\documentclass{article}
\usepackage{611-lecture}
\usepackage{amsthm,amsmath,amssymb}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% CS611: Please fill in these macros as appropriate:
\lecture{16}                  %% Lecture number
\title{Dynamic Logic and Kleene Algebra with Tests} %% Title of lecture
%\author{Bryant Adams, Mia Minnes}       %% name of scribe
%\lecturer{Michael Clarkson}
\date{4 October 2006}     %% Date of lecture, e.g., 1 January 2001
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\theoremstyle{definition}
\newtheorem*{defn}{Definition}
\newcommand{\nondet}{\left[\!\kern1pt\right]}
\renewcommand\phi\varphi
\renewcommand\wp[2]{\mathsf{wp}~{#1}~{#2}}
\newcommand\wlp[2]{\mathsf{wlp}~{#1}~{#2}}
\renewcommand\({\begin{eqnarray*}}
\renewcommand\){\end{eqnarray*}}

\newcommand\LOOKUP[2]{\mathrm{LOOKUP}~{#1}~{#2}}
\newcommand\UPDATE[3]{\mathrm{UPDATE}~{#1}~{#2}~{#3}}
\newcommand\MALLOC[2]{\mathrm{MALLOC}~{#1}~{#2}}
\newcommand\EMPTY{\mathrm{EMPTY\mbox{-}STORE}}
\renewcommand\dom[1]{\mathrm{dom}\,{#1}}
\newcommand\p[2]{\langle{#1},\,{#2}\rangle}
\newcommand\bigcdot{\mathrel{\raisebox{1pt}{$\scriptscriptstyle\bullet$}}}
\newcommand\holed[1]{[\,#1\,]}
\newcommand\hole{\holed\bigcdot}
\newcommand\context[1]{E\kern1pt\holed{#1}}
\newcommand\contextHole{\context\bigcdot}
\newcommand\goesto[2]{\underset{#2}{\overset{#1}\longrightarrow}}
\newcommand\ifthenelse[3]{\mathsf{if\ }#1\mathsf{\ then\ }#2\mathsf{\ else\ }#3}
\newcommand\whiledo[2]{\mathsf{while\ }#1\mathsf{\ do\ }#2}
\newcommand\letin[3]{\mathsf{let\ }#1 = #2\mathsf{\ in\ }#3}
\newcommand\letrec[5]{\mathsf{letrec\ }#1 = #2\mathsf{\ and\ \ldots\ and\ }#3 = #4\mathsf{\ in\ }#5}
\newcommand\letrecone[3]{\mathsf{letrec\ }#1 = #2\mathsf{\ in\ }#3}
\newcommand\true{\ensuremath{\mathsf{true}}}
\newcommand\false{\ensuremath{\mathsf{false}}}
\newcommand\error{\ensuremath{\mathsf{error}}}
\newcommand\pca[3]{\{#1\}\kern1pt{#2}\kern1pt\{#3\}}
\newcommand\states{\Set{St}}
\newcommand\rtc{^{\textstyle *}}
\newcommand\sat\vDash
\newcommand\force\vdash

\newlength\reasonwidth
\setlength\reasonwidth{3cm}
\newcommand\reasoning[1]{\def\longest{#1}\settowidth{\reasonwidth}{$\displaystyle\longest$}\addtolength{\reasonwidth}{5mm}}
\newcommand\reason[2]{\makebox[\reasonwidth][l]{$\displaystyle{#1}$}\mbox{#2}}
\newcommand\comp[2]{{#1};{#2}}
\newcommand\ite[3]{\ifthenelse{#1}{#2}{#3}}
\newcommand\whd[2]{\whiledo{#1}{#2}}
\renewcommand\star{^{\textstyle *}}
\newcommand\barnone{\bar{\rule{0mm}{1ex}\hspace{1ex}}}
\renewcommand\d[1]{\mbox{\rm\texttt<}#1\mbox{\rm\texttt>}}
\newcommand\bx[1]{\mbox{\rm\texttt[}#1\mbox{\rm\texttt]}}

\begin{document}

\maketitle

\section{Outline}

Weakest preconditions, predicate transformers, and Hoare logic were relatively early developments.  In this lecture we survey some more recent developments in this area:
\begin{itemize}
\setlength\itemsep{0pt}
\item{Kleene algebra (KA) and Kleene algebra with tests (KAT)}
\item{Dynamic logic (DL)}
\end{itemize}

\section{Kleene Algebra (KA)}

\emph{Kleene algebra} (KA) is an algebraic system that captures axiomatically the properties of
several natural classes of structures that arise in logic and computer science. It is named for Stephen
Cole Kleene (1909--1994), who among his many other achievements invented finite automata
and regular expressions, structures of fundamental importance in computer science. Kleene
algebra is the algebraic theory of these objects, although it has many other natural and
useful interpretations.  Kleene algebras arise in
various guises in many contexts: relational algebra, semantics and logics of programs,
automata and formal language theory, and the design and analysis of algorithms.

Formally, a \emph{Kleene algebra} is an algebraic structure
$(K,\,+,\,\cdot,\,\star ,\,0,\,1)$ satisfying the axioms listed below.
The operator $\cdot$ is usually omitted, writing $pq$ for
$p\cdot q$.  The order of precedence of the operators is $\star>\cdot>+$; thus $p + qr\star$ should be parsed as $p + (q(r\star))$.

The axioms of KA are
\[\begin{array}{rcl@{\hspace{1cm}}rcl}
p+(q+r) &=& (p+q)+r & p(qr) &=& (pq)r\\
p+q &=& q+p & 1p &=& p\\
p+0 &=& p & p1 &=& p\\
p+p &=& p\\[1em]
p(q+r) &=& pq+pr & 0p &=& 0\\
(p+q)r &=& pr+qr & p0 &=& 0\\[1em]
1+pp\star &=& p\star & q+pr \leq r &\rightarrow& p\star q \leq r\\
1+p\star p &=& p\star & q+rp \leq r &\rightarrow& qp\star \leq r
\end{array}\]
where $\leq$ refers to the natural partial order on $K$:
\(
p\leq q &\stackrel\triangle\Longleftrightarrow& p+q = q.
\)
Instead of the last two equational implications, we might take the equivalent axioms
\[\begin{array}{rcl@{\hspace{1cm}}rcl}
pr \leq r &\rightarrow& p\star r \leq r & rp \leq r &\rightarrow& rp\star \leq r.
\end{array}\]
The axioms not involving $\star$, taken together, say that the structure
$(K,\,+,\,\cdot,\,0,\,1)$ is an \emph{idempotent semiring}.  The term \emph{idempotent}
refers to the axiom $p+p=p$.  The remaining axioms involving $\star$ say
essentially that $\star$ behaves like the Kleene asterate operator of
formal language theory or the reflexive transitive closure operator of binary relations.

The standard model is the family of regular sets over a finite alphabet $\Sigma$.  The elements
are the regular subsets of $\Sigma\star$, the set of all finite-length strings over $\Sigma$, including the null string $\varepsilon$.  The operations are
\[\begin{array}{rcl@{\hspace{1cm}}rcl}
A + B &\definedas& A \cup B & 0 &\definedas& \varnothing\\[2pt]
A\cdot B &\definedas& \{xy \mid x\in A,\ y\in B\} & 1 &\definedas& \{\varepsilon\}\\[2pt]
A\star &\definedas& \lefteqn{\bigcup_{n\geq 0} A^n\ \ =\ \ \{x_1\cdots x_n \mid n\geq 0\mbox{ and }x_i\in A,\ 1\leq i\leq n\},}
\end{array}\]
where $A^0\definedas\{\varepsilon\}$ and $A^{n+1}\definedas AA^n$.  The operation $\star$ is known as \emph{Kleene asterate}.

Another model is the family of binary relations on a set $X$, that is, subsets of $X\times X$, with operations
\[\begin{array}{rcl@{\hspace{1cm}}rcl}
R + S &\definedas& R\cup S & 0 &\definedas& \varnothing\\[2pt]
R\cdot S &\definedas& R\circ S\ \ =\ \ \{(u,w) \mid \exists v\ (u,v)\in R\wedge (v,w)\in S\} & 1 &\definedas& \{(u,u) \mid u\in X\}\\[2pt]
R\star &\definedas& \lefteqn{\bigcup_{n\geq 0} R^n\ \ =\ \ \{\mbox{reflexive transitive closure of $R$}\},}
\end{array}\]
where $R^0\definedas\{(u,u) \mid u\in X\}$ and $R^{n+1}\definedas R\circ R^n$.

One can show that the family of $n\times n$ matrices over a Kleene algebra is a Kleene algebra.  Other more unusual interpretations include the (min,+) algebra used in shortest path algorithms and models consisting of convex polyhedra used in computational geometry.

The following are some typical consequences of the axioms:
\[\begin{array}{rcl@{\hspace{1cm}}rcl}
(p\star q)\star p\star &=& (p+q)\star & p(qp)\star &=& (pq)\star p\\
(pq)\star &=& 1 + p(qp)\star q & p\star &=& (pp)\star(1+p).
\end{array}\]

The axioms are complete for the equational theory of the regular set model.  That is, all true identities between regular expressions, interpreted as regular sets of strings, are provable.  The axioms are also complete for the equational theory of relational models, which are useful in programming language semantics.

\section{Kleene Algebra with Tests (KAT)}

A \emph{Kleene algebra with tests} (KAT) is just a Kleene algebra with an embedded Boolean subalgebra.  That is, it is a two-sorted structure $(K,\,B,\ +,\,\cdot,\,\star,\,\barnone,\,0,\,1)$ such that
\begin{itemize}
\item
$(K,\,+,\,\cdot,\,\star ,\,0,\,1)$ is a Kleene algebra,
\item
$(B,\,+,\,\cdot,\,\barnone,\,0,\,1)$ is a Boolean algebra, and
\item
$(B,\,+,\,\cdot,\,0,\,1)$ is a subalgebra of $(K,\,+,\,\cdot,\,0,\,1)$.
\end{itemize}
The Boolean complementation operator $\barnone$ is defined only on $B$.  Elements of $B$ are called \emph{tests}.  The letters $p,q,r,s$ denote arbitrary elements of $K$ and $a,b,c$ denote tests.

This deceptively simple definition actually carries a lot of information in a concise package.  The operators $+,\cdot,0,1$ each play two roles: applied to arbitrary elements of $K$, they refer to nondeterministic choice, composition, fail, and skip, respectively; and applied to tests, they take on the additional meaning of Boolean disjunction, conjunction, falsity, and truth, respectively.  These two usages do not conflict---for example, sequential testing of $b$ and $c$ is the same as testing their conjunction---and their coexistence admits considerable economy of expression.

The programming constructs of the IMP language are encoded as follows:
\[\begin{array}{rcl@{\hspace{1cm}}rcl@{\hspace{1cm}}rcl}
\comp p q &\definedas& pq & \ite b p q &\definedas& bp + \bar b q & \whd b p &\definedas& (bp)\star \bar b.
\end{array}\]

For applications in program verification, the standard interpretation would be a Kleene algebra of binary relations on a set and the Boolean algebra of subsets of the identity relation.  There are also \emph{trace models}, in which the Kleene elements are sets of traces (sequences of states) and the Boolean elements are sets of states (traces of length 0).  As with KA, one can form the algebra of $n\times n$ matrices over a KAT $(K,B)$; the Boolean elements of this structure are the diagonal matrices over $B$.  There is also a language-theoretic model that plays the same role in KAT that the regular sets of strings over a finite alphabet play in KA, namely the family of regular sets of \emph{guarded strings} over a finite alphabet $\Sigma$ with guards from a set $\mathsf B$.  The equational theory of this structure is exactly the set of all equational consequences of the KAT axioms.  Moreover, KAT is complete for the equational theory of relational models.

\subsection{Encoding Hoare Logic}

As we have seen, Hoare logic uses a specialized syntax involving \emph{partial correctness assertions} (PCAs) of the form $\pca bpc$ and a deductive apparatus consisting of a system of specialized rules of inference.  The PCA $\pca bpc$ is encoded in KAT in any one of the following three equivalent ways:
\[\begin{array}{rcl@{\hspace{1cm}}rcl@{\hspace{1cm}}rcl}
bp &\leq& pc & bp &=& bpc & bp\bar c &=& 0.
\end{array}\]
Intuitively, the last of these says that the program $p$ with preguard $b$ and postguard $\bar c$ has no halting execution, and the second says that the test $c$ after executing $p$ with preguard $b$ is always redundant.

Hoare-style inference rules of the form 
\begin{equation}
\frac{\pca{b_1}{p_1}{c_1},\ \ldots,\ \pca{b_n}{p_n}{c_n}}{\pca bpc}\label{eqn:Hoarerule}
\end{equation}
become equational implications (universal Horn formulas)
\newcommand\kpca[3]{{#1}{#2}\leq{#2}{#3}}
\(
\kpca{b_1}{p_1}{c_1}\wedge\ldots\wedge\kpca{b_n}{p_n}{c_n} &\rightarrow& \kpca bpc
\)
in KAT.  The variables are implicitly universally quantified.  The Hoare rules (see Lecture 14) then take the following form:
\newlength\tl
\settowidth\tl{(sequential composition)\quad}
\begin{enumerate}
\item[] \parbox\tl{(sequential composition)} $bp\leq pc \wedge cq\leq qd\ \rightarrow\ bpq\leq pqd$
\item[] \parbox\tl{(conditional)} $bcp\leq pd \wedge \bar bcq\leq qd\ \rightarrow\ c(bp+\bar bq)\leq (bp+\bar bq)d$
\item[] \parbox\tl{(while)} $bcp\leq pc\ \rightarrow\ c(bp)\star\bar b\leq (bp)\star\bar b\kern2pt\bar bc$
\item[] \parbox\tl{(weakening)} $b'\leq b \wedge bp\leq pc \wedge c\leq c'\ \rightarrow\ b'p\leq pc'$.
\end{enumerate}

\medskip\noindent
\textbf{Theorem}
The KAT encodings of the Hoare rules above are all theorems of KAT.

\medskip

\emph{Proof sketch}.
We just do the ``while'' rule.  By trivial simplifications it suffices to show $cbp\leq bpc \rightarrow c(bp)\star\leq (bp)\star c$.  Taking $q=bp$, it suffices to show $cq\leq qc \rightarrow cq\star\leq q\star c$.  Assume $cq\leq qc$.  By the axiom $c + xq\leq x \rightarrow cq\star\leq x$ of Kleene algebra, we need only show $c + q\star cq\leq q\star c$.  But
\reasoning{c1c + c(bp)\star cbpc}
\begin{eqnarray*}
c + q\star cq &\leq& \reason{c + q\star qc}{by the assumption $cq\leq qc$ and monotonicity}\\
&\leq& \reason{(1 + q\star q)c}{by distributivity}\\
&\leq& \reason{q\star c}{by the axiom $1 + q\star q = q\star$.}
\end{eqnarray*}
\hfill$\Box$

\medskip

More importantly,

\medskip\noindent
\textbf{Theorem}
KAT is complete for all relationally valid Hoare rules of the form (\ref{eqn:Hoarerule}); that is, all such rules that are true in all relational interpretations are theorems of KAT.

\medskip

The analogous completeness statement is trivially false for Hoare logic; for example,
\[
\frac{\pca b{\ifthenelse dpp}c}{\pca bpc}
\]
is not provable in Hoare logic, but its translation $b(dp+\bar dp)\leq (dp+\bar dp)c\rightarrow bp\leq pc$ is easily provable in KAT.

\section{Dynamic Logic (DL)}

\newcommand\nec[1]{\Box\kern1pt{#1}}
\newcommand\pos[1]{\Diamond\kern1pt{#1}}

Dynamic Logic (DL) is a logic of programs based on \emph{modal logic}, the logic of \emph{possibility} and \emph{necessity}.  Modal logic has formulas $\pos\phi$, read ``$\phi$ is possible'' or just ``diamond $\phi$'', and $\nec\phi$, read ``$\phi$ is necessary'' or just ``box $\phi$''.  These operators are dual to each other in the sense that $\pos\phi\Leftrightarrow\neg\nec{\neg\phi}$; intuitively, $\phi$ is possibly true if and only if it is not necessarily false.

In Dynamic Logic, there is a separate modality for each program $p$, and we can write $\bx p\phi$ or $\d p\phi$.  In Propositional Dynamic Logic (PDL), programs are usually taken to be \emph{regular programs} formed with the regular expression operators as in Kleene algebra.  There is also a test operator ? that turns a proposition into a program.

Programs are interpreted as binary relations on a set of states, and propositions are interpreted as sets of states.  The formula $\bx p\phi$ is semantically equivalent to the weakest liberal precondition $\wlp p\phi$.  Thus the Hoare partial correctness assertion $\pca \phi p\psi$ is equivalent to $\phi\rightarrow\bx p\psi$.

The axioms and rules of inference of PDL are
\begin{enumerate}
\item
axioms for propositional logic\label{eqn:prop}
\item
$\bx p(\phi\rightarrow\psi)\ \ \rightarrow\ \ (\bx p\phi\rightarrow\bx p\psi)$\label{eqn:modalK}
\item
$\bx p(\phi\wedge\psi)\ \ \leftrightarrow\ \ \bx p\phi\wedge\bx p\psi$\label{eqn:modalR}
\item
$\bx{p+q}\phi\ \ \leftrightarrow\ \  \bx p\phi\wedge\bx q\phi$\label{eqn:cup}
\item
$\bx{\comp p q}\phi\ \ \leftrightarrow\ \ \bx p\bx q\phi$\label{eqn:box-seq}
\item
$\bx{\psi?}\phi\ \ \leftrightarrow\ \ (\psi\rightarrow\phi)$\label{eqn:box-test}
\item
$\phi\wedge\bx p\bx{p\star}\phi\ \ \leftrightarrow\ \ \bx{p\star}\phi$\label{eqn:rtc1}
\item
\label{eqn:box-ind}
$\phi\wedge\bx{p\star}(\phi\rightarrow\bx p\phi)\ \ \rightarrow\ \ \bx{p\star}\phi$\qquad\mbox{(induction axiom)}
\item
$\displaystyle\frac{\phi \quad \phi\rightarrow\psi}{\psi}$\qquad\mbox{(modus ponens)}\label{eqn:MP}
\item
$\displaystyle\frac{\phi}{\bx p\phi}$\qquad\mbox{(modal generalization)}\label{eqn:GEN}
\end{enumerate}
Axioms \ref{eqn:prop}--\ref{eqn:modalR} and the rules of inference \ref{eqn:MP} and \ref{eqn:GEN} are not particular to PDL, but come from modal logic.

Axiom \ref{eqn:box-ind} is called the PDL \emph{induction axiom}.  Intuitively, it says: ``Suppose $\phi$ is true in the current state, and suppose that after any number of iterations of $p$, if $\phi$ is still true, then it will be true after one more iteration of $p$.  Then $\phi$ will be true after any number of iterations of $p$.''  In other words, if $\phi$ is true initially, and if the truth of $\phi$ is preserved by the program $p$, then $\phi$ will be true after any number of iterations of $p$.

The axioms are complete over all relational interpretations.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
