## Relational Analysis of (Co)inductive Predicates, (Co)algebraic Datatypes, and (Co)recursive Functions (2010)

### BibTeX

```bibtex
@MISC{Blanchette10relationalanalysis,
  author = {Jasmin Christian Blanchette},
  title  = {Relational Analysis of (Co)inductive Predicates, (Co)algebraic Datatypes, and (Co)recursive Functions},
  year   = {2010}
}
```

### Abstract

This paper presents techniques for applying a finite relational model finder to logical specifications that involve (co)inductive predicates, (co)algebraic datatypes, and (co)recursive functions. In contrast to previous work, which focused on algebraic datatypes and restricted occurrences of unbounded quantifiers in formulas, we can handle arbitrary formulas by means of a three-valued Kleene logic. The techniques form the basis of the counterexample generator Nitpick for Isabelle/HOL. As a case study, we consider a coalgebraic lazy list type.

### Citations

- **847** | A formulation of the simple theory of types. Church, 1940.
  Context: ...are mostly orthogonal and covered elsewhere [5]. 2 Logics. 2.1 First-Order Logic (FOL). The first-order logic that will serve as our specification language is essentially the first-order fragment of HOL [7, 12]. The types and terms are given below. Types: σ ::= κ (atomic type) | α (type variable); τ ::= (σ, ..., σ) → σ (function type). Terms: t ::= x^σ (variable) | c^τ(t, ..., t) (function term) | ∀x^σ. t (univer...

- **717** | Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Nipkow, Paulson, et al., 2002.
  Context: ...d their proper handling mitigate this problem. The ideas presented here form the basis of the higher-order counterexample generator Nitpick [5], which is included with recent versions of Isabelle/HOL [25]. As a case study, we employ Nitpick on a small theory of coalgebraic (lazy) lists (Sect. 6). To simplify the presentation, we use FOL as our specification language in the paper; issues specific to hi...

- **705** | Symbolic model checking without BDDs. Biere, Cimatti, et al., 1999.
  Context: ...p(x̄). Dually, this method can also handle positive occurrences of coinductive predicates. To deal with positive occurrences of inductive predicates, we adapt a technique from bounded model checking [3]: We replace these occurrences of p by a fresh predicate r_k defined by the FOL equations r_0(x̄) ≃ False and r_{Suc n}(x̄) ≃ t[r_n], which corresponds to p unrolled k times. In essence, we have made the pred...

- **376** | Representation of events in nerve nets and finite automata. Kleene, 1951.

- **291** | Software Abstractions: Logic, Language, and Analysis. Jackson, 2012.
  Context: ...gic (FOL) with relational calculus operators and the transitive closure, and offers a good compromise between automation and expressiveness. Kodkod relies on a SAT solver and forms the basis of Alloy [15]. In a case study, the Alloy Analyzer checked a mechanized version of the paper proof of the Mondex protocol and revealed several bugs in the proof [27]. However, FORL lacks the high-level definitiona...

- **228** | A tutorial on (co)algebras and (co)induction. Jacobs, Rutten, 1997.
  Context: ...nite scope iff the FORL formula F〈P〉 ∧ ⋀_{j=1}^n Φ(u_j) with bounds ∅ ⊆ u_j ⊆ 〈τ_j〉 is satisfiable for the same scope. [Footnote 2:] Other authors formulate corecursion in terms of selectors instead of constructors [16]. [Footnote 3:] Metatheoretic functions here and elsewhere are defined using sequential pattern matching. Proof. Let ⟦t⟧_M denote the set-theoretic semantics of the FOL term t w.r.t. a model M and the given scope...

- **198** | Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Gordon, Melham (eds.), 1993.

- **95** | A Davis-Putnam program and its application to finite first-order model search: Quasigroup existence problems. McCune, 1994.
  Context: ...ication languages that lend themselves to automatic analysis and those that are used in actual formalizations. As an example, infinite types are ubiquitous, yet most model finders either spin forever [9, 24], give up immediately [8], or are unsound [1; 28, p. 164; 31] on finitely unsatisfiable formulas. We identified several commonly used definitional principles and showed how to encode them in first-ord...

- **88** | AProVE 1.2: Automatic termination proofs in the dependency pair framework. Giesl, Schneider-Kamp, et al., 2006.
  Context: ...dedness, we can perform a simple syntactic check to ensure that each recursive call peels off at least one constructor. Alternatively, we can invoke an off-the-shelf termination prover such as AProVE [11] or Isabelle's lexicographic_order tactic [6]. Given introduction rules of the form p(t̄_{i1}) ∧ ··· ∧ p(t̄_{iℓ_i}) ∧ Q_i ⟶ p(ū_i) for i ∈ {1, ..., n}, the prover attempts to exhibit a well-founded relation R s...

- **83** | On notation for ordinal numbers. Kleene, 1938.
  Context: ...out some elements of atomic types means that we must cope with partiality. Not only may functions be partial, but any term or formula can evaluate to ⊥. The logic becomes a three-valued Kleene logic [17]. Universal quantifiers whose bound variable ranges over an approximated type, such as ∀n^nat. P(n), will evaluate to either False (if P(n) gives False for some n ≤ K) or ⊥, but never to True, since...

- **70** | Type classes and overloading in higher-order logic. Wenzel, 1997.
  Context: ...inct, and the right-hand side t does not refer to any other free variables than x̄, to any undefined constants or c, or to any type variables not occurring in τ. These restrictions ensure consistency [32]. 3.2 (Co)inductive Predicates. The inductive and coinductive commands define inductive and coinductive predicates specified by their introduction rules: [co]inductive p^τ where p(t̄_{11}) ∧ ··· ∧ p(t̄_{1ℓ_1}...

- **69** | HOL Light: A tutorial introduction. Harrison, 1996.
  Context: ...riables to range over basic types, and it forbids partial function application and λ-abstractions. On the other hand, it supports the limited form of polymorphism provided by proof assistants for HOL [14, 25, 29], with the restriction that type variables may only be instantiated by atomic types (or left uninstantiated in a polymorphic formula). Types and terms are interpreted in the standard set-theoretic way...

- **60** | Kodkod: A relational model finder. Torlak, Jackson, 2007.
  Context: ...ns or generate (counter)models. For testing logical specifications, a particularly attractive approach is to express these in first-order relational logic (FORL) and use a model finder such as Kodkod [30] to find counterexamples. FORL extends traditional first-order logic (FOL) with relational calculus operators and the transitive closure, and offers a good compromise between automation and expressive...

- **58** | Introduction to HOL: a theorem proving environment for higher order logic. Gordon, Melham (eds.), 1993.
  Context: ...are mostly orthogonal and covered elsewhere [5]. 2 Logics. 2.1 First-Order Logic (FOL). The first-order logic that will serve as our specification language is essentially the first-order fragment of HOL [7, 12]. The types and terms are given below. Types: σ ::= κ (atomic type) | α (type variable); τ ::= (σ, ..., σ) → σ (function type). Terms: t ::= x^σ (variable) | c^τ(t, ..., t) (function term) | ∀x^σ. t (univer...

- **49** | Formal system development with KIV. Balser, Reif, et al., 2000.

- **44** | A fixedpoint approach to implementing (co)inductive definitions. Paulson.
  Context: ...rictions on the rules ensure monotonicity; by the Knaster–Tarski theorem, the fixed point equation p(x̄) ≃ ∃ȳ. ⋁_{j=1}^n (x̄ ≃ ū_j ∧ p(t̄_{j1}) ∧ ··· ∧ p(t̄_{jℓ_j}) ∧ Q_j) admits a least and a greatest solution [13, 26]. Inductive definitions provide the least fixed point, and coinductive definitions provide the greatest fixed point. As an example, assuming a type nat of natural numbers generated freely by 0^nat and...

- **42** | Inductive datatypes in HOL – lessons learned in formal-logic engineering. Wenzel.

- **40** | Random testing in Isabelle/HOL. Berghofer, Nipkow, 2004.
  Context: ...∈ 〈nat list〉: lone Cons〈x, xs〉. ACYCLIC: no sup_{nat list} ∩ iden, with sup_{nat list} = tail^+. Examples of subterm-closed list substructures using traditional notation are {[], [0], [1]} and {[], [1], [2,1], [0,2,1]}. In contrast, L = {[], [1,1]} is not subterm-closed, because tail([1,1]) = [1] ∉ L. Given a cardinality, Kodkod systematically enumerates all corresponding subterm-closed list substructure...

- **30** | A brief overview of HOL4. Slind, Norrish, 2008.
  Context: ...riables to range over basic types, and it forbids partial function application and λ-abstractions. On the other hand, it supports the limited form of polymorphism provided by proof assistants for HOL [14, 25, 29], with the restriction that type variables may only be instantiated by atomic types (or left uninstantiated in a polymorphic formula). Types and terms are interpreted in the standard set-theoretic way...

- **25** | New techniques that improve MACE-style model finding. Claessen, Sörensson.
  Context: ...ication languages that lend themselves to automatic analysis and those that are used in actual formalizations. As an example, infinite types are ubiquitous, yet most model finders either spin forever [9, 24], give up immediately [8], or are unsound [1; 28, p. 164; 31] on finitely unsatisfiable formulas. We identified several commonly used definitional principles and showed how to encode them in first-ord...

- **23** | Automated Theorem Proving in Software Engineering. Schumann, 2001.

- **22** | Nitpick: A counterexample generator for higher-order logic based on a relational model finder. Blanchette, Nipkow, 2010.
  Context: ...blematic in general, but suitable definitional principles and their proper handling mitigate this problem. The ideas presented here form the basis of the higher-order counterexample generator Nitpick [5], which is included with recent versions of Isabelle/HOL [25]. As a case study, we employ Nitpick on a small theory of coalgebraic (lazy) lists (Sect. 6). To simplify the presentation, we use FOL as o...

- **22** | Inductive definitions: automation and application. Harrison, 1995.
  Context: ...rictions on the rules ensure monotonicity; by the Knaster–Tarski theorem, the fixed point equation p(x̄) ≃ ∃ȳ. ⋁_{j=1}^n (x̄ ≃ ū_j ∧ p(t̄_{j1}) ∧ ··· ∧ p(t̄_{jℓ_j}) ∧ Q_j) admits a least and a greatest solution [13, 26]. Inductive definitions provide the least fixed point, and coinductive definitions provide the greatest fixed point. As an example, assuming a type nat of natural numbers generated freely by 0^nat and...

- **21** | Balanced search trees made simple. Andersson, 1993.

- **20** | Relational analysis of algebraic datatypes. Kuncak, Jackson, 2005.
  Context: ...es usually provided in interactive theorem provers, namely (co)inductive predicates, (co)algebraic datatypes, and (co)recursive functions (Sect. 3). Solutions have been proposed by Kuncak and Jackson [21], who modeled lists and trees in Alloy, and Dunets et al. [10], who showed how to translate algebraic datatypes and recursive functions in the context of the first-order theorem prover KIV. In both ca...

- **17** | SAT-based Finite Model Generation for Higher-Order Logic. Weber, 2008.
  Context: ...tive predicates was inspired by bounded model checking [3] and by the Alloy idiom for state transition systems [15, pp. 172–175]. Another inspiration has been Weber's higher-order model finder Refute [31]. It uses a three-valued logic, but sacrifices soundness for precision. Datatypes are approximated by subterm-closed substructures [31, pp. 58–64] that contain all datatype values built using up to k...

- **15** | Finding lexicographic orders for termination proofs in Isabelle/HOL. Bulwahn, Krauss, et al., 2007.

- **12** | Deductive search for errors in free data type specifications using model generation. Ahrendt, 2002.
  Context: ...ns: ∀x ∈ 〈nat〉, xs ∈ 〈nat list〉: lone Cons〈x, xs〉. ACYCLIC: no sup_{nat list} ∩ iden, with sup_{nat list} = tail^+. Examples of subterm-closed list substructures using traditional notation are {[], [0], [1]} and {[], [1], [2,1], [0,2,1]}. In contrast, L = {[], [1,1]} is not subterm-closed, because tail([1,1]) = [1] ∉ L. Given a cardinality, Kodkod systematically enumerates all corresponding subterm-clo...

- **12** | Why we can't have SML-style datatype declarations in HOL. Gunter, 1993.

- **9** | Monotonicity inference for higher-order formulas. Blanchette, Krauss, 2010.
  Context: ...combinations. This can be made more efficient by taking the cardinalities as upper bounds rather than exact bounds (Alloy's default mode of operation [15, p. 129]) or by inferring scope monotonicity [4, 21]. 4.2 Approximation of Infinite Types and Partiality. Besides its lack of support for the definitional principles, the above translation suffers from a serious limitation: It disregards infinite types...

- **8** | Partial and nested recursive function definitions in higher-order logic. Krauss.
  Context: ...n〉| / |〈κ〉| in the SAT problem. Although we focus here on primitive recursion, general well-founded recursion with non-overlapping pattern matching (as defined using, say, Isabelle's function package [20]) can be handled in essentially the same way. Example 5.3. The recursive function cat from Sect. 3.4 is translated to ∀ys ∈ nil_p, zs ∈ 〈α list〉: zs.(ys.cat) ≃ zs; ∀ys ∈ cons_p, zs ∈ 〈α list〉: zs.(ys.c...

- **8** | Mondex, an electronic purse: specification and refinement checks with the Alloy model-finding method.

- **6** | Automated inference of finite unsatisfiability. Claessen, Lillieström, 2009.
  Context: ...hemselves to automatic analysis and those that are used in actual formalizations. As an example, infinite types are ubiquitous, yet most model finders either spin forever [9, 24], give up immediately [8], or are unsound [1; 28, p. 164; 31] on finitely unsatisfiable formulas. We identified several commonly used definitional principles and showed how to encode them in first-order relational logic (FORL...

- **2** | Bounded relational analysis of free datatypes. Dunets, Schellhorn, et al., 2008.
  Context: ...)inductive predicates, (co)algebraic datatypes, and (co)recursive functions (Sect. 3). Solutions have been proposed by Kuncak and Jackson [21], who modeled lists and trees in Alloy, and Dunets et al. [10], who showed how to translate algebraic datatypes and recursive functions in the context of the first-order theorem prover KIV. In both cases, the translation is restricted to formulas whose prenex no...

- **1** | Private communication. Lochbihler, 2009.
  Context: ...ne user has already reported saving several hours of failed proof attempts thanks to its support for codatatypes and coinductive predicates while developing a formal theory of infinite process traces [22]. Acknowledgment. I want to thank Sascha Böhme, Lukas Bulwahn, Andreas Lochbihler, Tobias Nipkow, Mark Summerfield, and the anonymous reviewers for suggesting many improvements to this paper, and Alex...