Abstract
We formalize a fragment of the theory of institutions sufficient to establish basic facts about the institution for Event-B, and its relationship with the institution for first-order predicate logic. We prove the satisfaction condition for and encode the institution comorphism embedding in .
Supported by the Irish Research Council (GOIPG/2019/4529).
1 Introduction
The theory of institutions [4] was introduced by Joseph Goguen and Rod Burstall to give concrete form to the informal notion of a “logical system”, identifying a common structure among the many logics in regular use in computer science. A 2017 paper by Marie Farrell, Rosemary Monahan, and James Power [3] uses the theory of institutions to provide a sound mathematical semantics and modularization constructs for the industrial-strength state-based formal modelling language Event-B [1], providing interoperability with other formalisms. In related work, the Heterogeneous Tool Set (Hets) [7] makes use of institutions to provide heterogeneous specifications.
Event-B has an associated development process for system-level modelling and analysis. Key features include the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels, and the use of mathematical proof to verify consistency between refinement levels. The primary purpose of this research is to formalize the work in [3] within the Coq proof assistant, and more generally to provide the rudiments of a Coq library for the theory of institutions.
We build on earlier work formalizing universal algebra in Agda by Emmanuel Gunther, Alejandro Gadea, and Miguel Pagano [5]. However, the purpose of this work is not to provide a comprehensive development of universal algebra; we only develop as much as we need in order to define the institutions for first-order logic and Event-B. We also depend on the development of category theory by John Wiegley at jwiegley/category-theory.
While some obligations remain to be formally discharged for the institution for first-order predicate logic with equality, our developments for the institution for Event-B are complete. We have also encoded the institution comorphism , which embeds the simpler institution into , providing the underlying mathematical language for . It remains, however, to prove the naturality condition in our encoding. The formalization is not axiom-free: it assumes dependent function extensionality and proof irrelevance. A more careful development might use setoids (as in [2, 5]), and in the future we may experiment with grounding these efforts in homotopy type theory.
Throughout this paper, we will assume some familiarity with basic category theory, as well as the first two chapters of [8].
2 The Institution for Event-B
An institution [4] consists of
  a category of signatures (non-logical syntax);
  a sentence functor (logical syntax);
  a model functor (semantics for non-logical syntax); and
  a semantic entailment relation for each ,
such that for any signature translation , any sentence , and any model , the satisfaction condition holds:
This kind of institution is sometimes referred to as a set/cat institution, since the target of and the target of . To avoid encoding a “category of categories” in Coq, we implement set/set institutions [6].
We will now provide a precise but brief definition for the institution for Event-B, alongside its definition in Coq. For details, we refer the reader to [3]. Throughout, let .
The category of signatures has as objects , where \( \varSigma \) is a first-order signature, \( E : \mathsf {Status} \rightarrow \mathsf {Type} \) is a status-indexed set of events, and \( X, X' : \mathsf {sorts}\ \varSigma \rightarrow \mathsf {Type} \) are sorts-indexed sets of pre- and post-variables, respectively. In Coq, this becomes:
An signature morphism \( \hat{\varSigma }_1 \rightarrow \hat{\varSigma }_2 \) consists of a first-order signature morphism \( \sigma :\varSigma _1 \rightarrow \varSigma _2 \) translating the base signature, along with a function \( E_1 \rightarrow E_2 \) mapping events in such a way as to preserve the ordering on statuses, and functions \( X_1 \rightarrow X_2 \circ \sigma \), \( X'_1 \rightarrow X'_2 \circ \sigma \) mapping variables, regarded as morphisms in their respective indexed categories. It is convenient to assume that the initialization event is not in \( E \), so there is no need for the assumption that the initial event is preserved by signature morphisms. If the initialization/event distinction is made at the level of sentences, then we can enforce preservation of the initialization event definitionally.
sentences are either initialization sentences, \(\mathsf {Init}\ \psi \) where , or event sentences, \( \mathsf {Event}\ e\ \psi \) where . Note that the base signature is expanded to include the variables as constant operation names. Initialization sentences describe how variables are initially set. Event sentences describe how events change the variables. As a very simple example, given an event \( \mathsf {inc} \) which increments a variable \( n \), , we write the sentence \( \mathsf {Event}(\mathsf {inc}, n' = n + 1) \), where \( n \in X \) and \( n' \in X' \) are respectively pre- and post-variables from the ambient Event-B signature. Given an initialization event which starts \( n \) at \( 0 \), , we write the sentence \( \mathsf {Init}(n' = 0) \). For details on this correspondence, see again [3].
Event-B sentences rely on the ability to construct the expansion of first-order signatures by adjoining a sorts-indexed set of constant operation names, which in Coq we denote by \( \mathsf {SigExpand}\ \varSigma \ X \). sentences can be defined as follows.
An model consists of a first-order model \( M \) and a pair of environments and , which are lists of valuations of variables in \( M \). We enforce that \( L \) and \( R_e \), for each event \( e \), are non-empty.
Let \( M^{\theta } \) denote the expansion of a model \( M \) by a valuation \( \theta : X \rightarrow M \). We say that if for all valuations \( \theta \in L \), we have , and we say that if for all valuations \( \theta \in R_e \) we have . This can be written down directly in Coq.
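The satisfaction relation just described, as an added example that is not part of the paper's Coq development: a single-sorted, nat-valued cut-down in which the only pre-variable is n, the only post-variable is n', the only event is inc, and formulas are equations between arithmetic terms (all of these are assumptions made here), checked against the two sentences from the inc example above.

```coq
(* Added example, not the paper's code: a cut-down of the Event-B satisfaction relation. *)
Require Import Coq.Lists.List.
Import ListNotations.

Inductive var := n | n'.             (* assumed: X = {n}, X' = {n'} *)
Inductive event := inc.              (* assumed: a single event *)
Definition valuation := var -> nat.  (* theta : X + X' -> M, with M fixed to nat *)

(* Terms over the expanded signature: variables act as constant operation names. *)
Inductive term := TVar (v : var) | TLit (k : nat) | TPlus (t1 t2 : term).
Inductive formula := FEq (t1 t2 : term).

Fixpoint denote (theta : valuation) (t : term) : nat :=
  match t with
  | TVar v => theta v
  | TLit k => k
  | TPlus t1 t2 => denote theta t1 + denote theta t2
  end.

(* M^theta |= phi in the expanded model. *)
Definition holds (theta : valuation) (phi : formula) : Prop :=
  match phi with FEq t1 t2 => denote theta t1 = denote theta t2 end.
Inductive sentence := Init (psi : formula) | Event (e : event) (psi : formula).

(* A model is the first-order model (here nat) together with the environments L and R_e. *)
Record model := { L : list valuation; R : event -> list valuation }.

(* M |= Init psi iff every theta in L satisfies psi;
   M |= Event e psi iff every theta in R_e satisfies psi. *)
Definition satisfies (M : model) (s : sentence) : Prop :=
  match s with
  | Init psi => Forall (fun theta => holds theta psi) (L M)
  | Event e psi => Forall (fun theta => holds theta psi) (R M e)
  end.

(* The paper's sentences Init(n' = 0) and Event(inc, n' = n + 1). *)
Definition init_sentence := Init (FEq (TVar n') (TLit 0)).
Definition inc_sentence := Event inc (FEq (TVar n') (TPlus (TVar n) (TLit 1))).

(* A constructed model: L holds one valuation with n' = 0, and R inc holds three
   valuations in which n' is one more than n. *)
Definition theta0 : valuation := fun _ => 0.
Definition step (k : nat) : valuation := fun v => match v with n => k | n' => S k end.
Definition M0 : model := {| L := [theta0]; R := fun _ => [step 0; step 1; step 5] |}.

Lemma M0_init : satisfies M0 init_sentence.
Proof. repeat constructor. Qed.
Lemma M0_inc : satisfies M0 inc_sentence.
Proof. repeat constructor. Qed.
```

Both lemmas close by computation because each environment is a concrete list, so the universally quantified clause reduces to a finite conjunction of convertible equations.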
Now, taking a top-down perspective, we can define institutions in Coq as follows:
Proving that is an institution amounts to instantiating this class to the above definitions and discharging the generated obligations. The proofs rely on custom induction principles for the dependent records we introduce above, since the induction principles generated by Coq are too strong. For example, if one wishes to prove that two Event-B signature morphisms \( \hat{\sigma } \) and \( \hat{\sigma }' \) are equal, of course it suffices to prove that they are equal componentwise. Consider equality on the \( \mathsf {on\_vars} \) component. The statement of this equality will depend on a proof \( p : \sigma = \sigma ' \) that the underlying first-order signature morphisms are equal, which we write \( p_*(\mathsf {on\_vars}\ \hat{\sigma }) = \mathsf {on\_vars}\ \hat{\sigma }' \). Notice that this requirement is substantially stronger than necessary; it suffices in this case to know that \( \sigma \) and \( \sigma ' \) agree on sorts. Hence, given \( p' : \mathsf {on\_sorts}\ \sigma = \mathsf {on\_sorts}\ \sigma ' \), we only need to prove \( p'_*(\mathsf {on\_vars}\ \hat{\sigma }) = \mathsf {on\_vars}\ \hat{\sigma }' \). This dramatically simplifies the proofs.
3 Future Work
In the future, it will be interesting to investigate Coq’s code extraction facilities to generate provably correct code derived from, for example, the institution comorphism . We also wish to prove the amalgamation property for , and more generally to build institution-independent constructions and proofs, which we have already explored to some extent for modal logics and linear-time temporal logics. The proofs involved in the definition for first-order predicate logic were rather complicated, but the proofs for often reduced to properties of first-order logic. This suggests that quick progress could be made defining further institutions, verifying their properties, and providing interoperability between the formalisms represented in our framework.
References
Abrial, J.-R.: Modeling in Event-B: System and Software Engineering. Cambridge University Press, Cambridge (2010)
Capretta, V.: Universal algebra in type theory. In: Bertot, Y., Dowek, G., Théry, L., Hirschowitz, A., Paulin, C. (eds.) TPHOLs 1999. LNCS, vol. 1690, pp. 131–148. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48256-3_10
Farrell, M., Monahan, R., Power, J.F.: An institution for Event-B. In: James, P., Roggenbach, M. (eds.) WADT 2016. LNCS, vol. 10644, pp. 104–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72044-9_8
Goguen, J.A., Burstall, R.M.: Institutions: abstract model theory for specification and programming. J. ACM 39(1), 95–146 (1992)
Gunther, E., Gadea, A., Pagano, M.: Formalization of universal algebra in Agda. Electron. Notes Theor. Comput. Sci. 338, 147–166 (2018)
Mossakowski, T., Goguen, J., Diaconescu, R., Tarlecki, A.: What is a logic? In: Beziau, J.-Y. (ed.) Logica Universalis, pp. 111–133. Birkhäuser Basel (2007)
Mossakowski, T., Maeder, C., Lüttich, K.: The heterogeneous tool set, Hets. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 519–522. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71209-1_40
Sannella, D., Tarlecki, A.: Foundations of Algebraic Specification and Formal Software Development. Springer-Verlag (2012)
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
Reynolds, C. (2021). Formalizing the Institution for Event-B in the Coq Proof Assistant. In: Raschke, A., Méry, D. (eds) Rigorous State-Based Methods. ABZ 2021. Lecture Notes in Computer Science, vol 12709. Springer, Cham. https://doi.org/10.1007/978-3-030-77543-8_17
DOI: https://doi.org/10.1007/978-3-030-77543-8_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77542-1
Online ISBN: 978-3-030-77543-8