Floyd-Hoare triples

Extended execution relation

Towards a formal definition of Floyd-Hoare triples, we first extend the execution relation $⟹$ to perform exactly $n\ge 0$ (as opposed to exactly one) execution steps:

• $C{⟹}^{0}C$, and
• $C{⟹}^{n+1}{C}^{\prime }$ if $C⟹C^{\prime \prime }$ and $C^{\prime \prime }{⟹}^n{C}^{\prime }$.

We write $C{⟹}^{\ast }{C}^{\prime }$ if there exists some $n\ge 0$ such that $C{⟹}^n{C}^{\prime }$. Furthermore, we write $C{/⟹}^n$ if there exists no configuration $C^{\prime }$ such that $C{⟹}^n{C}^{\prime }$.

Formal Definition

A Floyd-Hoare triple $\{\text{P}\}\text{S}\{\text{Q}\}$ consists of a precondition $\text{P}$ in Pred, a program statement $\text{S}$, and a postcondition $\text{Q}$ in Pred.

Intuitively, a triple is valid if every execution of program $\text{S}$ that starts in a state satisfying the precondition $\text{P}$ will not cause a runtime error (for example, by failing an assertion) and will eventually terminate in a state satisfying the postcondition $\text{Q}$.

Towards a formal definition, recall from the definition of our language that $\text{dom}(\sigma )$ denotes the variables for which the state $\sigma$ is defined. Moreover, let $\text{Var}(\text{P})$ denote all free variables that appear in predicate $\text{P}$. Then $\text{Var}(\text{P})\subseteq \text{dom}(\sigma )$ means that state $\sigma$ assigns values at least to all variables in predicate $\text{P}$.

The Floyd-Hoare triple $\{\text{P}\}\text{S}\{\text{Q}\}$ is valid (for total correctness) if and only if for every state $\sigma$ with $\text{Var}(\text{P})\subseteq \text{dom}(\sigma )$, if $\text{P},\sigma {⟹}_P\text{true}$, then

1. (safety) there exists no $n\ge 0$ such that $\text{S},\sigma {⟹}^n\text{error}$;
2. (termination) there exists $n\ge 0$ such that for every $m\ge n$, $\text{S},\sigma {/⟹}^m$; and
3. (partial correctness) if $\text{S},\sigma {⟹}^{\ast }(\text{done},{\sigma }^{\prime })$ and $\text{Var}(\text{Q})\subseteq \text{dom}({\sigma }^{\prime })$, then $\text{Q},{\sigma }^{\prime }{⟹}_P\text{true}$.

Here, the first condition (safety) ensures that we cannot encounter a runtime error (for example an assertion failure) when starting execution in a state that satisfies the precondition. The second condition ensures termination, that is, we cannot perform execution steps ad infinitum. The third condition makes sure that we satisfy the postcondition whenever we manage to terminate without a runtime error.

We say that a triple is valid for partial correctness, whenever the third (but not necessarily the first or second) property holds.

In principle, we can directly apply the above definition of validity together with our operational semantics to check whether a triple is valid. However, in most cases this is not feasible, since we would have to consider all possible program executions.

Instead, we use verification conditions to reason about the validity of a triple in a symbolic way, that is by reasoning about predicates, without invoking the operational program semantics. In the lecture, we considered two such approaches for constructing verification conditions: weakest preconditions and strongest postconditions.