Alignment Completeness for Relational Hoare Logics
aa r X i v : . [ c s . L O ] J a n Alignment Completeness for Relational Hoare Logics
Ramana Nagasamudram
Stevens Institute of Technology
David A. Naumann
Stevens Institute of Technology
Abstract —Relational Hoare logics (RHL) provide rules forreasoning about relations between programs. Several RHLsinclude a rule, Sequential-Product, that infers a relationalcorrectness judgment from judgments of ordinary Hoare logic(HL). A variety of other rules have been found useful inpractice, but Sequential-Product is relatively complete on itsown (with HL). As a more satisfactory way to evaluate RHLs,a notion of alignment completeness for rules is introduced, interms of the inductive assertion method and product automata.Alignment completeness results are given to account for severaldifferent sets of rules. Applying alignment completeness toricher languages and product notions may serve to guide thedesign of RHLs.
1. Introduction
A common task in programming is to ascertain whethera modified version of a program is equivalent to the orig-inal. For programs with deterministic results, equivalencecan be formulated simply: From any initial state, if bothprograms terminate then their final states are the same.This termination-insensitive property is akin to partial cor-rectness: A program c satisfies P ❀ Q if its terminatingexecutions from initial states that satisfy P end in states thatsatisfy Q . To relate programs c and d , use binary relations R , S over states: c and d satisfy R ≈ > S if pairs of theirterminating executions, from R -related initial states, end in S -related states. For program equivalence, take R and S tobe the identity on states.Hoare logics (HL) provide sound rules to infer cor-rectness judgments c : P ❀ Q , conventionally written { P } c { Q } , for various programming languages. In this pa-per we confine attention to simple imperative commands andfocus on Relational Hoare logics (RHL) which provide rulesto infer judgments which we write as c | d : R ≈ > S . Suchproperties go beyond program equivalence. Using primedvariables to refer to the second of two related states, thejudgment c | d : x = x ′ ≈ > y < y ′ expresses that whenrun from states that agree on the initial value of x , the finalvalue of y produced by c is less than the final value of y from d . As another example, c | c : x = x ′ ≈ > y = y ′ relates c to itself and says that the final value of y is determined bythe initial value of x . Such dependency properties arise inmany contexts including compiler optimization and securityanalysis which motived early work on RHL [1]. Partially supported by NSF CNS 1718713Partially supported by NSF 1718713 and ONR N00014-17-1-2787
Suppose the variables of d are disjoint from those of c . For example let d be a copy of c with all the vari-ables renamed by adding primes. Then a relation on statesamounts to a predicate on primed and unprimed variablesas in the preceding informal notation. Moreover terminatedexecutions of ( c ; d ) are in bijection with pairs of terminatedexecutions of c and d . Put differently, c ; d serves as aproduct program, much like products in automata theory.The product program lets us prove relational propertiesusing HL, but in general the technique is unsatisfactory.As an example, consider the simple program c in Fig. 1which computes in z the factorial of x . Let c ′ be arenamed copy, so determinacy of c can be expressed by x = x ′ ❀ z = z ′ . To prove c c ′ : x = x ′ ❀ z = z ′ in HL we need the assertion z = x ! ∧ x = x ′ at thesemicolon, to get z = x ! ∧ z ′ = x ′ ! ∧ x = x ′ following c ′ , from which z = z ′ follows. The spec x = x ′ ❀ z = z ′ involves nothing more than equalities, yet the proof requiresnonlinear arithmetic. This illustrates the general problemthat the technique requires strong functional properties andnontrivial loop invariants (famously observed in [2]).There is a simple way to prove c | c ′ : x = x ′ ≈ > z = z ′ . Consider the execution pairs to be aligned step-by-step, and note that at each aligned pair of states we have y = y ′ ∧ z = z ′ , given x = x ′ initially. RHLs feature rulesfor compositional reasoning about subprograms, enablingus to use simple assertions with alignment of computationsexpressed in terms of syntax. For example, from judgments y := x | y ′ := x ′ : x = x ′ ≈ > y = y ′ and z := 1 | z ′ := 1 : y = y ′ ≈ > ( y = y ′ ∧ z = z ′ ) infer that y := x ; z := 1 | y ′ := x ′ ; z ′ := 1 : ( x = x ′ ) ≈ > ( y = y ′ ∧ z = z ′ ) . A number ofRHLs have appeared in the literature, but even for the simpleimperative language we see no convergence on a commoncore set of rules. Besides closely “synchronized” rules likethe sequence rule for the preceding inference (see D S EQ inFig. 9), there are sound rules to relate a command to skip(Fig. 11) or to a differently-structured command.The touchstone for Hoare logics is Cook’s complete-ness theorem [3] which says any true correctness judgment c : P ❀ Q can be derived using the rules. To be precise,HL relies on entailments between assertions and the rulesare complete relative to completeness of assertion reason-ing. Moreover, completeness requires expressiveness of theassertion language, meaning that weakest preconditions canbe expressed, for whatever types of data are manipulatedby the program [4]. These considerations, however, are notimportant for the ideas in this paper. We follow the commonpractice of treating assertions and their entailments semanti-
0: (* z := x! *) y := x; z := while y = do z := z*y; y := y − od c1: (* z := 2 x *) y := x; z := while y = do z := z*2; y := y − od c2: (* z := x! *) y := x; z :=
1; w := while y = do if w % then z := z*y; y := y − fi ; w := w+1 od c3: (* z := 2 x *) y := x; z :=
1; w := while y = do if w % then z := z*2; y := y − fi ; w := w+1 od Figure 1. Example programs (where % is modulo). cally [5] (i.e., by shallow embedding in our metalanguage).RHLs often feature a rule we dub “sequential product”,which infers c | c ′ : R ≈ > S from the HL judgment c ; c ′ : R ❀ S , formalizing the idea of product program. Itis a useful rule, to complement the rules for relational judg-ments about similarly-structured programs. For example, inthe regression verification [6] scenario with which we began,i.e., equivalence between two versions of a program, same-structure rules can be used to relate the unchanged parts,while sequential product can be used for the revised partsif they differ in control structure. But there is a problem.Consider the logic comprised of the sequential product ruletogether with a sound and complete HL. This is complete,in the sense of Cook, for relational judgments! The problemis well known to RHL experts. Completeness is the usualmeans to determine a sufficient and parsimonious set ofinference rules, but Cook completeness fails to discriminatebetween a RHL that supports compositional proofs usingfacts about aligned subprograms and an impoverished RHLwith only sequential product. The conceptual contribution of this paper is the notion ofalignment completeness, which discriminates between rulesin terms of different classes of alignments. The technicalcontributions are four alignment completeness theorems, forrepresentative collections of RHL rules.
To explain the idea our first step is to revisit Floyd-Hoarelogic. Floyd [7] made precise the inductive assertion method(IAM) already evident in work by Turing [8] (see [9]). Toprove P ❀ Q by IAM, provide assertions at control pointsin the program, at least P at the initial point and Q atprogram exit. We call this an annotation ; it is familiar toprogrammers in the form of assert statements, and gives riseto verification conditions. A valid annotation is one wherethe verification conditions are true and every loop in controlflow is “cut” by an annotation. A valid annotation constitutesa proof by induction. HL is complete in a sense that we call Floyd completeness : For any valid annotation of a program c for a spec P ❀ Q , there is a HL proof of c : P ❀ Q using only judgments of the form b : R ❀ S with b rangingover subprograms of c and R, S the assertions annotatingthe entry and exit points of b . Now consider relating two programs. An annotationshould attach relations to designated pairs of points inthe control flow of the two programs. For the exampleof c | c ′ : x = x ′ ≈ > z = z ′ , choose pairs at thelockstep positions, and the abovementioned conjunctions ofequalities. Validity of an annotation is defined in terms ofexecution pairs aligned in accord with the designated pairs
1. The precise result depends on details of the HL rules and mayrequire mildly adjusted judgments in addition to those directly given bythe annotation; see Prop. 6. of control points: at aligned steps, the asserted relations hold.To make alignment precise we use product automata. A setof RHL rules is then alignment complete , for a given classof alignment automata, if for any valid annotated automatonthere is a derivation using the rules and only the judgmentsassociated with the annotated automaton.
This paper formalizes the idea and gives some represen-tative results of this kind: for sequential product, for strictlockstep, and also for data-dependent alignment of loopiterations. To see the need for the latter, consider program c in Fig. 1, in which some iterations have no effect on y or z . We can prove c is equivalent to c , or rather c | c x = x ′ ≈ > z = z ′ , using only simple equalitiesand without reasoning about factorial, provided the effectfuliterations are aligned lockstep, while the gratuitous iterationsof c (when w is odd) proceed with c considered to bestationary.The notion of Floyd completeness should be no surpriseto readers familiar with Floyd-Hoare logic or related topicslike software model checking. But the authors are unawareof an explicit result of this form. A related idea is proof out-line logic [4], [10], which formalizes commands with correctembedded assertions. Rules for proof outlines embody theverification conditions familiar from the IAM which implyan annotation is valid. In addition to showing Cook-stylesoundness and completeness results for a proof outline logic,Apt et al. prove a “strong soundness” theorem [4, Thm. 3.3]which says that if the program’s proof outline is provablethen in any execution each assertion is true when controlis at that point. The converse would be a way to formalizeFloyd completeness. Strong soundness is phrased in termsof transition semantics (small steps). By contrast, the factthat reasoning in HL is compositional in terms of controlstructure is beautifully reflected in proofs of soundness and(Cook) completeness based on denotational semantics [4].In this paper we only consider rules that are sound, inthe usual sense, and we have no need to formalize alignmentsoundness. Outline.
Sec. 2 lays the groundwork by spelling out Floydcompleteness for HL, in terms of automata with explicitcontrol points, including automata based on small-step se-mantics of labelled commands. Sec. 3 formalizes productautomata: ways in which automata A and A ′ can be com-bined into an automaton on pairs of states and serving torepresent aligned steps of two computations.Sec. 4 gives the first alignment completeness theo-rem: Given a valid annotation of a product automaton for c | c ′ : P ≈ > Q that executes c to termination and thenexecutes c ′ , there is a proof of the judgment using just thesequential product rule ( S EQ P ROD ) and the rules of HL —2nd using only judgments for subprograms with pre- andpostconditions given by the annotation.Sec. 5 gives the alignment completess theorem for lock-step alignment: if c | c ′ : P ≈ > Q is witnessed by suchan alignment with valid annotation, then it can be provedwithout HL, using just the RHL rules that relate same-structured programs (see Fig. 9). And again the judgmentsused are those associated with the annotation, for examplejust the simple equalities mentioned in connection withexample c . The S EQ P ROD rule involves renaming identifiersin order to encode two computations as one, but our productconstructions and RHL rules do not require programs toact on distinct variables. We continue to use primes onmetavariables to aid the reader, but introduce notations like x ¨= x to express equality of the values of x in two stateswith the same variables.The theorem of Sec. 6 accounts for the combination of S EQ P ROD with the lockstep RHL rules. This and the preced-ing results are for alignments that can be described in termsof which control points are aligned. Sec. 7 accounts for data-dependent alignment of loop iterations, using a RHL ruledue to Beringer [11]. Our fourth alignment completenesstheorem is for a logic including that rule together withlockstep rules but not S EQ P ROD . As a worked example weshow that c majorizes c for sufficiently large x .Sec. 8 discusses related work and open questions. Ouralignment completeness results are for deliberately simplenotions of alignment that can be formulated in terms ofsimple product constructions, which are well matched toRHL rules in the literature. Some recent works on relationalverification use alignments that can be understood as moresophisticated product automata for which alignment com-plete rules remain to be identified. Appendix Sec. 9 provides proofs and additional details.
2. Preliminaries: unary correctness
In order to connect Floyd’s theory with Hoare’s weformulate the IAM in terms of transition systems with anexplicit finite control flow graph (CFG). We consider ordi-nary program syntax, with a standard structural operationalsemantics and Hoare logic, but with labels used to definethe transition system of a given “main program”.
Floyd automata, specs and correctness. An automaton isa tuple ( Ctrl, Sto, init , fin , ) where Sto is a set (the datastores),
Ctrl is a finite set (the control points) that containsdistinct elements init and fin , and
7→ ⊆ ( Ctrl × Sto ) × ( Ctrl × Sto ) is the transition relation. We require ( n, s ) ( m, t ) to imply n = fin and n = m and call these the finality and non-stuttering conditions respectively. Absenceof stuttering loses no generality and facilitates definitionsinvolving product automata. Let s, t range over stores and n, m over control points.A pair ( n, s ) is called a state and we write ctrl , stor for theleft and right projections on states. A trace of an automatonis a non-empty sequence of states, consecutive under thetransition relation. A trace τ is terminated provided τ is finite and ctrl ( τ − ) = fin , where τ − denotes the last stateof τ . An initial trace is one such that ctrl ( τ ) = init . Weallow traces of length one, in which case τ − = τ , but aterminated initial trace has plural length because init = fin .To streamline the formal development, we treat predi-cates semantically, i.e., as sets of stores. We define s | = P iff s ∈ P and define ( n, s ) | = P iff s | = P .Let us spell out two semantics for specs in terms ofan automaton A . The basic semantics is as follows. For afinite initial trace τ to satisfy P ❀ Q means that τ | = P and ctrl ( τ − ) = fin implies τ − | = Q , in which casewe write τ | = P ❀ Q . Then A satisfies P ❀ Q , written A | = P ❀ Q , just if all its finite initial traces do. For non-stuck semantics there are two conditions: (i) τ | = P and ctrl ( τ − ) = fin implies τ − | = Q , and (ii) τ | = P and ctrl ( τ − ) = fin implies τ −
7→ − , where τ −
7→ − means there is at least one successor state. A state with nosuccessor is called stuck . Non-final stuck states are oftenused to model runtime faults. Again A satisfies P ❀ Q justif all its finite initial traces do. Non-stuck is important inpractice and we shall consider it in passing but for clarityour main development is for basic semantics.For an automaton A , define CFG ( A ) to be the rooteddirected graph with vertices Ctrl , root init , and an edge n → m iff ∃ s, t. ( n, s ) ( m, t ) . For our purposes CFGs areunlabelled; we write n → m for ( n, m ) to avoid confusionwith various other uses of pairs. A path is a non-emptysequence of vertices that are consecutive under the edgerelation. By mapping the first projection ( ctrl ) over a trace τ of A we get its control path , cpath ( τ ) , i.e., the sequenceof control points in τ .A cutpoint set for A is a set K ⊆ Ctrl with init ∈ K and fin ∈ K , such that every cyclic path in CFG ( A ) contains an element of K . Define segs ( A, K ) , the segments for K , to be the finite paths between cutpoints that have nointermediate cutpoint. Formally, vs ∈ segs ( A, K ) iff vs isfinite, len ( vs ) > , vs ∈ K , vs − ∈ K , and ∀ i. < i
Let an be a validannotation of A with K , for P ❀ Q . Then(a) In any initial trace τ of A such that τ | = P , at anyposition i , ≤ i < len ( τ ) , we have ctrl ( τ i ) ∈ K ⇒ τ i | = an ( ctrl ( τ i )) .(b) A | = P ❀ Q . Proposition 2 (completeness of IAM).
Suppose A | = P ❀ Q and let K be a cutpoint set. Then there is an annota-tion on K that is valid.A full annotation of an automaton is one where thecutpoint set is all control points. Using strongest postcondi-tions, including disjunction at control joins, one can showthe following. Lemma 3.
Any valid annotation can be extended to a fullannotation that is valid.
Labelled commands.
A few tedious but routine technicaldetails need to be spelled out in order to precisely formulatethe main results. Hoare logic is about programs; to makeconnections with automata use syntax with labels n ∈ Z : c ::= skip n | x := n e | c ; c | c ⊔ n c | if n e then c else c fi | while n e do c od
2. For relation R on states and set X of states, pre ( R )( X ) = { α |∀ β. αRβ ⇒ β ∈ X } and post ( R )( X ) = { β | ∃ α. α ∈ X ∧ αRβ } . s ( e ) = 0 h if n e then c else d fi , s i _ h c, s i s ( e ) = 0 h if n e then c else d fi , s i _ h d, s i s ( e ) = 0 h while n e do c od , s i _ h c ; while n e do c od , s i s ( e ) = 0 h while n e do c od , s i _ h skip − n , s i h c, s i _ h d, t ih c ; b, s i _ h d ; b, t ih x := n e, s i _ h skip − n , [ s | x : s ( e )] i h skip n ; c, s i _ h c, s ih c ⊔ n d, s i _ h c, s i h c ⊔ n d, s i _ h d, s i Figure 4. Command semantics (with n ranging over Z ). where metavariable x ranges over a set Var of variable namesand e ranges over integer expressions. The form c ⊔ n d is for nondeterministic choice. We also use metavariables b, d, c ′ , . . . for commands.Let lab ( c ) be the label of command c , defined recursivelyin the case of sequence: lab ( c ; d ) = lab ( c ) . Let labs ( c ) be theset of labels that occur in c . The label of a command can beunderstood as its entry point. We focus on programs of theform c ; skip fin where fin ∈ N serves as the exit label for c .Such a program can take at least one step, even if c is justskip; this fits with our formulation of automata.Negative labels are used in the transition semantics, butfor most purposes we are concerned with “source programs”which are required to have unique, non-negative labels.This is formalized by the predicate ok ( c ) defined straight-forwardly. Fig. 2 gives example labelled commands. Thetransition semantics is standard except for the manipulationof labels, which is done in a way that facilitates definitions tocome later. The transition semantics makes use of negativelabels and non-unique labels.As in the discussion of automata, let s and t rangeover stores —but here we use variable stores , i.e., totalmappings from Var to Z . We write [ s | x : i ] for the storelike s but mapping x to i . A configuration h c, s i pairs alabelled command with a store, and we let ctrl h c, s i = c and stor h c, s i = s .The transition relation _ is defined in Fig. 4. In a con-figuration reached from an ok command, the only negativelabels are those introduced by the transitions for assignmentand while, which introduce negative labels on skip com-mands. For while, one transition rule duplicates the loopbody, creating non-unique labels. For every c, s , either h c, s i c is skip n for some n ∈ Z .Assume integer expressions are everywhere defined, soconfigurations are not stuck under _ unless the programis a single skip. The only stuck states of aut ( c ; skip fin ) areterminated ones. The automaton of a program. If ok ( c ) and m ∈ labs ( c ) ,let sub ( m, c ) be the sub-command of c with label m . Forexample, consider c in Fig. 2, then sub (2 , c is z := and sub (3 , c is while y = 0 do . . . od . To manipulatethe CFG of a program of the form c ; skip fin that is ok (so, fin / ∈ labs ( c ) ), we define functions fsuc and elab .For motivation, the control flow successors of the loop, sub (3 , c , in c skip are 3 and 6. Whereas 3 is inside c , 6 is not. We call 6 the following successor , given by fsuc (3 , c , . In general, fsuc ( n, c, f ) is defined, by recursionon c , when ok ( c ) , n ∈ labs ( c ) , and f ∈ N \ labs ( c ) .For subcommand b of c we define elab ( b, c, fin ) to be theexit label, i.e., the label to which control goes after anypath through b . In case b is a conditional, loop, choice,assignment or skip, let elab ( b, c, fin ) = fsuc ( lab ( b ) , c, fin ) .In case b is a sequence b ; b , let elab ( b, c, fin ) = elab ( b , c, fin ) , i.e., the exit of a sequence is the exit ofits last command. For example, fsuc ( sub (3 , c , c ,
6) = 6 and fsuc ( sub (5 , c , c ,
6) = 3 . For another example, let c be if x > then x := x − y := x else skip fi .Then fsuc (2 , c,
5) = 3 and fsuc (1 , c,
5) = fsuc (3 , c,
5) = fsuc (4 , c,
5) = 5 .Now we can define the CFG for an ok program c ; skip fin ,and with this in mind define an automaton with the sameCFG to represent the program. The nodes of the CFG are thecontrol points { fin } ∪ labs ( c ) . There is no successor of fin .For n ∈ labs ( c ) there are one or two successors, describedby cases on sub ( n, c ) : sub ( n, c ) successor(s) of nx := n e n → fsuc ( n, c, fin ) skip n n → fsuc ( n, c, fin ) if n e then d else d fi n → lab ( d ) and n → lab ( d ) d ⊔ n d n → lab ( d ) and n → lab ( d ) while n e do d od n → lab ( d ) and n → fsuc ( n, c, fin ) The automaton of an ok program c ; skip fin , written aut ( c ; skip fin ) , is ( labs ( c ) ∪ { fin } , ( Var → Z ) , lab ( c ) , fin , ) where ( n, s ) ( m, t ) iff either • ∃ d. h sub ( n, c ) , s i _ h d, t i ∧ lab ( d ) ≥ ∧ m = lab ( d ) , • ∃ d. h sub ( n, c ) , s i _ h d, t i ∧ lab ( d ) < ∧ m = fsuc ( n, c, fin ) , or • sub ( n, c ) = skip n ∧ m = fsuc ( n, c, fin ) ∧ t = s The first two cases use the semantics of Fig. 4 for a sub-command on its own. The third case handles skip which, onits own, would be stuck, but which should take a step whenit occurs as part of a sequence.For any traces τ via _ and υ via , define τ ≍ υ iff len ( τ ) = len ( υ ) and stor ( τ i ) = stor ( υ i ) and lab ( ctrl ( τ i )) = ctrl ( υ i ) , for all i , ≤ i < len ( τ ) .
3. Formally the definition of elab is by recursion on its first argument.We can define elab as a function of b because unique labels rules outmultiple occurrences of a subprogram. And it needs to be a function ofcommand b , not its label, to handle sequences. Lemma 4.
Suppose ok ( c ; skip n ) . Let A be aut ( c ; skip n ) andlet s be a store.(i) For any trace τ from h c ; skip n , s i via _ , there is atrace υ of A from ( lab ( c ) , s ) via , such that τ ≍ υ .(ii) For any trace υ of A from ( lab ( c ) , s ) via , thereis a trace τ from h c ; skip n , s i via _ , such that τ ≍ υ .For a full annotation, the segments are exactly the pathsof length two, i.e., the edges of the CFG. This enables astraightforward description of the VCs for the automatonof a program (not unlike the VCs given by Floyd [7] forflowchart programs). Lemma 5 (VCs for programs).
Consider an ok program c ; skip fin and a full annotation an of its automaton. Foreach control edge n → m , the verification condition (1)can be expressed as in Fig. 5.The conditions are expressed by cases on the command sub ( n, c ) and its control successor. They are derived straight-forwardly from the semantic definitions. Although we aretreating assertions as sets of stores, we use formula notationslike ∧ and ⇒ , rather than ∩ and ⊆ , for clarity. We write an ( n ) ∧ e to abbreviate an ( n ) ∩ { s | s ( e ) = 0 } . Fora set P of program stores, we use substitution notation P xe with standard semantics: s ∈ P xe iff [ s | x : s ( e )] ∈ P .So the weakest precondition of an assignment is given bysubstitution. Floyd completeness of Hoare Logic.
Fig. 6 gives the rulesof HL. We write ⊢ to indicate derivability using the rules.As usual, the semantics is that for all s, t , if s | = P and h c, s i _ ∗ h skip n , t i then t | = Q . We write this as | = c : P ❀ Q . As is well known, the rules are sound: ⊢ c : P ❀ Q implies | = c : P ❀ Q .A direct corollary of Lemma 4 is that if ok ( c ; skip f ) then aut ( c ; skip f ) | = P ❀ Q iff | = c ; skip f : P ❀ Q . The trailingskip loses no generality. By semantics, | = c ; skip f : P ❀ Q iff | = c : P ❀ Q . In terms of proofs, the two are equi-derivable.Given a valid annotation for aut ( c ; skip fin ) and P ❀ Q ,by Prop. 1 we have aut ( c ; skip fin ) | = P ❀ Q , so by thecorollary of Lemma 4 we have | = c ; skip fin : P ❀ Q andthus | = c : P ❀ Q . So by the standard completeness resultfor HL [3], [4] there is a proof of c : P ❀ Q . The ideaof Floyd completeness is that from a valid annotation an one may obtain a proof that essentially uses only judgmentsgiven directly by the annotation. Define the associated judg-ments of an and aut ( c ; skip fin ) to be • for subprograms b of c , the judgments b : an ( lab ( b )) ❀ an ( elab ( b, c, fin )) (2) • b : an ( lab ( b )) ∧ e ❀ an ( elab ( b, c, fin )) where b is thebody of a loop, or then-branch of a conditional, with test e ; • b : an ( lab ( b )) ∧ ¬ e ❀ an ( elab ( b, c, fin )) where b is theelse-branch of a conditional with test e ; • b : an ( lab ( b )) ❀ an ( lab ( b )) ∧ ¬ e where b is the body ofa loop with guard e ; and5 f b = sub ( n, c ) is. . . and n → m in CFG is. . . then the VC is equivalent to. . . skip n m = elab ( b, c, fin ) an ( n ) ⇒ an ( m ) x := n e m = elab ( b, c, fin ) an ( n ) ⇒ an ( m ) xe if n e then d else d fi m = lab ( d ) an ( n ) ∧ e ⇒ an ( m ) if n e then d else d fi m = lab ( d ) an ( n ) ∧ ¬ e ⇒ an ( m ) while n e do d od m = lab ( d ) an ( n ) ∧ e ⇒ an ( m ) while n e do d od m = elab ( b, c, fin ) an ( n ) ∧ ¬ e ⇒ an ( m ) d ⊔ n d m is lab ( d ) or lab ( d ) an ( n ) ⇒ an ( m ) Figure 5. VCs for the automaton of a program c ; skip fin and full annotation an . S KIP skip : P ❀ P A SS x := e : P xe ❀ P S EQ c : P ❀ R d : R ❀ Qc ; d : P ❀ Q I F c : P ∧ e ❀ Q d : P ∧ ¬ e ❀ Q if e then c else d fi : P ❀ Q W H c : P ∧ e ❀ P while e do c od : P ❀ P ∧ ¬ e C HOICE c : P ❀ Q d : P ❀ Qc ⊔ d : P ❀ Q C ONSEQ P ⇒ R c : R ❀ S S ⇒ Qc : P ❀ Q Figure 6. Rules of HL (command labels elided). • x := n e : an ( m ) xe ❀ an ( m ) where m = elab ( x := n e, c, fin ) . Proposition 6 (Floyd completeness).
Consider an ok pro-gram c ; skip fin . Suppose an is a valid full annotation of aut ( c ; skip fin ) for P ❀ Q . Then there is a HL proof of c : P ❀ Q using only the associated judgments of an .Note that Cook completeness, i.e., | = c : P ❀ Q implies ⊢ c : P ❀ Q , follows from Prop. 6 and Prop. 2.To prove the Proposition, we first prove that ⊢ b : an ( lab ( b )) ❀ an ( elab ( b, c, fin )) (3)for every subprogram b of c . The claim (3) is proved bystructural induction on c . In each case, we use one instanceof the syntax-directed rule for b , and in some cases also C ON - SEQ . The base cases are the assignments and skip commandsin c . For such a command b , let m = elab ( b, c, fin ) . • If b is skip n , we have ⊢ skip n : an ( m ) ❀ an ( m ) by rule S KIP , and Lemma 5 gives an ( n ) ⇒ an ( m ) (using validityof an ), so by C ONSEQ we get ⊢ skip n : an ( n ) ❀ an ( m ) • if b is x := n e , we have ⊢ x := n e : an ( m ) xe ❀ an ( m ) by rule A SS , and Lemma 5 gives an ( n ) ⇒ an ( m ) xe , so by C ONSEQ we get ⊢ x := n e : an ( n ) ❀ an ( m ) The induction step is as follows (other cases in Appendix). • If b is the sequence b ; b , by induction wehave ⊢ b : an ( lab ( b )) ❀ an ( elab ( b , c, fin )) and ⊢ b : an ( lab ( b )) ❀ an ( elab ( b , c, fin ) .We have elab ( b , c, fin ) = lab ( b ) and elab ( b ; b , c, fin ) = elab ( b , c, fin ) , so by S EQ weget ⊢ b : an ( lab ( b )) ❀ an ( elab ( b, c, fin )) . • If b is if n e then d else d fi , by inductionwe have ⊢ d : an ( lab ( d ) ❀ an ( elab ( d , c, fin )) and ⊢ d : an ( lab ( d ) ❀ an ( elab ( d , c, fin )) .Lemma 5 gives an ( n ) ∧ e ⇒ an ( lab ( d )) and an ( n ) ∧ ¬ e ⇒ an ( lab ( d )) so by Conseq weget ⊢ d : an ( n ) ∧ e ❀ an ( elab ( d , c, fin )) and ⊢ d : an ( n ) ∧ ¬ e ❀ an ( elab ( d , c, fin )) . By definitionswe have elab ( b, c, fin ) = elab ( d , c, fin ) = elab ( d , c, fin ) .So rule I F yields ⊢ b : an ( n ) ❀ an ( elab ( b, c, fin ) .To prove the Proposition we instantiate (3) with c it-self, to get ⊢ c : an ( lab ( c )) ❀ an ( elab ( c, c, fin )) . Now init = lab ( c ) by definition of aut ( c ; skip fin ) , and an is anannotation for P ❀ Q , so an ( lab ( c )) = an ( init ) = P and an ( elab ( c, c, fin )) = an ( fin ) = Q . Thus we have obtained ⊢ c : P ❀ Q , highlighting the associated judgments, q.e.d.One can dispense with all forms of associated judgmentexcept (2) by reformulating some of the HL rules to moredirectly match the judgments of a valid annotation so rule C ONSEQ becomes unnecessary, with requisite implicationsadded as side conditions of the syntax-directed rules. Forexample, the assignment rule infers x := e : P ❀ Q withcondition P ⇒ Q xe . We choose to formulate our results to fitusual presentations of HL and RHL in the literature, at thecost of some clutter in the definition of associated judgment.In the rest of the paper, we assume without mention thatall considered programs satisfy ok .
3. Relational judgments and product automata
Let A = ( Ctrl, Sto, init , fin , ) and A ′ =( Ctrl ′ , Sto ′ , init ′ , fin ′ , ′ ) be automata. A relational spec R ≈ > S is comprised of relations R and S from Sto to Sto ′ .We write s, s ′ | = R iff ( s, s ′ ) ∈ R and ( n, s ) , ( n ′ , s ′ ) | = R iff s, s ′ | = R . Finite traces τ of A and τ ′ of A ′ satisfy R ≈ > S , written τ, τ ′ | = R ≈ > S , just if τ , τ ′ | = R , ctrl ( τ − ) = fin , and ctrl ( τ ′− ) = fin ′ implies τ − , τ ′− | = S . The pair A, A ′ satisfies R ≈ > S , written A | A ′ | = R ≈ > S ,just if all pairs of finite initial traces do.In passing we will consider the non-stuck semanticsof relational specs : in addition to the above conditions, itrequires, for all finite initial τ, τ ′ such that τ , τ ′ | = R , that ctrl ( τ − ) = fin implies τ −
7→ − and ctrl ( τ ′− ) = fin ′ implies τ ′− ′ − .6n casual examples, we use primed identifiers in specsto refer to the second execution. More formally we usethe following notations. For program expressions, e ¨= e ′ denotes the relation { ( s, s ′ ) | s ( e ) = s ′ ( e ′ ) } which wecall agreement . For example, x ¨= x ≈ > z ¨= z expressesthat the final value of z is determined by the initial valueof x . Owing to our use of non-zero integers to representtruth (in semantics Fig. 4), we also need a different form, e ˚= e ′ , to express agreement on truth value; it denotes { ( s, s ′ ) | s ( e ) = 0 iff s ′ ( e ′ ) = 0 } . We also write h [ e h ] forthe set { ( s, t ) | s ( e ) = 0 } and [ i e ] i for { ( s, t ) | t ( e ) = 0 } .In the presence of nondeterminacy, the ∀∀ -propertiesexpressed by specs R ≈ > S are not the only properties ofinterest. For example, the program l := l +1 ⊔ l := l +2 doesnot satisfy l ¨= l ≈ > l ¨= l , but it does satisfy the “possibilisticnoninterference” property that for any two stores s, s ′ thatagree on l , and any run from s , there exists a run from s ′ with the same final value for l . ∀∃ -properties like thisare beyond the scope of this paper. The nondeterministicprogram ( h := 0 ⊔ h := 1); l := l + 1 does satisfy l ¨= l ≈ > l ¨= l .A product of automata A and A ′ is meant to representa chosen alignment of steps of A with steps of A ′ . In manycases, the control points of a product are pairs ( n, m ) fromunderlying automata, but we continue to use identifiers n, m for control points regardless of their type.A product of A and A ′ is an automaton Π A,A ′ of theform ( C, ( Sto × Sto ′ ) , i, f, Z ⇒ ) , together with functions lt : C → Ctrl and rt : C → Ctrl ′ such that the following hold:First, lt ( i ) = init , rt ( i ) = init ′ , lt ( f ) = fin , and rt ( f ) = fin ′ .Second, ( n, ( s, s ′ )) Z ⇒ ( m, ( t, t ′ )) implies either • ( lt ( n ) , s ) ( lt ( m ) , t ) and ( rt ( n ) , s ′ ) ′ ( rt ( m ) , t ′ ) , • ( lt ( n ) , s ) ( lt ( m ) , t ) and ( rt ( m ) , s ′ ) = ( rt ( m ) , t ′ ) , or • ( lt ( n ) , s ) = ( lt ( m ) , t ) and ( rt ( n ) , s ′ ) ′ ( rt ( m ) , t ′ ) The second condition says each step of the productrepresents a step of A , a step of A ′ , or both. Forstates of Π A,A ′ , define left ( n, ( s, s ′ )) = ( lt ( n ) , s ) and right ( n, ( s, s ′ )) = ( rt ( n ) , s ′ ) . We extend left and right totraces of Π A,A ′ by left ( T ) = destutter ( map ( left , T )) and right ( T ) = destutter ( map ( right , T )) . Observe that left ( T ) is atrace of A and right ( T ) a trace of A ′ .A product is R -adequate if it covers all terminated initialtraces from R -states: For all terminated initial traces τ of A and τ ′ of A ′ such that τ , τ ′ | = R , there is a trace T of Π A,A ′ with τ = left ( T ) and τ ′ = right ( T ) . A product is adequate if it is adequate for all initial pairs of states (true-adequate). A product is strongly R -adequate if it coversprefixes of diverging traces, in addition to terminated ones,that is: For all finite initial traces τ, τ ′ of A, A ′ such that τ , τ ′ | = R , there is a trace T of Π A,A ′ such that τ (cid:22) left ( T ) and τ ′ (cid:22) right ( T ) , where (cid:22) means prefix. Moreover, it doesnot have one-sided divergence : there is no infinite trace T ,with T | = R , with i such that left ( T j ) = left ( T i ) for all j > i , or right ( T j ) = right ( T i ) for all j > i . Note that strong R -adequacy implies R -adequacy.Here are some products defined for arbitrary A, A ′ ,taking C to be Ctrl × Ctrl ′ and lt , rt to be fst , snd . only-lockstep . (( n, n ′ ) , ( s, s ′ )) Z ⇒ olck (( m, m ′ ) , ( t, t ′ )) iff ( n, s ) ( m, t ) and ( n ′ , s ′ ) ′ ( m ′ , t ′ ) . eager-lockstep . (( n, n ′ ) , ( s, s ′ )) Z ⇒ elck (( m, m ′ ) , ( t, t ′ )) iff (( n, n ′ ) , ( s, s ′ )) Z ⇒ olck (( m, m ′ ) , ( t, t ′ )) iff or n = fin and ( n ′ , s ′ ) ′ ( m ′ , t ′ ) and ( n, s ) = ( m, t ) , or n ′ = fin ′ and ( n, s ) ( m, t ) and ( n ′ , s ′ ) = ( m ′ , t ′ ) left-only . (( n, n ′ ) , ( s, s ′ )) Z ⇒ lo (( m, m ′ ) , ( t, t ′ )) iff ( n, s ) ( m, t ) and ( n ′ , s ′ ) = ( m ′ , t ′ ) . right-only . (( n, n ′ ) , ( s, s ′ )) Z ⇒ lo (( m, m ′ ) , ( t, t ′ )) iff ( n, s ) = ( m, t ) and ( n ′ , s ′ ) ′ ( m ′ , t ′ ) . interleaved . The union Z ⇒ lo ∪ Z ⇒ ro . sequential . (( n, n ′ ) , ( s, s ′ )) Z ⇒ seq (( m, m ′ ) , ( t, t ′ )) iff n ′ = init ′ and (( n, n ′ ) , ( s, s ′ )) Z ⇒ lo (( m, m ′ ) , ( t, t ′ )) , or n = fin and (( n, n ′ ) , ( s, s ′ )) Z ⇒ ro (( m, m ′ ) , ( t, t ′ )) . conditioned . Given subsets L, R, J of Ctrl × Ctrl ′ , define (( n, n ′ ) , ( s, s ′ )) Z ⇒ cnd (( m, m ′ ) , ( t, t ′ )) iff ( n, n ′ ) ∈ L and (( n, n ′ ) , ( s, s ′ )) Z ⇒ lo (( m, m ′ ) , ( t, t ′ )) , or ( n, n ′ ) ∈ R and (( n, n ′ ) , ( s, s ′ )) Z ⇒ ro (( m, m ′ ) , ( t, t ′ )) , or ( n, n ′ ) ∈ J and (( n, n ′ ) , ( s, s ′ )) Z ⇒ olck (( m, m ′ ) , ( t, t ′ )) . As an example of the conditioned form, the lockstep-control product restricts only-lockstep to additionally require thetwo executions to follow the same control path (so it hasa linear number of control points whereas only-lockstep hasquadratic). This can be described by taking L = R = ∅ and defining the condition for joint steps by ( n, n ′ ) ∈ J iff n = n ′ . The reader can check that the conditioned formsubsumes the others listed above.The only-lockstep form is not adequate, in general,because a terminated state or stuck state can be reached onone side before the other side terminates. But even lockstep-control can be R -adequate in some cases, e.g., let R beequality of stores and A = A ′ , then lockstep-control is R -adequate if A is deterministic.The interleaved product is strongly adequate—but notvery helpful, since so many pairs of control points arereachable. The sequential form is adequate but not stronglyadequate: if τ is a finite prefix of a divergent trace, and τ ′ has length > , the sequential product never finishes on theleft and so does not cover τ ′ .Eager-lockstep is adequate, and strongly adequate if theunderlying automata have no stuck states. It shows the needfor prefix in the definition of strong adequacy: if τ is shorterthan τ ′ , the automaton needs to extend τ by further stepsin order to cover τ ′ . Auxiliary control state can be used toensure strong adequacy. The alternating product has C = Ctrl × Ctrl ′ × { , } with lt ( n, n ′ , i ) = n and rt ( n, n ′ , i ) = n ′ . Let (( n, n ′ , i ) , ( s, s ′ )) Z ⇒ alt (( m, m ′ , j ) , ( t, t ′ )) iff either i = 0 , j = 1 , ( n, s ) ( m, t ) and ( n ′ , s ′ ) = ( m ′ , t ′ ) , or i = 1 , j = 0 , ( n, s ) = ( m, t ) and ( n ′ , s ′ ) ′ ( m ′ , t ′ ) ,or one of the last two eager-lockstep cases apply (one sideterminated).A product can also be conditioned on data, as exploredin Sec. 7. Fig. 7 depicts a product of c with itself, in whichan iteration of the loop body on just the left (resp. right) sidemay happen only when relation L (resp. R ) holds.Owing to the definition of states of a product, a relation R ⊆
Sto × Sto ′ from stores of A to stores of A ′ is the samething as a predicate on stores of Π A,A ′ . So a relational spec R ≈ > S for A, A ′ can be seen as a unary spec R ❀ S for Π A,A ′ .7 , , lck , , lck , , lck , , lck , , lck , , lck , , lo , , lo , , ro , , roy := xy ′ := x ′ z := 1 z ′ := 1 y = 0 y ′ = 0 z := z ∗ yz ′ := z ′ ∗ y ′ y = 0 ∧ L z := z ∗ yy ′ = 0 ∧ R z ′ := z ′ ∗ y ′ y := y − y ′ := y ′ − y = 0 y ′ = 0 y := y − y ′ := y ′ − Figure 7. Three-way automaton for c | c , with informal edge labels. Theorem 7.
For the basic semantics of specs, if Π A,A ′ is an R -adequate product of A, A ′ then Π A,A ′ | = R ❀ S iff A | A ′ | = R ≈ > S . For the non-stuck semantics, if Π A,A ′ is a strongly R -adequate product then Π A,A ′ | = R ❀ S implies A | A ′ | = R ≈ > S .This lifts IAM to a method for proving a relational judgmentfor programs: label them, construct their automata, define aproduct Π and an annotation an ; prove R -adequacy of Π and validity of an .The number of cutpoints needed for a product may beon the order of the product of the number for the underlyingautomata. But some products have fewer. Moreover unreach-able cutpoints can be annotated as false so the correspondingVCs are vacuous.
4. A one-rule complete RHL
Recall the sequential product rule sketched in Sec. 1.Sequential product is adequate so by Theorem 7 it can beused to prove correctness for any spec. This leads to thewell known rule that we now study in detail.Although the definition of automaton allows an arbitraryset for stores, in HL we require stores to be mappings onvariables, specifically on the set
Var . To express a productas a single program we need to encode a pair of such storesas a single one. Let
Var • be the set of fresh variable names x • such that x ∈ Var . Let dot : Var → Var • be the obviousbijection. Given s : Var → Z and t : Var • → Z , the union s ∪ t is a function Var ∪ Var • → Z (treating functions assets of ordered pairs). For s and t of type Var → Z define s + t = s ∪ ( t ◦ dot − ) , so s + t : Var ∪ Var • → Z faithfullyrepresents ( s, t ) . For any relation R on variable stores, let R + be the predicate on Var ∪ Var • → Z given by R + = { s + t | ( s, t ) ∈ R} . We overload the name dot for the functionrenaming variables of an expression, and for command c on Var let dot ( c ) be the command on Var • obtained by renaming;this leaves labels unchanged.For later use we consider semantic substitutionfor relations. Define R x | x ′ e | e ′ by ( s, t ) ∈ R x | x ′ e | e ′ iff ([ s | x : s ( e )] , [ t | x ′ : t ( e ′ )]) ∈ R . (Here x need not be distinctfrom x ′ .) Substitution is preserved by the encoding: ( R x | x ′ e | e ′ ) + = ( R + ) x,x ′• e,e ′• (4) (Using simultaneous substitution on the right; it can aswell be written (( R + ) xe ) x ′• e ′• .) We write R x | e | for substitutionthat leaves the right side unchanged. We refrain explicitnotation to distinguish between correctness judgments for Var - programs and those for
Var ∪ Var • -programs. Lemma 8 (sequential program product).
Let c, d be pro-grams on
Var and R , S be relations on Var -stores. Let d ′ = dot ( d ) and note that c ; d ′ is a ( Var ∪ Var • ) -program.Then | = c ; d ′ : R + ❀ S + iff | = c | d : R ≈ > S .The lemma implies soundness of the following sequen-tial product rule (sometimes called self composition): S EQ P ROD d ′ = dot ( d ) c ; d ′ : R + ❀ S + c | d : R ≈ > S Proposition 9 (completeness of one-rule RHL).
The logiccomprised of S EQ P ROD and the rules of HL (Fig. 6) iscomplete.Proof: Suppose | = c | d : R ≈ > S . By Lemma 8 we have | = c ; d ′ : R + ❀ S + where d ′ = dot ( d ) . By completenessof HL we have ⊢ c ; d ′ : R + ❀ S + so S EQ P ROD yields ⊢ c | d : R ≈ > S , q.e.d.Analogous to Floyd completeness (Prop. 6), we candirectly prove a stronger result. It refers to the associatedjudgments of an annotation of a sequential product. Theseare similar to those defined preceding Prop. 6, but nowthey have the form b : an ( n, + ❀ an ( m, + (with b a subprogram of c with n = lab ( b ) and m the end label),the form b : an ( fin , n ) + ❀ an ( fin , m ) + , and the variationslike preceding preceding Prop. 6. The exact definition ofassociated judgment becomes evident in the proof to follow. Theorem 10 (alignment completeness for sequential prod-uct). If an is a valid full annotation of the sequentialproduct of aut ( c ; skip fin ) and aut ( d ; skip fin ) , for spec R ❀ S , then ⊢ c | d : R ≈ > S in the logic comprisedof HL and S EQ P ROD . Moreover this can be proved usingonly the associated judgments of an .The proof relies on an analysis like Lemma 5 but forVCs of sequential product. Assume w.l.o.g. that lab ( c ) =1 = lab ( d ) . As a first step, consider the CFG of thesequential product Π of aut ( c ; skip fin ) and aut ( d ; skip fin ) .Initial states of Π have the form ((1 , , ( s, t )) , final stateshave the form (( fin , fin ) , ( s, t )) , and edges of the CFG are oftwo forms: ( n, → ( m, for n → m in the CFG of c ; skip fin and ( fin , n ) → ( fin , m ) for n → m in the CFG of d ; skip fin .Now assume an is a full annotation of Π . Because stepsof Π represent execution of a program on one side or theother, the VCs are similar to those in Fig. 5 except that theypertain to control points of the forms ( n, and ( fin , n ) . Tosave space we just give some illustrative cases in Fig. 8,using some notations from the beginning of Sec. 3.Let Q = an ( fin , . We will use Q + as the intermediateassertion for rule S EQ in a proof of c ; dot ( d ) : R + ❀ S + which can then be used in S EQ P ROD to obtain c | d : R ≈ > S .To obtain proofs of c : R + ❀ Q + and dot ( d ) : Q + ❀ S + ,we use the VCs of Fig. 8 in an argument similar to the8 f b = sub ( n, c ) is. . . and ( n, → ( m, in CFG is. . . then the VC is equivalent to. . . x := n e m = elab ( b, c, fin ) an ( n, ⇒ an ( m, x | e | if n e then b else b fi m = lab ( b ) an ( n, ∧ h [ e h ] ⇒ an ( m, b ⊔ n b m is lab ( b ) or lab ( b ) an ( n, ⇒ an ( m, if b = sub ( n, d ) is. . . and ( fin , n ) → ( fin , m ) in CFG is. . . then the VC is equivalent to. . . x := n e m = elab ( b, d, fin ) an ( fin , n ) ⇒ an ( fin , m ) | x | e if n e then b else b fi m = lab ( b ) an ( fin , n ) ∧ [ i e ] i ⇒ an ( fin , m ) b ⊔ n b m is lab ( b ) or lab ( b ) an ( fin , n ) ⇒ an ( fin , m ) Figure 8. Selected VCs for sequential product of aut ( c ; skip fin ) and aut ( d ; skip fin ) and full annotation an . proof of Prop. 6. By induction on c we can show, for allsubcommands b of c : ⊢ b : an ( lab ( b ) , + ❀ an ( m, + (5)where m = elab ( b, c, fin ) . And by induction on d we canshow, for all subcommands b of d : ⊢ dot ( b ) : an ( fin , lab ( b )) + ❀ an ( fin , m ) + (6)where m = elab ( b, d, fin ) . In proving (6) using Fig. 8, weuse that ( an ( fin , n ) ∧ [ i e ] i ) + = an ( fin , n ) + ∧ dot ( e ) and ( an ( fin , n ) | x | e ) + = ( an ( fin , n ) + ) x • dot ( e ) . Instantiating (5) and(6) we get ⊢ c : an (1 , + ❀ an ( fin , + ⊢ dot ( d ) : an ( fin , + ❀ an ( fin , fin ) + Thus ⊢ c : R + ❀ Q + and ⊢ dot ( d ) : Q + ❀ S + , because an (1 ,
1) = R , an ( fin ,
1) = Q , and an ( fin , fin ) = S .
5. A logic of lockstep alignment
So far we know S EQ P ROD is complete in the sense ofCook, and alignment complete with respect to alignmentsrepresented by sequential product. It is not complete withrespect to other classes of alignments. For example, considerlockstep-control alignments. As mentioned in Sec. 1, suchan alignment enables to prove c | c x ¨= x ≈ > z ¨= z usingan annotation with intermediate relations only y ¨= y ∧ z ¨= z .A proof using S EQ P ROD with c dot ( c requires to assert z = x ! ∧ x = x • at the semicolon, and use factorial ininvariants. This is far beyond the assertions and judgmentsassociated with the annotation of the lockstep product.Fig. 9 gives rules for relational judgments sometimescalled “diagonal” [12] because they relate same-structuredprograms. They are typical of RHLs [1], [13] and wecall them lockstep because they embody lockstep-controlalignment (as defined in Sec. 3). The relational version of C ONSEQ is included in Fig. 9 because it is needed in orderfor this collection of rules to be complete for lockstep-control alignment, which we make precise in Theorem 11.These rules are not complete in the sense of Cook, forrelational judgments in general, because they do not applyto differently-structured commands.In a lockstep-control product, the CFG edges havethe form ( n, n ) → ( m, m ) . For this to be sufficient for R -adequacy, the code paths reached from initial state-pairssatisfying R need to be the same. Thus lockstep controlis not adequate for programs with choice except in trivial cases like x := 0 ⊔ x := 0 . Choice is ruled out in thetheorem and there is no rule for choice in Fig. 9.Say c and c ′ have same control , written sameCtl ( c, c ′ ) ,if labs ( c ) = labs ( c ′ ) and for each n ∈ labs ( c ) the programs sub ( n, c ) and sub ( n, c ′ ) are the same kind: both are assign-ments, both are skip, both are if, and so on; moreover n hasthe same control flow successors in c and in c ′ . Put differ-ently: c ′ can be obtained from c by renaming variables andreplacing expressions in assignments and branch conditions,but no other changes. For example, x := y + z has samecontrol as w := x − , as do c and c in Fig. 2.For c, c ′ with same control, and their lockstep-controlproduct Π , VCs for a full annotation are given in Fig. 10. Asusual, the VC for conditional has the guards as antecedents,because the VC embodies the program semantics whileassuming control is along a particular path; see (1).Regardless of whether the annotation is full, if thecutpoints include all branch conditions, and for eachpoint n with branch conditions e, e ′ , respectively, we have an ( n, n ) ⇒ e ˚= e ′ , then Π is R -adequate (if an is valid).Because: by program semantics and definition of lockstep-control, the only stuck non-terminated states are those wherethe program is a conditional branch and the conditionsdisagree (so the successor control points differ).As with Prop. 2 and Theorem 10, an annotation de-termines a set of what we call associated judgments. Forlockstep automata, the associated judgments are much likethose defined preceding Prop. 2 only doubled, like b | b ′ : an ( lab ( b ) , lab ( b )) ≈ > an ( m, m ) where m = elab ( b, c, fin ) ,together with those obtained by adding if-tests and so forth.For lack of space we refrain from spelling them out. Theorem 11 (alignment completeness for lockstep prod-uct).
Suppose c and c ′ are choice-free and satisfy sameCtl ( c, c ′ ) . Let Π be the lockstep-control product of aut ( c ; skip fin ) and aut ( c ′ ; skip fin ) and let an be a validfull annotation of Π for R ❀ S . Assume that for anybranch point n with tests e, e ′ we have an ( n, n ) ⇒ e ˚= e ′ . Then ⊢ c | c ′ : R ≈ > S in the logic comprised of HLand the rules of Fig. 9. Moreover this can be provedusing only the associated judgments of an and Π .Using that c and c ′ satisfy sameCtl ( c, c ′ ) , we prove, byinduction on structure of c , that for every subprogram b of c , with corresponding subprogram b ′ in c ′ : ⊢ b | b ′ : an ( lab ( b ) , lab ( b )) ≈ > an ( m, m ) (7)9 S KIP skip | skip : R ≈ > R D A SS x := e | x ′ := e ′ : R x | x ′ e | e ′ ≈ > R D S EQ c | d ′ : R ≈ > Q d | d ′ : Q ≈ > S c ; d | c ′ ; d ′ : R ≈ > S D I F R ⇒ e ˚= e ′ c | c ′ : R ∧ h [ e h ] ∧ [ i e ′ ] i ≈ > S d | d ′ : R ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i ≈ > S if e then c else d fi | if e ′ then c ′ else d ′ fi : R ≈ > S D W H Q ⇒ e ˚= e ′ c | c ′ : Q ∧ h [ e h ] ∧ [ i e ′ ] i ≈ > Q while e do c od | while e ′ do c ′ od : Q ≈ > Q ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i R C ONSEQ
P ⇒ R c | d : R ≈ > S S ⇒ Q c | d : P ≈ > Q Figure 9. Lockstep diagonal syntax-directed rules. if b = sub ( n, c ) and b ′ = sub ( n, c ′ ) are. . . and ( n, n ) → ( m, m ) in CFG is. . . then the VC is equivalent to. . . x := n e and x ′ := n e ′ m = elab ( b, c, fin ) = elab ( b ′ , c ′ , fin ) an ( n, n ) ⇒ an ( m, m ) x | x ′ e | e ′ skip n and skip n m = elab ( b, c, fin ) = elab ( b ′ , c ′ , fin ) an ( n, n ) ⇒ an ( m, m ) if n e then b else b fi and if n e ′ then b ′ else b ′ fi m = lab ( b ) = lab ( b ′ ) an ( n, n ) ∧ h [ e h ] ∧ [ i e ′ ] i ⇒ an ( m, m ) if n e then b else b fi and if n e ′ then b ′ else b ′ fi m = lab ( b ) = lab ( b ′ ) an ( n, n ) ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i ⇒ an ( m, m ) Figure 10. Selected VCs for lockstep-control product of aut ( c ; skip fin ) and aut ( c ′ ; skip fin ) with sameCtl ( c, c ′ ) , and full annotation an . where m = elab ( b, c, fin ) . Note that lab ( b ) = lab ( b ′ ) and m = elab ( b ′ , c ′ , fin ) by sameCtl ( c, c ′ ) . In the base case, b and b ′ are both assignments or both skip. We get that an ( lab ( b ) , lab ( b )) implies the weakest precondition for thecommand to establish an ( m, m ) by the first two rows inFig. 10. So we can use D S KIP or D A SS , together with R C ONSEQ ,to get (7). For the induction step, consider the case where b is if n e then b else b fi and b ′ is if n e ′ then b ′ else b ′ fi .Let m = lab ( b ) = lab ( b ′ ) (using sameCtl ) and m = lab ( b ) = lab ( b ′ ) . Let p = elab ( b, c, fin ) = elab ( b ′ , c ′ , fin ) ,noting that p is also the end label for the then and elseparts. By induction we have ⊢ b | b ′ : an ( m , m ) ≈ > an ( p, p ) and ⊢ b | b ′ : an ( m , m ) ≈ > an ( p, p ) . By theVCs we have an ( n, n ) ∧ h [ e h ] ∧ [ i e ′ ] i ⇒ an ( m , m ) and an ( n, n ) ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i ⇒ an ( m , m ) so using R C ONSEQ we get ⊢ b | b ′ : an ( n, n ) ∧ h [ e h ] ∧ [ i e ′ ] i ≈ > an ( p, p ) ⊢ b | b ′ : an ( n, n ) ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i ≈ > an ( p, p ) By assumption of the theorem we have an ( n, n ) ⇒ e ˚= e ′ ,which is the side condition of rule D I F , which yields if n e then b else b fi | if n e ′ then b ′ else b ′ fi : an ( n, n ) ≈ > an ( p, p ) The arguments for sequence and while are similar, usingrules D S EQ and D W H . That completes the proof of (7), as c and c ′ are choice-free. Instantiating (7) with c, c ′ completesthe proof.Theorem 11 pertains to a restricted class of programpairs. We could relax the sameCtl condition slightly, to allowan assignment to match skip, still using lockstep controlfor the product. Then the VCs of Fig. 10 would include acase for x := n e on the left and skip n on the right, withVC an ( n, n ) ⇒ an ( m, m ) x | e | where m = elab ( b, c, fin ) = elab ( b ′ , c ′ , fin ) . To get an alignment complete logic onewould add the axiom x := e | skip : R x | e | ≈ > R . (Of coursesymmetric VC and rule for assignment on the right.) Theseaxioms are derivable in a logic with S EQ P ROD .
6. Combining lockstep with sequential
A common practical problem is regression verification:equivalence of two programs that differ in that some sub-program has been replaced by another. We can describe thisas equivalence of ˆ c [ b ] and ˆ c [ b ′ ] , using the usual notation ˆ c [ b ] for a program context ˆ c [ ] with a designated subprogram b .In this section we consider a more general situation, relating ˆ c [ b ] to ˆ c ′ [ b ′ ] where the contexts ˆ c [ ] and ˆ c ′ [ ] have the samestructure, as in Sec. 5. We consider the logic comprised of S EQ P ROD and the rules of Fig. 9. The corresponding form ofautomata has both lockstep and one-sided sequential steps,where lockstep execution is used for similar control structureand one-sided only for the designated subprograms (whichmay have arbitrarily different structure).To be precise, define sameExcept ( c, c ′ , b, b ′ , beg, end, fin ) iff there are contexts ˆ c [ ] and ˆ c ′ [ ] such that • c = ˆ c [ b ] and c ′ = ˆ c ′ [ b ′ ] • beg = lab ( b ) = lab ( b ′ ) and labs ( b ) ∩ labs ( b ′ ) = { beg }• end = elab ( b, c, fin ) = elab ( b ′ , c ′ , fin ) . • sameCtl (ˆ c [ skip beg ] , ˆ c ′ [ skip beg ]) • ˆ c [ ] and ˆ c ′ [ ] are choice free (but b, b ′ may have choice)The setup encompasses any pair of programs, because itincludes the extreme case where ˆ c [] is nothing more than thehole to be filled, i.e., ˆ c [ b ] = b and ˆ c ′ [ b ′ ] = b ′ ; put differently, c = b and c ′ = b ′ . Here is an example that is only a littlebeyond what is encompassed by Theorem 11. • c is if x > y then y := y ; x := else skip fi and • c ′ is if y ≤ x − then x := else skip fi • b is y := y ; x := and b ′ is a single assignment x := Here beg = 2 and elab ( b, c, fin ) = fin . The example doesnot satisfy sameCtl (because b and b ′ do not match).To describe the product we use extra control state, forwhich we assume a set of three tags { lck, lo, ro } to beused to designate lockstep, left-only, and right-only steps.Let Ctrl and
Ctrl ′ be the control sets for the automata10f c ; skip fin and c ′ ; skip fin respectively, assuming as beforethat lab ( c ) = 1 = lab ( c ′ ) . Recall Ctrl = labs ( c ; skip fin ) and Ctrl ′ = labs ( c ′ ; skip fin ) . The control set of the product is Ctrl × Ctrl ′ × { lck, lo, ro } and lt and rt are the first twoprojections.The initial and final control points are (1 , , lck ) and ( fin , fin , lck ) . Define Z ⇒ as follows, where isfrom aut ( c ; skip fin ) , ′ is from aut ( c ′ ; skip fin ) , and Z ⇒ lckc is the lockstep-control product based on those. For all n, m, s, t, s ′ , t ′ : (i) (( n, n, lck ) , ( s, s ′ )) Z ⇒ (( m, m, lck ) , ( t, t ′ )) if (( n, n ) , ( s, s ′ )) Z ⇒ lckc (( m, m ) , ( t, t ′ )) and n / ∈ labs ( b ) ∪ labs ( b ′ ) and m = beg (ii) (( n, n, lck ) , ( s, s ′ )) Z ⇒ (( beg, beg, lo ) , ( t, t ′ )) if (( n, n ) , ( s, s ′ )) Z ⇒ lckc (( beg, beg ) , ( t, t ′ )) and n / ∈ labs ( b ) ∪ labs ( b ′ ) (iii) (( n, beg, lo ) , ( s, s ′ )) Z ⇒ (( m, beg, lo ) , ( t, s ′ )) if m = end and ( n, s ) ( m, t ) and n ∈ labs ( b ) (iv) (( n, beg, lo ) , ( s, s ′ )) Z ⇒ (( end, beg, ro ) , ( t, s ′ )) if ( n, s ) ( end, t ) and n ∈ labs ( b ) (v) (( end, n ′ , ro ) , ( s, s ′ )) Z ⇒ (( end, m ′ , ro ) , ( s, t ′ )) if m ′ = end and ( n ′ , s ′ ) ′ ( m ′ , t ′ ) and n ′ ∈ labs ( b ′ ) (vi) (( end, n ′ , ro ) , ( s, s ′ )) Z ⇒ (( end, end, lck ) , ( s, t ′ )) if ( n ′ , s ′ ) ′ ( end, t ′ ) and n ′ ∈ labs ( b ) Rule (ii) enters left-only mode, (iii) continues, (iv) switchesto right-only, (v) continues, and (vi) resumes lockstep. Likethe lockstep-control product, this gets stuck at branch pointsoutside the designated subprograms b, b ′ , if guards don’tagree. Theorem 12.
Suppose sameExcept ( c, c ′ , b, b ′ , beg, end, fin ) and Π is the product defined above. Suppose an is avalid full annotation of Π for R ❀ S . Suppose forall branch points n ∈ labs ( c ) \ ( labs ( b ) ∪ labs ( b ′ )) , withbranch conditions e, e ′ , we have an ( n, n, lck ) ⇒ e ˚= e ′ .Then ⊢ c | c ′ : R ≈ > S in the logic comprised of HL, therules of Fig. 9, and S EQ P ROD , using only the judgmentsassociated with an and Π .
7. Data dependent alignment for loops
We want to prove c | c x = x ′ ∧ x > ≈ > z > z ′ byaligning the iterations in which y gets updated, maintaininginvariants y = y ′ and z > z ′ , and allowing the no-opiterations to happen independently. To do so we use: W HILE c | c ′ : Q ∧ h [ e h ] ∧ [ i e ′ ] i ≈ > Q c | skip : Q ∧ L ∧ h [ e h ] ≈ > Q skip | c ′ : Q ∧ R ∧ [ i e ′ ] i ≈ > QQ ⇒ e ˚= e ′ ∨ ( L ∧ h [ e h ] ) ∨ ( R ∧ [ i e ′ ] i ) while e do c od | while e ′ do c ′ od : Q ≈ > Q ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i The first premise relates the loop bodies, like the locksteploop rule in Fig. 9. The second and third premises relate thebody to skip, under preconditions strengthened by relations L and R . Later we consider the example of c , c using h [ w % 2 = 0 h ] for L and [ i w ′ % 3 = 0 ] i for R . For W HILE to be useful, the proof system we consider has the locksteprules of Fig. 9 together with one-sided rules of Fig. 11. A SS S KIP x := e | skip : R x | e | ≈ > R S KIP S KIP skip | skip : R ≈ > R S EQ S KIP c | skip : R ≈ > Q d | skip : Q ≈ > S c ; d | skip : R ≈ > S I F S KIP c | skip : R ∧ h [ e h ] ≈ > S d | skip : R ∧ h [ ¬ e h ] ≈ > S if e then c else d fi | skip : R ≈ > S W H S KIP c | skip : Q ∧ h [ e h ] ≈ > Q while e do c od | skip : Q ≈ > Q ∧ h [ ¬ e h ] Figure 11. One-side rules (symmetric right-side rules omitted).
In order to focus on this situation, we consider relatingsame-control programs c, c ′ with a distinguished label beg such that sub ( beg, c ) is a loop—and so is sub ( beg, c ′ ) , sincewe assume sameCtl ( c, c ′ ) .Assume ok ( c ; skip fin ) and ok ( c ′ ; skip fin ) and let Ctrl, Ctrl ′ and , ′ be the control sets and transitionrelations for their automata. As in Sec. 6 we define a productwith control Ctrl × Ctrl ′ × T ag where
T ag = { lck, lo, ro } .The transition relation Z ⇒ is defined with respect to givenrelations L and R . If n is the label of the loop body, thereare three transitions from the top of the loop into the body: ( beg, beg, lck ) → ( n, n, lck ) , ( beg, beg, lck ) → ( n, beg, lo ) if L holds, and ( beg, beg, lck ) → ( beg, n, ro ) if R holds(Details in Appendix.) Fig. 7 depicts an example. Theorem 13.
Consider c, c ′ , beg, L , R such that sameCtl ( c, c ′ ) , c and c ′ are choice-free, sub ( beg, c ) is a loop, and L , R are store relations. Let Π be theproduct defined above for c ; skip fin , c ′ ; skip fin . Suppose an is a valid full annotation of Π for P ❀ Q . Assume(a) for all branch points n ∈ labs ( c ) \ { beg } with branchconditions e, e ′ , we have an ( n, n, lck ) ⇒ e ˚= e ′ ; and(b) an ( beg, beg, lck ) ⇒ e ˚= e ′ ∨ ( L ∧ h [ e ′ h ] ) ∨ ( R ∧ [ i e ] i ) where e, e ′ are the tests of the loops at beg .Then ⊢ c | c ′ : P ≈ > Q in the logic comprised of the rulesof Fig. 9, Fig. 11, and W HILE , using only the judgmentsassociated with an and Π .Assumption (a) is about annotations of aligned branchpoints, even inside the distinguished loop at beg , but onlyin the part of the product CFG that executes in lockstep.For n a branch point inside that loop, the control points ( n, n, lo ) and ( n, n, ro ) are not reachable by construction of Π . Assumption (b) is like the side condition of rule W HILE .Instead of considering c , c , we consider variations c , c in Fig. 2. This lets us avoid complications in theinvariant needed to handle the first few iterations of c , c (where z > z ′ does not hold under precondition x = x ′ ).Whereas the originals maintain the invariants x ! = z ∗ y ! (for c ) and x = z ∗ y (for c ) and y ≥ (for both), thesemaintain x ! ∗
4! = z ∗ y ! and x ∗ = z ∗ y and y ≥ ,owing to initializations of z = 4! = 24 and z = 2 = 16 .We shall prove x = x ′ ∧ x > ≈ > z > z ′ for c skip c skip . We use the three-way product construction ofthis section, for alignment conditions mentioned earlier: L is h [ w % 2 = 0 h ] and R is [ i w ′ % 3 = 0 ] i . So the transition onedge (4 , , lck ) → (5 , , lo ) is guarded by h [ w %2 = 0 h ] and thetransition (4 , , lck ) → (4 , , ro ) is guarded by [ i w ′ % 3 = 0 ] i .As loop invariant we choose S : y = y ′ ∧ y > ∧ z > z ′ > Define the annotation an as follows. ( n, m, tag ) an ( n, m, tag )(1 , , lck ) x = x ′ ∧ x > precondition (2 , , lck ) y = y ′ ∧ y > , , lck ) y = y ′ ∧ y > ∧ z > z ′ > , , lck ) S (5 , , lck ) S ∧ y > , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3(7 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3(8 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3(9 , , lck ) S (5 , , lo ) S ∧ L (8 , , lo ) S (9 , , lo ) S (4 , , ro ) S ∧ R (4 , , ro ) S (4 , , ro ) S (0 , , lck ) z > z ′ postcondition Let an ( m, n, tag ) = f alse for all others. The automatonnever reaches (6 , , lck ) or (8 , , lck ) , owing to the lockstepconditions. It never reaches (6 , , lo ) or (7 , , lo ) because L contradicts the if-test; likewise (4 , , ro ) , (4 , , ro ) , and R .The annotation is valid. (Some VCs shown in Appendix.)
8. Discussion
We introduced a notion of completeness relative toa designated class of alignments, and showed alignmentcompleteness for four illustrative sets of RHL rules. Forsimplicity we used the basic semantics of specs. Non-stucksemantics is preferable for richer languages but the requisiteadjustments to HL and RHL rules are straightforward andwell known (e.g., the precondition for assignment includesa definedness condition). We highlighted what adequacymeans for non-stuck semantics, but refrained from spellingout alignment completeness results for it. In this sectionwe point out related work and directions for further de-velopment. For more extensive reviews of related work onRHLs, some starting points are [14]–[16] and [17]. The latterproposes the idea of alignment completeness but only invague terms.Product automata appear in many places (e.g., [12], [18],[19]) and are similar to control flow automata [20], [21].Francez [12] observes that sequential product is completerelative to HL, but does not work that out in detail. Itscompleteness is featured in Barthe et al [22], for the spe-cial case of relating a program to itself; it is clear thatit holds generally as noted in [23]. Beringer [11] provessemantic completeness of sequential product and leveragesit to derive rules including the three-way loop rule. A RHL for deterministic programs is proved complete basedon sequential product in [24]. Sousa and Dillig [25] givea rule like S EQ P ROD for k -products; their Theorem 2 iscompleteness relative to completeness of an underlying HL.Wang et al [26] prove a similar result specialized to programequivalence. The basis of these results is that the productunder consideration is adequate, to use our term. Francezgives a semantic completeness result of this sort, for eager-lockstep, and Eilers et al [27] do the same for a more generalform of k -product. Aguirre et al [28] prove completeness ofa RHL for higher order functional programs, via embeddingin a unary logic.By contrast with these Cook-style completeness results,alignment completeness is with respect to a designated classof alignments. Our results are for classes of alignments de-fined in terms of a limited class of product automata withoutauxiliary store. The most general notion of alignment wouldbe a function from pairs of traces to alignments thereof [29].Even restricted to computable functions, this is far beyondthe scope of known RHL rules, even using mixed-structurerules like this one adapted from [12]. while e ∧ e do b od | c : P ≈ > Q while e do b od | d : Q ≈ > R Q ∧ h [ ¬ e h ] ⇒ R while e do b od | c ; d : P ≈ > R Several practical works use more sophisticated productconstructions [19], [30], including some that use auxiliarystore [31], [32]. Clochard et al [32] highlight the efficacy of(unary) deductive verification applied to product programs(as well as going beyond ∀∀ , as do [18]).Bringing such alignments within the purview of RHLcould have the familiar benefits of HL, like bringing theprinciples of conjunctive and disjunctive decomposition to-gether with the IAM. Merely collecting a large number ofmixed-structure and data-conditioned rules would be inele-gant and likely fall short of covering all useful alignments.An alternative is to leverage HL in the way S EQ P ROD does,but for a wider range of product encodings. This mightbe achieved using a subsidiary judgment that connects twocommands with a third that is an adequate product, asexplored in [15], and taking into account the encoding oftwo stores by one for different data models [22], [33], [34].Another subsidiary judgment that broadens the applica-bility of basic RHL rules is correctness-preserving rewriting,which is common in verification tools but is seldom madeexplicit in HLs. The RHL of [35] includes an unconditionalrewriting relation ∼ = and rule to infer c | c ′ : R ≈ > S from d | d ′ : R ≈ > S if c ∼ = d and c ′ ∼ = d ′ . Using simpleequivalences like if E then C else skip fi ; while E do C od ∼ = while E do C od , together with a version of W HILE , theyprove a loop tiling transformation which had been usedto argue for working directly with automata [18]. Andunrolling examples c and c a few times would address theproblem we dodged by using c and c . Equivalences validin Kleene algebra with tests [36] are a natural candidate toconnect with some class of product automata.Alignment completeness characterizes sets of rules interms of classes of alignments. If different classes could be12efined using combinators for product automata, one mightobtain a more uniform and comprehensive theory leading tomore systematic development of relational verification tools. References [1] N. Benton, “Simple relational correctness proofs for static analysesand program transformations,” in
POPL , 2004, pp. 14–25.[2] T. Terauchi and A. Aiken, “Secure information flow as a safetyproblem,” in
Static Analysis Symposium (SAS) , ser. LNCS, vol. 3672,2005, pp. 352–367.[3] S. A. Cook, “Soundness and completeness of an axiom system forprogram verification,”
SIAM Journal of Computing , vol. 7, no. 1, pp.70–90, 1974.[4] K. R. Apt, F. S. de Boer, and E.-R. Olderog,
Verification of Sequentialand Concurrent Programs , 3rd ed. Springer, 2009.[5] T. Nipkow, “Hoare logics for recursive procedures and unboundednondeterminism,” in
Computer Science Logic: 16th InternationalWorkshop, CSL 2002, 11th Annual Conference of the EACSL , ser.LNCS, vol. 2471, 2002, pp. 155–182.[6] B. Godlin and O. Strichman, “Regression verification,” in , 2009, pp. 466–471.[7] R. Floyd, “Assigning meaning to programs,” in
Symposium on Ap-plied Mathematics 19, Mathematical Aspects of Computer Science ,J. Schwartz, Ed. American Mathematical Society, 1967, pp. 19–32.[8] A. Turing, “On checking a large routine,” in
Report of a Conferenceon High Speed Automatic Calculating Machines , 1949, pp. 67–69,univ. Math. Lab., Cambridge.[9] K. R. Apt and E. Olderog, “Fifty years of Hoare’s logic,”
FormalAsp. Comput. , vol. 31, no. 6, pp. 751–807, 2019.[10] S. Owicki and D. Gries, “An axiomatic proof technique for parallelprograms,”
Acta Inf. , vol. 6, 1976.[11] L. Beringer, “Relational decomposition,” in
Interactive Theorem Prov-ing (ITP) , ser. LNCS, vol. 6898, 2011.[12] N. Francez, “Product properties and their direct verification,”
ActaInformatica , vol. 20, pp. 329–344, 1983.[13] H. Yang, “Relational separation logic,”
Theo. Comp. Sci. , vol. 375,pp. 308–334, 2007.[14] B. Beckert and M. Ulbrich, “Trends in relational program verifica-tion,” in
Principled Software Development , P. M¨uller and I. Schaefer,Eds. Springer, 2018, pp. 41–58.[15] G. Barthe, J. M. Crespo, and C. Kunz, “Product programs andrelational program logics,”
J. Logical and Algebraic Methods inProgramming , vol. 85, no. 5, pp. 847–859, 2016.[16] K. Maillard, C. Hritc¸u, E. Rivas, and A. V. Muylder, “The next 700relational program logics,”
Proc. ACM Program. Lang. , vol. 4, no.POPL, pp. 4:1–4:33, 2020.[17] D. A. Naumann, “Thirty-seven years of relational Hoare logic:remarks on its principles and history,” in
Int. Symp. OnLeveraging Applications of Formal Methods, Verification andValidation (ISOLA) , 2020, pp. 93–116, extended version athttps://arxiv.org/abs/2007.06421.[18] G. Barthe, J. M. Crespo, and C. Kunz, “Beyond 2-safety: Asymmetricproduct programs for relational program verification,” in
LFCS , 2013,pp. 29–43.[19] B. R. Churchill, O. Padon, R. Sharma, and A. Aiken, “Semanticprogram alignment for equivalence checking,” in
PLDI , 2019, pp.1027–1040.[20] M. Heizmann, J. Hoenicke, and A. Podelski, “Software model check-ing for people who love automata,” in
CAV , 2013, pp. 36–52. [21] T. Lange, M. R. Neuh¨außer, and T. Noll, “IC3 software modelchecking on control flow automata,” in
Formal Methods in Computer-Aided Design (FMCAD) , 2015, pp. 97–104.[22] G. Barthe, P. R. D’Argenio, and T. Rezk, “Secure information flow byself-composition,” in
IEEE CSFW , 2004, pp. 100–114, see extendedversion [37].[23] G. Barthe, J. M. Crespo, and C. Kunz, “Relational verification usingproduct programs,” in
Formal Methods , ser. LNCS, vol. 6664, 2011,pp. 200–214.[24] G. Barthe, B. Gr´egoire, J. Hsu, and P. Strub, “Coupling proofs areprobabilistic product programs,” in
POPL , 2017, pp. 161–174.[25] M. Sousa and I. Dillig, “Cartesian Hoare Logic for verifying k-safetyproperties,” in
PLDI , 2016, pp. 57–69.[26] Y. Wang, I. Dillig, S. K. Lahiri, and W. R. Cook, “Verifying equiv-alence of database-driven applications,”
Proc. ACM Program. Lang. ,vol. 2, no. POPL, pp. 56:1–56:29, 2018.[27] M. Eilers, P. M¨uller, and S. Hitz, “Modular product programs,”
ACMTrans. Program. Lang. Syst. , vol. 42, no. 1, pp. 3:1–3:37, 2020.[28] A. Aguirre, G. Barthe, M. Gaboardi, D. Garg, andP. Strub, “A relational logic for higher-order programs,”
J. Funct. Program. , vol. 29, 2019. [Online]. Available:https://doi.org/10.1017/S0956796819000145[29] M. Kov´acs, H. Seidl, and B. Finkbeiner, “Relational abstract interpre-tation for the verification of 2-hypersafety properties,” in
ACM CCS ,2013.[30] R. Shemer, A. Gurfinkel, S. Shoham, and Y. Vizel, “Property directedself composition,” in
CAV , 2019, pp. 161–179.[31] T. Girka, D. Mentr´e, and Y. R´egis-Gianas, “Verifiable semanticdifference languages,” in
Principles and Practice of DeclarativeProgramming (PPDP) , 2017.[32] M. Clochard, C. March´e, and A. Paskevich, “Deductive verificationwith ghost monitors,”
Proc. ACM Program. Lang. , vol. 4, no. POPL,pp. 2:1–2:26, 2020.[33] D. A. Naumann, “From coupling relations to mated invariants forsecure information flow,” in
ESORICS , ser. LNCS, vol. 4189, 2006,pp. 279–296.[34] L. Beringer and M. Hofmann, “Secure information flow and programlogics,” in
IEEE CSF , 2007, pp. 233–248.[35] A. Banerjee, D. A. Naumann, and M. Nikouei, “Relational logicwith framing and hypotheses,” in
Foundations of Software Tech. andTheoretical Comp. Sci. , 2016, pp. 11:1–11:16, technical report athttp://arxiv.org/abs/1611.08992.[36] D. Kozen, “On Hoare logic and Kleene algebra with tests,”
ACMTrans. Comput. Log. , vol. 1, no. 1, pp. 60–76, 2000.[37] G. Barthe, P. R. D’Argenio, and T. Rezk, “Secure information flowby self-composition,”
Math. Struct. Comput. Sci. , vol. 21, no. 6, pp.1207–1252, 2011.[38] J. Filliˆatre, L. Gondelman, and A. Paskevich, “The spirit of ghostcode,”
Formal Methods in System Design , vol. 48, no. 3, pp. 152–174, 2016.
9. Appendix: additional details
Definitions.
Definition of destutter ( τ ) for trace τ : destutter ( τ ) = τ if len ( τ ) = 1 destutter ( γ :: γ :: τ ) = destutter ( γ :: τ ) if γ = γ destutter ( γ :: γ :: τ ) = γ :: destutter ( γ :: τ ) otherwise13 k ( skip n ) = n ≥ ok ( x := n e ) = n ≥ ok ( c ; d ) = labs ( c ) ∩ labs ( d ) = ∅ ∧ ok ( c ) ∧ ok ( d ) ok ( while n e do c od ) = n ≥ ∧ n / ∈ labs ( c ) ∧ ok ( c ) ok ( if n e then c else d fi ) = n ≥ ∧ n / ∈ labs ( c ; d ) ∧ ok ( c ; d ) ok ( c ⊔ n d ) = n ≥ ∧ n / ∈ labs ( c ; d ) ∧ ok ( c ; d ) Figure 12. ok ( c ) – command with unique, non-negative labels. sub ( m, skip m ) = skip m sub ( m, x := m e ) = x := m e sub ( m, c ; d ) = sub ( m, c ) , if m ∈ labs ( c )= sub ( m, d ) , otherwise sub ( m, while n e do c od ) = while n e do c od , if n = m = sub ( m, c ) , otherwise sub ( m, if n e then c else d fi ) = if n e then c else d fi , if n = m = sub ( m, c ) , if m ∈ labs ( c )= sub ( m, d ) , otherwise sub ( m, c ⊔ n d ) = c ⊔ n d , if n = m = sub ( m, c ) , if m ∈ labs ( c )= sub ( m, d ) , otherwiseFigure 13. sub ( m, c ) sub-command of c at m , assuming ok ( c ) , m ∈ labs ( c ) . Definition of lab ( c ) : lab ( skip n ) = n lab ( x := n e ) = n lab ( c ; d ) = lab ( c ) lab ( if n e then c else d fi ) = n lab ( while n e do c od ) = n lab ( c ⊔ n d ) = n Definition of labs ( c ) : labs ( skip n ) = { n } labs ( x := n e ) = { n } labs ( c ; d ) = labs ( c ) ∪ labs ( d ) labs ( if n e then c else d fi ) = { n } ∪ labs ( c ) ∪ labs ( d ) lab ( while n e do c od ) = { n } ∪ labs ( c ) labs ( c ⊔ n d ) = { n } ∪ labs ( c ) ∪ labs ( d ) Fig. 12 defines the ok condition.Fig. 13 defines sub ( m, c ) .Fig. 14 defines fsuc .As an example how labels are manipulated in the tran-sition semantics, here is an ok command and its transitions.We omit stores but assume x = 1 initially. while x > do x := x − od ; skip _ x := x − while x > do x := x − od ; skip _ skip − ; while x > do x := x − od ; skip _ while x > do x := x − od ; skip _ skip − ; skip _ skip Fig. 15 gives a more “algorithmic” version of HL, whichmakes possible a version of Prop. 6 where the “associatedjudgments” are only those given directly by the annotation,i.e., (2). This has a parallel in type systems, where subtypingis handled either with a separate rule of subsumption or withsubtype constraints in syntax-directed rules; the latter havea procedural reading.
Proof of Prop. 1.
Part (b) follows directly from (a) usingthat fin is in K . The proof of (a) is by induction on thenumber of K -states reached in τ . At least one is reached,because τ is non-empty and initial, and K contains init . If fsuc ( n, skip n , f ) = f fsuc ( n, x := n e, f ) = f fsuc ( n, c ; d, f ) = fsuc ( n, c, lab ( d )) , if n ∈ labs ( c )= fsuc ( n, d, f ) , otherwise fsuc ( m, while n e do c od , f ) = f , if m = n = fsuc ( m, c, n ) , otherwise fsuc ( m, if n e then c else d fi , f ) = fsuc ( m, c, f ) , if m ∈ labs ( c )= fsuc ( m, d, f ) , if m ∈ labs ( d )= f , otherwise (i.e., m = n ) fsuc ( m, c ⊔ n d, f ) = fsuc ( m, c, f ) , if m ∈ labs ( c )= fsuc ( m, d, f ) , if m ∈ labs ( d )= f , otherwise (i.e., m = n )Figure 14. Following successor fsuc ( n, c, f ) , for ok ( c ) , n ∈ labs ( c ) , and f ∈ N \ labs ( c ) . S KIP ’ P ⇒ Q skip : P ❀ Q A SS ’ P ⇒ Q xe x := e : P ❀ Q I F ’ P ∧ e ⇒ P P ∧ ¬ e ⇒ P c : P ❀ Q d : P ❀ Q if e then c else d fi : P ❀ Q W H ’ P ∧ e ⇒ P c : P ❀ P P ∧ ¬ e ⇒ Q while e do c od : P ❀ Q Figure 15. C ONSEQ -free HL: these rules plus S EQ and C HOICE . exactly one is reached, we have τ | = P since an ( init ) = P ,so the base case is done. Otherwise, suppose a K -state isreached at position j and the preceding K -state is at position i (so i < j ). By induction we have τ i | = an ( ctrl ( τ i )) .Let τ [ i : j ] be the trace segment from τ i to τ j , inclusive.Now cpath ( τ [ i : j ]) is in segs ( A, K ) so we can apply theverification condition (1) to conclude τ j | = an ( ctrl ( τ j )) . Proof of Prop. 2.
For each n ∈ K , let an ( n ) be the set of s such that there is a finite initial trace τ of A with τ | = P and τ − = ( n, s ) . So an ( n ) is the strongest invariant at n fortraces from P . To prove (1), consider any vs ∈ segs ( A, K ) and trace τ along vs . Suppose τ | = an ( vs ) , to show τ − ∈ an ( vs − ) . By definition of an ( vs ) , τ is reachable froman initial P -state, say by trace υ with υ − = τ . So τ − is reachable by the trace υ followed by τ , hence τ − ∈ an ( vs − ) by definition of an . Proof of Prop. 6: other cases. • If b is while n e do d od , we have elab ( d, c, fin ) = n so by induction we have ⊢ d : an ( lab ( d )) ❀ an ( n ) .Lemma 5 gives an ( n ) ∧ e ⇒ an ( lab ( d )) so by C ON - SEQ we get ⊢ d : an ( n ) ∧ e ❀ an ( n ) . Rule W H yields ⊢ b : an ( n ) ❀ an ( n ) ∧ ¬ e . Lemma 5 gives an ( n ) ∧ ¬ e ⇒ an ( elab ( b, c, fin )) so by Conseq we get ⊢ b : an ( n ) ❀ an ( elab ( b, c, fin ) . • If b is d ⊔ n d , by induction we have ⊢ d : an ( lab ( d ) ❀ an ( elab ( d , c, fin )) and ⊢ d : an ( lab ( d ) ❀ an ( elab ( d , c, fin )) . Lemma 5 gives14 n ( n ) ⇒ an ( lab ( d )) and an ( n ) ⇒ an ( lab ( d )) so by C ONSEQ we get ⊢ d : an ( n ) ❀ an ( elab ( d , c, fin )) and ⊢ d : an ( n ) ❀ an ( elab ( d , c, fin )) . By definitions wehave elab ( b, c, fin ) = elab ( d , c, fin ) = elab ( d , c, fin ) . Soby rule C HOICE we get ⊢ b : an ( n ) ❀ an ( elab ( b, c, fin ) . Proof of Theorem 7.
For basic semantics this is left tothe reader. We show that if Π A,A ′ is a strongly R -adequateproduct then, in non-stuck semantics, Π A,A ′ | = R ❀ S implies A | A ′ | = R ≈ > S .To show A | A ′ | = R ≈ > S in the non-stuck semantics ofrelational specs, we must establish (i) all terminated tracesof A and A ′ that initially satisfy R finally satisfy S , and (ii)all finite and initial traces of A and A ′ are not stuck. Let τ, τ ′ be finite initial traces of A, A ′ such that τ , τ ′ | = R .(i) Assume τ and τ ′ are terminated, therefore ctrl ( τ − ) = fin and ctrl ( τ ′− ) = fin ′ . Since Π A,A ′ is R -adequate(implied by strong R -adequacy), we can appeal to theresult for basic semantics to conclude τ − , τ ′− | = S .Hence, τ, τ ′ | = R ≈ > S and we are done.(ii) Assume τ has not yet terminated, hence ctrl ( τ − ) = fin . Since Π A,A ′ is strongly R -adequate we can obtain atrace T of Π A,A ′ such that τ (cid:22) left ( T ) . Now, there aretwo cases to consider. If τ ≺ left ( T ) , then the witness for τ −
7→ − is the successor of τ − in left ( T ) . Otherwise, τ = left ( T ) . Since Π A,A ′ satisfies R ❀ S in the non-stuck semantics of unary specs, and is not terminated(because ctrl ( left ( T − )) = ctrl ( τ − ) ) we know T Z ⇒ − .This argument can be iterated, extending T , and afterfinitely many steps it must cover a left-side step from τ − because otherwise it would contradict the one-sidedivergence condition of strong R -adequacy of Π A,A ′ . Theargument for τ ′ is similar, so we are done.Although for basic semantics the theorem is an equiva-lence, for non-stuck semantics the converse does not hold.For a counterexample, consider the interleaved product(which is strongly R -adequate) of A, A ′ and augment itscontrol points to include a tag from { , } (like the productin Sec. 6), with tag value for the initial and final points.The transition relation is the same as that of the interleavedproduct, except it is not enabled for control points with tag . Further, any step of the product may change the valueof the tag nondeterministically. Let Π be such a product. Itis strongly R -adequate. But suppose A | A ′ | = R ≈ > S , sothere are no stuck non-final traces of A or A ′ . We do nothave Π | = R ❀ S . If T is a finite initial trace of Π suchthat T | = R and T − is not final, we must show T Z ⇒ − .Clearly, this cannot be true if the tag of ctrl ( T − ) is ; inthis case, T is stuck and T − has no successor. Proof of Lemma 8.
By mutual implication. For traces τ, υ with υ = τ − we write τ ⋄ υ for the coalesced catenation,i.e., τ followed by all but the first element of υ .Assume | = c ; d ′ : R + ❀ S + . To show | = c | d : R ≈ > S ,consider terminated traces τ of c and υ of d (over Var ).Suppose τ , υ | = R , to show τ − , υ − | = S . By renaming we get a trace υ ′ of d ′ . Let s = stor ( υ ) ◦ dot . By adding s to the stores of τ we get a trace ˆ τ , of c ; d ′ that leaves the Var • part unchanged and ends ready to execute d ′ . Adding stor ( τ − ) to the stores of υ ′ we get a trace ˆ υ ′ of d ′ thatleaves the Var part unchanged. So ˆ τ ⋄ ˆ υ ′ is a terminatedtrace of c ; d ′ that ends with store stor ( τ − ) + stor ( υ − ) . Wehave τ , υ | = R iff τ ∪ s | = R + , whence (ˆ τ ⋄ ˆ υ ′ ) | = R + .So from | = c ; d ′ : R + ❀ S + we get ( τ ⋄ υ ′ ) − | = S + ,that is, stor ( τ − ) + stor ( υ − ) | = S + . The latter is equivalentto stor ( τ − ) , stor ( υ − ) | = S which completes the proof that τ, υ | = R ≈ > S .For the converse, assume | = c | d : R ≈ > S . To show | = c ; d ′ : R + ❀ S + , consider any terminated trace of c ; d ′ ,which by semantics can be written as coalesced catenation τ ⋄ υ of nonempty traces of c and d ′ , with the Var • -partof each τ i equal to that of υ , and the Var -part of each υ i equal to that of τ − . By discarding the untouched parts, andrenaming, we get terminated Var -traces ˆ τ of c and ˆ υ of d .Moreover if τ | = R + then ˆ τ , ˆ υ | = R so using | = c | d : R ≈ > S we get ˆ τ − , ˆ υ − | = S . The latter is equivalent to υ − | = S + whence ( τ ⋄ υ ) | = R + ❀ S + . Proof of Theorem 12.
As with the previous theorems, theassociated judgments are easily determined by inspectingthe proof of the theorem so we refrain from spelling themout.The proof relies on an analysis of the VCs. These includeVCs for the lockstep part of the automaton, like thosein Fig. 10, as well as VCs for the one-sided part of theautomaton like those in Figs. 8, and we omit them. We useHL to obain proofs for b and dot ( b ′ ) , then lift those using S EQ P ROD , and complete the derivation of ⊢ c | c ′ : R ≈ > S using rules in Fig. 9. Here are more details.By induction on b , using an argument similar to thatproving (5), using left-side VCs, we have for all subcom-mands d of b : ⊢ d : an ( lab ( d ) , beg, lo ) + ❀ an ( elab ( d, c ) , beg, tag ) + (8)where tag = ro if m = end , else tag = lo . (The differentcases for tag arise from the form of the CFG, in particulartransitions of type (iii) versus (iv).) Then in particular theinstantiation for b itself is ⊢ b : an ( beg, beg, lo ) + ❀ an ( end, beg, ro ) + with ending tag ro because the pathsthrough b end with a transition of type (iv). Next, byinduction on b ′ , a similar argument using right-side VCsshows for all subcommands d ′ of b ′ : ⊢ dot ( d ′ ) : an ( end, lab ( d ′ ) , ro ) + ❀ an ( end, m, tag ) + (9)where m = elab ( d ′ , c ) and tag = lck if m = end else tag = ro . Instantiating (8) and (9) we get ⊢ b : an ( beg, beg, lo ) + ❀ an ( end, beg, ro ) + ⊢ dot ( b ′ ) : an ( end, beg, ro ) + ❀ an ( end, end, lck ) + hence ⊢ b ; dot ( b ′ ) : an ( beg, beg, lo ) + ❀ an ( end, end, lck ) + by S EQ . So rule S EQ P ROD yields ⊢ b | b ′ : an ( beg, beg, lo ) ≈ > an ( end, end, lck ) (10)15ow show, for all subcommands d of c and correspondingsubcommands d ′ of c ′ , with d not a proper subcommand of b (so lab ( d ′ ) = lab ( d ) and d ′ is not a proper subcommandof b ′ ): ⊢ d | d ′ : an ( lab ( d ) , lab ( d ) , tag ) ≈ > an ( m, m, tag ) (11)where m = elab ( d, c, fin ) = elab ( d ′ , c ′ , fin ) and tag = lo if lab ( d ) = beg (i.e., d is b ), and tag = lck otherwise; and tag = lo if m = beg , else tag = lck . (Here the tagconditions are due to transitions (i) versus (ii); noting that lab ( d ) = beg implies m = beg .) The proof is by inductionon structure of c (which is structurally the same as c ′ ). Thebase cases b | b ′ , pairs of assignments outside b, b ′ , and pairsof skip. For b | b ′ , (11) is just (10). For assignments and skip,we use the VCs just as in the proof of Theorem 11. Theinduction step to prove (11) is same-structure commandrelations. By analysis of the lockstep transitions of theproduct we get VCs like in Fig. 10, and using the assumptionthat the annotation’s assertions imply guard agreement onbranches (outside b and b ′ ), we can show the rules in Fig. 9suffice to prove what’s needed.Finally, instantiate d, d ′ as c, c ′ in (11), noting that lab ( d ) = 1 = beg so tag = lck . So Theorem 12 is proved,since an (1 , , lck ) = R and an ( fin , fin , lck ) = S .To handle the general case where there are multipledesignated subprograms, disjoint from each other, one candefine the product in terms of a set BEG of begin labelsand
EN D of end labels (disjoint from
BEG ), replacingcondition m = beg with n / ∈ BEG and adjusting the othertransition rules accordingly.To avoid the case distinctions on tags in the inductionhypotheses (8) and (9), one could relax the definition ofproduct automata to allow a product to take transitions withno effect on the underlying computation. In the present casewe would use one from ( beg, beg, lck ) to ( beg, beg, lo ) andso forth. For adequacy, such steps must be bounded. Thisis akin to the familiar requirement that ghost code must beterminating [38]. Theorem 13: proof and automaton.
Here is the automatonfor the three-way product, under the conditions given inSec. 7. Note that labs ( sub ( beg, c )) = labs ( sub ( beg, c ′ )) underthose conditions. (i) (( n, n, lck ) , ( s, s ′ )) Z ⇒ (( m, m, lck ) , ( t, t ′ )) if (( n, n ) , ( s, s ′ )) Z ⇒ lckc (( m, m ) , ( t, t ′ )) (ii) (( beg, beg, lck ) , ( s, s ′ )) Z ⇒ (( m, beg, lo ) , ( s, s ′ )) if ( beg, s ) ( m, s ) and s, s ′ | = L (iii) (( beg, beg, lck ) , ( s, s ′ )) Z ⇒ (( beg, m, ro ) , ( s, s ′ )) if ( beg, s ′ ) ′ ( m, s ′ ) and s, s ′ | = R (iv) (( n, beg, lo ) , ( s, s ′ )) Z ⇒ (( m, beg, lo ) , ( t, s ′ )) if ( n, s ) ( m, t ) and m = beg and n ∈ labs ( sub ( beg, c )) (v) (( beg, n, ro ) , ( s, s ′ )) Z ⇒ (( beg, m, ro ) , ( s, t ′ )) if ( n, s ′ ) ′ ( m, t ′ ) and m = beg and n ∈ labs ( sub ( beg, c )) (vi) (( n, beg, lo ) , ( s, s ′ )) Z ⇒ (( beg, beg, lck ) , ( t, s ′ )) if ( n, s ) ( beg, t ) and n ∈ labs ( sub ( beg, c )) (vii) (( beg, n, ro ) , ( s, s ′ )) Z ⇒ (( beg, beg, lck ) , ( s, t ′ )) if ( n, s ′ ) ′ ( beg, t ′ ) and n ∈ labs ( sub ( beg, c )) Theorem 13 is proved as follows, with reference to theVCs in Fig. 16. The VCs reflect that only same-value- guard paths are taken, except in lo or ro iterations underconditions L and R respectively. The omitted VCs includethe symmetric right-only transitions and unreachable ones.As an aside, Fig. 17 instantiates some VCs for the c , c example of Sec. 7.Let b be the body of the loop sub ( beg, c ) and b ′ the bodyof the loop sub ( beg, c ′ ) (it must be a loop, by sameCtl ( c, c ′ ) ).Labels have no significance on the proof rules and wewill use skip without a label in the following. One could aswell choose fresh labels so as to work entirely with labelledcommands.By induction on b we show its relation with skip: for allsubcommands d of b : ⊢ d | skip : an ( lab ( d ) , beg, lo ) ≈ > an ( m, beg, tag ) (12)where m = elab ( d, c, fin ) and tag = lck if m = beg , else tag = lo . For this purpose we use the left-side rules ofFig. 11 together with R C ONSEQ , in an argument similar toproofs of the previous theorems. For example, in case d isan assignment x := n e we use A SS S KIP to get x := n e | skip : an ( m, beg, tag ) x | e | ≈ > an ( m, beg, tag ) and then use R C ONSEQ and the VC to strengthen an ( m, beg, tag ) x | e | to an ( n, beg, tag ) .The relevant VCs arise from type (ii), (iv), and (vi)transitions (see Fig. 16). This is similar to the proof ofTheorem 10 in the sense that the VCs are for one-sideexecution, but there we work with unary judgments and herewe are using relational judgments (and relations are sets ofstore pairs, not sets of stores).By induction on b ′ we show its relation with skip: forall subcommands d ′ of b ′ : ⊢ skip | d ′ : an ( beg, lab ( d ′ ) , ro ) ≈ > an ( beg, m, tag ) (13)where m = elab ( d ′ , c, fin ) and tag = lck if m = beg , else tag = ro . For this purpose we use the right-side rules whichmirror those shown in Fig. 11. The relevant VCs arise fromtype (iii), (v), and (vii) transitions.By induction on b we show its relation with b ′ : for allsubcommands d of b and corresponding subcommands d ′ of b ′ : ⊢ d | d ′ : an ( lab ( d ) , lab ( d ) , lck ) ≈ > an ( m, m, lck ) (14)where m = elab ( d, c, fin ) . For this purpose we use thelockstep rules of Fig. 9, similar to the proof of Theorem 11and relying on assumption (a) of Theorem 13.Instantiating (12), (13), and (14), noting that elab ( b, c, fin ) = beg , we get ⊢ b | skip : an ( lab ( b ) , beg, lo ) ≈ > an ( beg, beg, lck ) ⊢ skip | b ′ : an ( beg, lab ( b ) , ro ) ≈ > an ( beg, beg, lck ) ⊢ b | b ′ : an ( lab ( b ) , lab ( b ) , lck ) ≈ > an ( beg, beg, lck ) Now using R C ONSEQ and the VCs we get ⊢ b | skip : an ( beg, beg, lck ) ∧ h [ e h ] ∧ L ≈ > an ( beg, beg, lck ) ⊢ skip | b ′ : an ( beg, beg, lck ) ∧ [ i e ′ ] i ∧ R ≈ > an ( beg, beg, lck ) ⊢ b | b ′ : an ( beg, beg, lck ) ∧ h [ e h ] ∧ [ i e ′ ] i ≈ > an ( beg, beg, lck ) FG edge ( n, m, tag ) → . . . sub ( n, c ) and sub ( m, c ′ ) VC rule ( beg, beg, lck ) → ( m, m, lo ) enter loop body jointly an ( beg, beg, lck ) ∧ h [ e h ] ∧ [ i e ′ ] i ⇒ an ( m, m, lck ) (i) ( beg, beg, lck ) → ( m, beg, lo ) enter loop body left an ( beg, beg, lck ) ∧ h [ e h ] ∧ L ⇒ an ( m, beg, lo ) (ii) ( n, beg, lo ) → ( m, beg, lo ) left if test e true an ( n, beg, lo ) ∧ h [ e h ] ⇒ an ( m, beg, lo ) (iv) ( n, beg, lo ) → ( beg, beg, lck ) end left iteration an ( n, beg, lo ) ⇒ an ( beg, beg, lck ) (vi) ( beg, beg, lck ) → ( m, m, lck ) exit loop m = elab ( ... ) an ( beg, beg, lck ) ∧ ¬h [ e h ] ∧ ¬ [ i e ′ ] i ⇒ an ( m, m, lck ) (i) Figure 16. Selected VCs for the three-way product, with reference to relevant transition rule. ( n, n ′ , tag ) → ( m, m ′ , t ) . . . the VC is . . . (1 , , lck ) (2 , , lck ) x = x ′ ∧ x > ⇒ ( y = y ′ ∧ y > y,y ′ x,x ′ (2 , , lck ) (3 , , lck ) y = y ′ ∧ y > ⇒ ( y = y ′ ∧ y > ∧ z > z ′ > z,z ′ , (3 , , lck ) (4 , , lck ) y = y ′ ∧ y > ∧ z > z ′ > ⇒ S w,w ′ , (4 , , lck ) (5 , , lck ) S ∧ y = 4 ∧ y ′ = 4 ⇒ S ∧ y > , , lck ) (6 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3 ⇒ S ∧ y > ∧ w % 2 = 0 = w ′ % 3(6 , , lck ) (7 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3 ⇒ ( S ∧ y > ∧ w % 2 = 0 = w ′ % 3) z,z ′ z ∗ y,z ∗ (7 , , lck ) (9 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3 ⇒ S y,y ′ y − ,y − (5 , , lck ) (8 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3 ⇒ S ∧ y > ∧ w % 2 = 0 = w ′ % 3(8 , , lck ) (9 , , lck ) S ∧ y > ∧ w % 2 = 0 = w ′ % 3 ⇒ S (9 , , lck ) (4 , , lck ) S ⇒ S (9 , , lck ) (0 , , lck ) S ⇒ z > z ′ (4 , , lck ) (5 , , lo ) S ∧ y = 4 ∧ L ⇒ S ∧ L (5 , , lo ) (6 , , lo ) S ∧ L ∧ w % 2 = 0 ⇒ false (5 , , lo ) (8 , , lo ) S ∧ L ∧ w % 2 = 0 ⇒ S (8 , , lo ) (9 , , lo ) S ⇒ S (9 , , lo ) (4 , , lck ) S ⇒ S