Hoare Logic = Syntax and (Semantics or Calculus)

Hoare Logic = Syntax and (Semantics or Calculus)Syntax Semantics Calculus

CPL predicates CPL semantics No ND!

variables x,y,z · · · arith-

metic expressions 1 +

2,x < y, · · · and predi-

cates built from them

states map variables

and expressions to val-

ues and predicates to

true/false

rules of arithmetic e.g

1+2 = 3, 22 = 4, 6/3 =

2 etc

programming language

:= ; if.then. whileas usual

one rule for each (seen

rule for :=) · · ·

Hoare Triple {P} S {Q}if pre-state satisfies Pand S terminates then

post-state satisfies Q

proo f

COMP 2600 — Hoare Logic 37

Summary of Lecture 1

Hoare triple syntax:

{P} S {Q}

Hoare triple Semantics (meaning):

If P is true in the initial state and Sterminates then Q will hold in the final

state.

Proof Rule for Assignment:

{Q(e)} x := e {Q(x)}

One line proof: Any instance of this

triple is (defined to be) provable and

Soundness: is guaranteed to be true

Examples:

Hoare triple true? Provable by assignment axiom?

{x+1 = 3} x := x+1 {x = 3} yes yes

{y > 2} x := y {x > 2} yes yes

{y = 3} x := y {x > 2} yes no ... need more rules ...


Weak and Strong Predicates

A predicate P is stronger than Q if it is the case that P implies Q.

(Similarly Q is weaker than P.)

If P is stronger than Q then P is more likely to be false than Q.

A politician’s example:

• I will keep unemployment below 3% is stronger than

• I will keep unemployment below 15%.

• The strongest possible statement is False, i.e. I will keep unemployment

below 0%.

• The weakest possible statement is True, i.e. I will keep unemployment at

or below 100%.


Strong Postconditions

• (x = 6) =⇒ (x > 0), so (x = 6) is stronger than (x > 0)

• The Hoare triple:

{x = 5} x := x+1 {x = 6}

says more about the code than does:

{x = 5} x := x+1 {x > 0}

If a postcondition Q1 is stronger than Q2,then {P}S{Q1} is a stronger statementthan {P}S{Q2}.

If a postcondition x = 6 is stronger than x > 0,then {x = 5} x := x+1 {x = 6} is a stronger statementthan {x = 5} x := x+1 {x > 0}.


Weak Preconditions

• The condition (x > 0) says less about a state than the condition (x = 5).Thus x > 0 is the weaker condition since x = 5 implies x > 0

• But the Hoare triple

{x > 0} x := x+1 {x > 1}

says more about the code than:

{x = 5} x := x+1 {x > 1}

If a precondition P1 is weaker than P2,then {P1}S{Q} is stronger than {P2}S{Q}.

If a precondition {x > 0} is weaker than {x = 5},then {x > 0} x := x+1 {x > 1} is strongerthan {x = 5} x := x+1 {x > 1}.


Proof rule for Strengthening Preconditions (Rule 2/6)

It is safe (sound) to make a precondition more specific (stronger).

The rule: if the premises are provable then so is the conclusion

Ps ⇒ Pw {Pw} S {Q}

{Ps} S {Q}

An instance: obtained by pattern matching

(y = 2)⇒ (y > 0) {y > 0} x := y {x > 0}

{y = 2} x := y {x > 0}

Precondition equivalence: if Ps⇔Pw i.e. Ps⇒Pw∧Pw⇒Ps


Proof rule for Weakening Postconditions (Rule 3/6)

It is safe (sound) to make a postcondition less specific (weaker).


{P} S {Qs} Qs⇒Qw

{P} S {Qw}

An instance: obtained by pattern matching

{x > 2} x := x+1 {x > 3} (x > 3)⇒ (x > 1)

{x > 2} x := x+1 {x > 1}

Postcondition equivalence: if Qs⇔Qw i.e. Qs⇒Qw∧Qw⇒Qs

We will not have need of this postcondition weakening rule for a while...


Proof rule for Sequencing (Rule 4/6)

Imperative programs consist of a sequence of statements, affecting the state

one after the other:

Proof Rule: if the premises are provable then so is the conclusion

{P} S1 {Q} {Q} S2 {R}

{P} S1 ; S2 {R}

Example Instance:

{x > 2} x := x+1 {x > 3} {x > 3} x := x+2 {x > 5}

{x > 2} x := x+1 ; x := x+2 {x > 5}


Laying out a proof

For the sake of the sanity of your markers, it would help if you all used the

same layout for your proofs:

1. {x+2 > 5} x := x+2 {x > 5} (Assignment)

2. {x > 3} x := x+2 {x > 5} (1, Precondition Equivalence)

3. {x+1 > 3} x := x+1 {x > 3} (Assignment)

4. {x > 2} x := x+1 {x > 3} (3, Precondition Equivalence)

5. {x > 2} x := x+1;x := x+2 {x > 5} (2, 4, Sequencing)

Note the numbered proof steps and justifications.


How do we get the Condition in the Middle?

In the rule

{P} S1 {Q} {Q} S2 {R}

{P} S1;S2 {R}

Our precondition P and postcondition R will be given to us, but how do wecome up with the Q?

By starting with our goal R and working backwards, as usual!

{x > 2} x := x+1 {Q} {Q} x := x+2 {x > 5}

{x > 2} x := x+1;x := x+2 {x > 5}


An example with precondition strengthening

Say we wanted to prove

{x = 3} x := x+1;x := x+2 {x > 5}

The first five steps will be the same as those we’ve seen:

5. {x > 2} x := x+1;x := x+2 {x > 5} (See earlier slide)

To which we add:

6. x = 3 ⇒ x > 2 (Basic arithmetic)

7. {x = 3} x := x+1;x := x+2 {x > 5} (5, 6, Pre. Strength.)


Soundness of Rule for Sequences

Lemma: if the premises of Sequencing rule are true then so is the conclusion

Suppose the premises {P}S1{Q} and {Q}S2{R} are true and let σ0 be an

arbitrary state that satisfies P.

From the rule premises, we know that:

1. Executing S1 on σ0 must produce a state σ1 that satisfies Q.

2. Executing S2 on σ1 must produce a state σ2 that satisfies R.

But S1;S2 just means execute S1 and then execute S2.

So, when S1;S2 executes on σ0, the resulting state will be state σ2 which we

know must satisfy R.

What about non-termination?


Proof Rule for Conditionals (Rule 5/6)

{P∧b} S1 {Q} {P ∧¬b} S2 {Q}

{P} if b then S1 else S2 {Q}

• When a conditional is executed, either S1 or S2 is executed.

• Therefore, if the conditional is to establish Q, both S1 and S2 must estab-

lish Q.

• Similarly, if the precondition for the conditional is P, then it must also be a

precondition for the two branches S1 and S2.

• The choice between S1 and S2 depends on evaluating b in the initial state,

so we can also assume b to be a precondition for S1 and ¬b to be a

precondition for S2.


Example of Conditional Rule

{P∧b} S1 {Q} {P ∧¬b} S2 {Q}

{P} if b then S1 else S2 {Q}

Suppose we wish to prove:

{x > 2} if x>2 then y:=1 else y:=-1 {y > 0}

The proof rule for conditionals suggests we prove:

{x > 2 ∧ x > 2} y:=1 {y > 0} {x > 2 ∧ ¬(x > 2)} y:=-1 {y > 0}

Simplifying the preconditions: don’t be fooled by the variable being y!

(1) {x > 2} y:=1 {y > 0}

(2) {False} y:=-1 {y > 0}


Example ctd

For subgoal (1) {x > 2} y:=1 {y > 0} the assignment axiom tells us that

3. {1 > 0} y:=1 {y > 0} {Q(e)}y := e{Q(y)} (Assignment)

4. (1 > 0)⇔True (Prop Logic)

5. {True} y:=1 {y > 0} (3. Pre Eq)

6. (x > 2)⇒True (Prop Logic)

7. {x > 2} y:=1 {y > 0} i.e (1) (Pre Str)

For subgoal (2) {False} y:=-1 {y > 0} the assignment axiom tells us that

8. {−1 > 0} y:=-1 {y > 0} (Assignment)

9. False⇔ (−1 > 0) (Prop Logic)

10. {False} y:=-1 {y > 0} i.e (2) (Pre Eq)


Conditionals Without ‘Else’

The conditional rule is for code fragments of the form

if b then S1 else S2

How would we derive a rule for a conditional statement without else:

if b then S

First note that this is equivalent to

if b then S else x := x

(It doesn’t matter much what x is here, or whether this variable is used any-

where else in the program!)


Conditionals Without ‘Else’ ctd.

How do we prove

{P∧b} S {Q} {P ∧¬b} x := x {Q}

{P} if b then S else x := x {Q}?

Our assignment rule only gets us as far as

{Q} x := x {Q}

Precondition strengthening comes to the rescue, giving us the derived ‘rule’

{P∧b} S {Q} (P∧¬b)⇒Q

{P} if b then S else x := x {Q}


Finding a Proof


{x = 3} x := x+1;x := x+2 {x > 5}

Proof Rule for Sequencing: if premises are provable then so is the conclusion

{P} S1 {Q} {Q} S2 {R}

{P} S1 ; S2 {R}

{x = 3} x := x+1 {Q} {Q} x := x+2 {x > 5}Seq

{x = 3} x := x+1;x := x+2 {x > 5}


Finding a Proof


{x = 3} x := x+1;x := x+2 {x > 5}

Can we apply axiomatic rule: {Q(e)}x := e{Q(x)}

{x = 3} x := x+1 {Q}{x+2 > 5} x := x+2 {x > 5}

?{Q} x := x+2 {x > 5}Seq

{x = 3} x := x+1;x := x+2 {x > 5}


Finding a Proof


{x = 3} x := x+1;x := x+2 {x > 5}

Hmm ... putting Q to be x > 3 would mean “?” can be PreEq

{x = 3} x := x+1 {x > 3}{x+2 > 5} x := x+2 {x > 5}

PreEq{x > 3} x := x+2 {x > 5}

Seq{x = 3} x := x+1;x := x+2 {x > 5}


Finding a Proof


{x = 3} x := x+1;x := x+2 {x > 5}

Can we apply axiomatic rule: {Q(e)}x := e{Q(x)}

{x+1 > 3} x := x+1 {x > 3}?{x = 3} x := x+1 {x > 3}

{x+2 > 5} x := x+2 {x > 5}PreEq

{x > 3} x := x+2 {x > 5}Seq

{x = 3} x := x+1;x := x+2 {x > 5}


Finding a Proof

But: x > 2⇔ x+1 > 3

Hmm ...: what if we used precondition equivalence?



{Ps} S {Q}

{x+1 > 3} x := x+1 {x > 3}PreEq

{x > 2} x := x+1 {x > 3}?{x = 3} x := x+1 {x > 3}

{x+2 > 5} x := x+2 {x > 5}PreEq

{x > 3} x := x+2 {x > 5}Seq

{x = 3} x := x+1;x := x+2 {x > 5}


Finding a Proof

But ...: x = 3 implies x > 2 so “?” can be PreStr



{Ps} S {Q}

{x+1 > 3} x := x+1 {x > 3}PreEq

{x > 2} x := x+1 {x > 3}PreStr{x = 3} x := x+1 {x > 3}

{x+2 > 5} x := x+2 {x > 5}PreEq

{x > 3} x := x+2 {x > 5}Seq

{x = 3} x := x+1;x := x+2 {x > 5}


Writing it out

1. {x+1 > 3} x := x+1 {x > 3} (Assignment)

2. x > 2⇔ x+1 > 3 (Basic arithmetic)

3. {x > 2} x := x+1 {x > 3} (1,2. PreEq)

4. x = 3⇒ x > 2 (Basic arithmetic)

5.{x = 3} x := x+1 {x > 3} (3.4. PreStr)

6. {x+2 > 5} x := x+2 {x > 5} (Assignment)

7. x > 3⇔ x+2 > 5 (Basic arithmetic)

8. {x > 3} x := x+2 {x > 5} (6,7. PreEq)

9. {x = 3} x := x+1;x := x+2 {x > 5} (5,8. Seq)


Hoare Logic = Syntax and (Semantics or Calculus)

Documents