Lecture notes 20190531

More Semantics 4 Termination

Require Import Coq.Relations.Relation_Operators.
Require Import Coq.Relations.Relation_Definitions.
Require Export Coq.ZArith.ZArith.
Require Export Coq.Strings.String.
Require Export Coq.Logic.Classical.

Arguments clos_refl_trans {A} _ _ _.
Arguments clos_refl_trans_1n {A} _ _ _.
Arguments clos_refl_trans_n₁ {A} _ _ _.

Open Scope Z.

Termination

We have already learnt 3 different program semantics in this course: axiomatic semantics, denotational semantics and small step semantics.

For denotational semantics, we define ceval to describe how a program behave. Given starting state st₁, a program c will terminate if there is a state st₂ such that ceval c st₁ st₂ holds.

For small step semantics, we define cstep to describe what will be the next step and we call its reflexive and transitive closure multi_cstep. Given starting state st₁, a program c will terminate if there is a state st₂ such that multi_cstep (c, st₁) (CSkip, st₂).

But you may notice that Hoare logic can not yet be used to reason about termination. That is our main topic today.

Total Correctness

Hoare rules that only talk about what happens when commands terminate (without proving that they do) are often said to describe a logic of partial correctness. It is also possible to give Hoare rules for total correctness, which build in the fact that the commands terminate. We mainly focused on partial correctness in this course but we will briefly introduce total correctness today.

Unchanged rules

The following rules are not changed:

Axiom hoare_skip : ∀P,
  {{P}} Skip {{P}}.

Axiom hoare_seq : ∀(P Q R: Assertion) (c₁ c₂: com),
  {{P}} c₁ {{Q}} →
  {{Q}} c₂ {{R}} →
  {{P}} c₁;;c₂ {{R}}.

Axiom hoare_if : ∀P Q b c₁ c₂,
  {{ P AND [[b]] }} c₁ {{ Q }} →
  {{ P AND NOT [[b]] }} c₂ {{ Q }} →
  {{ P }} If b Then c₁ Else c₂ EndIf {{ Q }}.

Axiom hoare_consequence : ∀(P P' Q Q' : Assertion) c,
  P ⊢ P' →
  {{P'}} c {{Q'}} →
  Q' ⊢ Q →
  {{P}} c {{Q}}.

Axiom hoare_asgn_fwd : ∀P (X: var) E,
  {{ P }}
  X ::= E
  {{ EXISTS x, P [X ⟼ x] AND
               [[X]] == [[ E [X ⟼ x] ]] }}.

Axiom hoare_asgn_bwd : ∀P (X: var) E,
  {{ P [ X ⟼ E] }} X ::= E {{ P }}.

We can check them one by one and see whether they are actually sound.

While loop rule

A while loop might be not terminating even if its loop body always terminates. Thus, original proof rule for partial correctness will not work for total correctness.

Axiom hoare_while_partial : ∀I b c,
{{ I AND [[b]] }} c {{ I }} →
{{ I }} While b Do c EndWhile {{ I AND NOT [[b]] }}.

The following proof rule for total correctness includes not only a loop invariant I but also a loop variant V.

Axiom hoare_while_total : ∀I V b c,
  (∀T:Z,
    {{ I AND [[b]] AND V == T }} c {{ I AND 0 ≤ V AND V < T }}) →
  {{ I }} While b Do c EndWhile {{ I AND NOT [[b]] }}.

Here, the loop variable V is a integer term in the assertion language that talks about program variables. This rule says, if the loop variant strictly decreases in every execution of loop body, the loop will always terminate.

Examples

Example 1:

       {{ 0 < [[X]] }}
       While !(X == 0) Do
         X ::= X - 1
       EndWhile
       {{ [[X]] == 0 }}.

Example 2:

    {{ 0 ≤ m }}
    X ::= m;;
    Y ::= p;;
    While !(X == 0) Do
      Y ::= Y - 1;;
      X ::= X - 1
    EndWhile
    {{ [[Y]] - [[X]] == p - m AND [[X]] == 0 }}.

Example 3:

       {{ 0 ≤ m }}
       X ::= m;;
       Y ::= 0;;
       While n ≤ X Do
         X ::= X - n;;
         Y ::= Y + 1
       EndWhile
       {{ n * [[Y]] + [[X]] == m AND 0 ≤ [[X]] AND [[X]] < n }}.

Programs With Addresses And Dereferences

Now, we start to consider programming languages with addresses. In C language, people can use a pointer to represent an address in memory. Suppose E is a C pointer-type expressions, then * E represents the value stored in that address in memory. Moreover, if E talks about the value store on some address, then & E represents that specific address. In the following AST of expressions, we use ADeref E and AAddr E to represent * E and & E.

Definition var: Type := nat.

We assume that the value of variables of 0, 1, ... are stored at address 1, 2, ... etc. Address 0 is for null pointer.

Definition var2addr (X: var): Z := Z.of_nat X + 1.

Program States With Permission

One critical problem of pointer programs is dangling pointer. That is, dereferencing a null pointer is a run time error. For any address that the program has not read/write permission, dereferencing it is a run time error.

Due to this consideration, the definition of program states must talks about permission. Here is a simple approach.

Definition state: Type := Z → option Z.

For a state st and an address p, st p = Some _ means that we have read/write permission of p. Otherwise, st p = None and we do not have read or write permission of it.

Denotational Semantics

Now, we try to write down its denotational semantics. We start from integer expressions.

Module FirstTry_aeval.

Inductive aeval : aexp → state → Z → Prop :=
  | E_ANum n st:
      aeval (ANum n) st n
  | E_AId X st n:
      st (var2addr X) = Some n →
      aeval (AId X) st n
  | E_APlus (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aeval e₁ st n₁)
      (H₂ : aeval e₂ st n₂) :
      aeval (APlus e₁ e₂) st (n₁ + n₂)
  | E_AMinus (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aeval e₁ st n₁)
      (H₂ : aeval e₂ st n₂) :
      aeval (AMinus e₁ e₂) st (n₁ - n₂)
  | E_AMult (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aeval e₁ st n₁)
      (H₂ : aeval e₂ st n₂) :
      aeval (AMult e₁ e₂) st (n₁ * n₂)
  | E_ADeref (e₁: aexp) (n₁ n₂: Z) st
      (H₁ : aeval e₁ st n₁)
      (H₂ : st n₁ = Some n₂) :
      aeval (ADeref e₁) st n₂.

End FirstTry_aeval.

The problem here is that we have no way to talk about AAddr here. Because the value of AAddr E is not depended on E's value but about E's address. Thus, we need to define two evaluation relation mutually inductively.

Inductive aevalR : aexp → state → Z → Prop :=
  | E_ANum n st:
      aevalR (ANum n) st n
  | E_AId X st n:
      st (var2addr X) = Some n →
      aevalR (AId X) st n
  | E_APlus (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂) :
      aevalR (APlus e₁ e₂) st (n₁ + n₂)
  | E_AMinus (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂) :
      aevalR (AMinus e₁ e₂) st (n₁ - n₂)
  | E_AMult (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂) :
      aevalR (AMult e₁ e₂) st (n₁ * n₂)
  | E_ADeref (e₁: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : st n₁ = Some n₂) :
      aevalR (ADeref e₁) st n₂
  | E_AAddre (e₁: aexp) (n₁: Z) st
      (H₁ : aevalL e₁ st n₁):
      aevalR (AAddr e₁) st n₁
with aevalL : aexp → state → Z → Prop :=
  | EA_AId X st:
      aevalL (AId X) st (var2addr X)
  | EA_ADeref (e₁: aexp) (n₁: Z) st
      (H₁ : aevalR e₁ st n₁) :
      aevalL (ADeref e₁) st n₁.

Then, we can easily define bexp's denotations.

Inductive beval : bexp → state → bool → Prop :=
  | E_BTrue st:
      beval BTrue st true
  | E_BFalse st:
      beval BFalse st false
  | E_BEqTrue (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ = n₂) :
      beval (BEq e₁ e₂) st true
  | E_BEqFalse (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ ≠ n₂) :
      beval (BEq e₁ e₂) st false
  | E_BLeTrue (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ < n₂) :
      beval (BLe e₁ e₂) st true
  | E_BLeFalse (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ ≥ n₂) :
      beval (BLe e₁ e₂) st false
  | E_BNot (e: bexp) (b: bool) st
      (H₁ : beval e st b):
      beval (BNot e) st (negb b)
  | E_BAnd (e₁ e₂: bexp) (b₁ b₂: bool) st
      (H₁ : beval e₁ st b₁)
      (H₂ : beval e₂ st b₂):
      beval (BAnd e₁ e₂) st (andb b₁ b₂).

(* Sat Jun 8 04:35:31 UTC 2019 *)