From: AAAI-02 Proceedings. Copyright © 2002, AAAI (www.aaai.org). All rights reserved.

AHoare-Style Proof System for Robot Programs

Yongmei Liu Department of Computer Science University of Toronto Toronto, ON, Canada M5S 3G4 [email protected]

Abstract Golog is defined, properties of Golog programs can be ex- pressed as second-order situation calculus formulas. Thus Golog is a situation calculus-based programming theoretically, verification ofGolog programs can be reduced language for high-level robotic control. This paper ex- plores Hoare’s axiomatic approach to program verifica- to proof of such formulas. However, this is infeasible in tioninthe Golog context. We present a novel Hoare- practice: even though the semantic definition of Golog is style proof system for partial correctness of Golog pro- very succinct, the whole formula to express the semantics of grams. We prove total soundness of the proof system, even a simple Golog program can be very complicated. In and relative completeness of a subsystem of it for pro- general, providing a formal semantics for a high-level robot cedureless Golog programs. Examples are given to il- programming language in a logic framework makes possi- lustrate the use of the proof system. ble formal correctness proofs of robot programs, but does not furnish us with any systematic method for doing so. Introduction In this paper, we explore the well-established axiomatic approach to program verification in the Golog context. This When it comes to building high-level robotic controllers, approach was initiated by Hoare (1969), and it was applied to planning-based approaches suffer from computational in- Algol-like languages. In this approach, the relevant program tractability. A promising alternative is high-level program- properties are expressed as formulas in some mathematical ming. Given a particular domain, a high-level program can logic. A proof system consisting of and proof rules provide natural constraints on how to achieve a specific goal. is given, which allows formal proofs of program properties. The domain constraints then allow for replacing the unre- An important advantage of Hoare’s approach is that the proof stricted search for a sequence of actions achieving a goal by system is syntax-directed and hence makes proofs easier by the more constrained task of finding a sequence of actions induction on the structure of programs. Hoare’s approach that constitutes a legal execution of some high-level pro- has received a great deal of attention, and many Hoare-style gram. The logic programming language Golog (Levesque et proof systems have been proposed for various programming al. 1997) is designed to support such an approach. constructs (Apt 1981; 1984). As its full name (alGOl in LOGic) implies, Golog attempts However, the application ofHoareLogic to Golog is not to blend Algol programming style into logic. It provides a routine due to the following differences between Golog and way of defining complex actions and procedures in terms of a Algol-like languages. First, atomic Algol programs are as- set of primitive actions, by borrowing from Algol many well- signments; while atomic Gologprograms are user-defined known programming constructs such as sequences, condi- primitive actions. Second, the semantics of Algol programs tionals, loops and recursive procedures. Primitive actions is interpretive, i.e., it is defined based on an interpretation are domain-dependentactions in the external world, and their for the first-order language in which the expressions in Al- preconditions and effects, together with the initial state of the gol programs are formed; while the semantics of Golog pro- world, are axiomatized in the situation calculus (McCarthy grams is defined by macro-expansion into situation calculus &Hayes 1969). The formal semantics of Golog is defined formulas. by introducing an abbreviation Do(δ, s, s),whereδ is a pro- In this paper, we present a novel Hoare-style proof system gram, s and s are situation terms. Intuitively, Do(δ, s, s) for partial correctness of Golog programs. We prove total will expand into a (second-order) situation calculus formula soundness of the proof system, and relative completeness of saying that it is possible to reach situation s from situation asubsystem of it for procedureless Golog programs. Exam- s by executing a sequence of actions specified by δ. ples are given to illustrate the use of the proof system. Needless to say, correctness of robot programs is of paramount importance. Hence we are concerned about veri- Failure to prove that aprogram satisfies a desired property fication of Golog programs. Due to the way the semantics of may lead us to detect 1) errors in the program, or 2) incon- sistency or incompleteness in the domain theory. So program Copyright c 2002, American Associationfor Artificial Intelli- verification can still be useful when the domain theory is it- gence (www.aaai.org). All rights reserved. self inconsistent or incomplete.

74 AAAI-02 Background 6. Nondeterministic iteration: ∗ def The Situation Calculus Do(δ ,s,s) =(∀P ).{(∀s1)P (s1,s1)∧ (∀s1,s2,s3)[P (s1,s2) ∧ Do(δ, s2,s3) ⊃ P (s1,s3)]} The situation calculus as presented in (Reiter 2001) is a ⊃ P (s, s) many-sorted second-order language for representing dy- . namic worlds. There are three disjoint sorts: action for ac- 7. Procedure calls: For any (n +2)-ary procedure variable tions, situation for situations, and object for everything (i.e., predicate variable whose last two arguments are the else. A situation calculus language L has the following com- only ones of sort situation) P , def S0 ponents: a constant denoting the initial situation; a bi- Do(P (t1,... ,tn),s,s) = P (t1,... ,tn,s,s). nary function do(a, s) denoting the successor situation to s Env resulting from performing action a;abinary predicate s 8. Blocks with local procedure declarations: Let s meaning thatsituation s is asubhistory of situation s;a be an environment, i.e., a set of procedure declarations P (v ) δ ... P (v ) δ binary predicate Poss(a, s) meaning that action a is possi- proc 1 1 1 endProc; ; proc n n n endProc, P ,... ,P ble in situation s;acountable set of action functions, e.g., where 1 n are procedure variables. Then move(x, y) Do({Env; δ},s,s) def= ;and a countable set of relational fluents, i.e.,  predicates taking a situation termastheirlast argument, e.g.,  n (∀P ).[ i=1(∀vi,s1,s2).Do(δi,s1,s2) ⊃ Pi(vi,s1,s2)] ontable(x, s) .For simplicity of presentation, we ignore ⊃ Do(δ, s, s ). functional fluents in this paper. This says: when P1,... ,Pn are the smallest binary re- L− L We use to denote the language obtained from by re- lations on situations that are closed under executing their situation moving the sort and removing the situation argu- procedure bodies δ1,... ,δn,thenany transition (s, s ) L− ment from every relational fluent. We call an -formula obtained by executing the main program δ is a transition φ apseudo-fluent formula (abbreviated “pff”). Let be a pff, for executing {Env; δ}. and s beasituation term. We use φ[s] to denote the formula φ s Conditionals and loops are defined as abbreviations: obtained from by restoring as the situation arguments to def all fluents mentioned by φ. if φ then δ1 else δ2 fi =[φ?; δ1] | [¬φ?; δ2], Frequently, we are interested only in executable situations, def ∗ while φ do δ od =[φ?; δ] ; ¬φ?. namely, action histories in which it is possible to perform the actions one after the other. This is formalized as follows: def Hoare Logic executable(s) =(∀a, s∗).do(a, s∗) s ⊃ Poss(a, s∗). The basic formulas of Hoare Logic are constructs of the Any domain of application is axiomatized by a basic ac- form {p} S {q} (called Hoare triples), where S is a program, tion theory D with thefollowing components: and p, q are first-order formulas. The intuitive meaning of 1. The foundational axioms for situations. {p} S {q} is: if p holds before the execution of S and the ex- 2. Action precondition axioms, one for each action func- ecution of S terminates, then q holds afterwards. For exam- tion A,with syntactic form Poss(A(x),s) ≡ ΠA(x)[s], ple, the following are axioms and proof rules of a basic Hoare where ΠA(x) is a pff. Logic for programs from a simple Algol-like language. 3. Successor state axioms, one for each fluent F ,with syntac- 1. Assignment F (x, do(a, s)) ≡ Φ (x, a)[s] Φ (x, a) tic form F ,where F is {p(x/t)} x := t {p}, apff.These embody a solution to the frame problem. 4. Unique names axioms for the primitive actions. where p(x/t) denotes the result of replacing all free occur- rences of x in p by t. 5. An initial database, namely a set of axioms describing S0. 2. Composition Rule Golog {p} S {r}, {r} S {q} 1 2 . The formal semantics of Golog is specified by an abbrevia- {p} S ; S {q} tion Do(δ, s, s),which is inductively defined as follows: 1 2 1. Primitive actions: For any action term α, 3. if-then-else Rule def Do(α, s, s) = Poss(α, s) ∧ s = do(α, s). {p ∧ e} S {q}, {p ∧¬e} S {q} 1 2 . 2. Test actions: For any pff φ, {p} if e then S1 else S2 fi {q} Do(φ?,s,s) def= φ[s] ∧ s = s . 4. while Rule 3. Sequence: {p ∧ e} S {p} def . Do(δ1; δ2,s,s) =(∃s ).Do(δ1,s,s )∧Do(δ2,s ,s). {p} while e do S od {p ∧¬e} 4. Nondeterministic choice of two actions: def Do(δ1 | δ2,s,s) = Do(δ1,s,s) ∨ Do(δ2,s,s). 5. Consequence Rule 5. Nondeterministic choice of action arguments: p ⊃ p1, {p1} S {q1},q1 ⊃ q def . Do((πx)δ(x),s,s) =(∃x)Do(δ(x),s,s). {p} S {q}

AAAI-02 75 However, Hoare Logic is not complete; see (Apt 1981) for where A is an action function, F is a relational fluent adiscussion of the incompleteness results. Cook (1978) cir- with successor state axiom F (x, do(a, s)) ≡ ΦF (x, a)[s]. cumvented these incompleteness problems by defining the Note that ΦF (x, A(y)) can be simplified using unique notion of relative completeness. The basic idea was to sup- names axioms for actions. plyHoare’s system with an oracle which had the ability to an- 2. Fluent-Free Axiom (FF) swer questions concerning the truths of first-order formulas. In this way, he separated reasoning about programs from rea- {Q} δ {Q}, soning about the underlying domain, in his case, arithmetic. where no fluent occurs in Q. The Proof System HG 3. Test Action Axiom (TA) In this section, we present a novel Hoare-style proof system {φ ⊃ R} φ? {R}. HG for partial correctness of Golog programs. Proof Rules Syntax and Semantics 1. Primitive Action Rule (PAR) Awell-formed formula of HG (HG-wff) is either an invari- {Q ∧ Π (x)} A(x) {R} ant formula or a Hoare triple, which are defined as follows. A , Definition 1 An formula is a construct of the form {Q} A(x) {R} Q Q ,where is a pff; a Hoare triple is a construct of the where A is an action function with action precondition ax- form {Q} δ {R},whereQ and R are pffs, and δ is a Golog iom Poss(A(x),s) ≡ ΠA(x)[s]. program. 2. Sequence Rule (Seq) In traditional work on Hoare Logic, the semantics of Hoare triples is defined with respect to an interpretation. In {Q} δ {S}, {S} δ {R} 1 2 . the Golog context, since the semantics of programs is defined {Q} δ1; δ2 {R} by macro-expansion into situation calculus formulas, Hoare triples can be conveniently defined as abbreviations for situ- 3. Nondeterministic Action Rule (NA) ation calculus formulas. {Q} δ {R}, {Q} δ {R} Let φ be a formula. We use (∀).φ to denote the first-order 1 2 . closure of φ,i.e.,theresultofprefixingtoφ universal quan- {Q} δ1 | δ2 {R} tifiers for all free individual variables in φ. 4. Nondeterministic Action Argument Rule (NAA) Q def=(∀).executable(s) ⊃ Q[s] Definition 2 1. ; {Q} δ(x) {R} def , 2. {Q} δ {R} =(∀).executable(s) ∧ Q[s] ∧ Do(δ, s, s ) {Q} (πx) δ(x) {R} ⊃ R[s]. where x does not occur free in Q or R. Intuitively, Q means that Q is true in all executable situa- tions; {Q} δ {R} means that if s is an executable situation 5. Nondeterministic Iteration Rule (NI) satisfying Q and the execution of δ in s leads to a situation {Q} δ {Q} s,thens satisfies R. . {Q} δ∗ {Q} Axioms and Proof Rules 6. Consequence Rule (Cons) Let D be a basic action theory. The proof system HG(D) is (Q ⊃ Q ), {Q } δ {R }, (R ⊃ R) defined as follows. Abbreviations given in parentheses are 1 1 1 1 . used to refer to the axioms or rules. {Q} δ {R}

Oracle Axioms 7. Conjunction Rule (Conj) Invariant Oracle Axiom (Inv) {Q1} δ {R1}, {Q2} δ {R2} Q, where D|= Q. . {Q1 ∧ Q2} δ {R1 ∧ R2} Here we adopt Cook’s idea in formulating the notion of rel- ative completeness, and supply our proof system with an or- 8. Disjunction Rule (Disj) acle which can answer questions concerning whether an in- {Q } δ {R }, {Q } δ {R } variant formula is entailed by a basic action theory. In this 1 1 2 2 . way, we can concentrate on reasoning about programs. {Q1 ∨ Q2} δ {R1 ∨ R2} Axioms 9. Quantification Rule (Quan) 1. Effect and Frame Axiom (EF) {Q(x)} δ {R(x)} {Q(x)} δ {R(x)} , , {ΦF (x, A(y))} A(y) {F (x)}, {∀xQ(x)} δ {∀xR(x)} {∃xQ(x)} δ {∃xR(x)} {¬Φ (x, A(y))} A(y) {¬F (x)}, F where x does not occur free in δ.

76 AAAI-02 10. Recursion Rule (Rec) Definition 4 That Ψ is provable in HG(D),written {{Q } P (v ) {R }}n {{Q } δ {R }}n HG(D) Ψ,isinductively defined as follows: i i i i i=1 i i i i=1 , n  ∅ {{Qi}{Env; Pi(vi)}{Ri}}i=1 1. HG(D) ; n HG(D) Φ Φ BH(D) Ψ HG(D) Ψ where { φi }i=1 denotes the set {φi | i =1,... ,n}. 2. If , and ,then ; n Intuitively, this rule says that we can infer 3. If HG(D) Φ, and Φ ∪{{Qi} Pi(vi) {Ri}}i=1 {Q }{Env; P (v )}{R } i =1,... ,n n i i i i , from the BH(D) {{Qi} δi {Ri}} ,then {{Q } δ {R }}n i=1 fact that i i i i=1 can be proved (using the  {{Q }{Env; P (v )}{R }}n other proof rules and axioms) from the hypotheses HG(D) i i i i i=1. n {{Qi} Pi(vi) {Ri}}i=1. 11. Invocation Rule (IK) Example: A Blocks World Pj (t ) In this section, we demonstrate the use of our proof system {Q} δi {R} {Env; Pj (t )} , by proving properties of robot programs in a simple domain: {Q}{Env; Pi(vi)}{R} ablocks world. Despite its simplicity, this domain illustrates some important issues in verification of robot programs. Pj (t ) where δi denotes the result of replacing each {Env; Pj (t )} Action Precondition Axioms  procedure call Pj(t ) in δi by its contextualized version Poss(move(x, y),s) ≡ clear(x, s) ∧ clear(y,s) ∧ x = y,  Poss(moveT oTable(x),s) ≡ {Env; Pj (t )}.Intuitively, to execute {Env; Pi(vi)} is clear(x, s) ∧¬ontable(x, s). Pj (t ) 1 to execute δi . {Env; Pj (t )} Successor State Axioms 12. Substitution Rule (Subs) on(x, y, do(a, s)) ≡ a = move(x, y)∨ {Q(x)}{Env; P (x)}{R(x)} on(x, y, s) ∧ a = moveT oTable(x)∧ i , ¬(∃z)a = move(x, z)    , {Q(x/t )}{Env; Pi(x/t )}{R(x/t )} above(x, y, do(a, s)) ≡ (∃z){a = move(x, z) ∧ [z = y ∨ above(z,y,s)]}∨ {Q(x)} P (x) {R(x)} , above(x, y, s) ∧ a = moveT oTable(x)∧    {Q(x/t )} P (x/t) {R(x/t )} ¬(∃z)a = move(x, z), clear(x, do(a, s)) ≡ where P is an action function or a procedure variable, and Q(x/t ) (∃y){[(∃z)a = move(y,z) ∨ a = moveT oTable(y)]∧ denotes the result of simultaneously substituting on(y,x,s)}∨ terms from t for the corresponding variables from x in Q. clear(x, s) ∧¬(∃y)a = move(y,x), The following are derived rules: ontable(x, do(a, s)) ≡ a = moveT oTable(x)∨ 1. If Rule ontable(x, s) ∧¬(∃y)a = move(x, y). {Q ∧ φ} δ1 {R}, {Q ∧¬φ} δ2 {R} Initial Database . φ[S ] φ ∈A {Q} if φ then δ1 else δ2 fi {R} 0 ,where bw,whichisthe set of the following pffs: on(x, y) ≡ above(x, y)∧¬(∃z)(above(x, z)∧above(z,y)), 2. While Rule clear(x) ≡¬(∃y)on(y,x), {Q ∧ φ} δ {Q} ontable(x) ≡¬(∃y)on(x, y) . , {Q} while φ do δ od {Q ∧¬φ} ¬above(x, x), above(x, y) ∧ above(y,z) ⊃ above(x, z), Provability above(x, y) ∧ above(x, z) ⊃ Due to the recursionrule,thesystemHG(D) is not a stan- y = z ∨ above(y,z) ∨ above(z,y), dard proof system. Let BH(D) denote HG(D) without the above(y,x) ∧ above(z,x) ⊃ recursion rule. We first define provability in BH(D),and y = z ∨ above(y,z) ∨ above(z,y), then use it to define provability in HG(D).Inthesequel, ontable(x) ∨ (∃y)(above(x, y) ∧ ontable(y)), we use Φ and Ψ to denote finite sets of HG-wffs. clear(x) ∨ (∃y)(above(y,x) ∧ clear(y)), above(x, y) ⊃ (∃z)on(x, z) ∧ (∃w)on(w, y) Definition 3 Aformalproof of Ψ from Φ in BH(D) is a fi- . nite sequence S of HG-wffs, each of which is either an ax- Cook and Liu (2002) show that Abw is complete in the fol- iom of BH(D),anelement of Φ,orisobtained from pre- lowing sense: if we model a state of blocks world by a finite vious formulas of S by a proof rule of BH(D).Wewrite collection of finite chains, then every sentence that is true in A Φ BH(D) Ψ,ifthereisaproof of Ψ from Φ in BH(D). all such models is a consequence of bw. Let Dbw denote the basic action theory of this blocks 1 Note that this rule supports the compositional proof of proper- world. We can prove that for each φ ∈Abw, Dbw |= φ. tiesofprocedures. For example, suppose that P1 only calls itself, and P2 only calls P1.Wecan first use the recursion rule to prove the While Loop property of P1,andthenuse this property and the invocation rule to prove the property of P2.Without the invocation rule, we can only Consider the following Golog program β,which nondeter- prove properties of all procedures simultaneously. ministically moves a block onto another block, so long as

AAAI-02 77 there are at least two blocks on the table: 1. {ψ(b, x)} flattenT ower(b) {ontable(x)} while (∃x, y)[ontable(x) ∧ ontable(y) ∧ x = y] do Hypothesis 2. {ψ(c, x)} flattenT ower(c) (πu,v)move(u, v) od {ontable(x)} Subs(1) {ontable(x)} flattenT ower(c) We want to prove that whenever this program terminates, 3. {ontable(x)} there is a unique block on the table, provided there was some Cons(2) {x = c ∨ above(c, x)} block on the table to begin with: 4. flattenT ower(c) {ontable(x)} Cons(2) {(∃x)ontable(x)} β {(∃!y)ontable(y)}. 5. {ψ(b, x)} ontable(b)? Aproof consists of a sequence of lines. To justify a new {ψ(b, x) ∧ ontable(b)} TA line, we annotate it by an axiom or a proof rule, together with 6. {ψ(b, x) ∧ ontable(b) ⊃ the lines that are used as rule premises. ontable(x)} Inv In the following proof, to reduce length of formulas, we 7. {ψ(b, x)} ontable(b)? {ontable(x)} Cons(5,6) use φ(x, y) to denote ontable(x) ∧ ontable(y) ∧ x = y. {ontable(x) ∧ u = x} 8. {ontable(x)} on(b, c)? {ontable(x)} TA 1. {ontable(x)} moveT oTable(b) move(u, v) {ontable(x)} EF 9. {φ(x, y) ∧ u = x} {ontable(x)} EF 2. {ontable(x)} γ(b, c) {ontable(x)} move(u, v) {ontable(x)} Cons(1) 10. Seq(8,9,3) {ontable(y) ∧ u = y} 3. 11. {x = b} on(b, c)? {x = b} FF move(u, v) {ontable(y)} EF {x = b} moveT oTable(b) {x = b} {φ(x, y) ∧ u = x} 12. FF 4. 13. {true} moveT oTable(b) move(u, v) {ontable(y)} Cons(3) {ontable(b)} {φ(x, y)} move(u, v) EF 5. 14. {x = b} moveT oTable(b) {ontable(x) ∨ ontable(y)} Disj(2,4) {x = b ∧ ontable(b)} {φ(x, y)} (πu,v)move(u, v) Conj(12,13) 6. 15. {x = b} moveT oTable(b) {ontable(x) ∨ ontable(y)} NAA(5) {ontable(x)} {(∃x, y)φ(x, y)} (πu,v)move(u, v) Cons(14) 7. 16. {x = b} γ(b, c) {ontable(x)} Seq(11,15,3) {(∃x, y)[ontable(x) ∨ ontable(y)]} Quan(6) 8. {(∃x)ontable(x) ∧ (∃x, y)φ(x, y)} 17. {above(b, x)} on(b, c)? (πu,v)move(u, v) {(∃x)ontable(x)} Cons(7) {above(b, x) ∧ on(b, c)} TA 9. {(∃x)ontable(x)} β {(∃!y)ontable(y)} While(8) 18. {above(b, x) ∧ on(b, c) ⊃ x = c ∨ above(c, x) ∧ b = c} Inv Recursive Procedure 19. {above(b, x)} on(b, c)? Consider the following Gologprocedure which puts all the {x = c ∨ above(c, x) ∧ b = c} Cons(17,18) blocks in the tower with top block b onto the table: 20. {x = c} moveT oTable(b) {x = c} FF {above(c, x) ∧ b = c} proc flattenT ower(b) 21. moveT oTable(b) {above(c, x)} EF ontable(b)? | 22. {x = c ∨ above(c, x) ∧ b = c} (πc)[on(b, c)?; moveT oTable(b); flattenT ower(c)] moveT oTable(b) endProc. {x = c ∨ above(c, x)} Disj(20,21) 23. {above(b, x)} γ(b, c) {ontable(x)} Seq(19,22,4) We want to prove its partial correctness: {ψ(b, x)} γ(b, c) {ontable(x)} {x = b ∨ above(b, x)} 24. Disj(10,16,23) 25. {ψ(b, x)} (πc)γ(b, c) {ontable(x)} NAA(24) {Env; flattenT ower(b)}{ontable(x)}. 26. {ψ(b, x)} ontable(b)? | (πc)γ(b, c) {ontable(x)} We will prove a stronger statement: NA(7,25) {ontable(x) ∨ x = b ∨ above(b, x)} Soundness and Completeness Results {Env; flattenT ower(b)}{ontable(x)}. In traditional work on Hoare Logic, the soundness and com- In what follows, we use ψ(b, x) to denote pleteness results explore the relationship between I |= φ and ontable(x) ∨ x = b ∨ above(b, x),andγ(b, c) to de- H(I)  φ,whereI is an interpretation, φ is a Hoare triple, note on(b, c)?; moveT oTable(b); flattenT ower(c). and H(I) is a Hoare-style proof system with some set of for- mulas true in I taken as additional axioms. In our work, the By the recursion rule, it suffices to prove that soundness and completeness results will explore the relation- {ψ(b, x)} flattenT ower(b) {ontable(x)} D|= φ G(D)  φ D BP(Dbw ) ship between and ,where is a basic {ψ(b, x)} ontable(b)? | (πc)γ(b, c) {ontable(x)}. action theory, φ is a Hoare triple, and G(D) is a Hoare-style proof system with some set of formulas entailed by D taken We use blank lines to break the proof into paragraphs: as additional axioms.

78 AAAI-02 Theorem 5 Total Soundness of HG. For every basic ac- D+ is that by using G¨odel’s β-function we can encode finite tion theory D,ifHG(D) Ψ,thenD|=Ψ. sequences of elements from the domain by a pair of natural numbers. We say that D+ is finite-change if there are only The following are two important lemmas for the theorem. D+ The fixpoint lemma handles the invocation rule, and the in- finitely many fluents, and in each model of , each prim- duction principle deals with the recursion rule. itive action can only change the value of fluents at finitely many points. We conjecture that if D+ is finite-change, then Lemma 6 Fixpoint Lemma. Let i =1,... ,n. L+ is expressive relative to D+ and WG. The following is a valid sentence:

Pj (t ) Conclusions (∀).Do({Env; Pi(vi)},s,s) ≡ Do(δi ,s,s). {Env; Pj (t )} Gologisanovel logic programming language for high-level robotic control. To establish a systematic approach for prov- Lemma 7 Induction Principle for Recursive Procedures. ing correctness of robot controllers written in Golog, we have Let Q1, ... ,Qn,R1, ... ,Rn be pffs. The following is a explored Hoare’s axiomatic approach to program verifica- valid second-order sentence:   tion in the Golog context. This is not a routine task due to the  n n (∀P )[ i=1{Qi} Pi(vi) {Ri}⊃ i=1{Qi} δi {Ri}] ⊃ differences between Golog and Algol-like languages. Our n technical contributions include the definition of the seman- {Qi}{Env; Pi(vi)}{Ri}. i=1 tics of Hoare triples, and the formulation of the notions of The notion of completeness applicable to HG is that of soundness, completeness and expressiveness in the Golog relative completeness. This is because HG has oracle ax- context. ioms, which are not necessarily recursive. The relative com- In summary, we have presented a novel Hoare-style proof pleteness of HGremains open. Here we prove relative com- system for partial correctness of Golog programs. We have pleteness of a subsystem of HG.LetWGbe the set of Golog proved total soundness of the proof system, and relative com- programs without procedures. Let HW be the restriction of pleteness of a subsystem of it for procedureless Golog pro- HG to WG,i.e.,programs appearing in Hoare triples are grams. Using this proof system, we can obtain structured procedureless, and the recursion, invocation and substitution and compositional proofs for properties of Golog programs. rules concerning procedures are removed. We will prove rel- An important future research topic is to investigate the com- ative completeness of HW.Wefirstdefinethenotion of ex- pleteness issue for procedures. pressiveness, which is adapted from that in (Cook 1978). Acknowledgments Definition 8 Let D be a basic action theory in language L and ∆ be a set of Golog programs. We say that L is expres- Ithank Hector Levesque and Ray Reiter for many helpful sive relative to D and ∆ if for any program δ ∈ ∆ and any discussions about this paper. I am grateful to Stephen Cook pff R,thereexists a pff Q such that for his valuable help with this work. Thanks also to the anonymous referees for useful comments. D|=(∀).Q[s] ≡ (∀s).Do(δ, s, s) ⊃ R[s]; References we call Q the weakest liberal precondition of δ wrt R. Apt, K. 1981. Ten years of Hoare’s logic: a survey–Part I. We first give an example of non-expressiveness by show- ACM Trans. Program. Lang. Syst. 3(4):431–483. ingthat the language of blocks world is not expressive rela- D WG δ ∈ WG Apt, K. 1984. Ten years of Hoare’s logic: a survey–Part II: tive to bw and .Itiseasy to write a program nondeterminism. Theoret. Comput. Sci. 28:83–109. which makes a tower of even height with at most one block not in the tower. Then the weakest liberal precondition of Cook, S., and Liu, Y. 2002. A complete axiomatization δ wrt (∃!x)ontable(x) would assert that there are an even for blocks world. In Seventh International Symposium on number of blocks, which we know is not expressible in the Artificial Intelligence and Mathematics. language of blocks world. Cook, S. 1978. Soundness and completeness of an ax- HW iom system for program verification. SIAM J. of Computing Theorem 9 Relative Completeness of . For any ba- 7(1):70–90. sic actiontheory D in L such that L is expressive relative to D and WG,forany Hoare triple {Q} δ {R} such that Hoare, C. 1969. An axiomatic basis for computer program- ming. Comm. ACM 12(10):576–580, 583. δ ∈ WG,ifD|= {Q} δ {R},thenHW(D) {Q} δ {R}. Levesque, H.; Reiter, R.; Lesp´erance, Y.; Lin, F.; and Here we conjecture a sufficient condition for expressive- WG D Scherl, R. 1997. Golog: A logic programming language ness relative to .Foranybasic action theory in lan- for dynamic domains. J. of Logic Programming 31:59–84. guage L,defineL+ as the extension of L which contains a sort nat for natural numbers, the language of Peano arith- McCarthy, J., and Hayes, P. 1969. Some philosophical metic, and two function symbols (their intended interpreta- problems from the standpoint of artificial intelligence. In Machine Intelligence 4 tions are codings of objects and situations into natural num- Meltzer, B., and Michie, D., eds., . bers); define D+ = D∪P∪C,whereP is thesecond- Edinburgh University Press. 463–502. order axiomatization ofPeano arithmetic, and C asserts that Reiter, R. 2001. Knowledge in Action: Logical Founda- the objects and situations are countable. We call D+ an arith- tions for Specifying and Implementing Dynamical Systems. metical basic action theory. A nice property of models of MIT Press.

AAAI-02 79