Formal Semantics of Programming Languages Georg Weissenbacher SS 2013


  • Formal Semantics of Programming Languages

    Georg Weissenbacher, SS 2013

  • Program with a (Partial) Specification

    - Recall the program from last lecture:

      y := 1;
      while ¬(x = 1) do
        y := y * x;
        x := x - 1;
      ℓ : assert (y ≥ 0);

    - Assertion makes a statement about the program state:
      - Given state s at location ℓ, we assert s(y) ≥ 0.


  • Assertion Languages

    assert (y ≥ 0)

    - In this context: (y ≥ 0) ∈ Exp, of type B
      (where Exp is the set of quantifier-free expressions, as defined in Lecture 1)

  • Where Assertions Come From

  • Flow Diagrams Representing Programs

  • Assertion Boxes in Flow Diagrams

    marked with #

  • Assertion Boxes

    “an assertion box never requires that any specific calculations be made, it indicates only that certain relations are automatically fulfilled whenever [the program] gets to the region which it occupies”

    “The contents of an assertion box are one or more relations. These may be equalities, inequalities, or any other logical expressions.”

    [Goldstine & von Neumann 1947]

    Assertions are
    - side-effect free
    - Boolean expressions in a logical formalism


  • First Order Logic

    Syntax

      formula ::= formula ∧ formula | formula ∨ formula
                | formula ⇒ formula | formula ⇔ formula
                | ¬formula | (formula)
                | predicate(term, . . . , term) | term = term
                | ∀ variable . formula | ∃ variable . formula

      term ::= variable | constant | function(term, . . . , term)

    - variables, functions, predicates, and constants are represented by unique identifiers
    - each function and predicate has a fixed arity
    - ∀, ∃, ∧, ∨, ⇒, ⇔, ¬, and variables are logical symbols
    - predicates, constants, functions are non-logical symbols

  • First Order Logic

    Examples

    - ∀x . (even(x) ∨ odd(x)) ∧ ∀x . (even(x) ⇔ ¬odd(x))
    - ∀x . ∀y . (x = y) ⇒ (f(x) = f(y))
    - ∀z . ∃y . +(z, y) = 1

    Note:
    - even and odd are identifiers representing arbitrary predicates
    - f, + are just identifiers representing some arbitrary functions
    - 1 is just an identifier representing some arbitrary constant

  • First Order Logic

    Semantics

    Definition (Model)

    A model M of a formula F comprises
    - a (non-empty) domain D, and
    - an interpretation function assigning meaning to the non-logical symbols in F.

    For example:
    - If c is a constant, then c^M ∈ D
    - If f is a function of arity n, then f^M ∈ D^n → D
    - Note: (f(t1, . . . , tn))^M = f^M(t1^M, . . . , tn^M)


  • First Order Logic

    Semantics

    M ⊨ F if and only if F is true in M

    - M ⊨ R(t1, . . . , tn) if and only if R^M(t1^M, . . . , tn^M)
    - M ⊨ (t1 = t2) if and only if (t1^M = t2^M)
    - M ⊨ ¬F if and only if not M ⊨ F
    - M ⊨ F ∧ G if and only if M ⊨ F and M ⊨ G
    - M ⊨ F ∨ G if and only if M ⊨ F or M ⊨ G
    - M ⊨ F ⇒ G if and only if M ⊨ ¬F ∨ G
    - M ⊨ F ⇔ G if and only if M ⊨ (F ⇒ G) ∧ (G ⇒ F)

  • First Order Logic

    Semantics

    M ⊨ ∀x . F(x)

    - if and only if for every m ∈ D, if we add a constant c to our language and extend M such that c^M = m, then M ⊨ F(c)
    - This trick is necessary since we can’t refer to m directly
    - M ⊨ ∃x . F(x) if and only if M ⊨ ¬∀x . ¬F(x)


  • First Order Logic

    Semantics

    - We can’t determine the truth of a formula unless all variables are quantified
    - Un-quantified variables are free
    - Formulas in which all variables are quantified are closed
    - Closed formulas have no free variables
    - Whether a closed formula F is true depends solely on D and the denotations of the non-logical symbols in F

  • First Order Logic

    Semantics

    - Often, we have a specific domain and denotation in mind
    - For instance, D ≝ N, + denotes addition, . . .

      (+(t1, t2))^M = t1^M + t2^M

    - The + on the right side is meta-logical

  • First Order Logic

    Semantics

    - M assigns meanings to terms and formulas
    - We have seen something similar before:

      ⟦−⟧ : Exp → N     (lecture 1, slide 38)
      s : Var → Z       (lecture 2, slide 5)
      ⟦−⟧ s             (lecture 2, slide 6)

  • First Order Logic and Denotational Semantics

    - ⟦t1 + t2⟧ = ⟦t1⟧ + ⟦t2⟧
    - cf. (+(t1, t2))^M = t1^M + t2^M

    Denotational semantics also provides assignments for variables:
    - s : Var → Z, and ⟦x⟧ s = s(x)
    - allows us to assign free variables in FOL
    - Some presentations of FOL include a variable assignment µ. Alternatively, we could have a designated set of FOL constants Var such that each x ∈ Var is interpreted in accordance with s(x). This is just a matter of notation and terminology.


  • First Order Logic and Denotational Semantics

    - ⟦E⟧ s corresponds to the interpretation of E in a specific model M
    - D ≝ Z ∪ B
    - ⟦t⟧ s uses the standard interpretation of arithmetic
    - We embed ⟦−⟧ s into M as follows:
      - for free variables x ∈ Var, x^M = ⟦x⟧ s
      - E^M is consistent with ⟦E⟧ s (wherever ⟦E⟧ s is defined)

  • First Order Logic Assertions

    - ⟦t⟧ s assigns meaning to formulas and assertions

      s = {x ↦ 3, y ↦ 5}
      ⟦(y ≥ 0)⟧ s = ⟦y⟧ s ≥ ⟦0⟧ s = 5 ≥ 0

    - Remember:
      - Whether a closed formula F is true depends solely on D and the denotations of the non-logical symbols in F
      - Denotation and non-logical symbols are determined by ⟦−⟧ s
      - The values of free variables are determined by s
    - Therefore, we use s ⊨ F to denote that F is true under the variable assignment s:

      {x ↦ 3, y ↦ 5} ⊨ (y ≥ 0)


  • First Order Logic Assertions

    - Each formula F characterizes a set of states:

      {s | s ⊨ F}

    - For instance:
      - (x > 1) ∧ ∄i, j . ((x = i · j) ∧ (i > 1) ∧ (j > 1))

      (the set of states in which s(x) is a prime number)


  • First Order Logic: Inference Rules

    - Inference rules provide means to reason in FOL:

        premises
      ────────────
       conclusion

    - For instance, for arbitrary formulas P, Q, R:

       ¬¬P          P          P    Q         P ∧ Q       P ∧ Q
      ─────       ─────       ─────────      ───────     ───────
        P          ¬¬P          P ∧ Q           P         Q ∧ P

         P         P ∨ Q    ¬P ∨ R       P ⇔ Q    Q       P ⇒ Q    Q ⇒ P
      ───────     ─────────────────     ────────────     ────────────────
       P ∨ Q            Q ∨ R                P                P ⇔ Q

  • First Order Logic: Derivations

    - For instance:

       ∀x . P(x) ∨ ¬∀y . Q(y)     ∀y . Q(y)
      ──────────────────────────────────────
                    ∀x . P(x)

    - A derivation comprises a number of inference steps, e.g.:

       ¬¬P      ¬R ∧ Q
      ─────     ───────
        P          Q
      ────────────────
           P ∧ Q

    - We write P ⊢ Q if Q can be derived from P

  • First Order Logic: Derivations

    - We can also use derivations in premises:

       P ⊢ Q    P ⊢ ¬Q
      ─────────────────   (reductio ad absurdum)
             ¬P

         P ⊢ Q
      ───────────   (Deduction theorem)
        P ⇒ Q

       P ∨ Q    P ⊢ R    Q ⊢ R
      ─────────────────────────   (Case analysis)
                  R

  • First Order Logic: Axioms

    - An axiom is an inference rule without a premise:

      ─────
        P

      (We will omit the bar if it’s clear that P is an axiom)

    - Axioms denote tautologies in a given theory, e.g.:

      ∀x, y . (x + y) = (y + x)
      ∀x . even(x) ∨ odd(x)
      ∀x . prime(x) ⇔ ((x > 1) ∧ ∄i, j . ((x = i · j) ∧ (i > 1) ∧ (j > 1)))

    - Can use axioms to determine the denotation of non-logical symbols


  • First Order Logic: Substitution

    - We use P[t/x] to denote the replacement of all free occurrences of x in P by term t. Then

         ∀x . P
      ───────────   (universal instantiation)
        P[t/x]

      if no free variable of t becomes bound during the substitution

    - For instance:

       ∀x . even(x) ∨ odd(x)
      ───────────────────────
         even(1) ∨ odd(1)

    - But not:

       ∀x . ∃y . x = y
      ─────────────────
       ∃y . y + 1 = y

      (the substitution (∃y . x = y)[y + 1/x] would bind the free y of the term y + 1)

  • First Order Logic: Substitution

    - Substitutions can also occur in the premise:

        P[c/x]
      ──────────   (existential generalization)
       ∃x . P

      where c is a constant and x must not occur free in P[c/x]

  • First Order Logic: Substitution

    - Universal instantiation allows substitution of universally quantified variables
    - What about free variables?
      - Depends on state s!
    - Substitution lemma:

       s ⊨ P[t/x]    ⟦t⟧ s = c
      ─────────────────────────
           s[x ↦ c] ⊨ P

  • Instructions and Assertions

    - FOL and derivations enable us to reason about assertions
    - But what about instructions?
    - Currently, we can’t refer to instructions in inference rules

  • Assigning Meaning to Programs [Floyd67]

    Robert W. Floyd (1936–2001)

    - Used assertions to attach logical interpretations to programs
    - proof “by induction on the number of commands executed”

  • Assigning Meaning to Programs [Floyd67]

  • An Axiomatic Basis for Computer Programming [Hoare69]

    Sir Tony Hoare (1934–)

    - “Hoare Logic” (aka Floyd-Hoare Logic)
    - System of axioms and inference rules for program verification

  • Hoare Triples

    {P} C {Q}

    Definition (Hoare Triple)

    A Hoare triple comprises a pre-condition, a statement, and a post-condition. The Hoare Triple

      {P} C {Q}

    means that if C is executed in a state for which P holds, then Q is true for any state in which C may halt.

    We refer to P as the pre-condition and to Q as the post-condition of the Hoare Triple.

  • Hoare Triples

    {P} C {Q}

    In terms of operational (big-step) semantics:
    - if s ⊨ P and ⟨C, s⟩ ⇓ s′ then s′ ⊨ Q

    A Hoare triple characterizes the effect of commands on assertions

  • Hoare’s Axioms: Skip statement

    {P} skip {P}

    Example:
    - {x > 10} skip {x > 10}
    - one example should really be enough ;-)

  • Hoare’s Axioms: Assignment

    {Q[E/x]} x := E {Q}

    Intuition:
    - Q holds for the new value of x
    - E evaluated in the old state determines the new value of x
    - Therefore, Q[E/x] must hold before execution

    We will make this intuition more formal later.

  • Hoare’s Axioms: Assignment

    {Q[E/x]} x := E {Q}

    Examples:
    - {x > 10} y := 10 {x > y}
    - {x > y + 1} y := y + 1 {x > y}
    - {∃z . z > x + 1} y := x + 1 {∃x . x > y}
      - Rename quantified x to avoid clash!
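    The assignment axiom and the renaming step in the third example both rest on substitution. The following Python code is an added example (not code from the lecture) that makes them concrete: it encodes terms and formulas as nested tuples, implements the capture-avoiding substitution P[t/x] (renaming a bound variable that would capture a free variable of t, exactly the clash the slide warns about), and checks both the substitution lemma from the earlier slide and the axiom {Q[E/x]} x := E {Q} over a constructed finite sample of states. The tuple encoding, the names `holds`, `subst`, `substitution_lemma` and `assignment_axiom`, and the finite `DOMAIN` standing in for Z (so that ∃ can be decided by enumeration) are assumptions of this example, not the slides’ formalism.

```python
# Added example, not code from the lecture: terms and formulas as nested tuples,
# capture-avoiding substitution P[t/x], the substitution lemma, and the assignment
# axiom checked over a finite sample of states. DOMAIN is a constructed finite
# stand-in for Z so that ∃ can be decided by enumeration (a testing approximation).
from itertools import product

# Terms:    ('var', name) | ('const', int) | (op, t1, t2) with op in ARITH
# Formulas: (rel, t1, t2) with rel in REL | ('not', F) | ('and', F, G)
#           | ('or', F, G) | ('exists', name, F)
ARITH = {'+': lambda a, b: a + b, '-': lambda a, b: a - b}
REL = {'=': lambda a, b: a == b, '>': lambda a, b: a > b, '>=': lambda a, b: a >= b}
DOMAIN = range(-3, 4)


def term(t, s):
    """⟦t⟧ s: value of term t in state s (a dict Var -> int)."""
    if t[0] == 'var':
        return s[t[1]]
    if t[0] == 'const':
        return t[1]
    return ARITH[t[0]](term(t[1], s), term(t[2], s))


def holds(f, s):
    """s ⊨ f, with ∃ ranging over DOMAIN."""
    tag = f[0]
    if tag in REL:
        return REL[tag](term(f[1], s), term(f[2], s))
    if tag == 'not':
        return not holds(f[1], s)
    if tag == 'and':
        return holds(f[1], s) and holds(f[2], s)
    if tag == 'or':
        return holds(f[1], s) or holds(f[2], s)
    if tag == 'exists':
        return any(holds(f[2], {**s, f[1]: d}) for d in DOMAIN)
    raise ValueError(f"unknown formula tag {tag!r}")


def free_vars(e):
    """Free variables of a term or formula."""
    if e[0] == 'var':
        return {e[1]}
    if e[0] == 'const':
        return set()
    if e[0] == 'exists':
        return free_vars(e[2]) - {e[1]}
    return set().union(*(free_vars(sub) for sub in e[1:]))


def fresh(avoid):
    """A variable name not in `avoid`, used to rename a bound variable."""
    i = 0
    while f"v{i}" in avoid:
        i += 1
    return f"v{i}"


def subst(e, t, x):
    """e[t/x]: replace the free occurrences of x in e by t.

    A quantifier whose bound variable occurs free in t is renamed first, so no
    free variable of t becomes bound (the side condition of universal
    instantiation; the "rename quantified x to avoid clash" step of the slide).
    """
    if e[0] == 'var':
        return t if e[1] == x else e
    if e[0] == 'const':
        return e
    if e[0] == 'exists':
        v, body = e[1], e[2]
        if v == x:
            return e  # every x in the body is bound here: nothing to replace
        if v in free_vars(t):
            w = fresh(free_vars(body) | free_vars(t) | {x})
            body, v = subst(body, ('var', w), v), w
        return ('exists', v, subst(body, t, x))
    return (e[0],) + tuple(subst(sub, t, x) for sub in e[1:])


def substitution_lemma(P, t, x, states):
    """s ⊨ P[t/x]  iff  s[x ↦ ⟦t⟧ s] ⊨ P, checked for every s in states."""
    return all(holds(subst(P, t, x), s) == holds(P, {**s, x: term(t, s)})
               for s in states)


def assignment_axiom(Q, x, E, states):
    """{Q[E/x]} x := E {Q}: if the pre-condition holds in s, Q holds after x := E."""
    pre = subst(Q, E, x)
    return all(holds(Q, {**s, x: term(E, s)}) for s in states if holds(pre, s))


# Constructed sample of states over the variables x and y.
STATES = [{'x': a, 'y': b} for a, b in product(DOMAIN, repeat=2)]

# The third assignment example of the slide: Q = ∃x . x > y and the command y := x + 1.
Q_EX = ('exists', 'x', ('>', ('var', 'x'), ('var', 'y')))
E_EX = ('+', ('var', 'x'), ('const', 1))
```

    Running `subst(Q_EX, E_EX, 'y')` renames the bound x before substituting, so the free x of x + 1 stays free and the pre-condition matches the slide’s ∃z . z > x + 1 up to the name of the bound variable. Substituting naively would instead produce ∃x . x > x + 1, a pre-condition that is never satisfied.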

  • Hoare’s Axioms: Composition

       {P} C1 {R}    {R} C2 {Q}
      ──────────────────────────
           {P} C1; C2 {Q}

    Example:

       {(x + 1) ≤ 10} x := x + 1 {x ≤ 10}    {x ≤ 10} y := 0 {x ≤ 10}
      ──────────────────────────────────────────────────────────────
             {(x + 1) ≤ 10} x := x + 1; y := 0 {x ≤ 10}

  • Hoare’s Axioms: Conditional

       {B ∧ P} C1 {Q}    {¬B ∧ P} C2 {Q}
      ───────────────────────────────────
        {P} if B then C1 else C2 {Q}

    Example:

       {even(x)} x := x + 1 {odd(x)}    {¬even(x)} skip {odd(x)}
      ─────────────────────────────────────────────────────────
       {true} if (even(x)) then x := x + 1 else skip {odd(x)}

    - Where (or what) is P in this example?


  • Hoare’s Axioms: Consequence

       P′ ⇒ P    {P} S {Q}    Q ⇒ Q′
      ────────────────────────────────
               {P′} S {Q′}

    It is legal to
    - strengthen the pre-condition, and
    - weaken the post-condition

    Also allows us to combine Hoare Logic and FOL derivations:

                                          ¬even(x) ⊢ odd(x)
                                         ───────────────────
       {even(x)} x := x + 1 {¬even(x)}    ¬even(x) ⇒ odd(x)
      ──────────────────────────────────────────────────────
                 {even(x)} x := x + 1 {odd(x)}

    and

                   ∀n . even(n) ∨ odd(n)
                  ───────────────────────
       ¬even(x)      even(x) ∨ odd(x)
      ──────────────────────────────────
                   odd(x)

  • While Loops

           {P ∧ B} C {P}
      ────────────────────────────
      {P} while B do C {¬B ∧ P}

    - Statement C doesn’t change P (P is invariant)
    - P holds upon loop entry and exit (loop invariant)

    Example:

       {(x ≠ 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0}
      ───────────────────────────────────────────────────────────
       {x ≥ 0} while (x ≠ 0) do x := x − 1 {¬(x ≠ 0) ∧ (x ≥ 0)}

  • While Loops

    In context of a larger proof:

       (x ≠ 0) ∧ (x ≥ 0) ⊢ (x − 1 ≥ 0)
      ─────────────────────────────────
       (x ≠ 0) ∧ (x ≥ 0) ⇒ (x − 1 ≥ 0)    {(x − 1 ≥ 0)} x := x − 1 {x ≥ 0}
      ────────────────────────────────────────────────────────────────────
                   {(x ≠ 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0}
      ───────────────────────────────────────────────────────────
       {x ≥ 0} while (x ≠ 0) do x := x − 1 {¬(x ≠ 0) ∧ (x ≥ 0)}

    Here, we derive
    - {(x − 1 ≥ 0)} x := x − 1 {x ≥ 0} using Hoare’s assignment rule
    - {(x ≠ 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0} using the rule of consequence
    - {x ≥ 0} while (x ≠ 0) do x := x − 1 {¬(x ≠ 0) ∧ (x ≥ 0)} using the loop rule

    Don’t forget: we still have to discharge the assumption

      (x ≠ 0) ∧ (x ≥ 0) ⊢ (x − 1 ≥ 0)

    to show that the Hoare triple is valid. This requires the theory of integer arithmetic (not presented here).
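    As an added illustration (not code from the lecture), the following Python implements the big-step semantics of the While language used on these slides and checks Hoare triples on a finite sample of states by the definition from the Hoare Triples slide: every sampled s with s ⊨ P whose run halts in s′ must satisfy s′ ⊨ Q. It checks both the premise {P ∧ B} C {P} and the conclusion of the loop rule for the example above, reports the states at which a wrong invariant candidate fails, and exercises partial correctness: runs that exhaust the step budget are treated as non-halting, so the triple demands nothing of them. Assertions and guards as Python predicates over a state dict, commands as tuples, the `FUEL` bound, and the names `exec_cmd`, `triple_holds` and `check_while_rule` are assumptions of this example.

```python
# Added example, not code from the lecture: big-step interpreter for the While
# language of the slides plus a finite-sample check of Hoare triples.
#   {P} C {Q} holds on a sample iff  s ⊨ P and ⟨C, s⟩ ⇓ s′ imply s′ ⊨ Q  for all sampled s.
# Commands: ('skip',) | ('assign', x, f) with f: state -> int
#         | ('seq', C1, C2) | ('if', B, C1, C2) | ('while', B, C)
# Assertions and guards are predicates state -> bool.  A run that exceeds FUEL
# loop iterations is treated as non-halting (constructed bound, a testing device).

FUEL = 10_000


def exec_cmd(c, s, fuel=FUEL):
    """⟨C, s⟩ ⇓ s′: returns s′, or None if C does not halt within `fuel` iterations."""
    tag = c[0]
    if tag == 'skip':
        return s
    if tag == 'assign':
        return {**s, c[1]: c[2](s)}
    if tag == 'seq':
        mid = exec_cmd(c[1], s, fuel)
        return None if mid is None else exec_cmd(c[2], mid, fuel)
    if tag == 'if':
        return exec_cmd(c[2] if c[1](s) else c[3], s, fuel)
    if tag == 'while':
        while c[1](s):
            if fuel == 0:
                return None          # did not halt: no post-state to judge
            fuel -= 1
            s = exec_cmd(c[2], s, fuel)
            if s is None:
                return None
        return s
    raise ValueError(f"unknown command tag {tag!r}")


def triple_holds(P, c, Q, states):
    """Check {P} C {Q} over `states`; returns the violating pre-states (empty list: holds on the sample).

    States in which C does not halt never violate the triple (partial correctness).
    """
    violations = []
    for s in states:
        if P(s):
            s2 = exec_cmd(c, s)
            if s2 is not None and not Q(s2):
                violations.append(s)
    return violations


def check_while_rule(P, B, body, states):
    """Premise {P ∧ B} C {P} and conclusion {P} while B do C {¬B ∧ P} of the loop rule, both on the sample."""
    premise = triple_holds(lambda s: P(s) and B(s), body, P, states)
    conclusion = triple_holds(P, ('while', B, body), lambda s: not B(s) and P(s), states)
    return premise == [] and conclusion == []


# The slide's example: {x ≥ 0} while (x ≠ 0) do x := x − 1 {¬(x ≠ 0) ∧ (x ≥ 0)}
B = lambda s: s['x'] != 0
BODY = ('assign', 'x', lambda s: s['x'] - 1)
LOOP = ('while', B, BODY)
P = lambda s: s['x'] >= 0

# The conditional example: {true} if (even(x)) then x := x + 1 else skip {odd(x)}
COND = ('if', lambda s: s['x'] % 2 == 0, ('assign', 'x', lambda s: s['x'] + 1), ('skip',))

# Constructed sample; the negative values make the loop diverge.
STATES = [{'x': v} for v in range(-5, 20)]
```

    With `P` replaced by the candidate invariant x > 0, `triple_holds` returns `[{'x': 1}]`: the body takes x from 1 to 0, so x > 0 is not preserved, which is exactly what the loop rule's premise rules out. With pre-condition true and post-condition x = 0, the triple still holds on the sample, because the runs from negative x never halt and partial correctness says nothing about them.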


  • Hoare Rules: Overview

      {P[E/x]} x := E {P}

       {P} C1 {Q}    {Q} C2 {R}
      ──────────────────────────
          {P} C1; C2 {R}

       {B ∧ P} C1 {Q}    {¬B ∧ P} C2 {Q}
      ───────────────────────────────────
        {P} if B then C1 else C2 {Q}

       P′ ⇒ P    {P} C {Q}    Q ⇒ Q′
      ────────────────────────────────
               {P′} C {Q′}

           {P ∧ B} C {P}
      ────────────────────────────
      {P} while B do C {¬B ∧ P}

  • Greatest Common Divisor

    Let

      ∀x, y, z . divides(x, y, z) ⇔ ((x % z = 0) ∧ (y % z = 0))
      ∀x, y, z . (z = GCD(x, y)) ⇔ divides(x, y, z) ∧ (∄r . (r > z) ∧ divides(x, y, r))

    - (assuming D = N and % is the modulo operator)

  • A Hoare Logic Proof of Euclid’s Algorithm

    We want to show the following:

      {true}
      if (x > y) then
        k := x; m := y;
      else
        k := y; m := x;
      while (m ≠ 0) do
        r := k % m;
        k := m;
        m := r;
      {GCD(x, y) = k}

  • A Hoare Logic Proof of Euclid’s Algorithm

    - Break the proof into sub-proofs
    - Use the compact “in-line” presentation

      {P} C1 {Q} C2 {R}

      as shorthand for

       {P} C1 {Q}    {Q} C2 {R}
      ──────────────────────────
          {P} C1; C2 {R}

  • Euclid’s Algorithm – Loop Invariant

    Assume we have a predicate GCD with the following axioms
    - ∀x, y . GCD(x, y) = GCD(y, x)
    - ∀x . GCD(0, x) = x
    - ∀x . GCD(x, x) = x
    - ∀x, y . (x > y) ⇒ GCD(x, y) = GCD(x % y, y)

    We will first show the following:

      {(k ≥ m) ∧ GCD(x, y) = GCD(m, k)}
      while (m != 0) {
        r = k % m;
        k = m;
        m = r;
      }
      {GCD(x, y) = k}

  • Euclid’s Algorithm – Loop Invariant

    Assume we have a predicate GCD with the following axioms
    - ∀x, y . GCD(x, y) = GCD(y, x)
    - ∀x . GCD(0, x) = x
    - ∀x . GCD(x, x) = x
    - ∀x, y . (x > y) ⇒ GCD(x, y) = GCD(x % y, y)

    Annotating the loop body backwards from the invariant with the assignment rule:

      while (m != 0) {
        {(m ≥ (k % m)) ∧ GCD(x, y) = GCD(m, (k % m))}
        r = k % m;
        {(m ≥ r) ∧ GCD(x, y) = GCD(m, r)}
        k = m;
        {(k ≥ r) ∧ GCD(x, y) = GCD(k, r)}
        m = r;
        {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
      }

    Inside the loop m ≠ 0, and a remainder modulo m is smaller than m, so the conjunct (m ≥ (k % m)) is true and the pre-condition of the body simplifies to GCD(x, y) = GCD(m, (k % m)).

  • Euclid’s Algorithm – Loop Invariant

    Assume we have a predicate GCD with the following axioms
    - ∀x, y . GCD(x, y) = GCD(y, x)
    - ∀x . GCD(0, x) = x
    - ∀x . GCD(x, x) = x
    - ∀x, y . (x > y) ⇒ GCD(x, y) = GCD(x % y, y)

    By the rule of consequence (premises on separate lines):

       (k ≥ m) ∧ GCD(x, y) = GCD(k, m) ⇒ GCD(x, y) = GCD(m, (k % m))
       {GCD(x, y) = GCD(m, (k % m))} r := k % m; k := m; m := r {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
      ──────────────────────────────────────────────────────────────────────────────────────────
       {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)} r := k % m; k := m; m := r {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}

  • Proof by Case Split

    We still need to show that

      ((k ≥ m) ∧ (GCD(x, y) = GCD(k, m))) ⇒ (GCD(x, y) = GCD(m, (k % m)))

    We need the following axioms of the theory of arithmetic:

      ∀x, y . (x ≥ y) ⇔ ((x = y) ∨ (x > y))
      ∀x, y . (x % x) = 0
      ∀x, y, z . (x = y) ∧ (y = z) ⇒ (x = z)

    Perform a case split. First for (k > m):

       (k > m) ∧ (GCD(x, y) = GCD(m, k))    (k > m) ⇒ GCD(k, m) = GCD(k % m, m)
      ─────────────────────────────────────────────────────────────────────────
                    (k > m) ∧ (GCD(x, y) = GCD(k % m, m))

       (k > m) ∧ (GCD(x, y) = GCD(k % m, m))    GCD(k % m, m) = GCD(m, k % m)
      ───────────────────────────────────────────────────────────────────────
                    (k > m) ∧ (GCD(x, y) = GCD(m, k % m))

  • Proof by Case Split

    Perform a case split. Second case (k = m):

       (k = m) ∧ (GCD(x, y) = GCD(m, k))    GCD(m, m) = m
      ──────────────────────────────────────────────────
               (k = m) ∧ (GCD(x, y) = m)

       (k = m) ∧ (GCD(x, y) = m)    GCD(0, m) = m
      ──────────────────────────────────────────
          (k = m) ∧ (GCD(x, y) = GCD(0, m))

       (k = m) ∧ (GCD(x, y) = GCD(0, m))    m % m = 0
      ─────────────────────────────────────────────────
          (k = m) ∧ (GCD(x, y) = GCD(m % m, m))
      ─────────────────────────────────────────────────
          (k = m) ∧ (GCD(x, y) = GCD(k % m, m))

       (k = m) ∧ (GCD(x, y) = GCD(k % m, m))    GCD(k % m, m) = GCD(m, k % m)
      ───────────────────────────────────────────────────────────────────────
                (k = m) ∧ (GCD(x, y) = GCD(m, k % m))

    By combining the two cases we can conclude

      GCD(x, y) = GCD(m, k % m)


  • Euclid’s Algorithm – Loop Invariant

    Note: Though tedious, this proof was still not entirely formal. We implicitly applied a number of rules.
    - Quantifier instantiation
    - Transitivity of equality, substitution
    - The following propositional rules:

       P ∧ Q      P ∧ Q      P    Q       P ⇒ Q      ¬P ∨ Q    P
      ───────    ───────    ───────      ───────    ─────────────
         P          Q        P ∧ Q       ¬P ∨ Q           Q

    In the exercises, reason at least as formally as here.

  • Euclid’s Algorithm – Loop Invariant

    We have established:

      while (m ≠ 0) do
        {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
        r := k % m; k := m; m := r
        {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}

    Apply Hoare’s loop rule:

           {P ∧ B} C {P}
      ────────────────────────────
      {P} while B do C {¬B ∧ P}

    with
    - P ≝ (k ≥ m) ∧ GCD(x, y) = GCD(k, m)
    - B ≝ (m ≠ 0)

  • Euclid’s Algorithm – Loop Invariant

    We obtain:

      {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
      while (m ≠ 0) do
        r := k % m;
        k := m;
        m := r;
      {(m = 0) ∧ (k ≥ m) ∧ (GCD(x, y) = GCD(k, m))}

    The post-condition simplifies:

       (m = 0) ∧ (GCD(x, y) = GCD(k, m))
      ───────────────────────────────────
           (GCD(x, y) = GCD(k, 0))           GCD(k, 0) = k
      ────────────────────────────────────────────────────
                      GCD(x, y) = k

    and by the rule of consequence we obtain:

      {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
      while (m ≠ 0) do
        r := k % m;
        k := m;
        m := r;
      {GCD(x, y) = k}

  • Euclid’s Algorithm – Loop Invariant

    - We have established

        P ≝ (k ≥ m) ∧ GCD(x, y) = GCD(k, m)

      as a loop invariant
    - If P holds after n iterations of the loop, it also holds after n + 1
    - We still need to establish the base case n = 0

  • Euclid’s Algorithm – Induction, Base Case

    Does

      (k ≥ m) ∧ GCD(x, y) = GCD(k, m)

    hold at the beginning of the loop?

      {?}
      if (x > y) then
        k := x; m := y;
      else
        k := y; m := x;
      {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}

  • Euclid’s Algorithm – Induction, Base Case

      {?}
      if (x > y) then
        {(x ≥ y) ∧ GCD(x, y) = GCD(x, y)}
        k := x;
        {(k ≥ y) ∧ GCD(x, y) = GCD(k, y)}
        m := y;
        {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
      else
        {(y ≥ x) ∧ GCD(x, y) = GCD(y, x)}
        k := y;
        {(k ≥ x) ∧ GCD(x, y) = GCD(k, x)}
        m := x;
        {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}
      {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}

  • Euclid’s Algorithm – Induction, Base Case

    Strengthen the pre-conditions of the branches:
    - then-branch:

         (x > y)
        ─────────
         (x ≥ y)        (GCD(x, y) = GCD(x, y))
      ───────────────────────────────────────────
          (x ≥ y) ∧ (GCD(x, y) = GCD(x, y))

    - else-branch:

         ¬(x > y)      (GCD(x, y) = GCD(x, y))
        ──────────    ─────────────────────────
         (y ≥ x)       (GCD(x, y) = GCD(y, x))
      ───────────────────────────────────────────
          (y ≥ x) ∧ (GCD(x, y) = GCD(y, x))

  • Euclid’s Algorithm – Hoare’s Conditional Rule

    Apply

       {B ∧ P} C1 {Q}    {¬B ∧ P} C2 {Q}
      ───────────────────────────────────
        {P} if B then C1 else C2 {Q}

    with
    - B ≝ (x > y)
    - P ≝ true
    - Q ≝ (k ≥ m) ∧ GCD(x, y) = GCD(k, m)
    - C1 ≝ k := x; m := y
    - C2 ≝ k := y; m := x

  • Euclid’s Algorithm – Hoare’s Conditional Rule

    We obtain

      {true}
      if (x > y) then
        k := x; m := y;
      else
        k := y; m := x;
      {(k ≥ m) ∧ GCD(x, y) = GCD(k, m)}

  • Euclid’s Algorithm – Hoare’s Compositional Rule

    Finally:

       {P} C1 {Q}    {Q} C2 {R}
      ──────────────────────────
          {P} C1; C2 {R}

    where

      C1 ≝ if (x > y) then
             k := x; m := y;
           else
             k := y; m := x;

      C2 ≝ while (m ≠ 0) do
             r := k % m;
             k := m;
             m := r;

    and P ≝ true, Q ≝ (k ≥ m) ∧ GCD(x, y) = GCD(k, m), R ≝ (GCD(x, y) = k)

  • Euclid’s Algorithm – Correctness Established

      {true}
      if (x > y) then
        k := x; m := y;
      else
        k := y; m := x;
      while (m ≠ 0) do
        r := k % m;
        k := m;
        m := r;
      {GCD(x, y) = k}
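    As an added example (not code from the lecture), here is the verified program in Python with its proof annotations turned into runtime checks: the pre-condition D = N, the loop invariant (k ≥ m) ∧ GCD(x, y) = GCD(k, m) before and after the body, ¬B ∧ P after the loop, and the post-condition GCD(x, y) = k. GCD is computed from its specification on the Greatest Common Divisor slide (the largest z with divides(x, y, z)), so the checks do not depend on the algorithm they check. Such checks catch a wrong invariant candidate on sample inputs cheaply before the proof is attempted; they do not replace the proof, which is what establishes the invariant for all inputs. `spec_gcd`, `invariant`, `euclid` and `check_all` are names chosen for this example.

```python
# Added example, not code from the lecture: Euclid's algorithm exactly as verified on
# the slides, with the proof annotations as runtime assertions. GCD is implemented from
# its specification (largest z with divides(x, y, z)), not from Euclid, so the checks
# are independent of the code being checked.


def divides(x, y, z):
    """divides(x, y, z) ⇔ (x % z = 0) ∧ (y % z = 0), as on the slides; z > 0 assumed."""
    return x % z == 0 and y % z == 0


def spec_gcd(x, y):
    """GCD(x, y) by its specification: the largest z with divides(x, y, z).

    For x = y = 0 every z divides both, so the specification has no largest z;
    the slides' axiom GCD(0, x) = x gives 0, which is what we return.
    """
    if x == 0 and y == 0:
        return 0
    return max(z for z in range(1, max(x, y) + 1) if divides(x, y, z))


def invariant(x, y, k, m):
    """P ≝ (k ≥ m) ∧ GCD(x, y) = GCD(k, m)."""
    return k >= m and spec_gcd(x, y) == spec_gcd(k, m)


def euclid(x, y):
    """The program from the slides; every annotation of the proof is checked at runtime."""
    assert x >= 0 and y >= 0, "D = N"                      # {true} over the natural numbers
    if x > y:
        k, m = x, y
    else:
        k, m = y, x
    assert invariant(x, y, k, m)                           # base case: P holds on loop entry
    while m != 0:
        assert invariant(x, y, k, m)                       # {P ∧ B} before the body
        r = k % m
        k = m
        m = r
        assert invariant(x, y, k, m)                       # {P} after the body
    assert m == 0 and invariant(x, y, k, m)                # {¬B ∧ P} after the loop
    assert spec_gcd(x, y) == k                             # post-condition GCD(x, y) = k
    return k


def check_all(n):
    """Run euclid on every pair 0 ≤ x, y ≤ n; a violated annotation raises AssertionError."""
    return all(euclid(x, y) == spec_gcd(x, y)
               for x in range(n + 1) for y in range(n + 1))
```

    The boundary inputs are the ones worth watching: for x = 0 or y = 0 the loop body never runs and the base case alone carries the post-condition, and for x = y the else-branch is taken, which is why the proof needs (x ≥ y), not (x > y), in the then-branch and (y ≥ x) in the else-branch.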

  • Hoare’s Axioms H: Summary

      {P[E/x]} x := E {P}

       {P} C1 {Q}    {Q} C2 {R}
      ──────────────────────────
          {P} C1; C2 {R}

       {B ∧ P} C1 {Q}    {¬B ∧ P} C2 {Q}
      ───────────────────────────────────
        {P} if B then C1 else C2 {Q}

       P′ ⇒ P    {P} C {Q}    Q ⇒ Q′
      ────────────────────────────────
               {P′} C {Q′}

           {P ∧ B} C {P}
      ────────────────────────────
      {P} while B do C {¬B ∧ P}

  • Hoare Logic: Soundness

    Recall:

    {P} C {Q} def= (s |= P) ∧ 〈C, s〉 ⇓ s′ ⇒ (s′ |= Q)

    We useI |=T {P} C {Q} to denote that {P} C {Q} holds in all valid

    models of theory T .I `T ,H {P} C {Q} to denote that {P} C {Q} can be derived

    using the axioms and rules of T and H.

    Hoare Logic is sound if `T ,H {P} C {Q} ⇒ |=T {P} C {Q}

    (assuming the soundness of T )


  • Hoare Logic: Soundness

    - In our context, T is determined by the underlying semantics of the programming language.
    - We need to show that

      ∀s, s′ . (s ⊨ P ∧ ⟨C, s⟩ ⇓ s′ ∧ ⊢_{T,H} {P} C {Q}) ⇒ (s′ ⊨ Q)

  • Hoare Logic: Soundness

    We will prove this by nested structural induction
    - on the structure of ⊢_H {P} C {Q}
    - as well as ⟨C, s⟩ ⇓ s′.

    Structural induction:
    - Reduce problem P to smaller sub-problem(s) Pi : Pi ≺ P

    Nested structural induction:
    - Consider two structures O, P.
    - Define ordering:

      (Oi, Pi) ≺ (O, P) ⇔ (Oi ≺ O) ∨ ((Oi = O) ∧ (Pi ≺ P))

    Intuition: Walk backwards through the derivations ⊢_H {P} C {Q} and ⟨C, s⟩ ⇓ s′ simultaneously until we reach the base case


  • Hoare Logic: Soundness of Assignment Rule

    ─────────────────────
    {P[E/x]} x := E {P}

    Corresponding step in big-step semantics (cf. Lecture 2):

          〈E, s〉 ⇓ n
    ──────────────────────────
    〈x := E, s〉 ⇓ s[x ↦ n]

    Using 〈E, s〉 ⇓ n, show that:

    ∀s . (s |= Q[E/x]) ∧ (〈x := E, s〉 ⇓ s[x ↦ n]) ∧ ⊢ {Q[E/x]} x := E {Q} ⇒ (s[x ↦ n] |= Q)

    Follows from the substitution lemma:

    s |= Q[E/x]    〈E, s〉 ⇓ n
    ──────────────────────────
          s[x ↦ n] |= Q


  • Hoare Logic: Soundness of Consequence Rule

    P′ ⇒ P    {P} C {Q}    Q ⇒ Q′
    ─────────────────────────────
             {P′} C {Q′}

    Induction hypothesis (for 〈C, s〉 ⇓ s′ and ⊢T,H {P} C {Q}):

    ∀s, s′ . (s |= P ∧ 〈C, s〉 ⇓ s′ ∧ ⊢T,H {P} C {Q}) ⇒ (s′ |= Q)

    We use the soundness of FOL derivations to prove the rule correct:
    - (s |= P′) ⇒ (s |= P) (since P′ ⇒ P)
    - Now apply the induction hypothesis to derive (s′ |= Q)
    - (s′ |= Q) ⇒ (s′ |= Q′) (since Q ⇒ Q′)

  • Hoare Logic: Soundness of Composition Rule

    {P} C1 {Q}    {Q} C2 {R}
    ────────────────────────
        {P} C1 ; C2 {R}

    Corresponding step in big-step semantics (cf. Lecture 2):

    〈C1, s〉 ⇓ s′    〈C2, s′〉 ⇓ s′′
    ───────────────────────────────
          〈C1; C2, s〉 ⇓ s′′

    - Start with s |= P.
    - Then s′ |= Q (by i.h. on 〈C1, s〉 ⇓ s′ and {P} C1 {Q})
    - Then s′′ |= R (by i.h. on 〈C2, s′〉 ⇓ s′′ and {Q} C2 {R})

  • Hoare Logic: Soundness of While Rule

    {P ∧ B} C {P}
    ──────────────────────────────
    {P} while B do C {¬B ∧ P}

    There are two corresponding big-step rules (cf. Lecture 2):

                 〈B, s〉 ⇓ false
    [B-WHILE.F]  ──────────────────────────
                 〈while B do C, s〉 ⇓ s

                 〈B, s〉 ⇓ true    〈C, s〉 ⇓ s1    〈while B do C, s1〉 ⇓ s′
    [B-WHILE.T]  ────────────────────────────────────────────────────────
                 〈while B do C, s〉 ⇓ s′

    We need to consider both. Start with the easier one.

  • Hoare Logic: Soundness of While Rule

    Hoare Rule for while loop:

    {P ∧ B} C {P}
    ──────────────────────────────
    {P} while B do C {¬B ∧ P}

    Corresponding big-step rule:

                 〈B, s〉 ⇓ false
    [B-WHILE.F]  ──────────────────────────
                 〈while B do C, s〉 ⇓ s

    Using 〈B, s〉 ⇓ false and {P ∧ B} C {P}, we need to show:

    ∀s . (s |= P) ∧ (〈while B do C, s〉 ⇓ s) ∧ ⊢T,H {P} while B do C {¬B ∧ P} ⇒ s |= (¬B ∧ P)

    - Trivial, since (s |= P) and 〈B, s〉 ⇓ false imply s |= (¬B ∧ P)


  • Hoare Logic: Soundness of While Rule

    Hoare Rule for while loop:

    {P ∧ B} C {P}
    ──────────────────────────────
    {P} while B do C {¬B ∧ P}

    Corresponding big-step rule:

                 〈B, s〉 ⇓ true    〈C, s〉 ⇓ s1    〈while B do C, s1〉 ⇓ s′
    [B-WHILE.T]  ────────────────────────────────────────────────────────
                 〈while B do C, s〉 ⇓ s′

    Need to show: s′ |= (¬B ∧ P)
    - We assume s |= P (pre-condition of the Hoare rule's conclusion)
    - Because of 〈B, s〉 ⇓ true, we have s |= B
    - Hence, s |= B ∧ P
    - From i.h. on 〈C, s〉 ⇓ s1 and {P ∧ B} C {P}, we get s1 |= P

  • Hoare Logic: Soundness of While Rule

    Remember:
    - Nested induction only requires “progress” in one structure.
    - We can “put off” descending ⊢H

    {P ∧ B} C {P}
    ──────────────────────────────
    {P} while B do C {¬B ∧ P}

                 〈B, s〉 ⇓ true    〈C, s〉 ⇓ s1    〈while B do C, s1〉 ⇓ s′
    [B-WHILE.T]  ────────────────────────────────────────────────────────
                 〈while B do C, s〉 ⇓ s′

    - We have derived s1 |= P in the big-step structure.
    - Apply i.h. to 〈while B do C, s1〉 ⇓ s′ and the Hoare rule above
    - Conclusion: s′ |= (¬B ∧ P)

    Q.E.D. □


  • Hoare Logic: Soundness and Completeness

    We proved that ⊢T,H {P} C {Q} ⇒ |=T {P} C {Q}
    - under the assumption that derivations in T are sound

    What about the other direction?

    |=T {P} C {Q} ⇒ ⊢T,H {P} C {Q}

    If a Hoare triple holds, can we always derive it?

  • Hoare Logic: Completeness

    Recall from Lecture 2 (non-termination):
    - if C does not terminate then there is no s′ s.t. 〈C, s〉 ⇓ s′

    Definition of {P} C {Q}:

    {P} C {Q} ≝ (s |= P) ∧ 〈C, s〉 ⇓ s′ ⇒ (s′ |= Q)

    Therefore, if C does not terminate in s |= P, then {P} C {Q} is vacuously true.

    But then {P} C {false} is also true.
    If we can prove {P} C {false}, we can prove non-termination!
    But this would solve the halting problem.


  • Hoare Logic: Completeness

    Alternative argument:

    Gödel’s incompleteness theorem (paraphrased):

    In any recursively axiomatizable first-order theory rich enough to allow general mathematical reasoning to be formulated there is a true arithmetical formula that cannot be proven.

    Observe:
    - Let P be an arbitrary formula.
    - If P is valid, then {true} skip {P}.

    But ⊢T,H {true} skip {P} implies |=T P.


  • Hoare Logic: Relative Completeness

    Maybe Gödel’s incompleteness theorem (in combination with Hoare’s consequence rule) is the culprit?

    - What if we had a powerful enough decision procedure?

    Still not enough:
    - the assertion language needs to be expressive enough to represent all required intermediate assertions in a Hoare logic proof!
    - Think of the language L0 ≝ {true}: not very expressive.


  • Hoare Logic: Relative Completeness and Expressiveness

    We define the pre operation for a program C and an assertion Q as follows:

    pre(C, Q) ≝ {s | ∀s′ . 〈C, s〉 ⇓ s′ ⇒ s′ |=T Q}

    A logical language L is closed under the pre operation if

    ∀Q ∈ L, C . ∃P ∈ L . {s | s |=T P} = pre(C, Q)

    Intuition:
    - For every post-condition Q and program C, there is an assertion P ∈ L characterizing pre(C, Q).


  • Hoare Logic and Dijkstra’s Weakest Pre-condition

    Edsger W. Dijkstra (1930–2002)

    - Predicate Transformers [Dijkstra75]
    - Weakest Pre-Condition
    - Strongest Post-Condition
    - Invariants defined as Fixed Points

  • Predicate Transformers: Weakest Liberal Precondition

    Definition (Weakest Liberal Precondition)

    The weakest liberal precondition wlp(C, Q) for
    - a program construct C
    - with respect to a postcondition Q
    is the weakest predicate P such that {P} C {Q} holds.

    - i.e., {P′} C {Q} is equivalent to P′ ⇒ wlp(C, Q).
    - Note the similarity to

      pre(C, Q) ≝ {s | ∀s′ . 〈C, s〉 ⇓ s′ ⇒ s′ |=T Q}


  • Weakest Liberal Precondition: Assignments

    wlp(x := E, Q) ≝ Q[E/x]

    Looks familiar?

    {Q[E/x]} x := E {Q}

    Formally, we need to show correctness:

    {s | s |=T Q[E/x]} = {s | s[x ↦ ⟦E⟧ s] |=T Q}

    As before, this follows from the substitution lemma:

    s |= Q[E/x]    〈E, s〉 ⇓ n
    ──────────────────────────
          s[x ↦ n] |= Q


  • Weakest Liberal Precondition

    Skip statement:

    wlp(skip, Q) ≝ Q

    Composition:

    wlp(C1; C2, Q) ≝ wlp(C1, wlp(C2, Q))

    Conditional statement:

    wlp(if B then C1 else C2, Q) ≝ (B ⇒ wlp(C1, Q)) ∧ (¬B ⇒ wlp(C2, Q))


  • Weakest Liberal Precondition: Loops

    Loops are more complicated:
    - No syntactic construction possible (for the obvious reason)

    wlp(while B do C, Q) ≝ ∀k . Hₖ(Q)

    Idea: Define Hₖ inductively as follows:

    H₀(R)   = wlp(while true do skip, R) = true
    Hₖ₊₁(R) = (¬B ⇒ R) ∧ (B ⇒ wlp(C, Hₖ(R)))

    Interpretation:

    Hₖ(R) ≡ loop terminates in R after < k iterations, unless it doesn’t terminate
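Added example (not from the lecture slides) covering the wlp definitions for assignment, skip, composition and conditionals as well as the Hₖ approximations for loops. Assertions and expressions are nested tuples over an IMP-like language of this example's own design; wlp works purely syntactically by substitution, and the Hₖ chain is then evaluated in concrete states to show the "terminates in R after < k iterations, unless it doesn't terminate" reading. The AST encoding, the names evaluate, subst, wlp, h_k and the two sample programs are constructed for this example.

```python
"""Syntactic wlp over a small IMP-like AST (constructed for this example).
Expressions/assertions: int, bool, variable name (str), or (op, arg, ...).
Commands: ("skip",), ("assign", x, E), ("seq", C1, C2), ("if", B, C1, C2).
States: dicts mapping variable names to ints."""
import operator
from itertools import product

# Binary operators of the expression and assertion language; "=>" is implication.
BINOPS = {
    "+": operator.add, "-": operator.sub, "*": operator.mul, "%": operator.mod,
    "=": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
    "and": lambda a, b: a and b, "or": lambda a, b: a or b,
    "=>": lambda a, b: (not a) or b,
}


def evaluate(t, s):
    """Value of expression or assertion t in state s, i.e. [[t]] s."""
    if isinstance(t, (bool, int)):
        return t
    if isinstance(t, str):
        return s[t]
    op, *args = t
    if op == "not":
        return not evaluate(args[0], s)
    return BINOPS[op](evaluate(args[0], s), evaluate(args[1], s))


def subst(t, x, e):
    """t[e/x]: replace every occurrence of variable x in t by expression e."""
    if isinstance(t, str):
        return e if t == x else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, x, e) for a in t[1:])
    return t


def wlp(c, q):
    """Weakest liberal precondition for the loop-free constructs, as on the slides."""
    kind = c[0]
    if kind == "skip":                  # wlp(skip, Q) = Q
        return q
    if kind == "assign":                # wlp(x := E, Q) = Q[E/x]
        _, x, e = c
        return subst(q, x, e)
    if kind == "seq":                   # wlp(C1; C2, Q) = wlp(C1, wlp(C2, Q))
        _, c1, c2 = c
        return wlp(c1, wlp(c2, q))
    if kind == "if":                    # (B => wlp(C1, Q)) and (not B => wlp(C2, Q))
        _, b, c1, c2 = c
        return ("and", ("=>", b, wlp(c1, q)), ("=>", ("not", b), wlp(c2, q)))
    raise ValueError(f"no syntactic wlp for {kind}; use h_k for loops")


def h_k(k, b, c, r):
    """k-th approximation H_k(R) of wlp(while B do C, R):
    H_0(R) = true,  H_{k+1}(R) = (not B => R) and (B => wlp(C, H_k(R)))."""
    if k == 0:
        return True
    return ("and", ("=>", ("not", b), r), ("=>", b, wlp(c, h_k(k - 1, b, c, r))))


def substitution_lemma_holds(q, x, e, states):
    """Check  s |= Q[E/x]  iff  s[x -> [[E]] s] |= Q  on the given states."""
    return all(evaluate(subst(q, x, e), s) == evaluate(q, {**s, x: evaluate(e, s)})
               for s in states)


def loop_approximations(b, c, r, s, upto):
    """Truth values of H_0(R), ..., H_upto(R) in state s."""
    return [bool(evaluate(h_k(k, b, c, r), s)) for k in range(upto + 1)]


# Constructed sample program  x := x + 1; y := x * 2  with postcondition y = 2 * x.
PROG = ("seq", ("assign", "x", ("+", "x", 1)), ("assign", "y", ("*", "x", 2)))
POST = ("=", "y", ("*", 2, "x"))
# Constructed countdown loop  while x != 0 do x := x - 1  with postcondition y = 1.
COUNTDOWN_B = ("!=", "x", 0)
COUNTDOWN_C = ("assign", "x", ("-", "x", 1))
COUNTDOWN_R = ("=", "y", 1)
SAMPLE_STATES = [{"x": x, "y": y} for x, y in product(range(-2, 4), repeat=2)]

if __name__ == "__main__":
    print("wlp(PROG, POST) =", wlp(PROG, POST))
    print("substitution lemma on samples:",
          substitution_lemma_holds(POST, "x", ("+", "x", 1), SAMPLE_STATES))
    # x = 3 terminates after 3 iterations with y = 0, so H_k holds for k <= 3 only;
    # x = -1 never terminates, so every H_k holds vacuously.
    print("H_k at x=3, y=0:", loop_approximations(COUNTDOWN_B, COUNTDOWN_C, COUNTDOWN_R, {"x": 3, "y": 0}, 5))
    print("H_k at x=-1, y=0:", loop_approximations(COUNTDOWN_B, COUNTDOWN_C, COUNTDOWN_R, {"x": -1, "y": 0}, 5))
```

Each Hₖ is a finite formula, so the infinite conjunction ∀k . Hₖ(Q) can only be sampled, not built; that is the point of the slide's remark that no syntactic construction is possible for loops.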

  • Hoare Logic: Relative Completeness [Cook74]

    Now back to our completeness question...

    Assume we have
    - A first-order language L closed under pre for all constructs in our programming language
    - A proof system powerful enough such that

      ∀F ∈ L . (|=T F) ⇒ (⊢T F),

      i.e., we can prove any formula true in our intended interpretation

    Then |=T {P} C {Q} ⇒ ⊢T,H {P} C {Q}

  • Hoare Logic: Relative Completeness [Cook74]

    Proof: By induction on the structure of programs.

    - Assignment.
      - Assume |=T {P} x := E {Q}.
      - Then P ⇒ wlp(x := E, Q).
      - Therefore, by

        ─────────────────────        P′ ⇒ P    {P} C {Q}    Q ⇒ Q′
        {P[E/x]} x := E {P}          ─────────────────────────────
                                              {P′} C {Q′}

        we have ⊢T,H {P} x := E {Q}.

  • Hoare Logic: Relative Completeness [Cook74]

    - Composition.
      - Assume |=T {P} C1; C2 {Q}.
      - Then |=T {P} C1 {R} and |=T {R} C2 {Q}, where R = wlp(C2, Q).
      - Therefore, by the induction hypothesis and

        {P} C1 {R}    {R} C2 {Q}
        ────────────────────────
            {P} C1 ; C2 {Q}

        we have ⊢T,H {P} C1; C2 {Q}.


  • Hoare Logic: Relative Completeness [Cook74]

    - Loops. Recall:

      {R ∧ B} C {R}
      ──────────────────────────────
      {R} while B do C {¬B ∧ R}

      - Assume |=T {P} while B do C {Q}.
      - We need a loop invariant R such that
        (i) P ⇒ R, (ii) |=T {R ∧ B} C {R}, and (iii) R ∧ ¬B ⇒ Q
      - Let R = wlp(while B do C, Q) (exists as per our assumption).
      - Satisfies (i) by definition of wlp
      - For (ii) and (iii) note:

        R ≡ wlp(if B then (C; while B do C) else skip, Q)
          ≡ (¬B ⇒ Q) ∧ (B ⇒ wlp(C, wlp(while B do C, Q)))
          ≡ (¬B ⇒ Q) ∧ (B ⇒ wlp(C, R))

      - Thus (iii) is trivial, and (ii) follows from (R ∧ B) ⇒ wlp(C, R)  □

  • Relative Completeness Only for Simple Languages [Clarke79]

    Theorem

    It is impossible to obtain a system of Hoare axioms which is sound and complete in the sense of Cook for a programming language which allows:

    (i) procedures as parameters of procedure calls,
    (ii) recursion,
    (iii) static scope,
    (iv) global variables,
    (v) internal procedures.


  • Summary

    - Axiomatic semantics for reasoning about program correctness.
    - Requires inductive invariants.
    - Calculus comprises Hoare triples {P} C {Q} and axioms
    - Interesting properties of the calculus:
      - Soundness

        ⊢T,H {P} C {Q} ⇒ |=T {P} C {Q}

      - (Relative) Completeness

        |=T {P} C {Q} ⇒ ⊢T,H {P} C {Q}

  • References

    C.A.R. Hoare. An Axiomatic Basis for Computer Programming. Communications of the ACM 12(10), 1969.

    E.W. Dijkstra. Guarded Commands, Nondeterminacy and Formal Derivation of Programs. Communications of the ACM 18(8), 1975.

    S.A. Cook. Soundness and Completeness of an Axiom System for Program Verification. SIAM J. of Computing 7(1), 1978.

    E.M. Clarke. Programming Language Constructs for Which It Is Impossible To Obtain Good Hoare Axiom Systems. Journal of the ACM 26(1), 1979.

    K.R. Apt. Ten Years of Hoare’s Logic: A Survey – Part I. ACM TOPLAS 3(4), 1981.