A Hoare-Style Proof System for Robot Programs

From: AAAI-02 Proceedings. Copyright © 2002, AAAI (www.aaai.org). All rights reserved.

Yongmei Liu
Department of Computer Science, University of Toronto, Toronto, ON, Canada M5S 3G4
[email protected]

Abstract

Golog is a situation calculus-based logic programming language for high-level robotic control. This paper explores Hoare's axiomatic approach to program verification in the Golog context. We present a novel Hoare-style proof system for partial correctness of Golog programs. We prove total soundness of the proof system, and relative completeness of a subsystem of it for procedureless Golog programs. Examples are given to illustrate the use of the proof system.

Introduction

When it comes to building high-level robotic controllers, planning-based approaches suffer from computational intractability. A promising alternative is high-level programming. Given a particular domain, a high-level program can provide natural constraints on how to achieve a specific goal. The domain constraints then allow for replacing the unrestricted search for a sequence of actions achieving a goal by the more constrained task of finding a sequence of actions that constitutes a legal execution of some high-level program. The logic programming language Golog (Levesque et al. 1997) is designed to support such an approach.

As its full name (alGOl in LOGic) implies, Golog attempts to blend Algol programming style into logic. It provides a way of defining complex actions and procedures in terms of a set of primitive actions, by borrowing from Algol many well-known programming constructs such as sequences, conditionals, loops and recursive procedures. Primitive actions are domain-dependent actions in the external world, and their preconditions and effects, together with the initial state of the world, are axiomatized in the situation calculus (McCarthy & Hayes 1969). The formal semantics of Golog is defined by introducing an abbreviation $Do(\delta, s, s')$, where $\delta$ is a program and $s$, $s'$ are situation terms. Intuitively, $Do(\delta, s, s')$ expands into a (second-order) situation calculus formula saying that it is possible to reach situation $s'$ from situation $s$ by executing a sequence of actions specified by $\delta$.

Needless to say, correctness of robot programs is of paramount importance. Hence we are concerned with verification of Golog programs. Because of the way the semantics of Golog is defined, properties of Golog programs can be expressed as second-order situation calculus formulas. Thus, in theory, verification of Golog programs can be reduced to proving such formulas. However, this is infeasible in practice: even though the semantic definition of Golog is very succinct, the whole formula expressing the semantics of even a simple Golog program can be very complicated. In general, providing a formal semantics for a high-level robot programming language in a logic framework makes formal correctness proofs of robot programs possible, but does not furnish us with any systematic method for doing so.

In this paper, we explore the well-established axiomatic approach to program verification in the Golog context. This approach was initiated by Hoare (1969) and was applied to Algol-like languages. In this approach, the relevant program properties are expressed as formulas in some mathematical logic. A proof system consisting of axioms and proof rules is given, which allows formal proofs of program properties. An important advantage of Hoare's approach is that the proof system is syntax-directed and hence makes proofs easier by induction on the structure of programs. Hoare's approach has received a great deal of attention, and many Hoare-style proof systems have been proposed for various programming constructs (Apt 1981; 1984).

However, the application of Hoare Logic to Golog is not routine, due to the following differences between Golog and Algol-like languages. First, atomic Algol programs are assignments, while atomic Golog programs are user-defined primitive actions. Second, the semantics of Algol programs is interpretive, i.e., it is defined based on an interpretation for the first-order language in which the expressions in Algol programs are formed, while the semantics of Golog programs is defined by macro-expansion into situation calculus formulas.

In this paper, we present a novel Hoare-style proof system for partial correctness of Golog programs. We prove total soundness of the proof system, and relative completeness of a subsystem of it for procedureless Golog programs. Examples are given to illustrate the use of the proof system.

Failure to prove that a program satisfies a desired property may lead us to detect 1) errors in the program, or 2) inconsistency or incompleteness in the domain theory. So program verification can still be useful when the domain theory is itself inconsistent or incomplete.

Background

The Situation Calculus

The situation calculus as presented in (Reiter 2001) is a many-sorted second-order language for representing dynamic worlds. There are three disjoint sorts: action for actions, situation for situations, and object for everything else. A situation calculus language $\mathcal{L}$ has the following components: a constant $S_0$ denoting the initial situation; a binary function $do(a, s)$ denoting the successor situation to $s$ resulting from performing action $a$; a binary predicate $s \sqsubset s'$ meaning that situation $s$ is a subhistory of situation $s'$; a binary predicate $Poss(a, s)$ meaning that action $a$ is possible in situation $s$; a countable set of action functions, e.g., $move(x, y)$; and a countable set of relational fluents, i.e., predicates taking a situation term as their last argument, e.g., $ontable(x, s)$. For simplicity of presentation, we ignore functional fluents in this paper.

We use $\mathcal{L}^-$ to denote the language obtained from $\mathcal{L}$ by removing the sort situation and removing the situation argument from every relational fluent. We call an $\mathcal{L}^-$-formula a pseudo-fluent formula (abbreviated "pff"). Let $\phi$ be a pff, and $s$ be a situation term. We use $\phi[s]$ to denote the formula obtained from $\phi$ by restoring $s$ as the situation argument of all fluents mentioned by $\phi$.

Frequently, we are interested only in executable situations, namely, action histories in which it is possible to perform the actions one after the other. This is formalized as follows:

$$executable(s) \stackrel{\text{def}}{=} (\forall a, s^*).\, do(a, s^*) \sqsubseteq s \supset Poss(a, s^*).$$

Any domain of application is axiomatized by a basic action theory $\mathcal{D}$ with the following components:

1. The foundational axioms for situations.
2. Action precondition axioms, one for each action function $A$, with syntactic form $Poss(A(\vec{x}), s) \equiv \Pi_A(\vec{x})[s]$, where $\Pi_A(\vec{x})$ is a pff.
3. Successor state axioms, one for each fluent $F$, with syntactic form $F(\vec{x}, do(a, s)) \equiv \Phi_F(\vec{x}, a)[s]$, where $\Phi_F(\vec{x}, a)$ is a pff. These embody a solution to the frame problem.
4. Unique names axioms for the primitive actions.
5. An initial database, namely a set of axioms describing $S_0$.

Golog

The formal semantics of Golog is specified by an abbreviation $Do(\delta, s, s')$, which is inductively defined as follows:

1. Primitive actions: For any action term $\alpha$,
$$Do(\alpha, s, s') \stackrel{\text{def}}{=} Poss(\alpha, s) \wedge s' = do(\alpha, s).$$
2. Test actions: For any pff $\phi$,
$$Do(\phi?, s, s') \stackrel{\text{def}}{=} \phi[s] \wedge s' = s.$$
3. Sequence:
$$Do(\delta_1; \delta_2, s, s') \stackrel{\text{def}}{=} (\exists s'').\, Do(\delta_1, s, s'') \wedge Do(\delta_2, s'', s').$$
6. Nondeterministic iteration:
$$Do(\delta^*, s, s') \stackrel{\text{def}}{=} (\forall P).\{(\forall s_1)\, P(s_1, s_1) \wedge (\forall s_1, s_2, s_3)[P(s_1, s_2) \wedge Do(\delta, s_2, s_3) \supset P(s_1, s_3)]\} \supset P(s, s').$$
7. Procedure calls: For any $(n+2)$-ary procedure variable (i.e., predicate variable whose last two arguments are the only ones of sort situation) $P$,
$$Do(P(t_1, \ldots, t_n), s, s') \stackrel{\text{def}}{=} P(t_1, \ldots, t_n, s, s').$$
8. Blocks with local procedure declarations: Let $Env$ be an environment, i.e., a set of procedure declarations $\mathbf{proc}\ P_1(\vec{v}_1)\ \delta_1\ \mathbf{endProc};\ \ldots;\ \mathbf{proc}\ P_n(\vec{v}_n)\ \delta_n\ \mathbf{endProc}$, where $P_1, \ldots, P_n$ are procedure variables. Then
$$Do(\{Env; \delta\}, s, s') \stackrel{\text{def}}{=} (\forall \vec{P}).\Big[\bigwedge_{i=1}^{n} (\forall \vec{v}_i, s_1, s_2).\, Do(\delta_i, s_1, s_2) \supset P_i(\vec{v}_i, s_1, s_2)\Big] \supset Do(\delta, s, s').$$
This says: when $P_1, \ldots, P_n$ are the smallest binary relations on situations that are closed under executing their procedure bodies $\delta_1, \ldots, \delta_n$, then any transition $(s, s')$ obtained by executing the main program $\delta$ is a transition for executing $\{Env; \delta\}$.

Conditionals and loops are defined as abbreviations:

$$\mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2\ \mathbf{fi} \stackrel{\text{def}}{=} [\phi?; \delta_1] \mid [\neg\phi?; \delta_2],$$
$$\mathbf{while}\ \phi\ \mathbf{do}\ \delta\ \mathbf{od} \stackrel{\text{def}}{=} [\phi?; \delta]^*; \neg\phi?.$$

Hoare Logic

The basic formulas of Hoare Logic are constructs of the form $\{p\}\ S\ \{q\}$ (called Hoare triples), where $S$ is a program, and $p$, $q$ are first-order formulas. The intuitive meaning of $\{p\}\ S\ \{q\}$ is: if $p$ holds before the execution of $S$ and the execution of $S$ terminates, then $q$ holds afterwards. For example, the following are axioms and proof rules of a basic Hoare Logic for programs from a simple Algol-like language.

1. Assignment Axiom
$$\{p(x/t)\}\ x := t\ \{p\},$$
where $p(x/t)$ denotes the result of replacing all free occurrences of $x$ in $p$ by $t$.
2. Composition Rule
$$\frac{\{p\}\ S_1\ \{r\},\quad \{r\}\ S_2\ \{q\}}{\{p\}\ S_1; S_2\ \{q\}}.$$
3. if-then-else Rule
$$\frac{\{p \wedge e\}\ S_1\ \{q\},\quad \{p \wedge \neg e\}\ S_2\ \{q\}}{\{p\}\ \mathbf{if}\ e\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}\ \{q\}}.$$
4. while Rule
$$\{p \wedge e\}\ S\ \{p\}$$
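The macro-expansion semantics given in the Background section above can be read operationally: for a fixed basic action theory, $Do(\delta, s, s')$ is a relation between situations, and the second-order definition of $\delta^*$ picks out the least fixed point of one-step execution. The following Python program is an added illustration of that reading and is not code from the paper. It assumes that situations are action histories starting at $S_0$, that a constructed two-block domain (actions pickup(x) and putdown(x), one fluent holding(x, s)) stands in for the basic action theory, that $\delta_1 \mid \delta_2$ (used by the conditional abbreviation; its defining case is not in this extract) denotes the union of the two relations, as in standard Golog, and that iteration is explored only up to a history-length bound, since the situation tree is infinite. Procedure calls and blocks are omitted.

```python
"""Operational reading of the Golog macro-expansion semantics Do(delta, s, s').

Added illustration, not code from the paper.  Assumptions: situations are
action histories (tuples of actions) with S0 = (); the basic action theory
is a constructed two-block domain; delta1 | delta2 is the union of the two
relations (standard Golog); and nondeterministic iteration is explored up to
a history-length bound, since the situation tree is infinite.
"""

S0 = ()
BLOCKS = ("a", "b")


# ---- Basic action theory for the constructed domain ----------------------
def holding(x, s):
    """Fluent holding(x, s), evaluated through its successor state axiom
    holding(x, do(a, s)) == a = pickup(x) or (holding(x, s) and a != putdown(x)),
    with the initial database saying nothing is held in S0."""
    if s == S0:
        return False
    a, prev = s[-1], s[:-1]
    return a == ("pickup", x) or (holding(x, prev) and a != ("putdown", x))


def poss(a, s):
    """Action precondition axioms Poss(A(x), s) == Pi_A(x)[s]."""
    kind, x = a
    if kind == "pickup":
        return not any(holding(y, s) for y in BLOCKS)   # the hand must be empty
    if kind == "putdown":
        return holding(x, s)
    return False


def do(a, s):
    return s + (a,)


def executable(s):
    """executable(s): each action in the history was possible when performed."""
    return all(poss(s[i], s[:i]) for i in range(len(s)))


# ---- Golog programs as nested tuples --------------------------------------
def act(a):         return ("act", a)
def test(phi):      return ("test", phi)        # phi: situation -> bool, i.e. a pff
def seq(d1, d2):    return ("seq", d1, d2)
def choice(d1, d2): return ("choice", d1, d2)   # delta1 | delta2
def star(d):        return ("star", d)          # delta*


def if_then_else(phi, d1, d2):
    """if phi then d1 else d2 fi  ==  [phi?; d1] | [not phi?; d2]"""
    return choice(seq(test(phi), d1), seq(test(lambda s: not phi(s)), d2))


def while_do(phi, d):
    """while phi do d od  ==  [phi?; d]*; not phi?"""
    return seq(star(seq(test(phi), d)), test(lambda s: not phi(s)))


def Do(delta, s, bound=6):
    """Set of situations s' (histories of length <= bound) with Do(delta, s, s')."""
    kind = delta[0]
    if kind == "act":                   # Poss(alpha, s) and s' = do(alpha, s)
        a = delta[1]
        return {do(a, s)} if poss(a, s) and len(s) < bound else set()
    if kind == "test":                  # phi[s] and s' = s
        return {s} if delta[1](s) else set()
    if kind == "seq":                   # exists s''. Do(d1, s, s'') and Do(d2, s'', s')
        return {s2 for s1 in Do(delta[1], s, bound) for s2 in Do(delta[2], s1, bound)}
    if kind == "choice":                # Do(d1, s, s') or Do(d2, s, s')
        return Do(delta[1], s, bound) | Do(delta[2], s, bound)
    if kind == "star":
        # The second-order definition quantifies over every relation P that is
        # reflexive and closed under one more execution of delta, so Do(delta*)
        # is the smallest such P: the least fixed point this loop computes.
        reached, frontier = {s}, {s}
        while frontier:
            frontier = {s2 for s1 in frontier for s2 in Do(delta[1], s1, bound)} - reached
            reached |= frontier
        return reached
    raise ValueError(f"unknown construct {kind}")


def demo():
    """Three programs over the constructed domain, run from S0."""
    pick_a, put_a, pick_b = act(("pickup", "a")), act(("putdown", "a")), act(("pickup", "b"))
    blocked = Do(seq(pick_a, pick_b), S0)            # hand is full after pickup(a)
    loop = Do(while_do(lambda s: not holding("a", s), pick_a), S0)
    iterated = Do(star(choice(pick_a, put_a)), S0, bound=2)
    return blocked, loop, iterated


if __name__ == "__main__":
    for name, result in zip(("blocked", "loop", "iterated"), demo()):
        print(name, sorted(result))
```

Running `demo()` shows the three behaviours the definitions force: pickup(a); pickup(b) has no legal execution because the $Poss$ conjunct of case 1 rejects the second action, the while loop unfolds through $[\phi?; \delta]^*; \neg\phi?$ into exactly one final situation, and the bounded iteration returns every reachable situation including the trivial transition $(s, s)$. Every situation returned satisfies executable(s), which is exactly what checking $Poss$ at each primitive step guarantees; without the length bound the iteration would not terminate on this domain, which is the operational face of the "very complicated" expansions the introduction warns about.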
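The rules of the Hoare Logic section are syntax-directed, which is what makes them mechanisable: reading each rule backwards from the postcondition turns a proof into the generation of verification conditions. The Python program below is an added illustration and is not code from the paper. It assumes a tiny assignment language with tuple ASTs, treats the Assignment Axiom as literal substitution $p(x/t)$, applies the Composition and if-then-else Rules backwards, and for loops uses the standard while rule with conclusion $\{p\}\ \mathbf{while}\ e\ \mathbf{do}\ S\ \mathbf{od}\ \{p \wedge \neg e\}$ (the conclusion is the standard one from Hoare logic; this extract breaks off after the premise) with a user-supplied invariant. The implications it produces are checked by exhaustive evaluation over a small integer range, which stands in for a theorem prover and is evidence for the triple, not a proof of it.

```python
"""Verification-condition generation from the Hoare rules quoted above.

Added illustration, not code from the paper.  Programs, terms and assertions
are tuple ASTs.  wp() applies the Assignment Axiom as syntactic substitution
and the Composition / if-then-else / while rules backwards.  Assumption: the
resulting implications are checked by exhaustive evaluation over a small
integer range, which stands in for a theorem prover.
"""
from itertools import product

# Terms and formulas: ("var", x) | ("num", k) | (op, left, right) | ("not", f)
OPS = {
    "add": lambda a, b: a + b, "sub": lambda a, b: a - b, "mul": lambda a, b: a * b,
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
    "and": lambda a, b: a and b, "or": lambda a, b: a or b,
    "imp": lambda a, b: (not a) or b,
}

def V(x): return ("var", x)
def N(k): return ("num", k)


def subst(p, x, t):
    """p(x/t): this assertion language has no binders, so every occurrence
    of x is free and is replaced by the term t."""
    if p[0] == "var":
        return t if p[1] == x else p
    if p[0] == "num":
        return p
    return (p[0],) + tuple(subst(child, x, t) for child in p[1:])


def wp(S, q):
    """Precondition derived for program S and postcondition q, together with
    the side conditions (hypothesis, conclusion) generated by loops."""
    kind = S[0]
    if kind == "assign":                 # Assignment Axiom: {q(x/t)} x := t {q}
        _, x, t = S
        return subst(q, x, t), []
    if kind == "seq":                    # Composition Rule, choosing r = wp(S2, q)
        _, S1, S2 = S
        r, vcs2 = wp(S2, q)
        p, vcs1 = wp(S1, r)
        return p, vcs1 + vcs2
    if kind == "if":                     # if-then-else Rule: {p and e} S1 {q}, {p and not e} S2 {q}
        _, e, S1, S2 = S
        p1, vcs1 = wp(S1, q)
        p2, vcs2 = wp(S2, q)
        return ("and", ("imp", e, p1), ("imp", ("not", e), p2)), vcs1 + vcs2
    if kind == "while":                  # while Rule with an annotated invariant p
        _, e, inv, body = S
        p_body, vcs = wp(body, inv)
        return inv, vcs + [
            (("and", inv, e), p_body),       # premise {p and e} S {p}
            (("and", inv, ("not", e)), q),   # the rule yields p and not e, which must imply q
        ]
    raise ValueError(f"unknown statement {kind}")


def evaluate(f, env):
    if f[0] == "var":
        return env[f[1]]
    if f[0] == "num":
        return f[1]
    if f[0] == "not":
        return not evaluate(f[1], env)
    return OPS[f[0]](evaluate(f[1], env), evaluate(f[2], env))


def variables(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] == "var":
        acc.add(f[1])
    elif f[0] != "num":
        for child in f[1:]:
            variables(child, acc)
    return acc


def check(p, S, q, lo=-3, hi=6):
    """None if every verification condition of {p} S {q} holds for all variable
    values in lo..hi (a bounded check, not a proof); else the first falsifying env."""
    pre, vcs = wp(S, q)
    for hyp, concl in [(p, pre)] + vcs:
        names = sorted(variables(("and", hyp, concl)))
        for vals in product(range(lo, hi + 1), repeat=len(names)):
            env = dict(zip(names, vals))
            if evaluate(hyp, env) and not evaluate(concl, env):
                return env
    return None


# {0 <= n} i := 0; s := 0; while i < n do s := s + i; i := i + 1 od {2s = n(n-1)}
I, S_, N_ = V("i"), V("s"), V("n")
INV = ("and", ("eq", ("mul", N(2), S_), ("mul", I, ("sub", I, N(1)))), ("le", I, N_))
SUM = ("seq", ("assign", "i", N(0)),
       ("seq", ("assign", "s", N(0)),
        ("while", ("lt", I, N_), INV,
         ("seq", ("assign", "s", ("add", S_, I)), ("assign", "i", ("add", I, N(1)))))))
PRE = ("le", N(0), N_)
POST = ("eq", ("mul", N(2), S_), ("mul", N_, ("sub", N_, N(1))))
WRONG_POST = ("eq", ("mul", N(2), S_), ("mul", N_, ("add", N_, N(1))))

# {true} if x < 0 then y := 0 - x else y := x fi {0 <= y}
ABS = ("if", ("lt", V("x"), N(0)), ("assign", "y", ("sub", N(0), V("x"))), ("assign", "y", V("x")))
TRUE = ("le", N(0), N(0))

if __name__ == "__main__":
    print("sum, correct postcondition:", check(PRE, SUM, POST))
    print("sum, wrong postcondition:  ", check(PRE, SUM, WRONG_POST))
    print("abs:", check(TRUE, ABS, ("le", N(0), V("y"))))
```

The loop is where the invariant does the work: `wp` cannot compute a loop's precondition on its own, so the annotation plays the role of $p$ in $\{p \wedge e\}\ S\ \{p\}$, and the two side conditions are the premise of the while rule and the step from $p \wedge \neg e$ to the desired postcondition. A wrong postcondition is reported as a falsifying environment rather than a failed proof, which mirrors the paper's remark that a failed verification points either at the program or at the specification it was checked against.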