Mechanically certifying formula-based Noetherian induction reasoning
- Research Article
- 10.1007/s00165-018-0471-5
- Oct 11, 2018
- Formal Aspects of Computing
We present a deductive proof system that automatically proves separation logic entailments by mathematical induction. Our technique is called the mutual induction proof. It is an instance of well-founded induction, also known as Noetherian induction. More specifically, we propose a novel induction principle based on a well-founded relation over separation logic models. We implement this principle explicitly as inference rules so that it can be integrated easily into a deductive proof system. Our induction principle allows the goal entailment and other entailments derived during the proof search to be used as hypotheses that mutually prove each other, which increases the chance of proving the goal entailment. We have implemented this mutual induction proof technique in a prototype prover and evaluated it on two entailment benchmarks collected from the literature as well as on a synthetic benchmark. The experimental results are promising: our prover proves most of the valid entailments in these benchmarks and performs better than other state-of-the-art separation logic provers.
- Conference Article
- 10.1109/synasc.2016.018
- Sep 1, 2016
Structural and (Noetherian) cyclic induction are two instances of the Noetherian induction principle adapted to reasoning in first-order logic. From a theoretical point of view, every structural proof can be converted to a cyclic proof, but the converse is only conjectured. From a practical point of view, i) structural induction principles are built in, or issued automatically from the analysis of recursive data structures, by many theorem provers, and ii) implementing cyclic induction reasoning may require additional resources such as functional schemas, libraries and human interaction. In this paper, we first define a set of conjectures that can be proved using cyclic induction and following a similar scenario. Next, we implement cyclic induction reasoning in the Coq proof assistant. Finally, we show that the scenarios for proving these conjectures with structural induction differ in the number of induction steps and lemmas, as well as in the proof scenario itself. We identified three conjectures from this set that are hard or impossible to prove by structural induction.
- Conference Article
- 10.4230/lipics.csl.2018.17
- Jan 1, 2018
- DROPS (Schloss Dagstuhl – Leibniz Center for Informatics)
Transitive closure logic is a known extension of first-order logic obtained by introducing a transitive closure operator. While other extensions of first-order logic with inductive definitions are a priori parametrized by a set of inductive definitions, the addition of the transitive closure operator uniformly captures all finitary inductive definitions. In this paper we present an infinitary proof system for transitive closure logic which is an infinite descent-style counterpart to the existing (explicit induction) proof system for the logic. We show that, as for similar systems for first-order logic with inductive definitions, our infinitary system is complete for the standard semantics and subsumes the explicit system. Moreover, the uniformity of the transitive closure operator allows semantically meaningful complete restrictions to be defined using simple syntactic criteria. Consequently, the restriction to regular infinitary (i.e. cyclic) proofs provides the basis for an effective system for automating inductive reasoning.
- Book Chapter
- 10.1007/978-3-642-16265-7_23
- Jan 1, 2010
We give evidence of the direct integration and automated checking of implicit induction-based proofs inside certified reasoning environments, such as that provided by the Coq proof assistant. This is the first step of a long-term project focused on 1) mechanically certifying implicit induction proofs generated by automated provers like Spike, and 2) narrowing the gap between automated and interactive proof techniques inside proof assistants, so that multiple induction steps can be executed completely automatically and mutual induction can be treated more conveniently. Contrary to current approaches, which reconstruct implicit induction proofs into scripts based on the explicit induction tactics built into the usual proof assistants, our checking methodology is simpler and better suited to automation. The underlying implicit induction principles are separated and validated independently from the proof scripts, which consist of one-to-one translations of implicit induction proof steps. The translated steps can be checked independently too, so the validation process lends itself to parallelisation and to the management of large proof scripts. Moreover, our approach is more general: any kind of implicit induction proof can be considered, because the limitations imposed by proof reconstruction techniques no longer apply. An implementation that integrates automatic translators for generating fully checkable Coq scripts from Spike proofs is reported.
- Conference Article
- 10.2514/6.2005-6913
- Jun 15, 2005
- Infotech@Aerospace
Code generators can address many of the increasing demands placed on software in the aerospace industry, yet trust in the code produced by commercial generators is notoriously difficult to achieve and traditionally relies on qualification of the generator. We describe an alternative approach that directly ensures trust in each individual generated program, using a combination of three fully automated formal techniques: i.) the generation of safety proofs, ii.) the generation of documentation that explains the generated code, and iii.) the generation of hyperlinks between all the elements of the code generation and certification process. Our approach is integrated with the AutoFilter generator for state estimation code, but it could, in principle, also be integrated with commercial code generators such as RealTime Workshop.
- Research Article
- 10.1016/j.jlamp.2020.100619
- Oct 29, 2020
- Journal of Logical and Algebraic Methods in Programming
Reachability Logic is a formalism that can be used, among other things, for expressing partial-correctness properties of transition systems. In this paper we present three proof systems for this formalism, all of which are sound and complete and inherit the coinductive nature of the logic. The proof systems differ, however, in several aspects. First, they use induction and coinduction in different proportions. The second aspect is compositionality, broadly meaning their ability to prove simpler formulas on smaller systems and to reuse those formulas as lemmas for proving more complex formulas on larger systems. The third aspect is the difficulty of their soundness proofs. We show that the more induction a proof system uses, and the more specialised its use of coinduction (with respect to our problem domain), the more compositional the proof system is, but the more difficult its soundness proof becomes. We present formalisations of these results in the Coq proof assistant. In particular, we have developed support for coinductive proofs that is comparable to that provided by Coq for inductive proofs. This may be of interest to a broader class of Coq users.
- Book Chapter
- 10.1007/978-3-540-45085-6_26
- Jan 1, 2003
This paper presents ongoing research on theoretical and practical issues of combining rewriting-based automated theorem proving with user-guided proof development, under the strong constraint that the two cooperate safely. In practice, we instantiate the theoretical study on the Coq proof assistant and the ELAN rewriting-based system, focusing first on equational and then on inductive proofs. Different concepts, especially the rewriting calculus and deduction modulo, contribute to defining and relating proof search, proof representation and proof checking.
- Conference Article
- 10.1109/rtss.2018.00039
- Oct 24, 2018
This paper presents a generic proof of Typical Worst-Case Analysis (TWCA), an analysis technique for weakly-hard real-time uniprocessor systems. TWCA was originally introduced for systems with fixed priority preemptive (FPP) schedulers and has since been extended to fixed-priority nonpreemptive (FPNP) and earliest-deadline-first (EDF) schedulers. Our generic analysis is based on an abstract model that characterizes the exact properties needed to make TWCA applicable to any system model. Our results are formalized and checked using the Coq proof assistant along with the Prosa schedulability analysis library. Our experience with formalizing real-time systems analyses shows that this is not only a way to increase confidence in our claimed results: The discipline required to obtain machine checked proofs helps understanding the exact assumptions required by a given analysis, its key intermediate steps and how this analysis can be generalized.
- Book Chapter
- 10.1007/bfb0049339
- Sep 13, 1993
A "linear-style" sequent calculus makes it possible to explore the close structural relationships between primitive recursive programs and their inductive termination proofs, and between program transformations and their corresponding proof transformations. In this context the recursive-to-tail-recursive transformation corresponds, proof-theoretically, to a certain kind of cut elimination, called here "call-by-value cut elimination".
- Dissertation
- 10.17760/d20698934
- Jan 1, 2024
Distributed protocols serve as the foundation of modern fault-tolerant systems, making the correctness of these protocols critical to the reliability of large-scale database, cloud computing, and other decentralized systems. Formally modeling and automatically verifying the safety of distributed systems, however, remains an important and difficult challenge that has traditionally required a large amount of human effort. A fundamental approach to reasoning about the correctness of these protocols involves specifying system invariants, which are assertions that must hold in every reachable system state. The classical technique for proving that such a system satisfies a given invariant is to discover an inductive invariant: an invariant that is typically stronger than the desired system invariant and is preserved by all protocol transitions. Discovering inductive invariants is typically one of the most challenging aspects of verification. In this dissertation, we attempt to advance the state of the art of inductive safety verification of distributed protocols, both by manual and automated techniques, and by improving the interpretability of formal inductive proof artifacts as they are developed and evolved. We first present the design and formal specification and verification of a novel, logless dynamic reconfiguration protocol for Raft-based replication systems. Ours is the first formal specification and verification of the safety of a reconfigurable, Raft-based consensus protocol. We focus on a Raft-based dynamic reconfiguration protocol employed in the widely used MongoDB distributed database system. We present a formally stated inductive invariant for the protocol, which we formally prove and use to establish high-level safety properties of the protocol. We next present a new technique for automatically inferring inductive invariants of parameterized distributed protocols specified in TLA+.
We present a new algorithm for inductive invariant inference that is based on a core procedure for generating plain, potentially non-inductive lemma invariants that are used as candidate conjuncts of an overall inductive invariant. We couple this with a greedy lemma invariant selection procedure that, at each round of the inference procedure, selects the lemmas that eliminate the largest number of counterexamples to induction. Finally, aiming to improve the interpretability of automated verification methods for these protocols, we present inductive proof decomposition, a compositional technique for inductive invariant inference that scales to large distributed protocol verification tasks and provides an interpretable proof artifact in case of failure and during development. Our technique is built on a core data structure, the inductive proof graph, which explicitly represents the relative induction dependencies of an inductive invariant and is built incrementally during the inference procedure. We present an inductive invariant synthesis algorithm that integrates localized syntax-guided lemma synthesis routines at nodes of this graph, accelerated by computation of localized grammar and state variable slices. If a complete inductive invariant cannot be produced, this proof graph structure allows failures to be localized to small sub-components of the graph, enabling fine-grained failure diagnosis and repair by a user. We evaluate our technique on several complex distributed and concurrent protocols, including a large, asynchronous specification of the Raft distributed replication protocol. (Author's abstract)
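The abstract above describes the core loop of inductive safety verification: a safety property that holds on every reachable state may still not be inductive, the states that witness this are counterexamples to induction (CTIs), and candidate lemmas are conjoined greedily according to how many CTIs they remove. The following added example (it is not code or a model from the dissertation) runs that loop on a constructed two-process lock protocol small enough to enumerate exhaustively; the protocol, the safety property, and the candidate lemmas are all assumptions made here for illustration.

```python
"""Inductive-invariant checking and greedy lemma selection on a toy
two-process lock protocol. Added example; the protocol, invariants and
candidate lemmas are constructed here and are not from the dissertation."""
from collections import deque
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# A state is (pc of process 0, pc of process 1, lock holder or None).
State = Tuple[str, str, Optional[int]]
Inv = Callable[[State], bool]
PCS = ("idle", "wait", "crit")
ALL_STATES: List[State] = [(a, b, lk) for a, b in product(PCS, PCS) for lk in (None, 0, 1)]
INIT: State = ("idle", "idle", None)


def successors(s: State) -> List[State]:
    """All states reachable in one protocol step (request, acquire, release)."""
    out: List[State] = []
    for i in (0, 1):
        pcs, lock = [s[0], s[1]], s[2]
        if pcs[i] == "idle":                        # request the lock
            pcs[i] = "wait"
        elif pcs[i] == "wait" and lock is None:     # acquire a free lock
            pcs[i], lock = "crit", i
        elif pcs[i] == "crit":                      # release the lock
            pcs[i], lock = "idle", None
        else:
            continue                                # waiting on a held lock
        out.append((pcs[0], pcs[1], lock))
    return out


def reachable() -> List[State]:
    """Breadth-first exploration from INIT (fine here: only 27 states exist)."""
    seen, todo = {INIT}, deque([INIT])
    while todo:
        for t in successors(todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return sorted(seen, key=repr)


def ctis(inv: Inv) -> List[Tuple[State, State]]:
    """Counterexamples to induction: s satisfies inv but a successor of s does not."""
    return [(s, t) for s in ALL_STATES if inv(s) for t in successors(s) if not inv(t)]


def is_inductive(inv: Inv) -> bool:
    return inv(INIT) and not ctis(inv)


def implies(a: Inv, b: Inv) -> bool:
    return all(b(s) for s in ALL_STATES if a(s))


# Safety property: mutual exclusion. It holds on every reachable state,
# but it is not inductive, because unreachable states such as
# ("crit", "wait", None) satisfy it and step into a violation.
def mutual_exclusion(s: State) -> bool:
    return not (s[0] == "crit" and s[1] == "crit")


# Constructed candidate lemmas; the third is a decoy that removes no CTI.
CANDIDATES: Dict[str, Inv] = {
    "p0_crit_implies_lock0": lambda s: s[0] != "crit" or s[2] == 0,
    "p1_crit_implies_lock1": lambda s: s[1] != "crit" or s[2] == 1,
    "never_both_wait": lambda s: not (s[0] == "wait" and s[1] == "wait"),
}


def greedy_strengthen(base: Inv, candidates: Dict[str, Inv]) -> Optional[List[str]]:
    """Each round, conjoin the lemma whose pre-state violation removes the most
    remaining CTIs. Returns the chosen lemma names, or None if no lemma helps."""
    chosen: List[str] = []

    def current(s: State) -> bool:
        return base(s) and all(candidates[n](s) for n in chosen)

    while True:
        remaining = ctis(current)
        if not remaining:
            return chosen

        def removed(name: str) -> int:
            return sum(1 for s, _ in remaining if not candidates[name](s))

        best = max(candidates, key=removed)     # first maximum wins ties
        if removed(best) == 0:
            return None
        chosen.append(best)


if __name__ == "__main__":
    print("CTIs of mutual exclusion alone:", ctis(mutual_exclusion))
    print("lemmas chosen:", greedy_strengthen(mutual_exclusion, CANDIDATES))
```

On this model the safety property has two CTIs, both with an unreachable pre-state; each lock-ownership lemma removes one of them, so the greedy loop picks both and stops with an invariant that is inductive and implies mutual exclusion. Exhaustive enumeration is what makes the CTI computation a one-liner here; for the parameterized TLA+ protocols the dissertation targets, the same CTIs come from a model checker or an SMT query rather than from a state list.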
- Research Article
- 10.2478/popets-2021-0061
- Jul 23, 2021
- Proceedings on Privacy Enhancing Technologies
This paper presents HashWires, a hash-based range proof protocol that is applicable in settings where there is a trusted third party (typically a credential issuer) that can generate commitments. We refer to these as "credential-based" range proofs (CBRPs). HashWires improves upon hash-chain solutions, which are typically restricted to micro-payments over small interval ranges, achieving an exponential speedup in proof generation and verification time. Under reasonable assumptions and performance considerations, a HashWires proof can be as small as 305 bytes for 64-bit integers. Although CBRPs are not zero-knowledge and are inherently less flexible than general zero-knowledge range proofs, we provide a number of applications in which a credential issuer can leverage HashWires to provide range proofs for private values, without having to rely on heavyweight cryptographic tools and assumptions.
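To make concrete what a credential-based range proof is and why plain hash chains do not scale, the following added example implements the hash-chain baseline that the abstract says HashWires improves upon; it is not code from the HashWires paper or its authors. The construction and parameters are assumptions made here: SHA-256 as the hash H, a public range [0, N], and two chains (one per bound) so that a holder can show lo ≤ value ≤ hi. The issuer is trusted to know the seeds and the holder's value, exactly the trust model the abstract describes.

```python
"""Hash-chain credential-based range proof: the baseline construction that
HashWires improves on. Added example, not code from the HashWires paper.
Constructed choices: SHA-256 as H, two chains (one per bound), fixed seed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_iter(x: bytes, n: int) -> bytes:
    """H^n(x): apply H n times (n >= 0)."""
    if n < 0:
        raise ValueError("negative iteration count")
    for _ in range(n):
        x = H(x)
    return x


@dataclass(frozen=True)
class Commitment:
    up: bytes        # H^N(s_up): anchors proofs of "value >= lo"
    down: bytes      # H^N(s_down): anchors proofs of "value <= hi"
    max_value: int   # N: the public range is [0, N]


@dataclass(frozen=True)
class Credential:
    value: int
    w_up: bytes      # H^(N - value)(s_up)
    w_down: bytes    # H^value(s_down)


class Issuer:
    """Trusted issuer: holds both chain seeds, publishes the commitment and
    gives each holder the chain elements that encode their private value."""

    def __init__(self, max_value: int, seed: Optional[bytes] = None) -> None:
        seed = os.urandom(32) if seed is None else seed
        self.max_value = max_value
        self._s_up = H(b"up|" + seed)        # domain-separated chain seeds
        self._s_down = H(b"down|" + seed)
        self.commitment = Commitment(
            up=hash_iter(self._s_up, max_value),
            down=hash_iter(self._s_down, max_value),
            max_value=max_value,
        )

    def issue(self, value: int) -> Credential:
        if not 0 <= value <= self.max_value:
            raise ValueError("value outside [0, max_value]")
        return Credential(value,
                          hash_iter(self._s_up, self.max_value - value),
                          hash_iter(self._s_down, value))


def prove_range(cred: Credential, lo: int, hi: int) -> Tuple[bytes, bytes]:
    """Holder side: show lo <= value <= hi without revealing value. The chains
    can only be walked forward, so a false claim would require a preimage of H."""
    if not lo <= cred.value <= hi:
        raise ValueError("claim does not hold for this credential")
    return (hash_iter(cred.w_up, cred.value - lo),    # = H^(N - lo)(s_up)
            hash_iter(cred.w_down, hi - cred.value))  # = H^hi(s_down)


def verify_range(c: Commitment, proof: Tuple[bytes, bytes], lo: int, hi: int) -> bool:
    """Verifier side: lo more hashes must reach c.up and N - hi more must reach
    c.down. Cost is O(N) hash calls, which is why plain chains suit only small
    ranges; a 64-bit value would need 2**64 hashes per chain."""
    if not 0 <= lo <= hi <= c.max_value:
        return False
    p_up, p_down = proof
    return (hmac.compare_digest(hash_iter(p_up, lo), c.up)
            and hmac.compare_digest(hash_iter(p_down, c.max_value - hi), c.down))


if __name__ == "__main__":
    issuer = Issuer(max_value=100, seed=b"constructed-demo-seed")
    cred = issuer.issue(42)                       # private value 42
    proof = prove_range(cred, 30, 50)
    print("30 <= value <= 50 :", verify_range(issuer.commitment, proof, 30, 50))
    print("45 <= value <= 50 :", verify_range(issuer.commitment, proof, 45, 50))
```

Two properties of the baseline are worth seeing in the test below. A proof is bound to the interval it was made for (re-using it for a tighter bound fails), yet anyone holding it can hash further to derive a valid proof for a looser interval; the scheme is sound but not zero-knowledge, and the chain elements released in different proofs are trivially linkable to one credential, which matches the abstract's caveat that CBRPs are less flexible than general zero-knowledge range proofs.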
- Book Chapter
- 10.1007/3-540-58184-7_150
- Jan 1, 1994
A framework is presented to show formally that a parallel system is fair with respect to any set of events. Systems are specified by means of a set of variables, a set of guarded transitions and a set of liveness conditions, using a previously presented technique [PA93]. Their semantics are given in the CSP model [BRH84]. The proofs use ordinary predicate logic and Noetherian induction. Invariants are an important piece of information in the development of the proofs. A non-trivial case study is developed.
- Research Article
- 10.1016/j.scico.2023.103054
- Nov 10, 2023
- Science of Computer Programming
The theory of institutions provides an abstract mathematical framework for specifying logical systems and their semantic relationships. Institutions are based on category theory and have deep roots in a well-developed branch of algebraic specification. However, there are no machine-assisted proofs of correctness for institution-theoretic constructions—chiefly satisfaction conditions for institutions and their (co)morphisms—making them difficult to incorporate into mainstream formal methods. This paper therefore provides the details of our approach to formalizing a fragment of the theory of institutions in the Coq proof assistant. We instantiate this framework with the institutions FOPEQ for first-order predicate logic and EVT for the Event-B specification language, and define some institution-independent constructions, all of which serve as an illustration and evaluation of the overall approach.
- Research Article
- 10.1007/pl00011676
- Nov 1, 2001
- Knowledge and Information Systems
Inductive logic is a research area at the intersection of machine learning and logic programming, and has been increasingly applied to data mining. Inductive logic studies learning from examples within the framework provided by clausal logic. It provides a uniform and expressive means of representation: examples, background knowledge, and induced theories are all expressed in first-order logic. Such an expressive representation is computationally expensive, so it is natural to consider improving the performance of inductive logic data mining using parallelism. We present a parallelization technique for inductive logic, and implement a parallel version of a core inductive logic programming system: Progol. The technique provides perfect partitioning of computation, and its data access and communication requirements are small, so almost linear speedup is readily achieved. However, we also show why the information flow of the technique permits superlinear speedup over the standard sequential algorithm. Performance results on several datasets and platforms are reported. The results have wider implications for the design of parallel and sequential data-mining algorithms.
- Conference Instance
- 10.4230/lipics.rta.2011.21
- Jan 17, 2013
- DROPS (Schloss Dagstuhl – Leibniz Center for Informatics)
We present the rewriting toolkit CiME3. Among its other original features, this version has two kinds of engines: one to handle and discover proofs of various properties of rewriting systems, and one to generate Coq scripts from proof traces given in the certification problem format, in order to certify them with a skeptical proof assistant like Coq. These features thus open the way to using CiME3 to add automation to proofs of termination or confluence in a formal development in the Coq proof assistant.