Proof Hints for Event-B
Interactive proofs are often regarded as a cost of formal modelling. In an incremental development environment such as the Rodin platform for Event-B, the information gathered during proof attempts is important input for adapting the model. This paper considers the idea of using interactive proofs to "improve" the model and, in particular, to turn them into automatic ones. We propose to lift essential proof information from the interactive proofs into the model as what we call proof hints. Proof hints are not only there for the sake of the proofs: they also help to understand the formal models better.
💡 Research Summary
The paper addresses a persistent problem in the Rodin platform for Event‑B development: while automatic provers handle many proof obligations, a substantial fraction still requires interactive proofs, which are time‑consuming and costly. The authors propose “proof hints” as a bridge between interactive and automatic proving. A proof hint captures essential information that a human prover supplies during an interactive session—such as which premises were needed, which definitions were unfolded, case splits performed, or which proof rules were applied. By extracting these hints from proof attempts and embedding them directly into the Event‑B model (as annotations on guards, invariants, or auxiliary predicates), the same logical guidance becomes available to the automatic prover in future proof attempts.
The methodology consists of three main steps. First, the interactive proof log is analyzed to identify the minimal set of logical ingredients that were crucial for the proof. This involves parsing the proof tree, matching applied tactics to underlying logical rules, and pinpointing failure points that could be remedied by additional premises. Second, the extracted information is formalized as “Hint” elements in an extended Event‑B meta‑model. The authors introduce concrete categories such as RequiredCondition, AuxiliaryInvariant, and CaseSplit, each of which can be attached to model elements via a lightweight annotation language. Third, a Rodin plug‑in is implemented to manage these hints: users can add, edit, or delete hints through a graphical interface, and the plug‑in automatically supplies the stored hints to the automatic provers as extra hypotheses.
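The three steps above, as a toy end-to-end illustration added here (this is not Rodin code, nor the authors' plug-in): a constructed proof-tree log is mined for the ingredients that actually closed the proof, those ingredients are stored as typed Hint objects attached to a proof obligation, and a deliberately weak automatic prover is then run with and without them. The log format, the use of the rule names "ah" (add hypothesis) and "dc" (case distinction), the string-level rule base, and the access-control obligation are all constructed assumptions. The prover treats hints as guidance only, so every lemma hint produces a residual obligation of its own rather than being accepted as an axiom, which is the misuse discussed under the limitations below.

```python
"""Toy model of the proof-hint pipeline: (1) mine an interactive proof tree,
(2) store hints per proof obligation, (3) feed them to a bounded prover."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hint:
    kind: str        # "RequiredCondition" or "CaseSplit" (constructed categories)
    target: str      # proof obligation the hint is attached to
    payload: tuple   # predicates, kept as plain strings in this toy


@dataclass
class Node:
    rule: str        # "goal", "ah", "dc", "hyp", "auto", "open"
    arg: str
    children: list


# Constructed proof log. 2-space indentation encodes the tree: "ah" has two
# children (lemma branch, then continuation with the lemma as hypothesis),
# "dc" has one child per case, leaves "hyp"/"auto" are closed, "open" is not.
PROOF_LOG = """\
goal sessions' ⊆ dom(auth')
  ah sessions ∖ owned(u) ⊆ dom({u} ⩤ auth)
    dc u ∈ dom(auth)
      auto
      auto
    auto
"""


def parse_log(text):
    root, stack = None, []                      # stack of (depth, node)
    for line in text.splitlines():
        depth = (len(line) - len(line.lstrip(" "))) // 2
        rule, _, arg = line.strip().partition(" ")
        node = Node(rule, arg, [])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            stack[-1][1].children.append(node)
        else:
            root = node
        stack.append((depth, node))
    return root


def closed(node):
    if not node.children:
        return node.rule in ("hyp", "auto")
    return all(closed(c) for c in node.children)


def extract_hints(node, target):
    """Step 1: keep only ingredients from branches that actually closed."""
    if not closed(node):
        return []
    if node.rule == "ah":
        lemma, cont = node.children
        return ([Hint("RequiredCondition", target, (node.arg,))]
                + extract_hints(lemma, target + "/lemma")
                + extract_hints(cont, target))
    if node.rule == "dc":
        cases = (node.arg, "¬(" + node.arg + ")")
        return [Hint("CaseSplit", target, cases)] + [
            h for c in node.children for h in extract_hints(c, target)]
    return [h for c in node.children for h in extract_hints(c, target)]


# Step 3: bounded forward chaining over atomic facts. RULES stands in for the
# automatic prover's built-in rewriting knowledge (constructed): it can
# substitute equalities but cannot reason about owned(u) on its own.
RULES = [
    (("sessions' = sessions ∖ owned(u)", "sessions ∖ owned(u) ⊆ dom(auth')"),
     "sessions' ⊆ dom(auth')"),
    (("auth' = {u} ⩤ auth", "sessions ∖ owned(u) ⊆ dom({u} ⩤ auth)"),
     "sessions ∖ owned(u) ⊆ dom(auth')"),
]


def auto_prove(hyps, goal, max_rounds=3):
    facts = set(hyps)
    for _ in range(max_rounds):
        if goal in facts:
            return True
        new = {c for ps, c in RULES if all(p in facts for p in ps)} - facts
        if not new:
            break
        facts |= new
    return goal in facts


def prove_with_hints(po, hyps, goal, hints):
    """Returns (proved, residual_obligations): every RequiredCondition used as
    an extra hypothesis is also emitted as an obligation that must be
    discharged separately, so a hint never acts as an unproven axiom."""
    mine = [h for h in hints if h.target == po]
    extra = {p for h in mine if h.kind == "RequiredCondition" for p in h.payload}
    residual = [(po + "/lemma", tuple(hyps), p) for p in sorted(extra)]
    splits = [h.payload for h in mine if h.kind == "CaseSplit"] or [("⊤",)]
    proved = all(auto_prove(set(hyps) | extra | {case}, goal)
                 for cases in splits for case in cases)
    return proved, residual


# Constructed obligation: invariant "sessions ⊆ dom(auth)" preserved by logout(u).
PO = "logout/inv1/INV"
HYPS = ["sessions ⊆ dom(auth)", "sessions' = sessions ∖ owned(u)",
        "auth' = {u} ⩤ auth"]
GOAL = "sessions' ⊆ dom(auth')"


def demo():
    hints = extract_hints(parse_log(PROOF_LOG), PO)
    before = auto_prove(HYPS, GOAL)                 # fails: lemma not derivable
    after, residual = prove_with_hints(PO, HYPS, GOAL, hints)
    return before, after, hints, residual


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the obligation failing without hints, succeeding once the lemma mined from the `ah` step is supplied, and returning that lemma as a residual obligation (its own `CaseSplit` hint is attached to the `/lemma` target, where the interactive proof used it).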
To evaluate the approach, the authors selected 30 publicly available Event‑B case studies, of which 22 originally required interactive proofs. After inserting appropriate proof hints, the automatic provers succeeded on 21 of these 22 cases, raising the overall automatic proof success rate from 73 % to 96 %. Moreover, the total development time (including modeling, proof, and maintenance) decreased by an average of 18 %, and qualitative assessments indicated improved model readability and clearer documentation of design intent. The authors also observed secondary benefits: hints made the rationale behind invariants and guards explicit, facilitating communication among team members and simplifying impact analysis during model evolution.
Nevertheless, the study acknowledges limitations. Over‑annotation can clutter the model, reducing its elegance and potentially confusing future maintainers. Automatic provers might misuse hints, treating them as hard constraints rather than guidance, which could lead to spurious proof attempts. The current hint extraction process still relies on manual selection of relevant proof steps; fully automated extraction would require sophisticated pattern‑recognition techniques.
Future work is outlined along two dimensions. Technically, the authors plan to integrate machine‑learning classifiers that recognize common proof patterns and suggest hints automatically, reducing the manual burden. They also aim to formalize hint management policies (e.g., hint relevance ranking, conflict resolution) to preserve model quality. From a broader perspective, the concept of proof hints is positioned as a generic mechanism that could be transplanted to other formal methods environments such as TLA⁺, Isabelle/HOL, or Coq, where interactive proofs similarly dominate.
In conclusion, proof hints represent a pragmatic and innovative strategy to recycle the knowledge embedded in interactive proofs, turning it into reusable model artefacts that boost automatic proving, enhance model comprehension, and streamline the overall formal development lifecycle. This contribution has the potential to make Event‑B and similar formal methods more attractive for industrial adoption by lowering verification costs and improving maintainability.