博文

霍尔逻辑（Hoare logic）

已有 16789 次阅读 2009-5-15 09:30 |个人分类:计算机科学数学与逻辑|系统分类:科研笔记| 霍尔逻辑（Hoare, logic）

霍尔逻辑是一套由英国计算机科学家霍尔（ C. A. R. Hoare）开发的形式系统，后来又通过他与其它研究者做了进一步的精细化处理，这个系统的构建目的是用来推理验证程序的正确性，用数学的严格性做保证。
It was published in Hoare's 1969 paper,^[1] where Hoare acknowledges earlier contributions from Robert Floyd, who had published a similar system^[2] for flowcharts.

The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form

${P};C;{Q}$

where P and Q are assertions and C is a command. P is called the precondition and Q the postcondition: if the precondition is met, the command establishes the postcondition. Assertions are formulas in predicate logic.

Hoare logic has axioms and inference rules for all the constructs of a simple imperative programming language. In addition to the rules for the simple language in Hoare's original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers.

Rules

Empty statement axiom schema

$frac{}{{P} textbf{skip} {P}} !$

Assignment axiom schema

The assignment axiom states that after the assignment any predicate holds for the variable that was previously true for the right-hand side of the assignment:

$frac{}{{P[E/x]} x:=E {P} } !$

Here $P [E / x]$ denotes the expression P in which all free occurrences of the variable x have been replaced with the expression E.

The meaning of the assignment axiom is that the truth of ${P [E / x]}$ is equivalent to the after-assignment truth of ${P}$ . Thus if ${P [E / x]}$ were true prior to the assignment, by the assignment axiom then ${P}$ will be true subsequent to that assignment. Conversely, if ${P [E / x]}$ were false prior to the assignment statement, ${P}$ must then be false following the assignment.

Examples of valid triples include:

${x+1 = 43} y:=x + 1 { y = 43 }!$
${x + 1 leq N } x?:= x + 1 {x leq N} !$

The assignment axiom proposed by Hoare does not apply when more than one name can refer to the same stored value. For example,

${ y = 3} x?:= 2 {y = 3 }$

is not a true statement if x and y refer to the same variable, because no precondition can cause y to be 3 after x is set to 2.

Rule of composition

Hoare's rule of composition applies to sequentially-executed programs S and T, where S executes prior to T and is written S;T.

$frac {{P} S {Q} , {Q} T {R} } {{P} S;T {R}} !$

For example, consider the following two instances of the assignment axiom:

${ x + 1 = 43} y:=x + 1 {y =43 }$

and

${ y = 43} z:=y {z =43 }$

By the sequencing rule, one concludes:

${ x + 1 = 43} y:=x + 1; z:= y {z =43 }$

Conditional rule

$frac { {B wedge P} S {Q} , {neg B wedge P } T {Q} } { {P} textbf{if} B textbf{then} S textbf{else} T textbf{endif} {Q} } !$

Consequence rule

$frac { P^prime rightarrow P , lbrace P rbrace S lbrace Q rbrace , Q rightarrow Q^prime } { lbrace P^prime rbrace S lbrace Q^primerbrace } !$

While rule

$frac { {P wedge B } S {P} } { {P } textbf{while} B textbf{do} S textbf{done} {neg B wedge P} } !$

Here P is the loop invariant.

While rule for total correctness

$frac { <;textrm{is well-founded,};[P wedge B wedge t = z ] S [P wedge t < z ]} { [P] textbf{while} B textbf{do} S textbf{done} [neg B wedge P] } !$

In this rule, in addition to maintaining the loop invariant, one also proves termination by way of a term, called the loop variant, here t, whose value strictly decreases with respect to a well-founded relation during each iteration. Note that, given the invariant P, the condition B must imply that t is not a minimal element of its range, for otherwise the premise of this rule would be false. Because the relation "<" is well-founded, each step of the loop is counted by decreasing members of a finite chain. Also note that square brackets are used here instead of curly braces to denote total correctness, i.e. termination as well as partial correctness. (This is one of various notations for total correctness.)

Examples

Example 1
${x+1 = 43}!$	$y:=x + 1 !$	${ y = 43 }!$	(Assignment Axiom)
			$( x + 1 = 43 Leftrightarrow x = 42 )$
${x=42}!$	$y:=x + 1 !$	${y=43 land x=42}!$	(Consequence Rule)
Example 2
${x + 1 leq N }!$	$x?:= x + 1 !$	${x leq N} !$	(Assignment Axiom)
			( $x < N implies x + 1 leq N$ for x, N with integer types.)
${x < N }!$	$x?:= x + 1 !$	${x leq N} !$	(Consequence Rule)

信息来源: http://en.wikipedia.org/wiki/Hoare_logic

转载本文请联系原作者获取授权，同时请注明本文来自黄富强科学网博客。
链接地址：https://blog.sciencenet.cn/blog-89075-231985.html

上一篇：Digital native
下一篇：Oracle's Support for Open Source and Open Standards

收藏 IP: .*| 热度|

当前推荐数：0

该博文允许实名用户评论评论 (1 个评论)

数据加载中...

返回顶部

博文发布时间已经超过87600小时，评论已关闭。

黄富强

扫一扫，分享此博文

计算之智与哲学之慧分享 http://blog.sciencenet.cn/u/huangfuqiang

博文

霍尔逻辑（Hoare logic）