Hoare logic

Hoare logic (also known as Floyd–Hoare logic) is a formal system developed by the British computer scientist C. A. R. Hoare, and subsequently refined by Hoare and other researchers. The purpose of the system is to provide a set of logical rules in order to reason about the correctness of computer programs with the rigour of mathematical logic.

It was published in Hoare's 1969 paper, [C. A. R. Hoare. " [http://sunnyday.mit.edu/16.355/Hoare-CACM-69.pdf An axiomatic basis for computer programming] ". "Communications of the ACM", 12(10):576–585, October 1969. doi|10.1145/363235.363259] where Hoare acknowledges earlier contributions from Robert Floyd, who had published a similar system [R. W. Floyd. " [http://laser.cs.umass.edu/courses/cs521-621.Spr06/readlings/Floyd.pdf Assigning meanings to programs.] " Proceedings of the American Mathematical Society Symposia on Applied Mathematics. Vol. 19, pp. 19–31. 1967.] for flowcharts.

The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form

:$\{P\};C;\{Q\}$

where "P" and "Q" are "assertions" and "C" is a "command". "P" is called the "precondition" and "Q" the "postcondition". Assertions are formulas in predicate logic.

Hoare logic has axioms and inference rules for all the constructs of a simple imperative programming language. In addition to the rules for the simple language in Hoare's original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers.

Partial and total correctness

Standard Hoare logic proves only partial correctness, while termination would have to be proved separately. Thus the intuitive reading of a Hoare triple is: Whenever "P" holds of the state before the execution of "C", then "Q" will hold afterwards, or "C" does not terminate. Note that if "C" does not terminate, then there is no "after", so "Q" can be any statement at all. Indeed, one can choose "Q" to be false to express that "C" does not terminate.

Total correctness can also be proven with an extended version of the While rule.

Rules

Empty statement axiom schema

:$frac\{\}\{\{P\}\; extbf\{skip\}\; \{P\; !$

Assignment axiom schema

The assignment axiom states that after the assignment any predicate holds for the variable that was previously true for the right-hand side of the assignment:

:$frac\{\}\{\{P\; [x/E]\; \}\; x:=E\; \{P\}\; \}\; !$

Here $P\; [x/E]$ denotes the expression "P" in which all free occurrences of the variable "x" have been replaced with the expression "E".

The meaning of the assignment axiom is that the truth of $\{P\; [x/E]\; \}$ is equivalent to the after-assignment truth of $\{P\}$. Thus if $\{P\; [x/E]\; \}$ were "true" prior to the assignment, by the assignment axiom then $\{P\}$ will be "true" subsequent to that assignment. Conversely, if $\{P\; [x/E]\; \}$ were "false" prior to the assignment statement, $\{P\}$ must then be "false" following the assignment.

Examples of valid triples include:

:*$\{x+1\; =\; 43\}\; y:=x\; +\; 1\; \{\; y\; =\; 43\; \}!$:*$\{x\; +\; 1\; leq\; N\; \}\; x\; :=\; x\; +\; 1\; \{x\; leq\; N\}\; !$

The assignment axiom proposed by Hoare "does not apply" when more than one name can refer to the same stored value. For example,

:$\{\; y\; =\; 3\}\; x\; :=\; 2\; \{y\; =\; 3\; \}$

is not a true statement if "x" and "y" refer to the same variable, because no precondition can cause "y" to be 3 after "x" is set to 2.

Rule of composition

Hoare's rule of composition applies to sequentially-executed programs "S" and "T", where "S" executes prior to "T" and is written "S;T".

:$frac\; \{\{P\}\; S\; \{Q\}\; ,\; \{Q\}\; T\; \{R\}\; \}\; \{\{P\}\; S;T\; \{R\; !$

For example, consider the following two instances of the assignment axiom:

:$\{\; x\; +\; 1\; =\; 43\}\; y:=x\; +\; 1\; \{y\; =43\; \}$

and

:$\{\; y\; =\; 43\}\; z:=y\; \{z\; =43\; \}$

By the sequencing rule, one concludes:

:$\{\; x\; +\; 1\; =\; 43\}\; y:=x\; +\; 1;\; z:=\; y\; \{z\; =43\; \}$

Conditional rule

:$frac\; \{\; \{B\; wedge\; P\}\; S\; \{Q\}\; ,\; \{\; eg\; B\; wedge\; P\; \}\; T\; \{Q\}\; \}\; \{\; \{P\}\; extbf\{if\}\; B\; extbf\{then\}\; S\; extbf\{else\}\; T\; extbf\{endif\}\; \{Q\}\; \}\; !$

While rule

:$frac\; \{\; \{P\; wedge\; B\; \}\; S\; \{P\}\; \}\; \{\; \{P\; \}\; extbf\{while\}\; B\; extbf\{do\}\; S\; extbf\{done\}\; \{\; eg\; B\; wedge\; P\}\; \}!$

Here "P" is the loop invariant.

Consequence rule

:$frac\; \{\; P^prime\; ightarrow\; P\; ,\; lbrace\; P\; brace\; S\; lbrace\; Q\; brace\; ,\; Q\; ightarrow\; Q^prime\; \}\; \{\; lbrace\; P^prime\; brace\; S\; lbrace\; Q^prime\; brace\; \}!$

While rule for total correctness

:: Fact|date=August 2008

In this rule, in addition to maintaining the loop invariant, one also proves termination by way of a term, called the loop variant, whose value decreases during each iteration, here "t". Note that "t" must take values from a well-founded set, so that each step of the loop is counted by decreasing members of a finite chain.

Examples

:

See also

* Design by contract
* Dynamic logic
* Edsger W. Dijkstra
* Predicate transformer semantics
* Program verification
* Static code analysis
* Loop invariant

References

Further reading

* Robert D. Tennent. " [http://www.cs.queensu.ca/home/specsoft/ Specifying Software] " (a recent textbook that includes an introduction to Hoare logic) ISBN 0-521-00401-2

External links

* [http://isabelle.in.tum.de/Bali/ Project Bali] has defined Hoare logic-style rules for a subset of the Java programming language, for use with the Isabelle theorem prover
* [http://www.key-project.org/download/hoare/ KeY-Hoare] is a semi-automatic verification system built on top of the KeY theorem prover. It features a Hoare calculus for a simple while language.
* [http://j-algo.binaervarianz.de/index.php?language=en j-Algo-modul Hoare calculus] — A visualisation of the Hoare calculus in the in the algorithm visualisation program j-Algo