Keywords

1 Introduction

The theory of institutions [4] was introduced by Joseph Goguen and Rod Burstall to give concrete form to the informal notion of a “logical system”, identifying a common structure among the many logics in regular use in computer science. A 2017 paper by Marie Farrell, Rosemary Monahan, and James Power [3] uses the theory of institutions to provide a sound mathematical semantics and modularization constructs for the industrial-strength state-based formal modelling language Event-B [1], providing interoperability with other formalisms. In related work, the Heterogeneous Tool Set (Hets) [7] makes use of institutions to provide heterogeneous specifications.

Event-B has an associated development process for system-level modelling and analysis. Key features include the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels. The primary purpose of this research is to formalize the work in [3] within the Coq proof assistant, and more generally to provide the rudiments of a Coq library for the theory of institutions.

We build on earlier work formalizing universal algebra in Agda by Emmanuel Gunther, Alejandro Gadea, and Miguel Pagano [5]. However, the purpose of this work is not to provide a comprehensive development of universal algebra; we only develop as much as we need in order to define the institutions for first-order logic and Event-B. We also depend on the development of category theory by John Wiegley at jwiegley/category-theory.

While some obligations remain to be formally discharged for the institution for first-order predicate logic with equality, our developments for the institution for Event-B are complete. We have also encoded the institution comorphism , which embeds the simpler institution into , providing the underlying mathematical language for . It remains, however, to prove the naturality condition in our encoding. The formalization is not axiom-free, assuming dependent function extensionality and proof irrelevance. A more careful development might use setoids (as in [2, 5]), and in the future we may experiment with grounding these efforts in homotopy type theory.

Throughout this paper, we will assume some familiarity with basic category theory, as well as the first two chapters of [8].

2 The Institution for Event-B

An  [4] consists of

  • a category of signatures (non-logical syntax);

  • a sentence functor (logical syntax);

  • a model functor (semantics for non-logical syntax); and

  • a semantic entailment relation for each ,

such that for any signature translation , any sentence , and any model , the satisfaction condition holds:

(1)

This kind of institution is sometimes referred to as a set/cat institution, since the target of and the target of . To avoid encoding a “category of categories” in Coq, we implement set/set institutions [6].

We will now provide a precise but brief definition for the institution for Event-B, alongside its definition in Coq. For details, we refer the reader to [3]. Throughout, let .

The category of -signatures has as objects , where \( \varSigma \) is a first-order signature, \( E : \mathsf {Status} \rightarrow \mathsf {Type} \) is a status-indexed set of events, and \( X, X' : \mathsf {sorts}\ \varSigma \rightarrow \mathsf {Type} \) are sorts-indexed sets of pre- and post-variables, respectively. In Coq, this becomes:

figure aa

An -signature morphism \( \hat{\varSigma }_1 \rightarrow \hat{\varSigma }_2 \) consists of a first-order signature morphism \( \sigma :\varSigma _1 \rightarrow \varSigma _2 \) translating the base signature, along with a function \( E_1 \rightarrow E_2 \) mapping events in such a way as to preserve the ordering on statuses, and functions \( X_1 \rightarrow X_2 \circ \sigma \), \( X'_1 \rightarrow X'_2 \circ \sigma \) mapping variables, regarded as morphisms in their respective indexed categories. It is convenient to assume that the initialization event is not in \( E \), so there is no need for the assumption that the initial event is preserved by signature morphisms. If the initialization/event distinction is made at the level of sentences, then we can enforce preservation of the initialization event definitionally.

figure ac

-sentences are either initialization sentences, \(\mathsf {Init}\ \psi \) where , or event sentences, \( \mathsf {Event}\ e\ \psi \) where . Note that the base signature is expanded to include the -variables as constant operation names. Initialization sentences describe how variables are initially set. Event sentences describe how events change the variables. As a very simple example, given an event \( \mathsf {inc} \) which increments a variable \( n \), , we write the -sentence \( \mathsf {Event}(\mathsf {inc}, n' = n + 1) \), where \( n \in X \) and \( n' \in X' \) are respectively pre- and post-variables from the ambient Event-B signature. Given an initialization event which starts \( n \) at \( 0 \), , we write the -sentence \( \mathsf {Init}(n' = 0) \). For details on this correspondence, see again [3].

Event-B sentences rely on the ability to construct the expansion of first-order signatures by adjoining a sorts-indexed set of constant operation names, which in Coq we denote by \( \mathsf {SigExpand}\ \varSigma \ X \). -sentences can be defined as follows.

figure am

An -model consists of a first-order model \( M \) and a pair of environments and , which are lists of valuations of variables in \( M \). We enforce that \( L \) and \( R_e \), for each event \( e \), are nonempty.

figure aq

Let \( M^{\theta } \) denote the expansion of a model \( M \) by a valuation \( \theta : X \rightarrow M \). We say that if for all valuations \( \theta \in L \), we have , and we say that if for all valuations \( \theta \in R_e \) we have . This can be written down directly in Coq.

figure av

Now, taking a top-down perspective, we can define institutions in Coq as follows:

figure aw

Proving that is an institution amounts to instantiating this class to the above definitions and discharging the generated obligations. The proofs rely on custom induction principles for the dependent records we introduce above, since the induction principles generated by Coq are too strong. For example, if one wishes to prove that two Event-B signature morphisms \( \hat{\sigma } \) and \( \hat{\sigma }' \) are equal, of course it suffices to prove that they are equal componentwise. Consider equality on the \( \mathsf {on\_vars} \) component. The statement of this equality will depend on a proof \( p : \sigma = \sigma ' \) that the underlying first-order signature morphisms are equal, which we write \( p_*(\mathsf {on\_vars}\ \hat{\sigma }) = \mathsf {on\_vars}\ \hat{\sigma }' \). Notice that this requirement is substantially stronger than necessary; it suffices in this case to know that \( \sigma \) and \( \sigma ' \) agree on sorts. Hence, given \( p' : \mathsf {on\_sorts}\ \sigma = \mathsf {on\_sorts}\ \sigma ' \), we only need to prove \( p'_*(\mathsf {on\_vars}\ \hat{\sigma }) = \mathsf {on\_vars}\ \hat{\sigma }' \). This dramatically simplifies the proofs.

3 Future Work

In the future, it will be interesting to investigate Coq’s code extraction facilities to generate provably correct code derived from, for example, the institution comorphism . We also wish to prove the amalgamation property for , and more generally to build institution-independent constructions and proofs, which we have already explored to some extent for modal logics and linear-time temporal logics. The proofs involved in the definition for first-order predicate logic were rather complicated, but the proofs for often reduced to properties of first-order logic. This suggests that quick progress could be made defining further institutions, verifying their properties, and providing interoperability between represented formalisms represented in our framework.