Software Specification: Formal Reasoning with Hoare Logic (cont.)

Software Specification, MEIC @ IST, 2019/20

jff

### At the end of this session, you should be able to: - Describe the elements of *Hoare Logic*: assertions, triples, proof rules - Describe the concept of decorated program - Verify simple programs using *Hoare Logic*

## A brief review of last session...

Hoare Logic

Hoare Logic originated in the 1960s, but it continues to be the subject of intensive research right up to the present day. It lies at the core of a multitude of tools that are being used in academia and industry to specify and verify real software systems.

Hoare Logic

Hoare Logic combines two beautiful ideas:
- a natural way of writing down specifications of programs
- a compositional proof technique for proving that programs are correct with respect to such specifications

Assertions

We need a language that enables unambiguous specifications: we will use FOL to express assertions

$$ \scriptsize \begin{array}{lcl} P, Q & ::= & & \\ & & true, false & \textrm{Boolean literals} \\ & & R(e_1, \cdots, e_n) & \textrm{Relations} \\ & & P \wedge Q,\, P \vee Q,\, P \rightarrow Q,\, \neg{P} & \textrm{Boolean operators} \\ & & \forall x . P,\, \exists x . P & \textrm{Quantifiers} \\ \end{array} $$

First-order Logic

You have already discussed FOL in Lecture 3.

A simple programming language

$$ \scriptsize \begin{array}{lcl} C & ::= & & \textit{Commands}\\ & & skip & \textrm{Skip (no op)} \\ & & var := exp & \textrm{Assignment} \\ & & C ; C & \textrm{Sequential composition} \\ & & \ifthenelse{bexp}{C}{C} & \textrm{Conditional} \\ & & \whileloop{bexp}{C} & \textrm{While loops} \\ \end{array} $$

Here, $var$ is the name of a storage cell (variable) and $bexp$ is a quantifier-free first-order assertion.

Example

// Oldest non-trivial algorithm known
// Assume M > 0 and N > 0 

x := M; y := N;

while x != y do
    if x<y then y := y-x
           else x := x-y

// On termination: x == y

## Hoare Triples At the core of Hoare Logic is the notion of _Hoare triple_: **$$\ht{P}{C}{Q}$$** - **Meaning**: If command $C$ starts in a state satisfying assertion $P$, and if $C$ terminates in some final state, then this final state will satisfy the assertion $Q$. - The assertion $P$ is called the **precondition** of $C$, while $Q$ is the **postcondition**.

Hoare Logic

Hoare Logic provides axioms and inference rules for all the constructs of a programming language
Inference rules are of the form $$\ithree{\textrm{rule name}}{\textrm{Conclusion}}{\textrm{Premise 1}}{\cdots}{\textrm{Premise n}}$$
Rules without premises are called axioms

Example

Here's a well-known inference rule: $$ \itwo{\textit{modus ponens}}{Q}{P\rightarrow Q}{P} $$ In words: if $P$ implies $Q$ and if we have $P$, then we can conclude $Q$.

Axiom for skip

The command $\skipcmd$ does not change the state:

$$ \izero{Skip}{\ht{P}{\skipcmd}{P}} $$

Axiom for assignment

$$ \izero{Asgn}{\ht{\subst{Q}{x}{E}}{x:=E}{Q}} $$

Example

$$ \scriptsize \izero{Asgn}{\ht{\subst{(x=1)}{x}{1}}{x:=1}{x=1}} $$ which is the same as $$ \scriptsize \izero{Asgn}{\ht{1=1}{x:=1}{x=1}} $$

Consequence Rules

Note that $~~~ \scriptsize \izero{Asgn}{\ht{1=1}{x:=1}{x=1}} $

is different from $~~~ \scriptsize \izero{Asgn}{\ht{true}{x:=1}{x=1}} $

They are logically equivalent, but not syntactically equivalent!

Consequence Rules

Strengthening the precondition of a valid triple always produces another valid triple

$$ \itwo{\textrm{Conseq Pre}}{\ht{P}{C}{Q}}{P\rightarrow P'}{\ht{P'}{C}{Q}} $$

Consequence Rules

Weakening the postcondition of a valid triple always produces another valid triple

$$ \itwo{\textrm{Conseq Pos}}{\ht{P}{C}{Q}}{Q'\rightarrow Q}{\ht{P}{C}{Q'}} $$

Example: our first proof

Putting the rules we've seen together, we can prove $$ \scriptsize {\ht{x=0}{x := x+1}{x\ge 1}} $$
The proof is a derivation tree: $$ \scriptsize \itwo{\textrm{Conseq Pre}}{\ht{x=0}{x := x+1}{x\ge 1}} {\icond{x=0 \rightarrow x+1\ge 1}} {\izero{\textrm{Asgn}}{\ht{x+1\ge 1}{x := x+1}{x\ge 1}}} $$

Rule for Sequential Composition

$$ \itwo{\textrm{Seq}}{\ht{P}{C1;C2}{R}}{\ht{P}{C1}{Q}}{\ht{Q}{C2}{R}} $$

In words: if $C1$ transforms any state that satisfies $P$ into any state that satisfies $Q$, and if $C2$ transforms a state that satisfies $Q$ into any state that satisfies $R$, then $C1;C2$ transforms any state that satisfies $P$ into a state that satisfies $R$.

Example

Show that $~~~ \scriptsize \ht{x=0}{y:=2\,;\,x:=y+1}{x=3} $
Derivation tree:
$ \tiny \itwo{\textrm{Seq}} {\ht{x=0}{y:=2 ; x:=y+1}{x=3}} {\itwo{\textrm{Asgn}}{\ht{x=0}{y:=2}{y+1=3}} {\icond{x=0\,\rightarrow\,2+1=3}} {\izero{\textrm{Asgn}}{\ht{2+1 = 3}{y := 2}{y+1 = 3}}}} {\izero{\textrm{Asgn}}{\ht{y+1=3}{x:=y+1}{x=3}}} $

Rule for Conditionals

$$ \itwo{\textrm{If}} {\ht{P}{\ifthenelse{b}{C1}{C2}}{Q}} {\ht{P\wedge b}{C1}{Q}} {\ht{P\wedge\neg{b}}{C2}{Q}} $$

In words: if $b$ is true, the first branch is executed and we need to establish $\ht{P}{C1}{Q}$; otherwise, the second branch is executed and we need to establish $\ht{P}{C2}{Q}$

Rule for While Loops

$$ \ione{\textrm{While}} {\ht{P}{\whileloop{b}{C}}{P\wedge\neg{b}}} {\ht{P\wedge b}{C}{P}} $$

When the loop terminates, we know that $b$ is false
The assertion $P$ is called an invariant

Prove that the following triple is valid

$\ht{x\ge 0}{\whileloop{x>0}{x:=x-1}}{x=0}$

Summary

$$ \tiny \begin{array}{ccc} \izero{Skip}{\ht{P}{\skipcmd}{P}} & \izero{Asgn}{\ht{\subst{Q}{x}{E}}{x:=E}{Q}} & \\ &&\\ \itwo{\textrm{Seq}}{\ht{P}{C1;C2}{R}}{\ht{P}{C1}{Q}}{\ht{Q}{C2}{R}} & \itwo{\textrm{If}} {\ht{P}{\ifthenelse{b}{C1}{C2}}{Q}} {\ht{P\wedge b}{C1}{Q}} {\ht{P\wedge\neg{b}}{C2}{Q}} &\\ &&\\ \ione{\textrm{While}} {\ht{P}{\whileloop{b}{C}}{P\wedge\neg{b}}} {\ht{P\wedge b}{C}{P}} &&\\ &&\\ \itwo{\textrm{Conseq Pre}}{\ht{P}{C}{Q}}{P\rightarrow P'}{\ht{P'}{C}{Q}} & \itwo{\textrm{Conseq Pos}}{\ht{P}{C}{Q}}{Q'\rightarrow Q}{\ht{P}{C}{Q'}} & \\ \end{array} $$

Partial vs. Total Correctness

Consider the triple $~~\ht{P}{C}{Q}$.

Partial correctness: if command $C$ is started in a state satisfying assertion $P$, and if $C$ terminates in some final state, then this final state will satisfy the assertion $Q$.
Total correctness: if command $C$ is started in a state satisfying assertion $P$, then it terminates and it does so in a final state that satisfies the assertion $Q$.

Total correctness

We can establish total correctness separately, since:

Total correctness = Partial correctness + Termination proof

Soundness

Soundness: only valid Hoare Triples can be proved by the rules.
To demonstrate soundness, we can use induction over the derivation trees. We have to show that:
- The Hoare triples in the axioms are correct
- For each inference rule, assuming that the triples in the premises are valid, we show that the triple in the conclusion is also valid.
Soundness is proved w.r.t. the semantics of the programming language.

Completeness

Completeness: all valid Hoare Triples can be proved by the rules.
Completeness is relative to the logic language used.
- For example, invariants and assertions have to be expressible in the logic.
Soundness is proved w.r.t. the semantics of the programming language.

Decorated Programs

Doing proofs in Hoare Logic can feel overly verbose
Decorating programs is a way to informally write down a Hoare Logic proof
- The idea is to insert assertions between every construct that makes the program. For example:

$$ \scriptsize \begin{array}{c} \{ x = 0 \}\\ x := x+1; \\ \{ x = 1 \} \\ x := x+2; \\ \{ x = 3 \} \end{array} $$

Decorated Programs: Skip and Assignment

Skip $$ \scriptsize \begin{array}{c} \{P\}\\ \skipcmd\\ \{P\} \end{array} $$

Assignment $$ \scriptsize \begin{array}{c} \{\subst{Q}{x}{E}\} \\ x := E \\ \{Q\} \end{array} $$

Decorated Programs: Sequential Composition and While loops

Sequential Composition $$ \scriptsize \begin{array}{c} \{P\}\\ C1; \\ \{Q\} \\ C2 \\ \{R\} \end{array} $$

While loops $$ \scriptsize \begin{array}{l} \{P\}\\ \texttt{while}\,\,b\,\,\texttt{do} \\ ~~~~\{P\wedge b\} \\ ~~~~C \\ ~~~~\{P\} \\ \{P\wedge\neg{b}\} \end{array} $$

Decorated Programs: Conditionals and Consequence rules

Conditionals $$ \tiny \begin{array}{l} \{P\} \\ \texttt{if}\,\,b\,\,\texttt{then} \\ ~~~~\{P\wedge b\} \\ ~~~~C1 \\ ~~~~\{Q\}\\ \texttt{else}\\ ~~~~\{P\wedge\neg{b}\} \\ ~~~~C2 \\ ~~~~\{Q\}\\ \{Q\}\\ \end{array} $$

Consequence rules $$ \tiny \begin{array}{l} \{P\}\,\,\rightarrow \\ \{Q\} \end{array} $$

Example: A decorated program

$$ \tiny \begin{array}{l} \{true\} \\ \texttt{if}\,\,x=0\,\,\texttt{then} \\ ~~~~\{true \wedge x=0\}~~\rightarrow \\ ~~~~\{x\le 2\}\\ ~~~~y := 2 \\ ~~~~\{x\le y\}\\ \texttt{else}\\ ~~~~\{true \wedge \neg{(x=0)}\}~~\rightarrow \\ ~~~~\{x\le x+1\}\\ ~~~~y := x+1 \\ ~~~~\{x\le y\}\\ \{x\le y\}\\ \end{array} $$

Verify the following program by decorating it:

$$ \scriptsize \begin{array}{l} \{ x=m \wedge y=n \wedge 0\leq n \}\\ \texttt{while}\,\,0\lt y\,\,\texttt{do \{} \\ ~~~ x := x+1; \\ ~~~ y := y-1 \\ \texttt{\}}\\ \{ x = m+n \} \end{array} $$

Invariants

To reason about loops, we need to identify loop invariants, which might be difficult!
For example, $\scriptsize j\ge 1$ is an invariant of the loop: $$\scriptsize i:=1;\,j:=1;\,\whileloop{i\lt n}{j:=j{+}i;\,i:=i{+}1}$$ but we cannot prove $$\scriptsize \ht{j\ge 1 \,\wedge\, i\lt n}{j:=j{+}i;\,i:=i{+}1}{j\ge 1}$$
We need to strengthen the invariant: $\scriptsize j\ge 1 \,\wedge\, i\ge 1$

Invariant-Based Programming

When developing algorithms, it might help to formulate an invariant first and then use it to guide all other steps.

This is the standard practice in formal program derivation.

### After this session, you should now be able to: - Describe the elements of *Hoare Logic*: assertions, triples, proof rules - Describe the concept of decorated program - Verify simple programs using *Hoare Logic*

## Next time... - We will start studying Dafny - The goal is to discuss the central concepts using case studies - I recommend you to bring a laptop to the lectures, so that we can have practical and interactive sessions

Credits

These slides use the framework reveal.js and were produced using vim and Ubuntu.
Some slides and examples are based on material available online by Ian Sommerville, Vasco T. Vasconcelos, Ian Stark, and Simão Melo de Sousa.