Unifying Model Execution and Deductive Verification with Interaction Trees in Isabelle/HOL (2408.15817v2)

Abstract: Model execution allows us to prototype and analyse software engineering models by stepping through their possible behaviours, using techniques like animation and simulation. On the other hand, deductive verification allows us to construct formal proofs demonstrating satisfaction of certain critical properties in support of high-assurance software engineering. To ensure coherent results between execution and proof, we need unifying semantics and automation. In this paper, we mechanise Interaction Trees (ITrees) in Isabelle/HOL to produce an execution and verification framework. ITrees are coinductive structures that allow us to encode infinite labelled transition systems, yet they are inherently executable. We use ITrees to create verification tools for stateful imperative programs, concurrent programs with message passing in the form of the CSP and \Circus languages, and abstract system models in the style of the Z and B methods. We demonstrate how ITrees can account for diverse semantic presentations, such as structural operational semantics, a relational program model, and CSP's failures-divergences trace model. Finally, we demonstrate how ITrees can be executed using the Isabelle code generator to support the animation of models.

• The paper introduces a unified framework that mechanizes ITrees in Isabelle/HOL to integrate model execution with deductive verification.
• It formalizes operational semantics with weak bisimulation and develops a Hoare logic for verifying imperative and concurrent programs using automation.
• The work demonstrates practical benefits, including efficient model animation and scalability for stateful, reactive, and hybrid system verification.

Unifying Model Execution and Deductive Verification with Interaction Trees in Isabelle/HOL

The paper "Unifying Model Execution and Deductive Verification with Interaction Trees in Isabelle/HOL" by Simon Foster, Chung-Kil Hur, and Jim Woodcock presents a comprehensive framework that mechanizes Interaction Trees (ITrees) in Isabelle/HOL to integrate model execution and deductive verification. By capitalizing on ITrees' ability to encode infinite labeled transition systems in an executable form, the authors provide tools for verifying stateful imperative programs, concurrent programs with message passing, and abstract system models. This essay explores the core contributions, methodologies, and implications of this research.

Core Contributions

1. Mechanization of ITrees in Isabelle/HOL:
   • The authors define an ITree as a coinductive structure with constructors for return values, internal events (Sil), and visible events (Vis).
   • Unique representation using partial functions to model visible events facilitates the encoding of external choice and deadlocks, providing more flexibility compared to the Coq mechanization of ITrees.
2. Operational Semantics and Weak Bisimulation:
   • Big-step operational semantics provided via a transition relation that skips over internal steps.
   • Formal characterization of weak bisimulation, allowing abstraction over internal events (τ transitions), bridging operational and denotational semantics.
3. Imperative Programming Verification:
   • Homogeneous Kleisli trees are used to model stateful imperative programs.
   • Development of a Hoare logic for partial and total correctness, weakest precondition calculus, and corresponding verification condition generation leveraging Isabelle's proof automation tools like \lstinline{sledgehammer}.
4. Embedding of CSP and Circus:
   • Encoding of deterministic fragments of CSP and Circus with core operators like external choice, parallel composition, and hiding.
   • Linking ITrees with the CSP failures-divergences model to utilize symbolic verification for reactive and concurrent programs.
5. Tool for System Modelling:
   • The Z-Machine formalism allows modeling similar to Z specification and B method with automated invariant checking.
   • Demonstration of animation capabilities through code generation, allowing interactive execution and analysis of ITrees.

Methodologies

• Isabelle/HOL Mechanization: The ITree codatatype is defined with core constructors, and further combinators like monadic bind and external choice are developed using corecursion. Coinduction is extensively employed to prove properties of ITrees.
• Verification Framework: The paper introduces the weakest precondition and weakest liberal precondition for ITrees, translating these to Hoare logic and total correctness. Verification condition generation automates the proof obligations required for verifying imperative programs.
• Formal Semantics for Reactive Programming: The semantic encoding of CSP processes supports deterministic choice and parallel composition without introducing nondeterminism. Circus actions are embedded by lifting CSP processes to homogeneous Kleisli trees.

Numerical Results and Claims

• Efficiency of Animation: The authors report efficient animation of the ring buffer example with up to 850 cells, highlighting the scalability of their approach. Despite some performance limitations with larger models, this demonstrates practical feasibility for typical use cases.
• High Level of Automation: The methodology supports significant automated proof, demonstrated by verifying relatively non-trivial imperative programs like sorting algorithms using Hoare logic and \lstinline{sledgehammer}.

Implications and Future Developments

1. Integration and Accessibility:
   • By unifying model execution and verification, the framework simplifies applying formal methods to early-stage prototyping and high-assurance software engineering.
   • The mechanization of ITrees in Isabelle/HOL makes it more accessible to proof automation and friendly front-end syntax, potentially driving wider adoption.
2. Educational Utility:
   • The simplicity and power of the framework can be leveraged for teaching formal methods, allowing students to experiment with executable models backed by solid theoretical verification.
3. Expansion to Hybrid Systems:
   • Future work could extend the framework to handle hybrid systems involving continuous dynamics. An exploration of tock-CSP semantics would enable real-time systems verification.
4. Enhanced Tool Support:
   • Developing more user-friendly interface tools for simulation and animation, akin to FDR4's probe tool, will further enhance usability for practical applications in industry and academia.
   • Coupling with graphical modeling tools like RoboChart could bridge the gap between high-level modeling and low-level implementation with formal assurance.

Conclusion

The mechanization of Interaction Trees in Isabelle/HOL and the associated verification framework present a significant step towards integrating executable models with formal verification. The paper demonstrates a scalable and automated approach to verifying imperative and reactive systems through formal semantics and proof automation. With practical applications in teaching, system modeling, and hybrid systems, this work lays the foundation for broader adoption and further innovation in high-assurance software engineering.