Computer-Assisted Program Reasoning Based on a Relational Semantics of Programs

Most systems for program reasoning are based on calculi such as the Hoare Calculus or Dynamic Logic [1] where we generate from a program specification and a program implementation (which is annotated with additional meta-information such as loop invariants and termination terms) those conditions whose verification implies that the implementation indeed meets the specification. The problem is that by such an approach we gain little insight into the program before respectively independently of the verification process. In particular, if the verification attempt is a priori doomed to fail because of errors, inconsistencies, or weaknesses in the program’s specification, implementation, or meta-information (which is initially the case in virtually all verification attempts), we will learn so only by unsuccessfully struggling with the verification until some mental “click” occurs. This click occurs frequently very late, because, in the heat of the struggle, it is usually hard to see whether the inability to perform a correctness proof is due to an inadequate proving strategy or due to errors or inconsistencies in the program. Actually, it is usually the second factor that contributes most to the time spent and frustration experienced; once we get the specification/implementation/meta-information correct, the verification is a comparatively small problem. We have frequently observed this fact in our own verification attempts as well as in those performed by students of computer science and mathematics in courses on formal methods. We therefore advocate an alternative approach where we insert between a program and its verification conditions an additional layer, the denotation of the program [4] expressed in a declarative form. The program (annotated with its meta-information) is translated into its denotation from which subsequently the verification conditions are generated. However, even before (and independently of) any verification attempt, one may investigate the denotation itself to get insight into the “semantic essence” of the program, in particular to see whether the denotation indeed gives reason to believe that the program has the expected behavior. Errors in the program and in the meta-information may thus be detected and fixed prior to actually performing the formal verification. More concretely, following the relational approach to program semantics [2], we model the effect of a program (command) c as a binary relation [c ] on program states which describes the possible pairs of preand post-states of c. Such a relation can be also described in a declarative form by a logic formula fr with denotation [ fr ]. Thus a formal calculus is devised to derive from a program c a judgment c : fr such that [c ]⊆ [ fr ]. For instance, we can derive