Jump to content

Hoare logic

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Ferris37 (talk | contribs) at 16:37, 3 October 2006 (fix link to procedure (computer science)). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Hoare logic (also known as Floyd–Hoare logic) is a formal system developed by the British computer scientist C. A. R. Hoare, and subsequently refined by Hoare and other researchers. It was published in Hoare's 1969 paper "An axiomatic basis for computer programming". The purpose of the system is to provide a set of logical rules in order to reason about the correctness of computer programs with the rigour of mathematical logic.

Hoare acknowledges earlier contributions from Robert Floyd, who had published a similar system for flowcharts.

The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form

where P and Q are assertions and C is a command. P is called the precondition and Q the postcondition. Assertions are formulas in predicate logic.

Hoare logic has axioms and inference rules for all the constructs of a simple imperative programming language. In addition to the rules for the simple language in Hoare's original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers.

Partial and total correctness

Standard Hoare logic proves only partial correctness, while termination would have to be proved separately. Thus the intuitive reading of a Hoare triple is: Whenever P holds of the state before the execution of C, then Q will hold afterwards, or C does not terminate. Note that if C does not terminate, then there is no "after", so Q can be any statement at all. Indeed, one can choose Q to be false to express that C does not terminate.

Total correctness can also be proven with an extended version of the While rule.

Empty statement axiom

Assignment axiom schema

The assignment axiom states that after the assignment any predicate holds for the variable that was previously true for the right-hand side of the assignment:

Here denotes the expression P in which all free occurrences of the variable x have been replaced with the expression E.

An example of a valid triple is:

The assignment axiom proposed by Hoare is incorrect when more than one name can refer to the same stored value. For example, if x and y refer to the same value then

is not a true statement, because no precondition can cause y to be 3 after x is set to 2.

Sequencing rule

For example, consider the following two instances of the assignment axiom:

and

By the sequencing rule, one concludes:

Conditional rule

While rule

Here P is the loop invariant.

Consequence rule

While rule for total correctness

In this rule, in addition to maintaining the loop invariant, one also proves termination by way of a term whose value decreases during each iteration, here t. Note that t must take values from a well-founded set, so that each step of the loop is counted by decreasing members of a finite chain.

See also

References

  • C. A. R. Hoare. "An axiomatic basis for computer programming". Communications of the ACM, 12(10):576–585, October 1969. doi:10.1145/363235.363259 | Download PDF
  • Robert D. Tennent: "Specifying Software" (a recent textbook that includes an introduction to Hoare logic) ISBN 0-521-00401-2 [1]
  • Project Bali has defined Hoare logic-style rules for a subset of the Java programming language, for use with the Isabelle theorem prover