A Logical Treatment of Non-Termination and Program Behaviour

Can the semantics of a program be represented as a single formula? We show that one formula is insufficient to handle assertions, refinement or slicing, while two formulae are sufficient: ( ) S  , defining non-termination, and ( ) S  , defining behaviour. Any two formulae A and B will define a corresponding program. Refinement is defined as implication between these formulae.


Introduction
The idea of using a single formula to represent the behaviour of a program is a very attractive one: proving that two programs are equivalent then reduces to the task of proving that two formula are equivalent.For the latter task, mathematicians have developed many powerful techniques over the last few thousand years of the history of mathematics.
In this paper, we show that a single formula is insufficient to represent the semantics of a program in the desired way, but there are two formulae which are sufficient.

The WSL Language
The WSL transformation theory is based in infinitary logic: an extension of first order logic which allows infi-nitely long formulae.The statements in the WSL kernel language are as follows: { } P is an assertion which terminates immediately if P is true and aborts if P is false, [ ] P is a guard which ensures that P is true without changing the value of any variable, ( ) add x adds the variables in x to the state space, if they are not already present, and assigns arbitrary values to the variables.

( )
remove x removes the variables in x from the state space, 1 2 ; S S is sequential composition, ( )

S S 
is nondeterministic choice, and ( ) is a recursive subroutine which also adds the variables in x to the state space and removes the variables in y from the state space.
The semantics of a WSL program is defined as a function which maps each initial state to the set of possible final states.A state is either the special state ⊥ , which represents non-termination, or a proper state which is a function from a set of variables (the state space) to the set of values.The semantics of a program is always defined in the context of a particular initial state space and final state space.
For any list of variables x , we define x  to be the set of variables in x , and ′ x and ′′ x to be the corresponding sequences of primed and doubly primed variables.The formula ′′ ≠ x x is true precisely when the value of any variable in x differs from the value of the corresponding variable in ′′ x .The interpretation function maps each statement S and initial state space V to the corres- ponding state transformation (under a model M for the logic in question).For a state space V , and set of values  , let ( ) be the set of states on V and  (including ⊥ ), and for any formula P let ( ) int , M V P be the set of states which satisfies the formula.See [1] for details.For initial state ⊥ we define , i.e. if the program is started in the non-terminating state then it cannot be guaranteed to terminate.(Starting the program in a non-terminating state simply means that some previous program in the sequence has failed to terminate, so this program can never actually start.This restriction simply means that a later statement in a sequence cannot somehow "recover" from non-termination of an earlier statement in the sequence the program).
The semantics for the recursive program is simply the intersection of the semantics for each finite truncation.The result is the least defined statement which is a refinement of all the truncations.
If the initial state space is empty, then there are two possible initial states: ⊥ and the single proper state ∅ .For ⊥ the set of final states must be ( ) , by definition.So the state transformation is entirely determined by its value on the initial state ∅ .If the final state space is also empty, then there are exactly three distinct state transformations, corresponding to the three possible sets of states. 1 The three state transformations are 1 f , 2 f and 3 f where: These correspond to the three fundamental statements Note that there are three different semantic function which use no variables, but only two semantically-different formulae with no free variables (namely true and false ).Under any interpretation of the logic, any formula with no free variables must be interpreted as either universally true or universally false.There is no way to map three different semantics onto two formulae: so this proves that a single formula is insufficient to represent the semantics of a program.

The Abort and Behaviour Predicates
Since it is not possible to represent the semantics of a program using one formula, we will now consider how we can represent the denotational semantics of a program using two formulae from infinitary first order logic.The formulae are defining in terms of the weakest precondition.
For any program S and postcondition (condition on the final state space) R , the weakest precondition ( ) WP , S R is the weakest condition on the initial state space such that if the initial state satisfies ( ) WP , S R then S is guaranteed to terminate in a state which satisfies R .
In [1], we show that ( ) WP , S R can be defined as a formula in infinitary logic and that refinement can be characterised by the weakest precondition as follows: for any to programs 1 S and 2 S with the same initial and final state spaces, 2 S is a refinement of 1 S , written 1 2 ≤ S S , if and only if for all postconditions R : ( ) ( ) In the same paper, we also prove that it is not necessary to determine the weakest preconditions for all postconditions: two very simple postconditions are sufficient.These are the conditions true and ′′ ≠ x x where x is a list of all the variables in W and ′′ x is a list of new variables, not appearing in either program, which are the doubly-primed versions of the variables in W . Then 1 2 ≤ S S if and only if: For any statement S , the formula ( ) WP , S true describes precisely those initial states on which S is guaranteed to terminate.For each of these states, the formula ( ) describes the behaviour of S in the sense that, if s is an initial state for which S terminates, and is an extension of s which adds the variables ′′ x to the state with a given set of values, then s′′ satisfies ( ) precisely when the values assigned to ′′ x form a possible final state for S when they are assigned to the corresponding un- primed variables.
To be more precise, we will prove the following theorem: Theorem 3.1.If f is the interpretation of S , then for every initial state s and final state ( ) t f s ∈ .Proof: Suppose f is the interpretation of S as a state transformation from V to W , and let s be any initial state.Let t be any proper state in ( ) f s (i.e.any element of ( ) f s apart from ⊥ ).Let f ′′ be the extension of f which adds W ′′ to the initial and final state spaces and preserves the values of these variables.Then f ′′ is the interpretation of S  ( ) . In [1] we also prove the Representation Theorem: Theorem 3.2.For any statement : is equivalent to skip and the formula ′′ ≠ x x is equivalent to true .)

Examples
Some example programs to illustrate the formulae: { } ( ) Here, 2 S is both more defined (terminating on more initial states) and more deterministic than 1 S , and so 2 S is a refinement of 1 S .A refinement of a program can for initial states on which the original program aborts, so 3 S is also a refinement of 1 S .Finally, 4 S is more deterministic than 3 S in that it restricts the set of possible final states (for initial states with 0 y < the set of final states is empty).These facts are reflected in the formulae in Table 2. Clearly, ( ) ( ) ⇒ S S   which shows that 1 3 ≤ S S .However, it is not the case that 2 3 ≤ S S since when 0 y = in- itially, 2 S must assign x the value 1, while 3 S can non-deterministically choose to assign x the value 1 or 3. Conversely, 3 S is not refined by 2 S because 3 S is defined on initial states for which 2 S is not de- fined: namely, those initial states in which 0 y < .Finally, 4 S is a (strict) refinement of all the other programs, and none of the other programs is a refinement of 4 S because 4 S is null on initial states with 0 y < .Given that  and  capture the semantics of a program, it should be possible to compute the formulae for a compound statement from the formulae for the components.For the primitive statements in the first level of WSL, the formulae are given in Table 3. Table 1. and  for some fundamental programs.

2 .
 and  for the example programs.
, where s is the restriction of t s to V and t′′ is the restriction of t s to W ′′ and where t is the state on W which corresponds to t′′ .We claim that and final values of x′′ on f ′′ are identical.Let t s be the state s extended to state space V W′′  which gives the variables in W ′′ the same values that the corresponding unprimed f s contains every state) and t is not a possible final state for s .So every final state in ( ) f s differs from t .As before, let t t be the extension of t over W ′′ such that ( ) ( )

Table 1 .
, skip and null for which the corresponding formulae are given in From this table we see that: x is non-empty, then all three refinements are strict refinements.Note that abort and when

Table 3 .
 and  for the atomic statements.