A Constructor-Based Reachability Logic for Rewrite Theories

by   Stephen Skeirik, et al.

Reachability logic has been applied to K rewrite-rule-based language definitions as a language-generic logic of programs. To be able to verify not just code but also distributed system designs, a new rewrite-theory-generic reachability logic is presented and proved sound for a wide class of rewrite theories. The logic's automation is increased by means of constructor-based semantic unification, matching, and satisfiability procedures. New methods for proving invariants of possibly never terminating distributed systems are developed, and experiments with a prototype implementation illustrating the new proof methods are presented.



page 1

page 2

page 3

page 4


Mechanizing Matching Logic in Coq

Matching logic is a formalism for specifying and reasoning about structu...

Verification of the IBOS Browser Security Properties in Reachability Logic

This paper presents a rewriting logic specification of the Illinois Brow...

Reachability Logic for Low-Level Programs

Automatic exploit generation is a relatively new area of research. Work ...

All-Path Reachability Logic

This paper presents a language-independent proof system for reachability...

A Logic Theory Pattern for Linearized Control Systems

This paper describes a procedure that system developers can follow to tr...

Data Abstraction and Relational Program Logic

In a paper published in 1972 Hoare articulated the fundamental notions o...

Symbolic Analysis of Maude Theories with Narval

Concurrent functional languages that are endowed with symbolic reasoning...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The main applications of reachability logic to date have been as a language-generic logic of programs [14, 15]. In these applications, a specification of a language’s operational semantics by means of rewrite rules is assumed as the language’s “golden semantic standard,” and a correct-by-construction reachability logic for a language so defined is automatically obtained [15]. This method has been effective in proving reachability properties for a wide range of programs.

Although the foundations of reachability logic are very general [14, 15], the existing theory does not provide straightforward answers to the following questions: (1) Could a reachability logic be developed to verify not just conventional programs, but also distributed system designs and algorithms formalized as rewrite theories in rewriting logic [8]? (2) If so, what would be the most natural way to conceive such a rewrite-theory-generic logic? A satisfactory answer to questions (1)–(2) would move the verification game from the level of verifying code to that of verifying both code and distributed system designs. Since the cost of design errors can be several orders of magnitude higher than that of coding errors, answering questions (1) and (2) is of practical software engineering interest.

Although a first step towards a reachability logic for rewrite theories has been taken in [6], as explained in Section 4 and below, that first step still leaves several important questions open. The most burning one is how to prove invariants. Since they are the most basic safety properties, support for proving invariants is a sine qua non requirement. As explained below, a serious obstacle is what we call the invariant paradox: we cannot verify in this manner any invariants of a never-terminating system such as, for example, a mutual exclusion protocol.

A second open question is how to best take advantage of the wealth of equational reasoning techniques such as matching, unification, and narrowing modulo an equational theory , and of recent results on decidable satisfiability of quantifier-free formulas in initial algebras, e.g., [9] to automate as much as possible reachability logic deduction. In this regard, the very general foundations of reachability logic —which assume any -algebra with a first-order-definable transition relation— provide no help at all for automation. As shown in this work and its prototype implementation, if we assume instead that the model in question is the initial model of a rewrite theory satisfying reasonable assumptions, large parts of the verification effort can be automated.

A third important issue is simplicity. Reachability logic has eight inference rules [14, 15]. Could a reachability logic for rewrite theories be simpler? This work tackles head on these three open questions to provide a general reachability logic and a prototype implementation suitable for reasoning about properties of both distributed systems and programs based on their rewriting logic semantics.

Rewriting Logic in a Nutshell. A distributed system can be designed and modeled as a rewrite theory [8] in the following way: (i) the distributed system’s states are modeled as elements of the initial algebra associated to the equational theory with function symbols and equations ; and (ii) the system’s concurrent transitions are modeled by rewrite rules , which are applied modulo . Let us consider the QLOCK [5] mutual exclusion protocol, explained in detail in Section LABEL:os-prelims. QLOCK allows an unbounded number of processes, which can be identified by numbers. Such processes can be in one of three states: “normal” (doing their own thing), “waiting” for a resource, and “critical,” i.e., using the resource. Waiting processes enqueue their identifier at the end of a waiting queue and can become critical when their name appears at the head of the queue. A QLOCK state can be represented as a tuple where , resp. , resp. , denotes the set of identifiers for normal, resp. waiting, resp. critical processes, and is the waiting queue. QLOCK can be modeled as a rewrite theory , where includes axioms such as associativity-commutativity of multiset union, list associativity, and identity axioms for and . QLOCK’s behavior is specified by five rewrite rules . Rule below specifies a waiting process becoming critical

Reachability Logic in a Nutshell. A reachability logic formula has the form , with and state predicates (see Section LABEL:CCP). Assume for simplicity that . Such a formula is then interpreted in the initial model of a rewrite theory , whose states are -equivalence classes of ground -terms, and where a state transition holds iff according to the rewriting logic inference system [8] (computation = deduction). As a first approximation, is a Hoare logic partial correctness assertion of the form , but with the slight twist that need not hold of a terminating state, but just somewhere along the way. To be fully precise, holds in iff for each state satisfying and each terminating sequence there is a , such that satisfies . A key question is how to choose a good language of state predicates like and . Here is where the potential for increasing the logic’s automation resides. We call our proposed logic constructor-based, because our choice is to make and positive (only and ) combinations of what we call constructor patterns of the form , where is a constructor term111That is, a term in a subsignature such that each ground -term is equal modulo to a ground -term. and a quantifier-free (QF) -formula. The state predicate holds for a state iff there is a ground substitution such that and .

2 A Sound Inference System

We present our inference system for all-path reachability for any satisfying topmost requirements (1)–(2), with rules such that , . Variables of rules in are always assumed disjoint from variables in reachability formulas; this can be ensured by renaming. The inference system has two proof rules. The proof rule allows taking one step of (symbolic) rewriting along all paths according to the rules in . The Axiom proof rule allows the use of a trusted reachability formula to summarize multiple rewrite steps, and thus to handle repetitive behavior.

These proof rules derive sequents of the form , where and are finite sets of reachability formulas and a pattern predicate defining a set of -terminating ground states. Formulas in are called axioms and those in are called circularities. We furthermore assume that in all reachability formulas we have for each . According to the implicit quantification of the semantic relation this means that any variable in is either universally quantified and comes from the precondition , or is existentially quantified and comes from only. This property is an invariant preserved by the two inference rules.

Proofs always begin with a set of formulas that we want to simultaneously prove, so that the proof effort only succeeds if all formulas in are eventually proved. contains the main properties we want to prove as well as any auxiliary lemmas that may be needed to carry out the proof. The initial set of goals we want to prove is , which is a shorthand for the set of goals . Thus, we start without any axioms , but we shall be able to use the formulas in as axioms in their own derivation after taking at least on step with the rewrite rules in .

A very useful feature is that sequents , whose formulas have been postulated (as the conjectures to be proved), are transformed by into sequents of the form , where now the formulas in can be assumed valid, and can be used in derivations with the Axiom rule.

Verifying QLOCK’s Mutual Exclusion. By Corollary LABEL:invariant-coro, QLOCK’s mutual exclusion can be verified by: (i) using pattern subsumption to check the trivial inclusion , and (ii) proving , where is a sort-preserving bijective renaming of variables such that . But, since for QLOCK, is a disjunction, in our inference system this means proving from that , where are the conjectures:

where , , and are their obvious renamings.

Before explaining the proof rule we introduce some notational conventions. Assume is the pattern predicate , with , and let , we then define:

a complete set of (parameter-preserving) -matches of against the ,

a complete set of -unifiers of a pattern with the lefthand-sides of the rules in with satisfiable associated constraints.222In the current prototype implementation (see Section 3), variant satisfiability makes constraint checking decidable. Future versions will only assume convergent modulo for the equational part of , so that satisfiability of such constraints will in general be undecidable. Unifiers whose associated constraints cannot be proved unsatisfiable will then be included in as a safe over-approximation. The same approach will apply to the, in general undecidable, checking of satisfiability/validity for other constraints involved in the application of the or Axiom rules below: they will be either over-approximated, or will become proof obligations to be discharged by an inductive theorem prover. Consider now the rule:

where . This inference rule allows us to take one step with the rules in . Intuitively, characterizes the states satisfying that are not subsumed by any ; that is, states in the lefthand side of the current goal that have not yet reached the righthand side. Note that, according to Definition LABEL:all-paths-semantics, is semantically valid iff is valid. Thus, this inference rule only unifies with the lefthand sides of rules in . We impose on this inference rule a side condition that is unsatisfiable in , where is the pattern predicate characterizing the chosen -terminating states. This condition ensures that any state in has an -successor. Thus, a state in reaches on all -terminating paths a state in if all its successors do so. Each -successor is covered by one of . As an optimization, we check that is satisfiable and we drop the ones which are not. Finally, we also assume that . This parameter preservation condition ensures correct implicit quantification. Note that formulas in are added to , so that from now on they can be used by Axiom. By using -unification, this inference rule performs narrowing of with rules [16].


if such that and . This inference rule allows us to use a trusted formula in to summarize multiple transition steps. This is similar to how several transition steps would apply to a ground term, except that for ground terms we would check that is valid, whereas here we check that the condition implies . Since is stronger than , we add to (the result of using axiom ). We assume that and do not share variables, which can always be guaranteed by renaming. For correct implicit quantification, as in , we assume for each the parameter preservation condition . On a practical note, in order to be able to find the , our implementation requires that , so that all the variables in are matched.

The soundness of plus Axiom is now the theorem:

Theorem 2.1

(Soundness) Let be a rewrite theory, and a finite set of reachability formulas. If proves then .

Investigating completeness of the logic is left as future work.

3 Prototype Implementation and Experiments

We have implemented the reachability logic proof system in Maude [1]. Our prototype takes as input (i) a rewrite theory and (ii) a set of reachability formulas to be simultaneously proved.

To mechanize the two proof rules we use a finitary -unification algorithm as well as an SMT solver to discharge constraints. For SMT solving we use variant satisfiability [9, 12], which allows us to handle any rewrite theory satisfying topmost requirements (1)–(2) and such that the equational theory has a convergent decomposition satisfying the finite variant property [2] and protects a constructor subtheory which we assume consists only of commutative and/or AC and/or identity axioms . Thus, both validity and satisfiability of QF formulas in the initial algebra are decidable [9]. Future implementations will support more general rewrite theories, add other decision procedures, and use an inductive theorem prover backend.

We have verified properties for a suite of examples of rewrite theories specifying distributed systems such as communication or mutual exclusion protocols and real-time systems. Table 1 summarizes these experiments. For further details plus runnable code see http://maude.cs.illinois.edu/tools/rltool/.

=250pt Example Description of the System/Property Choice Nondeterministically throws away elements from a multiset/eventually only one element left Comm. Protocol 1 Simple communication protocol/received data is always a prefix of the data to be sent Comm. Protocol 2 Fault-tolerant communication protocol/all data is eventually received in-order Dijkstra Dijkstra’s mutual exclusion alg./mutual exclusion Fixed-Size Token Ring 2-Token ring mutual exclusion alg./mutual exclusion QLOCK QLOCK mutual exclusion alg./mutual exclusion Readers/Writers Readers-writers mutual exclusion alg./mutual exclusion Lamport’s Bakery Unbounded Lamport’s bakery/mutual exclusion Thermostat Open system that dynamically responds to temperature/temperature remains in preset bounds

Table 1: Examples Verified in the Prototype Implementation

T_1 T_2 [separation=10em]2[axiom ]⋯ ⋯ 1[step]

Figure 1: Partial Proof Tree for QLOCK

To illustrate how the tool works in practice, Fig. 1 shows a partial derivation of a sequent. Recall that for QLOCK we had to prove , where was two already-discussed reachability formulas for with respective preconditions the renamed disjuncts , in invariant , and postcondition , where and . Now, consider . In the proof fragement below, the initial sequent must apply the step rule. The result of step is the goal resulting from unifying the head of the sequent with the lefthand side of the rule using the unifier . The next inference axiom applies axiom using the substitution . Since has two constrained patterns in its succedent, we derive two new goals, represented by proof trees and . In either case, we can immediately subsume by noting that our reachability formula’s antecedent is an instance of either or using substitution , thus terminating the proof.

4 Related Work and Conclusions

This work extends reachability logic [14, 15] to a rewrite-theory-generic logic to reason about both distributed system designs and programs. This extension is non-trivial. It requires: (i) relativizing terminating sequences to a chosen subset of terminating states; (ii) solving the “invariant paradox,” to reason about invariants and co-invariants and characterizing them by reachability formulas through a theory transformation; and (iii) making it possible to achieve higher levels of automation by systematically basing the state predicates on positive Boolean combination of patterns of the form with a constructor term.

In contrast, standard reachability logic [14, 15] uses matching logic, which assumes a first-order model and its satisfaction relation in its reachability logic proof system. As discusses in Section LABEL:CCP, we choose as the model and for transitions, rather than some general and systematically exploit the isomorphism , allowing us to use unification, matching, narrowing, and satisfiability procedures based on the typically much simpler initial algebra of constructors . This has the advantage that we can explicitly give the complete details of our inference rules (e.g. how checks the subsumption, or ensures that states have at least a successor), instead of relying on a general satisfaction relation on some . The result is a simpler logic with only two rules (versus eight in [14, 15]).

We agree with the work in [6] on the common goal of making reachability logic rewrite-theory-generic, but differ on the methods used. Main differences include: (1) [6] does not give an inference system but a verification algorithm. (2) the theories used in [6] assume restrictions like those in [11] for “rewriting modulo SMT,” which limit the class of equational theories. (3) Matching is used in [6] instead of unification. Thus, unless a formula has been sufficiently instantiated, no matching rule may exist, whereas unification with some rule is always possible in our case. (4) No method for proving invariants is given in [6].

In conclusion, the goal of making reachability logic a rewrite-theory-generic verification logic has been advanced. Feasibility has been validated with a prototype and a suite of examples. Building a robust and highly effective reachability logic tool for rewrite theories is a more ambitious future goal.

Acknowledgements. Partially supported by NSF Grant CNS 14-09416.


  • [1] M. Clavel, F. Durán, S. Eker, J. Meseguer, P. Lincoln, N. Martí-Oliet, and C. Talcott. All About Maude – A High-Performance Logical Framework. Springer LNCS Vol. 4350, 2007.
  • [2] H. Comon-Lundh and S. Delaune. The finite variant property: how to get rid of some algebraic properties. In Proc RTA’05, Springer LNCS 3467, 294–307, 2005.
  • [3] N. Dershowitz and J.-P. Jouannaud. Rewrite systems. In Handbook of Theoretical Computer Science, Vol. B, pages 243–320. North-Holland, 1990.
  • [4] F. Durán and J. Meseguer. On the Church-Rosser and coherence properties of conditional order-sorted rewrite theories. J. Log. Algebr. Program., 81(7-8):816–850, 2012.
  • [5] K. Futatsugi. Fostering proof scores in CafeOBJ. In Proc. ICFEM 2010, volume 6447, pages 1–20. Springer LNCS, 2010.
  • [6] D. Lucanu, V. Rusu, A. Arusoaie, and D. Nowak. Verifying reachability-logic properties on rewriting-logic specifications. In Logic, Rewriting, and Concurrency, volume 9200, pages 451–474. Springer LNCS, 2015.
  • [7] S. Lucas and J. Meseguer. Normal forms and normal theories in conditional rewriting. J. Log. Algebr. Meth. Program., 85(1):67–97, 2016.
  • [8] J. Meseguer. Twenty years of rewriting logic.

    J. Algebraic and Logic Programming

    , 81:721–781, 2012.
  • [9] J. Meseguer. Variant-based satisfiability in initial algebras. In C. Artho and P. Ölveczky, editors, Proc. FTSCS 2015, pages 1––32. Springer CCIS 596, 2016.
  • [10] J. Meseguer and J. Goguen. Initiality, induction and computability. In Algebraic Methods in Semantics, pages 459–541. Cambridge UP, 1985.
  • [11] C. Rocha, J. Meseguer, and C. Muñoz. Rewriting modulo SMT and open system analysis. J. Logic and Algebraic Methods in Programming, 86:269–297, 2017.
  • [12] S. Skeirik and J. Meseguer. Metalevel algorithms for variant-based satisfiability. In Proc. WRLA 2016, volume 9942, pages 167–184. Springer LNCS, 2016.
  • [13] S. Skeirik, A. Stefanescu, and J. Meseguer. A constructor-based reachability logic for rewrite theories. Technical report. http://hdl.handle.net/2142/95770.
  • [14] A. Stefanescu, Ş. Ciobâcă, R. Mereuta, B. M. Moore, T. Serbanuta, and G. Rosu. All-path reachability logic. In Proc. RTA-TLCA 2014, volume 8560, pages 425–440. Springer LNCS, 2014.
  • [15] A. Stefanescu, D. Park, S. Yuwen, Y. Li, and G. Rosu. Semantics-based program verifiers for all languages. In Proc. OOPSLA 2016, pages 74–91. ACM, 2016.
  • [16] P. Thati and J. Meseguer. Symbolic reachability analysis using narrowing and its application to the verification of cryptographic protocols. J. Higher-Order and Symbolic Computation, 20(1–2):123–160, 2007.