Separation Logic for Recursive Procedures
Mahmudul Faisal Al Ameen
Doctor of Philosophy
Department of Informatics
School of Multidisciplinary Sciences
SOKENDAI (The Graduate University for
Advanced Studies)
Tokyo, Japan
September

the Department of Informatics, School of Multidisciplinary Sciences, SOKENDAI (The Graduate University for Advanced Studies), in partial fulfillment of the requirements for the degree of Doctor of Philosophy
Review Committee
Makoto TATSUTA, National Institute of Informatics, SOKENDAI
Zhenjiang HU, National Institute of Informatics, SOKENDAI
Makoto KANAZAWA, National Institute of Informatics, SOKENDAI
Shin Nakajima, National Institute of Informatics, SOKENDAI
Yukiyoshi Kameyama, University of Tsukuba
SOKENDAI (The Graduate University for Advanced Studies)

Abstract

Completeness of Verification System with Separation Logic for Recursive Procedures
The contributions of this dissertation are two results: the first result gives a new complete Hoare's logic system for recursive procedures, and the second result proves the completeness of the verification system based on Hoare's logic and separation logic for recursive procedures. The first result is a complete verification system for reasoning about WHILE programs with recursive procedures that can be extended to separation logic. To obtain it, this work introduces two new inference rules, shows derivability of an inference rule and removes other redundant inference rules and an unsound axiom for showing completeness. The second result is a complete verification system, which is an extension of Hoare's logic and separation logic for mutual recursive procedures. To obtain the second result, the language of WHILE programs with recursive procedures is extended with commands to allocate, access, mutate and deallocate shared resources, and the logical system from the first result is extended with the backward reasoning rules of Hoare's logic and separation logic. Moreover, it is shown that the assertion language of separation logic is expressive relative to the programs. It also introduces a novel expression that is used to describe the complete information of a given state in a precondition. In addition, this work uses the necessary and sufficient precondition of a program for abort-free execution, which enables the strongest postconditions to be utilized.
Acknowledgments

I wish to express my deepest gratitude to my advisor, Prof. Makoto Tatsuta, for giving me the opportunity, pre-admission support and recommendations to study in SOKENDAI with an NII scholarship. His guidance with extreme patience is the key driving force for my today's success. His support not only encouraged but also nourished me these last six years. Without his sincere efforts, I could not be in today's position. His lessons helped me realize the rigid nature of mathematics and logic.

I am very grateful to my co-supervisor Asst. Prof. Makoto Kanazawa for being one of the most important supporting forces for my work. His suggestions at the logic seminars have been a very good basis for elaborating and structuring my research; he gave me enough feedback to mature my ideas while always pointing me to interesting directions.

I would like to thank Prof. Zhenjiang Hu for providing valuable remarks, allowing me to improve the papers' drafts and clarify my arguments. He has shown me a very important horizon of program composition that enabled me to realize programs as mathematical objects. His care and support especially kept me optimistic in my hard times.

Valuable review and suggestions made by Prof. Shin Nakajima of SOKENDAI and Prof. Yukiyoshi Kameyama of University of Tsukuba helped me to enhance and fine tune the dissertation. I am very grateful to them.

I am grateful to Prof. Kazushige Terui for his suggestions and support in the early

I would like to express my sincere appreciation to Dr. Daisuke Kimura for giving me long-time support as an elder brother. I am indebted to Dr. Takayuki Koai for his sincere most effort to make my life easy in Japan. On different occasions, their academic tutoring, as well as mental support, are never to be forgotten. Their explanation of several basic and advanced topics often made me understand difficult mathematical topics in an easy way. Special thanks to Dr. Kazuhiro Inaba for an important criticism to show a gap in one of my earlier solutions. Dr. Kazuyuki Asada's advice and Mr. Toshihiko Uchida's friendly support also helped me to reach this position. I am very grateful to all of them. Moreover, I thank Mr. Koike Atsushi for sharing his LaTeX class file, based on which the class file for this dissertation is prepared.

I thank National Institute of Informatics for providing me the necessary financial and resource support. Further, I also thank NII officials at the student support section for their administrative assistance.

I owe to Prof. Dr. Shorif Uddin for driving me and directly helping me to apply to NII for the doctoral study. I also thank Dr. Zahed Hasan and Mr. Enayetur Rahman for their contributions in my life and research career.

Finally, I thank my parents for their love, sacrifices, long patience and endless encouragement. I thank my wife for her invaluable and direct care and support in the final year. I also thank my sister, relatives and friends for their great mental support that helped me to handle the challenging research situations.
Contents

1 Introduction
    1.1 Motivation
    1.2 Main Contribution
    1.3 Outline of This Paper
2 Background
    2.1 Hoare's Logic for Recursive Procedures
    2.2 Separation Logic
3 New Complete System of Hoare's Logic with Recursive Procedures
    3.1 Language
    3.2 Semantics
    3.3 Logical System
    3.4 Completeness
4 Separation Logic for Recursive Procedures
    4.1 Language
    4.2 Semantics
    4.3 Logical System
5 Soundness and Completeness
    5.1 Soundness
    5.2 Expressiveness
6 Admissibility of Frame Rules
    6.1 Frame Rules
    6.2 Conjunction Rule
7 Conclusion
1 Introduction

1.1 Motivation
It is widely accepted that a program needs to be verified to ensure that it is correct. A correct program is guaranteed to perform the given task as expected. It is very important to ensure the safety of mission-critical, medical, spacecraft, nuclear reactor, financial, genetic-engineering and simulator programs. Moreover, everyone desires bug-free programs.

Formal verification is intended to deliver programs which are completely free of bugs or defects. It verifies the source code of a program statically, so formal verification does not depend on the execution of a program. The time required to verify a program depends on neither its runtime and memory complexity nor the magnitude of its inputs. A program is required to be verified only once since verification does not depend on test cases. Hence, formal verification of programs is important to save both time and expenses commercially and for its supremacy theoretically. Among formal verification approaches, model checking and Hoare's logic are prominent. Model checking computes whether a model satisfies a given specification, whereas Hoare's logic shows it for all models by provability [ ].

Since it was proposed by Hoare [ ], numerous works on Hoare's logic have been done [ , , , , ]. Several extensions have also been proposed [ ], among which some attempted to verify programs that access the heap or shared resources. However, until the twenty-first century began, very few of them were simple enough to use. On the other hand, since the development of programming languages like C and C++, the usage of pointers in programs (which are called pointer programs) gained much popularity for their ability to use shared memory and other resources directly and for faster execution. This ability also causes programs to crash because it is difficult to keep track of each memory operation, and it may lead to unsafe heap operations. A program crash occurs when the program tries to access a memory cell that has already been deallocated or when a memory cell is accessed before its allocation. So apparently it became necessary to have an extension of Hoare's logic that can verify such pointer programs. In , Reynolds proposed separation logic [ ]. It was a breakthrough to achieve the ability to verify pointer programs. Especially, it can guarantee safe heap operations of programs. Although recently we can find several works on separation logic [ , ] and its extensions and applications [ , , ], there are few works found to show their completeness [ ]. Tatsuta et al. [ ] show the completeness of the separation logic for pointer programs which is introduced in [ ]. In this paper, we will show the completeness of an extended logical system. Our logical system is intended to verify pointer programs with mutual recursive procedures. Among the several versions of the same inference rules that Reynolds offered in [ ] for separation logic, a concise set of backward reasoning rules has been chosen in [ ]. The latter work in [ ] also offers rigorous mathematical discussions.

The problems regarding the completeness of Hoare's logic, the concept of relative completeness, completeness of Hoare's logic with recursive procedures and many other important topics have been discussed in detail in [ ]. Our work begins with [ ] and [ ].

In modern days, programs are written in segments with procedures, which make the programs shorter in size and logically structured, and increase the reusability of code. So it is important to use both procedures and heap operations (use of shared mutable resources) in a single program. The parameter mechanism is an important part of a procedure, and it enhances the flexibility in programming. However, theoretically, parameterless procedures are simpler to analyze, and it is much easier to extend them with parameters. Moreover, there are different kinds of parameter mechanisms such as call-by-value, call-by-name, and call-by-reference. So verification of pointer programs with parameterless procedures is a significant starting point for verification of programs with different parameter mechanisms. Therefore, it is important to achieve a sound and complete verification system for pointer programs with parameterless procedures first so that it can be extended to different parameter mechanisms later. This is the main motivation of our work.
1.2 Main Contribution

Our goal is to give a relatively complete logical system that can be used for reasoning about pointer programs with mutual recursive procedures. A logical system for software verification is called complete if every true judgment can be derived using that system. It ensures the strength of our system so that no further development is necessary for the logical system. If all true asserted programs are provable in Hoare's system where all true assertions are provided, we call it a relatively complete system. We will show the relative completeness of our system. A language is expressive if the weakest precondition can be defined in the language. We will also show that our language of specification is expressive for our programs. Relative completeness is discussed vastly in [ , ]. In this paper, relative completeness is sometimes paraphrased as completeness when it is not ambiguous.

The main contributions of our paper are as follows:

(1) A new complete logical system for Hoare's logic for recursive procedures [ ].
(2) A new logical system for verification of pointer programs and recursive procedures [ ].
(3) Proving the soundness and the completeness theorems.
(4) Proving that our assertion language is expressive for our programs.
(5) Discussing soundness and admissibility of the frame rules and the conjunction rule in our system.

We know that Hoare's logic with recursive procedures is complete [ ]. We also know that Hoare's logic with separation logic is complete [ ]. But we do not know if Hoare's logic with separation logic for recursive procedures is complete.

To achieve our contributions, we will first construct our logical system by combining the axioms and inference rules of [ ] and [ ]. Then we will prove the expressiveness by coding the states in a similar way to [ ]. At last, we will follow a strategy similar to [ ] to prove the completeness.

Although one may feel it easy to combine these two logical systems to achieve such a complete system, in reality, it is not the case. Now we will discuss some challenges we face to prove its relative completeness.

(1) The axiom (Ax : Invariance Axiom) is defined in [ ] by $\{A\}P\{A\}$ where the free variables of $P$ and $A$ are mutually exclusive, $P$ is a WHILE program with recursive procedures, and $A$ is an assertion in Hoare's logic. It is an essential axiom to show completeness of Hoare's logic, but it is not sound in separation logic.

(2) In the completeness proof of the extension of Hoare's logic for the recursive procedures in [ ], the expression $\vec{x} = \vec{z}$ ($\vec{x}$ are all program variables, and $\vec{z}$ are fresh) is used to describe the complete information of a given state in a precondition. A state in Hoare's logic is only a store, which is a mapping from the set of variables to the set of natural numbers. In separation logic, a state is a pair of a store and a heap. So the same expression cannot be used for a similar purpose for a heap, because the store information may contain variables $x_1, \ldots, x_m$ which are assigned $z_1, \ldots, z_m$ respectively, while the heap information consists of the set of the physical addresses only in the heap and their corresponding values. The vector notation cannot express the general information of the size of the heap and its changes because of allocation and deallocation of memory cells.

(3) Another challenge is to utilize the strongest postcondition of a precondition and a program. In case a program aborts in a state for which the precondition is valid, the strongest postcondition of the precondition and the program does not exist. But utilizing the strongest postcondition is necessary for the completeness proof because the completeness proof of [ ] depends on it.

Now it is necessary to solve these obstacles for the proof of the completeness of our system. That is why it is quite challenging to prove the completeness theorem, which is our principal goal.

The solutions to the challenges stated above are as follows:

(1) We will give an inference rule (Inv-Conj) as an alternative to the axiom (Ax : Invariance Axiom) in [ ]. It will accept a pure assertion which does not have a variable common to the program. We will also give an inference rule (Exists) that is analogous to the existential introduction rule in the first-order predicate calculus. We will show that the inference rule (R : Substitution Rule I) in [ ] is derivable in our system. Since the inference rules (R : Substitution Rule II) and (R : Conjunction Rule) in [ ] are redundant in our system, we will remove them. It gives us the new complete system for Hoare's logic for mutual recursive procedures. We will extend this system with the inference rules in [ ] to give the verification system for pointer programs with mutual recursive procedures. As a result, the set of our axioms and inference rules will be quite different from the union of those of [ ] and [ ].

(2) We will give an appropriate assertion to describe the complete information of a given state in a precondition. Beside the expression $\vec{x} = \vec{z}$ for the store information, we will additionally use the expression $\mathrm{Heap}(x_r)$ for the heap information, where $x_r$ keeps a natural number that is obtained by a coding of the current heap.

(3) For pointer programs, it is difficult to utilize the strongest postcondition because it is impossible to assert a postcondition for $A$ and $P$ where $P$ may abort in a state for which $A$ is true. We use $\{A\}P\{\mathit{True}\}$ as the abort-free condition of $A$ and $P$. For the existence of the strongest postcondition, it is necessary for $\{A\}P\{\mathit{True}\}$ to be true. We will give the necessary and sufficient precondition $W_{P,\mathit{True}}(\vec{x})$ for the fact that the program $P$ will never abort.
1.3 Outline of This Paper

Our background will be presented in Chapter 2. A new complete Hoare's logic for recursive procedures will be given in Chapter 3. It will be extended to a complete system with separation logic in the next chapter. We will define our languages, semantics and the logical system in Chapter 4. In Chapter 5, we will prove the soundness, expressiveness and completeness. Admissibility of some important inference rules in our system will be discussed in Chapter 6. We will conclude in Chapter 7.
2 Background

Hoare introduced an axiomatic method, Hoare's logic, to prove the correctness of programs in [ ]. Floyd's intermediate assertion method was behind the approach of Hoare's logic. Besides its great influence in designing and verifying programs, it has also been used to define the semantics of programming languages.

While Hoare's logic is sound, it is not complete since Peano arithmetic is undecidable. If Hoare's logic contains a proof system of Peano arithmetic, the Hoare's logic becomes undecidable. Cook indicated a way to overcome these difficulties by defining the notion of completeness in [ ]. If there exists an assertion in $L$ that defines the strongest postcondition of $A \in L$ and $P \in \mathcal{P}$, $L$ is said to be expressive relative to $\mathcal{P}$. A proof system for $\mathcal{P}$ and $L$ is complete in the sense of Cook if $L$ is expressive relative to $\mathcal{P}$ and all true assertions are given. Cook also extended Hoare's logic to nonrecursive procedures and proved its completeness in the above sense. Gorelick [ ] extended Cook's work to recursive procedures.

Among many works which extended the approach of Hoare to prove a program correct, some were not useful or were difficult to use. In , Apt presented a survey of various results concerning the approach of Hoare in [ ]. His work emphasized mainly the soundness and completeness issues. He first presented the proof system for WHILE programs along with its soundness, expressiveness, and completeness in the sense of Cook. He then presented the work of Gorelick, the extension of Hoare's logic to recursive procedures. He also presented other extensions such as local variable declarations and procedures with parameters, with corresponding soundness and completeness.
2.1 Hoare's Logic for Recursive Procedures

In this section, we will discuss the verification system for WHILE programs with recursive procedures given in [ ]. Here we will present the language of the WHILE programs with recursive procedures and the assertions, their semantics, a logical system to reason about the programs and the completeness proof. We will extend this proof to pointer programs with recursive procedures later.
2.1.1 Language

The language of assertions in [ ] is the first-order language with equality of Peano arithmetic. Its variables are denoted by $x, y, z, w, \ldots$. Expressions, denoted by $e$, are defined by
\[ e ::= x \mid 0 \mid 1 \mid e + e \mid e \times e. \]
A quantifier-free formula $b$ is defined by
\[ b ::= e = e \mid e < e \mid \neg b \mid b \wedge b \mid b \vee b \mid b \to b. \]
The formulas (of the assertion language), denoted by $A, B, C$, are defined by
\[ A ::= e = e \mid e < e \mid \neg A \mid A \wedge A \mid A \vee A \mid A \to A \mid \forall x A \mid \exists x A. \]
Recursive procedures are denoted by $R$. WHILE programs extended to recursive procedures, denoted by $P, Q$, are defined in [ ] by
\[ P, Q ::= x := e \mid \mathrm{if}\ (b)\ \mathrm{then}\ (P)\ \mathrm{else}\ (P) \mid \mathrm{while}\ (b)\ \mathrm{do}\ (P) \mid P; P \mid \mathrm{skip} \mid R. \]
We assume that procedure $R$ is declared with its body $Q$.

The basic formula of Hoare's logic is composed of three elements. They are two assertions $A$ and $B$ and a program $P$. It is expressed in the form
\[ \{A\}P\{B\} \]
that is also called a correctness formula or an asserted program. Here $A$ and $B$ are called the precondition and the postcondition of the program $P$ respectively. Whenever $A$ is true before the execution of $P$ and the execution terminates, $B$ is true after the execution.
2.1.2 Semantics

States, denoted by $s$, are defined in [ ] as functions from the set of variables $V$ to the set of natural numbers $N$. The semantics of the programming language is defined first by $\llbracket P \rrbracket^-$ for the programs that do not contain procedures, which is a partial function from States to States.

The semantics of assertions is denoted by $\llbracket A \rrbracket_s$, which gives us the truth value of $A$ at the state $s$.

Definition . . The definition of semantics of programs is given below.
\[
\begin{aligned}
\llbracket x := e \rrbracket^-(s) &= s[x := \llbracket e \rrbracket_s], \\
\llbracket \mathrm{if}\ (b)\ \mathrm{then}\ (P_1)\ \mathrm{else}\ (P_2) \rrbracket^-(s) &=
\begin{cases} \llbracket P_1 \rrbracket^-(s) & \text{if } \llbracket b \rrbracket_s = \mathit{True} \\ \llbracket P_2 \rrbracket^-(s) & \text{otherwise,} \end{cases} \\
\llbracket \mathrm{while}\ (b)\ \mathrm{do}\ (P) \rrbracket^-(s) &=
\begin{cases} s & \text{if } \llbracket b \rrbracket_s = \mathit{False} \\ \llbracket \mathrm{while}\ (b)\ \mathrm{do}\ (P) \rrbracket^-(\llbracket P \rrbracket^-(s)) & \text{otherwise,} \end{cases} \\
\llbracket P_1; P_2 \rrbracket^-(s) &= \llbracket P_2 \rrbracket^-(\llbracket P_1 \rrbracket^-(s)), \\
\llbracket \mathrm{skip} \rrbracket^-(s) &= s.
\end{aligned}
\]

In order to define the semantics of programs which include recursive procedures, Apt provided the approximation semantics of programs. He defined a procedure-less program $P^{(n)}$ by induction on $n$:
\[ P^{(0)} = \Omega, \qquad P^{(n+1)} = P[Q^{(n)}/R]. \]
He then defined the semantics of programs by
\[ \llbracket P \rrbracket = \bigcup_{i=0}^{\infty} \llbracket P[Q^{(i)}/R] \rrbracket^-. \]
An asserted program (or a correctness formula) $\{A\}P\{B\}$ is defined to be true if and only if for all states $s, s'$, if $\llbracket A \rrbracket_s = \mathit{True}$ and $\llbracket P \rrbracket(s) = s'$ then $\llbracket B \rrbracket_{s'} = \mathit{True}$.
2.1.3 Logical System

The logical system $H$ given in [ ] consists of the following axioms and inference rules. Here $\Gamma$ is used as a set of asserted programs. A judgment is defined as $\Gamma \vdash \{A\}P\{B\}$. $\mathit{var}(P)$ is defined as all the variables that appear in the execution of $P$.

Ax : Assignment Axiom
\[ \Gamma \vdash \{A[x := e]\}\, x := e\, \{A\} \qquad \text{(assignment)} \]

R : Composition Rule
\[ \frac{\Gamma \vdash \{A\}P_1\{C\} \qquad \Gamma \vdash \{C\}P_2\{B\}}{\Gamma \vdash \{A\}P_1; P_2\{B\}} \qquad \text{(composition)} \]

R : if-then-else Rule
\[ \frac{\Gamma \vdash \{A \wedge b\}P_1\{B\} \qquad \Gamma \vdash \{A \wedge \neg b\}P_2\{B\}}{\Gamma \vdash \{A\}\,\mathrm{if}\ (b)\ \mathrm{then}\ (P_1)\ \mathrm{else}\ (P_2)\,\{B\}} \qquad \text{(if-then-else)} \]

R : while Rule
\[ \frac{\Gamma \vdash \{A \wedge b\}P\{A\}}{\Gamma \vdash \{A\}\,\mathrm{while}\ (b)\ \mathrm{do}\ (P)\,\{A \wedge \neg b\}} \qquad \text{(while)} \]

R : Consequence Rule
\[ \frac{\Gamma \vdash \{A_1\}P\{B_1\}}{\Gamma \vdash \{A\}P\{B\}} \qquad \text{(consequence)} \quad (A \to A_1,\ B_1 \to B \text{ true}) \]

R : Recursion Rule
\[ \frac{\Gamma \cup \{\{A\}R\{B\}\} \vdash \{A\}Q\{B\}}{\Gamma \vdash \{A\}R\{B\}} \qquad \text{(recursion)} \]

Ax : Invariance Axiom
\[ \Gamma \vdash \{A\}R\{A\} \qquad \text{(invariance)} \quad (FV(A) \cap \mathit{var}(R) = \emptyset) \]

R : Substitution Rule I
\[ \frac{\Gamma \vdash \{A\}R\{B\}}{\Gamma \vdash \{A[\vec{z} := \vec{y}]\}R\{B[\vec{z} := \vec{y}]\}} \qquad \text{(substitution I)} \quad (\vec{y}, \vec{z} \notin \mathit{var}(R)) \]

R : Substitution Rule II
\[ \frac{\Gamma \vdash \{A\}R\{B\}}{\Gamma \vdash \{A[\vec{z} := \vec{y}]\}R\{B\}} \qquad \text{(substitution II)} \quad (\vec{z} \notin \mathit{var}(R) \cup FV(B)) \]

R : Conjunction Rule
\[ \frac{\Gamma \vdash \{A\}R\{B\} \qquad \Gamma \vdash \{A'\}R\{C\}}{\Gamma \vdash \{A \wedge A'\}R\{B \wedge C\}} \qquad \text{(conjunction)} \]

An asserted formula $\{A\}\,x := e\,\{A[x := e]\}$ may seem to fit the assignment axiom better. But it does not. For an example like $\{x = l \wedge m = l + 1\}\,x := m\,\{(x = l \wedge m = l + 1)[x := m]\}$, that is $\{x = l \wedge m = l + 1\}\,x := m\,\{m = l \wedge m = l + 1\}$, is not obviously true. Rather $\{(x = m)[x := m]\}\,x := m\,\{x = m\}$, that is $\{m = m\}\,x := m\,\{x = m\}$, is true. The composition rule is similar to the cut rule in concept. When two programs are executed one after another, the postcondition of the former one is the precondition of the latter. The precondition of the former one and the postcondition of the latter one are preserved for the execution of the composition of those two programs. The if-then-else rule comes from the fact that the truth value of $b$ determines the execution of either $P_1$ or $P_2$. The rule itself is very natural. The while rule is a bit tricky. Here $A$ is called a loop invariant, which is an assertion that is preserved before and after the execution of $P$. The truth of $b$ triggers execution of $P$, and naturally the execution terminates only when $b$ is false.

The consequence rule is not an ordinary rule like the others. Here the important fact is that a stronger precondition and a weaker postcondition may replace respectively the precondition and the postcondition of a valid asserted program without affecting its validity. An example may help to understand it better. The asserted program $\{x = l\}\,x := x + 1\,\{x = l + 1\}$ is indeed valid. But from the assignment axiom we may get only $\{(x = l + 1)[x := x + 1]\}\,x := x + 1\,\{x = l + 1\}$, that is $\{x + 1 = l + 1\}\,x := x + 1\,\{x = l + 1\}$. Since $x = l \to x + 1 = l + 1$, with the help of the consequence rule we now finally get $\{x = l\}\,x := x + 1\,\{x = l + 1\}$.

The recursion rule states that if the assumption of a valid asserted program for a recursive procedure gives us a valid asserted program for its body, we can say that the asserted program for the procedure is indeed valid. The invariance axiom confirms that the precondition is preserved in the postcondition if none of its variables is accessed by the execution of a recursive procedure. Substitution rule I allows variable substitution in the assertions of an asserted program if the recursive procedure does not access the substituted and substituting variables. Substitution rule II allows the substitution of only the variables in the precondition if those appear neither in the recursive procedure nor in the postcondition. The conjunction rule allows the preconditions and the postconditions of two asserted programs for the same recursive procedure to be conjoined.
2.1.4 Soundness

In [ ], $\vdash_H \{A\}P\{B\}$ denotes the fact that $\{A\}P\{B\}$ is provable in the logical system $H$, which uses the assumption that all the true assertions are provided (for the consequence rule). In his work, the notion of the truth of an asserted program is introduced, where he chose the standard interpretation of the assertion language with the domain of natural numbers.

Apt called an asserted program valid if it is true under all interpretations. He also called a proof rule sound if for all interpretations it preserves the truth of asserted programs. Since it is easy to prove that the axioms are valid and the proof rules are sound, it can be said that the logical system is proved to be sound by induction on the length of proofs.

His soundness theorem claims that for every asserted program $\{A\}P\{B\}$ in the logical system $H$, if $\vdash_H \{A\}P\{B\}$ is provable under the presence of all true assertions then $\{A\}P\{B\}$ is true.
2.1.5 Completeness in the Sense of Cook

The strongest postcondition of an assertion and a program and the weakest precondition of a program and an assertion have a key role in defining the completeness in the sense of Cook of such a proof system where general completeness does not hold. Now we will define the strongest postcondition and the weakest precondition.

Definition . . The strongest postcondition of an assertion $A$ and a program $P$ is defined by
\[ SP(A, P) = \{\, s' \mid \exists s\,(\llbracket A \rrbracket_s \wedge \llbracket P \rrbracket(s) = s') \,\}. \]
The weakest precondition of a program $P$ and an assertion $A$ is defined by
\[ WP(P, A) = \{\, s \mid \forall s'\,(\llbracket P \rrbracket(s) = s' \to \llbracket A \rrbracket_{s'}) \,\}. \]

Definition . . An assertion language $L$ is said to be expressive relative to the set of programs $\mathcal{P}$ if for all assertions $A \in L$ and programs $P \in \mathcal{P}$, there exists an assertion $S \in L$ which defines the strongest postcondition $SP(A, P)$.

Definition . . A proof system $G$ for a set of programs $\mathcal{P}$ is said to be complete in the sense of Cook if, for all $L$ such that $L$ is expressive relative to $\mathcal{P}$ and for every asserted formula $\{A\}P\{B\}$, if $\{A\}P\{B\}$ is true then $\vdash_G \{A\}P\{B\}$ is provable.

Apt presented the proof of the completeness of the system in the sense of Cook in [ ] using two central lemmas. We will present them and discuss their proofs. Assume that $\vec{x}$ is the sequence of all variables which occur in $P$ and $\vec{z}$ is a sequence of some new variables, and both of their lengths are the same. Assume that the assertion language is expressive for the logical system. So there exists an assertion $S$ that defines the strongest postcondition of $\vec{x} = \vec{z}$ and $R$. The asserted program $\{\vec{x} = \vec{z}\}R\{S\}$ is the most general formula for $R$, since any other true asserted program about $R$ can be derived from $\{\vec{x} = \vec{z}\}R\{S\}$. This claim is the content of the first lemma.

Lemma . . (Apt) If $\{A\}P\{B\}$ is true then $\{\vec{x} = \vec{z}\}R\{S\} \vdash \{A\}P\{B\}$ is provable, provided that all the true assertions are given.

Proof. It is proved by induction on $P$, where the most interesting case is $P = R$. Other cases are similar to those of the system $H$ in [ ].

Suppose that $P$ is $R$. Assume $\{A\}R\{B\}$ is true. We have $\vdash \{\vec{x} = \vec{z}\}R\{S\}$.

Let $A_1$ be $A[\vec{z} := \vec{u}]$ and $B_1$ be $B[\vec{z} := \vec{u}]$ where $\vec{u} \notin FV(B) \cup \mathit{var}(R)$. By the invariance axiom, $\vdash \{A_1[\vec{x} := \vec{z}]\}R\{A_1[\vec{x} := \vec{z}]\}$ is provable. By the conjunction rule,
\[ \vdash \{\vec{x} = \vec{z} \wedge A_1[\vec{x} := \vec{z}]\}R\{S \wedge A_1[\vec{x} := \vec{z}]\} \]
is provable since $FV(A_1[\vec{x} := \vec{z}]) \cap \mathit{var}(R) = \emptyset$. We now show that $S \wedge A_1[\vec{x} := \vec{z}] \to B_1$.

Assume $\llbracket S \wedge A_1[\vec{x} := \vec{z}] \rrbracket_s = \mathit{True}$. By definition $\llbracket S \rrbracket_s = \mathit{True}$. By the property of the strongest postcondition, there exists a state $s'$ such that $\llbracket R \rrbracket(s') = s$ and $\llbracket \vec{x} = \vec{z} \rrbracket_{s'} = \mathit{True}$.

By the invariance axiom, $\vdash \{\neg A_1[\vec{x} := \vec{z}]\}R\{\neg A_1[\vec{x} := \vec{z}]\}$ is provable. Then by the conjunction rule $\vdash \{\vec{x} = \vec{z} \wedge \neg A_1[\vec{x} := \vec{z}]\}R\{S \wedge \neg A_1[\vec{x} := \vec{z}]\}$. By soundness,
\[ \{\vec{x} = \vec{z} \wedge \neg A_1[\vec{x} := \vec{z}]\}R\{S \wedge \neg A_1[\vec{x} := \vec{z}]\} \]
is true. Now suppose that $\llbracket \neg A_1[\vec{x} := \vec{z}] \rrbracket_{s'} = \mathit{True}$. Hence $\llbracket \vec{x} = \vec{z} \wedge \neg A_1[\vec{x} := \vec{z}] \rrbracket_{s'} = \mathit{True}$. Therefore, $\llbracket \neg A_1[\vec{x} := \vec{z}] \rrbracket_s = \mathit{True}$. But $\llbracket A_1[\vec{x} := \vec{z}] \rrbracket_s = \mathit{True}$ by the assumption. This contradicts the supposition for $s'$, and hence $\llbracket A_1[\vec{x} := \vec{z}] \rrbracket_{s'} = \mathit{True}$.

Since $\vec{x} = \vec{z} \wedge A_1[\vec{x} := \vec{z}] \to A_1$, we have $\llbracket A_1 \rrbracket_{s'} = \mathit{True}$. Then $\llbracket A \rrbracket_{s'[\vec{z} := \overrightarrow{s'(u)}]} = \mathit{True}$. Then $\llbracket R \rrbracket(s'[\vec{z} := \overrightarrow{s'(u)}]) = s[\vec{z} := \overrightarrow{s(u)}]$ since $\vec{z}, \vec{u} \notin \mathit{var}(R)$. Then by definition, $\llbracket B \rrbracket_{s[\vec{z} := \overrightarrow{s(u)}]} = \mathit{True}$. Then by definition, $\llbracket B_1 \rrbracket_s = \mathit{True}$. Hence $S \wedge A_1[\vec{x} := \vec{z}] \to B_1$ is true.

Then by the consequence rule, $\vdash \{\vec{x} = \vec{z} \wedge A_1[\vec{x} := \vec{z}]\}R\{B_1\}$ is provable. Then by substitution rule II, $\vdash \{\vec{x} = \vec{x} \wedge A_1\}R\{B_1\}$ is provable. Then by the consequence rule, $\vdash \{A_1\}R\{B_1\}$ is provable. By substitution rule I, $\vdash \{A_1[\vec{u} := \vec{z}]\}R\{B_1[\vec{u} := \vec{z}]\}$. We have $A \to A_1[\vec{u} := \vec{z}]$ and $B_1[\vec{u} := \vec{z}] \to B$. Then by the consequence rule, $\vdash \{A\}P\{B\}$ is provable. □

Lemma . . (Apt) The next lemma in [ ] claims that $\vdash \{\vec{x} = \vec{z}\}R\{S\}$ is provable.

Proof. By definition of $S$, $\{\vec{x} = \vec{z}\}R\{S\}$ is true and hence $\{\vec{x} = \vec{z}\}Q\{S\}$ is true since $\llbracket R \rrbracket = \llbracket Q \rrbracket$. By Lemma . . , $\{\vec{x} = \vec{z}\}R\{S\} \vdash \{\vec{x} = \vec{z}\}Q\{S\}$ is provable. By the recursion rule, $\vdash \{\vec{x} = \vec{z}\}R\{S\}$ is provable. □

The completeness theorem states that if an asserted program $\{A\}P\{B\}$ is true then $\vdash \{A\}P\{B\}$ is provable where all the true assertions are given. It is the central concept of completeness in the sense of Cook.

Theorem . . (Apt) If $\{A\}P\{B\}$ is true then $\vdash \{A\}P\{B\}$ is provable.

Proof. Assume $\{A\}P\{B\}$ is true. By Lemma . . , $\{\vec{x} = \vec{z}\}R\{S\} \vdash \{A\}P\{B\}$ is provable. By Lemma . . , $\vdash \{\vec{x} = \vec{z}\}R\{S\}$ is provable. Then $\vdash \{A\}P\{B\}$ is provable. □
2.2 Separation Logic

In system programming, use of shared mutable data structures is widespread. For three decades, approaches to reasoning about this technique have been studied. Most of them either have extreme complexity or limited applicability. Until the work of Reynolds in [ ], an extension to pointer programs was missing. Reynolds introduced separation logic, which is an extension of Hoare's logic that permits reasoning about pointer programs that have the ability to use shared mutable data structures. He extended the simple WHILE programs with commands for allocating, deallocating, accessing and modifying shared resources. He also extended the assertions by incorporating separating conjunction and separating implication, which resemble multiplicative conjunction and multiplicative implication in the logic of bunched implications by O'Hearn and Pym [ ]. In his work, he also extended Hoare's logic to pointer programs with several sets of logical rules. Although Reynolds provided the logical system and mentioned that it is sound, he did not provide the proof. The detailed technical description of separation logic is given in Chapter 4.

Tatsuta et al. gave the detailed proof of completeness in [ ]. In this work, they have taken all the axioms and rules from basic Hoare's logic and only the backward reasoning axioms from the rules proposed by Reynolds, and proved that this system is complete in the sense of Cook. On the way to proving completeness, they also proved the expressiveness of the separation logic for pointer programs.

The work of O'Hearn gives us local reasoning of programs [ ] using the frame rule. It is important to simplify verification since it gives an information hiding mechanism. Yang investigated the "adaptation completeness" (completeness of atomic programs) using the frame rule for programs with procedures, which indicates that all properties can be inferred with the rule [ ].

This dissertation is based on [ , ], which intends to extend Hoare's logic and separation logic to mutual recursive procedures, and discusses admissibility of frame rules in it.
3 New Complete System of Hoare's Logic with Recursive Procedures

We introduce a complete system of Hoare's logic with recursive procedures. Apt gave a system for the same purpose and showed its completeness in [ ]. Our system is obtained from Apt's system by replacing the INVARIANCE AXIOM, the SUBSTITUTION RULE I, the SUBSTITUTION RULE II, and the CONJUNCTION RULE by the rules (Inv-Conj) and (Exists). Apt suggested without proofs that one could replace them by his SUBSTITUTION RULE I, (Inv-Conj), and (Exists) to get another complete system. We prove that the substitution rule I can actually be derived in our system. We also give a detailed proof of the completeness of our system.
. L
Our nssertuon us n rormulnA or Penno nruttmetup. de qeine tte lnnsunse L ns rollows.
Deinutuon . . Formuvls A lrp opinpo my
A ::= p = p | p < p | ¬A | A ∧ A | A ∨ A | A → A | ∀xA | ∃xA
Wp wsvv somptsmps nlvv l qormuvl ln lssprtson.
Wp opinp FV(A) ls trp spt oq rpp vlrslmvps sn A. Wp opinp FV(p) ssmsvlrvy. Our prosrnm us n wtule-prosrnm wutt pnrnmeterless repursuve propequres. Deinutuon . . Progrlms, opnotpo my P,Q, lrp opinpo my
P, Q ::= x := p
| sq (m) trpn (P) pvsp (P)
| wrsvp (m) oo (P)
| P; P
| susp
| Rs.
m us n rormuln wuttout tte qunntuiers. Rsus n pnrnmeter-less propequre nnme tnvuns Qsns uts qeinutuon ooqy. de qeine tte lnnsunse L−ns L expluquns tte ponstruptR.
An nsserteq prosrnm us qeineq oy {A}P{B}, wtupt menns tte pnrtunl porreptness.
Semantics
Definition . . We define the semantics of our programming language. For a program P, its meaning ⟦P⟧ is defined as a partial function from States to States. We will define ⟦P⟧(r) as the resulting state after termination of the execution of P with the initial state r. If the execution of P with the initial state r does not terminate, we leave ⟦P⟧(r) undefined. In order to define ⟦P⟧, we would like to define ⟦P⟧^- for all P in the language L^-. We define ⟦P⟧^- by induction on P in L^- as follows:
⟦x := e⟧^-(s) = s[x := ⟦e⟧s],
⟦if (b) then (P_1) else (P_2)⟧^-(s) = ⟦P_1⟧^-(s) if ⟦b⟧s = True, ⟦P_2⟧^-(s) otherwise,
⟦while (b) do (P)⟧^-(s) = s if ⟦b⟧s = False, ⟦while (b) do (P)⟧^-(⟦P⟧^-(s)) otherwise,
⟦P_1; P_2⟧^-(s) = ⟦P_2⟧^-(⟦P_1⟧^-(s)),
⟦skip⟧^-(s) = s.
Definition . . For an asserted program {A}P{B}, the meaning of {A}P{B} is defined as True or False. {A}P{B} is defined to be True if the following holds.
For all s and s', if ⟦A⟧s = True and ⟦P⟧(s) = s', then ⟦B⟧s' = True.
Definition . . The semantics of P in L is defined by
⟦P⟧(s) = s' if {⟦P^(i)⟧^-(s) | i ≥ 0} = {s'},
⟦P⟧(s) undefined if {⟦P^(i)⟧^-(s) | i ≥ 0} = ∅.
Logical System
This section defines the logical system.
We will write A[x := e] for the formula obtained from A by replacing x by e.
Definition . . Our logical system consists of the following inference rules. As mentioned in the previous section, we will use Γ for a set of asserted programs. A judgment is defined as Γ ⊢ {A}P{B}.
(skip)
Γ ⊢ {A}skip{A}
(identity)
Γ, {A}P{B} ⊢ {A}P{B}
(assignment)
Γ ⊢ {A[x := e]}x := e{A}
(if)
Γ ⊢ {A ∧ b}P_1{B}    Γ ⊢ {A ∧ ¬b}P_2{B}
----------------------------------------
Γ ⊢ {A}if (b) then (P_1) else (P_2){B}
(while)
Γ ⊢ {A ∧ b}P{A}
--------------------------------
Γ ⊢ {A}while (b) do (P){A ∧ ¬b}
(comp)
Γ ⊢ {A}P_1{C}    Γ ⊢ {C}P_2{B}
------------------------------
Γ ⊢ {A}P_1; P_2{B}
(conseq)
Γ ⊢ {A_1}P{B_1}
----------------   (A → A_1, B_1 → B)
Γ ⊢ {A}P{B}
(recursion)
Γ ∪ {{A_i}R_i{B_i} | i = 1, ..., nproc} ⊢ {A_1}Q_1{B_1}   ...   Γ ∪ {{A_i}R_i{B_i} | i = 1, ..., nproc} ⊢ {A_nproc}Q_nproc{B_nproc}
---------------------------------------------------------------------------------------------------------------------
Γ ⊢ {A_j}R_j{B_j}   (1 ≤ j ≤ nproc)
(inv-conj)
Γ ⊢ {A}P{C}
---------------------   (FV(B) ∩ Mod(P) = ∅)
Γ ⊢ {A ∧ B}P{C ∧ B}
(exists)
Γ ⊢ {A}P{B}
----------------   (x ∉ FV(B) ∪ EFV(P))
Γ ⊢ {∃x.A}P{B}
We say {A}P{B} is provable and we write ⊢ {A}P{B}, when ⊢ {A}P{B} can be derived by these inference rules.
The rule (exists) is analogous to the rule of existential introduction in propositional calculus.
Completeness
Lemma . . If {A}P_1{B} is true and ⟦P_1⟧ = ⟦P_2⟧ then {A}P_2{B} is true.
Proof. By definition. ⊓⊔
Definition . . c is called the strongest postcondition of P and A if and only if the following holds.
(1) For all s, s', if ⟦A⟧s = True and ⟦P⟧(s) = s' then s' ∈ c.
(2) For all d, if ∀s, s'(⟦A⟧s = True ∧ ⟦P⟧(s) = s' → s' ∈ d) then c ⊆ d.
Definition . . S_{A,P}(x⃗) is defined as the strongest postcondition for A and P.
S_{A,P}(x⃗) gives the strongest assertion S such that {A}P{S} is true.
Lemma . . If ⊢ {A}P{B} then ⊢ {A[x⃗ := z⃗]}P{B[x⃗ := z⃗]} where z⃗, x⃗ ∉ EFV(P).
Proof. Assume ⊢ {A}P{B} and z⃗ ∉ EFV(P). Then by (inv-conj),
⊢ {A ∧ x⃗ = z⃗}P{B ∧ x⃗ = z⃗}. We have B ∧ x⃗ = z⃗ → B[x⃗ := z⃗]. Then by (conseq),
⊢ {A ∧ x⃗ = z⃗}P{B[x⃗ := z⃗]}. Then by (exists),
⊢ {∃z⃗(A ∧ x⃗ = z⃗)}P{B[x⃗ := z⃗]}. We have A[x⃗ := z⃗] → ∃z⃗(A ∧ x⃗ = z⃗). Then by (conseq),
⊢ {A[x⃗ := z⃗]}P{B[x⃗ := z⃗]}. ⊓⊔
Lemma . . If {A}P{B} is true and z⃗ ∉ EFV(P) then Γ ⊢ {A}P{B} where Γ = {{x⃗ = z⃗}R_i{S_{x⃗=z⃗,R_i}(x⃗)} | i = 1, ..., n}, x⃗ = x_1, ..., x_m and {x_j | j = 1, ..., m} = EFV(P).
Proof. We will prove it by induction on P. We will consider the cases of P.
If P is other than R_i, the proofs of these cases are similar to those of the completeness proof of H given in [ ].
Case P is R_i.
Assume {A}R_i{B} is true and z⃗ ∉ EFV(R_i). We have Γ ⊢ {x⃗ = z⃗}R_i{S_{x⃗=z⃗,R_i}(x⃗)}.
Let A_1 be A[z⃗ := u⃗] and B_1 be B[z⃗ := u⃗] where u⃗ ∉ FV(B) ∪ EFV(R_i). By the rule (inv-conj),
Γ ⊢ {x⃗ = z⃗ ∧ A_1[x⃗ := z⃗]}R_i{S_{x⃗=z⃗,R_i}(x⃗) ∧ A_1[x⃗ := z⃗]}
since FV(A_1[x⃗ := z⃗]) ∩ Mod(R_i) = ∅.
We now show that S_{x⃗=z⃗,R_i}(x⃗) ∧ A_1[x⃗ := z⃗] → B_1.
Assume ⟦S_{x⃗=z⃗,R_i}(x⃗) ∧ A_1[x⃗ := z⃗]⟧s = True. By definition ⟦S_{x⃗=z⃗,R_i}(x⃗)⟧s = True. By the property of the strongest postcondition, there exists a state s' such that ⟦R_i⟧(s') = s and ⟦x⃗ = z⃗⟧s' = True.
Now suppose that ¬⟦A_1[x⃗ := z⃗]⟧s' = True. By (inv-conj), Γ ⊢ {x⃗ = z⃗ ∧ ¬A_1[x⃗ := z⃗]}R_i{S_{x⃗=z⃗,R_i}(x⃗) ∧ ¬A_1[x⃗ := z⃗]}.
Since Γ is true by definition, by soundness, {x⃗ = z⃗ ∧ ¬A_1[x⃗ := z⃗]}R_i{S_{x⃗=z⃗,R_i}(x⃗) ∧ ¬A_1[x⃗ := z⃗]} is true. Then by definition ¬⟦A_1[x⃗ := z⃗]⟧s = True. But ⟦A_1[x⃗ := z⃗]⟧s = True. It contradicts the assumption and hence ⟦A_1[x⃗ := z⃗]⟧s' = True.
Since x⃗ = z⃗ ∧ A_1[x⃗ := z⃗] → A_1, we have ⟦A_1⟧s' = True. Then ⟦A⟧s'[z⃗ := s'(u⃗)] = True. Then ⟦R_i⟧(s'[z⃗ := s'(u⃗)]) = s[z⃗ := s(u⃗)] since z⃗, u⃗ ∉ EFV(R_i). Then by definition, ⟦B⟧s[z⃗ := s(u⃗)] = True. Then by definition, ⟦B_1⟧s = True. Hence S_{x⃗=z⃗,R_i}(x⃗) ∧ A_1[x⃗ := z⃗] → B_1 is true. Then by the rule (conseq),
Γ ⊢ {x⃗ = z⃗ ∧ A_1[x⃗ := z⃗]}R_i{B_1}. Then by the rule (exists),
Γ ⊢ {∃z⃗(x⃗ = z⃗ ∧ A_1[x⃗ := z⃗])}R_i{B_1}.
We have A_1 → ∃z⃗(x⃗ = z⃗ ∧ A_1[x⃗ := z⃗]). Then by the rule (conseq), Γ ⊢ {A_1}R_i{B_1}.
By Lemma . .,
Γ ⊢ {A_1[u⃗ := z⃗]}R_i{B_1[u⃗ := z⃗]}.
We have A → A_1[u⃗ := z⃗] and B_1[u⃗ := z⃗] → B. Then by (conseq), Γ ⊢ {A}P{B},
which was to be proved. ⊓⊔
The next lemma shows that the hypothesis {x⃗ = z⃗}R{S_{x⃗=z⃗,R}(x⃗)} used in Lemma . . is provable in our system.
Lemma . . ⊢ {x⃗ = z⃗}R_j{S_{x⃗=z⃗,R_j}(x⃗)} for j = 1, ..., n where x⃗ = x_1, ..., x_m, {x_j | j = 1, ..., m} = ∪_{i=1}^{n} EFV(R_i) and z⃗ ∉ ∪_{i=1}^{n} EFV(R_i).
Proof. Assume z⃗ ∉ ∪_{i=1}^{n} EFV(R_i) and x⃗ = x_1, ..., x_m where {x_j | j = 1, ..., m} = ∪_{i=1}^{n} EFV(R_i).
Fix j. Assume ⟦x⃗ = z⃗⟧s = True. Assume ⟦Q_j⟧(s) = r where Q_j is the body of R_j. Then by Lemma . ., ⟦R_j⟧(s) = r. By definition, ⟦S_{x⃗=z⃗,R_j}(x⃗)⟧r = True. Then by definition, {x⃗ = z⃗}Q_j{S_{x⃗=z⃗,R_j}(x⃗)} is true. By Lemma . ., {{x⃗ = z⃗}R_i{S_{x⃗=z⃗,R_i}(x⃗)} | i = 1, ..., n} ⊢ {x⃗ = z⃗}Q_j{S_{x⃗=z⃗,R_j}(x⃗)}. Hence, {{x⃗ = z⃗}R_i{S_{x⃗=z⃗,R_i}(x⃗)} | i = 1, ..., n} ⊢ {x⃗ = z⃗}Q_j{S_{x⃗=z⃗,R_j}(x⃗)} for all j = 1, ..., n. Then by the rule (recursion), ⊢ {x⃗ = z⃗}R_j{S_{x⃗=z⃗,R_j}(x⃗)}. ⊓⊔
The following theorem is the key theorem of this paper. It says that our system is complete.
Theorem . . If {A}P{B} is true then ⊢ {A}P{B} is provable.
Proof. Assume {A}P{B} is true. Let z⃗ be such that z⃗ ∉ ∪_{i=1}^{n} EFV(R_i) ∪ EFV(P) and x⃗ = x_1, ..., x_m where {x_j | j = 1, ..., m} = ∪_{i=1}^{n} EFV(R_i) ∪ EFV(P). Then by Lemma . ., {{x⃗ = z⃗}R_i{S_{x⃗=z⃗,R_i}(x⃗)} | i = 1, ..., n} ⊢ {A}P{B}. By Lemma . ., ⊢ {x⃗ = z⃗}R_i{S_{x⃗=z⃗,R_i}(x⃗)} for i = 1, ..., n. Then we have ⊢ {A}P{B}. ⊓⊔
Apt's system cannot be extended to separation logic, because his invariance axiom is inconsistent with separation logic. On the other hand, we can extend our system to a verification system with separation logic and recursive procedures in a straightforward way.
4
Separation Logic for Recursive Procedures
Language
This section defines our programming language and our assertion language. Our programming language inherits from the pointer programs in Reynolds' paper [ ]. Our assertion language is also the same as in [ ], which is based on Peano arithmetic.
Base Language
We first define our base language, which will be used later for both a part of our programming language and a part of our assertion language. It is essentially a first-order language for Peano arithmetic. We call its formulas pure formulas. We will use i, j, k, l, m, n for natural numbers. Our base language is defined as follows. We have variables x, y, z, w, ... and constants 0, 1, null, denoted by n. The symbol null means the null pointer. We have function symbols +, × and we do not have any predicate constants. Our predicate symbols are = and <. Terms and expressions, denoted by e, are defined by e ::= x | n | e + e | e × e. Terms mean natural numbers or pointers. Our pure formulas, denoted by A, are defined by
A ::= e = e | e < e | ¬A | A ∧ A | A ∨ A | A → A | ∀xA | ∃xA.
The formula constructions mean the usual logical connectives. We will sometimes write the number n to denote the term 1 + (1 + (1 + ... (1 + 0))) (n times of 1 +).
Programming Language
Next we define our programming language, which is an extension of while programs to pointers and procedures. Its expressions are terms of the base language. Its boolean expressions, denoted by b, are quantifier-free pure formulas and defined by b ::= e = e | e < e | ¬b | b ∧ b | b ∨ b | b → b. Boolean expressions are used as conditions in a program.
We assume procedure names R_1, ..., R_nproc for some nproc. We will write R for these procedure names.
Definition . . Programs, denoted by P, Q, are defined by
P ::= x := e (assignment)
| if (b) then (P) else (P) (conditional)
| while (b) do (P) (iteration)
| P; P (composition)
| skip (no operation)
| x := cons(e, e) (allocation)
| x := [e] (lookup)
| [e] := e (mutation)
| dispose(e) (deallocation)
| R (mutual recursive procedure name)
R means a procedure name without parameters.
We write L for the set of programs. We write L^- for the set of programs that do not contain procedure names.
The statement x := cons(e_1, e_2) allocates two new consecutive memory cells, puts the values of e_1 and e_2 in the respective cells, and assigns the first address to x. The statement x := [e] looks up the content of the memory cell at the address e and assigns it to x. The statement [e_1] := e_2 changes the content of the memory cell at the address e_1 to e_2. The statement dispose(e) deallocates the memory cell at the address e.
The programs x := e, skip, x := cons(e_1, e_2), x := [e], [e_1] := e_2 and dispose(e) are called atomic programs.
We call Procedure R(Q) a procedure declaration where R is a procedure name and Q is a program. The program Q is said to be the body of R. This means that we define the procedure name R with its procedure body Q.
We assume the procedure declarations
{Procedure R_1(Q_1), ..., Procedure R_nproc(Q_nproc)}
that give procedure definitions to all procedure names in the rest of the paper. We allow mutual recursive procedure calls.
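As an added example (not code from the dissertation), the following Python interpreter implements the language just defined: the store/heap state, cons with fresh consecutive cells, lookup, mutation, dispose, and parameterless procedure calls, with an Abort raised when an unallocated address is touched. The tuple encoding of programs, the fresh-address rule for cons and the procedure DelList are this example's own constructions.

```python
# Added example, not code from the dissertation: an interpreter for the pointer language
# defined above. Programs are nested tuples, a state is (store, heap) and null is address 0.
# The tuple encoding, the fresh-address rule for cons and the procedure DelList are constructed.
class Abort(Exception):
    """lookup, mutation or dispose touched an unallocated address: the run is not abort-free"""

def ev(e, store):  # expressions: int | variable name | ('+', e, e) | ('*', e, e)
    if isinstance(e, int): return e
    if isinstance(e, str): return 0 if e == "null" else store[e]
    return ev(e[1], store) + ev(e[2], store) if e[0] == "+" else ev(e[1], store) * ev(e[2], store)

def bv(b, store):  # boolean expressions: ('=', e, e) | ('<', e, e) | ('not', b)
    if b[0] == "not": return not bv(b[1], store)
    l, r = ev(b[1], store), ev(b[2], store)
    return l == r if b[0] == "=" else l < r

def run(P, store, heap, procs):
    """Final (store, heap) of P, or raise Abort; a non-terminating P never returns."""
    op = P[0]
    if op == "skip": return store, heap
    if op == ":=": return {**store, P[1]: ev(P[2], store)}, heap
    if op == "if": return run(P[2] if bv(P[1], store) else P[3], store, heap, procs)
    if op == "while":
        while bv(P[1], store): store, heap = run(P[2], store, heap, procs)
        return store, heap
    if op == ";": return run(P[2], *run(P[1], store, heap, procs), procs)
    if op == "call": return run(procs[P[1]], store, heap, procs)  # parameterless procedure
    if op == "cons":                                              # x := cons(e1, e2)
        a = next(a for a in range(1, 2 * len(heap) + 3) if a not in heap and a + 1 not in heap)
        return {**store, P[1]: a}, {**heap, a: ev(P[2], store), a + 1: ev(P[3], store)}
    addr = ev(P[2] if op == "lookup" else P[1], store)            # lookup / mutate / dispose
    if addr not in heap: raise Abort(f"address {addr} is not allocated")
    if op == "lookup": return {**store, P[1]: heap[addr]}, heap
    if op == "mutate": return store, {**heap, addr: ev(P[2], store)}
    return store, {k: v for k, v in heap.items() if k != addr}

# DelList: if (x = null) then skip else (y := [x+1]; dispose(x); dispose(x+1); x := y; DelList)
PROCS = {"DelList": ("if", ("=", "x", "null"), ("skip",), (";", ("lookup", "y", ("+", "x", 1)),
    (";", ("dispose", "x"), (";", ("dispose", ("+", "x", 1)), (";", (":=", "x", "y"), ("call", "DelList"))))))}
def build_and_free(values):
    """Allocate values as a linked list with cons, run DelList, return the final (store, heap)."""
    prog = (":=", "x", "null")
    for v in reversed(values):
        prog = (";", prog, ("cons", "x", v, "x"))
    return run((";", prog, ("call", "DelList")), {}, {}, PROCS)

def aborts(P, store, heap):  # True iff P aborts from (store, heap): the execution is not abort-free
    try: run(P, store, heap, PROCS)
    except Abort: return True
    return False
```

Calling DelList with x pointing at an unallocated cell aborts, which is exactly the situation the abort-free precondition of an asserted program is meant to exclude.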
Assertion Language and Asserted Programs
Our assertion language is a first-order language extended by the separating conjunction ∗ and the separating implication −∗ as well as emp and ↦. Its variables, constants, function symbols, and terms are the same as those of the base language. We have predicate symbols =, < and ↦ and a predicate constant emp. Our assertion language is defined as follows.
Definition . . Formulas A are defined by
A ::= emp | e = e | e < e | e ↦ e | ¬A | A ∧ A | A ∨ A | A → A | ∀xA | ∃xA | A ∗ A | A −∗ A
We will sometimes call a formula an assertion.
We define FV(A) as the set of free variables in A. We define FV(e) similarly.
The symbol emp means the current heap is empty. The formula e_1 ↦ e_2 means the current heap has only one cell at the address e_1 and its content is e_2. The formula A ∗ B means the current heap can be split into two disjoint heaps such that the formula A holds at one heap and the formula B holds at the other heap. The formula A −∗ B means that for any heap disjoint from the current heap such that the formula A holds at that heap, the formula B holds at the new heap obtained from the current heap and that heap by combining them.
We use vector notation to denote a sequence. For example, e⃗ denotes the sequence e_1, ..., e_n of expressions.
Definition . . The expression {A}P{B} is called an asserted program, where A, B are formulas and P is a program.
This means the program P with its precondition A and its postcondition B.
U P
We define the set of procedure names which are visible in a program. It will be necessary later in defining the dependency relation between two procedures.
Definition . . The set PN(P) of procedure names in P is defined as follows.
PN(P) = ∅ if P is atomic,
PN(if (b) then (P_1) else (P_2)) = PN(P_1) ∪ PN(P_2),
PN(P_1; P_2) = PN(P_1) ∪ PN(P_2),
PN(while (b) do (P)) = PN(P),
PN(R_i) = {R_i}.
We define the dependency relation between two procedures. When a procedure name appears in the body of another procedure, we say the latter procedure depends on the former procedure at level 1. When one procedure depends on another and the latter one again depends on a third one, we say the first one also depends on the third one. In this case, the level of the third dependency is determined by summing up the levels of the first and second dependencies mentioned above.
Definition . . We define the relation R_i ❀^k R_j as follows:
R_i ❀ R_i,
R_i ❀ R_j if PN(Q_i) ∋ R_j,
R_i ❀^k R_j if R_i = R'_0 ❀ R'_1 ❀ ... ❀ R'_k = R_j for some R'_0, ..., R'_k.
The procedure dependency PD(R_i, k) of a procedure name R_i up to level k is defined by PD(R_i, k) = {R_j | R_i ❀^l R_j, l ≤ k}.
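As an added example (not the dissertation's code), the following Python code computes PN(P) and PD(R_i, k) from the two definitions above over a tuple encoding of programs, and also the least level at which one procedure depends on another. The encoding and the four procedure declarations in DECLS are constructed for this example.

```python
# Added example, not the dissertation's code: PN(P) and PD(R_i, k) over a tuple encoding of
# programs: ("call", R) is a procedure name, ("if", b, P1, P2), ("while", b, P), (";", P1, P2)
# are the compound programs and every other tuple is atomic. DECLS below is constructed.
def PN(P):
    """Set of procedure names in P, following the inductive definition of PN."""
    op = P[0]
    if op == "call":
        return {P[1]}
    if op == "if":
        return PN(P[2]) | PN(P[3])
    if op == "while":
        return PN(P[2])
    if op == ";":
        return PN(P[1]) | PN(P[2])
    return set()                        # atomic programs contain no procedure name

def direct(decls):
    """R_i ❀ R_j: R_j occurs in the body Q_i, plus R_i ❀ R_i (the relation is reflexive)."""
    return {r: PN(body) | {r} for r, body in decls.items()}

def PD(decls, r, k):
    """PD(R_i, k) = {R_j | R_i ❀^l R_j, l ≤ k}: everything reachable from r in at most k steps."""
    step = direct(decls)
    reach, frontier = {r}, {r}
    for _ in range(k):                  # frontier = names first reached at exactly this level
        frontier = set().union(*(step.get(q, {q}) for q in frontier)) - reach
        reach |= frontier
    return reach

def level(decls, r, t):
    """Least l with r ❀^l t, or None; a shortest chain never needs more steps than there are procedures."""
    for l in range(len(decls) + 1):
        if t in PD(decls, r, l):
            return l
    return None

# Constructed declarations: R1 calls R2, R2 calls R3, R3 calls R1 in a loop, R4 is isolated.
DECLS = {
    "R1": ("if", ("<", 0, "x"), ("call", "R2"), ("skip",)),
    "R2": (";", (":=", "x", ("+", "x", 1)), ("call", "R3")),
    "R3": ("while", ("<", "x", 9), ("call", "R1")),
    "R4": ("skip",),
}
```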