Lecture 005

Summary

Grammar

$$ \begin{array}{ll}
\text{Unsafe State} & \otimes \\
\text{Variables} & x, y, z \in \text{Var} \\
\text{State} & w : \text{Var} \to (\mathbb{Z} \cup (\mathbb{Z} \to \mathbb{Z})) \\
\text{Memory} & M, N : \mathbb{Z} \to \mathbb{Z} \\
\text{Constants} & c ::= \ldots, -1, 0, 1, \ldots \\
\text{Expressions} & e ::= c \mid x \mid e_1 + e_2 \mid e_1 - e_2 \mid e_1 * e_2 \mid |M| \\
\text{Indet. Exp.} & e ::= e_1 / e_2 \mid e_1 \% e_2 \mid \textbf{ read } M \ e \mid \textbf{ write } M \ e_1 \ e_2 \\
\text{Programs} & \alpha, \beta ::= \alpha;\beta \mid x := e \mid \textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta \mid \textbf{ while } P \ \alpha \mid \textbf{ skip } \\
& \mid \textbf{ test } P \mid \textbf{ assert } P \mid x := \textbf{ divides } e_1 \ e_2 \mid M := \textbf{ alloc } e \mid x := M[e] \mid M[e_1] := e_2 \\
\text{Formulas} & P, Q ::= e_1 \le e_2 \mid e_1 = e_2 \mid \ldots \\
& \mid P \land Q \mid P \lor Q \mid P \rightarrow Q \mid P \leftrightarrow Q \mid \neg P \mid \top \mid \bot \\
& \mid \forall x.P(x) \mid \exists x.P(x) \mid [\alpha]Q \mid \langle \alpha \rangle Q \mid \square P \\
\text{Statement} &
\end{array} $$

An "Indet. Exp." may not appear inside a "Program" (so x := e_1 / e_2 is not a program; the program form is x := \textbf{ divides } e_1 \ e_2, which has an explicit \otimes case), but it may appear inside a "Formula" or an "Expression". An "Expression" that contains an "Indet. Exp." is itself an "Indet. Exp.".

Notations

State[[Expression/Memory]]: evaluation. We evaluate the Expression or Memory (second argument) in the State (first argument). The result is a value: an integer for an Expression, a memory (a function \mathbb{Z} \to \mathbb{Z}) for a Memory name.

State[[Program]]State: prestate (first argument) and poststate (final argument) related by the program (middle arg). The resulting type is a Statement.

State \models Formula: A Formula (second argument) is true in State (first argument). This resulting type is a Statement.

\cdot[\cdot \mapsto \cdot]: state update. We take a state (first argument) and make a variable (second argument) map to a value (third argument). The result is an updated state. The same notation H[i \mapsto a] is used for updating cell i of a memory H.

[\alpha]Q (pronounced "box alpha Q") is true in a prestate w if executing \alpha from w cannot reach the unsafe state \otimes and the formula Q is true in every poststate v we can reach by executing \alpha:

w \models [\alpha]Q \text{ iff } (\lnot ( w[[\alpha]] \otimes)) \land (\forall v)(w[[\alpha]]v \implies v \models Q)

\langle \alpha \rangle Q (pronounced "diamond alpha Q") is true in a state w if there is a poststate v that we can reach by executing \alpha in which Q is true.

Semantics

Expression Semantics

\begin{align*} w[[c]] & = c\\ w[[x]] & = w(x)\\ w[[e_1 + e_2]] & = w[[e_1]] + w[[e_2]]\\ w[[e_1 - e_2]] & = w[[e_1]] - w[[e_2]]\\ w[[e_1 * e_2]] & = w[[e_1]] \times w[[e_2]]\\ w[[|M|]] & = |w(M)| \quad \text{(the size of the memory currently bound to } M) \end{align*}

Program Semantics

\begin{align*}
\omega[[\textbf{ skip }]]\nu &\iff \nu = \omega \\
\omega[[\textbf{ skip }]]\otimes &\iff \bot \\
\omega[[x := e]]\nu &\iff \nu = \omega[x \mapsto c] \land c = \omega[[e]] \\
\omega[[x := e]]\otimes &\iff \bot \\
\omega[[\alpha;\beta]]\nu &\iff (\exists \mu)(\omega[[\alpha]]\mu \land \mu[[\beta]]\nu) \\
\omega[[\alpha;\beta]]\otimes &\iff (\omega[[\alpha]]\otimes) \lor (\exists \mu)(\omega[[\alpha]]\mu \land \mu[[\beta]]\otimes) \\
\omega[[\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]]\nu &\iff (\omega \models P \land \omega[[\alpha]]\nu) \lor (\omega \not\models P \land \omega[[\beta]]\nu) \\
\omega[[\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]]\otimes &\iff (\omega \models P \land \omega[[\alpha]]\otimes) \lor (\omega \not\models P \land \omega[[\beta]]\otimes) \\
\omega[[x := \textbf{ divides } e_1 \ e_2]]\nu &\iff \omega[[e_1]] = a \land \omega[[e_2]] = b \land b \neq 0 \land c = a/b \land \nu = \omega[x \mapsto c] \\
\omega[[x := \textbf{ divides } e_1 \ e_2]]\otimes &\iff \omega[[e_2]] = 0 \\
[x := \textbf{ divides } e_1 \ e_2]Q(x) &\iff \lnot(e_2 = 0) \land \forall x'.(x' = e_1 / e_2 \rightarrow Q(x')) \quad \text{(the box axiom that follows from the two lines above)} \\
\omega[[\textbf{ while } P \ \alpha]]\nu &\iff (\exists n \geq 0)(\omega[[\textbf{ while } P \ \alpha]]^n \nu) \\
\omega[[\textbf{ while } P \ \alpha]]^0 \nu &\iff \omega \not\models P \land \nu = \omega \\
\omega[[\textbf{ while } P \ \alpha]]^{n+1} \nu &\iff \omega \models P \land (\exists \mu)(\omega[[\alpha]]\mu \land \mu[[\textbf{ while } P \ \alpha]]^n \nu) \\
\omega[[\textbf{ while } P \ \alpha]]\otimes &\iff (\exists n \geq 0)(\omega[[\textbf{ while } P \ \alpha]]^n \otimes) \\
\omega[[\textbf{ while } P \ \alpha]]^0 \otimes &\iff \bot \\
\omega[[\textbf{ while } P \ \alpha]]^{n+1} \otimes &\iff \omega \models P \land \big((\omega[[\alpha]]\otimes) \lor (\exists \mu)(\omega[[\alpha]]\mu \land \mu[[\textbf{ while } P \ \alpha]]^n \otimes)\big) \\
\omega[[\textbf{ test } P]]\nu &\iff \omega \models P \land \nu = \omega \\
\omega[[\textbf{ test } P]]\otimes &\iff \bot \\
\omega[[\textbf{ assert } P]]\nu &\iff \omega \models P \land \nu = \omega \\
\omega[[\textbf{ assert } P]]\otimes &\iff \omega \not\models P \\
\omega[[M := \textbf{ alloc } e]]\nu &\iff (\exists H)(\omega[[e]] = |H| \land |H| \geq 0 \land \nu = \omega[M \mapsto H]) \\
\omega[[M := \textbf{ alloc } e]]\otimes &\iff \omega[[e]] < 0 \\
\omega[[x := M[e]]]\nu &\iff H = \omega[[M]] \land i = \omega[[e]] \land 0 \leq i < |H| \land \nu = \omega[x \mapsto H(i)] \\
\omega[[x := M[e]]]\otimes &\iff \lnot(0 \leq \omega[[e]] < |\omega[[M]]|) \\
\omega[[M[e_1] := e_2]]\nu &\iff H = \omega[[M]] \land i = \omega[[e_1]] \land 0 \leq i < |H| \land a = \omega[[e_2]] \land \nu = \omega[M \mapsto H[i \mapsto a]] \\
\omega[[M[e_1] := e_2]]\otimes &\iff \lnot(0 \leq \omega[[e_1]] < |\omega[[M]]|)
\end{align*}
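The program semantics above as a small executable model, added here as an example (this is not code from the lecture). States are Python dicts from names to integers or memories (lists, so |M| is the list length), the unsafe state \otimes is an exception, and a failing test yields "no poststate" (None). The tuple encoding of programs, the `<` comparison (one of the comparisons hidden in the grammar's "..."), floor division standing in for the lecture's integer `/`, the random contents chosen for alloc (any H of the right size is allowed by the \exists H), and the two zero-fill programs are all constructed for this example.

```python
# Added example, not from the lecture: the program semantics as an evaluator.
# A state is a dict from names to ints or memories (lists, |M| = len).
# ⊗ is modelled by raising Unsafe; "no poststate" (a failed test) is None.
# Programs/expressions are nested tuples (a constructed encoding); the lecture's
# integer `/` is taken to be floor division (an assumption of this model).
import random


class Unsafe(Exception):
    """Execution reached ⊗: an undefined operation."""


def eval_expr(w, e):
    """w[[e]] for determinate e: c | x | ('+'|'-'|'*', e1, e2) | ('len', M)."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return w[e]
    op, *args = e
    if op == 'len':
        return len(w[args[0]])
    a, b = eval_expr(w, args[0]), eval_expr(w, args[1])
    return {'+': a + b, '-': a - b, '*': a * b}[op]


def holds(w, P):
    """w ⊨ P for quantifier-free P; '<' is one of the grammar's '...' comparisons."""
    if isinstance(P, bool):
        return P
    op, *args = P
    if op in ('<=', '<', '='):
        a, b = eval_expr(w, args[0]), eval_expr(w, args[1])
        return {'<=': a <= b, '<': a < b, '=': a == b}[op]
    if op == 'and':
        return holds(w, args[0]) and holds(w, args[1])
    if op == 'or':
        return holds(w, args[0]) or holds(w, args[1])
    if op == 'not':
        return not holds(w, args[0])
    raise ValueError(f'unknown formula {op}')


def index(w, M, e):
    """Bounds check shared by x := M[e] and M[e] := e2; out of range is ⊗."""
    H, i = w[M], eval_expr(w, e)
    if not 0 <= i < len(H):
        raise Unsafe(f'{M}[{i}] out of bounds, |{M}| = {len(H)}')
    return H, i


def run(w, alpha, fuel=10_000):
    """Return v with w[[alpha]]v, None if there is no poststate, and raise
    Unsafe for w[[alpha]]⊗. Loops are unfolded at most `fuel` times (while^n)."""
    op = alpha[0]
    if op == 'skip':
        return w
    if op == ';':
        u = run(w, alpha[1], fuel)
        return None if u is None else run(u, alpha[2], fuel)
    if op == ':=':
        return {**w, alpha[1]: eval_expr(w, alpha[2])}
    if op == 'if':
        return run(w, alpha[2] if holds(w, alpha[1]) else alpha[3], fuel)
    if op == 'while':
        for _ in range(fuel):
            if not holds(w, alpha[1]):
                return w
            w = run(w, alpha[2], fuel)
            if w is None:
                return None
        raise RuntimeError('fuel exhausted: bounded unfolding is inconclusive')
    if op == 'test':                           # failing test: no poststate, never ⊗
        return w if holds(w, alpha[1]) else None
    if op == 'assert':                         # failing assert: ⊗
        if holds(w, alpha[1]):
            return w
        raise Unsafe('assert failed')
    if op == 'divides':                        # x := divides e1 e2
        a, b = eval_expr(w, alpha[2]), eval_expr(w, alpha[3])
        if b == 0:
            raise Unsafe('division by zero')
        return {**w, alpha[1]: a // b}
    if op == 'alloc':                          # M := alloc e; contents are some H
        n = eval_expr(w, alpha[2])
        if n < 0:
            raise Unsafe('alloc with negative size')
        return {**w, alpha[1]: [random.randrange(-9, 10) for _ in range(n)]}
    if op == 'read':                           # x := M[e]
        H, i = index(w, alpha[2], alpha[3])
        return {**w, alpha[1]: H[i]}
    if op == 'write':                          # M[e1] := e2
        H, i = index(w, alpha[1], alpha[2])
        return {**w, alpha[1]: H[:i] + [eval_expr(w, alpha[3])] + H[i + 1:]}
    raise ValueError(f'unknown program {op}')


def is_safe(w, alpha):
    """w ⊨ [alpha]⊤ in this model: ⊗ is not reachable from w."""
    try:
        run(w, alpha)
        return True
    except Unsafe:
        return False


def zero_fill(guard):
    """Constructed program: M := alloc n; i := 0; while (i guard n) (M[i] := 0; i := i + 1)."""
    return (';', ('alloc', 'M', 'n'),
            (';', (':=', 'i', 0),
                  ('while', (guard, 'i', 'n'),
                            (';', ('write', 'M', 'i', 0), (':=', 'i', ('+', 'i', 1))))))


ZERO_FILL = zero_fill('<')     # safe whenever n >= 0
OFF_BY_ONE = zero_fill('<=')   # guard i <= n writes M[n] with |M| = n, i.e. ⊗
```

`is_safe({'n': 3}, ZERO_FILL)` is True while `is_safe({'n': 3}, OFF_BY_ONE)` and `is_safe({'n': -1}, ZERO_FILL)` are False: the first reaches \otimes through the out-of-bounds write, the second through alloc of a negative size, which is exactly what the \otimes cases above say. The model is deterministic apart from the alloc contents, so a single run decides [\alpha]\top; for a nondeterministic program all runs would have to be explored. A loop that outruns `fuel` raises RuntimeError rather than returning a verdict, mirroring the fact that bounded unfolding (while^n) can only ever show safety up to n iterations.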

Formula Semantics

\alpha is safe \iff [\alpha]\top

$$ \begin{array}{lll}
\omega \models \top & \text{iff} & \top \\
\omega \models \bot & \text{iff} & \bot \\
\omega \models e_1 \le e_2 & \text{iff} & \omega\llbracket e_1 \rrbracket \le \omega\llbracket e_2 \rrbracket \\
\omega \models e_1 = e_2 & \text{iff} & \omega\llbracket e_1 \rrbracket = \omega\llbracket e_2 \rrbracket \\
\omega \models P \land Q & \text{iff} & \omega \models P \text{ and } \omega \models Q \\
\omega \models P \lor Q & \text{iff} & \omega \models P \text{ or } \omega \models Q \\
\omega \models P \rightarrow Q & \text{iff} & \omega \models P \text{ implies } \omega \models Q \\
\omega \models \neg P & \text{iff} & \omega \not\models P \\
\omega \models P \leftrightarrow Q & \text{iff} & \omega \models P \text{ iff } \omega \models Q \\
\omega \models \forall x.P(x) & \text{iff} & \omega[x \mapsto c] \models P(x) \text{ for every } c \in \mathbb{Z} \text{ (the current value of } x \text{ is irrelevant: } x \text{ is rebound)} \\
\omega \models \exists x.P(x) & \text{iff} & \omega[x \mapsto c] \models P(x) \text{ for some } c \in \mathbb{Z} \text{ (likewise, the current value of } x \text{ is irrelevant)} \\
\omega \models [\alpha]Q & \text{iff} & \lnot(\omega\llbracket \alpha \rrbracket \otimes) \text{ and } \nu \models Q \text{ for every } \nu \text{ with } \omega\llbracket \alpha \rrbracket \nu \text{ (requires } \alpha \text{ to be safe; holds vacuously when } \alpha \text{ never terminates)} \\
\omega \models \langle \alpha \rangle Q & \text{iff} & \text{there is a } \nu \text{ with } \omega\llbracket \alpha \rrbracket \nu \text{ and } \nu \models Q \text{ (one witness run suffices, even for a nondeterministic } \alpha \text{; no safety requirement)}
\end{array} $$

Axioms

\begin{aligned}
&[:=]A && [x := e]Q(x) \iff \forall x'.(x' = e \rightarrow Q(x')) \quad (x' \text{ not in } e \text{ or } Q(x)) \\
&[:=]A && [x := c]Q(x) \iff Q(c) \quad (c \text{ a constant, so it can be substituted directly}) \\
&[;]A && [\alpha;\beta]Q \iff [\alpha]([\beta]Q) \\
&[\textbf{ if }]A && [\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]Q \iff (P \rightarrow [\alpha]Q) \land (\neg P \rightarrow [\beta]Q) \\
&[\textbf{ test }] && [\textbf{ test } P]Q \iff (P \rightarrow Q) \\
&[\textbf{ assert }] && [\textbf{ assert } P]Q \iff (P \land Q) \\
&[\textbf{ unfold }]A && [\textbf{ while } P \ \alpha]Q \iff (P \rightarrow [\alpha][\textbf{ while } P \ \alpha]Q) \land (\neg P \rightarrow Q) \\
&[\textbf{ divides }]A && [x := \textbf{ divides } e_1 \ e_2]Q(x) \iff \lnot(e_2 = 0) \land \forall x'.(x' = e_1 / e_2 \rightarrow Q(x')) \\
&[H]eq && (\forall i.\,H(i) = H'(i)) \land |H| = |H'| \rightarrow H = H' \\
&[\textbf{ write }]|H| && |\textbf{ write } H \ i \ a| = |H| \\
& && i = k \rightarrow \textbf{ read }(\textbf{ write } H \ i \ a) \ k = a \\
& && i \neq k \rightarrow \textbf{ read }(\textbf{ write } H \ i \ a) \ k = \textbf{ read } H \ k
\end{aligned}

Rules

\begin{align*}
\frac{\Gamma \vdash F, \Delta}{\Gamma, \neg F \vdash \Delta} \neg L \qquad& \frac{\Gamma, F \vdash \Delta}{\Gamma \vdash \neg F, \Delta} \neg R \\
\frac{\Gamma, F, G \vdash \Delta}{\Gamma, F \land G \vdash \Delta} \land L \qquad& \frac{\Gamma \vdash F, \Delta \quad \Gamma \vdash G, \Delta}{\Gamma \vdash F \land G, \Delta} \land R \\
\frac{}{\Gamma, F \vdash F, \Delta} \text{id} \qquad& \\
\frac{\Gamma \vdash F, \Delta \quad \Gamma, G \vdash \Delta}{\Gamma, F \to G \vdash \Delta} \to L \qquad& \frac{\Gamma, F \vdash G, \Delta}{\Gamma \vdash F \to G, \Delta} \to R \\
\frac{\Gamma, F \vdash \Delta \quad \Gamma, G \vdash \Delta}{\Gamma, F \lor G \vdash \Delta} \lor L \qquad& \frac{\Gamma \vdash F, G, \Delta}{\Gamma \vdash F \lor G, \Delta} \lor R \\
\frac{\Gamma, [\alpha]([\beta]Q) \vdash \Delta}{\Gamma, [\alpha;\beta]Q \vdash \Delta} [;]L \qquad& \frac{\Gamma \vdash [\alpha]([\beta]Q), \Delta}{\Gamma \vdash [\alpha;\beta]Q, \Delta} [;]R \\
\frac{\Gamma, P, [\alpha]Q \vdash \Delta \quad \Gamma, [\beta]Q \vdash P, \Delta}{\Gamma, [\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]Q \vdash \Delta} [\textbf{ if }]L \qquad& \frac{\Gamma, P \vdash [\alpha]Q, \Delta \quad \Gamma \vdash P, [\beta]Q, \Delta}{\Gamma \vdash [\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]Q, \Delta} [\textbf{ if }]R \\
\frac{\Gamma, \forall x.P(x), x' = e, P(x') \vdash \Delta}{\Gamma, \forall x.P(x) \vdash \Delta} \forall L^{x'} \qquad& \frac{\Gamma \vdash P(x'), \Delta}{\Gamma \vdash \forall x.P(x), \Delta} \forall R^{x'} \\
\frac{\Gamma, x' = e, Q(x') \vdash \Delta}{\Gamma, [x := e]Q(x) \vdash \Delta} [:=]L^{x'} \qquad& \frac{\Gamma, x' = e \vdash Q(x'), \Delta}{\Gamma \vdash [x := e]Q(x), \Delta} [:=]R^{x'} \\
\frac{\Gamma \vdash P, \Delta \quad \Gamma, Q \vdash \Delta}{\Gamma, [\textbf{ test } P]Q \vdash \Delta} [\textbf{ test }]L \qquad& \frac{\Gamma, P \vdash Q, \Delta}{\Gamma \vdash [\textbf{ test } P]Q, \Delta} [\textbf{ test }]R \\
\frac{\Gamma, P, Q \vdash \Delta}{\Gamma, [\textbf{ assert } P]Q \vdash \Delta} [\textbf{ assert }]L \qquad& \frac{\Gamma \vdash P \land Q, \Delta}{\Gamma \vdash [\textbf{ assert } P]Q, \Delta} [\textbf{ assert }]R \\
& \frac{\Gamma \vdash J, \Delta \quad J, P \vdash [\alpha]J \quad J, \lnot P \vdash Q}{\Gamma \vdash [\textbf{ while }_J P \ \alpha]Q, \Delta} [\textbf{ while }_J]R \\
\frac{\Gamma, P \vdash [\alpha]([\textbf{ while }^n P \ \alpha]Q), \Delta \quad \Gamma, \lnot P \vdash Q, \Delta}{\Gamma \vdash [\textbf{ while }^{n+1} P \ \alpha]Q, \Delta} \text{unfold}^{n+1} \qquad& \frac{\Gamma \vdash Q, \Delta}{\Gamma \vdash [\textbf{ while }^0 P \ \alpha]Q, \Delta} \text{unfold}^0 \\
& \frac{\Gamma \vdash \lnot(e_2 = 0), \Delta \quad \Gamma, x' = e_1 / e_2 \vdash Q(x'), \Delta}{\Gamma \vdash [x := \textbf{ divides } e_1 \ e_2]Q(x), \Delta} [\textbf{ divides }]R^{x'}
\end{align*}

In the rules marked with a superscript x', the variable x' is fresh: it does not occur in the conclusion (the same side condition as in the [:=]A axiom). Note that [\textbf{ while }_J]R drops \Gamma and \Delta in its second and third premises: the invariant J alone must carry the step and the exit.

Reading an uninitialized memory cell is indeterminate (the value is unconstrained by \textbf{ alloc }, so nothing can be proved about it) but safe: \textbf{ alloc } only requires a non-negative size, and an in-bounds read never reaches \otimes.

Proof Technique

To prove

P \to [\textbf{ while } Q \ \alpha]R

we need to pick an invariant S and then, using the [\textbf{ while }_J]R rule with J = S, discharge three premises: P \to S (S holds on entry), S \land Q \to [\alpha]S (every iteration preserves S, which includes showing \alpha is safe under S \land Q), and S \land \lnot Q \to R (S on exit gives the postcondition).

Safety

Unsafe Program: a program with undefined behavior, i.e. one that can reach \otimes. In this situation all safety properties are considered violated.

Safe Program: No unsafe operation. A safe program can be indeterminate.

Indeterminate Expression: the specific outcome of the expression is up to the implementation (e.g. order of evaluation in C). Indeterminate is not unsafe: the expression has some value, we just cannot say which.

In dynamic logic, we do not have predicate that express whether a program is safe. But formulas can imply safety.

We define that if a program is unsafe, then we cannot prove even the trivially true postcondition \top for it. This is convenient: to prove that a program a is safe given formula P, we just need to prove:

P \to [a]\top
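A worked safety proof, added here as an example (it is not part of the lecture), that combines the invariant technique above with the P \to [a]\top formulation of safety. The program \alpha (allocate n cells and zero them in a loop) and the invariant J are constructed for illustration; the steps use only the axioms, rules and semantics given on this page.

$$ \begin{aligned}
&\alpha \;\equiv\; M := \textbf{ alloc } n;\ i := 0;\ \textbf{ while }_J\ (i < n)\ (M[i] := 0;\ i := i + 1) \qquad J \;\equiv\; 0 \le i \land i \le n \land |M| = n \\[4pt]
&\text{Goal:}\quad n \ge 0 \vdash [\alpha]\top \\[4pt]
&\text{1. } [;]R \text{ twice:}\quad n \ge 0 \vdash [M := \textbf{ alloc } n]\,[i := 0]\,[\textbf{ while }_J\ (i < n)\ (M[i] := 0;\ i := i + 1)]\top \\
&\text{2. Semantics of } \textbf{alloc}\text{: } n \ge 0 \text{ excludes } \otimes, \text{ and every poststate satisfies } |M| = n: \\
&\qquad n \ge 0,\ |M| = n \vdash [i := 0]\,[\textbf{ while }_J\ (i < n)\ (M[i] := 0;\ i := i + 1)]\top \\
&\text{3. } [:=]R^{i'} \text{ (writing } i \text{ for the fresh } i' \text{ from here on):}\quad n \ge 0,\ |M| = n,\ i = 0 \vdash [\textbf{ while }_J\ (i < n)\ (M[i] := 0;\ i := i + 1)]\top \\
&\text{4. } [\textbf{ while }_J]R \text{ leaves three premises:} \\
&\quad\text{(a) entry:}\quad n \ge 0,\ |M| = n,\ i = 0 \vdash J \qquad \text{(arithmetic: } 0 \le 0 \le n) \\
&\quad\text{(b) step:}\quad J,\ i < n \vdash [M[i] := 0]\,[i := i + 1]\,J \qquad \text{(after } [;]R) \\
&\qquad\text{semantics of } M[i] := 0\text{: safe because } 0 \le i < n = |M|\text{; the poststate has } M' = \textbf{write } M\ i\ 0, \text{ so } |M'| = |M| = n \text{ by } [\textbf{ write }]|H| \\
&\qquad\text{then } [:=]R^{i'}\text{:}\quad 0 \le i < n,\ |M'| = n,\ i' = i + 1 \vdash 0 \le i' \land i' \le n \land |M'| = n \qquad \text{(arithmetic)} \\
&\quad\text{(c) exit:}\quad J,\ \lnot(i < n) \vdash \top \qquad \text{(trivial)} \\[4pt]
&\text{With the guard } i \le n \text{ instead, premise (b) fails at } i = n\text{: the write would need } n < |M| = n, \text{ so } \otimes \text{ is reachable and } [\alpha]\top \text{ is false.}
\end{aligned} $$

The point of the last line is the security-relevant one: the off-by-one loop is not rejected because some postcondition fails, but because the step premise cannot show the write is in bounds, which is precisely the bounds check that the \otimes case of M[e_1] := e_2 encodes.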

// QUESTION: what is the meaning of \cdot? Do they have different meanings on the left and on the right? // QUESTION: we know that if a program is unsafe, then P - False, but what about looping forever (I did the proof myself: a trivial loop forever is safe because skip is safe)? Can we prove the safety of a program that loops forever? Or if you don't know that it loops forever? Do we know the safety of a program trying to calculate P=NP (yes, by proving that every individual iteration is safe)?
