Ten Years of Hoare's Logic: A Survey—Part I

TLDR: A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented, with emphasis on the soundness and completeness issues.

Abstract: A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.

Full text

Ten Years
of
Hoare's
Logic:
A
Survey-Part
I
KRZYSZTOF
R.
APT
Erasmus University
A survey of various results concerning Hoare's approach to proving partial and total correctness
of
programs is presented. Emphasis is placed on
the
soundness and completeness issues. Various proof
systems for
while
programs, recursive procedures, local variable declarations, and procedures with
parameters, together with the corresponding soundness, completeness, and incompleteness results,
are discussed.
Key Words and Phrases: Hoare's logic, partial correctness, total correctness, soundness, completeness
in
the sense of Cook, expressiveness, arithmetical interpretation,
while
programs, recursive proce-
dures, variable declarations, subscripted variables, call-by-name, call-by-value, call-by-variable, static
scope, dynamic scope, procedures as parameters
CR
Category: 5.24
1. INTRODUCTION
In
1969
Hoare [27] introduced
an
axiomatic
method
of proving programs correct.
This
approach was partially based on
the
so-called intermediate assertion
method
of Floyd [18]. Hoare's approach
has
received a great deal of attention during
the
last decade,
and
it
has
had
a significant impact upon
the
methods
of
both
designing
and
verifying programs.
It
has
also been used as a way of specifying
semantics of programming languages (see [17,
28,
40]).
The
purpose
of
this paper is to
present
the
most
relevant issues pertaining to
Hoare's
method
(namely, those of soundness and completeness) in a systematic
and
self-contained way.
The
main
problem with such
an
exposition is
that
various
proofs given in
the
literature
are
awkward, incomplete,
or
even incorrect.
In
many
cases proof rules are introduced without
any
proofs of soundness
or
completeness
at
all.
The
field itself is enormous, since for virtually all programming constructs
and
notions some proof rules have been suggested. Also, for some constructs,
such
as recursive procedures with parameters, several alternative proof rules have
been proposed.
Faced by
these
problems, we decided
to
restrict
the
exposition to only those
constructs
and
notions which we found
most
important.
In
each case we selected
only one, hopefully
the
most successful, among many possible proof systems.
Permission to copy without
fee
all or
part
of this material is granted provided
that
the copies are
not
made or distributed for direct commercial advantage,
the
ACM copyright notice and
the
title of
the
publication and its date appear, and notice is given
that
copying is by permission of
the
Association
for Computing Machinery. To copy otherwise,
or
to republish, requires a fee
and/or
specific
permission.
This
paper is
an
extended version
of
a paper presented
at
the
Fifth Scandinavian Logic Symposium,
Aalborg, Denmark, January
17-19, 1979.
Author's present address: LITP, Universite Paris 7,
2,
place Jussieu, 75221 Paris, France.
© 1981 ACM 0164-0925/81/1000-0431 $00.75
ACM Transactions on Programming Languages and Systems, Vol. 3, No.
4,
October
1981,
Pages
431-483.

432 Krzysztof
R.
Apt
The choice of a semantics for the programming
constructs
concerned
turns
out
to be the decisive factor for the complexity of
the
proofs.
Therefore,
we
are
at
great pains to suggest in each case a semantics which would
make
the
s~undness
and completeness proofs as simple as possible.
The
papers
we
are
ref
ernng
to
do
not necessarily provide proofs using the same semantics. However,
in
practically
all cases the proofs can be straightforwardly
translated
(and
simplified) into
our
framework.
We
refrain from pointing out mistakes
and
errors
in
the
referenced
papers. Many of them can be repaired easily,
and
many
others
cannot
occur
in
the suggested semantical framework.
We
found it convenient to divide
the
subject
material
in
accordance
with
the
constructs of programming languages:
while
statements
(Section 2), recursive
procedures
(Section
3),
local variables
(Section
4),
subscripted
variables
(Section
5),
parameter mechanisms
(Section
6),
and procedures as
parameters
(Section
7).
Of course, procedures are
but
another parameter mechanism. However,
proce-
dures as parameters deserve a separate
treatment
owing
to
the
extensive
results
concerning them.
Several
other important constructs which are also covered
by
Hoare's
method,
such as go-to's, coroutines, functions, data structures,
and
parallelism, are
not
treated in this paper. Those interested in
the
issues raised
by
these
constructs
are
referred to
[14,
chap.
10]
(written by
A.
de
Bruin)
and
to
[8, 11,
12,
25, 46, 47].
To
the reader interested in a more detailed development
of
the
subject
we suggest
(14].
The
second part of this survey, to
be
contained
in
a
separate
paper,
will
be
devoted
to
a discussion of various Hoare-like proof
systems
for
nondeterministic
and parallel programs.
It
should
be
mentioned
that
there are several
other
approaches
to
program
verification which are related to Hoare's method.
These
approaches
are
not
discussed in this paper.
The
interested reader is
referred
to
[22],
where
other
methods are discussed.
Throughout the paper
we
assume
that
the
reader
has knowledge
of
some
basic
notions and facts from mathematical logic. We
state
them
whenever
they
are
applied.
All
of them can be found in, for example, [51].
The title of this paper was perhaps appropriate
at
the
moment
of
its
submission
but is
not
so
appropriate now
that
it appears in print. We decided
to
retain
this
title,
but
to keep the paper up-to-date
we
took
the
liberty of
incorporating
here
a
few
results proved since
1979.
Most of them concern
the
use of
procedures
as
parameters and form the contents of
Section
7.
The
reader
deserves a
warning
that
that
section deals with the most complex results
obtained
in
this
area.
For
a proper understanding of them, a thorough knowledge
of
all
other
sections
of
the paper
is
required. Due to the lack of space,
the
presentation
of
Section
7 is
rather sketchy, and no examples are provided.
2.
while
PROGRAMS
Let
L
denote a first-order language with equality. We use
the
letters
a,
b,
x,
y,
z
to denote the variables of
L,
the letters
s,
t
to denote
terms
(expressions)
of
L,
the
letter
e
to denote a quantifier-free formula (a
Boolean expression)
of
L,
and,
finally, the letters
p,
q,
r
to denote the formulas
(assertions)
of
L.
Denote
by
Y
the
least class of programs such
that
ACM
Transactions on Programming Languages and
Systems, Vol.
3,
No.
4,
October
1981.

Ten Years
of
Hoare's
logic:
A
Survey
433
1.
for every variable
x
and expression
t,
x
:=
t
E
Y;
and
2.
if
S,
81,
S2
E
Y,
then
S1;
82
E
Yand,
for every Boolean expression
e,
if
e
then
Si
else
S2
fi
E
«I'
and
while
e
do
S
od
E
Y.
The
elements
of
Yare
called
while
programs.
2.1 The Proof System
The
basic formulas
ofHoare's
logic are constructs of
the
form
{p}
S
{q}
(called
asserted
programs)
where
p, q
are assertions and
SEY'.
The
formulas
are
not
subject
to
Boolean operations.
The
intuitive meaning of
the
construct {
p}
S
{
q}
is
as
follows: whenever
p
holds
before
the
execution of
S
and
S
terminates,
then
q holds
after
the
execution of
S.
Hoare's
logic is a system of formal reasoning about
the
asserted programs.
Its
axioms
and
proof
rules are
the
following.
AXIOM
1:
ASSIGNMENT
AXIOM
{p[t/x]}
x
:=
t
{p}.
RULE
2:
COMPOSITION
RULE
{p}
Si
{r}, {r}
S2
{q}
{p}
S1;
82
{q}
RULE
3:
if-then-else
RULE
{p
/\
e}
S1
{q},
{p
/\
ie}
S2
{q}
{p}
ife
then
S1
else
S2
fi
{q}
RULE
4:
while
RULE
{p/\e}S{p}
{p}
while
e
do
Sod
{p
/\
•e}
·
As usual,
p[t/x]
stands for
the
result of substituting
t
for
the
free occurrences
ofxinp.
2.2
An
Example
of
a Proof
As a typical example of a proof in
the
system,
take
for
L
the
language
of
Peano
arithmetic
augmented
with
the
minus operation
and
consider
the
program
So
computing
the
integer division of two
natural
numbers x
and
y:
a
:=
O;
b
:=
x;
while
b
:::::
y
do
b
:=
b -
y;
a
:=
a
+
1
od.
We now prove
that
{ x
2:
0
/\
y
2:
O}
So
{a
·
y
+
b
=
x
/\
0
-:S
b
<
y},
(1)
that
is,
that
if
x,
y
are nonnegative integers
and
8
0
terminates,
then
a
is
the
integer
quotient
of
x
divided
by
y
and
bis
the
remainder.
(*)
The
proof
runs
as follows.
By
the
assignment axiom,
{O
. y
+
x
=
x
/\
x
2:
O}
a:=
0
{a
·
y
+
x
=
x
/\
x
2:
O}
(2)
ACM
Transactions
on
Programming Languages and
Systems,
Vol.
3,
No.
4,
October
1981.

434 Krzysztof
R.
Apt
and
{a .
y
+
x
=
x
/\
x
2:
O}
b
:=
x
{a .
y
+
b
=
x
/\
b
2:
O};
(3)
so,
by
the composition rule,
{O
.
y
+
x
=
x
/\
x::::
O}
a:=
O;
b
:=
x
{a
·
y
+
b
=
x
/\
b
2:
0}.
(4)
Now
x::::O/\y::::O-o
·y+x=x/\x2:0
holds; so
(5)
and
(4)
imply
{ x
::::
0
/\
y
2:
0}
a
:=
O;
b
:=
x
{a
·
y
+
b
=
x
/\
b
2:
0}.
On
the
other hand, by
the
assignment axiom,
and
{(a
+
1)
.
y
+
b -
y
=
x
/\
b -
y
::::
O}
b
:=
b - y
{(a+l)
.y+b=x/\b2:0}
(5)
(6)
(7)
{(a+
1)
.
y
+
b
=
x
/\
b
2:
O}
a:=
a+
1
{a·
y
+
b
=
x
/\
b
2:
O}; (8)
so, by
the
composition rule,
{(a
+
1)
·
y
+
b -
y
=
x
/\
b -
y
2:
O}
b
:=
b -
y;
a:=
a+
1
{a·
y
+
b
=
x
/\
b
2:
O}.
Now
a·
y
+
b
=
x
/\
b
2:
0
/\
b
2:y
-
(a
+
1)
•
y
+
b - y
=
x
/\
b - y
2:
0
holds; so
(10)
and
(9)
imply
{a
·y+b=x/\b2:0/\b2:y}
b
:=
b -
y;
a:=
a+
1
{a
·
y
+
b
=
x
/\
b
2:
O}.
(11)
implies, by
the
while
rule,
{a ·
y
+
b
=
x
/\
b
2:
O}
while
b
2:
y
do
b
:=
b -
y;
a
:=
a
+
1
od
{a
·
y
+
b
=
x
/\
b
2:
0
/\
b
<
y}.
Finally,
(6)
and
(12)
imply
(1)
by
the
composition rule.
2.3
The Rule of Consequence
(9)
(10)
(11)
(12)
Several
remarks are
in
order. First,
to
justify
the
above
proof
we
have
to
explain
how
we
derived
(6)
from
(5)
and
(4)
and
derived
(11)
from
(10)
and
(9).
These
steps, although intuitively clear, lack a formal basis.
The
missing
proof
rule
which
we used here is
the
following:
RULE
5:
CONSEQUENCE
RULE
P-
P1,
{p1}
S
{q1},
q, -
q
{p}
s
{q}
ACM
Transactions on Programming
Languages and Systems, Vol.
3,
No.
4,
October
1981.

Ten Years
of
Hoare's
Logic: A
Survey
435
In
the
example,
we
used this rule for
q
1
=
q,
but
in
general
the
above version
is needed.
This
rule forces us to include assertions among
the
formulas
of
Hoare's logic.
Denote
the
resulting system by
H.
Now,
to
get
(5)
and
(10),
we have to
augment
H
with a formal proof system
concerning assertions.
In
this
particular case,
any
elementary theory
T
in
the
underlying
L,
in which
(5)
and
(10)
can
be
proved,
will
do.
The
proofs
of
(5)
and
(10)
in
T,
concatenated with
the
sequence
(2)-(12),
(1)
of
asserted programs or
assertions, finally form a proof of
(1)
in
H
U
T.
This
interpretation is by no means satisfactory for our purposes.
We
do not
care
whether
(5)
and
(10)
are theorems
of
a
theory
T.
All we need to know is
that
(5)
and
(10)
are
true
in
the
domain of integers.
2.4
Soundness
of
H
Let
A be a
set
of assertions.
Let
us write A
1-H
{
p}
S
{
q}
to
denote
the
fact
that
there
exists a proof of {
p}
S {
q}
in
H
which uses as assumptions (for
the
consequence rule) assertions from
A.
We have
thus
shown
that
(5),
(10)
1-H
(1).
The
whole idea of
the
above proof is
that
we wish
to
interpret
(1)
as(*).
To
do
this, we
must
first introduce
the
notion
of
the
truth
of
an
asserted program
under
an
interpretation
l
of the language
L.
In
this
case we choose for
l
the
standard
interpretation
lo
of
L
with
the
domain
of
integers.
So
let
l
be
an
interpretation of
L
with a
nonempty
domain
D.
By a
state
we
mean
a function assigning
to
each variable
x
a value from
the
domain
D. We use
the
letters
o,
T
to
denote states.
The
relation
"under
the interpretation
l
an
assertion
p
is true in a
state
o,"
written
as
t=1
p(O),
is defined in
the
usual way.
Iffor
all
states
o
t=1
p(o)
holds, we
say
that
p
is
true under
l,
written
t=
1
p.
With
each
program
S
E
51'
we can
associate a
meaning
.Ar(S)
under
l,
this being a
partial
function from
states
to
states.
It
is easy to define
.;ft'r(S)
so as
to
capture
the
intended meaning of
the
program.
Having
done so,
we
can finally define
the
truth
of
an
asserted program
under
I.
We
say
that
an
asserted program { p}
S
{
q} is
true under I
if
for
all
states
o,
T,
if
t=r
p(8)
and.;ft'1(S)(o)
=
T,
thent=1
q(T).
This
definition is clearly a correct formalization
of
the
informal notion
of
the
truth
of
{p}
S
{q}. We can now safely
state
that(*)
simply says
that
(1)
is
true
under
lo.
The
last
step in
the
justification
of
(
*)
is
the
following. Call
an
asserted program
valid
if
it
is
true
under
all
interpretations
I.
Call a
proof
rule
sound
if
for
all
interpretations
lit
preserves
the
truth
under
I
of
the
asserted programs (and, in
the
case
of
the
consequence rule, assertions).
It
is
easy
to prove
that
the
axioms
of
H
are
valid
and
the proof rules
of
H
are
sound.
This
fact implies (by induction on
the
length
of
proofs)
the
following theorem,
which
states
that
the
proof system
H
is
sound.
THEOREM
1.
For every interpretation I, set
of
assertions
A,
and
asserted
program
<p
the following holds:
if
all assertions from A are true under I
and
A
1-H
cp,
then
cp
is true under
l.
ACM
Transactions on Programming Languages
and
Systems,
Vol.
3,
No.
4,
October
1981.

Frequently asked questions

Q1. What are the contributions in this paper?

A survey of various results concerning Hoare 's approach to proving partial and total correctness of programs is presented. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.