\documentclass[11pt,twoside]{scrartcl}
% \documentclass[11pt]{scrartcl}
% \documentclass[11pt,twoside]{article}

% \usepackage[top=1in,bottom=1in,left=1in,right=1in]{geometry}
% \geometry{letter}

%opening
\newcommand{\lecid}{15-414}
\newcommand{\leccourse}{Bug Catching: Automated Program Verification}
\newcommand{\lecdate}{February 25, 2021} %e.g. {October 21, 2013}
\newcommand{\lecnum}{7}
\newcommand{\lectitle}{Loops}
\newcommand{\lecturer}{Frank Pfenning}
\newcommand{\lecurl}{http://www.cs.cmu.edu/~15414/s21}

\usepackage{lecnotes}
\input{fp-macros}
\lstset{style=why}

\begin{document}

\maketitle
\thispagestyle{empty}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\section{Introduction}

At a high level, here is what our formalization efforts have
been so far:
\begin{enumerate}
\item We defined a formal language of \emph{arithmetic expressions}
  $e$ and \emph{states} $\omega$ as a map from variables to integer
  values.  The meaning of an expression in a given state is some
  integer $c$.  We used $\omega \lbb e\rbb = c$ to define the meaning
  of expressions by cases based on the form of $e$.  This definition
  may seem superfluous, but it provides a means to interpret the
  \emph{syntax} of expressions with their mathematical meaning as
  integers.
\item We defined a formal language of \emph{programs} $\alpha$ with
  statements for assignment, sequential composition, conditionals,
  while loops, and guards.  Because we would like to allow for cases
  where programs are nondeterministic, the meaning of a program is
  given as a \emph{relation} between a prestate $\omega$ and a
  poststate $\nu$, written as $\omega \lbb \alpha\rbb \nu$.  This is
  defined by analyzing the structure of the program $\alpha$.
\item We defined a formal language of \emph{formulas} $P$ with the
  usual logical operators like conjunction, disjunction, implication,
  negation and also universal and existential quantification over
  integers.  The basic formulas are equality and inequality of
  expressions.  Formulas do double duty: they are used in our language
  of programs for conditionals, while loops, and guards, but they are
  also intended to be used for \emph{reasoning about} the meanings of
  programs.  The meaning of formulas is defined mathematically with
  $\omega \models P$ which tells us when the formula $P$ is true in
  state $\omega$.
\item We add to the language of formulas two modal operators that
  reference programs, $[\alpha]P$ ($P$ is true in every possible
  poststate of $\alpha$) and $\langle\alpha \rangle P$ ($P$ is true in
  some poststate of $\alpha$).  We extend the definition for the
  meaning of formulas to account for the new constructs.  We
  call this new logic \emph{(deterministic) dynamic logic}.
\item In order to facilitate reasoning, we developed some
  \emph{axioms} that allow us to break down formulas $[\alpha]P$ that
  speak about programs $\alpha$ into properties of subprograms of
  $\alpha$.  As axioms they must be \emph{valid}, that is, be true for
  all possible states.
\end{enumerate}

The final point hit a snag when we considered loops.  We were able
to write down a plausible axiom, but both sides referred to the while
loop itself.  In this lecture we'll consider how to work, logically,
with loops.  Informally, we already understand how this is done, for
example, in Why3.  We hypothesize a \emph{loop invariant} and then
prove that (a) it holds initially, (b) it is preserved, and (c) it
implies the postcondition.  To arrive at this form of reasoning for
loops will take us all lecture, partly because we take a detour via
\emph{nondeterministic dynamic logic}.  It turns out this formalism
allows us to explore the issues surrounding loops in a simplified form
to understand the essence of the problem and its solution.  We then
port the solution back.

\paragraph*{Learning goals.} After this lecture, you should
be able to:
\begin{itemize}
\item Express and prove programs in (nondeterministic) dynamic logic;
\item Reason about repetition in dynamic logic;
\item Justify reasoning principles for loops as modal axioms;
\item Prove while loops in (deterministic) dynamic logic.
\end{itemize}

\section{Summary: Axioms for Dynamic Logic}

\[
  \begin{array}{lcl}
    [x \leftarrow e]Q(x) & \leftrightarrow & \forall x'.\, x' = e \rightarrow Q(x') 
            \qquad (\mbox{$x'$ not in $e$ or $Q(x)$}) \\ \relax 
    [\alpha\semi \beta]Q & \leftrightarrow & [\alpha][\beta]Q \\ \relax
    [{?}P]Q & \leftrightarrow & (P \rightarrow Q) \\ \relax
    [\m{if}\, P\, \alpha\, \beta]Q & \leftrightarrow
                                           & (P \rightarrow [\alpha]Q) \land (\lnot P \rightarrow [\beta]Q) \\ \relax
    [\m{while}\, P\, \alpha]Q & \leftrightarrow
                                           & (P \rightarrow [\alpha][\m{while}\, P\, \alpha]Q) \land (\lnot P \rightarrow Q)
  \end{array}
\]
                                             

\section{Nondeterministic Dynamic Logic}

What we call nondeterministic dynamic logic is what most sources just
call ``dynamic logic''.  The idea is to replace the conditionals by
nondeterministic choice $\alpha \cup \beta$, and while loops by
nondeterministic repetition $\alpha^*$.
\[
  \begin{array}{llcl}
    \mbox{Programs} & \alpha,\beta 
    & ::= & x \leftarrow e \mid \alpha \semi \beta \mid {?}P \mid 
            \alpha \cup \beta \mid \alpha^*
  \end{array}
\]
The nondeterministic choice $\alpha \cup \beta$ executes either
$\alpha$ or $\beta$.  The repetition $\alpha^*$ executes $\alpha$ some
number of times ($0, 1, 2, \ldots$) in succession.

The formal semantics of these is a straightforward simplification of
the semantics for conditionals and while loops.  That's because we
already \emph{set up} the semantics to be a relation between states.
\[
  \begin{array}{ll}
    \omega \lbb \alpha \cup \beta\rbb \nu
    & \mbox{iff $\omega \lbb \alpha\rbb \nu$ or $\omega \lbb \beta\rbb \nu$} \\
    \omega_0 \lbb \alpha^* \rbb \omega_n
    & \mbox{iff there exist $\omega_1, \ldots, \omega_{n-1}$ such that
      $\omega_i\lbb \alpha\rbb\omega_{i+1}$ for all $0 \leq i < n$}.
  \end{array}
\]
We can express the original conditionals and while loops using guards
and the new constructs.
\[
  \begin{array}{lcl}
    \m{if}\, P\, \alpha\, \beta & \triangleq & ({?}P \semi \alpha) \cup ({?}\lnot P \semi \beta) \\
    \m{while}\, P\, \alpha & \triangleq & ({?}P \semi \alpha)^* \semi {?}\lnot P
  \end{array}
\]
You should convince yourself that the left-hand and right-hand
sides of these notational definitions have the same meaning, that is,
they relate the same states $\omega \lbb {-}\rbb \nu$.

Furthermore, we can capture the meaning with new axioms, again
simplifying the old ones for conditionals and while loops.
\[
  \begin{array}{lcl}
    [\alpha \cup \beta]P & \leftrightarrow & [\alpha]P \land [\beta]P \\\relax
    [\alpha^*] P & \leftrightarrow & P \land [\alpha][\alpha^*] P
  \end{array}
\]
We observe that the axiom for repetition $\alpha^*$ has the same flaw
as the axiom for while loops: $\alpha^*$ appears on both sides.

\section{The Induction Axiom for Repetition}

As a simple example of repetition, consider
\[
  [n \leftarrow 0 \semi (n \leftarrow n+2)^*]\m{even}(n)
\]
The $\m{even}$ predicate is easy to define in arithmetic
($\m{even}(n) \triangleq \exists k.\, 2\times k = n$).  We see that
the property above should hold, because no matter how often $n$ is
incremented by $2$ it will always remain even.  The question is how to
prove that in dynamic logic---mathematically we can always do an
induction over the number of iterations.  We can break off the
initialization so it becomes
\[
  n = 0 \rightarrow [(n \leftarrow n+2)^*]\m{even}(n)
\]
An attempt might be
\[
  [\alpha^*]Q \stackrel{?}{\leftrightarrow} Q \land (Q \rightarrow [\alpha]Q)
\]
with the idea that $Q$ on the right-hand side expresses that it must
be true initially, and that $Q \rightarrow [\alpha]Q$ shows that $Q$
is preserved by one iteration of the loop.  Unfortunately, this gives
us exactly that---it does not show that $Q$ is preserved by an
arbitrary number of iterations.  In order to get that, we need to say
that, after an arbitrary number of iterations, $Q$ is still preserved
by one more iteration.
\[
  [\alpha^*]Q \leftrightarrow Q \land [\alpha^*](Q \rightarrow [\alpha]Q)
\]
This seems plausible, but it suffers from the same defect we had
worried about before: $\alpha^*$ appears on both sides.  Please, have
some faith in me for a moment that we'll be able to address that
while we show that this axiom is indeed valid.

\noindent \textbf{Proof.}  While not strictly necessary, it is perhaps
easiest to understand the proof if we reformulate it in mathematics
as follows:
\begin{quote}
  (For all $n \geq 0$, $\omega \models [\alpha^n]Q$) \newline
  iff \newline
  ($\omega \models Q$ and for all $k \geq 0$, $\omega \models [\alpha^k](Q \rightarrow [\alpha]Q)$)
\end{quote}
Here $[\alpha^n]Q$ means that $Q$ is true after $n$ iterations of
$\alpha$.  We prove each direction separately.

\noindent ``$\longrightarrow$''
\begin{tabbing}
  Assume for all $n \geq 0$ we have $\omega \models [\alpha^n]Q$ \`(1) \\
  To show $\omega \models Q$ we use (1) for $n = 0$. \\
  It remains to show that $\omega \models [\alpha^k](Q \rightarrow [\alpha]Q)$ for an arbitrary $k \geq 0$. \\
  For that, it is sufficient to prove $\omega \models [\alpha^k][\alpha]Q$
  (ignore the additional assumption $Q$). \\
  But that's the same as $\omega \models [\alpha^{k+1}]Q$ which follows
  from (1) with $n = k+1$.
\end{tabbing}

\noindent ``$\longleftarrow$''
\begin{tabbing}
  Assume $\omega \models Q$ \`(1) \\
  \quad and for all $k \geq 0$, $\omega \models [\alpha^k](Q \rightarrow [\alpha]Q)$. \`(2) \\
  We prove by induction on $n$ that for all $n \geq 0$, $\omega \models [\alpha^n]Q$. \\
  Base: $n = 0$.  Then $[\alpha^n]Q = Q$ and $\omega \models Q$ is exactly (1). \\
  Step: $n = m+1$.  Assume $\omega \models [\alpha^m]Q$. \`(3) \\
  We use (2) with $k = m$ to obtain $\omega \models [\alpha^m](Q \rightarrow [\alpha]Q)$. \\
  The modality distributes over implication (see below) \\
  \quad so we obtain $\omega \models [\alpha^m]Q$ implies $\omega \models [\alpha^m][\alpha]Q$. \\
  From this implication and (3), we get $\omega \models [\alpha^m][\alpha]Q$ \\
  \quad and that is the same as $\omega \models [\alpha^{m+1}]Q$. \\
  This is what we needed to complete the induction step.
\end{tabbing}

It is easy to show that the axiom
\[
  [\alpha](P \rightarrow Q) \rightarrow ([\alpha]P \rightarrow [\alpha]Q)
\]
is valid, that is, the box modality distributes over implication: if
in every poststate of $\alpha$ we have both $P \rightarrow Q$ and $P$,
then we also have $Q$ in the same poststate.

\section{Validity and Loop Invariants}

We now return to the induction axiom---thank you for your patience!
\[
  [\alpha^*]Q \leftrightarrow Q \land [\alpha^*](Q \rightarrow [\alpha]Q)
\]
How can we actually use this?  Let's think back to the early lectures
and loop invariants.  We verified that the invariant (here $Q$) is
true initially (the proof of $Q$ on the right-hand side), and then we
verified the loop invariant is preserved \emph{forgetting the concrete
  information we had when we first arrived at the loop}.  Here, this
would correspond to proving that $Q \rightarrow [\alpha]Q$ is
\emph{valid}, which means it is true for any state.  This is important
because we want to show the preservation of $Q$ no matter how many
times we have already been around the loop.

In order to express this kind of reasoning \emph{as an axiom} we need
to be able to say that ``\textit{$P$ is valid}'' inside the logic.
This is the purpose of the necessity modality $\Box P$, which was
actually the inspiration for $[\alpha]P$ in dynamic logic, except $P$ has
to be \emph{true for any state}, not just for the poststates of
$\alpha$.
\[
  \begin{array}{llcl}
    \mbox{Formulas} & P
    & ::= & e_1 \leq e_2 \mid \ldots \mid [\alpha]P \mid \langle\alpha\rangle P
            \mid \Box P
  \end{array}
\]
We define
\[
  \omega \models \Box P \; \mbox{iff $\nu \models P$ for any $\nu$}
\]
We then can prove an axiom
\[
  \Box P \rightarrow [\alpha]P
\]
Our axiom for reasoning with invariants then becomes
\[
  [\alpha^*]Q \leftarrow Q \land \Box (Q \rightarrow [\alpha]Q)
\]
This is no longer a bi-implication, but only a right-to-left
implication ($Q \leftarrow P$ means $Q$ is implied by $P$).  That's
because there are other ways to prove a loop (for example, unrolling
it a finite number of times).  The new axiom is clearly sound, which
we can establish directly:
\begin{tabbing}
  $[\alpha^*]Q$  $\leftrightarrow$ \= $(Q \land [\alpha^*](Q \rightarrow [\alpha]Q))$ \\
  and \> $(Q \land [\alpha^*](Q \rightarrow [\alpha]Q))
  \leftarrow (Q \land \Box (Q \rightarrow [\alpha]Q))$
\end{tabbing}

Returning to our earlier example, we can now prove
\[
  n = 0 \rightarrow [(n \leftarrow n+2)^*]\m{even}(n)
\]
by reducing it to
\[
  n = 0 \rightarrow \m{even}(n) \land \Box(\m{even}(n) \rightarrow [n \leftarrow n+2]
  \m{even}(n))
\]
Critically, there is no longer any iteration involved, and we can
eliminate the remaining references to programs.  The first conjunct is
easy since $\m{even}(0)$.  Then we have to prove
\[
  n = 0 \rightarrow \Box (\m{even}(n) \rightarrow [n \leftarrow n+2]\m{even}(n))
\]
Because we have to show \emph{validity}, we lose the assumption
$n = 0$. Using the axiom for assignment, this comes down to
\[
  \m{even}(n) \rightarrow (\forall n'.\, n' = n+2 \rightarrow \m{even}(n'))
\]
which is clearly valid, that is, true for any value of $n$.  We
can even map this back to plain arithmetic as the obvious
\[
  \forall n.\, \m{even}(n) \rightarrow (\forall n'.\, n' = n+2 \rightarrow \m{even}(n'))
\]

\section{Strengthening the Loop Invariant}

As your experience with Why3 has undoubtedly shown, we sometimes need to
strengthen the loop invariant to make our verifications go through.
This is the same phenomenon as having to generalize an induction
hypothesis.  Let's return to everyone's favorite example, the
computation of Fibonacci numbers.  This time, we write a
nondeterministic loop.
\[
  [a \leftarrow 0 \semi b \leftarrow 1\semi 
  (a,b \leftarrow b,a+b)^*](\exists i.\, a = \m{fib}(i))
\]
To save space, we used the simultaneous assignment of $b$ to $a$ and
$a+b$ to $b$ (which, by the way, is available in Why3 and is a simple
shorthand).  It would be nice to say exactly which Fibonacci number we
have computed, so we also compute $i$.
\[
  [a \leftarrow 0 \semi b \leftarrow 1 \semi i \leftarrow 0 \semi 
  (a,b \leftarrow b,a+b \semi i \leftarrow i+1)^*]a = \m{fib}(i) 
\]
After a couple of steps of proof, we are left with
\[
  a = 0 \land b = 1 \land i = 0 \rightarrow
  [(a,b \leftarrow b,a+b \semi i \leftarrow i+1)^*]a = \m{fib}(i) 
\]  
Unfortunately, we cannot prove this now, because our loop invariant
$a = \m{fib}(i)$ is too weak.  We also need to know that
$b = \m{fib}(i+1)$.

Before we finish the example, let's consider how we prove
$[\alpha^*]Q$ more generally.  We want to be able to use an
\emph{arbitrary} loop invariant $J$ and then show three properties:
$J$ is true initially, $J$ is preserved by the loop, and $J$ implies
the postcondition.  The last two properties require validity.
\[
  [\alpha^*]Q \leftarrow J \land \Box(J \rightarrow [\alpha]J)
  \land \Box(J \rightarrow Q)
\]

\newcommand{\Jfib}{J_{\m{fib}}}
For
\[
  \Jfib = (a = \m{fib}(i) \land b = \m{fib}(i+1))
\]
we obtain the following three proof obligations.
\[
  \begin{array}{ll}
    a = 0 \land b = 1 \land i = 0 \rightarrow \Jfib & \mbox{true initially}  \\
    \Box (\Jfib \rightarrow [(a,b \leftarrow b,a+b \semi i \leftarrow i+1)]\Jfib)
                                                    & \mbox{preserved} \\
    \Box (\Jfib \rightarrow a = \m{fib}(i)) & \mbox{implies postcondition}
  \end{array}
\]
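
As an added worked example (not part of the original notes), here is
how the second obligation, preservation of $\Jfib$, is discharged with
the axioms from Section 2.  It assumes the standard definition
$\m{fib}(0) = 0$, $\m{fib}(1) = 1$, $\m{fib}(i+2) = \m{fib}(i) +
\m{fib}(i+1)$, and it reads the simultaneous assignment $a,b
\leftarrow b,a+b$ with the natural generalization of the assignment
axiom, $[x,y \leftarrow e_1,e_2]Q(x,y) \leftrightarrow \forall
x',y'.\, x' = e_1 \land y' = e_2 \rightarrow Q(x',y')$ for fresh
$x',y'$, which the notes do not state explicitly.
\[
  \begin{array}{lcl}
    [(a,b \leftarrow b,a+b \semi i \leftarrow i+1)]\Jfib
    & \leftrightarrow & [a,b \leftarrow b,a+b][i \leftarrow i+1]\Jfib \\
    & \leftrightarrow & [a,b \leftarrow b,a+b](\forall i'.\, i' = i+1 \rightarrow
                        a = \m{fib}(i') \land b = \m{fib}(i'+1)) \\
    & \leftrightarrow & [a,b \leftarrow b,a+b](a = \m{fib}(i+1) \land b = \m{fib}(i+2)) \\
    & \leftrightarrow & \forall a',b'.\, a' = b \land b' = a+b \rightarrow
                        a' = \m{fib}(i+1) \land b' = \m{fib}(i+2) \\
    & \leftrightarrow & b = \m{fib}(i+1) \land a+b = \m{fib}(i+2)
  \end{array}
\]
So the obligation $\Box(\Jfib \rightarrow [(a,b \leftarrow b,a+b \semi
i \leftarrow i+1)]\Jfib)$ reduces to the validity of
\[
  a = \m{fib}(i) \land b = \m{fib}(i+1) \rightarrow
  b = \m{fib}(i+1) \land a+b = \m{fib}(i+2)
\]
The first conjunct of the conclusion is the second conjunct of the
assumption, and the second conjunct is exactly the recurrence
$\m{fib}(i) + \m{fib}(i+1) = \m{fib}(i+2)$ once $a$ and $b$ are
replaced using the assumption.  Note that neither conjunct of $\Jfib$
is provable on its own: the assumption $a = \m{fib}(i)$ says nothing
about $b$, which is why the weaker invariant failed.  The remaining
two obligations are immediate: initially $0 = \m{fib}(0)$ and $1 =
\m{fib}(1)$, and $\Jfib$ contains the postcondition $a = \m{fib}(i)$
as its first conjunct.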

\section{Back to While Loops}

Recall the definition
\[
  \m{while}\, P\, \alpha \quad\triangleq\quad ({?}P \semi \alpha)^* \semi {?}\lnot P
\]
We can plug this in to the axiom we have for repetition and
reason, assuming we have settled on a loop invariant $J$.
\[
  \begin{array}{ll}
    [\m{while}\, P\, \alpha]Q
    & \leftrightarrow [({?}P \semi \alpha)^* \semi {?}\lnot P]Q \\
    & \leftrightarrow [({?}P \semi \alpha)^*][{?}\lnot P]Q \\
    & \leftrightarrow [({?}P \semi \alpha)^*](\lnot P \rightarrow Q) \\
    & \leftarrow J \land \Box (J \rightarrow [{?}P \semi \alpha]J)
      \land \Box (J \rightarrow (\lnot P \rightarrow Q)) \\
    & \leftrightarrow J \land \Box (J \rightarrow (P \rightarrow [\alpha]J)) 
      \land \Box (J \land \lnot P \rightarrow Q) \\
    & \leftrightarrow J \land \Box (J \land P \rightarrow [\alpha]J)
      \land \Box (J \land \lnot P \rightarrow Q)
  \end{array}
\]
This expresses logically and concisely what we have studied earlier
regarding reasoning about while loops with loop invariants.  It does
not yet cover \emph{total correctness}, that is, reasoning about
\emph{variants} and the termination of loops.  We will return to them
in a future lecture.
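
As an added example (not from the original notes), we apply the last
line of the derivation above to a concrete loop.  The program,
precondition and invariant are constructed for this illustration:
the loop is $\m{while}\, (i < N)\, (i \leftarrow i+1)$ with
postcondition $Q \triangleq (i = N)$, precondition $i = 0 \land N \geq
0$, and invariant $J \triangleq (i \leq N)$.  The three obligations are
\[
  \begin{array}{ll}
    i = 0 \land N \geq 0 \rightarrow i \leq N & \mbox{true initially} \\
    \Box (i \leq N \land i < N \rightarrow [i \leftarrow i+1]\, i \leq N) & \mbox{preserved} \\
    \Box (i \leq N \land \lnot (i < N) \rightarrow i = N) & \mbox{implies postcondition}
  \end{array}
\]
The first is plain arithmetic.  For the second, the assignment axiom
gives $[i \leftarrow i+1]\, i \leq N \leftrightarrow \forall i'.\, i'
= i+1 \rightarrow i' \leq N$, so the obligation becomes the validity
of $i \leq N \land i < N \rightarrow i+1 \leq N$, which holds over the
integers.  The third becomes $i \leq N \land i \geq N \rightarrow i =
N$, again valid.  The example also shows why the guard $P$ appears in
the last two conjuncts of the derived rule: without $P$, preservation
would require $i \leq N \rightarrow i+1 \leq N$, which fails at $i =
N$; without $\lnot P$, the exit obligation would require $i \leq N
\rightarrow i = N$, which fails for every $i < N$.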

\section{Aside: Regular Expressions Revisited\protect\footnotemark}
\footnotetext{not covered in lecture}

Except for assignment, we can recognize that regular expressions are
related to programs in dynamic logic as shown in the following table
of correspondences.
\[
  \begin{array}{c|c}
    \mbox{Regular Expression} & \mbox{Dynamic Logic} \\
    r \cdot s & \alpha \semi \beta \\
    1 & \m{skip} \makebox[0pt][l]{\quad $(= {?}\m{true})$} \\
    r + s & \alpha \cup \beta \\
    0 & \m{abort} \makebox[0pt][l]{\quad $(= {?}\m{false})$} \\
    r^* & \alpha^* \\
    a & \mbox{??} \\
    \mbox{??} & x \leftarrow e
  \end{array}
\]
The prestate would be the input word and the poststate the remaining
word after the program (= regular expression) has matched an initial
segment of the word.  We see there are no general guards in regular
expressions, and the effect of an assignment has been replaced by the
effect of reading a character in the input word.


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%\section*{Exercises}
%\begin{exercise} \label{exc:exercise1}
%\end{exercise}

% \bibliography{bibliography}

\end{document}
