\documentclass{article}
\usepackage{611-lecture}
\usepackage{611}
\usepackage{amsthm, amsmath, amssymb, amsfonts}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% CS611: Please fill in these macros as appropriate:
\lecture{15}                  %% Lecture number
\title{Semantics and Completeness of Hoare Logic} %% Title of lecture
%\author{Bryant Adams, Mia Minnes}       %% name of scribe
%\lecturer{Michael Clarkson}
\date{2 October 2006}     %% Date of lecture, e.g., 1 January 2001
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

% See 611.sty for a variety of macros that will be helpful in
% typesetting the lecture. Here are a few of particular interest:
%
% "x"	 	x in keyword font (e.g., "if", "#t")
% _x_	 	x in italics
% \nm{n}   	n in slanted font (used for abbreviations)
%          	(if x is more than a single character, use \Tr{x}{y})

% ---- Local macros for this lecture -----------------------------------------
% Unnumbered "Definition" environment (amsthm), set in the upright definition style.
\theoremstyle{definition}
\newtheorem*{defn}{Definition}
% Nondeterministic-choice box "[ ]"; defined here but not used in this lecture.
\newcommand{\nondet}{\left[\!\kern1pt\right]}
% Use the rounded variant of phi for assertion variables throughout.
\renewcommand\phi\varphi
% \wp{c}{psi} / \wlp{c}{psi}: weakest (liberal) precondition of c w.r.t. psi.
% NOTE: \wp overrides the kernel's Weierstrass-p symbol for this document.
\renewcommand\wp[2]{\mathsf{wp}~{#1}~{#2}}
\newcommand\wlp[2]{\mathsf{wlp}~{#1}~{#2}}
% NOTE: \( and \) are redefined to open/close an eqnarray* display, so in this
% file they are NOT inline math delimiters.  eqnarray is obsolete (amsmath's
% align* is the modern replacement), but swapping it here would change the
% layout of every display below, so the redefinition is left as is.
\renewcommand\({\begin{eqnarray*}}
\renewcommand\){\end{eqnarray*}}

% Store-manipulation notation (LOOKUP, UPDATE, MALLOC, EMPTY-STORE) and the
% pairing/evaluation-context macros below are carried over from other lectures;
% none of them is used in this one.
\newcommand\LOOKUP[2]{\mathrm{LOOKUP}~{#1}~{#2}}
\newcommand\UPDATE[3]{\mathrm{UPDATE}~{#1}~{#2}~{#3}}
\newcommand\MALLOC[2]{\mathrm{MALLOC}~{#1}~{#2}}
\newcommand\EMPTY{\mathrm{EMPTY\mbox{-}STORE}}
% \renewcommand requires \dom to already exist (it must come from 611.sty or
% 611-lecture.sty); a \newcommand here would fail in that case, and vice versa.
\renewcommand\dom[1]{\mathrm{dom}\,{#1}}
% \p{a}{b}: angle-bracket pair <a, b>.
\newcommand\p[2]{\langle{#1},\,{#2}\rangle}
% Small raised bullet used as the "hole" of an evaluation context E[.].
\newcommand\bigcdot{\mathrel{\raisebox{1pt}{$\scriptscriptstyle\bullet$}}}
\newcommand\holed[1]{[\,#1\,]}
\newcommand\hole{\holed\bigcdot}
\newcommand\context[1]{E\kern1pt\holed{#1}}
\newcommand\contextHole{\context\bigcdot}
% \goesto{above}{below}: long right arrow with a label above and one below (amsmath).
\newcommand\goesto[2]{\underset{#2}{\overset{#1}\longrightarrow}}
% IMP command syntax, keywords in sans-serif: if/then/else, while/do, let/letrec.
% Only \ifthenelse and \whiledo are used in this lecture.
\newcommand\ifthenelse[3]{\mathsf{if\ }#1\mathsf{\ then\ }#2\mathsf{\ else\ }#3}
\newcommand\whiledo[2]{\mathsf{while\ }#1\mathsf{\ do\ }#2}
\newcommand\letin[3]{\mathsf{let\ }#1 = #2\mathsf{\ in\ }#3}
\newcommand\letrec[5]{\mathsf{letrec\ }#1 = #2\mathsf{\ and\ \ldots\ and\ }#3 = #4\mathsf{\ in\ }#5}
\newcommand\letrecone[3]{\mathsf{letrec\ }#1 = #2\mathsf{\ in\ }#3}
% Keyword constants usable in text or math.  The body of this lecture writes
% "true"/"false" with the 611.sty keyword-font quotes instead of these macros.
\newcommand\true{\ensuremath{\mathsf{true}}}
\newcommand\false{\ensuremath{\mathsf{false}}}
\newcommand\error{\ensuremath{\mathsf{error}}}
% \pca{phi}{c}{psi}: Hoare partial correctness assertion {phi} c {psi}.
\newcommand\pca[3]{\{#1\}\kern1pt{#2}\kern1pt\{#3\}}
% St, the set of all states (\Set comes from the class/package files).
\newcommand\states{\Set{St}}
% Reflexive transitive closure: a text-size superscript star, as in R\rtc.
\newcommand\rtc{^{\textstyle *}}
% Semantic truth (|=) and provability in Hoare logic (|-).
\newcommand\sat\vDash
\newcommand\force\vdash

\begin{document}

\maketitle

\section{Semantics of IMP Revisited}

\subsection{Syntax of Commands}

\begin{eqnarray*}
c & ::= & "skip" \bnf x:=a \bnf c_0;c_1 \bnf \ifthenelse b{c_1}{c_2} \bnf \whiledo bc.
\end{eqnarray*}

\subsection{Big-Step Rules}

% \tl: width of the widest rule label below ("(sequential composition)"), so
% that every label sits in a \parbox of the same width and the rules line up.
\newlength\tl
\settowidth\tl{(sequential composition)}
\begin{itemize}
\item[]
\parbox\tl{("skip")}
\begin{tabular}c
$<"skip",\sigma>\stepsto\sigma$
\end{tabular}
\item[]
\parbox\tl{(assignment)}
\begin{tabular}{c}
\infer{<x:=a,\sigma>\stepsto\sigma[n/x]}{<a,\sigma>\stepsto n}
\end{tabular}
\item[]
\parbox\tl{(sequential composition)}
\begin{tabular}{c}
\infer{<c_0;c_1,\sigma>\stepsto\rho}
 {<c_0,\sigma>\stepsto\tau\quad<c_1,\tau>\stepsto\rho}
\end{tabular}
\item[]
\parbox\tl{(conditional)}
\begin{tabular}{cc}
\infer{<\ifthenelse b{c_1}{c_2},\sigma>\stepsto\tau}
 {<b,\sigma>\stepsto "true"\quad<c_1,\sigma>\stepsto\tau} &
\infer{<\ifthenelse b{c_1}{c_2},\sigma>\stepsto\tau}
 {<b,\sigma>\stepsto "false"\quad<c_2,\sigma>\stepsto\tau}
\end{tabular}
\item[]
\parbox\tl{(while loop)}
\begin{tabular}{cc}
\infer{<\whiledo bc,\sigma>\stepsto\sigma}
 {<b,\sigma>\stepsto"false"} &
\infer{<\whiledo bc,\sigma>\stepsto\rho}
 {<b,\sigma>\stepsto"true"\quad<c,\sigma>\stepsto\tau\quad<\whiledo bc,\tau>\stepsto\rho}
\end{tabular}
\end{itemize}

\subsection{Binary Relation Semantics}

In the semantics of IMP, states $\sigma,\tau,\ldots$ are functions $\Set{Var}\rightarrow\mathbb Z$.  Let \states\ denote the set of all states.  For each program $c$, the big-step rules determine a binary input/output relation on \states, namely
\(
\SB c &\definedas& \{(\sigma,\tau) \mid <c,\sigma>\stepsto\tau\}\ \ \subseteq\ \ \states\times\states.
\)
With this notation, we can express the big-step rules in terms of some basic operations on binary relations, namely _relational composition_ ($\circ$) and _reflexive transitive closure_ ($\rtc$):
\(
R\circ S &\definedas& \{(\sigma,\rho) \mid \exists \tau\ (\sigma,\tau)\in R,\ (\tau,\rho)\in S\}\\
R\rtc &\definedas& \bigcup_{n\geq 0} R^n\ \ =\ \ \{(\sigma,\tau) \mid \exists n\geq 0\ \exists \sigma_0,\ldots,\sigma_n\ \sigma=\sigma_0,\ \tau=\sigma_n,\ \mbox{and}\ (\sigma_i,\sigma_{i+1})\in R,\ 0\leq i\leq n-1\},
\)
where $R^0\definedas\{(\sigma,\sigma) \mid \sigma\in\states\}$ and $R^{n+1}\definedas R\circ R^n$.  Note that $\circ$ is taken in diagrammatic (left-to-right) order---$R\circ S$ relates $\sigma$ to $\rho$ when first $R$ takes $\sigma$ to some $\tau$ and then $S$ takes $\tau$ to $\rho$---which is the reverse of the usual convention for function composition $g\circ f$; with this convention the equations below read in program order.  The big-step rules are equivalent to the following:
\[\begin{array}{lrcl}
\mbox{("skip")} & \SB{"skip"} &=& \{(\sigma,\sigma) \mid \sigma\in\states\}\\[1ex]
\mbox{(assignment)} & \SB{x:=a} &=& \{(\sigma,\sigma[n/x]) \mid <a,\sigma>\stepsto n\}\\[1ex]
\mbox{(sequential composition)} & \SB{c_0;c_1} &=& \SB{c_0}\circ\SB{c_1}\\[1ex]
\mbox{(conditional)} & \SB{\ifthenelse b{c_1}{c_2}} &=& \SB{b}\circ\SB{c_1}\ \cup\ \SB{\neg b}\circ\SB{c_2}\\[1ex]
\mbox{(while loop)} & \SB{\whiledo bc} &=& (\SB{b}\circ\SB{c})\rtc\circ\SB{\neg b},
\end{array}\]
where in the conditional and while loop,
\(
\SB{b} &\definedas& \{(\sigma,\sigma) \mid <b,\sigma>\stepsto"true"\}\\
\SB{\neg b} &\definedas& \{(\sigma,\sigma) \mid <b,\sigma>\stepsto"false"\}\ \ =\ \ \SB{"skip"} - \SB b.
\)
The equation $\SB{\neg b} = \SB{"skip"} - \SB b$ relies on the fact that evaluation of a boolean expression in IMP always produces exactly one of "true" and "false" in every state, so that $\SB b$ and $\SB{\neg b}$ partition the identity relation.  In fact, this would have been a much more compact way to define them originally.

\subsection{Semantics of Weakest Liberal Preconditions and Partial Correctness Assertions}

We can now give a formal semantics for weakest liberal preconditions and Hoare partial correctness assertions.  Let $L$ denote the underlying logic (typically first-order logic).  Write $\sigma\sat\phi$ if the formula $\phi$ of $L$ is true in state $\sigma$, and write $\sat\phi$ if $\phi$ is true in all states.  We wish to define what it means for a weakest liberal precondition assertion $\wlp c\psi$ to be true in a state $\sigma$, written $\sigma\sat\wlp c\psi$, and for a partial correctness assertion $\pca\phi c\psi$ to be true, written $\sat\pca\phi c\psi$.
\(
\sigma\sat\wlp c\psi &\stackrel\triangle\Longleftrightarrow& \forall\tau\ \ (\sigma,\tau)\in\SB c\ \Rightarrow\ \tau\sat\psi\\[1ex]
\sat\pca\phi c\psi &\stackrel\triangle\Longleftrightarrow& \forall\sigma\ \ \sigma\sat\phi\ \Rightarrow\ \sigma\sat\wlp c\psi\\
&\Longleftrightarrow& \forall\sigma,\tau\ \ \sigma\sat\phi\wedge(\sigma,\tau)\in\SB c\ \Rightarrow\ \tau\sat\psi.
\)
Note that the quantification over $\tau$ in the definition of $\sigma\sat\wlp c\psi$ is vacuous when $c$ does not terminate from $\sigma$ (there is then no $\tau$ with $(\sigma,\tau)\in\SB c$), so $\sigma\sat\wlp c\psi$ holds trivially in such a state; this is the sense in which the precondition is \emph{liberal}.  Accordingly, $\sat\pca\phi c\psi$ says only that \emph{if} $c$ halts when started in a state satisfying $\phi$, then the final state satisfies $\psi$---partial correctness guarantees nothing about termination.

\subsection{Soundness and Relative Completeness of Hoare Logic}

Let us write $\force\pca\phi c\psi$ to assert that $\pca\phi c\psi$ is provable in Hoare logic.  Then soundness and relative completeness of Hoare logic are captured in the following theorems.  The relative completeness result is due to Cook (1978).  ``Relative'' means relative to the truth of the underlying logic $L$: Hoare logic cannot be complete outright, since $\sat\pca{\true}{"skip"}\psi$ holds exactly when $\sat\psi$, so a complete effective proof system for partial correctness assertions would enumerate all true formulas of $L$, which is impossible when $L$ is, for instance, arithmetic.  The theorem therefore assumes an oracle for the true formulas of $L$ and shows that, given such an oracle, every true partial correctness assertion is derivable.

\medskip\noindent
\textbf{Theorem (soundness)}\quad $\force\pca\phi c\psi\ \Rightarrow\ \ \sat\pca\phi c\psi$.

\smallskip\noindent
Soundness is the direction one relies on when a derivation is used as evidence about a program: it says that whatever is provable is true, but true only in the sense defined above, that is, with respect to the relation $\SB c$ induced by the big-step rules.  A derivation therefore certifies nothing about behaviour that this model does not capture (termination, for instance, is not a partial correctness property).

\medskip\noindent
\textbf{Theorem (relative completeness)}\quad Assume that the underlying logic $L$ is _expressive_ in the sense that all weakest liberal preconditions are expressible in $L$; that is, for each program $c$ and formula $\psi$ of $L$, there is a formula $\psi'$ of $L$ such that for all $\sigma$, $\sigma\sat\psi'$ iff $\sigma\sat\wlp c\psi$.  Then $\sat\pca\phi c\psi\ \Rightarrow\ \ \force\pca\phi c\psi$, provided we are allowed to assume all true formulas of $L$ as axioms.

\medskip

\textit{Proof sketch}.  The proof is by structural induction on $c$.  We will just sketch the proof for two cases, assignments and the while loop.

For an assignment $x:=a$, suppose $\sat\pca\phi{x:=a}\psi$.  Then $\forall\sigma\ \ \sigma\sat\phi\ \Rightarrow\ \sigma\sat\wlp{(x:=a)}\psi$.  But $\wlp{(x:=a)}\psi = \subst\psi ax$, so $\forall\sigma\ \ \sigma\sat\phi\ \Rightarrow\ \sigma\sat\subst\psi ax$, therefore $\sat\phi\rightarrow\subst\psi ax$.  We can thus assume $\force\phi\rightarrow\subst\psi ax$, since we are allowed to take true formulas of $L$ as axioms.  Then $\force\pca{\subst\psi ax}{x:=a}\psi$ by the assignment rule of Hoare logic, thus $\force\pca\phi{x:=a}\psi$ by the weakening rule of Hoare logic.

Now for the while loop.  Suppose $\sat\pca\phi{\whiledo bc}\psi$.  Then $\forall\sigma\ \ \sigma\sat\phi\ \Rightarrow\ \sigma\sat\wlp{(\whiledo bc)}\psi$.  Since $L$ is expressive, $\wlp{(\whiledo bc)}\psi$ is equivalent to a formula $\rho$ of $L$, and $\sat\phi\rightarrow\rho$.  Since the programs
\(
\whiledo bc &\quad& \ifthenelse b{(c;\whiledo bc)}{"skip"}
\)
are semantically equivalent (in the binary relation semantics above both denote $\SB{\neg b}\ \cup\ \SB b\circ\SB c\circ(\SB b\circ\SB c)\rtc\circ\SB{\neg b}$, using $R\rtc = R^0\cup R\circ R\rtc$ and the fact that $\SB{"skip"}$ is the identity relation), we have
\(
\rho &\Leftrightarrow& \wlp{(\whiledo bc)}\psi\\
&\Leftrightarrow& \wlp{(\ifthenelse b{(c;\whiledo bc)}{"skip"})}\psi\\
&\Leftrightarrow& (b\ \Rightarrow\ \wlp c{(\wlp{(\whiledo bc)}\psi)}) \wedge (\neg b\ \Rightarrow\ \wlp{"skip"}\psi)\\
&\Leftrightarrow& (b\ \Rightarrow\ \wlp c\rho) \wedge (\neg b\ \Rightarrow\ \psi),
\) 
thus $\sat\rho\wedge\neg b \rightarrow \psi$ and $\sat\rho\wedge b \rightarrow \wlp c\rho$.  The latter says exactly that $\sat\pca{\rho\wedge b}c\rho$, by the definition of $\sat$ for partial correctness assertions.  By the induction hypothesis (applied to the subprogram $c$), $\force\pca{\rho\wedge b}c\rho$, and by the fact that we may assume all true formulas of $L$ as axioms, $\force\phi\rightarrow\rho$ and $\force\rho\wedge\neg b \rightarrow \psi$.  Then
% Layout helpers for the two-column "step / justification" derivation below.
\newlength\reasonwidth
\setlength\reasonwidth{3cm}
% \reasoning{formula}: set \reasonwidth to the display width of the widest
% formula plus 5mm.  (The scratch macro \longest is set with \def, which
% silently overwrites any earlier definition of that name.)
\newcommand\reasoning[1]{\def\longest{#1}\settowidth{\reasonwidth}{$\displaystyle\longest$}\addtolength{\reasonwidth}{5mm}}
% \reason{formula}{why}: the formula left-aligned in a box of width
% \reasonwidth, followed by the justification text.
\newcommand\reason[2]{\makebox[\reasonwidth][l]{$\displaystyle{#1}$}\mbox{#2}}
\reasoning{\force\pca\rho{\whiledo bc}{\rho\wedge\neg b}}
\(
\force\pca{\rho\wedge b} c\rho
&\Rightarrow& \reason{\force\pca\rho{\whiledo bc}{\rho\wedge\neg b}}{by the Hoare while rule}\\
&\Rightarrow& \reason{\force\pca\phi{\whiledo bc}\psi}{by weakening}.
\)
\hfill$\Box$

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
