The PL0 language

This page formally defines the language PL0 considered in the lecture. It is similar to the Viper language, but not identical.

In particular, the formalization includes

variables and constants,
the syntax of PL0 programs,
our notion of program states and program configurations,
the formal semnatics of PL0, including the semantics of arithmetic expressions, Boolean expressions, predicates, and statements.

Variables & Constants

We denote by Var the set of (program) variables, such as x, y, z, etc. Moreover, we typically denote integer-valued constants (of type Int) by c, u, v, w, etc. Analogously, we denote truth values (of type Bool) by t.

Syntax

The syntax of PL0 is composed of

arithmetic expressions,
Boolean expressions,
predicates, and
program statements.

Arithmetic Expressions

The set AExpr of arithmetic expressions is given by the grammar:

a    ::=    c           (integer-valued constants)
         |  x           (variables)
         |  a + a       (addition)
         |  a * a       (multiplication)
         |  a - a       (subtraction)
         |  a / a       (integer division)
         |  a % a       (remainder)

Boolean Expressions

The set BExpr of Boolean expressions is given by the grammar:

b    ::=    true        (truth)
         |  false       (falsety)
         |  a == a      (equality between arithmetic expressions)
         |  a != a      (inequality between arithmetic expressions)
         |  a <= a      (less-or-equal for arithmetic expressions)
         |  a >= a      (greater-or-equal for arithmetic expressions)
         |  a < a       (less-than for arithmetic expressions)
         |  a > a       (greater-than for arithmetic expressions)
         |  !b          (negation)
         |  b && b      (conjunction)
         |  b || b      (disjunction)

Predicates

The set Pred of predicates P is given by the following grammar:

P    ::=    b                   (Boolean expressions)
         |  exists x :: P       (existential quantification)
         |  forall x :: P       (universal quantification)
         |  !P                  (negation)
         |  P && P              (conjunction)
         |  P || P              (disjunction)
         |  P ==> P             (implication)

PL0 Statements

The set Stmtof program statements S written in PL0 is given by the following grammar:

S    ::=    var x       (local variable declaration)
         |  x := a      (assignment)
         |  assert P    (assertion)
         |  assume P    (assumption)
         |  S;S         (sequential composition)
         |  S [] S      (nondeterministic choice)

Program States

The set States of program states consists of all mappings from finitely many variables to (integer) values, that is,

$States ::= {σ : V \to Int ∣ V \subseteq Var, Var finite} .$

We denote by $σ [x := v]$ the state is equal to $σ$ except that we assign value $v$ to variable $x$ , that is, $σ [x := v] (y) ::= σ [x := v] (y) ::= v σ (y) if x = y, if x \neq = y .$

Notice that the domain of a state $σ$ , $dom (σ) = V$ , can be enlarged through the update $σ [x := v]$ , that is, $dom (σ [x := v]) = dom (σ) \cup {x}$ .

Operational Semantics

We will define the semantics of statements using four execution relations:

a relation $⟹_{a}$ for evaluating arithmetic expressions in a program state;
a relation $⟹_{b}$ for evaluating Boolean expressions in a program state;
a relation $⟹_{P}$ for evaluating predicates in a program state; and
a relation $⟹$ for performing one execution step from one program configuration (a statement coupled with a program state) to another configuration.

Evaluation of arithmetic expressions

For arithmetic expressions a in AExpr, we denote by $a, σ ⟹_{a} v$ that evaluating expression a in state $σ$ yields integer value v.

Formally, the evaluation relation $⟹_{a} \subseteq (AExpr \times States) \times Int$ is given by the following inference rules:

$v , σ ⟹ _{a} v x , σ ⟹ _{a} σ ( x )$

$\frac{∙ \in { + , - , * , / , % } a1 , σ ⟹ _{a} v1 a2 , σ ⟹ _{a} v2 v = v1 ∙ v2}{a1 ∙ a2 , σ ⟹ _{a} v}$

Notice that the last rule from above uses the standard arithmetic operators on integers v1 and v2 with one exception: we assume that all arithmetic operators are defined for every input, that is, they are total functions. If an operation is not well-defined, then it returns some value but we do not know which one. For example, evaluating 5 / 0 yields such an unknown value. We will address how to spot and report such runtime errors later in the course.

Evaluation of Boolean expressions

For Boolean expressions b in BExpr, we denote by $b, σ ⟹_{b} t$ that evaluating expression b in state $σ$ yields truth value t.

Formally, the evaluation relation $⟹_{b} \subseteq (BExpr \times States) \times Bool$ is defined by structural induction using the following inference rules:

$true , σ ⟹ _{b} true false , σ ⟹ _{b} false$

$\frac{a1 , σ ⟹ _{a} v1 a2 , σ ⟹ _{a} v2 t = ( v1 ⋈ v2 ) ⋈\in { == , != , <= , >= , < , > }}{a1 ⋈ a2 , σ ⟹ _{b} t}$

$\frac{b , σ ⟹ _{b} false}{!b , σ ⟹ _{b} true} \frac{b , σ ⟹ _{b} false}{!b , σ ⟹ _{b} true}$

$\frac{b1 , σ ⟹ _{b} false}{b1 && b2 , σ ⟹ _{b} false} \frac{b2 , σ ⟹ _{b} false}{b1 && b2 , σ ⟹ _{b} false} \frac{b1 , σ ⟹ _{b} true b2 , σ ⟹ _{b} true}{b1 && b2 , σ ⟹ _{b} true}$

$\frac{b1 , σ ⟹ _{b} true}{b1 || b2 , σ ⟹ _{b} true} \frac{b2 , σ ⟹ _{b} true}{b1 || b2 , σ ⟹ _{b} true} \frac{b1 , σ ⟹ _{b} false b2 , σ ⟹ _{b} false}{b1 || b2 , σ ⟹ _{b} false}$

In the above rules, we write $v1 ⋈ v2$ to denote the value obtained from performing a standard comparison $⋈$ between two integer values.

Evaluation of predicates

For predicates P in Pred, we denote by $P, σ ⟹_{b} t$ that evaluating predicate P in state $σ$ yields truth value t.

Formally, the evaluation relation $⟹_{P} \subseteq (Pred \times States) \times Bool$ is defined by structural induction using the following inference rules:

$\frac{b , σ ⟹ _{b} t}{b , σ ⟹ _{P} t} \frac{P , σ ⟹ _{P} false}{!P , σ ⟹ _{P} true} \frac{P , σ ⟹ _{P} false}{!P , σ ⟹ _{P} true}$

$\frac{v \in Int P , σ [ x := v ] ⟹ _{P} true}{exists x :: P , σ ⟹ _{P} true}$

$\frac{\dots P , σ [ x := -1 ] ⟹ _{P} false P , σ [ x := 0 ] ⟹ _{P} false P , σ [ x := 1 ] ⟹ _{P} false \dots}{exists x :: P , σ ⟹ _{P} false}$

$\frac{v \in Int P , σ [ x := v ] ⟹ _{P} false}{forall x :: P , σ ⟹ _{P} false}$

$\frac{\dots P , σ [ x := -1 ] ⟹ _{P} true P , σ [ x := 0 ] ⟹ _{P} true P , σ [ x := 1 ] ⟹ _{P} true \dots}{forall x :: P , σ ⟹ _{P} true}$

$\frac{P1 , σ ⟹ _{P} false}{P1 && P2 , σ ⟹ _{P} false} \frac{P2 , σ ⟹ _{P} false}{P1 && P2 , σ ⟹ _{P} false}$

$\frac{P1 , σ ⟹ _{P} true P2 , σ ⟹ _{P} true}{P1 && P2 , σ ⟹ _{P} true}$

$\frac{P1 , σ ⟹ _{P} true}{P1 || P2 , σ ⟹ _{P} true} \frac{P2 , σ ⟹ _{P} true}{P1 || P2 , σ ⟹ _{P} true}$

$\frac{P1 , σ ⟹ _{P} false P2 , σ ⟹ _{P} false}{P1 || P2 , σ ⟹ _{P} false}$

$\frac{P1 , σ ⟹ _{P} true P2 , σ ⟹ _{P} true}{P1 ==> P2 , σ ⟹ _{P} true} \frac{P1 , σ ⟹ _{P} true P2 , σ ⟹ _{P} false}{P1 ==> P2 , σ ⟹ _{P} false}$

$\frac{P1 , σ ⟹ _{P} false}{P1 ==> P2 , σ ⟹ _{P} true}$

Program Configurations

A program configuration is either a pair $(S, σ)$ consisting of a statement $S$ and a program state $σ$ , or a pair $(done, σ)$ indicating termination with final state $σ$ , or $error$ , which indicates the occurrence of a runtime error, or $magic$ indicating that we ended up in a magical place where anything is possible (i.e., we can verify any property, even wrong ones). Formally, the set $Conf$ of program configurations is given by

$Conf ::= (Stmt \times States) \cup ({done} \times States) \cup {error, magic} .$

Execution relation for statements

For PL0 statements S in Stmt, we denote by $S, σ ⟹ C$ that executing one step starting in configuration $(S, σ)$ results in configuration $C$ . Formally, the execution relation $⟹ \subseteq Conf \times Conf$ is defined by structural induction using the following inference rules:

$\frac{v \in Int}{var x , σ ⟹ done , σ [ x := v ]}$

$\frac{a , σ ⟹ _{a} v}{x := a , σ ⟹ done , σ [ x := v ]}$

$\frac{P , σ ⟹ _{P} true}{assert P , σ ⟹ done , σ} \frac{P , σ ⟹ _{P} false}{assert P , σ ⟹ error}$

$\frac{P , σ ⟹ _{P} true}{assume P , σ ⟹ done , σ} \frac{P , σ ⟹ _{P} false}{assume P , σ ⟹ magic}$

$\frac{S1 , σ ⟹ S1 ^{'} , σ ^{'}}{S1;S2 , σ ⟹ S1 ^{'} ;S2 , σ ^{'}} \frac{S1 , σ ⟹ done , σ ^{'}}{S1;S2 , σ ⟹ S2 , σ ^{'}}$

$\frac{S1 , σ ⟹ error}{S1;S2 , σ ⟹ error} \frac{S1 , σ ⟹ magic}{S1;S2 , σ ⟹ magic}$

$S1 [] S2 , σ ⟹ S1 , σ S1 [] S2 , σ ⟹ S2 , σ$

Notice that we can always perform at least one step of the execution relation until we reach a final configuration of the form error, magic, or (done, _).

02245 - Program Verification - Fall 2022