7.5 Other commands
In this section we describe the other commands which we added to the ITP for developing a proof strategy, and debugging failed proofs.
Enable/Disable. The enable and disable commands control the executability of the different rewrite rules and memberships in the current goal. The rules can either come from hypotheses in the current module, lemmas that were previously added, or labeled equations in the original user's module.
(enable rule-name .)
(disable rule-name .)
If enable is called with the name of a rule in the module labeled with the attribute nonexec, it will discard the nonexec attribute, thus enabling the rule during rewriting. Conversely, when the disable command is given for a rule that is not labeled with the nonexec attribute, it will add the nonexec attribute to the rule, thus disabling it when rewriting is used to simplify goals. These commands can be used in debugging to help identify non-terminating hypotheses or lemmas. They also can be used for information hiding. It is often useful to prove lemmas that state the essential properties of an operation, and then disable the operation’s definition.
Reduction. It can be difficult to remember all the lemmas and hypotheses added to a module, and sometimes rules may fail to apply because a condition cannot be resolved. Unfortunately, there is no automatic way to fix the second problem, but to aid the debugging process, we have added the command
(red term .)
which computes the canonical form and least sort of an arbitrary term in the current module.
Showing rules. A large part of the success of inductive theorem provers stems from a user’s ability to construct a set of terminating rules that yield unique normal forms for terms appearing in the current goal. In the ITP, the rules depend not only on the definitions in the user’s module and lemmas, but also on the hypotheses added to the current proof attempt. Unlike the lemmas, the hypotheses are usually different for each subgoal, and so it is often helpful to see the current hypotheses assumed in the current goal. To do this, we added the command (show-hyps .) to show the current hypotheses.
In addition to the hypotheses, it is often useful to see all of the rules related to a given symbol appearing in the current goal. Although the existing show-all command will display all of the rules, it can be tedious to sort through them in larger proofs to see the rules that are currently relevant. For more targeted searches, we added the command
(show-rules with op .)
which will display the equations and memberships whose left-hand side references op.
7.6 Conclusions and future work
In this chapter we have presented several improvements to the Maude Inductive Theorem Prover. This includes a general form of coverset induction, equivalence propagation, and several different commands to help debug proofs using the rewriting engine. These techniques have already proven useful in the powerlist case study which we will discuss in the next chapter. However, there are still many ways the ITP could be improved.
Our approach to coverset induction is similar to the first sufficient completeness checking algorithm described in Section 5.3. It would also be interesting to develop equational tree automata-based techniques for generating coverset induction schemes. These techniques should allow us to generate better coverset induction schemas with specifications supporting rewriting modulo axioms. This is related to the work in [86] which considered rewriting modulo linear arithmetic. Our work would build upon that to consider other theories such as the combinations of associativity, commutativity, and identity supported by our CETA tree automata library.
A second research direction would be to extend the auto tactic to take advantage of recent advances in efficient decision procedures for uninterpreted function symbols, linear arithmetic, bit vectors, and arrays. These decision procedures have been successfully combined with algorithms for Boolean satisfiability as the basis for SAT Modulo Theories (SMT)-based theorem proving, and there are currently many different SMT theorem provers including Barcelogic [13], CVC3 [9], MathSAT [23], Yices [45], and Z3 [116]. One recent direction is to combine the capabilities of SMT-based theorem provers with matching modulo ground equations [115] and superposition [114]. It seems worth investigating whether these techniques can be combined with the (conditional) rewriting supported by the ITP in an efficient way.
A third direction for further research is to further decouple the reasoning capabilities in the ITP from the ITP's user interface. This would enable the core reasoning of the ITP to more easily be integrated in other tools such as Full Maude or Real-time Maude. This should be possible since all of these tools use the core Maude metalevel infrastructure. One step in this direction that we have taken in the ITP is to make the module used to define the ITP's commands an argument to the initial ITP state. This allows us to define new commands to the ITP in a modular way without altering any of the existing ITP's source code. After making this change, Ralf Sasse was able to port the JAVA+ITP [132] extension to the newest version of the ITP with no code changes to the ITP's source code.
It is an exciting time for automated theorem proving, as its techniques have become fundamental to many different formal analysis tools. The ITP has a great deal of potential to become useful across the different Maude tools. However, it is important to carefully validate these ideas on different domains.
Chapter 8
Powerlist case study
To evaluate the Maude ITP and the extensions introduced in the previous chapter, we present a case study in which we mechanically prove the correctness of many different algorithms over Misra's powerlist [113] data type. Powerlists are non-empty lists which can be nested, but where two lists P and Q can be concatenated to form P | Q if and only if they are similar — that is they have the same number of nested levels and the same length at each level. Powerlists satisfy the nice algebraic property that the interleaving P × Q of two similar powerlists P and Q can be distributed over concatenation,
$$(P_1 \mid P_2) \times (Q_1 \mid Q_2) = (P_1 \times Q_1) \mid (P_2 \times Q_2), \qquad S_1 \times S_2 = S_1 \mid S_2,$$
where $P_1$, $P_2$, $Q_1$, and $Q_2$ are all similar powerlists, while $S_1$ and $S_2$ denote single elements or nested powerlists. We sometimes refer to | as the tie operator, and × as the zip operator.
It is not difficult to see that each powerlist has $2^n$ elements for some $n \in \mathbb{N}$. A crucial property of powerlists is that each powerlist with more than one element can be represented as either the concatenation $P_1 \mid P_2$ or the interleaving $Q_1 \times Q_2$ of two similar powerlists. Moreover, the conversion between the interleaving and concatenation representations can be done efficiently in parallel architectures [96]. Powerlists can also succinctly describe many different parallel algorithms in a way that leads to elegant correctness proofs [1, 96, 113].
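To make the algebra above concrete, the following is a small executable model of powerlists added for this edition; it is not part of the thesis or of its Maude specification. It represents a powerlist as a Python list (scalars as ints), treats tie and zip as partial operations that reject dissimilar operands, and checks the two laws quoted above together with the tie/zip round trips on constructed inputs. All names (shape, similar, is_powerlist, tie, zip_, untie, unzip, check_distributive, check_singleton) are my own choices.

```python
# Added example, not from the thesis: an executable model of Misra's
# powerlists used to check the tie/zip laws on constructed inputs.
# A powerlist is a non-empty Python list whose elements are either
# scalars (ints here) or powerlists of identical shape.


def shape(p):
    """Shape of p: () for a scalar, otherwise (length, shape of elements).

    Raises ValueError when p is an empty list or its elements differ in
    shape, i.e. when p is not a powerlist at all."""
    if not isinstance(p, list):
        return ()
    if not p:
        raise ValueError("powerlists are non-empty")
    s = shape(p[0])
    if any(shape(x) != s for x in p[1:]):
        raise ValueError("elements of a powerlist must be similar")
    return (len(p), s)


def similar(p, q):
    """P and Q are similar iff they have the same nesting depth and the
    same length at every level, i.e. the same shape."""
    return shape(p) == shape(q)


def is_powerlist(p):
    """True iff p is a list with similar elements and 2^n entries at
    every nesting level (n may differ per level)."""
    if not isinstance(p, list):
        return False
    try:
        s = shape(p)
    except ValueError:
        return False
    while s != ():
        n, s = s
        if n & (n - 1):  # not a power of two
            return False
    return True


def tie(p, q):
    """P | Q: concatenation, a partial operation defined only on similar
    powerlists (the side condition a conditional membership would carry)."""
    if not similar(p, q):
        raise ValueError("tie: operands are not similar")
    return p + q


def zip_(p, q):
    """P x Q: interleaving, with the same similarity side condition."""
    if not similar(p, q):
        raise ValueError("zip: operands are not similar")
    return [x for pair in zip(p, q) for x in pair]


def untie(p):
    """Inverse of tie: the two similar halves of a powerlist of length >= 2."""
    if len(p) < 2:
        raise ValueError("untie: need at least two elements")
    half = len(p) // 2
    return p[:half], p[half:]


def unzip(p):
    """Inverse of zip: even- and odd-indexed elements of a powerlist of
    length >= 2. Together with untie this is the two-way conversion
    between the concatenation and interleaving views."""
    if len(p) < 2:
        raise ValueError("unzip: need at least two elements")
    return p[0::2], p[1::2]


def check_distributive(p1, p2, q1, q2):
    """(P1 | P2) x (Q1 | Q2) == (P1 x Q1) | (P2 x Q2) for similar inputs."""
    lhs = zip_(tie(p1, p2), tie(q1, q2))
    rhs = tie(zip_(p1, q1), zip_(p2, q2))
    return lhs == rhs


def check_singleton(a, b):
    """<a> x <b> == <a> | <b>: zip and tie agree on singletons."""
    return zip_([a], [b]) == tie([a], [b])


if __name__ == "__main__":
    # Constructed inputs: flat lists and one level of nesting.
    print(check_distributive([1, 2], [3, 4], [5, 6], [7, 8]))          # True
    print(check_distributive([[1, 2]], [[3, 4]], [[5, 6]], [[7, 8]]))  # True
    print(check_singleton(1, 2))                                       # True
    p = [1, 2, 3, 4, 5, 6, 7, 8]
    print(tie(*untie(p)) == p, zip_(*unzip(p)) == p)                   # True True
    print(is_powerlist([1, 2, 3]), is_powerlist([[1, 2], [3]]))        # False False
    try:
        tie([1, 2], [3])
    except ValueError as e:
        print("rejected:", e)
```

The partiality is the point worth noticing: tie and zip are only defined when the similarity check passes, which is exactly the side condition that the thesis later pushes into a conditional membership rather than encoding powerlists as unconstrained cons trees.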
Powerlists have served as a challenge problem for inductive theorem provers. There are several papers which reproduce the different correctness properties of powerlists in both ACL2 [55–57] and the RRL [85, 87]. Unfortunately, it is widely felt that these proofs lack the simplicity of hand proofs. Attempts to replicate that simplicity have led to new techniques for simplifying inductive theorem proofs [84]; however, there has not yet been a completely satisfactory solution. The aim of this work is to replicate many of these proofs using the Maude ITP in a natural way that achieves the simplicity of the hand proofs. We hope to use this experience to identify both strengths of the ITP that may be useful in other theorem provers and weaknesses where we can improve the ITP.
An important reason why the powerlist proofs are complicated in other formal tools is that powerlists cannot be naturally formalized in the logics supported by those tools. For example, ACL2's logic is an applicative subset of Common Lisp, and powerlists were encoded in [56] as trees formed from cons and nil rather than treating the tie and/or zip operators directly as constructors. Our goal is to determine if membership equational logic can avoid this problem. One important feature of MEL is that the partial powerlist constructors | and × can be naturally expressed as conditional memberships.
Our results are encouraging: we have verified many of the powerlist theorems from existing work in the Maude ITP. We have formally proven many of the theorems in [113] on basic properties of powerlists, on the Fast Fourier Transform (FFT) and inverse FFT, and on the Batcher sort algorithm. We have also proven the results in [1] on representing arbitrary-size ripple-carry and carry-lookahead adders with powerlists. The proof scripts for the different proofs contain over 100 different theorems and lemmas. The vast majority of these were proven using a single ITP command, either coverset induction or the cov-split described in the previous chapter.
The rest of this chapter is organized as follows. In the next section we introduce our parameterized specification of powerlists in membership equational logic. This parameterized specification forms the basis for all of the later proofs, and is instantiated in later proofs for powerlists over natural numbers, complex numbers, and bits. In Section 8.2, we show how basic algorithms on powerlists can be proven correct in the ITP. Many of the lemmas in this section are reused in later proofs. In Section 8.3, we present our definitions and correctness proofs for the FFT and inverse FFT. In Section 8.4, we present our results on the Batcher sort algorithm. In Section 8.5, we present our results on the ripple-carry and carry-lookahead adders. Finally, we conclude in Section 8.6 with a discussion of how our work relates to existing work as well as promising future directions of research. To improve the flow of this chapter, we will not always show the full proof scripts, however they are included in Appendices A–D.