Parameterized Dynamic Logic — Towards A Cyclic Logical Framework for General Program Specification and Verification

Program verification based on theorem proving has become a hot topic recently, especially with the rapid development of AI-assisted technologies that can greatly enhance the automation of interactive proof processes [39].

Dynamic logic [20] is an extension of modal logic for reasoning about programs. Here, the term ‘program’ can mean an abstract formal model, not necessarily an explicit computer program. In dynamic logic, a program $\alpha$ is embedded into a modality $[\cdot]$ in a form of $[\alpha]\phi$, meaning that after all executions of $\alpha$, formula $\phi$ holds. Formula $\phi\to[\alpha]\psi$ exactly captures partial correctness of programs expressed by triple $\{\phi\}\alpha\{\psi\}$ in Hoare logic [22]. Essentially, verification in dynamic logic is a process of continuously altering the form $[\alpha]\phi$ based on how $\alpha$ evolves according to its semantics. This characteristic brings an advantage of clearly observing programs’ behavioral changes throughout the whole verification processes. With a dynamic form $[\alpha]\phi$ that mixes programs and formulas, dynamic logic is able to express many complex program properties such as $[\alpha]\langle\beta\rangle\phi$, expressing that after all executions of $\alpha$, there is an execution of $\beta$ after which $\phi$ holds (where $\langle\cdot\rangle$ is the dual operator of $[\cdot]$ with $\langle\beta\rangle\phi$ defined as $\neg[\beta]\neg\phi$). As one of popular logical formalisms, dynamic logic has been used for many types of programs, such as process algebras [5], programming languages [4], synchronous systems [43, 42], hybrid systems [31, 32] and probabilistic systems [30, 24, 14]. Because of modality $\langle\cdot\rangle$, it is a natural candidate for unifying correctness and ‘incorrectness’ reasoning recently proposed and developed in work e.g. [29, 44].

The programs of dynamic logics are usually (tailored) regular expressions with tests (e.g. [15, 31]) or actual programming languages like Java [4]. The denotational semantics of these models is usually compositional, in the sense that the deductions of the logics mean to dissolve the syntactic structures of these models. For example, in propositional dynamic logic (PDL) [15], to prove a formula $[\alpha\cup\beta]\phi$, we prove both formulas $[\alpha]\phi$ and $[\beta]\phi$, where $\alpha$ and $\beta$ are sub-regular-expressions of $\alpha\cup\beta$. This so-called ‘divide-and-conquer’ approach to program verification has brought numerous benefits, the most significant being its ability to scale verifications by allowing parts of programs to be skipped (see an example in Section 4.2).

However, this typical structure-based reasoning heavily relies on programs’ denotational semantics, thus brings two major drawbacks:

Firstly, dynamic logics are some special theories aiming for particular domains. Thus for a new type of programs, one needs to either perform a transformation from target programs into the program models of a dynamic logic so that existing inference rules can be utilized, or carefully design a set of particular rules to adapt the new programs’ semantics. The former usually means losses of partial program structural information during the transformations, while the latter often demands a large amount of work. For example, Verifiable C [1], a famous program verifier for C programming language based on Hoare logic, used nearly 40,000 lines of Coq code to define the logic theory.

Secondly but importantly as well, some programs are naturally non-compositional or do not temporally provide a compositional semantics at some level of system design. Typical examples are neural networks [18], automata-based system models (e.g. a transition model of AADL [40]) and some programming languages (as we will see soon). For these models, one can only re-formalize their structures by additional transformation procedures so that structure-based reasoning is possible. One example is synchronous imperative programming languages such as Esterel [6] and Quartz [17]. In a synchronous parallel program $\alpha\parallel\beta$, the executions of $\alpha$ and $\beta$ cannot be reasoned independently because the concurrent executions at each instance are generally not true interleaving. To maintain the consistency of synchrony, events in one instance have to be arranged in a special order, which makes symbolic executions of $\alpha\parallel\beta$ as a whole a necessary step in program derivations. We will see an example in Appendix 0.C.

In this paper, to compensate for the above two shortcomings in existing dynamic-logic theories, we present a theory of parameterized dynamic logic ($\mathit{DL}_{p}$). $\mathit{DL}_{p}$ supports a general approach for specification and verification of computer programs and system models. On one hand, $\mathit{DL}_{p}$ offers an abstract-leveled setting for describing a broad set of programs and formulas, and is empowered to support a symbolic-execution-based reasoning based on a set of program transitions, called “program behaviours”. This reduces the burden of developing different dynamic-logic theories for different programs, and saves the additional transformations in the derivations of non-compositional programs. On the other hand, $\mathit{DL}_{p}$’s forms are still compatible with the existing structural rules of dynamic logics through a lifting process. This makes $\mathit{DL}_{p}$ subsume (at least partial) existing dynamic-logic theories into a single logical framework.

Informally, in $\mathit{DL}_{p}$ we treat dynamic formula $[\alpha]\phi$ as a ‘parameterized’ one in which program $\alpha$ and formula $\phi$ can be of arbitrary forms, provided with a structure $\sigma$ called “program configuration” to record current program status for programs’ symbolic executions. So, a $\mathit{DL}_{p}$ dynamic formula is of the form: $\sigma:[\alpha]\phi$, following a convention of labeled formulas. It expresses the same meaning as $[\alpha]\phi$ in traditional dynamic logics, except that program status is shown explicitly alongside $[\alpha]\phi$.

To see how $\mathit{DL}_{p}$ formulas are powerful for supporting both symbolic-execution-based and structure-based reasoning, consider a simple example. We prove a formula $\phi_{1}=_{df}(x\geq 0\to[x:=x+1]x>0)$ in first-order dynamic logic [19] (FODL), where $x$ is a variable ranging over the set of integer numbers. Intuitively, $\phi_{1}$ means that if $x\geq 0$ holds, then $x>0$ holds after the execution of the assignment $x:=x+1$. In FODL, to derive formula $\phi_{1}$, we apply the structural rule:

for assignment on formula $[x:=x+1]x>0$ by substituting $x$ of $x>0$ with $x+1$, and obtain $x+1>0$. Formula $\phi_{1}$ thus becomes $\phi^{\prime}_{1}=_{df}(x\geq 0\to x+1>0)$, which is true for any integer number $x\in\mathbb{Z}$.

While in $\mathit{DL}_{p}$, formula $\phi_{1}$ can be expressed as a form: $\psi_{1}=_{df}(t\geq 0\to\{x\mapsto t\}:[x:=x+1]x>0)$, where formula $[x:=x+1]x>0$ is labeled by configuration $\{x\mapsto t\}$, capturing the current program status with $t$ a free variable, meaning “variable $x$ has value $t$”. This form may seem tedious at first sight. But one soon can find out that with a configuration explicitly showing up, to derive formula $\psi_{1}$, we no longer need rule $(x:=e)$, but instead can directly perform a program transition of $x:=x+1$ as: $(x:=x+1,\{x\mapsto t\})\longrightarrow(\downarrow,\{x\mapsto t+1\})$ ¹¹1note that to distinguish ‘$\longrightarrow$’ and ‘$\to$’, which assign $x$’s value with its current value added by $1$. Here $\downarrow$ indicates a program termination. Formula $\psi_{1}$ thus becomes $\psi^{\prime}_{1}=_{df}(t\geq 0\to\{x\mapsto t+1\}:[\downarrow]x>0)$, which is actually $\psi^{\prime\prime}_{1}=_{df}(t\geq 0\to\{x\mapsto t+1\}:x>0)$ by eliminating the dynamic part ‘$[\downarrow]$’ since $\downarrow$ behaves nothing. By applying configuration $\{x\mapsto t+1\}$ on formula $x>0$ (which means replacing variable $x$ of $x>0$ with its value $t+1$ in $\{x\mapsto t+1\}$), we obtain the same valid formula $\phi^{\prime}_{1}$: $t\geq 0\to t+1>0$ (modulo the free variables $x,t$).

The above derivations of $\mathit{DL}_{p}$ formulas benefit from that for many programs, transitions like $(x:=x+1,\{x\mapsto t\})\longrightarrow(\downarrow,\{x\mapsto t+1\})$ are natural from their operational semantics and can be easily formalized (as will be seen in Appendix 0.B), while structural rules like $(x:=e)$ would consume more efforts to design. And there might exists no structural rules in certain cases, as will be illustrated in the example of Esterel programs in Appendix 0.C.

With the labels $\sigma$ structurally independent from their dynamic formulas $[\alpha]\phi$, $\mathit{DL}_{p}$ formulas $\sigma:[\alpha]\phi$ also support programs’ structural rules through a so-called “lifting process” (Section 3.4). This capability provides $\mathit{DL}_{p}$ with a flexible framework in which different inference rules can be applied to make a trade-off between symbolic-execution-based and structure-based reasoning in practical deduction processes. For example, here, to derive the formula $\psi$ above, one can also apply a lifted rule from rule $(x:=e)$:

by fixing $\{x\mapsto t\}$, and then $\psi_{1}$ becomes $\psi^{\prime\prime\prime}_{1}=_{df}(t\geq 0)\to(\{x\mapsto t\}:x+1>0)$, which is also formula $\phi^{\prime}_{1}$: $t\geq 0\to t+1>0$ after applying configuration $\{x\mapsto t\}$ on formula $x+1>0$.

In this paper, different from the traditional approach that relies on Kripke structures (cf. [20]), we give the semantics of $\mathit{DL}_{p}$ directly based on the program behaviours of target programs.

After building the logic, we propose a proof system for $\mathit{DL}_{p}$, providing a set of rules for reasoning about general programs based on program behaviours. To provide compatibilities of $\mathit{DL}_{p}$ with existing dynamic-logic theories, we propose a lifting process for introducing additional structural rules from particular program domains.

Unlike the derivation processes based on dissolving program structures, deriving a $\mathit{DL}_{p}$ formula may lead to an infinite proof tree. We develop a cyclic proof (cf. [10]) approach for $\mathit{DL}_{p}$. Generally, cyclic proof is a technique to ensure that a certain infinite proof tree, called ‘preproof’, can lead to a valid conclusion if it is ‘cyclic’, that is, containing a certain type of derivation traces (Definition 5). Cyclic proof system provides a solution for reasoning about programs with implicit loop structures and well supports the symbolic-execution-based reasoning of $\mathit{DL}_{p}$ formulas. We propose a “cyclic preproof” structure for $\mathit{DL}_{p}$ (Definition 6) and prove that it is sound under certain conditions.

To summarize, our contributions are mainly three folds:

• •

  We give the syntax and semantics of $\mathit{DL}_{p}$ formulas.

• •

  We build a proof system for $\mathit{DL}_{p}$.

• •

  We construct a cyclic preproof structure for $\mathit{DL}_{p}$ and prove its soundness.

The rest of the paper is organized as follows. Section 2 defines the syntax and semantics of $\mathit{DL}_{p}$ formulas. In Section 3, we propose a cyclic proof system for $\mathit{DL}_{p}$. In Section 4, we show how $\mathit{DL}_{p}$ can be useful as a verification framework by giving some examples. Section 5 analyzes and proves the soundness of $\mathit{DL}_{p}$. Section 6 introduces some previous work that is closely related to ours, while Section 7 makes some discussions and talks about future work.

The construction of $\mathit{DL}_{p}$ is based on a set $\mathbf{TA}$ of terms defined over a set $\mathit{Var}$ of variables and a set $\Sigma$ of signatures. In $\mathbf{TA}$, we distinguish three subsets $\mathbf{Prog},\mathbf{Conf}$ and $\mathbf{Form}$, representing the sets of programs, configurations and formulas respectively. $\mathbf{TA}\supseteq\mathbf{Prog}\cup\mathbf{Conf}\cup\mathbf{Form}$. We use $\equiv$ to represent the identical equivalence between two terms in $\mathbf{TA}$. A function $f:\mathbf{TA}\to\mathbf{TA}$ is called structural (w.r.t. $\Sigma$) if it satisfies that for any $n-$ary signature $s_{n}\in\Sigma$ ($n\geq 0$, $0-$ary signature is a constant) and term $s_{n}(t_{1},...,t_{n})$ with $t_{1},...,t_{n}\in\mathbf{TA}$, $f(s_{n}(t_{1},...,t_{n}))\equiv s_{n}(f_{1}(t_{1}),...,f_{n}(t_{n}))$ for some structural functions $f_{1},...,f_{n}:\mathbf{TA}\to\mathbf{TA}$. Naturally, we assume that a structural function always maps a term to a term with the same type: $\mathbf{Prog},\mathbf{Conf}$ and $\mathbf{Form}$.

In $\mathbf{Prog}$, there is one distinguished program $\downarrow$, called termination. It indicates a completion of executions of a program.

Program configurations have impacts on formulas. We assume that $\mathbf{Conf}$ is associated with a function $\mathfrak{I}:(\mathbf{Conf}\times\mathbf{Form})\to\mathbf{Form}$, called configuration interpretation, that returns a formula by applying a configuration on a formula.

An evaluation $\rho:\mathbf{TA}\to\mathbf{TA}$ is a structural function that maps each formula $\phi\in\mathbf{Form}$ to a proposition — a special formula that has a boolean semantics of either truth (represented as $1$) or falsehood (represented as $0$). We denote the set of all propositions as $\mathbf{Prop}$. $\mathbf{Prop}\subseteq\mathbf{Form}$. The boolean semantics of formulas is expressed by function ${\mathfrak{T}}:\mathbf{Prop}\to\{0,1\}$. $\mathbf{Prop}$ forms the semantical domain as the basis for defining $\mathit{DL}_{p}$. An evaluation $\rho\in\mathbf{Eval}$ satisfies a formula $\phi\in\mathbf{Form}$, denoted by $\rho\models_{\mathfrak{T}}\phi$, if ${\mathfrak{T}}(\rho(\phi))=1$. A formula $\phi\in\mathbf{Form}$ is valid, denoted by $\models_{\mathfrak{T}}\phi$, if $\rho\models_{\mathfrak{T}}\phi$ for all $\rho\in\mathbf{Eval}$.

In the rest of this paper, we call program domain a special instantiation of structure ${(\mathbf{TA},\mathbf{Eval},\mathfrak{I})}$ for terms $\mathbf{TA}$, evaluations $\mathbf{Eval}$ and functions $\mathfrak{I}$.

We consider two instantiated program domains, namely ${(\mathbf{TA}_{{\textit{WP}}},\mathbf{Eval}_{{\textit{WP}}},\mathfrak{I}_{{\textit{WP}}})}$ and ${(\mathbf{TA}_{E},\mathbf{Eval}_{E},\mathfrak{I}_{E})}$. Table 1 depicts two program models in these domains respectively: a While program $\textit{WP}\in\mathbf{Prog}_{\textit{WP}}$ and an Esterel program $\textit{E}\in\mathbf{Prog}_{E}$. Below we only give an informal explanation of relevant structures, but at the same time providing comprehensive formal definitions in Appendix 0.B for While programs, in case readers want to know more details.

In these two program domains, the sets of variables are denoted by $\mathit{Var}_{\textit{WP}}$ and $\mathit{Var}_{E}$ respectively. In program WP, variables are $s,n,x$, whose domain is the set of integer numbers $\mathbb{Z}$. In program E, variables are $x$ and $S$. $x$ is also called a “local variable”, with $\mathbb{Z}$ as its domain. Signal $S$ is a special variable distinguished from local variables, whose domain is $\mathbb{Z}\cup\{\bot\}$, with $\bot$ to express ‘not-happened’ of a signal (also called ‘absence’). Intuitively, assignment $x:=e$ means assigning the value of an expression $e$ to a variable $x$. Signal emission $\textit{emit}\ S(e)$ means assigning the value of an expression $e$ to a signal variable $S$ and broadcasts the value. A mapping $x\mapsto e$ of a configuration means that variable $x$ has the value of expression $e$. Formulas are first-order logical formulas in the domain $\mathbb{Z}$ or $\mathbb{Z}\cup\{\bot\}$ with arithmetical expressions. Examples are $n>0$, $\forall x.x+y=0$, $x>0\wedge y>0$, etc.

A configuration of a While program is a variable storage in which each variable has a unique value of an expression. For example, a configuration $\{x\mapsto 5,y\mapsto 1\}$ has variable $x$ storing value $5$ and variable $y$ storing value $1$. On the other hand, a configuration of an Esterel program is a variable stack, allowing several (local) variables with the same name. For example, $\{x\mapsto 5\operatorname{|}y\mapsto 1\operatorname{|}y\mapsto 2\}$ represents a configuration in which there are 3 variables: $x$, and two $y$s storing different values. The separator ‘$\operatorname{|}$’ instead of ‘,’ is used to distinguish from a configuration of a While program, with the right-most side as the top of the stack.

“Free variables” are those occurrences of variables that are not in the effect scope of any binders, such as the assignment $x:=(\cdot)$, or quantifiers $\forall x.(\cdot),\exists x.(\cdot)$. Let $\textit{FV}_{N}:\mathbf{TA}_{N}\to\mathit{Var}_{N}$ ($N\in\{\textit{WP},E\}$) return the set of all free variables of a term. For example, in program WP, variable $n$ of expression $n-1$ in $n:=n-1$ and variable $s$ of expression $s+n$ in $s:=s+n$ are bound by the assignments: $n:=(\cdot)$ and $s:=(\cdot)$ respectively, while variable $n$ is free in formula $n>0$ and in expression $s+n$ of assignment $s:=s+n$. So $\textit{FV}_{\textit{WP}}(\textit{WP})=\{n\}$. In a configuration, while mapping $x\mapsto\cdot$ is a binder for labeled formulas (as defined in Appendix 0.B), a variable in an expression $e$ of a mapping $x\mapsto e$ is always free, since interpretation $\mathfrak{I}_{\textit{WP}}$ introduced below is simply a type of substitutions.

An evaluation $\rho(t)$ ($\rho\in\mathbf{Eval}_{\textit{WP}}$ or $\rho\in\mathbf{Eval}_{E}$) returns a “closed term” (terms without free variables) by replacing each free variable of term $t$ with a value in $\mathbb{Z}$ or $\mathbb{Z}\cup\{\bot\}$. For example, if $\rho(n)=5$, then $\rho(n>0)=(5>0)$. $5>0$ is a proposition with a boolean semantics: ${\mathfrak{T}}_{N}(5>0)=1$ in the theory of integer numbers. A substitution $t[e/x]$ replaces each free variable $x$ of $t$ with term $e$.

Given a configuration $\sigma$ and a formula $\phi$, in a While program, the interpretation $\mathfrak{I}_{\textit{WP}}(\sigma,\phi)$ is defined as a type of substitutions (see Appendix 0.B). It replaces each free variable $x$ of $\phi$ with its value stored in $\sigma$. For example, $\mathfrak{I}_{\textit{WP}}(\{n\mapsto 1,s\mapsto 0\},n>0)=(1>0)$. In an Esterel program, on the other hand, the interpretation $\mathfrak{I}_{E}(\sigma,\phi)$ replaces each free variable $x$ of $\phi$ with the value of the top-most variable $x$ in $\sigma$. For instance, $\mathfrak{I}_{E}(\{n\mapsto 1\ |\ n\mapsto 2\ |\ s\mapsto 0\},n>0)=(2>0)$ (by taking the value $2$ of the right $n$).

Program Behaviours. A program state is a pair $(\alpha,\sigma)\in\mathbf{Prog}\times\mathbf{Conf}$ of programs and configurations. In $\mathbf{Form}$, we assume a binary relation $(\alpha,\sigma)\longrightarrow(\alpha^{\prime},\sigma^{\prime})$ called a program transition between two program states $(\alpha,\sigma)$ and $(\alpha^{\prime},\sigma^{\prime})$. For any evaluation $\rho\in\mathbf{Eval}$, proposition $\rho((\alpha,\sigma)\longrightarrow(\alpha^{\prime},\sigma^{\prime}))$ is assumed to be defined as: $\rho((\alpha,\sigma)\longrightarrow(\alpha^{\prime},\sigma^{\prime}))=_{df}\rho(\alpha,\sigma)\longrightarrow\rho(\alpha^{\prime},\sigma^{\prime})$. Program behaviours, denoted by $\Lambda$, is the set of all true program transitions:

which is assumed to be well-defined in the sense that there is no true transitions of the form: $(\downarrow,\sigma)\longrightarrow...$ from a terminal program.

A path $tr$ over $\Lambda$ is a finite or infinite sequence: $s_{1}s_{2}...s_{n}...$ ($n\geq 1$), where for each pair $(s_{i},s_{i+1})$ ($i\geq 1$), $(s_{i}\longrightarrow s_{i+1})\in\Lambda$ is a true program transition. A path is terminal, if it ends with program $\downarrow$ in the form of $(\alpha_{1},\sigma_{1})...(\downarrow,\sigma_{n})$ ($n\geq 1$). We call a path minimum, in the sense that in it there is no two identical program states. A state $s$ is called terminal, if from $s$ there is a terminal path over $\Lambda$.

In order to reason about termination of a program, in $\mathbf{Form}$ we assume a unary operator $(\alpha,\sigma)\Downarrow$ called the termination of a program state $(\alpha,\sigma)$. For an evaluation $\rho\in\mathbf{Eval}$, proposition $\rho((\alpha,\sigma)\Downarrow)$ is defined as: $\rho((\alpha,\sigma)\Downarrow)=_{df}(\rho(\alpha,\sigma))\Downarrow$. ${\mathfrak{T}}((\alpha,\sigma)\Downarrow)=_{df}1$ if there exists a terminal path over $\Lambda$ starting from $(\alpha,\sigma)$. We use $\Omega$ to denote the set of all true program terminations: $\Omega=_{df}\{(\alpha,\sigma)\Downarrow\ |\ {\mathfrak{T}}((\alpha,\sigma)\Downarrow)=1\}$.

For programming languages, usually, program behaviours $\Lambda$ (also program terminations $\Omega$) are defined as structural operational semantics [33] of Plotkin’s style expressed as a set of rules, in a manner that a transition ${\mathfrak{T}}((\alpha,\sigma)\longrightarrow(\alpha^{\prime},\sigma^{\prime}))=1$ only when it can be inferred according to these rules in a finite number of steps. Appendix 0.B gives an example of the operational semantics of While programs (Table 6).

Restrictions on Program Behaviours. In this paper, our current research on the proof system of $\mathit{DL}_{p}$ (Section 3) confines us to only consider a certain type of programs whose behaviours satisfy the following properties. We simply call them program properties.

The currently discussed programs restricted by Definition 1 are actually a rich set, including, for example, all deterministic programs (i.e., there is only one transition from any closed program state) and programs with finite state spaces (i.e., from each closed program state, only a finite number of closed program states can be reached). While programs and Esterel programs introduced in Table 1 above are both deterministic programs. They satisfy the program properties in Definition 1.

However, there exist types of programs that do not satisfy (some of) these program properties. For example, hybrid programs (cf. [31]) with continuous behaviours do not satisfy branching finiteness. Some non-deterministic programs, like probabilistic programs [2], do not satisfy termination finiteness. More future work will focus on relaxing these conditions to include a wider range of programs.

Based on the assumed sets $\mathbf{Prog},\mathbf{Conf}$ and $\mathbf{Form}$, we give the syntax of $\mathit{DL}_{p}$ as follows.

$\sigma$ and $\phi$ are called the label and the unlabeled part of formula $\sigma:\phi$ respectively. We call $[\alpha]$ the dynamic part of a formula, and call a $\mathit{DL}_{p}$ formula having dynamic parts a dynamic formula. Intuitively, formula $[\alpha]\phi$ means that after all executions of program $\alpha$, formula $\phi$ holds. $\langle\cdot\rangle$ is the dual operator of $[\cdot]$. Formula $\langle\alpha\rangle\phi$ can be written as $\neg[\alpha]\neg\phi$. Other formulas with logical connectives such as $\vee$ and $\to$ can be expressed by formulas with $\neg$ and $\wedge$ accordingly. Formula $\sigma:\phi$ means that $\phi$ holds under configuration $\sigma$, as $\sigma$ has an impact on the semantics of formulas as indicated by interpretation $\mathfrak{I}$.

The semantics of a traditional dynamic logic is based on a Kripke structure [20], in which programs are interpreted as a set of world pairs and logical formulas are interpreted as a set of worlds. In $\mathit{DL}_{p}$, we define the semantics by extending $\rho$ and ${\mathfrak{T}}$ from Section 2.1 to formulas $\mathbf{DL_{p}}$ and directly base on program behaviours $\Lambda$.

Notice that for a $\mathit{DL}_{p}$ formula $\phi$, how $\rho(\phi)$ is defined explicitly can vary from case to case. In Definition 3, we only assume that $\rho$ is structural and $\rho(\phi)$ must be a proposition. An example of evaluation $\rho$ is given in Appendix 0.B.

According to the semantics of operator $\langle\cdot\rangle$, we can have that ${\mathfrak{T}}(\rho(\langle\alpha\rangle\phi))=1$ iff there exists a terminal path $(\alpha_{1},\sigma_{1})...(\downarrow,\sigma_{n})$ ($n\geq 1$) over $\Lambda$ with $(\alpha_{1},\sigma_{1})\equiv\rho(\alpha,\sigma)$ such that ${\mathfrak{T}}(\rho(\sigma_{n}:\phi))=1$.

A $\mathit{DL}_{p}$ formula $\phi$ is called valid, if $\rho\models\phi$ for all evaluation $\rho\in\mathbf{Eval}$.

Sequents. In this paper, we adopt sequents [16] as the derivation form of $\mathit{DL}_{p}$. Sequent is convenient for goal-directed reversed derivation procedure which many general theorem provers, such as Coq and Isabelle, are based on.

A sequent $\nu$ is a logical argumentation of the form:

where $\Gamma$ and $\Delta$ are finite multi-sets of formulas split by an arrow $\Rightarrow$, called the left side and the right side of the sequent respectively. We use dot $\cdot$ to express $\Gamma$ or $\Delta$ when they are empty sets. A sequent $\Gamma\Rightarrow\Delta$ expresses the formula $\bigwedge_{\phi\in\Gamma}\phi\to\bigvee_{\psi\in\Delta}\psi$, denoted by $\mathfrak{P}(\Gamma\Rightarrow\Delta)$, meaning that if all formulas in $\Gamma$ hold, then one of formulas in $\Delta$ holds.

Inference Rules. An inference rule is of the form

where each of $\nu,\nu_{i}$ ($1\leq i\leq n$) is also called a node. Each of $\nu_{1},...,\nu_{n}$ is called a premise, and $\nu$ is called the conclusion, of the rule. The semantics of the rule is that if the validity of formulas $\mathfrak{P}(\nu_{1}),...,\mathfrak{P}(\nu_{n})$ implies the validity of formula $\mathfrak{P}(\nu)$. A formula pair $(\tau,\tau_{i})$ ($1\leq i\leq n$) with formula $\tau$ in node $\nu$ and formula $\tau_{i}$ in node $\nu_{i}$ is called a conclusion-premise (CP) pair.

We use a double-lined inference form:

to represent both rules

provided any sets $\Gamma$ and $\Delta$. We often call the CP pair $(\phi,\phi_{i})$ ($1\leq i\leq n$) a target pair, call $\phi,\phi_{i}$ target formulas. $\Gamma$ and $\Delta$ are called the context of a sequent.

Proof Systems. A proof tree is a tree-like structure formed by deducing a node as a conclusion backwardly by consecutively applying inference rules. In a proof tree, each node is the conclusion of a rule. The root node of the tree is called the conclusion of the proof. Each leaf node of the tree is called terminal, if it is the conclusion of an axiom. A proof tree is called finite if all of its leaf nodes terminate.

A proof system $P$ consists of a set of inference rules. We say that a node $\nu$ can be derived from $P$, denoted by $\vdash_{P}\nu$, if a finite proof tree with $\nu$ the root node can be formed by applying the rules in $P$.

Notice that the rules with names shown in the tables below in this paper (e.g. rule $([\alpha])$ in Table 3) are actually rule schemata, that is, inferences rules with meta variables as parameters (e.g. “$\Gamma,\Delta,\sigma,\alpha,\phi,\sigma^{\prime},\alpha^{\prime}$” in rule $([\alpha])$). But in the discussions below we usually still call them “inference rules”, and sometimes do not distinguish them from their instances if no ambiguities are caused.

The proof system ${P_{\textit{DLP}}}$ of $\mathit{DL}_{p}$ relies on a pre-defined proof system $P_{\Lambda,\Omega}$ for deriving program behaviours $\Lambda$ and terminations $\Omega$. $P_{\Lambda,\Omega}$ is sound and complete w.r.t. $\Lambda$ and $\Omega$ in the sense that for any transition $(\alpha_{1},\sigma_{1})\longrightarrow(\alpha_{2},\sigma_{2})\in\mathbf{Prop}$ and termination $(\alpha,\sigma)\Downarrow\ \in\mathbf{Prop}$, $(\alpha_{1},\sigma_{1})\longrightarrow(\alpha_{2},\sigma_{2})\in\Lambda$ iff $\vdash_{P_{\Lambda,\Omega}}\cdot\Rightarrow(\alpha_{1},\sigma_{1})\longrightarrow(\alpha_{2},\sigma_{2})$, and $(\alpha,\sigma)\Downarrow\ \in\Omega$ iff $\vdash_{P_{\Lambda,\Omega}}\cdot\Rightarrow(\alpha,\sigma)\Downarrow$.

Note that in ${P_{\textit{DLP}}}$, we usually assume that a formula does not contain a program transition or termination.

Table 3 lists the primitive rules of ${P_{\textit{DLP}}}$. Through ${P_{\textit{DLP}}}$, a $\mathit{DL}_{p}$ formula can be transformed into proof obligations as non-dynamic formulas, which can then be encoded and verified accordingly through, for example, an SAT/SMT checking procedure. For easy understanding, we give rule $(\langle\alpha\rangle)$ instead of the version of rule $([\alpha])$ for the left-side derivations, which can be derived using $(\langle\alpha\rangle)$ and rules $(\neg L)$ and $(\neg R)$. The rules for other operators like $\vee$, $\to$ can be derived accordingly using the rules in Table 3.

Illustration of each rule is as follows.

Rules $([\alpha])$ and $(\langle\alpha\rangle)$ deal with dynamic parts of $\mathit{DL}_{p}$ formulas based on program transitions. Both rules rely on the sub-proof-procedures of system $P_{\Lambda,\Omega}$. In rule $([\alpha])$, $\{...\}_{(\alpha^{\prime},\sigma^{\prime})\in\Phi}$ represents the collection of premises for all program states $(\alpha^{\prime},\sigma^{\prime})\in\Phi$. By the finiteness of branches of program hehaviours (Definition 1-1), set $\Phi$ must be finite. So rule $([\alpha])$ only has a finite number of premises. Note that when $\Phi$ is empty, the conclusion terminates. Intuitively, rule $([\alpha])$ says that to prove that $[\alpha]\phi$ holds under configuration $\sigma$, we prove that for each transition from $(\alpha,\sigma)$ to $(\alpha^{\prime},\sigma^{\prime})$, $[\alpha^{\prime}]\phi$ holds under configuration $\sigma^{\prime}$. Compared to rule $([\alpha])$, rule $(\langle\alpha\rangle)$ has only one premise for $(\alpha^{\prime},\sigma^{\prime})$. Intuitively, rule $(\langle\alpha\rangle)$ says that to prove $\langle\alpha\rangle\phi$ holds under configuration $\sigma$, we prove that after some transition from $(\alpha,\sigma)$ to $(\alpha^{\prime},\sigma^{\prime})$, $\langle\alpha^{\prime}\rangle\phi$ holds under configuration $\sigma^{\prime}$.

In rule $(\textit{Ter})$, each formula in $\Gamma$ and $\Delta$ is a formula in $\mathbf{Form}$. Rule $(\textit{Ter})$ terminates if formula $\mathfrak{P}(\Gamma\Rightarrow\Delta)$ is valid. The introduction rule $(\textit{Int})$ for labels is applied when $\phi$ is a formula without any dynamic parts. Through this rule we eliminate a configuration $\sigma$ and obtain a formula $\mathfrak{I}(\sigma,\phi)$ in $\mathbf{Form}$. Rule $([\downarrow])$ deals with the situation when the program is a termination $\downarrow$. Its soundness is straightforward by the well-definedness of program behaviours $\Lambda$.

Rule $({\textit{Sub}})$ describes a specialization process for $\mathit{DL}_{p}$ formulas. For a set $A$ of formulas, ${\textit{Sub}}(A)=_{df}\{{\textit{Sub}}(\phi)\ |\ \phi\in A\}$, with Sub a function defined as follows in Definition 4. Intuitively, if formula $\mathfrak{P}(\Gamma\Rightarrow\Delta)$ is valid, then its one of special cases $\mathfrak{P}({\textit{Sub}}(\Gamma)\Rightarrow{\textit{Sub}}(\Delta))$ through an abstract version of substitutions Sub on formulas is valid. Rule $({\textit{Sub}})$ plays an important role in constructing a bud in a cyclic preproof structure (Section 3.3). See Section 4.1 as an example.

Rules $(\sigma\neg)$ and $(\sigma\wedge)$ are for transforming labeled formulas. Their soundness are direct according to the semantics of labeled formulas (Definition 3).

From rule $(\textit{ax})$ to $(\sigma\wedge R)$ are the rules inherited from traditional first-order logic. Note that rule $(\textit{Cut})$ and rules $(\textit{Wk}L)$ and $(\textit{Wk}R)$ have no target pairs. The meanings of these rules are classical and we omit their discussions here.

The soundness of the rules in ${P_{\textit{DLP}}}$ is stated as follows.

Following the above explanations, Theorem 3.1 can be proved according to the semantics of $\mathit{DL}_{p}$ in Section 2.4. Appendix 0.A gives the proofs for rules $([\alpha])$ and $(\langle\alpha\rangle)$ as examples.