Recursive Boolean Functions in HOL - CiteSeerX

Recursive Boolean Functions in HOL Flemming Andersen

Kim Dam Petersen

TFL - Telecommunications Research Laboratory Lyngs Alle 2, DK-2970 Hrsholm

Abstract The HOL system supports mechanized veri cation of speci cations in polymorphic Higher Order Logic. HOL has facilities for de ning primitive recursive functions, but no support for de ning non-primitive recursive functions. This paper presents a package for de ning recursive boolean functions in HOL as the minimal or maximal xed point of a boolean function transformer. The implementation of the package is based on the results on xed points in complete lattices by Tarski. Two examples on how to use the package are given. Both examples describe the de nition of recursive boolean functions for specifying properties of parallel programs.

1 Introduction The proof generating system HOL includes facilities for constructing primitive recursive functions over the prede ned types num (non-negative numbers) and list ( nite lists), tools have been made for de ning recursive data types and primitive recursive functions over these [13, 5], but no facilities exist for constructing functions that are not primitive recursive. This paper describes the implementation and use of a package which allows a wide class of recursive boolean functions to be constructed in HOL. The class of functions which may be constructed by the package consists of those that may be speci ed as minimal or maximal xed points of monotonic boolean function transformers. The aim of making the package is to make it simpler to de ne recursive boolean function within HOL. Hence, relieving the HOL user from the trivial details needed to convince the HOL system that a particular speci cation of a recursive boolean function is valid.

The package may be used for a wide range of purposes. Many recursive functions used to specify the semantics and properties of parallel programs are speci ed as the least or greatest xed point of boolean function transformers. A set may be represented by its characteristic (boolean) function and the semantics of predicates over xed state spaces may be represented as boolean functions with the state space as domain, hence recursively de ned sets and xed points of predicate transformers may be de ned using the package. The technique for constructing recursive boolean functions is based on the results of Tarski [17] that characterize the xed points of monotonic functions on complete lattices. Using the fact that boolean functions ordered by pointwise implication is a complete lattice, Tarski's results may be used to de ne the minimal and maximal xed point of monotonic boolean function transformers. It is not a new idea to use the result of Tarski for recursive de nitions in HOL; in [5, 9] systems for de ning mutually recursive data types and in [1] a system for automatic model checking of recursive modal assertions of nite state systems is described. These systems use the results of Tarski for internally constructing recursive de nitions. Another tool for de ning recursively de ned boolean functions is described in [14]. The paper is organized as follows. In section 2 the theory behind the implementation of the package is described. This includes a description of the results of Tarski and showing their applicability to the construction of recursive boolean functions. In section 3 the implementation of the package is given. First we show how to implement the results of Tarski in HOL, next we show the steps needed for constructing a recursive boolean function as the minimal (or maximal) solution to a monotonic boolean function transformer, and nally the construction of some general deduction theorems, which re ect some induction principles are described. In section 4 an application of the package is

demonstrated. In the application section, the progress relation \leadsto", of the UNITY theory [4], is de ned as the least solution to three equations. It is demonstrated how this speci cation may be transformed into a form applicable to the package, such that the relation and some deduction theorems concerning it may be de ned. Finally the section shows how to use the deduction theorem for proving a general property of \leadsto". In section 5 the conclusions of the work are given and some directions for future work is pointed out.

and the least upper bound of a set G of boolean functions is de ned by the boolean function:

2 Theory

Notice that considering boolean functions as being characteristic functions of sets the order relation corresponds to the set inclusion relation , the greatest lower bound to intersection (of a collection of sets), and the least upper bound to union. Considering boolean functions as predicates the order relation corresponds to the \stronger than" relation, X to the weakest predicate stronger than all predicates in X and X to the strongest predicate weaker than all predicates in X .

Tarski gives in [17] a characterization of the xed points of a monotonic function f from a complete lattice (D; v) to itself. A complete lattice is a partially ordered set, where each subset X has a greatest lower bound ( X ) and a least upper bound ( X ). The important results of Tarski for our purpose is that f has both a minimal xed point fmin and a maximal xed point fmax . A xed point of a function f : D ! D is an element x 2 D satisfying: fx

= x

A xed point is minimal (maximal) if it is smaller (greater) than any other xed point with respect to the ordering (v). The minimal xed point may be characterized as: fmin

=

fx 2 D j f (x) v xg

and the maximal xed point may be characterized as: fmax

=

fx 2 D j x v f (x)g

If only the minimal (maximal) xed point is needed the requirement of D to be a complete lattice may be reduced to require only the existence of X ( X ) for any X  D. It may be proved that boolean functions ordered by pointwise implication is a complete lattice; i.e. that: (D; v) = (X ! Bool; (f; g) 7! 8x 2 X:f (x) ) g(x)) for any set X is a complete lattice. In this lattice the greatest lower bound of a set G of boolean functions is de ned by the boolean function: ( G)(x) = 8f 2 G: f (x)

( G)(x) = 9f 2 G: f (x) The construction of the xed points satis es the following implications: f (x) v x ) fmin v x x v f (x) ) x v fmax

3 Implementation in HOL The package for de ning recursive boolean functions use the specialized results of Tarski described in the previous section. These results have been collected in a HOL theory called Tarski. The package consists of a collection of ML functions used to de ne recursive boolean functions and to automatically construct a few specialized theorems concerning the properties of the de ned recursive functions. We will start by describing how the results of Tarski have been represented in the theory Tarski, next we will describe the implementation of the functions of the package for de ning recursive functions, and nally we will describe the implementation of the functions for constructing specialized theorems concerning recursive functions de ned by the package. Throughout this section HOL notation is used. We refer to [10] for the full details on this, here we will just mention that: |- pre xes a theorem or a de nition, ! is the universal quanti er 8, ? is the existential quanti er 9, and \ the lambda abstraction symbol . During the implementation of the HOL package, it was discovered that several useful functions concerning manipulation and reasoning about uncurrying seems to be missing in the present version of the HOL system. Some of these have been made as part of the package implementation.

3.1 The HOL theory Tarski

The representation of sets, partial orders and complete lattices has to be considered when constructing a theory containing the results of Tarski. In order to get a prototype package quickly for experimentation, we decided to make simple representations of the various concepts. The representations are specialized to our speci c purpose: Construction of minimal and maximal xed points of boolean function transformers. All kinds of sets are represented by characteristic functions in Tarski, e.g. a set S is represented by the characteristic function S (x) = x 2 S . In this representation membership corresponds to application, however, to increase readability of the formulae, we introduce the in x function In to denote membership: In |- !x S. x In S = S x

The membership operation is only used in connection with boolean functions that are considered characteristic functions. It should be noted that HOL requires restrictions on quanti ed variables to be speci ed explicit, e.g. the formula 8x 2 X : P is speci ed in HOL as !x. x In X ==> P and the formula 9x 2 X : P is speci ed in HOL as ?x. x In X /\ P . Some of the formulae below becomes more readable having this requirement in mind. The order relation (v) for boolean functions, pointwise implication, is represented explicitly in HOL by the function Leq. Leq |- !f g. f Leq g = !x. f x ==> g x

To prove that Leq is a partial order requires a proof of the fact that it is re exive, anti-symmetric and transitive. This may be done by proving the theorems LeqRefl, LeqAntisym, and LeqTrans in HOL. LeqRefl |- !f. f Leq f LeqAntisym |- !f g. f Leq g /\ g Leq f ==> (f = g) LeqTrans |- !f g h. f Leq g /\ g Leq h ==> f Leq h

The greatest lower bound ( ) of a collection of boolean functions G is de ned as x:8f 2 G: f (x), considering the note on how to represent restricted quanti ers in HOL, a HOL function Glb representing the greatest lower bound may be de ned as: Glb |- !G. Glb G = \x. !f. f In G ==> f x

Recalling that the least upper bound ( ) of a collection of boolean functions G is de ned as x:9f 2 G: f (x), and considering the note again, a HOL function Lub representing the least upper bound may be de ned as: Lub |- !G. Lub G = \x. ?f. f In G /\

f x

To show that boolean functions ordered by Leq is a complete lattice it must be proved that Glb and Lub actually are the greatest lower bound and least upper bound of any collection of boolean function. For each function there are two aspects: showing that (1) the function whenever applied to a collection of boolean functions returns a lower (upper) bound, and that (2) this is greater (smaller) than any other lower (upper) bound. Proving the theorems GlbLower and GlbGreatest we have proven that the function Glb returns the greatest lower bound for any collection of boolean functions, and proving LubUpper and LubLeast we have proven that the function Lub returns the least upper bound for any collection of boolean functions. GlbLower |- !G f. f In GlbGreatest |- !G f. (!g. g In G LubUpper |- !G f. f In LubLeast |- !G f. (!g. g In G

G ==> (Glb G) Leq f

==> f Leq g) ==> f Leq (Glb G) G ==> f Leq (Lub G)

==> g Leq f) ==> (Lub G) Leq f

We represent the monotonicity relation explicitly in HOL by the function Mono. A function is monotonic if it preserves the order relation, hence it may be de ned in HOL as: Mono |- !H. Mono H = !f g. f Leq g ==> (H f) Leq (H g)

Tarski's characterization of the minimal and maximal xed points by a glb and a lub of inequalities is used to de ne the xed points. The functions MinFix and MaxFix represents in HOL the functions for constructing the minimal and maximal xed points of monotonic function transformers: MinFix |- !H. MinFix H = Glb (\f. (H f) Leq f) MaxFix |- !H. MaxFix H = Lub (\f. f Leq (H f))

From these de nitions it is now possible to prove that MinFix and MaxFix returns xed points when applied to monotonic functions, and that these are the minimal and maximal xed points. The theorems MinFix_Fix and MaxFix_Fix express the xed point properties and the theorems MinFix_Min and MaxFix_Max express the minimality and maximality. MinFix_Fix |- !f. Mono MinFix_Min |- !f. Mono (!p. (f p MaxFix_Fix |- !f. Mono MaxFix_Max |- !f. Mono (!p. (f p

f ==> (f (MinFix f) = MinFix f) f ==> = p) ==> ((MinFix f) Leq p)) f ==> (f (MaxFix f) = MaxFix f) f ==> = p) ==> (p Leq (MaxFix f)))

In proving the theorems above in HOL the proof given by Tarski for the characterization of the minimal xed points may be repeated. Tarski gets the proof of the characterization of maximal xed point for free, by observing that it corresponds to a minimal xed point using the reverse order (f v g = g v f ), and using results on dual lattices (the complete lattice with the reverse order). To avoid introducing the concept of dual lattices, we prove the characterization of the maximal xed point by performing the prove steps of the minimal xed point once again using the reverse order. The characterization of MinFix may be used to derive a theorem MinFix_Imp, which can be used to introduce an induction scheme for derived properties of minimal xed points. 0

MinFix_Imp |- !f. Mono f ==> (!p. ((f p) Leq p) ==> ((MinFix f) Leq p))

In the description of the application of the package below the induction scheme will become more explicit.

3.2 De ning recursive functions

The package de nes a collection of ML functions for de ning recursive functions in HOL. The functions in the package assumes that a recursive boolean function R to be de ned, is speci ed as the minimal or maximal solution of an equation, where the left hand side R(x1 ; : : :; xn) is an application of the recursive boolean function R with a tuple of parameters x1; : : : ; xn and the right hand side E is a boolean expression that has R and the parameters as the only free variables:

R(x1 ; : : : ; xn) = E

From the recursive equation, the boolean function transformer, whose xed point is going to de ne R is automatically constructed. The boolean function transformer is constructed by abstracting the right hand side expression with the tuple of parameters and with R giving: R:(x1; : : : ; xn): E To de ne R it must be proved that the boolean function transformer above is monotonic, i.e. that the following is a theorem: Monotonicity Theorem

|- Mono (\R.\(x1; : : : ; xn ).

E)

This step can in general not be proved automatically. To avoid that the user of the package should know about the internal representation of monotonicity, a \rewritten" theorem, in which Mono and Leq do not occur, is automatically constructed which is required to be proved: Rewritten Monotonicity Theorem

|- !f g. (!x. f x ==> g x) ==> (!x1 : : : xn . E [R := f] ==> E [R := g])

The notation E [x := v] represents the expression E with all free occurrences of x replaced by v. Any necessary renaming is automatically performed. The package supports a function set_monotonic_goal (eqn) for interactive derivation of a tactic solving the rewritten theorem and a function prove_monotonic_thm (thm name, eqn, tactic) for proving the rewritten monotonicity theorem and saving the (non-rewritten) monotonicity theorem. The package is able to de ne the recursive function given the monotonicity theorem. The package allows the minimal or the maximal solution of the recursive equation to be de ned. The function new_min_recursive_boolfun_definition (def name, mono thm) de nes the minimal solution and the function new_max_recursive_boolfun_definition (def name, mono thm) de nes the maximal solution to the recursive equation. Actually the boolean function is de ned as the application of MinFix or MaxFix to the automatically derived boolean function transformer for the equation: Minimal Recursive De nition |-

R

= MinFix(\R.\(x1; : : : ; xn ).

E)

|-

R

= MaxFix(\R.\(x1; : : : ; xn ).

E)

Maximal Recursive De nition

A theorem stating that R is actually a xed point of the equation is automatically deduced by applying the function prove_min_fix_thm (thm name, def thm, mono thm) or prove_max_fix_thm (thm name, def thm, mono thm). Fixed point Theorem |- !x1 : : : xn .

R

(x1 ; : : : ; xn ) =

E

A theorem stating that R is the minimal or maximal xed point of the equation is automatically deduced by applying the function prove_min_min_thm (thm name, def thm, mono thm) or prove_max_max_thm (thm name, def thm, mono thm). Minimal xed point Theorem

|- !f. ((\(x1; : : : ; xn ). E [R := f]) = f) ==> (!x1 : : : xn . R (x1; : : : ; xn ) = f(x1; : : : ; xn ))

3.3 Deduction theorems

The package was originally constructed after manually having de ned recursive boolean functions as the minimal solution to several equations in which the de ning expressions were sequences of disjunctions: R(x1; : : : ; xn) = E1 _ : : : _ Em

From the xed point theorem a collection of implications for deducing that R holds may automatically be constructed: Fixed point Introduction Theorems |- !x1 : : : xn .

E

i

==>

R

(x1; : : : ; xn )

Another useful theorem for performing \structural induction" was discovered. Fixed point Elimination Theorem

|- !f. ( (!x1 : : : xn . E1 ==> f(x1 ; : : : ; xn )) /\


/\ (!x1 : : : xn . Em ==> f(x1 ; : : : ; xn )) ) ==> (!x1 : : : xn . R(x1 ; : : : ; xn ) ==> f(x1 ; : : : ; xn ))

This theorem may automatically be deduced by expanding the de nition of Leq in the MinFix_Imp theorem of the Tarski theory, followed by rewriting the resulting theorem with the following unfolding scheme: (8x1; : : : ; xn: a1 _ : : : _ am ) b) = (8x1; : : : ; xn: a1 ) b) ^ : : : ^ (8x1; : : : ; xn: am ) b)

4 Application The developed package may of course be used for any kind of recursive boolean functions. This means that implementation in HOL of any logic containing recursively de ned properties e.g. [4, 6, 3, 11, 15, 8] may take advantage of the package. However, for the present only the inductively de ned progress property \leadsto" in UNITY [4] and the CTL logic [3] have been applied.

4.1 The \leadsto" progress property

In [4] a proof theory called UNITY is presented. The theory de nes a logic for describing safety and progress properties of parallel programs and a simple programming language for specifying programs. The programming language is not important here, since the progress relation in the example is de ned only in terms of itself and a basic progress relation ensures. A relation: p ensures q

in P r

guarantees that if the program P r reaches a state satisfying the predicate p then a program transition exists such that the program reaches a state satisfying q. If the program P r is assumed implicitly the \leadsto" relation 7! is inductively de ned by the three inference rules [4]:  (p ensures q) ` p 7! q  (9r : p 7! rS^ r 7! q) ` p 7! q  (9P : (p = P ) ^ (8p 2 P : p 7! q)) ` p 7! q in which the predicates p and q are universally quanti ed. This de nition is equivalent to the strongest solution of the recursive equation: leadsto p q P r = (ensures p q P r) _ (9r : (leadsto S p r P r) ^ (leadsto r q P r)) _ (9P : (p = P ) ^ (8p 2 P : (leadsto p q P r))) Hence, the \leadsto" relation may be described by the predicate transformer: Fn = leadsto: (p; q; P r): ensures(p; q; P r) _ (9r : leadstoS(p; r; P r) ^ leadsto(r; q; P r)) _ (9P : (p = P ) ^ (8p 2 P : leadsto(p ; q; P r))) Notice, that the relation leadsto is now de ned as a predicate in the product of predicates p, q and the program P r. 0

0

0

0

0

0

Traditionally only least xed points are considered for de ning the denotation of functions [16, 12], but greatest xed points are sometimes necessary for describing properties of programs as will be seen in the next example on the CTL logic [3]. To give a complete xed point characterization of the \leadsto" boolean function transformer it is recognized that (p; q; P r): true is a xed point. That means, the greatest xed point for Fn is the relation (p; q; P r): true. But, looking for the strongest solution to the three inductive \leadsto" rules, is equivalent to de ning the least xed point, hence the least xed point gives the solution. Having de ned the functional of the recursive relation the package functions may be applied. However smaller details still have to be settled. As described previously the membership of a set of predicates may be represented by a characteristic function. The union of all subsets in a set S is equal to the least upper bound of the set S . Hence this may be de ned as: Union S = Lub S

Using these two de nitions, the functional Fn may be written in HOL notation as: Fn = \Leadsto. \(p,q,Pr). Ensures(p,q,Pr) \/ (?r. Leadsto(p,r,Pr) /\ Leadsto(r,q,Pr)) \/ (?P. (p = Union P) /\ (!p'. p' In P ==> Leadsto(p',q,Pr)))

in which Ensures denotes the UNITY ensures relation. This functional is automatically constructed from the recursive equation as it was explain in the previous section. The HOL package may now be used to de ne the leadsto relation as the strongest solution to the recursive equation above. First the monotonicity of the boolean function transformer Fn, internally used by the package, has to be proven. For this purpose the HOL package functions set monotonic goal and prove monotonic thm may be used. let MonoLeadsto = prove_monotonic_thm (`MonoLeadsto`, "Leadsto (p:*->bool, q, Pr) = Ensures (p, q, Pr) \/ (?r. Leadsto(p,r,Pr) /\ Leadsto(r,q,Pr)) \/ (?P. (Union P = p) /\ (!r. r In P ==> Leadsto(r,q,Pr)))", REPEAT STRIP_TAC THENL

[ ASM_REWRITE_TAC[] ; DISJ2_TAC THEN DISJ1_TAC THEN EXISTS_TAC"r:*->bool" THEN RES_TAC THEN ASM_REWRITE_TAC[] ; DISJ2_TAC THEN DISJ2_TAC THEN EXISTS_TAC "P:(*->bool)->bool" THEN ASM_REWRITE_TAC[] THEN REPEAT STRIP_TAC THEN RES_TAC THEN RES_TAC]);;

this proves the theorem: MonoLeadsto |- Mono (\Leadsto (p,q,Pr). Ensures(p,q,Pr) \/ (?r. Leadsto(p,r,Pr) /\ Leadsto(r,q,Pr)) \/ (?P. (Union P = p) /\ (!r. r In P ==> Leadsto(r,q,Pr))))

The monotonicity theorem MonoLeadsto may now be used for de ning the least xed point of the functional Fn. let Leadsto = new_min_recursive_boolfun_definition (`Leadsto`, MonoLeadsto);;

the result of this de nition is: Leadsto |- Leadsto = MinFix (\Leadsto' (p,q,Pr). Ensures(p,q,Pr) \/ (?r. Leadsto'(p,r,Pr) /\ Leadsto'(r,q,Pr)) \/ (?P. (Union P = p) /\ (!r. r In P ==> Leadsto'(r,q,Pr))))

The function prove min fix thm proves that the xed point de ned is the expected. let FixLeadsto = prove_min_fix_thm (`FixLeadsto`, Leadsto, MonoLeadsto);;

the resulting xed point theorem is: FixLeadsto |- !p q Pr. Leadsto(p,q,Pr) = Ensures(p,q,Pr) \/ (?r. Leadsto(p,r,Pr) /\ Leadsto(r,q,Pr)) \/ (?P. (Union P = p) /\ (!r. r In P ==> Leadsto(r,q,Pr)))

It is obvious that the three inference rules are theorems satis ed by the xed point. That is:

|- !p q Pr. Ensures(p,q,Pr) ==> Leadsto(p,q,Pr) |- !p r q Pr. Leadsto(p,r,Pr) /\ Leadsto(r,q,Pr) ==> Leadsto(p,q,Pr) |- !p P q Pr. (Union P = p) /\ (!r. r In P ==> Leadsto(r,q,Pr)) ==> Leadsto(p,q,Pr)

By now the de nition of the xed point has in principle been completed. However, in order to facilitate proving theorems implied by the new recursive predicate a structural induction principle is very useful. The induction theorem, directly derived as a consequence of one of the Tarski results, is proven by the function prove min imp thm: let ImpLeadsto = prove_min_imp_thm (`ImpLeadsto`, Leadsto, MonoLeadsto);;

the resulting theorem for Leadsto is: ImpLeadsto |- !R. (!p q Pr. Ensures(p,q,Pr) ==> R(p,q,Pr)) /\ (!p q Pr. (?r. R(p,r,Pr) /\ R(r,q,Pr)) ==> R(p,q,Pr)) /\ (!p q Pr. (?P. (Union P = p) /\ (!r. r In P ==> R(r,q,Pr))) ==> R(p,q,Pr)) ==> (!p q Pr. Leadsto(p,q,Pr) ==> R(p,q,Pr))

This induction theorem is dierent from the two induction theorems informally presented in [4] and is only one out of several induction theorems as described in [2]. The theorem ImpLeadsto may now be used for proving theorems implied by the Leadsto de nition. As an example, one of the simpler theorems valid in the UNITY logic is proven. It is possible to prove the following theorem, called the ensures impossibility theorem [4], satis ed: 8p q P r : p ensures false in P r ) :p The similar theorem, called the \leadsto" impossibility theorem [4], is also satis ed: 8p q P r : p 7! false in P r ) :p For the presentation of these theorems in HOL, false and :p have to be de ned. false is de ned as: |- False = (\s. F)

and the operator : is de ned by:

|- Not p = (\s. ~p s)

The ensures impossibility theorem in HOL may now be proven: |- !p Pr. Ensures(p,False,Pr) ==> (!s. Not p s)

A new proof of the \leadsto" impossibility theorem is given using the proven induction theorem ImpLeadsto and the ensures impossibility theorem. The theorem to be proven is: Leadsto_Impossibility_THM |- !p Pr. Leadsto(p,False,Pr) ==> (!s. Not p s)

At rst it seems impossible to use the theorem

ImpLeadsto, since it is a theorem in both p, q and Pr. But assuming (q = False) allows for rewriting

the \leadsto" impossibility theorem into:

Leadsto_Impossibility_THM |- !p q Pr. Leadsto(p,q,Pr) ==> (q = False) ==> (!s. Not p s)

Hence, if it is possible to prove this theorem the original proof may be obtained. Specializing the induction theorem ImpLeadsto by: \(p,q,Pr). (q = False) ==> (!s. Not p s)

gives the following theorem: |- (!p q Pr. Ensures(p,q,Pr) ==> (q = False) ==> (!s. Not p s)) /\ (!p q Pr. (?r. ((r = False) ==> (!s. Not p s)) /\ ((q = False) ==> (!s. Not r s))) ==> (q = False) ==> (!s. Not p s)) /\ (!p q Pr. (?P. (Union P = p) /\ (!r. r In P ==> (q = False) ==> (!s. Not r s))) ==> (q = False) ==> (!s. Not p s)) ==> (!p q Pr. Leadsto(p,q,Pr) ==> (q = False) ==> (!s. Not p s))

which has the wanted theorem as its goal. The goal theorem may be proved by proving the three assumptions are satis ed. The rst assumption follows directly from the Ensures Impossibility THM theorem, the next assumption is trivially true since !p. (p = False) = (!s. Not p s) and the last assumption is satis ed by using the de nition of Union. This proof is simpler than that presented in [4]. The resulting theorem using modus ponens becomes:

|- (!p q Pr. Leadsto(p,False,Pr) ==> (q = False) ==> (!s. Not p s))

which is equivalent to the wanted theorem by specializing q to False. The complete UNITY theory has been implemented in HOL [2].

4.2 The logic CTL

In [3] the safety and progress properties of the CTL logic are presented as recursive boolean functions. In this subsection the CTL logic is de ned and presented in terms of the minimal and maximal xed points using the implemented HOL package. In this way some induction principles not presented before are automatically derived as a consequence of using the mechanized xed point package. A CTL formula is a predicate which for a given state is valid (holds) or invalid (does not hold). CTL de nes eight formulae for doing temporal reasoning, they have the form q , where q is a quanti er,  is a path formula. A quanti er may either be A (universal) or E (existential). A path formula may either be G p (globally), F p (eventually), X p (next) or p U q (until). Informally, a temporal formula q  is valid in a state u i:

 q = A and  holds for all paths starting in u  q = E and  holds for at least one path  starting in u

where a path formula  holds for a path  i:

  = G p and p holds in all states of    = F p and p holds in at least one state of    = X p and p holds in the second (next) state of 



 = p U q and there exists a pre x (possible empty and nite) of  such that p holds in all states of the pre x and q holds in the rst state of  after the pre x

A CTL model (program) is represented by a \next" relation N    , which de nes the possible transitions. Paths in CTL are in nite sequences of states, such that all subsequent states u; v in the path are related by u N v. In [3] the semantics of the CTL formulae are formalized for each of the eight kinds of formulae, without introducing a semantics for path formulae. The CTL

formulae EX p, EG p and E (p U q) are considered basic formulae and are de ned using explicit reference to the state parameter and using recursive equations. The other ve formulae are de ned in terms of the rst three. In the following we assume that the next relation N is given. The formula EX p is valid in a state u i there exists a path starting in u such that p holds in the next state of the path; i.e. i there exists a next state v given by the next relation, i.e. (u N v) for which p holds (p v). From this description EX may be de ned as:

EX p u = 9v:p v ^ u N v The formula EG p is valid in a state u i there

exists a path starting in u for which p holds in all states. This may be speci ed recursively as: p holds in u and there exists a next state of u for which EG p holds. From the last description, a recursive de nition of EG may be derived:

EG p u = p u ^ EX (EG p) u As EG p has to hold in all states of the found path, e.g. an \in nite" number of applications have to be performed, EG must be de ned as the largest solution

to the equation. Notice that p:False is a solution, and so also the minimal solution to the equation. Hence, using the smallest solution yields a de nition of EG which for any p and state yields false. The formula E (p U q) is valid in a state u i there exists a path which has a pre x such that p holds for all states in the pre x and q holds in the rst state after the pre x in the path. This may be speci ed recursively as q holds in state u or q holds in u and there exists a next state for which E (p U q) holds. From the last description the following recursive de nition of EU may be de ned:

E (p U q) u = q u _ (p u ^ EX (E (p U q)) u

As the predicate q is required to hold eventually (recall that a pre x is nite) only a nite number of recursive applications is needed for computing the result of E (p U q). Hence the smallest solution to the equation should be used. Note that using the largest solution implies that the formula is valid if there exists a path starting in u such that p holds in all states; this may be used to de ne \weak until". The CTL formula de nes \strong until". The remaining CTL formulae are de ned in terms of the three above. The formula EF p is valid in a state u i there exists a path for which p holds for some state. This may be

speci ed as there exists a path which has a pre x such that p holds in the rst state after the pre x. As True holds for any state EF may be de ned using the last description as:

EF p = E (True U p) The formula AX p is valid in a state u i p holds

in the next state of any path starting in u. This may be speci ed as there exists no path starting in u for which p does not hold in the next state. Formally AX may be de ned as:

AX p = :EX (:p) The formula AF p is valid in a state u i p holds in

some state of every path starting in u. This may be speci ed as there exists no path for which p does not hold in all states. This may be formalized as:

AF p = :EG (:p) The formula AG p is valid in a state u i p holds

in all state of every path starting in u. This may be speci ed as there exists no path for which p does not hold in some state. This may be formalized as:

AG p = :EF (:p) The formula A (p U q) is valid in a state u i for

every path starting in u, there exists a pre x such that holds in all states of the pre x and q holds in the rst state after the pre x. This may be speci ed as (1) there is no path starting in u that has a pre x such that q does not hold for any states of the pre x and neither p nor q holds after the pre x, and (2) q holds eventually in all paths starting in u. This may be formalized as: p

A (p U q) = (:E (:q U :p ^ :q)) ^ (AF q) This completes the description of the CTL formulae. The de nition of the CTL logic in HOL proceeds as follows. The rst property de ned is EX which is de ned in HOL as: let EX = new_definition(`EX`, "EX (N, p, u:*) = ?v:*. p v /\ N(u,v)");;

Next the property EG is de ned. The recursive equation expressing the xed point to be de ned is: EG(N,p,u) = p u /\ EX(N,(\u. EG(N, p, u)),u)

Now EG may be de ned:

let EG_equation = "EG(N,p,u) = p u /\ EX(N,(\u:*. EG(N, p, u)),u)";;

As before the functional of the EG equation is proven to be monotonic: let MonoEG = prove_monotonic_thm(`MonoEG`, EG_equation, BETA_TAC THEN CONV_TAC (DEPTH_CONV (FORALL_PAIR_CONV"N,p,u)")) THEN UNCURRY_BETA_TAC THEN REWRITE_TAC[EX] THEN BETA_TAC THEN REPEAT STRIP_TAC THENL [ ASM_REWRITE_TAC[] ; RES_TAC THEN EXISTS_TAC "v:*" THEN ASM_REWRITE_TAC[]]);;

the resulting monotonicity theorem is: |- Mono (\EG. \(N,p,u). p u /\ EX (N, (\u. EG(N,p,u)), u)

Notice that the functions FORALL PAIR CONV and have been constructed to simplify the proving. MonoEG may now be used to de ne EG as the maximal xed point:

UNCURRY BETA TAC

let EG = new_max_recursive_boolfun_definition (`EG`, MonoEG);;

the result is: |- EG = MaxFix(\EG' (N,p,u). p u /\ EX(N,(\u'. EG'(N,p,u')),u))

Using prove max fix thm one may now prove that

EG is a xed point:

let FixEG = prove_max_fix_thm (`FixEG`,EG,MonoEG);;

the result is: |- !N p u. EG(N,p,u) = p u /\ EX(N,(\u'. EG(N,p,u')),u)

which is the wanted xed point. It may be that it is actually the maximal xed point: |- !R. ((\(N,p,u). p u /\ EX(N,(\u'. R(N,p,u')),u)) = R) ==> (!N p u. R(N,p,u) ==> EG(N,p,u))

by using the function:

let MaxEG = prove_max_max_thm (`MaxEG`,EG,MonoEG);;

This completes the de nition of EG. Now we consider E (p U q) de ned as the minimal xed point of the equation. EU(N,p,q,u) = q u \/ (p u /\ EX(N,(\u. EU(N,p,q,u)),u))" let EU_equation = "EU(N,p,q,u) = (q u) \/ (p u /\ EX(N,(\u:*. EU(N,p,q,u)),u))";;

The functional for de ning EU is monotonic: let MonoEU = prove_monotonic_thm(`MonoEU`, EU_equation, BETA_TAC THEN CONV_TAC (DEPTH_CONV (FORALL_PAIR_CONV"(N,p,q,u)")) THEN UNCURRY_BETA_TAC THEN REWRITE_TAC[EX] THEN BETA_TAC THEN REPEAT STRIP_TAC THENL [ ASM_REWRITE_TAC[] ; DISJ2_TAC THEN ASM_REWRITE_TAC[] THEN RES_TAC THEN EXISTS_TAC "v:*" THEN ASM_REWRITE_TAC[]]);;

the result is: |- Mono(\EU (N,p,q,u). (q u) \/ (p u /\ EX(N,(\u. EU(N,p,q,u)),u)))

The minimal xed point may now be de ned: let EU = new_min_recursive_boolfun_definition (`EU`, MonoEU);;

returning the theorem: |- EU = MinFix(\EU' (N,p,q,u). (q u) \/ (p u /\ EX(N,(\u'. EU'(N,p,q,u')),u))

It is proven that it is actually the minimal xed point: let FixEU = prove_min_fix_thm (`FixEU`,EU,MonoEU);;

giving the theorem: |- !N p q u. EU(N,p,q,u) = (q u) \/ (p u /\ EX(N,(\u'. EU(N,p,q,u')),u))

Since EU is the minimal xed point it satis es the theorem: |- !R. ((\(N,p,q,u). (q u) \/ (p u /\ EX(N,(\u'. R(N,p,q,u')),u)) = R)) ==> (!N p q u. EU(N,p,q,u) ==> R(N,p,q,u))

derived by: let MaxEU = prove_min_min_thm (`MinEU`,EU,MonoEU);;

The induction principle found by the package function prove min imp thm is: |- !R. (!N p q (!N p q ==> ==> (!N p q

u. q u ==> R(N,p,q,u)) /\ u. p u /\ EX(N,(\u'. R(N,p,q,u')),u) R(N,p,q,u)) u. EU(N,p,q,u) ==> R(N,p,q,u))

As far as known, this induction principle has not been derived before. The introduction theorems for the xed points are not shown. The remaining CTL formulae may be de ned explicitly in terms of the three de ned properties. The de nitions of these are: let EF = new_definition(`EF`, "EF(N,p,u:*) = EU(N,(\u. T),p, u)");; let AX = new_definition(`AX`, "AX(N,p,u:*) = ~EX(N,(\u. ~p u),u)");; let AF = new_definition(`AF`, "AF(N,p,u:*) = ~EG(N,(\u. ~p u),u)");; let AG = new_definition(`AG`, "AG(N,p,u:*) = ~EF(N,(\u. ~p u),u)");; let AU = new_definition(`AU`, "AU(N,p,q,u:*) = (~EU(N,(\u. ~q u),(\u. ~p u /\ ~q u),u)) /\ AF(N,q,u)");;

Notice that the CTL formulae were de ned without considering any restrictions on the data domain of the logic. Hence, it need not be nite as required in [3].

5 Conclusion It has been shown that it is rather easy and straight forward to mechanize the construction of minimal and maximal xed points of recursive boolean functions using the results in [17]. The method presented has been

used to implement a package in the HOL system which supports the mechanization and partial automation of de ning such recursive functions. The implemented HOL package still needs some re nements. One of the obvious improvements would be to allow for curried boolean functions. But, more experience in using the package may also reveal other de ciencies. Other classes of recursive functions may also be possible to de ne using the package. It is however not evident for the moment how large this class is. One extension [17], would be to exchange the boolean type with any type which may be organized as a complete lattice. An automation of proving the monotonicity for the functional de ning the xed points would also be nice, but cannot be expected, in general.

References [1] Steen Agerholm and Henrik Schjdt. Automating a Model Checker for recursive Modal Assertions in HOL. DAIMI IR-92, January 1990. [2] Flemming Andersen Ph.D. Thesis, to appear. [3] J.R. Burch, E.M. Clarke, D.L. Dill and K.L. McMillan Sequential Circuit Veri cation Using Symbolic Model Checking ACM/IEEE Design Automation Conference, June 1990. [4] K.M. Chandy and J. Misra. Parallel Program Design, A Foundation. Addison Wesley, 1988. [5] Poul Christiansen and Hans Jakob Pedersen. Automating mutually recursive Type De nitions in HOL. DAIMI IR{146, July 1990. [6] R. Cleveland, J. Parrow and B. Steen. The Concurrency Workbench. University of Edinburgh, 1988. [7] Edsger W. Dijkstra. A discipline of programming. Series in Automatic Computation. Prentice Hall, Inc., 1976. [8] Edsger W. Dijkstra and Carel S. Scholten. Predicate calculus and program semantics. Texts and monographs in Computer Science. Springer Verlag, 1989.

[9] Peter Strarup Jensen and Anders Pilegaard and Ann-Grete Tan. De ning Mutually Recursive Types in HOL. DAIMI IR-99, December 1990. [10] Michael Gordon. HOL: A Proof Generating System for Higher Order Logic. VLSI Speci cation, Veri cation and Synthesis, Edited by G. Birtwistle and P. A. Subrahmanyam, Kluwer, 1987. [11] K.G. Larsen. Proof Systems for HennesyMilner Logic. The Proc. CAAP, 1988. [12] Zohar Manna. Mathematical Theory of Computation. McGraw-Hill Inc, 1974. [13] Thomas. F. Melham. Automating recursive Type De nitions in Higher Order Logic. Technical Report No. 146, Computer Laboratory, University of Cambridge, September 1988. [14] Thomas. F. Melham. A Package for Inductive De nitions in HOL. In 1991 International Tutorial and Workshop on the HOL Theorem Proving System and its Applications, IEEE Computing Society, to appear. [15] Robin Milner. Communication and Concurrency. Prentice Hall, 1989. [16] David A. Schmidt. Denotational Semantics - A Methodology for Language Development. Allyn and Bacon, Inc, 1986. [17] Alfred Tarski. A lattice-theoretical xpoint theorem and its applications. Paci c Journal of Mathematics, 5:285{309, 1955.