## A Hoare Logic for the Coinductive Trace-Based Big-Step Semantics of While

Citations: 2 (0 self)

### BibTeX

```bibtex
@MISC{Nakata_ahoare,
  author = {Keiko Nakata and Tarmo Uustalu},
  title  = {A Hoare Logic for the Coinductive Trace-Based Big-Step Semantics of While},
  year   = {}
}
```

### Abstract

In search for a foundational framework for reasoning about observable behavior of programs that may not terminate, we have previously devised a trace-based big-step semantics for While. In this semantics, both traces and evaluation (relating initial states of program runs to traces they produce) are defined coinductively. On terminating runs, it agrees with the standard inductive state-based semantics. Here we present a Hoare logic counterpart of our coinductive trace-based semantics and prove it sound and complete. Our logic subsumes both the partial correctness Hoare logic and the total correctness Hoare logic: they are embeddable. Since we work with a constructive underlying logic, the range of expressible program properties has a rich structure; in particular, we can distinguish between termination and nondivergence, e.g., unbounded total search fails to be terminating but is nonetheless nondivergent. Our metatheory is entirely constructive as well, and we have formalized it in Coq.

### Citations

142 | Semantics with Applications: A Formal Introduction
- Nielson, Nielson
Citation Context: ...) ∗ ⇒ τ′, then τ′ |= τ 〈I〉² ∗∗ (P ∗∗ 〈I〉²)† ∗∗ 〈¬e〉. 3.4 Completeness. The completeness result states that any semantically valid Hoare triple is derivable. Following the standard approach (see, e.g., [17]) we define, for a given statement s and a given precondition U, a trace predicate sp(s, U), the candidate strongest postcondition. Then we prove that sp(s, U) is a postcondition according to the logic...

94 | Inductive definitions, semantics and abstract interpretation
- Cousot, Cousot
- 1992
Citation Context: ...0} while true do (y := x; (while y ≠ 0 do y := y − 1); x := x + 1) {up 0} Fig. 7. Derivation of {true} s {up 0} [4]. Leroy and Grall investigate two approaches. The first, based on Cousot and Cousot [3], has different evaluation relations for terminating and diverging runs, one inductive (with finite traces), the other coinductive (with infinite traces). To conclude that any program either terminates...

38 | A Hardware Semantics based on Temporal Intervals
- Halpern, Moszkowski
- 1983
Citation Context: ...of connectives for the assertion language with which we achieve a sound and complete Hoare logic for a constructive underlying logic. We adopt a solution that is reminiscent of interval temporal logic [13, 7] (with a chop-connective). The logic we propose is Spartan in terms of convenience of expression, but should well qualify as a foundational formalism into which more specialized applied logics can be...

38 | Hoare logic and auxiliary variables
- Kleymann
- 1999
Citation Context: ...finished. We have chosen to introduce a separate rule for instantiating auxiliary variables. Alternatively, we might have stated the consequence rule in a more general form, as suggested by Kleymann [12]; yet the separation facilitates formalization in Coq. The various logical consequences and equivalences about the connectives suggest also further alternative and equivalent formulations. For instance...

34 | Coinductive big-step operational semantics
- Leroy
- 2006
Citation Context: ...ivation is given in Figure 7, with trivial applications of the consequence rule being omitted. 6 Related work. Coinductive big-step semantics for nontermination have been considered by Leroy and Grall [10, 11] (in the context of the CompCert project, which is a major demonstration of feasibility of certified compilation) and Cousot and Cousot...

29 | General Recursion via Coinductive Types
- Capretta
Citation Context: ...ely used slicing transformation that is unsound standardly (can turn nonterminating runs into terminating runs). Our trace-based coinductive big-step semantics [14] was heavily inspired by Capretta's [2] modelling of nontermination in a constructive setting similar to ours. Rather than using coinductive possibly infinite traces, he works with a coinductive notion of a possibly infinitely delayed (fin...

27 | Mechanized semantics for the Clight subset of the C language
- Blazy, Leroy
Citation Context: ...of excluded middle (amounting to decidability of the halting problem), and, as a result, the small-step semantics cannot be proved sound wrt. the big-step semantics constructively. The other approach [1] uses a coinductively defined evaluation relation with possibly infinite traces, where while-loops are not ensured to be progressive in terms of growing traces (an infinite number of consecutive silen...

22 | Generic trace semantics via coinduction
- Hasuo, Jacobs, et al.

15 | A note on coinduction and weak bisimilarity for While programs
- Rutten
- 1999
Citation Context: ...ilar to ours. Rather than using coinductive possibly infinite traces, he works with a coinductive notion of a possibly infinitely delayed (final) state. The categorical basis appears in Rutten's work [18]. But Rutten only studied the classical setting (any program terminates or not), where a delayed state collapses to a choice between a state or a designated token signifying nontermination. While H...

6 | Trace-based coinductive operational semantics for while
- Nakata, Uustalu
- 2009
Citation Context: ...framework for reasoning about possibly nonterminating programs and intrigued by attempts in this direction in the literature, we have previously devised a big-step semantics for While based on traces [14]. In this semantics, traces are possibly infinite sequences of states that a program run goes through. They are defined coinductively, as is the evaluation relation, relating initial states of program...

3 | Bi-inductive structural semantics
- Cousot, Cousot
Citation Context: ...x := x + 1) {〈x = 0〉² ∗∗ (〈x〉* ∗∗ true[x ↦→ x + 1] ∗∗ 〈true〉²)† ∗∗ 〈false〉} {x = 0} while true do (y := x; (while y ≠ 0 do y := y − 1); x := x + 1) {up 0} Fig. 7. Derivation of {true} s {up 0} [4]. Leroy and Grall investigate two approaches. The first, based on Cousot and Cousot [3], has different evaluation relations for terminating and diverging runs, one inductive (with finite traces), the o...

3 | Elimination of ghost variables in program logics
- Hofmann, Pavlova
- 2008
Citation Context: ...er than traces of runs of a particular program. Notably, however, interval temporal logic has connectives similar to ours; in fact they were a source of inspiration for our design. Hofmann and Pavlova [9] consider a VDM-style logic with finite trace assertions that are applied to all finite prefixes of the trace of a possibly nonterminating run of a program. This logic allows reasoning about safety, b...

3 | Mixing Induction and Coinduction
- Danielsson, Altenkirch
Citation Context: ...eak trace equivalence can be defined similarly. We note that our formulation is not the only one possible nor the most elegant. In particular, with a logic permitting mixing induction and coinduction [5], there is no need to separate the definition...

3 | A proof calculus for natural semantics based on greatest fixed point semantics
- Glesner
- 2004
Citation Context: ...re not ensured to be progressive in terms of growing traces (an infinite number of consecutive silent small steps may be collapsed). Some other works on coinductive big-step semantics include Glesner [6] and Nestra [15, 16]. In these it is accepted that a program evaluation can somehow continue after an infinite number of small steps. With Glesner, this seems to have been...

2 | Transfinite semantics in the form of greatest fixpoint
- Nestra
- 2009
Citation Context: ...to be progressive in terms of growing traces (an infinite number of consecutive silent small steps may be collapsed). Some other works on coinductive big-step semantics include Glesner [6] and Nestra [15, 16]. In these it is accepted that a program evaluation can somehow continue after an infinite number of small steps. With Glesner, this seems to have been a curious unintende...

1 | Mixing induction and coinduction. Draft available at http://www.cs.nott.ac.uk/~nad/publications/ (2009); Glesner, S.: A proof calculus for natural semantics based on greatest fixed point semantics
- Danielsson, Altenkirch
- 2004
Citation Context: ...eak trace equivalence can be defined similarly. We note that our formulation is not the only one possible nor the most elegant. In particular, with a logic permitting mixing induction and coinduction [5], there is no need to separate the definition into an inductive part, τ ∗ � τ′, and a coinductive part, up n. Yet our formulation is amenable in our underlying logic, Coq. We also use an auxiliary t...

1 | A temporal logic for reasoning about hardware
- Moszkowski
- 1985
Citation Context: ...of connectives for the assertion language with which we achieve a sound and complete Hoare logic for a constructive underlying logic. We adopt a solution that is reminiscent of interval temporal logic [13, 7] (with a chop-connective). The logic we propose is Spartan in terms of convenience of expression, but should well qualify as a foundational formalism into which more specialized applied logics can be...

1 | Fractional semantics
- Nestra
- 2006
Citation Context: ...to be progressive in terms of growing traces (an infinite number of consecutive silent small steps may be collapsed). Some other works on coinductive big-step semantics include Glesner [6] and Nestra [15, 16]. In these it is accepted that a program evaluation can somehow continue after an infinite number of small steps. With Glesner, this seems to have been a curious unintende...