Content uploaded by Pierre Halmagrand

Author content

All content in this area was uploaded by Pierre Halmagrand on Jul 08, 2016

Content may be subject to copyright.

Soundly Proving BMethod Formulæ

Using Typed Sequent Calculus ?

Pierre Halmagrand pierre.halmagrand@inria.fr

Cnam /Inria /ENS Cachan, Paris, France

Abstract. The BMethod is a formal method mainly used in the railway

industry to specify and develop safety-critical software. To guarantee the

consistency of a Bproject, one decisive challenge is to show correct a large

amount of proof obligations, which are mathematical formulæ expressed

in a classical set theory extended with a speciﬁc type system. To improve

automated theorem proving in the BMethod, we propose to use a ﬁrst-

order sequent calculus extended with a polymorphic type system, which

is in particular the output proof-format of the tableau-based automated

theorem prover Zenon. After stating some modiﬁcations of the Bsyntax

and deﬁning a sound elimination of comprehension sets, we propose a

translation of Bformulæ into a polymorphic ﬁrst-order logic format.

Then, we introduce the typed sequent calculus used by Zenon, and show

that Zenon proofs can be translated to proofs of the initial Bformulæ in

the Bproof system.

1 Introduction

Automated transport systems have spread in many cities during last decades,

becoming a leading sector for the development of highly trusted software us-

ing formal methods. The BMethod [1] is a formal method mainly used in the

railway industry to specify and develop safety-critical software. It allows the de-

velopment of correct-by-construction programs, thanks to a reﬁnement process

from an abstract speciﬁcation to a deterministic implementation of the program.

The soundness of the reﬁnement steps depends on the validity of logical formulæ

called proof obligations, expressed in a speciﬁc typed set theory. Common in-

dustrial projects using the BMethod generate thousands of proof obligations,

thereby relying on automated tools to discharge as many as possible proof obliga-

tions. A speciﬁc tool, called Atelier B [18], designed to implement the BMethod

and provided with a theorem prover, helps users verify the validity of proof

obligations, automatically or interactively.

Improving the automated veriﬁcation of proof obligations is a crucial task.

The BWare research project [10] proposed to use external automated provers,

like ﬁrst-order Automated Theorem Provers (ATPs) and Satisﬁability Modulo

Theory (SMT) solvers, by building a common platform to run these tools. This

?This work is supported by the BWare project (ANR-12-INSE-0010) funded by the

INS programme of the French National Research Agency (ANR).

platform, based on the software veriﬁcation tool Why3 [3], requires proof obli-

gations to be encoded in its native language called WhyML. Mentré et al. [16]

proposed a translator program called bpo2why to address this issue. This tool

focuses on the translation of Bproof obligations output by Atelier B into the

WhyML language. Besides, the Bset theory is deﬁned directly in WhyML. Then,

Why3 uses speciﬁc drivers to translate proof obligations and the theory from

WhyML to the speciﬁc format of each automated tool.

The ﬁrst-order ATP Zenon [6] [9], based on the tableau method and recently

extended to deal with polymorphic types, has been used to prove Bproof obli-

gations in the BWare project and obtained good experimental results, compared

to the regular version of Zenon and other automated deduction tools as well [7].

One important feature of Zenon is to be a certifying prover [8], in the sense that

it generates proof certiﬁcates, i.e. proof objects that can be veriﬁed by external

proof checkers. It relies on an encoding of the output proof-format of Zenon,

a typed sequent calculus called LLproof, into the proof checker Dedukti [5], a

tool designed to be a universal backend to certify and share proofs coming from

automated or interactive provers. These proof certiﬁcates allow us to be very

conﬁdent about the soundness of the proofs produced by Zenon.

An issue about using Zenon to verify Bproof obligations arises in the up-

stream translation chain, from Bto Zenon input format. There is currently no

formal guarantee that this chain is sound, and it would be a tremendous work

to formalize the several steps represented by bpo2why and Why3. Instead, we

decide to conﬁrm the soundness of using Zenon to prove Bproof obligations by

formalizing a more general and direct translation from the Blogic into a poly-

morphic ﬁrst-order logic (PFOL for short), close to the Zenon input format. This

translation is to be proven sound, in the sense that if Zenon ﬁnds a proof then

it can be turned into a proof of the initial Bformula. A solution is to show a

logical equivalence between Zenon and Bproof system.

The Bset theory is provided with a speciﬁc type system, expressed using

set constructs, resulting in a lack of separation in a Bformula between typing

and set reasoning. To help us embed Btyping constraints into PFOL, we deﬁne

a procedure to annotate Bvariables with their types, using the type-checking

algorithm of the BMethod. The interpretation of these types will then be given

by the translation function into PFOL. Axioms and hypotheses are generalized

by translating Btypes to (universally quantiﬁed) type variables in PFOL. In

contrast, types coming from the formula to be proved are interpreted as type

constants in PFOL. In addition, we deﬁne the reverse translation from PFOL to

B, letting us to reword the initial Bformula. Thanks to this reverse translation

and the derivations of Zenon inference rules expressed using the Bproof system,

we can translate Zenon proofs into Bproofs, guaranteeing the soundness of our

translation.

The concerns about the conﬁdence given to ATP in the case of Bproof have

been resolved using the alternative approach of a certiﬁed prover and relying on

a deep embedding of the Blogic into the interactive prover Coq, by Jaeger et

al. [14]. It has also been studied in the context of Event-B by Schmalz in [17].

The problem of type inference in the BMethod was studied in other contexts,

see for instance [4] for an embedding into PVS, and [13] for Coq.

This paper is organized as follows: in Sec. 2, we introduce the BMethod

syntax, proof system and type system, then we introduce the type annotation

procedure; in Sec. 3, we present the polymorphic ﬁrst-order logic and the typed

sequent calculus used by Zenon; in Sec. 4, we give the translation used to encode

Bformulæ into PFOL; ﬁnally, in Sec. 5, we present the translation of proofs

expressed in the sequent calculus of Zenon into Bproofs.

2 The BSet Theory

In this section, we present the core logic and theory of the BMethod. We ﬁrst

introduce the syntax, the proof system, the set theory and the typing rules of the

BMethod. Then, we introduce a procedure to annotate variables with their cor-

responding types. Finally, we present an elimination procedure of comprehension

sets.

2.1 Syntax, Proof System and Set Theory

The presentation below follows faithfully the ﬁrst two chapters of the B-Book [1]

dealing with mathematical reasoning and set theory.

Syntax. The syntax of the BMethod is made of four syntactic categories, for

formulæ, expressions, variables and sets. A formula, or predicate, Pis built from

the logical connectives conjunction, implication and negation and the universal

quantiﬁcation. A formula may also be the result of a substitution in a formula,

the equality between two expressions and the membership to a set. An expression

Emay be a variable, the result of a substitution in an expression, an ordered

pair, an arbitrary element in a set or a set. A variable xis either an identiﬁer or

a list of variables. Finally, a set sis built using the elementary set constructs,

i.e. the cartesian product, the powerset and the comprehension set, or may be

the set BIG, a given inﬁnite set.

P::= P1∧P2|P1⇒P2| ¬P| ∀x·P|[x:= E]P|E1=E2|E∈s

E::= x|[x:= E1]E2|E1, E2|choice(s)|s

x::= identifier |x1, x2

s::= s1×s2|P(s)| {x|P} | BIG

Proof System. In Fig. 1, we present the proof system of the BMethod. This

is an adaptation of classical natural deduction for the Bsyntax. It should be

noted that the B-Book proposes some rules to deﬁne the notion of non-freeness

of a variable xin a formula P, denoted by x\P. Since these rules are standard,

we omit them here.

In the following, if xis a variable and Γa set of formulæ, x\Γmeans that

x\Hfor each Hof Γ; if Γ0is another set of formulæ, Γ@Γ0means that Γis

included in Γ0; and if Pis a formula, P–@Γmeans that Poccurs in Γ.

BR1

P`BPΓ`BP Γ @Γ0

BR2

Γ0`BP

P–@ΓBR3

Γ`BP

Γ`BP Γ , P `BQBR4

Γ`BQ

Γ`BP Γ `BP⇒QMP

Γ`BQ

Γ`BP Γ `BQR1

Γ`BP∧Q

Γ`BP∧QR2

Γ`BP

Γ`BP∧Q

R20

Γ`BQ

Γ, P `BQR3

Γ`BP⇒Q

Γ`BP⇒QR4

Γ, P `BQ

Γ, ¬Q`BP Γ, ¬Q`B¬PR5

Γ`BQ

Γ, Q `BP Γ , Q `B¬PR6

Γ`B¬Q

x\Γ Γ `BP

R7

Γ`B∀x·P

Γ`B∀x·PR8

Γ`B[x:= E]P

R10

Γ`BE=E

Γ`BE=F Γ `B[x:= E]P

R9

Γ`B[x:= F]P

Fig. 1. The Proof System of the BMethod

Set Theory. As presented in the B-Book, the BMethod set theory is a simpli-

ﬁcation of classical set theory. Some common axioms, like the foundation axiom,

are not needed in this context (see Sec. 2.2), leading to a theory made only

of six axioms. Actually, axioms presented below are axiom schemata that have

to be instantiated with some proper expressions. The ﬁrst column represents

non-freeness proviso.

E, F ∈s×t⇔(E∈s∧F∈t)SET1

x\(s, t)s∈P(t)⇔ ∀x·(x∈s⇒x∈t)SET2

x\s E ∈ {x|x∈s∧P} ⇔ (E∈s∧[x:= E]P)SET3

x\(s, t)∀x·(x∈s⇔x∈t)⇒s=tSET4

x\s∃x·(x∈s)⇒choice(s)∈sSET5

inﬁnite(BIG)SET6

Remark 1. The B-Book deﬁnes rewrite rules for secondary common constructs:

P∨Q→ ¬P⇒Q P ⇔Q→(P⇒Q)∧(Q⇒P)∃x·P→ ¬∀x· ¬P

s⊆t→s∈P(t)s⊂t→s⊆t∧s6=t

2.2 Type System

The BMethod set theory diﬀers from other ones, like the Zermelo-Fraenkel set

theory. The main diﬀerence consists in the addition of typing constraints to

expressions, and the application of a type-checking procedure before proving.

This avoids ill-formed formulæ such as ∃x·(x∈x), whose negation is provable

in ZF, due to the foundation axiom, unlike for the BMethod.

∆`tc ch(P)∆`tc ch(Q)T1

∆`tc ch(P∧Q)

∆`tc ch(P)∆`tc ch(Q)T2

∆`tc ch(P⇒Q)

∆`tc ch(P)T3

∆`tc ch(¬P)

x\s x\∆ ∆, x ∈s`tc ch(P)T4

∆`tc ch(∀x·(x∈s⇒P))

∆`tc ch(∀x·(x∈s⇒ ∀y·(y∈t⇒P))) T5

∆`tc ch(∀(x, y)·(x, y ∈s×t⇒P))

∆`tc ch(∀x·(P⇒(Q∧R))) T6

∆`tc ch(∀x·((P∧Q)⇒R))

∆`tc ty(E)≡ty(F)T7

∆`tc ch(E=F)

∆`tc ty(E)≡su(s)T8

∆`tc ch(E∈s)

∆`tc su(s)≡su(t)

T80

∆`tc ch(s⊆t)

x∈s–@∆ ∆ `tc su(s)≡U

T9

∆`tc ty(x)≡U

∆`tc ty(E)×ty(F)≡U

T10

∆`tc ty(E, F )≡U

∆`tc su(s)≡U

T11

∆`tc ty(choice(s)) ≡U

∆`tc P(su(s)) ≡U

T12

∆`tc ty(s)≡U

x∈s–@∆ ∆ `tc su(s)≡P(U)T13

∆`tc su(x)≡U

∆`tc su(s)×su(t)≡U

T14

∆`tc su(s×t)≡U

∆`tc P(su(s)) ≡U

T15

∆`tc su(P(s)) ≡U

∆`tc ch(∀x·(x∈s⇒P)) ∆`tc su(s)≡U

T16

∆`tc su({x|x∈s∧P})≡U

gi(I) –@∆ ∆ `tc I≡U

T17

∆`tc su(I)≡U

∆`tc su(s)≡P(U)T18

∆`tc su(choice(s)) ≡U

∆`tc T≡UT19

∆`tc P(T)≡P(U)

∆`tc T≡U ∆ `tc V≡WT20

∆`tc T×V≡U×W

gi(I) –@∆

T21

∆`tc I≡I

Fig. 2. The Type System of the BMethod

The typing discipline proposed relies on the monotonicity of set inclusion.

For instance, if we have an expression Eand two sets sand tsuch that E∈s

and s⊆t, then E∈t. Going further with another set usuch that t⊆u, we have

then E∈u. The idea, as explained in the B-Book, is that, given a formula to be

type checked, there exists an upper limit for such set containment. This upper

limit is called the super-set of sand the type of E. Then, if uis the super-set of

s, we obtain the typing information E∈uand s∈P(u).

Type checking is performed by applying, in a backward way and following

the numerical order, the inference rules presented in Fig. 2. Rules dealing with

the right-hand side of a typing equivalence ≡are named with the same number

primed, for T9 to T18. If this decision procedure terminates and does not fail, then

the formula is said to be well-typed. This procedure uses two syntactic categories

T ype and T ype_P red:

T ype ::= type(E)|super(s)|T y pe ×T ype |P(T y pe)|identifier

T ype_P red ::= check(P)|T ype ≡T ype

In the following, we use ty,su and ch as abbreviations for the keywords type,

super and check respectively. As a consequence, the type of an expression Emay

be either an identiﬁer (see the notion of given set below), the powerset of a type

or the cartesian product of two types; and for the particular case of sets, the

type of a set is necessarily the powerset of a type.

A type-checking sequent like ∆`tc ch(P)means that, within the environment

∆, the formula Pis well-typed. The environment ∆is made of atomic formulæ

of the form x∈s, where xis non-free in s. All free variables in Phave to be

associated with some atomic formula in ∆. The only exception is for variables

in Prepresenting some abstract given sets, introduced at a meta-level discourse

like: “Given a set s...”. Such a given set s, which will be used to type other sets,

is introduced in the environment ∆by the keyword given(s)(gi(s)for short),

telling us that sis free in the formula to be type-checked, and has the speciﬁc

property su(s) = s.

Example 1. Given two sets sand t, the formula:

∀(a, b)·(a, b ∈P(s×t)×P(s×t)⇒ {x|x∈a∧x∈b} ⊆ s×t)

will be used as a running example in this paper. We want to verify that this

formula is well-typed, i.e. verify that the following sequent is satisﬁed:

gi(s),gi(t)`tc

ch(∀(a, b)·(a, b ∈P(s×t)×P(s×t)⇒ {x|x∈a∧x∈b} ⊆ s×t))

By applying the rules of Fig. 2, we obtain the following typing derivation (due

to the large size of the tree, we present only the names of rules, starting from

the left with T5):

T5 -T4 -T4 -T80-T140-T16 -

T4 -T8 -T9 -T13 -T15 -T19 -T130-T150-T19 -T14 -T140-T20 -

T17 -T170-T21

T17 -T170-T21

T13 -T15 -T19 -T14 -T20 -

T17 -T170-T21

T17 -T170-T21

2.3 Type Annotation

In the Bsyntax presented in Sec. 2.1, there are two constructs which introduce

new bound variables: universal quantiﬁcation ∀x·Pand comprehension set {x|

P}. It should be noted that the typing rules T4 and T16 dealing with these two

syntactical constructs use the speciﬁc forms ∀x·x∈s⇒Pand {x|x∈

s∧P}. Membership x∈sis used to type the bound variable x. Unfortunately,

typing information is hidden at a set theoretic level. There is no clear distinction

between sets and types in the BMethod.

For the translation function presented in Sec. 4.2, we want to distinguish the

notion of types from the one of sets. We introduce a new syntactic category T

for types:

T::= identifier |T1×T2|P(T)

And we introduce the notation xTmeaning that the variable xhas type T.

We now present a procedure to annotate variables with their type. Once the

type-checking of a formula is done, the typing tree has environments ∆at each

node, and in particular at leaves, following the syntax:

∆::= ∅|∆, gi(s)|∆, x ∈s

In addition, ∆is augmented only by rule T4: if a formula x∈sis added, then s

has to be already associated in ∆(in particular because of rules T9 and T13), as

a given set or in a formula like s∈tfor some already associated set t.

The annotation procedure transforms all the leaf environments ∆,i.e. the

environments of the leaves, into annotated environments ∆?, where all variables

and given sets are annotated with their type, then uses these annotated environ-

ments to rebuild the typing tree of the (annotated) initial formula in a forward

way. It should be noted that in a formula x∈s, the set smay be a composition

of the two type constructors ×and P. We denote this kind of composition by a

function symbol fwith an arity n. Here is the syntax for ∆?:

∆?::= ∅|∆?,gi(sP(s))|∆?, xf(T1,...,Tn)∈f(sP(T1)

1, . . . , sP(Tn)

n)

We can now introduce the annotation procedure:

1. For all the leaf environments ∆:

1.1. For all gi(s), we annotate sby its type P(s), and then substitute all

occurrences of sin ∆by sP(s);

1.2. Following the introduction order in ∆, for all x∈f(sP(T1)

1, . . . , sP(Tn)

n), we

annotate xwith its type f(T1, . . . , Tn), and we substitute all occurrences

of xin ∆by xf(T1,...,Tn);

2. Rebuild the (annotated) initial formula by applying the type-checking tree

in a forward way, i.e. from the leaves to the root.

In the following, we denote by P?the formula Pwhere all variables are

annotated. We extend this notation to sets of formulæ Γ, and expressions E.

Proposition 1. The annotation is sound.

We have, for a variable x, an expression Eand a formula P:

1. If xTis associated in ∆?,∆?`tc ty(xT)≡T;

2. If ∆`tc ty(E)≡U, then ∆?`tc ty(E?)≡U;

3. If ∆`tc ch(P), then ∆?`tc ch(P?).

The Bproof system of Fig. 1 is neutral with respect to variable annotation, so

it is always possible to apply the same proof derivation to an annotated formula.

The provability of well-typed formulæ is then preserved: Γ`BPif and only if

Γ?`BP?.

Finally, we take the universal closure of all free variables corresponding to

given sets. To lighten the presentation in examples, we annotate only the ﬁrst

occurrence of a variable.

Example 2. Going back to the running example, we obtained the following en-

vironment ∆for the leave of the upper branch:

gi(s),gi(t), a ∈P(s×t), b ∈P(s×t), x ∈a

It leads to the annotated environment ∆?:

gi(sP(s)),gi(tP(t)), aP(s×t)∈P(s×t), bP(s×t)∈P(s×t), xs×t∈a

Finally, we obtain the annotated formula:

∀sP(s)·(∀tP(t)·(∀(aP(s×t), bP(s×t))·

(a, b ∈P(s×t)×P(s×t)⇒ {xs×t|x∈a∧x∈b} ⊆ s×t)))

2.4 The Annotated Set Theory

Axioms SET5 and SET6 are introduced in the BMethod set theory for theoret-

ical reasons, like building natural numbers, and are never used in practice, in

particular in proof obligations. So, we remove them from this work.

We now deﬁne the annotated version of the axioms presented in Sec. 2.1. In

addition, we take the universal closure for all free variables.

∀sP(s)·(∀tP(t)·(∀xs·(∀yt·(x, y ∈s×t⇔(x∈s∧y∈t))))) SET1

∀sP(s)·(∀tP(s)·(s∈P(t)⇔ ∀xs·(x∈s⇒x∈t))) SET2

∀sP(s)·(∀ys·(y∈ {xs|x∈s∧P} ⇔ (y∈s∧[x:= y]P))) SET3

∀sP(s)·(∀tP(s)·(∀xs·(x∈s⇔x∈t)⇒s=t)) SET4

2.5 Skolemization of Comprehension Sets

We propose an elimination procedure of comprehension sets inside formulæ,

based on the deﬁnition of new function symbols. The idea to skolemize compre-

hension sets is not new, see for instance [12]. In an expression, when meeting a set

uof the shape: u={xT|P(x, sT1

1, . . . , sTn

n)}we apply the following procedure:

1. Deﬁne a fresh function symbol fP(T)of arity nand annotated by P(T);

2. Add to the Bset theory, the axiom:

∀sT1

1·(. . . ·(∀sTn

n·(∀xT·(x∈fP(T)(s1, . . . , sn)⇔P(x, s1, . . . , sn)))))

3. Replace all the occurrences of uby fP(T)(s1, . . . , sn).

Remark 2. This skolemization procedure is sound (the new axiom is an instance

of axiom SET3), but not complete (it is no more possible to deﬁne a set by

comprehension during proof search).

Example 3. Applying skolemization to the running example leads to add the

following axiom to the theory:

∀aP(s×t)·(∀bP(s×t)·(∀xs×t·(x∈fP(s×t)(a, b)⇔x∈a∧x∈b)))

And we obtain the skolemized formula:

∀sP(s)·(∀tP(t)·

(∀(aP(s×t), bP(s×t))·(a, b ∈P(s×t)×P(s×t)⇒fP(s×t)(a, b)⊆s×t)))

2.6 Updated Syntax and Proof System

To conclude this section, we present the new version of the Bsyntax, with

annotated variables, function symbols and without comprehension sets, choice

function and BIG. In addition, we suppose that expressions are normalized in the

sense that substitutions are reduced, as it is for proof obligations, so we remove

substitutions from the syntax. We also merge the two categories for expressions

and sets in a single category called E. Finally, we introduce ⊥:= P∧ ¬Pand

>:= ¬⊥, where Pis a ﬁxed formula.

T::= identifier |T1×T2|P(T)

P::= ⊥ | > | P1∧P2|P1⇒P2| ¬P| ∀x·P|E1=E2|E1∈E2

E::= x|E1, E2|E1×E2|P(E)|fP(T)(E1, . . . , En)

x::= identifier |xT|xT1

1, xT2

2

Finally, we enrich the Bproof system of Fig. 1 with the two basic rules BR5

and BR6 dealing with ⊥and >:

BR5

Γ, ⊥ `BQ:=

BR3

Γ, P ∧ ¬P, ¬Q`BP∧ ¬PR2

Γ, P ∧ ¬P, ¬Q`BP

BR3

Γ, P ∧ ¬P, ¬Q`BP∧ ¬P

R20

Γ, P ∧ ¬P, ¬Q`B¬PR5

Γ, P ∧ ¬P`BQ

BR6

Γ`B>:=

BR5

Γ, ⊥ `BQBR5

Γ, ⊥ `B¬QR6

Γ`B¬⊥

3LLproof: Typed Sequent Calculus of Zenon

3.1 Polymorphic First-Order Logic

We present in this section the polymorphic ﬁrst-order logic, PFOL for short,

used by the sequent calculus proof system LLproof. This presentation is highly

inspired by [2].

A polymorphic signature is a triple Σ= (K,F,P), where K,Fand Pare

countable sets of respectively type constructors kwith their arity m, denoted

k:: m, function symbols fand predicate symbols Pwith their type signature σ.

σ::= f:Πα1. . . αm.τ1→. . . →τn→τ|P:Πα1. . . αm.τ1→. . . →τn→o

where α1. . . αmare the mﬁrst arguments of for Pand correspond to the type

parameters; τ1, . . . , τnare the following narguments of for Pand correspond

to the types of the term parameters; τis the return type of fand ois the return

pseudo-type of predicates P(but it is not a type of the language).

The syntax of PFOL is made of types, terms, formulæ and polymorphic for-

mulæ. A type τis either a type variable αor the application of a type constructor

k. A term eis either a variable xor the application of a function symbol fto

types and terms. A formula ϕis inductively built from ⊥,>, conjunction, impli-

cation, negation, universal quantiﬁcation over (term) variable, equality between

terms and application of a predicate symbol. A polymorphic formula ϕαis a uni-

versal quantiﬁcation over type variable. The typing rules of PFOL are standard

and can be found in [2]. In the following, we may omit the mﬁrst type arguments

for function and predicate symbols when they are clear from the context.

τ::= α|k(τ1, . . . , τm)

e::= x|f(τ1, . . . , τm;e1, . . . , en)

ϕ::= ⊥ | > | ϕ1∧ϕ2|ϕ1⇒ϕ2| ¬ϕ| ∀x:τ.ϕ |e1=τe2

|P(τ1, . . . , τm;e1, . . . , en)

ϕα::= ∀α.ϕα| ∀α.ϕ

3.2 The Typed Sequent Calculus Proof System LLproof

In Fig. 3, we present the typed sequent calculus LLproof used by the automated

theorem prover Zenon to output proofs. This sequent calculus is close to a tableau

method proof system; we are looking for a contradiction, given the negation of

the goal as an hypothesis. All formulæ are on the left hand side of the sequent,

and the negation of the goal has to be unsatisﬁable. In addition, the contraction

rule is always applied, leading to a growing context Γ.

This presentation diﬀers with the one in [8], which also introduces the proof

system LLproof and its embedding into the proof-checker Dedukti. We remove

the rules for equivalence and existential quantiﬁcation, because these constructs

are deﬁned using other ones in the BMethod (see Sec. 2.1). Moreover, we replace

all rules from the category Special Rules by the new one Subst, since the Subst

rule is easier to translate and can be used to deﬁne other Special rules [8].

The rules ∀and ¬∀ dealing with quantiﬁcation over variables both get a side

condition about the type of the chosen instance.

Rule ∀type is applied to instantiate the type variables in axioms with the

closed types coming from the translation of the proof obligation to be proved.

Closure and Quantiﬁer-free Rules

⊥

Γ, ⊥ `LL ⊥¬>

Γ, ¬> `LL ⊥Sym

Γ, t =τu, u 6=τt`LL ⊥

Ax

Γ, P, ¬P`LL ⊥6=

Γ, t 6=τt`LL ⊥

Γ, P `LL ⊥Γ, ¬P`LL ⊥Cut

Γ`LL ⊥

Γ, ¬¬P, P `LL ⊥¬¬

Γ, ¬¬P`LL ⊥

Γ, P ∧Q, P, Q `LL ⊥∧

Γ, P ∧Q`LL ⊥

Γ, ¬(P⇒Q), P, ¬Q`LL ⊥¬ ⇒

Γ, ¬(P⇒Q)`LL ⊥

Γ, P ⇒Q, ¬P`LL ⊥Γ, P ⇒Q, Q `LL ⊥⇒

Γ, P ⇒Q`LL ⊥

Γ, ¬(P∧Q),¬P`LL ⊥Γ, ¬(P∧Q),¬Q`LL ⊥¬∧

Γ, ¬(P∧Q)`LL ⊥

Quantiﬁer Rules Over Variables

Γ, ¬∀x:τ . P (x),¬P(c)`LL ⊥¬∀

Γ, ¬∀x:τ . P (x)`LL ⊥

where c:τis a

fresh constant

Γ, ∀x:τ . P (x), P (t)`LL ⊥∀

Γ, ∀x:τ . P (x)`LL ⊥

where t:τis

any closed term

Quantiﬁer Rules Over Type Variables

Γ, ∀α. P (α), P (τ)`LL ⊥∀type

Γ, ∀α. P (α)`LL ⊥

where τis

any closed type

Special Rule

Γ, P (t), t 6=τu`LL ⊥Γ, P (t), P (u)`LL ⊥Subst

Γ, P (t)`LL ⊥

Fig. 3. The Typed Sequent Calculus LLproof

4 Translation of BFormulæ into PFOL

4.1 Type Signatures of Primitive Constructs

We start by deﬁning a general skeleton for the type signatures of the Bbasic

constructs. We introduce two type constructors Set and Pair corresponding re-

spectively to the Btype constructors Pand ×. Then, we can deﬁne the function

symbols (-,-)for ordered pair, P(-)for powerset and -×- for product set. Finally,

we deﬁne two predicate symbols for membership and equality. For easier reading,

we use an inﬁx notation with type arguments subscripted. For instance, - ∈α-

corresponds to ∈(α, -,-).

Tske :=

Set(-) :: 1,Pair(-,-) :: 2

(-,-)α1,α2:Πα1α2. α1→α2→Pair(α1, α2)

Pα(-) : Πα. Set(α)→Set(Set(α))

-×α1,α2-:Πα1α2.Set(α1)→Set(α2)→Set(Pair(α1, α2))

-∈α-:Πα. α →Set(α)→o

-=α-:Πα. α →α→o

4.2 Translating Formulæ from Bto PFOL

We present in Fig. 4 the translation function of Bformulæ into PFOL formulæ.

This translation, denoted hPifor some Bformula P, is made of the three trans-

lations hTitfor types, hPiffor formulæ and hEiefor expressions, and a function

θ(E)that returns the PFOL type of a Bexpression E.

One important point in this embedding is the interpretation given to Btype

identiﬁers coming from the type annotation procedure (see Sec. 2.3). We inter-

pret Btype identiﬁers coming from axioms and hypotheses as type variables (and

take the universal closure with respect to them), and Btype identiﬁers of the for-

mula to prove (also called goal) as new constants, i.e. nullary type constructors.

This allows us to get polymorphic axioms in PFOL and a monomorphic/many-

sorted goal. To achieve this, we add to all Bformulæ to translate a ﬂag ax for

axioms and hypotheses and gl for the goal.

Before presenting the three translation functions, we have to deﬁne a function

called Sig(f(. . .)), where fis a Bfunction symbol coming from the skolemization

of comprehension sets (see Sec. 2.5), that returns the type signature of f. Let

F V (e)be the set of free variables of an expression e.

Sig(fP(T)(E1, . . . , En)) = Π

α∈F V n

1(θ(Ei))

α. θ(E1)→. . . →θ(En)→θ(P(T))

During the translation procedure, we carry a target PFOL theory Tcom-

posed by the skeleton Tske deﬁned in Sec.4.1, previously translated formulæ, new

type constructors and new type signatures. Also, for each formula to be trans-

lated, we carry a PFOL local context ∆of bound variables and their type, and

a set Ωof pairs of Btype identiﬁers and their corresponding PFOL types, i.e.

type variables for axioms and type constants for goals.

Example 4. Continuing with the running example, we ﬁrst translate axioms SET1,

SET2 and SET4, then the axiom coming from the skolemization, and ﬁnally the

goal. To lighten the presentation, we omit the subscripted type arguments of

function and predicate symbols of Tske and we factorize the symbol ∀. The three

set theory axioms become:

∀α1, α2.∀s:Set(α1), t :Set(α2), x :α1, y :α2.(x, y)∈s×t⇔(x∈s∧y∈t)

∀α. ∀s:Set(α), t :Set(α). s ∈P(t)⇔ ∀x:α. x ∈s⇒x∈t

∀α. ∀s:Set(α), t :Set(α).(∀x:α. x ∈s⇔x∈t)⇒s=t

θ(E) = match Ewith

|xT→∆(x)

|E1, E2→Pair(θ(E1), θ(E2))

|E1×E2→Set(Pair(θ(E1), θ(E2)))

|P(E)→Set(θ(E))

|fP(T)(. . .)→Set(hTit)

hTit=match Twith

|id when flag =ax →if id ∈Ωthen return Ω(id)

else Ω:= Ω, (id, αid )return αid

|id when flag =gl →if id ∈Ωthen return Ω(id)

else T:= T, kid :: 0 ; Ω:= Ω, (id, kid )return kid

|T1×T2→Pair(hT1it,hT2it)

|P(T)→Set(hTit)

hPif=match Pwith

| ⊥ | > → ⊥ | >

|P1∧P2→ hP1if∧ hP2if

|P1⇒P2→ hP1if⇒ hP2if

| ¬P→ ¬ hPif

| ∀xT·P→ ∀x:hTit.hPifand ∆:= ∆, x :hTit

| ∀(xT1

1, xT2

2)·P→∀x1:hT1it.∀x2:hT2it.hPif

and ∆:= ∆, x1:hT1it, x2:hT2it

|E1=E2→ hE1ie=θ(E1)hE2ie

|E1∈E2→ hE1ie∈θ(E1)hE2ie

hEie=match Ewith

|xT→x

|E1, E2→(hE1ie,hE2ie)θ(E1),θ(E2)

|E1×E2→ hE1ie×τ1,τ2hE2iewhere θ(E1) = Set(τ1)

θ(E2) = Set(τ2)

|P(E)→Pτ(hEie)where θ(E) = Set(τ)

|fP(T)(E1,...,En)→

if f:Πα1. . . αm. τ1→. . . →τn→τ6∈ T

then T:= T, f :S ig(fP(T)(E1,...,En))

return f(τ0

1,...,τ0

m;hE1ie,...,hEnie)where

θ(E1) = τ1(τ0

1,...,τ0

m)

· · ·

θ(En) = τn(τ0

1,...,τ0

m)

Fig. 4. Translation from Bto PFOL

The remainder of the theory, i.e. the signature of f, the axiom deﬁning fand

the declaration of the two type constants coming from the translation of the

goal, is:

k1:: 0, k2:: 0

f:Πα1α2.Set(Pair(α1, α2)) →Set(Pair(α1, α2)) →Set(Pair(α1, α2))

∀α1, α2.∀a:Set(Pair(α1, α2)), b :Set(Pair(α1, α2)), x :Pair(α1, α2).

x∈f(a, b)⇔(x∈a∧x∈b)

Finally, the translation of the goal (we unfold the ⊆deﬁnition, see Sec. 2.1) is:

∀s:Set(k1), t :Set(k2), a :Set(Pair(k1, k2)), b :Set(Pair(k1, k2)).

(a, b)∈P(s×t)×P(s×t)⇒f(a, b)∈P(s×t)

5 Translating LLproof Proofs into BProofs

In Fig. 5, we present the reverse translation, denoted hϕi-1, to translate monomor-

phic PFOL formulæ into Bformulæ. This reverse translation is simpler than the

one presented in Sec. 4.2 because we do not need to translate types, annotations

for bound variables and function symbols not being necessary anymore.

hϕi-1

f=match ϕwith

| ⊥ | > → ⊥ | >

|ϕ1∧ϕ2→ hϕ1i-1

f∧ hϕ2i-1

f

|ϕ1⇒ϕ2→ hϕ1i-1

f⇒ hϕ2i-1

f

| ¬ϕ→ ¬ hϕi-1

f

| ∀x:τ. ϕ → ∀x· hϕi-1

f

|e1=τe2→ he1i-1

e=he2i-1

e

|e1∈τe2→ he1i-1

e∈ he2i-1

e

hei-1

e=match Ewith

|x→x

|(e1, e2)τ1,τ2→ he1i-1

e,he2i-1

e

|e1×τ1,τ2e2→ he1i-1

e× he2i-1

e

|Pτ(e)→P(hei-1

e)

|f(τ0

1,...,τ0

m;e1,...,en)→f(he1i-1

e,...,heni-1

e)

Fig. 5. Translation from PFOL to B

Theorem 1. For a set of Bformulæ Γand a Bgoal P, if there exists a LLproof

proof of the sequent hΓi,h¬Pi `LL ⊥, then there exists a set Γ0of monomorphic

instances of hΓi, and a Bproof of the sequent hΓ0i-1 ,¬P`B⊥.

Proof. We present a sketch of the proof.

1. We show that if Pis a Bgoal, then we have hhPii-1 ⇔P.

Axiom

BR3

hP`Pi-1 BR3

h¬P` ¬Pi-1

R5

hP, ¬P` ⊥i-1

6=

R10

h` t=τti-1 BR3

h¬(t=τt)` ¬(t=τt)i-1

R5

h¬(t=τt)` ⊥i-1

Sym

BR3

ht=τu`t=τui-1

R10

h` t=τti-1 BR3

h¬(t=τt)` ¬(t=τt)i-1

R5

h¬(t=τt)` ⊥i-1

R9

ht=τu, ¬(u=τt)` ⊥i-1

¬¬

BR3

h¬P` ¬Pi-1 BR3

h¬¬P` ¬¬Pi-1

R5

h¬¬P`Pi-1 h¬¬P, P ` ⊥i-1

BR4

h¬¬P` ⊥i-1

∧

BR3

hP∧Q`P∧Qi-1

R2

hP∧Q`Pi-1

BR3

hP∧Q`P∧Qi-1

R20

hP∧Q`Qi-1 hP∧Q, P, Q ` ⊥i-1

BR4

hP∧Q, P ` ⊥i-1

BR4

hP∧Q` ⊥i-1

⇒

hP⇒Q, ¬P` ⊥i-1 BR6

h` ¬⊥i-1

R5

hP⇒Q`Pi-1 BR3

hP⇒Q`P⇒Qi-1

MP

hP⇒Q`Qi-1 hP⇒Q, Q ` ⊥i-1

BR4

hP⇒Q` ⊥i-1

Fig. 6. Translations of LLproof Rules into BProof System (part 1)

2. Given a proof Πof the sequent hΓi,h¬Pi `LL ⊥, there exists a proof ΠKleene

of the sequent, starting with all applications of ∀type rules on polymorphic

formulæ, thanks to the permutation of inference rules in sequent calculus [15].

3. We take the subproof Πmono of ΠKleene, where we removed all the ∀type

nodes and the remaining polymorphic formulæ.

4. The set Γ0of monomorphic instances of hΓiis made of the root node formulæ

of Πmono, except h¬Pi.

5. We extend the reverse translation to LLproof sequents,

hP1, . . . , Pn`LL Qi-1 → hP1i-1 ,...,hPni-1 `BhQi-1, and to LLproof proof

nodes in Fig. 6 and Fig. 7.

6. hΠmonoi-1 is a Bproof of the sequent hΓ0i-1 ,¬P`B⊥.

¬∧

h¬(P∧Q),¬P` ⊥i-1 BR6

h` ¬⊥i-1

R5

h¬(P∧Q)`Pi-1

h¬(P∧Q),¬Q` ⊥i-1 BR6

h` ¬⊥i-1

R5

h¬(P∧Q)`Qi-1

R1

h¬(P∧Q)`P∧Qi-1 Π

R5

h¬(P∧Q)` ⊥i-1

where Π:= BR3

h¬(P∧Q)` ¬(P∧Q)i-1

¬ ⇒

h¬(P⇒Q), P, ¬Q` ⊥i-1 BR6

h` ¬⊥i-1

R5

h¬(P⇒Q), P `Qi-1

R3

h¬(P⇒Q)`P⇒Qi-1 BR3

h¬(P⇒Q)` ¬(P⇒Q)i-1

R5

h¬(P⇒Q)` ⊥i-1

¬∀

h¬∀x:τ.P (x),¬P(c)` ⊥i-1 BR6

h` ¬⊥i-1

R5

h¬∀x:τ.P (x)`P(c)i-1

R7

h¬∀x:τ.P (x)` ∀x:τ .P (x)i-1 BR3

h¬∀x:τ.P (x)` ¬∀x:τ .P (x)i-1

R5

h¬∀x:τ.P (x)` ⊥i-1

∀

BR3

h∀x:τ. P (x)` ∀x:τ. P (x)i-1

R8

h∀x:τ. P (x)`P(t)i-1 h∀x:τ. P (x), P (t)` ⊥i-1

BR4

h∀x:τ. P (x)` ⊥i-1

Subst

hP(t),¬(t=τu)` ⊥i-1 BR6

h` ¬⊥i-1

R5

hP(t)`t=τui-1 BR3

hP(t)`P(t)i-1

R9

hP(t)`P(u)i-1 hP(t), P (u)` ⊥i-1

BR4

hP(t)` ⊥i-1

Fig. 7. Translation of LLproof Rules into BProof System (part 2)

We give in Fig. 6 and Fig. 7 the translations for each LLproof proof node. Each

node can be translated to a Bderivation where all PFOL sequents are translated

into Bsequents, leading to a Bproof tree. To lighten the presentation, we omit to

indicate the context Γand some useless formulæ (removable by applying BR2) on

the left-hand side of sequents, and we use `for `LL. For instance, the translation

of the LLproof Axiom rule should be:

BR3

hΓ, P, ¬P, ¬⊥ `LL Pi-1 BR3

hΓ, P, ¬P, ¬⊥ `LL ¬Pi-1

R5

hΓ, P, ¬P`LL ⊥i-1

Example 5. The proof of the running example is too big to be presented here.

Instead, we present the proof translation for the following Bformula, given s:

∀x·(x∈s⇒x∈s)

The latter leads to the PFOL formula, where kis a constant:

∀s:Set(k).∀x:k. x ∈s⇒x∈s

The LLproof proof is:

Ax

cx∈kcs, cx6∈kcs`LL ⊥¬ ⇒

¬(cx∈kcs⇒cx∈kcs)`LL ⊥¬∀

¬∀x:k. x ∈kcs⇒x∈kcs`LL ⊥¬∀

¬∀s:Set(k).∀x:k. x ∈ks⇒x∈ks`LL ⊥

We obtain the Bproof (we removed the universal quantiﬁcation over the given

set s, the ﬁrst R5 node in the translation of ¬∀, some useless formulæ on the

left-hand side of sequents and used `for `B,cfor cxand sfor cs):

BR3

c∈s`c∈sBR3

c6∈ s`c6∈ sR5

c∈s, c 6∈ s` ⊥ BR6

` ¬⊥ R5

c∈s`c∈sR3

`c∈s⇒c∈s

BR3

¬(c∈s⇒c∈s)` ¬(c∈s⇒c∈s)R5

¬(c∈s⇒c∈s)` ⊥ BR6

` ¬⊥ R5

`c∈s⇒c∈sR7

` ∀x·(x∈s⇒x∈s)

6 Conclusion

Automated theorem provers are in general made of thousands lines of code, using

elaborate decision procedures and speciﬁc heuristics. The conﬁdence in such

tools may therefore be questioned. The correctness of Zenon proofs is already

guaranteed by the checking of proof certiﬁcates by an external proof checker.

But to prove Bproof obligations, Zenon relies on two external tools, bpo2why

and Why3, to translate proof obligations into its input format, which raises the

question whether the proof found still corresponds to a proof of the original

statement.

In this paper, we have formalized a diﬀerent and direct translation from the B

Method to a polymorphic ﬁrst-order logic. The main purpose of this work is not

to replace bpo2why, but to validate the use of Zenon to prove Bproof obligations.

One of the most challenging part of this translation deals with the encoding of

the Bnotion of types. Our solution to make the axioms polymorphic allows us

to beneﬁt from the ﬂexibility of polymorphism. Furthermore, we showed that

this translation is sound and gave a procedure to translate Zenon proofs in the

Bproof system.

As future work, we want to prove the soundness and completeness of the

deduction modulo theory [11] extension of the proof system LLproof with regard

to those of LLproof, in particular in the case of the BMethod.

References

1. Abrial, J.R.: The B-Book, Assigning Programs to Meanings. Cambridge University

Press (1996)

2. Blanchette, J.C., Böhme, S., Popescu, A., Smallbone, N.: Encoding Monomorphic

and Polymorphic Types. In: Tools and Algorithms for the Construction and Anal-

ysis of Systems, TACAS 2013. Springer (2013)

3. Bobot, F., Filliâtre, J.C., Marché, C., Paskevich, A.: Why3: Shepherd Your Herd

of Provers. In: International Workshop on Intermediate Veriﬁcation Languages

(Boogie) (2011)

4. Bodeveix, J.P., Filali, M.: Type Synthesis in B and the Translation of B to PVS.

In: Formal Speciﬁcation and Development in Z and B, ZB. Springer (2002)

5. Boespﬂug, M., Carbonneaux, Q., Hermant, O.: The λΠ-Calculus Modulo as a

Universal Proof Language. In: Proof Exchange for Theorem Proving (PxTP) (2012)

6. Bonichon, R., Delahaye, D., Doligez, D.: Zenon: An Extensible Automated The-

orem Prover Producing Checkable Proofs. In: Logic for Programming Artiﬁcial

Intelligence and Reasoning (LPAR). LNCS/LNAI, vol. 4790. Springer (2007)

7. Bury, G., Delahaye, D., Doligez, D., Halmagrand, P., Hermant, O.: Automated

Deduction in the B Set Theory using Typed Proof Search and Deduction Modulo.

In: LPAR 20 : 20th International Conference on Logic for Programming, Artiﬁcial

Intelligence and Reasoning. Suva, Fiji (2015)

8. Cauderlier, R., Halmagrand, P.: Checking Zenon Modulo Proofs in Dedukti. In:

Fourth Workshop on Proof eXchange for Theorem Proving (PxTP). Berlin, Ger-

many (2015)

9. Delahaye, D., Doligez, D., Gilbert, F., Halmagrand, P., Hermant, O.: Zenon Mod-

ulo: When Achilles Outruns the Tortoise using Deduction Modulo. In: Logic for

Programming Artiﬁcial Intelligence and Reasoning (LPAR). LNCS/ARCoSS, vol.

8312. Springer (2013)

10. Delahaye, D., Dubois, C., Marché, C., Mentré, D.: The BWare Project: Building a

Proof Platform for the Automated Veriﬁcation of BProof Obligations. In: Abstract

State Machines, Alloy,B,VDM, and Z(ABZ). LNCS, Springer (2014)

11. Dowek, G., Hardin, T., Kirchner, C.: Theorem Proving Modulo. Journal of Auto-

mated Reasoning (JAR) 31 (2003)

12. Dowek, G., Miquel, A.: Cut elimination for zermelo set theory. Archive for Math-

ematical Logic. Springer. Submitted (2007)

13. Jacquel, M., Berkani, K., Delahaye, D., Dubois, C.: Verifying B Proof Rules using

Deep Embedding and Automated Theorem Proving. Software Engineering and

Formal Methods 7041, 253–268 (2011)

14. Jaeger, E., Dubois, C.: Why Would You Trust B? In: Berlin, S. (ed.) Logic for

Programming, Artiﬁcial Intelligence, and Reasoning. Lecture Notes in Computer

Science, Yerevan, Armenia (2007)

15. Kleene, S.C.: Permutability Of Inferences In Gentzens Calculi LK And LJ. In: Bul-

letin Of The American Mathematical Society. vol. 57, pp. 485–485. Amer Mathe-

matical Soc 201 Charles St, Providence, RI (1951)

16. Mentré, D., Marché, C., Filliâtre, J.C., Asuka, M.: Discharging Proof Obligations

from Atelier B using Multiple Automated Provers. In: Abstract State Machines,

Alloy,B,VDM, and Z(ABZ). LNCS, vol. 7316. Springer (2012)

17. Schmalz, M.: Formalizing the logic of event-B. Ph.D. thesis, Diss., Eidgenössische

Technische Hochschule ETH Zürich, Nr. 20516, 2012 (2012)

18. ClearSy:Atelier B 4.1 (2013), http://www.atelierb.eu/