Hoare logic (also known as Floyd–Hoare logic or Hoare rules) is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician Tony Hoare, and subsequently refined by Hoare and other researchers.[1] The original ideas were seeded by the work of Robert W. Floyd, who had published a similar system[2] for flowcharts.
Hoare triple
The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form
Hoare logic provides axioms and inference rules for all the constructs of a simple imperative programming language. In addition to the rules for the simple language in Hoare's original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers.
Partial and total correctness
Using standard Hoare logic, only partial correctness can be proven. Total correctness additionally requires termination, which can be proven separately or with an extended version of the While rule.[3] Thus the intuitive reading of a Hoare triple is: Whenever holds of the state before the execution of , then will hold afterwards, or does not terminate. In the latter case, there is no "after", so can be any statement at all. Indeed, one can choose to be false to express that does not terminate.
"Termination" here and in the rest of this article is meant in the broader sense that the computation will eventually be finished, that is, it implies the absence of infinite loops; it does not imply the absence of implementation limit violations (e.g. division by zero) stopping the program prematurely. In his 1969 paper, Hoare used a narrower notion of termination which also entailed the absence of implementation limit violations, and expressed his preference for the broader notion of termination as it keeps assertions implementation-independent:[4]
Another deficiency in the axioms and rules quoted above is that they give no basis for a proof that a program successfully terminates. Failure to terminate may be due to an infinite loop; or it may be due to violation of an implementation-defined limit, for example, the range of numeric operands, the size of storage, or an operating system time limit. Thus the notation “” should be interpreted “provided that the program successfully terminates, the properties of its results are described by .” It is fairly easy to adapt the axioms so that they cannot be used to predict the “results” of nonterminating programs; but the actual use of the axioms would now depend on knowledge of many implementation-dependent features, for example, the size and speed of the computer, the range of numbers, and the choice of overflow technique. Apart from proofs of the avoidance of infinite loops, it is probably better to prove the “conditional” correctness of a program and rely on an implementation to give a warning if it has had to abandon execution of the program as a result of violation of an implementation limit.
Rules
Empty statement axiom schema
The empty statement rule asserts that the skip statement does not change the state of the program, thus whatever holds true before skip also holds true afterwards.[note 2]
Assignment axiom schema
The assignment axiom states that, after the assignment, any predicate that was previously true for the right-hand side of the assignment now holds for the variable. Formally, let P be an assertion in which the variable x is free. Then:
where denotes the assertion P in which each free occurrence of x has been replaced by the expression E.
The assignment axiom scheme means that the truth of is equivalent to the after-assignment truth of P. Thus, were true prior to the assignment, then by the assignment axiom P would be true afterwards. Conversely, were false (i.e. true) prior to the assignment statement, P must then be false afterwards.
Examples of valid triples include:
All preconditions that are not modified by the expression can be carried over to the postcondition. In the first example, assigning does not change the fact that , so both statements may appear in the postcondition. Formally, this result is obtained by applying the axiom schema with P being ( and ), which yields being ( and ), which can in turn be simplified to the given precondition .
The assignment axiom scheme is equivalent to saying that to find the precondition, first take the post-condition and replace all occurrences of the left-hand side of the assignment with the right-hand side of the assignment. Be careful not to try to do this backwards by following this incorrect way of thinking: ;
this rule leads to nonsensical examples like:
Another incorrect rule looking tempting at first glance is ; it leads to nonsensical examples like:
While a given postcondition P uniquely determines the precondition , the converse is not true. For example:
,
,
, and
are valid instances of the assignment axiom scheme.
The assignment axiom proposed by Hoare does not apply when more than one name may refer to the same stored value. For example,
is wrong if x and y refer to the same variable (aliasing), although it is a proper instance of the assignment axiom scheme (with both and being ).
Rule of composition
Verifying swap-code without auxiliary variables
The three statements below (lines 2, 4, 6) exchange the values of the variables a and b without needing an auxiliary variable. In the verification proof, the initial values of a and b are denoted by the constants A and B, respectively. The proof is best read backwards, starting from line 7; for example, line 5 is obtained from line 7 by replacing a (the target expression in line 6) by (the source expression in line 6). Some arithmetical simplifications are used tacitly, viz. (line 5→3), and (line 3→1).
Table with columns Nr, Code, Assertions, rows 1 to 7: the even-numbered rows (2, 4, 6) hold the three assignments, the odd-numbered rows (1, 3, 5, 7) the assertions between them.
Hoare's rule of composition applies to sequentially executed programs S and T, where S executes prior to T and is written (Q is called the midcondition):[5]
For example, consider the following two instances of the assignment axiom:
and
By the sequencing rule, one concludes:
Another example is shown in the right box.
Conditional rule
The conditional rule states that a postcondition Q common to the then and else parts is also a postcondition of the whole if...endif statement.[6]
In the then and the else part, the unnegated and negated condition B can be added to the precondition P, respectively.
The condition, B, must not have side effects.
An example is given in the next section.
This rule was not contained in Hoare's original publication.[1]
However, since a statement
has the same effect as a one-time loop construct
the conditional rule can be derived from the other Hoare rules.
In a similar way, rules for other derived program constructs, like the for loop, do...until loop, switch, break, and continue, can be reduced by program transformation to the rules from Hoare's original paper.
Consequence rule
This rule allows one to strengthen the precondition and/or to weaken the postcondition .
It is used e.g. to achieve literally identical postconditions for the then and the else part.
For example, a proof of
needs to apply the conditional rule, which in turn requires proving
, or simplified
for the then part, and
, or simplified
for the else part.
However, the assignment rule for the then part requires choosing P as ; rule application hence yields
, which is logically equivalent to
.
The consequence rule is needed to strengthen the precondition obtained from the assignment rule to required for the conditional rule.
Similarly, for the else part, the assignment rule yields
, or equivalently
,
hence the consequence rule has to be applied with and being and , respectively, to strengthen the precondition again. Informally, the effect of the consequence rule is to "forget" that is known at the entry of the else part, since the assignment rule used for the else part doesn't need that information.
While rule
Here P is the loop invariant, which is to be preserved by the loop body S.
After the loop is finished, this invariant P still holds, and moreover must have caused the loop to end.
As in the conditional rule, B must not have side effects.
For example, a proof of
by the while rule requires proving
, or simplified
,
which is easily obtained by the assignment rule.
Finally, the postcondition can be simplified to .
For another example, the while rule can be used to formally verify the following strange program to compute the exact square root x of an arbitrary number a—even if x is an integer variable and a is not a square number:
After applying the while rule with P being true, it remains to prove
,
which follows from the skip rule and the consequence rule.
In fact, the strange program is partially correct: if it happened to terminate, it is certain that x must have contained (by chance) the value of a's square root.
In all other cases, it will not terminate; therefore it is not totally correct.
While rule for total correctness
If the above ordinary while rule is replaced by the following one, the Hoare calculus can also be used to prove total correctness, i.e. termination as well as partial correctness. Commonly, square brackets are used here instead of curly braces to indicate the different notion of program correctness.
In this rule, in addition to maintaining the loop invariant, one also proves termination by way of an expression t, called the loop variant, whose value strictly decreases with respect to a well-founded relation < on some domain set D during each iteration. Since < is well-founded, a strictly decreasing chain of members of D can have only finite length, so t cannot keep decreasing forever. (For example, the usual order < is well-founded on the positive integers, but neither on the integers nor on the positive real numbers; all these sets are meant in the mathematical, not the computing, sense; in particular, they are all infinite.)
Given the loop invariant P, the condition B must imply that t is not a minimal element of D, for otherwise the body S could not decrease t any further, i.e. the premise of the rule would be false. (This is one of various notations for total correctness.)[note 3]
Resuming the first example of the previous section, for a total-correctness proof of
the while rule for total correctness can be applied with e.g. D being the non-negative integers with the usual order, and the expression t being , which then in turn requires proving
Informally speaking, we have to prove that the distance decreases in every loop cycle, while it always remains non-negative; this process can go on only for a finite number of cycles.
The previous proof goal can be simplified to
,
which can be proven as follows:
is obtained by the assignment rule, and
can be strengthened to by the consequence rule.
For the second example of the previous section, of course no expression t can be found that is decreased by the empty loop body, hence termination cannot be proved.
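As an added example, not from the article or from Hoare's paper, the following Python program turns the rules above (skip, assignment by substitution, composition, conditional, while with an invariant, and the loop-variant obligations of the total-correctness rule) into a weakest-precondition calculator and checks the resulting proof obligations by exhaustive evaluation over a small integer domain. The tuple encoding of statements, the programs SWAP, MAX and COUNT, the fresh name __old_t (playing the role of Reynolds' z) and the finite-domain check are this example's own constructions; the consequence rule is not applied symbolically but discharged by the same brute-force check.

```python
import itertools
import re

def subst(assertion, var, expr):
    """Assignment axiom: P[E/x], every free occurrence of x replaced by (E)."""
    return re.sub(rf"\b{var}\b", f"({expr})", assertion)

def implies(a, b):
    return f"(not ({a})) or ({b})"

def wp(stmt, post, vcs):
    """Weakest precondition of stmt w.r.t. post; loop obligations are appended to vcs.
    Constructed encoding: ("skip",), ("assign", x, E), ("seq", S, T), ("if", B, S, T),
    ("while", B, S, invariant, variant_or_None)."""
    kind = stmt[0]
    if kind == "skip":                                # {P} skip {P}
        return post
    if kind == "assign":                              # {P[E/x]} x := E {P}
        return subst(post, stmt[1], stmt[2])
    if kind == "seq":                                 # {P} S {Q}, {Q} T {R}  =>  {P} S;T {R}
        return wp(stmt[1], wp(stmt[2], post, vcs), vcs)
    if kind == "if":                                  # {B and P} S {Q}, {not B and P} T {Q}
        _, cond, then_s, else_s = stmt
        neg = f"not ({cond})"
        return f"({implies(cond, wp(then_s, post, vcs))}) and ({implies(neg, wp(else_s, post, vcs))})"
    if kind == "while":
        _, cond, body, inv, variant = stmt
        in_loop = f"({inv}) and ({cond})"
        vcs.append(("invariant preserved", implies(in_loop, wp(body, inv, vcs))))
        vcs.append(("exit gives post", implies(f"({inv}) and not ({cond})", post)))
        if variant is not None:                       # total correctness, D = non-negative integers
            vcs.append(("variant bounded", implies(in_loop, f"({variant}) >= 0")))
            # __old_t is the fresh z: wp pushes the body's effect into t, then __old_t is
            # replaced by t's pre-state value, yielding "t after < t before".
            after = wp(body, f"({variant}) < __old_t", vcs)
            vcs.append(("variant decreases", implies(in_loop, subst(after, "__old_t", variant))))
        return inv
    raise ValueError(f"unknown statement {kind!r}")

def holds(formula, variables, domain):
    """Exhaustive check over every valuation; eval only sees formulas built above."""
    return all(eval(formula, {}, dict(zip(variables, vals)))
               for vals in itertools.product(domain, repeat=len(variables)))

def verify(pre, stmt, post, variables, domain=range(-3, 4)):
    """Names of the failing obligations for {pre} stmt {post}; an empty list means verified."""
    vcs = []
    weakest = wp(stmt, post, vcs)
    vcs.append(("pre implies wp", implies(pre, weakest)))
    return [name for name, f in vcs if not holds(f, variables, domain)]

# Constructed programs: arithmetic swap, maximum via if, counting loop with invariant and variant.
SWAP = ("seq", ("assign", "a", "a + b"),
        ("seq", ("assign", "b", "a - b"), ("assign", "a", "a - b")))
MAX = ("if", "x < y", ("assign", "m", "y"), ("assign", "m", "x"))
COUNT = ("while", "x < 10", ("assign", "x", "x + 1"), "x <= 10", "10 - x")
```

Checking over a finite domain is a sanity test of the obligations, not a proof; a real verifier hands the same formulas to a theorem prover or SMT solver.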
^ This article uses a natural deduction style notation for rules. For example, informally means "If both α and β hold, then also φ holds"; α and β are called antecedents of the rule, φ is called its succedent. A rule without antecedents is called an axiom, and written as .
^ Hoare's 1969 paper didn't provide a total correctness rule; cf. his discussion on p. 579 (top left). For example, Reynolds' textbook[3] gives the following version of a total correctness rule: when z is an integer variable that doesn't occur free in P, B, S, or t, and t is an integer expression (Reynolds' variables renamed to fit this article's settings).