\documentclass[11pt,twoside]{scrartcl}
%opening
\newcommand{\lecid}{15-414}
\newcommand{\leccourse}{Bug Catching: Automated Program Verification}
\newcommand{\lecdate}{} %e.g. {October 21, 2013}
\newcommand{\lecnum}{5}
\newcommand{\lectitle}{Compositional Reasoning}
\newcommand{\lecturer}{Matt Fredrikson}
\usepackage{lecnotes}
\usepackage[irlabel]{bugcatch}
\begin{document}
\maketitle
\thispagestyle{empty}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Introduction}
This lecture will focus on developing systematic logical reasoning principles for sequential programs.
Writing programs with correctness specifications is one thing.
But proving them to be correct is a different matter.
Both are exceedingly useful, because the clear expression of our expectations on a program often already make it more correct as it will more likely occur to us if our expectations and the program's realization are out of sync.
But, of course, we might still fail to notice that a program does not meet its correctness specification if all we do is look at them.
The fact that we unambiguously rendered program contracts in logic now plays to our advantage.
Not only did this make it clear what a precondition and postcondition of a program really means.
But logic also provides ways of reasoning logically (go figure) about the programs by systematically transforming one logical formula into a simpler logical formula to find out whether it is true.
This will lead us to discover a very systematic logical way of reasoning about the correctness of sequential programs.
More information on the topic of axioms for reasoning about the behavior of programs in dynamic logic can also be found in the literature \cite{Harel_et_al_2000,Platzer17}.
\section{Semantical Considerations on Programs}
Recall the dynamic logic formula for the program swapping two variables \texttt{x} and \texttt{y} in place:
\begin{equation}
{x=a\land y=b\limply\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}
\label{eq:swap}
\end{equation}
Its meaning, and thus the meaning of the program contract that it came from, are now mathematically defined precisely.
What can we do with its mathematical semantics?
Well, we could, for example, follow the definitions of the semantics to find out how a specific initial state \(\iget[state]{\I}\) changes as the program is executing.
Consider the initial state \(\iget[state]{\I}\) with \(\iget[state]{\I}(x)=5\) and \(\iget[state]{\I}(y)=7\).
For this state to satisfy the preconditions, it also needs to have the following values \(\iget[state]{\I}(a)=5\) and \(\iget[state]{\I}(b)=7\) for variables $a$ and $b$.
Thus,
\[
\imodels{\I}{x=a\land y=b}
\]
Since the swap program only changes the variables $x$ and $y$, we only need to track their values, since everything else stays unchanged.
After running the first assignment \(x:=x+y\), the program reaches state a \(\iget[state]{\Iz[1]}\) with \(\iget[state]{\Iz[1]}(x)=12,\iget[state]{\Iz[1]}(y)=7\).
After running the second assignment \(y:=x-y;\) from state \(\iget[state]{\Iz[1]}\) the program reaches a state \(\iget[state]{\Iz[2]}\) with \(\iget[state]{\Iz[2]}(x)=12,\iget[state]{\Iz[2]}(y)=5\).
After running the third assignment \(x:=x-y;\) from state \(\iget[state]{\Iz[2]}\) the program reaches a state \(\iget[state]{\It}\) with \(\iget[state]{\It}(x)=7,\iget[state]{\It}(y)=5\).
Let's write the respective program statements in the first row and the states in between these in the next rows:
\[\begin{array}{clclclc}
& x:=x+y;&& y:=x-y;&& x:=x-y &\\\
\iget[state]{\I}(x)=5 && \iget[state]{\Iz[1]}(x)=12 && \iget[state]{\Iz[2]}(x)=12 && \iget[state]{\It}(x)=7\\
\iget[state]{\I}(y)=7 && \iget[state]{\Iz[1]}(y)=7 && \iget[state]{\Iz[2]}(y)=5 && \iget[state]{\It}(y)=5
\end{array}\]
All those states agree that $a$ has the value 5 and $b$ the value 7.
So indeed, the (only) final state $\iget[state]{\It}$ satisfies the postcondition:
\[
\imodels{\I}{x=b\land y=a}
\]
Well that's nice.
We followed the semantics of program execution from the particular initial state \(\iget[state]{\I}\) with \(\iget[state]{\I}(x)=5\) and \(\iget[state]{\I}(y)=7\) and found out that all its final states (well $\iget[state]{\It}$ is the only one) satisfy the postcondition that formula \rref{eq:swap} claims.
This justifies that \rref{eq:swap} is true in state $\iget[state]{\I}$:
\[
\imodels{\I}{x=a\land y=b\limply\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}
\]
In fact, since we just saw there is a final state $\iget[state]{\It}$ in which the postcondition is true, this also justifies the diamond modality case is true in state $\iget[state]{\I}$:
\[
\imodels{\I}{x=a\land y=b\limply\ddiamond{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}
\]
Lovely. Now all we need to do to justify that DL formula \rref{eq:swap} is not just true in this particular initial state $\iget[state]{\I}$ but is valid in all states, is to consider one state at a time and follow the semantics to show the same.
The only downside of that approach of following the semantics through concrete states is that it will keep us busy till the end of the universe because there are infinitely many different states.
Even among those initial states that satisfy the precondition \(x=a\land y=b\) (otherwise there is nothing to show for \rref{eq:swap} since implications are true if their left hand sides are false), there are still infinitely many such states.
That's not very practical for such a simple program nor, in fact, for any other interesting program with input.
\section{Axioms for Programs}
Our approach to understanding programs with logic is to design one reasoning princple for each program operator that describes its effect in logic with simpler logical operators.
If we succeed doing that for every operator that a program can have, then we will understand even the most complicated programs just by repeatedly making use of the respective logical reasoning principles.
\subsection{Assignments}
The first case we look into is assignment, where we want to prove the validity of formulas like \m{\dbox{\pupdate{\umod{x}{\astrm}}}{p(x)}}, which expresses that the formula $p(x)$ holds after the assignment \m{\pupdate{\umod{x}{\astrm}}} that assigns the value of term $\astrm$ to variable $x$.
How could we reduce this to another logical formula that is simpler?
If we want to show that the formula $p(x)$ holds after assigning the new value $\astrm$ to variable $x$ then we might as well show $p(\astrm)$ right away.
And, in fact, $p$ is true of $x$ after assigning $\astrm$ to $x$ if and only if $p$ is true of its new value $\astrm$.
That is, the formula \m{\dbox{\pupdate{\umod{x}{\astrm}}}{p(x)}} is equivalent to the formula \m{p(\astrm)}.
We capture this argument once and for all in the assignment axiom \irref{assignb}:
%What has worked exceedingly well for propositional logic might work just as well for programs.
\[
\cinferenceRule[assignb|$\dibox{:=}$]{assignment / substitution axiom}
{\linferenceRule[equiv]
{p(\astrm)}
{\axkey{\dbox{\pupdate{\umod{x}{\astrm}}}{p(x)}}}
}
{}%{$genDJ{x}$ free for $x$ in $\ausfml$}
\]
In the assignment axiom \irref{assignb}, the formula $p(\astrm)$ has the term $\astrm$ everywhere in place of where the formula $p(x)$ has the variable $x$.
Of course, it is important for this substitution of $\astrm$ for $x$ to avoid capture of variables and not make any replacements under the scope of a quantifier or modality binding an affected variable \cite{DBLP:journals/jar/Platzer17}.
For example, the following formula is an instance of \irref{assignb}:
\[
\dbox{\pupdate{\pumod{x}{x^2-1}}}{x(x+1)\geq x+y} \lbisubjunct (x^2-1)(x^2-1+1) \geq (x^2-1)+y
\]
But the following is not because it would capture the replacement $y$ that is used for $x$:
\[
\dbox{\pupdate{\pumod{x}{y}}}{(x\geq0 \land \lforall{y}{(x\geq y)})} \lbisubjunct (y\geq0 \land \lforall{y}{(y\geq y)})
\]
Instead, if we first rename $\forall y$ to $\forall z$ then the substitution works:
\[
\dbox{\pupdate{\pumod{x}{y}}}{(x\geq0 \land \lforall{z}{(x\geq z)})} \lbisubjunct (y\geq0 \land \lforall{z}{(y\geq z)})
\]
Used correctly, this axiom is clearly convenient as it allows us to remove a box modality from a formula, and in some cases reduce our reasoning to questions of pure first-order arithmetic.
We might imagine that this takes us closer to a proof, but we might still need to make use of other axioms depending on what $p$ is.
But observe how nicely the \irref{assignb} axiom allows us to reduce a proof of an assignment program to that of another formula after making some straightforward syntactic substitutions.
We will try to identify similar axioms that reduce a property of a composed program to a logical combination of properties of subprograms also for all the other statements in a program.
That way we will obtain a compositional reasoning technique that reduces the correctness of any arbitrary big program to a number of questions about smaller and smaller subprograms, of which there are only finitely many.
Before moving on, we want to be sure that this new axiom sound, so we should pause at this point and consider how to assure ourselves that it is so.
When we proved the soundness of proof rules for the propositional logic, we reasoned that the validity of the premises logically implies the validity of the conclusions.
There are no premises in \irref{assignb}, just an assertion that a formula containing an assignment in a box is equivalent to another formula with some substitutions replacing variables with terms.
To be absolutely sure that treating these two formulas as equivalent is the right thing to do, we must show that the formula $\dbox{\pumod{x}{\astrm}}{p(x)} \lbisubjunct p(\astrm)$ is valid.
We begin with a lemma that will help us reason about the substitutions that we made to obtain $p(\astrm)$ by substituting $x$ in $p(x)$ with $\astrm$.
\begin{lemma}
\label{lem:substitution}
Let $p$ be a formula, $\astrm$ be a term, and $\omega, \nu$ be states.
If $\omega = \nu$ except that $\nu(x) = \omega\llbracket\astrm\rrbracket$, then $\omega \models p(\astrm)$ if and only if $\nu \models p(x)$.
\end{lemma}
\begin{proof}
We begin by introducing a notation for substitution of variables in terms.
If $\bstrm$ is a term containing one or more instances of variable $x$, then $\subs{\bstrm}{x}{\astrm'}$ is the corresponding term given by replacing all instances of $x$ in $\bstrm$ with $\astrm'$. More precisely,
\begin{align*}
\subs{c}{x}{\astrm'} &= c \\
\subs{x}{x}{\astrm'} &= \astrm' \\
\subs{y}{x}{\astrm'} &= y \\
\subs{(\astrm_1 + \astrm_2)}{x}{\astrm'} &= \subs{{\astrm_1}}{x}{\astrm'} + \subs{{\astrm_2}}{x}{\astrm'}
\\
\subs{(\astrm_1 \times \astrm_2)}{x}{\astrm'} &= \subs{{\astrm_1}}{x}{\astrm'} \times \subs{{\astrm_2}}{x}{\astrm'}
\end{align*}
Note that there are two cases for variables, one where the variable is the target of the substitution $x$, and another denoting the remaining cases where the variable is not the same one being substituted (i.e., $y$).
Then we note that given $\omega$ and $\nu$ as defined in the lemma statement, for any term $\bstrm$, $\omega\llbracket\subs{\bstrm}{x}{\astrm}\rrbracket = \nu\llbracket\bstrm\rrbracket$.
We have this by induction on the structure of $\bstrm$.
\begin{itemize}
\item\textbf{Case} $c$: We have that $\omega\llbracket\subs{c}{x}{\astrm}\rrbracket = c = \nu\llbracket c\rrbracket$.
\item\textbf{Case} $x$: In this case, $\omega\llbracket\subs{x}{x}{\astrm}\rrbracket = \omega\llbracket\astrm\rrbracket$. By assumption, $\nu(x) = \omega\llbracket\astrm\rrbracket$, so $\nu\llbracket x\rrbracket = \omega\llbracket\astrm\rrbracket$.
\item\textbf{Case} $y$: Here $\omega\llbracket\subs{y}{x}{\astrm}\rrbracket = \omega(y) = \nu(y) = \nu\llbracket y\rrbracket$, with the middle equality following from the assumption of the lemma that $\omega = \nu$ everywhere except at $x$.
\item\textbf{Case} $\astrm_1 + \astrm_2$: This is the inductive case. So we assume that $\omega\llbracket\subs{{\astrm_1}}{x}{\astrm}\rrbracket = \nu\llbracket\astrm_1\rrbracket$ and $\omega\llbracket\subs{{\astrm_2}}{x}{\astrm}\rrbracket = \nu\llbracket\astrm_2\rrbracket$.
Then
$
\omega\llbracket\subs{(\astrm_1 + \astrm_2)}{x}{\astrm}\rrbracket
= \omega\llbracket\subs{{\astrm_1}}{x}{\astrm}\rrbracket + \omega\llbracket\subs{{\astrm_2}}{x}{\astrm}\rrbracket
= \nu\llbracket\astrm_1\rrbracket + \nu\llbracket\astrm_2\rrbracket
= \nu\llbracket\astrm_1 + \astrm_2\rrbracket
$.
\end{itemize}
We conclude this observation by noting that the case for multiplication uses identical reasoning as the one for addition.
With this property about the equivalence of substitutions for terms in hand, we can prove the lemma itself by induction on the structure of the formula $p$.
This is left as an exercise, but we note that while it may seem straightforward when considering the base cases ($\astrm = \bstrm, \astrm \le \bstrm$) and formulas without quantifiers and modalities that bind variables, care must be taken to rigorously account for variable capture when extending substitution to all formulas.
See \cite{DBLP:journals/jar/Platzer17} for a full treatment of this matter.
\end{proof}
\begin{theorem}
\label{lem:asgn-sound}
The assignment axiom \irref{assignb} is sound, i.e., all its instances are valid. For any DL formula $p$,
\[
\models \dbox{\pupdate{\umod{x}{\astrm}}}{p(x)} \lbisubjunct p(\astrm)
\]
\end{theorem}
\begin{proof}
Recall the semantics of assignment:
\begin{equation}
\label{eq:asgn-semantics}
\llbracket\pumod{x}{\astrm}\rrbracket
=
\{
(\omega,\nu) :
\omega = \nu~\text{except that}~\nu(x) = \omega\llbracket\astrm\rrbracket
\}
\end{equation}
To show that the formula $\dbox{\pupdate{\umod{x}{\astrm}}}{p(x)} \lbisubjunct p(\astrm)$ is valid, consider any state $\omega$ and show that $\omega \models \dbox{\pupdate{\umod{x}{\astrm}}}{p(x)} \lbisubjunct p(\astrm)$.
We will use the semantics of assignment to in turn reason about the semantics of $\dbox{\pupdate{\umod{x}{\astrm}}}{p(x)}$ as we proceed.
The proof is in two parts, one for each direction of the biimplication.
\begin{enumerate}
\item[``$\lylpmi$'']
Here we assume the right hand side, i.e., $\omega \models p(\astrm)$, and show that $\omega \models \dbox{\pumod{x}{\astrm}}{p(x)}$.
Because $\omega \models p(\astrm)$ by our assumption, the substitution lemma (Lemma~\ref{lem:substitution}) gives us that $\nu \models p(x)$ for all $\nu$ where $\omega = \nu$ except that $\nu(x) = \omega\llbracket\astrm\rrbracket$.
By the semantics of the box modality $\dbox{\cdot}{}$, we know that $\omega \models \dbox{\pumod{x}{\astrm}}{p(x)}$ if and only if for all $\nu$ where $(\omega, \nu) \in \llbracket\pumod{x}{\astrm}\rrbracket$, $\nu \models p(x)$.
By the semantics of assignment given in (\ref{eq:asgn-semantics}), we know that any $\nu$ where $(\omega, \nu) \in \llbracket\pumod{x}{\astrm}\rrbracket$ is identical to $\omega$ everywhere except at $x$, where $\nu$ maps $x$ to the value of $\astrm$ in $\omega$, i.e. $\nu(x) = \omega\llbracket\astrm\rrbracket$.
Therefore, we conclude that $\omega \models \dbox{\pumod{x}{\astrm}}{p(x)}$.
\item[``$\limply$'']
Now we assume the left hand side, i.e., $\omega \models \dbox{\pumod{x}{\astrm}}{p(x)}$, and show that $\omega \models p(\astrm)$.
Reasoning as we did in the case of the opposite direction, by the semantics of the box modality, this assumption gives us that $\nu \models p(x)$ for all $\nu$ where $(\omega, \nu) \in \llbracket\pumod{x}{\astrm}\rrbracket$.
Applying the semantics of assignment, we can make this more precise to conclude that $\nu \models p(x)$ for all $\nu$ where $\omega = \nu$ except that $\nu(x) = \omega\llbracket\astrm\rrbracket$.
Again applying Lemma~\ref{lem:substitution}, we arrive at the desired result $\omega \models p(e)$.
\end{enumerate}
\end{proof}
\subsection{Conditionals}
The next case we look at is what is needed to prove in order to show the formula \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}, which expresses that formula $\ausfml$ always holds after running the if-then-else conditional \m{\pif{\ivr}{\ausprg}{\busprg}} that runs program $\ausprg$ if formula $\ivr$ is true and runs $\busprg$ otherwise.
In order to understand it from a logical perspective, how could we express \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} in easier ways?
If $\ivr$ holds then \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} says that $\ausfml$ always holds after running $\ausprg$.
If $\ivr$ does not hold then the same formula \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} says that $\ausfml$ always holds after running $\busprg$.
It is easy to say with a logical formula that $\ausfml$ always holds after running $\ausprg$, which is precisely what \(\dbox{\ausprg}{\ausfml}\) is good for.
Likewise \(\dbox{\busprg}{\ausfml}\) directly expresses in logic that $\ausfml$ always holds after running $\busprg$.
Both of those formulas \(\dbox{\ausprg}{\ausfml}\) as well as \(\dbox{\busprg}{\ausfml}\) are simpler than the original formula \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}.
But, of course, they express something else, because the program \m{\pif{\ivr}{\ausprg}{\busprg}} only runs the respective programs conditionally depending on the truth-value of $\ivr$.
Yet, there still is a way of expressing \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} in logic in easier ways with the help of other logical operators.
Implications are perfect at expressing the conditions that an if-then statement states in a program.
Indeed, if $\ivr$ holds then \(\dbox{\ausprg}{\ausfml}\) needs to be true and if $\ivr$ does not hold then \(\dbox{\busprg}{\ausfml}\) for \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} to hold.
Indeed, \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} is true if and only if
\m{(\ivr\limply\dbox{\ausprg}{\ausfml}) \land (\lnot\ivr\limply\dbox{\busprg}{\ausfml})} is true.
We capture this argument once and for all in the if-then-else axiom \irref{ifb}:
\[
\cinferenceRule[ifb|$\dibox{\text{if}}$]{if-thenelse}
{\linferenceRule[equiv]
{(\ivr\limply\dbox{\ausprg}{\ausfml}) \land (\lnot\ivr\limply\dbox{\busprg}{\ausfml})}
{\axkey{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}}
}{}%
\]
Just like with the assignment axiom \irref{assignb}, every time we want to make use of this equivalence, we just refer to it by name: \irref{ifb}.
When using the equivalence \irref{ifb} from left to right, we can use it to simplify every question about an if-then-else statement of the form \m{\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}
by a corresponding structurally simpler formula
\[
(\ivr\limply\dbox{\ausprg}{\ausfml}) \land (\lnot\ivr\limply\dbox{\busprg}{\ausfml})
\]
that does not use the if-then-else statement any more but is logically equivalent.
Whether the right hand side of axiom \irref{ifb} is really seriously simpler than its left hand side needs a moment's thought because it is longer.
But the point is that, even if it may be textually longer, the right hand side is structurally simpler, because it does not use the if-then-else statement anymore but subprograms and simpler logical operators.
The axiom will enable us, for example to conclude this equivalence:
\[
{\dbox{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{y{=}\abs{x}}}
\lbisubjunct
{(x{\geq}0\limply\dbox{\pupdate{\pumod{y}{x}}}{y{=}\abs{x}}) \land (\lnot x{\geq}0\limply\dbox{\pupdate{\pumod{y}{-x}}}{y{=}\abs{x}})}
\]
This formula uses $\abs{x}$ as notation for the absolute value of $x$.
Also, since axiom \irref{ifb} justifies this equivalence, we will be able to reduce a question about whether its left hand side is valid with axiom \irref{ifb} to the question whether its corresponding right hand side is valid.
In sequent calculus proofs, we will, thus, mark the use of such an axiom by giving its name \irref{ifb}:
\begin{sequentdeduction}[array]
\linfer[ifb]
{\lsequent{}{(x{\geq}0\limply\dbox{\pupdate{\pumod{y}{x}}}{y{=}\abs{x}}) \land (\lnot x{\geq}0\limply\dbox{\pupdate{\pumod{y}{-x}}}{y{=}\abs{x}})}}
{\lsequent{} {\dbox{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{y{=}\abs{x}}}}
\end{sequentdeduction}
Almost always will we take care to only use axioms for reducing its left hand side to the structurally simpler right hand side in order to make sure the proof makes progress toward simpler formulas.
Since we already know an axiom for dealing with assignments, let's finish this proof.
\begin{sequentdeduction}[array]
\linfer[ifb]
{\linfer[andr]
{\linfer[implyr]
{\linfer[assignb]
{\linfer[qear]
{\lclose}
{\lsequent{x{\geq}0} {x{=}\abs{x}}}
}
{\lsequent{x{\geq}0} {\dbox{\pupdate{\pumod{y}{x}}}{\,y{=}\abs{x}}}}
}
{\lsequent{} {x{\geq}0\limply\dbox{\pupdate{\pumod{y}{x}}}{\,y{=}\abs{x}}}}
!\linfer[implyr]
{\linfer[assignb]
{\linfer[notl]
{\linfer[qear]
{\lclose}
{\lsequent{} {x{\geq}0,-x{=}\abs{x}}}
}
{\lsequent{\lnot x{\geq}0} {-x{=}\abs{x}}}
}
{\lsequent{\lnot x{\geq}0} {\dbox{\pupdate{\pumod{y}{-x}}}{\,y{=}\abs{x}}}}
}
{\lsequent{} {\lnot x{\geq}0\limply \dbox{\pupdate{\pumod{y}{-x}}}{\,y{=}\abs{x}}}}
}
{\lsequent{} {(x{\geq}0\limply\dbox{\pupdate{\pumod{y}{x}}}{\,y{=}\abs{x}}) \land (\lnot x{\geq}0\limply \dbox{\pupdate{\pumod{y}{-x}}}{\,y{=}\abs{x}})}}
}
{\lsequent{} {\dbox{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{\,y{=}\abs{x}}}}
\end{sequentdeduction}
\paragraph{Verification Conditions}
This proof shows validity of the following formula, which says that the given program correctly implements the absolute value function \(\abs{\cdot}\) from mathematics:
\[{\dbox{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{\,y{=}\abs{x}}}\]
The proof refers to propositional logic sequent calculus rules such as \irref{andr} and \irref{implyr} as well as the dynamic logic axioms \irref{ifb} and \irref{assignb}.
The proof is developed starting with the desired conclusion at the bottom and working with proof rules to the top as usual in sequent calculus.
But notice that we ended with an application of a new rule \irref{qear} once we had gotten to a point where the left and right sides of the sequent contained no logical operators, and only facts of arithmetic.
On the left branch of the proof, we applied this rule to:
\[
\lsequent{x \ge 0}{x = |x|}
\]
and on the right to:
\[
\lsequent{}{x \ge 0, -x = |x|}
\]
These sequents correspond to assertions about integer arithmetic, namely that $x \ge 0 \limply x = |x|$, and $x \ge 0 \lor -x = |x|$.
We refer to such formulas as \emph{verification conditions}, as in order to verify that the original DL formula is valid, we must first establish that these arithmetic conditions are valid.
This is not a course about proving facts of arithmetic, so we will leave this work to the \irref{qear} rule if we are certain that the verification conditions are valid, as we are in this example from our knowledge of the absolute value function.
It is always good form when writing proofs to make a note of why you believe that each verification condition is valid.
In practice, this work is left to one or more \emph{decision procedures}~\cite{kroening}, which are algorithms for deciding the validity (or equivalently, satsfiability) of formulas containing arithmetic and possibly operators from other domains, like lists and arrays.
Later in the semester, we will return to decision procedures and learn more about how they work, but for now, you should satisfy yourself with simply applying \irref{qear} once there are no more logical deduction rules or axioms to apply.
\subsection{Test}
The if-then-else statement branches execution of the program depending on the truth-value of its condition in the current state.
The test statement $\ptest{\ivr}$ also checks a condition on the current state.
The difference is that it has no effect on the state if $\ivr$ is indeed true, but aborts and discards the execution if $\ivr$ is not true.
How can we express \m{\dbox{\ptest{\ivr}}{\ausfml}} in logic in structurally simpler ways?
In fact, let's preferably express \m{\dbox{\ptest{\ivr}}{\ausfml}} equivalently in simpler ways, because that equivalence principle worked so well in axiom \irref{ifb}.
The formula \m{\dbox{\ptest{\ivr}}{\ausfml}} is true iff formula $\ausfml$ holds always after running the test $\ptest{\ivr}$, which can only run if $\ivr$ is true.
What happens if the test program $\ptest{\ivr}$ cannot run because $\ivr$ is false?
Well in that case nothing needs to be shown, because \m{\dbox{\ptest{\ivr}}{\ausfml}} merely expresses that $\ausfml$ holds after all runs of the program \m{\ptest{\ivr}}, which is vacuously true for any postcondition if there simply isn't a run of \(\ptest{\ivr}\) at all because $\ivr$ is false in the current state.
Consequently $\ausfml$ holds after all runs of the program \m{\ptest{\ivr}} iff postcondition $\ausfml$ is true if the test $\ivr$ is.
That is iff the test formula $\ivr$ implies the postcondition $\ausfml$.
This is captured in the test axiom \irref{testb}:
\[
\cinferenceRule[testb|$\dibox{?}$]{test}
{\linferenceRule[equiv]
{(\ivr \limply \ausfml)}
{\axkey{\dbox{\ptest{\ivr}}{\ausfml}}}
}{}%
\]
\subsection{Sequential Compositions}
The axioms we investigated so far already handle some programs, but sequential compositions are missing quite noticeably and we won't get very far in programs without them.
So how can we equivalently express \m{\dbox{\ausprg;\busprg}{\ausfml}} in simpler logic without sequential compositions?
This formula expresses that $\ausfml$ holds after all runs of $\ausprg;\busprg$, which first runs $\ausprg$ and then runs $\busprg$.
How can this be expressed in an easier way in logic, again using just the subprograms $\ausprg$ as well as $\busprg$ of $\ausprg;\busprg$ then?
In order to express \m{\dbox{\ausprg;\busprg}{\ausfml}} what we need to say is that after all runs of $\ausprg$ it is the case that $\ausfml$ holds after all runs of $\busprg$.
It is comparably easy to say that $\ausfml$ holds after all runs of $\busprg$ just with the formula \(\dbox{\busprg}{\ausfml}\).
But where does this formula need to hold?
After all runs of $\ausprg$.
In particular, all we need to say is that \(\dbox{\busprg}{\ausfml}\) holds after all runs of $\ausprg$, which is exactly what the formula \m{\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}} says.
We capture these insights in the sequential composition axiom \irref{composeb}:
\[
\cinferenceRule[composeb|$\dibox{{;}}$]{composition} %``One step at a time axiom''
{\linferenceRule[equiv]
{\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}
{\axkey{\dbox{\ausprg;\busprg}{\ausfml}}}
}{}%
\]
Indeed, after all runs of $\ausprg;\busprg$ does $\ausfml$ hold if and only if after all runs of $\ausprg$ it is the case that after all runs of $\busprg$ does $\ausfml$ hold.
\begin{theorem}
The sequential composition axiom \irref{composeb} is sound, i.e. all its instances are valid:
\[
\cinferenceRule[composeb|$\dibox{{;}}$]{composition} %``One step at a time axiom''
{\linferenceRule[equiv]
{\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}
{\axkey{\dbox{\ausprg;\busprg}{\ausfml}}}
}{}%
\]
\end{theorem}
\begin{proof}
Recall the semantics of sequential composition:
\[
\iaccess[\asprg;\bsprg]{\I} = \iaccess[\asprg]{\I} \compose\iaccess[\bsprg]{\I}
= \{(\iget[state]{\I},\iget[state]{\It}) \with (\iget[state]{\I},\iget[state]{\Iz}) \in \iaccess[\asprg]{\I}, (\iget[state]{\Iz},\iget[state]{\It}) \in \iaccess[\bsprg]{\I}\}
\]
In order to show that the formula \m{{\dbox{\ausprg;\busprg}{\ausfml}} \lbisubjunct {\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}} is valid, i.e. \m{\entails {\dbox{\ausprg;\busprg}{\ausfml}} \lbisubjunct {\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}},
consider any state $\iget[state]{\I}$ and show that
\m{\imodels{\I}{{\dbox{\ausprg;\busprg}{\ausfml}} \lbisubjunct {\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}}}.
We prove this biimplication by separately proving both implications.
\begin{enumerate}
\item[``$\lylpmi$'']
Assume the right hand side \m{\imodels{\I}{\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}} and show \m{\imodels{\I}{\dbox{\ausprg;\busprg}{\ausfml}}}.
To show the latter, consider any state $\iget[state]{\It}$ with \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) and show that \(\imodels{\It}{\ausfml}\).
By the semantics of sequential composition, \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) implies that there is a state $\iget[state]{\Iz}$ such that
\(\iaccessible[\ausprg]{\I}{\Iz}\) and \(\iaccessible[\busprg]{\Iz}{\It}\).
The assumption implies with \(\iaccessible[\ausprg]{\I}{\Iz}\) that \(\imodels{\Iz}{\dbox{\busprg}{\ausfml}}\).
This, in turn, implies with \(\iaccessible[\busprg]{\Iz}{\It}\) that \(\imodels{\It}{\ausfml}\) as desired.
\item[``$\limply$''] Conversely, assume the left hand side \m{\imodels{\I}{\dbox{\ausprg;\busprg}{\ausfml}}} and show \m{\imodels{\I}{\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}}.
To show \m{\imodels{\I}{\dbox{\ausprg}{\dbox{\busprg}{\ausfml}}}}, consider any state $\iget[state]{\Iz}$ with \(\iaccessible[\ausprg]{\I}{\Iz}\) and show \(\imodels{\Iz}{\dbox{\busprg}{\ausfml}}\).
To show the latter, consider any state $\iget[state]{\It}$ with with \(\iaccessible[\busprg]{\Iz}{\It}\) and show \(\imodels{\It}{\ausfml}\).
Now \(\iaccessible[\ausprg]{\I}{\Iz}\) and \(\iaccessible[\busprg]{\Iz}{\It}\) imply \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) by the semantics of sequential composition.
Consequently, the assumption \m{\imodels{\I}{\dbox{\ausprg;\busprg}{\ausfml}}} implies \(\imodels{\It}{\ausfml}\) as desired.
\qedhere
\end{enumerate}
\end{proof}
These axioms already enable us to prove the correctness of the integer-based swapping function
\[
{x=a\land y=b\limply\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}
\]
All we need to do is turn it into a sequent and start with this as the desired conclusion at the bottom of a sequent proof and successively apply axioms until the proof completes:
\begin{sequentdeduction}[array]
\linfer[implyr]
{\linfer[composeb]
{\linfer[composeb]
{\linfer[assignb]
{\linfer[assignb]
{\linfer[assignb]
{\linfer
{\linfer[qear]
{\lclose}
{\lsequent{x{=}a\land y{=}b} {y=b\land x=a}}
}
{\lsequent{x{=}a\land y{=}b} {x+y-(x+y-y)=b\land x+y-y=a}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y}{(x-(x-y)=b\land x-y=a)}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y}{\dbox{y:=x-y}{(x-y=b\land y=a)}}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y}{\dbox{y:=x-y}{\dbox{x:=x-y}{(x=b\land y=a)}}}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y}{\dbox{y:=x-y; x:=x-y}{(x=b\land y=a)}}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}}
}
{\lsequent{} {x=a\land y=b\limply\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}}
\end{sequentdeduction}
Remember how we mark the use of arithmetic reasoning as \irref{qear}.
Note how this is now a proof of correctness of the swap program from \rref{eq:swap} that, in a finite amount of work, justifies correctness for all states and, thus, implies its validity:
\[
\entails {x=a\land y=b\limply\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}
\]
The above sequent calculus proof used the assignment axiom inside out, so starting with handling the last assignment first.
It would also have been possible to start outside in handling the first assignment first.
That would have led to the following proof step:
\begin{sequentdeduction}[array]
\linfer[implyr]
{\linfer[composeb]
{\linfer[composeb]
{\linfer[assignb]
{\linfer[assignb]
{\lclose[\dots]}
% {\linfer[assignb]%unsound since captured! Other order needed
% {\linfer[qear]
% {\linfer[qear]
% {\lclose}
% {\lsequent{x{=}a\land y{=}b} {y=b\land x=a}}
% }
% {\lsequent{x{=}a\land y{=}b} {x+(x+y-y)-(x+y-y)=b\land x+(x+y-y)-(x+y-y)+y-y=a}}
% }
% {\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+(x+y-y)-(x+y-y)}{(x=b\land x+y-y=a)}}}
% }
{\lsequent{x{=}a\land y{=}b} {\dbox{y:=x+y-y}{\dbox{x:=x+y-y}{(x=b\land y=a)}}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y}{\dbox{y:=x-y}{\dbox{x:=x-y}{(x=b\land y=a)}}}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y}{\dbox{y:=x-y; x:=x-y}{(x=b\land y=a)}}}}
}
{\lsequent{x{=}a\land y{=}b} {\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}}
}
{\lsequent{} {x=a\land y=b\limply\dbox{x:=x+y; y:=x-y; x:=x-y}{(x=b\land y=a)}}}
\end{sequentdeduction}
\subsection{Loop the Loop}
The final and most difficult case is that of the loop.
How can we prove \m{\dbox{\pwhile{\ivr}{\ausprg}}{\ausfml}} in another way by rephrasing it equivalently in logic?
What the loop \m{\pwhile{\ivr}{\ausprg}} does is to test whether formula $\ivr$ is true and, if so, run $\ausprg$, and then repeating that process until $\ivr$ is false (if it ever is, otherwise the loop just keeps running $\ausprg$ until the end of time).
Let's try to understand that by cases.
If $\ivr$ holds then \m{\dbox{\pwhile{\ivr}{\ausprg}}{\ausfml}} runs $\ausprg$ and then runs the while loop afterwards yet again.
If $\ivr$ does not hold then the loop has no effect and just stops right away.
That is why \m{\pwhile{\ivr}{\ausprg}} is equivalent to \m{\pifs{\ivr}{\plgroup\ausprg;\pwhile{\ivr}{\ausprg}\prgroup}}, because both have no effect if $\ivr$ is false but repeat $\ausprg$ as long as $\ivr$ is true.
We can capture these thoughts in the following axiom:
\[
\cinferenceRule[whileiterateb|$\dibox{\text{unwind}}$]{unfold while loop}
{\linferenceRule[equiv]
{\dbox{\pifs{\ivr}{\plgroup\ausprg;\pwhile{\ivr}{\ausprg}\prgroup}}{\ausfml}}
{\axkey{\dbox{\pwhile{\ivr}{\ausprg}}{\ausfml}}}
}{}%
\]
By applying the \irref{ifb} axiom and the composition axiom \irref{composeb} on the right hand side of axiom \irref{whileiterateb}, we obtain the following minor variation of axiom \irref{whileiterateb} which we call \irref{unfold}.
But on paper we might just as well accept either name, because both axioms follow essentially the same idea and one can easily tell which one we refer to:
\[
\cinferenceRule[unfold|$\dibox{\text{unfold}}$]{unfold while loop}
{\linferenceRule[equiv]
{(\ivr\limply\dbox{\ausprg}{\dbox{\pwhile{\ivr}{\ausprg}}{\ausfml}}) \land (\lnot\ivr\limply\ausfml)}
{\axkey{\dbox{\pwhile{\ivr}{\ausprg}}{\ausfml}}}
}{}%
\]
Both the unwinding axiom \irref{whileiterateb} and the closely related unfolding axiom \irref{unfold} have a slight deficiency that we will get back to. Can you spot it already?
% \section{Summary}
% The axioms introduced in this lecture are summarize in \rref{fig:elementary-program-axioms}.
\begin{figure}[tbp]
\begin{calculus}
\cinferenceRuleQuote{assignb}
\cinferenceRuleQuote{testb}
\cinferenceRuleQuote{ifb}
\cinferenceRuleQuote{composeb}
\cinferenceRuleQuote{whileiterateb}
\cinferenceRuleQuote{unfold}
\end{calculus}
\caption{Axioms of the day}
\label{fig:elementary-program-axioms}
\end{figure}
\bibliography{platzer,bibliography}
\end{document}