Floyd/Hoare Logic - PowerPoint PPT Presentation

Provided by: mads7
Transcript and Presenter's Notes

1
Floyd/Hoare Logic
  • Literature: Peled ch. 7 - 7.5
  • Mads Dam

2
Transition Diagrams
  • Transition system specs, with explicit underlying
    control graph
  • Labelled directed graph $(S, \Sigma, R, s_0, s_f)$
  • $s \in S$: control states
  • $\tau \equiv \psi \to (x_1,\ldots,x_n) := (e_1,\ldots,e_n) \in \Sigma$:
    transition specification (guard $\psi$, then simultaneous assignment)
  • $R \subseteq S \times \Sigma \times S$: (control) transition relation
  • $s \xrightarrow{\tau} s'$ means $R(s,\tau,s')$
  • $s_0 \in S$: initial state
  • $s_f \in S$: final state
  • $s_f$ should not have outgoing edges
  • Generated state space has states
    $(s, x_1 = v_1, \ldots, x_n = v_n)$
  • $\sigma$ ranges over data vectors $(v_1,\ldots,v_n)$

(Figure: an example control graph with states $s_0, s_1, s_2, s_3, s_f$ and
edges labelled $\psi_1 \to f_1, \ldots, \psi_6 \to f_6$.)
3
Floyd Inductive Assertions
  • Assume transition diagram $P = (S, \Sigma, R, s_0, s_f)$
  • Assertion network:
  • Assignment $N: s \mapsto \varphi_s$ of total predicates to
    control states in $S$
  • $N$ is inductive if whenever
    $s \xrightarrow{\psi \to (x_1,\ldots,x_n) := (e_1,\ldots,e_n)} s'$
  • then if $\models \varphi_s(\sigma)$ and $\models \psi(\sigma)$ then
    $\models \varphi_{s'}[e_1/x_1,\ldots,e_n/x_n](\sigma)$
  • Formally: $\models \varphi_s \wedge \psi \to \varphi_{s'}[e_1/x_1,\ldots,e_n/x_n]$

(Figure: the transition $s \xrightarrow{\psi \to (x_1,\ldots,x_n) := (e_1,\ldots,e_n)} s'$,
with assertion $\varphi_s$ attached to $s$ and $\varphi_{s'}$ attached to $s'$.)
4
  • An assertion network $N$ is invariant if for all
    computation paths
  • $(s_0,\sigma_0) \to \cdots \to (s_i,\sigma_i) \to \cdots$
  • such that $\models \varphi_{s_0}(\sigma_0)$, also $\models \varphi_{s_i}(\sigma_i)$, for any
    $i \geq 0$
  • An assertion network $N$ is consistent, or correct,
    w.r.t. precondition $\varphi_{pre}$ and postcondition $\varphi_{post}$,
    if
  • $\models \varphi_{pre} \to \varphi_{s_0}$, and
  • $\models \varphi_{s_f} \to \varphi_{post}$
  • A transition diagram $P$ is partially correct
    w.r.t. precondition $\varphi_{pre}$ and postcondition $\varphi_{post}$
    if whenever $\models \varphi_{pre}(\sigma_0)$ and
  • $(s_0,\sigma_0) \to \cdots \to (s_i,\sigma_i) \to \cdots \to (s_f,\sigma_f)$
  • then $\models \varphi_{post}(\sigma_f)$
  • Partial correctness of $P$ w.r.t. $\varphi_{pre}$ and $\varphi_{post}$ is
    written $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$

5
Floyd's Inductive Assertion Method
  • Give assertion network $N$ for $P$
  • Prove that $N$ is inductive, i.e. prove that
    whenever $s \xrightarrow{\psi \to (x_1,\ldots,x_n) := (e_1,\ldots,e_n)} s'$
  • then $\models \varphi_s \wedge \psi \to \varphi_{s'}[e_1/x_1,\ldots,e_n/x_n]$
  • Prove that $N$ is consistent w.r.t. $\varphi_{pre}$ and $\varphi_{post}$,
    i.e. that
  • $\models \varphi_{pre} \to \varphi_{s_0}$
  • $\models \varphi_{s_f} \to \varphi_{post}$
  • Then $P$ is partially correct w.r.t. $\varphi_{pre}$ and $\varphi_{post}$

(Figure: the transition $s \xrightarrow{\psi \to (x_1,\ldots,x_n) := (e_1,\ldots,e_n)} s'$.)
6
Inductive Assertion Method Soundness
  • Theorem
  • If $N$ is an inductive assertion network for $P$
    which is consistent w.r.t. $\varphi_{pre}$ and $\varphi_{post}$ then $P$
    is partially correct w.r.t. $\varphi_{pre}$ and $\varphi_{post}$
  • Lemma
  • If $N$ is an inductive assertion network for $P$ then
    $N$ is invariant for $P$
  • Proof: Induction on the length of the prefix $(s_0,\sigma_0) \to
    \cdots \to (s_i,\sigma_i)$
  • Lemma
  • If $N$ is invariant for $P$ and consistent w.r.t.
    $\varphi_{pre}$ and $\varphi_{post}$ then $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$

7
Example
  • Procedure for computing the integer square root of
    a nonnegative integer $y_1$, with the result in $y_2$
  • Integer square root: $y_2$ s.t. $y_2^2 \leq y_1 < (y_2+1)^2$

(Figure: transition diagram with control states $s_0, s_1, s_2, s_f$ and edges
$s_0 \xrightarrow{(y_2,y_3,y_4) := (0,0,1)} s_1$,
$s_1 \xrightarrow{y_3 := y_3 + y_4} s_2$,
$s_2 \xrightarrow{(y_3 \leq y_1) \to (y_2,y_4) := (y_2+1,\, y_4+2)} s_1$,
$s_2 \xrightarrow{y_3 > y_1} s_f$.)
8
Example
  • $\varphi_{s_0} \equiv y_1 \geq 0$
  • $\varphi_{s_1} \equiv y_2^2 \leq y_1 \wedge y_3 = y_2^2 \wedge y_4 = 2y_2 + 1$
  • $\varphi_{s_2} \equiv y_2^2 \leq y_1 \wedge y_3 = (y_2+1)^2 \wedge y_4 = 2y_2 + 1$
  • $\varphi_{s_f} \equiv y_2^2 \leq y_1 < (y_2+1)^2$

(Figure: the diagram of slide 7, edges
$s_0 \xrightarrow{(y_2,y_3,y_4) := (0,0,1)} s_1$,
$s_1 \xrightarrow{y_3 := y_3 + y_4} s_2$,
$s_2 \xrightarrow{(y_3 \leq y_1) \to (y_2,y_4) := (y_2+1,\, y_4+2)} s_1$,
$s_2 \xrightarrow{y_3 > y_1} s_f$, annotated with $\varphi_{s_0}, \varphi_{s_1}, \varphi_{s_2}, \varphi_{s_f}$.)
9
Semantic Completeness
  • Soundness: Whenever $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$ is proved
    using the inductive assertion method then
    $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$ is valid
  • Completeness: The inductive assertion method is
    sufficient to derive any valid partial
    correctness property $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$
  • For completeness prove the existence of a network $N$
    such that
  • $\models \varphi_{pre} \to \varphi_{N,s_0}$ and $\models \varphi_{N,s_f} \to \varphi_{post}$
  • Observe: this doesn't prove that the $\varphi_s$ are expressible in
    any given logic
  • The derived assertion network $N$ is minimal in the
    sense that if $M$ is some other assertion network which
    establishes partial correctness of $P$ w.r.t. $\varphi_{pre}$
    and $\varphi_{post}$ then $\models \varphi_{N,s} \to \varphi_{M,s}$ for all $s \in S$
  • In other words, $\{\varphi_{N,s} \mid s \in S\}$ is the set of
    strongest (least inclusive) predicates such that
    $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$
  • Notation: $\varphi_{N,s} = SP_s(\varphi_{pre},P)$, $SP_{s_f}(\varphi_{pre},P) =
    SP(\varphi_{pre},P)$

10
Proof of Semantic Completeness
  • Suppose $\models \{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$
  • Define
  • $SP_s(\varphi_{pre},P) = \lambda\sigma'.\, \exists\sigma.\, (s_0,\sigma) \to^* (s,\sigma')$ and
    $\models \varphi_{pre}(\sigma)$
  • The assertion network $N$ determined by
  • $\varphi_s = SP_s(\varphi_{pre},P)$
  • is inductive:
  • If $\models \varphi_s(\sigma)$, $s \xrightarrow{\psi \to f} s'$, and $\models \psi(\sigma)$ then
    $\models \varphi_{s'}(f(\sigma))$
  • $N$ is also consistent w.r.t. $\varphi_{pre}$ and $\varphi_{post}$:
  • $SP_{s_0}(\varphi_{pre},P) = \varphi_{pre}$, so $\models \varphi_{pre} \to \varphi_{s_0}$
  • $N$ is inductive, hence invariant. We assumed
    $\{\varphi_{pre}\}\, P\, \{\varphi_{post}\}$. But then $\models SP_{s_f}(\varphi_{pre},P) \to \varphi_{post}$
  • Since $N$ is inductive and consistent w.r.t. $\varphi_{pre}$
    and $\varphi_{post}$ the inductive assertion method applies

11
Strongest Postconditions
  • $SP(\varphi,P)$
  • $= SP_{s_f}(\varphi,P)$
  • $= \lambda\sigma'.\, \exists\sigma.\, (s_0,\sigma) \to^* (s_f,\sigma')$ and $\models \varphi(\sigma)$
  • Lemma
  • 1. $\models \{\varphi\}\, P\, \{SP(\varphi,P)\}$
  • 2. If $\models \{\varphi\}\, P\, \{\psi\}$ then $\models SP(\varphi,P) \to \psi$
  • 2. explains why $SP(\varphi,P)$ is called strongest

12
Incompleteness
  • By Gödel's incompleteness theorem no complete
    proof system can exist for FOL (Peano)
    arithmetic
  • It follows that the inductive assertion method is
    incomplete too
  • Consider $P$
  • with specification $\{\mathit{true}\}\, P\, \{\varphi\}$ such that $\models \varphi$
  • Completeness would require us to prove $\varphi$, which is
    not generally possible

(Figure: $P$ is the diagram with the single transition $s_0 \xrightarrow{\mathit{true} \to \mathit{Id}} s_f$.)
13
Total Correctness
  • Total correctness = partial correctness +
    termination
  • This terminology is from the days when programs
    were by default sequential and terminating
  • A transition diagram $P$ is totally correct w.r.t.
    precondition $\varphi_{pre}$ and postcondition $\varphi_{post}$ if
    whenever $\models \varphi_{pre}(\sigma_0)$ and
  • $(s_0,\sigma_0) \to \cdots \to (s_i,\sigma_i) \to \cdots$
  • is maximal then $s_i = s_f$ for some $i$, and
    $\models \varphi_{post}(\sigma_i)$
  • Termination is about progressing towards a
    terminal state
  • So is induction
  • Termination proofs in general need the more general induction
    principle called well-founded induction, but here
    ordinary induction suffices

14
Deadlock-free Networks
  • To avoid states $(s,\sigma)$ such that $(s,\sigma) \not\to$ but $s \neq s_f$
    we assume that if
  • $s \xrightarrow{\psi_1 \to f_1} s_1$, $s \xrightarrow{\psi_2 \to f_2} s_2$, ..., $s \xrightarrow{\psi_n \to f_n} s_n$
  • are all control transitions emanating from
    control state $s$ then
  • $\models \psi_1 \vee \psi_2 \vee \cdots \vee \psi_n$

(Figure: control state $s$ with outgoing edges $\psi_1 \to f_1, \psi_2 \to f_2, \ldots, \psi_n \to f_n$
to $s_1, s_2, \ldots, s_n$.)
15
Extended Inductive Assertions
  • Extended assertion network:
  • In addition to assertion network $N$
  • Associate to each control state $s$ a natural
    number $w(s)$ s.t. whenever
    $s \xrightarrow{\psi \to (x_1,\ldots,x_n) := (e_1,\ldots,e_n)} s'$
  • then
  • 1. $\models \varphi_s \to w(s) \in W$
  • 2. $\models \varphi_s \wedge \psi \to w(s) \geq w(s')[e_1/x_1,\ldots,e_n/x_n]$
  • 3. For each cycle (= strongly connected subset)
    there is at least one transition as above such
    that $\models \varphi_s \wedge \psi \to w(s) > w(s')[e_1/x_1,\ldots,e_n/x_n]$
  • Say $N$ is progressing if an assignment $w$
    satisfying 1.-3. exists

(Figure: the transition $s \xrightarrow{\psi \to f \equiv (x_1,\ldots,x_n) := (e_1,\ldots,e_n)} s'$,
with $\varphi_s$ and $w(s)$ at $s$ and $\varphi_{s'}$ and $w(s')$ at $s'$.)
16
Extended Inductive Assertion Method
  • Give assertion network N for P
  • Prove that the network is inductive
  • Prove that N is consistent w.r.t. ?pre and ?post
  • Prove that N is deadlock-free
  • Determine assignment w
  • Prove that N with this assignment is progressing
  • Then P is totally correct w.r.t. ?pre and ?post
  • Theorem
  • The extended inductive assertion method is sound

17
Example
  • $w(s_0) = y_1$, $w(s_1) = w(s_2) = w(s_f) = y_1 - y_2$
  • $\varphi_{s_0} \equiv y_1 \geq 0$
  • $\varphi_{s_1} \equiv y_2^2 \leq y_1 \wedge y_3 = y_2^2 \wedge y_4 = 2y_2 + 1$
  • $\varphi_{s_2} \equiv y_2^2 \leq y_1 \wedge y_3 = (y_2+1)^2 \wedge y_4 = 2y_2 + 1$
  • $\varphi_{s_f} \equiv y_2^2 \leq y_1 < (y_2+1)^2$

(Figure: the diagram of slide 7, edges
$s_0 \xrightarrow{(y_2,y_3,y_4) := (0,0,1)} s_1$,
$s_1 \xrightarrow{y_3 := y_3 + y_4} s_2$,
$s_2 \xrightarrow{(y_3 \leq y_1) \to (y_2,y_4) := (y_2+1,\, y_4+2)} s_1$,
$s_2 \xrightarrow{y_3 > y_1} s_f$, annotated with the $\varphi_s$ and $w(s)$ above.)
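An added example, not from the slides: a bounded check of the extended inductive assertion method (slides 3, 14, 15 and 16) on the integer square root diagram, using the assertion network of slide 8 and the ranking function $w$ of slide 17. Every verification condition is evaluated for all stores in a finite box, so this tests the network rather than proving it; $W$ is assumed to be the natural numbers, and the encoding of edges as guard/update lambdas is this example's own.

```python
from itertools import product
V = ("y1", "y2", "y3", "y4")
# Transition diagram of slide 7: (source, guard psi, update f, target)
EDGES = [
    ("s0", lambda s: True, lambda s: {**s, "y2": 0, "y3": 0, "y4": 1}, "s1"),
    ("s1", lambda s: True, lambda s: {**s, "y3": s["y3"] + s["y4"]}, "s2"),
    ("s2", lambda s: s["y3"] <= s["y1"],
     lambda s: {**s, "y2": s["y2"] + 1, "y4": s["y4"] + 2}, "s1"),
    ("s2", lambda s: s["y3"] > s["y1"], lambda s: s, "sf"),
]
BACK_EDGE = 2  # index of s2 -> s1: the cycle s1 -> s2 -> s1 needs one strictly decreasing edge
# Assertion network N of slide 8: phi_s for each control state s
PHI = {
    "s0": lambda s: s["y1"] >= 0,
    "s1": lambda s: s["y2"]**2 <= s["y1"] and s["y3"] == s["y2"]**2 and s["y4"] == 2*s["y2"] + 1,
    "s2": lambda s: s["y2"]**2 <= s["y1"] and s["y3"] == (s["y2"] + 1)**2 and s["y4"] == 2*s["y2"] + 1,
    "sf": lambda s: s["y2"]**2 <= s["y1"] < (s["y2"] + 1)**2,
}
# Ranking function w of slide 17, assumed to range over W = the natural numbers
W = {"s0": lambda s: s["y1"], "s1": lambda s: s["y1"] - s["y2"],
     "s2": lambda s: s["y1"] - s["y2"], "sf": lambda s: s["y1"] - s["y2"]}

def stores(bound=8):
    # every store with each variable in [-2, bound): the finite box that is checked
    return (dict(zip(V, vals)) for vals in product(range(-2, bound), repeat=4))

def inductive(phi=PHI, bound=8):
    # slide 3: phi_s(sigma) and psi(sigma) imply phi_s'(f(sigma)) on every edge
    return all(phi[t](f(s)) for src, g, f, t in EDGES
               for s in stores(bound) if phi[src](s) and g(s))

def deadlock_free(phi=PHI, bound=8):
    # slide 14: under phi_s, some outgoing guard of every non-final state holds
    return all(any(g(s) for src, g, _, _ in EDGES if src == st)
               for st in ("s0", "s1", "s2") for s in stores(bound) if phi[st](s))

def progressing(w=W, phi=PHI, bound=8):
    # slide 15: w(s) >= 0 under phi_s, w non-increasing on every enabled edge,
    # and strictly decreasing on the edge that closes the cycle
    for i, (src, g, f, t) in enumerate(EDGES):
        for s in stores(bound):
            if phi[src](s) and g(s):
                before, after = w[src](s), w[t](f(s))
                if before < 0 or after > before or (i == BACK_EDGE and after >= before):
                    return False
    return True

def totally_correct(bound=8):
    # slide 16; consistency is immediate here since phi_pre = phi_s0 and phi_post = phi_sf
    return inductive(bound=bound) and deadlock_free(bound=bound) and progressing(bound=bound)
```

Weakening $\varphi_{s_1}$ (for instance dropping the conjunct on $y_4$) or replacing $w(s_1)$ by a constant makes the corresponding check fail, which is how the method exposes a wrong network or ranking.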
18
While programs
  • Primitive:
  • $x \in X$: set of identifiers
  • $e \in E$: set of expressions
  • $v \in V$: set of values
  • Command syntax in BNF:
  • c ::= skip | x := e | c ; c | if e then c else c |
    while e do c
  • Exercise: Cast the command syntax as a first-order
    structure
  • ? . (will remain so for a while)

19
Stores
  • Stores are assignments $\sigma: x \mapsto v$ of values to
    identifiers
  • $e(\sigma)$: value of $e$ in store $\sigma$
  • Store update:
  • $\sigma[x \mapsto v](y) =$ if $x = y$ then $v$ else $\sigma(y)$
  • States are either
  • Intermediate: Pairs of commands and stores $(c,\sigma)$,
    or
  • Final: A store $\sigma$

20
While Programs
  • Transitions inductively defined by inference
    system:
  • Axioms (no premises):
  • $(\mathbf{skip},\sigma) \to \sigma$ and $(x := e,\sigma) \to \sigma[x \mapsto e(\sigma)]$
  • $\dfrac{(c_1,\sigma) \to \sigma'}{(c_1;c_2,\sigma) \to (c_2,\sigma')}$ and
    $\dfrac{(c_1,\sigma) \to (c_1',\sigma')}{(c_1;c_2,\sigma) \to (c_1';c_2,\sigma')}$
  • $\dfrac{e(\sigma) \neq 0}{(\mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2,\sigma) \to (c_1,\sigma)}$
  • $\dfrac{e(\sigma) = 0}{(\mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2,\sigma) \to (c_2,\sigma)}$

21
While Programs, II
  • $\dfrac{e(\sigma) \neq 0}{(\mathbf{while}\ e\ \mathbf{do}\ c,\sigma) \to (c;\mathbf{while}\ e\ \mathbf{do}\ c,\sigma)}$
  • $\dfrac{e(\sigma) = 0}{(\mathbf{while}\ e\ \mathbf{do}\ c,\sigma) \to \sigma}$
  • Exercise: Let $c_1 = x := 1; \mathbf{while}\ x > 0\ \mathbf{do}\ x := x - 1$. Pick
    an arbitrary $\sigma_1$. Compute a sequence
    $(c_1,\sigma_1) \to (c_2,\sigma_2) \to \cdots \to \sigma_n$
  • Exercise: Prove that $\to$ is deterministic, i.e. that
    for any $c, \sigma$ there is at most one $c', \sigma'$ such that
    $(c,\sigma) \to (c',\sigma')$
  • Exercise (more advanced): Try to add some new
    language construction, like choice,
    cobegin/coend, or variable declarations. Add new
    components to the state if you want.

22
Hoare Logic
  • Hoare triple: $\{\varphi\}\, c\, \{\psi\}$
  • Starting in a state satisfying $\varphi$, if and when $c$
    terminates, $\psi$ holds
  • Or: Whenever $\models \varphi(\sigma)$ and
  • $(c,\sigma) = (c_0,\sigma_0) \to (c_1,\sigma_1) \to \cdots \to \sigma_i$
  • then $\models \psi(\sigma_i)$
  • I.e. $c$ is partially correct w.r.t. $\varphi$ and $\psi$

23
Inference Rules
  • Assignment:
  • $\dfrac{}{\{\varphi[e/v]\}\ v := e\ \{\varphi\}}$
  • Skip:
  • $\dfrac{}{\{\varphi\}\ \mathbf{skip}\ \{\varphi\}}$
  • Rule of consequence:
  • $\dfrac{\models \varphi \to \varphi' \qquad \{\varphi'\}\ c\ \{\psi'\} \qquad \models \psi' \to \psi}{\{\varphi\}\ c\ \{\psi\}}$

24
Inference Rules, II
  • Sequential composition:
  • $\dfrac{\{\varphi\}\ c_1\ \{\chi\} \qquad \{\chi\}\ c_2\ \{\psi\}}{\{\varphi\}\ c_1;c_2\ \{\psi\}}$
  • Conditional:
  • $\dfrac{\{\varphi \wedge e \neq 0\}\ c_1\ \{\psi\} \qquad \{\varphi \wedge e = 0\}\ c_2\ \{\psi\}}{\{\varphi\}\ \mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2\ \{\psi\}}$
  • While:
  • $\dfrac{\{\varphi \wedge e \neq 0\}\ c\ \{\varphi\}}{\{\varphi\}\ \mathbf{while}\ e\ \mathbf{do}\ c\ \mathbf{od}\ \{\varphi \wedge e = 0\}}$

25
Example
  • The integer square root example again
  • $P$ = y2 := 0;
  • y3 := 1;
  • y4 := 1;
  • while y3 <= y1 do
  • y2 := y2 + 1;
  • y4 := y4 + 2;
  • y3 := y3 + y4
  • od
  • Proof goal: $\{y_1 > 0\}\, P\, \{y_2^2 \leq y_1 < (y_2+1)^2\}$
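As an added example (not from the slides), the small-step rules of slides 20 and 21 as a Python interpreter, run on the exercise of slide 21 and on the program $P$ of slide 25. Commands are encoded as tagged tuples and expressions as Python functions from stores to integers; both encodings are this example's own choices.

```python
def step(cfg):
    # One transition by the rules of slides 20 and 21: returns (c', sigma') or a final store.
    c, sigma = cfg
    kind = c[0]
    if kind == "skip":                                    # (skip, s) -> s
        return sigma
    if kind == "assign":                                  # (x := e, s) -> s[x -> e(s)]
        _, x, e = c
        return {**sigma, x: e(sigma)}
    if kind == "seq":                                     # the two sequencing rules
        _, c1, c2 = c
        nxt = step((c1, sigma))
        if isinstance(nxt, dict):                         # (c1, s) -> s'        gives (c2, s')
            return (c2, nxt)
        c1p, sp = nxt                                     # (c1, s) -> (c1', s') gives (c1'; c2, s')
        return (("seq", c1p, c2), sp)
    if kind == "if":                                      # e(s) != 0 selects c1, e(s) = 0 selects c2
        _, e, c1, c2 = c
        return (c1, sigma) if e(sigma) != 0 else (c2, sigma)
    if kind == "while":                                   # unfold the loop once, or stop with the store
        _, e, body = c
        return (("seq", body, c), sigma) if e(sigma) != 0 else sigma
    raise ValueError("unknown command %r" % (c,))

def run(c, sigma, max_steps=10_000):
    # The computation (c1,s1) -> (c2,s2) -> ... -> sn; a non-terminating program yields a
    # partial trace of max_steps + 1 configurations instead of looping forever.
    trace = [(c, sigma)]
    while not isinstance(trace[-1], dict) and len(trace) <= max_steps:
        trace.append(step(trace[-1]))
    return trace
# Exercise on slide 21: c1 = x := 1; while x > 0 do x := x - 1  (booleans count as 1 / 0)
C1 = ("seq", ("assign", "x", lambda s: 1),
      ("while", lambda s: s["x"] > 0, ("assign", "x", lambda s: s["x"] - 1)))
def exercise(x0):
    # Number of transitions and final store when c1 is started in the store {x: x0}.
    trace = run(C1, {"x": x0})
    return len(trace) - 1, trace[-1]
def seq(*cs):
    # c1; c2; c3 nested to the right: ("seq", c1, ("seq", c2, c3))
    return cs[0] if len(cs) == 1 else ("seq", cs[0], seq(*cs[1:]))
# Program P of slide 25
P = seq(("assign", "y2", lambda s: 0), ("assign", "y3", lambda s: 1), ("assign", "y4", lambda s: 1),
        ("while", lambda s: s["y3"] <= s["y1"],
         seq(("assign", "y2", lambda s: s["y2"] + 1), ("assign", "y4", lambda s: s["y4"] + 2),
             ("assign", "y3", lambda s: s["y3"] + s["y4"]))))
def isqrt(y1):
    # Run P from a store holding only y1; the integer square root is left in y2.
    return run(P, {"y1": y1})[-1]["y2"]
```

Because `step` is a function, each configuration has at most one successor, which is the determinism property the second exercise of slide 21 asks for.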

26
Proof Outlines
  • State predicates inserted into program text such
    that each statement (simple or compound) has pre-
    and postcondition
  • A proof outline is valid if each embedded triple
    is valid and adjacent state predicates are related by
    implication

27
Proof Outlines, Example
  • $P$ = $\{y_1 > 0\}$
  • y2 := 0
  • $\{y_1 > 0 \wedge y_2 = 0\}$
  • y3 := 1
  • $\{y_1 > 0 \wedge y_2 = 0 \wedge y_3 = 1\}$
  • y4 := 1
  • $\{y_1 > 0 \wedge y_2 = 0 \wedge y_3 = 1 \wedge y_4 = 1\}$
  • $\{y_2^2 \leq y_1 \wedge y_3 = (y_2+1)^2 \wedge y_4 = 2y_2 + 1\}$
  • while y3 <= y1 do
  • $\{y_2^2 \leq y_1 \wedge y_3 = (y_2+1)^2 \wedge y_4 = 2y_2 + 1 \wedge y_3 \leq y_1\}$
  • y2 := y2 + 1
  • $\{y_2^2 \leq y_1 \wedge y_3 = y_2^2 \wedge y_4 = 2y_2 - 1\}$
  • y4 := y4 + 2
  • $\{y_2^2 \leq y_1 \wedge y_3 = y_2^2 \wedge y_4 = 2y_2 + 1\}$
  • y3 := y3 + y4
  • $\{y_2^2 \leq y_1 \wedge y_3 = (y_2+1)^2 \wedge y_4 = 2y_2 + 1\}$
  • od
  • $\{y_2^2 \leq y_1 < (y_2+1)^2\}$ /* Postcondition */

28
Soundness and Completeness
  • Theorem (soundness)
  • If $\{\varphi\}\, c\, \{\psi\}$ is provable then $c$ is partially
    correct w.r.t. $\varphi$ and $\psi$
  • For the case of sequential composition and while,
    let
  • $(c,\sigma) \to^n \sigma'$ if $(c,\sigma) \to \cdots \to \sigma'$ in $n$ steps
  • Lemma: If $(c_1;c_2,\sigma) \to^n \sigma'$ then there are $n_1, n_2,
    \sigma''$ such that $(c_1,\sigma) \to^{n_1} \sigma''$, $(c_2,\sigma'') \to^{n_2} \sigma'$ and
    $n = n_1 + n_2$
  • Completeness
  • Can obtain relative completeness, completeness
    relative to an oracle answering true statements in
    FOL arithmetic