An Expressive Trace Logic for Recursive Programs

Gurov, Dilian; Hähnle, Reiner

doi:10.4230/LIPIcs.FSCD.2025.21

An Expressive Trace Logic for Recursive Programs

Dilian Gurov

KTH Royal Institute of Technology, Stockholm, Sweden Reiner Hähnle

Technical University of Darmstadt, Germany

Abstract

We present an expressive logic over trace formulas, based on binary state predicates, chop, and least fixed points, for precise specification of programs with recursive procedures. Both programs and trace formulas are equipped with a direct-style, fully compositional, denotational semantics that on programs coincides with the standard SOS of recursive programs. We design a compositional proof calculus for proving finite-trace program properties, and prove soundness as well as (relative) completeness. We show that each program can be mapped to a semantics-preserving trace formula and, vice versa, each trace formula can be mapped to a canonical program over slightly extended programs, resulting in a Galois connection between programs and formulas. Our results shed light on the correspondence between programming constructs and logical connectives.

Keywords and phrases:

Denotational semantics, compositional semantics, program specification, compositional verification, fixed point logic, trace logic

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Denotational semantics ; Theory of computation

\rightarrow

Operational semantics ; Theory of computation

\rightarrow

Program specifications ; Theory of computation

\rightarrow

Program verification ; Theory of computation

\rightarrow

Logic and verification ; Theory of computation

\rightarrow

Modal and temporal logics

Editor:

Maribel Fernández

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

It is uncommon that specification languages used in program verification are as expressive as the programs they are intended to specify: In model checking [7] one typically abstracts away from data and unwinds unbounded control structures. Specification of unbounded computations is achieved by recursively defined temporal operators. In deductive verification [15], first-order Hoare-style contracts [18] are the basis of widely used specification languages [3, 22]. The latter specify computation by taking symbolic memory snapshots in terms of first-order formulas, typically at the beginning and at the end of unbounded control structures, such as procedure call and return, or upon loop entry and exit. Contracts permit to approximate the effect of unbounded computation as a finite number of first-order formulas against which a program’s behavior can be verified.

Imagine, in contrast, a logic for program specification that is at least as expressive as the programs it is supposed to describe. Formulas $\phi$ of such a logic characterize a generally infinite set of program computation traces $\sigma$ . One can then form judgments of program statements $S$ of the form $S:\phi$ with the natural semantics that any possible trace $\sigma$ of $S$ is one of the traces described by $\phi$ .

Two arguments against such a trace logic are easily raised: first, one expects a specification language to be capable of abstraction from implementation details; second, its computational complexity. Regarding the first, we note that any desired degree of abstraction can be achieved by definable constructs, i.e. syntactic sugar, in a sufficiently rich trace logic. Regarding the second, it is far from obvious whether the computational worst-case tends to manifest itself in practical verification [15]. First experiments seem to indicate this is not the case. On the other hand, a rich, trace-based specification logic bears many advantages:

1.

On the practical side, trace-based specification permits to express, for example, that an event or a call happened (exactly once, at least once) or that did not happen. Likewise, one can specify without reference to the target code (via assertions) that a condition holds at some point which is not necessarily an endpoint of a procedure call. It is also possible to specify inter-procedural properties, such as call sequences, absence of callbacks, etc. Such properties are important in security analysis and they are difficult or impossible to express with Hoare-style contracts or in temporal logic.
2.

The semantics of trace formulas in terms of trace sets can be closely aligned with a suitable program semantics, which greatly simplifies soundness and completeness proofs.
3.

An expressive trace logic makes for simple and natural completeness proofs for judgments $S:\phi$ , because it is unnecessary to encode the program semantics in order to construct sufficiently strong first-order conditions.
4.

In a calculus for judgments of the form $S:\phi$ , one can design inference rules that directly decompose judgments into simpler ones, but also algebraic rules that simplify and transform $\phi$ , and one may mix both reasoning styles.
5.

The semantics of programs, of trace formulas, and the rules of the calculus can be formulated in a fully compositional manner: definitions and inference rules involve no intermediate state or context.
6.

In consequence, we are able to establish a close correspondence between programs and formulas, which sheds light on the exact relation between each program construct and its corresponding logical connective. We formulate and prove a Galois connection that formalizes this fact.

Our main contribution is a trace logic for imperative programs with recursive procedures where we formalize and prove the claims above. We restrict attention to the terminating executions of programs, i.e. to their finite trace semantics. This is not a fundamental limitation, but the desire not to obscure the construction with complications that may be added later. Still, adaptating the theory to maximal traces (including infinite runs) is not trivial, and working out the details is left as future work (see Section 8.3).

Our paper is structured as follows: In Section 2 we define the programming language Rec used throughout this paper and we give it a standard SOS semantics [29]. In Section 3 we define a denotational semantics for Rec in fully compositional style and prove it equivalent to the SOS semantics. In Section 4 we introduce our trace logic and map programs to formulas by the concept of a strongest trace formula, which is shown to fully preserve program semantics. In Section 5 we define a proof calculus for judgments and show it to be sound and complete. In Section 6, using the concept of a canonical program, we map trace formulas back to programs in the slightly extended language $\mbox{\bf Rec}^{\ast}$ with non-deterministic guards. We prove that $\mbox{\bf Rec}^{\ast}$ and trace formulas form a Galois connection via strongest trace formulas and canonical programs. In Section 7 we discuss related work, in Section 8 we sketch some extensions, including options to render specifications more abstract and how to prove consequence among trace formulas. In Section 9 we conclude.

All proofs and some examples can be found in the accompanying report [14]. The most important of these are also available in the present Appendix.

2 The Programming Language Rec

We define a simple programming language Rec with recursive procedures and give it a standard SOS semantics. We follow the notation of [26], adapted to Rec syntax.

Definition 2.1 (Rec Syntax).

A Rec program is a pair $\langle S,T\rangle$ , where $S$ is a statement with the abstract syntax defined by the grammar:

S\>::=\>\mbox{\bf skip}\mid x:=a\mid S_{1};S_{2}\mid\mbox{\bf if}\ b\ \mbox{% \bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}\mid m()

and where $T$ is a procedure table given by $T\,::=\,M^{\ast}$ with declarations of parameter-less procedures $M\,::=\,m\,\{S\}$ .

In the grammar, $a$ ranges over arithmetic expressions AExp, and $b$ over Boolean expressions BExp. Both are assumed to be side-effect free and are not specified further. All variables are global and range over the set of integers $\mathbb{Z}$ . We assume programs are well-formed, i.e., only declared procedures are called, and procedure names are unique.

Example 2.2.

Consider the Rec program $p_{0}\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle S,T\rangle$ with statement $S\stackrel{{\scriptstyle\mathsf{def}}}{{=}}x:=3;\mathit{even}()$ and procedure table:

T\quad\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\quad\begin{array}[]{r@{\;}l}% \mathit{even}&\left\{\mbox{\bf if}\ x=0\ \mbox{\bf then}\ y:=1\ \mbox{\bf else% }\ x:=x-1;\mathit{odd}()\right\}\\ \mathit{odd}&\left\{\mbox{\bf if}\ x=0\ \mbox{\bf then}\ y:=0\ \mbox{\bf else}% \ x:=x-1;\mathit{even}()\right\}\end{array}

The intended semantics is that $\mathit{even}$ terminates in a state where $y=1$ if and only if it is started in a state where $x$ is even and non-negative, and it terminates in a state where $y=0$ if and only if it is started in a state where $x$ is odd and non-negative.

Example 2.3.

Consider the Rec program $p_{1}\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle S,T\rangle$ with $S\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\mathit{down}()$ and procedure table:

T\quad\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\quad\mathit{down}\left\{\mbox% {\bf if}\ x>0\ \mbox{\bf then}\ x:=x-2;\mathit{down}()\ \mbox{\bf else}\ \mbox% {\bf skip}\right\}

The intended semantics is that $p_{1}$ terminates in a state where $x=0$ if and only if it is started in state where $x$ is even and non-negative.

$\blacktriangleright$ Remark 2.4.

Loops can be defined with the help of (tail-)recursive programs. For example, a loop of the form “ $\mbox{\bf while}\ b\ \mbox{\bf do}\ S$ ” can be simulated with a procedure declared in $T$ as:

m\,\{\mbox{\bf if}\ b\ \mbox{\bf then}\ S;m()\ \mbox{\bf else}\ \mbox{\bf skip}\}

using a unique name $m$ and replacing the occurrence of the loop with a call to $m()$ .

Figure 1: SOS rules for Rec.

A standard, structural operational semantics (SOS) for Rec is defined in Figure 1 (sometimes referred to as small-step semantics). We use it as a baseline when defining the denotational finite-trace semantics in Section 3.

Let $\mathit{Var}$ be the set of program variables, and State the set of program states $s:\mathit{Var}\rightarrow\mathbb{Z}$ . Let $\mathcal{A}\left[\left[a\right]\right](s)\in\mathbb{Z}$ denote the integer value of the arithmetic expression $a$ when evaluated in state $s$ , and $\mathcal{B}\left[\left[b\right]\right](s)\in\mathbb{T}$ denote the truth value of the Boolean expression $b$ when evaluated in state $s$ , both defined as expected.

A configuration is either a pair $\left<S,s\right>$ consisting of a statement and a state, designating an initial or intermediate configuration; or a state $s$ , designating a final configuration. To simplify notation we assume that $S$ is evaluated relative to a Rec program with a procedure table $T$ which is not explicitly specified.

The transitions of the SOS either relate two intermediate configurations, or an intermediate with a final one, and thus have the shape $\left<S,s\right>\Rightarrow\left<S^{\prime},s^{\prime}\right>$ or $\left<S,s\right>\Rightarrow s^{\prime}$ , respectively.

Definition 2.5 (Rec SOS).

The structural operational semantics (SOS) of Rec is defined by the rules given in Figure 1.

The structural operational semantics of Rec induces a finite-trace semantics in terms of the sequences of states that are traversed from an initial to a final configuration when executing a given statement in the SOS. Let $\mbox{\bf State}^{+}$ denote the set of all non-empty, finite sequences of states. Formally, we define a function $\mathcal{S}_{\mathit{sos}}\left[\left[S\right]\right]:\mbox{\bf Stm}% \rightarrow 2^{\mbox{\bf State}^{+}}$ , i.e., a function such that $\mathcal{S}_{\mathit{sos}}\left[\left[S\right]\right]\subseteq\mbox{\bf State}% ^{+}$ for any statement $S$ .

Definition 2.6 (Induced Finite-Trace Semantics).

Let $S$ be a statement. Then, $\mathcal{S}_{\mathit{sos}}\left[\left[S\right]\right]$ is defined as the set of (finite) sequences $s_{0}\cdot s_{1}\cdot\ldots\cdot s_{n}$ of states for which there are statements $S_{0},S_{1},\ldots,S_{n-1}$ such that $S_{0}=S$ , $\left<S_{i},s_{i}\right>\Rightarrow\left<S_{i+1},s_{i+1}\right>$ for all $0\leq i\leq n-2$ , and $\left<S_{n-1},s_{n-1}\right>\Rightarrow s_{n}$ .

Observe that in Definition 2.6 any state $s_{0}\in\mbox{\bf State}$ can serve as the initial state of a finite trace. Next we design a “direct-style”, denotational finite-trace semantics that conforms with the SOS, in the sense that it is equal to the finite-trace semantics induced by the SOS.

3 A Denotational Finite-Trace Semantics for Rec

We define the semantic function $\mathcal{S}_{\mathit{tr}}:\mbox{\bf Stm}\rightarrow 2^{\mbox{\bf State}^{+}}$ with the intention that $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]\>=\>\mathcal{S}_{\mathit{% sos}}\left[\left[S\right]\right]$ . Unlike $\mathcal{S}_{sos}$ , however, $\mathcal{S}_{\mathit{tr}}$ is defined directly, without referring to other semantic rules as SOS does (hence the term “direct-style”). We define $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]$ in the style of denotational semantics, compositionally, by induction on the structure of $S$ , and through defining equations. We let $\sigma$ range over traces.

Let us define a unary restriction operator on trace sets, for any trace set $A$ and Boolean expression $b\in\mbox{\bf BExp}$ , as follows: $\begin{array}[]{@{}l@{\,}c@{\,}l@{}}A\mid_{b}&\>\stackrel{{\scriptstyle\mathsf% {def}}}{{=}}&\left\{s\cdot\sigma\in A\>\middle|\>\mathcal{B}\left[\left[b% \right]\right](s)=\mbox{\bf tt}\right\}\end{array}$ . It filters out all traces in $A$ whose first state does not satisfy $b$ . Another unary operator on trace sets is defined as $\sharp A\>\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\>\left\{s\cdot s\cdot% \sigma\>\middle|\>s\cdot\sigma\in A\right\}$ which duplicates the first state in each trace in $A$ . Finally, let us define the binary operator on trace sets: $A\raisebox{4.30554pt}{$\frown$}B\>\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\>% \left\{\sigma_{A}\cdot s\cdot\sigma_{B}\>\middle|\>\sigma_{A}\cdot s\in A\>% \wedge\>s\cdot\sigma_{B}\in B\right\}$ which concatenates traces from $A$ with traces from $B$ that agree on the last and first state, respectively, but without duplicating that state, see also [16].

$\begin{array}[]{@{}r@{\;}c@{\;}l@{\qquad}r@{\;}c@{\;}l@{}}\mathcal{S}^{0}_{% \mathit{tr}}\left[\left[\mbox{\bf skip}\right]\right]_{\rho}&\stackrel{{% \scriptstyle\mathsf{def}}}{{=}}&\left\{s\cdot s\>\middle|\>s\in\mbox{\bf State% }\right\}&\mathcal{S}^{0}_{\mathit{tr}}\left[\left[x:=a\right]\right]_{\rho}&% \stackrel{{\scriptstyle\mathsf{def}}}{{=}}&\left\{s\cdot s[x\mapsto\mathcal{A}% \left[\left[a\right]\right](s)]\>\middle|\>s\in\mbox{\bf State}\right\}\\ \mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{1};S_{2}\right]\right]_{\rho}&% \stackrel{{\scriptstyle\mathsf{def}}}{{=}}&\mathcal{S}^{0}_{\mathit{tr}}\left[% \left[S_{1}\right]\right]_{\rho}\raisebox{4.30554pt}{$\frown$}\mathcal{S}^{0}_% {\mathit{tr}}\left[\left[S_{2}\right]\right]_{\rho}&\mathcal{S}^{0}_{\mathit{% tr}}\left[\left[m_{i}()\right]\right]_{\rho}&\stackrel{{\scriptstyle\mathsf{% def}}}{{=}}&\rho(m_{i})\\ \lx@intercol\hfil\mathcal{S}^{0}_{\mathit{tr}}\left[\left[\mbox{\bf if}\ b\ % \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}\right]\right]_{\rho}\,\stackrel% {{\scriptstyle\mathsf{def}}}{{=}}\,(\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[% \left[S_{1}\right]\right]_{\rho})\mid_{b}\cup\,(\sharp\mathcal{S}^{0}_{\mathit% {tr}}\left[\left[S_{2}\right]\right]_{\rho})\mid_{\neg b}\hfil\lx@intercol\\ \end{array}$

Figure 2: Finite-trace semantic equations for Rec.

Definition 3.1 (Denotational Finite-Trace Semantics of Rec).

Let $M=\left\{m_{1},\ldots,m_{n}\right\}$ be the set of procedure names in Rec program $\langle S,T\rangle$ , where every $m_{i}$ is declared as $m_{i}\,\{S_{i}\}$ in $T$ . We define a helper function $\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S\right]\right]_{\rho}$ that is relativized on an interpretation $\rho:M\rightarrow 2^{\mbox{\bf State}^{+}}$ of the procedure names, inductively, by the equations given in Figure 2. The duplication of the initial states in the equation for the if statement is needed to remain faithful to the SOS of Rec, which allocates a small step for evaluation of the guard $b$ . We then introduce a semantic function $H:\bigl{(}2^{\mbox{\bf State}^{+}}\bigr{)}^{n}\rightarrow\bigl{(}2^{\mbox{\bf State% }^{+}}\bigr{)}^{n}$ defined as:

H(\rho)\,\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\,(\sharp\mathcal{S}^{0}_{% \mathit{tr}}\left[\left[S_{1}\right]\right]_{\rho},\ldots,\sharp\mathcal{S}^{0% }_{\mathit{tr}}\left[\left[S_{n}\right]\right]_{\rho})\enspace

Function $H$ is monotonic and continuous in the CPO with bottom $\bigl{(}\bigl{(}2^{\mbox{\bf State}^{+}}\bigr{)}^{n},\sqsubseteq,\varnothing^{% n}\bigr{)}$ , where $\sqsubseteq$ denotes point-wise set inclusion. Hence, by the Knaster-Tarski Theorem, it has a least fixed point. Let $\rho_{0}$ denote this least fixed point. The denotational finite-trace semantics of statements $S$ of Rec is defined relative to this interpretation as: $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]\,\stackrel{{\scriptstyle% \mathsf{def}}}{{=}}\,\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S\right]\right]_% {\rho_{0}}$ .

Example 3.2.

We execute the statement $x:=2;\mathit{down}()$ with the procedure table from Example 2.3. The program execution (or run) we obtain from an arbitrary state $s$ is:

\begin{array}[]{l}\left<x:=2;\mathit{down}(),s\right>\Rightarrow\left<\mathit{% down}(),s[x\mapsto 2]\right>\Rightarrow\\ \left<\mbox{\bf if}\ x>0\ \mbox{\bf then}\ x:=x-2;\mathit{down}()\ \mbox{\bf else% }\ \mbox{\bf skip},s[x\mapsto 2]\right>\Rightarrow\\ \left<x:=x-2;\mathit{down}(),s[x\mapsto 2]\right>\Rightarrow\left<\mathit{down% }(),s[x\mapsto 0]\right>\Rightarrow\\ \left<\mbox{\bf if}\ x>0\ \mbox{\bf then}\ x:=x-2;\mathit{down}()\ \mbox{\bf else% }\ \mbox{\bf skip},s[x\mapsto 0]\right>\Rightarrow\left<\mbox{\bf skip},s[x% \mapsto 0]\right>\Rightarrow s[x\mapsto 0]\end{array}

The finite-trace semantics agrees with the SOS of Rec, in the sense that $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]$ coincides with the finite-trace semantics $\mathcal{S}_{\mathit{sos}}\left[\left[S\right]\right]$ induced by the SOS, as defined in Definition 2.6.

Theorem 3.3 (Correctness of Trace Semantics).

For all statements $S$ of Rec, we have:

\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]\>=\>\mathcal{S}_{\mathit{% sos}}\left[\left[S\right]\right].

4 A Logic over Finite Traces

Our trace logic can be seen as an Interval Temporal Logic [16] with $\mu$ -recursion [28], or alternatively, as a temporal $\mu$ -calculus with a binary temporal operator corresponding to the chop operation over sets of traces (see, e.g., [32] for a general introduction to $\mu$ -calculus).

4.1 Syntax and Semantics of the Logic

The philosophy behind our logic is to have logical counterparts to the statements of the programming language in terms of their finite-trace semantics. For instance, we use binary relation symbols that correspond to the atomic statements, and a chop operator corresponding to sequential composition. This design choice helps to simplify proofs of the properties of the logic and the calculus.

Definition 4.1 (Logic Syntax).

The syntax of the logic of trace formulas is defined by the following grammar:

\phi\>::=\>p\mid R\mid X\mid\phi_{1}\wedge\phi_{2}\mid\phi_{1}\vee\phi_{2}\mid% \phi_{1}\raisebox{4.30554pt}{$\frown$}\phi_{2}\mid\mu X.\phi

where $p$ ranges over state formulas not further specified here, but assumed to contain at least the Boolean expressions BExp, $R$ ranges over binary relation symbols over states, and $X$ over a set $\mathsf{RVar}$ of recursion variables.

Definition 4.2 (Logic Semantics).

The finite-trace semantics of a formula $\phi$ is defined as its denotation $\left|\left|\phi\right|\right|_{\mathcal{V}}\subseteq\mbox{\bf State}^{+}$ , relativized on a valuation $\mathcal{V}:\mathsf{RVar}\rightarrow 2^{\mbox{\bf State}^{+}}$ of the recursion variables, inductively by the equations given in Figure 3, where in the last clause $\mathcal{V}[X\mapsto\gamma]$ denotes the updated valuation.

$\begin{array}[]{rcl@{\qquad}rcl}\left|\left|p\right|\right|_{\mathcal{V}}&% \stackrel{{\scriptstyle\mathsf{def}}}{{=}}&\left\{s\cdot\sigma\>\middle|\>s% \models p\right\}&\left|\left|R\right|\right|_{\mathcal{V}}&\stackrel{{% \scriptstyle\mathsf{def}}}{{=}}&\left\{s\cdot s^{\prime}\>\middle|\>R(s,s^{% \prime})\right\}\\ \left|\left|X\right|\right|_{\mathcal{V}}&\stackrel{{\scriptstyle\mathsf{def}}% }{{=}}&\mathcal{V}(X)&\left|\left|\phi_{1}\wedge\phi_{2}\right|\right|_{% \mathcal{V}}&\stackrel{{\scriptstyle\mathsf{def}}}{{=}}&\left|\left|\phi_{1}% \right|\right|_{\mathcal{V}}\cap\left|\left|\phi_{2}\right|\right|_{\mathcal{V% }}\\ \left|\left|\phi_{1}\vee\phi_{2}\right|\right|_{\mathcal{V}}&\stackrel{{% \scriptstyle\mathsf{def}}}{{=}}&\left|\left|\phi_{1}\right|\right|_{\mathcal{V% }}\cup\left|\left|\phi_{2}\right|\right|_{\mathcal{V}}&\left|\left|\phi_{1}% \raisebox{4.30554pt}{$\frown$}\phi_{2}\right|\right|_{\mathcal{V}}&\stackrel{{% \scriptstyle\mathsf{def}}}{{=}}&\left|\left|\phi_{1}\right|\right|_{\mathcal{V% }}\raisebox{4.30554pt}{$\frown$}\left|\left|\phi_{2}\right|\right|_{\mathcal{V% }}\\ \lx@intercol\hfil\left|\left|\mu X.\phi\right|\right|_{\mathcal{V}}\ \stackrel% {{\scriptstyle\mathsf{def}}}{{=}}\ {\displaystyle\bigcap}\left\{\gamma% \subseteq\mbox{\bf State}^{+}\>\middle|\>\left|\left|\phi\right|\right|_{% \mathcal{V}[X\mapsto\gamma]}\subseteq\gamma\right\}\hfil\lx@intercol\end{array}$

Figure 3: Finite-trace semantic equations for formulas.

One can show that the transformers $\lambda\gamma.\left|\left|\phi\right|\right|_{\mathcal{V}[X\mapsto\gamma]}$ are monotonic functions in the complete lattice $(2^{\mbox{\bf State}^{+}},\subseteq)$ and hence, by Tarski’s fixed point theorem for complete lattices [33], they have least and greatest fixed points. In particular, the least fixed point is simultaneously also the least pre-fixed point, hence the defining equation for $\mu X.\phi$ . And because it is a fixed point, we have the following result for unfolding fixed point formulas.

Proposition 4.3 (Fixed Point Unfolding).

Let $\mu X.\phi$ be a formula and $\mathcal{V}$ a valuation. Then: $\left|\left|\mu X.\phi\right|\right|_{\mathcal{V}}=\left|\left|\phi[\mu X.\phi% /X]\right|\right|_{\mathcal{V}}$ .

Our calculus is based on closed formulas of the logic. Observe that fixed point unfolding preserves closedness. For closed formulas the valuation $\mathcal{V}$ is immaterial to the semantics $\left|\left|\phi\right|\right|_{\mathcal{V}}$ . In this case, we often omit the subscript and simply write $\left|\left|\phi\right|\right|$ .

4.2 Binary Relations

We instantiate the set $\mathsf{Rel}$ of binary relation symbols with two specific relations:

\begin{array}[]{rcl}\mathit{Id}(s,s^{\prime})&\>\stackrel{{\scriptstyle\mathsf% {def}}}{{\Longleftrightarrow}}&s^{\prime}=s\\ \mathit{Sb}^{a}_{x}(s,s^{\prime})&\>\stackrel{{\scriptstyle\mathsf{def}}}{{% \Longleftrightarrow}}&s^{\prime}=s[x\mapsto\mathcal{A}\left[\left[a\right]% \right](s)]\end{array}

These two relations are used to model skip and assignment statements, respectively. The transitive closure $R^{+}$ of a binary relation $R$ over states is easily defined as a recursive formula in our logic as $R^{+}\>\stackrel{{\scriptstyle\mathsf{def}}}{{\Longleftrightarrow}}\>\mu X.\ (% R\vee R\raisebox{4.30554pt}{$\frown$}X)$ .

Example 4.4.

For any arithmetic expression $a$ let $\mathit{Dec}_{a}$ be a binary relation symbol interpreted as follows: $\mathit{Dec}_{a}(s,s^{\prime})\>\stackrel{{\scriptstyle\mathsf{def}}}{{% \Longleftrightarrow}}\>\mathcal{A}\left[\left[a\right]\right](s^{\prime})\leq% \mathcal{A}\left[\left[a\right]\right](s)$ . That is, the value of $a$ does not increase between two consecutive states. With this symbol, the formula $\mathit{Dec}_{a}^{+}$ expresses the property that the value of $a$ does not increase throughout the whole execution of a program.

$\mathsf{stf}(\overline{X},\mbox{\bf skip})\stackrel{{\scriptstyle\mathsf{def}}% }{{=}}\mathit{Id}\qquad\mathsf{stf}(\overline{X},x:=a)\stackrel{{\scriptstyle% \mathsf{def}}}{{=}}\mathit{Sb}^{a}_{x}\qquad\mathsf{stf}(\overline{X},S_{1};\,% S_{2})\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\mathsf{stf}(\overline{X},S_{1% })\raisebox{3.87498pt}{$\frown$}\mathsf{stf}(\overline{X},S_{2})$

	$\displaystyle\mathsf{stf}(\overline{X},\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1% }\ \mbox{\bf else}\ S_{2})$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}(b\land\mathit{Id}% \raisebox{3.87498pt}{$\frown$}\mathsf{stf}(\overline{X},S_{1}))\lor(\lnot b% \land\mathit{Id}\raisebox{3.87498pt}{$\frown$}\mathsf{stf}(\overline{X},S_{2}))$
	$\displaystyle\mathsf{stf}(\overline{X},m())$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\left\{\begin{array}[]{% l@{\quad}l}\mathit{Id}\raisebox{3.87498pt}{$\frown$}\mu X_{m}.\,\mathsf{stf}(% \overline{X}\cup\{m\},S_{m})&\leavevmode\nobreak\ \leavevmode\nobreak\ m\not% \in\overline{X},\,m\,\{{S_{m}}\}\in T\\ \mathit{Id}\raisebox{3.87498pt}{$\frown$}X_{m}&\leavevmode\nobreak\ % \leavevmode\nobreak\ \text{otherwise}\end{array}\right.$

Figure 4: Definition of strongest trace formula.

4.3 Strongest Trace Formulas

Since our program logic is able to characterize program traces, and not merely pre- and postconditions or intermediate assertions, it is possible to establish a close correspondence between programs and trace formulas. This correspondence is captured by the following – constructive – definition of the strongest trace formula $\mathsf{stf}(S)$ for a given program $S$ , which characterizes all terminating traces of $S$ .

For each procedure declaration $m\,\{S_{m}\}$ in $T$ , we create a fixed point formula, whenever $m$ is called the first time. Subsequent calls to $m$ result in a recursion variable. To achieve this, we parameterize the strongest trace formula function with the already created recursion variables $\overline{X}$ . This parameter is initialized to $\varnothing$ and is ignored by all case definitions except the one for a recursive call.

Definition 4.5 (Strongest Trace Formula).

Let $\langle S,T\rangle$ be a Rec program. The strongest trace formula for $S$ , denoted $\mathsf{stf}(S)$ , is defined as $\mathsf{stf}(S)\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\mathsf{stf}(% \varnothing,S)$ , where $\mathsf{stf}(X,S)$ is defined inductively in Figure 4.

Example 4.6.

For the program $\mathit{even}()$ with the procedure table of Example 2.2, the strongest trace formula is:

\mathit{Id}\raisebox{3.87498pt}{$\frown$}\mu X_{\mathit{even}}.\Bigl{(}\bigl{(% }x=0\,\land\,\mathit{Id}\raisebox{3.87498pt}{$\frown$}\mathit{Sb}^{1}_{y}\bigl% {)}\ \lor\\ \;\bigl{(}x\neq 0\land\mathit{Id}\raisebox{3.87498pt}{$\frown$}\mathit{Sb}^{x-% 1}_{x}\raisebox{3.87498pt}{$\frown$}\mathit{Id}\raisebox{3.87498pt}{$\frown$}% \mu X_{\mathit{odd}}.((x=0\land\mathit{Id}\raisebox{3.87498pt}{$\frown$}% \mathit{Sb}^{0}_{y})\lor(x\neq 0\land\mathit{Id}\raisebox{3.87498pt}{$\frown$}% \mathit{Sb}^{x-1}_{x}\raisebox{3.87498pt}{$\frown$}\mathit{Id}\raisebox{3.8749% 8pt}{$\frown$}X_{\mathit{even}}))\bigr{)}\Bigr{)}

The binder for $X_{odd}$ can be removed without changing the semantics.

Example 4.7.

For the program in Example 2.3, the strongest trace formula is:

\mathsf{stf}(S)=\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mu X_{\mathit{down}}% .\,\bigl{(}(x>0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{x-2}% _{x}\raisebox{4.30554pt}{$\frown$}\mathit{Id}\raisebox{4.30554pt}{$\frown$}X_{% \mathit{down}})\lor(x\leq 0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}% \mathit{Id})\bigr{)}.

Theorem 4.8 (Characterisation of Strongest Trace Formula).

Let $\langle S,T\rangle$ be a program of Rec. Then the following holds: $\left|\left|\mathsf{stf}(\varnothing,S)\right|\right|\>=\>\mathcal{S}_{\mathit% {tr}}\left[\left[S\right]\right]$ .

The proof of Theorem 4.8 requires an inner fixed point induction for which it is advantageous to break down $\mathsf{stf}$ into a modal equation system $\mathsf{mes}$ [23] that preserves the structure of procedure declarations.

Definition 4.9 (Modal Equation System).

Given a closed trace formula $\phi$ , the modal equation system $\mathsf{mes}(\phi)$ is an open trace formula together with a set of modal equations of the form $X_{i}=\phi_{i}$ , inductively defined over $\phi$ as follows: $\mathsf{mes}(\phi)$ is just the homomorphism over the abstract syntax, except when $\phi=\mu X.\phi^{\prime}$ : In this case, $\mathsf{mes}(\phi)\>\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\>X$ , and a new equation $X=\mathsf{mes}(\phi^{\prime})$ is added.

The semantics of modal equation systems is defined as in the literature [23], from where we also take the semantic equivalence between $\phi$ and $\mathsf{mes}(\phi)$ .

Example 4.10.

The modal equation system corresponding to the strongest trace formula in Example 4.6 is: $\mathsf{mes}(\mathsf{stf}(\mathit{even}()))=\mathit{Id}\raisebox{4.30554pt}{$% \frown$}X_{\mathit{even}}$ , where:

	$\displaystyle X_{\mathit{even}}=\bigl{(}(x=0\,\land\,$	$\displaystyle\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{1}_{y})\lor% (x\neq 0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{x-1}_{x}% \raisebox{4.30554pt}{$\frown$}\mathit{Id}\raisebox{4.30554pt}{$\frown$}X_{% \mathit{odd}})\bigr{)}$
	$\displaystyle X_{\mathit{odd}}=\bigl{(}(x=0\,\land\,$	$\displaystyle\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{0}_{y})\lor% (x\neq 0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{x-1}_{x}% \raisebox{4.30554pt}{$\frown$}\mathit{Id}\raisebox{4.30554pt}{$\frown$}X_{% \mathit{even}})\bigr{)}$

Observe the structural similarity between the formula $\mathit{Id}\raisebox{4.30554pt}{$\frown$}X_{\mathit{even}}$ in the context of the defining equations for $X_{\mathit{even}}$ and $X_{\mathit{odd}}$ , and the statement $\mathit{even}()$ in the context of the procedure table $T$ of Example 2.2.

To use the decomposition of a trace formula into a modal equation system, we need to define for each program $S$ an open trace formula corresponding to $\mathsf{mes}(\mathsf{stf}(S))$ . This transformation, called $\mathsf{stf}^{\prime}(S)$ , is defined exactly as $\mathsf{stf}(X,S)$ in Definition 4.5 (ignoring the parameter $X$ ), except for the case $S=m()$ , which is defined as $\mathsf{stf}^{\prime}(m())=X_{m}$ .

Lemma 4.11.

Let $\langle S,T\rangle$ be a Rec program and $M$ the procedures declared in $T$ . Let $\rho:M\rightarrow 2^{\mbox{\bf State}^{+}}$ be an arbitrary interpretation of the procedures $m\in M$ , and let $\mathcal{V}_{\rho}:\mathsf{RVar}\rightarrow 2^{\mbox{\bf State}^{+}}$ be the (induced) valuation of the recursion variables defined by $\mathcal{V}_{\rho}(X_{m})\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\rho(m)$ . We have, for all statements $S$ of Rec: $\left|\left|\mathsf{stf}^{\prime}(S)\right|\right|_{\mathcal{V}_{\rho}}\>=\>% \mathcal{S}^{0}_{\mathit{tr}}\left[\left[S\right]\right]_{\rho}$ .

5 A Proof Calculus

We present a proof calculus for our logic in the form of a Gentzen-style deductive proof system, which is compositional both in the statement and the formula.

5.1 Definition of the Calculus

To obtain a compositional proof rule for procedure calls, its shape will essentially embody the principle of Fixed Point Induction. For this we need to represent recursion variables in the Rec language, whose syntax is extended with a set $\mathsf{SVar}$ of statement variables, ranged over by $Y$ . We add these as a new category of atomic statements to Rec.

To define the semantics of programs in the presence of statement variables, we relativize the finite-trace semantics $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]_{\mathcal{I}}$ of statements $S$ on interpretations $\mathcal{I}:\mathsf{SVar}\rightarrow 2^{\mbox{\bf State}^{+}}$ of the statement variables, lifted from $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]$ in the canonical manner.

Definition 5.1 (Calculus Syntax).

Judgments are of the form $S:\phi$ , where $S$ is a Rec statement, possibly containing statement variables, and $\phi$ is a closed trace formula. The sequents of the calculus are of the shape $\Gamma\>\vdash\>S:\phi$ , where $\Gamma$ is a possibly empty set of judgments.

Figure 5: The rules of the proof calculus.

5.1.1 Rules

The calculus has exactly one rule for each kind of Rec statement, except for statement variables which do not occur in initial judgments to be proven, but are only created intermittently in proofs by the (Call) rule. All statement rules are compositional in the sense that only the statement $S$ in focus without any context appears in the conclusion.

The statement rules and two selected logical rules of the calculus are shown in Figure 5. The remaining logical rules, in particular the axioms, are the standard Gentzen-style ones and are omitted.

To prove the judgment $S:\phi$ for a program $\langle S,T\rangle$ , we prove the sequent $\>\vdash\>S:\phi$ . All rules, except the (Call) rule, leave the antecedent $\Gamma$ invariant.

We first explain the two logical rules. The (Unfold) rule is based on Proposition 4.3 and is used to unfold fixed point formulas. The consequence rule (Cons) permits to strengthen the trace formula $\phi$ in the succedent, i.e., the specification of the program under verification. This is typically required to achieve a suitable syntactic form of $\phi$ , or to strengthen an inductive claim. The rule assumes the existence of an oracle for proving the logical entailment between trace formulas.

The (Skip) and (Assign) rules handle the atomic statements, using the two binary relation symbols defined in Section 4.2. The (Seq) rule is a rule for sequential composition. Observe that it is compositional in the sense that no intermediate state between $S_{1}$ and $S_{2}$ needs to be considered.

The (If) rule is a compositional rule for conditional statements. The trace formulas $\lnot b\lor\phi$ in the left premise (and $b\lor\phi$ in the right one) might at first appear counter-intuitive. Formula $\lnot b\lor\phi$ is read as follows: We need not consider program $S_{1}$ for any trace, where $\lnot b$ holds in the beginning, because these traces relate to $S_{2}$ ; otherwise, $\phi$ must hold. A more intuitive notation would be $b\rightarrow\phi$ , but we refrain from introducing implication in our logic.

Unsurprisingly, the (Call) rule is the most complex. We associate with each declaration of a method $m$ in $T$ a unique statement variable $Y_{m}$ . The antecedent $\Gamma$ contains judgments of the form $Y_{m}:\phi_{m}$ . One can think of the $Y_{m}$ as a generic continuation of any recursive call to $m$ of which we know that it must conform to its contract $\phi_{m}$ . Once this conformance has been established, the fact is memorized in the antecedent $\Gamma$ . Therefore, the (Call) rule is triggered only when a call to procedure $m()$ is encountered the first time. This is ensured by the condition $Y_{m}:\phi_{m}\not\in\Gamma$ . To avoid having to apply the call rule again to recursive calls of $m()$ , all such calls in the body $S_{m}$ are replaced with $\mbox{\bf skip};Y_{m}$ , where the skip models unfolding and $Y_{m}$ is justified by the assumption in $\Gamma$ . Likewise, any other $Y_{m_{i}}:\phi_{m_{i}}\in\Gamma$ triggers an analogous substitution. Now the procedure body $S_{m}[\ldots]$ in the premise contains at most procedure calls to $m^{\prime}$ that do not occur in $\Gamma$ .

If a different judgment than $\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{m}$ is to be proven, then rule (Cons) must be applied before (Call) to achieve the required shape.

Figure 6: Proof of

\mathit{even}():\mathsf{stf}(\mathit{even}())

.

Example 5.2.

We prove the judgment $\mathit{even}():\mathsf{stf}(\mathit{even}())$ for the program from Example 2.2 in Figure 6. We abbreviate the fixed point formula in $\mathsf{stf}(\mathit{even}())$ from Example 4.6 with $\phi_{\mathit{even}}$ , so that $\mathsf{stf}(\mathit{even}())=\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{% \mathit{even}}$ , the body of $\mathit{even}()$ with $S_{\mathit{even}}$ , and similarly for $\mathit{odd}()$ . Moreover, we abbreviate:

\phi^{\prime}_{\mathit{even}}=\bigl{(}x=0\land\mathit{Id}\raisebox{4.30554pt}{% $\frown$}\mathit{Sb}^{1}_{y}\bigr{)}\lor\bigl{(}x\neq 0\,\land\\ \qquad\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{x-1}_{x}\raisebox{% 4.30554pt}{$\frown$}\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mu X_{\mathit{% odd}}.((x=0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{0}_{y})% \lor(x\neq 0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}^{x-1}_{x% }\raisebox{4.30554pt}{$\frown$}\mathit{Id}\raisebox{4.30554pt}{$\frown$}X_{% \mathit{even}})\bigr{)}\bigr{)}

The proof starts with the call rule, followed by an unfold of the fixed point formula $\phi_{\mathit{even}}$ . We now proceed with the other statement rules simultaneously on $S_{\mathit{even}}$ and the formula on the right until we encounter the call of $\mathit{odd}()$ in $S_{\mathit{even}}$ . Here we would like to apply the call rule to $\mathit{odd}()$ , but we do not have $\phi_{\mathit{odd}}$ on the right, because the unfolding of $\phi_{\mathit{even}}$ went “too deep”. To avoid a lengthy derivation at this point, we use the fact that trace formula on the right is equivalent to $\phi_{\mathit{odd}}$ , and use the consequence rule to obtain it.

Now we descend into $\mathit{odd}()$ , similarly as before; however, because the judgment $Y_{\mathit{even}}:\phi_{\mathit{even}}$ is present on the left, the call rule replaces $\mathit{even}()$ in $S_{\mathit{even}}$ with $\mbox{\bf skip};Y_{\mathit{even}}:\phi_{\mathit{even}}$ . Finally, we encounter the statement variable $Y_{\mathit{even}}$ , but again the fixed point formula on the right is “too deep”. After a second transformation we close the proof with an axiom.

$\blacktriangleright$ Remark 5.3.

It is easy to derive a rule for loops from the (Call) rule using the encoding $m\,\{\mbox{\bf if}\ b\ \mbox{\bf then}\ S;m()\ \mbox{\bf else}\ \mbox{\bf skip}\}$ given in Remark 2.4. In a pure loop program no unprocessed recursive call except $m()$ ever occurs in the body, so the (Call) rule is applicable with $\Gamma=\varnothing$ . Rule (Call) instantiated to $m$ and a suitable $\phi_{m}$ gives $S_{m}[\mbox{\bf skip};Y_{m}/m()]=\mbox{\bf if}\ b\ \mbox{\bf then}\ S;\mbox{% \bf skip};Y_{m}\ \mbox{\bf else}\ \mbox{\bf skip}$ in the premise on the right, so its single premise becomes: $Y_{m}:\phi_{m}\>\vdash\>\mbox{\bf if}\ b\ \mbox{\bf then}\ S;\mbox{\bf skip};Y% _{m}\ \mbox{\bf else}\ \mbox{\bf skip}:\phi_{m}$ . Subsequent application of rule (If) yields the two premises $Y_{m}:\phi_{m}\>\vdash\>\mbox{\bf skip};S;\mbox{\bf skip};Y_{m}:\lnot b\lor% \phi_{m}\text{ and }Y_{m}:\phi_{m}\>\vdash\>\mbox{\bf skip};\mbox{\bf skip}:b% \lor\phi_{m}.$ . In each premise is a spurious skip resulting from evaluating the method call which is only due to the encoding. In addition, the antecedent is not needed to prove the second premise and can be removed. After reordering and simplification, rule (While) is obtained as:

where $\Gamma$ contains judgments of the form $Y:\phi$ originating from while loops encountered previously. These are only needed in a proof in the presence of nested loops.

5.1.2 Semantics

Definition 5.4 (Calculus Semantics).

A judgment $S:\phi$ is termed valid in $\mathcal{I}$ , denoted $\models_{\mathcal{I}}S:\phi$ , whenever $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]_{\mathcal{I}}\subseteq% \left|\left|\phi\right|\right|$ . A sequent $\Gamma\>\vdash\>S:\phi$ is termed valid, denoted $\Gamma\>\models\>S:\phi$ , if for every interpretation $\mathcal{I}$ , $S:\phi$ is valid in $\mathcal{I}$ , whenever all judgments in $\Gamma$ are valid in $\mathcal{I}$ .

It is not possible to prove a judgment for $m()$ (or any other statement) that is stronger than its strongest trace formula. In this sense, $\mathsf{stf}(m())$ can be seen as a contract for $m$ , in fact the strongest possible contract. This is captured in the following result:

Corollary 5.5 (Strongest Trace Formula).

Let $S$ be a statement not involving any statement variables. Then the strongest trace formula $\mathsf{stf}(S)$ of $S$ entails any valid formula for $S$ . That is, if $\models S:\phi$ , then $\mathsf{stf}(S)\models\phi$ .

Proof.

The result follows directly from Theorem 4.8 and Definition 5.4. $\hfill\blacktriangleleft$

5.2 Soundness and Relative Completeness of the Calculus

Our proof system is sound, in the sense that it can only derive valid sequents.

Theorem 5.6 (Soundness).

The proof system is sound: every derivable sequent is valid.

Our proof system is complete, in the sense that every valid sequent can be derived, relative to an oracle, used by rule (Cons), that provides logical entailment between trace formulas.

By Theorem 4.8 and Definition 5.4 we know that every judgment of the shape $S:\mathsf{stf}(S)$ is valid. We next show that all such judgments are derivable in our proof system. Together with Corollary 5.5, we obtain completeness, with the help of the rule (Cons). By definition: $\mathsf{stf}(m())=\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mu X_{m}.\,\mathsf% {stf}(\{m\},S_{m})$ , where $S_{m}$ is the body of $m$ . We abbreviate $\phi_{m}=\mu X_{m}.\,\mathsf{stf}(\{m\},S_{m})$ and in the following use $\mathsf{stf}(m())=\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{m}$ without mentioning it explicitly.

Theorem 5.7 (Existence of Canonical Proof).

Let $\langle S,T\rangle$ be a Rec program with $n$ many method declarations in $T$ , and let $\Gamma=\{Y_{m_{1}}:\phi_{m_{1}},\ldots,Y_{m_{n}}:\phi_{m_{n}}\}.$ Then, the judgment $\Gamma\>\vdash\>S[\mbox{\bf skip};Y_{m_{1}}/m_{1}(),\ldots,\mbox{\bf skip};Y_{% m_{n}}/m_{n}()]:\mathsf{stf}(S)$ is derivable in our calculus.

Corollary 5.8 (Relative Completeness).

The proof system is relatively complete: for every Rec program $S$ without statement variables and every closed formula $\phi$ , any valid judgment of the form $S:\phi$ is derivable in the proof system.

Proof.

By Theorem 4.8 we know that $\mathsf{stf}(S)\models\phi$ , so we can use rule (Cons) to obtain $S:\mathsf{stf}(S)$ , which is derivable by Theorem 5.7. $\hfill\blacktriangleleft$

Compared to a typical completeness proof of first-order Dynamic Logic, where the invariant is constructed as equations over the Gödelized program in the loop, the argument is much simpler, because the inductive specification logic is sufficiently expressive to characterize recursive programs (and loops as a special case). First-order quantifiers are not even necessary, so our logic is not first-order, even though it is obviously Turing-hard and thus undecidable.

6 From Trace Formulas to Programs

In Section 4.3 we showed that any Rec program $S$ can be translated into a trace formula $\mathsf{stf}(S)$ that has the same semantics in terms of traces. Now we look at the other direction: Given a trace formula $\phi$ , can we construct a canonical program $\mathsf{can}(\phi)$ that has the same semantics in terms of traces? In general, this is not possible, as the following example shows:

Example 6.1.

Consider the trace formula: $\mathit{Sb}_{y}^{0}\raisebox{4.30554pt}{$\frown$}\mu X.\left(\mathit{Id}\lor% \mathit{Sb}_{y}^{y+1}\raisebox{4.30554pt}{$\frown$}X\right)$ . Its semantics are the traces that count $y$ up from $0$ to any finite number. It is not possible to model the non-deterministic choice in the fixed point formula directly in Rec, because the number of calls is unbounded.

There is a Rec program that produces exactly the same traces as the formula above, up to auxiliary variables, for example, $y:=0;m()$ , where $m$ is declared as: $m()\,\{\mbox{\bf if}\ (y\leq x)\ \mbox{\bf then}\ y:=y+1;m()\ \mbox{\bf else}% \ \mbox{\bf skip}\}$ . However, to transform an arbitrary formula with unbounded non-determinism in the number of calls to an equivalent one with non-deterministic initialization, is difficult and not natural.

6.1 Rec Programs with Non-deterministic Choice

To achieve a natural translation from the trace logic to canonical programs, it is easiest to introduce non-deterministic choice in the form of a statement $\mbox{\bf if}\ \ast\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}$ . The extension of language Rec with the corresponding grammar rule is called $\mbox{\bf Rec}^{\ast}$ .

The SOS rules for non-deterministic choice are:

The finite-trace semantics of non-deterministic choice is:

$\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf if}\ \ast\ \mbox{\bf then}\ S_{% 1}\ \mbox{\bf else}\ S_{2}\right]\right]\stackrel{{\scriptstyle\mathsf{def}}}{% {=}}\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{1}\right]\right]\>\cup\>\>% \sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{2}\right]\right]$

The extension of Theorem 3.3 for non-deterministic choice is completely straightforward. Likewise, the theory of strongest trace formulas is easy to extend:

$\mathsf{stf}(\mbox{\bf if}\ \ast\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{% 2})\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\mathit{Id}\raisebox{4.30554pt}{$% \frown$}\mathsf{stf}(S_{1})\lor\mathit{Id}\raisebox{4.30554pt}{$\frown$}% \mathsf{stf}(S_{2})$

It is easy to adapt the proof of Theorem 4.8. The corresponding calculus rule is:

It is also easy to extend the proofs of Theorem 5.6 and Theorem 5.7. A more problematic aspect of the translation to canonical programs concerns formulas of the form $\phi_{1}\land\phi_{2}$ , because there is no natural programming construct that computes the intersection of traces. But in Definition 4.5 general conjunction is not required, so without affecting the results in previous sections we can restrict the syntax of trace formulas in Definition 4.1 to $p\wedge\phi$ .

A final issue are the programs that characterize a trace formula of the form $p$ with semantics $\left|\left|p\right|\right|=\mbox{\bf State}^{+}\mid_{p}$ . A program that produces such traces requires a havoc statement that resets all variables to an arbitrary value. This goes beyond non-deterministic choice quite a bit, but luckily, it is not required: As seen above, trace formulas of the form $p$ occur only as subformulas of $p\wedge\phi$ . Further, formulas of the form $p\vee\phi$ occur only as intermediate formulas in derivations, and nowhere else. Altogether, for the purpose of mapping formulas to programs, we can leave out the production for $p$ . The grammar in Definition 4.1 is thus simplified to:

\phi\>::=\>\mathit{Id}\mid\mathit{Sb}^{a}_{x}\mid X\mid p\wedge\phi\mid\phi% \vee\psi\mid\phi\raisebox{4.30554pt}{$\frown$}\psi\mid\mu X.\phi

In addition, we assume without loss of generality that all recursion variables in a trace formula have unique names.

6.2 Canonical Programs

Definition 6.2 (Canonical Program).

Let $\phi$ be trace formula. The canonical program for $\phi$ , denoted $\mathsf{can}(\phi)=\langle S_{\phi},T_{\phi}\rangle$ , is inductively defined as follows:

$\displaystyle\mathsf{can}(\mathit{Id})$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle\mbox{\bf skip},\epsilon\rangle$	$\displaystyle\mathsf{can}(p\wedge\phi)$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle\mbox{\bf if}\ p% \ \mbox{\bf then}\ S_{\phi}\ \mbox{\bf else}\ \mbox{\bf diverge},T_{\phi}\rangle$
$\displaystyle\mathsf{can}(\mathit{Sb}^{a}_{x})$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle x:=a,\epsilon\rangle$	$\displaystyle\mathsf{can}(\phi\vee\psi)$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle\mbox{\bf if}\ % \ast\ \mbox{\bf then}\ S_{\phi}\ \mbox{\bf else}\ S_{\psi},T_{\phi}\,T_{\psi}\rangle$
$\displaystyle\mathsf{can}(\phi\raisebox{4.30554pt}{$\frown$}\psi)$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle S_{\phi};S_{% \psi},T_{\phi}\,T_{\psi}\rangle$	$\displaystyle\mathsf{can}(\mu X.\phi)$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle m_{X}(),T_{\phi% }\,\{m_{X}\{S_{\phi}\}\}\rangle$
$\displaystyle\mathsf{can}(X)$	$\displaystyle\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle m_{X}(),\epsilon\rangle$

The definition contains the statement diverge. It is definable in the Rec language as $\mbox{\bf diverge}\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\mathit{abort()}$ , with the declaration $\mathit{abort}\,\{\mathit{abort()}\}$ . We assume that any table $T_{\phi}$ contains the declaration of procedure $\mathit{abort}()$ when needed.

Example 6.3.

We translate the formula in Example 6.1:

\mathsf{can}(\mathit{Sb}_{y}^{0}\raisebox{4.30554pt}{$\frown$}\mu X.(\mathit{% Id}\lor\mathit{Sb}_{y}^{y+1}\raisebox{4.30554pt}{$\frown$}X))=\langle y:=0;m_{% X}(),\,T\rangle

where $T=m_{X}\,\{\mbox{\bf if}\ \ast\ \mbox{\bf then}\ \mbox{\bf skip}\ \mbox{\bf else% }\ y:=y+1;m_{X}()\}$ .

Proposition 6.4.

We have $\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf diverge}\right]\right]=\varnothing$ .

Proposition 6.5.

Let $\phi$ be an open trace formula, let $T_{\phi}^{\prime}$ be declarations of its unbound recursion variables, and let $\mathsf{can}(\phi)=\langle S_{\phi},T_{\phi}\rangle$ . Then $\langle S_{\phi},T_{\phi}\,T_{\phi}^{\prime}\rangle$ is a well-defined $\mbox{\bf Rec}^{\ast}$ program.

Evaluation of procedure calls and Boolean guards introduce stuttering steps as compared to the corresponding logical operators of least fixed point recursion and disjunction, respectively. Hence, canonical programs obtained from a formula $\phi$ are statements, whose trace semantics is equal to the one of $\phi$ , but modulo stuttering: The two trace sets are equal when abstracting away the stuttering steps. Further, we say that statement $S_{1}$ refines statement $S_{2}$ , written $S_{1}\preceq S_{2}$ , when $\mathcal{S}_{\mathit{tr}}\left[\left[S_{1}\right]\right]\subseteq\mathcal{S}_{% \mathit{tr}}\left[\left[S_{2}\right]\right]$ .

Definition 6.6 (Stuttering Equivalence).

Let $\tilde{\sigma}$ be the stutter-free version of a trace $\sigma$ , i.e., where any subtrace of the form $s\cdot s\cdots s$ has been replaced with $s$ . Define $\widetilde{A}=\{\tilde{\sigma}\mid\sigma\in A\}$ . We say two trace sets $A$ , $B$ are stutter-equivalent, written $A\,\widetilde{=}\,B$ , if $\widetilde{A}=\widetilde{B}$ .

It is easy to see that $A=B$ implies $A\,\widetilde{=}\,B$ . Let $\widetilde{\models}$ and $\widetilde{\preceq}$ denote entailment between formulas and refinement between statements, respectively, both modulo stuttering equivalence.

Unsurprisingly, the characterization of canonical programs resembles the one of strongest trace formulas, however, modulo stuttering equivalence.

Theorem 6.7 (Characterisation of Canonical Program).

Let $\phi$ be a closed trace formula, and let $\mathsf{can}(\phi)=\langle S_{\phi},T_{\phi}\rangle$ . Then $\mathcal{S}_{\mathit{tr}}\left[\left[S_{\phi}\right]\right]\,\widetilde{=}\,% \left|\left|\phi\right|\right|$ .

Finally, we can establish that $\mathsf{stf}(\cdot)$ and $\mathsf{can}(\cdot)$ form a Galois connection w.r.t. the partial orders $\widetilde{\models}$ on formulas and $\widetilde{\preceq}$ on statements.

Corollary 6.8.

Let $\phi$ be a closed trace formula, and let $\mathsf{can}(\phi)=\langle S_{\phi},T_{\phi}\rangle$ . Then, for every statement $S$ , we have: $\mathsf{stf}(S)\,\widetilde{\models}\,\phi\quad\text{iff}\quad S\,\widetilde{% \preceq}\,S_{\phi}$ .

Proof.

By using Theorem 4.8 and Theorem 6.7. $\hfill\blacktriangleleft$

7 Related Work

We do not discuss higher-order logical frameworks [4, 27], because they serve a different purpose: Their expressiveness can be used to mechanize verification frameworks, including syntax, semantics, and calculus. For example, a mechanization of contract-based deductive verification is in [34]. One could do that also for the approach in the present paper.

Stirling [32, p. 528, footnote 2] suggests that the $\mu$ -calculus can be generalized to non-unary predicates, but does not develop this possibility further. In [24], Müller-Olm proposes a modal fixed point logic with chop, which can characterize any context-free process up to bisimulation or simulation. The logic is shown to be strictly more expressive than the modal $\mu$ -calculus. Lange & Somla [21] relate propositional dynamic logic over context-free programs with Müller-Olm’s logic and show the former to be equi-expressive with a fragment of the latter. Fredlund et al. [13] present a verification tool for the Erlang language based on first-order $\mu$ -calculus with actions [9]. Rosu et al. [6, 31] propose matching logic (ML) as a unifying logic for specifying and reasoning about the static structure and dynamic behaviour of programs. It uses patterns and constraints to uniformly represent mathematical domains, data types, and transition systems, whose properties can be reasoned about using one proof system. Our trace logic bares certain similarities with ML, both allowing recursion, but our logic is syntax-driven and has a fixed semantics in the domain of program traces, while ML is a semantic approach. We are not aware of a similar result as Corollary 6.8 in ML.

In contrast to the above mentioned work, we separate programs from fixed point formulas, and relate them in the form of judgments. Our logic has a single binary operator $\mathit{Sb}_{x}^{a}$ over arithmetic expressions $a$ and program variables $x$ , together with the chop operator $\frown$ . The latter models composition of binary relations in the denotational semantics. Our logic is sufficient to characterize any Rec program. Specifically, $\mu$ -formulas can serve as contracts of recursive procedures. More importantly, our approach leads to a compositional calculus, where all rules but the consequence rule are analytic.

Kleene algebra with tests (KAT) [19] are an equational algebraic theory that has been shown to be as expressive as propositional while programs. They were mechanized in an interactive theorem prover [30] and are able to express at least Hoare-style judgments [20]. The research around KATs focuses on propositional while programs: we are not aware of results relating KAT with recursive stateful programs. Specifically, our result that procedure contracts can be expressed purely in terms of trace formulas (Theorem 4.8) has not been obtained by algebraic approaches.

Expressive trace-based specification languages are rare in program verification. The trace logic of Barthe et al. [2] is a many-sorted first-order logic, equipped with an arithmetic theory of explicit trace positions to define program semantics. It is intended to model program verification in first-order logic for processing in automated theorem provers. Like $\mathcal{S}_{\mathit{tr}}\left[\left[\right]\right]$ , their program semantics is compositional; however, it uses explicit time points instead of algebraic operators. An extension of Hoare logic with trace specifications is presented by Ernst et al. [11]. Hoare triples are extended with regular expressions recording events emitted before the execution of the command and the events emitted by its execution. Our trace logic is more expressive. Also the first-order temporal logic of nested words (NWTL) of Alur et al. [1] permits to specify certain execution patterns within symbolic traces. It is orthogonal to our approach, being based on nested event pairs and temporal operators, instead of least fixed points and chop. NWTL is equally expressive over nested words as first-order logic. The intended computational model is not Rec, but non-deterministic Büchi automata over nested words for which it is complete. Temporal stream logic of Finkbeiner et al. [12], like our trace logic, has state updates $\mathit{Sb}_{x}^{t}$ (with a different syntax) and state predicates, but it is based on linear temporal logic and has no fixed points or chop. Again, the intended computational model is an extension of Büchi automata, the verification target are FPGA programs.

Cousot & Cousot [8] define a trace-based semantics for modal logics where (infinite) traces are equipped with past, present, and future. Their main focus is to relate model checking and static analysis to abstract interpretation – the trace-based semantics is the basis for it. In contrast, our paper relates a computation model to a logic. Like our semantics, theirs is compositional and the operators mentioned in their paper could inspire abstractions of our trace logic, cf. Section 8.1 below.

Nakata & Uustalu [25] present a trace-based co-inductive operational semantics with chop for an imperative programming language with loops. Following up on this work, [10] extended the approach to an asynchronous concurrent language, but neither of these uses fixed points, so that the specification language is incomplete. Also the calculus is not compositional.

Closest to the present work is our earlier work on trace-based deductive verification [5], where we used a similar trace logic than here. However, neither the semantics nor the calculus were compositional. Furthermore, we proved soundness there, but left completeness as an open question.

8 Future Work

8.1 Abstract Specifications and Extension of Recursive Programs

It is desirable to formulate specifications in a more abstract manner than the programs whose behavior they are intended to capture. For example, if we reinstate the atomic trace formula $p$ in our logic, we can easily express the set of all finite traces as $\left|\left|\mathit{true}\right|\right|=\mbox{\bf State}^{+}$ . Then we can define a binary connective as $\phi\cdot\cdot\,\psi\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\phi\raisebox{4.% 30554pt}{$\frown$}\mathit{true}\raisebox{4.30554pt}{$\frown$}\psi$ as “any finite (possibly, empty) computation may occur between $\phi$ and $\psi$ ”. For example, the trace formula $\mu X.(X\cdot\cdot\,X)$ expresses that a procedure $m_{X}$ calls itself at least twice recursively, at the beginning and at the end of its body, respectively.

A more general approach to introduce non-determinism to the logic is to define for a Boolean expression $b$ a binary relation $R_{b}$ with semantics $R_{b}(s,s^{\prime})\stackrel{{\scriptstyle\mathsf{def}}}{{\Longleftrightarrow}% }\mathcal{B}\left[\left[b\right]\right](s)=\mbox{\bf tt}$ . The atomic formula $p$ is then definable as: $p\stackrel{{\scriptstyle\mathsf{def}}}{{=}}R_{p}\raisebox{4.30554pt}{$\frown$}% R_{\mathit{true}}^{+}$ . The advantage of basing $p$ on a binary relation is that it is more easily represented as a canonical program. To this end, we introduce an atomic statement havoc with the trace semantics $\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf havoc}\right]\right]=\{s\cdot s% ^{\prime}\mid s,s^{\prime}\in\mbox{\bf State}\}$ , i.e. in any given state $s$ , executing havoc results in an arbitrary successor state. The proof rule for havoc is the axiom $\Gamma\>\vdash\>\mbox{\bf havoc}:R_{\mathit{true}}$ and obviously $\mathsf{stf}(\mbox{\bf havoc})\stackrel{{\scriptstyle\mathsf{def}}}{{=}}R_{% \mathit{true}}$ . Then $p$ is characterized by $\mathsf{can}(p)\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\langle\mbox{\bf if}% \ p\ \mbox{\bf then}\ \mathit{havoc()}\ \mbox{\bf else}\ \mbox{\bf diverge},T\rangle$ , where $T$ contains the declaration $\mathit{havoc}\ \{\mbox{\bf if}\ \ast\ \mbox{\bf then}\ \mbox{\bf havoc}\ % \mbox{\bf else}\ \mbox{\bf skip};\mathit{havoc()}\}.$

Interestingly, $R_{\mathit{true}}$ (and, therefore, havoc on the side of programs) permits to define concatenation of trace formulas $\phi\cdot\psi$ with the obvious semantics:

\left|\left|\phi\cdot\psi\right|\right|\,\stackrel{{\scriptstyle\mathsf{def}}}% {{=}}\,\{s_{0}\cdots s_{n}\cdot s^{\prime}_{0}\cdots s^{\prime}_{m}\mid s_{0}% \cdots s_{n}\in\left|\left|\phi\right|\right|,\,s^{\prime}_{0},\cdots s^{% \prime}_{m}\in\left|\left|\psi\right|\right|\}\,=\,\left|\left|\phi\raisebox{4% .30554pt}{$\frown$}R_{\mathit{true}}\raisebox{4.30554pt}{$\frown$}\psi\right|\right|

8.2 Proving Consequence of Trace Formulas

In general this is a difficult problem that requires fixed point induction, but the derivations needed in practice might be relatively simple, as the following example shows.

Example 8.1.

Consider the two trace formulas:

	$\displaystyle\mathsf{stf}(\mathit{down()})$	$\displaystyle=\,\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mu X_{\mathit{down}}% .\left((x>0\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Sb}_{x}^{x-2}% \raisebox{4.30554pt}{$\frown$}\mathit{Id}\raisebox{4.30554pt}{$\frown$}X_{% \mathit{down}})\lor(x\leq 0\land\mathit{Id\raisebox{4.30554pt}{$\frown$}}% \mathit{Id})\right)$
	$\displaystyle\mathit{Dec}_{x}^{+}$	$\displaystyle=\,\mu X_{\mathit{dec}}.(\mathit{Dec}_{x}\raisebox{4.30554pt}{$% \frown$}X_{\mathit{dec}}\lor\mathit{Dec}_{x})$

from Examples 2.3 and 4.7, respectively. We expect the trace formula implication $\mathsf{stf}(\mathit{down()})\Rightarrow\mathit{Id}\raisebox{4.30554pt}{$% \frown$}\mathit{Dec}_{x}^{+}$ to be provable, because of Theorem 4.8.

It turns out that the following fixed point induction rule and consequence rule, combined with straightforward first-order consequence and logic rules, are sufficient to prove the claim:

In fact, the proof is considerably shorter than proving the judgment $\mathit{down}():\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Dec}_{x}^{+}$ in the calculus of Section 5, which is as well possible.

A proof system for trace formula implication that can prove the above as well as many other non-trivial examples is given in [17].

8.3 Non-terminating Programs

Our results so far are limited to terminating programs, i.e. to sets of finite traces. To extend the calculus with a termination measure, such that a proof of $S:\phi$ not only shows correctness of $S$ relative to $\phi$ , but also ensures it produces only finite traces, is easy.

However, the trace-based setup permits, in principle, also to prove properties of non-terminating programs. To this end, it is necessary to extend the logic with operators whose semantics contains infinite traces. One obvious candidate are greatest fixed points [32]. The downside to this approach is that nested fixed points of opposite polarity are difficult to understand, as is well known from $\mu$ -calculus. Is there a restriction of mixed fixed point formulas that naturally corresponds to a certain class of programs? The theory of strongest trace formulas and canonical programs might guide the search for such fragments.

9 Conclusion

We presented a fixed point logic that characterizes recursive programs with non-deterministic guards. Both, programs and formulas have the same kind of trace semantics, which, like the calculus for proving judgments, is fully compositional in the sense that the definitions and rules embody no context. The faithful embedding of programs into a logic seems to suggest that we merely replace one execution model (programs) with another (trace formulas). So why is it worth having such an expressive specification logic? We can see four reasons:

First, the logic renders itself naturally to extension and abstraction that cannot be easily mimicked by programs or that are much less natural for programs. This is corroborated by the discussion in Section 8.1, but also by the case of conjunction: It is trivial to add conjunction $\phi\land\psi$ to the trace logic and to a calculus for trace formulas, but conjunction has no natural program counter-part. Yet it permits to specify certain hyper-properties, i.e., properties relating sets of traces.

Second, the logic offers reasoning patterns that are easily justified algebraically, such as projection, replacement of equivalents, strengthening, distribution, etc., that are not obvious in the realm of programs.

Third, the concept of strongest trace formula leads to a characterization of valid judgments and, thereby, enables a simple completeness proof.

And finally, the duality between programs and formulas permits to prove judgments by freely mixing two styles of reasoning: with the rules of the calculus in Figure 5, or using a calculus for the consequence of trace formulas. For example, a judgment such as $\mathit{down()}:\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathit{Dec}_{x}^{+}$ can be proved as in Example 8.1 or directly with the rules in Figure 5, but also by mixing both styles.

A perhaps surprising feature of our trace logic is the fact that no explicit notion of procedure contract is required to achieve procedure-modular verification: Instead, strongest trace formulas and statement variables are employed. This results in a novel (Call) rule that works with symbolic continuations realized by statement variables.

References

[1] Rajeev Alur, Marcelo Arenas, Pablo Barceló, Kousha Etessami, Neil Immerman, and Leonid Libkin. First-order and temporal logics for nested words. Log. Methods Comput. Sci., 4(11):1–44, 2008. doi:10.2168/LMCS-4(4:11)2008.
[2] Gilles Barthe, Renate Eilers, Pamina Georgiou, Bernhard Gleiss, Laura Kovács, and Matteo Maffei. Verifying relational properties using trace logic. In Clark W. Barrett and Jin Yang, editors, Formal Methods in Computer Aided Design, FMCAD, pages 170–178, San Jose, CA, USA, 2019. IEEE. doi:10.23919/FMCAD.2019.8894277.
[3] Patrick Baudin, Jean-Christophe Filliâtre, Claude Marché, Benjamin Monate, Yannick Moy, and Virgile Prevosto. ACSL: ANSI/ISO C Specification. Technical Report Version 1.17, CEA and INRIA, 2021. URL: https://frama-c.com/download/frama-c-acsl-implementation.pdf.
[4] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development—Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. An EATCS Series. Springer, Berlin Heidelberg, 2004. doi:10.1007/978-3-662-07964-5.
[5] Richard Bubel, Dilian Gurov, Reiner Hähnle, and Marco Scaletta. Trace-based deductive verification. In Logic for Programming, Artificial Intelligence and Reasoning (LPAR 2023), volume 94 of EPiC Series in Computing, pages 73–95. EasyChair, 2023. doi:10.29007/VDFD.
[6] Xiaohong Chen, Dorel Lucanu, and Grigore Rosu. Matching logic explained. Journal of Logical and Algebraic Methods in Programming, 120:100638, 2021. doi:10.1016/J.JLAMP.2021.100638.
[7] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. The MIT Press, Cambridge, Massachusetts, 1999.
[8] Patrick Cousot and Radhia Cousot. Temporal abstract interpretation. In Mark N. Wegman and Thomas W. Reps, editors, Proc. 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Boston, Massachusetts, USA, pages 12–25. ACM, 2000. doi:10.1145/325694.325699.
[9] Mads Dam and Dilian Gurov. $\mu$ -calculus with explicit points and approximations. J. of Logic and Computation, 12(2):255–269, April 2002. doi:10.1093/LOGCOM/12.2.255.
[10] Crystal Chang Din, Reiner Hähnle, Einar Broch Johnsen, Violet Ka I Pun, and Silvia Lizeth Tapia Tarifa. Locally abstract, globally concrete semantics of concurrent programming languages. In Cláudia Nalon and Renate Schmidt, editors, Proc. 26th Intl. Conf. on Automated Reasoning with Tableaux and Related Methods, volume 10501 of LNCS, pages 22–43, Cham, September 2017. Springer. doi:10.1007/978-3-319-66902-1_2.
[11] Gidon Ernst, Alexander Knapp, and Toby Murray. A Hoare logic with regular behavioral specifications. In Tiziana Margaria and Bernhard Steffen, editors, Leveraging Applications of Formal Methods, Verification and Validation, 11th Intl. Symp., ISoLA, Rhodes, Greece, Proc. Part I, volume 13701 of LNCS, pages 45–64. Springer, 2022. doi:10.1007/978-3-031-19849-6_4.
[12] Bernd Finkbeiner, Felix Klein, Ruzica Piskac, and Mark Santolucito. Temporal stream logic: Synthesis beyond the bools. In Isil Dillig and Serdar Tasiran, editors, Computer Aided Verification: 31st Intl. Conf., CAV, Part I, volume 11561 of LNCS, pages 609–629, New York City, NY, USA, 2019. Springer. doi:10.1007/978-3-030-25540-4_35.
[13] Lars-Åke Fredlund, Dilian Gurov, Thomas Noll, Mads Dam, Thomas Arts, and Gennady Chugunov. A verification tool for Erlang. Journal of Software Tools for Technology Transfer, 4(4):405–420, August 2003. doi:10.1007/S100090100071.
[14] Dilian Gurov and Reiner Hähnle. An expressive trace logic for recursive programs. CoRR, abs/2411.13125, 2024. doi:10.48550/arXiv.2411.13125.
[15] Reiner Hähnle and Marieke Huisman. Deductive verification: from pen-and-paper proofs to industrial tools. In Bernhard Steffen and Gerhard Woeginger, editors, Computing and Software Science: State of the Art and Perspectives, volume 10000 of LNCS, pages 345–373. Springer, Cham, Switzerland, 2019.
[16] Joseph Y. Halpern and Yoav Shoham. A propositional modal logic of time intervals. Journal of the ACM, 38(4):935–962, 1991. doi:10.1145/115234.115351.
[17] Niklas Heidler and Reiner Hähnle. A Sequent Calculus for Trace Formula Implication. arXiv CoRR, May 2025. doi:10.48550/arXiv.2505.03693.
[18] C. A. R. Hoare. Procedures and parameters: An axiomatic approach. In Erwin Engeler, editor, Symposium on Semantics of Algorithmic Languages, volume 188 of Lecture Notes in Mathematics, pages 102–116. Springer, Berlin, Heidelberg, 1971. doi:10.1007/BFb0059696.
[19] Dexter Kozen. Kleene algebra with tests. ACM Transactions on Programming Languages and Systems, 19(3):427–443, 1997. doi:10.1145/256167.256195.
[20] Dexter Kozen. On Hoare logic and Kleene algebra with tests. ACM Transactions on Computational Logic, 1(1):60–76, 2000. doi:10.1145/343369.343378.
[21] Martin Lange and Rafał Somla. Propositional dynamic logic of context-free programs and fixpoint logic with chop. Information Processing Letters, 100(2):72–75, 2006. doi:10.1016/J.IPL.2006.04.019.
[22] Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, Joseph Kiniry, Patrice Chalin, Daniel M. Zimmerman, and Werner Dietl. JML Reference Manual, May 2013. Draft revision 2344. URL: http://www.eecs.ucf.edu/˜leavens/JML//OldReleases/jmlrefman.pdf.
[23] Angelika Mader. Verification of modal properties using Boolean equation systems. PhD thesis, Technical University Munich, 1997.
[24] Markus Müller-Olm. A modal fixpoint logic with chop. In Theoretical Aspects of Computer Science (STACS 1999), volume 1563 of LNCS, pages 510–520, Berlin Heidelberg, 1999. Springer. doi:10.1007/3-540-49116-3_48.
[25] Keiko Nakata and Tarmo Uustalu. Trace-based coinductive operational semantics for While. In Theorem Proving in Higher Order Logics (TPHOLs), volume 5674 of LNCS, pages 375–390, Berlin Heidelberg, 2009. Springer. doi:10.1007/978-3-642-03359-9_26.
[26] Hanne Riis Nielson and Flemming Nielson. Semantics with Applications: An Appetizer. Undergraduate Topics in Computer Science. Springer, London, 2007. doi:10.1007/978-1-84628-692-6.
[27] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, Berlin Heidelberg, 2002. doi:10.1007/3-540-45949-9.
[28] David Michael Ritchie Park. Finiteness is mu-ineffable. Theoretical Computer Science, 3(2):173–181, 1976. doi:10.1016/0304-3975(76)90022-0.
[29] Gordon D. Plotkin. A structural approach to operational semantics. J. Log. Algebr. Program., 60–61:17–139, 2004.
[30] Damien Pous. Kleene algebra with tests and Coq tools for while programs. In Sandrine Blazy, Christine Paulin-Mohring, and David Pichardie, editors, Interactive Theorem Proving, 4th Intl. Conf. ITP, Rennes, France, volume 7998 of LNCS, pages 180–196. Springer, 2013. doi:10.1007/978-3-642-39634-2_15.
[31] Grigore Rosu. Matching logic. Logical Methods in Computer Science, 13(4), 2017. doi:10.23638/LMCS-13(4:28)2017.
[32] Colin Stirling. Modal and temporal logics. In Handbook of Logic in Computer Science (Vol. 2): Background: Computational Structures, pages 477–563, USA, 1993. Oxford University Press, Inc.
[33] Alfred Tarski. A lattice-theoretical fixedpoint theorem and its applications. Pacific Journal of Mathematics, 5:285–309, 1955.
[34] David von Oheimb. Hoare logic for Java in Isabelle/HOL. Concurrency and Computation: Practice and Experience, 13(13):1173–1214, 2001. doi:10.1002/CPE.598.

Appendix A Selected Proofs

A.1 Strongest Trace Formula

Proof of Lemma 4.11.

The proof proceeds by induction on the structure of $S$ .

Case $S=\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}$ .

By the induction hypothesis, $\left|\left|\mathsf{stf}(S_{i})\right|\right|_{\mathcal{V}_{\rho}}=\mathcal{S}% ^{0}_{\mathit{tr}}\left[\left[S_{i}\right]\right]_{\rho}$ for $i=1,2$ . We have:

\begin{array}[]{cl}&\left|\left|\mathsf{stf}^{\prime}(\mbox{\bf if}\ b\ \mbox{% \bf then}\ S_{1}\ \mbox{\bf else}\ S_{2})\right|\right|_{\mathcal{V}_{\rho}}\\ =&\left|\left|(b\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathsf{stf}^{% \prime}(S_{1}))\lor(\lnot b\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}% \mathsf{stf}^{\prime}(S_{2}))\right|\right|_{\mathcal{V}_{\rho}}\\ =&\left|\left|(b\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathsf{stf}^{% \prime}(S_{1}))\right|\right|_{\mathcal{V}_{\rho}}\cup\left|\left|(\lnot b% \land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathsf{stf}^{\prime}(S_{2}))% \right|\right|_{\mathcal{V}_{\rho}}\\ =&(\sharp\left|\left|\mathsf{stf}^{\prime}(S_{1})\right|\right|_{\mathcal{V}_{% \rho}})\mid_{b}\cup\>(\sharp\left|\left|\mathsf{stf}^{\prime}(S_{2})\right|% \right|_{\mathcal{V}_{\rho}})\mid_{\neg b}\\ =&(\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{1}\right]\right]_{\rho})% \mid_{b}\cup\>(\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{2}\right]% \right]_{\rho})\mid_{\neg b}\\ =&\mathcal{S}^{0}_{\mathit{tr}}\left[\left[\mbox{\bf if}\ b\ \mbox{\bf then}\ % S_{1}\ \mbox{\bf else}\ S_{2}\right]\right]_{\rho}\end{array}

Case $S=m()$ .

We have:

\begin{array}[]{cl}&\left|\left|\mathsf{stf}^{\prime}(m())\right|\right|_{% \mathcal{V}_{\rho}}\\ =&\left|\left|X_{m}\right|\right|_{\mathcal{V}_{\rho}}\\ =&\mathcal{V}_{\rho}(X_{m})\\ =&\rho(m)\\ =&\mathcal{S}^{0}_{\mathit{tr}}\left[\left[m()\right]\right]_{\rho}\end{array}

$\hfill\blacktriangleleft$

Proof of Theorem 4.8.

Since $\mathsf{stf}^{\prime}(S)$ and $\mathsf{stf}(X,S)$ are defined identically, except for the case $S=m()$ , the proof is the same as for Lemma 4.11, except for that case:

Case $S=m()$ .

We only sketch the proof here. We translate the formula $\mathsf{stf}(\varnothing,m())$ into a modal equation system $\mathsf{mes}(\mathsf{stf}(\varnothing,m()))$ . This results in the formula $X_{m}$ , defined in the context of a system of modal equations: for each fixed point operator $\mu X_{i}$ in $\mathsf{stf}(\varnothing,m())$ , there is an equation $X_{i}=\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathsf{stf}^{\prime}(S_{i})$ , whenever $m_{i}$ is declared as $m_{i}\,\{S_{i}\}$ in $T$ . Next, from the standard semantics of modal equation systems, and by Lemma 4.11, it follows that the least solution $\mathcal{V}_{0}$ of the modal equation system is equal (on the names of the procedures called recursively by $m$ ) to the valuation $\mathcal{V}_{\rho_{0}}$ induced by the interpretation $\rho_{0}$ defined by the procedure table $T$ . Finally, by Lemma 4.11, we have:

\begin{array}[]{cl}&\left|\left|\mathsf{stf}(\varnothing,m())\right|\right|\\ =&\left|\left|X_{m}\right|\right|_{\mathcal{V}_{0}}\\ =&\left|\left|X_{m}\right|\right|_{\mathcal{V}_{\rho_{0}}}\\ =&\mathcal{V}_{\rho_{0}}(X_{m})\\ =&\rho_{0}(m)\\ =&\mathcal{S}^{0}_{\mathit{tr}}\left[\left[m()\right]\right]_{\rho_{0}}\\ =&\mathcal{S}_{\mathit{tr}}\left[\left[m()\right]\right]\end{array}

$\hfill\blacktriangleleft$

A.2 Soundness of the Calculus

For the proof we need to relate traces restricted by a condition $b$ to trace formulas. In the following proposition, the intuition for $\left|\left|\lnot b\lor\phi\right|\right|$ is that it ignores any trace, that is, it is trivially true for any trace, where $b$ does not hold in the beginning.

Proposition A.1 (State formulas in judgments).

Let $b$ be a Boolean expression, $\phi$ a trace formula. Then $(\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right])\mid_{b}\;\subseteq\left% |\left|\phi\right|\right|\quad\text{iff}\quad\mathcal{S}_{\mathit{tr}}\left[% \left[S\right]\right]\subseteq\left|\left|\lnot b\lor\phi\right|\right|.$

Proof.

“Only If” direction: Assume $(\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right])\mid_{b}\;\subseteq\left% |\left|\phi\right|\right|$ and there is a trace $s\cdot\sigma\in\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]$ that is not in $\left|\left|\lnot b\lor\phi\right|\right|=\left|\left|\lnot b\right|\right|% \cup\left|\left|\phi\right|\right|$ , hence, $s\cdot\sigma\not\in\left|\left|\lnot b\right|\right|$ and $s\cdot\sigma\not\in\left|\left|\phi\right|\right|$ . But $s\cdot\sigma\not\in\left|\left|\lnot b\right|\right|$ implies $s\cdot\sigma\in(\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right])\mid_{b}% \;\subseteq\left|\left|\phi\right|\right|$ : contradiction.

“If” direction: Assume $\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]\subseteq\left|\left|\lnot b% \lor\phi\right|\right|$ and there is a trace $s\cdot\sigma\in(\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right])\mid_{b}$ that is not in $\left|\left|\phi\right|\right|$ . From the assumption and $(\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right])\mid_{b}\subseteq% \mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]$ we obtain $s\cdot\sigma\in\left|\left|\lnot b\lor\phi\right|\right|$ . However, since $\mathcal{B}\left[\left[b\right]\right](s)=\mbox{\bf tt}$ we must have in fact $s\cdot\sigma\in\left|\left|\phi\right|\right|$ : contradiction. $\hfill\blacktriangleleft$

Proof of Theorem 5.6.

The proof system is sound, since every rule of the system is locally sound, in the sense that its conclusion is valid whenever all its premises are valid. We shall prove local soundness of each rule. Without loss of generality, we ignore $\Gamma$ in most cases.

Rule IF.

Let $\mathcal{I}$ be an arbitrary interpretation. Using Proposition A.1, we have:

\begin{array}[]{ll}&\>\models_{\mathcal{I}}\>\mbox{\bf skip};S_{1}:\lnot b\lor% \phi\>\>\text{and}\>\>\models_{\mathcal{I}}\>\mbox{\bf skip};S_{2}:b\lor\phi\\ \Leftrightarrow&\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf skip};S_{1}% \right]\right]_{\mathcal{I}}\subseteq\left|\left|\lnot b\lor\phi\right|\right|% \>\text{and}\\ &\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf skip};S_{2}\right]\right]_{% \mathcal{I}}\subseteq\left|\left|b\lor\phi\right|\right|\\ \Leftrightarrow&\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{1}\right]\right]% _{\mathcal{I}}\subseteq\left|\left|\lnot b\lor\phi\right|\right|\>\text{and}\>% \>\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{2}\right]\right]_{\mathcal{I}}% \subseteq\left|\left|b\lor\phi\right|\right|\\ \Leftrightarrow&(\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{1}\right]\right% ]_{\mathcal{I}})\mid_{b}\,\subseteq\left|\left|\phi\right|\right|\>\text{and}% \>(\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{2}\right]\right]_{\mathcal{I}% })\mid_{\lnot b}\,\subseteq\left|\left|\phi\right|\right|\\ \Leftrightarrow&\left((\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S_{1}\right]% \right]_{\mathcal{I}})\mid_{b}\cup\ (\sharp\mathcal{S}_{\mathit{tr}}\left[% \left[S_{2}\right]\right]_{\mathcal{I}})\mid_{\lnot b}\right)\,\subseteq\,% \left|\left|\phi\right|\right|\\ \Leftrightarrow&\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf if}\ b\ \mbox{% \bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}\right]\right]_{\mathcal{I}}\subseteq% \left|\left|\phi\right|\right|\\ \Leftrightarrow&\>\models_{\mathcal{I}}\>\mbox{\bf if}\ b\ \mbox{\bf then}\ S_% {1}\ \mbox{\bf else}\ S_{2}:\phi\end{array}

where we use that $\mathcal{S}_{\mathit{tr}}\left[\left[\mbox{\bf skip};S\right]\right]_{\mathcal% {I}}=\sharp\mathcal{S}_{\mathit{tr}}\left[\left[S\right]\right]_{\mathcal{I}}$ , and therefore:

\begin{array}[]{ll}&\>\models_{\mathcal{I}}\>\mbox{\bf skip};S_{1}:\lnot b\lor% \phi\>\>\text{and}\>\>\models_{\mathcal{I}}\>\mbox{\bf skip};S_{2}:b\lor\phi\\ \Leftrightarrow&\>\models_{\mathcal{I}}\>\mbox{\bf if}\ b\ \mbox{\bf then}\ S_% {1}\ \mbox{\bf else}\ S_{2}:\phi\end{array}

Rule CALL.

For the proof of the rule we employ the principle of Fixed Point Induction. To simplify the presentation, we assume there is only one procedure $m()$ , declared as $m\,\{S_{m}\}$ in $T$ . The general case follows from Bekič’s Principle. The notation $\rho[m\mapsto\gamma]$ specifies the interpretation that is identical to $\rho$ , except for $\rho(m)=\gamma$ .

\begin{array}[]{ll}&Y_{m}:\phi_{m}\>\models\>S_{m}[\mbox{\bf skip};Y_{m}/m()]:% \phi_{m}\\ \Leftrightarrow&\forall\mathcal{I}.\ (\mathcal{S}_{\mathit{tr}}\left[\left[Y_{% m}\right]\right]_{\mathcal{I}}\subseteq\left|\left|\phi_{m}\right|\right|\\ &\qquad\Rightarrow\mathcal{S}_{\mathit{tr}}\left[\left[S_{m}[\mbox{\bf skip};Y% _{m}/m()]\right]\right]_{\mathcal{I}}\subseteq\left|\left|\phi_{m}\right|% \right|)\\ \Leftrightarrow&\forall\gamma.\ (\gamma\subseteq\left|\left|\phi_{m}\right|% \right|\,\Rightarrow\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{m}\right]% \right]_{\rho[m\mapsto\sharp\gamma]}\subseteq\left|\left|\phi_{m}\right|\right% |)\\ \Leftrightarrow&\forall\gamma.\ (\sharp\gamma\subseteq\left|\left|\mathit{Id}% \raisebox{4.30554pt}{$\frown$}\phi_{m}\right|\right|\,\Rightarrow\sharp% \mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{m}\right]\right]_{\rho[m\mapsto% \sharp\gamma]}\subseteq\left|\left|\mathit{Id}\raisebox{4.30554pt}{$\frown$}% \phi_{m}\right|\right|)\\ \Leftrightarrow&\forall\gamma.\ (\gamma\subseteq\left|\left|\mathit{Id}% \raisebox{4.30554pt}{$\frown$}\phi_{m}\right|\right|\,\Rightarrow\sharp% \mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{m}\right]\right]_{\rho[m\mapsto% \gamma]}\,\subseteq\left|\left|\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{% m}\right|\right|)\\ \Rightarrow&\rho_{0}(m)\subseteq\left|\left|\mathit{Id}\raisebox{4.30554pt}{$% \frown$}\phi_{m}\right|\right|\\ \Leftrightarrow&\mathcal{S}^{0}_{\mathit{tr}}\left[\left[m()\right]\right]_{% \rho_{0}}\subseteq\left|\left|\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{m% }\right|\right|\\ \Leftrightarrow&\mathcal{S}_{\mathit{tr}}\left[\left[m()\right]\right]% \subseteq\left|\left|\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{m}\right|% \right|\\ \Leftrightarrow&\>\models\>m():\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{% m}\end{array}

$\hfill\blacktriangleleft$

A.3 Completeness of the Calculus

Proof of Theorem 5.7.

The proof proceeds by induction on the structure of $S$ . However, In the case of a call the statement does not necessarily get smaller, because the body of $m$ is expanded. So we need to argue that the induction is well-founded. Indeed, the lexicographic order on $\langle N-\left|\Gamma\right|,\left|S\right|\rangle$ (obviously, the first component is never negative) always decreases. Since $\Gamma$ is irrelevant for all cases except $S=m()$ , we simplify the claim accordingly for these.

Case $S=\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}$ .

Assume by the induction hypothesis that $\>\vdash\>S_{1}:\mathsf{stf}(S_{1})$ and $\>\vdash\>S_{2}:\mathsf{stf}(S_{2})$ can be proven. We also use that $\phi\models(p\lor(\lnot p\land\phi))$ is a valid consequence. We have:

\begin{array}[]{rl}&\>\vdash\>\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{% \bf else}\ S_{2}:\mathsf{stf}(\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{% \bf else}\ S_{2})\\ \Leftrightarrow&\>\vdash\>\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else% }\ S_{2}:(b\land\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathsf{stf}(S_{1}))% \lor\\ &\qquad\qquad\qquad\qquad\qquad(\lnot b\land\mathit{Id}\raisebox{4.30554pt}{$% \frown$}\mathsf{stf}(S_{2}))\\ \Leftarrow&\mbox{\{By rule ({If}) combined with rule ({Or})\}}\\ &\>\vdash\>\mbox{\bf skip};S_{1}:\lnot b\lor(b\land\mathit{Id}\raisebox{4.3055% 4pt}{$\frown$}\mathsf{stf}(S_{1}))\leavevmode\nobreak\ \mbox{and}\\ &\>\vdash\>\mbox{\bf skip};S_{2}:b\lor(\lnot b\land\mathit{Id}\raisebox{4.3055% 4pt}{$\frown$}\mathsf{stf}(S_{2}))\\ \Leftarrow&\mbox{\{By rule ({Cons})\}}\\ &\>\vdash\>\mbox{\bf skip};S_{1}:\mathit{Id}\raisebox{4.30554pt}{$\frown$}% \mathsf{stf}(S_{1})\leavevmode\nobreak\ \mbox{and}\>\vdash\>\mbox{\bf skip};S_% {2}:\mathit{Id}\raisebox{4.30554pt}{$\frown$}\mathsf{stf}(S_{2})\\ \Leftrightarrow&\mbox{\{By rule ({Seq}) combined with rule ({Skip}) and}\\ &\mbox{the induction hypothesis\}}\\ &\mathsf{true}\end{array}

Case $S=m()$ .

There are two subcases: either $m\in\{m_{1},\ldots,m_{n}\}$ or not. In the first case, $S[\mbox{\bf skip};Y_{m_{1}}/m_{1}(),\ldots,\mbox{\bf skip};Y_{m_{n}}/m_{n}()]=% \mbox{\bf skip};Y_{m}$ .

In the second case, $S[\mbox{\bf skip};Y_{m_{1}}/m_{1}(),\ldots,\mbox{\bf skip};Y_{m_{n}}/m_{n}()]=% m()$ . In both cases, we have $\mathsf{stf}(m())=\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{m}$ .

Subcase $\mbox{\bf skip};Y_{m}$ .

We have to prove the judgment $\Gamma\>\vdash\>\mbox{\bf skip};Y_{m}:\mathit{Id}\raisebox{4.30554pt}{$\frown$% }\phi_{m}$ . Using rules (Seq) and (Skip), this reduces to $\Gamma\>\vdash\>Y_{m}:\phi_{m}$ . Because of the assumption $m\in\{m_{1},\ldots,m_{n}\}$ we have $Y_{m}:\phi_{m}\in\Gamma$ , so the proof is finished.

Subcase $m()$ .

We have to prove the judgment $\Gamma\>\vdash\>m():\mathit{Id}\raisebox{4.30554pt}{$\frown$}\phi_{m}$ . Rule (Call) is applicable due to assumption $m\not\in\{m_{1},\ldots,m_{n}\}$ . Let

S_{m}^{\prime}\stackrel{{\scriptstyle\mathsf{def}}}{{=}}S_{m}[\mbox{\bf skip};% Y_{m}/m(),\mbox{\bf skip};Y_{m_{1}}/m_{1}(),\ldots,\mbox{\bf skip};Y_{m_{n}}/m% _{n}()]

The obtained premise yields the new claim to prove:

\Gamma\cup\{Y_{m}:\phi_{m}\}\>\vdash\>S_{m}^{\prime}:\mu X_{m}.\,\mathsf{stf}(% \{m\},S_{m})

We apply rule (Unfold) on the right and obtain:

\Gamma\cup\{Y_{m}:\phi_{m}\}\>\vdash\>S_{m}^{\prime}:\mathsf{stf}(\{m\},S_{m})% [\phi_{m}/X_{m}]

By induction and by the definition of $\mathsf{stf}(S)$ we finish the proof up to subgoals of the form (for some $m^{\prime}\neq m$ ):

\Gamma\cup\{Y_{m}:\phi_{m}\}\>\vdash\>m^{\prime}():\mathsf{stf}(\{m\},m^{% \prime})[\phi_{m}/X_{m}]

Unfortunately, the structure of the formula on the right does not conform to $\mathsf{stf}(m^{\prime})$ as required. But, observing that $\left|\left|\mathsf{stf}(S)\right|\right|=\left|\left|\mathsf{stf}(\overline{X% },S)\right|\right|$ , as well as soundness of unfolding, we can use Cons to obtain:

\Gamma\cup\{Y_{m}:\phi_{m}\}\>\vdash\>m^{\prime}():\mathsf{stf}(m^{\prime})

This follows from the induction hypothesis, because of $N-\left|\Gamma\right|>N-\left|\Gamma\cup\{Y_{m}:\phi_{m}\}\right|$ .

$\hfill\blacktriangleleft$

A.4 Canonical Programs

Proof of Proposition 6.5.

We need to show that for any call $m_{X}()$ in $\mathsf{can}(\phi)$ there is exactly one declaration of $m_{X}$ in $T_{\phi}$ . This is a straightforward structural induction. $\hfill\blacktriangleleft$

Lemma A.2.

Let $\phi$ be an open trace formula not containing fixed point binders $(\mu X.)$ , and let $\mathsf{can}(\phi)=\langle S_{\phi},T_{\phi}\rangle$ . Then, we have: $\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\phi}\right]\right]_{\rho}\,% \widetilde{=}\ \left|\left|\phi\right|\right|_{\mathcal{V}_{\rho}}$ for all interpretations $\rho:M\rightarrow 2^{\mbox{\bf State}^{+}}$ of the procedures $M$ declared in $T_{\phi}$ , and (induced) valuations $\mathcal{V}_{\rho}:\mathsf{RVar}\rightarrow 2^{\mbox{\bf State}^{+}}$ defined by $\mathcal{V}_{\rho}(X_{m})\stackrel{{\scriptstyle\mathsf{def}}}{{=}}\rho(m)$ .

Proof.

We proceed by structural induction on $\phi$ .

Case $\phi=p\land\psi$ .

By the induction hypothesis, $\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\psi}\right]\right]_{\rho}% \widetilde{=}\,\left|\left|\psi\right|\right|_{\mathcal{V}_{\rho}}$ .

	$\displaystyle\mathcal{S}^{0}_{\mathit{tr}}\left[\left[\mbox{\bf if}\ p\ \mbox{% \bf then}\ S_{\psi}\ \mbox{\bf else}\ \mbox{\bf diverge}\right]\right]_{\rho}$
	$\displaystyle\qquad=(\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\psi}% \right]\right]_{\rho})\mid_{p}\cup\;(\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[% \left[\mbox{\bf diverge}\right]\right]_{\rho})\mid_{\neg p}$
	$\displaystyle\qquad=(\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\psi}% \right]\right]_{\rho})\mid_{p}\quad\quad\text{(Proposition\leavevmode\nobreak% \ \ref{prop:any})}$
	$\displaystyle\qquad=\mbox{\bf State}^{+}\mid_{p}\cap\;\sharp\mathcal{S}^{0}_{% \mathit{tr}}\left[\left[S_{\psi}\right]\right]_{\rho}\widetilde{=}\ \ \mbox{% \bf State}^{+}\mid_{p}\cap\;\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\psi}% \right]\right]_{\rho}$
	$\displaystyle\qquad\;\widetilde{=}\ \mbox{\bf State}^{+}\mid_{p}\cap\,\left\|% \left\|\psi\right\|\right\|_{\mathcal{V}_{\rho}}\quad\text{(Induction hypothesis)}$
	$\displaystyle\qquad=\left\|\left\|p\land\psi\right\|\right\|_{\mathcal{V}_{\rho}}$

Case $\phi=\phi_{1}\lor\phi_{2}$ .

By the induction hypothesis, we have that $\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\phi_{1}}\right]\right]_{\rho}\,% \widetilde{=}\,\left|\left|\phi_{1}\right|\right|_{\mathcal{V}_{\rho}}$ and $\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\phi_{2}}\right]\right]_{\rho}\,% \widetilde{=}\,\left|\left|\phi_{2}\right|\right|_{\mathcal{V}_{\rho}}$ . Therefore,

	$\displaystyle\mathcal{S}^{0}_{\mathit{tr}}\left[\left[\mbox{\bf if}\ \ast\ % \mbox{\bf then}\ S_{\phi_{1}}\ \mbox{\bf else}\ S_{\phi_{2}}\right]\right]_{\rho}$	$\displaystyle=\,\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{\phi_{1}}% \right]\right]_{\rho}\cup\;\sharp\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{% \phi_{2}}\right]\right]_{\rho}$
	$\displaystyle\;\widetilde{=}\ \ \mathcal{S}^{0}_{\mathit{tr}}\left[\left[S_{% \phi_{1}}\right]\right]_{\rho}\cup\;\mathcal{S}^{0}_{\mathit{tr}}\left[\left[S% _{\phi_{2}}\right]\right]_{\rho}$	$\displaystyle\;\widetilde{=}\ \left\|\left\|\phi_{1}\right\|\right\|_{\mathcal{V}_% {\rho}}\cup\ \left\|\left\|\phi_{2}\right\|\right\|_{\mathcal{V}_{\rho}}\quad\text% {(Ind.\ hyp.)}$
		$\displaystyle=\,\left\|\left\|\phi_{1}\lor\phi_{2}\right\|\right\|_{\mathcal{V}_{% \rho}}$

Case $\phi=X$ .

We have:

\mathcal{S}^{0}_{\mathit{tr}}\left[\left[m_{X}()\right]\right]_{\rho}=\rho(m_{% X})=\mathcal{V}_{\rho}(X)=\left|\left|X\right|\right|_{\mathcal{V}_{\rho}}\

$\hfill\blacktriangleleft$

Proof of Theorem 6.7.

By structural induction on $\phi$ . We only sketch the proof idea here. An argument can be made similar to the one in the last case of the proof of Theorem 4.8, by referring to the modal equation system corresponding to $\phi$ , and using Lemma A.2 to generalise the treatment to open formulas $\phi$ and statements that contain calls to procedures not declared in $T_{\phi}$ . Proposition 6.5 ensures that the program on the left is well-defined. Compositionality of the proof is justified by Bekič’s Principle. $\hfill\blacktriangleleft$

[bib.bib1] [1] Rajeev Alur, Marcelo Arenas, Pablo Barceló, Kousha Etessami, Neil Immerman, and Leonid Libkin. First-order and temporal logics for nested words. Log. Methods Comput. Sci., 4(11):1–44, 2008. doi:10.2168/LMCS-4(4:11)2008.

[bib.bib2] [2] Gilles Barthe, Renate Eilers, Pamina Georgiou, Bernhard Gleiss, Laura Kovács, and Matteo Maffei. Verifying relational properties using trace logic. In Clark W. Barrett and Jin Yang, editors, Formal Methods in Computer Aided Design, FMCAD, pages 170–178, San Jose, CA, USA, 2019. IEEE. doi:10.23919/FMCAD.2019.8894277.

[bib.bib3] [3] Patrick Baudin, Jean-Christophe Filliâtre, Claude Marché, Benjamin Monate, Yannick Moy, and Virgile Prevosto. ACSL: ANSI/ISO C Specification. Technical Report Version 1.17, CEA and INRIA, 2021. URL: https://frama-c.com/download/frama-c-acsl-implementation.pdf.

[bib.bib4] [4] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development—Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. An EATCS Series. Springer, Berlin Heidelberg, 2004. doi:10.1007/978-3-662-07964-5.

[bib.bib5] [5] Richard Bubel, Dilian Gurov, Reiner Hähnle, and Marco Scaletta. Trace-based deductive verification. In Logic for Programming, Artificial Intelligence and Reasoning (LPAR 2023), volume 94 of EPiC Series in Computing, pages 73–95. EasyChair, 2023. doi:10.29007/VDFD.

[bib.bib6] [6] Xiaohong Chen, Dorel Lucanu, and Grigore Rosu. Matching logic explained. Journal of Logical and Algebraic Methods in Programming, 120:100638, 2021. doi:10.1016/J.JLAMP.2021.100638.

[bib.bib7] [7] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. The MIT Press, Cambridge, Massachusetts, 1999.

[bib.bib8] [8] Patrick Cousot and Radhia Cousot. Temporal abstract interpretation. In Mark N. Wegman and Thomas W. Reps, editors, Proc. 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Boston, Massachusetts, USA, pages 12–25. ACM, 2000. doi:10.1145/325694.325699.

[bib.bib9] [9] Mads Dam and Dilian Gurov. $\mu$ -calculus with explicit points and approximations. J. of Logic and Computation, 12(2):255–269, April 2002. doi:10.1093/LOGCOM/12.2.255.

[bib.bib10] [10] Crystal Chang Din, Reiner Hähnle, Einar Broch Johnsen, Violet Ka I Pun, and Silvia Lizeth Tapia Tarifa. Locally abstract, globally concrete semantics of concurrent programming languages. In Cláudia Nalon and Renate Schmidt, editors, Proc. 26th Intl. Conf. on Automated Reasoning with Tableaux and Related Methods, volume 10501 of LNCS, pages 22–43, Cham, September 2017. Springer. doi:10.1007/978-3-319-66902-1_2.

[bib.bib11] [11] Gidon Ernst, Alexander Knapp, and Toby Murray. A Hoare logic with regular behavioral specifications. In Tiziana Margaria and Bernhard Steffen, editors, Leveraging Applications of Formal Methods, Verification and Validation, 11th Intl. Symp., ISoLA, Rhodes, Greece, Proc. Part I, volume 13701 of LNCS, pages 45–64. Springer, 2022. doi:10.1007/978-3-031-19849-6_4.

[bib.bib12] [12] Bernd Finkbeiner, Felix Klein, Ruzica Piskac, and Mark Santolucito. Temporal stream logic: Synthesis beyond the bools. In Isil Dillig and Serdar Tasiran, editors, Computer Aided Verification: 31st Intl. Conf., CAV, Part I, volume 11561 of LNCS, pages 609–629, New York City, NY, USA, 2019. Springer. doi:10.1007/978-3-030-25540-4_35.

[bib.bib13] [13] Lars-Åke Fredlund, Dilian Gurov, Thomas Noll, Mads Dam, Thomas Arts, and Gennady Chugunov. A verification tool for Erlang. Journal of Software Tools for Technology Transfer, 4(4):405–420, August 2003. doi:10.1007/S100090100071.

[bib.bib14] [14] Dilian Gurov and Reiner Hähnle. An expressive trace logic for recursive programs. CoRR, abs/2411.13125, 2024. doi:10.48550/arXiv.2411.13125.

[bib.bib15] [15] Reiner Hähnle and Marieke Huisman. Deductive verification: from pen-and-paper proofs to industrial tools. In Bernhard Steffen and Gerhard Woeginger, editors, Computing and Software Science: State of the Art and Perspectives, volume 10000 of LNCS, pages 345–373. Springer, Cham, Switzerland, 2019.

[bib.bib16] [16] Joseph Y. Halpern and Yoav Shoham. A propositional modal logic of time intervals. Journal of the ACM, 38(4):935–962, 1991. doi:10.1145/115234.115351.

[bib.bib17] [17] Niklas Heidler and Reiner Hähnle. A Sequent Calculus for Trace Formula Implication. arXiv CoRR, May 2025. doi:10.48550/arXiv.2505.03693.

[bib.bib18] [18] C. A. R. Hoare. Procedures and parameters: An axiomatic approach. In Erwin Engeler, editor, Symposium on Semantics of Algorithmic Languages, volume 188 of Lecture Notes in Mathematics, pages 102–116. Springer, Berlin, Heidelberg, 1971. doi:10.1007/BFb0059696.

[bib.bib19] [19] Dexter Kozen. Kleene algebra with tests. ACM Transactions on Programming Languages and Systems, 19(3):427–443, 1997. doi:10.1145/256167.256195.

[bib.bib20] [20] Dexter Kozen. On Hoare logic and Kleene algebra with tests. ACM Transactions on Computational Logic, 1(1):60–76, 2000. doi:10.1145/343369.343378.

[bib.bib21] [21] Martin Lange and Rafał Somla. Propositional dynamic logic of context-free programs and fixpoint logic with chop. Information Processing Letters, 100(2):72–75, 2006. doi:10.1016/J.IPL.2006.04.019.

[bib.bib22] [22] Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, Joseph Kiniry, Patrice Chalin, Daniel M. Zimmerman, and Werner Dietl. JML Reference Manual, May 2013. Draft revision 2344. URL: http://www.eecs.ucf.edu/˜leavens/JML//OldReleases/jmlrefman.pdf.

[bib.bib23] [23] Angelika Mader. Verification of modal properties using Boolean equation systems. PhD thesis, Technical University Munich, 1997.

[bib.bib24] [24] Markus Müller-Olm. A modal fixpoint logic with chop. In Theoretical Aspects of Computer Science (STACS 1999), volume 1563 of LNCS, pages 510–520, Berlin Heidelberg, 1999. Springer. doi:10.1007/3-540-49116-3_48.

[bib.bib25] [25] Keiko Nakata and Tarmo Uustalu. Trace-based coinductive operational semantics for While. In Theorem Proving in Higher Order Logics (TPHOLs), volume 5674 of LNCS, pages 375–390, Berlin Heidelberg, 2009. Springer. doi:10.1007/978-3-642-03359-9_26.

[bib.bib26] [26] Hanne Riis Nielson and Flemming Nielson. Semantics with Applications: An Appetizer. Undergraduate Topics in Computer Science. Springer, London, 2007. doi:10.1007/978-1-84628-692-6.

[bib.bib27] [27] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, Berlin Heidelberg, 2002. doi:10.1007/3-540-45949-9.

[bib.bib28] [28] David Michael Ritchie Park. Finiteness is mu-ineffable. Theoretical Computer Science, 3(2):173–181, 1976. doi:10.1016/0304-3975(76)90022-0.

[bib.bib29] [29] Gordon D. Plotkin. A structural approach to operational semantics. J. Log. Algebr. Program., 60–61:17–139, 2004.

[bib.bib30] [30] Damien Pous. Kleene algebra with tests and Coq tools for while programs. In Sandrine Blazy, Christine Paulin-Mohring, and David Pichardie, editors, Interactive Theorem Proving, 4th Intl. Conf. ITP, Rennes, France, volume 7998 of LNCS, pages 180–196. Springer, 2013. doi:10.1007/978-3-642-39634-2_15.

[bib.bib31] [31] Grigore Rosu. Matching logic. Logical Methods in Computer Science, 13(4), 2017. doi:10.23638/LMCS-13(4:28)2017.

[bib.bib32] [32] Colin Stirling. Modal and temporal logics. In Handbook of Logic in Computer Science (Vol. 2): Background: Computational Structures, pages 477–563, USA, 1993. Oxford University Press, Inc.

[bib.bib33] [33] Alfred Tarski. A lattice-theoretical fixedpoint theorem and its applications. Pacific Journal of Mathematics, 5:285–309, 1955.

[bib.bib34] [34] David von Oheimb. Hoare logic for Java in Isabelle/HOL. Concurrency and Computation: Practice and Experience, 13(13):1173–1214, 2001. doi:10.1002/CPE.598.

An Expressive Trace Logic for Recursive Programs

Abstract

Keywords and phrases:

Copyright and License:

2012 ACM Subject Classification:

Related Version:

DOI:

Event:

Editor:

Series and Publisher:

1 Introduction

2 The Programming Language Rec

Definition 2.1 (Rec Syntax).

Example 2.2.

Example 2.3.

▶ Remark 2.4.

Definition 2.5 (Rec SOS).

Definition 2.6 (Induced Finite-Trace Semantics).

3 A Denotational Finite-Trace Semantics for Rec

Definition 3.1 (Denotational Finite-Trace Semantics of Rec).

Example 3.2.

Theorem 3.3 (Correctness of Trace Semantics).

4 A Logic over Finite Traces

4.1 Syntax and Semantics of the Logic

Definition 4.1 (Logic Syntax).

Definition 4.2 (Logic Semantics).

Proposition 4.3 (Fixed Point Unfolding).

4.2 Binary Relations

Example 4.4.

4.3 Strongest Trace Formulas

Definition 4.5 (Strongest Trace Formula).

Example 4.6.

Example 4.7.

Theorem 4.8 (Characterisation of Strongest Trace Formula).

Definition 4.9 (Modal Equation System).

Example 4.10.

Lemma 4.11.

5 A Proof Calculus

5.1 Definition of the Calculus

Definition 5.1 (Calculus Syntax).

5.1.1 Rules

Example 5.2.

▶ Remark 5.3.

5.1.2 Semantics

Definition 5.4 (Calculus Semantics).

Corollary 5.5 (Strongest Trace Formula).

Proof.

5.2 Soundness and Relative Completeness of the Calculus

Theorem 5.6 (Soundness).

Theorem 5.7 (Existence of Canonical Proof).

Corollary 5.8 (Relative Completeness).

Proof.

6 From Trace Formulas to Programs

Example 6.1.

6.1 Rec Programs with Non-deterministic Choice

6.2 Canonical Programs

Definition 6.2 (Canonical Program).

Example 6.3.

Proposition 6.4.

Proposition 6.5.

Definition 6.6 (Stuttering Equivalence).

Theorem 6.7 (Characterisation of Canonical Program).

Corollary 6.8.

Proof.

7 Related Work

8 Future Work

8.1 Abstract Specifications and Extension of Recursive Programs

8.2 Proving Consequence of Trace Formulas

Example 8.1.

8.3 Non-terminating Programs

9 Conclusion

References

Appendix A Selected Proofs

A.1 Strongest Trace Formula

Proof of Lemma 4.11.

Case 𝑺=if⁢𝒃⁢then⁢𝑺𝟏⁢else⁢𝑺𝟐.

Case 𝑺=𝒎⁢().

Proof of Theorem 4.8.

Case 𝑺=𝒎⁢().

A.2 Soundness of the Calculus

$\blacktriangleright$ Remark 2.4.

$\blacktriangleright$ Remark 5.3.

Case $S=\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}$ .

Case $S=m()$ .

Case $S=m()$ .

Case $S=\mbox{\bf if}\ b\ \mbox{\bf then}\ S_{1}\ \mbox{\bf else}\ S_{2}$ .

Case $S=m()$ .

Case $\phi=p\land\psi$ .

Case $\phi=\phi_{1}\lor\phi_{2}$ .

Case $\phi=X$ .