Hoare Logic = Syntax and (Semantics or Calculus)
Post on 26-Nov-2021
Syntax | Semantics | Calculus
CPL predicates: variables x, y, z, ...; arithmetic expressions 1 + 2, x < y, ...; and predicates built from them | CPL semantics: states map variables and expressions to values and predicates to true/false | No ND! Rules of arithmetic, e.g. 1+2 = 3, 2^2 = 4, 6/3 = 2 etc.
Programming language: :=, ;, if..then.., while | as usual | one rule for each (seen rule for :=) ...
Hoare triple {P} S {Q} | if pre-state satisfies P and S terminates then post-state satisfies Q | proof
COMP 2600 — Hoare Logic 37
Summary of Lecture 1
Hoare triple syntax:
{P} S {Q}
Hoare triple Semantics (meaning):
If P is true in the initial state and S terminates then Q will hold in the final
state.
Proof Rule for Assignment:
{Q(e)} x := e {Q(x)}
One-line proof: any instance of this triple is (defined to be) provable.
Soundness: any such instance is guaranteed to be true.
Examples:
Hoare triple | true? | provable by assignment axiom?
{x+1 = 3} x := x+1 {x = 3} | yes | yes
{y > 2} x := y {x > 2} | yes | yes
{y = 3} x := y {x > 2} | yes | no ... need more rules ...
COMP 2600 — Hoare Logic 38
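As an added illustration (my own code, not from the lecture), the script below checks each row of the table above in the two ways the lecture distinguishes: semantically, by running the assignment on every state that satisfies the precondition and testing the postcondition afterwards, and syntactically, by asking whether the precondition is literally Q(e), so that the assignment axiom alone proves the triple. Predicates are Python expression strings (so = is written ==), the variables x and y and the bounded integer domain are my choices, and because the domain is bounded the semantic check is a test rather than a proof.

```python
import ast
import itertools
import re

# Constructed example: checking {pre} var := expr {post} two ways.
# Semantics: execute the assignment on every state satisfying pre, test post.
# Calculus: does the axiom {Q(e)} x := e {Q(x)} alone prove it, i.e. is pre
# exactly post with x replaced by e?  Predicates are Python expression strings
# over VARS (trusted, constructed input: they are fed to eval below).

VARS = ("x", "y")
DOMAIN = range(-5, 6)   # bounded integer domain (assumption): a test, not a proof

def states():
    """Every state: one value from DOMAIN for each variable in VARS."""
    for values in itertools.product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, values))

def holds(pred, state):
    """Semantics of a predicate: evaluate it to True/False in the state."""
    return bool(eval(pred, {}, dict(state)))

def run_assign(var, expr, state):
    """Semantics of var := expr: evaluate expr in the old state, update var."""
    new = dict(state)
    new[var] = eval(expr, {}, dict(state))
    return new

def triple_true(pre, var, expr, post):
    """Meaning of {pre} var := expr {post}: whenever pre holds before,
    post holds after (checked over every state of DOMAIN)."""
    return all(holds(post, run_assign(var, expr, s))
               for s in states() if holds(pre, s))

def subst(pred, var, expr):
    """Q(e): replace every occurrence of var in pred by (expr)."""
    return re.sub(rf"\b{var}\b", f"({expr})", pred)

def same_formula(a, b):
    """Compare two predicates up to whitespace and redundant parentheses."""
    return ast.dump(ast.parse(a, mode="eval")) == ast.dump(ast.parse(b, mode="eval"))

def provable_by_assignment_axiom(pre, var, expr, post):
    """The axiom {Q(e)} x := e {Q(x)} matches only when pre is exactly Q(e)."""
    return same_formula(pre, subst(post, var, expr))

# The three rows of the lecture's table, with = written as Python's ==.
EXAMPLES = [
    ("x + 1 == 3", "x", "x + 1", "x == 3"),
    ("y > 2",      "x", "y",     "x > 2"),
    ("y == 3",     "x", "y",     "x > 2"),
]

if __name__ == "__main__":
    for pre, var, expr, post in EXAMPLES:
        print(f"{{{pre}}} {var} := {expr} {{{post}}}"
              f"  true: {triple_true(pre, var, expr, post)}"
              f"  by axiom alone: {provable_by_assignment_axiom(pre, var, expr, post)}")
```

The third row comes out true but not provable by the axiom alone, which is what the "need more rules" remark anticipates: y = 3 is not the same formula as Q(e) = (y > 2), even though it implies it. A triple such as {x > 0} x := x+1 {x = 3} comes out false because the semantic check finds a state (x = 1) where the precondition holds and the postcondition does not.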
Weak and Strong Predicates
A predicate P is stronger than Q if it is the case that P implies Q.
(Similarly Q is weaker than P.)
If P is stronger than Q then P is more likely to be false than Q.
A politician’s example:
• I will keep unemployment below 3% is stronger than
• I will keep unemployment below 15%.
• The strongest possible statement is False, i.e. I will keep unemployment
below 0%.
• The weakest possible statement is True, i.e. I will keep unemployment at
or below 100%.
COMP 2600 — Hoare Logic 39
Strong Postconditions
• (x = 6) ⇒ (x > 0), so (x = 6) is stronger than (x > 0)
• The Hoare triple:
{x = 5} x := x+1 {x = 6}
says more about the code than does:
{x = 5} x := x+1 {x > 0}
If a postcondition Q1 is stronger than Q2, then {P} S {Q1} is a stronger statement than {P} S {Q2}.
If a postcondition x = 6 is stronger than x > 0, then {x = 5} x := x+1 {x = 6} is a stronger statement than {x = 5} x := x+1 {x > 0}.
COMP 2600 — Hoare Logic 40
Weak Preconditions
• The condition (x > 0) says less about a state than the condition (x = 5). Thus x > 0 is the weaker condition, since x = 5 implies x > 0.
• But the Hoare triple
{x > 0} x := x+1 {x > 1}
says more about the code than:
{x = 5} x := x+1 {x > 1}
If a precondition P1 is weaker than P2, then {P1} S {Q} is stronger than {P2} S {Q}.
If a precondition {x > 0} is weaker than {x = 5}, then {x > 0} x := x+1 {x > 1} is stronger than {x = 5} x := x+1 {x > 1}.
COMP 2600 — Hoare Logic 41
Proof rule for Strengthening Preconditions (Rule 2/6)
It is safe (sound) to make a precondition more specific (stronger).
The rule: if the premises are provable then so is the conclusion
Ps ⇒ Pw    {Pw} S {Q}
---------------------
{Ps} S {Q}
An instance: obtained by pattern matching
(y = 2) ⇒ (y > 0)    {y > 0} x := y {x > 0}
-------------------------------------------
{y = 2} x := y {x > 0}
Precondition equivalence: if Ps ⇔ Pw, i.e. Ps ⇒ Pw ∧ Pw ⇒ Ps
COMP 2600 — Hoare Logic 42
Proof rule for Weakening Postconditions (Rule 3/6)
It is safe (sound) to make a postcondition less specific (weaker).
The rule: if the premises are provable then so is the conclusion
{P} S {Qs}    Qs ⇒ Qw
---------------------
{P} S {Qw}
An instance: obtained by pattern matching
{x > 2} x := x+1 {x > 3}    (x > 3) ⇒ (x > 1)
---------------------------------------------
{x > 2} x := x+1 {x > 1}
Postcondition equivalence: if Qs ⇔ Qw, i.e. Qs ⇒ Qw ∧ Qw ⇒ Qs
We will not have need of this postcondition weakening rule for a while...
COMP 2600 — Hoare Logic 43
Proof rule for Sequencing (Rule 4/6)
Imperative programs consist of a sequence of statements, affecting the state
one after the other:
Proof Rule: if the premises are provable then so is the conclusion
{P} S1 {Q}    {Q} S2 {R}
------------------------
{P} S1 ; S2 {R}
Example Instance:
{x > 2} x := x+1 {x > 3}    {x > 3} x := x+2 {x > 5}
----------------------------------------------------
{x > 2} x := x+1 ; x := x+2 {x > 5}
COMP 2600 — Hoare Logic 44
Laying out a proof
For the sake of the sanity of your markers, it would help if you all used the
same layout for your proofs:
1. {x+2 > 5} x := x+2 {x > 5} (Assignment)
2. {x > 3} x := x+2 {x > 5} (1, Precondition Equivalence)
3. {x+1 > 3} x := x+1 {x > 3} (Assignment)
4. {x > 2} x := x+1 {x > 3} (3, Precondition Equivalence)
5. {x > 2} x := x+1;x := x+2 {x > 5} (2, 4, Sequencing)
Note the numbered proof steps and justifications.
COMP 2600 — Hoare Logic 45
How do we get the Condition in the Middle?
In the rule
{P} S1 {Q}    {Q} S2 {R}
------------------------
{P} S1;S2 {R}
Our precondition P and postcondition R will be given to us, but how do we come up with the Q?
By starting with our goal R and working backwards, as usual!
{x > 2} x := x+1 {Q}    {Q} x := x+2 {x > 5}
--------------------------------------------
{x > 2} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 46
An example with precondition strengthening
Say we wanted to prove
{x = 3} x := x+1;x := x+2 {x > 5}
The first five steps will be the same as those we’ve seen:
5. {x > 2} x := x+1;x := x+2 {x > 5} (See earlier slide)
To which we add:
6. x = 3 ⇒ x > 2 (Basic arithmetic)
7. {x = 3} x := x+1;x := x+2 {x > 5} (5, 6, Pre. Strength.)
COMP 2600 — Hoare Logic 47
Soundness of Rule for Sequences
Lemma: if the premises of Sequencing rule are true then so is the conclusion
Suppose the premises {P}S1{Q} and {Q}S2{R} are true and let σ0 be an
arbitrary state that satisfies P.
From the rule premises, we know that:
1. Executing S1 on σ0 must produce a state σ1 that satisfies Q.
2. Executing S2 on σ1 must produce a state σ2 that satisfies R.
But S1;S2 just means execute S1 and then execute S2.
So, when S1;S2 executes on σ0, the resulting state will be state σ2 which we
know must satisfy R.
What about non-termination?
COMP 2600 — Hoare Logic 48
Proof Rule for Conditionals (Rule 5/6)
{P ∧ b} S1 {Q}    {P ∧ ¬b} S2 {Q}
---------------------------------
{P} if b then S1 else S2 {Q}
• When a conditional is executed, either S1 or S2 is executed.
• Therefore, if the conditional is to establish Q, both S1 and S2 must estab-
lish Q.
• Similarly, if the precondition for the conditional is P, then it must also be a
precondition for the two branches S1 and S2.
• The choice between S1 and S2 depends on evaluating b in the initial state,
so we can also assume b to be a precondition for S1 and ¬b to be a
precondition for S2.
COMP 2600 — Hoare Logic 49
Example of Conditional Rule
{P ∧ b} S1 {Q}    {P ∧ ¬b} S2 {Q}
---------------------------------
{P} if b then S1 else S2 {Q}
Suppose we wish to prove:
{x > 2} if x>2 then y:=1 else y:=-1 {y > 0}
The proof rule for conditionals suggests we prove:
{x > 2 ∧ x > 2} y:=1 {y > 0}    {x > 2 ∧ ¬(x > 2)} y:=-1 {y > 0}
Simplifying the preconditions: don’t be fooled by the variable being y!
(1) {x > 2} y:=1 {y > 0}
(2) {False} y:=-1 {y > 0}
COMP 2600 — Hoare Logic 50
Example ctd
For subgoal (1) {x > 2} y:=1 {y > 0} the assignment axiom tells us that
3. {1 > 0} y:=1 {y > 0} (Assignment, instance of {Q(e)} y := e {Q(y)})
4. (1 > 0) ⇔ True (Prop Logic)
5. {True} y:=1 {y > 0} (3. Pre Eq)
6. (x > 2) ⇒ True (Prop Logic)
7. {x > 2} y:=1 {y > 0} i.e. (1) (Pre Str)
For subgoal (2) {False} y:=-1 {y > 0} the assignment axiom tells us that
8. {−1 > 0} y:=-1 {y > 0} (Assignment)
9. False ⇔ (−1 > 0) (Prop Logic)
10. {False} y:=-1 {y > 0} i.e. (2) (Pre Eq)
COMP 2600 — Hoare Logic 51
Conditionals Without ‘Else’
The conditional rule is for code fragments of the form
if b then S1 else S2
How would we derive a rule for a conditional statement without else:
if b then S
First note that this is equivalent to
if b then S else x := x
(It doesn’t matter much what x is here, or whether this variable is used anywhere else in the program!)
COMP 2600 — Hoare Logic 52
Conditionals Without ‘Else’ ctd.
How do we prove
{P ∧ b} S {Q}    {P ∧ ¬b} x := x {Q}
------------------------------------
{P} if b then S else x := x {Q} ?
Our assignment rule only gets us as far as
{Q} x := x {Q}
Precondition strengthening comes to the rescue, giving us the derived ‘rule’
{P ∧ b} S {Q}    (P ∧ ¬b) ⇒ Q
------------------------------
{P} if b then S else x := x {Q}
COMP 2600 — Hoare Logic 53
Finding a Proof
Say we wanted to prove
{x = 3} x := x+1;x := x+2 {x > 5}
Proof Rule for Sequencing: if premises are provable then so is the conclusion
{P} S1 {Q}    {Q} S2 {R}
------------------------
{P} S1 ; S2 {R}

{x = 3} x := x+1 {Q}    {Q} x := x+2 {x > 5}
-------------------------------------------- Seq
{x = 3} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 54
Finding a Proof
Say we wanted to prove
{x = 3} x := x+1;x := x+2 {x > 5}
Can we apply the axiomatic rule {Q(e)} x := e {Q(x)} to the right-hand premise?

                        {x+2 > 5} x := x+2 {x > 5}
                        -------------------------- ?
{x = 3} x := x+1 {Q}    {Q} x := x+2 {x > 5}
-------------------------------------------- Seq
{x = 3} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 55
Finding a Proof
Say we wanted to prove
{x = 3} x := x+1;x := x+2 {x > 5}
Hmm ... putting Q to be x > 3 would mean “?” can be PreEq

                            {x+2 > 5} x := x+2 {x > 5}
                            -------------------------- PreEq
{x = 3} x := x+1 {x > 3}    {x > 3} x := x+2 {x > 5}
---------------------------------------------------- Seq
{x = 3} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 56
Finding a Proof
Say we wanted to prove
{x = 3} x := x+1;x := x+2 {x > 5}
Can we apply the axiomatic rule {Q(e)} x := e {Q(x)} to the left-hand premise?

Left premise:
{x+1 > 3} x := x+1 {x > 3}
-------------------------- ?
{x = 3} x := x+1 {x > 3}

Right premise:
{x+2 > 5} x := x+2 {x > 5}
-------------------------- PreEq
{x > 3} x := x+2 {x > 5}

Conclusion:
{x = 3} x := x+1 {x > 3}    {x > 3} x := x+2 {x > 5}
---------------------------------------------------- Seq
{x = 3} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 57
Finding a Proof
But: x > 2 ⇔ x+1 > 3
Hmm ...: what if we used precondition equivalence?
The rule: if the premises are provable then so is the conclusion
Ps ⇒ Pw    {Pw} S {Q}
---------------------
{Ps} S {Q}

Left premise:
{x+1 > 3} x := x+1 {x > 3}
-------------------------- PreEq
{x > 2} x := x+1 {x > 3}
-------------------------- ?
{x = 3} x := x+1 {x > 3}

Right premise:
{x+2 > 5} x := x+2 {x > 5}
-------------------------- PreEq
{x > 3} x := x+2 {x > 5}

Conclusion:
{x = 3} x := x+1 {x > 3}    {x > 3} x := x+2 {x > 5}
---------------------------------------------------- Seq
{x = 3} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 58
Finding a Proof
But ...: x = 3 implies x > 2, so “?” can be PreStr
The rule: if the premises are provable then so is the conclusion
Ps ⇒ Pw    {Pw} S {Q}
---------------------
{Ps} S {Q}

Left premise:
{x+1 > 3} x := x+1 {x > 3}
-------------------------- PreEq
{x > 2} x := x+1 {x > 3}
-------------------------- PreStr
{x = 3} x := x+1 {x > 3}

Right premise:
{x+2 > 5} x := x+2 {x > 5}
-------------------------- PreEq
{x > 3} x := x+2 {x > 5}

Conclusion:
{x = 3} x := x+1 {x > 3}    {x > 3} x := x+2 {x > 5}
---------------------------------------------------- Seq
{x = 3} x := x+1;x := x+2 {x > 5}
COMP 2600 — Hoare Logic 59
Writing it out
1. {x+1 > 3} x := x+1 {x > 3} (Assignment)
2. x > 2⇔ x+1 > 3 (Basic arithmetic)
3. {x > 2} x := x+1 {x > 3} (1,2. PreEq)
4. x = 3⇒ x > 2 (Basic arithmetic)
5. {x = 3} x := x+1 {x > 3} (3,4. PreStr)
6. {x+2 > 5} x := x+2 {x > 5} (Assignment)
7. x > 3⇔ x+2 > 5 (Basic arithmetic)
8. {x > 3} x := x+2 {x > 5} (6,7. PreEq)
9. {x = 3} x := x+1;x := x+2 {x > 5} (5,8. Seq)
COMP 2600 — Hoare Logic 60
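To tie the procedure together, here is an added example (my own code, not the lecture's) that automates the working-backwards strategy of the Finding a Proof slides for sequences (slides 45 to 47 and 54 to 60), the conditional rule (slides 49 to 51) and the if-without-else encoding (slides 52 and 53). For a sequence it finds the condition in the middle as the assignment axiom's precondition of the second statement; for a conditional it splits the goal into the two premises of the conditional rule; at each assignment it bridges from the axiom's precondition to the given one by PreEq or PreStr, and it prints numbered steps with justifications in the layout of slide 45. The implication checks behind PreEq and PreStr enumerate a bounded integer domain, which is an assumption (a test, not a proof); the tuple encoding of programs, the variable names x and y, and the rule abbreviations are my own choices.

```python
import itertools
import re

# Constructed example: a backwards-reasoning proof generator for the
# Assignment, Sequencing, PreEq/PreStr and Conditional rules.
# Programs are tuples: ("assign", var, expr), ("seq", s1, s2), ("if", b, s1, s2).
# Predicates and expressions are Python expression strings over VARS
# (trusted, constructed input: they are fed to eval below).

VARS = ("x", "y")
DOMAIN = range(-6, 7)   # bounded integer domain (assumption) for checking implications

def states():
    for values in itertools.product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, values))

def holds(pred, state):
    return bool(eval(pred, {}, dict(state)))

def implies(p, q):
    """None if p => q holds on every state of DOMAIN, else the first counterexample."""
    for s in states():
        if holds(p, s) and not holds(q, s):
            return s
    return None

def subst(pred, var, expr):
    """Q(e): substitute (expr) for var, the assignment axiom's precondition."""
    return re.sub(rf"\b{var}\b", f"({expr})", pred)

def show(stmt):
    if stmt[0] == "assign":
        return f"{stmt[1]} := {stmt[2]}"
    if stmt[0] == "seq":
        return f"{show(stmt[1])}; {show(stmt[2])}"
    return f"if {stmt[1]} then {show(stmt[2])} else {show(stmt[3])}"

def wp(stmt, post):
    """Weakest precondition, computed purely syntactically; this is how the
    condition in the middle of a sequence is found by working backwards."""
    if stmt[0] == "assign":
        return subst(post, stmt[1], stmt[2])
    if stmt[0] == "seq":
        return wp(stmt[1], wp(stmt[2], post))
    b, s1, s2 = stmt[1:]
    return f"(({b}) and ({wp(s1, post)})) or (not ({b}) and ({wp(s2, post)}))"

def counterexample(pre, stmt, post):
    """Semantic check of {pre} stmt {post} over DOMAIN: None if valid, else a bad state."""
    return implies(pre, wp(stmt, post))

class ProofFailed(Exception):
    pass

def prove(pre, stmt, post, steps):
    """Append numbered, justified proof lines for {pre} stmt {post}; return its line number."""
    def add(line):
        steps.append(f"{len(steps) + 1}. {line}")
        return len(steps)
    triple = f"{{{pre}}} {show(stmt)} {{{post}}}"
    if stmt[0] == "assign":
        axiom_pre = subst(post, stmt[1], stmt[2])
        n = add(f"{{{axiom_pre}}} {show(stmt)} {{{post}}} (Assignment)")
        if pre == axiom_pre:                          # the axiom instance is the goal
            return n
        bad = implies(pre, axiom_pre)
        if bad is not None:
            raise ProofFailed(f"{pre} does not imply {axiom_pre}; counterexample {bad}")
        if implies(axiom_pre, pre) is None:           # both directions hold: PreEq
            m = add(f"{pre} <=> {axiom_pre} (Basic arithmetic)")
            return add(f"{triple} ({n}, {m}. PreEq)")
        m = add(f"{pre} => {axiom_pre} (Basic arithmetic)")
        return add(f"{triple} ({n}, {m}. PreStr)")
    if stmt[0] == "seq":
        mid = wp(stmt[2], post)                       # the condition in the middle
        n1 = prove(pre, stmt[1], mid, steps)
        n2 = prove(mid, stmt[2], post, steps)
        return add(f"{triple} ({n1}, {n2}. Seq)")
    b, s1, s2 = stmt[1:]
    n1 = prove(f"({pre}) and ({b})", s1, post, steps)
    n2 = prove(f"({pre}) and not ({b})", s2, post, steps)
    return add(f"{triple} ({n1}, {n2}. Cond)")

def proof_of(pre, stmt, post):
    steps = []
    prove(pre, stmt, post, steps)
    return steps

# The lecture's examples: x := x+1; x := x+2, and the conditional of slide 50.
# `if b then S` is encoded as on slide 52, with x := x as the else branch.
SEQ = ("seq", ("assign", "x", "x + 1"), ("assign", "x", "x + 2"))
COND = ("if", "x > 2", ("assign", "y", "1"), ("assign", "y", "-1"))
NO_ELSE = ("if", "x > 0", ("assign", "x", "x + 1"), ("assign", "x", "x"))

if __name__ == "__main__":
    for pre, stmt, post in [("x == 3", SEQ, "x > 5"), ("x > 2", COND, "y > 0"),
                            ("x >= 0", NO_ELSE, "x >= 0")]:
        print("\n".join(proof_of(pre, stmt, post)), "\n")
    print("{x == 3} ... {x > 6} fails at:", counterexample("x == 3", SEQ, "x > 6"))
```

One difference from the slides: for {x = 3} x := x+1; x := x+2 {x > 5} the generator goes straight from the axiom's precondition {(x+1)+2 > 5} to {x = 3} by PreStr, where the lecture first simplifies to {x > 2} by PreEq; both are valid proofs of the same triple, and the condition in the middle is {x+2 > 5} either way. For the else branch x := x the assignment axiom gives {Q} x := x {Q}, and the generator closes the gap with PreStr, which is exactly the (P ∧ ¬b) ⇒ Q premise of the derived rule on slide 53. When the triple is not valid, counterexample() returns the state that breaks it, the bounded-domain counterpart of the soundness argument on slide 48: a proof guarantees that no such state exists.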