0% found this document useful (0 votes)
22 views25 pagesAI
converting code to first order logic
Uploaded by
samerelking3Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
22 views25 pagesAI
converting code to first order logic
Uploaded by
samerelking3Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
/ 25
AetfcilIteigence 235 (2016) 1-25
Contents lists available at ScienceDirect
Artificial Intelligence
ELSEVIER www.elsevier.com/locate/artint
A formalization of programs in first-order logic Deore
with a discrete linear order
Fangzhen Lin
Department of Computer Sclence, Hoe Hong Kong Univers of ScenceandTeelogy lear Wate Bay, Koon. Ho Kong
ARTICLE INFO ABSTRACT
Ane isto ‘We consider the problem of representing and reasoning about computer programs. and
Received 17 December 2014 propose a translation from a core procedutal scerative programming language to fist
Received in revised form 23 August 2015 forder logic with quantification aver the domain of natiral numbers that includes the
Accepted 28 January 2016
scented 8 mary 2016 usual successor function and the “less than” linear order, essentially a first-order logic
with a discrete linear order. Unlike Hoare's logic, our approach does not rely on loop
Rounds TTC Citvtiats, Unlike the typical temporal logic specification of a program, aur tanslation
Program semantis does not reeuire a transition system model of the program, and is compositional on the
Reatoning about programs structures of the program. Some non-trivial examples are given to show the effectiveness
Frssorder lope fof our translation for proving properties of programs.
(© 2016 Elsevier BY. All rights reserved
1. Introduction
In computer science, how to represent and reason about computer programs effectively has been a major concen since
the beginning. For imperative, non-concurrent programs that we are considering here, notable approaches include Dijkstra's
calculus of weakest preconditions [1.2], Hoate’s logic [3], dynamic logic [4], and separation logic [5]. For the most part, these
logics provide rules for proving assertions about programs, In particular, for proving assertions about iterative loops, these
logics rely on what have been known as Hoare's loop invariants. In this papet. we propose a way to translate a program
toa first-order theory with quantification over natural numbers. The properties that we need about natural numbers are
that they have a smallest element (eto), are linearly ordered, and each of them has a successor (plus one), Thus we are
‘essentially using first-order logic with a predefined dliscrete linear order, Ths logic is closely related to linear temporal logic,
which is a main formalism for specifying concurrent programs [6]
Given a program, we translate it to a first-order theory that captures the relationship between the input and output
values of the program variables, independent of what one may want to prove about the program. For instance, trivially, the
following assignment
xox
can be captured by the following two axioms:
X=X+Y,
yey,
ral eres ines wt le
np éoiorg/i0 016}.ain.20:6 0.014
(0043702) 2016 Elsevier BY. All ight reserved.
2 Lin Arc neigence 285 (2016) 1-25
where X and ¥ denote the initial values of the corresponding program variables and X’ and Y' their values after the
statement is performed, Obviously, the question is how the same can be done for loops. This is where quantification over
natural numbers comes in, Consider the following while loop
while X M,
N= Xn <
van M.
where NV is a natural number constant denoting the total number of iterations that the loop runs to termination, and X(n)
the value of X after the nth iteration. Thus the third axiom says that if the program enters the loop, then the output value
of the program variable X, denoted by X’, is X(N), the value of X when the loop exits.
The purpose of this paper is to describe how this set of axioms can be systematically generated, and show by some
examples how reasoning can be done with this set of axioms. Without going into details, one can already see that unlike
Hoare's logic, our axiomatization does not make use of loop invariants. One can also see that unlike typical temporal logic
specification of a program, we do not need a transition system model of the program, and do not need to keep track of
program execution traces. We will discuss related work in more detail later
We use a typed first-order language. We assume a type for natural numbers (non-negative integers). Depending on the
programs, other types such as integers may be used. For natural numbers, we use constant 0, linear ordering relation <
(and =), successor function n+ 1, and predecessor function n~ 1. We follow the convention in logic to use lower case
letters, possibly with subscripts, for logical variables. In particular, we use m and n for natural number variables, and x. y.
and 2 for generic variables. The variables in a program will be treated as functions in logic, and written as either upper case
letters or strings of letters,
We use the following shorthands. The conditional expression:
er = ifg thene, else es
{sa shorthand for the conjunction of the following two sentences:
Viger
2.
Vin > e105,
where % are all the free variables in g and e:, /=1,2,3. Typically, all free variables in g occu in ey.
‘Our most important shorthand is the following expression which says that e is the smallest natural number that satisties
(ny
smallest(e, 1,9)
is a shorthand for the following formula:
einje) AYm.m <-> >g(n/m,
where n is a natural number variable in g, m a new natural number variable not in e or y, g(a/e) the result of replacing
nin by ¢, similarly for g(n/m). For example, smallest(M, k,k< N * found(W)) says that M is the smallest natural number
such that M < N A found(M)
M =n < N/A found(n)), where the universal quantification is over the domain of natural numbers as 1
is a natural number variable. Notice however, in the macro smallest(M, k,k O1 > [g(m) A=g(m = 1)]
Furthermore
VR(ENL(VK.K > n> GO) A (WRK Sm —> pe (R))] >
Ymismallest(m, n, g(n)) = gm) A gm — 1D},
where kis a variable notin
Proof. For any given % and m, suppose smallest(m, n, g(7)) Am > 0, Then g(m) and Vk.k-< m—> ~p(K). Since m > 0, thus
=g(m —1). Now suppose that gm)» =y(m ~1) and for some M,
[kk > M— (0) A Wkk = M— 4(h))]
This means that M =m —1, and smatlestim, ng).
‘To motivate our next proposition, consider again the following loop
while X p20).
smallest(m,1, gx(n)) A:smallest(m2,n, g2(0))] >
mz =m, +0
3. A simple class of programs
Consider the following simple class of programs > constructed from a set of array identifiers array, a set of functions
operator, and a set of Boolean operators boolean-op
array(E,...,5) |
poe E |
boolean-op(B, -.-B)
Posse arraytb,. = B) SE |
fB then Peise > |
P|
while B do P
Here E denotes expressions, 2 boolean expressions, and P programs. Notice that instead of. for example "array () (3]"
commonly used in programming languages to refer to an atray element, we use the notation “array (i, j)” more com-
‘monly used in mathematics and logic.
‘As one can see, programs here are constructed using assignments, sequences, if-then-else, and while loops. Other con-
structs such as if-then and for-loop can be defined using these constructs, For instance. “if B then P* can be defined as “if B
then P else X =x
We assume a base first-order language £ that contains functions and predicates that are static in the sense that their
semantics are fixed and cannot be changed by programs. They include functions that correspond to operator, predicates
4 F Lin Arc neigence 285 (2016) 1-25
that correspond to boolean-op, and possibly other functions and predicates fr formalzing the domain knowledge. In the
following, we call £ the base language
Given a program P, we extend the base language by functions to represent program variables in the program. These
functions are dynamic in that their vahies may be changed during the execution of a program. We assume that program
variables are new, not already used in C. We also assume that there is no overloading so that two different program
Variables cannot have the same name but different artis, Thus we can use the same program variables as functions in
tur fistorder language. Specifically if V isa program variable for an nary array, then we add V and Vas new nary
functions to-£: Von, %4) and VG, .¥q) denote the values ofthe (.»..as)th cell nV at the input and the output
respectively of the program P. For their values during the execution of P, we'll intodice temporary function symbols to
denote them, These temporary function symbols can be systematically named using statement labels (see Section & below)
fand are useful wien one is interested about properties that hold during the execution of a program, For now. we assume
that we ae interested only in the program outputs
Given a program P and a set X of program variables including all variables used in P, we define inductively the set of
axioms for P and X, written TH, as follows
eIrPis
W(BL, --,Bk) =
then If consists of following axioms that say that only the value of V(EL, . Bk) is possibly changed
VG = fer
else V®,
X= XG), XX and X different from V
where = (e1,...2%), and k is the arity of the program variable (array) V. We assume here that for each program
‘expression B, there isa corresponding term E in our first-order language. Recall that by our convention, these variables
are universally quantified, The domains of these variables depend on the type of the program variable V,
sIPis
1 Aco Axy = Ey) then E
if B then PL else P2
then If is constructed ftom 113, and 11f, a follows
Bp, foreach et,
=B—9, foreach y enh,
We assume here that for each boolean expression B, there is a cortesponding formula B in our fitst-order language.
opis
PL; pa,
then I1f is constructed from I1f, and 11f, by connecting the outputs of Py with the inputs of Pz as follows:
e0%/), foreach g eTHh,
eG, foreach gent,
where 7 (V1, Ya) i6 a tuple of new function symbols such that each ¥; is ofthe same arity as X; in X, gti/¥) is
the result of replacing in g each occurrence of X/ by Y;, and similarly for @(X/¥). The new function symbols in ¥ are
called temporaty functions and used to denote the values of program varlables during the execution of the program.
By our inductive construction, I1¥, and THE, may already have some temporary function symbols introduced this way.
Furthermore. if Py andjor Ps have loops_éhen they may slso have some new natural number constants (see below
fc
share any ofthese temporary symbol. In other words, we assume that 1 and TH, have only common symbols fom
LUKUX,
ei Pis
how axioms are constructed for while loops). By renaming if necessary, we assume here that II}, and I1f, do not
while B do Pl
Fine tigen 285 (206) 1-25 s
‘Then rf is constructed by aéing an index parameter to all dynamic functions in 1, to record thei values ater
the body Py has been executed 1 times, Formally it consists of the following axioms:
ln}, foreach g e TH,
Xi@) = Xi®%_0), for each Xj eX
smallest(Nn, ~B(n)
X}G) = Xi N), foreach Xie X
Where n is a new natural number variable not already in g, and Na new natural number constant not already used in
TIX, and for each formula or term at, an} denotes the value of a after the body P; has been executed n times, and is
obtained fom a as follows:
1. Gea) is 3x(atn), (24 v ag)l0) is y(n] ¥ aztn}, and (mapIn] is Can),
2. Fey, on€,n} is F(ExkM)-» alm) Af F is a predicate or a function in the base first-order language £. In particular,
1 = en)in) is extn] =entm)
X¥less 04) En) 18 XiCenn} een}. m+ 1), if 5 is im X
Viers.-vep)ln] is Vien). .vee{n].m), if V is a non-primed function not in £
While we have used 1 to denote “the” set of axioms for P and X, the construction above does not yield a unique set
of axioms as the temporary functions introduced when constructing axioms for program sequences and while-loops are not
unique. However, TY is unique up to the renaming of these new functions. In particular, any two different sets of these
axioms are logically equivalent wien considering only program variables from X, ie. when the temporary functions are
forgotten’. More precisely, given two theories & and Zp. we say that they are equivalent when considering a subset 9 of
their vocabularies if any model My of E} can be modified into a model Mz of Ez such that M; and Mz agree on 9, and
conversely any model of 2 can be similarly modified into a model of 2
Appendix A proves the correctness of IIS under an operational semantics In the following, we give some simple prop-
erties about our axiomatization
‘The following proposition says that a program is local, in that it has effects only on variables in i.
Proposition 4 tbe a tuple of program variables tha are notin P and not used in Tf, Then considering only Xu ¥, nf? is
‘equivalent to the union of 11% and the set of following “frame axioms’
Y'G)=YG), foreach Y¥ e¥
The construction rule for a sequence P; Q can also be modified so that temporary functions only need to be introduced
{or those that occu in both P and Q
Proposition S. Let X be a tuple of program variables including those used in either P or Q,.and V = (Vj... Vx) the tuple of program
variables used in both P and Q (thus asubset of X). When considering only X, I1¥.g is equivalent tothe set o following axioms:
et*/), foreach y ent
pW /¥), foreach g ek
where 7 = (¥s,.-.¥q) i. tuple of temporary functions such that each ¥, is ofthe same arity as Vin 7. Again we assume that, by
renaming i necessary, LVS and 11% have no common function symbols other than those in X or inthe base language C
The following important property about our axiomatization says that we do not need to wait until we have the full set
of axioms to do simplification. During the construction of the axioms for a program. we can simplify first the axioms for its
subprograms. This greatly simplifies the above recursive procedure for constructing axioms of a program.
Proposition 6 Let X be a tuple of program variables, including al those that occur in program P. For any subprogram P’, iT is
‘equivalent t TIS when considering only X, then we use T instead of 1%, in computing TIX, che resulting theory i equivalent to 11%
‘hen considering only X as wel
Notice that in the above proposition. when we use T instead of TI, in computing T1%, we assume that we will also
rename temporary function symbols when necessary to avoid name conflicts. For example, if P is Py: Pz. and a theory
equivalent to TTS, is
XSYAY=X41. o
6 F Lin Arc neigence 285 (2016) 1-25
It Tf, also uses the temporary function symbol Y, then we need to rename ether the ¥ in (1) or the ¥ in Tif, when
constructing 1.
Before we consider more interesting examples, we illustrate our construction of IT using two simple programs.
31 Asimple sequence
Consider the following program P and two program variables X; and X» (notice that X; is used in P, but Xz is not)
xls 1; M2 = xd
HG) is the set ofthe following two sentences
Xj=1
Xa
and 142%),
the set of following two sentences:
Xexith
X=X
Thus 119% is
wet
Ya= Xa,
xy=¥i+1
Xh=¥o
Eliminating the temporary constants ¥1 and Yo, we get Xj —2 and X} — Xo.
3.2, Asimple loop
Consider the following program P with a simple loop.
while I n X'> AC, @)
which is equivalent to
O AQ),
which ean be proved by induction on N, The base case of N=0 is trivial, For the inductive case, suppose the result holds
for N=K. Let N= K +1, There are two cases to consider: X(K) < ACK) and X(K) > A(K). We show the first case here
The second case is similar. In the first case, X(K +1) = A(K) and we need to show that
Osn A(K) = AC.
Two cases for On A(n) follows from the
inductive assumption and that X(K) < A(K)
2.3, Partial and total correctness
Ak program is partially correct wrt. a specification if the program satisfies the specification when it terminates. It is
totally correct if tis partially correct and terminates.
In our framework, a program P with variables X is represented by a set of sentences, 14. Whatever properties that one
wants to show about P ate proved using this set of sentences. A partial correctness result correspords to proving a sentence
about X and X' from M14. An example is the assertion (2) above for the simple loop. On the other hand, termination of
4 program is proved by showing that the new natural number constants introduced by the loops and used in the smallest
‘acto expressions are well-defined, which in logic means that the resulting theory TIS is consistent, thus there is a model
where the new constants are mapped to natural numbers. For instance, for the above simple loop, the smallest macro
4s smallet(M,n, ~I(n) < Ni@)). By Proposition 1 and the fact that (N) > N holds it can be verified that the theory is
consistent because there is indeed 2 natural number M that satisfies this macro expression
Ifa loop docs not terminate, then its smallest macro will cause a contradiction. For instance, consider the following loop:
while I 0, then it will loop forever. Our axioms for the loop are:
TV =KN)AM'=M,
1@=
a4
if I(n) > O then I(n) +1 else Tin),
nN I(n) M. OF
course in logic, this also means that the axioms for the loops will entail that “(J =0.A.0 X> AGM)
in Hoare's logic. To prove this assertion, one would need to find a suitable “loop invariant”, a formula that if true initially
will continue to be true after each iteration. In general, there are infinite number of such loop invariants. The key is to
find one that, in conjunction with the negation of the loop condition, can entail the postcongition in the assertion. For this
simple loop, the following is such a loop invariant:
Vin(lo X= Atm).
Finding suitable loop invariants is at the heart of Hoare's logic, and it is not surprising that there has been much work on
discovering loop invariants (eg. [7-11]
In comparison, our proof of (2) uses ordinary mathematical induction and recurrences on I(n) and X(n). See Appendix 8
for more details.
Another difference between our approach and Hoate’s logic is that Hoare’s logic is a set of general rules about program.
assertions, while we provide a translation from programs to first-order theories with quantification over natural numbers.
‘Once the translation is done, assertions about it are proved with respect to the translated first-order theory, without ref
‘erence to the original program. This is similar to Pnueli’s temporal logic approach to program semantics [6]. According to
common classification used in the formal methods community (cf, [12.13]}: approaches like Hoare’s logic and dynamic
logic are exogenous in that they have programs explicitly in the language. while in the temporal logic approach, program
semantics is typically endogenous in that a fixed program is often assumed and a program execution counter is part of the
specification language. Our approach is certainly not exogenous. Its alittle endogenous as we use natural numbers to keep
tack of loop iterations, but not as endogenous as typical temporal logic specifications which requites program counters,
to be part of states. In particular, our mapping from programs to theories is compositional, built up from the structure of
the program. Barringer et al. 14] proposed a compositional approach using temporal logic, but only in the style of Hoare's
logic, using Hoare triples. However, a caveat is that so far the temporal logic approach (0 program semantics have been
‘mainly for concurrent programs, while what we have proposed is for non-parallel programs. Given the close relationship
between temporal logics and first-order logic with a linear order, if there are no nested loops, then our translation can be
reformulated in a temporal logic, It is hard to see how this can be done when there are nested loops, as this will lead to
nested time lines, modeled here by predicates with multiple natural number arguments. Of course, one can always construct
‘a transition graph of a program, and model it in a temporal logic, But then the structure of the original program is lost
We are certainly not the first to use first-order logic with a linear order to model dynamic systems. For instance, it has
bbeen used to model Turing machines in the proof of Trakhtenbrot’s theorem in finite moctel theory (see, eg. [15])
{A closely related work is Charguéraud’s characteristic formulas for functional programs [16,17]. However, these formulas
are higher-order formulas that reformulate Hoare's rules by quantifying over preconditions and postconditions.
‘Our use of natural numbers as “indices” to model iterations is similar to Wallace's use of natural numbers to model rule
applications in his semantics for logic programs (18
‘While we use natural numbers to formalize loops, Levesque et al, [19] used second-order logic to capture Golog programs
with loops in the situation calculus, Recently, Lin [20] showed that under the foundational axioms of the situation calculus,
Golog programs can be defined in first-order logic as well. However, the crucial difference between the work here and
the work in the situation calculus on Golog is that our axioms try to capture the changes of states in terms of values of
program variables, while the semantics of Golog programs is more about defining legal sequences of executions. To illustrate
the difference here, consider a program that consists of assignments that make no change (nil actions). For this program,
it would stil be non-trivial to define sequences of legal executions, although it does not matter which sequences are legal
as none of them change the values of program variables. Another difference is that we consider only assignments and
deterministic programs, while Golog programs allow any actions that can be axiomatized by successor state axioms, and
‘can have nondeterministic choices.
5. Cohen’s integer division algorithm
For a more complex example, consider the following program P which implements the well-known Cohen's integer
division algorithm [21] (our program below is adapted from (11)). 1t has two loops, one nested inside another. The program
vatiables are A,8,Q,R,X,¥. where X and ¥ are inputs, and Q is the ouput. Let X= (A,B, Q,R,X,¥). There are two
loops. Let’s name the inner loop Inner, and outer Joop Outer. When computing I1%, we again consider only equivalence
under % and use Proposition 6 to simplify the process
0 F Lin Arc neigence 285 (2016) 1-25
J and ¥ are two input integers; ¥ > 0
9-0; // quotient
R=x; // xenainder
while (R >= ¥) do ¢
Asl; // A and B are some that at any tine for
Bey; // some n, A=2%n and B=2*n4¥
while (R >= 2+8) do {
= 2A;
= 2B;
RB;
oa
1 eeturn Q = X/¥:
itis easy to see that If is equivalent to Hy, (@ =0,R=X), To compute Tg. we compute fst Fi, which i
equivalent tothe se of fllowing sentences
An +1) = 2AM),
Bin +1) =2B(n),
Qint+ 1) =Q«n),
Rin = RO,
‘X(ns1)
Yan+1)
A@=A,
50
Q@=a,
RO
X(Q)=X,
YO
smallet(N,n, (a) < 2800),
y=
smailest(,n, R< 2"*1B),
A =2A
Bi =2%B.
inj rica ietigence 235 (2016) 1-25. "
We can now eliminate terms ike ACH) and Br), expand the smallest macro expression, and obtain Ty the sof
Taowng sentences:
Rep
m2""'R,
A =2NA,
a’ =2"B,
x
N=X,
yey
Thus the set of sentences for the body of the loop Outer is equivalent to the set of the following sentences:
R<2Ntty,
mR>2"1y,
aa"
Br =2"y.
Q=a4a,
R=R-B,
X =X.
yay
Thus Ty (Q =0, R= X) is equivalent 10
Rey < 281M,
m RQ) = 2"FY(),
Aga) =28,
Bon + 1) =2%Y (a)
aime n= ae rai.
Rin 1) = Rem = 2"'Y(M),
Xn+D =X),
Ya+=Yq),
AQ) =A,
BO) =B.
Qo
RO)
X@)=X,
Y@=Y,
smallest(M,n, Rin) < ¥(n)),
A= AM),
2 F Lin Arc eigence 235 (2016) 1-25
X(M),
yon,
Now get rid of Xn) and ¥(n) as they do not change: Xin) =X and ¥(n) = ¥, get rid of A ané B as they are irrelevant now,
and expand the smallest macro expression, we obtain IU as the set of following sentences
Rem <28oVY,
m- R¢n) = 2Y,
Bee D= 20) HN
Rent 1) = Rea — 2",
0) =0.
RO =X,
Ru <¥.
m 0, we have R= R(M) =
ROM = 1) = 28D. By the axiom
m= N(n) > Rom >2™*1Y,
Jet n= M—1 and m= N(M ~1)—1, we have R(M—1) 2 28M-D-Dely = 2NO—Dy, Thus Rt = 0. For the second property,
we have
over’
(My + RM)
= (Q(M = 1) + 28D yy + ROM — 1) — ND
=Q(M—DY+R(M—1)
QWY+RO=X.
‘Again this is partial correctness. To prove the termination, we need to show that the new terms introduced by the smallest
‘macro expressions are all well-defined. For this program, it means that M (the outer loop counter) is bounded, and for
every n, N(n) (the inner loop counter for each outer loop iteration) is bounded. By Proposition 1, these can be proved by
showing the following two properties
Sm.Rom) <¥,
nam. R(n) <2™-1Y.
Notice that these properties must be proved without those axioms about M and N(n). Since R(n-+1) is inductively defined
in terms af N(n), we prove the second property by induction on n, thus showing that Nn) is well-defined, Sine R(0) = X
and ¥ > 1, 3m,R(0) < 2*1Y is easy to see: we can let m= X. Thus N(0) is well-defined, Inductively, suppose N(R) is well-
defined and 3m.R(&) < 2"*1Y. Since R(&e+ 1) < ROW, we have 3m.ROk-+ 1) <2"1Y as wel, Thus N+ 1) is well-defined
Now to show the first property 3m.R(m) < ¥, observe that R(m) = X —m¥, thus 3m. R(m) <0 <¥
Lin Arf negence 2952016) 1-25 8
Ik may not seem obvious how properties like these can be proved in general. As we mentioned, logical consistency is
‘what we meant for terms like Nin) to be well-defined. Thus all one needs to show is that the set of axioms is consistent
under the assumption that ¥ > 0 and X > 0. Using Proposition 1 is just one way of showing this: if the axioms that do not
‘mention N are consistent and entail 3n.g(n), then adding smallest(N, n, g(n)) to the axioms will also be consistent.
‘Again we remark that we relied on mathematical induction in our proof and made no use of loop invariants. Notice also
that our proof actually shows that for integer division, any program of the following form is correct
// % and ¥ are two input integers; ¥ > 0
0-0; // quotient
Rex: // renainder
waile (R >= ¥) do
le (R >= keB) do {
A= Kea;
B= kaBy
R= RB,
Q = Ora
)
uw en Q = X/¥:
where k> 1 can be any constant,
6, Properties of programs during execution
‘As we mentioned, our proposed translation to first order logic has been tailored for the program behaviors in terms of
input and ouput conditions. Sometimes one may be interested in properties of a program during its execution, We have
been using temporary function symbols to denote the values of program variables during the execution of a program. So to
reason about properties of a program during its execution, all we need to do is to give these temporary functions explicit
names. One way to do this is to label program statements and use these labels as the point of reference. Consider the
following class of labeled programs:
B rs arzay(s, 8) |
Gperatort,.--/E)
aisz-E|
bootean-op (2, 2)
Pos Es array(s, 8)
=|
L: if B then P else P |
L: while 2 do P |
PB; PB
Here 1, is a label, typically a natural number, Notice that there is no label in front of a sequence, In general, a program P is
2 sequence of statements:
(Lis Pads (la Padi sles PO
where P; is either an assignment, a conditional or a while loop. We call Py the last statement of P, and the output of P is
the same as the output of Py.
‘Again assume that program variable names are unique and notin the base language C. Now given a program P. for each
program variable V and label L, we add functions V and V! to £2 Again, V(d) denotes the value at the input, where % are
the indices of the corresponding array. The value at the end of a statement Lis now denoted by V4(i). Of course, V' is V!
When L is the label ofthe last statement in the program.
Given a program P and a set X of program variables including all variables used in P, we again use Tf to denote the
set of axioms for P and X
ol Pis
Ls V(EL,...,8k) = E
then THE consists of following axioms:
4 F Lin Arc neigence 285 (2016) 1-25
VEG = ify = Ey A Ame = Ep) then E
else V@®),
1G) =X), Xe K and X different from V
oi pis
if B then Pl else 22
then ITF is the union of 11f,, 11}, and the set of the following axioms: for each X € X,
Bo x4) = x GH,
Bo X'G@ = xEw,
where £1 and Lz are the labels of the last statements in P, and P2, respectively.
eUPis
PL; 2
then 114 is the union of 114, and the set ofthe following axioms:
e05Xl, foreach g er,
where Ls the abel ofthe fst tteent in
ars
while B do PL
Then 11} is constructed from 11%, as follows:
ln), for each ye nf,
XE@_0) = Xi@), for each X;€ X
XP@& n+ 1) = XP Gm),
smallest(N, n, =B{n))
XEG) = XE@N), foreach X, € X
label of the last statement of the loop body Py, is a new natural number variable not already in
rnumber constant not already used in IT}, and for each formula or term e, ain) is defined
where Ly i
4. and Na new na
similarly as before:
1, Gea) ni] is AxCerim), (a ¥ap){n] is ayn] Vaa{n}, and (-a){n) is Can)
2. Fees, ep)Unl i Fles[n), ..exln)) if F is a predicate or a function in the base first-order language .
3. X(er, eg)in] is XE(ey{M, eel}, for each X eX, _
4 for each label tin Py, X'(@x, ~» ex) [a] is X*(en[n], ext]. m), for each Xe X.
‘As an example, consider the simple loop in Section 2.2, with labels added:
i: while 2 Tin <
aM) @=bAX=y)
Vows: List] £a::x,
and the three functions yield the following axioms:
(Wax: List) length(x) = if = (J then 0
else length(tail()) +1
(Wx: List).tai(x) = ifx= (J then {]
else if Sa(Sy = List)x =a sy then y.
(Wax, y List) appendix, y) = ife= [1 then y
Lisa: xy
then a: append(x1. y)
With these axioms, one can prove, for example length(a:: b= [)
properties like the following simple one:
However, they are not sufficient for proving general
(ve, y: Listlength(append(x, y)) = length(x) + length(y).
To prove properties like this, we need induction on lists. This can be done by using a second-order axiom on sort List,
similar to the one on natural numbers. However, since we already have natural numbers, this is not necessary. We can
introduce lists of n elements, and define a list to be a list of n elements, for some n. This way, we can use mathematical
induction on natural numbers to prove inductive properties about lists. We show how this is done here. We introduce a
binary predicate List(x,n), meaning that x isa list with exactly elements:
(Vx: List)3n.List(x,n),
0,
List(x, 0) =
Liston +1) =
1a) (By = List) x=.
ya ist(y.m)
We first show that if x is alist, then there is a unique n such that Lst(x, 1) holds:
List(x,m) A List(x,m) > m=. @)
Suppose x is a list. and List m) and List(x,n) are true. We do simultaneous induction on n and m, If n=0, then x= [J If
m0, then for some k, m=k +1 and x=[] =a: y for some a and list y. a contradiction with one of our axioms about
lists. Thus m=O as well, Similarly, if m= 0, then m= 0 as well. Suppose n= ky +1 and m =ky +1, and suppose inductively
that for any i, j las: x)) > CX: List} gO)
‘Suppose the premise is true and for some list x, —w(a). By (3) there is a unique n such that List(x,n). Suppose x isa shortest
such lst: for any ist y. if List(y,m) Am n. Gm)
This axiomatization is similar to the iterated version of the least fixed-point semantics for recursive functions: Byg is the
base case and By is the inductive case.
Consider again function foo) defined above. We have
fo0(X,M) { if M=0 then
{if X=0 then ret
Lf X=1 then ret!
cycle else
m1) else
00%,
aD
1) else
{if X20 then ret
hen ret
and the following axioms for foo(X) and foo(X, M):
‘Jo0(x) = y = mn > m foo(x.n) = y,
Joo(0, 0) = Cycle,
foo(1,0)=1,
Jo0{0.n + 1) = fo0(0,
foo(t.n+1)=1
Thus Vn.foo(0, n) = Cycle and ¥n.foo(1,n) = 1. So foo(0) = Cyele and foo(
values for foo(x) when x is not equal to 0 oF 1
‘The axioms again leave open the possible
8, Pointers
To illustrate how this approach can handle pointers and reference variables, we consider here a language with some
simple pointer operations similar to those in C. In particular, for a program variable X, we use &X to refer to the address
of the memory location assigned to x, and for a pointer variable 1, use #1, to refer to the value in the location pointed to
by L. Thus for a variable x, # (&%) and x return the same value when evaluated in an expression,
F Lin Arf negence 2952016) 1-25 19
eperator(S,....E) |
#PE
er | Gia | pointe: 1B)
eI
hoolean-op(E,
While B do P
Here id is an integer program variable, and pointer a pointer program variable, For simplicity, we do not consider arrays
here. operator is a function that returns an integer value, pointer-op a pointer value, and ool ean-op a truth value
Our axiomatization of this class of programs will model directly how the compiler works. We assume a set of storage
locations which can hold a value which is either an integer or the location of another storage cell. A program variable
will be assigned to a location by the compiler at the beginning and this will not be changed during the execution of the
program. The value of a program variable will be the value stored at the location.
Thus we assume a location sort in our language. In our axiomatization above, we represent a program variable V by
4 function (of the same name) in our language. The value of this function denotes the value of the program variable in
the program. Here, we are going to make a conceptual shift: we are going to represent a program variable by a function of
location sort so that the value of the function denotes the location assigned to the program variable by the compiler. So for a
program variable Vv, while before its corresponding function V in the first-order language was dynamic as its value changes
luring the execution of the program, now V is static as the location assigned to this program variable by the compiler will
not change. What is changing during the program execution is the values stored in the memory locations, and this will be
‘modeled by a dynamic function val:
val: location —> int U location
Thus if Vis an integer variable, then val(V) will be an integer. If V is a pointer, then val(V) will be a location,
To summarize, given a program and a program variable V, instead of using V and V’ to denote its values at the input
and output of the program, respectively, we now use V to denote a memory location and val(V) and val (V) to denote
these two values, respectively. We need to do a similar translation from an expression 1: in the program to a term val(E)
(and similarly val(B)) in our first-order language:
1, val(&id) isi, if 46 is an integer program variable.
2. valG#PE) is val(val(PB), if Eis a pointer expression,
3. val (Et, oe) 18 f al(E). .» al(E;)), if £ is either an operator, pointe:
We have a corresponding function fin ot language,
p, of boolean-op, assuming that
Given a program P, our axioms for it, denoted Tp, will be in terms of val and vat’
eirPis
where v is an (integer or pointer) program variable and Fan (integer or pointer) expression, then we have the following
val (x) = ifx = V then val(E) else val),
Where x ranges over locations.
otis
#PE =
‘where PE is a pointer expression, then the axioms are as follows:
val (x) = ifx = val(PE) then val(E else val(x)
2 Lin Arc neigence 285 (2016) 1-25
etPis
PL P2
then TIp is constructed from T1p, and Tp, as follows
‘g(vat jtmp), for each y < Tp,
‘g(val/emp), for each » € Tp...
where tmp is a new function of the same arity as val and val’ and not already used in Tp, and Tp,
+ The cases for conditionals and while loops are similar as before.
Consider the program
Lav;
aed
where v is an integer variable and 1, a pointer, Given that val(&V) = V, we have the following axioms:
tmp(a) = ifx=Lthen V else val(x,
val () = if x= tmp(L) then 1 else tmp)
Assuming that LV (they are assigned diferent locations by the compiler). we have val (V) =1, vaf(L) = V. and
XAVAXALD valle = vale
Now consider the following program:
while x < ¥ do
Lf Max <
X= KHL
(A,X) then Max = #next (A,X);
where a is a pointer variable and next (A, x) is a pointer pointing to the Xth location after the one pointed to by A. In C
notation, next (A,X) would be A+x and "+" is addition in pointer arithmetic. We use next in order to distinguish it from
the normal addition operator arithmetic. We assume the following unique names axioms on locations:
Yn. (X #¥ Max #£ next(A, 1)
‘Again we compute the axioms for the body of the loop first, which can be simplified into the following axioms under the
above unique names axioms:
vat (X) = val(X) +1
val(Max) < val(val(next(A, X)))
vat (Max) = val(val(next(A, X))),
AX Axx Max v sal Max) < val(val(next(A, X)))) >
val (x) = val)
Thus the axioms for the program are
val(x, 0) = val
val X41) = val(X,n) +1,
al(Max,n) < val(val(next(A. X), 1), 1) >
val(Max, n+ 1) = val(valinext(A, X),n), 1)
AX A(x A Max v —wal(Max) < val(val(next(A, X),1),2))
val(x, n+ 1) = val(x,n)
vax, +1) = vale, n)
val (x) = val(x,N).
Compared to the formalization in Section 3, the one here looks more compact as it quantifies over program variables
which ate locations. This representation is more low level. For instance, some axioms about the next function will be needed
before they can be used to infer anything interesting about the program, For more details on how this can be done, see
lea}
9. Concluding remarks
Our goal is to construct a translator from a full programming language like C or Java to first-order logic. Once this is
done, reasoning about programs can then be done in logic using techniques including but not limited to induction and loop
invariants. In this paper, we show how this is possible for a core procedural programming language with loops, functions,
and simple pointers. We have extended it to more complex mutable data structures including lists and trees and are working
‘on extending it to thread-based concurrency.
The complexity of the translated first-order theory of a given program depends on what the program is about. If all
program variables are propositional, then the resulting first-order theory is decidable for proving both partial and total
correctness of the program with respect to any given propositional specification. if the program is about natural numbers
and involves addition and multiplication, then we may need full arithmetic to reason about it. If the program is about
Predicting the trajectory of a planet, then a theory of physics is needed in order to prove anything interesting about it. How
‘to integrate logical reasoning with a domain theory has long been a challenge in Al as well as in computer science.
Acknowledgements
I thank Yin Chen, Shing-Chi Cheung, Yongmet Liu, Pritom Prajkhowa, Yidong Shen, Bo Yang, Charles Zhang, Mingyi Zhang,
Yan Zhang, and Yi Zhou for many useful discussions related to the subject of this paper. [ also thank the anonymous
reviewers for both KR-2014 and this journal for sharing their insights on the topic of this paper and for their valuable
‘comments on earlier versions of this paper. This work was supported in part by HK RGC under GRF 616013,
Appendix A. Correctness under an operational semantics
In this appendix we provide an operational semantics to the language in Section 3 and show the correctness of our
axiomatization with respect to this semantics
Given a program, we define its models to be sequences of states from its executions. We represent states by first-order
structures, As before, we assume a base language that contains functions and predicates corresponding to build-in functions
and operators. Given a program P, and a tuple X of functions that includes all program variables used in P, we extend the
base language to a new language C; by adding functions in X. Notice that this means that sf V is a program variable in P
for an n-ary array, then we assume that V ¢ X is an n-ary function. Again, we assume that the program variable names are
unique and there is no overloading of names.
For the class of programs that we consider here, executing a program in a state either does not terminate or yields a
finite sequence of assignments. This can be defined in a standard way. Now a finite sequence (My, , My) of Cy structures
is a model of P if when executed in M;, P terminates with a sequence of assignments er,--.,-1 such that for each
1 9, foreach eM,
Observe that a model M of 11 satistes Biff the projection of M on Cj. My. satisfies B. Thus M is 2 model of TH if
either B is true in My and M is a model of M1, of B is false in Mz and M is a model of TI,. By inductive assumption,
suppose now M is @ model of 1H. Then either B is true in My and for some M, (Mj. Mz,.-. My, My. is a model of Py
or Bis false in My and for some Mj, [Mj. My,» Mu, My.] is & model of Pa, where My. isthe primed projection of M on
In either case, for some Mi, Mj, My, My, My, iS a model of P
‘suppose P is
P2
then a sequence of states [Mj, .... My] is a model of P iff for some 1 0, some such that
© [My -1 Miy,,] 18 a model of P;, 0<1 . A condition @ is a loop invariant if whenever g and C are true initially. ¢
will continue to hold after P is performed. In our notation, this means that the theory corresponding to the program entails
the following sentence:
Yn.Cin] 4 gin] —> gin +11
Now if a postcondition Q can be proved using the invariant ¢
CAg +a,
then we can prove in our theory that Q’ holds as Q’ is Q[N] for the N that satisfies smallest(N, n, “Cin).
Consider the simple example of the following loop for computing factorials:
120;
while T X(ND),
Hq) = 10) 41
Fa(n) = Fen),
x4qn) = Xin),
Fin 1) = 140m) + Fa(n),
4 N=),
Xa + = xan,
X'=XN1)
From this set of equations, it is easy to verify the loop invariant:
Hen) < X(n) A (ln) = Xia) A Fin) = fact lin) >
1+ DS X41 AFO+ 1) = fact +1),
Thus
Re NI Mrs 1) < X41) A Feat 1) = fact(lin +1)
Instantiate n= NI — 1 in the above equation, we have I(N1) < X(N1). Thus I(N1) = X(ND). So F’ = F(N1) = fact(1(N1)) =
$act(X(N1)) = fact(X’),
Our translator simplifies the translated theory as much as possible by getting rid of temporary variables and making use
of Mathematica? to solve recurrences as much as possible. For the factorial program. it generates the following set IT of
formulas:
hist iplemeated by Pritom Paow ad i tllbe upon sequs.
in rif oetigence 235 (2016) 1-25. as
FO)
ne NI In) n
