"Indet. Exp." is not allowed in "Program", but is ok in "Formula" and "Expression". An "Expression" that uses an "Indet. Exp." becomes an "Indet. Exp." itself.
Notations
State[[Expression/Memory]]: evaluation. We evaluate the Expression or Memory (second argument) in the state (first argument). The resulting type is a State.
State[[Program]]State: prestate (first argument) and poststate (final argument) related by the program (middle argument). The resulting type is a Statement.
State \models Formula: the Formula (second argument) is true in the State (first argument). The resulting type is a Statement.
\cdot[\cdot \mapsto \cdot]: we take a state (first argument) and make an expression (second argument) map to a constant value (third argument). The resulting type is an updated state.
[\alpha]Q (pronounced “box alpha Q”) is true in a prestate w if the formula Q is true in every poststate v we can reach by executing program \alpha:
w \models [\alpha]Q \text{ iff } (\lnot ( w[[\alpha]] \otimes)) \land (\forall v)(w[[\alpha]]v \implies v \models Q)
\langle \alpha \rangle Q (pronounced “diamond alpha Q”) is true in a state w if there is a poststate v we can reach by executing \alpha in which Q is true:
$$
\begin{array}{lcl}
\omega \models \langle \alpha \rangle Q & \text{iff} & \text{there is a } \nu \text{ with } \omega\llbracket \alpha \rrbracket \nu \text{ and } \nu \models Q \text{ (allows non-determinism)}
\end{array}
$$
Axioms
\begin{aligned}
&[:=]A && [x := e]Q(x) \iff \forall x'.x' = e \rightarrow Q(x') \quad (x' \text{ not in } e \text{ or } Q(x)) \\
&[:=]A && [x := c]Q(x) \iff x = c \to Q(x) \\
&[;]A && [\alpha ; \beta]Q \iff [\alpha]([\beta]Q) \\
&[\textbf{ if }]A && [\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]Q \iff (P \rightarrow [\alpha]Q) \wedge (\neg P \rightarrow [\beta]Q) \\
&[\textbf{ test }]A && [\textbf{ test } P] Q \iff (P \to Q)\\
&[\textbf{ assert }]A && [\textbf{ assert } P] Q \iff (P \land Q)\\
&[\textbf{ unfold }]A && [\textbf{ while } P \ \alpha]Q \iff (P \rightarrow [\alpha][\textbf{ while } P \ \alpha]Q) \wedge (\neg P \rightarrow Q)\\
&[\textbf{ divides }]A && [x := \textbf{ divides } e_1 \ e_2] Q(x) \iff \forall x'. \lnot (e_2 = 0) \land x' = e_1 / e_2 \rightarrow Q(x')\\
&[H]eq && (\forall i.H(i) = H'(i)) \land |H| = |H'| \implies H = H'\\
&[\textbf{ write }]|H| && |\textbf{ write } H \ i \ a| = |H|\\
& &&i = k \implies \textbf{ read }(\textbf{ write } H \ i \ a) \ k = a\\
& &&i \neq k \implies \textbf{ read }(\textbf{ write } H \ i \ a) \ k = \textbf{ read } H \ k\\
\end{aligned}
Rules
\begin{align*}
\frac{\Gamma \vdash F, \Delta}{\Gamma, \neg F \vdash \Delta} \neg L\qquad&
\frac{\Gamma, F \vdash \Delta}{\Gamma \vdash \neg F, \Delta} \neg R\\
\frac{\Gamma, F, G \vdash H, \Delta}{\Gamma, F \land G \vdash H, \Delta} \land L\qquad&
\frac{\Gamma \vdash F, \Delta \quad \Gamma \vdash G, \Delta}{\Gamma \vdash F \land G, \Delta} \land R\\
\frac{}{\Gamma, F \vdash F, \Delta} \text{id}\qquad&\\
\frac{\Gamma \vdash F, \Delta \quad \Gamma, G \vdash H, \Delta}{\Gamma, F \to G \vdash H, \Delta} \to L\qquad&
\frac{\Gamma, F \vdash G, \Delta}{\Gamma \vdash F \to G, \Delta} \to R\\
\frac{\Gamma, F \vdash \Delta \quad \Gamma, G \vdash \Delta}{\Gamma, F \vee G \vdash \Delta} \lor L\qquad&
\frac{\Gamma \vdash F, G, \Delta}{\Gamma \vdash F \lor G, \Delta} \lor R\\
\frac{\Gamma, [\alpha]([\beta]Q) \vdash \Delta}{\Gamma, [\alpha; \beta]Q \vdash \Delta}[;]L\qquad&
\frac{\Gamma \vdash [\alpha]([\beta]Q), \Delta}{\Gamma \vdash [\alpha; \beta]Q, \Delta}[;]R\\
\frac{\Gamma, P, [\alpha]Q \vdash \Delta \quad \Gamma, [\beta]Q \vdash P, \Delta}{\Gamma, [\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]Q \vdash \Delta} [\textbf{ if }]L\qquad&
\frac{\Gamma, P \vdash [\alpha]Q, \Delta \quad \Gamma \vdash P, [\beta] Q, \Delta}{\Gamma \vdash [\textbf{ if } P \textbf{ then } \alpha \textbf{ else } \beta]Q, \Delta} [\textbf{ if }]R\\
\frac{\Gamma, \forall x . P(x), x' = e, P(x') \vdash \Delta}{\Gamma, \forall x . P(x) \vdash \Delta} \forall L^{x'}\qquad&
\frac{\Gamma \vdash P(x'), \Delta}{\Gamma \vdash \forall x.P(x), \Delta} \forall R^{x'}\\
\frac{\Gamma, x' = e, Q(x') \vdash \Delta}{\Gamma, [x := e]Q(x) \vdash \Delta}[:=]L^{x'}\qquad&
\frac{\Gamma, x' = e \vdash Q(x'), \Delta}{\Gamma \vdash [x := e] Q(x), \Delta} [:=]R^{x'}\\
\frac{\Gamma \vdash P, \Delta \quad \Gamma, Q \vdash \Delta}{\Gamma, [\textbf{ test } P] Q \vdash \Delta} [\textbf{ test }]L\qquad&
\frac{\Gamma, P \vdash Q, \Delta}{\Gamma \vdash [\textbf{ test } P] Q, \Delta} [\textbf{ test }]R\\
\frac{\Gamma, P, Q \vdash \Delta}{\Gamma, [\textbf{ assert } P] Q \vdash \Delta} [\textbf{ assert }]L\qquad&
\frac{\Gamma \vdash (P \land Q), \Delta}{\Gamma \vdash [\textbf{ assert } P] Q, \Delta} [\textbf{ assert }]R\\
\qquad&
\frac{\Gamma \vdash J, \Delta \quad J, P \vdash [\alpha]J \quad J, \lnot P \vdash Q}{\Gamma \vdash [\textbf{ while }_J P \ \alpha] Q, \Delta} [\textbf{ while }_J]R\\
\frac{\Gamma, P \vdash [\alpha]([\textbf{ while }^n P \ \alpha]Q), \Delta \quad \Gamma, \lnot P \vdash Q, \Delta}{\Gamma \vdash [\textbf{ while }^{n + 1} P \ \alpha]Q, \Delta} \text{unfold}^{n + 1}\qquad&
\frac{\Gamma \vdash Q, \Delta}{\Gamma \vdash [\textbf{ while }^0 P \ \alpha]Q, \Delta} \text{unfold}^0\\
\qquad&
\frac{\Gamma \vdash \lnot (e_2 = 0), \Delta \quad \Gamma, x' = e_1 / e_2 \vdash Q(x'), \Delta}{\Gamma \vdash [x := \textbf{ divides } e_1 \ e_2] Q(x), \Delta} [\textbf{ divides }]R^{x'}\\
\end{align*}
Reading uninitialized memory is indeterminate (we can't prove anything) but safe.
Proof Technique
To prove
P \to [\textbf{ while }(Q) \alpha]R
we need to pick an invariant S such that:
True initially: P \vdash S
Preserved: S, Q \vdash [\alpha]S
Postcondition: S, \lnot Q \vdash R
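As an added worked example (not part of the original notes), the [\textbf{ while }_J]R rule and the three obligations above applied to a program that counts x down to zero, with invariant S := x \geq 0; x is assumed to range over the integers.

$$
\begin{aligned}
&\text{Goal:} && x \geq 0 \vdash [\textbf{ while }_{x \geq 0}\ (x > 0)\ \ x := x - 1]\ (x = 0)\\
&\text{True initially:} && x \geq 0 \vdash x \geq 0 && \text{(closed by id)}\\
&\text{Preserved:} && x \geq 0, x > 0 \vdash [x := x - 1](x \geq 0)\\
& && \text{by } [:=]R^{x'}: \quad x \geq 0, x > 0, x' = x - 1 \vdash x' \geq 0 && \text{(integer arithmetic)}\\
&\text{Postcondition:} && x \geq 0, \lnot (x > 0) \vdash x = 0 && \text{(integer arithmetic)}
\end{aligned}
$$

In the rule as written the second and third premises do not carry \Gamma, so every fact the loop body or the postcondition needs must be folded into the invariant.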
Safety
Unsafe Program: a program with undefined behavior. In this situation, all safety properties are considered violated.
Safe Program: no unsafe operation. A safe program can still be indeterminate.
Indeterminate Expression: the specific outcome of the expression is up to the implementation (e.g. order of evaluation in C).
In dynamic logic, we do not have a predicate that expresses whether a program is safe, but formulas can imply safety.
We define that if a program is unsafe, then we cannot prove even the trivially true proposition \top. This is convenient: to prove that a program a is safe given formula P, we just need to prove:
P \to [a]\top
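Added example (not from the original notes): proving safety of a single division a := (x := \textbf{ divides } 1 \ y) under the precondition P := \lnot (y = 0), using \to R and [\textbf{ divides }]R^{x'}.

$$
\begin{aligned}
&\text{Goal:} && \vdash \lnot (y = 0) \to [x := \textbf{ divides } 1 \ y]\top\\
&\to R: && \lnot (y = 0) \vdash [x := \textbf{ divides } 1 \ y]\top\\
&[\textbf{ divides }]R^{x'}\text{, premise 1:} && \lnot (y = 0) \vdash \lnot (y = 0) && \text{(closed by id)}\\
&[\textbf{ divides }]R^{x'}\text{, premise 2:} && \lnot (y = 0), x' = 1 / y \vdash \top && \text{(\top holds in any sequent)}
\end{aligned}
$$

Without the precondition the first premise would be \vdash \lnot (y = 0), which is not provable, so [x := \textbf{ divides } 1 \ y]\top cannot be established: the unguarded division is exactly the unsafe case the definition above rejects.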
// QUESTION: what is the meaning of \cdot? Do they have different meanings on the left and on the right?
// QUESTION: we know that if a program is unsafe, then P - False; what about looping forever (I did the proof myself: a trivial loop forever is safe because skip is safe)? Can we prove the safety of a program that loops forever? Or if you don't know whether it loops forever? Do we know the safety of a program trying to calculate P=NP (yes, by proving every individual iteration is safe)?