Automated Mutual Explicit Induction Proof in Separation Logic
Quang-Trung Ta, Ton Chanh Le, Siau-Cheng Khoo, Wei-Ngan Chin
aa r X i v : . [ c s . L O ] S e p Automated Mutual Explicit Induction Proof inSeparation Logic
Quang-Trung Ta Ton Chanh Le Siau-Cheng Khoo Wei-Ngan Chin { taqt, chanhle, khoosc, chinwn } @comp.nus.edu.sg School of Computing, National University of Singapore
Abstract.
We present a sequent-based deductive system for automati-cally proving entailments in separation logic by using mathematical in-duction. Our technique, called mutual explicit induction proof , is an in-stance of Noetherian induction. Specifically, we propose a novel inductionprinciple on a well-founded relation of separation logic model, and followthe explicit induction methods to implement this principle as inferencerules, so that it can be easily integrated into a deductive system. We alsosupport mutual induction, a natural feature of implicit induction, wherethe goal entailment and other entailments derived during the proof searchcan be used as hypotheses to prove each other. We have implemented aprototype prover and evaluated it on a benchmark of handcrafted entail-ments as well as benchmarks from a separation logic competition.
Separation logic (SL) [21,29] has been actively used recently to reason aboutimperative programs that alter data structures. For example, the static analysistool Infer [1] of Facebook has been using SL to discover critical memory safetybugs in Android and iOS applications. One of the pivotal features making thesuccess of SL is the separating conjunction operator ( ∗ ), which is used to describethe separation of computer memory. In particular, the assertion p ∗ q denotes amemory portion which can be decomposed into two disjoint sub-portions held by p and q , respectively. In addition, SL is also equipped with the ability for usersto define inductive heap predicates [28,5,15]. The combination of the separatingconjunction and inductive heap predicates makes SL expressive enough to modelvarious types of recursive data structures, such as linked lists and trees.However, this powerful expressiveness also poses challenges in reasoning aboutSL entailments. Considerable researches have been conducted on the SL en-tailment proving problem, including the works [5,7,11] related to mathematicalinduction. In particular, Brotherston et al. [5,7] propose the cyclic proof , whichallows proof trees to contain cycles, and can be perceived as infinite derivationtrees. Furthermore, during the proof derivation, induction hypotheses are notexplicitly identified via applications of induction rules; instead, they are implic-itly obtained via the discovery of valid cycle proofs. Consequently, a soundnesscondition needs to be checked globally on proof trees. On the other hand, Chuet al. [11] apply structural induction on inductive heap predicates for provingL entailments. During proof search, this technique dynamically uses derivedentailments as induction hypotheses. When applying induction hypotheses, itperforms a local check to ensure that predicates in the target entailments aresubstructures of predicates in the entailments captured as hypotheses. This dy-namicity in hypothesis generation enables multiple induction hypotheses withina single proof path to be exploited; however, it does not admit hypotheses ob-tained from different proof paths.In this work, we develop a sequent-based deductive system for proving SL entail-ments by using mathematical induction. Our technique is an instance of Noethe-rian induction [8], where we propose a novel induction principle based on a well-founded relation of SL models. Generally, proof techniques based on Noetherianinduction are often classified into two categories, i.e., explicit and implicit in-duction [8], and each of them presents advantages over the other. We followthe explicit induction methods to implement the induction principle as inferencerules, so that it can be easily integrated into a deductive system, and the sound-ness condition can be checked locally in each application of inference rules. Inaddition, since the well-founded relation defined in our induction principle doesnot depend directly on the substructure relationship, induction hypotheses gath-ered in one proof path can be used for hypothesis applications at other proofpaths of the entire proof tree. Thus, our induction principle also favors mutualinduction , a natural feature of implicit induction , in which the goal entailmentand other entailments derived during the proof search can be used as hypothesesto prove each other. Our proof technique, therefore, does not restrict inductionhypotheses to be collected from only one proof path, but rather from all derivedpaths of the proof tree. Related work.
The entailment proving problem in SL has been actively stud-ied recently. Various sound and complete techniques have been introduced, butthey deal with only pre-defined inductive heap predicates, whose definitions andsemantics are given in advance [2,3,12,23,22,4,24,25]. Since these techniques aredesignated to only certain classes of pre-defined predicates, they are not suitablefor handling general inductive heap predicates.Iosif et al. [15,16] and Enea et al. [13] aim to prove entailments in more generalSL fragments by translating SL assertions into tree automata. However, theseapproaches still have certain restrictions on inductive heap predicates, such asthe predicates must have the bounded tree width property, or they are variants oflinked list structures. Proof techniques proposed by Nguyen et al. [20,19,10] andby Madhusudan et al. [26] can prove SL entailments with general inductive heappredicates. Nonetheless, these techniques are semi-automated since users are re-quired to provide supplementing lemmas to assist in handling those predicates.In [14], Enea et al. develop a mechanism to automatically synthesize these sup-porting lemmas, but solely limited to certain kinds of lemmas, i.e., compositionlemmas , completion lemmas and stronger lemmas .2yclic proof [5,7] and induction proof in [11] are most closely related to ourapproach. We recall the aforementioned comments that cyclic proof requiressoundness condition to be checked globally on proof trees, whereas proof tech-nique in [11] restricts that induction hypotheses collected from one path of prooftree cannot be used to prove entailments in other paths. Our work differs fromthem as we not only allow soundness condition to be checked locally at inferencerule level, but also support mutual induction where entailments from differentproof paths can be used as hypotheses to prove each other. Contribution.
Our contributions in this work are summarized as follows:– We define a well-founded relation on SL models and use it to construct anovel mutual induction principle for proving SL entailments.– We develop a deductive system for proving SL entailments based on the pro-posed mutual induction principle, and prove soundness of the proof system.– We implement a prototype prover, named
Songbird , and experiment on itwith benchmarks of handcrafted entailments as well as entailments collectedfrom
SL-COMP , an SL competition. Our prover is available for both onlineuse and download at: http://loris-5.d2.comp.nus.edu.sg/songbird/ . We consider the procedure traverse in Fig. 1, which traverses a linked list inan unusual way, by randomly jumping either one or two steps at a time. In orderto verify memory safety of this program, automated verification tools such as[9,17] will first formulate the shape of the computer memory manipulated by traverse . Suppose the initially discovered shape is represented by an inductiveheap predicate tmp ( x ) in SL, defined as: tmp ( x ) , emp ∨∨∨ ∃ u. ( x u ∗ tmp ( u )) ∨∨∨ ∃ u, v. ( x u ∗ u v ∗ tmp ( v )) struct node { struct node ∗ next ; } void traverse ( struct node ∗ x ) { if ( x == NULL ) return ; bool jump = random (); if ( jump && x → next != NULL ) traverse ( x → next → next ); else traverse ( x → next ); } Fig. 1: A linked-list traversal algorithmwith random jumpIntuitively, tmp ( x ) covers three pos-sible cases of the shape, which canbe an empty memory emp (when x == NULL ), or be recursively expandedby a single data structure x u (when traverse jumps one step), or be recur-sively expanded by two structures x u and u v (when traverse jumps twosteps). Note that x u and u v are SLpredicates modeling the data structure node . Details about the SL syntax willbe explained in Section 3.Since the derived shape is anomalous, the verifiers or users may want to examineif it is actually a linked l ist s egment, modeled by the following predicate: ls ( x, y ) , ( emp ∧ x = y ) ∨∨∨ ∃ w. ( x w ∗ ls ( w, y ))3his can be done by checking the validity of the following entailment: E , tmp ( x ) | − ∃ y. ls ( x, y )In the semantics of SL, the entailment E is said to be valid , if all memorymodels satisfying tmp ( x ) also satisfy ∃ y. ls ( x, y ). To prove it by induction, E isfirstly recorded as an induction hypothesis (IH), then the predicate tmp ( x ) isanalyzed in each case of its definition, via a method called unfolding, to derivenew entailments E , E , E as follows. E , emp | − ∃ y. ls ( x, y ) E , x u ∗ tmp ( u ) | − ∃ y. ls ( x, y ) E , x u ∗ u v ∗ tmp ( v ) | − ∃ y. ls ( x, y )The entailment E can be easily proved by unfolding the predicate ls ( x, y ) in theright side by its base case to obtain a valid entailment emp | − ∃ y. ( emp ∧ x = y ).On the contrary, the entailment E can only be proved by using the inductionhypothesis E . Its (simplified) proof tree can be depicted in Fig. 2. ( | − pure ): Valid, proved by external provers, e.g. Z3. true | − ∃ y, w. ( u = w ∧ t = y ) ( ∗ P ): Match and remove predicates ls ( u, t ) and ls ( w, y ). ls ( u, t ) | − ∃ y, w. ( ls ( w, y ) ∧ u = w ) ( ∗ 7→ ): Match and remove data nodes x u and x w . x u ∗ ls ( u, t ) | − ∃ y, w. ( x w ∗ ls ( w, y )) ( PR ): Unfold ls ( x, y ) by its inductive case. ( E ) x u ∗ ls ( u, t ) | − ∃ y. ls ( x, y ) ( AH ): Apply IH E with subst. [ u/x ], rename y to fresh t . ( E ) x u ∗ tmp ( u ) | − ∃ y. ls ( x, y ) Fig. 2: Proof tree of E , using induction hypothesis E We can also prove E by the same method, i.e., applying the IH E , and its prooftree is shown in Fig. 3. ( | − pure ): Valid, proved by external prover, e.g. Z3. true | − ∃ y, z, w. ( u = z ∧ v = w ∧ t = y ) ( ∗ P ): Remove predicates ls ( v, t ) and ls ( w, y ). ls ( v, t ) | − ∃ y, z, w. ( ls ( w, y ) ∧ u = z ∧ v = w ) ( ∗ 7→ ): Remove data nodes u v and z w . u v ∗ ls ( v, t ) | − ∃ y, z, w. ( z w ∗ ls ( w, y ) ∧ u = z ) ( PR ): Unfolding ls ( z, y ) by inductive case. u v ∗ ls ( v, t ) | − ∃ y, z. ( ls ( z, y ) ∧ u = z ) ( ∗ 7→ ): Remove data nodes x u and x z . x u ∗ u v ∗ ls ( v, t ) | − ∃ y, z. ( x z ∗ ls ( z, y )) ( PR ): Unfold ls ( x, y ) by inductive case. x u ∗ u v ∗ ls ( v, t ) | − ∃ y. ls ( x, y ) ( AH ): Apply IH E with substitution [ v/x ],and rename y to t ( E ) x u ∗ u v ∗ tmp ( v ) | − ∃ y. ls ( x, y ) Fig. 3: Ordinary proof tree of E , using induction hypothesis E Using a different strategy, we observe that once E is proved, entailments derivedduring its proof, i.e., E and E , can be used as hypotheses to prove E . In thiscase, the new proof of E is much simpler than the above original induction proof,as demonstrated in Fig. 4; the proving process, therefore, is more efficient.In the new proof tree, the entailment E can be directly used as a hypothesisto prove other entailments since it is already proven valid (see Fig. 2). However,4hen E is applied to prove E , thus prove E , it is not straightforward toconclude about E , since the validity of E is still unknown . This is because theproof of E in Fig. 2 also uses E as a hypothesis. Therefore, E and E jointlyform a mutual induction proof, in which they can be used to prove each other.The theoretical principle of this proof technique will be introduced in Section 4. ( | − pure ): Valid, proved by external provers, e.g., Z3. true | − ∃ y. y = z ( ∗ P ): Remove predicates ls ( x, z ) and ls ( x, y ). ls ( x, z ) | − ∃ y. ls ( x, y ) ( AH ): Apply E with subst. [ r/t ], and rename y to z . x u ∗ ls ( u, r ) | − ∃ y. ls ( x, y ) ( AH ): Apply hypothesis E with subst. [ u/x, v/u ],and rename y to r . ( E ) x u ∗ u v ∗ tmp ( v ) | − ∃ y. ls ( x, y ) Fig. 4: New proof tree of E , using hypotheses E and E In this work, we consider the symbolic-heap fragment of separation logic witharbitrary user-defined inductive heap predicates. We denote this logic fragmentas SL ID . It is similar to those introduced in [15,6], but extended with lineararithmetic (LA) to describe more expressive properties of the data structures,such as size or sortedness. The syntax and semantics of the SL ID assertions andtheir entailments are introduced in this section. Syntax.
The syntax of our considered separation logic fragment SL ID is de-scribed in Fig. 5. In particular, the predicate emp represents an empty memory.The singleton heap predicate x ι x ,...,x n models an n -field single data structurein memory where x points-to; its data type is represented by a unique sort ι and values of its fields are captured by x ,...,x n . The inductive heap predicate P ( x ,...,x n ) models a recursively defined data structure, which is formally de-fined in Definition 1. These three heap predicates, called spatial atoms , composethe spatial assertions Σ via the separating conjunction operator ∗ . Π denotes pure assertions in linear arithmetic, which do not contain any spatial atoms. Definition 1 (Inductive heap predicate).
A system of k inductive heappredicates P i of arity n i and parameters x i , ..., x in i , with i = 1 , ..., k , are syn-tactically defined as follows: n P i ( x i , ..., x in i ) , F i ( x i , ..., x in i ) ∨∨∨ · · · ∨∨∨ F im i ( x i , ..., x in i ) o ki = 1 where F ij ( x i , ..., x in i ) , with ≤ j ≤ m i , is a definition case of P i ( x i , ..., x in i ) . More-over, F ij is a base case of P i , if it does not contain any predicate symbol whichis (mutually) recursively defined with P i ; otherwise, it is an inductive case . Note that for the simplicity of presenting the motivating example, we have removedthe sort ι from the SL singleton heap predicate denoting the data structure node . , x, ι, P resp. denote constants, variables, data sorts, and predicate symbols. e ::= c | x | − e | e + e | e − e Integer expressions a ::= nil | x Spatial expressions Π ::= a = a | a = a | e = e | e = e | Pure assertions e > e | e ≥ e | e < e | e ≤ e |¬ Π | Π ∧ Π | Π ∨ Π | Π ⇒ Π | ∀ x.Π | ∃ x.ΠΣ ::= emp | x ι x ,...,x n | P ( x ,...,x n ) | Σ ∗ Σ Spatial assertions F ::= Σ | Π | Σ ∧ Π | ∃ x.F SL ID assertionsFig. 5: Syntax of assertions in SL ID Definition 2 (Syntactic equivalence).
The syntactical equivalence relationof two spatial assertions Σ and Σ , denoted as Σ ∼ = Σ , is recursively definedas follows:– emp ∼ = emp – u ι v ,...,v n ∼ = u ι v ,...,v n – P ( u ,...,u n ) ∼ = P ( u ,...,u n ) – If Σ ∼ = Σ ′ and Σ ∼ = Σ ′ , then Σ ∗ Σ ∼ = Σ ′ ∗ Σ ′ and Σ ∗ Σ ∼ = Σ ′ ∗ Σ ′ Semantics.
The semantics of SL ID assertions are given in Fig. 6. Given a set Var of variables,
Sort of sorts,
Val of values and
Loc ⊂ Val of memory addresses, amodel of an assertion consists of: – a stack model s , which is a function s : Var → Val . We write J Π K s to denotevaluation of a pure assertion Π under the stack model s . Note that theconstant nil ∈ Val \ Loc denotes dangling memory address. – a heap model h , which is a partial function h : Loc ⇀ fin ( Sort → ( Val list )).dom( h ) denotes domain of h , and | h | is cardinality of dom( h ). We followReynolds’ semantics [27] to consider finite heap models, i.e., | h | < ∞ . h h ′ indicates that h and h ′ have disjoint domains, i.e., dom( h ) ∩ dom( h ′ ) = ∅ ,and h ◦ h ′ is the union of two disjoint heap models h, h ′ , i.e., h h ′ . SL ID In this section, we formally define the SL ID entailments and introduce a new con-cept of model of entailments , which will be used in the next section to constructthe well-founded relation in our induction principle. Definition 3 (Entailment).
An entailment between two assertions F and G ,denoted as F | − G , is said to be valid (holds), iff s, h | = F implies that s, h | = G ,for all models s, h . Formally, F | − G is valid, iff ∀ s, h. ( s, h | = F → s, h | = G )Here, F and G are respectively called the antecedent and the consequent of theentailment. For simplicity, the entailment F | − G can be denoted by just E , i.e., E , F | − G . 6 , h | = Π iff J Π K s = true and dom( h ) = ∅ s, h | = emp iff dom( h ) = ∅ s, h | = x ι x ,...,x n iff s ( x ) ∈ Loc and dom( h ) = { s ( x ) } and h ( s ( x )) ι = ( s ( x ) , ..., s ( x n )) s, h | = P ( x ,...,x n ) iff s, h | = R i ( x ,...,x n ), with R i ( x ,...,x n ) is one ofthe definition cases of P ( x ,...,x n ) s, h | = Σ ∗ Σ iff there exist h , h such that: h h , h ◦ h = h and s, h | = Σ and s, h | = Σ s, h | = Σ ∧ Π iff J Π K s = true and s, h | = Σs, h | = ∃ x.F iff ∃ v ∈ Val . [ s | x : v ] , h | = F Fig. 6: Semantics of assertions in SL ID . [ f | x : y ] is a function like f except that itreturns y for input x . Definition 4 (Model and counter-model).
Given an entailment E , F | − G . An SL model s, h is called a model of E , iff s, h | = F implies s, h | = G . Onthe contrary, s, h is called a counter-model of E , iff s, h | = F and s, h | = G . We denote s, h | = ( F | − G ), or s, h | = E , if s, h is a model of E . Similarly, wewrite s, h | = ( F | − G ), or s, h | = E , if s, h is a counter-model of E . Given a listof n entailments E , ..., E n , we write s, h | = E , ..., E n if s, h is a model of all E , ..., E n , and s, h | = E , ..., E n if s, h is a counter-model of some E , ..., E n . In this section, we first introduce the general schema of
Noetherian induction,a.k.a. well-founded induction, and then apply it in proving SL entailments.
Noetherian induction [8] . Given a conjecture P ( α ), with α is a structure oftype τ , the general schema of Noetherian induction on the structure α is ∀ α : τ. ( ∀ β : τ. β ≺ τ α → P ( β )) → P ( α )) ∀ α : τ. P ( α )where ≺ τ is a well-founded relation on τ , i.e., there is no infinite descendingchain, like ... ≺ τ α n ≺ τ ... ≺ τ α ≺ τ α . Noetherian induction can be appliedfor arbitrary type τ , such as data structures or control flow. However, successin proving a conjecture by induction is highly dependent on the choice of theinduction variable α and the well-founded relation ≺ τ . Proving SL entailments using Noetherian induction . We observe that anSL entailment E is said to be valid if s, h | = E for all model s, h , given that theheap domain is finite, i.e., ∀ h. | h | ∈ N , according to Reynolds’ semantics [27].This inspires us to define a well-founded relation among SL models, called model rder , by comparing size of their heap domains. To prove an SL entailment byNoetherian induction based on this order, we will show that if all the smallermodels satisfying the entailment implies that the bigger model also satisfies theentailment, then the entailment is satisfied by all models, thus it is valid. Themodel order and induction principle are formally described as follows. Definition 5 (Model order).
The model order , denoted by ≺ , of SL modelsis a binary relation defined as: s , h ≺ s , h , if | h | < | h | . Theorem 1 (Well-founded relation).
The model order ≺ of SL models is awell-founded relation.Proof. By contradiction, suppose that ≺ were not well-founded, then there wouldexist an infinite descending chain: ... ≺ s n , h n ≺ ... ≺ s , h . It follows that therewould exist an infinite descending chain: ... < | h n | < ... < | h | . This is impossiblesince domain size of heap model is finite, i.e., | h | , ..., | h n | , ... ∈ N . (cid:31) Theorem 2 (Induction principle).
An entailment E is valid, if for all model s, h , the following holds: ( ∀ s ′ , h ′ . s ′ , h ′ ≺ s, h → s ′ , h ′ | = E ) → s, h | = E . Formally: ∀ s, h. ( ∀ s ′ , h ′ . s ′ , h ′ ≺ s, h → s ′ , h ′ | = E ) → s, h | = E ∀ s, h. s, h | = E Since our induction principle is constructed on the SL model order, an inductionhypothesis can be used in the proof of any entailment whenever the decreasingcondition on model order is satisfied. This flexibility allows us to extend theaforementioned principle to support mutual induction , in which multiple entail-ments can participate in an induction proof, and each of them can be used as ahypothesis to prove the other. In the following, we will introduce our mutual in-duction principle . Note that the induction principle in Theorem 2 is an instanceof this principle, when only one entailment takes part in the induction proof.
Theorem 3 (Mutual induction principle).
Given n entailments E , ..., E n .All of them are valid, if for all model s, h , the following holds: ( ∀ s ′ , h ′ . s ′ , h ′ ≺ s, h → s ′ , h ′ | = E , ..., E n ) → s, h | = E , ..., E n . Formally: ∀ s, h. ( ∀ s ′ , h ′ . s ′ , h ′ ≺ s, h → s ′ , h ′ | = E , ..., E n ) → s, h | = E , ..., E n ∀ s, h. s, h | = E , ..., E n Proof.
By contradiction, assume that some of E , ..., E n were invalid. Then, therewould exist some counter-models s, h such that s, h | = E , ..., E n . Since ≺ is awell-founded relation, there would exist the least counter-model s , h such that s , h | = E , ..., E n , and, s ′ , h ′ | = E , ..., E n for all s ′ , h ′ ≺ s , h . Following thetheorem’s hypothesis ∀ s, h. ( ∀ s ′ , h ′ . s ′ , h ′ ≺ s, h → s ′ , h ′ | = E , ..., E n ) → s, h | = E , ..., E n , we have s , h | = E , ..., E n . This contradicts with the assumptionthat s , h is a counter-model. ⊓⊔ The proof system
In this section, we introduce a sequent-based deductive system, which comprisesa set of inference rules depicted in Fig. 7 (logical rules) and Fig. 8 (inductionrules), and a proof search procedure in Fig. 10. Each inference rule has zeroor more premises, a conclusion and possibly a side condition. A premise or aconclusion is described in the same form of H , ρ, F | − F , where (i) F | − F is an entailment, (ii) H is a set of entailments with validity status, which arerecorded during proof search and can be used as hypotheses to prove F | − F ,and (iii) ρ is a proof trace capturing a chronological list of inference rules appliedby the proof search procedure to reach F | − F .In addition, the entailment in the conclusion of a rule is called the goal en-tailment . Rules with zero (empty) premise is called axiom rules . A proof trace ρ containing n rules R , . . . , R n , with n ≥
0, is represented by [( R ) , . . . , ( R n )],where the head ( R ) of ρ is the latest rule used by the proof search procedure. Inaddition, some operations over proof traces are (i) insertion: ( R ) :: ρ , (ii) mem-bership checking: ( R ) ∈ ρ , and (iii) concatenation: ρ @ ρ . ( ⊥ L ) H , ρ, F ∧ u = u | − F ( ⊥ L ) H , ρ, F ∗ u ι ~v ∗ u ι ~w | − F ( | − pure ) Π ⇒ Π H , ρ, Π | − Π H , ρ ′ , F | − F ( empL ) H , ρ, F ∗ emp | − F H , ρ ′ , F [ u/v ] | − F [ u/v ](= L ) H , ρ, F ∧ u = v | − F H , ρ ′ , F | − ∃ ~x.F ( empR ) H , ρ, F | − ∃ ~x. ( F ∗ emp ) H , ρ ′ , F | − ∃ ~x.F (= R ) H , ρ, F | − ∃ ~x. ( F ∧ u = u ) H , ρ ′ , F | − ∃ ~x. ( F ∧ u = t ∧ ~v = ~w )( ∗ 7→ ) ( u, ~v ) ~x H , ρ, F ∗ u ι ~v | − ∃ ~x. ( F ∗ t ι ~w ) H , ρ ′ , F [ u/x ] | − F ( ∃ L ) u FV ( F ) H , ρ, ∃ x.F | − F H , ρ ′ , F | − ∃ ~x. ( F ∧ ~u = ~v )( ∗ P ) ~u ~x H , ρ, F ∗ P ( ~u ) | − ∃ ~x. ( F ∗ P ( ~v )) H , ρ ′ , F | − F [ e/x ]( ∃ R ) H , ρ, F | − ∃ x.F H , ρ ′ , F | − ∃ ~x. ( F ∗ F P i ( ~u ))( PR ) F P i ( ~u ) is one of thedefinition cases of P ( ~u ) H , ρ, F | − ∃ ~x. ( F ∗ P ( ~u )) Fig. 7: Logical rules. Note that for a rule R with trace ρ in its conclusion, thetrace in its premise is ρ ′ , ( R ) :: ρ . Logical rules in Fig. 7 deal with the logical structure of SL entailments. Forbrevity, in these rules, we write the complete symbolic-heap assertion ∃ ~x. ( Σ ∧ Π )as a standalone F . We define the conjoined assertion F ∗ Σ ′ , Σ ∗ Σ ′ ∧ Π and F ∧ Π ′ , Σ ∧ Π ∧ Π ′ , given that existential quantifiers does not oc-cur in the outermost scope of F , i.e., F , Σ ∧ Π . The notation ~u = ~v means9 u = v ) ∧ . . . ∧ ( u n = v n ), given that ~u = u , . . . ,u n and ~v = v , . . . ,v n are two listscontaining the same number of variables. We also write ~x ~y to denote ~x and ~y are disjoint, i.e., ∄ u. ( u ∈ ~x ∧∧∧ u ∈ ~y ), and use FV ( F ) to denote the list of allfree variables of an assertion F . Moreover, F [ e/x ] is a formula obtained from F by substituting the expression e for all occurrences of the free variable x in F .The set of logical rules are explained in details as follows:– Axiom rules.
The rule | − pure proves a pure entailment Π | − Π by invokingoff-the-shelf provers such as Z3 [18] to check the pure implication Π ⇒ Π in its side condition. The two rules ⊥ L and ⊥ L decide an entailment vacuously valid if its antecedent is unsatisfiable, i.e., the antecedent containsa contradiction ( u = u ) or overlaid data nodes ( u ι ~v ∗ u ι ~w ).– Normalization rules.
These rules simplify their goal entailments by eithereliminating existentially quantified variables ( ∃ L , ∃ R ), or removing equalities(= L , = R ) or empty heap predicates ( empL , empR ) from antecedents (leftside) or consequents (right side) of the entailments.– Frame rules.
The two rules ∗ 7→ and ∗ P applies the frame property ofSL [27] to remove identical spatial atoms from two sides of entailments. Notethat the identical condition is guaranteed by adding equality constraints ofthese spatial atoms’ arguments into consequents of the derived entailments.– Unfolding rules.
The rule PR derives a new entailment by unfolding aheap predicate in the goal entailment’s consequent by its inductive definition.Note that unfolding a heap predicate in the entailment’s antecedent will beperformed by the induction rule Ind , as discussed in the next section.
H ∪ { ( H, ? ) } , ρ ′ , F ∗ F P ( ~u ) | − F . . . H ∪ { ( H, ? ) } , ρ ′ , F ∗ F P m ( ~u ) | − F ( Ind ) † ( Ind ) H , ρ, F ∗ P ( ~u ) | − F Given H , F ∗ P ( ~u ) | − F , ρ ′ = ( Ind ) :: ρ , and † ( Ind ) : P ( ~u ) , F P ( ~u ) ∨∨∨ . . . ∨∨∨ F P m ( ~u ) H ∪ { ( H, status ) } , ( AH ) :: ρ, F θ ∗ Σ ′ ∧ Π | − F ( AH ) ∃ θ,Σ ′ . ( Σ ∼ = Σ θ ∗ Σ ′ ∧∧∧ Π ⇒ Π θ ) , † ( AH ) H ∪ { ( H , Σ ∧ Π | − F , status ) } , ρ, Σ ∧ Π | − F with † ( AH ) : ( status = X ) ∨∨∨ ∃ ι, u, ~v, Σ ′′ . ( Σ ′ ∼ = u ι ~v ∗ Σ ′′ ) ∨∨∨ ∃ ρ , ρ . ( ρ = ρ @[( ∗ 7→ )]@ ρ ∧∧∧ ( Ind ) ρ ∧∧∧ ( Ind ) ∈ ρ ). Fig. 8: Induction rulesFig. 8 presents inference rules implementing our mutual induction principle. The induction rule
Ind firstly records its goal entailment as an induction hypothesis H , and unfolds an inductive heap predicate in the antecedent of H to derivenew entailments. When H is inserted into the hypothesis vault H , its status isinitially assigned to ? ( unknown ), indicating that its validity is not known atthe moment. Later, the status of H will be updated to X ( valid ) once the proofsearch procedure is able to prove it valid. Generally, given an entailment E and10ts proof tree T , the proof search procedure concludes that E is valid if (i) everyleaf of T is empty via applications of axiom rules, and (ii) all hypotheses usedby the apply hypothesis rule AH must be derived in T .Rule AH is the key rule of our mutual induction principle, which applies anappropriate hypothesis H , Σ ∧ Π | − F in proving its goal entailment E , Σ ∧ Π | − F . The rule firstly unifies the antecedents of H and E bya substitution θ , i.e., there exists a spatial assertion Σ ′ such that Σ ∼ = Σ θ ∗ Σ ′ and Π ⇒ Π θ . If such θ and Σ ′ exist, we can weaken the antecedent of E asfollows ( Σ ∧ Π ) | − ( Σ θ ∗ Σ ′ ∧ Π θ ∧ Π ) | − ( F θ ∗ Σ ′ ∧ Π ). Note that we useReynolds’s substitution law [27] to obtain Σ θ ∧ Π θ | − F θ from the hypothesis H . The proof system then derives the next goal entailment F θ ∗ Σ ′ ∧ Π | − F as shown in the premise of rule AH . E, ( AH ) H I, ( Ind ) apply hypo Fig. 9: Applying hypothesisThe side condition † ( AH ) of rule AH en-sures the decreasing condition of the mutualinduction principle. In particular, supposethat the proof search procedure applies ahypothesis H in H to prove an entailment E via rule AH . If the status of H is X , de-noted by the first condition in † ( AH ) , then H is already proved to be valid; thus it canbe freely used to prove other entailments. Otherwise, the status of H is ? , and H may participate in a (mutual) induction proof with an entailment I in the proofpath of E , as depicted in Fig. 9. Note that the entailment I has been recordedearlier as an induction hypothesis by an application of the induction rule Ind .In the latter case, the induction principle requires the decrease of model sizewhen applying the hypothesis H to prove entailment I . We then show that thisdecreasing condition holds if one of the following conditions of † ( AH ) is satisfied.(i) ∃ ι, u, ~v, Σ ′′ . ( Σ ′ ∼ = u ι ~v ∗ Σ ′′ ) indicates that the left-over heap part Σ ′ afterunifying antecedent of H into that of E contains at least one singleton heappredicate, or(ii) ∃ ρ , ρ . ( ρ = ρ @[( ∗ 7→ )]@ ρ ∧∧∧ ( Ind ) ρ ∧∧∧ ( Ind ) ∈ ρ ) requires that there is aremoval step of a singleton heap predicate by the rule ∗ 7→ applied betweenthis hypothesis application AH and the most recent induction step Ind .Consider an arbitrary model s, h satisfying I . During the derivation path from I to E , the model s, h is transformed into a corresponding model s e , h e of E .We always have | h e | ≤ | h | as the applications of logical rules and rule Ind neverincrease heap model size of entailments. Moreover, when applying H to prove E ,the model s ′ , h ′ of H , which corresponds to s e , h e of E , satisfies | h ′ | ≤ | h e | , dueto the unification step in rule AH . We consider two following cases. If condition(i) is satisfied, then heap model size of the left-over part Σ ′ is at least 1 since Σ ′ contains a singleton heap predicate. As a result, | h ′ | < | h e | and it follows that | h ′ | < | h | . If condition (ii) is satisfied, then | h e | < | h | since there is a singletonheap predicate, whose size of heap model is 1, is removed when deriving I to11 . This implies that | h ′ | < | h | . In summary, we obtain that | h ′ | < | h | for bothcases; thus, s ′ , h ′ ≺ s, h . This concludes our explanation about the rule AH . Procedure
Prove ( H , ρ, F | − G ) Input: H , F | − G and ρ are respectively a set of hypotheses, a goal entailment and itscorresponding proof trace. Output:
Validity result (
True or False ), a set of derived entailments with their validitystatuses, and a set of hypotheses used in proof of F | − G . S ← { R inst | R inst = Unify ( R, ( H , ρ, F | − G )) ∧∧∧ R ∈ R } if S = ∅ then return False , ∅ , ∅ // no rule is selected for each R inst in S do if GetName ( R inst ) ∈ { | − pure , ⊥ L , ⊥ L } then // R is an axiom rule return True , ∅ , ∅ H used ← ∅ if R inst = AH with hypothesis E then H used ← H used ∪ { E } H derived ← ∅ ( H i , ρ i , F i | − G i ) i =1 ,...,n ← GetPremises ( R inst ) // all premises of R inst for i = 1 to n do res, H derived , H ′ used ← Prove ( H i ⊕ H derived , ρ i , F i | − G i ) if res = False then return
False , ∅ , ∅ H used ← H used ∪ H ′ used if H used ⊆ ( GetEntailments ( H derived ) ∪ { F | − G } ) then H derived ← H derived ⊕ { ( F | − G, X ) } else H derived ← H derived ⊕ { ( F | − G, ? ) } return True , H derived , H used // all derived premises are proved return False , ∅ , ∅ // all rules fail to prove F | − G Fig. 10: General proof search procedure, in which R is the set of inference rulesgiven in Fig. 7 and 8. Our proof search procedure
Prove is designed in a self-recursive manner, as pre-sented in Fig. 10. Its inputs consist of a set of hypotheses, a proof trace, and anentailment, which are components of an inference rule’s conclusion. To prove acandidate entailment F | − G , initially the hypothesis set H and the proof traceare assigned to empty ( ∅ and [ ]).Firstly, the procedure Prove finds a set S of suitable rules, whose conclusion canbe unified with the goal entailment F | − G , among all inference rules in R (line 1).If no suitable rule is found, the procedure immediately returns False , indicatingthat it is unable to prove the entailment (line 2). Otherwise, it subsequentlyprocesses each discovered rule R inst in S by either (i) returning True to announcea valid result, if an axiom rule is selected (line 5), or (ii) recursively searchingfor proofs of the derived entailments in the premises of R inst (lines 9–17). In thelatter case, the procedure returns False if one of the derived entailments is notproved (line 12), or returns
True if all of them are proved (line 17). Finally, it12imply returns
False when it cannot prove the goal entailment with all selectedrules (line 18).The procedure uses a local variable H used to store all hypotheses used duringthe proof search. H used is updated when the rule AH is applied (line 7) or afterthe procedure finishes proving a derived entailment (lines 11 and 13). We alsouse another variable H derived to capture all generated entailments with theirvalidity statuses. The condition at line 14 checks if all hypotheses used to provethe entailment F | − G are only introduced during the entailment’s proof. If thiscondition is satisfied, then F | − G is updated with a valid status X (line 15).Otherwise, the entailment may participate in a (mutual) induction proof, thusits status is assigned to unknown ? (line 16).At line 11, the procedure uses not only the hypothesis set H i , introduced by theselected inference rule, but also the set H derived containing entailments derivedduring proof search to prove a new goal entailment F i | − G i . This reflects ourmutual induction principle which allows derived entailments to be used as hy-potheses in other entailments’ proofs. Note that the union and update operator ⊕ used in the algorithm will insert new entailments and their statuses into theset of hypotheses, or update the existing entailments with their new statuses. Inaddition, the auxiliary procedures used in our proof search procedure are namedin a self-explanatory manner. In particular, Unify , GetName and
GetPremises respectively unifies an inference rule with a goal entailment, or returns nameand premises of an inference rule. Finally,
GetEntailments returns all entailmentsstored in the set of derived entailments H derived . Soundness . Soundness of our proof system is stated in Theorem 4. Due to pageconstraint, we present the detailed proof in the Appendix A
Theorem 4 (Soundness).
Given an entailment E , if the proof search proce-dure returns True when proving E , then E is valid. We have implemented the proposed induction proof technique into a prototypeprover, named
Songbird . The proof system and this paper’s artifact are availablefor both online use and download at http://loris-5.d2.comp.nus.edu.sg/songbird/ . Category
Slide Spen Sleek Cyclist Songbird singly-ll (64) 12 3 48
63 63 doubly-ll (37) 14 0 17 24 nested-ll (11) 0 skip-list (13) 0 tree (26) 12 1 14 18 Total (151) 38 27 88 116
Songbird ✓ sb ✗ o ✗ sb ✓ o ✓ sb ✓ o ✗ sb ✗ o Cyclist
13 0 116 22
Sleek
41 0 88 22
Spen
109 7 20 15
Slide
103 12 26 10(a) (b)
Fig. 11: Overall evaluation on the benchmark slrd entl of SL-COMP
13o evaluate our technique, we compared our system against state-of-the-art SLprovers, including
Slide [15,16],
Spen [13],
Sleek [10] and
Cyclist [5,7], which hadparticipated in the recent SL competition
SL-COMP [30]. We are however unableto make direct comparison with the induction-based proof technique presentedin [11] as their prover was not publicly available. Our evaluation was performedon an Ubuntu 14.04 machine with CPU Intel E5-2620 (2.4GHz) and RAM 64GB.Firstly, we conduct the experiment on a set of valid entailments , collected fromthe benchmark slrd entl of SL-COMP . These entailments contain general induc-tive heap predicates denoting various data structures, such as singly linked lists( singly-ll ), doubly linked lists ( doubly-ll ), nested lists ( nested-ll ), skip lists ( skip-list ) and trees ( tree ). We then categorize problems in this benchmark based ontheir predicate types. In Fig. 11(a), we report the number of entailments suc-cessfully proved by a prover in each category, with a timeout of 30 seconds forproving an entailment. For each category, the total number of problems is put inparentheses, and the maximum number of entailments that can be proved by thelist of provers are highlighted in bold. As can be seen,
Songbird can prove moreentailments than all the other tools. In particular, we are the best in almost cat-egories, except for skip-list . However, in this category, we are behind only
Spen ,which has been specialized for skip lists [13]. Our technique might require moreeffective generalization to handle the unproven skip-list examples.In Fig. 11(b), we make a detailed comparison among Songbird and other provers.Specifically, the first column ( ✓ sb ✗ o ) shows the number of entailments that Songbird can prove valid whereas the others cannot. The second column ( ✗ sb ✓ o )reports the number of entailments that can be proved by other tools, but not by Songbird . The last two columns list the number of entailments that both Song-bird and others can ( ✓ sb ✓ o ) or cannot ( ✗ sb ✗ o ) prove. We would like to highlightthat our prover efficiently proves all entailments proved by Cyclist (resp.
Sleek )in approximately half the time , i.e., 20.92 vs 46.40 seconds for 116 entailments,in comparison with
Cyclist (resp. 8.38 vs 15.50 seconds for 88 entailments, incomparison with
Sleek ). In addition, there are 13 (resp. 41) entailments that canbe proved by our tool, but not by Cyclist (resp.
Sleek ). Furthermore, our
Songbird outperforms
Spen and
Slide by more than 65% of the total entailments, thanksto the proposed mutual induction proof technique.Secondly, we would like to highlight the efficiency of mutual induction in ourproof technique via a comparison between
Songbird and its variant
Songbird SI ,which exploits only induction hypotheses found within a single proof path. Thismimics the structural induction technique which explores induction hypothe-ses in the same proof path. For this purpose, we designed a new entailmentbenchmark, namely slrd ind , whose problems are more complex than those inthe slrd entl benchmark. For example, our handcrafted benchmark contains an We exclude the set of invalid entailments because some evaluated proof techniques,such as [10,5], aim to only prove validity of entailments. Available at https://github.com/mihasighi/smtcomp14-sl/tree/master/bench . The full benchmark is available at http://loris-5.d2.comp.nus.edu.sg/songbird/ . lsEven ( x, y ) ∗ y z ∗ lsEven ( z, t ) | − ∃ u. lsEven ( x, u ) ∗ u t with the pred-icate lsEven ( x, y ) denoting list segments with even length. This entailment wasinspired by the entailment lsEven ( x, y ) ∗ lsEven ( y, z ) | − lsEven ( x, z ) in the problem of slrd entl , contributed by team Cyclist . Note that entailments in ourbenchmark were constructed on the same set of linked list predicates provided in slrd entl , comprised of regular singly linked lists ( ll ), linked lists with even or oddlength ( ll-even/odd ) and linked list segments which are left- or right-recursivelydefined ( ll-left/right ). We also use a new ll2 list segment predicate whose structureis similar to the predicate tmp in our motivating example. In addition, problemsin the misc. category involve all aforementioned linked list predicates.As shown in Fig. 12, Songbird SI is able to prove nearly 70% of the total entail-ments, which is slightly better than Cyclist , whereas Songbird , with full capa-bility of mutual induction, can prove the whole set of entailments. This resultis encouraging as it shows the usefulness and essentials of our mutual explicitinduction proof technique in proving SL entailments.
Category
Cyclist Songbird SI Songbird ll/ll2 (24) 18 22 24 ll-even/odd (20) 8 17 20 ll-left/right (20) 12 10 20 misc. (32) 17 16 32Total (96) 55 65 96Fig. 12: Comparison on slrd ind benchmark
We have proposed a novel induction technique and developed a proof system forautomatically proving entailments in a fragment of SL with general inductivepredicates. In essence, we show that induction can be performed on the size ofthe heap models of SL entailments. The implication is that, during automaticproof construction, the goal entailment and entailments derived in the entireproof tree can be used as hypotheses to prove other derived entailments, andvice versa. This novel proposal has opened up the feasibility of mutual inductionin automatic proof, leading to shorter proof trees being built. In future, wewould like to develop a verification system on top of the prover
Songbird , so thatour mutual explicit induction technique can be effectively used for automatedverification of memory safety in imperative programs.
Acknowledgement . We would like to thank the anonymous reviewers for theirvaluable and helpful feedback. The first author would like to thank Dr. JamesBrotherston for the useful discussion about the cyclic proof. This work has beensupported by NUS Research Grant R-252-000-553-112. Ton Chanh and Wei-Ngan are partially supported by MoE Tier-2 grant MOE2013-T2-2-146. We do not list other provers in Fig. 12 as they cannot prove any problems in slrd ind . eferences
1. Infer: A tool to detect bugs in Android and iOS apps before they ship. http://fbinfer.com/ , accessed: 2016-05-272. Berdine, J., Calcagno, C., O’Hearn, P.W.: A Decidable Fragment of SeparationLogic. In: International Conference on Foundations of Software Technology andTheoretical Computer Science (FSTTCS). pp. 97–109 (2004)3. Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic Execution with SeparationLogic. In: Asian Symposium on Programming Languages and Systems (APLAS).pp. 52–68 (2005)4. Bozga, M., Iosif, R., Perarnau, S.: Quantitative Separation Logic and Programswith Lists. J. Autom. Reasoning 45(2), 131–156 (2010)5. Brotherston, J., Distefano, D., Petersen, R.L.: Automated Cyclic EntailmentProofs in Separation Logic. In: International Conference on Automated Deduc-tion (CADE). pp. 131–146 (2011)6. Brotherston, J., Gorogiannis, N., Kanovich, M.I., Rowe, R.: Model checking forSymbolic-Heap Separation Logic with inductive predicates. In: Symposium onPrinciples of Programming Languages (POPL). pp. 84–96 (2016)7. Brotherston, J., Gorogiannis, N., Petersen, R.L.: A generic cyclic theorem prover.In: Asian Symposium on Programming Languages and Systems (APLAS). pp.350–367 (2012)8. Bundy, A.: The automation of proof by mathematical induction. In: Handbook ofAutomated Reasoning (in 2 volumes). pp. 845–911 (2001)9. Calcagno, C., Distefano, D., O’Hearn, P.W., Yang, H.: Compositional shape anal-ysis by means of bi-abduction. In: Symposium on Principles of Programming Lan-guages (POPL). pp. 289–300 (2009)10. Chin, W., David, C., Nguyen, H.H., Qin, S.: Automated verification of shape,size and bag properties via user-defined predicates in Separation Logic. Science ofComputer Programming (SCP) 77(9), 1006–1036 (2012)11. Chu, D., Jaffar, J., Trinh, M.: Automatic induction proofs of data-structures inimperative programs. In: Conference on Programming Language Design and Im-plementation (PLDI). pp. 457–466 (2015)12. Cook, B., Haase, C., Ouaknine, J., Parkinson, M.J., Worrell, J.: Tractable Reason-ing in a Fragment of Separation Logic. In: International Conference on ConcurrencyTheory (CONCUR). pp. 235–249 (2011)13. Enea, C., Leng´al, O., Sighireanu, M., Vojnar, T.: Compositional Entailment Check-ing for a Fragment of Separation Logic. In: Asian Symposium on ProgrammingLanguages and Systems (APLAS). pp. 314–333 (2014)14. Enea, C., Sighireanu, M., Wu, Z.: On automated lemma generation for separa-tion logic with inductive definitions. In: International Symposium on AutomatedTechnology for Verification and Analysis (ATVA). pp. 80–96 (2015)15. Iosif, R., Rogalewicz, A., Sim´acek, J.: The Tree Width of Separation Logicwith Recursive Definitions. In: International Conference on Automated Deduction(CADE). pp. 21–38 (2013)16. Iosif, R., Rogalewicz, A., Vojnar, T.: Deciding Entailments in Inductive SeparationLogic with Tree Automata. In: International Symposium on Automated Technol-ogy for Verification and Analysis (ATVA). pp. 201–218 (2014)17. Le, Q.L., Gherghina, C., Qin, S., Chin, W.: Shape analysis via second-order bi-abduction. In: International Conference on Computer Aided Verification (CAV).pp. 52–68 (2014)
8. Moura, L.M.D., Bjørner, N.: Z3: An Efficient SMT Solver. In: International Confer-ence on Tools and Algorithms for Construction and Analysis of Systems (TACAS).pp. 337–340 (2008)19. Nguyen, H.H., Chin, W.: Enhancing Program Verification with Lemmas. In: Inter-national Conference on Computer Aided Verification (CAV). pp. 355–369 (2008)20. Nguyen, H.H., David, C., Qin, S., Chin, W.: Automated verification of shape andsize properties via Separation Logic. In: Int. Conf. on Verification, Model Checking,and Abstract Interpretation (VMCAI). pp. 251–266 (2007)21. O’Hearn, P.W., Reynolds, J.C., Yang, H.: Local Reasoning about Programs thatAlter Data Structures. In: International Conference on Computer Science Logic(CSL). pp. 1–19 (2001)22. P´erez, J.A.N., Rybalchenko, A.: Separation Logic + Superposition Calculus =Heap Theorem Prover. In: Conference on Programming Language Design and Im-plementation (PLDI). pp. 556–566 (2011)23. P´erez, J.A.N., Rybalchenko, A.: Separation Logic Modulo Theories. In: Asian Sym-posium on Programming Languages and Systems (APLAS). pp. 90–106 (2013)24. Piskac, R., Wies, T., Zufferey, D.: Automating Separation Logic Using SMT. In: In-ternational Conference on Computer Aided Verification (CAV). pp. 773–789 (2013)25. Piskac, R., Wies, T., Zufferey, D.: Automating Separation Logic with Trees andData. In: International Conference on Computer Aided Verification (CAV). pp.711–728 (2014)26. Qiu, X., Garg, P., Stefanescu, A., Madhusudan, P.: Natural proofs for structure,data, and separation. In: Conference on Programming Language Design and Im-plementation (PLDI). pp. 231–242 (2013)27. Reynolds, J.C.: An Introduction to Separation Logic -
Lecture Notes forthe PhD Fall School on Logics and Semantics of State, Copenhagen 2008 . , [Online; accessed 20-Jan-2016]28. Reynolds, J.C.: Intuitionistic Reasoning about Shared Mutable Data Structure. In:Millennial Perspectives in Computer Science. pp. 303–321. Palgrave (2000)29. Reynolds, J.C.: Separation Logic: A Logic for Shared Mutable Data Structures.In: Symposium on Logic in Computer Science (LICS). pp. 55–74 (2002)30. Sighireanu, M., Cok, D.R.: Report on SL-COMP 2014. Journal of Satisfiability,Boolean Modeling and Computation (2014)31. Ta, Q.T., Le, T.C., Khoo, S.C., Chin, W.N.: Automated Mutual Explicit InductionProof in Separation Logic. arXiv abs/1609.00919 (2016) Soundness proof
A.1 Soundness of inference rules
We prove soundness of these rules by showing that if entailments in their premisesare valid, and their side conditions are satisfied, then goal entailments in theirconclusions are also valid.
1. Axiom rules ⊥ L , ⊥ L and | − pure : ( ⊥ L ) H , ρ, F ∧ u = u | − F ( ⊥ L ) H , ρ, F ∗ u ι ~v ∗ u ι ~w | − F ( | − pure ) Π ⇒ Π H , ρ, Π | − Π – It is easy to verify that antecedents of goal entailments in the two rules ⊥ L , ⊥ L are unsatisfiable, since they either contain a contradiction ( u = u inthe rule ⊥ L ) or contain two data nodes having the same memory address( u ι ~v ∗ u ι ~w in the rule ⊥ L ). Therefore, these entailments are evidently valid.– When the rule | − pure is applied, pure provers will be invoked to check the sidecondition: Π ⇒ Π . If this side condition holds, then clearly the entailment Π | − Π is valid. (cid:31)
2. Rule = L and = R : H , ρ ′ , F [ u/v ] | − F [ u/v ](= L ) H , ρ, F ∧ u = v | − F H , ρ ′ , F | − ∃ ~x.F (= R ) H , ρ, F | − ∃ ~x. ( F ∧ u = u )– Soundness of the rule = R is evident since the condition u = u in the goalentailment F | − ∃ ~x. ( F ∧ u = u ) is a tautology.– For the rule = L , consider an arbitrary model s, h of antecedent of the goalentailment. Then s, h | = F ∧ u = v . It follows that s ( u ) = s ( v ), therefore s, h | = F [ u/v ]. Since the entailment F [ u/v ] | − F [ u/v ] in the rule’s premise is valid,it implies s, h | = F [ u/v ]. But this also means that s, h | = F , since s ( u ) = s ( v ).Therefore, F ∧ u = v | − F is valid. (cid:31)
3. Rule ∃ L and ∃ R : H , ρ ′ , F [ u/x ] | − F ( ∃ L ) u FV ( F ) H , ρ, ∃ x.F | − F H , ρ ′ , F | − F [ e/x ]( ∃ R ) H , ρ, F | − ∃ x.F – To prove correctness of the rule ∃ L , we consider an arbitrary model s, h suchthat s, h | = ∃ x.F . By semantics of the ∃ quantification, there is an integer value v ∈ Int such that s ′ , h | = F , with s ′ = [ s | x : v ]. Then s ′′ , h | = F [ u/x ] with s ′′ is extended from s ′ such that s ′′ ( u ) = s ′ ( x ). Since s ′ = [ s | x : v ], it follows that s ′′ = [ s | u : v ]. On the other hand, given that entailment in the rule’s premise isvalid, then s ′′ , h | = F . It implies that [ s | u : v ] | = F . In addition u FV ( F ).18herefore s, h | = F . Since s, h is chosen arbitrarily, it follows that the rule ∃ L is correct.– Correctness of ∃ R is straight forward. Suppose that s, h is an arbitrary modelsuch that s, h | = F . Since entailment in the rule’s premise is valid, then s, h | = F [ e/x ]. It follows that s, h also satisfies ∃ x.F , by simply choosing value v of x such that v = J e K s . Since s, h is chosen arbitrarily, it follows that the entailmentin the rule’s conclusion is valid. Therefore ∃ R is valid. (cid:31)
4. Rule empL and empR : H , ρ ′ , F | − F ( empL ) H , ρ, F ∗ emp | − F H , ρ ′ , F | − ∃ ~x.F ( empR ) H , ρ, F | − ∃ ~x. ( F ∗ emp )It is evident that two assertions F ∗ emp and F in the rule empL are semanticallyequivalent. In addition, F ∗ emp and F in the rule empR are also semanticallyequivalent. It follows that both the two rules empL and empR are correct. (cid:31)
5. Rule ∗ 7→ and ∗ P : H , ρ ′ , F | − ∃ ~x. ( F ∧ u = t ∧ ~v = ~w )( ∗ 7→ ) ( u, ~v ) ~x H , ρ, F ∗ u ι ~v | − ∃ ~x. ( F ∗ t ι ~w ) H , ρ ′ , F | − ∃ ~x. ( F ∧ ~u = ~v )( ∗ P ) ~u ~x H , ρ, F ∗ P ( ~u ) | − ∃ ~x. ( F ∗ P ( ~v ))In the following, we present soundness proof of the rule ∗ 7→ . Soundness of ∗ P can proved in a similar way.Consider an arbitrary model s, h such that s, h | = F ∗ u ι ~v . Then, there exists h h such that h = h ◦ h , and s, h | = F , and s, h | = u ι ~v . On onehand, entailment in the rule’s premise is valid, it follows that s, h | = ∃ ~x. ( F ∧ u = t ∧ ~v = ~w ). By semantics of ∃ quantification, s ′ , h | = F ∧ u = t ∧ ~v = ~w , with s ′ is a model extended from s with integer values of ~x . On the other hand,the rule’s side condition gives u ~x , and ~v ~x , and s ′ is extend from s withvalues of ~x , and s, h | = u ι ~v , it follows that s ′ , h | = u ι ~v . Combining thesetwo hands, with the fact that h h and h = h ◦ h , the following holds: s ′ , h | = F ∗ u ι ~v ∧ u = t ∧ ~v = ~w . By semantics of equality (=), the following alsoholds: s ′ , h | = F ∗ t ι ~w ∧ u = t ∧ ~v = ~w . By weakening this assertion via droppingthe condition u = t ∧ ~v = ~w , it is evident that s ′ , h | = F ∗ t ι ~w . Since s ′ is extendedfrom s with values of ~x , it is evident that s, h | = ∃ ~x. ( F ∗ t ι ~w ). Recall that s, h is chosen arbitrarily, this implies that the rule ∗ 7→ is sound. (cid:31)
6. Rule PR : H , ρ ′ , F | − ∃ ~x. ( F ∗ F P i ( ~u ))( PR ) F P i ( ~u ) is one of thedefinition cases of P ( ~u ) H , ρ, F | − ∃ ~x. ( F ∗ P ( ~u )) 19onsider an arbitrary model s, h such that s, h | = F . Since entailment in therule’s premise is valid, it follows that s, h | = ∃ ~x. ( F ∗ F P i ( ~u )). In addition, therule’s side condition that F P i ( ~u ) is one of the definition cases of P ( ~u ) clearlyimplies that s, h | = ∃ ~x. ( F ∗ P ( ~u )). Since s, h is chosen arbitrarily, it follows thatentailment in the rule’s conclusion is valid. (cid:31)
7. Rule
Ind : H ∪ { ( H, ? ) } , ρ ′ , F ∗ F P ( ~u ) | − F . . . H ∪ { ( H, ? ) } , ρ ′ , F ∗ F P m ( ~u ) | − F ( Ind ) † ( Ind ) H , ρ, F ∗ P ( ~u ) | − F Given H , F ∗ P ( ~u ) | − F , ρ ′ = ( Ind ) :: ρ , and † ( Ind ) : P ( ~u ) , F P ( ~u ) ∨∨∨ ... ∨∨∨ F P m ( ~u ) We show that if all of the entailments F ∗ F P ( ~u ) | − F ,..., F ∗ F P m ( ~u ) | − F in the rule premise are valid, then so is the entailment F ∗ P ( ~u ) | − F in theconclusion.Indeed, consider an arbitrary model s, h such that s, h | = F ∗ P ( ~u ). Side conditionof the rule gives that P ( ~u ) , F P ( ~u ) ∨∨∨ ... ∨∨∨ F P m ( ~u ), i.e., F P ( ~u ), ..., F P m ( ~u ) are alldefinition cases of P ( ~u ). Since s, h | = F ∗ P ( ~u ), it follows that s, h | = F ∗ F P i ( ~u ),for all i = 1 ...m . On the other hand, F ∗ F P ( ~u ), ..., F ∗ F P m ( ~u ) are antecedentsof all entailments in this rule’s premises, and these entailments have the sameconsequent F . Therefore, s, h | = F . Since s, h is chosen arbitrarily, it followsthat entailment in the rule’s conclusion is valid. This confirms soundness of therule Ind . (cid:31)
8. Rule AH : H ∪ { ( H, status ) } , ( AH ) :: ρ, F θ ∗ Σ ′ ∧ Π | − F ( AH ) ∃ θ,Σ ′ . ( Σ ∼ = Σ θ ∗ Σ ′ ∧∧∧ Π ⇒ Π θ ) , † ( AH ) H ∪ { ( H , Σ ∧ Π | − F , status ) } , ρ, Σ ∧ Π | − F with † ( AH ) : ( status = X ) ∨∨∨ ∃ ι, u, ~v, Σ ′′ . ( Σ ′ ∼ = u ι ~v ∗ Σ ′′ ) ∨∨∨ ∃ ρ , ρ . ( ρ = ρ @[( ∗ 7→ )]@ ρ ∧∧∧ ( Ind ) ρ ∧∧∧ ( Ind ) ∈ ρ ). We show that if two entailments F θ ∗ Σ ′ ∧ Π | − F and Σ ∧ Π | − F in therule’s premise are valid, then so is the entailment in the rule’s conclusion.Indeed, the side condition Σ ∼ = Σ θ ∗ Σ ′ and Π ⇒ Π θ implies that Σ ∧ Π | − Σ θ ∗ Σ ′ ∧ Π θ ∧ Π is valid.By applying Reynolds’s substitution law [27], the hypothesis Σ ∧ Π | − F implies that Σ θ ∧ Π θ | − F θ is valid. It follows that the following entailmentis also valid: Σ θ ∗ Σ ′ ∧ Π θ ∧ Π | − F θ ∗ Σ ′ ∧ Π .We have shown that the two entailments Σ ∧ Π | − Σ θ ∗ Σ ′ ∧ Π θ ∧ Π and Σ θ ∗ Σ ′ ∧ Π θ ∧ Π | − F θ ∗ Σ ′ ∧ Π are valid. In addition, the rule’s premise givesthat F θ ∗ Σ ′ ∧ Π | − F is valid. It follows that the entailment Σ ∧ Π | − F inthe rule’s conclusion is valid as well. Therefore, the rule AH is correct. (cid:31) .2 Soundness of the proof system We are now ready to prove soundness of our proof system, which is stated inTheorem 4:
Given an entailment E , if the proof search procedure returns True when proving E , then E is valid .Our soundness proof is as follow.Suppose that during proving the entailment E , the proof search procedure de-rives a proof tree T of E . If the rule AH ( apply hypothesis ) is not used in T , thenit is clear that induction is not used in proof of E . Then, it is clear that E isvalid, since soundness of our inference rules are proven in the previous section.If the rule AH is used in T , then statuses of the applied hypotheses, at themoment they are used, can be either valid ( X ) or unknown ( ? ). If statuses ofall the applied hypotheses in the proof tree T are valid ( X ), then it is clearthat E is valid, due to correctness of our inference rules. If there exists someapplied hypotheses whose statuses are unknown ( ? ), then these hypotheses mayparticipate in a mutual induction proof. We will show that the entailment E isalso valid in this case.Recall that hypotheses applied by the rule AH are either (i) induction hypothesesrecorded by the rule Ind , or (ii) hypotheses derived by other rules during proofsearch. Therefore, in the proof tree T , both the induction hypotheses and otherhypotheses can participate in a mutual induction proof. We will transform theproof tree T into a new tree T ′ in which the mutual induction proof involvesonly the induction hypotheses recorded by the rule Ind . This can be done bymodifying the rule AH to put the used hypothesis, which is not derived by therule Ind , into premises of the rule.In particular, suppose the (simplified) rule AH which applies a hypothesis Σ ∧ Π | − F , (not derived by the rule Ind ), into proving a goal entailment Σ ∧ Π | − F as follow: F θ ∗ Σ ′ | − F ( AH ) apply hypothesis: Σ ∧ Π | − F , (which is not derived by rule Ind ) ∃ θ, Σ ′ . ( Σ ≡ Σ θ ∗ Σ ′ ∧∧∧ Π ⇒ Π θ ) Σ ∧ Π | − F We modify the rule AH so that the hypothesis Σ ∧ Π | − F appears in thepremises as follows: Σ ∧ Π | − F F θ ∗ Σ ′ | − F (modified AH ) Σ ∧ Π | − F is not derived by rule Ind ∃ θ, Σ ′ . ( Σ ≡ Σ θ ∗ Σ ′ ∧∧∧ Π ⇒ Π θ ) Σ ∧ Π | − F ∧ Π | − F , ( AH ) F θ ∗ Σ ′ | − F T Σ ∧ Π | − F T ERoot apply hypo
Fig. 13: Original proof tree T , where Σ ∧ Π ⊢ F is not derived by theinduction rule Ind Σ ∧ Π | − F F θ ∗ Σ ′ | − F T Σ ∧ Π | − F T Σ ∧ Π | − F insertedtree T ′ ERoot
Fig. 14: Transformed proof tree T ′ By modifying the rule AH , we can transform the proof tree T into a proof tree T ′ , where every node of the tree T which applies a hypothesis (not derived by therule Ind ) to prove an entailment is replaced by a new node that contains not onlythe target entailment, but also full proof tree of the applied hypothesis. Since thistransformation is performed only on hypotheses not derived by the rule
Ind , itfollows that in the new proof tree T ′ , only induction hypotheses recorded by therule Ind participating into the mutual induction proof. We have shown earlier inthe discussion about the rule AH that its side condition about model decreasingmaps to the well-founded relation of our mutual induction principle. Therefore,the mutual induction principle is ensured by this new proof tree. This impliesthat all induction hypotheses (recorded by the rule Ind ) are valid. Therefore, theoriginal entailment is also valid. (cid:31)(cid:31)