Abstract

Observational transition systems (OTSs) are state machines that can be described as behavioral specifications in CafeOBJ, an algebraic specification language and processor. The OTS/CafeOBJ method uses OTSs and CafeOBJ for systems specification and verification. Simultaneous induction is intensively used in the method to prove that an OTS enjoys invariants. To prove that two state predicates p and q are invariants with respect to an OTS S, simultaneous induction generates the proof obligations: (1) p(υ₀) and p(υ) ∧ q(υ) ⇒ p(υ′), and (2) q(υ₀) and p(υ) ∧ q(υ) ⇒ q(υ′), for each initial state υ₀, each state υ and each successor state υ′ of υ. Instead, we may also use the proof obligations: (1) q(υ) ⇒ p(υ), and (2) q(υ₀) and p(υ) ∧ q(υ) ⇒ q(υ′). The proof technique generating proof obligations like this is called semi-simultaneous induction. This proof obligation is equivalent to (1) q(υ) ⇒ p(υ), and (2) q(υ₀) and q(υ) ⇒ q(υ′). But the former may need fewer cases, making proofs shorter, than the latter. More importantly, the former makes it possible to record the process by which lemmas have been conjectured. This article demonstrates some benefits of (semi-)simultaneous induction, describes semi-simultaneous induction and justifies it.
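The soundness argument behind the semi-simultaneous obligations, written out as an added worked derivation that is not part of the abstract; it uses the abstract's own symbols and assumes the standard notion of reachability in an OTS (a state is reachable if it lies on a finite transition path from some initial state υ₀):

$$
\begin{aligned}
&\text{Assume (1)}\quad \forall \upsilon.\; q(\upsilon) \Rightarrow p(\upsilon), \\
&\text{and (2)}\quad q(\upsilon_0) \;\wedge\; \forall \upsilon,\upsilon'.\; \bigl(p(\upsilon) \wedge q(\upsilon) \Rightarrow q(\upsilon')\bigr)
  \text{ for every successor } \upsilon' \text{ of } \upsilon. \\[4pt]
&\text{Claim: } q \text{ (and hence } p\text{) holds in every reachable state.} \\[4pt]
&\text{Induction on the length } n \text{ of the path } \upsilon_0 \to \upsilon_1 \to \cdots \to \upsilon_n: \\
&\quad n = 0:\; q(\upsilon_0) \text{ by (2).} \\
&\quad n \to n+1:\; q(\upsilon_n) \text{ (IH)} \;\Rightarrow\; p(\upsilon_n) \text{ by (1)}
  \;\Rightarrow\; p(\upsilon_n) \wedge q(\upsilon_n) \;\Rightarrow\; q(\upsilon_{n+1}) \text{ by (2).} \\[4pt]
&\text{Finally, } q(\upsilon) \Rightarrow p(\upsilon) \text{ by (1), so } p \text{ is an invariant as well.} \\[4pt]
&\text{Equivalence with the simpler form: under (1), }
  p(\upsilon) \wedge q(\upsilon) \;\equiv\; q(\upsilon),
  \text{ so } \bigl(p(\upsilon) \wedge q(\upsilon) \Rightarrow q(\upsilon')\bigr)
  \;\equiv\; \bigl(q(\upsilon) \Rightarrow q(\upsilon')\bigr).
\end{aligned}
$$

The practical difference the abstract points at is the case analysis: when discharging the inductive step, the extra hypothesis p(υ) is available as a lemma, so branches that would otherwise need p(υ) to be re-established can be closed immediately, and the obligation itself records that p was the lemma conjectured to prove q.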
