VU-VFS-2025. Lecture 7 - VC's for functions and pointers [004p]

December 12, 2025

1. Assertions

December 12, 2025

Definition 1.1. Assertions & Havoc [004q]

December 12, 2025

We introduce 3 new syntactic constructs with their associated hoare rules, these constructs are:

The statement \(\texttt {assert(F)}\) which \(\texttt {fails}\) if \(F\) evaluates to \(\bot \)
The statement \(\texttt {assume(F)}\) which tells us that \(F\) evaluates to \(\top \)
The statement \(\texttt {x := havoc()}\) which assigns a non-deterministic value to a variable \(x\)

1.1.1. Evaluation rules

December 12, 2025

We introduce a new construct \(\texttt {fail}\) which denotes the failure state, as an alternative to \(\sigma \).

For the assumption we only have a \(\top \) rule, the idea being if the assumption holds then the statement is equivalent to a \(\texttt {skip}\) otherwise the execution gets stuck but doesn't fail.

The idea with getting stuck being that since we aren't failing for the case of partial-correctness (failure or termination) it means we can simply ignore this case.

The final big-step evaluation rule is for the havoc statement:

1.1.2. Hoare rules

December 12, 2025

In addition to our big-step evaluation rules we also have Hoare rules.

1.1.3. A more detailed explanation

December 12, 2025

A central thing to understand with assertions especially is that they integrate a result's monad into the big-step evaluation semantics, in addition to the Hoare logic. So the idea is now instead of the relationship being denoted by:

\[ (\texttt {Stmt} \times \texttt {Memory}) \to \texttt {Memory} \to \texttt {Prop} \]

It's now expressed as

\[ (\texttt {Stmt} \times \texttt {Memory}) \to (\texttt {Result} \texttt {Memory}) \to \texttt {Prop} \]

Where we can model \(\texttt {Result}\) as the following monad


    inductive Result (α : Type)
    | ok : α → Result α      -- Normal termination with final state
    | fail : Result α        -- Assertion failure / error state
    deriving Repr, DecidableEq

At this point if you want to be pedantic it's worth mentioning that the implication is that we are lifting all other inference rules into the context of this result monad, though for pedagogical purposes its enough to just assume that \(\Downarrow \sigma \) just corresponds to \(\Downarrow \texttt {.ok} \sigma \) i.e. evaluated into a non-fail state.

The Hoare triple is where stuff becomes a bit more interesting. As a reminder, the classical hoare triple is basically just an alias for the logical formula:

\[ \forall \sigma , \sigma '.\ P(\sigma ) \to \langle s, \sigma \rangle \Downarrow \sigma ' \to Q(\sigma ') \]

Naturally because we know are no longer evaluating into just \(\sigma '\) but either an \(\texttt {ok}\) or \(\texttt {fail}\) state, it's worth asking how we actually represent that as a Hoare triple. We can start in much the same way as we do for the regular partial correctness hoare triple

\[ \forall \sigma , \sigma _t.\ P(\sigma ) \to \langle s, \sigma \rangle \Downarrow \sigma _t \to (??) \]

Here we then run into I guess a design choice as to how we proceed, the two main possibilities are:

We fail sometimes succeed other times this would mean that: \[ (\exists \sigma ', \sigma _t = \texttt {.ok}\ \sigma ' \land Q(\sigma ')) \] another way of seeing this is here we are disallowig failure meaning that for a hoare triple to be proven valid we must explicitly demonstrate as a side condition that we cannot fail otherwise our hoare triple is invalid.
We never fail which would mean that: \[ (\forall \sigma ', \sigma _t = \texttt {.ok}\ \sigma ' \land Q(\sigma ')) \] for this rule another way of seeing it is we are ignoring failure or filter success states since we are clearly only quantifying over those states that are successfull.

The latter option seems to be generally more common in theoretical settings because it doesn't require explicitly accounting for failure states, they are just implicitly filtered out in the logic.

Quiz 1.2. Weakest precondition for assert and assume [004r]

December 12, 2025

Answer the following:

What's \(\texttt {wp}(\texttt {assert}(P), Q)\)
What's \(\texttt {wp}(\texttt {assume}(P), Q)\)
Given a statement \(s\), can we transform it into a statement \(s'\) such that: \[ \vDash \{P\}\ s\ \{Q\} \iff \{\top \}\ s'\ \{\top \} \]

Solution.

December 12, 2025

We can remember that the weakest precondition is simply what we can derive reasoning backwards from the formulaic expression of a hoare triple.

Considering our wp formula we have \[ \texttt {wp}(\texttt {assert}(b), Q)(\sigma ) \to (\texttt {assert}(b), \sigma ) \Downarrow \texttt {.ok}\ \sigma \to Q(\sigma ) \] reasoning backwards we can start with a case split on the evaluation of the assertion, this leads to two cases
- \(b\) evaluates to true, as this case trivially implies that the assertion evaluates into \(\texttt {.ok}\ \sigma \) it means we must prove \(Q(\sigma )\). The only way we can prove this is by having our weakest precondition be a witness to this assertion.
- \(b\) evaluates to false, as this would imply a contradiction since the assertion evaluates to \(\texttt {.ok}\ \sigma \), more specifically we know have to prove the contradiction that \(\texttt {.ok}\ \sigma = \texttt {.fail} \sigma \), we know (i.e. have a hypothesis) by inversion that \(b \Downarrow ^f \sigma \) since we know \(b\) has to be true to prove the contradiction we also must ensure the weakest precondition states that \(b \Downarrow ^t \sigma \)
from these two cases we can conclude that two demonstrate the soundness of the weakest precondition for assert statements, it must be the case that the \(\texttt {wp}\) is the conjunction of the postcondition and the logical assertion that what is being asserted is indeed true, so we have that \[ \texttt {wp}(\texttt {assert}(b), Q)(\sigma ) \equiv (b \Downarrow ^t \sigma ) \land Q(\sigma ) \] the more intuitive reasoning here is that \(Q\) should hold before and after as an assert should, just by design, not do anything to the memory, it's only an assertion after all. Additionally, the condition should hold true as \(\texttt {wp}\) definitionally describes a set of states where all terminating executions end in a state satisfying \(Q\) thus if \(b\) does not evaluate to true, there is no terminating execution from \(\sigma \).
We can just use the more intuitive reasoning here, we know the weakest precondition characterizes a set of states where terminating executions end in a state satisfying \(Q\). The only way for something being assumed to be true leading to some other else is it if implies something else, thus our \(\texttt {wp}\) becomes \[ \texttt {wp}(\texttt {assume}(b), Q)(\sigma ) \equiv (b \Downarrow ^t \sigma ) \to Q(\sigma ) \] in terms of backward reasoning the idea is that \(\texttt {assume}(p)\) essentially just adds a raw hypothesis \((b \Downarrow ^t \sigma )\) but clearly that by itself doesn't somehow allow me to just manifest \(Q(\sigma )\), the only way we could possibly get \(Q\) from \(b\) being true is if we have a function which states that \(b\) being true implies \(Q\).

Context

VU-VFS-2025. All VFS Quiz Solutions [0003]

November 22, 2025

This is an explanation and solution to all quizzes in the VFS lectures. By default, I have the solutions minimized, but you can expand them by clicking on the upper part of the solution box (i.e. just click the solution section).

VU-VFS-2025. Lecture 1 - Propositional Logic [0004]

November 22, 2025

Syntax

November 22, 2025

Definition. Syntax [0005]

November 22, 2025

Using BNF notation, the syntax of propositional logic can be defined as follows:

Quiz. Evaluating Syntax [0006]

November 22, 2025

Is \(p\) an atom?
Is \(p\) a literal?
Is \(p\) a formula?
What about \(\neg p\)?
What about \(\neg \neg p\)?

Solution.

November 22, 2025

Yes, \(p\) is an atom.
Yes, \(p\) is a literal. Literals are either atoms or negated atoms, and since \(p\) is an atom, it is also a literal.
Yes, \(p\) is a formula. Formulas can be literals, and since \(p\) is a literal, it is also a formula.
\(\neg p\) is not an atom, but it is a literal (as it is a negated atom) and therefore also a formula.
\(\neg \neg p\) is a formula, since the inner negation \(\neg p\) is a literal and any additional negation applied promotes it to a formula. In other words only negated atoms are literals but negated literals are formulas. This is especially important when we later discuss Negation Normal Form (NNF).

Semantics & Intepretations

November 22, 2025

Definition. Semantics [0007]

November 22, 2025

We can define the semantic inference rules for propositional logic formulas under interpretations as follows inductively, starting with the base cases:

Moving on to the inductive case we have

Similarly, the rules for when an interpretation does not satisfy a formula are as follows:

Definition. Interpretation [0008]

November 22, 2025

We define an interpretation as a function which maps propositional variables in a formula to truth values, so formally

\[ I : \texttt {Var} \to \{\top , \bot \} \]

We can evaluate a formula under an interpretation \(I\) by substituting each propositional variable with its corresponding truth value given by \(I\). Naturally under different kinds of interpretations formulas can evaluate to different truth values. We can create a classifcation of formulas based on how many interpretations evaluate them to true or false.

satisfiable: A formula is satisfiable if there exists at least one interpretation under which it evaluates to true.
unsatisfying: A formula is unsatisfying if there exists at least one interpretation under which it evaluates to false.
tautology: A formula is a tautology if it evaluates to true under every possible interpretation.
contradiction: A formula is a contradiction if it evaluates to false under every possible interpretation.
contingent: A formula is contingent if it is satisfiable and unsatisfying, i.e., there exists at least one interpretation under which it evaluates to true and at least one interpretation under which it evaluates to false.

Quiz. Evaluating PL Formulae [0009]

November 22, 2025

Consider the formula \( F \triangleq (\neg p \land q) \) and interpretation \( I \triangleq \{p \to \top , q \to \bot \} \) Which of the following is true

\(I \models F\)
\(I \nvDash F\)

What about the formula \[ (p \land q) \to (\neg p \lor q) \] under the same interpretation?

Solution.

November 22, 2025

Theres two main ways you can usually approach questions like this, the more drawn out operational way and then just going by observation more or less. Starting out with the more pedantic approach we can try to construct a proof tree for the formula under the given interpretation. So considering the first formula we have:

So we can see that the interpretation does not satisfy the formula. In other words for this assignment the formula does not hold true. Given that this is a somewhat simple formula we could also just see this by observation, i.e.

\[ \underbrace {\neg p}_{\texttt {False}} \land \underbrace {q}_{\texttt {False}} \equiv \bot \]

For the second formula lets just go with the simpler approach again, so we have

So in this case the formula is satisfied by the interpretation.

Quiz. Evaluating sat/unsat/valid [000a]

November 22, 2025

Are the following formulas sat., unsat., or valid?

\((p\land q) \to \neg p\)
\((p \land q) \to (p \lor \neg q)\)
\((p \to (q \to r)) \land \neg ((p \land q) \to r)\)

Solution.

November 22, 2025

As a reminder lets recap the definitions:

A formula is satisfiable if there exists at least one combination of true/false assignments to its variables that makes the formula true.
A formula is unsatisfiable if there is no combination of true/false assignments to its variables that makes the formula true (i.e., it is always false).
A formula is valid (or a tautology) if it is true under all possible combinations of true/false assignments to its variables.

Now we can analyze each formula:

For the lhs to be true both p and q must be true. However, if p is true then \(\neg p\) is false, making the implication false. If p is false then the implication is vacuously true regardless of what we set q to. Thus, this formula is satisfiable (e.g., when p is false) but not valid (e.g., when p and q are true).
If both p and q are true then the lhs is true and so is the rhs by virtue of p being true. If p is false then the implication is vacuously true regardless of q. If q is false then the rhs is true regardless of p. Thus, this formula is valid as it is true for all combinations of truth values for p and q.
The first part \((p \to (q \to r))\) is true unless p is true and either q or r is false. The second part \(\neg ((p \land q) \to r)\) is true when p and q are true but r is false. Thus we can satisfy the entire formula by setting p and q to true and r to false. However, if we set p to false then the first part is vacuously true, but the second part becomes false. Thus, this formula is falsifiable (e.g., when p and q are true and r is false) but not valid (e.g., when p is false).

If you want to be absolutely sure about these kinds of questions constructing truth tables is always a good idea, albeit a bit tedious for formulas with many variables so just doing a bit of analysis like above is usually sufficient

VU-VFS-2025. Lecture 2 - Normal Forms & DPLL [000b]

November 22, 2025

Formula Equivalence

November 22, 2025

Definition. Equivalence of Formulae [000c]

November 22, 2025

Two formulas \(F\) and \(G\) are said to be equivalent, written \(F \equiv G\), if they have the same truth value under every interpretation. In other words, for every interpretation \(I\), \(I \models F\) if and only if \(I \models G\).

\[ F \equiv G \iff \forall I (I \models F \iff I \models G) \]

Quiz. Normal Forms & DPLL - Equivalence [000d]

November 22, 2025

Which of the following equivalences hold?

\(\bot \equiv \bot \)
\(\top \equiv \top \)
\(\neg \top \equiv \neg \bot \)
\(\neg (p \land q) \equiv \neg p \lor \neg q\)
\(p \equiv p \lor q\)
\(\neg \neg p \equiv p\)

Solution.

November 22, 2025

True. Both sides are always false.
True. Both sides are always true.
False. Left side is always false, right side is always true.
True. This is De Morgan's law. Good to remember \[ \neg (p \land q) \equiv \neg p \lor \neg q \]
False. Left side is true when p is true, right side is true when either p or q is true.
True. Double negation elimination.

Negation Normal Forms

November 22, 2025

Definition. Negation Normal Form (NNF) [000e]

November 22, 2025

A formula \(F\) is in Negation Normal Form (NNF) if the negation operator \(\neg \) is only applied to literals (i.e., propositional variables or their negations), and the only other allowed operators are conjunction \(\land \) and disjunction \(\lor \). A nice way to think about it is that we can never have the case where we need to apply De Morgan's laws to push negations further down the formula tree. So all negations come pre-distributed to the literals.

Quiz. Negation Normal Form (NNF) [000f]

November 22, 2025

Which of the following formulas are in Negation Normal Form (NNF)?

\(p \to q\)
\(p \lor (\neg q \land (r \lor \neg s))\)
\(p \lor (\neg q \land \neg (\neg r \land s))\)
\(p \lor (\neg q \land (\neg \neg r \lor \neg s)) \)

Solution.

November 22, 2025

No. The implication operator \(\to \) is not allowed in NNF.
Yes. Negations are only applied to literals, and only \(\land \) and \(\lor \) are used.
No. The negation operator \(\neg \) is applied to a non-literal formula \((\neg r \land s)\).
No. The double negation \(\neg \neg r\) is not allowed in NNF. Important to remember since that can trip you up.

Disjunctive Normal Form

November 22, 2025

Definition. Distributing Conjunction [000k]

November 22, 2025

The distributive law of conjunction over disjunction states that for any formulas \(F\), \(G\), and \(H\), the following equivalence holds:

\[ \begin {align*} F \land (G \lor H) &\equiv (F \land G) \lor (F \land H) \\ (F \lor G) \land H &\equiv (F \land H) \lor (G \land H) \end {align*} \]

Definition. Eliminating Implications and Biconditionals [000j]

November 22, 2025

To eliminate implications (\(\to \)) and biconditionals (\(\leftrightarrow \)) from a formula \(F\), we can use the following equivalences:

\[ \begin {align*} p \to q &\equiv \neg p \lor q \\ p \leftrightarrow q &\equiv (p \land q) \lor (\neg p \land \neg q) \end {align*} \]

Definition. Disjunctive Normal Form (DNF) [000h]

November 22, 2025

A formula \(F\) is in Disjunctive Normal Form (DNF) if it is a disjunction of one or more conjunctions of one or more literals. In other words, \(F\) can be expressed as a series of clauses connected by disjunctions (\(\lor \)), where each clause is a series of literals connected by conjunctions (\(\land \)). A literal is either a propositional variable or its negation.

\[ F = C_1 \lor C_2 \lor ... \lor C_n \]

Where each clause \(C_i\) is of the form:

\[ C_i = L_{i1} \land L_{i2} \land ... \land L_{im} \]

Quiz. Converting to DNF [000l]

November 22, 2025

Convert the following formula into Disjunctive Normal Form (DNF):

\[ (q \lor \neg \neg p) \land (\neg r \to s) \]

Solution.

November 22, 2025

Equisatisfiability

November 22, 2025

Definition. Equisatisfiability [000q]

November 22, 2025

Two formulas are said to be equisatisfiable if either both formulas are satisfiable or both are unsatisfiable. In other words, there exists an assignment of truth values to the variables that makes one formula true if and only if there exists; not necessarily the same assignment; that makes the other formula true. Equisatisfiability is a weaker condition than logical equivalence, as equisatisfiable formulas may not have the same truth values under all assignments, but they share the same satisfiability status.

\[ \texttt {equisat}(F, G) \iff (\exists I.\ I \models F) \iff (\exists J.\ J \models G) \]

Quiz. Equisatisfiability [000r]

November 22, 2025

If a formula \(F\) and \(G\) are equisatisfiable, then are they equivalent?

Solution.

November 22, 2025

No. We can answer this in a few different ways. In the most direct sense they are just definitionally not the same thing, in that equivalence requires that both formulas have the same truth value under all interpretations, whereas equisatisfiability only requires that both formulas have a satisfying interpretation or both be unsatisfiable. Another way to see it is that in an abstract sense equivalence describes an object-level relationship between formulas, whereas equisatisfiability describes a meta-level relationship about the existence of satisfying interpretations. Thus, they are fundamentally different kinds of relationships.

Tseitin Transformation

November 22, 2025

Definition. Conjunctive Normal Form (CNF) [000n]

November 22, 2025

A formula is in Conjunctive Normal Form (CNF) if it is expressed as a conjunction of disjunctions of literals. In other words, a CNF formula is a series of clauses (disjunctions) connected by AND operators. Each clause contains literals (variables or their negations) connected by OR operators. For example, the formula \((p \lor \neg q) \land (r \lor s \lor \neg t)\) is in CNF.

\[ F = C_1 \land C_2 \land ... \land C_n \]

Where each clause \(C_i\) is of the form:

\[ C_i = L_{i1} \lor L_{i2} \lor ... \lor L_{im} \]

Definition. Exponential Blow up problem [000m]

November 22, 2025

When converting a formula to Disjunctive Normal Form (DNF) or Conjunctive Normal Form (CNF), the size of the resulting formula can grow exponentially in the worst case. This is known as the exponential blow up problem. For example, a formula with \(n\) variables can result in a DNF or CNF with up to \(2^n\) clauses.

Definition. Tseytin's Transformation [000s]

November 22, 2025

Tseytin's transformation is a method used in propositional logic to convert any given formula into an equisatisfiable formula in Conjunctive Normal Form (CNF). The key idea behind Tseytin's transformation is to introduce new variables to represent subformulas of the original formula, thereby avoiding an exponential increase in size that can occur with naive CNF conversion methods. There are two key properties of Tseytin's for a formula \(F\) and its Tseytin transformation \(F'\):

unsatisfiability: \(F\) is unsatisfiable if and only if \(F'\) is unsatisfiable.
model correspondence: For every satisfying assignment (model) of \(F'\), there exists a corresponding satisfying assignment of \(F\), and vice versa, when restricted to the original variables of \(F\).

To demonstrate how it works lets consider the following formula

\[ \phi = ((p \lor q ) \land r) \to (\neg s) \]

Subformula identification: Identify the subformulas of \(\phi \) and assign a new variable to each subformula. For our example, we can identify the following subformulas and assign new variables: \[ \begin {align*} & \neg s \\ & p \lor q \\ & (p \lor q) \land r \\ & ((p \lor q) \land r) \to (\neg s) \end {align*} \]
Variable assignment: Assign new variables to each subformula: \[ \begin {align*} & x_1 \text { for } \neg s \\ & x_2 \text { for } p \lor q \\ & x_3 \text { for } (p \lor q) \land r \\ & x_4 \text { for } ((p \lor q) \land r) \to (\neg s) \end {align*} \]
Equivalence clauses: For each subformula, create clauses that enforce the equivalence between the new variable and the subformula it represents. For our example, we would create the following clauses: \[ \begin {align*} & (x_1 \leftrightarrow \neg s) \\ & (x_2 \leftrightarrow (p \lor q)) \\ & (x_3 \leftrightarrow (x_2 \land r)) \\ & (x_4 \leftrightarrow (x_3 \to x_1)) \end {align*} \]
Conjunct of clauses: Combine all the equivalence clauses into a single formula in CNF. The final formula \(\phi '\) will be the conjunction of all these clauses along with the clause that asserts the truth of the variable representing the entire formula (in this case, \(x_4\)): \[ \phi ' = (x_1 \leftrightarrow \neg s) \land (x_2 \leftrightarrow (p \lor q)) \land (x_3 \leftrightarrow (x_2 \land r)) \land (x_4 \leftrightarrow (x_3 \to x_1)) \land x_4 \]
Conversion to CNF: Finally, convert the combined formula into CNF using standard techniques (like distributing disjunctions over conjunctions). The resulting formula will be in CNF and equisatisfiable to the original formula \(\phi \). For example if we consider the clause \[ x_2 \leftrightarrow (p \lor q) \] this can be converted to CNF as \[ (x_2 \lor \neg p) \land (x_2 \lor \neg q) \land (\neg x_2 \lor p \lor q) \]

Quiz. Tseytin's Transformation [000t]

November 22, 2025

Lets consider the following formula

\[ F \triangleq (p \land q) \lor (p \land \neg r \land s) \]

Using Tseytin's transformation, convert the formula \(F\) into an equisatisfiable formula in CNF.

Solution.

November 22, 2025

For the sake of brevity, let's skip assume the subformula extraction is already done, and we created the following equivalence clauses: \[ \begin {align*} F_1 &\triangleq t_1 \leftrightarrow (\neg r \land s) \\ F_2 &\triangleq t_2 \leftrightarrow (p \land t_1) \\ F_3 &\triangleq t_3 \leftrightarrow (p \land q) \\ F_4 &\triangleq t_4 \leftrightarrow (t_2 \lor t_3) \end {align*} \] This gives us the following conjunct for the transformed formula: \[ F' \triangleq F_1 \land F_2 \land F_3 \land F_4 \land t_4 \]

VU-VFS-2025. Lecture 3 - First Order Logic [000u]

November 22, 2025

Syntax

November 22, 2025

Definition. FOL - Syntax [000v]

November 22, 2025

We can define a first order language as a tuple of 3 sets \(\langle \mathcal C, \mathcal F, \mathcal R\rangle \) where:

Constants (\(\mathcal C\)): the set of constants in the language. E.g., \(\{a, b, c\}\)
Function Symbols (\(\mathcal F\)): the set of function symbols in the language. E.g., \(\{f, g, h\}\)
Relation Symbols (\(\mathcal R\)): the set of relation symbols in the language. E.g., \(\{R, S, T\}\)

Using BNF we can define the syntax as follows

Here the atom \(p\) represents an atomic predicate applied to terms \(t_1, \ldots , t_n\), where \(p \in \mathcal R\) with an arity of \(n\)

Quiz. First Order Logic - Syntax [000w]

November 22, 2025

Which of the following are syntactically valid formulas in first order logic?

\(f(x)\)
\(p(x)\)
\(p(f(x))\)
\(p(p(x))\)
\(p(f(f(x)))\)

Solution.

November 22, 2025

\(f(x)\): Invalid, as \(f\) is a function symbol and cannot stand alone as a formula.
\(p(x)\): Valid, as \(p\) is a relation symbol applied to the term \(x\).
\(p(f(x))\): Valid, as \(f(x)\) is a term and \(p\) is a relation symbol applied to that term.
\(p(p(x))\): Invalid, as \(p(x)\) is a formula, not a term, and cannot be an argument to \(p\).
\(p(f(f(x)))\): Valid, as \(f(x)\) is a term, and applying \(f\) again yields another term, which can be an argument to \(p\).

Quantifiers & Scoping

November 22, 2025

Definition. FOL - Quantifiers and Scoping [000x]

November 22, 2025

For quantifiers:

\[ \forall x.\ F \quad \exists x.\ F \]

Each variable occurring within the formula \(F\) known as the scope is either:

bound: if it is within the scope of a quantifier that binds it. E.g., in \(\forall x.\ P(x, y)\), the variable \(x\) is bound.
free: if it is not bound by any quantifier within the formula. E.g., in \(\forall x.\ P(x, y)\), the variable \(y\) is free.

Quiz. Quantifiers and Scoping in FOL [000y]

November 22, 2025

Consider the formula

\[ \forall y.\ ((\forall x.\ p(x))) \to q(x, y) \]

Is the \(y\) bound or free?
Is the first occurrence of \(x\) bound or free?
Is the second occurrence of \(x\) bound or free?

Solution.

November 22, 2025

\(y\) is bound, as it is within the scope of the quantifier \(\forall y\).
The first occurrence of \(x\) is bound, as it is within the scope of the quantifier \(\forall x\).
The second occurrence of \(x\) is free, as it is not within the scope of any quantifier that binds it.

Closed, Open & Ground Formulas

November 22, 2025

Definition. Closed, Open, and Ground Formulas (FOL) [000z]

November 22, 2025

We have 3 important classifications of formulas in First Order Logic (FOL) based on the nature of their variables:

Closed Formula: A formula with no free variables. All variables in the formula are bound by quantifiers. E.g., \(\forall x.\ \exists y.\ p(x, y)\) is a closed formula.
Open Formula: A formula with at least one free variable. E.g., \(p(x, y)\) is an open formula since both \(x\) and \(y\) are free.
Ground Formula: A formula with no variables at all. E.g., \(p(a, b)\) is a ground formula if \(a\) and \(b\) are constants.

Quiz. FOL - Closed, Open, and Ground Formulas [0010]

November 22, 2025

Consider the following formula

\[ \forall y.\ ((\forall x.\ p(x))) \to (\exists x.\ q(x, y)) \]

Is this formula closed, open, or ground?

Solution.

November 22, 2025

This formula is a closed formula because all variables within the formula are bound by quantifiers. The variable \(y\) is bound by the quantifier \(\forall y\), and both occurrences of \(x\) are bound by their respective quantifiers \(\forall x\) and \(\exists x\). There are no free variables in this formula. A nice example of a ground formula is something like this \[ p(a, f(b)) \to q(c) \] We can see here that there are no variables at all; \(a\), \(b\), and \(c\) are not bound by any quantifiers, hence the formula is ground since we aren't substituting/quantifying over any variables.

Term Evaluation

November 22, 2025

Definition. Interpretation (FOL) [0012]

November 22, 2025

In first order logic a Interpretation; similar to the case of propositional logic; is a mapping which assigns meaning to the syntax of the language. In this instance it's a mapping from constants, function symbols and predicate symbols to specific objects, functions and relations in a given domain. We can define an interpretation as a sort of piece wise function as follows:

\[ \begin {align*} I &: \mathcal C \cup \mathcal F \cup \mathcal R \to D \cup (D^n \to D) \cup (D^n \to \{\top , \bot \}) \\ I(c) & = d \quad \forall c \in \mathcal C, d \in D \\ I(f) & = f_D: D^n \to D \quad \forall f \in \mathcal F \\ I(p) & = p_D: D^n \to \{\top , \bot \} \quad \forall p \in \mathcal R \\ \end {align*} \]

Where \(D\) (sometimes also denoted as \(U\)) is the domain of discourse which is a non-empty set of objects over which the quantifiers range. Intuitively the domain of discourse represents what we wish to talk about in our interpretation. We can break this down into 3 parts:

constants (\(c \in \mathcal C\)): are mapped to specific elements in the domain \(d \in D\). For example if \(c\) is the constant \("a"\) and \(D = \{1, 2, 3\}\), then \(I(a) = 1\) could be a valid mapping.
function symbols (\(f \in \mathcal F\)): are mapped to functions that take elements from the domain and return elements in the domain. For example if \(f\) is a unary function symbol \("f"\) and \(D = \{1, 2, 3\}\), then \(I(f) = f_D\) where \(f_D(1) = 2\), \(f_D(2) = 3\), and \(f_D(3) = 1\) could be a valid mapping.
relation symbols (\(p \in \mathcal R\)): are mapped to relations (or predicates) that take elements from the domain and return truth values \(\{\top , \bot \}\). For example if \(p\) is a binary relation symbol \("R"\) and \(D = \{1, 2, 3\}\), then \(I(R) = R_D\) where \(R_D(1, 2) = \top \), \(R_D(2, 3) = \bot \), and \(R_D(3, 1) = \top \) could be a valid mapping.

Definition. Structures and Variable Assignments (FOL) [0013]

November 22, 2025

A structure \(\mathcal {M}\) for a first-order language \(\mathcal {L}\) consists of:

A non-empty domain \(D\), which is the set of objects that the variables can refer to.
An interpretation function \(I\) that assigns meanings to the non-logical symbols in \(\mathcal {L}\):

For each constant symbol \(c\) in \(\mathcal {L}\), \(I(c)\) is an element of \(D\).
For each n-ary function symbol \(f\) in \(\mathcal {L}\), \(I(f)\) is a function from \(D^n\) to \(D\).
For each n-ary predicate symbol \(P\) in \(\mathcal {L}\), \(I(P)\) is a subset of \(D^n\).

A variable assignment \(\sigma \) for a structure \(S\) is a function that assigns each variable to an element of the domain \(D\) of the structure. That is, for each variable \(x\), \(\sigma (x) \in D\).

Definition. Term evaluation (FOL) [0011]

November 22, 2025

In First Order Logic, terms are evaluated based on an interpretation \(I\) and a variable assignment \(\sigma \) within a structure \(S\) denoted as \(\langle I, \sigma \rangle (t)\). The evaluation rules are as follows:

If \(t\) is a constant symbol \(c\), then \(\langle I, \sigma \rangle (c) = I(c)\).
If \(t\) is a variable \(x\), then \(\langle I, \sigma \rangle (x) = \sigma (x)\).
If \(t\) is a function application \(f(t_1, t_2, \ldots , t_n)\), then \[ \langle I, \sigma \rangle (f(t_1, t_2, \ldots , t_n)) = I(f)(\langle I, \sigma \rangle (t_1), \langle I, \sigma \rangle (t_2), \ldots , \langle I, \sigma \rangle (t_n)) \]

Quiz. Term evaluation (FOL) [0014]

November 22, 2025

Consider the following domain/universe of discourse, variable assignment, and interpretation:

Universe \[ U \triangleq \{1, 2\} \]
Variable assignment \[ \sigma \triangleq \{x\mapsto 2, y\mapsto 1\} \]
Interpretation \[ \begin {align*} I & \triangleq \{a \mapsto 1, b \mapsto 2\} \\ I & \triangleq \{f(1, 1) \mapsto 2, f(1, 2) \mapsto 2, f(2, 1) \mapsto 1, f(2, 2) \mapsto 1\} \end {align*} \]

What is the evaluation of the following terms under the given interpretation and variable assignment?

\(f(a, y)\)
\(f(x, b)\)
\(f(f(x, b), f(a, y))\)

Solution.

November 22, 2025

\(\langle I, \sigma \rangle (f(a, y)) = I(f)(\langle I, \sigma \rangle (a), \langle I, \sigma \rangle (y)) = I(f)(I(a), \sigma (y)) = I(f)(1, 1) = 2\)
\(\langle I, \sigma \rangle (f(x, b)) = I(f)(\langle I, \sigma \rangle (x), \langle I, \sigma \rangle (b)) = I(f)(\sigma (x), I(b)) = I(f)(2, 2) = 1\)
\(\langle I, \sigma \rangle (f(f(x, b), f(a, y))) = I(f)(\langle I, \sigma \rangle (f(x, b)), \langle I, \sigma \rangle (f(a, y))) = I(f)(1, 2) = 2\)

Semantic Entailment

November 22, 2025

Definition. Semantic Entailment \(\models \) (FOL) [0015]

November 22, 2025

We evaluate formulas in first order logic under a structure which consists of a domain and an interpretation function. In addition, we need a variable assignment to evaluate formulas with free variables. To denote truth under a structure \(S\) and variable assignment \(\sigma \) we write:

True: If a formula \(F\) evaluates to true under \(U, I, \sigma \) we write \[U, I, \sigma \models F\]
False: If a formula \(F\) evaluates to false under \(U, I, \sigma \) we write \[U, I, \sigma \nvDash F\]

We can define semantic entailment inductively as follows:

Quiz. Semantic Entailment (FOL) [0016]

November 22, 2025

Consider constants (free variables) \(a, b\) and a unary function \(f\), and a binary predicate \(p\). Let \(U = \{\alpha , \beta \}\) and interpretation function \(I\) be defined as follows:

\[ \begin {align*} I &= \{a \mapsto \alpha , b \mapsto \beta \} \\ I &= \{f(\alpha ) \mapsto \beta , f(\beta ) \mapsto \alpha \} \\ I &= \{p(\beta , \alpha ) \mapsto \top , p(\beta , \beta ) \mapsto \top \} \end {align*} \]

Under the structure \(S = (U, I)\) and variable assignment \(\sigma = \{x \mapsto \alpha \}\) what do the following formulas evaluate to?

\(p(f(b), f(x))\)
\(p(f(x), f(b))\)
\(p(a, f(x))\)

Solution.

November 22, 2025

\(p(f(b), f(x))\) evaluates to \(\top \) because \(f(b) = f(\beta ) = \alpha \) and \(f(x) = f(\alpha ) = \beta \), and \(p(\alpha , \beta ) = \top \).
\(p(f(x), f(b))\) evaluates to \(\top \) because \(f(x) = f(\alpha ) = \beta \) and \(f(b) = f(\beta ) = \alpha \), and \(p(\beta , \alpha ) = \top \).
\(p(a, f(x))\) evaluates to \(\bot \) because \(a = \alpha \) and \(f(x) = f(\alpha ) = \beta \), and \(p(\alpha , \beta ) = \bot \).

Semantic argument method

November 22, 2025

Definition. Connectives and Quantifiers (FOL) [0017]

November 22, 2025

In addition to evaluating atomic formulas, we can define the evaluation of complex formulas using logical connectives and quantifiers as follows:

For the proof rules of quantifiers we have two variants depending on whether we are dealing with free or bound variables:

Definition. Semantic Argument method (FOL) [0018]

November 22, 2025

In first order logic, the semantic argument method represents a proof by contradiction. The basic idea is as follows:

We assume that our formula \(F\) is not valid, i.e., \(\exists S, \sigma \nvDash F\)
Use the proof rules to derive a contradiction from this assumption.
If we can indeed derive a contradiction, we conclude that our initial assumption was false, and therefore \(F\) must be valid.

We can express the semantic argument method via the following inference rule:

So the idea here being that if we have a predicate and its negation both holding under the same interpretation and variable assignment, we can derive a contradiction. This allows us to conclude that our initial assumption (that the formula is not valid) must be false, thereby proving the validity of the formula.

Quiz. Semantic Argument method (FOL) [0019]

November 22, 2025

Consider the following formula:

\[ F \triangleq (\forall x.\ p(x)) \to (\forall y.\ p(y)) \]

Using the semantic argument method, determine whether the formula \(F\) is valid.

Solution.

November 22, 2025

We begin by assuming that \(\exists S, \sigma \nvDash F\) \[ \begin {align*} & S, \sigma \nvDash (\forall x.\ p(x)) \to (\forall y.\ p(y)) \\ & \therefore S, \sigma \models \forall x.\ p(x) \land S, \sigma \nvDash \forall y.\ p(y) \\ & \therefore S, \sigma \models \forall x.\ p(x) \land S, \sigma \models \neg \forall y.\ p(y) \\ \end {align*} \] Since we have \(p\) and its negation both holding under the same interpretation and variable assignment, we can derive a contradiction using the Contradiction rule from the semantic argument method. Therefore, our initial assumption that \(F\) is not valid must be false. Hence, we conclude that the formula \(F\) is valid.

VU-VFS-2025. Lecture 4 - First Order Theories [0032]

December 2, 2025

Signatures and Axioms

December 2, 2025

Definition. First Order Theory \(T\) [0033]

December 2, 2025

A first order theory (FOT) \(T\) is defined by two main components:

A signature \(\Sigma \) of a set of constant, function, and predicate symbols
A set of axioms \(\mathcal A\) consisting of closed (i.e. no free variables) formulas over the signature \(\Sigma \)

We say that a formula constructed from only from the contents of the signature \(\Sigma \) is a \(\Sigma \)-formula.

Quiz. Signatures and Axioms (FOL) [0034]

December 2, 2025

Consider a theory withthe following signature:

\[ \Sigma _H : \{R = \{\texttt {taller}\}, C = F = \emptyset \} \]

And the axiom:

\[ \forall x.\ \forall y.\ (\texttt {taller}(x, y) \to \neg \texttt {taller}(y, x)) \]

Are the following legal \(\Sigma _H\)-formulas?

\( \exists x.\ \forall y.\ (\texttt {taller}(x, z) \land \texttt {taller}(y, w)) \)
\( \exists x.\ \forall z.\ \texttt {taller}(x, z) \land \texttt {taller}(\text {joe}, \text {tom}) \)

Solution.

December 2, 2025

Yes
No, there are no constants in the signature, so \text {joe} and \text {tom} are not valid terms.

Models of Theories

December 2, 2025

Definition. Structure & Model of \(T\) (FOT) [0035]

December 2, 2025

A structure which we denote as:

\[ M \triangleq \langle U, I \rangle \]

Is a model of a theory \(T\) (or \(T\)-model) iff:

\[ \forall A \in \mathcal A_T.\ M \vDash A \]

where:

\(U\) is the universe or more commonly the domain
\(I\) is the interpretation which assigns some meaning to our formula

Quiz. Models of \(T_H\) [0036]

December 2, 2025

consider a structure consisting of a universe \(U\) and interpretation \(I\) as follows:

\[ U = \{A, B\} \quad I = \{\texttt {taller} \mapsto \{\langle A, A\rangle , \langle B, B\rangle \}\} \]

Are the following models of the theory \(T\) or not:

Is \(\langle U, I\rangle \) a model of \(T\)
If we change the interpretation to \[ I = \{\texttt {taller} \mapsto \{\langle A, B\rangle \}\} \] is the structure now a model of \(T\)?
If we add the following axiom \[ \forall x, y, z.\ (\texttt {taller}(x, y) \land \texttt {taller}(y, z) \to \texttt {taller}(x, z)) \] and we change the interpretation to \[ I = \{\texttt {taller} \mapsto \{\langle A, B \rangle , \langle B, C \rangle \}\} \] then is the structure a model of \(T\)?

Solution.

December 2, 2025

As a reminder we are working with the axiom:

\[ \forall x, y.\ (\texttt {taller}(x, y) \to \neg \texttt {taller}(y, x)) \]

Clearly no, as if we take \(x = A\) and \(y = A\) we have that both \(\texttt {taller}(A, A)\) and \(\texttt {taller}(A, A)\) hold, violating the axiom.
Here we are chaning or interpretation to just the relation \(\texttt {taller}(A, B)\) holding. In this case the axiom is satisfied as there are no values of \(x\) and \(y\) such that both \(\texttt {taller}(x, y)\) and \(\texttt {taller}(y, x)\) hold. So yes this is a model of \(T\).
No, as if we take \(x = A\), \(y = B\) and \(z = C\) we have that both \(\texttt {taller}(A, B)\) and \(\texttt {taller}(B, C)\) hold, but \(\texttt {taller}(A, C)\) does not hold (so not in our interpretation for the \(\texttt {taller}\) relationship), violating the axiom.

Satisfiability Modulo \(T\)

December 2, 2025

Definition. Satisfiable & Valid modulo \(T\) [0037]

December 2, 2025

We say that a formula \(F\) is satisfiable modulo \(T\) iff there exists a \(T\)-model \(M\) and a variable assignment \(\sigma \) such that:

\[ M, \sigma \vDash F \]

We say that a formula \(F\) is valid modulo \(T\) iff forall \(T\)-models \(M\) and all variable assignments \(\sigma \) we have:

\[ M, \sigma \vDash F \]

Definition. FOL Validity vs Valid modulo \(T\) [0039]

December 2, 2025

We can compare the two notions by understanding validity in modulo \(T\) as a restriction of validity in FOL to only those models that are \(T\)-models. So the implication of that is that if a formula is valid (true in all models), then its clearly also valid in the subset/restriction to only \(T\)-models. However, the other way around does not hold, since a formula can be true in all \(T\)-models, but false in some non-\(T\)-model. Hence we have the following:

But the other way around does not hold in general:

Quiz. Satisfiability in FOL vs FOT [0038]

December 2, 2025

Consider some arbitrary first order theory \(T\)

If a formula is valid in FOL, then is it also valid in modulo \(T\)?
If a formula is valid modulo \(T\), then is it also valid in FOL?

Solution.

December 2, 2025

Yes, if its valid in FOL that means its valid in all models which includes those models that are \(T\)-models. Hence its also valid modulo \(T\).
No, a formula can be valid in all \(T\)-models, but false in some non-\(T\)-model. Hence its not necessarily valid in FOL.

Theory of Equality & Congruence

December 2, 2025

Definition. Theory of Equality \(T\) [003a]

December 2, 2025

The theory of equality \(T_=\) is a first order theory over the signature \(\Sigma _=\) which contains:

\[ \sigma _= : \{=, s\} \]

Where \(=\) is a binary relation symbol and \(s\) is any constant function or predicate symbol. The axioms of the theory of equality are:

Quiz. Theory of Equality [003b]

December 2, 2025

Consider the universe:

\[ U = \{\alpha , \beta \} \]

which of the following interpetations of \(=\) are allowd by the axioms of \(T_=\):

\(I(=) \triangleq \{\langle \alpha , \beta \rangle , \langle \beta \alpha \rangle \}\)
\(I(=) \triangleq \{\langle \alpha , \alpha \rangle , \langle \beta , \beta \rangle \}\)
\(I(=) \triangleq \{\langle \alpha , \alpha \rangle , \langle \alpha , \beta \rangle , \langle \beta , \alpha \rangle , \langle \beta , \beta \rangle \}\)

Solution.

December 2, 2025

No, violates reflexivity axiom since neither \(\alpha = \alpha \) nor \(\beta = \beta \) are in the interpretation
Yes, satisfies all axioms of equality
Yes, satisfies all axioms of equality

Definition. (Left & Right) Congruence Relations (FOT) [003c]

December 2, 2025

In the most general sense we say that a relation \(R\) over a set \(A\) is a congruence with respect to a function \(f : A^n \to A\) if for all \(a_1, \ldots , a_n, b_1, \ldots , b_n \in A\) such that \(a_i\ R\ b_i\) for all \(1 \leq i \leq n\) we have:

\[ f(a_1, \ldots , a_n)\ R\ f(b_1, \ldots , b_n) \]

if we denote \(\overline x\) as a vector of elements \(x_1, \ldots , x_n\) we can rewrite this more succinctly as:

\[ \forall \overline a, \overline b \in A^n.\ (\forall i.\ a_i\ R\ b_i) \to f(\overline a)\ R\ f(\overline b) \]

In the case of first order theories we can then instantiate \(R\) with things like equality or other relations defined in the theory. Additionally we can \(f\) represent a function or predicate symbol from the signature of the theory. In the case of binary functions or predicates we can also define left and right congruence as follows:

A relation \(R\) is a left congruence with respect to a binary function or predicate \(f : A \times A \to A\) if for all \(a, b, c \in A\) such that \(a\ R\ b\) we have:
A relation \(R\) is a right congruence with respect to a binary function or predicate \(f : A \times A \to A\) if for all \(a, b, c \in A\) such that \(a\ R\ b\) we have:

Quiz. Function & Predicate congruence [003d]

December 2, 2025

Consider the universe:

\[ U = \{a, b, c\} \]

and the interpretation:

\[ I(=) \triangleq \{\langle a, a \rangle , \langle a, b \rangle , \langle b, a \rangle , \langle b, b \rangle , \langle c, c \rangle \} \]

Does the interpetation \(I(=)\) satisfy the axioms of equality?
Which interpretations for a function \(f\) satisfy the axioms of congruence?
1. \(I(f) \triangleq \{b \to a, a \to c, c \to c\}\)
2. \(I(f) \triangleq \{b \to b, a \to b, c \to b\}\)
3. \(I(f) \triangleq \{b \to a, a \to b, c \to c\}\)

Solution.

December 2, 2025

Yes, the interpretation satisfies the axioms of equality
Going through them one by one:
1. No, because \(f(a) = c\) and \(f(b) = a\) but \(a\ I(=)\ b\) yet \(c\ not\ I(=)\ a\)
2. Yes, because \(f(a) = b\) and \(f(b) = b\) and \(a\ I(=)\ b\) thus \(b\ I(=)\ b\), similarly for \(c\)
3. Yes, because \(f(a) = b\) and \(f(b) = a\) and \(a\ I(=)\ b\) thus \(b\ I(=)\ a\), similarly for \(c\)

Theory of Peano Arithmetic

December 2, 2025

Definition. Theory of Peano Arithmetic [003e]

December 2, 2025

Peano Arithmetic (PA) is a first order theory over the signature \(\Sigma _{PA}\) which contains:

\[ \Sigma _{PA} : \{0, S, +, \times , =\} \]

Where \(0\) is a constant symbol representing zero, \(S\) is a unary function symbol representing the successor function, \(+\) and \(\times \) are binary function symbols representing addition and multiplication respectively, and \(=\) is a binary relation symbol representing equality. The axioms of Peano Arithmetic are:

Quiz. Theory of Peano Arithmetic [003f]

December 2, 2025

Are the following well-formed \(T_{\text {PA}} formulae?\)

\(x + y = 1 \land f(x) = 1 + 1\)
\(\forall x.\ \exists y.\ \exists z.\ x + y = 1\land z \times x = 1 + 1\)
\(2x = y\)

Solution.

December 2, 2025

No, the theory of Peano Arithmetic does not include function symbols like \(f\), nor does it include numerals like \(1\) or \(2\). All terms must be constructed using the constant symbol \(0\), the successor function \(S\), and the function symbols \(+\) and \(\times \).
Yes, this is a well-formed formula. It uses only the symbols and constructs allowed in the theory of Peano Arithmetic.
No, this is not a well-formed formula. The expression \(2x\) is not a valid term in Peano Arithmetic, as numerals like \(2\) are not part of the language. Terms must be built using \(0\), \(S\), \(+\), and \(\times \). A valid way to express the same idea would be \(S(S(0)) \times x = y\). Or if we replace \(S\) with \(1\) then we could do \((1 + 1) \times x = y\)

Theory of Rationals & Integers

December 2, 2025

Definition. Theory of Rationals \(T_{\mathbb {Q}}\) [003i]

December 2, 2025

The theory of rationals \(T_{\mathbb {Q}}\) is a first-order theory over the signature \(\Sigma _{\mathbb {Q}}\) which contains:

\[ \Sigma _{\mathbb {Q}} : \{0, 1, +, -, =, \geq \} \]

(Axioms ommitted for brevity.)

Some important properties of \(T_{\mathbb {Q}}\) are:

Full theory is decidable but doubly exponential.
Conjunctive quantifier-free fragment is efficiently decidable (polynomial time).
\(T_{\mathbb {Q}}\) is the basis for arithemtic reasoning in SMT solvers such as Z3.
In practice the simplex algorithm is used.

Definition. Theory of Presburger Arithmetic [003h]

December 2, 2025

Presburger Arithmetic (PA) is a first order theory over the signature \(\Sigma _{\mathbb {N}}\) which contains:

\[ \Sigma _{\mathbb {N}} : \{0, 1, +, =\} \]

Where \(0\) and \(1\) are constant symbols representing zero and one respectively, \(+\) is a binary function symbol representing addition, and \(=\) is a binary relation symbol representing equality. The axioms of Presburger Arithmetic are:

Some important properties of \(T_{\mathbb {N}} are\):

Validity in quantifer-free Presburger Arithmetic is decidable.
Validity in full Presburger Arithmetic is decidable.
Validity in Presburger Arithmetic has a super exponential complexity \(O(2^{2^n})\)
\(T_{\mathbb {N}}\) is complete, i.e. \[ \forall F.\ T_{\mathbb {N}} \models F \lor T_{\mathbb {N}} \models \neg F \]

Quiz. Theory of rationals \(T_{\mathbb {Q}}\) [003k]

December 2, 2025

Consider the following formula:

\[ \exists x.\ (1 + 1) x = 1 + 1 + 1 \]

Is this formula valid in \(T_{\mathbb {Q}}\)
Is this formula valid in \(T_{\mathbb {Z}}\)

Solution.

December 2, 2025

Yes, this formula is valid in \(T_{\mathbb {Q}}\). In the theory of rationals, we can find a rational number \(x = \frac {3}{2}\) that satisfies the equation \((1 + 1) x = 1 + 1 + 1\). Therefore, there exists an \(x\) in the rationals that makes the equation true.
No, this formula is not valid in \(T_{\mathbb {Z}}\). In the theory of integers, there is no integer \(x\) that satisfies the equation \((1 + 1) x = 1 + 1 + 1\), since \(\frac {3}{2}\) is not an integer. Thus, there does not exist an integer \(x\) that makes the equation true.

Theory of Data structures

December 2, 2025

Definition. Theory of Arrays [003l]

December 2, 2025

The theory of arrays is a first-order theory that models arrays as functions from indices to values. Its signature includes:

\[ \Sigma _A \triangleq \{- [ - ], \langle - \triangleleft - \rangle , =\} \]

where:

\(-[ - ]\): read operation, which takes an array and an index and returns the value at that index.
\(\langle - \triangleleft - \rangle \): write operation, which takes an array, an index, and a value, and returns a new array with the value at the specified index updated.
\(=\): equality relation, which checks if two arrays are identical.

The axioms of the theory of arrays are:

Quiz. Theory of arrays \(T_A\) [003m]

December 2, 2025

Which of the following formula is valid/satisfiable/unsatisfiable ?

\(a[3] = 2\)
\(a \langle 3 \triangleleft 5 \rangle [3] = 5\)
\(a \langle 3 \triangleleft 5 \rangle [3] = 3\)
\(a[3] = 2\land a \langle 3 \triangleleft 5 \rangle [3] = 5\)

Solution.

December 2, 2025

This formula is satisfiable. For example, if we have an array \(a\) such that \(a[3] = 2\), then the formula holds true.
This formula is valid. According to the Read-Over-Write axiom, when we write a value to an index in an array and then read from that same index, we get the value we just wrote. So regardless of the initial contents of array \(a\), after performing the write operation \(a \langle 3 \triangleleft 5 \rangle \), reading from index \(3\) will always yield \(5\) hence making it always true (valid).
This formula is unsatisfiable. According to the Read-Over-Write axiom, when we write a value to an index in an array and then read from that same index, we get the value we just wrote. Therefore, after performing the write operation \(a \langle 3 \triangleleft 5 \rangle \), reading from index \(3\) will always yield \(5\), making it impossible for it to equal \(3\).
This formula is satisfiable. For example, if we have an array \(a\) such that \(a[3] = 2\), then after performing the write operation \(a \langle 3 \triangleleft 5 \rangle \), reading from index \(3\) will yield \(5\). Thus, both parts of the conjunction can be true simultaneously though are not valid in all interpretations.

VU-VFS-2025. Lecture 5 - Nano and Hoare Logic [003n]

December 2, 2025

Semantics and Evaluation

December 2, 2025

Definition. Simple Imperative Language - Syntax [003t]

December 4, 2025

We define the syntax of a simple imperative programming language, using the followng bnf grammar:

Definition. Simple Imperative Language - Semantics [003u]

December 4, 2025

We can divide the environmental big-step semantics of our simple language into three parts:

Expression evaluation: Describes how arithmetic expressions are evaluated to numbers.
Boolean expression evaluation: Describes how boolean expressions are evaluated to boolean values (true/false).
Statement execution: Describes how statements are executed, transforming an initial state (environment) into a final state.

The general big-step environmental evalutation rule is denoted as:

\[ \langle t, \sigma \rangle \Downarrow v \]

Here:

We have some starting term \(\texttt {t}\) (which can be an expression, boolean expression, or statement), along with some state \(\sigma \).
The evaluation results in some value \(\texttt {v}\) (which can be a number, boolean value, or new state).

A quick aside here to deconstruct the term big-step environmental evaluation:

We say that this evaluation is big-step as it assumes some arbitrary state of intermediate steps, meaning that within big step semantics we do not care about intermediate computation only about some input expression and the final output value. A simple analogue to make here is that big-step semantics are akin to a teacher asking you to only show ur final answer to a math problem rather than all the steps you took to get there.
We say that this evaluation is environmental (as opposed to being substitution based) as we explicitly keep track of a state \(\sigma \) which maps variables to their values. This is in contrast to substitution based semantics where variable occurrences are replaced directly with their values in expressions.

The state \(\sigma : \texttt {String} \to \mathbb {Z}\) represents a mapping from variables (commonly strings) to their corresponding values (numbers). We denote the updated state after assigning a value to a variable \(\texttt {x}\) as:

\[ \sigma [x \mapsto n] \]

This means that in the new state, the variable \(\texttt {x}\) now maps to the number \(\texttt {n}\), while all other variable mappings remain unchanged from the original state \(\sigma \).

Expression evaluation

December 4, 2025

Boolean expression evaluation

December 4, 2025

Statement evaluation

December 4, 2025

Quiz. Simple Imperative Language - Evaluation [003v]

December 4, 2025

What does the following evaluate to? \[ \langle (x := x - 1), \sigma [x \mapsto 2] \rangle \]
What does the following evaluate to? \[ \langle \texttt {if } x + 1 \leq 3 \texttt { then } x := x - 1, \sigma [x \mapsto 1] \rangle \]
What does the following evaluate to? \[ \langle \texttt {while } (x + 1 \leq 3) \texttt { then } x := x - 1, \sigma [x \mapsto 1] \rangle \]
Is the following a total function? \[ \langle e, \sigma \rangle \Downarrow n \]
Is the following a total function? \[ \langle s, \sigma \rangle \Downarrow \sigma ' \]

Solution.

December 4, 2025

Starting in the state \(x \mapsto 2\) we evaluate \(x := x - 1\) to the state \(x \mapsto 1\)
Starting in the state \(x \mapsto 1\), we first evaluate the condition \(x + 1 \leq 3\): \[ \begin {align*} \langle x + 1, \sigma [x \mapsto 1] \rangle &\Downarrow 2 \\ \langle 3, \sigma [x \mapsto 1] \rangle &\Downarrow 3 \\ \langle 2 \leq 3, \sigma [x \mapsto 1] \rangle &\Downarrow \texttt {true} \end {align*} \] Since the condition evaluates to true, we then evaluate the then-branch \(x := x - 1\): \[ \begin {align*} \langle x - 1, \sigma [x \mapsto 1] \rangle &\Downarrow 0 \\ \langle x := 0, \sigma [x \mapsto 1] \rangle &\Downarrow \sigma [x \mapsto 0] \end {align*} \]
We again start by evaluating the condition \[ \begin {align*} \langle x + 1, \sigma [x \mapsto 1] \rangle &\Downarrow 2 \\ \langle 3, \sigma [x \mapsto 1] \rangle &\Downarrow 3 \\ \langle 2 \leq 3, \sigma [x \mapsto 1] \rangle &\Downarrow \texttt {true} \end {align*} \] Since we can see that the body of the loop only decreases \(x\), we are stuck in an infinite loop: \[ \begin {align*} \langle x := x - 1, \sigma [x \mapsto 1] \rangle &\Downarrow \sigma [x \mapsto 0] \\ \langle \texttt {while } (x + 1 \leq 3) \texttt { do } x := x - 1, \sigma [x \mapsto 0] \rangle &\Downarrow \sigma [x \mapsto -1] \\ \langle \texttt {while } (x + 1 \leq 3) \texttt { do } x := x - 1, \sigma [x \mapsto -1] \rangle &\Downarrow \sigma [x \mapsto -2] \\ &\vdots \end {align*} \]
Yes, for every expression \(e\) and state \(\sigma \), there exists a number \(n\) such that \[ \langle e, \sigma \rangle \Downarrow n \] This follows from the fact that expressions are finite syntax trees built from a finite set of rules, and each rule can be evaluated in a finite number of steps.
No, there exist statements \(s\) and states \(\sigma \) for which there is no resulting state \(\sigma '\) such that \[ \langle s, \sigma \rangle \Downarrow \sigma ' \] For example, consider the while-loop \[ \texttt {while } (x + 1 \leq 3) \texttt { do } x := x - 1 \] starting from the state \(\sigma [x \mapsto 1]\). As shown in the previous question, this loop does not terminate, and thus there is no resulting state \(\sigma '\).

Hoare Logic

December 2, 2025

Definition. Hoare triple - partial correctness [003x]

December 5, 2025

The basic unit of reasoning or judgement of the partial correctness of a program is the Hoare triple denoted as:

\[ \{P\}\ s\ \{Q\} \]

where:

\(P\) represents the precondition which must hold true before the execution of the statement \(s\).
\(Q\) represents the postcondition which must hold true after the execution of the statement \(s\), provided that \(P\) was true before execution.

If we consider a variable state \(\sigma : \texttt {String} \to \mathbb {Z}\) mapping variable names to integer values, then we can define the partial correctness condition of a Hoare triple as follows:

\[ \sigma \vDash P \to \exists \sigma '.\ \langle s, \sigma \rangle \Downarrow \sigma ' \to \sigma ' \vDash Q \]

What this says is that: if the precondition \(P\) holds in the initial state \(\sigma \), and if executing the statement \(s\) from that state leads to a new state \(\sigma '\), then the postcondition \(Q\) must hold in the new state \(\sigma '\).

In a more programmatic sense we can understand the pre and postconditions as assertions on the memory state \(\sigma \), in other words they represent a function \(A : (\texttt {String} \to \mathbb {Z}) \to \texttt {Prop}\) that evaluates to true or false based on the values of the variables in the state. Thus, we can rewrite the Hoare triple condition as:

\[ P(\sigma ) \to \exists \sigma '.\ \langle s, \sigma \rangle \Downarrow \sigma ' \to Q(\sigma ') \]

Or in lean equivalently as:


  abbrev Condition := Memory -> Prop

  def HoareTriple {P Q : Condition} (c : Stmt) : Prop :=
    ∀ σ σ', P σ → (c, σ) ⇓ₛ σ' → Q σ'

A note here is that we are using some custom notation for the big-step semantics relation. The notation \(\Downarrow _s\) here simply means the big step evaluation relation for statements.

In general for a Hoare triple we denote its validity as:

\[ \vDash \{P\}\ s\ \{Q\} \]

Quiz. Hoare triple evaluation [003y]

December 5, 2025

Asses the validity of each of the following Hoare triples.

\(\{x = 0 \}\ x := x + 1\ \{x = 1\}\)
\(\{x = 0 \land y = 1\}\ x := x + 1\ \{x = 1 \land y = 2\}\)
\(\{x = 0 \land y = 1\}\ x := x + 1 \{x = 1 \lor y = 2\}\)
\(\{x = 0\}\ \texttt {while}\ \top \ \texttt {do}\ x := x + 1\ \{x = 1\}\)

Solution.

December 5, 2025

Valid. If \(x = 0\) before execution, then after executing \(x := x + 1\), \(x\) will be \(1\).
Invalid. While \(x\) will be \(1\) after execution, \(y\) remains \(1\), so the post-condition \(y = 2\) does not hold.
Valid. After execution, \(x\) will be \(1\), satisfying the post-condition \(x = 1 \lor y = 2\).
Valid. The loop runs indefinitely, so the post-condition is vacuously true as the program never terminates.

Partial vs Total correctness

December 2, 2025

Definition. Hoare triple - total correctness [003z]

December 5, 2025

The classical hoare triple \(\{P\}\ s\ \{Q\}\) only captures the notion of partial correctness, meaning that if the program terminates, then the postcondition \(Q\) holds given that the precondition \(P\) held before execution. However, it does not guarantee that the program will terminate. To capture both correctness and termination, we define the total correctness Hoare triple denoted as:

\[ [P]\ s\ [Q] \]

The total correctness Hoare triple asserts that:

\[ \sigma \vDash P \to \exists \sigma '.\ \langle s, \sigma \rangle \Downarrow \sigma ' \land \sigma ' \vDash Q \]

Or equivalently viewing the conditions as assertions on memory states:

\[ P(\sigma ) \to \exists \sigma '.\ \langle s, \sigma \rangle \Downarrow \sigma ' \land Q(\sigma ') \]

The central difference we can observe here is with the usage of a conjunction with the postcondition as opposed to an implication. This means that for total correctness, if the precondition \(P\) holds in the initial state \(\sigma \), then there must exist a final state \(\sigma '\) such that executing the statement \(s\) from \(\sigma \) leads to \(\sigma '\) and the postcondition \(Q\) holds in that final state. Whereas in the case of partial correctness, if we had non-termination, the postcondition could be vacuously true.

For the sake of completeness let's also show how we might implement this in lean:


  def TotalHoareTriple {P Q : Condition} (c : Stmt) : Prop :=
    ∀ σ, P σ → ∃ σ', (c, σ) ⇓ₛ σ' ∧ Q σ'

Quiz. Understanding hoare triples [0040]

December 5, 2025

What does \(\{\top \}\ s\ \{Q\}\) express?
What about \(\{P\}\ s\ \{\top \}\)?
What about \([P]\ s\ [\top ]\)?
When does \(\{\top \}\ s\ \{\bot \}\) hold?
When does \(\{\bot \}\ s\ \{Q\}\) hold?

Solution.

December 5, 2025

It states that no matter the initial state, if the program \(s\) terminates, then the postcondition \(Q\) will hold. In other words, all terminating states end up in or satisfy \(Q\).
It states that if the precondition \(P\) holds before execution of \(s\), then after execution (if it terminates), the postcondition will always be true. Since \(\top \) is always true, this Hoare triple is valid for any program \(s\) and precondition \(P\).
Since this is a total correctness Hoare triple, it states that if the precondition \(P\) holds before execution of \(s\), then the program \(s\) will always terminate, regardless of the final state. The postcondition \(\top \) is trivially satisfied since it is always true. In other words we terminate on all states satisfying \(P\).
This Hoare triple holds if and only if the program \(s\) never terminates for any initial state. Since the postcondition is \(\bot \), which is always false, the only way for the Hoare triple to be valid is if there are no terminating executions of \(s\).
This Hoare triple holds for any program \(s\) and postcondition \(Q\), because the precondition \(\bot \) is always false. Since there are no initial states that satisfy \(\bot \), the implication in the definition of the Hoare triple is vacuously true.

Inference rules

December 2, 2025

Definition. Inference Rule Schema - Hoare logic [0043]

December 5, 2025

To denote the idea of syntactic consequence / inference within Hoare logic we use the notation:

Which says that if we can derive the hoare triple \(\{P\}\ s_1\ \{Q\}\) and so on up to \(\{Q\}\ s_n\ \{R\}\) using the inference rules of Hoare logic, then we can derive the hoare triple \(\{P\}\ s\ \{R\}\).

Inference rules without any hypotheses are considered base cases.

Quiz. Hoare logic - assignment proof rule [0045]

December 5, 2025

Consider the assignment \(x := y\) and the postcondition \(x > 2\). What needs to hold before the assignment such that \(x > 2\) holds afterwards?
Consider \(i := i + 1\) and post-condition \(i > 10\). What do we need to know before the assignment such that i > 10 holds afterwards?

Solution.

December 5, 2025

Let's write this out first as a hoare triple: \(\{?\}\ x := y\ \{x > 2\}\). Without even looking at the assignment rule it should be obvious that if we want \(x > 2\) to hold after the assignment, then before the assignment we need \(y > 2\), since after the assignment \(x\) will take the value of \(y\). So the hoare triple is valid when we have: \(\{y > 2\}\ x := y\ \{x > 2\}\).
Similarly we write the hoare triple: \(\{?\}\ i := i + 1\ \{i > 10\}\). To ensure that \(i > 10\) holds after the assignment, we need to consider what value of \(i\) before the assignment will lead to \(i > 10\) afterwards. Since we are incrementing \(i\) by 1, we need \(i + 1 > 10\) before the assignment, so our hoare triple becomes \(\{i + 1 > 10\}\ i := i + 1 \{i > 10\}\).

Definition. Hoare triple inference rules - Nano language [0044]

December 5, 2025

The basic inference rules for the Hoare logic applied to the Nano language are as follows:

Quiz. A hypothetical proof rule [0046]

December 6, 2025

A friend suggests the following proof rule for assignments:

\[ \vdash \{(x = e) \to Q\}\ x := e\ \{Q\} \]

Is the proof rule correct?

Solution.

December 6, 2025

Now let's test out the rule on a particular hoare triple:

\[ \{?\}\ x := 4\ \{y = x\} \]

To make the hoare triple valid we would have to use the following precondition:

\[ \vdash \{(x = 4) \to y = x\}\ x := 4\ \{y = x\} \]

but let's now assume the following initial state:

\[ \sigma _1 = \{x \mapsto 3, y \mapsto 1\} \]

this does correctly entail our precondition, i.e. we have \(\sigma _1 \vDash P\) as necessary by virtue of vacous truth, then executing the statement we have:

\[ \langle x := 4, \sigma _1 \rangle \Downarrow \sigma _2 \]

In the new context clearly \(x\) is reassigned to 4, thus:

\[ \sigma _2 = \{x \mapsto 4, y \mapsto 1\} \]

But we can see that clearly \(\sigma _2\) violates our postcondition \(Q\), which is to say, \(\sigma _2 \nvDash (y = x)\). The implication of this is that while the hoare triple is derivable it is not then necessarily also valid, in words this proof rule is unsound.

For completeness let's also provide a proof of soundness. As a reminder soundness states that:

If a hoare triple is derivable using the inference rules of our system, then it is valid (i.e. true in all interpretations.)

Formally we express this as:

\[ \vdash \{P\}\ s\ \{Q\} \to \vDash \{P\}\ s\ \{Q\} \]

If we instantiate this rule for our hypothetical assignment rule we must demonstrate the following:

\[ \forall \sigma .\ \sigma \vDash (x = e) \to Q \land \exists \sigma '.\ \langle (x := e), \sigma \rangle \Downarrow \sigma ' \to \sigma ' \vDash Q \]

Proof.

December 6, 2025

Let \(\sigma \) be the initial state before the assignment \(x := e\). We must show that if \(\sigma \vDash (x = e) \to Q\), then, after executing \(x := e\), the resulting state \(\sigma '\) satisfies \(\sigma ' \vDash Q\) (i.e. is valid for the assertions in the postcondition).

Before the assignment we have \(\sigma \vDash (x = e) \to Q\), in other words this means that: \[ \sigma (x) = \sigma (e) \to \sigma \vDash Q \] so if the variable \(x\) in the initial state evaluates to the same thing as some expression \(e\) then our post postcondition is valid for this state.
After the assignment we have a new state \(\sigma '\) defined as: \[ \sigma '(x) = \sigma (e) \] with everything else being unchanged, which is to say that \[ \forall y.\ y\ \mathrlap {\,/}{=}\ x \land \sigma '(y) = \sigma (y) \]
Now we want to check if \(\sigma ' \vDash Q\) as desired, we proceed by a case analysis on the equality \(\sigma '(x) = \sigma (e)\)
- Case: \(\sigma (e) = \sigma (x)\), then by the precondition we have \(\sigma \vDash Q\). Since \(\sigma '\) only changes the value of \(x\) to \(\sigma (e)\), and \(Q\) is satisfied by the initial state \(\sigma \) it follows that \(\sigma ' \vDash Q\).
- Case: \(\sigma (e) \ \mathrlap {\,/}{=}\ \sigma (x)\), then our precondition becomes vacuously true as the antecedent is false. However, as the assignment does terminate we do need to ensure that \(Q\) holds in the new state \(\sigma '\). However, since \(Q\) can be arbitrary we cannot guarantee that \(\sigma ' \vDash Q\).

Let's link the proof of soundness back to the example, so in our inital state \(\sigma _1\) we have that:

\[ \sigma (x) \ \mathrlap {\,/}{=}\ \sigma (y) \equiv 3 \ \mathrlap {\,/}{=}\ 4 \]

Since this means that the equality \(x = 4\) is false we have that implication so the precondition \(P\) is true. This corresponds precisely to the second case where \(\sigma (e) \ \mathrlap {\,/}{=}\ \sigma (x)\). The issue we can then see which naturally follows is that in the new state clearly its the case that:

\[ \sigma _2 = \{x \mapsto 4, y \mapsto 1\} \nvDash (x = y) \]

In other words we had the case where our precondition was vacuously true thus erroneously implying upon termination the arbitrary \(y = x\) must also hold. Clearly then this proof rule is incorrect as in the case of a vacuous truth we are able to generate unsound hoare triples.

To compare this with the correct assignment rule we have:

\[ \vdash \{P[x \mapsto e]\}\ x := e\ \{P\} \]

we can notice here that by removing the consequent of the logical implication we ensure that if the assertion of x being substituted / being equal to the expression e before the execution of the statement doesn't hold, then it correctly means that we indeed cannot suggest that after an assignment our assertion \(P\) is somehow correct.

Quiz. Assessing provability [0047]

December 6, 2025

Using the correct proof rule for assignments, asses which of the hoare triples are provable i.e. valid.

\(\{y = 4\}\ x:= 4\ \{y = x\}\)
\(\{x + 1 = n\}\ x := x + 1\ \{x = n\}\)
\(\{y = x\}\ y := 2\ \{y = x\}\)
\(\{z = 3\}\ y := x\ \{z = 3\}\)

Solution.

December 6, 2025

Yes, since we have that for any state \(\sigma \) the substitution \[ (y = x)[x \mapsto 4] \] holds, thus our precondition holds and upon termination of the assignment clearly our postcondition then holds as well.
Yes, again we that our post condition says \(x = n\) so \((x = n)[ n \mapsto (x + 1)]\) holds as our precondition is then \[ (x + 1 = n)[n \mapsto (x + 1)] = (x + 1 = x + 1) \]
No, again using our reasoning we have \[ (y = x)[y \mapsto 2] = 2 = x \] but then if we have \(\sigma = \{ x \mapsto 3\}\) we can generate \[ \sigma \nvDash (2 = x) \equiv (2 = 3) \]
Yes, this is just correct by definition of a substitution leaving irrelevant variables unaffected.

Consequence

December 2, 2025

Definition. Precond. Strengthening & Postcond. Weakening [0048]

December 6, 2025

As a reminder in hoare logic we denote the consequence rule as follows:

On a high level this is quite evidently just transitivity, which is to say that if some assertion \(P'\) holds and by implication \(P\) holds, and upon successful termination of \(s\) we have that \(Q\) holds and by implication \(Q'\) holds, then we can transitively reason that \(\{P'\}\ s\ \{Q'\}\) would also hold for our program \(s\).

What we can do here is decompose this rule into two separate rules:

Precondition strengthening

December 6, 2025

The idea of strengthening here comes from the fact that the rhs of an implication always at least denotes a more restrictive or strengthened condition on the memory state \(\sigma \). So a basic example being clearly:

\[ x > 3 \to x > 2 \]

So if we have that:

\[ \sigma \vDash (x > 3) \to (x > 2) \\ \vdash \{x > 2\}\ s\ \{Q\} \]

Which is to say that our hoare triple is derivable under the weaker precondition \(x > 2\), then clearly the same hoare triple is also derivable under the stronger pre-condition \(x > 3\) as it implies our weaker condition, hence we can derive:

\[ \vdash \{x > 3\}\ s\ \{Q\} \]

An example program we could take here would be something like:

\[ \{x > 2\}\ \texttt {if}\ (x > 2)\ \texttt {then}\ y := 2 \texttt {else}\ y := 3\ \{y := 2\} \]

Clearly here the condition just requires that \(x\) is larger than 2, if our precondition asserts that its larger than 3, the \(\texttt {then}\) branch executes just the same and our postcondition holds.

Postcondition weakening

December 6, 2025

On a high level this says that if we can prove some postcondition \(Q'\), we can always relax this condition to something weaker. So in simpler terms if we have the fact that the postcondition \(Q'\) holds for some more restrictive state, then we can naturally lessen the restrictions and have it still hold.

Quiz. Postcondition Weakening examples [0049]

December 6, 2025

Suppose we can prove:

\[ \{\top \}\ s\ \{x = y \land z = 2\} \]

using the rule of post-condition weakening, which of the following can we prove?

\(\{\top \}\ s\ \{x = y\}\)
\(\{\top \}\ s \ \{z = 2\}\)
\(\{\top \}\ s\ \{z > 2\}\)
\(\{\top \}\ s\ \{\forall y.\ x = y\}\)
\(\{\top \}\ s\ \{\exists y.\ x = y\}\)

Solution.

December 6, 2025

Yes, this is provable, removing a conjunct is a common way of weakening an expresison as we are removing one condition.
Yes, this is provable, same reasoning as in (1)
This is also provable, more or less same reasoning as before, here we are using the fact that \[ z = 2 \to z > 0 \] since obviously \(2 > 0\)
No, this is not provable, while removing a conjunct does weaken our postcondition, if we then also quantify over all \(y\) we make an assertion which is stronger then what the conjunct says, i.e. that \(x = y\) for a specific \(y\), hence this is not provable.
Yes, this is provable. We have the fact that \[ a = b \equiv \exists a = b \] so clearly this is the same as what we did for (1) just with no desugaring of existential syntax

VU-VFS-2025. Lecture 6 - Hoare logic & Weakest preconditions [004a]

December 6, 2025

Loops & Invariants

December 6, 2025

Quiz. Checking valid invariants [004c]

December 6, 2025

Consider the following code:


  i = 0;
  j = 0;
  n = 10;
  while i < n do 
    i = i + 1;
    j = i + j

Which of the following is a loop invariant?

\(i \leq n\)
\(i < n\)
\(j \geq n\)

Solution.

December 6, 2025

Before the loop \(i = 0\) and \(n = 10\), since that means \(i \leq n\) is true we move on to checking it holds true after each loop iteration. What we can observe is that the loop condition is \(i < n\) and during the loop we have \(i = i + 1\), what this suggests is that clearly during the iteratons the invariant holds, additionally when \(i = 10\) we have that \(10 < 0 \to \bot \) hence the invariant also holds upon the termination of the loop, i.e. after the final iteration, thus it's indeed a valid loop invariant.
No, this is not a valid invariant, we can see that its very close to being right, but it doesnt account for the case after the final iteration and before we check the loop condition, i.e. where \(i = 10\), hence its not a valid loop invariant because it does not hold true after each iteration.
No, this is quite easy to see as it immediately fails even before we get into the loop as \(0 \geq 10 \to \bot \).

Quiz. Proving validity with invariants [004d]

December 6, 2025

Let's consider the statement \(W\):


  while x < n do 
    x = x + 1

Answer the following questions:

Prove the validity of \[ \vdash \{x \leq n\}\ W\ \{x \geq n\} \] using the loop invariant \(I = x \leq n\)
Would \(\top \) also have worked as a loop invariant?
If we changed the post condition to \(x = n\), what would that have changed?

Solution.

December 6, 2025

As the usual piece of little assistance let's take a look at the while rule

Here we can try to construct the proof tree first of all, instantiating our rule with the given invariant we have: Using the assignment rule we then want to prove the antecident here, so instantiating this with or postcondition \(Q\) we have in other words our precondition becomes \[ (x + 1) \leq n \] Therefore the use the assignment rule we want we have to demonstrate \[ (x \leq n \land x < n \to (x + 1) \leq n) \] since we have that \[ x \leq n \land x < n \equiv x < n \to (x + 1) \leq n \] we clearly have that
Yes, let's again instantiate our rule since our postcondition for the assignmnet is a tautology, i.e. always valid, it will hold under substitution thus making the assignment trivially valid hence working as a correct loop invariant.
Something we could observe in question (1) is that so this is a bit of a trick question in that with question 1 we are actually just using a postcondition weaking on this postcondition, hence this is naturally a valid postcondition.

Definition. Invariant [004f]

December 7, 2025

In the most straightforward sense we say that an invariant is simply:

A property that holds at all reachable states of the program

Formally we can say if \(P\) denotes our property and \(\mathcal R\) denotes our set of reachable states then we can say that \(P\) is an invariant if:

\[ \forall \sigma , \sigma \in \mathcal R \to P(\sigma ) \]

An important thing to note here is that an invariant by itself does not need to be checkable or syntactic in any sense, there are no requirements that \(P\) must imply after each step. The distinction here is important because we can have something be an invariant though be insufficient as a proof rule.

Definition. Inductive Invariant [004e]

December 6, 2025

An inductive invariant is a regular invariant, which is to say that it:

is a property which holds at all reachable states of the program

But it has the additional constraint that it must be closed under the transition relation. In other words if it holds before a step, it must also hold after the step. Formally we say that a property \(P\) represents an inductive invariant if:

As a base case it holds at program initialization \[ \texttt {init} \to P \]
In the inductive step we have \[ P(\sigma ) \land (S, \sigma ) \to \sigma ' \to P(\sigma ') \] in plain English: If the property holds on the state \(\sigma \) and after the small step evaluation \(S\) we land in a new state \(\sigma '\) then the property also holds in the new state \(\sigma '\).

If both of the conditions hold then we we automatically have that:

\[ \sigma \in \mathcal R.\ P(\sigma ) \]

Which is to say that these conditions imply an inductive invariant is also an invariant. The prime example where we can see this is in the case of the while loop for hoare logic:

Here the invariant is represented by the assertion \(I\) on the memory state. What this rule says is that:

If the assertion \(I\) and the loop guard \(b\) hold, and upon termination of \(s\) we have that \(I\) holds.
Then we can lift the invariant out of the loop and say that it must hold for all loop iterations and upon termination of the loop we clearly have that our loop guard must be false and our invariant should still hold.

This corresponds precisely to the notion of an inductive invariant as if we can demonstrate it holding for the execution and termination of a single statement - the base case - then we can derive the inductive case where it holds for all iterations.

Quiz. Finding inductive invariants [004g]

December 7, 2025

Consider the following statement \(W\):


  while x < n do
    x := y;
    y := x + 1

Say that we wanted to prove the following Hoare triple:

\[ \{x = 0 \land y = 1\}\ W\ \{x \geq 0\} \]

What is an inductive invariant \(I\) which allows us to prove the triple?

Solution.

December 7, 2025

For reference lets pull up the while rule again:

One not entirely unreasonable albiet simple choice is to try out the post condition \(x \geq 0\), its not too uncommon that a valid postcondition - or more often a variant of it - are in fact valid loop invariants. Testing this out it means we would have to prove the body:

\[ \vdash \{x \geq 0 \land x < n\}\ x := y; y := x + 1\ \{x \geq 0\} \]

To see if this is inductive we can try and find a counterexample to demonstrate its not, and indeed we can see that \(\sigma = \{y \mapsto -1000, x \mapsto 1, n \mapsto 2 \}\) would mean that \(P(\sigma )\) would hold, and we could indeed step to a state \(\sigma '\) though clearly we have that:

\[ \sigma ' \ \mathrlap {\,/}{\vDash }\ (x \geq 0)[x \mapsto -1000] \]

Since we can see here that the unconstrained \(y\) is causing is issues lets go with:

\[ I \triangleq x \geq 0 \land y = x + 1 \]

Since this ensures that \(y\) is correctly related to \(x\) it means that we indeed have that \[ \sigma \vDash I (x := y; y := x + 1, \sigma ) \to \sigma ' \to \sigma ' \vDash I \] as desired

Arrays & Invariants

December 6, 2025

Definition. Theory of Arrays [003l]

December 2, 2025

The theory of arrays is a first-order theory that models arrays as functions from indices to values. Its signature includes:

\[ \Sigma _A \triangleq \{- [ - ], \langle - \triangleleft - \rangle , =\} \]

where:

\(-[ - ]\): read operation, which takes an array and an index and returns the value at that index.
\(\langle - \triangleleft - \rangle \): write operation, which takes an array, an index, and a value, and returns a new array with the value at the specified index updated.
\(=\): equality relation, which checks if two arrays are identical.

The axioms of the theory of arrays are:

Quiz. A hypothetical array inference rule [004i]

December 7, 2025

Say we want to add arrays to our programming language, and we come up with the following inference rule to reason about assignments:

Is this rule correct?

Solution.

December 7, 2025

There are a few ways we can answer this, starting in with the most pedantic let's construct the proof tree and then see if we can come up with a counter example, we consider the following hoare triple:

\[ \{i = 1\}\ a[i] := 3; a[1] := 2\ \{a[i] = 3\} \]

By the sequence and precondition strengthening rule we have that

Of note here we are deriving \(i = 1\) through the following implications:

\[ Q[a[i] \mapsto 3] \equiv (a[i] = 3)[a[i] \mapsto 3] \equiv (3 = 3) \equiv \top \]

Where we know that \(i = 1 \to \top \) so we can use precondition strengthening to use \(i = 1\) as our precondition since it implies something we've already syntactically demonstrated to be provable.

Clearly we have that the first assignment in the sequence holds by the naive assignment, same for the second assignment \(a[1] = 2\) since it precondition reduces to the tautology \(\top \), so the final rule is then derivable. But we can obviously see that it erroneously assumes that \(i\) represents some kind of distinct index but, we can see that in the second assignment its aliased by the constant index \(1\) which means that while we can derive the rule it is not semantically valid hence unsound.

To compare this with the correct rule we have that:

Now again let's try to derive the hoare triple we want to prove correct:

To derive we want to find some assertion \(R\), applying the correct assignment rule to the second assignment we define \(R\) as.

\[ R \equiv (a[i] := 3)[a \mapsto a \langle 1 \lhd 2 \rangle ] \]

we can think of this as defining the function:

\[ a'(j) = \begin {cases} 2 & \texttt {if}\ j = 1 \\ a(j) & \text {otherwise} \end {cases} \]

we can then do a case split on the equality \(i = 1\) using our defined function

If \(i = 1\) then we have \[ a'[i] = a[1] = 2 \to a'[i] = 3 \equiv 2 = 3 \equiv \bot \]
If \(i \ \mathrlap {\,/}{=}\ 1\) we have \[ a'[i] = a[i] \to a'[i] = 3 \equiv a[i] = 3 \]

Since it clearly must be the case that \(i \ \mathrlap {\,/}{=}\ 1\) it implies that our assertion \(R\) is equivalent to:

\[ R \equiv (i \ \mathrlap {\,/}{=}\ 1\land a[i] = 3) \]

Now testing this rule on the first hoare triple:

\[ \{i = 1\}\ a[i] := 3\ \{i \ \mathrlap {\,/}{=}\ 1\land a[i] = 3\} \]

By the assignment rule we must somehow be able to derive \(i = 1\) from the following:

\[ R[a \mapsto a \langle i \lhd 3 \rangle ] \]

substituting in our \(R\) we get

\[ (i \ \mathrlap {\,/}{=}\ 1\land a[i] = 3)[a \mapsto a \langle i \lhd 3 \rangle ] \]

after a reduction we have

\[ (i \ \mathrlap {\,/}{=}\ 1 \land \underbrace {(a \langle i \lhd 3 \rangle [i] = 3)}_{\top }) \]

simplifying this we get

\[ (i \ \mathrlap {\,/}{=}\ 1) \]

Which is where the crux of our issue lies, the precondition of our Hoare triple was \(i = 1\), but clearly here to derive our sequence of assignments we must have that i is not 1, hence this hoare triple is not derivable as its also clearly not valid.

A simpler approach at establishing the same idea is by just directly working backwards

\[ \begin {align} a \langle 1 \lhd 2 \rangle [i] & = 3 \\ a \langle i \lhd 3 \rangle \langle 1 \lhd 2 \rangle [i] & = 3 \end {align} \]

so first we substitute \(a\) for the assignment \(a[1] := 2\), then we update it for the assignment \(a[i] := 3\), then our precondition would imply that:

\[ i = 1 \to a \langle i \lhd 3 \rangle \langle 1 \lhd 2 \rangle [i] = 3 \]

We indeed cannot derive the triple with the precondition, as it should be trivially apparent that if \(i = 1\) after overwriting with \(a[1] = 2\) we clearly cannot have \(a[1] = 3\).

Quiz. Theory of arrays \(T_A\) [003m]

December 2, 2025

Which of the following formula is valid/satisfiable/unsatisfiable ?

\(a[3] = 2\)
\(a \langle 3 \triangleleft 5 \rangle [3] = 5\)
\(a \langle 3 \triangleleft 5 \rangle [3] = 3\)
\(a[3] = 2\land a \langle 3 \triangleleft 5 \rangle [3] = 5\)

Solution.

December 2, 2025

This formula is satisfiable. For example, if we have an array \(a\) such that \(a[3] = 2\), then the formula holds true.
This formula is valid. According to the Read-Over-Write axiom, when we write a value to an index in an array and then read from that same index, we get the value we just wrote. So regardless of the initial contents of array \(a\), after performing the write operation \(a \langle 3 \triangleleft 5 \rangle \), reading from index \(3\) will always yield \(5\) hence making it always true (valid).
This formula is unsatisfiable. According to the Read-Over-Write axiom, when we write a value to an index in an array and then read from that same index, we get the value we just wrote. Therefore, after performing the write operation \(a \langle 3 \triangleleft 5 \rangle \), reading from index \(3\) will always yield \(5\), making it impossible for it to equal \(3\).
This formula is satisfiable. For example, if we have an array \(a\) such that \(a[3] = 2\), then after performing the write operation \(a \langle 3 \triangleleft 5 \rangle \), reading from index \(3\) will yield \(5\). Thus, both parts of the conjunction can be true simultaneously though are not valid in all interpretations.

Quiz. Finding inductive invariants - arrays [004j]

December 10, 2025

Consider the following while loop \(W\):


  while i < n do
    a[i] := 0;
    i    := i + 1

Consider the following pre-and-post condition:

\[ \{i = 0 \land n > 0\}\ W\ \{\forall j.\ 0 \leq j < n \to a[j] = 0\} \]

What is an inductive invariant that shows correctness?

Solution.

December 10, 2025

This is almost a sort of canonical example where the index replacement trick works really nicely. On a high level our postcondition asserts something about the array over the first \(n\) indices, hence if we want to have an invariant which shows correctness, we can simply reframe our postcondition as an assertion up to the \(i\)th position / iteration, in other words we simply replace \(n\) with \(i\):

\[ \forall j.\ 0 \leq j < i \to a[j] = 0 \]

Soundness & Completeness

December 6, 2025

Definition. Soundness & Completeness - Hoare triples [0041]

December 5, 2025

In a very general sense if we have a logical or formal system a core idea is that we only want to prove things that are actually true, and conversely if we find something that is true we would want to be able to prove it. This leads to two important properties of formal systems:

Soundness is the property that everything provable within the system is in fact true, within the context of hoare logic it means that all hoare triples which we can syntactically derive using our inference rules are by implication valid (i.e. true in all interpretations), formally: \[ \vdash \{P\}\ s\ \{Q\} \to \ \vDash \{P\}\ s\ \{Q\} \]
Completeness is the property that everything that is true can be proven within the system, in the context of hoare logic it means that all valid hoare triples can be syntactically derived using our inference rules, formally: \[ \vDash \{P\}\ s\ \{Q\} \to \ \vdash \{P\}\ s\ \{Q\} \]

Weakest precondition

December 6, 2025

Definition. Working backwards - weakest precondition [004k]

December 10, 2025

I'll split this explanation into 3 parts, first the basic intuition, then the pen-and-paper reasoning, and finally a more granular explanation.

The idea

December 10, 2025

Say we want to verify a hoare triple \(\{P\}\ s\ \{Q\}\), the weakest precondition approach is that we:

Start with our postcondition \(Q\) and, going backwards, we compute a formula \(\texttt {wp}(s, Q)\) called the weakest precondition of \(Q\) w.r.t the statement \(s\).
\(\texttt {wp}(s, Q)\) has the property that it's the weakest condition which guarantees that \(Q\) will hold after the termination of \(s\).

Therefore we can say that the triple is valid:

\[ \vDash \{P\}\ s\ \{Q\} \iff P \to \texttt {wp}(s, Q) \]

The basic rules

December 10, 2025

The basic rules can be recursively defined as follows:

For assignments: \[ \texttt {wp}(x := e, Q) \triangleq Q[x \mapsto e] \]
For composition \[ \texttt {wp}(s_1; s_2, Q) \triangleq \texttt {wp}(s_1, \texttt {wp}(s_2, Q)) \]
For conditionals \[ \texttt {wp}(\texttt {if}\ b\ \texttt {then}\ s_1\ \texttt {else}\ s_2, Q) \triangleq (b \to \texttt {wp}(s_1, Q)) \land (\neg b \to \texttt {wp}(s_2, Q)) \]

The more detailed reasoning

December 10, 2025

As a reminder, a Hoare triple:

\[ \{P\}\ s\ \{Q\} \]

Is simply a kind of syntax sugar for the logical formula:

\[ \forall \sigma , \sigma '.\ P(\sigma ) \to (s, \sigma ) \Downarrow \sigma ' \to Q(\sigma ) \]

So for all source and target states, if we terminate on \(s\) then \(Q\) holds. Additionally, for different kinds of expressions we also have our constructions rules to ensure soundness, take for example assignment, our rule to only derive valid Hoare triples was:

If we assume \(e\) to be some variable expression in a context \(\sigma : \texttt {Vars} \to \mathbb {Z}\) which has to evaluate to a number before assignment then we can write the above rule more pedantically as:

\[ \forall \sigma , \sigma '.\ (\forall n : \mathbb {Z}.\ (e, \sigma ) \Downarrow n \to Q[x \mapsto n]) \to (x := e, \sigma ) \Downarrow \sigma ' \to Q(\sigma ') \]

The idea of backwards reasoning here is as follows:

First we look at the big step evaluation \((x := e, \sigma ) \Downarrow \sigma '\), we know that if this assignment succeeded, it implies there must have been a successful evaluation of the \(e\) term, we know this because the only way to have derived this step is by the following inference rule:
Using what we've learned from (1) we apply the notion of inversion, i.e. if we know a conclusion to be true, we can assert the premises of that conclusion must have also been true, this in a sense gives us the premises to use as new judgements.
Now looking at the expression \[ \forall n : \mathbb {Z},.\ (e, \sigma ) \Downarrow n \to Q[x \mapsto n] \] we can clearly derive the precondition \(Q[x \mapsto n]\) since we know the antecedent \(\forall n.\ (e, \sigma ) \Downarrow n\) is true, as it must have been true to derive the big step evaluation.
Since we have now demonstrated we can indeed provide sufficient reasoning to arrive at our conclusion \(Q(\sigma ')\) this finishes the proof.

The shorthand of the weakest precondition is nothing more than an expression of precisely this idea in a more concise fashion. Take for example \(\texttt {if conditions}\).

We again start from our post-condition then proceed with a case split or more accurately an inversion on the evaluation rule.
The inversion naturally gives us two branches, the true and false branch. This represents the conjunction here, then with each conjunct the antecedent of the implication is represented by the true or false guard condition \(b\), the consequent in this instance is simply a recursive call on the \(\texttt {then}\) and \(\texttt {else}\) branch bodies.

The main thing I'm trying to drive home here is that the weakest precondition idea is fundamentally just based on the concept of:

Seeing how a term must have been derived
Recursively going up the chain of any other sub-terms

So in a straightforward way, it's nothing more than chaining together all the individual proof rules for the various hoare triples. To show an example in lean using a some nice macros to create a simple syntax:


    example (n : Num) : 
    {{ ⟦ "x" ↦ n ⟧ }} 
      tm{ x := x + 1 } 
    {{ ⟦ "x" ↦ n + 1 ⟧ }} := by
    apply Hoare.assign'
    intro σ m hpre heval
    cases heval with
    | sum he1 he2 =>
      cases he1; cases he2
      simp [hpre]

The hoare triple we are proving here corresponds to this in the normal syntax:

\[ \{x \mapsto n \}\ x := x + 1\ \{x \mapsto n + 1\} \]

We can see here to "prove" this hoare triple was valid we started by doing our standard case split on the assign - that's the \(\texttt {apply Hoare.assign'}\) - statement, then we were inside the addition, here we did a case split which gave us the lhs and rhs we were adding, after doing a case split on those two sides we could finally just simplify (and finalize) our proof using the fact that in \(\sigma \) \(x\) evaluates to \(n\).

Definition. Weakest precondition - while loop [004m]

December 10, 2025

In an abstract sense the weakest precondition for while loops is no different from that for most other syntactic constructs, to reason backward we apply inversion to the statement we are considering; in this case the while loop; and then simply recurse on the sub-terms. Though the while loop differentiates itself through the notion of invariants.

Before we define how to compute the weakest precondition let's define the hoare rule again:

The central thing to observe here is the invariant hypothesis which acts as the premise for the while loop formation, if we write expand it out a bit we get:

\[ \{I(\sigma ) \land b \Downarrow ^t \sigma \}\ s\ \{I\} \]

So the idea, to reiterate again, is that if our invariant holds in the state \(\sigma \) and our loop condition evaluates to \(\texttt {true}\), then upon termination of \(s\) i.e. the loop body we have that the invariant \(I\) still holds.

In the false case our proof becomes trivial through inversion we know there is some terminating state \(\sigma _t\) and we know the loop condition must have evaluated to false, hence we can immediately provide the conditions to fulfill the postcondition and thus create our valid hoare triple.
The true case is a bit more complex, first let's look at the evaluation semantics for it We can see the final state is \(\sigma _3\) this means that the post-condition we want to prove for the true state is \[ I(\sigma _3) \land b \Downarrow ^f \sigma _3 \] The main thing we leverage here is the invariant hypothesis, rewriting it as a function we have \[ \lambda (\sigma , \sigma ').\ \lambda ( I(\sigma ) \land b \Downarrow ^f \sigma ).\ \lambda ((c, \sigma ) \Downarrow \sigma ').\ I(\sigma ') \] in addition to \[ \lambda \sigma .\ \lambda I(\sigma ).\ \lambda (\langle W, \sigma \rangle = \langle W, \sigma _2 \rangle ).\ I(\sigma _3) \land b \Downarrow ^f \sigma _3 \] The idea is then that we use inversion to give us the evaluated terms, we plug those terms into the invariant hypothesis to get \(I(\sigma _2)\), then using \(\sigma _2\), \(I(\sigma _2)\), and reflexivity (since \(\langle W, \sigma _2\rangle \equiv \langle W, \sigma _2 \rangle \)) we have created the proof that the invariant holds for the final memory state and the loop guard indeed evaluates to false.

Quiz. Computing weakest preconditions [004l]

December 10, 2025

Consider the following statement:


  x := y + 1;
  if x > 0 then
    z := 1
  else
    z := -1

Answer the following questions:

What is \(\texttt {wp}(s, z > 0)\)
What is \(\texttt {wp}(s, z \leq 0)\)
Can we prove \(\{-1 \leq y\}\ s\ \{z > 0\}\)
What about \(\{y > -1\}\ s\ \{z > 0\}\)

Solution.

December 10, 2025

In an abstract sense the statement is a sequence of an assignment and an if statement, starting with the if statement we get: \[ (x > 0) \to \texttt {wp}(z := 1, Q) \land (x \leq 0) \to \texttt {wp}(z := -1, Q) \] Both of the assignments resolve to substitutions of 1 and -1, so we get \[ (x > 0) \to (z > 0)[z \mapsto 1] \land (x \leq 0) \to (z > 0)[z \mapsto -1] \] With sequences we know it's a nested pattern, i.e. \(\texttt {wp}(s_1, \texttt {wp}(s_2, Q))\), the second argument we already have, we know that \(s_1\) here is just the assignment, so again we apply the subtitution \[ ((x > 0) \to Q[z \mapsto 1] \land (x \leq 0) \to Q[z \mapsto -1])[x \mapsto (y + 1)] \] which reduces to \[ \begin {align} ((y + 1 > 0) \to (1 > 0) &\land (y + 1 \leq 0) \to (-1 > 0)) \\ ((y + 1 > 0) \to \top &\land (y + 1 \leq 0) \to \bot ) \\ ((y + 1 > 0) \to \top &\land \neg (y + 1 \leq 0)) \\ ((y + 1 > 0) \to \top &\land (y + 1 > 0)) \\ ((y + 1 > 0) \to \top )& \\ (y + 1 > 0)& \\ \end {align} \]
To skip ahead a slight bit, so we have \[ (x > 0) \to (z \leq 0)[z \mapsto 1] \land (x \leq 0) \to (z \leq 0)[z \mapsto -1] \] then substituting for the intial assignment of \(x\) \[ (y + 1 > 0) \to (1 \leq 0) \land (y + 1 \leq 0) \to (-1 \leq 0) \] Here we just end up in the reverse case, i.e. \[ (y + 1 > 0) \to (\bot ) \land (y + 1 \leq 0) \to \top \] reduces now to \[ (y + 1 \leq 0) \]
The high level idea here is that we computed the weakest precondition for \(z > 0\) already, it was \[ (y + 1 > 0) \] since it's the weakest we can only admit other preconditions if they imply the weakest one, so if we then look at the implication \[ -1 > y \to (y + 1 > 0) \] we can trivially see that this implication does not hold, i.e. we cannot apply precondition strengthening here hence the rule does not allow us to prove the hoare triple.
Same reasoning as above, but now it works since \[ y > -1 \to y + 1 > 0 \] indeed makes sense

Example. Verification conditions in while loops [004n]

December 11, 2025

Let's consider the following while loop:


  @pre x <= 0
  while [x <= 6] (x <= 5) do
    x := x + 1
  @post x = 6

if we denote the loop and its body as \(W\), then it corresponds to the following hoare triple:

\[ \{x \leq 0\}\ W\ \{x = 6\} \]

With the addition of the invariant \(I \triangleq x \leq 6\), now the verification condition for the loop is expressed as:

\[ \begin {align} \texttt {vc}(W [I], x = 6) &= \forall \sigma .\ I(\sigma ) \land (b \Downarrow ^t \sigma ) \to \texttt {wp}(W [I], s, I(\sigma )) \\ &\land \forall \sigma .\ I(\sigma ) \land (b \Downarrow ^f \sigma ) \to Q(\sigma ) \\ &\land \texttt {vc}(s, I) \end {align} \]

starting with the first conjunct with have:

\[ \forall \sigma , x \leq 6 \to (x \leq 5 \Downarrow ^t \sigma ) \to \texttt {wp}(x := x + 1, (x \leq 6)) \]

After we unfold the \(\texttt {wp}\) our goal reduces to:

\[ x \mapsto x + 1 \leq 6 \equiv x \leq 5 \]

And we clearly know this is true just by inversion of the evaluation of the loop guard. Moving on to the second conjunct:

\[ \forall \sigma .\ x \leq 6 \land (x \leq 5 \Downarrow ^f \sigma ) \to x = 6 \]

This represents our termination condition, here we know by inversion of the loop guard again that the premise of our implication becomes:

\[ x \leq 6 \land x > 5 \to x = 6 \]

Our final conjunct is the verification condition on the assignment, so:

\[ \texttt {vc}(x := x + 1, x \leq 6) \]

Unfolding the call again we know this just resolves to \(\top \) as there are no verification conditions for assignment.

Finally we also have to demonstrate that:

\[ (x \leq 0 \land x = x_0) \to \texttt {wp}(W [I], Q) \]

unfolding the \(\texttt {wp}\) again gives

\[ (x \leq 0 \land x = x_0) \to x \leq 6 \]

Clearly we can see this trivially holds, i.e. our precondition is stronger than the invariant, hence by precondition strengthening, it is valid.

How do we get there though?

December 11, 2025

I do think it's worth telling this as a bit of a story, we start with the fundamental theorem for while loops:

So this is just the expanded rule for constructing valid or sound while hoare triples, now this rule assumes that the invariant \(I\) is the same as the precondition \(P\) which is naturally not always the case, so it could be nice to have a rule which accounts for constructing valid while loops with invariants and custom preconditions. Same with custom post-conditions \(Q\).

If you want to be super pedantic you could show how this is just a combination of consequence + while rule. Anyway then, moving on we have the rule for \(\texttt {wp}\) soundness.

Now depending on how you actually design your \(\texttt {wp}\) and \(\texttt {vc}\) code this rule can look slightly different, though I like this distinction, in this instance for the case of while loops \(\texttt {wp}(W[I], Q)\) simply returns the invariant \(I\), this means that again if we want to have a custom precondition for \(W\) we'd want to verify we would extend the rule as:

Thus for while loops it would become:

Where the verification conditions would unfold to what we discussed before.

A nice point to make here is that all of these rules are essentially derived from one another, which is to say that:

In a conceptual sense verification conditions i.e. what we need to prove to demonstrate a hoare triple is valid, are simply a convenience mechanism derived from the fundamental logic of how we construct a hoare triple.

VU-VFS-2025. Lecture 7 - VC's for functions and pointers [004p]

December 12, 2025

Assertions

December 12, 2025

Definition. Assertions & Havoc [004q]

December 12, 2025

We introduce 3 new syntactic constructs with their associated hoare rules, these constructs are:

The statement \(\texttt {assert(F)}\) which \(\texttt {fails}\) if \(F\) evaluates to \(\bot \)
The statement \(\texttt {assume(F)}\) which tells us that \(F\) evaluates to \(\top \)
The statement \(\texttt {x := havoc()}\) which assigns a non-deterministic value to a variable \(x\)

Evaluation rules

December 12, 2025

We introduce a new construct \(\texttt {fail}\) which denotes the failure state, as an alternative to \(\sigma \).

The idea with getting stuck being that since we aren't failing for the case of partial-correctness (failure or termination) it means we can simply ignore this case.

The final big-step evaluation rule is for the havoc statement:

Hoare rules

December 12, 2025

In addition to our big-step evaluation rules we also have Hoare rules.

A more detailed explanation

December 12, 2025

\[ (\texttt {Stmt} \times \texttt {Memory}) \to \texttt {Memory} \to \texttt {Prop} \]

It's now expressed as

\[ (\texttt {Stmt} \times \texttt {Memory}) \to (\texttt {Result} \texttt {Memory}) \to \texttt {Prop} \]

Where we can model \(\texttt {Result}\) as the following monad


    inductive Result (α : Type)
    | ok : α → Result α      -- Normal termination with final state
    | fail : Result α        -- Assertion failure / error state
    deriving Repr, DecidableEq

The Hoare triple is where stuff becomes a bit more interesting. As a reminder, the classical hoare triple is basically just an alias for the logical formula:

\[ \forall \sigma , \sigma '.\ P(\sigma ) \to \langle s, \sigma \rangle \Downarrow \sigma ' \to Q(\sigma ') \]

\[ \forall \sigma , \sigma _t.\ P(\sigma ) \to \langle s, \sigma \rangle \Downarrow \sigma _t \to (??) \]

Here we then run into I guess a design choice as to how we proceed, the two main possibilities are:

We fail sometimes succeed other times this would mean that: \[ (\exists \sigma ', \sigma _t = \texttt {.ok}\ \sigma ' \land Q(\sigma ')) \] another way of seeing this is here we are disallowig failure meaning that for a hoare triple to be proven valid we must explicitly demonstrate as a side condition that we cannot fail otherwise our hoare triple is invalid.
We never fail which would mean that: \[ (\forall \sigma ', \sigma _t = \texttt {.ok}\ \sigma ' \land Q(\sigma ')) \] for this rule another way of seeing it is we are ignoring failure or filter success states since we are clearly only quantifying over those states that are successfull.

The latter option seems to be generally more common in theoretical settings because it doesn't require explicitly accounting for failure states, they are just implicitly filtered out in the logic.

Quiz. Weakest precondition for assert and assume [004r]

December 12, 2025

Answer the following:

What's \(\texttt {wp}(\texttt {assert}(P), Q)\)
What's \(\texttt {wp}(\texttt {assume}(P), Q)\)
Given a statement \(s\), can we transform it into a statement \(s'\) such that: \[ \vDash \{P\}\ s\ \{Q\} \iff \{\top \}\ s'\ \{\top \} \]

Solution.

December 12, 2025

We can remember that the weakest precondition is simply what we can derive reasoning backwards from the formulaic expression of a hoare triple.

Considering our wp formula we have \[ \texttt {wp}(\texttt {assert}(b), Q)(\sigma ) \to (\texttt {assert}(b), \sigma ) \Downarrow \texttt {.ok}\ \sigma \to Q(\sigma ) \] reasoning backwards we can start with a case split on the evaluation of the assertion, this leads to two cases
- \(b\) evaluates to true, as this case trivially implies that the assertion evaluates into \(\texttt {.ok}\ \sigma \) it means we must prove \(Q(\sigma )\). The only way we can prove this is by having our weakest precondition be a witness to this assertion.
- \(b\) evaluates to false, as this would imply a contradiction since the assertion evaluates to \(\texttt {.ok}\ \sigma \), more specifically we know have to prove the contradiction that \(\texttt {.ok}\ \sigma = \texttt {.fail} \sigma \), we know (i.e. have a hypothesis) by inversion that \(b \Downarrow ^f \sigma \) since we know \(b\) has to be true to prove the contradiction we also must ensure the weakest precondition states that \(b \Downarrow ^t \sigma \)
from these two cases we can conclude that two demonstrate the soundness of the weakest precondition for assert statements, it must be the case that the \(\texttt {wp}\) is the conjunction of the postcondition and the logical assertion that what is being asserted is indeed true, so we have that \[ \texttt {wp}(\texttt {assert}(b), Q)(\sigma ) \equiv (b \Downarrow ^t \sigma ) \land Q(\sigma ) \] the more intuitive reasoning here is that \(Q\) should hold before and after as an assert should, just by design, not do anything to the memory, it's only an assertion after all. Additionally, the condition should hold true as \(\texttt {wp}\) definitionally describes a set of states where all terminating executions end in a state satisfying \(Q\) thus if \(b\) does not evaluate to true, there is no terminating execution from \(\sigma \).
We can just use the more intuitive reasoning here, we know the weakest precondition characterizes a set of states where terminating executions end in a state satisfying \(Q\). The only way for something being assumed to be true leading to some other else is it if implies something else, thus our \(\texttt {wp}\) becomes \[ \texttt {wp}(\texttt {assume}(b), Q)(\sigma ) \equiv (b \Downarrow ^t \sigma ) \to Q(\sigma ) \] in terms of backward reasoning the idea is that \(\texttt {assume}(p)\) essentially just adds a raw hypothesis \((b \Downarrow ^t \sigma )\) but clearly that by itself doesn't somehow allow me to just manifest \(Q(\sigma )\), the only way we could possibly get \(Q\) from \(b\) being true is if we have a function which states that \(b\) being true implies \(Q\).

VU-VFS-2025. Lecture 8 - Horn Clauses [004u]

December 15, 2025

Introduction & Syntax

December 15, 2025

Definition. Horn clauses - Syntax [004v]

December 15, 2025

A Horn clause is a disjunctive clause (disjunction of literals) with at most one positive, i.e. unnegated literal. Often written in implication form as a conjunction of literals implying some literal called the head.

\[ \underbrace {\underbrace {p(x_1, x_2) \land q(x_1, x_2, x_3) \land \ldots }_\text {queries} \land \underbrace {\phi }_\text {constraint}}_\text {body} \to \underbrace {H}_\text {head} \]

Here:

queries are relations over some vector of variables
\(\phi \) represents a formula in a first-order theory which does not contain queries
\(H\) is called the head and represents either a query in which case we also call the horn clause a definite class if it has the following shape \[ (p \land q \land \ldots \land \phi ) \to H \] or a fact if it has the following shape \[ \top \to H \] \(H\) can also be \(\bot \) in which case we refer to the horn clause as a gloal clause with the shape \[ (p \land q \land \ldots \land \phi ) \to \bot \] with the idea being that as opposed to assuming the query holds we now show that it holds

Free variables are implicitly universally quantified over, so a horn clause like

\[ \texttt {mortal}(X) \to \texttt {human}(X) \]

stands for

\[ \forall X.\ \texttt {mortal}(X) \to \texttt {human}(X) \]

Definition. Horn clauses - Semantics [004w]

December 15, 2025

Definition. Horn clause - Solution [0050]

December 16, 2025

A solution is a function \(\Sigma \) that maps queries to formulas in the background theory over the same variables. Formally we write \(\Sigma \vDash C\) and say that \(\Sigma \) satisfies \(C\), if \(C\) is true if we replace all queries by their solutions, written as an inference rule:

We write \(\Sigma \vDash \mathcal {C}\) and say that \(\Sigma \) satisfies the set of clauses \(\{C_1, C_2, \ldots , C_n\}\), if it satisfies all individual clauses, i.e:

\[ \Sigma \vDash C_1 \land \Sigma \vDash C_2 \land \ldots \land \Sigma \vDash C_n \]

We say that \(\mathcal C\) is satisfiable, if \(\exists \Sigma .\ \Sigma \vDash \mathcal C\)

Quiz. Finding recursive Horn clauses [004z]

December 16, 2025

Is the following set of horn clauses recursive?

\[ \begin {align} q(x) \land r(x) &\to p(x) \\ p(x) \land (x < n) &\to \bot \end {align} \]
\[ \begin {align} q(x) \land r(x) &\to p(x) \\ p(x) \land (x > 0) &\to r(x) \\ p(x) \land (x < n) &\to \bot \end {align} \]

Solution.

December 16, 2025

No, we can draw the dependency graph as follows
Yes, because the head \(p\) depends on the query \(r\) and vv. again as a graph we can draw it as follows

Application of Horn clauses

December 15, 2025

Definition. Normalizing Horn clauses [0059]

December 19, 2025

Something of note when dealing with weakets preconditions in terms of horn clauses is that we have to first normalize them to ensure they are in the correct horn format, which is to say we commonly have some horn clause in the form

\[ p(e_1, e_2) \land \ldots \land \phi \to H(e_3) \]

where \(e_i\) represents an expression, to normalize these clauses we lift the expressions out of the parameters for the predicates and into the list of conjuncts, i.e.:

\[ p(x_1, x_2) \land x_1 = e_1 \land x_2 = e_2 \land x_3 = e_3 \land \ldots \land \phi \to H(x_3) \]

So we create fresh variables \(x_1, x_2, x_3\) and assign these to the respective expressions then use them in place of the expressions themselves.

Definition. Strongest Postcondition [005c]

December 22, 2025

In the most straightforward sense the strongest postcondition, denoted \(\texttt {sp}\) or \(\texttt {post}\), denotes the exact or least set of final states which we land in after a successful execution. Set theoretically we can denote it as.

\[ \texttt {sp}(s, P) = \{\sigma \in \Sigma \mid \exists \sigma ' \in \Sigma : \sigma ' \vDash P \land (s, \sigma ') \Downarrow \sigma \} \]

We can also use a more logic way of expressing it as follows

\[ \texttt {sp}(s, P) \triangleq \exists \sigma '.\ P(\sigma ') \land (s, \sigma ') \Downarrow \sigma \]

But the idea is in principle the same, it represents the set of states corresponding to some evaluated result based on some existing safe state.

Quiz. Computing the strongest post-condition [005k]

December 25, 2025

Consider the following set of Horn clauses

\[ \begin {align} x = 0 &\to q(x) \\ (q(y) \land y < 6 \land x = y + 1) \to q(x) \end {align} \]

Abstraction

December 15, 2025

Definition. Abstraction & Concretization function [005d]

December 22, 2025

In the most general sense we consider two domains, an abstract domain \(A\) and a concrete domain \(C\). We have two functions the abstraction function

\[ \alpha : C \to A \]

and the concretization function

\[ \gamma : A \to C \]

Naturally we often instantiate these two domains for different scenarios.

Example: Interval abstraction

December 22, 2025

Let's consider a basic instance of abstraction where we think of the concrete domain as set's of numbers and the abstract domain as rangers or intervals of numbers which characterize these sets. So formally we say

Our concrete domain is the power set \(\mathcal P(\mathbb {R})\) of the natural real numbers \(\mathbb {R}\) ordered by set-inclusion so \(\sqsubseteq \equiv \subseteq \)
Our abstract domain is represented by intervals in addition to the symbols for true and false, so \[ A = \textrm {Intervals} \cup \{\top , \bot \} \]
Our concretization function maps from an interval to all those numbers contained within the interval, so as an example \[ \gamma ([l, u]) \equiv \{x \mid l \leq x \leq u\} \]
Our abstraction function which takes a concrete element \(c\) then maps this to the meet or conjunct of all abstract element in which the ordering with the concretization function holds, i.e. \[ \alpha (c) = \bigwedge \{a \in A \mid c \subseteq \gamma (a)\} \] the idea is that it represents the most precise abstract representation which can capture the concrete element c. Operationally we can express this equivalently as \[ \alpha(c \equiv \{x_1, x_2, \ldots, x_n\}) = \begin{cases} [\textrm{min}\ c, \textrm{max}\ c] & \textrm{if bounded} \\ [\textrm{min}\ c, +\infty) & \textrm{if only lb} \\ (-\infty, \textrm{max}\ c] & \textrm{if only ub} \\ \top & \textrm{if unbounded} \\ \bot & \textrm{if}\ = \emptyset \end{cases} \] so more plainly we can understand the abstraction function of just being the most exact combination i.e. meet / conjunction of intervals to express our concrete element.

Example: Predicate abstraction

December 22, 2025

A common application within the domain of logic and computer science is to consider the concrete domain as referring to formulas or equivalently set's of states, not too much unlike our power-set of numbers. With our abstract state then being a conjunct of predicates from some finite set \(P\) which best characterize our concrete formulas.

Each element in the abstract domain is some permutation of our finite predicate set \(P\), so we have \[ A = \mathcal P(P) \quad P_1 \sqsubseteq P_2 \iff P_2 \subseteq P_1 \] each abstract element \(a \in P\) is defined by the conjunction \[ \bigwedge _{p \in a} p \] hence our concretization function yields those set's of concrete states (or predicates representing these states) which satisfy \(a\). \[ \gamma (a) = \{\sigma \in \Sigma \mid \forall p \in a.\ p(\sigma ) = \top \} \equiv \llbracket \bigwedge _{p \in a} p \rrbracket \]
The abstraction function is then defined more or less the usual way, we take in a concrete set of states \(c\) then aggregate those predicates which describe our concrete set of states most precisely. \[ \alpha (c) = \bigcap \{a \in A \mid c \subseteq \gamma (a)\} \] can equivalent formulation is \[ \alpha (c) = \bigwedge \{p \in P \mid c \to p\} \]

Let's consider as an example

\[ P = \{x \geq 0, x \geq 5, x \leq 10\} \quad c = \{x = 7\} \]

Here we can define the abstraction function as follows

\[ \alpha (x = 7) = \bigwedge \{x \geq 0, x \geq 5, x \leq 10\} \]

Definition. Abstract strongest postcondition [005e]

December 22, 2025

The idea

December 22, 2025

Our usual strongest postcondition can be understood as a mapping from a concrete domain to a concrete domain, i.e.

\[ \begin {align} \texttt {sp} : \texttt {Stmt} \times \texttt {C} \to C \end {align} \]

Where \(C\) represents our concrete domain, in the world of program logic this is typically assertions on the state of some memory environment. The idea behind the abstract \(\texttt {sp}\), is that we have a function

\[ \begin {align} \texttt {sp}^\# : \texttt {Stmt} \times \texttt {A} \to \texttt {A} \end {align} \]

In other words we are considering the strongest postcondition from within the abstract domain. Intuitively this just means that our predicates or assertions on the memory states (or equivalently the set of states we characterize) will be expressed in abstract terms.

In more detail

December 22, 2025

The abstract strongest postcondition, denoted \(\texttt {sp}^\#\) or \(\textrm {post\#}\) is defined as

\[ \texttt {sp}^\# (s, a) = \alpha (\texttt {sp}(s, \gamma (a))) \]

Let's explain a bit on how we can derive this, we begin with the idea that for each \(a \in A\) and each statement \(s\) we want:

\[ \texttt {sp}(s, \gamma (a)) \subseteq \gamma (\texttt {sp}^\#(s, a)) \]

This expresses soundness in other words, the resulting set of states, generated by concretizing the abstraction \(a\) must be contained within the prediction of the abstract transformer predicate \(\texttt {sp}^\#\). Then using the Galois connection we have between \(\alpha \) and \(\gamma \)

\[ \forall a \in A, c \in C.\ \alpha (c) \subseteq a \iff c \leq \gamma (a) \]

which expresses the notion that \(c\) is approximated by \(a\). We can rewrite our earlier soundness condition as:

\[ \alpha (\texttt {sp}(s, \gamma (a))) \sqsubseteq \texttt {sp}^\# (s, a) \]

two again denote the same conceptual thing that our abstract predicate transformer \(\texttt {sp}^\#\) is an over-approximation of the analogous transformer for the concrete domain. As we would preferably like to have the most precise approximation we choose equality. Or stated differently by definition the most precise abstracted approximation of the strongest post-condition we can have for some abstracted state is literally just this state concretized, and the resulting set abstracted.

\[ \texttt {sp}^\# (s, a) = \alpha (\texttt {sp}(s, \gamma (a))) \]

Correctness

December 22, 2025

The most important property to remember about the abstract strongest post-condition is that if we do over-approximate an error state it does not allow us to conclude that the program is wrong.

VU-VFS-2025. Lecture 9 - Solving Horn Clauses [005g]

December 23, 2025

VU-VFS-2025. Lecture 10 - Information Flow Types [005h]

December 23, 2025

The type system

December 23, 2025

Definition. Information Flow Types - Rules [005f]

December 22, 2025

We define a typing judgement as

\[ \Gamma \vdash e : \tau \]

Expressing that in the context \(\Gamma \) expression \(e\) has a label \(\tau \in \mathcal T\)

VU-VFS-2025. Lecture 11 - Information Flow & Side Channels [005i]

December 23, 2025

VU-VFS-2025. Lecture 12 - Refinement Types [005j]

December 23, 2025