Verifying Reachability-Logic Properties on Rewriting-Logic Specifications

Abstract

Rewriting Logic is a simply, flexible, and powerful framework for specifying and analysing concurrent systems. Reachability Logic is a recently introduced formalism, which is currently used for defining the operational semantics of programming languages and for stating properties about program executions. Reachability Logic has its roots in a wider-spectrum framework, namely, in Rewriting Logic Semantics. In this paper we show how Reachability Logic can be adapted for stating properties of transition systems described by Rewriting-Logic specifications. We propose a procedure for verifying Rewriting-Logic specifications against Reachability-Logic properties. We prove the soundness of the procedure and illustrate it by verifying a communication protocol specified in Maude.

Proofs of Technical Results

Proof of Proposition 1, Page 5. We use the notation convention from Definition 3.

\(\Leftarrow \). If \((\gamma ,\rho )\models \varphi \) then we consider \(\rho '\) such that \(\rho '(z)=\gamma \) and \(\rho '(x)=\rho (x)\) for all \(x\not =z\). We obtain \(\rho '\models \varphi ^=\), which implies \(\rho \models (\exists z)\varphi ^=\).

\(\Rightarrow \). Let \(\square \) be a fresh variable (\(\square \not \in Var \)) of sort \( State \) and \(\varphi ^\square \) defined in the same way like \(\varphi ^=\), but using \(\square \) instead of z. Note that \(\varphi ^\square \) is defined on a extended signature. If \(\rho : Var \rightarrow M\) and \(\gamma \in M_ State \), then let \(\rho ^\gamma : Var \cup \{\square \}\rightarrow M\) denote the extension of \(\rho \) with \(\rho (\square )=\gamma \). By Proposition 1 in [3] we have \(\rho ^\gamma \models \varphi ^\square \) iff \((\gamma ,\rho )\models \varphi \). Assume that \(\rho \models \varphi ^{=?}\). It follows that for any extension \(\rho '\) of \(\rho \) to \( Var \cup \{\square \}\) we have \(\rho '\models \varphi ^{=?}\). Since \(\varphi ^{=?}\) can be obtained from \((\exists \square )\varphi ^\square \) by alpha conversion, we obtain \(\rho '\models (\exists \square )\varphi ^\square \). It follows that there exists \(\rho '': Var \cup \{\square \}\rightarrow M\) such that \(\rho ''(x)=\rho '(x)\) for \(x\not ={\square }\) and \(\rho ''\models \varphi ^\square \). Since \(\rho '\) extends \(\rho \), we obtain \(\rho ''(x)=\rho (x)\) for \(x\in Var \). If we take \(\gamma =\rho ''(\square )\), then \(\rho ''=\rho ^\gamma \) and hence \((\gamma ,\rho )\models \varphi \).    \(\square \)

Proof of Proposition 2, Page 2. The fol formula \(\phi ^{=?}\) is the same as \(\phi \) because \(\phi \) has no basic patterns, and hence \(\phi ^{=?}\) is equivalent to \(\phi \) because the existential variable z does not occur in \(\phi \). It follows that \((\phi \wedge \varphi )^{=?}\triangleq (\exists z)(\phi \wedge \varphi )^{=}\) is equivalent \((\exists z)(\phi ^{=}\wedge \varphi ^{=})\), which in turn is equivalent to \(\phi \wedge (\exists z)\varphi ^{=}\), which is the same as \(\phi \wedge \varphi ^{=?}\).

We now prove the second part of the proposition. By Proposition 1 and \((\gamma , \rho ) \models \varphi \) we obtain \(\rho \models \varphi ^{=?}\). By applying the definition of the fol satisfaction relation to \(\rho \models \phi \) and \(\rho \models \varphi ^{=?}\) we obtain \(\rho \models \phi \wedge \varphi ^{=?}\), which, by the first part of this proposition, is equivalent to \(\rho \models (\phi \wedge \varphi )^{=?}\). Then, using Proposition 1 and its proof we obtain that \((\gamma , \rho ) \models \phi \wedge \varphi \), which concludes the proof.    \(\square \)

Proof of Lemma 1, Page 8. Assume that \(\varphi _1\) is \((\exists FreeVars (\varphi _l,\varphi _r))(\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r\) for some \({\varphi _l} \Rightarrow {\varphi _r}\in \mathcal {S}\). If \([\![\varphi _1]\!] = \emptyset \) then \({\varphi _1} \Rightarrow {\varphi '}\) is an \(\mathcal {S}\)-derivative of \({\varphi } \Rightarrow {\varphi '}\) by Definition 8. Assume \([\![\varphi _1]\!] \not = \emptyset \), i.e. there exists \((\tau _1,\rho _1)\) starting from \(\varphi _1\), with \(\tau _1\triangleq \gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \). Then

$$\begin{aligned}&(\gamma _1,\rho _1)\models \varphi _1&\longleftrightarrow \\&(\exists \rho )(\gamma _1,\rho )\models ((\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r)&\longleftrightarrow \\&(\exists \rho )(\rho \models (\varphi _l\wedge \varphi )^{=?}\wedge (\gamma _1,\rho )\models \varphi _r)&\longleftrightarrow \\&(\exists \rho )((\exists \gamma _0)(\gamma _0,\rho )\models (\varphi _l\wedge \varphi )\wedge (\gamma _1,\rho )\models \varphi _r)&\longleftrightarrow \\&(\exists \rho )((\exists \gamma _0)((\gamma _0,\rho _1)\models \varphi \wedge (\gamma _0,\rho )\models \varphi _l)\wedge (\gamma _1,\rho )\models \varphi _r)&\longleftrightarrow \\&(\exists \gamma _0)(\gamma _0,\rho _1)\models \varphi \wedge (\exists \rho )((\gamma _0,\rho )\models \varphi _l\wedge (\gamma _1,\rho )\models \varphi _r)&\longrightarrow \\&(\exists \gamma _0) (\gamma _0,\rho _1)\models \varphi \wedge \gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1&\end{aligned}$$

where, by Assumption 1, we may w.l.o.g. choose \(\rho \) such that \(\rho (x)=\rho _1(x)\) for all \(x\not \in FreeVars (\varphi _l,\varphi _r)\). Hence there is \(\tau =\gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \) such that \(\tau |_{1..}=\tau _1\) and \((\gamma _0,\rho _1)\models \varphi \). If \(\tau _1\) is infinite then \(\tau \) is infinite. If \((\exists i\ge 1)(\gamma _i,\rho _1)\models \varphi '\) then \((\exists i\ge 0)(\gamma _i,\rho _1)\models \varphi '\). So, finally, we obtain that \((\tau _1,\rho _1)\models {\varphi _1} \Rightarrow {\varphi '}\) implies \((\tau ,\rho _1)\models {\varphi } \Rightarrow {\varphi '}\). Since \(\gamma _1\) and \(\rho _1\) have been chosen arbitrarily we conclude that \({\varphi _1} \Rightarrow {\varphi '}\) is an \(\mathcal {S}\)-derivative of \({\varphi } \Rightarrow {\varphi '}\).    \(\square \)

Proof of Lemma 2, Page 8. Suppose that \((\tau _1,\rho )\models {\varphi _1} \Rightarrow {\varphi '}\) and \(\tau _1\triangleq \gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \). Then \((\tau _1,\rho )\) starts from \(\varphi \) and one of the following two claims holds: a) there exists \(i\ge 1\) such that \((\gamma _i,\rho )\models \varphi '\) or b) \(\tau \) is infinite. So, to prove that \((\tau _1,\rho )\models {\varphi '_1} \Rightarrow {\varphi '}\) it is enough to prove that \((\tau _1,\rho )\) starts from some \(\varphi '_1\in \varDelta _\mathcal {S}(\varphi )\). The pair \((\tau _1,\rho )\) can be extended to \((\tau ,\rho )\) such that \(\tau |_{1..}=\tau _1\) and \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '}\) by the definition of the \(\mathcal {S}\)-derivative. It follows that there is \(\gamma _0\) such that \(\tau \triangleq \gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \), \((\gamma _0,\rho )\models \varphi \), and \((\gamma _1,\rho )\models \varphi _1\). There is \({\varphi _l} \Rightarrow {\varphi _r}\in \mathcal {S}\) and \(\rho '\) such that \((\gamma _0,\rho ')\models \varphi _l\) and \((\gamma _1,\rho ')\models \varphi _r\) by the definition of \(\Rightarrow ^{\!}_{\!\mathcal {S}}\). By Assumption 1, we may w.l.o.g. choose \(\rho '\) such that \(\rho '(x)=\rho (x)\) for all \(x \notin FreeVars (\varphi _l,\varphi _r)\). Hence \((\gamma _0,\rho ')\models \varphi \wedge \varphi _l\). We take \(\varphi '_1\triangleq (\exists FreeVars (\varphi _l,\varphi _r))(\varphi \wedge \varphi _l)^{=?}\wedge \varphi _r\). We obviously have \(\varphi '_1\in \varDelta _\mathcal {S}(\varphi )\) and \((\gamma _1,\rho )\models \varphi '_1\) because there exists \(\rho '\) (defined above) such that \((\gamma _1,\rho ')\models (\varphi \wedge \varphi _l)^{=?}\wedge \varphi _r\). Since \(\tau _1=\gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \), it follows that \((\tau _1,\rho )\) starts from \(\varphi '_1\in \varDelta _\mathcal {S}(\varphi )\), which implies \((\tau _1,\rho )\models {\varphi '_1} \Rightarrow {\varphi '}\). Since \((\tau _1,\rho )\) has been chosen arbitrary, the conclusion of the lemma follows.    \(\square \)

Proof of Lemma 3, Page 9. The following equivalences hold:

$$\begin{aligned}&\bigvee _{\varphi _1\in \varDelta _\mathcal {S}(\varphi )}\varphi _1^{=?} \text { is satisfiable}&\longleftrightarrow \\&(\exists \rho _1)\rho _1\models \bigvee _{\varphi _1\in \varDelta _\mathcal {S}(\varphi )}\varphi _1^{=?}&\longleftrightarrow \\&(\exists \rho _1)(\exists \varphi _1\in \varDelta _\mathcal {S}(\varphi ))\rho _1\models \varphi _1^{=?}&\longleftrightarrow \\&(\exists \rho _1)(\exists {\varphi _l} \Rightarrow {\varphi _r}\in \mathcal {S})\rho _1\models ((\exists FreeVars (\varphi _l,\varphi _r))(\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r)^{=?}&\longleftrightarrow \\&(\exists \rho _1)(\exists {\varphi _l} \Rightarrow {\varphi _r}\in \mathcal {S})(\exists \gamma _1)(\gamma _1,\rho _1)\models (\exists FreeVars (\varphi _l,\varphi _r))(\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r&\end{aligned}$$

Then, we have:

$$\begin{aligned}&(\gamma _1,\rho _1)\models (\exists FreeVars (\varphi _l,\varphi _r))(\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r&\longleftrightarrow \\&(\exists \rho )(\gamma _1,\rho )\models (\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r&\longleftrightarrow \\&(\exists \rho )\rho \models (\varphi _l\wedge \varphi )^{=?}\wedge (\gamma _1,\rho )\models \varphi _r&\longleftrightarrow \\&(\exists \rho )(\exists \gamma ) (\gamma ,\rho )\models (\varphi _l\wedge \varphi )\wedge (\gamma _1,\rho )\models \varphi _r&\longleftrightarrow \\&(\exists \rho )(\exists \gamma ) (\gamma ,\rho ) \models \varphi \wedge (\gamma ,\rho )\models \varphi _l\wedge (\gamma _1,\rho )\models \varphi _r&\longleftrightarrow \\&(\exists (\gamma ,\rho )) (\gamma ,\rho )\models \varphi \wedge \gamma \Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1 \end{aligned}$$

where, by the definition of \(\models \), \(\rho \) satisfies \(\rho (x)=\rho _1(x)\) for all \(x\not \in FreeVars (\varphi _l,\varphi _r)\). We obtained that \(\bigvee _{\varphi _1\in \varDelta _\mathcal {S}(\varphi )}\varphi _1^{=?}\) is satisfiable iff there exists \((\gamma ,\rho )\) such that \((\gamma ,\rho )\models \varphi \) and there exists \(\gamma _1\) such that \(\gamma \Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\), i.e., iff \(\varphi \) is \(\mathcal {S}\)-derivable.    \(\square \)

Proof of Proposition 4, Page 9. We use the notation convention in Definition 3.

$$\begin{aligned}&M\models \varphi ^{=?}\longrightarrow \bigvee _{\varphi _1\in \varDelta _\mathcal {S}(\varphi )}\varphi _1^{=?}&\longleftrightarrow \\&(\forall \rho )\rho \models \varphi ^{=?} \longrightarrow \rho \models \bigvee _{\varphi _1\in \varDelta _\mathcal {S}(\varphi )}\varphi _1^{=?}&\longleftrightarrow \\&(\forall \rho )(\exists \gamma )(\gamma ,\rho )\models \varphi \longrightarrow&\\&~~~~ (\exists {\varphi _l} \Rightarrow {\varphi _r}\in \mathcal {S}) \rho \models (\exists FreeVars (\varphi _l,\varphi _r))((\varphi _l\wedge \varphi )^{=?}\wedge \varphi _r)^{=?}&\longleftrightarrow \end{aligned}$$

(2)

(3)

(4)

$$(\forall \rho )(\exists \gamma )(\gamma ,\rho )\models \varphi \longrightarrow (\exists \gamma _1)\gamma \Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1 $$

where, by Assumption 1, we may w.l.o.g. choose \(\rho '\) such that \(\rho '(x)=\rho (x)\) for all \(x\not \in FreeVars (\varphi _l,\varphi _r)\), which implies \((\gamma ',\rho ')\models \varphi \) iff \(\gamma '=\gamma \) and \((\gamma ,\rho )\models \varphi \). Therefore in the equivalence (3) \(\longleftrightarrow \) (4) we could take \((\gamma ,\rho ')\models (\varphi _l\wedge \varphi )\). The equivalence (2) follows by Proposition 2.    \(\square \)

Proof of Theorem 1, Page 10. The following lemmas are needed in the proof.

Lemma 5

(Coverage Step). Let \(\gamma \), \(\gamma '\), \(\rho \), \(\varphi \), and \(\alpha \triangleq {\varphi _l} \Rightarrow {\varphi _r} \in \mathcal {S}\) such that \({\gamma } \Rightarrow ^{\!}_{\!\{\alpha \}}{\gamma '}\) and \((\gamma , \rho ) \models \varphi \). Then, \((\gamma ', \rho ) \models \varDelta _{\{\alpha \}}(\varphi )\).

Proof

From \({\gamma } \Rightarrow ^{\!}_{\!\{\alpha \}}{\gamma '}\) we obtain a valuation \(\rho '\) such that \((\gamma , \rho ') \models \varphi _l\) and \((\gamma ', \rho ') \models \varphi _r\). By Assumption 1, \( FreeVars (\varphi _l,\varphi _r)\cap FreeVars (\varphi )=\emptyset \). Hence we can choose \(\rho '\) such that \(\rho '(x) = \rho (x)\) for all \(x \in FreeVars (\varphi )\). Thus, \((\gamma , \rho ') \models \varphi \). From the latter and \((\gamma , \rho ') \models \varphi _l\) we obtain \((\gamma , \rho ') \models \varphi \wedge \varphi _l\), and using Proposition 1 we have \(\rho ' \models (\varphi \wedge \varphi _l)^{=?}\). Using Proposition 2 we obtain \((\gamma ', \rho ') \models (\varphi \wedge \varphi _l)^{=?} \wedge \varphi _r\) which implies \((\gamma ', \rho ) \models (\exists FreeVars (\varphi _l, \varphi _r))(\varphi \wedge \varphi _l)^{=?} \wedge \varphi _r\) (using Assumption 1). By Definition 10 \((\exists FreeVars (\varphi _l, \varphi _r))(\varphi \wedge \varphi _l)^{=?} \wedge \varphi _r\) is just \(\varDelta _{\{\alpha \}}(\varphi )\), which ends the proof.    \(\square \)

Lemma 6

(Coverage by Derivatives). Any computation \(\tau \triangleq \gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \) with \((\tau ,\rho )\) starting from \(\varphi \) is “covered” by derivatives, i.e., there exists a sequence \(\varphi _0,\varphi _1,\ldots \) of ml formulas such that

1. 1.

   \(\varphi _0=\varphi \)

2. 2.

   \(\varphi _{i+1}\in \varDelta _\mathcal {S}(\varphi _i)\), \(i=0,1,\ldots \)

3. 3.

   \((\gamma _i,\rho )\models \varphi _i\), \(i=0,1,\ldots \)

Proof

By induction on i using Lemma 5 in the induction step.    \(\square \)

A successful execution of prove(\(\mathcal {S}, G_0, \varDelta _\mathcal {S}(G_0)\)) consists of a sequence of calls

$$\begin{aligned} \mathtt {prove}(\mathcal {S}, G_0, \mathcal {G}_1), \ldots , \mathtt {prove}(\mathcal {S}, G_0, \mathcal {G}_n) \end{aligned}$$

such that

• \(\mathcal {G}_0=G_0\),

• \(\mathcal {G}_1=\varDelta _\mathcal {S}(G_0)\),

• \(\mathcal {G}_n=\emptyset \),

• for all \(i \in {0\ldots n-1}\), \(\mathcal {G}_{i+1} = \mathcal {G}_i \setminus \{{\varphi } \Rightarrow {\varphi '}\} \cup \mathcal {G}_{{\varphi } \Rightarrow {\varphi '}}\), for some \({\varphi } \Rightarrow {\varphi '} \in \mathcal {G}_i\), where

  $$\begin{aligned} \mathcal {G}_{{\varphi } \Rightarrow {\varphi '}}= {\left\{ \begin{array}{ll} \emptyset &{}, if M \models \varphi \longrightarrow \varphi '\\ \varDelta _{{\varphi _{c}} \Rightarrow {\varphi '_{c}}}({\varphi } \Rightarrow {\varphi '}) &{}, if\,there\,is\, {\varphi _{c}} \Rightarrow {\varphi '_{c}}\in G_0, s.t. M \models \varphi \longrightarrow \overline{\varphi }_{c}, \\ \varDelta _{\mathcal {S}}({\varphi } \Rightarrow {\varphi '_c}) &{}, if\, \varphi ~\mathcal {S}\text {-derivable} \end{array}\right. } \end{aligned}$$

In the following we let \(\mathcal {F}=\bigcup _{i=0}^n\mathcal {G}_i\).

Lemma 7

Let \({\varphi } \Rightarrow {\varphi '}\in \mathcal {F}\). Then \(M\models \varphi \longrightarrow \varphi '\) or \(\varphi \) is \(\mathcal {S}\)-derivabile.

Proof

Let \({\varphi } \Rightarrow {\varphi '}\in \mathcal {F}\). If \({\varphi } \Rightarrow {\varphi '}\in \mathcal {G}_0 = G_0\) then \(\varphi \) is \(\mathcal {S}\)-derivabile (any formula in \(G_0\) has the lhs \(\mathcal {S}\)-derivable). Otherwise, there is i such that \({\varphi } \Rightarrow {\varphi '}\in \mathcal {G}_i\setminus \mathcal {G}_{i+1}\). By the definition of \(\mathcal {G}_{i+1}\) the formula \({\varphi } \Rightarrow {\varphi '}\) was eliminated from \(\mathcal {G}_i\) in one of the three situations:

1. 1.

   \(M\models \varphi \longrightarrow \varphi '\)

2. 2.

   \(M\models \varphi \longrightarrow \overline{\varphi }_{c}\) for some \({\varphi _{c}} \Rightarrow {\varphi '_{c}}\in G_0\)

3. 3.

   \(\varphi \) is \(\mathcal {S}\)-derivable.

In the first and the third cases we obtain directly the conclusion of our lemma. The only case we have to discuss is the second one. Note that there are \(\gamma \) and \(\rho \) such that \((\gamma ,\rho )\models \varphi \). Otherwise, we have \(M\models \varphi \longrightarrow \varphi '\) which corresponds to the first case. From \((\gamma ,\rho )\models \varphi \) and \(M\models \varphi \longrightarrow \overline{\varphi }_{c}\) we have \((\gamma , \rho ) \models \overline{\varphi }_{c}\). By Definition 2, there is \(\rho '\) such that \((\gamma ,\rho ')\models \varphi _{c}\). Since \(\varphi _{c}\) is derivable (because \({\varphi _{c}} \Rightarrow {\varphi '_{c}} \in G_0\) and \(\mathcal {S}\) is total, there exists a transition \(\gamma \Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\), which, by Definition 11, implies that \(\varphi \) is \(\mathcal {S}\)-derivable.    \(\square \)

Lemma 8

For all \(\tau \), for all \(\rho \), for all \({\varphi } \Rightarrow {\varphi '}\in \mathcal {F}\), if \(\tau \) is finite and complete, and \((\tau ,\rho )\) starts from \(\varphi \) then \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '}\).

Proof

We proceed by induction on the length of \(\tau \). We an consider arbitrary \({\varphi } \Rightarrow {\varphi '}\in \mathcal {F}\) and \(\rho \) satisfying the hypotheses of the lemma.

Base case. Assume that \(\tau =\gamma _0\) and that \((\gamma _0,\rho )\models \varphi \). Since \(\tau \) is complete then there is no \(\gamma _1\) such that \(\gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\). Therefore, any \(\varphi '\) such that \((\gamma _0,\rho )\models \varphi '\), is not \(\mathcal {S}\)-derivable (otherwise, it contradicts Definition 11). Thus, \(\varphi \) is not \(\mathcal {S}\)-derivable.

By Lemma 7 we have \(M\models \varphi \longrightarrow \varphi '\), and using the fact that \((\gamma _0,\rho )\models \varphi \) we obtain \((\gamma _0,\rho )\models \varphi '\), i.e. \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '}\).

Induction step. Assume that \(\tau =\gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\cdots \), and \((\gamma _0,\rho )\models \varphi \). In this case \(\varphi \) is \(\mathcal {S}\)-derivable (by Definition 11). Since \({\varphi } \Rightarrow {\varphi '}\in \mathcal {F}\) then \({\varphi } \Rightarrow {\varphi '}\) has been eliminated at some point, so there is i such that \({\varphi } \Rightarrow {\varphi '}\in \mathcal {G}_i\setminus \mathcal {G}_{i+1}\).

Again, by the definition of \(\mathcal {G}_{i+1}\), we have three possible cases:

1. 1.

   \(M\models \varphi \longrightarrow \varphi '\). Since \((\gamma _0,\rho )\models \varphi \) we obtain \((\gamma _0,\rho )\models \varphi '\), which implies \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '}\).

2. 2.

   \(M\models \varphi \longrightarrow \overline{\varphi }_{c}\). From \((\gamma _0,\rho )\models \varphi \) we obtain \((\gamma _0,\rho )\models \overline{\varphi }_{c}\), and, by Definition 2, there is \(\rho '\) with \(\rho '(x) = \rho (x)\) for all \(x \not \in FreeVars (\varphi _{c})\) such that \((\gamma _0,\rho ')\models \varphi _{c}\). If \(\gamma _0 \Rightarrow ^{\!}_{\!\mathcal {S}} \gamma _1\) then there is a rule \(\alpha \triangleq {\varphi _l} \Rightarrow {\varphi _r} \in \mathcal {S}\) such that \(\gamma _0 \Rightarrow ^{\!}_{\!\{\alpha \}} \gamma _1\) (Definition 5). From \((\gamma _0,\rho ')\models \varphi _{c}\) and Lemma 5 we obtain \(\varphi _1 \in \varDelta _{\{\alpha \}}(\varphi _{c}) \subseteq \varDelta _\mathcal {S}(\varphi _{c})\) such that \((\gamma _1,\rho ')\models \varphi _1\). Since \(\varphi _1 \in \varDelta _\mathcal {S}(\varphi _{c})\) and \({\varphi _{c}} \Rightarrow {\varphi '_{c}} \in G_0 = \mathcal {G}_0\) then \({\varphi _1} \Rightarrow {\varphi '_{c}} \in \varDelta _S({\varphi _{c}} \Rightarrow {\varphi '_{c}}) \subseteq \mathcal {G}_1 \subseteq \mathcal {F}\). Now, the inductive hypothesis holds for \({\varphi _1} \Rightarrow {\varphi '_{c}}\), and we have \((\tau |_{1..},\rho ')\models {\varphi _1} \Rightarrow {\varphi '_{c}}\). Since \(\tau \) is finite, there exists \(j\ge 1\) such that \((\gamma _j,\rho ')\models \varphi '_{c}\).

   Next, we want show that \((\gamma _j,\rho )\models (\exists FreeVars (\varphi _{c}, \varphi '_{c}))((\varphi _{c}\wedge \varphi )^{=?}\wedge \varphi '_{c})\). This is equivalent (by Definition 2) to showing that there is a valuation \(\rho ''\) with \(\rho ''(x) = \rho (x)\) for all \(x \not \in FreeVars (\varphi _{c'})\) such that \((\gamma _j,\rho '')\models (\varphi _{c}\wedge \varphi )^{=?}\wedge \varphi '_{c}\). Let us consider \(\rho '' = \rho '\). From the hypothesis of Theorem 1 we have \( FreeVars (\varphi '_{c}) \subseteq FreeVars (\varphi _{c})\), which implies that \( FreeVars (\varphi _{c}, \varphi '_{c}) \subseteq FreeVars (\varphi _{c})\). Also, note that \(\rho '(x) = \rho (x)\), for all \(x \not \in FreeVars (\varphi _{c})\). Using Assumption 1, i.e. \( FreeVars (\varphi ) \cap FreeVars (\varphi _{c}) = \emptyset \), and \((\gamma _0, \rho ) \models \varphi \) we obtain \((\gamma _0, \rho ') \models \varphi \). Given the fact that \((\gamma _0,\rho ')\models \varphi _{c}\), by Definition 2, \((\gamma _0,\rho ')\models \varphi _{c} \wedge \varphi \). By Proposition 1, from \((\gamma _0,\rho ')\models \varphi _{c} \wedge \varphi \) we obtain \(\rho ' \models ( \varphi _{c} \wedge \varphi )^{=?}\). Moreover, by Proposition 2 and the fact that \((\gamma _j,\rho ')\models \varphi '_{c}\) we obtain \((\gamma _j,\rho ')\models (\varphi _{c}\wedge \varphi )^{=?}\wedge \varphi '_{c}\). Therefore, there is \(\rho '' = \rho '\), such that \((\gamma _j,\rho '')\models (\varphi _{c}\wedge \varphi )^{=?}\wedge \varphi '_{c}\), and we can conclude that \((\gamma _j,\rho ) \models (\exists FreeVars (\varphi _{c}, \varphi '_{c}))((\varphi _{c}\wedge \varphi )^{=?}\wedge \varphi '_{c})\).

   Note that the set \(\mathcal {G}_{i+1}\) includes \(\varDelta _{{\varphi _{c}} \Rightarrow {\varphi '_{c}}}({\varphi } \Rightarrow {\varphi '_c})\), and we can apply again the inductive hypothesis: \((\tau |_{j..},\rho )\models {(\exists FreeVars (\varphi _{c}, \varphi '_{c}))((\varphi _{c}\wedge \varphi )^{=?}\wedge \varphi '_{c})} \Rightarrow {\varphi '}\), i.e. there is \(k\ge j\) such that \((\gamma _k,\rho )\models \varphi '\), which implies \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '}\).

3. 3.

   \(\varphi \) is \(\mathcal {S}\)-derivable. Then \(\varDelta _{\mathcal {S}}({\varphi } \Rightarrow {\varphi '}) \subseteq \mathcal {G}_{i+1} \subseteq \mathcal {F}\). If \(\gamma _0 \Rightarrow ^{\!}_{\!\mathcal {S}} \gamma _1\) then there is a rule \(\alpha \triangleq {\varphi _l} \Rightarrow {\varphi _r} \in \mathcal {S}\) s. t. \(\gamma _0 \Rightarrow ^{\!}_{\!\{\alpha \}} \gamma _1\) (Definition 5). Since \((\gamma _1,\rho )\models \varphi _1\), then, by Lemma 5, there is \(\varphi _1 \in \varDelta _{\{\alpha \}}(\varphi ) \subseteq \varDelta _\mathcal {S}(\varphi )\) such that \((\gamma _1,\rho )\models \varphi _1\). We obtain \((\tau |_{1..},\rho )\models {\varphi _1} \Rightarrow {\varphi '}\) by the inductive hypothesis, which implies that there is \(j\ge 1\) s. t. \((\gamma _j,\rho )\models \varphi '\). Hence \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '}\).    \(\square \)

Proof

(of Theorem 1 ). Let \(\tau \triangleq \gamma _0\Rightarrow ^{\!}_{\!\mathcal {S}}\gamma _1\Rightarrow ^{\!}_{\!\mathcal {S}}\cdots \) be a complete execution path, and let the valuation \(\rho \) be such that \((\tau ,\rho )\) starts from \(\varphi _0\) with \({\varphi _0} \Rightarrow {\varphi '_0}\in G_0\). If \(\tau \) is finite then \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '_c}\) by Lemma 8. If \(\tau \) is infinite then \((\tau ,\rho )\models {\varphi } \Rightarrow {\varphi '_c}\) by Definition 7.    \(\square \)

Proof of Lemma 4, Page 13. By definition of \(\varDelta _R(\varphi )\), \(\varphi _1\) is \((\exists FreeVars (l,r))(l\wedge b\wedge (\exists X)(\pi \wedge \phi ))^{=?}\wedge r\) for some rewrite rule \(l\rightarrow r\mathbf ~if~ b \in R\). By Assumption 1, \( FreeVars (l,r)\cap X=\emptyset \) and hence \(\varphi _1\) is equivalent to \((\exists X\cup FreeVars (l,r))(l=\pi )\wedge b\wedge \phi \wedge r\). We have:

$$\begin{aligned}&(\gamma _1,\rho _1)\models \varphi _1&\longleftrightarrow \\&(\gamma _1,\rho _1)\models (\exists X\cup FreeVars (l,r))(l=\pi )\wedge b\wedge \phi \wedge r&\longleftrightarrow \\&(\exists \rho )(\rho (l)=\rho (\pi ))\wedge \rho \models (b\wedge \phi )\wedge (\rho (r)=\gamma _1)&\longleftrightarrow \\&(\exists \sigma )(\sigma (l)=_{E\cup A}\sigma (\pi ))\, \wedge \rho \models b\,\wedge \rho _1\models \phi \wedge (\sigma (r)\in \gamma _1)&\longleftrightarrow \\&(\exists \sigma _0)(\exists \sigma '')(\sigma _0(l)=_{E\cup A}\pi )\, \wedge \rho \models b\,\wedge \rho _1\models \phi \wedge (\sigma ''(\sigma '(\sigma _0(r)))\in \gamma _1)&\longleftrightarrow \\&(\exists \sigma _0\in match (l,\pi ))(\exists \sigma '') \rho \models b\,\wedge \rho _1\models \phi \wedge (\sigma ''\uplus \sigma '(\sigma _0(r))\in \gamma _1)&\longleftrightarrow \\&\bigvee _{\sigma _0\in match (l,\pi )}(\exists \sigma '') \rho \models b\,\wedge \rho _1\models \phi \wedge (\sigma ''\uplus \sigma '(\sigma _0(r))\in \gamma _1)&\longleftrightarrow \\&\bigvee _{\sigma _0\in match (l,\pi )}(\exists \rho _0) \rho _0\models \sigma _0(b)\,\wedge \rho _0\models \phi \wedge \rho _0(\sigma _0(r))=\gamma _1)&\longleftrightarrow \\&\bigvee _{\sigma _0\in match (l,\pi )} (\exists \rho _0)(\gamma _1,\rho _0)\models (\sigma _0(b)\,\wedge \phi \wedge \sigma _0(r))&\longleftrightarrow \\&\bigvee _{\sigma _0\in match (l,\pi )} (\gamma _1,\rho _1)\models (\exists X\cup FreeVars (r)\setminus FreeVars (l))(\sigma _0(b)\,\wedge \phi \wedge \sigma _0(r))&\longleftrightarrow \\&(\gamma _1,\rho _1)\models \bigvee _{\sigma _0\in match (l,\pi )} (\exists X\cup FreeVars (r)\setminus FreeVars (l))(\sigma _0(b)\,\wedge \phi \wedge \sigma _0(r))&\end{aligned}$$

where

• \(\gamma _1\in T_{\varSigma ,E\cup A}\) of sort State, i.e., \(\gamma _1\) is an \((E\cup A)\)-equivalence class [t] with \(t\in T_{\varSigma , State }\);

• by Assumption 1, we may assume w.l.o.g. that \(\rho (x)=\rho _1(x)\) for all \(x\not \in X\cup FreeVars (l,r)\);

• \(\sigma : FreeVars (l,r,\phi )\rightarrow T_\varSigma \) with \([\sigma (x)]=\rho (x)\);

• the substitutions \(\sigma _0: FreeVars (l)\rightarrow FreeVars (\pi )\) and \(\sigma ': FreeVars (\pi )\rightarrow T_\varSigma \) are given by Assumption 3, i.e., \(\sigma |_{ FreeVars (l,\pi )}=\sigma '\circ \sigma _0\); note that \(\sigma '\) is uniquely determined by \(\sigma \) and \(\sigma _0\);

• \(\sigma ''=\sigma |_{ FreeVars (r)\setminus FreeVars (l)}\);

• \(\sigma ''\uplus \sigma '(x)=\sigma ''(x)\) if \(x\in FreeVars (r)\setminus FreeVars (l)\), and \(\sigma ''\uplus \sigma '(x)=\sigma '(x)\) if \(x\in FreeVars (\sigma _0(l))\);

• \(\rho _0(x)=[\sigma '(x)]\), for \(x\in FreeVars (\pi )\), \(\rho _0(x)=[\sigma ''(x)]\), for \(x\in FreeVars (r)\setminus FreeVars (l)\), and \(\rho _0(x)=\rho (x)\) in the rest (hence \(\rho _0(x)=\rho _1(x)\) for \(x\not \in X\cup FreeVars (r)\setminus FreeVars (l)\)); and

• \(\rho \models b\) iff \(\sigma ''(\sigma _0(b))=_{E\cup A} true \) iff \(\rho _0\models \sigma _0(b)\).   \(\square \)