Formal Proof of a Machine Closed Theorem in Coq

The paper presents a formal proof of a machine closed theorem of TLA + in the theorem proving system Coq. A shallow embedding scheme is employed for the proof which is independent of concrete syntax. Fundamental concepts need to state that the machine closed theorems are addressed in the proof platform. A useful proof pattern of constructing a trace with desired properties is devised. A number of Coq reusable libraries are established.


Introduction
TLA + [1,2] is a formal specification language for describing and reasoning about distributed and concurrent systems.It is based on mathematical logic, set theory, and linear time temporal logic TLA [3].TLA + is widely used to write precise and formal specifications of discrete systems.The notion of machine closed plays an important role in the system specification.Generally speaking, a specification consists of two parts: one is a safety part and the other is a liveness part.The specification is called machine closed if the liveness part does not constrain the safety part.In [1], it is said that "we seldom want to write a specification that isn't machine closed.If we do write one, it's usually by mistake." Hence, we need to check whether the specification is machine closed.Fortunately, there is a well-known theorem, that is, machine closed theorem [4], stating that all the TLA + specifications are machine closed.More precisely, a TLA + specification which consists of a transition system and a possibly countable infinite fairness constraints is machine closed.Hence, in TLA + there is no need to verify the specification to see whether it is machine closed.In other words, TLA + specifications are constructed to be machine closed.
We are now working on formalizing a subset of TLA + in the theorem prover Coq.As an important part, we want to have the machine closed theorem in our formalization.There are mainly two ways to embed the theorem: one is to have it as an axiom and the other is to state it as a theorem and prove it.We think the second way is better.The reason is twofold: (i) it needs to be very careful to introduce an axiom into a proof system, since sometimes the introduction of a new axiom may result in inconsistence; (ii) it is worthwhile to have a formal proof of the theorem, though it is well-known.The proof will help to understand and check the previous formalizations (i.e., the fundamental definitions needed to state the theorem) and make the whole formalization more solid.
In this paper, we present a formal proof of a machine closed theorem in the theorem prover Coq.In order to do so, various fundamental definitions, such as traces, properties, safety property, liveness property, safety closure, and machine closed are given.Based on these definitions, the theorem is formally stated.The proof follows [4].The key part of the proof is to find a strategy which can generate a trace with some desired properties.We designed a reusable proof pattern to guide this process.Besides this proof, the pattern is also used in proving whether a property is a liveness property; for example, both strong and weak fairness constraints are proved to be liveness properties using this pattern.The whole proof is done in a shallow-embedded manner, which makes the formalization independent of any concrete syntaxes.In other words, this work can be reused in other settings.

Journal of Applied Mathematics
The rest of the paper is organized as follows.In Section 2, some preliminaries and a short introduction of TLA + are given.Section 3 presents the formalization of the machine closed theorem in Coq.The detailed proof is described in Section 4. Related work and concluding remarks are given in Section 5.

Preliminaries
2.1.TLA + Specifications.The TLA + specification is a formula of the form  ∧ ◻[] V ∧ , where V is a tuple usually containing all state variables in , , and  [4].The first conjunct  describes the possible initial states of the system.The second conjunct of the specification asserts that every step (i.e., every pair of successive states in the system) either satisfies  or leaves the variables in V unchanged.Allowing such stuttering steps is a key ingredient to obtain compositionality of specifications.However, it also means that executions that stutter infinitely are allowed by the specification.The third conjunct  is a temporal formula stating the liveness constraints of the specification, and particularly it can be used to rule out infinite stuttering.The part  ∧ ◻[] V is known to be the safety part of the specification while  to be the liveness part.The machine closed theorem states that ( ∧ ◻[] V , ) is machine closed.

Definitions.
We fix the set of states as . * denotes the set of finite sequences of states, and   is the set of infinite sequences of states.A sequence is also called a trace in this paper.The th state in trace  is denoted by   .|| denotes the length of , if  is finite.
An action  is a predicate over two states.Action  is a subaction of action   if ∀   .   →      .
Following [6], we have the definitions of safety closure and machine closed.Given an arbitrary property , its safety closure () is defined as { ∈   | ∀. [⋅⋅⋅] ⊨ }.It can be proved that () is the smallest safety property containing .
Definition.A pair of properties (, ) is said to be machine closed if ( ∩ ) =  and  is a safety property.

Formalization of Machine Closed Theorem
We work on the semantical level, in other words, we define all the concepts described in Section 2.2 in a shallow embedding manner.Throughout this section, we first describe the notions informally then give the corresponding Coq scripts.

Help Definitions.
In the following scripts, we first define the set of state as .A trace is a function of type  →  (There are other ways to define traces.E.g., [7] uses coinductive data types to define infinite traces and [8] uses coinductive data types to define both infinite and finite traces.The reasons why we adapt the "function type" one is twofold: (i) the "function type" trace is intuitive; (ii) we only consider infinite traces, and we want to separate the finite traces and infinite traces at the data type level.In the subsequent section, finite traces are defined separately using inductive data type.).So given a trace  and a natural number , ( ) denotes the th state of  (count from 0). 1 and 2 are the types of predicates over one state and two states, respectively.1 is the state predicate type while 2 is the action type.A property is a set of traces, whose type is  → .     means traces  and   are identical up to index .     means traces  and   are identical up to index ( − 1). returns  [𝑛⋅⋅⋅ ] .1 (2, resp.)makes a trace predicate(i.e., a property) from a one-state (two-state, resp.)predicate.In order to make the representation more concise, we define three coercions which implicitly changes a onestate or a two-state predicate to properties, respectively.Coercion Action2toProperty: Actions >-> Property.

Safety, Liveness, and Machine
Closed.In the definitions of safety property, liveness property and safety closure, the notions of "finite trace" and "concatenation of a finite trace and an infinite trace" are used.Since we choose the function type to present traces, it is not very convenient to express finite traces.In order to avoid the notions of "finite trace" and "concatenation, " we should change the definitions to their equivalent counterparts which only involve infinite traces.Safety Property.We change "∀ ∈   .↔ ∀.∃  ∈   .[⋅⋅⋅] ∘   ⊨ " to its equivalent formula "∀ ∈   .↔ ∀.∃  ∈   .(   ) ∧   ⊨ ." Definition IsSafetyProperty (p: Property) := forall t, p t <-> (forall i, exists t', UptoN t t' i /\ p t').
Liveness Property.We change "∀ ∈  * .∃ ∈   .∘   ⊨ " to "∀ ∈   .∀.∃  ∈   .     ∧   ⊨ " and have the following definition: Definition IsLivenessProperty (p: Property) := forall t i, exists t', UptoN e t t' i /\ p t'. forall i s s', (Acts W i) s s' -> Next s s'.In the scripts, we use a function of type  →   to represent the set of actions.Note that the cases where the set of actions is finite or countable infinite are covered by the definitions of   and  .The essential point is that both   and   are of type  →  .Suppose the set of  is finite, say its cardinality is , we can build   as follows: for each  < , map    to the ( + 1)th action in ; for each  ≥ , map    to (    ⇒ ).If the set of  is countable infinite, then for each  ∈ N, map    to the (+1)th action.
Based on the above definitions, we can build the safety part  and the liveness part  for the transition system: (i) : all traces allowed by  and .
(ii) : all traces allowed by the set of fairness constraints.
Definition lp: Property := fun t => forall n, Acts SF n t /\ Acts WF n t.

Finally, we get the theorem to prove
Theorem machine closed: MachineClosed sp lp.

Proof of Machine Closed Theorem
The proof follows the proof of Proposition 4 in [4].
Given a specification of a transition system, ∧◻∧  where  = ∀ ∈ .(  ) ∧ ∀ ∈ .(  ), ∀ ∈ .  is a subaction of , ∀ ∈ .  is a subaction of  and  ∪  is finite or countable infinite, we need to prove that ( ∧ ◻, ) is machine closed.Based on the discussion in Section 3.3, here we prove a more general case where both  and  are countable infinite.Hence, we can take  and  to be N.
The whole proof is divided into two steps.First, we prove that a stronger version of the specification, in which all the weak fairness constraints are changed to their strong fairness counterparts, is machine closed.Second, we prove the original specification is machine closed.

The Stronger Specification.
To build a stronger specification, first we need a mapping  :  →  , which has the property that ( ) ∪ ( ) = (), where  • is the range of function •.Informally speaking, through  we can get all the actions used in the original specification.In the following scripts, V   is deployed to test whether a natural number is even and V2  returns /2.

Definition f (n:nat): Actions
Then we can build the stronger specification that is equivalent to the original one except for (i) the fairness constraint  is replaced by  .
As we can see in the following scripts, each action is associated with a strong fairness constraint.It differs from the original one in which some actions are associated with weak fairness constraints, while the other with strong fairness constraints.
Definition lp stronger := fun t => forall n, SF Action (f n) t.
(ii) Based on assumptions      and     , the following theorem is proved: Theorem Acts subaction of Next: forall i s s', (f i) s s' -> Next s s'.
Since all the actions are indexed by a natural number and accessible through the number using , in the sequel, we will use a natural number to represent the action: phrase "action " is equivalent to "action ()." The intermediate theorem about the stronger specification is Theorem sp lp stronger machine closed: MachineClosed sp lp stronger.
Following the definition of machine closed, we need to prove (1)  is a safety property; (2) ( ∩  ) = .There are two directions: The set of all runs of the transition system is a safety property. ∧ ◻[], which is equal to , defines a transition system.Hence, condition (1) is proved.Condition (2.1) can be proved from the fact that  ∩   ⊆  and the following theorem:

Theorem SafetyClosureSmallest: forall p p', p[<=]p' -> [S?] p' -> ([C] p) [<=] p'.
In order to prove condition (2.2), based on the definition of safety closure, it is sufficient to prove that for each  ∈  and  ∈ N,  [⋅⋅⋅] can be extended to an infinite trace   such that   ∈  ∧   ∈  .As described in [4], given  [⋅⋅⋅] we need to construct a trace-generate strategy  which can generate a trace   and   have properties:

Trace-Generate Strategy.
Roughly speaking, a tracegenerate strategy is of type  * → , which takes a finite trace as input and returns a state.In other words, a trace-generate strategy defines a scheduling policy which returns a next state based on the state sequence the system already produced.We first define the finite trace data type  (list is a predefined type in Coq: Inductive list (A: Type): Type := nil: list A-cons: A → list A → list A. The concatenation of an element  of type  and a list  of type   is denoted by  :: .).

Definition FiniteTrace := list St.
There are two ways to obtain a strategy function: (1) define it as a function of type  →  directly; (2) first define a relation of type  →  →  and then derive a function of type  →  from the relation using the classical choice axiom.In our case, we choose the second way, since we only care about the relation.And furthermore defining a relation is easier than defining a function: a function is difficult to define if the computation is complex.In our case, we essentially defined a scheduling policy, which is complex.
In order to use the classic choice axiom, the relation  should be total; that is, for each finite trace  there exists a state  such that   .We only consider this kind of strategy relations.The set of all valid strategy relations is captured by .
A trace  can be derived based on a valid strategy relation V.
The main derivation steps are as follows: (1) a strategy function  is derived from V using the choice axiom; (2) given a strategy function  and a natural number , prefix  (3) the prefix is always not nil, which means we can always get the last state   that is the th state in .
(ℎ of type ∀ : . ̸ =  →  returns the head of a finite trace.It requires a proof that the input finite trace is not nil.This fact is provided by theorem    .)Definition GSF to Trace (g: GenStrategyF): Trace := fun n => myhead (GSF to FiniteTrace g n) (GSF to FiniteTrace notnil g n).
Finally we get theorem   , through which we can derive a trace  based on a valid strategy  and  fulfils our constraints that (,  0 ) and ( , (b)   ∈  and (c)   ∈   are hold.To achieve the goal, firstly, we need to design a trace-generate strategy relation (the relation is designed with the three properties under consideration); secondly, we need to prove the relation is valid; at last, we need to prove the generated trace conforms to the properties.We fix , , , and  in the sequel.
Define the Relation.The design principles of the relation are as follows: (1) at any point, the set of schedulable actions should be finite and all actions in the set is enabled; (2) at any point, if the schedulable action set is not empty, the action that has not been executed for the longest time is scheduled to execute.In event of ties, the action with minimal index is chosen.Principle 1 is the key to this principle, since if the schedulable action set is infinite, there may exist an action which is infinitely enabled but not infinitely executed; (3) at any point, if the schedulable actions set is empty, then pick  to execute since  is total; (4)  [⋅⋅⋅] should be a prefix of the generated trace.
The strategy is defined as: Intuitively "(   ) " has the following implicit meanings: (i)  is the finite trace that the system has already produced; (ii) if (   )   holds, then  is the next state the system will generate. ℎ     denotes that the action  has the properties mentioned in the second principle.In order to define  ℎ, there are several concepts that need to be represented: (a) given a finite trace and an action, the number of steps that the action continuously has not been executed up to now (); (b) notion of the largest number of nonexecuted steps ( ℎ); (c) the smallest index with the largest nonexecuted number  ℎ.Given a finite trace , a nat , and an action predicate ,     returns the number of executable actions of . needs more descriptions.For its arguments,  is the finite trace,  is the index of the action and  is the action.   returns  if and only if its first argument is less than the second argument.The first if-statement is the key to make the schedulable action set finite, but it does so in an implicit way, which will be explained in section "Prove the Properties."    ℎ  ℎ returns  if and only if  ℎ ℎ  holds.
Useful Theorems.In the sequent proofs, we want to choose an element with a specific property from a set, for example, the minimal or the maximal element from a set according to some order.We use theorems to do so and these theorems are of a similar pattern: given a set, if the set is not empty, then there exists an element in the set with some specific properties.
(i) Get the Minimal Element.The following theorem states that given a set , if  is not empty and  is a well-founded order, then there exists a minimal element in  according to order .
Theorem ExistTheMin general: forall (A:Set)(R: A -> A -> Prop) (P: Ensemble A), well founded R ->( ∼ Empty set P) -> (exists n, In P n /\ (forall i, In P i -> ∼ R i n)).(ii) Get the Maximal Element.The following theorem expresses that given a set  of natural numbers, if there exists a natural number  which is larger than all the elements in , then there exists a maximal element in .
Theorem ExistTheMax nat: ( ∼ Empty set P) -> (exists max, (forall n, In P n -> n <= max)) -> exists m, In P m /\ forall n, In P n -> n <= m.These theorems can be thought as a kind of element choosers, which can be used to pick up a specific element from a set.Combining these choosers with proper initializations of the set predicates (i.e.,  in the theorem), we can obtain some useful complex choosers, such as the one choosing the smallest index among the indexes whose associated actions have not been executed for the longest time.
(iii) The following theorem represents that given , a finite set of natural numbers, and , a relation over two natural numbers, if  is total on  (i.e., for each element in  there exists a number -related to it), and  is transitive over the second parameter (i.e., for each element in , if a number is -related to the element then any number larger than the number is also related to the element) then there exists an  such that  is -related to each element in .
The second conjunct consists of four disjuncts, each of which corresponds to a sub condition in condition (1).The total and transitive properties of  are proved by case analysis.By  we obtain the   which is -related to all the actions whose indexes are less than ( + 1).For each index  > , by using theorem   we know   [⋅⋅⋅]  ( ) ≤ ( + 1 − ), and by theorem  , we know  −  ≤   [⋅⋅⋅]  ( ); hence, we know  also holds for condition (2).Thus  is the position we wantproperty (c) holds on trace   .

Lemma greater less:
forall ft i a, nstep ft i a <= length ft -i.
Lemma less greater: Finally, we prove that the stronger specification is machine closed.

Related Works and Concluding Remarks
The machine closed theorem is first proved in [4].There is already some work that embeds TLAi n a theorem prover [9], but to our best knowledge, this is the first time that the theorem is formally proved in a theorem prover.There are several other works that concern the definitions of properties.These works can be discussed in two steps.The first step is how traces are represented.In [10], a function of type  →  is chosen, which is the same as our solution.In other works, inductive and/or coinductive types are used [7,8,11].
In [12], the authors propose a more general solution, in which they do not commit to a particular formalization of traces; instead, they exploit the module system of Coq and only list the interface of traces.The second step is how the safety and liveness properties are defined.In [7], the safety property is defined as a state invariant of a transition system and the liveness property is not defined formally.
In this paper, we present a formal proof of the the machine closed theorem in theorem prover Coq.Various fundamental definitions, such as traces, properties, safety property, liveness property, safety closure and machine closed, are given.Based on these definitions, the theorem is formally stated and proved.The main proof of machine closed theorem is done using the section mechanism of Coq.This mechanism makes our formalization adaptable.It can be encapsulated into a module or a record.In our case study, we used the module type.The result module is general, since it is at the semantics level (because we do the proof in a shallow embedding manner) and thus is independent of any concrete syntax.This work also results in several reusable Coq libraries.The Coq scripts can be provided upon request.
Depend on the length of , there are 4 cases of how the strategy generates a next state: (a)  is nil; (b) || ≤ ; (c) || >  and all the actions are not enabled; (d) || >  and there is an enabled action.
We use the notation mechanism of Coq to make the representations more succinct. [/\]  denotes that the intersection of properties  and . [<=]  expresses the fact that property  is a subset of property . [=]  describes the fact that property  is equal to property .[] is the safety closure of .[?] is a shorthand of predicate  while [?] is a shorthand of predicate V.
fun t => forall i, exists t', UptoN t t' i /\ p t'. (2) predicates  of type 1 and  of type 2 characterizing the initial states and nextstate relation, respectively, where we require that (Parameter is a synonym of Variable in Coq.): every state has a successor according to ; in other words,  is total.Parameter Init: PredOn1 St. Parameter Next: PredOn2 St. Hypothesis next input enabled: forall s, exists s', Next s s'.(3) two sets of indexes:  and . ∪  is finite or countable infinite and each  ∈  ∪ , action   is a subaction of .Each  ∈  ( ∈ , resp.), action   (  , resp.) is associated with a strong (weak, resp.)fairness constraint.
[⋅⋅⋅],  +1 ) (for all  ∈ N) satisfies the strategy relation.isused to get the  part from a  and  is used to get the first  states from a .Trace-Generate Strategy.Recall that we need to prove condition (2.2) in the previous subsection: given a trace  ∈  and a position , a trace   should be constructed such that three properties (a)  [⋅⋅⋅] = [⋅⋅⋅] Specification.Based on theorem    ℎ , we need to prove theorem ℎ .According to the definition of machine closed, the proof is sketched as  ⊆ ( ∩ ).Given  and , by theorem    ℎ  we can get an extended trace  0 of  [⋅⋅⋅] such that  0 ∈  ∧  0 ∈  .Hence, the only subgoal needed to solve is to prove that  0 is also in .It is sufficient to prove that (i) for each  ∈ ,  0 satisfies the strong fairness constraint of action   -this holds, since  0 satisfies the strong fairness constraint of action  (2 * ) which is equal to   .(ii) for each  ∈ ,  0 satisfies the weak fairness constraint of action   -this holds, since  0 satisfies the strong fairness constraint of action  (2 * +1) which is equal to   and the following theorem which expresses that if a trace satisfies the strong fairness constraint of an action it also satisfies the weak fairness constraint of that action: Theorem SF imp WF: forall (a:Actions), SF Action a [->] WF Action a.