\documentclass[11pt,twoside]{scrartcl}
%opening
\newcommand{\lecid}{15-414}
\newcommand{\leccourse}{Bug Catching: Automated Program Verification}
\newcommand{\lecdate}{} %e.g. {October 21, 2013}
\newcommand{\lecnum}{9}
\newcommand{\lectitle}{Diamonds and Total Correctness}
\newcommand{\lecturer}{Matt Fredrikson}
\usepackage{lecnotes}
\usepackage[irlabel]{bugcatch}
\begin{document}
\maketitle
\thispagestyle{empty}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Introduction}
The previous lectures gave us a good understanding of how to reason about $\dbox{\cdot}{}$ properties of programs.
We saw how to decompose in logic properties of the form \(\dbox{\ausprg;\busprg}{\ausfml}\) and \(\dbox{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}\) etc.
That is all good and useful, but we need to remember that \(\dbox{\ausprg}{\ausfml}\) means that $\ausfml$ holds after all runs of program $\ausprg$.
Since while programs $\ausprg$ are deterministic and, thus, have at most one run, the formula \(\dbox{\ausprg}{\ausfml}\), in particular, means that:
\begin{center}
\emph{if} $\ausprg$ terminates, then $\ausfml$ holds in the final state
\end{center}
But formula \(\dbox{\ausprg}{\ausfml}\) says nothing at all about whether the program terminates.
Because it makes no statement about termination, this notion is also called \dfn[correctness!partial]{partial correctness} of program $\ausprg$ with respect to postcondition $\ausfml$.
This is what the diamond modality \(\ddiamond{\cdot}{}\) is good for.
The formula \(\ddiamond{\ausprg}{\ausfml}\) says that there is a run of program $\ausprg$ that reaches a final state in which postcondition $\ausfml$ is true.
Since while programs $\ausprg$ have at most one run, the formula \(\ddiamond{\ausprg}{\ausfml}\), in particular, means that:
\begin{center}
$\ausprg$ terminates \emph{and} $\ausfml$ holds in the final state.
\end{center}
Because it guarantees both a correct result and termination, this notion is also called \dfn[correctness!total]{total correctness} of program $\ausprg$ with respect to postcondition $\ausfml$.
Total correctness is the stronger notion compared to partial correctness, because it says that a program not only gives the right answer upon termination but also actually stops in finite time.
Consequently, in order to understand total correctness and how to reason about total correctness of while programs, we investigate diamond modalities \cite{Harel_et_al_2000,Platzer17}.
\section{Diamond Axioms for Programs}
Our approach to understanding programs with logic still is to design one reasoning principle for each program operator that describes its effect in logic with simpler logical operators.
If we succeed doing that for every operator that a program can have, then we will understand even the most complicated programs just by repeatedly making use of the respective logical reasoning principles.
Only this time it will be the combination of diamond modalities and the respective program operators we worry about.
\subsection{Assignments}
The easiest case to look into is what we need to prove in order to show the formula \m{\ddiamond{\pupdate{\umod{x}{\astrm}}}{p(x)}}, which expresses that the assignment \m{\pupdate{\umod{x}{\astrm}}} terminates and the formula $p(x)$ holds after the assignment \m{\pupdate{\umod{x}{\astrm}}} that assigns the value of term $\astrm$ to variable $x$.
How could we reduce this to another logical formula that is simpler?
Obviously assignments always terminate, because their only effect is to change the value of one variable which succeeds in (very) finite time.
If we want to show that the formula $p(x)$ holds after assigning the new value $\astrm$ to variable $x$ then we might as well show $p(\astrm)$ right away.
And, in fact, $p$ is true of $x$ after assigning $\astrm$ to $x$ if and only if $p$ is true of its new value $\astrm$.
That is, the formula \m{\ddiamond{\pupdate{\umod{x}{\astrm}}}{p(x)}} is equivalent to the formula \m{p(\astrm)}.
We capture this argument once and for all in the assignment axiom \irref{assignd}:
%What has worked exceedingly well for propositional logic might work just as well for programs.
\[
\cinferenceRule[assignd|$\didia{:=}$]{assignment / substitution axiom}
{\linferenceRule[equiv]
{p(\astrm)}
{\axkey{\ddiamond{\pupdate{\umod{x}{\astrm}}}{p(x)}}}
}
{}%{$genDJ{x}$ free for $x$ in $\ausfml$}
\]
In the assignment axiom \irref{assignd}, the formula $p(\astrm)$ has the term $\astrm$ everywhere in place of where the formula $p(x)$ has the variable $x$.
Of course, it is important for this substitution of $\astrm$ for $x$ to avoid capture of variables and not make any replacements under the scope of a quantifier or modality binding an affected variable \cite{DBLP:journals/jar/Platzer17}.
For example, the following formula is an instance of \irref{assignd}:
\[
\ddiamond{\pupdate{\pumod{x}{x^2-1}}}{x(x+1)\geq x+y} \lbisubjunct (x^2-1)(x^2-1+1) \geq (x^2-1)+y
\]
But the following is not because it would capture the replacement $y$ that is used for $x$:
\[
\ddiamond{\pupdate{\pumod{x}{y}}}{(x\geq0 \land \lforall{y}{(x\geq y)})} \lbisubjunct (y\geq0 \land \lforall{y}{(y\geq y)})
\]
Instead, if we first rename $\forall y$ to $\forall z$ then the substitution works:
\[
\ddiamond{\pupdate{\pumod{x}{y}}}{(x\geq0 \land \lforall{z}{(x\geq z)})} \lbisubjunct (y\geq0 \land \lforall{z}{(y\geq z)})
\]
Indeed by combining the \irref{assignb} and \irref{assignd} axioms, one can also show that both modalities are equivalent for assignments:
\[
{\dbox{\pupdate{\umod{x}{\astrm}}}{p(x)}} \lbisubjunct {\ddiamond{\pupdate{\umod{x}{\astrm}}}{p(x)}}
\]
This makes sense because an assignment always terminates and has exactly one successor, so modalities quantifying over all or one successor actually express the same fact for assignments.
But such an equivalence will not generally hold for other program operators!
Recall one implication for deterministic programs, which shows that total correctness implies partial correctness.
\begin{lemma}[Deterministic program modality relation]
Deterministic programs $\asprg$ make the following formula valid for all formulas $\asfml$:
\[
\ddiamond{\asprg}{\asfml} \limply \dbox{\asprg}{\asfml}
\]
\end{lemma}
There is no reason to believe both sides would be equivalent in general, because there are many programs that are partially correct just never terminate.
In fact, can you find a program that is partially correct for all preconditions $A$ and postconditions $B$?
Finally, since box and diamond modalities are equivalent in the case of assignments, the equational form of an assignment proof rule not only works for boxes but also for diamonds:
\[
\dinferenceRule[assigndeqr|$\didia{:=}_=$]{assignbeq}%{assignment equational rule}
{\linferenceRule[sequent]
{\lsequent[L]{y=\austrm} {p(y)}}
{\lsequent[L]{} {\ddiamond{\pupdate{\umod{x}{\austrm}}}{p(x)}}}
~~
}
{\text{$y$ new}}
\]
\subsection{Conditionals}
The next case we choose to look at is what we need to prove in order to show the formula \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}, which expresses that formula $\ausfml$ holds in some final state reached after running the if-then-else conditional \m{\pif{\ivr}{\ausprg}{\busprg}} that runs program $\ausprg$ if formula $\ivr$ is true and runs $\busprg$ otherwise.
And that this conditional program will indeed terminate.
Of course, the if will terminate but the question is whether the resulting subprograms $\ausprg$ and/or $\busprg$ terminate.
In order to understand it from a logical perspective, how could we express \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} in easier ways?
If $\ivr$ holds then \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} says that $\ausfml$ holds in some final state after running $\ausprg$.
If $\ivr$ does not hold then the same formula \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} says that $\ausfml$ holds in some final state after running $\busprg$.
It is easy to say with a logical formula that $\ausfml$ holds in some state after running $\ausprg$, which is precisely what \(\ddiamond{\ausprg}{\ausfml}\) is good for.
Likewise \(\ddiamond{\busprg}{\ausfml}\) directly expresses in logic that $\ausfml$ in some state after running $\busprg$.
Both of those formulas \(\ddiamond{\ausprg}{\ausfml}\) as well as \(\ddiamond{\busprg}{\ausfml}\) are simpler than the original formula \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}.
But, of course, they express something else, because the program \m{\pif{\ivr}{\ausprg}{\busprg}} only runs the respective programs conditionally depending on the truth-value of $\ivr$.
Yet, there is a way of expressing \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} in logic in easier ways with the help of other logical operators.
Implications are perfect at expressing the conditions that an if-then statement states in a program.
Indeed, if $\ivr$ holds then \(\ddiamond{\ausprg}{\ausfml}\) needs to be true and if $\ivr$ does not hold then \(\ddiamond{\busprg}{\ausfml}\) for \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} to hold.
Indeed, \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}} is true if and only if
\m{(\ivr\limply\ddiamond{\ausprg}{\ausfml}) \land (\lnot\ivr\limply\ddiamond{\busprg}{\ausfml})} is true.
This is the diamond formulation of the if-then-else axiom \irref{ifd}:
\[
\cinferenceRule[ifd|$\didia{\text{if}}$]{if-thenelse}
{\linferenceRule[equiv]
{(\ivr\limply\ddiamond{\ausprg}{\ausfml}) \land (\lnot\ivr\limply\ddiamond{\busprg}{\ausfml})}
{\axkey{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}}
}{}%
\]
This axiom tells us everything we need to know about correct termination of if-then-else statements.
When using the equivalence \irref{ifd} from left to right, we can use it to simplify every question about an if-then-else statement of the form \m{\ddiamond{\pif{\ivr}{\ausprg}{\busprg}}{\ausfml}}
by a corresponding structurally simpler formula \m{(\ivr\limply\ddiamond{\ausprg}{\ausfml}) \land (\lnot\ivr\ddiamond{\busprg}{\ausfml})}
that does not use the if-then-else statement any more but is logically equivalent.
The axiom \irref{ifd} achieves the same kind of compositionality that axiom \irref{ifb} achieves, just for diamond modalities of if-then-else statements.
The \irref{ifd} axiom will enable us, for example to conclude this equivalence:
\[
{\ddiamond{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{y{=}\abs{x}}}
\lbisubjunct
{(x{\geq}0\limply\ddiamond{\pupdate{\pumod{y}{x}}}{y{=}\abs{x}}) \land (\lnot x{\geq}0\limply\ddiamond{\pupdate{\pumod{y}{-x}}}{y{=}\abs{x}})}
\]
This formula uses $\abs{x}$ as notation for the absolute value of $x$.
Since axiom \irref{ifd} justifies this equivalence, we will be able to reduce a question about whether its left hand side is valid with axiom \irref{ifd} to the question whether its corresponding right hand side is valid.
\begin{sequentdeduction}[array]
\linfer[ifd]
{\linfer[andr]
{\linfer[implyr]
{\linfer[assignd]
{\linfer[qear]
{\lclose}
{\lsequent{x{\geq}0} {x{=}\abs{x}}}
}
{\lsequent{x{\geq}0} {\ddiamond{\pupdate{\pumod{y}{x}}}{\,y{=}\abs{x}}}}
}
{\lsequent{} {x{\geq}0\limply\ddiamond{\pupdate{\pumod{y}{x}}}{\,y{=}\abs{x}}}}
!\linfer[implyr]
{\linfer[assignd]
{\linfer[qear]
{\lclose}
{\lsequent{\lnot x{\geq}0} {-x{=}\abs{x}}}
}
{\lsequent{\lnot x{\geq}0} {\ddiamond{\pupdate{\pumod{y}{-x}}}{\,y{=}\abs{x}}}}
}
{\lsequent{} {\lnot x{\geq}0\limply \ddiamond{\pupdate{\pumod{y}{-x}}}{\,y{=}\abs{x}}}}
}
{\lsequent{} {(x{\geq}0\limply\ddiamond{\pupdate{\pumod{y}{x}}}{\,y{=}\abs{x}}) \land (\lnot x{\geq}0\limply \ddiamond{\pupdate{\pumod{y}{-x}}}{\,y{=}\abs{x}})}}
}
{\lsequent{} {\ddiamond{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{\,y{=}\abs{x}}}}
\end{sequentdeduction}
This proof shows validity of the following formula, which says that the given program is totally correct in implementing the absolute value function \(\abs{\cdot}\) from mathematics:
\[{\ddiamond{\pif{x{\geq}0}{\pupdate{\pumod{y}{x}}}{\pupdate{\pumod{y}{-x}}}}{\,y{=}\abs{x}}}\]
As usual the proof is developed starting with the desired conclusion at the bottom and working with proof rules to the top as usual in sequent calculus.
\subsection{Test}
The test statement $\ptest{\ivr}$ also checks a condition on the current state but has a different effect.
It has no effect on the state if $\ivr$ is indeed true, but aborts and discards the execution if $\ivr$ is not true.
In particular, in the latter case, the program did not terminate (rather it was aborted unsuccessfully).
How can we express \m{\ddiamond{\ptest{\ivr}}{\ausfml}} in logic in structurally simpler ways?
The formula \m{\ddiamond{\ptest{\ivr}}{\ausfml}} is true iff formula $\ausfml$ holds in some final state after running the test $\ptest{\ivr}$, which only even has a final state if $\ivr$ is true.
Consequently $\ausfml$ holds in some final state after running the program \m{\ptest{\ivr}} iff postcondition $\ausfml$ is true and if the test $\ivr$ is.
This is captured in the test axiom \irref{testd}:
\[
\cinferenceRule[testd|$\didia{?}$]{test}
{\linferenceRule[equiv]
{(\ivr \land \ausfml)}
{\axkey{\ddiamond{\ptest{\ivr}}{\ausfml}}}
}{}%
\]
Even if diamonds of deterministic programs imply their own boxes, the test axiom \irref{testd} already alerts us to the fact that some programs are only partially correct but not totally correct.
The following box formula is valid
\[
\dbox{\ptest{x=2}}{x\cdot x=4}
\]
because by axiom \irref{testb} it is equivalent to the valid formula \(x=2 \limply x\cdot x=4\).
But the corresponding diamond formula is not valid:
\[
\ddiamond{\ptest{x=2}}{x\cdot x=4}
\]
because axiom \irref{testd} makes it equivalent to \(x=2 \land x\cdot x=4\) so $x=2$, which is not valid but merely satisfiable.
\subsection{Sequential Compositions}
The next most pressing case to worry about are sequential compositions.
So how can we equivalently express \m{\ddiamond{\ausprg;\busprg}{\ausfml}} in simpler logic without sequential compositions?
This formula expresses that $\ausfml$ holds after some runs of $\ausprg;\busprg$, which first runs $\ausprg$ and then runs $\busprg$.
How can this be expressed in an easier way in logic, again using just the subprograms $\ausprg$ as well as $\busprg$ of $\ausprg;\busprg$ then?
In order to express \m{\ddiamond{\ausprg;\busprg}{\ausfml}} what we need to say is that after some run of $\ausprg$ it is the case that $\ausfml$ holds after some run of $\busprg$.
It is comparably easy to say that $\ausfml$ holds after some runs of $\busprg$ just with the formula \(\ddiamond{\busprg}{\ausfml}\).
But where does this formula need to hold?
After some runs of $\ausprg$!
In particular, all we need to say is that \(\ddiamond{\busprg}{\ausfml}\) holds after some run of $\ausprg$, which is exactly what the formula \m{\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}} says.
This is the sequential composition axiom \irref{composed} for diamonds:
\[
\cinferenceRule[composed|$\didia{{;}}$]{composition} %``One step at a time axiom''
{\linferenceRule[equiv]
{\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}
{\axkey{\ddiamond{\ausprg;\busprg}{\ausfml}}}
}{}%
\]
Indeed, after all runs of $\ausprg;\busprg$ does $\ausfml$ hold if and only if after all runs of $\ausprg$ it is the case that after all runs of $\busprg$ does $\ausfml$ hold.
This enables us to consider another absolute value function implementation that is partially correct but \emph{not} totally correct!
The following formula is easily seen to be valid:
\[
\dbox{\pupdate{\pumod{y}{-x}}; \ptest{y\geq0}}{\,y=\abs{x}}
\]
A proof of validity is easy from the box axioms and arithmetic facts about the absolute value function $\abs{\cdot}$:
\begin{sequentdeduction}[array]
\linfer[composeb]
{\linfer[assignb]
{\linfer[testb]
{\linfer[qear]
{\lclose}
{\lsequent{} {{-}x\geq0 \limply {-}x=\abs{x}}
}
}
{\lsequent{} {\dbox{\ptest{{-}x\geq0}}{\,{-}x=\abs{x}}
}}
}
{\lsequent{} {\dbox{\pupdate{\pumod{y}{-x}}}{\dbox{\ptest{y\geq0}}{\,y=\abs{x}}}
}}
}
{\lsequent{} {\dbox{\pupdate{\pumod{y}{-x}}; \ptest{y\geq0}}{\,y=\abs{x}}
}}
\end{sequentdeduction}
A corresponding attempt to prove total correctness
will, however, fail:
\begin{sequentdeduction}[array]
\linfer[composed]
{\linfer[assignd]
{\linfer[testd]
{\linfer[cut]
{\lsequent{} {{-}x\geq0}
!\linfer[andr]
{\linfer[id]
{\lclose}
{\lsequent{-x\geq0} {{-}x\geq0}}
!\linfer[qear]
{\lclose}
{\lsequent{-x\geq0} {{-}x=\abs{x}}}
}
{\lsequent{-x\geq0} {{-}x\geq0 \land {-}x=\abs{x}}}
}
{\lsequent{} {{-}x\geq0 \land {-}x=\abs{x}}}
}
{\lsequent{} {\ddiamond{\ptest{{-}x\geq0}}{\,{-}x=\abs{x}}
}}
}
{\lsequent{} {\ddiamond{\pupdate{\pumod{y}{-x}}}{\ddiamond{\ptest{y\geq0}}{\,y=\abs{x}}}
}}
}
{\lsequent{} {\ddiamond{\pupdate{\pumod{y}{-x}}; \ptest{y\geq0}}{\,y=\abs{x}}
}}
\end{sequentdeduction}
In fact, the total correctness property is not valid:
\[
\ddiamond{\pupdate{\pumod{y}{-x}}; \ptest{y\geq0}}{\,y=\abs{x}}
\]
Only if the formula $-x\geq0$ in the remaining open proof branch is assumed in the initial state is the total correctness formula valid:
\[
x\leq0 \limply
\ddiamond{\pupdate{\pumod{y}{-x}}; \ptest{y\geq0}}{\,y=\abs{x}}
\]
\subsection{Loop the Loop}
Unwinding a loop is also possible for diamond modalities with while loops.
If $\ivr$ holds then \m{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}} runs $\ausprg$ and then runs the while loop afterwards yet again.
If $\ivr$ does not hold then the loop has no effect and just stops right away.
That is why \m{\pwhile{\ivr}{\ausprg}} is equivalent to \m{\pifs{\ivr}{\plgroup\ausprg;\pwhile{\ivr}{\ausprg}\prgroup}}, because both have no effect if $\ivr$ is false but repeat $\ausprg$ as long as $\ivr$ is true.
We can capture these thoughts in the following axiom:
\[
\cinferenceRule[whileiterated|$\didia{\text{unwind}}$]{unfold while loop}
{\linferenceRule[equiv]
{\ddiamond{\pifs{\ivr}{\plgroup\ausprg;\pwhile{\ivr}{\ausprg}\prgroup}}{\ausfml}}
{\axkey{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}}
}{}%
\]
Of course, this axiom has the same shortcoming that the unwinding axiom already had for box modalities.
If we unwind a loop, there still is a loop to be taken care of, which is quite problematic for loops that do not have a fixed small finite number of iterations.
As in the case of box modalities, a similar axiom can be derived by already applying the \irref{ifd} and \irref{composed} axioms on the right-hand side:
\[
\cinferenceRule[unfoldd|$\didia{\text{unfold}}$]{unfold while loop}
{\linferenceRule[equiv]
{(\ivr\limply\ddiamond{\ausprg}{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}) \land (\lnot\ivr\limply\ausfml)}
{\axkey{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}}
}{}%
\]
\newcommand{\ssign}[1]{\text{sig}(#1)}
The \irref{unfoldd} axiom can be used to prove total correctness of a loopy program:
\[
{\pupdate{\pumod{s}{1}};
\pwhile{x<0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}
\]
This program totally correctly implements the nonnegative sign function:
\[
\ssign{x} =
\begin{cases}
1 & \text{if}~x\geq0\\
-1 & \text{if}~x<0
\end{cases}
\]
{\small
\begin{sequentdeduction}[default]
\linfer[composed]
{\linfer[assigndeqr]
{\linfer[unfoldd]
{\linfer[andr]
{\linfer
{\lclose[\dots]}
{\lsequent{s{=}1} {x{<}0 \limply \ddiamond{\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}}{\ddiamond{\pwhile{x{<}0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}}}
!\linfer[qear]
{\lclose}
{\lsequent{s{=}1} {\lnot x{<}0 \limply s{=}\ssign{x}}}
}
{\lsequent{s=1} {(x{<}0 \limply \ddiamond{\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}}{\ddiamond{\pwhile{x{<}0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}) \land (\lnot x{<}0 \limply s{=}\ssign{x})}}
}
{\lsequent{s=1} {\ddiamond{\pwhile{x{<}0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}}
}
{\lsequent{} {\ddiamond{\pupdate{\pumod{s}{1}}}{\ddiamond{\pwhile{x{<}0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}}}
}
{\lsequent{} {\ddiamond{\pupdate{\pumod{s}{1}};
\pwhile{x<0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}}
\end{sequentdeduction}
}
The left branch continues as follows using that \(x<0 \limply \ddiamond{\pupdate{\pumod{x}{-x}}}{x>0}\) is valid:
\begin{sequentdeduction}[default]
\linfer[implyr]
{\linfer[unfoldd]
{\linfer[composed]
{\linfer[assignd]%+monotonically replace RHS of vacuous implication by $\lfalse$
{\linfer%[simplify]
{\linfer[assignd]
{\linfer[qear]
{\lclose}
{\lsequent{s{=}1, x{<}0} {\lnot {-}x{<}0 \limply s-2{=}\ssign{-x}}}
}
{\lsequent{s{=}1, x{<}0} {\ddiamond{\pupdate{\pumod{s}{s-2}}}{(\lnot {-}x{<}0 \limply s{=}\ssign{-x})}}}
}
{\lsequent{s{=}1, x{<}0} {\ddiamond{\pupdate{\pumod{s}{s-2}}}{\big(
(-x{<}0 \limply
\dots)
\land (\lnot {-}x{<}0 \limply s{=}\ssign{-x})
\big)}}}
}
{\lsequent{s{=}1, x{<}0} {\ddiamond{\pupdate{\pumod{x}{-x}}}{\ddiamond{\pupdate{\pumod{s}{s-2}}}{\big(
(x{<}0 \limply
\ddiamond{\dots}{\ddiamond{\pwhile{x{<}0}{\dots}}{\,s{=}\ssign{x}}})
\land (\lnot x{<}0 \limply s{=}\ssign{x})
\big)}}}}
}
{\lsequent{s{=}1,x{<}0} {\ddiamond{\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}}{\big(
(x{<}0 \limply
\ddiamond{\dots}{\ddiamond{\pwhile{x{<}0}{\dots}}{\,s{=}\ssign{x}}})
\land (\lnot x{<}0 \limply s{=}\ssign{x})
\big)}}}
}
{\lsequent{s{=}1,x{<}0} {\ddiamond{\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}}{\ddiamond{\pwhile{x{<}0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}}}
}
{\lsequent{s{=}1} {x{<}0 \limply \ddiamond{\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}}{\ddiamond{\pwhile{x{<}0}{\plgroup\pupdate{\pumod{x}{-x}}; \pupdate{\pumod{s}{s-2}}\prgroup}}{\,s{=}\ssign{x}}}}}
\end{sequentdeduction}
In general, of course, unwinding is only enough if the loop terminates in at most some known fixed finite number of iterations.
Would the program also work correctly for a corresponding sign function when replacing its loop guard by $x\leq0$?
The above proof also has a minor subtlety in the occurrence of $\dots$. Can you spot it and suggest a way of solving it?
\section{Soundness}
The above axioms can again all be shown to be sound.
We only show the proof of one axiom in order to leave you sufficiently many other axioms to practice soundness proofs on.
\begin{lemma}
The sequential composition axiom \irref{composed} is sound, i.e. all its instances are valid:
\[
\cinferenceRuleQuote{composed}
\]
\end{lemma}
\begin{proof}
Recall the semantics of sequential composition:
\[
\iaccess[\asprg;\bsprg]{\I} = \iaccess[\asprg]{\I} \compose\iaccess[\bsprg]{\I}
= \{(\iget[state]{\I},\iget[state]{\It}) \with (\iget[state]{\I},\iget[state]{\Iz}) \in \iaccess[\asprg]{\I}, (\iget[state]{\Iz},\iget[state]{\It}) \in \iaccess[\bsprg]{\I}\}
\]
In order to show that the formula \m{{\ddiamond{\ausprg;\busprg}{\ausfml}} \lbisubjunct {\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}} is valid, i.e. \m{\entails {\ddiamond{\ausprg;\busprg}{\ausfml}} \lbisubjunct {\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}},
consider any state $\iget[state]{\I}$ and show that
\m{\imodels{\I}{{\ddiamond{\ausprg;\busprg}{\ausfml}} \lbisubjunct {\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}}}.
We prove this biimplication by separately proving both implications.
\begin{enumerate}
\item[``$\lylpmi$'']
Assume the right hand side \m{\imodels{\I}{\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}} and show \m{\imodels{\I}{\ddiamond{\ausprg;\busprg}{\ausfml}}}.
To show the latter, we need to show that there is a state $\iget[state]{\It}$ with \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) for which \(\imodels{\It}{\ausfml}\).
By the semantics of sequential composition, \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) iff there is a state $\iget[state]{\Iz}$ such that
\(\iaccessible[\ausprg]{\I}{\Iz}\) and \(\iaccessible[\busprg]{\Iz}{\It}\).
The assumption implies that there is a state $\iget[state]{\Iz}$ with \(\iaccessible[\ausprg]{\I}{\Iz}\) such that \(\imodels{\Iz}{\ddiamond{\busprg}{\ausfml}}\).
The latter implies that there is a $\iget[state]{\It}$ with \(\iaccessible[\busprg]{\Iz}{\It}\) such that \(\imodels{\It}{\ausfml}\).
Thus, \(\imodels{\It}{\ausfml}\) and, as desired, \(\iaccessible[\ausprg;\busprg]{\I}{\It}\), because \(\iaccessible[\ausprg]{\I}{\Iz}\) and \(\iaccessible[\busprg]{\Iz}{\It}\).
Hence \m{\imodels{\I}{\ddiamond{\ausprg;\busprg}{\ausfml}}}.
\item[``$\lylpmi$''] Conversely, assume the left hand side \m{\imodels{\I}{\ddiamond{\ausprg;\busprg}{\ausfml}}} and show \m{\imodels{\I}{\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}}.
Consequently, there is a state $\iget[state]{\It}$ such that \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) and \(\imodels{\It}{\ausfml}\).
Now \(\iaccessible[\ausprg]{\I}{\Iz}\) and \(\iaccessible[\busprg]{\Iz}{\It}\) iff \(\iaccessible[\ausprg;\busprg]{\I}{\It}\) by the semantics of sequential composition.
Hence, there is a state $\iget[state]{\Iz}$ such that \(\iaccessible[\ausprg]{\I}{\Iz}\) and \(\imodels{\Iz}{\ddiamond{\busprg}{\ausfml}}\).
Thus, \m{\imodels{\I}{\ddiamond{\ausprg}{\ddiamond{\busprg}{\ausfml}}}}.
\qedhere
\end{enumerate}
\end{proof}
\begin{lemma}
The following axiom is a derived axiom, so can be proved from the other axioms in sequent calculus, and is, thus, sound:
\[
\cinferenceRuleQuote{unfoldd}
\]
\end{lemma}
\begin{proof}
The axiom \irref{unfoldd} can be derived by using other axioms (from right to left):
\begin{sequentdeduction}[array]
\linfer[composed]
{\linfer[ifd]
{\linfer[whileiterated]
{\lclose}
{\lsequent{} {{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}\lbisubjunct
{\ddiamond{\pifs{\ivr}{\plgroup\ausprg;\pwhile{\ivr}{\ausprg}\prgroup}}{\ausfml}}}}
}
{\lsequent{} {{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}\lbisubjunct
{(\ivr\limply\ddiamond{\ausprg;\pwhile{\ivr}{\ausprg}}{\ausfml}) \land (\lnot\ivr\limply\ausfml)}}}
}
{\lsequent{} {{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}\lbisubjunct
{(\ivr\limply\ddiamond{\ausprg}{\ddiamond{\pwhile{\ivr}{\ausprg}}{\ausfml}}) \land (\lnot\ivr\limply\ausfml)}}}
\end{sequentdeduction}
\end{proof}
\section{Summary}
The axioms introduced in this lecture are summarize in \rref{fig:elementary-program-diamond-axioms}.
These axioms handle all total correctness properties of programs that only consist of assignment, conditionals, sequential compositions, and tests.
But as soon as while loops are involved, things get more complicated, since the unwinding-based axioms help for finite bounded loops.
\begin{figure}[tbhp]
\begin{calculus}
\cinferenceRuleQuote{assignd}
\cinferenceRuleQuote{testd}
\cinferenceRuleQuote{ifd}
\cinferenceRuleQuote{composed}
\cinferenceRuleQuote{whileiterated}
\cinferenceRuleQuote{unfoldd}
\end{calculus}
\caption{Diamond axioms of the day}
\label{fig:elementary-program-diamond-axioms}
\end{figure}
\bibliography{platzer,bibliography}
\end{document}