and the boxes outside are the tools which are already available. bam2rv¹⁵ 15 http://lifc.univ-fcomte.fr/~giorget"t/Rech/Software/ bam2rv/ takes a B abstract machine and returns a set of proof obligations in pure equational first-order logic along the lines of Section 3. rvqe¹⁶ 16 http://lifc.univ-fcomte.fr/~couchot/rvqe is a pre-processor to eliminate the quantifiers from the proof obligations along the lines of Section 4.1. The second and the last authors are also developing haRVey [10] as a flexible and efficient reasoning module to be used in larger verification tools, as it is the case for the application described here. bam2rv and rvqe are implemented in Java while haRVey is developed in C. The various tools exchange information by using the ATerms data struc-ture.¹⁷ 17 http://www.cwi.nl/htbin/seni/twiki/bin/view/SEN1/ATermLibrary Let us briefly analyse the flow of the data in the architecture. The specification of a B machine annotated with an invariant is given to bam2rv. This module translates the various B operations into before-after predicates and constructs the proof obligations entailing that the specified invariant is an inductive invariant of the system by eliminating set-theoretic operators. These proof obligations are formulae of first-order logic with equality possibly containing quantifiers. Notice also that the association between literals containing set-theoretic constructs and their translation to formulae of pure equational first-order logic are stored in DB. Then, the negation of the proof obligations are sent to rvqe which eliminates the quantifiers occurrences and builds a rich background theory so as to take into account the quantified subformulae. These ground formulae and theory are sent to haRVey which is capable of proving their satisfiability or unsatisfiability. If these formulae are all unsatisfiable, then we are entitled to conclude that the original proof obligations are valid and the specified invariant is an inductive invariant of the system. If a formula is satisfiable, then a conjunction of literals in the formula is returned by haRVey from which a counter-example can be built. To do this, we retrieve from DB the set-theoretic literals associated with the literals returned by haRVey and we invoke the CLPS solver on the resulting set of literals. This will return a candidate solution representing a state of the AM which falsifies the invariant. Then by means of an animation tool or a model checker, we can check whether the state is reachable from the initial state or not. If so, the error trace is shown to the user which can modify the specification in order to correct the problem. If the state is not reachable, then we ask the CLPS solver to return a new solution and we check whether the new state is reachable and so on. The prototype tool is indeed capable of discharging all the proof obligations of the process scheduler discussed here and to detect the invalidity of those generated from some buggy versions.

4.5 Experimental Results

Table 2 presents a comparison of an implementation of our approach with AtelierB.¹⁸ 18 All the experiments have been run on a Pentium II 250 Mhz running Linux with 128 Mb of RAM. Timings are expressed in seconds. The first column ("Model") lists the identifier of the considered B AMs. The columns haRVey, bam2rv, and rvqe give the partial time spent in each module of the system while the column "Total" lists the total time to prove the invariant of the machine (which is the sum of the times in the previous three columns). The column AtelierB gives the time spent by this commercial tool on the various machines.

Four problems have been considered: "Pidset" is the running example used in this paper, "Robot" is a device to move blocks around, "T=1" is a communication protocol between a smart card and its reader, and "SCard" specifies a smart card terminal developed by an industrial partner. The first three problems are small (at most one A4-page) while the last consists of about six A4-pages without comments. We stress here that "SCard" is the perfect example of the kind of specifications our technique has been designed for, i.e. large models with a rich control path (giving rise to a large and complex Boolean structure of the resulting proof obligation obligations) performing operations on relatively simple data structures (which require only selected fragments of set theory, such as SSET , to be specified).

Experience. AtelierB (we have used version 3.6_BOM.l) is one order of magnitude faster than our tool on the three small problems but it aborts (cf. ) after 45 minutes on the last. The reasons for these results are mainly two. First, the tools bam2rv and rvqe are still prototypes which have not been coded with efficiency in mind. We believe that their execution time can be reduced of one order of magnitude with some care. This would yield a substantial speed-up for the first three examples where the execution times of bam2rv and rvqe represent from 50% to 70% of the total time. Second, our system scales up more smoothly to the industrial specification "SCard" than AtelierB because of the integration between Boolean reasoning (the BDD library) and first-order reasoning (the E prover) featured by haRVey. In particular, we believe that its capability of pruning the BDD representing the Boolean structure of the proof obligation by using the information received from the prover is the key to the scalability. In fact, AtelierB finds large proof obligations with rich Boolean structures difficult to handle because it tries to break them down to small formulae with a very simple Boolean structure by using a Tableau-like technique (see e.g. [8]), whose efficiency is well-known to be inferior to BDDs. Furthermore, it does not exploit the proof of a sub-formula to prune the search space of the Tableau procedure and this may result in the generation of a dramatic number of formulae to be discharged by the first-order reasoner. This analysis is confirmed by the fact that for "SCard", AtelierB generates more than 10 , 000 formulae (its maximal bound) after about 45 minutes.

We have also built a prototype tool which encodes the proof obligations in the logic of WS1S¹⁹ 19 This is possible as observed in Section 3.5. so that the system Mona [13] can be invoked. On "SCard", Mona runs out of memory after two hours of computation, having built more than 140 automata in memory.

We believe that these preliminary results confirm the viability of our approach.

5 Conclusion and Future Work

We have presented a technique to prove invariants of model-based specifications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. A theorem proving procedure automating the verification of the proof obligations obtained by the translation has also been described. The technique has been implemented and experimental results confirm the viability of our approach.

The lines of future research are essentially fourfold. First, we envisage extending the decidability result for in [3] to the theory considered in this paper. Second, we plan to handle a larger number of constructs: on the one hand we will integrate operators as Cartesian product and relations which are commonly used in state-based specifications and, on the other hand, we will add some B syntactic sugar. Third, we want to integrate the CLPS solver in our tool so that meaningful counter-examples can be automatically built from failed proof attempts. Finally, we plan to apply our technique to a larger number of case studies.

Acknowledgement

We thank Frédéric Dadeau for his implementation of bam2rv and many useful discussions on the work reported in the paper. We would also like to thank Dominique Cansell and Stephan Merz for useful comments on a preliminary version of this paper.

Publication Dates