Formal Semantics of

Programming Languages

Florian Zuleger
SS 2023
 Program with a (Partial) Specification

I Consider the following program:

y := 1;
while ¬(x = 1) do
y := y * x;
x := x - 1;
` : assert (y ≥ 0);
 Program with a (Partial) Specification

I Consider the following program:

y := 1;
while ¬(x = 1) do
y := y * x;
x := x - 1;
` : assert (y ≥ 0);

I Assertion makes a statement about the program state:

I Given state s at location `, we assert s(y ) ≥ 0.
 Assertion Languages

assert (y ≥ 0)

I In this context: (y ≥ 0) ∈ Bool,

(where Bool is set of Boolean expressions, as defined in Lecture 2)
Where Assertions Come From
Flow Diagrams Representing Programs
Assertion Boxes in Flow Diagrams

marked with #
 Assertion Boxes

“an assertion box never requires that any

specific calculations be made, it indicates
only that certain relations are automatically
fulfilled whenever [the program] gets to the
region which it occupies”

“The contents of an assertion box are one or

more relations. These may be equalities, in-
equalities, or any other logical expressions.”

[Goldstine & von Neumann 1947]

 Assertion Boxes

“an assertion box never requires that any

specific calculations be made, it indicates
only that certain relations are automatically
fulfilled whenever [the program] gets to the
region which it occupies”

“The contents of an assertion box are one

or more relations. These may be equalities,
inequalities, or any other logical expres-
sions.”

[Goldstine & von Neumann 1947]

Assertions are
I side-effect free
I Boolean expressions in a logical formalism
 First Order Logic

Syntax

formula ::= formula ∧ formula | formula ∨ formula |

formula ⇒ formula | formula ⇔ formula |
¬formula |
predicate (term,. . . ,term) | term = term
∀ variable . formula | ∃ variable . formula
term ::= variable | constant | function (term,. . . term)
I variables, functions, predicates, and constants are
represented by unique identifiers
I each function and predicate has a fixed arity
I ∀, ∃, ∧, ∨, ⇒, ⇔, ¬, and variables are logical symbols
I predicates, constants, functions are non-logical symbols
Note: The set of first-order logic formulae extends the set of
Boolean expressions Bool of our While language.
 First Order Logic

Examples

I ∀x . (even(x ) ∨ odd(x )) ∧ ∀x . (even(x ) ⇔ ¬ odd(x ))

I ∀x . ∀y . (x = y ) ⇒ (f (x ) = f (y ))
I ∀z . ∃y . + (z , y ) = 1
Note:
I even and odd are identifiers representing arbitrary predicates
I f , + are just identifiers representing some arbitrary functions
I 1 is just an identifier representing some arbitrary constant
 First Order Logic

Semantics

Definition (Model)
A model M of a formula F comprises
I a (non-empty) domain D, and
I an interpretation function assigning meaning to non-logical
symbols in F .
 First Order Logic

Semantics

Definition (Model)
A model M of a formula F comprises
I a (non-empty) domain D, and
I an interpretation function assigning meaning to non-logical
symbols in F .

For example:
I If c is a constant, then c M ∈ D
I If f is a function of arity n, then f M ∈ Dn → D
I Note: (f (t1 , . . . , tn ))M = f M (t1M , . . . , tnM )
 First Order Logic

Semantics

M |= F if and only if F is true in M

I M |= R (t1 , . . . , tn ) if and only if R M (t1M , . . . tnM )

I M |= (t1 = t2 ) if and only if (t1M = t2M )
I M |= ¬F if and only if not M |= F
I M |= F ∧ G if and only if M |= F and M |= G
I M |= F ∨ G if and only if M |= F or M |= G
I M |= F ⇒ G if and only if M |= ¬F ∨ G
I M |= F ⇔ G if and only if M |= (F ⇒ G) ∧ (G ⇒ F )
 First Order Logic

Semantics

M |= ∀x . F (x )
I if and only if for every m ∈ D, if we introduce a fresh constant
c and extend M such that c M = m, then M |= F (c )
 First Order Logic

Semantics

M |= ∀x . F (x )
I if and only if for every m ∈ D, if we introduce a fresh constant
c and extend M such that c M = m, then M |= F (c )
 First Order Logic

Semantics

M |= ∀x . F (x )
I if and only if for every m ∈ D, if we introduce a fresh constant
c and extend M such that c M = m, then M |= F (c )
M |= ∃x . F (x )
I if and only if there is a m ∈ D such that c M = m and
M |= F (c ) for some fresh constant c and extended M
 First Order Logic

Semantics

I Un-quantified variables are free

I Formulas in which all variables are quantified are closed (i.e.,
closed formulas have no free variables)
I Whether a closed formula F is true depends solely on D and
the denotations of the non-logical symbols in F
I We can’t evaluate a formula with free variables without
providing assignments to the free variables (we will do so in a
moment)
 First Order Logic

Semantics

I Often, we have a specific domain and denotation in mind

I For instance, D def
= Z, +M denotes addition, ∗M multiplication
, ...
(+(t1 , t2 ))M = t1M +M t2M
(∗(t1 , t2 ))M = t1M ∗M t2M
...
I The +M , ∗M , . . . on the right side are meta-logical
I In assertions we want to interpret the arithmetic and Boolean
expressions from our While language according to their
intended meaning
def
I From now on we fix the standard model, where D = Z and
the function symbols +, ∗, . . . and predicates ≥, ≤, . . . are
interpreted according to their expected semantics
 First Order Logic

Semantics

I We will use a state s : Var → Z to assign meaning to the free

variables in a formula:
We interpret x by s(x ).
I Given a formula F whose free variables are contained in Var,
we write s |= F to denote that F is true under the variable
assignment s (recall that all function symbols and predicates
are interpreted according to the standard model).
I Note that according to this definition we have
s |= E = n if and only if JE Ks = n
s |= B if and only if JB Ks = true
for all arithmetic expressions E and Boolean expressions B
from our While language (exercise: prove this statement).
 First Order Logic Assertions

I We use first-order logic as assertion language.

I We interpret first-order formulae over the standard model.
I Example:

We consider the state s = {x 7→ 3, y 7→ 5} and the assertion

y ≥ 0.

We have
{x 7→ 3, y 7→ 5} |= y ≥ 0.
 First Order Logic Assertions

I Each formula F characterizes a set of states:

{s | s |= F }
I For instance:
I (x > 1)∧ 6 ∃i , j .(x = i · j ) ∧ (i > 1) ∧ (j > 1))
 First Order Logic Assertions

I Each formula F characterizes a set of states:

{s | s |= F }
I For instance:
I (x > 1)∧ 6 ∃i , j .(x = i · j ) ∧ (i > 1) ∧ (j > 1))
(the set of states in which s(x ) is a prime number)
 First Order Logic: Inference Rules

I Inference rules provide means to reason in FOL:

premises
conclusion

I For instance, for arbitrary formulas P, Q, R:

¬¬P P P Q P∧Q P∧Q P

P ¬¬P P∧Q P Q∧P P∨Q
P ∨ Q ¬P ∨ R P⇔Q Q P⇒Q Q⇒P
Q∨R P P⇔Q
 First Order Logic: Derivations

I For instance:

∀x . P (x ) ∨ ¬∀y . Q (y ) ∀y . Q (y )
∀x . P (x )

I A derivation comprises a number of inference steps, e.g.:

¬¬P ¬R ∧ Q
P Q
P∧Q

I We write P ` Q if Q can be derived from P

 First Order Logic: Derivations

I We can also use derivations in premises:

P`Q P ` ¬Q
(reductio ad absurdum)
¬P

P`Q
(Deduction theorem)
P⇒Q

P∨Q P`R Q`R

(Case analysis)
R
 First Order Logic: Axioms

I An axiom is an inference rule without a premise:

(We will omit the bar if it’s clear that P is an axiom)

 First Order Logic: Axioms

I An axiom is an inference rule without a premise:

(We will omit the bar if it’s clear that P is an axiom)

I Axioms denote tautologies in a given theory, e.g.:

∀x , y . (x + y ) = (y + x )
∀x . even(x ) ∨ odd(x )
∀x . prime(x ) ⇔ ((x > 1)∧ 6 ∃i , j .(x = i · j ) ∧ (i > 1) ∧ (j > 1)))
 First Order Logic: Axioms

I An axiom is an inference rule without a premise:

(We will omit the bar if it’s clear that P is an axiom)

I Axioms denote tautologies in a given theory, e.g.:

∀x , y . (x + y ) = (y + x )
∀x . even(x ) ∨ odd(x )
∀x . prime(x ) ⇔ ((x > 1)∧ 6 ∃i , j .(x = i · j ) ∧ (i > 1) ∧ (j > 1)))

I Last example shows that we can use axioms to determine the

denotation of non-logical symbols
 First Order Logic: Substitution

I We use P [t /x ] to denote the replacement of all free

occurrences of x in P by term t. Then

∀x .P
(universal instantiation)
P [t /x ]

if no free variable of t becomes bound during the substitution

 First Order Logic: Substitution

I We use P [t /x ] to denote the replacement of all free

occurrences of x in P by term t. Then

∀x .P
(universal instantiation)
P [t /x ]

if no free variable of t becomes bound during the substitution

I For instance:
∀x . even(x ) ∨ odd(x )
even(1) ∨ odd(1)
 First Order Logic: Substitution

I We use P [t /x ] to denote the replacement of all free

occurrences of x in P by term t. Then

∀x .P
(universal instantiation)
P [t /x ]

if no free variable of t becomes bound during the substitution

I For instance:
∀x . even(x ) ∨ odd(x )
even(1) ∨ odd(1)

I But not:
∀x . ∃y . x = y
(∃y . x = y )[y + 1/x ]
 First Order Logic: Substitution

I We use P [t /x ] to denote the replacement of all free

occurrences of x in P by term t. Then

∀x .P
(universal instantiation)
P [t /x ]

if no free variable of t becomes bound during the substitution

I For instance:
∀x . even(x ) ∨ odd(x )
even(1) ∨ odd(1)

I But not:
∀x . ∃y . x = y
∃y . y + 1 = y
 First Order Logic: Substitution

I Substitutions can also occur in the premise:

P [c /x ]
(existential generalization)
∃x . P

where c is a constant and x must not occur free in P [c /x ]

 First Order Logic: Substitution

I Universal instantiation allows substitution of universally

quantified variables
I What about free variables?
I Depends on state s!
I Substitution lemma:

s |= P [t /x ] s |= t = c
s[x 7→ c ] |= P
 Instructions and Assertions

I FOL and derivations enable us to reason about assertions

I But what about instructions?
I Currently, we can’t refer to instructions in inference rules
Assigning Meaning to Programs [Floyd67]

I Used assertions to attach

logical interpretations to
programs
I proof “by induction on the
number of commands
executed”
Robert W. Floyd
(1936-2001)
Assigning Meaning to Programs [Floyd67]
An Axiomatic Basis for Computer Programming
[Hoare69]

I “Hoare Logic” (aka

Floyd-Hoare Logic)
I System of axioms and
inference rules for program
verification
Sir Tony Hoare
(1934–)
 Hoare Triples

{P } C {Q }

Definition (Hoare Triple)

A Hoare triple comprises a pre-condition, a statement, and a
post-condition.
The Hoare Triple
{P } C {Q }
means that if C is executed in a state for which P holds, then Q is
true for any state in which C may halt.
We refer to P as the pre-condition and to Q as the post-condition
of the Hoare Triple.
 Hoare Triples

{P } C {Q }

In terms of operational (big-step) semantics:

I if s |= P and hC , si ⇓ s0 then s0 |= Q

A Hoare triple characterizes the effect of commands on assertions

 Hoare’s Axioms: Skip statement

{P } skip {P }
Example:
I {x > 10} skip {x > 10}
I one example should really be enough ;-)
 Hoare’s Axioms: Assignment

{Q [E /x ]} x :=E {Q }
Intuition:
I Q holds for new value of x
I E evaluated in old state determines new value of x
I Therefore, Q [E /x ] must hold before execution
We will make this intuition more formal later.
 Hoare’s Axioms: Assignment

{Q [E /x ]} x :=E {Q }
Examples:
I {x > 10} y :=10 {x > y }
I {x > y + 1} y :=y + 1 {x > y }
I {∃z . z > x + 1} y :=x + 1 {∃x . x > y }
I Rename quantified x to avoid clash!
 Hoare’s Axioms: Composition

{P } C1 {R } { R } C2 {Q }
{P } C1 ;C2 {Q }
Example:

{(x + 1) ≤ 10} x := x + 1 {x ≤ 10} {x ≤ 10} y := 0 {x ≤ 10}

{(x + 1) ≤ 10} x := x + 1; y := 0 {x ≤ 10}
 Hoare’s Axioms: Conditional

{B ∧ P } C1 {Q } {¬B ∧ P } C2 {Q }
{P } if B then C1 else C2 {Q }
Example:

{even(x )} x := x + 1 {odd(x )} {¬ even(x )} skip {odd(x )}

{true} if (even(x )) then x := x + 1 else skip {odd(x )}
 Hoare’s Axioms: Conditional

{B ∧ P } C1 {Q } {¬B ∧ P } C2 {Q }
{P } if B then C1 else C2 {Q }
Example:

{even(x )} x := x + 1 {odd(x )} {¬ even(x )} skip {odd(x )}

{true} if (even(x )) then x := x + 1 else skip {odd(x )}

I Where (or what) is P in this example?

 Hoare’s Axioms: Consequence

P0 ⇒ P {P } S {Q } Q ⇒ Q 0
{P 0 } S {Q 0 }
It is legal to
I strengthen pre-condition, and
I weaken the post-condition
Also allows us to combine Hoare Logic and FOL derivations:

¬ even(x ) ` odd(x )
{even(x )} x := x + 1 {¬ even(x )} ¬ even(x ) ⇒ odd(x )
{even(x )} x := x + 1 {odd(x )}

and
∀n . even(n) ∨ odd(n)
¬ even(x ) even(x ) ∨ odd(x )
odd(x )
 While Loops

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }
I Statement S doesn’t change P (P is invariant)
I P holds upon loop entry and exit (loop invariant)
Example:

{(x 6= 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0}
{x ≥ 0} while (x 6= 0) do x := x − 1 {¬(x 6= 0) ∧ (x ≥ 0)}
 While Loops
In context of a larger proof:
(x 6= 0) ∧ (x ≥ 0) ` (x − 1 ≥ 0)
(x 6= 0) ∧ (x ≥ 0) ⇒ (x − 1 ≥ 0) {(x − 1 ≥ 0)} x := x − 1 {x ≥ 0}
{(x 6= 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0}
{x ≥ 0} while (x 6= 0) do x := x − 1 {¬(x 6= 0) ∧ (x ≥ 0)}

Here, we derive
I {(x − 1 ≥ 0)} x := x − 1 {x ≥ 0} using Hoare’s assignment rule
I {(x 6= 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0} using rule of consequence
I {x ≥ 0} while (x 6= 0) do x := x − 1 {¬(x 6= 0) ∧ (x ≥ 0)} using loop
rule
 While Loops
In context of a larger proof:
(x 6= 0) ∧ (x ≥ 0) ` (x − 1 ≥ 0)
(x 6= 0) ∧ (x ≥ 0) ⇒ (x − 1 ≥ 0) {(x − 1 ≥ 0)} x := x − 1 {x ≥ 0}
{(x 6= 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0}
{x ≥ 0} while (x 6= 0) do x := x − 1 {¬(x 6= 0) ∧ (x ≥ 0)}

Here, we derive
I {(x − 1 ≥ 0)} x := x − 1 {x ≥ 0} using Hoare’s assignment rule
I {(x 6= 0) ∧ (x ≥ 0)} x := x − 1 {x ≥ 0} using rule of consequence
I {x ≥ 0} while (x 6= 0) do x := x − 1 {¬(x 6= 0) ∧ (x ≥ 0)} using loop
rule

Don’t forget: we still have to discharge the assumption

(x 6= 0) ∧ (x ≥ 0) ` (x − 1 ≥ 0)

to show that the Hoare triple is valid. Requires the theory of integer
arithmetic (not presented here).
 Hoare Rules: Overview

{P } C1 {Q } , {Q } C2 {R }
{P [E /x]} x:=E {P } {P } C1 ; C2 {R }

{B ∧ P } C1 {Q } {¬B ∧ P } C2 {Q }
{P } if B then C1 else C2 {Q }

P0 ⇒ P {P } C {Q } Q ⇒ Q 0
{P 0 } C {Q 0 }

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }
 Greatest Common Divisor

Let

∀x , y , z . divides(x , y , z ) ⇔ (z > 0 ∧ x %z = 0 ∧ y %z = 0)
∀x , y , z . z = GCD (x , y ) ⇔ divides(x , y , z )∧
(6 ∃r . r > z ∧ divides(x , y , r ))

I (assuming % is the modulo operator)

 A Hoare Logic Proof of Euclid’s Algorithm

We want to show the following:

{x ≥ 0 ∧ y ≥ 0}
if (x > y ) then
k := x;
m := y;
else
k := y;
m := x;
while (m 6= 0) do
r := k %m;
k := m;
m := r ;
{GCD (x , y ) = k }
 A Hoare Logic Proof of Euclid’s Algorithm

I Break the proof into sub-proofs

I Us compact “in-line” presentation:

{P }
C1
{Q } {P } C1 {Q } {Q } C2 {R }
C2
{P } C1 ; C2 {R }
{R }
 Euclid’s Algorithm – Loop Invariant
Assume we have a predicate GCD with the following axioms
I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (x %y , y )
We will first show the following:

{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (m, k )}

while (m != 0) {
r = k % m;
k = m;
m = r;
}
{GCD (x , y ) = k }
 Euclid’s Algorithm – Loop Invariant
Assume we have a predicate GCD with the following axioms
I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (x %y , y )

while (m != 0) {

r = k % m;

k = m;

m = r;

}
 Euclid’s Algorithm – Loop Invariant
Assume we have a predicate GCD with the following axioms
I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (x %y , y )

while (m != 0) {

r = k % m;

k = m;

m = r;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
}
 Euclid’s Algorithm – Loop Invariant
Assume we have a predicate GCD with the following axioms
I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (x %y , y )

while (m != 0) {

r = k % m;

k = m;
{k ≥ r ∧ r ≥ 0 ∧ GCD (x , y ) = GCD (k , r )}
m = r;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
}
 Euclid’s Algorithm – Loop Invariant
Assume we have a predicate GCD with the following axioms
I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (x %y , y )

while (m != 0) {

r = k % m;
{m ≥ r ∧ r ≥ 0 ∧ GCD (x , y ) = GCD (m, r )}
k = m;
{k ≥ r ∧ r ≥ 0 ∧ GCD (x , y ) = GCD (k , r )}
m = r;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
}
 Euclid’s Algorithm – Loop Invariant
Assume we have a predicate GCD with the following axioms
I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (x %y , y )

while (m != 0) {
{m ≥ k %m ∧ k %m ≥ 0 ∧ GCD (x , y ) = GCD (m, (k %m))}
r = k % m;
{m ≥ r ∧ r ≥ 0 ∧ GCD (x , y ) = GCD (m, r )}
k = m;
{k ≥ r ∧ r ≥ 0 ∧ GCD (x , y ) = GCD (k , r )}
m = r;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
}
 Euclid’s Algorithm – Loop Invariant

Assume we have a predicate GCD with the following axioms

I ∀x , y . GCD (x , y ) = GCD (y , x )
I ∀x . GCD (0, x ) = x
I ∀x . GCD (x , x ) = x
I ∀x , y . (x ≥ y ∧ y > 0) ⇒ GCD (x , y ) = GCD (y , x %y )

(m 6= 0 ∧ k ≥ m ∧ m ≥ 0∧ {m ≥ k %m ∧ k %m ≥ 0∧
GCD (x , y ) = GCD (k , m)) GCD (x , y ) = GCD (m, (k %m))}
⇒ r := k %m; k := m; m = r
(m ≥ k % m ∧ m ≥ 0 {k ≥ m ∧ m ≥ 0∧
∧GCD (x , y ) = GCD (m, (k %m)) GCD (x , y ) = GCD (k , m)}
{m 6= 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
r := k %m; k := m; m = r
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Proof derivation for the Implication
We still need to show that

(m 6= 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)) ⇒

(m ≥ k %m ∧ k %m ≥ 0 ∧ GCD (x , y ) = GCD (m, (k %m)))

We need the following axioms of the theory of arithmetic:

∀x , y . (x ≥ y ) ⇔ ((x = y ) ∨ (x > y ))
∀x , y . (x ≥ y ∧ y > 0) ⇒ x %y ≥ 0
∀x , y . (x ≥ y ∧ y > 0) ⇒ y ≥ x %y

With these axioms we make the following inferences:

m 6= 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)
k ≥ m ∧ m > 0 ∧ GCD (x , y ) = GCD (k , m)
k ≥ m ∧ m > 0 ∧ GCD (x , y ) = GCD (m, k %m)
m ≥ k %m ∧ k %m ≥ 0 ∧ GCD (x , y ) = GCD (m, k %m)
 Euclid’s Algorithm – Loop Invariant

Note: Though tedious, this proof was still not entirely formal.
We implicitly applied a number of rules:
I Quantifier instantiation
I Transitivity of equality
I Following propositional rules:

P∧Q P∧Q P Q P⇒Q ¬P ∨ Q P

P Q P∧Q ¬P ∨ Q Q

In the exercises, reason at least as formal as here.

 Euclid’s Algorithm – Loop Invariant
We have established:

while (m 6= 0) do
{m 6= 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{m ≥ k %m ∧ k %m ≥ 0 ∧ GCD (x , y ) = GCD (m, (k %m))}
r:=k%m; k:=m; m=r
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}

Apply Hoare’s loop rule:

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

with
def
I P= k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)
def
I B= m 6= 0
 Euclid’s Algorithm – Loop Invariant

We obtain:

{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}

while (m 6= 0) do
r := k % m;
k := m;
m := r;
{m = 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Loop Invariant

We obtain:

{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}

while (m 6= 0) do
r := k % m;
k := m;
m := r;
{m = 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}

(m = 0) ∧ (GCD (x , y ) = GCD (k , m))

(GCD (x , y ) = GCD (k , 0)) GCD (k , 0) = k
GCD (x , y ) = k
 Euclid’s Algorithm – Loop Invariant

We obtain:

{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}

while (m 6= 0) do
r := k % m;
k := m;
m := r;
{m = 0 ∧ k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{GCD (x , y ) = k }

(m = 0) ∧ (GCD (x , y ) = GCD (k , m))

(GCD (x , y ) = GCD (k , 0)) GCD (k , 0) = k
GCD (x , y ) = k
 Euclid’s Algorithm – Loop Invariant

I We have established
def
P = k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)

as a loop invariant
I If P holds after n iterations of the loop, it also holds after n + 1
I We still need to establish the base case n = 0
 Euclid’s Algorithm – Induction, Base Case

Does
k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)
hold at the beginning of the loop?

{?}
if (x > y ) then
k := x;
m := y;
else
k := y;
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then

k := x;

m := y;

else

k := y;

m := x;

{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}

 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then

k := x;

m := y;

else

k := y;

m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then

k := x;

m := y;

else

k := y;
{k ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (k , x )}
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then

k := x;

m := y;

else
{y ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (y , x )}
k := y;
{k ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (k , x )}
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then

k := x;

m := y;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
else
{y ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (y , x )}
k := y;
{k ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (k , x )}
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then

k := x;
{k ≥ y ∧ y ≥ 0 ∧ GCD (x , y ) = GCD (k , y )}
m := y;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
else
{y ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (y , x )}
k := y;
{k ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (k , x )}
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

{?}
if (x > y ) then
{x ≥ y ∧ y ≥ 0 ∧ GCD (x , y ) = GCD (x , y )}
k := x;
{k ≥ y ∧ y ≥ 0 ∧ GCD (x , y ) = GCD (k , y )}
m := y;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
else
{y ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (y , x )}
k := y;
{k ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (k , x )}
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Induction, Base Case

Strengthen the pre-conditions of the branches:

I then-branch:

x >y ∧x ≥0∧y ≥0
x ≥y ∧y ≥0 (GCD (x , y ) = GCD (x , y ))
x ≥ y ∧ y ≥ 0 ∧ (GCD (x , y ) = GCD (x , y ))

I else-branch:

¬(x > y ) ∧ x ≥ 0 ∧ y ≥ 0 GCD (x , y ) = GCD (x , y )

y ≥x ∧x ≥0 GCD (x , y ) = GCD (y , x )
y ≥ x ∧ x ≥ 0 ∧ GCD (x , y ) = GCD (y , x )
 Euclid’s Algorithm – Hoare’s Conditional Rule

Apply
{B ∧ P } C1 {Q } {¬B ∧ P } C2 {Q }
{P } if B then C1 else C2 {Q }
with
def
I B= x >y
def
I P= x ≥0∧y ≥0
def
I Q= k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)
def
I C1 = k := x ; m := y
def
I C2 = k := y ; m := x
 Euclid’s Algorithm – Hoare’s Conditional Rule

We obtain

{x ≥ 0 ∧ y ≥ 0 }
if (x > y ) then
k := x;
m := y;
else
k := y;
m := x;
{k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m)}
 Euclid’s Algorithm – Hoare’s Compositional Rule

Finally:
{P } C1 {Q } , {Q } C2 {R }
{P } C1 ; C2 {R }
where
def def
C1 = C2 =
if (x > y ) then
k := x; while (m 6= 0) do
m := y; r := k % m;
else k := m;
k := y; m := r;
m := x;

def
P = x ≥ 0 ∧ y ≥ 0,
def
Q = k ≥ m ∧ m ≥ 0 ∧ GCD (x , y ) = GCD (k , m),
def
R = (GCD (x , y ) = k )
 Euclid’s Algorithm – Correctness Established

{x ≥ 0 ∧ y ≥ 0}
if (x > y ) then
k := x;
m := y;
else
k := y;
m := x;
while (m 6= 0) do
r := k % m;
k := m;
m := r;
{GCD (x , y ) = k }
 Hoare’s Axioms: Summary

{P } C1 {Q } , {Q } C2 {R }
{P [E /x]} x:=E {P } {P } C1 ; C2 {R }

{B ∧ P } C1 {Q } {¬B ∧ P } C2 {Q }
{P } if B then C1 else C2 {Q }

P0 ⇒ P {P } C {Q } Q ⇒ Q 0
{P 0 } C {Q 0 }

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }
 Hoare Logic: Soundness

Recall:

{P } C {Q } = s |= P ∧ hC , si ⇓ s0 ⇒ s0 |= Q
def

We use
I |= {P } C {Q } to denote that {P } C {Q } is valid.
I ` {P } C {Q } to denote that {P } C {Q } can be derived using
Hoare’s Axioms and the axioms and inference rules of
first-order logic with arithmetic over the integers.
 Hoare Logic: Soundness

Recall:

{P } C {Q } = s |= P ∧ hC , si ⇓ s0 ⇒ s0 |= Q
def

We use
I |= {P } C {Q } to denote that {P } C {Q } is valid.
I ` {P } C {Q } to denote that {P } C {Q } can be derived using
Hoare’s Axioms and the axioms and inference rules of
first-order logic with arithmetic over the integers.

Hoare Logic is sound if ` {P } C {Q } ⇒ |= {P } C {Q }

 Hoare Logic: Soundness

We need to show

∀s, s0 . s |= P ∧ hC , si ⇓ s0 ∧ ` {P } C {Q } ⇒ s0 |= Q


 Hoare Logic: Soundness

We will prove this by nested structural induction

I on the structure of ` {P } C {Q }
I as well as hC , si ⇓ s0 .
 Hoare Logic: Soundness

We will prove this by nested structural induction

I on the structure of ` {P } C {Q }
I as well as hC , si ⇓ s0 .

Structural induction:
I Reduce problem P to smaller sub-problem(s) Pi : Pi ≺ P
 Hoare Logic: Soundness

We will prove this by nested structural induction

I on the structure of ` {P } C {Q }
I as well as hC , si ⇓ s0 .

Structural induction:
I Reduce problem P to smaller sub-problem(s) Pi : Pi ≺ P
Nested structural induction:
I Consider two structures O, P.
I Define ordering:

(Oi , Pi ) ≺ (O , P ) ⇔ (Oi ≺ O ) ∨ ((Oi = O ) ∧ (Pi ≺ P ))

 Hoare Logic: Soundness

We will prove this by nested structural induction

I on the structure of ` {P } C {Q }
I as well as hC , si ⇓ s0 .

Structural induction:
I Reduce problem P to smaller sub-problem(s) Pi : Pi ≺ P
Nested structural induction:
I Consider two structures O, P.
I Define ordering:

(Oi , Pi ) ≺ (O , P ) ⇔ (Oi ≺ O ) ∨ ((Oi = O ) ∧ (Pi ≺ P ))

Intuition: Walk backwards derivations ` {P } C {Q } and hC , si ⇓ s0

simultaneously until we reach base case
 Hoare Logic: Soundness of Assignment Rule

{P [E /x]} x := E {P }
Corresponding step in big-step semantics (cf. Lecture 2):

JE Ks = n
hx := E , si ⇓ s[x 7→ n]
Using JE Ks = n, show that:
 
s |= Q [E /x ] ∧ hx := E , si ⇓ s[x 7→ n]
∀s .  ∧  ⇒ s[x 7→ n] |= Q
` {Q [E /x ]} x := E {Q }
 Hoare Logic: Soundness of Assignment Rule

{P [E /x]} x := E {P }
Corresponding step in big-step semantics (cf. Lecture 2):

JE Ks = n
hx := E , si ⇓ s[x 7→ n]
Using JE Ks = n, show that:
 
s |= Q [E /x ] ∧ hx := E , si ⇓ s[x 7→ n]
∀s .  ∧  ⇒ s[x 7→ n] |= Q
` {Q [E /x ]} x := E {Q }
Follows from substitution lemma
s |= Q [E /x ] s |= E = n
s[x 7→ n] |= Q

and the fact that s |= E = n if and only if JE Ks = n.

 Hoare Logic: Soundness of Consequence Rule

P0 ⇒ P {P } C {Q } Q ⇒ Q 0
{P 0 } C {Q 0 }
Induction hypothesis:

hC , si ⇓ s0 , ` {P } C {Q },
∀s, s . s |= P ∧ hC , si ⇓ s0 ∧ ` {P } C {Q } ⇒ (s0 |= Q )
0

We use the soundness of FOL derivations to prove rule correct:

I (s |= P 0 ) ⇒ (s |= P ) (since P 0 ⇒ P)
I Now apply induction hypothesis to derive (s0 |= Q )
I (s0 |= Q ) ⇒ (s0 |= Q 0 ) (since Q ⇒ Q 0 )
 Hoare Logic: Soundness of Composition Rule

{P } C1 {Q } {Q } C2 {R }
{P } C1 ; C2 {R }
Corresponding step in big-step semantics (cf. Lecture 2):

hC1 , si ⇓ s0 hC2 , s0 i ⇓ s00

hC1 ; C2 , si ⇓ s00

I Start with s |= P.
I Then s0 |= Q (by i.h. hC1 , si ⇓ s0 , {P } C1 {Q })
I Then s00 |= R (by i.h. hC2 , s0 i ⇓ s00 , {Q } C2 {R })
 Hoare Logic: Soundness of While Rule

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }
There are two corresponding big-step rules (cf. Lecture 2):

[B- WHILE .F] hB , si ⇓ false

hwhile B do C , si ⇓ s

hC , si ⇓ s1 hwhile B do C , s1 i ⇓ s0
[B- WHILE .T] hB , si ⇓ true
hwhile B do C , si ⇓ s0
We need to consider both. Start with the easier one.
 Hoare Logic: Soundness of While Rule

Hoare Rule for while loop:

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

Corresponding big-step rule:

[B- WHILE .F] JB Ks = false

hwhile B do C , si ⇓ s

Using JB Ks = false and {P ∧ B } C {P }, we need to show:

 
(s |= P ) ∧
∀s .  (hwhile B do C , si ⇓ s) ∧  ⇒ s |= (¬B ∧ P )
` {P } while B do C {¬B ∧ P }
 Hoare Logic: Soundness of While Rule

Hoare Rule for while loop:

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

Corresponding big-step rule:

[B- WHILE .F] JB Ks = false

hwhile B do C , si ⇓ s

Using JB Ks = false and {P ∧ B } C {P }, we need to show:

 
(s |= P ) ∧
∀s .  (hwhile B do C , si ⇓ s) ∧  ⇒ s |= (¬B ∧ P )
` {P } while B do C {¬B ∧ P }

I Trivial, since (s |= P ) and JB Ks = false implies s |= (¬B ∧ P )

 Hoare Logic: Soundness of While Rule

Hoare Rule for while loop:

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

Corresponding big-step rule:

hC , si ⇓ s1 hwhile B do C , s1 i ⇓ s0
[B- WHILE .T] JB Ks = true
hwhile B do C , si ⇓ s0

Need to show: s0 |= (¬B ∧ P )

I We assume s |= P (pre-condition of Hoare rule in conclusion)
I Because of JB Ks = true, we have s |= B
I Hence, s |= B ∧ P
I From i.h. hC , si ⇓ s1 and {P ∧ B } C {P }, we get s1 |= P
 Hoare Logic: Soundness of While Rule

Remember:
I Nested induction only requires “progress” in one structure.
I We can “put off” descending `

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

hC , si ⇓ s1 hwhile B do C , s1 i ⇓ s0
[B- WHILE .T] JB Ks = true
hwhile B do C , si ⇓ s0
 Hoare Logic: Soundness of While Rule

Remember:
I Nested induction only requires “progress” in one structure.
I We can “put off” descending `

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

hC , si ⇓ s1 hwhile B do C , s1 i ⇓ s0
[B- WHILE .T] JB Ks = true
hwhile B do C , si ⇓ s0

I We have derived s1 |= P in big-step structure.

I Apply i.h. hwhile B do C , s1 i ⇓ s0 and Hoare rule above
I Conclusion: s0 |= (¬B ∧ P )
 Hoare Logic: Soundness of While Rule

Remember:
I Nested induction only requires “progress” in one structure.
I We can “put off” descending `

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }

hC , si ⇓ s1 hwhile B do C , s1 i ⇓ s0
[B- WHILE .T] JB Ks = true
hwhile B do C , si ⇓ s0

I We have derived s1 |= P in big-step structure.

I Apply i.h. hwhile B do C , s1 i ⇓ s0 and Hoare rule above
I Conclusion: s0 |= (¬B ∧ P )
Q.E.D. 
 Hoare Logic: Soundness and Completeness

We proved that ` {P } C {Q } ⇒ |= {P } C {Q }
I under assumption that the derivations using the axioms and
inference rules of first-order logic with arithmetic over the
integers are sound
What about the other direction?

|= {P } C {Q } ⇒ ` {P } C {Q }

If a Hoare triple holds, can we always derive it?

 Hoare Logic: Completeness

Recall from Lecture 2 (non-termination):

I if C does not terminate then there is no s0 s.t. hC , si ⇓ s0
 Hoare Logic: Completeness

Recall from Lecture 2 (non-termination):

I if C does not terminate then there is no s0 s.t. hC , si ⇓ s0
Definition of {P } C {Q }:

{P } C {Q } = (s |= P ) ∧ hC , si ⇓ s0 ⇒ (s0 |= Q )
def
 Hoare Logic: Completeness

Recall from Lecture 2 (non-termination):

I if C does not terminate then there is no s0 s.t. hC , si ⇓ s0
Definition of {P } C {Q }:

{P } C {Q } = (s |= P ) ∧ hC , si ⇓ s0 ⇒ (s0 |= Q )
def

Therefore, if C does not terminate for all s with s |= P, then

{P } C {Q } is vacuously true, i.e., {P } C {false} is also true.
 Hoare Logic: Completeness

Recall from Lecture 2 (non-termination):

I if C does not terminate then there is no s0 s.t. hC , si ⇓ s0
Definition of {P } C {Q }:

{P } C {Q } = (s |= P ) ∧ hC , si ⇓ s0 ⇒ (s0 |= Q )
def

Therefore, if C does not terminate for all s with s |= P, then

{P } C {Q } is vacuously true, i.e., {P } C {false} is also true.

We will use this insight to relate the validity of Hoare triples to the
Halting Problem.
 Excursion: Results on the Halting Problem

Theorem (Turing, 1936)

Given a command C in the While language, it is not decidable

whether C terminates for the initial state s, where s(x ) = 0 for all
x ∈ Var .
 Excursion: Results on the Halting Problem

Theorem (Turing, 1936)

Given a command C in the While language, it is not decidable

whether C terminates for the initial state s, where s(x ) = 0 for all
x ∈ Var .

Theorem

The set of commands C in the While language, which terminate for

the initial state s, where s(x ) = 0 for all x ∈ Var , is recursively
enumerable.
 Excursion: Results on the Halting Problem

Theorem (Turing, 1936)

Given a command C in the While language, it is not decidable

whether C terminates for the initial state s, where s(x ) = 0 for all
x ∈ Var .

Theorem

The set of commands C in the While language, which terminate for

the initial state s, where s(x ) = 0 for all x ∈ Var , is recursively
enumerable.

Corollary

The set of commands C in the While language, which do not

terminate for the initial state s, where s(x ) = 0 for all x ∈ Var , is
not recursively enumerable.
 Hoare Logic: Incompleteness

Given a command C in the While language, we denote by initC the

sequence x1 := 0; x2 := 0; . . . ; xn := 0 for all variables xi of C.

From the previous slides we immediately obtain:

Theorem

The set of valid Hoare triples {true} initC ; C {false}, where C is a

command in the While language, is not recursively enumerable.

Corollary

There is no recursively enumerable set of axioms and derivation

rules which allow us to derive all valid Hoare triples {P } C {Q }.
 Hoare Logic: Incompleteness

Given a command C in the While language, we denote by initC the

sequence x1 := 0; x2 := 0; . . . ; xn := 0 for all variables xi of C.

From the previous slides we immediately obtain:

Theorem

The set of valid Hoare triples {true} initC ; C {false}, where C is a

command in the While language, is not recursively enumerable.

Corollary

There is no recursively enumerable set of axioms and derivation

rules which allow us to derive all valid Hoare triples {P } C {Q }.

Can we pinpoint the source of incompleteness?

 Hoare Logic: Incompleteness

Alternative argument:

Gödel’s Incompleteness Theorem:

In any recursively axiomatizable first-order theory rich enough to

allow the integers with addition and multiplication to be encoded
there is a true arithmetic formula (i.e., a formula that uses
encodings of the integers, addition and multiplication) that cannot
be proven.
 Hoare Logic: Incompleteness

Alternative argument:

Gödel’s Incompleteness Theorem:

In any recursively axiomatizable first-order theory rich enough to

allow the integers with addition and multiplication to be encoded
there is a true arithmetic formula (i.e., a formula that uses
encodings of the integers, addition and multiplication) that cannot
be proven.

Observe:
I Let P be an arbitrary formula.
I If P is valid, then {true} skip {P }.
 Hoare Logic: Incompleteness

We show the following theorem:

There is no recursively enumerable set of axioms and derivation

rules which allow us to derive all valid Hoare triples
{true} skip {P }.
 Hoare Logic: Incompleteness

We show the following theorem:

There is no recursively enumerable set of axioms and derivation

rules which allow us to derive all valid Hoare triples
{true} skip {P }.

Proof:
We can assume w.l.o.g. that the set of axioms includes the set

{¬(i = j ) | i , j ∈ Z, i 6= j }∪
{i + j = k | i , j , k ∈ Z, i + j = k }∪
{i ∗ j = k | i , j , k ∈ Z, i ∗ j = k },

which is recursively enumerable (alternative: Peano Axioms).

Hence, Gödel’s Incompleteness Theorem can be applied.
 Hoare Logic: Relative Completeness

Maybe Gödel’s incompleteness theorem (in combination with

Hoare’s consequence rule) is the culprit?
I What if we had a powerful enough decision procedure?
 Hoare Logic: Relative Completeness

Maybe Gödel’s incompleteness theorem (in combination with

Hoare’s consequence rule) is the culprit?
I What if we had a powerful enough decision procedure?
Is this enough?
I We need to check that the assertion language is expressive
enough to represent all required intermediate assertions in
the Hoare logic proof!
def
I Compare to the language L0 = {true}: not very expressive.
Hoare Logic: Relative Completeness and Expressiveness
We define the pre operation for an assertion P as follows:

pre(C , Q ) = {s | ∀s0 . hC , si ⇓ s0 ⇒ s0 |= Q }
def

A logical language L is closed under the pre operation if

∀Q ∈ L, ∀ command C . ∃P ∈ L . {s | s |= P } = pre(C , Q )
Hoare Logic: Relative Completeness and Expressiveness
We define the pre operation for an assertion P as follows:

pre(C , Q ) = {s | ∀s0 . hC , si ⇓ s0 ⇒ s0 |= Q }
def

A logical language L is closed under the pre operation if

∀Q ∈ L, ∀ command C . ∃P ∈ L . {s | s |= P } = pre(C , Q )

Definition (Weakest Liberal Precondition)

We call a predicate transformer wlp(C , Q ) with

{s | s |= wlp(C , Q )} = pre(C , Q )

the weakest liberal precondition.

Note wlp(C , Q ) is the weakest predicate (up to logical
equivalence) such that {wlp(C , Q )} C {Q }, i.e., {P } C {Q } is
equivalent to P ⇒ wlp(C , Q ) for all predicates P.
 Hoare Logic: Properties of wlp(C , Q )
wlp(x := E , Q ) ≡ Q [E /x ]
wlp(skip, Q ) ≡ Q
wlp(C1 ; C2 , Q ) ≡ wlp(C1 , wlp(C2 , Q ))
 
B ⇒ wlp(C1 , Q )
wlp(if B then C1 else C2 , Q ) ≡  ∧ 
¬B ⇒ wlp(C2 , Q )

Proof: We observe that for wlp(x := E , Q ) we have

{s | s |= Q [E /x ]} = {s | s[x 7→ JE K s] |= Q }.
As before, this follows from substitution lemma:
s |= Q [E /x ] s |= E = n
s[x 7→ n] |= Q
The proofs for the other cases are similar (using the rules of
hC , si ⇓ s0 ).
 Hoare Logic: Relative Completeness [Cook74]

Assume we have
I an assertion language L closed under wlp(C , ·) for all
constructs C in our programming language, and
I a proof system powerful enough such that

∀F ∈ L . (|= F ) ⇒ (` F ) ,

i.e., we can prove any formula true in our intended

interpretation.
Then,
|= {P } C {Q } ⇒ ` {P } C {Q }.
 Hoare Logic: Relative Completeness

We will prove for all predicates Q and programming constructs C

that
` {wlp(C , Q )} C {Q }(∗).
This will immediately allow us to prove

|= {P } C {Q } ⇒ ` {P } C {Q }

for all Hoare-triples {P } C {Q }:

Assume |= {P } C {Q }. Then we have that P ⇒ wlp(C , Q ) by the

definition of weakest liberal precondition. By (*) we further have
` {wlp(C , Q )} C {Q }. Applying the rule of consequence then
establishes ` {P } C {Q }.

We now proceed to the proof of (*).

 Hoare Logic: ` {wlp(C , Q )} C {Q }

Proof: By induction on structure of programs.

I Assignment.
The claim follows from

{Q [E /x]} x := E {Q }

and
wlp(x := E , Q ) ≡ Q [E /x ].
 Hoare Logic: ` {wlp(C , Q )} C {Q }

I Composition.
I We consider {wlp(C1 ; C2 , Q )} C1 ; C2 {Q }.
I By the induction hypothesis we have ` {wlp(C2 , Q )} C2 {Q }
and ` {wlp(C1 , wlp(C2 , Q ))} C1 {wlp(C2 , Q )}.
I We then can apply the composition rule:

{wlp(C1 , wlp(C2 , Q ))} C1 {wlp(C2 , Q )} , {wlp(C2 , Q )} C2 {Q }

{wlp(C1 , wlp(C2 , Q ))} C1 ; C2 {Q }
I The claim then follows from

wlp(C1 ; C2 , Q ) ≡ wlp(C1 , wlp(C2 , Q )).

 Hoare Logic: ` {wlp(C , Q )} C {Q }

I Composition.
I We consider {wlp(C1 ; C2 , Q )} C1 ; C2 {Q }.
I By the induction hypothesis we have ` {wlp(C2 , Q )} C2 {Q }
and ` {wlp(C1 , wlp(C2 , Q ))} C1 {wlp(C2 , Q )}.
I We then can apply the composition rule:

{wlp(C1 , wlp(C2 , Q ))} C1 {wlp(C2 , Q )} , {wlp(C2 , Q )} C2 {Q }

{wlp(C1 , wlp(C2 , Q ))} C1 ; C2 {Q }
I The claim then follows from

wlp(C1 ; C2 , Q ) ≡ wlp(C1 , wlp(C2 , Q )).

I Branching.
Similar. Left as exercise.
 Hoare Logic: ` {wlp(C , Q )} C {Q }
I Loops. Recall:

{R ∧ B } C {R }
{R } while B do C {¬B ∧ R }
I We consider {wlp(while B do C , Q )} while B do C {Q }.
I We set R = wlp(while B do C , Q ) (such a predicate exists as
per our assumption).
I We note that
R ≡wlp(if B then (C ; while B do C ) else skip, Q )
≡(¬B ⇒ Q ) ∧ (B ⇒ wlp(C , wlp(while B do C , Q )))
 Hoare Logic: ` {wlp(C , Q )} C {Q }
I Loops. Recall:
{R ∧ B } C {R }
{R } while B do C {¬B ∧ R }
I We consider {wlp(while B do C , Q )} while B do C {Q }.
I We set R = wlp(while B do C , Q ) (such a predicate exists as
per our assumption).
I We note that
R ≡wlp(if B then (C ; while B do C ) else skip, Q )
≡(¬B ⇒ Q ) ∧ (B ⇒ wlp(C , wlp(while B do C , Q )))
| {z }
R
 Hoare Logic: ` {wlp(C , Q )} C {Q }
I Loops. Recall:

{R ∧ B } C {R }
{R } while B do C {¬B ∧ R }
I We consider {wlp(while B do C , Q )} while B do C {Q }.
I We set R = wlp(while B do C , Q ) (such a predicate exists as
per our assumption).
I We note that
R ≡wlp(if B then (C ; while B do C ) else skip, Q )
≡(¬B ⇒ Q ) ∧ (B ⇒ wlp(C , R ))
 Hoare Logic: ` {wlp(C , Q )} C {Q }
I Loops. Recall:

{R ∧ B } C {R }
{R } while B do C {¬B ∧ R }
I We consider {wlp(while B do C , Q )} while B do C {Q }.
I We set R = wlp(while B do C , Q ) (such a predicate exists as
per our assumption).
I We note that
R ≡wlp(if B then (C ; while B do C ) else skip, Q )
≡(¬B ⇒ Q ) ∧ (B ⇒ wlp(C , R ))
I By the induction hypothesis we have ` {wlp(C , R )} C {R }.
From R ∧ B ⇒ wlp(C , R ) and the consequence rule we then
get ` {R ∧ B } C {R }.
 Hoare Logic: ` {wlp(C , Q )} C {Q }
I Loops. Recall:

{R ∧ B } C {R }
{R } while B do C {¬B ∧ R }
I We consider {wlp(while B do C , Q )} while B do C {Q }.
I We set R = wlp(while B do C , Q ) (such a predicate exists as
per our assumption).
I We note that
R ≡wlp(if B then (C ; while B do C ) else skip, Q )
≡(¬B ⇒ Q ) ∧ (B ⇒ wlp(C , R ))
I By the induction hypothesis we have ` {wlp(C , R )} C {R }.
From R ∧ B ⇒ wlp(C , R ) and the consequence rule we then
get ` {R ∧ B } C {R }.
I We can then apply the while-loop rule and obtain
` {R } while B do C {¬B ∧ R }.
 Hoare Logic: ` {wlp(C , Q )} C {Q }
I Loops. Recall:

{R ∧ B } C {R }
{R } while B do C {¬B ∧ R }
I We consider {wlp(while B do C , Q )} while B do C {Q }.
I We set R = wlp(while B do C , Q ) (such a predicate exists as
per our assumption).
I We note that
R ≡wlp(if B then (C ; while B do C ) else skip, Q )
≡(¬B ⇒ Q ) ∧ (B ⇒ wlp(C , R ))
I By the induction hypothesis we have ` {wlp(C , R )} C {R }.
From R ∧ B ⇒ wlp(C , R ) and the consequence rule we then
get ` {R ∧ B } C {R }.
I We can then apply the while-loop rule and obtain
` {R } while B do C {¬B ∧ R }.
I The claim then follows from ¬B ∧ R ⇒ Q and the
consequence rule.
 Weakest Liberal Precondition

We will now define a concrete predicate transformer wlp(C , Q ) with

pre(C , Q ) = {s | s |= wlp(C , Q )}.

We will define wlp(C , Q ) inductively and will establish the

correctness of the definition by structural induction.
Hoare Logic and Dijkstra’s Weakest Pre-condition

I Predicate Transformers
[Dijkstra75]
I Weakest Pre-Condition
I Strongest Post-Condition
I Invariants defined as
Fixed Points
Edsger W. Dijkstra
(1930–2002)
Weakest Liberal Precondition: Predicate Transformers

def
wlp(x := E , Q ) = Q [E /x ]
def
wlp(skip, Q ) = Q
def
wlp(C1 ; C2 , Q ) = wlp(C1 , wlp(C2 , Q ))
 
B ⇒ wlp(C1 , Q )
def
wlp(if B then C1 else C2 , Q ) =  ∧ 
¬B ⇒ wlp(C2 , Q )
Using the I.H. and our earlier results it is straight-forward to
establish the correctness for these cases.
 Weakest Liberal Precondition: Loops

Loops are more complicated:

I No syntactic construction possible

def
wlp(while B do C , Q ) = ?
 Weakest Liberal Precondition: Loops

Loops are more complicated:

I No syntactic construction possible

def
wlp(while B do C , Q ) = ?
Idea: Use Gödel’s β -function to encode sequences of numbers.
We will use a variation of the function used by Gödel.
 Gödel’s β -function

β(x , y , z ) = x /10y ∗z %10y

Lemma

For any sequence of numbers d0 , d1 , . . . , dk with di ≥ 0 there are

numbers a ≥ 0 and b ≥ 0 such that β(a, b, i ) = di for all 0 ≤ i ≤ k.

Proof sketch: Observe that β(x , y , z ) returns a number with y

digits. Let b be the maximum number of digits of di . Construct x by
padding each di with leading 0’s in order to obtain a number with
exactly b digits; concatenate this sequence of digits to obtain x.
 Gödel’s β -function extended

We define a function β(x , y , z ) by

∀x , y , z . β(x , y , z ) = β(x , y , 2z ) ∧ β(x , y , 2z + 1) > 0

∨ β(x , y , z ) = −β(x , y , 2z ) ∧ β(x , y , 2z + 1) = 0

Lemma

For any sequence of numbers d0 , d1 , . . . , dk there are numbers

a ≥ 0 and b ≥ 0 such that β(a, b, i ) = di for all 0 ≤ i ≤ k.

Proof: left as exercise

 Weakest Liberal Precondition: Loops

Intuition:
We have s |= wlp(while B do C , Q ) if and only if for every finite
sequence of states s0 , s1 , . . . , sk we have that
I s = s0 ,
I si |= B and hC , si i ⇓ si +1 for all 0 ≤ i < k, and
I sk |= ¬B
imply that
I sk |= Q.
 Weakest Liberal Precondition: Loops
We state the weakest liberal precondition for commands C and
Boolean conditions B with a single variable x (the generalization to
several variables x1 , . . . , xn is left as an exercise):
def
wlp(while B do C , Q ) =
∀a, b,k . a ≥ 0 ∧ b ≥ 0 ∧ k ≥ 0
⇒ β(a, b, 0) = x

∧ ∀i , y , z . 0 ≤ i < k
⇒ β(a, b, i ) = y ∧ β(a, b, i + 1) = z 
⇒ (B ∧ wlp(C , x = z ) ∧ ¬wlp(C , false))[y /x ]

∧¬B [β(a, b, k )/x ]
⇒ Q [β(a, b, k )/x ].
By the I.H. we have that (B ∧ wlp(C , x = z ) ∧ ¬wlp(C , false))[y /x ]
holds iff {x 7→ y } |= B and hC , {x 7→ y }i ⇓ {x 7→ z }.
 Hoare’s Axioms: Summary

{P } C1 {Q } , {Q } C2 {R }
{P [E /x]} x:=E {P } {P } C1 ; C2 {R }

{B ∧ P } C1 {Q } {¬B ∧ P } C2 {Q }
{P } if B then C1 else C2 {Q }

P0 ⇒ P {P } C {Q } Q ⇒ Q 0
{P 0 } C {Q 0 }

{P ∧ B } C {P }
{P } while B do C {¬B ∧ P }
 Summary

I Axiomatic semantics for reasoning about program

correctness.
I Requires inductive invariants.
I Calculus comprises Hoare triples {P } C {Q } and axioms
I Interesting properties of calculus:
I Soundness

` {P } C {Q } ⇒ |= {P } C {Q }

I (Relative) Completeness

|= {P } C {Q } ⇒ ` {P } C {Q }
 References

C.A.R. Hoare. An Axiomatic Basis for Computer Programming.

Communications of the ACM 12(10), 1969

E.W. Dijkstra. Guarded Commands, Nondeterminacy and Formal

Derivation of Programs. Communications of the ACM 18(8), 1975

S.A. Cook. Soundness and Completeness of an Axiom System for

Program Verification. SIAM J. of Computing 7(1), 1978

E.M. Clarke. Programming Language Constructs for Which It Is

Impossible To Obtain Good Hoare Axiom Systems. Journal of the
ACM 26(1), 1979

K.R. Apt. Ten Years of Hoare’s Logic: A Survey – Part I. ACM

TOPLAS 3(4), 1981