Hoare logic and program correctness

How do we show that a partial correctness statement {P} c {Q} holds? We know that a triple {P} c {Q} is valid if it holds for all states and interpretations: s |=_I {P} c {Q}. Furthermore, showing that s |=_I {P} c {Q} requires reasoning about the execution of command c (that is, C[[c]]), as indicated by the definition of validity.

It turns out that there is an elegant way of deriving valid partial correctness assertions without having to reason about states, interpretations, and the execution of c. We can use a set of inference rules, called Hoare rules, to directly derive valid partial correctness assertions. The set of rules forms a proof system known as Hoare logic. The inference rules derive new valid triples provided some other partial correctness assertions hold in the premises.

(skip)      ------------
            {P} skip {P}

(assign)    -------------------
            {P[a/x]} x := a {P}

            {P} c1 {R}    {R} c2 {Q}
(seq)       ------------------------
                {P} c1; c2 {Q}

            {P /\ b} c1 {Q}    {P /\ neg b} c2 {Q}
(if)        -------------------------------------
                {P} if b then c1 else c2 {Q}

            {P /\ b} c {P}
(while)     -----------------------------
            {P} while b do c {P /\ neg b}

The assertion P in the rule for while loops is essentially a loop invariant: it is an assertion that holds before and after each iteration, as shown in the premise of the rule. Therefore, it is both a pre-condition for the loop (because it holds before the first iteration) and a post-condition for the loop (because it holds after the last iteration). The fact that P is both a pre- and post-condition for the while loop is reflected in the conclusion of the rule.

There is one more rule, the rule of consequence, which allows us to strengthen pre-conditions and weaken post-conditions:

               |= (P => P')    {P'} c {Q'}    |= (Q' => Q)
(consequence)  -----------------------------------------
                              {P} c {Q}

Essentially, this set of Hoare rules represents an inductive definition of a set of triples {P} c {Q}.
We will say that {P} c {Q} is a theorem in Hoare logic, written |- {P} c {Q}, if we can build a finite proof tree for it.

Soundness and Completeness

At this point we have two kinds of partial correctness assertions: a) valid assertions |= {P} c {Q}, which hold for all states and interpretations, according to the semantics of c; and b) Hoare logic theorems |- {P} c {Q}, that is, triples that can be proved using the Hoare rules. The question is how these two sets relate to each other. More precisely, we have to answer two questions.

First, is each Hoare logic theorem guaranteed to be a valid partial correctness triple? In other words, does |- {P} c {Q} imply |= {P} c {Q}? The answer is yes, and it shows that Hoare logic is sound. Soundness is important because it says that Hoare logic doesn't allow us to derive triples that actually don't hold. The proof of soundness requires induction on the derivations of |- {P} c {Q} (but we will omit this proof).

The second question refers to the expressiveness and power of the Hoare rules: can we always build a Hoare logic proof for each valid assertion? In other words, does |= {P} c {Q} imply |- {P} c {Q}? The answer is yes, modulo the proofs of validity for the assertions that occur in the rule of consequence (|= (P => P') and |= (Q' => Q)). This result is known as the relative completeness of Hoare logic and is due to Cook (1974); the proof is fairly complex and we will omit it (but you can find details in the Winskel book).
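As an added illustration that is not part of the original notes, the following Python script applies the rules above backwards from the postcondition (threading the midpoint assertion R through sequences and using an annotated invariant for while loops) and discharges the side conditions |= (P => P') of the rule of consequence by exhaustive evaluation over a small integer domain, which stands in for the assertion-validity oracle that relative completeness assumes. The tuple encoding of commands, the use of Python expression strings for assertions and the finite domain are my own assumptions, not anything the notes prescribe.

```python
import ast
import itertools

# Commands as tuples (my encoding of the notes' language):
#   ("skip",) | ("assign", x, a) | ("seq", c1, c2) | ("if", b, c1, c2) | ("while", b, inv, c)
# Assertions P, Q and expressions a, b are Python expression strings over integer variables.
DOMAIN = range(-3, 4)  # finite domain standing in for the oracle deciding |= (P => Q) (assumption)

def subst(p, x, a):
    """P[a/x]: replace every occurrence of variable x in assertion p by expression a."""
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return ast.parse(a, mode="eval").body if node.id == x else node
    return ast.unparse(Sub().visit(ast.parse(p, mode="eval")))

def implies(p, q, variables):
    """Decide |= (P => Q) by exhaustive evaluation over DOMAIN (a real prover would go here)."""
    for values in itertools.product(DOMAIN, repeat=len(variables)):
        env = dict(zip(variables, values))
        if eval(p, {}, env) and not eval(q, {}, env):
            return False
    return True

def wp(c, q):
    """Apply the rules backwards from q: returns the derived precondition and the
    (P', Q') obligations that the rule of consequence must discharge with |=."""
    kind = c[0]
    if kind == "skip":                      # (skip): {Q} skip {Q}
        return q, []
    if kind == "assign":                    # (assign): {Q[a/x]} x := a {Q}
        return subst(q, c[1], c[2]), []
    if kind == "seq":                       # (seq): the midpoint R is the precondition of c2
        mid, side2 = wp(c[2], q)
        pre, side1 = wp(c[1], mid)
        return pre, side1 + side2
    if kind == "if":                        # (if): under b we need pre1, under not b pre2
        pre1, side1 = wp(c[2], q)
        pre2, side2 = wp(c[3], q)
        return f"(({c[1]}) and ({pre1})) or (not ({c[1]}) and ({pre2}))", side1 + side2
    b, inv, body = c[1], c[2], c[3]         # (while): premise {inv /\ b} body {inv},
    body_pre, side = wp(body, inv)          # conclusion {inv} while b do body {inv /\ not b}
    side += [(f"({inv}) and ({b})", body_pre), (f"({inv}) and not ({b})", q)]
    return inv, side

def prove(p, c, q, variables):
    """|- {P} c {Q}: build the proof tree with wp and check every consequence obligation."""
    pre, side = wp(c, q)
    return all(implies(a, b, variables) for a, b in [(p, pre)] + side)

# Constructed sample: {n >= 0} i := 0; r := 0; while i < n do (r := r + 2; i := i + 1) {r == 2 * n}
BODY = ("seq", ("assign", "r", "r + 2"), ("assign", "i", "i + 1"))
DOUBLE = ("seq", ("assign", "i", "0"), ("seq", ("assign", "r", "0"), ("while", "i < n", "r == 2 * i and i <= n", BODY)))
print(prove("n >= 0", DOUBLE, "r == 2 * n", ["n", "i", "r"]))  # True
```

Dropping the conjunct i <= n from the invariant makes the obligation {inv /\ not b} => {r == 2 * n} fail, so prove returns False for that weaker annotation.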