Lecture 3: Hoare Logic

COMS E6998 Formal Verification of System Software
Fall 2018
Ronghui Gu

1. What is Hoare Logic

Goal of formal verification: software without bugs.

We have seen how to reason about mathematical properties in FOL
From now on, we will see how to reason about simple imperative programs
- FOL for specifications

1.1 Intro to Hoare Logic

The goal is to prove the following specification:

"Program $C$ computes a number $y$ which is less than the input $x$ "
“Program $C$ computes an array of integers that is increasingly ordered”

using the following logical formalism:

$\{P\}\ C\ \{Q\}$

$P$ and $Q$ are called assertions, which are fornulae in a base logic (FOL in our case)
$P$ is the Precondition and $Q$ is the Postcondition
$C$ is a program
Meaning: if the precondition $P$ is satisfied, after executing the program $C$ , the postcondition $Q$ holds.

Examples:

$\{⊤\}\ y := x - 1\ \{y <x\}$
$\{⊤\}\ C\ \{\forall i. (0\leq i < |a|-1) \rightarrow a[i]\leq a[i+1]\}$

1.2 A simple imperative language

Language Syntax:

Expressions:

$\begin{align} eop :=& + \ | \ - \ | \times \ | \cdots \\ E:=& c\ |\ x\ |\ - E\ |\ E_1\ eop\ E_2 \end{align}$

Boolean Conditions:

$\begin{align} cop :=& < \ | > \ | \ \leq \ | \geq \ | = \ |\ !\!=\\ bop :=& \wedge \ | \vee \ | \ \rightarrow \\ B:=& \textbf{true}\ |\ \textbf{false} \ |\ E_1\ cop\ E_2 \ |\ \neg B \ |\ B_1\ bop\ B_2 \end{align}$

Program Statements:

$C := \textbf{skip} \ | \ x:=E \ |\ C_1; C_2 \ | \ \textbf{if } B \textbf{ then } C_1 \textbf{ else } C_2 \ | \ \textbf{while } B\ C$

Language Semantics:

State $s$ : a map from variables to values
- For this simple language, we assume the machine only has a heap. No memory and no registers.
- Also, we only consider integer values.
Program semantics is defined as a labeled transition system
$s \overset{C}{\leadsto} s'$
which states that, starting from the initial state $s$ , the execution of program $C$ will result in the final state $s'$ .
$\frac{s':= s\{x:[\![ E ]\!]^{s} \}}{s \overset{x:=E}{\leadsto} s'} \qquad \frac{s \overset{C_1}{\leadsto} s'' \quad s'' \overset{C_2}{\leadsto} s'}{s \overset{C_1; C_2}{\leadsto} s'}$ $\frac{[\![ B ]\!]^s = \textbf{true}\quad s \overset{C_1}{\leadsto} s'} {s \overset{\textbf{if } B \textbf{ then } C_1 \textbf{ else } C_2}{\leadsto} s'} \qquad \frac{[\![ B ]\!]^s = \textbf{false}\quad s \overset{C_2}{\leadsto} s'} {s \overset{\textbf{if } B \textbf{ then } C_1 \textbf{ else } C_2}{\leadsto} s'}$ $\frac{[\![ B ]\!]^s = \textbf{true}\quad s \overset{C;\textbf{while } B\ C }{\leadsto} s'} {s \overset{\textbf{while } B\ C}{\leadsto} s'} \qquad \frac{[\![ B ]\!]^s = \textbf{false}} {s \overset{\textbf{while } B\ C}{\leadsto} s}$

1.3 Assertion language

Assertion: A logical formula describing a set of valuations on program variables with some interesting property.

expressed in the underlying logic
in this course, we use FOL

Assertion semantics: if the integer model $\mathcal{M}$ and the environment (i.e., state) $s$ models the assertion $A$

$\mathcal{M} \models_s A\ \Leftrightarrow\ s \models A$

1.4 Hoare Triple Semantics

The partial correctness Hoare triple $\{P\}\ C\ \{Q\}$ is valid iff

$\forall s\models P.\forall s'. s \overset{C}{\leadsto} s' \rightarrow s'\models Q\$

The total correctness Hoare triple $[P]\ C\ [Q]$ is valid iff

$\forall s\models P.\exists s'. s \overset{C}{\leadsto} s' \wedge s'\models Q\$

For program $C$ without loops, we have

$\{P\}\ C\ \{Q\} \Leftrightarrow [P]\ C\ [Q]$

2 Hoare Logic Inference Rules

Weakening Rule

$\frac{P\rightarrow P'\quad \{P'\}\ C\ \{Q'\}\quad Q\rightarrow Q'} {\{P\}\ C\ \{Q\}}\text{WEAK}$

Assignment Rule
$\frac{} {\{A[E/x]\}\ x:=E\ \{A\}}\text{ASG}$
Example:
$\{(z\times y > 5) \wedge (\exists x, y = x^x)\} \ x:= z*y\ \{(x > 5) \wedge (\exists x, y = x^x)\}$
Forward assignment rule:
$\frac{} {\{A\}\ x:=E\ \{\exists x_0, A[x_0/x] \wedge x = E[x_0/x]\}}\text{ASG-FWD}$
Sequential Rule
$\frac{\{P\}\ C_1\ \{A\} \quad \{A\}\ C_2\ \{Q\}} {\{P\}\ C_1; C_2\ \{Q\}}\text{SEQ}$
Example:
$\frac{\{y+z > 4\}\ y:=y+z\ \{y>3\} \quad \{y>3\}\ x:=y+2\ \{x>5\}} {\{y+z+2>5\}\ y:=y+z;x:=y+2\ \{x>5\}}$
Conditional Branch Rule
$\frac{\{P \wedge B\}\ C_1\ \{Q\} \quad \{P \wedge \neg B\}\ C_2\ \{Q\}} {\{P\}\ \textbf{if } B \textbf{ then } C_1 \textbf{ else } C_2\ \{Q\}}\text{IF}$
Example:
$\frac{\{⊤ \wedge x > 0\}\ y:= x\ \{y \geq 0\} \quad \{⊤ \wedge \neg (x > 0)\}\ y:= -x\ \{y \geq 0\}} {\{⊤\}\ \textbf{if } x > 0 \textbf{ then } y:= x \textbf{ else } y:= -x\ \{y \geq 0\}}$
```
// Proof.
// { ⊤ }              (PRE)
if x > 0 then {
  // { ⊤ ∧ x > 0 }    (IF)
  // { x >= 0 }       (WEAK)
  y := x;
  // { y >= 0 }       (ASG)
} else {
  // { ⊤ ∧ ~ (x > 0)} (IF)
  // { -x >= 0 }      (WEAK)
  y := -x
  // { y >= 0 }       (ASG)
}
// { y >= 0 }         (IF)
```
Q: What if $\{P \wedge B\}\ C_1\ \{Q_1\}$ and $\{P \wedge \neg B\}\ C_2\ \{Q_2\}$ ?
Partial Correctness of Loops Rule
$\frac{\{I \wedge B\}\ C\ \{I\}} {\{I\}\ \textbf{while } B\ C\ \{I \wedge \neg B\}}\text{While}$
- $I$ is the loop invariants.
- Take it in this way, the inference rule is to derive the pre- and postconditions of “ $\textbf{while } B\ C$ ”:
  - Suppose $\{P\} \textbf{while } B\ C \{Q\}$
  - If $P \rightarrow \neg B$ , the loop becomes a $\textbf{skip}$ , thus $\{P\} \textbf{while } B\ C \{P\}$ , which is equivalent to:
  $\{P\} \textbf{while } B\ C \{P \wedge \neg B\}$
  - If $P \rightarrow B$ , the loop body $C$ is executed
    - We know that if $Q'$ holds after the completion of $C$ , this $Q'$ has to meet the precondition of starting the next iteration of $C$ (as long as $B$ is true) and eventually after any number of iterations of $C$ (until $B$ is false).
    - Thus, we know that $\{Q' \wedge \neg B\}\ C\ \{Q'\}$ and when the loop terminates the postcondition is $Q' \wedge B$ .
    - Since the precondition of while loop should be the precondition of $C$ (when $B$ holds), we know that:
    $\{Q'\} \textbf{while } B\ C \{Q' \wedge \neg B\}$
  - We write $I = P = Q'$ and call them loop invariants: $\{I\} \textbf{while } B\ C \{I \wedge \neg B\}$
- Partial Correctness Semantics:
  - if loop does not terminate, Hoare triple is vacuously satisfied
  - if it terminates, $I \wedge \neg B$ must be satisfied
- Example:
  $\frac{\{x_0=x+z \wedge z\neq 0\}\ x:=x+1; z:=z-1\ \{x_0 = x +z\}} {\{x_0=x+z\}\ \textbf{while } (z !\!= 0) \{x:=x+1; z:=z-1\}\ \{x_0 = x+z \wedge z=0\}}$
```
// Proof.
// { x0 = x+z }             (PRE)
while z != 0 {
  // { x0 = x+z ∧ z != 0}   (WHILE)
  // { x0 = (x+1)+(z-1) }   (WEAK)
  x := x + 1;
  // { x0 = x+(z-1) }       (ASG)
  z := z - 1;
  // { x0 = x+z }           (ASG)
}
// { x0 = x+z ∧ z = 0 }     (WHILE)
```
  - Logical (ghost) variables: variable $x_0$ is used only in formulas to “remember” some value
  - program variables: variables used by the program from the starting state.
- Q Prove $\{x>0\}\ \text{Fact1}\ \{y:= x! \}$ where
```
// Program Fact1 is
y := 1;
z := 0;
while (z != x) {
  z := z + 1;
  y := y * z;
}
```
```
// Proof.
// { x > 0 }                (PRE)
// { 1 = 0! }               (WEAK)
y := 1;
// { y = 0! }               (ASG)
z := 0;
// { y = z! }               (ASG)
while (z != x) {
  // { y = z! ∧ z != x}     (WHILE)
  // { y * (z+1) = (z+1)!}  (WEAK)
  z := z + 1;
  // { y * z = z! }         (ASG)
  y := y * z;
  // { y = z! }             (ASG)
}
// { y = z! ∧ ~(z != x)}    (WHILE)
// { y = x!}                (WEAK)
```

Total Correctness of Loops Rule

$\frac{[I \wedge B \wedge 0 \leq E = E_0]\ C\ [I\wedge 0 \leq E < E_0]} {[I \wedge \wedge 0 \leq E ]\ \textbf{while } B\ C\ [I \wedge \neg B]}\text{While}$

$E$ is the loop variant.
A variant is not always easy to find:
- Collatz Conjecture: the following program C satisfies $⊢ [0 < x] C [⊤]$ (i.e., the program terminates for all positive inputs)
```
c = x;
while (c != 1) {
  if ( c % 2 == 0 ) {
    c = c / 2;
  }else {
    c = 3 * c + 1;
  }
}
```

Q Prove $[x>0]\ \text{Fact1}\ [y:= x!]$

// Proof.
// [ x > 0 ]                        (PRE)
// [ 1 = 0! ]                       (WEAK)
y := 1;
// [ y = 0! ]                       (ASG)
z := 0;
// [ y = z! ]                       (ASG)
// [ y = z! ∧ 0 <= x-z ]            (WEAK)
while (z != x) {
  // [ y = z! ∧ (0 <= x-z = x-z0) ∧ z != x]      (WHILE)
  // [ y*(z+1) = (z+1)! ∧ 0 <= x-(z+1) < x-z0 ]  (WEAK)
  z := z + 1;
  // [ y*z = z! ∧ 0 <= x-z < x-z0 ]              (ASG)
  y := y * z;
  // [ y = z! ∧ 0 <= x-z < x-z0 ]                (ASG)
}
// [ y = z! ∧ ~(z != x)]            (WHILE)
// [ y = x! ]                       (WEAK)

3 Weakest Precondition

Intuitively, the largest set of states (represented as an assertion) starting from which if a program $C$ is executed, the resulting states satisfy a given post-condition $Q$ , which is denoted as “ $wp(C, Q)$ ”.

Definition
Given $C$ and $Q$ , a weakest precondition $wp(C, Q)$ is an assertion such that

it is a precondition: $\models \{wp(C, Q)\}\ C\ \{Q\}$
it is weakest: $\forall P$ if $\models \{P\}\ C\ \{Q\}$ then $\models P \rightarrow wp(C, Q)$

3.1 Weakest Precondition Exists

Assignment: $wp(x:=E, Q) = Q[E/x]$
Seq: $wp(C1;C2, Q) = wp(C1, wp(C2, Q))$
Condition: $wp(\textbf{if }B\textbf{ then }C1\textbf{ else }C2, Q) = (B\wedge wp(C1,Q)) \vee (\neg B\wedge wp(C2,Q))$

Example: what is “ $wp(\textbf{if } x>0 \textbf{ then }y:=x\textbf{ else }y:=-x, y>=0)$ ”?
$\begin{align} &wp(\textbf{if } x>0 \textbf{ then }y:=x\textbf{ else }y:=-x, y\geq0)\\ &= (x>0 \wedge wp(y:=x, y \geq0)) \vee (\neg(x>0) \wedge wp(y:=-x, y \geq0)) \\ &=(x>0 \wedge x \geq0) \vee (\neg(x>0) \wedge -x \geq0) \\ &= x>0 \vee \neg(x>0) \\ &= ⊤ \end{align}$
Loops:
$wp(\textbf{while }B\ C, Q) = \bigwedge_{k\geq 0} P_k$
- $P_0$ = $⊤$
- $P_{k+1} = (B \wedge wp(C, P_k)) \vee (\neg B \wedge Q)$ : $\begin{align} &P_{k+1}\\ &= wp(\textbf{while}_{k+1}\ B\ C, Q) \\ &= wp(\textbf{if } B \textbf{ then }\{ C;\textbf{while}_{k}\ B\ C\} \textbf{ else skip}, Q) \\ &= (B \wedge wp(C, wp(\textbf{while}_{k}\ B\ C))) \vee (\neg B \wedge wp(\textbf{skip},Q)) \\ &= (B \wedge wp(C, P_k)) \vee (\neg B \wedge Q) \end{align}$
- By Kleene fixed-point theorem, we know that the fixed point exists and is called "loop invariants $I$ "
Loops with invariant: although we know that this loop invariant $I$ exists, in practice, such an abstract construction cannot be handled efficiently by theorem provers. Hence, loop invariants and variants are provided by human users.

If $I$ is provided as a correct loop invariant, then we have “ $\textbf{while }B\textbf{ inv }I\ C$ ” iff
- $(I ∧ B) \Rightarrow wp(C, I)$
- $wp(\textbf{while }B\textbf{ inv }I\ C , Q) ≡ (Q ∧ ¬B) ∨ (((I ∧ ¬B) \Rightarrow Q) ∧ I)$
Example: Given the following program
```
while (i < n) invariant i {
  i++;
}
```
- Let $Q := (i = n)$ .
  - $I := (i < n)$ , is not a correct loop invariant.
  - $I := (i <= n)$ is a correct invariant, and is sufficient to imply the post-condition $Q$ . In this case the weakest precondition is $(i\leq n)$ .
  - $I := i <= n+1$ is a correct (but weak) loop invariant, but is not sufficient to imply the post-condition. In this case the weakest precondition given $I$ is false.
- Let $Q := (n = 10)$ .
  - $I := (n = 10)$ is a correct loop invariant, and is necessary to imply the post-condition $Q$ . Then the weakest precondition is $(n = 10)$ .

4 Meta Theory of Hoare Logic

Theorem (Soundness)
Hoare Logic is sound: $⊢\{P\}C\{Q\}\ \Rightarrow\ \models \{P\}C\{Q\}$

Reason about the number of steps required to terminate loop for the loop rule. Then use induction on the structure of the proof tree.

Theorem (Relative Completeness)
If there is a complete proof system for proving assertions in the underlying logic, then all valid Hoare triples have a proof.

Hoare logic is no more incomplete than our language of assertions
First Order Logic is incomplete!
The result uses weakest pre-condition.

Proof.
Given $\models \{P\}C\{Q\}$ and the properties of the weakest precondition, we have that

$\models \{wp(C,Q)\}C\{Q\}$
$\models P \Rightarrow wp(C,Q)$
Since the weakest precondition can be proved using inference rules (proved by the induction over the definition of weakest precondition), we know

$⊢\{wp(C,Q)\}C\{Q\}$

Thus, as long as $⊢ P \Rightarrow wp(C,Q)$ , we know that

$⊢ \{P\}C\{Q\}$

$\Box$