University “Alexandru Ioan Cuza” of IasiFaculty of Computer Science

TECHNICAL

REPORT

Verifying Reachability-Logic Propertieson Rewriting-Logic Specifications

(Extended Version)

Andrei Arusoaie, Dorel Lucanu,David Nowak, Vlad Rusu

TR 15-01, February 2015

ISSN 1224-9327

Universitatea “Alexandru Ioan Cuza” IasiFacultatea de Informatica

Str. Berthelot 16, 6600-Iasi, Romania

Tel. +40-32-201090, email: bibl@infoiasi.ro

Verifying Reachability-Logic Properties on

Rewriting-Logic Specifications (Extended

Version)

Andrei Arusoaie1, Dorel Lucanu2, David Nowak3, and Vlad Rusu1

1 Inria Lille Nord Europe, FranceAndrei.Arusoaie@inria.fr Vlad.Rusu@inria.fr

2 Faculty of Computer Science, Alexandru Ioan Cuza University, Iaşi, Romaniadlucanu@info.uaic.ro

3 CRIStAL, CNRS & University of Lille, Francedavid.nowak@univ-lille1.fr

Abstract. Reachability Logic is a recently introduced formalism, whichis currently used for defining the operational semantics of programminglanguages and for stating properties about program executions. In thispaper we show how Reachability Logic can be adapted for stating prop-erties of transition systems described by Rewriting-Logic specifications.We propose an automatic procedure for verifying Rewriting-Logic speci-fications against Reachability-Logic properties. We prove the soundnessof the procedure and illustrate it by verifying a communication protocolspecified in Maude.

1 Introduction

Reachability Logic (hereafter, rl) was introduced in a series of papers [1,2,3,4]as a means for specifying the operational semantics of programming languagesand for stating reachability properties between states of program executions.Briefly, an rl formula ' ) '

0 expresses reachability relationships between twosets of states of a system, denoted by the patterns ' and '

0 respectively. De-pending on the interpretation of formulas, the relationships can express eitherprogramming-language semantic steps, or safety properties of programs in thelanguages in question. Several real language semantics (including C [5], Java [6])have been completely specified in using an rl-based semantics in the K tool [7],and nontrivial programs have been proved using an implementation of rl

4.

Contributions. In this paper we show that rl can be used beyond its (by now,traditional) domain of programming languages. Specifically, we adapt rl forstating properties of systems described in Rewriting Logic [8] (hereafter, rwl).We propose an automatic procedure for proving rl properties of rwl specifica-tions, we prove the soundness of our procedure, and illustrate its use by verifyingrl properties of a communication protocol written in Maude [9].4 available at http://www.matching-logic.org/index.php/Special:MatchCOnline.

Our contribution with respect to rl is a proved-sound mechanical verificationprocedure. Previous works include sound and relatively complete proof systemsfor (the various versions of) rl, but these proof systems lack strategies for ruleapplications, making them unpractical for verification; our procedure can be seenas such a strategy.

With respect to rwl, our contribution is the adaptation of the above pro-cedure for verifying rwl theories against reachability properties ' ) '

0, whichsay that all terminating executions starting from a state in the set ' eventuallyreach a state in the set '0. Both ' and '0 denote possibly infinite sets of states.We note that rl properties for rwl theories are different from the reachabil-ity properties that can be checked in Maude using the search command. Thedifference resides in the possibility of using first-order logic for constraining theinitial and the final state terms, and in the interpretation of rl formulas.

Related work. We have already mentioned related work on rl. We now focuson related verification approaches for rwl specifications. These fall under theusual classification of verification techniques: algorithmic ones, which essentiallyconsists in using an automatic model checker; deductive ones, which involve aninteraction with a theorem prover; and abstraction-based ones, which consists infirst reducing the state-space of a system from unmanageable (e.g., infinite/large)to manageable (e.g., finite/small), a step that typically involves human interac-tion, and then using a model checker on the reduced system.

Algorithmic techniques include Maude’s finite-state LTL model checker [10],with its more recent extensions to the LTL logic of rewriting [11], and a narrowing-based symbolic model-checker for handling classes of infinite-state systems [12].Among the deductive techniques, [13,14] propose two different approaches forreducing safety properties of rwl to equational reasoning, and then using equa-tional reasoning tools for proving the resulting encoded properties. We note thatthe encoding of rwl into equational logic was proposed earlier in [15] for defin-ing the semantics of rwl. Among the abstraction-based techniques, equationalabstractions [16], and algebraic simulations [17] are key contributions.

Finally, our verification procedure uses an operation called derivative thatconsists in computing the symbolic successors of a given set of states (representedby a formula). This symbolic computation is inspired from [18,19].

Outline. After preliminaries in Section 2, we introduce in Section 3 the notionderivative that is essential for our approach. We then introduce in Section 4our procedure for verifying rl properties on transition systems also defined byrl formulas, and prove its soundness. In Section 5, we adapt our approach totransition systems defined by rwl theories. We finally illustrate in Section 6 theusability of our procedure by applying it to a communication protocol describedin Maude, and conclude in Section 7.

2 Preliminaries

2.1 Matching Logic

We recall the syntax and the semantics of Matching Logic (ml) as presentedin [1]. Since ml is based on the many-sorted first-order logic (fol), we recallfirst the basic definitions from fol.

Given S a set of sorts, an S-sorted first order signature � is a pair (⌃,⇧),where ⌃ is an algebraic S-sorted signature and ⇧ is an indexed set of the form{⇧w | w 2 S

⇤} whose elements are called predicate symbols, where ⇡ 2 ⇧w issaid to have arity w.

A �-model consists of a ⌃-algebra M together with a subset Mp ✓ Ms1 ⇥· · ·⇥Msn for each predicate p 2 ⇧w, where w = s1 . . . sn.

Next, we define the syntax of fol formulas over a first order signature � =(⌃,⇧) and a possible infinite set of variables Var . We let S denote the set ofsorts in �, Var an infinite S-indexed set of variable symbols (disjoint from ⌃),and T⌃(Var) the algebra of ⌃-terms with variables in Var .

The set of �-formulas is defined by

� ::= > | p(t1, . . . , tn) | ¬� | � ^ � | (9V )�

where p ranges over predicate symbols ⇧, each ti ranges over T⌃(Var) of appro-priate sort, and V over finite subsets of Var .

Given a first order �-model M ,a �-formula �, and a valuation ⇢ : Var !M ,the satisfaction relation ⇢ |= � is defined as follows:

1. ⇢ |= >;2. ⇢ |= p(t1, . . . , tn) iff (⇢(t1), . . . , ⇢(tn)) 2Mp;3. ⇢ |= ¬� iff ⇢ |= � does not hold;4. ⇢ |= �1 ^ �2 iff ⇢ |= �1 and ⇢ |= �2;5. ⇢ |= (9V )� iff there is ⇢0 : Var !M with ⇢0(X) = ⇢(X), for all X 62 V , such

that ⇢0 |= �.

A formula � is valid in M , denoted by M |= �, if it is satisfied by all valuations ⇢.We recall below the ml concepts and results used in this paper. Their pre-

sentation is based on [1].

Definition 1 (ml Formulas). An ml signature � = (⌃,⇧,State) is a first-order signature (⌃,⇧) together with a distinguished sort State for states. Theset of ml-formulas over � is defined by

' ::= ⇡ | > | p(t1, . . . , tn) | ¬' | ' ^ ' | (9V )'

where the basic pattern ⇡ ranges over T⌃,State(Var), p ranges over predicatesymbols ⇧, each ti ranges over T⌃(Var) of appropriate sorts, and V over finitesubsets of Var .

The sort State is intended to model system states. The free occurrence of vari-ables in ml formulas is defined as usual (i.e., like in fol) and we let FreeVars(')denote the set of variables freely occurring in '.

Example 1. Assume that S includes the sorts Nat ,State, ⌃ includes a binaryoperation symbol h_,_i : Nat ⇥ Nat ! State, and ⇧ the predicate symbolsdiv and _>_, with arguments of sort Nat . Then ' , hx, yi ^ (9z)((z > 1) ^div(z, x) ^ div(z, y)) is an ml formula. We have FreeVars(') = {x, y}.

Definition 2 (ml satisfaction relation). Given � = (⌃,⇧,State) an ml

signature, M a (⌃,⇧)-model, ' an ml formula, � 2 M

State

a state, and ⇢ :Var !M a valuation, the satisfaction relation (�, ⇢) |= ' is defined as follows:

1. (�, ⇢) |= ⇡ iff ⇢(⇡) = �;2. (�, ⇢) |= >;3. (�, ⇢) |= p(t1, . . . , tn) iff (⇢(t1), . . . , ⇢(tn)) 2Mp;4. (�, ⇢) |= ¬' iff (�, ⇢) |= ' does not hold;5. (�, ⇢) |= '1 ^ '2 iff (�, ⇢) |= '1 and (�, ⇢) |= '2; and6. (�, ⇢) |= (9V )' iff there is ⇢0 : Var !M with ⇢0(X) = ⇢(X), for all X 62 V ,

such that (�, ⇢0) |= '.

We let [[']] denote the set {� 2M

State

| (9⇢ : Var !M)(�, ⇢) |= '}.

Example 2. Let M be a model defined such that M

Nat

is the set of natu-ral numbers, M< is the inequality "greater than" over natural numbers, andM

div

(m,n) holds iff m divides n. Let ' denote the ml formula hx, yi^ ((9z)(z >

1) ^ div(z, x) ^ div(z, y)). If we consider ⇢(x) = 4 and ⇢(y) = 6 then we have(h4, 6i, ⇢) |= ' because ⇢(hx, yi) = h4, 6i and ⇢ |= ((9z)(z > 1) ^ div(z, x) ^div(z, y)). We do not have (h3, 5i, ⇢) |= ' because ⇢(hx, yi) 6= h3, 5i. Even if weconsider ⇢0(x) = 3 and ⇢

0(y) = 5 we still have (h3, 5i, ⇢0) 6|= ' because there isno m greater than 1 such that M

div

(m, 3) and M

div

(m, 5) hold.

Definition 3 (fol encoding of ml). If ' is an ml-formula then '

=? is thefol formula (9z)'=, where '= is obtained from ' by replacing each basic patternoccurrence ⇡ with z = ⇡, and z is a variable that does not occur in '.

Example 3. Here are a few examples of ml formulas and their fol encodings:' '

=?

(⇡1 ^ �1) _ (⇡2 ^ �2) (9z)((z = ⇡1 ^ �1) _ (z = ⇡2 ^ �2))¬⇡ (9z)¬(z = ⇡)

⇡1 ^ ¬⇡2 (9z)((z = ⇡1) ^ ¬(z = ⇡2))

⇡ _ ¬⇡ (9z)(z = ⇡ _ ¬(z = ⇡))

The relationship between ml formulas and their fol encodings is given bythe following result.

Proposition 1. ⇢ |= '

=? iff there is � such that (�, ⇢) |= '.

Proof. We use the notation convention from Definition 3.(. If (�, ⇢) |= ' then we consider ⇢0 such that ⇢0(z) = � and ⇢0(x) = ⇢(x) for allx 6= z. We obtain ⇢0 |= '

=, which implies ⇢ |= (9z)'=.

). Let ⇤ be a fresh variable (⇤ 62 Var) of sort State and '⇤ defined in the sameway like '=, but using ⇤ instead of z. Note that '⇤ is defined on a extendedsignature. If ⇢ : Var !M and � 2M

State

, then let ⇢� : Var [ {⇤}!M denotethe extension of ⇢ with ⇢(⇤) = �. By Proposition 1 in [1] we have ⇢� |= '

⇤

iff (�, ⇢) |= '. Assume that ⇢ |= '

=?. It follows that for any extension ⇢

0 of⇢ to Var [ {⇤} we have ⇢0 |= '

=?. Since '=? can be obtained from (9⇤)'⇤

by alpha conversion, we obtain ⇢

0 |= (9⇤)'⇤. It follows that there exists ⇢00 :Var [ {⇤} ! M such that ⇢00(x) = ⇢

0(x) for x 6= ⇤ and ⇢

00 |= '

⇤. Since ⇢0extends ⇢, we obtain ⇢

00(x) = ⇢(x) for x 2 Var . If we take � = ⇢

00(⇤), then⇢

00 = ⇢

� and hence (�, ⇢) |= '. ut

Proposition 2. If � is a fol (structureless) formula, then (� ^ ')=? is equiv-alent to � ^ '=?.

Proof. The fol formula �= is the same with � because � has no basic patterns,and hence �=? is equivalent to � because the existential variable z does not occurin �. It follows that (�^')=? , (9z)(�^')= is equivalent (9z)(�=^'=), whichin turn is equivalent to � ^ (9z)'=, which is the same with � ^ '=?.

2.2 Reachability Logic

In this section we recall reachability-logic formulas, the transition systems thatthey induce, and their all-paths interpretation [4]. We consider a fixed ml sig-nature � = (⌃,⇧,State), a set of variables Var , and a fixed �-model M .

Definition 4 (rl Formulas). An rl formula is a pair ') '

0 of ml-formulas.

Definition 5 (Transition-System Specification). An rl transition-systemspecification is a set S of rl-formulas. The transition system defined by Sover M is (M

State

,)S), where )S = {(�, �0) | (9' ) '

0 2 S)(9⇢)(�, ⇢) |=' ^ (�0, ⇢) |= '

0}. We write � )S �0 for (�, �0) 2 )S .

Example 4. The following set of rules is meant to compute the gcd of two naturalnumbers:

S = {hx, yi ^ x > y ^ y > 0) (9k)hy, x� k ⇤ yi ^ x � k ⇤ y ^ k > 0,

hx, yi ^ y � x) hy, xi}.

We further assume that M interprets + and ⇤ as being the usual operationsover natural numbers; m� n is the difference between m and n, if m > n, or 0,otherwise. Examples of transitions are: h8, 10i )S h10, 8i and h8, 2i )S h2, 0i asinstances of the first rule, and h2, 2i )S h2, 2i as an instance of the second rule.

In the sequel we consider a fixed transition system (MState

,)S).

Definition 6 (Execution Paths). An execution path is a (possibly infinite)sequence of transitions ⌧ , �0 )S �1 )S · · · .

If i � 0 then ⌧ |i.. is the execution path consisting of the (possibly infinite)subsequence starting from �i, if any. An execution path is complete iff it is nota strict prefix of an another execution path.

A pair (⌧, ⇢), consisting of an execution path ⌧ , �0 )S · · · and a valuation⇢, starts from an ml formula ' if (�0, ⇢) |= '.

Example 5. Examples of executions are ⌧ , h8, 10i )S h10, 8i )S h8, 2i )Sh2, 0i and ⌧

0 , h8, 10i )S h10, 8i )S h8, 2i )S h2, 2i )S h2, 2i )S · · · . Bothexecutions are complete.

Note that infinite execution paths are complete and hence the above defini-tion is slightly different from that given in [4].

Definition 7 (All-Paths Interpretation of rl formulas). We say that apair (⌧, ⇢) satisfies an rl formula ' ) '

0, written (⌧, ⇢) |= ' ) '

0, iff (⌧, ⇢)starts from ' and one of the following two conditions holds: there exists i � 0such that (�i, ⇢) |= '

0 or ⌧ is infinite.We say that )S satisfies ' ) '

0, written)S |= ') '

0, iff (⌧, ⇢) |= ') '

0 for all (⌧, ⇢) starting from '.We let [[' ) '

0]] , {⌧ | (9⇢)(⌧, ⇢) |= ' ) '

0}. If F is a set of rl formulas,then [[F ]] =

S')'02F [[') '

0]].

Example 6. An rl formula specifying that any execution path satisfying it com-putes the greatest commond divisor (gcd) is hx, yi ) (9x0

, y

0)hx0, y

0i ^ gcd(x0, x, y),

where gcd is a predicate symbol with the interpretation: Mgcd

(d,m, n) holds iffd is the gcd of m and n. If ⇢(x) = 10, ⇢(y) = 8, ⌧ and ⌧ 0 are the execution pathsdefined in Example 5, then both (⌧, ⇢) and (⌧ 0, ⇢) satisfy the given formula.

2.3 Rewrite Theories

Since its original formulation [21], Rewriting Logic (rwl) was defined as a se-mantical framework, suitable for describing concurrent and distributed systems,and as a logical framework, i.e. a meta-logic where other logics can be naturallyrepresented. Both directions are having a dynamic and strong development.

Maude [9] is the most well-known and most used implementation of rwl.Maude is accompanied by a set of tools for analysing rewrite theories and thesystems they describe.

In this paper we use rwl as a semantical framework. Here we briefly recall thedefinition for (a particular case of) rewrite theories and their rewriting relation.A rewrite theory R = (⌃, E [A,R) consists of a signature ⌃, a set of equationsE, a set of axioms A, e.g., associativity, commutativity, identity or combinationsof these, a set of rewrite rules R of the form l! r if b, where l and r are termswith variables and b is a term of a distinguished sort Bool. We further assumethat there is a special constant true of sort Bool.

In this paper we shall consider only rewrite theories R = (⌃, E[A,R) with adistinguished sort State such that R is topmost w.r.t. State. We use the standardnotation for rwl artefacts: =E[A denotes the equality modulo the equationsgiven by E and A, T⌃,E[A(X) denotes the set of =E[A-equivalences classes of ⌃-terms with variables in X, T⌃,E[A , T⌃,E[A(;) is the set of =E[A-equivalencesclasses of ground ⌃-terms, and FreeVars(t) denotes the set of variables occurring

in the term t

5. The relation !R denotes the one-step rewriting relation definedby applying a rule from R modulo axioms E [ A over ground terms of sortState: [u]!R [v] iff there are a rule l! r if b in R and a (ground) substitution� : FreeVars(l, r, b) ! T⌃,E[A such that �(l) =E[A �(u), �(r) =E[A �(v), and�(b) =E[A true.

3 Derivatives of ml and rl Formulas

The notion of derivative is essential for our approach. Roughly speaking, thederivative of a formula specifies states/execution paths obtained from those sat-isfying the initial formula after executing one step. For the remaining part of thissection we consider a fixed transition system specification S and its associatedtransition system (M

State

,)S) over a fixed model M .

Assumption 1 In what follows we consider only ml formulas ' with the fol-lowing property: if ' does not occur as a member of a rule in S and 'l ) 'r 2 Sthen FreeVars(')\FreeVars('l,'r) = ;. This is not a real restriction since thefree variable in rules can always be renamed.

Definition 8 (Semantic Definition of Derivatives for rl Formulas). Wesay that '1 ) '

0 is a S-derivative of ' ) '

0 if for all (⌧1, ⇢) |= '1 ) '

0 thereis (⌧, ⇢) |= ') '

0 such that ⌧1 = ⌧ |1...

Example 7. An S-derivative for hx, yi ) (9x0, y

0)hx0, y

0i ^ gcd(x0, x, y) is the fol-

lowing formula: hy, x� yi ^ x > y ^ y > 0) (9x0, y

0)hx0, y

0i ^ gcd(x0, x, y).

Definition 9 (Complete Sets of Derivatives). A set D of S-derivatives of' ) '

0 is complete iff [['1 ) '

0]] ✓ [[D]] for each S-derivative '1 ) '

0 of') '

0.

Example 8. The set{(9k)hy, x� k ⇤ yi ^ y > 0 ^ x � k ⇤ y ^ k > 0) (9x0

, y

0)hx0, y

0i ^ gcd(x0, x, y),

hy, xi ^ y � x) (9x0, y

0)hx0, y

0i ^ gcd(x0, x, y)}

is a complete set of S-derivatives for hx, yi ) (9x0, y

0)hx0, y

0i ^ gcd(x0, x, y).

The next definition and lemmas provide us with syntactical means of com-puting complete sets of derivates for rl formulas.

Definition 10 (Syntactic Definition of Derivative for rl Formulas). If' is an ml formula then

�S(') , {(9FreeVars('l,'r))('l ^ ')=? ^ 'r | 'l ) 'r 2 S}.

If ') '

0 is an rl-formula then

�S(') '

0) , {'1 ) '

0 | '1 2 �S(')}.5 For the sake of uniformity, we keep the notation FreeVars(t) for the set of variables

occurring in the term t. This is a consistent notation since all occurrences of variablesin term are considered as being free. FreeVars(t1, t2) is FreeVars(t1)[FreeVars(t2).

Lemma 1. If '1 2 �S(') then '1 ) '

0 is a S-derivative of ') '

0.

Proof. Assume that '1 is (9FreeVars('l,'r))('l^')=?^'r for some 'l ) 'r 2S. If [['1]] = ; then '1 ) '

0 is a S-derivative of ') '

0 by Definition 8. Assume[['1]] 6= ;, i.e. there exists (⌧1, ⇢1) starting from '1, with ⌧1 , �1 )S · · · . Then

(�1, ⇢1) |= '1 !(9⇢)(�1, ⇢) |= (('l ^ ')=? ^ 'r) !(9⇢)(⇢ |= ('l ^ ')=? ^ (�1, ⇢) |= 'r) !(9⇢)((9�0)(�0, ⇢) |= ('l ^ ') ^ (�1, ⇢) |= 'r) !(9⇢)((9�0)((�0, ⇢1) |= ' ^ (�0, ⇢) |= 'l) ^ (�1, ⇢) |= 'r) !(9�0)(�0, ⇢1) |= ' ^ (9⇢)((�0, ⇢) |= 'l ^ (�1, ⇢) |= 'r) �!(9�0)(�0, ⇢1) |= ' ^ �0 )S �1

where, by Assumption 1, we may w.l.o.g. choose ⇢ such that ⇢(x) = ⇢1(x) for allx 62 FreeVars('l,'r). Hence there is ⌧ = �0 )S �1 )S · · · such that ⌧ |1.. = ⌧1

and (�0, ⇢1) |= '. If ⌧1 is infinite then ⌧ is infinite. If (9i � 1)(�i, ⇢1) |= '

0 then(9i � 0)(�i, ⇢1) |= '

0. So, finally, we obtain that (⌧1, ⇢1) |= '1 ) '

0 implies(⌧, ⇢1) |= ') '

0. Since �1 and ⇢1 have been chosen arbitrary, we may concludethat '1 ) '

0 is a S-derivative of ') '

0. ut

Lemma 2. Let '1 ) '

0 be a S-derivative of ' ) '

0, ⌧1 be an execution pathand ⇢ a valuation. If (⌧1, ⇢) |= '1 ) '

0 then there is '01 2 �S(') such that

(⌧1, ⇢) |= '

01 ) '

0.

Proof. Suppose that (⌧1, ⇢) |= '1 ) '

0 and ⌧1 , �1 )S · · · . Then (⌧1, ⇢) startsfrom ' and one of the following two claims holds: a) there exists i � 1 suchthat (�i, ⇢) |= '

0 or b) ⌧ is infinite. So, to prove that (⌧1, ⇢) |= '

01 ) '

0 it isenough to prove that (⌧1, ⇢) starts from some '0

1 2 �S('). The pair (⌧1, ⇢) canbe extended to (⌧, ⇢) such that ⌧ |1.. = ⌧1 and (⌧, ⇢) |= ') '

0 by the definitionof the S-derivative. It follows that there is �0 such that ⌧ , �0 )S �1 )S· · · , (�0, ⇢) |= ', and (�1, ⇢) |= '1. There is 'l ) 'r 2 S and ⇢

0 such that(�0, ⇢0) |= 'l and (�1, ⇢0) |= 'r by the definition of )S . By Assumption 1, wemay w.l.o.g. choose ⇢0 such that ⇢0(x) = ⇢(x) for all x /2 FreeVars('l,'r). Hence(�0, ⇢0) |= '^'l. We take '0

1 , (9FreeVars('l,'r))('^'l)=?^'r. We obviouslyhave '0

1 2 �S(') and (�1, ⇢) |= '

01 because there exists ⇢0 (defined above) such

that (�1, ⇢0) |= (' ^ 'l)=? ^ 'r. Since ⌧1 = �1 )S · · · , it follows that (⌧1, ⇢)starts from '

01 2 �S('), which implies (⌧1, ⇢) |= '

01 ) '

0. Since (⌧1, ⇢) has beenchosen arbitrary, the conclusion of the lemma follows. ut

Lemma 3. �S(') '

0) is a complete set of S-derivatives for ') '

0.

Proof. The conclusion directly follows from Lemma 1 and Lemma 2.

Example 9.�S(hx, yi^y � 0)={(9x0

, y

0, k)hy0, x0�k ⇤ y0i ^ hx0

, y

0i=hx, yi ^ y

0> 0 ^ x

0> y

0

^ x

0 � k ⇤ y0 ^ k > 0 ^ y � 0,

(9x0, y

0)hy0, x0i ^ hx0, y

0i = hx, yi ^ y

0 � x

0 ^ y � 0},

which can be simplified to�S(hx, yi ^ y � 0) = {(9k)hy, x� k ⇤ yi ^ y > 0 ^ x � k ⇤ y ^ k > 0,

hy, xi ^ y � x ^ y � 0},using the implications M |= hx0

, y

0i = hx, yi �! (x = x

0 ^ y = y

0), M |= (x �k ⇤ y ^ k > 0) �! x > y and M |= y > 0 �! y � 0, where M is the modeldefined in the previous examples.

�S(hx, yi ) (9x0, y

0)hx0, y

0i ^ gcd(x0, x, y)) is the set given in Example 8.

The following definition of S-derivability is used in our verification procedurefor rl formulas. The lemma following it gives an equivalent characterisation interms of fol, which enables the checking of S-derivability using SMT solvers.

Definition 11 (S-derivability of ml-formulas). An ml formula ' is S-derivable iff there is at least a transition starting from it, i.e., there exist amodel (�, ⇢) |= ' and a transition � )S �1.

Lemma 4. ' is S-derivable iffW

'12�S(') '=?1 is satisfiable.

Proof. The following equivalences hold:_

'12�S(')

'

=?1 is satisfiable !

(9⇢1)⇢1 |=_

'12�S(')

'

=?1 !

(9⇢1)(9'1 2 �S('))⇢1 |= '

=?1 !

(9⇢1)(9'l ) 'r 2 S)⇢1 |= ((9FreeVars('l,'r))('l ^ ')=? ^ 'r)=? !

(9⇢1)(9'l ) 'r 2 S)(9�1)(�1, ⇢1) |= (9FreeVars('l,'r))('l ^ ')=? ^ 'r

Then, we have:

(�1, ⇢1) |= (9FreeVars('l,'r))('l ^ ')=? ^ 'r !(9⇢)(�1, ⇢) |= ('l ^ ')=? ^ 'r !(9⇢)⇢ |= ('l ^ ')=? ^ (�1, ⇢) |= 'r !(9⇢)(9�)(�, ⇢) |= ('l ^ ') ^ (�1, ⇢) |= 'r !(9⇢)(9�)(�, ⇢)' ^ (�, ⇢) |= 'l ^ (�1, ⇢) |= 'r !(9(�, ⇢))(�, ⇢) |= ' ^ � )S �1

where, by the definition of |=, ⇢ satisfies ⇢(x) = ⇢1(x) for all x 62 FreeVars('l,'r).We obtained that

W'12�S(') '

=?1 is satisfiable iff there exists (�, ⇢) such that

(�, ⇢) |= ' and there exists �1 such that � )S �1, i.e., iff ' is S-derivable. Theproof of the lemma is finished now. ut

Lemma 4 also shows the strong relationship between the S-derivability of aml formula ' and the S-derivatives of rl-formulas ') '

0. Hence it does makesense to name the elements of the set �S(') as being S-derivatives of '.

The notion of totality, defined below, is essential for the soundness of ourverification procedure. Intuitively, a transition-system specification S is total ifits rules cover all models (�, ⇢) of any S-derivable formula '. For instance, ifhx, yi ^ y 6= 0 ) hy, x% yi 2 S then in order to be total S must also include arule for the case y = 0.

Definition 12. S is total iff for for each S-derivable ' and each pair (�, ⇢) suchthat (�, ⇢) |= ', there is �1 such that � )S �1.

Note the difference between S-derivability and totality: S-derivability re-quires to have at least one transition starting from ' and the totality requiresto have at least one transition starting from � for any model (�, ⇢) of '.

The next result enables the use of SMT solvers for checking totality.

Proposition 3. S is total iff for each ' derivable,

M |= '

=? �!_

'12�S(')

'

=?1 .

Proof. We use the notation convention in Definition 3.

M |= '

=? �!_

'12�S(')

'

=?1 !

(8⇢)⇢ |= '

=? �! ⇢ |=_

'12�S(')

'

=?1 !

(8⇢)(9�)(�, ⇢) |= ' �!(9'l ) 'r 2 S)⇢ |= (9FreeVars('l,'r))(('l ^ ')=? ^ 'r)

=? !(8⇢)(9�)(�, ⇢) |= ' �!

(9'l ) 'r 2 S)⇢ |= (9FreeVars('l,'r))('l ^ ')=? ^ '=?r ! (1)

(8⇢)(9�)(�, ⇢) |= ' �!(9'l ) 'r 2 S)(9⇢0)⇢0 |= ('l ^ ')=? ^ (9�1)(�1, ⇢0) |= 'r ! (2)

(8⇢)(9�)(�, ⇢) |= ' �!(9'l ) 'r 2 S)(9⇢0)(�, ⇢0) |= ('l ^ ') ^ (9�1)(�1, ⇢0) |= 'r ! (3)

(8⇢)(9�)(�, ⇢) |= ' �! (9�1)� )S �1

where, by Assumption 1, we may w.l.o.g. choose ⇢0 such that ⇢0(x) = ⇢(x) forall x 62 FreeVars('l,'r), which implies (�0, ⇢0) |= ' iff �

0 = � and (�, ⇢) |= '.Therefore in the equivalence (2) ! (3) we could take (�, ⇢0) |= ('l ^ '). Theequivalence (1) follows by Proposition 2. ut

4 A Procedure for Verifying rl Properties

We now introduce our procedure for verifying rl properties on transition systemsalso defined by rl formulas. We assume given an ml signature � and �-model M .

procedure prove(S, G0, G)

1: if G = ; then return success2: else choose ' ) '

0 2 G

3: if M |= ' �! '

0then return prove(S, G0, G \ {' ) '

0})4: else if there is 'c ) '

0c 2 G0 s. t. M |= ' �! (9FreeVars('c))'c then

5: return prove(S, G0, G \ {' ) '

0} [�'c)'0c(' ) '

0))6: else if ' is S-derivable then

7: return prove(S, G0, G \ {' ) '

0} [�S(' ) '

0))8: else return failure.

Fig. 1. rl verification procedure.

The soundness result, stated below, says that if the procedure returns successwhen presented with a given input (consisting of a transition system rl spec-ification S, a set of goals G0, and the S-derivatives of G0, then the transitionsystem )S satisfies all the goals. We shall need the following lemma.

Lemma 5 (Coverage by Derivatives). Any computation ⌧ , �0 )S �1 )S· · · with (⌧, ⇢) starting from ' is "covered" by derivatives, i.e., there exists asequence '0,'1, . . . of ml formulas such that

1. '0 = '

2. 'i+1 2 �S('i), i = 0, 1, . . .3. (�i, ⇢) |= 'i, i = 0, 1, . . .

Proof. We proof by induction on i the following property:

(8i � 0)(�i, ⇢) |= 'i �! (9'i+1 2 �S('i)) ^ (�i+1, ⇢) |= 'i+1 (4)

Assuming 'i defined we set 'i+1 , (9FreeVars('l,'r))('i ^ 'l)=? ^ 'r 2�S('i), where 'l ) 'r 2 S is the rule used in �i )S �i+1. We show that(�i, ⇢) |= 'i implies (�i+1, ⇢) |= 'i+1. There is ⇢0 such that (�i, ⇢0) |= 'l and(�i+1, ⇢

0) |= 'r by the definition of)S . Since FreeVars('l,'r)\FreeVars('i) = ;by Assumption 1, we may choose w.l.o.g. ⇢0 such that ⇢0(x) = ⇢(x) for x 62FreeVars('l,'r). This implies that (�i, ⇢) |= (9FreeVars('l,'r))('i ^ 'l) and(�i+1, ⇢) |= (9FreeVars('l,'r))'r. Hence (�i+1, ⇢) |= (9FreeVars('l,'r))('i ^'l)=? ^ 'r, i.e. (�i+1, ⇢) |= 'i+1. This finishes the proof by induction.

The conclusion of the lemma follows by observing that for i = 0 the propertiesrequired by (4). ut

Definition 13 (Digraph Associated to prove). The digraph G associated toa successful run of the procedure prove, given in Figure 1, is defined as follows:

– the vertices consists of G0 together with all sets G collected during the re-cursive calls of the procedure prove;

– there are arcs from the current formula ' ) '

0 to the each derivative in�S('c ) '

0c) whenever the condition on the line 4 holds;

– there is an arc from the current formula ') '

0 to each formula in �S(')'

0) added by the recursive call at line 7, whenever the condition on line 4does not hold and that on the line 6 holds.

One can see that all formulas in G belong to cycles, except for the ones satisfyingthe condition on line 3 which are sinks in the graph. Moreover, any maximal walkstarting from a source, i.e. a formula in G0, either is infinite or ends in a sink.

We first prove the next lemma that states that any sequence of derivatives,starting from the left-hand side of a initial goal, is covered by a walk in G.

Lemma 6. Assume that the call prove(S, G0,�S(G0)) successfully finishes forG0 such that each 'c ) '

0c 2 G0 is S-derivable and satisfies FreeVars('0

c) ✓FreeVars('c). Let G the digraph associated to this run (cf. Definition 13).

Then any sequence of ml-formulas '0,'1, . . ., with '0 ) '

00 2 G0 and

'i+1 2 �S('i) for i = 0, 1, . . ., is "covered" by G, i.e., there exists a walk'0 ) '

00, '1 ) '

00, . . . in G such that

a. there is j with 'j ) '

00 a sink, i.e. M |= 'j �! '

00, and M |= 'i �!

(9FreeVars('i))'i for all i j, orb. M |= 'i �! (9FreeVars('i))'i for all i � 0.

Proof. We prove first the following property }:

if '0 ) '

00, . . . ,'n ) '

00 is a walk in G such that M |= 'i �!

(9FreeVars('i))'i, for all i n, then one of the following claims holds:1. M |= 'n �! '

00 or

2. there exists 'n+1 and an arrow from 'n to 'n+1 in G such thatM |= 'n+1 �! (9FreeVars('n+1))'n+1.

By the definition of G, we distinguish three cases corresponding to the three ifstatements in the procedure prove:

A) 'n ) '

00 is a sink, i.e., M |= 'n �! '

00. Then 1. in } holds.

B) M |= 'n �! (9FreeVars('c))'c for some 'c ) '

0c 2 G0, and there is

an arc from 'n ) '

00 to each S-derivative of 'c ) '

0c. Let 'n+1 ) '

0c be

the derivative of 'c ) '

0c corresponding to the rule 'l ) 'r 2 S used in the

definition of 'n+1. We have 'n+1 , (9FreeVars('l,'r))('n ^ 'l)=? ^ 'r and'n+1 , (9FreeVars('l,'r))('c ^ 'l)=? ^ 'r.

In �'c)'0c(' ) '

0) the rl formula 'c ) '

0c is used in the same way the

rules S are used, so obviously it respects the same constraints as the rules S,i.e. FreeVars(') \ FreeVars('c) = ;. In particular, we have FreeVars('n) \FreeVars('c) = ;.

We prove now that M |= 'n �! (9FreeVars('n))'n, which holds by thehypothesis of (}), and M |= 'n �! (9FreeVars('c))'c, which holds by theabove assumption, imply M |= 'n �! (9FreeVars('c))'c (|). If [['n]] = ; then(|) obviously holds. Assume that there is (�, ⇢) |= 'n. Since M |= 'n �!(9FreeVars('n))'n, there is ⇢0 such that (�, ⇢0) |= 'n and ⇢

0(x) = ⇢(x), for allx 62 FreeVars('n). Since M |= 'n �! (9FreeVars('c))'c, there is ⇢00 such that

(�, ⇢00) |= 'c and ⇢00(x) = ⇢

0(x), for all x 62 FreeVars('c). It follows that ⇢00(x) =⇢(x), for all x 62 FreeVars('n,'c) and hence (�, ⇢) |= (9FreeVars('n,'c))'c.But, the formula (9FreeVars('n,'c))'c is equivalent to (9FreeVars('c)'c be-cause FreeVars('n) \ FreeVars('c) = ;. Now (|) is proved. We obtain thatM |= 'n+1 �! (9FreeVars('l,'r,'c))('c ^ 'l)=? ^ 'r using (|), i.e., M |='n+1 �! (9FreeVars('n+1))'n+1. It follows that 2. in } holds.

C) 'n is S-derivable and there is an arc from from 'n ) '

00 to each derivative

in �S('n ) '

00). Then we set 'n+1 ) '

00 to be the derivative of 'n ) '

00

corresponding to the rule 'l ) 'r 2 S used in the definition of 'n+1. We obtainM |= 'n+1 �! (9FreeVars('n+1))'n+1 in a similar way to that of the case B,which implies that 2. in } holds.

Now } is proved. We construct the required sequence '0 ) '

00, '1 ) '

00, . . .

in G as follows:

– The initial step n = 0: We set '0 ) '

00 , '0 ) '

00, which is in G by the

definition of G. We obviously have M |= '0 �! (9FreeVars('0))'0.– The iterative step: we assume that the sequence '0 ) '

00, . . . ,'n ) '

00 has

been constructed, and M |= 'i �! (9FreeVars('i))'i for all i n. If thesequence ('i) has the length n, the process is finished and the built sequencesatisfies the second item of the conclusion of the lemma. If 1. in } holds,then the constructed sequence satisfies the first item of the conclusion of thelemma for j = n. and the construction of the sequence is finished. If 2. in }holds, then the sequence of length n + 1 is obtained by adding 'n+1 ) '

00

to the above one.

If the above process is finite then obviously the built sequence satisfies the con-clusion of the lemma. If it is infinite, then it builds an infinite sequence thatsatisfies the second item of the conclusion of the lemma. This finishes the proofof the lemma. ut

Theorem 1 (Soundness). Let prove be the procedure given in Figure 1. As-sume that S is total. Let G0 be such that each 'c ) '

0c 2 G0 is S-derivable

and satisfies FreeVars('0c) ✓ FreeVars('c). If prove(S, G0,�S(G0)) returns

success then )S |= G0.

Proof. Let ⌧ , �0 )S �1 )S · · · be a complete execution path, and let thevaluation ⇢ be such that (⌧, ⇢) starts from '0 with '0 ) '

00 2 G0. There is a

sequence of ml-formulas '0,'1, . . . that covers ⌧ cf. Lemma 5. There is a walk'0 ) '

00,'1 ) '

00, . . . in G that covers '0,'1, . . . cf. Lemma 6.

If the walk ends in a sink 'j ) '

00 then (�j , ⇢) |= '

00, and therefore (⌧, ⇢) |=

'0 ) '

00.

If the walk is infinite then ⌧ is also infinite, which also implies (⌧, ⇢) |= '0 )'

00.

It remains to investigate the case when the walk is finite and does not endin a sink. In that case ⌧ is finite as well and let �j be the last element of ⌧ .We have (�j , ⇢) |= 'j and M |= 'j �! (9FreeVars('j))'j by Lemma 5 andLemma 6, respectively, which implies (�j , ⇢) |= (9FreeVars('j))'j , i.e., there is

⇢

0 such that (�j , ⇢0) |= 'j . By the definition of G, we have two cases when thecurrent goal is the non-sink vertex 'j ) '

0j : either it is processed by line 6 in

prove, case in which 'j is S-derivable, or it is processed by line 4 in prove, casein which we have M |= 'j �! (9FreeVars('c))'c for some 'c ) '

0c 2 G0. In

the later case, there is ⇢00 such that (�j , ⇢00) |= 'c and 'c is S-derivable by thehypotheses of the theorem. So, in both cases we have (�j , ⇢00) |= ' for certain ⇢00and S-derivable '. Since S is total, there is �j )S �j+1, which contradicts that⌧ is complete. ut

Remark 1. A sound approximated check for validity statements M |= ' is an au-tomatic procedure that, when presented with M and ', if it answers true thenM |= '. We note that Theorem 1 still holds when one uses sound approximatedchecks for the various validity statements occurring in the procedure (includ-ing S-derivability and totality of S, which amount to validity, cf. the previoussection). Approximated checks, such as those implemented in SMT solvers, arerequired here since exact checks do not exist due to undecidability issues.

Remark 2. Theorem 1 says nothing about executions of the procedure thatreturn failure or that do not terminate. Such outcomes may mean either)S 6|= G0, or )S |= G0 but the information contained in the goals G0 is notenough for proving them, or, again, that the approximation induced by the valid-ity checkers was too coarse. It is the user’s burden to come up with a set of goalscontaining enough information such that the procedure terminates successfully.

This is similar to proving loop invariants in imperative programs, which re-quires users to provide a strong-enough invariant (i.e., one that can be proved).

Example 10. Let S be the rl specification defined in Example 4 and G0 ,{'0 ) '

00}, where '0 ) '

00 is

hx, yi ^ y � 0) (9x0, y

0)hx0, y

0i ^ gcd(x0, x, y).

We illustrate in a step-by-step manner the procedure call prove(S, G0, G), whereG is initially �S(G0) = {'1 ) '

00,'2 ) '

00}, and

'1 , (9k)hy, x� k ⇤ yi ^ y > 0 ^ x � k ⇤ y ^ k > 0) '

00,

'2 , hy, xi ^ y � x ^ y � 0) '

00}.

Let us consider that '1 ) '

00 is the current chosen goal from G. Obviously,

M |= '1 �! '

00 does not hold. Since M |= x � k ⇤y �! x�k ⇤y � 0, we obtain

M |= '1 �! (9x0, y

0)hx0, y

0i ^ y

0 � 0 (i.e. the condition of the if statement atline 4 holds) and hence the goal '1 ) '

00 is replaced with '11 ) '

00 by the

statement in line 5, where'11 , (9x1, y1, x

01, y

01, k)hx0

1, y01i ^ gcd(x0

1, x1, y1) ^ hy, x� k ⇤ yi = hx1, y1i^ y > 0 ^ x � k ⇤ y ^ k > 0

Since M |= (gcd(x0, y, x � k ⇤ y) ^ k > 0 ^ x � k ⇤ y) �! gcd(x0

, x, y), itfollows that M |= '11 �! '

00 and the goal '11 ) '

00 is removed from G by the

if statement in line 2.Now the only goal in G is '2 ) '

00. It is easy to see that M 6|= '2 �! '

00

and M 6|= '2 �! (9FreeVars('00))'

00, i.e. the conditions on then lines 3 and 4

'0 ) '

00

'1 ) '

00 '2 ) '

00

'11 ) '

00

'21 ) '

00 '22 ) '

00

'211 ) '

00 '221 ) '

00

Fig. 2. The graph G corresponding to the prove procedure call for Example 10

do not hold. We have �S('2 ) '

00) = {'21 ) '

00,'22 ) '

00}, where

'21 , (9k)hx, y � k ⇤ xi ^ x > 0 ^ y � k ⇤ x ^ k > 0 ^ y > x) '

00,

'22 , hx, yi ^ x � y ^ y � x ^ y � 0) '

00}.

The '21 ) '

00 is processed in the same way like '1 ) '

00. Since M |= '22 �!

(9x0, y

0)hx0, y

0i^y0 � 0 and hence the goal '22 ) '

00 is replaced with '221 ) '

00

by the if statement in line 4, where'221 , (9x1, y1, x

01, y

01, k)hx0

1, y01i ^ gcd(x0

1, x1, y1) ^ hx, yi = hx1, y1i^ x � y ^ y � x ^ y � 0

.

It is easy to see that M |= '221 �! '

00 and hence the goal '221 ) '

00 is

removed from G by the if statement in line 2.Now the set of current goals G is empty and the execution of the proce-

dure call prove(S, G0,�S(G0)) returns success. The execution of the procedureprove corresponding to this call is graphically represented in Figure 2.

5 Reachability Properties for Rewrite Theories

In this section we show that rl formulas can be used to specify properties oftransition systems defined by rwl theories. This is achieved by extending thesignature of an rwl theory R to an ml-signature, which includes predicates thatcan be used to define rl properties of the transition system defined by R.

We also show how the verification procedure in Section 4 can be adapted inorder to take advantage of rwl-specific operations such as matching. More pre-cisely, we prove that, under reasonable assumptions, a complete set of derivativesof an rl formula can be computed using standard matching-modulo algorithms.

We note that rl properties for rewrite theories are different from the reacha-bility properties that can be checked in Maude using the search command. Thedifference is given by the possibility of using fol for constraining the initial andthe final state terms, and by the interpretation of rl formulas.

Definition 14 (ml Extension of a Rewrite Theory). Consider a rewritetheory R = (⌃, E [A,R) with a distinguished sort State such that R is topmostw.r.t. State. An ml extension of R consists of an ml signature (⌃,⇧,State)together with an interpretation (T⌃,E[A)p ✓ T⌃,E[A,s1 ⇥ · · · ⇥ T⌃,E[A,sn foreach predicate symbol p 2 ⇧s1,...,sn . In this way, T⌃,E[A is a model of the ml

extension of R.

The above definition allows one to see the operations bop 2 ⌃s1...sn,Bool

aspredicates bop 2 ⇧s1...sn with the interpretation ([t1], . . . , [tn]) 2 (T⌃,E[A)bop iffbop(t1, . . . , tn) =E[A true. Consequently, each term b of sort Bool defines a fol

formula such that, if ⇢ : Var ! T⌃,E[A, then ⇢ |= b iff ⇢(b) =E[A true.Any rewrite rule l ! r if b can be viewed as an rl formula l ^ b ) r and

the transition relation)R is exactly the same with the one-step topmost rewrit-ing relation !R. This allows one to naturally define when rl formulas specifyproperties for rwl theories.

Definition 15 (rl Properties for rwl Theories). An rl property for R =(⌃, E[A,R) is an rl formula ') '

0, where ' and '0 are ml formulas definedover an ml extension of R (cf. Definition 14). We say that R satisfies ' ) '

0

iff !R |= ') '

0 (cf. Definition 7).

We next focus on adapting the prove procedure for verifying rl properties ofrwl theories. Specifically, we show the derivatives can be computed using match-ing algorithms (under certain assumptions). We give first a technical definition.

Definition 16 (Ground (E [ A)-unifier). Consider a rewrite theory R =(⌃, E [ A,R). Two ⌃-terms t and t

0 are ground (E [ A)-unifiable if there is� : FreeVars(t, t0)! T⌃ such that �(t) =E[A �(t0). The substitution � is called(E [A)-unifier of t and t

0.

The following assumptions are required for computing derivatives using match-ing. The first assumption restricts the class of rl formulas that can be used asproperties to those that are useful in practice (i.e., having more than one pattern,or having negations of patterns, in either side of formulas is not really useful).

Assumption 2 We assume that FreeVars(b) ✓ FreeVars(l, r) for each rule l!r if b in R. In this paper we also assume that the rl properties of rwl theoriesR are of particular form (9X)(⇡ ^ �) ) (9X 0)(⇡0 ^ �0) with FreeVars(�) ✓FreeVars(⇡) (and hence X ✓ FreeVars(⇡)).

The second assumption relates ground unifiers to matching substitutions.

Assumption 3 We assume that for each l ! r if b in R with l and ⇡ ground(E [A)-unifiable, there is a set of matching substitutions match(l,⇡) such that

– �0(l) = ⇡ for each �0 2 match(l,⇡), and– for each ground E [ A-unifier � of l and ⇡ there are �0 2 match(l,⇡) and�

0 : FreeVars(⇡)! T⌃ satisfying � =E[A �

0 � �06.

Assumption 3 holds under reasonable constraints, cf. the Matching Lemma [19].The next results show that the matching substitutions can be used to computethe derivatives of ml formulas and, consequently, the derivatives of rl formulas.

Lemma 7. Let ' ) '

0 be an rl property for R = (⌃, E [ A,R), where ' ,(9X)⇡ ^ �. Then, for each derivative '1 2 �R(') there exists a rewrite rulel! r if b in R such that

T⌃,E[A |= '1 !W

�02match(l,⇡)

(9X [ FreeVars(r) \ FreeVars(l))�0(r) ^ �0(b) ^ �.

Proof. By the definition of�R('), '1 is (9FreeVars(l, r))(l^b^(9X)(⇡^�))=?^rfor some rewrite rule l ! r if b 2 R. By Assumption 1, FreeVars(l, r) \X = ;and hence '1 is equivalent to (9X [ FreeVars(l, r))(l = ⇡) ^ b ^ � ^ r. We have:

(�1, ⇢1) |= '1 !(�1, ⇢1) |= (9X [ FreeVars(l, r))(l = ⇡) ^ b ^ � ^ r !(9⇢)(⇢(l) = ⇢(⇡)) ^ ⇢ |= (b ^ �) ^ (⇢(r) = �1) !(9�)(�(l) =E[A �(⇡)) ^ ⇢ |= b ^ ⇢1 |= � ^ (�(r) 2 �1) !(9�0)(9�00)(�0(l) =E[A ⇡) ^ ⇢ |= b ^ ⇢1 |= � ^ (�00(�0(�0(r))) 2 �1) !(9�0 2 match(l,⇡))(9�00)⇢ |= b ^ ⇢1 |= � ^ (�00 ] �0(�0(r)) 2 �1) !

_

�02match(l,⇡)

(9�00)⇢ |= b ^ ⇢1 |= � ^ (�00 ] �0(�0(r)) 2 �1) !

_

�02match(l,⇡)

(9⇢0)⇢0 |= �0(b) ^ ⇢0 |= � ^ ⇢0(�0(r)) = �1) !

_

�02match(l,⇡)

(9⇢0)(�1, ⇢0) |= (�0(b) ^ � ^ �0(r)) !

_

�02match(l,⇡)

(�1, ⇢1) |= (9X [ FreeVars(r) \ FreeVars(l))(�0(b) ^ � ^ �0(r)) !

(�1, ⇢1) |=_

�02match(l,⇡)

(9X [ FreeVars(r) \ FreeVars(l))(�0(b) ^ � ^ �0(r)) !

where

– by Assumption 1, we may assume w.l.o.g. that ⇢(x) = ⇢1(x) for all x 62X [ FreeVars(l, r),

– � : FreeVars(l, r,�)! T⌃ with [�(x)] = ⇢(x),6�1 =E[A �2 iff dom(�1) = dom(�2) and (8x 2 dom(�1))�1(x) =E[A �2(x).

– the substitutions �0 : FreeVars(l) ! FreeVars(⇡) and �

0 : FreeVars(⇡) !T⌃ are given by Assumption 2, i.e., �|

FreeVars(l,⇡) = �

0 � �0– �

00 = �|FreeVars(r)\FreeVars(l),

– �

00 ] �0(x) = �

00(x) if x 2 FreeVars(r) \ FreeVars(l), and �00 ] �0(x) = �

0(x)if x 2 FreeVars(�0(l)),

– ⇢0(x) = [�0(x)], for x 2 FreeVars(⇡), ⇢0(x) = [�00(x)], for x 2 FreeVars(r) \FreeVars(l), and ⇢0(x) = ⇢(x) in the rest (hence ⇢0(x) = ⇢1(x) for x 62X [ FreeVars(r) \ FreeVars(l)), and

– ⇢ |= b iff ⇢0 |= �0(b).ut

Theorem 2. For each '1 ) '

0 2 �R(' ) '

0) with ' , (9X)⇡ ^ �, there isl! r if b 2 R such that

[['1 ) '

0]] = [[_

�02match(l,⇡)

(9X [ FreeVars(r) \ FreeVars(l))�0(r) ^ �0(b) ^ �) '

0]].

Proof. The proof directly follows from Lemma 7. ut

Symbolic Rewrite Rules. We now show that Theorem 2 enables the use of sym-bolic rewrite rules to efficiently compute derivatives and hence to implement theprocedure prove in rwl. For ' , (9X)(⇡ ^ �), let �match

R (') '

0) be the set

{(9X [ FreeVars(r) \ FreeVars(l))�0(r) ^ �0(b) ^ �) '

0 | l! r if b 2 R,

�0 2 match(l,⇡)}(5)

We have [[�match

R (' ) '

0)]] = [[�R(' ) '

0)]] by Theorem 2, which impliesthat �match

R (') '

0) is a complete set of R-derivatives. This allows us to use of�

match

R in the procedure prove instead of �R. Next, we note that formulas '1 )'

0 in �

match

R (' ) '

0) (where ' , (9X)(⇡ ^ �)) can be computed by applyinga symbolic rewrite rule of the form l ^ ) r ^ b ^ to the left-hand side of' ) '

0, where is a fresh variable of sort Bool , with a matching substitution�0 such that �0( ) = �. Moreover, ' is R-derivable iff there are a rule l! r if b

in R and �0 2 match(l,⇡) such that (9X [ FreeVars(r) \ FreeVars(l))�0(b) ^ �is satisfible, by Lemma 7. This is equivalent to saying that ' is R-derivable iffthe symbolic rewrite rule l ^ ) r ^ b ^ is applicable to '.

Overall, R-derivatives of rl formulas ' ) '

0 (where ' , (9X)(⇡ ^ �)) canbe computed by transforming each rule l ! r if b 2 R into a symbolic rewriterule l ^ ) r ^ b ^ and by applying the symbolic rewrite rule. This is howderivatives are computed in our rwl adaptation of the prove procedure.

6 Verifying rl Properties of a Communication Protocol

We illustrate the theory on a simple communication protocol described in Maude.

Protocol Description. The protocol transmits a file between a sender and areceiver. The file is a sequence of records. The sender and receiver communicatethrough unidirectional, lossy channels, one of which carries messages (a record inthe file, together with a sequence number) from send to receiver, while the otherone carries retransmission requests (natural numbers) from receiver to sender.

Both the sender and the receiver maintain a counter in order to keep trackof the next record to be sent resp. received. The sender transmits the nextrecord in the file together with the current value of its counter, which then isincremented by one. The receiver accepts a message only if the sequence numberof the message is equal to the receiver’s counter; if this is the case, the counter isincremented and the record from the message is saved. The receiver discards allother messages (i.e., whose sequence number is not the expected one). It may also(nondeterministically) request a retransmission, by sending the current value ofits counter over the retransmission request channel. This nondeterminism can beseen as an abstraction of a timeout mechanism, not modeled here for simplicity.

Upon reception of a retransmission request, the sender ignores it if it is greaterthan or equal to its counter (indicating a wrong retransmission request). Other-wise the sender updates its counter to the number it received on retransmissionrequest channel, in order to start resending messages from that number on.

The protocol’s State structure is given as a constructor with five arguments:<_,_,_,_,_> : Nat List{Pair} List{Nat} Nat List{Element} -> State,where Pair is a sort of pairs consisting of an Element and a natural number,and List{} are parameterised lists. The file to be sent is modeled by a functionfileToSend : Nat -> Elements, of size Max. The sender and receiver’s rulesare shown in Fig. 3. There are also rules for the channels losing elements, notshown here due to lack of space.

Reachability Properties. The protocol’s initial state is <0,nil,nil,0,nil>. Itsexpected reachability property states that all terminating executions startingfrom the initial state should end up in a state of the form

< (s Max),nil,nil,(s Max),file:List{Element}>where file should satisfy 8j.0 j Max �! fileToSend(j) = file[j],where _[_] is a function returning an element at a given position in a list. (Thatis, the file received is the same as the file sent.) In order to specify the constraintson the final states we defined in Maude a subset of rl, so that the reachabilityproperty specifying the protocol is written as the following Maude rewrite rule:

< 0,nil,nil,0,nil > //\\ True =>Exists file : <(s Max),nil,nil,(s Max),file:>//\\ Forall j : ((0 <=? j And (j <=? Max)

Implies (fileToSend(j) === file[j]))

The operation _//\\_ is the constructor for our defined subset of ml, whichtakes a term of sort State and term of sort FOL and builds a term of sort ML.Note that the Maude search command cannot be used to prove this RL formula:

--- sender

crl [send_to_R] :

< n, R, L, m, recv > => < s(n),(< fileToSend(n),n >: R), L, m, recv >

if n <= Max .

crl [update_request_from_L] :

< n, R, (resend : L), m, recv > => < resend, R, L, m, recv >

if resend < n .

crl [ignore_request_from_L] :

< n, R, (resend : L), m, recv > => < n, R, L, m, recv >

if resend >= n .

--- receiver

crl [accept_element_from_R] :

< n, (R : < e, nb >), L, m, recv > => < n, R, L, (s m), (recv : e) >

if m == nb .

crl [ignore_element_from_R] :

< n, (R : < e, nb >), L, m, recv > => < n, R, L, m, recv >

if m =/= nb .

crl [send_request_to_L] :

< n, R, L, m, recv > => < n, R, L : m, m, recv>

if m <= Max .

Fig. 3. : Communication Protocol (excerpt).

to do so it would have to explore all terminating executions starting from theinitial state, which are infinitely many (and can be arbitrarily long).

Thus, we use our verification procedure. Unsurprisingly, the above rl formulais not enough by itself for our procedure to succeed. For this to happen, a"helper" rl formula is required, whose right-hand side is the same as for theone above, but whose left-hand side describes an invariant (to hold for all statesreachable from the initial states):< n, R, L, m, file > //\\Forall j : (0 <=? j And j <? m) Implies fileToSend(j) === file[j] AndForall e : Forall nb : < e,nb > In? R Implies e === fileToSend(nb) Andsize(file) + 1 === m

=>Exists file : <(s Max),nil,nil,(s Max),file:> //\\Forall j : (0 <=? j And j <=? Max) Implies (fileToSend(j) === file[j])

This formula says that the currently received file (whose size is m -1) equals theportion of the file being sent (up to that size); and that all messages currentlyin transition from sender to receiver are records in the fileToSend file. It wasobtained by trial-and-error, while applying the following verification technique.

Verification. We have implemented key functionality from our verification pro-cedure (computing derivatives) at Maude’s metalevel. Derivatives are computedbased on matching and rewriting as described in Section 5. We also use Maude’smetalevel to achieve the following executions of our verification procedure:

– for the first rl formula (the protocol’s specification): deriving it with respectto the protocol’s rules S, then applying the second formula as a circularity;

– for the second rl formula (designated above as the "helper" formula): deriv-ing it with respect to the protocol’s rules, then applying itself as a circularity.

By requiring that these two executions return success, Maude generates severalproof obligations: essentially, that the condition for applying circularities holds(at line 4 in our verification procedure), and that the condition for returningsuccess (line 3) also holds. Several of those proof obligations are discharged au-tomatically by simplification rules we included in Maude (e.g., that fol disjunc-tion is commutative). The remaining ones are axioms satisfied by the assumedmodel for the various elements in our problem domain (e.g., lossy channels, filesconsisting on records, and natural numbers). For example, one proof obligationsays that if all messages in a channel contain records from the fileToSend file,then by losing a message all the remaining messages satisfy the same property.

There are four such proof obligations left after automatic simplification. Wehave (manually) checked that they hold (in the assumed model for our problemdomain). The trial-and-error process for finding the helper rl formula consistedin examining the generated proof obligations, and noting that some do not holdunless more information is added about the problem domain.

7 Conclusion and Future Work

In this paper, we propose a procedure for verifying reachability properties onsymbolic transition systems. While the reachability properties are stated as rl

formulas, we allow symbolic transition systems to be described by either rl

specifications or by rwl specifications. We prove that our procedure is sound.We show with a concrete example that our procedure works in practice.

The paper also contributes to establishing connections between rl and rwl.In [22] it is shown how rl specifications can be encoded as rwl theories. Here, wetake an alternative approach, which consists in using rl as a property languagefor rwl. The proposed procedure adapted for rwl can be implemented in Maude,using reflection and the recently added support for sat checking and one-steprewriting modulo SMT using the CVC4 library (http://cvc4.cs.nyu.edu/).

In terms of future work there are several directions to follow. First, startingfrom our prototype, we shall develop a tool in the Maude environment that willefficiently implement our procedure; we envision that the tool will generate proofobligations to be discharged by Maude’s inductive theorem prover itp [23]. Wealso intend to formalise in the Coq proof assistant our procedure and its sound-ness proof in order to be able not only to verify properties but also to generatecertificates. Finally, we will use the extraction mechanism of Coq to obtain cer-tified OCaml code for our procedure and use it as a reference implementation.

References

1. Grigore Roşu and Andrei Ştefănescu. Checking reachability using matching logic.In Gary T. Leavens and Matthew B. Dwyer, editors, OOPSLA, pages 555–574.

ACM, 2012. Also available as technical report http://hdl.handle.net/2142/33771.

2. Grigore Rosu and Andrei Stefanescu. Towards a unified theory of operationaland axiomatic semantics. In Proceedings of the 39th International Colloquium onAutomata, Languages and Programming (ICALP’12), volume 7392 of LNCS, pages351–363. Springer, 2012.

3. Grigore Roşu, Andrei Ştefănescu, Ştefan Ciobâcă, and Brandon M. Moore. One-path reachability logic. In Proceedings of the 28th Symposium on Logic in ComputerScience (LICS’13), pages 358–367. IEEE, June 2013.

4. Andrei Ştefănescu, Ştefan Ciobâcă, Radu Mereuță, Brandon M. Moore, Tra-ian Florin Şerbănuță, and Grigore Roşu. All-path reachability logic. In Proceedingsof the Joint 25th International Conference on Rewriting Techniques and Applica-tions and 12th International Conference on Typed Lambda Calculi and Applications(RTA-TLCA’14), volume 8560 of LNCS, pages 425–440. Springer, July 2014.

5. Chucky Ellison and Grigore Roşu. An executable formal semantics of C withapplications. In Proceedings of the 39th Symposium on Principles of ProgrammingLanguages (POPL’12), pages 533–544. ACM, 2012.

6. Denis Bogdănaş and Grigore Roşu. K-Java: A Complete Semantics of Java.In Proceedings of the 42nd Symposium on Principles of Programming Languages(POPL’15), pages 445–456. ACM, January 2015.

7. Grigore Roşu and Traian Florin Şerbănuță. An overview of the K semantic frame-work. Journal of Logic and Algebraic Programming, 79(6):397–434, 2010.

8. José Meseguer. Twenty years of rewriting logic. The Journal of Logic and AlgebraicProgramming, 81(7):721–781, 2012.

9. Manuel Clavel, Francisco Durán, Steven Eker, Patrick Lincoln, Narciso Martí-Oliet, José Meseguer, and Carolyn Talcott. All about maude-a high-performancelogical framework: how to specify, program and verify systems in rewriting logic.Springer-Verlag, 2007.

10. Steven Eker, José Meseguer, and Ambarish Sridharanarayanan. The maude ltlmodel checker. Electronic Notes in Theoretical Computer Science, 71:162–187,2004.

11. Kyungmin Bae and José Meseguer. A rewriting-based model checker for the lineartemporal logic of rewriting. Electronic Notes in Theoretical Computer Science,290:19–36, 2012.

12. Santiago Escobar and José Meseguer. Symbolic model checking of infinite-statesystems using narrowing. In Term Rewriting and Applications, pages 153–168.Springer, 2007.

13. Camilo Rocha and José Meseguer. Proving safety properties of rewrite theories.In Algebra and Coalgebra in Computer Science, pages 314–328. Springer, 2011.

14. Vlad Rusu. Combining theorem proving and narrowing for rewriting-logic specifi-cations. In Tests and Proofs, pages 135–150. Springer, 2010.

15. Roberto Bruni and José Meseguer. Semantic foundations for generalized rewritetheories. Theoretical Computer Science, 360(1):386–414, 2006.

16. José Meseguer, Miguel Palomino, and Narciso Martí-Oliet. Equational abstrac-tions. Theoretical Computer Science, 403(2):239–264, 2008.

17. José Meseguer, Miguel Palomino, and Narciso Martí-Oliet. Algebraic simulations.Journal of Logic and Algebraic Programming, 79(2), 2009.

18. Andrei Arusoaie, Dorel Lucanu, and Vlad Rusu. A generic framework for symbolicexecution. In 6th International Conference on Software Language Engineering,volume 8225 of LNCS, pages 281–301. Springer Verlag, 2013. Also available as atechnical report http://hal.inria.fr/hal-00853588.

19. Camilo Rocha, José Meseguer, and César A. Muñoz. Rewriting modulo SMTand open system analysis. In Santiago Escobar, editor, Rewriting Logic and ItsApplications - 10th International Workshop, WRLA 2014, Held as a Satellite Eventof ETAPS, Grenoble, France, April 5-6, 2014, Revised Selected Papers, volume8663 of Lecture Notes in Computer Science, pages 247–262. Springer, 2014.

20. Andrei Arusoaie, Dorel Lucanu, David Nowak, and Vlad Rusu. VerifyingReachability-Logic Properties on Rewriting-Logic Specifications. Technical Re-port TR 15-01, “Al.I.Cuza” University of Iaşi, Faculty of Computer Science, 2015.http://www.infoiasi.ro/~tr/tr.pl.cgi.

21. José Meseguer. Conditional rewriting logic as a unified model of concurrency.Theoretical Computer Science, 96(1):73 – 155, 1992. Selected Papers of the 2ndWorkshop on Concurrency and Compositionality.

22. Andrei Arusoaie, Dorel Lucanu, Vlad Rusu, Traian-Florin Serbanuta, Andrei Ste-fanescu, and Grigore Rosu. Language definitions as rewrite theories. In WRLA,volume 8663 of Lecture Notes in Computer Science, pages 97–113. Springer, 2014.

23. Joe Hendrix. Decision Procedures for Equationally Based Reasoning. PhD thesis,University of Illinois at Urbana Champaign, 2008.