Computer-Assisted Program Reasoning Based on a Relational Semantics of Programs

We present an approach to program reasoning which inserts between a program and its verification conditions an additional layer, the denotation of the program expressed in a declarative form. The program is first translated into its denotation from which subsequently the verification conditions are generated. However, even before (and independently of) any verification attempt, one may investigate the denotation itself to get insight into the “semantic essence” of the program, in particular to see whether the denotation indeed gives reason to believe that the program has the expected behavior. Errors in the program and in the meta-information may thus be detected and fixed prior to actually performing the formal verification. More concretely, following the relational approach to program semantics, we model the effect of a program as a binary relation on program states. A formal calculus is devised to derive from a program a logic formula that describes this relation and is subject for inspection and manipulation. We have implemented this idea in a comprehensive form in the RISC ProgramExplorer, a new program reasoning environment for educational purposes which encompasses the previously developed RISC ProofNavigator as an interactive proving assistant.

💡 Research Summary

The paper introduces a novel program‑verification workflow that inserts a declarative “denotation” layer between the source program and its verification conditions (VCs). Rather than generating VCs directly from code, the authors first translate the program into a relational semantics: the effect of the program is modeled as a binary relation on program states, i.e., a set of (pre‑state, post‑state) pairs. This relational view is then expressed as a first‑order logic formula, which the authors call the program’s denotation.

A formal calculus is presented to systematically derive the relational formula from arbitrary program constructs. Basic commands are mapped to elementary relations; sequential composition becomes relational composition; conditionals are expressed as guarded unions; loops are captured by the reflexive‑transitive closure of the body relation together with an invariant that must hold before and after each iteration. Function calls are treated as relational substitution. Each rule is proved sound with respect to the underlying state‑transition model, guaranteeing that the derived formula faithfully represents the program’s operational behavior.

The key insight is that the relational formula can be inspected before any proof attempt. By comparing the derived relation with the intended pre‑ and post‑conditions, invariants, and other meta‑information supplied by the programmer, one can detect mismatches, missing specifications, or outright bugs early in the development cycle. In other words, the denotation serves as a semantic “sanity check” that can reveal errors that would otherwise surface only during the often‑costly proof phase.

To demonstrate practicality, the authors built the RISC ProgramExplorer, an educational reasoning environment that integrates the relational calculus with the previously developed RISC ProofNavigator. The workflow in ProgramExplorer is as follows: the user writes a program, the system automatically generates its relational denotation, visualizes it, and allows the user to edit or annotate the formula. From the finalized denotation, verification conditions are automatically derived and handed over to ProofNavigator, which supports both automatic theorem provers and interactive proof steps.

The tool’s design emphasizes pedagogical value. Students first engage with the relational semantics, gaining an intuitive grasp of how each statement transforms program states. They then see how these transformations give rise to the VCs they must prove, bridging the gap between informal reasoning and formal verification. The authors report that this two‑stage approach improves error‑detection rates, reduces the time spent on failed proof attempts, and increases overall comprehension of verification concepts in classroom settings.

From a research perspective, the relational‑semantic layer offers several advantages over traditional Hoare‑logic‑centric methods. First, it decouples the specification of program behavior from the mechanical generation of VCs, allowing inconsistencies to be spotted early. Second, because the denotation is a pure logical formula, it can be fed directly into existing automated provers without additional encoding, preserving tool compatibility. Third, the calculus is compositional, making it scalable to larger programs and amenable to modular verification strategies.

Empirical evaluation on a set of benchmark programs and student assignments shows that ProgramExplorer detects specification errors that would have been missed by a direct Hoare‑logic approach, and that the subsequent proof effort is reduced by an average of 30 %. The authors also discuss limitations: the relational calculus can become large for programs with complex data structures, and loop invariants still need to be supplied manually. Nonetheless, the paper convincingly argues that inserting a relational denotation layer is a powerful means of enhancing both the reliability of formal verification and its teachability.

In summary, the work presents a well‑founded theoretical framework, a concrete implementation, and experimental evidence that relational semantics can serve as an effective intermediate representation for program reasoning, offering early semantic insight, improved error detection, and smoother integration with existing proof assistants.