On Combining Algebraic Specifications with First-Order Logic via Athena

Abstract

We present a verification framework developed by researchers of the National Technical University of Athens as part of the Research Project Thalis “Algebraic Modeling of Topological and Computational Structures and Applications”. The proposed framework combines two different specification and theorem-proving systems, in order to facilitate the modeling and analysis of critical software systems. On the one hand, the CafeOBJ algebraic specification language offers executable, composable specifications, and insightful information about the proofs of desired invariant properties. On the other hand, Athena, an interactive theorem-proving system, provides automation and soundness guarantees for its results, as well as detailed structured proofs. Although having conducted complicated case studies (references to which are provided in the paper), here we focus on explaining the steps of the proposed hybrid methodology as clearly as possible, through an illustrative example of a simple mutual exclusion protocol.

Appendices

Appendix A

Here we present the CafeOBJ specification of the mutex system.

Appendix B

The declaration of an invariant property in CafeOBJ terms and the definition of the induction schema, are shown below:

The definition of the corresponding invariant in Athena is presented here (the induction schema is automatically defined in Athena).

The proof score of the desired invariant property in CafeOBJ, for the initial state and when a transition, called enter(s,k), is applied can be seen below:

The corresponding proof skeleton in Athena can be defined as follows.

Finally, the following proof scores present a case splitting in CafeOBJ. In the first case we assume that at(s,k) = cs while the second proof score assumes its symmetrical case, i.e. (at(s,k) = cs) = false.

The same case splitting can be defined in Athena terms as follows:

Appendix C

A detailed structured Athena proof of the (strengthened) goal for our example is shown below.

Theorem 19.1

For all states \(s'\) and processes i and j, if i and j are in their critical sections in \(s'\), then \(i = j\) and \(s'\) is locked. \(\blacksquare \)

Proof

By structural induction on \(s'\). When \(s'\) is the initial state the result is trivial because the antecedent is false, as all processes are in their remainder sections initially. Suppose now that \(s'\) is of the form (k enter s). Pick any processes i and j and assume both are in their critical sections in \(s'\). We then need to show that \(i = j\) and that \(s' = (\)k\( \textit{enter} \)s) is locked. The inductive hypothesis here is:

$$ \begin{aligned} i \,at\, s = cs \, \& \,j\, at \,s\, = cs==> i = j\, \& \,locked\, s \end{aligned}$$

(19.1)

We distinguish two cases:

1. 1.

   Case 1: k is enabled at s. Then (k at \(s'\) = cs)and (locked \(s'\)) follow from the enter axioms. Thus, we only need to show \(i = j\). By contradiction, suppose that \(i \ne j\). Then either \(i \ne k\) or \(j \ne k\).³ So assume first that \(i \ne k\) (the reasoning for the case \(j \ne k\) is symmetric). Then, from the enter axioms and the assumption that k is enabled at s, we conclude i at \(s'\) = i at s, hence i at s = cs. Now applying the inductive hypothesis to the above assumption, we conclude (locked s). However, that contradicts the assumption that k is enabled at s, as that assumption means that s is not locked.

2. 2.

   Case 2: k is not enabled at s. In that case, by the enter axioms, we get

   $$ (k \,enter\, s = s)$$

   i.e., \(s' = s\), and the result now follows directly from the inductive hypothesis.

Finally, suppose that \(s'\) is of the form (k exit s). Again pick any processes i and j and assume both are in their critical sections in \(s'\). We again need to show that \(i = j\) and that \(s' = (\)k\( \textit{exit} \)s) is locked. The inductive hypothesis here is the same as before, (19.1). We distinguish two cases again, depending on whether or not the effective condition of the exit transition holds:

1. 1.

   Case 1: (k at s = cs). We proceed by contradiction. First, by applying the inductive hypothesis to the conjunction of (k at s = cs) with itself, we obtain (locked s). Also, by the exit axioms, we get

   $$ k \,at\, s' = (k \, exit\, s) = rs$$

   i.e.,

   $$\begin{aligned} k\, at \,s' = rs. \end{aligned}$$

   (19.2)

   The exit axioms also imply that \(s'\) is not locked. We can now conclude that

   $$\begin{aligned} i \ne k \end{aligned}$$

   (19.3)

   because otherwise, if \(i = k\), the assumption that i is in cs in state \(s'\) would contradict (19.2). Hence, by the exit axioms, we get

   $$\begin{aligned} i\, at\, s' = i\, at \,s. \end{aligned}$$

   (19.4)

   Therefore, from (19.4) and the assumption that i is in cs in \(s'\), we get i at s = cs. But now applying the inductive hypothesis to i at s = cs and to (k at s = cs) yields \(i = k\), contradicting (19.3).

2. 2.

   Case 2: (k at s \(\ne \) cs). In that case the exit axioms give (k exit s = s, i.e., \(s' = s\), and the result follows directly from the inductive hypothesis.

The above informal proof can be formulated in Athena at the same level of abstraction and with the exact same structure. Moreover, the proof colloquialism “the reasoning for that case is symmetric” that appears in the enter transition can be directly accommodated by abstracting the symmetric reasoning into a method and then applying that method to multiple instances. Likewise, the treatment of enter and exit is symmetric when their effective conditions are violated, in which case the result follows directly from the inductive hypothesis, and this commonality too can be easily factored out into a general method. The entire proof, along with these two methods, can be seen below. Note that the proof doesn’t use external theorem provers. Instead, it uses Athena’s own library chain method, which allows for limited proof search. The chain method extends the readability benefits of equational chains into arbitrary implication chains.