Towards Theorem Proving Graph Grammars using Event-BPartially supported by CNPq/Brazil. Electronic Communications of the EASST Volume 30 (2010) International Colloquium on Graph and Model Transformation - On the occasion of the 65th birthday of Hartmut Ehrig (GraMoT 2010) Towards Theorem Proving Graph Grammars using Event-B Leila Ribeiro, Fernando Luís Dotti, Simone André da Costa and Fabiane Cristine Dillenburg 16 pages Guest Editors: Claudia Ermel, Hartmut Ehrig, Fernando Orejas, Gabriele Taentzer Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Towards Theorem Proving Graph Grammars using Event-B∗ Leila Ribeiro1, Fernando Luís Dotti2, Simone André da Costa3 and Fabiane Cristine Dillenburg4 1 leila@inf.ufrgs.br 4 fabiane.dillenburg@inf.ufrgs.br Instituto de Informática Universidade Federal do Rio Grande do Sul, Brazil 2 fernando.dotti@pucrs.br Faculdade de Informática Pontifícia Universidade Católica do Rio Grande do Sul, Brazil 3 simone.costa@ufpel.edu.br Institudo de Física e Matermática Universidade Federal de Pelotas, Brazil Abstract: Graph grammars may be used as specification technique for different kinds of systems, specially in situations in which states are complex structures that can be adequately modeled as graphs (possibly with an attribute data part) and in which the behavior involves a large amount of parallelism and can be described as reactions to stimuli that can be observed in the state of the system. The verification of properties of such systems is a difficult task due to many aspects: the systems in many situations involve an infinite number of states; states themselves are complex and large; there are a number of different computation possibilities due to the fact that rule applications may occur in parallel. There are already some approaches to verification of graph grammars based on model checking, but in these cases only finite state systems can be analyzed. Other approaches propose over- and/or under- approximations of the state-space, but in this case it is not possible to check arbitrary properties. In this work, we propose to use the Event-B formal method and its the- orem proving tools to analyze graph grammars. We show that a graph grammar can be translated into an Event-B specification preserving its semantics, such that one can use several theorem provers available for Event-B to analyze the reachable states of the original graph grammar. The translation is based on a relational definition of graph grammars, that was shown to be equivalent to the Single-Pushout approach to graph grammars. Keywords: Graph Grammars, Theorem Proving, Event-B ∗ Partially supported by CNPq/Brazil. 1 / 16 Volume 30 (2010) mailto:leila@inf.ufrgs.br mailto:fabiane.dillenburg@inf.ufrgs.br mailto:fernando.dotti@pucrs.br mailto:simone.costa@ufpel.edu.br Towards Theorem Proving Graph Grammars using Event-B 1 Introduction Graph grammars [Ehr79, Roz97] are a formal description technique suitable for the specification of distributed and reactive systems. The basic idea of this formalism is to model the states of a system as graphs and describe the possible state changes as rules (where the left- and right- hand sides are graphs). The operational behavior of the system is expressed via applications of these rules to graphs depicting the current states of the system. Graph grammars are appealing as specification formalism because they are formal and based on simple, but powerful, concepts to describe behavior. At the same time they also have a nice graphical layout that helps even non-theoreticians to understand a specification. At the same time they also have a nice graphical layout that helps even non-theoreticians to understand a specification. The verification of graph grammar models through model-checking is currently supported by various approaches. Although model checking is an important analysis method, it has as disadvantage the need to build the complete state space, which can lead to the state explosion problem. Much progress has been made to deal with this difficulty, and a lot of techniques have increased the size of the systems that could be verified [CGJ+01]. Baldan and König proposed [BK02] approximating the behavior of (infinite-state) graph transformation systems by a chain of finite under- or over- approximations, at a specific level of accuracy of the full unfolding [BCMR07] of the system. However, as [DHR+07] emphasizes, these approaches that derive the model as approximations can result in inconclusive error/verification reports. Besides model checking, theorem proving [RV01, CW96] is another well-established ap- proach used to analyze systems. Theorem proving is a technique where both the system and its desired properties are expressed as formulas in some mathematical logic. A logical descrip- tion defines the system, establishing a set of axioms and inference rules. The verification process consists in finding a proof of the required property from the axioms or intermediary lemmas of the system. In contrast to model checking, theorem proving can deal directly with infinite state spaces and it relies on techniques such as structural induction to construct proofs over infinite domains. The use of this technique may require interaction with a human; however, via this interactive process the user often gains very useful perceptions into the system or the property being proved. Each verification technique has arguments for and against its use, but we can say that model- checking and theorem proving are complementary. Most of the existing approaches use model checkers to analyze properties of computations, that is, properties over the sequences of steps a system may engage in. Properties about reachable states are handled, if at all possible, only in restricted ways. In this work, our main aim is to provide a means to prove properties of reachable graphs using the theorem proving technique. In previous work [CR09a] we proposed a relational approach to graph grammars, providing an encoding of graphs and rules into relations. This enabled the use of logic formulas to express properties of reachable states of a graph grammar. This encoding was shown to be equivalent to the Single-Pushout approach to graph grammars, and was inspired by Courcelle’s research about logic and graphs [Cou97]. Courcelle investigates in various papers [Cou94, Cou97, Cou04] the representation of graphs and hypergraphs by relational structures as well as the expressiveness of their properties by log- ical languages. In [Cou94] the description of graph properties and the transformation of graphs Proc. GraMoT 2010 2 / 16 ECEASST in monadic second-order logic is proposed. However, these works are not particularly interested in effectively verifying the properties of graph transformation systems (GTSs). Since theorem provers, in general, works efficiently with specifications in relational style, we extended the re- lational representation of graphs to graph grammar models and use such representation for the formal analysis of reactive systems through the theorem proving technique. Other authors have investigated the analysis of GTSs based on relational logic or set theory. Baresi and Spoletini [BS06] explore the formal language Alloy to find instances and counterexamples for models and GTSs. With Alloy, they only analyze the system for a finite scope, whose size is user-defined. Strecker [Str08], aiming to verify structural properties of GTSs, proposes a formalization of graph transformations in a set-theoretic model. His goal is to obtain a language for writing graph transformation programs and reasoning about them. Nevertheless, the language has only two statements, one to apply a rule repeatedly to a graph, and another to apply several rules in a specific order to a graph. Until now, the work just presents a glimpse of how to reason about graph transformations. In this paper we use Event-B to analyze properties of graph grammars. Event-B [AH07] is a state-based formal method closely related to Classical B [Abr05]. It has been success- fully used in several applications, and there is tool support for both model specification and analysis. There are a series of powerful theorem provers that can be used to analyze event-B specifications[ABHV06, DEP]. Due to the similarity between event-B models and graph gram- mar specifications, specially concerning the rule-based behavior, in this paper we propose to translate graph grammar specifications in event-B structures, such that it is possible to use the event-B provers to demonstrate properties of a graph grammar. This translation is based on the relational definition of graph grammars. The paper is organized as follows. Section 2 presents the relational approach of graph gram- mars. Section 3 briefly introduces the event B formalism. Section 4 shows how a graph grammar can be translated into an Event-B program. Section 5 contains some final remarks. 2 Relational Approach to Graph Grammars Graph Grammars are a generalization of Chomsky grammars from strings to graphs suitable for the specification of distributed, asynchronous and concurrent systems. The basic notions behind this formalism are: states are represented by graphs and possible state changes are modeled by rules, where the left- and right-hand sides are graphs. We use a relational and logical approach for the description of Graph Grammars: graphs and graph morphisms are described as relational structures [CR09a, CR10], that is, they are defined as tuples formed by a set and by a family of relations over this set. Proofs about the well- definedness of these definitions were detailed in [CR09b]. Definition 1 (Relational Structures) Let R be a finite set of relation symbols, where each R∈R has an associated positive integer called its arity, denoted by ρ(R). An R-structure is a tuple S = 〈DS,(RS)R∈R〉 such that DS is a possible empty set called the domain of S and each RS is a ρ(R)-ary relation on DS, i.e., a subset of D ρ(R) S . R(d1,...,dn) holds in S if and only if (d1,...,dn)∈ RS, where d1,...,dn ∈ DS. 3 / 16 Volume 30 (2010) Towards Theorem Proving Graph Grammars using Event-B A relational graph |G| is a tuple composed of a set, the domain of the structure, representing all vertices and edges of |G| and by two finite relations: a unary relation, vert G, defining the set of vertices of |G| and a ternary relation incG representing the incidence relation between vertices and edges of |G|. The uniqueness edge condition assures that the same edge doesn’t connect different vertices. Definition 2 (Relational Graph) Let Rgr ={vert,inc} be a set of relations, where vert is unary and inc is ternary. A relational graph is a Rgr-structure |G|= 〈DG, (RG)R∈Rgr〉, where: • DG = VG ∪EG is the union of sets of possible vertices and edges of |G|, respectively (we always assume that VG ∩EG = ∅); • vertG ⊆VG, with vertG(x) iff x is a vertex of |G|; • incG ⊆ EG ×VG ×VG, with incG(x,y,z) iff x is a directed edge that links vertex y to vertex z in |G|. such that the following condition is satisfied: • Uniqueness Edge Condition. ∀x,y,z,y′,z′, [incG(x,y,z)∧incG(x,y′,z′)⇒ y = y′∧z = z′]. A relational graph morphism |g| from a relational graph |G| to a relational graph |H| is ob- tained through two binary relations: one to relate vertices (gV ) and other to relate edges (gE ). The type consistency conditions state that if two vertices are related by gV then the first one must be a vertex of |G| and the second one a vertex of |H|, and if two edges are related by gE , then the first one must be an edge of |G| and the second one an edge of |H|. The (morphism) commutativity condition assures that the mapping of edges preserves the mapping of source and target vertices. Definition 3 (Relational Graph Morphism) Let |G| = 〈VG ∪ EG,{vertG,incG}〉 and |H| = 〈VH ∪EH,{vertH,incH}〉 be relational graphs. A relational graph morphism |g| from |G| to |H| is defined by a set |g|={gV ,gE} of binary relations where: • gV ⊆VG ×VH is a partial function that relates vertices of |G| to vertices of |H|; • gE ⊆ EG ×EH is a partial function that relates edges of |G| to edges of |H|; such that the following conditions are satisfied: • Type Consistency Conditions. ∀x,x′, [gV (x,x′)]⇒ vertG(x)∧vertH(x′); and [gE(x,x′)]⇒∃y,y′,z,z′[incG(x,y,z)∧incH(x′,y′,z′)]; • Morphism Commutativity Condition. ∀x,y,z,x′,y′,z′, [gE(x,x′)∧incG(x,y,z)∧incH(x′,y′,z′)⇒ gV (y,y′) ∧ gV (z,z′)]. |g| is called total/injective if relations gV and gE are total/injective functions. A relational typing morphism is a relational graph morphism that has the role of typing all elements of a graph |G| over a graph |T|. Proc. GraMoT 2010 4 / 16 ECEASST Definition 4 (Relational Typing Morphism) Let |G| and |T| be relational graphs. A relational typing morphism from |G| over |T| is defined by a total relational graph morphism |t G| = {t GV ,t G E } from |G| to |T|. A relational typed graph is defined by two relational graphs together with a relational typing morphism. A relational typed graph morphism between graphs typed over the same graph is defined by a relational graph morphism. A (typed morphism) compatibility condition assures that the mappings of vertices and edges preserve types. Definition 5 (Relational Typed Graph, Relational Typed Graph Morphism) A relational typed graph is given by a tuple |GT| = 〈|G|,|t G|,|T|〉 where |G| and |T| are relational graphs and |t G| = {t GV ,t G E } is a relational typing morphism from |G| over |T|. A relational (typed) graph morphism from |GT| to |H T| is defined by a relational graph morphism |g|={gV ,gE} from |G| to |H|, such that the typed morphism compatibility condition is satisfied: • (Typed Morphism) Compatibility Condition. ∀x,x′,y, [gV (x,x′)∧t GV (x,y)⇒ t H V (x ′,y)]; and [gE(x,x′)∧t GE (x,y)⇒ t H E (x ′,y)]. A relational rule specifies a possible behaviour of the system. It consists of a left-hand side |LT|, describing items that must be present in a state to enable the application of the rule and a right-hand side |RT|, expressing items that will be present after the application of the rule. We require that rules do not collapse vertices or edges (are injective) and do not delete vertices. Definition 6 (Relational Rule) A relational rule α is given by a tuple 〈|LT|,|α|,|RT|〉 where: • |LT|= 〈|L|,|t L|,|T|〉 and |RT|= 〈|R|,|t R|,|T|〉 are relational typed graphs; • |α| = {αV ,αE} is an injective relational typed graph morphism from |LT| to |RT|, such that αV is a total function on the set of vertices. A relational graph grammar is composed by a relational type graph, characterizing the types of vertices and edges allowed in a system, an initial relational graph, representing the initial state of a system and a set of relational rules, describing the possible state changes that can occur in a system. Definition 7 (Relational Graph Grammar) Let RGG = {vertT , incT , vertG0,incG0, t G0V , t G0 E , (vertLi, incLi, t LiV , t Li E ,vertRi,incRi, t Ri V , t Ri E , αiV , αiE )i∈{1,...,n}} be a set of relation symbols. A relational graph grammar is a RGG-structure |GG|= 〈DGG,(r)r∈RGG〉 where • DGG = VGG ∪EGG is the set of vertices and edges of the graph grammar, where: VGG ∩ EGG = ∅, VGG = VT ∪VG0 ∪(VLi ∪VRi)i∈{1,...,n} and EGG = ET ∪EG0 ∪(ELi ∪ERi)i∈{1,...,n}. • |T|= 〈VT ∪ET ,{vertT ,incT}〉 defines a relational graph (the type of the grammar). • |G0T| = 〈|G0|,|t G0|,|T|〉, with |G0| = 〈VG0 ∪EG0,{vertG0,incG0}〉 and |t G0| = {t G0V ,t G0 E }, defines a relational typed graph (the initial graph of the grammar). 5 / 16 Volume 30 (2010) Towards Theorem Proving Graph Grammars using Event-B • Each collection (vertLi, incLi, t LiV , t Li E , vertRi,incRi, t Ri V , t Ri E , αiV , αiE ) defines a rule: – |LiT|= 〈|Li|,|t Li|,|T|〉, with |Li|= 〈VLi∪ELi,{vertLi,incLi}〉 and |t Li|={t LiV ,t Li E }, de- fines a relational typed graph (the left-hand side of the rule). – |RiT| = 〈|Ri|,|t Ri|,|T|〉, with |Ri| = 〈VRi ∪ERi,{vertRi,incRi}〉 and |t Ri| = {t RiV ,t Ri E }, defines a relational typed graph (the right-hand side of the rule). – 〈|LiT|,|αi|,|RiT|〉, with |αi|={αiV ,αiE}, defines a relational rule. Given a relational rule and a state, we say that this rule is applicable in this state if there is a match, that is, an image of the left-hand side of the rule in the state. The operational behaviour of a graph grammar is defined in terms of applications of the rules to some state graph. Definition 8 (Relational Match) Let 〈|LT|,|α|,|RT|〉 be a relational rule, with |LT| = 〈|L|,{t LV , t LE},|T|〉 and |R T|=〈|R|,{t RV ,t R E},|T|〉. Let |G T|=〈|G|,|t G|,|T|〉 be a relational typed graph with t G = {t GV ,t G E }. A relational match |m| of the given rule in |G T| is defined by a total relational typed graph morphism |m|={mV ,mE} from |LT| to |GT|, such that the following conditions are satisfied: • mE is injective; • Match Compatibility Condition. ∀x,x′,y [mV (x,x′)∧t LV (x,y)⇒ t G V (x ′,y)], [mE(x,x′)∧t LE(x,y)⇒ t G E (x ′,y)]. Since we restrict our approach to injective rules that can not delete vertices and matches that can no identify edges, the application of a given rule to a match in a state essentially removes from the state all elements that are in the left-hand side of the rule that are not mapped to the right-hand side, and creates in the state all new elements of the right-hand side of the rule. The rest of the state remains unchanged. Given a rule 〈|LiT|,|αi|,|RiT|〉 of a graph grammar and a corresponding match |m|={mV ,mE} in the initial state of the graph grammar, formulas θvertG′ , θincG′ , θt G′V , θt G′E described below define the graph resulting of the rule application. The elements that satisfy the stated formulas θrel are those that define the relations rel of the resulting typed graph |G′T|. Table 1 presents the explanations for the notation used in θ specifications. θvertG′(x) = vertG0(x) ∨ nvertRi(x) θincG′(x,y,z) = nincG0(x,y,z) ∨ nincRi(x,y,z). θt G ′ V (x,t) = nvertG0(x,t) ∨ [ nvertRi(x) ∧ t RiV (x,t) ] . θt G ′ E (x,t) = nt G0E (x,t) ∨ t Ri E (x,t). This construction is described by a first-order definable transduction (i.e., by a tuple of first- order formulas) on relational structures associated to graph grammars. Details can be found in [CR09a]. Proc. GraMoT 2010 6 / 16 ECEASST Table 1: Formulas used in θ specifications Notation Formula Intuitive Meaning vertG0(x) vertG0(x) x is a vertex of graph |G0|. t RiV (x,y) t Ri V (x,y) x is a vertex of |Ri| of type y. t RiE (x,y) t Ri E (x,y) x is an edge of graph |Ri| of type y. nvertRi(x) vertRi(x)∧@y ( αiV (y,x) ) x is a vertex of graph |Ri| cre- ated by rule |αi|. nincG0(x,y,z) incG0(x,y,z)∧@w ( mE(w,x) ) x is an edge of graph |G0| that is not image of the match. n(r,y) { ∃v ( αiV (v,r)∧mV (v,y) ) if r 6= y @v αiV (v,r) if r = y n relates vertices r and y if (i) r = y and r is created by rule |αi|, or (ii) there is a vertex v preserved by the rule whose images in Ri and G0 are r and y, resp. nincRi(x,y,z) ∃r,s [ incRi(x,r,s)∧n(r,y)∧n(s,z) ] x is an edge created by rule |αi| (connecting existing or newly created vertices. nvertG0(x,t) vertG0(x)∧t G0V (x,t) x is a vertex of |G0| of type t. nvertRi(x,t) vertRi(x)∧t RiV (x,t) x is a vertex of |Ri| of type t. nt G0E (x,t) ∃y,z ( incG0(x,y,z) ) ∧ @w ( mE(w,x) ) ∧ ∧ t G0E (x,t) x is an edge of graph |G0| of type t that is not image of the match. 7 / 16 Volume 30 (2010) Towards Theorem Proving Graph Grammars using Event-B 3 Event-B Event-B [AH07] is a state-based formalism closely related to Classical B [Abr05] and Action Systems [BS89]. Definition 9 (Event-B Model, Event) An Event-B Model is defined by a tuple EBModel = (c,s,P,v, I,RI,E) where c are constants and s are sets known in the model; v are the model variables1; P(c,s) is a collection of axioms constraining c and s; I(c,s,v) is a model invariant limiting the possible states of v s.t. ∃c,s,v ·P(c,s)∧I(c,s,v) - i.e. P and I characterise a non- empty set of model states; RI(c,s,v′) is an initialisation action computing initial values for the model variables; and E is a set of model events. Given states v,v′ an event is a tuple e = (H,S) where H(c,s,v) is the guard and S(c,s,v,v′) is the before-after predicate that defines a relation between current and next states. We also denote an event guard by H(v), the before-after predicate by S(v,v′) and the initialization action by RI(v′). An event-B model is assembled from two parts, a context which defines the triple (c,s,P) and a machine which defines the other elements (v,I,RI,E). Model correctness is demonstrated by generating and discharging a collection of proof obliga- tions. The model consistency condition states that whenever an event on an initialisation action is attempted, there exists a suitable new state v′ such that the model invariant is maintained - I(v′). This is usually stated as two separate proof obligations: a feasibility (I(v)∧H(v)⇒∃v′ ·S(v,v′)) and an invariant satisfaction obligation (I(v)∧ H(v)∧ S(v,v′) ⇒ I(v′)). The behaviour of an Event-B model is the transition system defined as follows. Definition 10 (Event-B Model Behaviour) Given EBModel = (c,s,P,v,I, RI,E), its behaviour is given by a transition system BST = (BState,BS0,→) where: BState = {〈v〉|v is a state}∪ U nde f , BS0 = U nde f , and →⊆ BState×BState is the transition relation given by the rules: start RI(v′)∧I(v′) U nde f →〈v′〉 transition ∃(H,S)∈ E ·I(v)∧H(v)∧S(v,v′)∧I(v′) 〈v〉→〈v′〉 According to rule start the model is initialized to a state satisfying RI ∧I and then, as long as there is an enabled event (rule transition), the model may evolve by firing an enabled event and computing the next state according to the event’s before-after predicate. Events are atomic. In case there is more than one enabled event at a certain state, the choice is non-deterministic. The semantics of an Event-B model is given in the form of proof semantics, based on Dijkstra’s work on weakest preconditions [Dij76]. An extensive tool support through the Rodin Platform makes Event-B especially attractive [DEP]. An integrated Eclipse-based development environment is actively developed, and open to third-party extensions in the form of Eclipse plug-ins. The main verification technique is 1 For convenience, as in [Abr05], no distinction is made between a set of variables and a state of a system. Proc. GraMoT 2010 8 / 16 ECEASST theorem proving supported by a collection of theorem provers, but there is also some support for model checking. 4 Verification of Graph Grammars using Event-B The behavior of an event-B model is similar to a graph grammar: there is a notion of state (given by a set of variables in event-B, and by a graph in a graph grammar) and a step is defined by an atomic operation on the current state (an event that updates variables in event-B and a rule application in a graph grammar). Each step should preserve properties of the state. In event-B, these properties are stated as invariants. In a graph grammar, the properties that are inherently guaranteed to be preserved are related to the graph structure (only well-formed graphs can be generated). Now, we present a way to model each structure of a graph grammar GG in event-B such that it is possible to use the event-B provers to demonstrate properties of a graph grammar. We will use an example to describe how graphs, typed graphs and rules can be defined in Event-B. The example is depicted in Figure1. Vertex1 Vertex2 Edge2 Edge1 (a) Type Graph T Vertex2 Edge2 Edge1 G T tG 1 1 Vertex1 (b) Start Graph GT e1_R1v1_R1v1_L1 e1_L1 v2_R1 (c) Rule α 1 Figure 1: Example of Graph Grammar Graphs: According to Def. 2 and Def. 7, sets VGG and EGG contain all possible vertices and edge names that may appear in graphs of this relational structure. We will define these sets as VGG = vertT ∪N, where vertT is the set of names used as vertex types in GG (we assume 9 / 16 Volume 30 (2010) Towards Theorem Proving Graph Grammars using Event-B that vertT ∩N = ∅); EGG = edgeT ∪N, where edgeT is the set of names used as edge types in GG (we assume that edgeT ∩N = ∅). Moreover, we assume that vertT ∩edgeT = ∅. The type graph T is defined in an event-B context as described in Figure 2, where we define all vertex and edge types as constants. In the axioms, we define these sets explicitly (for example, axiom axm1 means that vertT = {Vertex1,Vertex2}). We also define the functions sourceT and targetT that respectively designate the source and target vertex of each edge. Text after a // is a comment. Here, instead of using the ternary inc relation we used a set of edges and two binary relations (source and target) to define the edges of a graph. This is an equivalent formulation that is convenient to use in Event-B because it eases the proof of some proof obligations. CONTEXT ctx_GG SETS vertT // (Type Graph ) Vertices edgeT // (Type Graph ) Edges CONSTANTS Vertex1 Vertex2 Edge1 Edge2 sourceT // (Type Graph ) Source Function targetT // (Type Graph ) Target Function AXIOMS axm1 : partition(vertT,{Vertex1},{Vertex2}) axm2 : partition(edgeT,{Edge1},{Edge2}) axm3 : sourceT ∈ edgeT →vertT axm4 : partition(sourceT,{Edge1 7→ Vertex1},{Edge2 7→ Vertex1}) axm5 : targetT ∈ edgeT →vertT axm6 : partition(targetT,{Edge1 7→ Vertex1},{Edge2 7→ Vertex2}) END Figure 2: Event-B Type Graph Instances of vertices and edges that appear in graphs representing states will be described by natural numbers. It is not necessary to have distinct numbers for vertices and edges: a graph may have a vertex with identity 1 as well as an edge with identity 1, these elements will be different because one will be mapped to a vertex type and the other to an edge type. A graph typed over a type graph T is modeled by a set of variables describing its set of vertices, set of edges, source, target and typing functions. It is possible to state the com- patibility conditions of types and source and target of edges (stated in Def. 3) as invariants. However, since we will always generate well-formed graphs (the start graph is well-formed and events implement the single-pushout construction), we will skip these invariants (each invariant that is used generates proof obligations and therefore it is advisable to use only the necessary ones). Figure 3 shows the definition of a graph G typed over T . Invariants Proc. GraMoT 2010 10 / 16 ECEASST are used to define the types of the variables (for example, tG_V is a total function from vertG to vertT and tG_E is a total function from edgeG to edgeT ). MACHINE mch_GG SEES ctx_GG VARIABLES vertG // (Graph) Vertices edgeG // (Graph) Edges sourceG // (Graph) Source Function targetG // (Graph) Target Function tG_V // Typing of vertices tG_E // Typing of edges INVARIANTS inv_vertG : vertG ∈P(N) inv_incG : edgeG ∈P(N) inv_sourceG : sourceG ∈ edgeG→vertG inv_targetG : targetG ∈ edgeG→vertG inv_tG_V : tG_V ∈ vertG→vertT inv_tG_E : tG_E ∈ edgeG→edgeT EVENTS Initialisation begin act1 : vertG :={10} act2 : edgeG :={20} act3 : sourceG :={20 7→ 10} act4 : targetG :={20 7→ 10} act5 : tG_V :={10 7→ Vertex1} act6 : tG_E :={20 7→ Edge1} end Figure 3: Event-B Graph G There is special event in an event-B model that is executed before any other. This is the initialization event. In our encoding, this event will be used to create the start graph of a graph grammar. This is done by assigning initial values to the variables that correspond to graph G (see Figure 3). Within an event, the order in which attributions occur in non- deterministic. Rules: Left- and right-hand sides of rules are graphs, and thus will have representations as defined previously. Additionally, we have to define the partial morphism (αV ,αE) that maps elements from the left- to the right-hand side of the rule. The Event-B enconding of ule α 1 depicted in Figure 1 is shown in Figure 4. Since rules do not change during execution, their structures will be defined as constants. The behavior of a rule is described by an event (for the example, by event al pha1 in Figure 5). Whenever there are concrete values for variables mV , mE, newV and newE that satisfies the guard conditions, the event may occur. Guard conditions grd1, grd2 and grd5 to grd7 assure that the pair (mV,mE) is actually a match from the left-hand side of the 11 / 16 Volume 30 (2010) Towards Theorem Proving Graph Grammars using Event-B SETS vertL1 edgeL1 vertR1 edgeR1 CONSTANTS v1_L1 // vertex of LHS e1_L1 // edge of LHS v1_R1 v2_R1 // vertices of RHS e1_R1 // edge of RHS sourceL1 targetL1 sourceR1 targetR1 tL1_V // (Rule 1) Typing vertices of LHS tL1_E // (Rule 1) Typing edges of LHS tR1_V // (Rule 1) Typing vertices of RHS tR1_E // (Rule 1) Typing edges of RHS alpha1V // (Rule 1) Rule morphism: mapping vertices alpha1E // (Rule 1) Rule morphism: mapping edges AXIOMS // GRAPH L1: axm7 : partition(vertL1,{v1_L1}) axm8 : partition(edgeL1,{e1_L1}) axm9 : sourceL1 ∈ edgeL1→vertL1 axm10 : partition(sourceL1,{e1_L1 7→ v1_L1}) axm11 : targetL1 ∈ edgeL1→vertL1 axm12 : partition(targetL1,{e1_L1 7→ v1_L1}) axm13 : tL1_V ∈ vertL1→vertT axm14 : partition(tL1_V,{v1_L1 7→ Vertex1}) axm15 : tL1_E ∈ edgeL1→edgeT axm16 : partition(tL1_E,{e1_L1 7→ Edge1}) // GRAPH R1: axm17 : partition(vertR1,{v1_R1},{v2_R1}) axm18 : partition(edgeR1,{e1_R1}) axm19 : sourceR1 ∈ edgeR1→vertR1 axm20 : partition(sourceR1,{e1_R1 7→ v1_R1}) axm21 : targetR1 ∈ edgeL1→vertR1 axm22 : partition(targetR1,{e1_R1 7→ v2_R1}) axm23 : tR1_V ∈ vertR1→vertT axm24 : partition(tR1_V,{v1_R1 7→ Vertex1},{v2_R1 7→ Vertex2}) axm25 : tR1_E ∈ edgeR1→edgeT axm26 : partition(tR1_E,{e1_R1 7→ Edge2}) // Rule morphism alpha1: axm27 : alpha1V ∈ vertL1→vertR1 axm28 : partition(alpha1V,{v1_L1 7→ v1_R1}) axm29 : alpha1E ∈ edgeL1 7→edgeR1 axm30 : alpha1E = ∅ END Figure 4: Event-B Rule Strucure Proc. GraMoT 2010 12 / 16 ECEASST rule to the state graph G (see Def. 8). Guard conditions grd3 and grd4 assure that newV and newE are new fresh elements (a new vertex and a new edge identifier, not belonging to graph G). The actions update the state graph (graph G) according to the rule. In this example one loop edge is deleted and a new vertex and a new edge are created. A vertex newV with type Vertex2, and an edge newE with type Edge2 are generated. The source of this new edge is the image of the only vertex in the left-hand side of the rule in G and the target is the newly created vertex. The relational operators2 used in the definition of the actions implement the formulas that define rule application in Sect. 2. This is an encoding of rule α 1, there is a concrete choice for identifiers of elements created by the rule (newV and newE). For this reason and to obtain a more efficient encoding, we did not use explicitly the functions sourceR1, targetR1, al pha1V and al pha1E to define this event (but they were implicitly used to define the actions). For example, to obtain the set of vertices of the resulting graph we used the existing set of vertices vertG and added a set containing newV , instead of taking a vertex of R1 that was not in the image of al pha1V (there is a vertex of R1 that is not in the image of al pha1V , that is v2_R2, and by giving it the name newV in the generated graph we assure that this name did not occur already in vertG). Note that this choice of representation was dependent on the Event-B language, if we were to translate graph grammars to a different language, other encodings of the relational representation might be more suitable. Proving Properties: Once the start graph and all rules are represented in the event-B model, the property to be proved can be stated as an invariant. For example, we could add the invariant card(edgeG)≤ 2, meaning that no reachable graph can have more than 2 edges. For the given example, this property is true, and this can be easily proven automatically by the Rodin platform. 5 Final Remarks In this paper we have defined an event-B model that faithfully describes the behavior of a given graph grammar. To define this model, we used the relational definition of graph grammars, that was proven to be equivalent to the SPO approach. Now, it is possible to use the existing theorem provers for event-B to prove properties of graph grammars, for example, using the Rodin platform. This is an initial work in using event-B to help proving properties of graph grammars. Be- sides implementation, case studies are necessary to evaluate and improve the proposed approach. Another interesting topic for further research is to investigate to which extent the theory of re- finement, that is very well-developed in event-B, can be used to validate a stepwise development based on graph grammars. 2 The relational operators used to define this event are: \ (minus), ∪ (union), C− (domain subtraction). 13 / 16 Volume 30 (2010) Towards Theorem Proving Graph Grammars using Event-B EVENTS Event alpha1 =̂ any mV mE newV newE where grd1 : mV ∈ vertL1→vertG // total on vertices grd2 : mE ∈ edgeL1�edgeG // total and injective on edges grd3 : newV ∈N\vertG // newV is a fresh vertex name grd4 : newE ∈N\edgeG // newE is a fresh edge name grd5 : ∀v·v ∈ vertL1⇒tL1_V(v) = tG_V(mV(v)) // vertex type compatibility grd6 : ∀e·e ∈ edgeL1⇒tL1_E(e) = tG_E(mE(e)) edge type compatibility grd7 : ∀e·e ∈ edgeL1⇒mV(sourceL1(e)) = sourceG(mE(e))∧mV(targetL1(e)) = targetG(mE(e)) source/target compatibility then act1 : vertG := vertG ∪{newV} act2 : edgeG := (edgeG\{mE(e1_L1)})∪{newE} act3 : sourceG := ({mE(e1_L1)}C−sourceG)∪{newE 7→ mV(v1_L1)} act4 : targetG := ({mE(e1_L1)}C−targetG)∪{newE 7→ newV} act5 : tG_V := tG_V ∪{newV 7→ Vertex2} act6 : tG_E := ({mE(e1_L1)}C−tG_E)∪{newE 7→ Edge2} end END Figure 5: Event-B Rule Event Proc. GraMoT 2010 14 / 16 ECEASST Bibliography [ABHV06] J.-R. Abrial, M. J. Butler, S. Hallerstede, L. Voisin. An Open Extensible Tool En- vironment for Event-B. In Liu and He (eds.), ICFEM. Lecture Notes in Computer Science 4260, pp. 588–605. Springer, 2006. [Abr05] J. R. Abrial. The B-Book: Assigning Programs to Meanings. Cambridge University Press, 2005. [AH07] J.-R. Abrial, S. Hallerstede. Refinement, Decomposition, and Instantiation of Dis- crete Models: Application to Event-B. Fundam. Inform. 77(1-2):1–28, 2007. [BCMR07] P. Baldan, A. Corradini, U. Montanari, L. Ribeiro. Unfolding semantics of graph transformation. Inf. Comput. 205(5):733–782, 2007. doi:http://dx.doi.org/10.1016/j.ic.2006.11.004 [BK02] P. Baldan, B. König. Approximating the behaviour of graph transformation systems. In Proceedings of ICGT ’02 (International Conference on Graph Transformation). LNCS 2505, pp. 14–29. Springer, 2002. [BS89] R.-J. Back, K. Sere. Stepwise Refinement of Action Systems. In Snepscheut (ed.), Proceedings of the International Conference on Mathematics of Program Construc- tion, 375th Anniversary of the Groningen University. Pp. 115–138. Springer, Lon- don, UK, 1989. [BS06] L. Baresi, P. Spoletini. On the Use of Alloy to Analyze Graph Transformation Sys- tems. In Corradini et al. (eds.), ICGT. LNCS 4178, pp. 306–320. Springer, 2006. [CGJ+01] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, H. Veith. Progress on the State Explo- sion Problem in Model Checking. In Informatics - 10 Years Back. 10 Years Ahead. Pp. 176–194. Springer, London, UK, 2001. [Cou94] B. Courcelle. Monadic Second-Order Definable Graph Transductions: A Survey. Theoretical Computer Science 126(1):53–75, 1994. [Cou97] B. Courcelle. The Expression of Graph Properties and Graph Transformations in Monadic Second-Order Logic. Pp. 313–400 in [Roz97]. [Cou04] B. Courcelle. Recognizable Sets of Graphs, Hypergraphs and Relational Structures: A Survey. In Calude et al. (eds.), Developments in Language Theory. LNCS 3340, pp. 1–11. Springer, 2004. [CR09a] S. A. da Costa, L. Ribeiro. Formal Verification of Graph Grammars using Math- ematical Induction. Electronic Notes Theoretical Computer Science 240:43–60, 2009. doi:http://dx.doi.org/10.1016/j.entcs.2009.05.044 [CR09b] S. A. da Costa, L. Ribeiro. Relational and Logical Approach to Graph Grammars. Technical report 359, Porto Alegre: Instituto de Informática/UFRGS, 2009. 15 / 16 Volume 30 (2010) http://dx.doi.org/http://dx.doi.org/10.1016/j.ic.2006.11.004 http://dx.doi.org/http://dx.doi.org/10.1016/j.entcs.2009.05.044 Towards Theorem Proving Graph Grammars using Event-B [CR10] S. A. da Costa, L. Ribeiro. Formal Verification of Graph Grammars using Mathe- matical Induction. Science of Computer Programming, 2010. doi:http://dx.doi.org/10.1016/j.scico.2010.02.006 [CW96] E. M. Clarke, J. M. Wing. Formal methods: state of the art and future directions. ACM Computing Surveys 28(4):626–643, 1996. doi:http://doi.acm.org/10.1145/242223.242257 [DEP] DEPLOY. Event-B and the Rodin Platform. http://www.event-b.org/ (last accessed 16 March 2010). Rodin Development is supported by European Union ICT Projects DEPLOY (2008 to 2012) and RODIN (2004 to 2007). [DHR+07] M. B. Dwyer, J. Hatcliff, R. Robby, C. S. Pasareanu, W. Visser. Formal Software Analysis Emerging Trends in Software Model Checking. In FOSE ’07: 2007 Future of Software Engineering. Pp. 120–136. IEEE Computer Society, 2007. doi:http://dx.doi.org/10.1109/FOSE.2007.6 [Dij76] E. Dijkstra. A Discipline of Programming. Prentice-Hall International, 1976. [Ehr79] H. Ehrig. Introduction to the algebraic theory of graph grammars. In 1st Interna- tional Workshop on Graph Grammars and Their Application to Computer Science and Biology. Lecture Notes in Computer Science 73, pp. 1–69. Springer-Verlag, Germany, 1979. [Roz97] G. Rozenberg (ed.). Handbook of Graph Grammars and Computing by Graph Transformations, Volume 1: Foundations. World Scientific, 1997. [RV01] J. A. Robinson, A. Voronkov (eds.). Handbook of Automated Reasoning (in 2 vol- umes). Elsevier and MIT Press, 2001. [Str08] M. Strecker. Modeling and Verifying Graph Transformations in Proof Assistants. Electronic Notes in Theoretical Computer Science 203(1):135–148, 2008. doi:http://dx.doi.org/10.1016/j.entcs.2008.03.039 Proc. GraMoT 2010 16 / 16 http://dx.doi.org/http://dx.doi.org/10.1016/j.scico.2010.02.006 http://dx.doi.org/http://doi.acm.org/10.1145/242223.242257 http://dx.doi.org/http://dx.doi.org/10.1109/FOSE.2007.6 http://dx.doi.org/http://dx.doi.org/10.1016/j.entcs.2008.03.039 Introduction Relational Approach to Graph Grammars Event-B Verification of Graph Grammars using Event-B Final Remarks