Software Quality Journal, Volume 21, Issue 1, pp. 101–126

Relational analysis of (co)inductive predicates, (co)algebraic datatypes, and (co)recursive functions

  • Jasmin Christian Blanchette


We present techniques for applying a finite relational model finder to logical specifications that involve high-level definitional principles such as (co)inductive predicates, (co)algebraic datatypes, and (co)recursive functions. In contrast to previous work, which focused on algebraic datatypes and restricted occurrences of unbounded quantifiers in formulas, we can handle arbitrary formulas by means of a three-valued Kleene logic. The techniques form the basis of the counterexample generator Nitpick for Isabelle/HOL. As case studies, we consider formulas about an inductively defined context-free grammar, a functional implementation of AA trees, and a coalgebraic list datatype.
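The abstract's key move is evaluating formulas in a three-valued Kleene logic rather than the usual two-valued one, so that a quantifier ranging over an infinite type (the naturals, an infinite list type) that has only been checked on a finite scope yields "unknown" instead of a bogus verdict. The following is an added illustration written for this page, not Nitpick's code or the paper's own construction: it implements the Kleene connectives, finite-scope quantifiers that downgrade an unrefuted universal to unknown when the scope is only an approximation, and a counterexample search that reports a witness only for a definite "false". The scopes (`range(4)` standing in for the naturals, the two Booleans as a complete type) and the sample formulas are constructed for the example.

```python
from enum import Enum


class K(Enum):
    """Three-valued Kleene truth values, ordered F < U < T."""
    F = 0  # definitely false
    U = 1  # unknown: the finite scope cannot decide
    T = 2  # definitely true


def k_not(a: K) -> K:
    return K(2 - a.value)          # swaps F and T, leaves U alone


def k_and(a: K, b: K) -> K:
    return K(min(a.value, b.value))  # strong Kleene conjunction


def k_or(a: K, b: K) -> K:
    return K(max(a.value, b.value))  # strong Kleene disjunction


def k_implies(a: K, b: K) -> K:
    return k_or(k_not(a), b)


def lift(b: bool) -> K:
    """Embed an ordinary Boolean into K."""
    return K.T if b else K.F


def forall(scope, pred, complete: bool) -> K:
    """Evaluate 'for all x. pred x' over a finite scope.

    Any element evaluating to F refutes the formula, so the result is F.
    If nothing in the scope refutes it but the scope is only a finite
    approximation of an infinite type (complete=False), the result is U:
    elements outside the scope were never examined, so T would be unsound."""
    result = K.T
    for x in scope:
        result = k_and(result, pred(x))
        if result is K.F:
            return K.F
    return result if complete else k_and(result, K.U)


def exists(scope, pred, complete: bool) -> K:
    """Dual of forall: a witness in scope gives T; an exhausted incomplete
    scope gives U rather than F."""
    result = K.F
    for x in scope:
        result = k_or(result, pred(x))
        if result is K.T:
            return K.T
    return result if complete else k_or(result, K.U)


def counterexample(scope, pred, complete: bool):
    """Return (verdict, witness). A witness is reported only when the
    formula is definitely F; an unknown verdict yields no witness, which is
    what keeps finite-scope checking from producing spurious counterexamples."""
    for x in scope:
        if pred(x) is K.F:
            return K.F, x
    return forall(scope, pred, complete), None


# Constructed scopes: a finite slice of the naturals and the complete Booleans.
NAT_SCOPE = range(4)
BOOL_SCOPE = [False, True]


def succ_greater() -> K:
    # forall n. n + 1 > n: holds on every checked natural, but the scope is
    # incomplete, so the verdict is U, not T.
    return forall(NAT_SCOPE, lambda n: lift(n + 1 > n), complete=False)


def all_less_than_three():
    # forall n. n < 3: refuted inside the scope, so a genuine witness (3) exists.
    return counterexample(NAT_SCOPE, lambda n: lift(n < 3), complete=False)


def excluded_middle() -> K:
    # forall b. b or not b over the complete Boolean type: definitely T.
    return forall(BOOL_SCOPE, lambda b: k_or(lift(b), k_not(lift(b))), complete=True)


def no_largest_nat() -> K:
    # forall n. exists m. m > n: with a two-valued finite evaluation n = 3 would
    # look like a counterexample; the Kleene evaluation correctly answers U.
    return forall(NAT_SCOPE,
                  lambda n: exists(NAT_SCOPE, lambda m: lift(m > n), complete=False),
                  complete=False)
```

The contrast between `all_less_than_three` and `no_largest_nat` is the practical point: a model finder that only ever reports a witness for a definite F can be run on arbitrary formulas over infinite types without misreporting scope boundaries as bugs, at the cost of sometimes answering "unknown".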


Keywords: Model finding; Higher-order logic; First-order relational logic



I want to thank Sascha Böhme, Lukas Bulwahn, Andreas Lochbihler, Tobias Nipkow, Mark Summerfield, and the anonymous reviewers for suggesting many improvements to this article, and Alexander Krauss for helping to structure it. This work is supported by the Deutsche Forschungsgemeinschaft grant Ni 491/11-1.



Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. Institut für Informatik, Technische Universität München, Munich, Germany
