dark
Hand-Picked Top-Read Stories
Trending Tags

The Hoare Cube

I wrote earlier this year about my attempt to understand the repercussions of toggling subseteq and supseteq when giving a semantics to Hoare triples. In response to that post, Yann Herklotz helpfully pointed me to Patrick Cousot’s POPL 2024 paper [10], which does all this and a lot more besides. In particular, Cousot’s paper includes the following diagram…

…which shows how to obtain dozens of program logics just by toggling a handful of switches in the semantics.

However, that diagram is completely terrifying, and (just between you and me) I can’t get my head around much of the rest of Cousot’s paper. So, this blog post is my attempt to end up with a similar diagram to Cousot’s one, but while trying to keep things as simple as possible.

Let us assume that we have a set of states, and that a command is simply a binary relation on states. We shall write (sigma, sigma') in c to mean that if command c is started in state sigma it can produce final state sigma'. Our commands need not always terminate: if there is no sigma' such that (sigma, sigma') in c, then that means c does not terminate when started in state sigma. Also, our commands can be non-deterministic: if (sigma, sigma') in c and (sigma, sigma'') in c with sigma' neq sigma'', then that means c behaves non-deterministically when started in state sigma.

The original “partial correctness” interpretation [1] of the Hoare triple {P},c,{Q} is that whenever c is started in a state satisfying the assertion P (an assertion is just a set of states), any final state it reaches must satisfy the assertion Q. That is…

forall sigma, sigma'ldotp sigma in P wedge (sigma,sigma') in c longrightarrow sigma' in Q.

Let us define a helper function: the “strongest postcondition”. We shall write text{sp}(P,c) for the set of all states that command c can reach if it starts executing in a P state…

text{sp}(P, c)={sigma'ldotp existssigmaldotp (sigma,sigma') in c wedge sigma in P}.

We can use text{sp} to give a semantics to Hoare triples in a variety of different ways. For instance, the partial correctness interpretation given above can be rewritten as…

text{sp}(P,c) subseteq Q.

Flipping the subseteq into a supseteq to get Incorrectness logic…

text{sp}(P,c) supseteq Q

…is what led O’Hearn to remark that “program correctness and incorrectness are two sides of the same coin”. But there are other components that can be “flipped” too. I think there are three “dimensions” in total:

(NB: Cousot seems to identify four dimensions in his diagram above, but I haven’t understood what his fourth one is.)

The eight options, then, are as follows:

Name(s)Meaning of {P},c,{Q}Reach
Direction
Approximation
Partial correctness [1]text{sp}(P,c) subseteq Qmay
forward
over
Reverse Hoare logic [5],
Incorrectness logic [6]		text{sp}(P,c) supseteq Qmay
forward
under
Necessary preconditions (as formulated in [4])text{sp}(Q,c^{-1}) subseteq Pmay
backward
over
Backward under-approximate Hoare triple [2],
Lisbon triple [3],
Sufficient incorrectness logic [4],
Possible correctness [9]		text{sp}(Q,c^{-1}) supseteq Pmay
backward
under
Necessary preconditions (as originally formulated in [7])text{sp}(neg P,c) subseteq neg Qmust
forward
over
text{sp}(neg P,c) supseteq neg Qmust
forward
under
Partial correctness (alternative formulation)text{sp}(neg Q,c^{-1}) subseteq neg Pmust
backward
over
text{sp}(neg Q,c^{-1}) supseteq neg Pmust
backward
under

Note that partial correctness can also be rewritten into the more familiar P subseteq text{wlp}(c, Q) if we define text{wlp} as the “weakest liberal precondition” in the usual way…

text{wlp}(c,Q)={sigmaldotp forallsigma'ldotp (sigma,sigma') in c longrightarrow sigma' in Q}

…but I quite like how “systematic” the table above is: it distinguishes may from must by negating the pre and postconditions; it distinguishes forward from backward by using c or c^{-1}; and it distinguishes over from under approximate by using subseteq or supseteq.

Note also that I’ve labelled text{sp}(neg P,c) subseteq neg Q as the “original” formulation of necessary preconditions, as it captures the two negatives in Cousot et al.’s definition quite nicely: “under which precondition, if violated, will the program always be incorrect?” [7, my emphasis].

We can assemble all eight options in the table into a cube — a “Hoare cube”, if you will.

In the cube, I’ve drawn solid lines between vertices that represent equal semantics. For instance, may+forward+over is equal to must+backward+over because…

text{sp}(P,c) subseteq Q quadLongleftrightarrowquad text{sp}(neg Q,c^{-1}) subseteq neg P.

Sometimes these equalities can be phrased as Galois connections. For instance…

text{sp}(P,c) subseteq Q quadLongleftrightarrowquad P subseteq text{wlp}(c, Q)

…signifies a Galois connection between text{sp}(-,c) and text{wlp}(c, -).

I’ve also drawn dashed lines between vertices that represent equivalent semantics. By “equivalent” here, I mean that there exists a bijection f between triples such that the triple {P},c,{Q} holds according to one semantics if and only if the triple f({P},c,{Q}) holds according to the other semantics. What this means is that one strategy for proving {P},c,{Q} under one semantics is to prove f({P},c,{Q}) under the other semantics.

For instance, may+backward+over (necessary preconditions, text{NC}) is equivalent to may+forward+over (partial correctness, text{PC}) because…

text{NC} models {P},c,{Q} quadLongleftrightarrowquad text{PC} models {neg P},c,{neg Q}

…as Ascari et al. have observed [4, Proposition 5.4]. Here we use the bijection f_1 that maps {P},c,{Q} to {neg P},c,{neg Q}.

For another instance, may+forward+under (incorrectness logic, text{IL}) is equivalent to may+backward+under (sufficient incorrectness logic, text{SIL}) because, using another bijection f_2 that maps {P},c,{Q} to {Q},c^{-1},{P}, we have…

text{IL} models {P},c,{Q} quadLongleftrightarrowquad text{SIL} models {Q},c^{-1},{P}.

For this reason, I’ve deemed all of the over nodes equivalent (and coloured them green) and all of the under nodes equivalent (and coloured them blue).

But is it a bit of a stretch to consider all those same-coloured nodes “equivalent”? I mean, if the point of these bijections is to suggest how a proof in one logic can be transformed into a proof in another logic, then are these transformations reasonable? The bijection f_2, for instance, requires the ability to invert an arbitrary command (turning c into c^{-1}). That’s straightforward enough for simple programs, thanks to properties like (c; d)^{-1}=(d^{-1} ; c^{-1}) and (c + d)^{-1}=(c^{-1} + d^{-1}) and (c^*)^{-1}=(c^{-1})^*, but it could become infeasible in more complicated settings. Likewise, the bijection f_1 requires the ability to negate an arbitrary assertion (turning P into neg P), which is fine in ordinary predicate logic but doesn’t work very nicely in a substructural logic like separation logic.

Still, it does give a pretty handy way to generate proof rules for one logic from the proof rules for another logic. For instance, Ascari et al. [4] present this proof rule from incorrectness logic…

…and if we apply our bijection f_2 to all the triples in this rule, then we obtain “for free” the corresponding proof rule from their sufficient incorrectness logic…

…without having to prove anything about its soundness.

To conclude: perhaps program correctness and incorrectness are not simply two sides of the same coin, but two opposite faces of the same cube!

Related work

Möller et al. [2, Section 5] define and briefly study “backward under-approximate Hoare triples”. Zilberstein et al. [3] refer to those triples also as “Lisbon triples”. Ascari et al. [4] define sufficient incorrectness logic as a proof system for those “backward under-approximate Hoare triples”, and I’m grateful to Ike Mulder who referred me to Ascari et al.’s paper in a comment on my earlier blog post.

Zilberstein et al. [3] defines and studies “Outcome logic”, but I haven’t included it in my “cube” because I don’t think it quite fits with the other logics – its postconditions are not simply “sets of states”, but have a more complicated monoidal structure. I also haven’t included “Exact separation logic” [11], which unifies over-approximate and under-approximate reasoning in the context of separation logic.

Zhang and Benjamin Kaminsky [8, Section 6.3] also studied the eight options in my table above, similarly obtained by toggling three binary switches (albeit with slightly different names), and I’m grateful to Benjamin for pointing me to his work in a comment on my earlier blog post. I’ve reproduced their table here:

The two blue rows in their table are equal, and they correspond to the two “partial correctness” vertices in my cube. The two orange lines are also equal, and they correspond to the two “necessary preconditions” vertices in my cube. I also haven’t got names for the ??? and ¿¿¿ logics, but I note that ??? can be straightforwardly obtained from sufficient incorrectness logic via the f_1 bijection I defined above, and ¿¿¿ can be obtained from incorrectness logic in the same way, so I think this makes it unlikely that those logics will offer anything particularly new.

For the record: one potential point of confusion in Zhang and Kaminsky’s table is that what they call “wp” is actually what O’Hearn [6, Section 6.3] calls the “weakest possible precondition”: the sets of states from which c can reach a final state satisfying the postcondition (but due to non-determinism, might not). Thus, I think “total correctness” should probably be read as “possible correctness”, following Hoare’s terminology [9, Section 5.3].

Bibliography

Note: This article have been indexed to our site. We do not claim legitimacy, ownership or copyright of any of the content above. To see the article at original source Click Here

KitchenAid Ribbed Soft Silicone Oven Mitt Set, 7"x13", Aqua Sky 2 Count
4.7 out of 5 stars(7672)
$17.44 (as of January 26, 2025 19:26 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Beef Tallow For Skin - Whipped Tallow Balm with Organic Jojoba Oil (Unscented/Herb-Infused), Grass Fed Beef Tallow Face Moisturizer for Eczema, Baby, Lip Balm - Lotion For Extremely Dry Skin
4.6 out of 5 stars(486)
$29.99 (as of January 26, 2025 19:57 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
SWITTE Outdoor Rocking Chair, Patio Egg Rocking Chair, Indoor Papasan Chair, Rattan Wicker Lounge Chair, Modern Royal Chair for Bedroom, Living Room, Porch, Garden, Lawn-Beige
4.4 out of 5 stars(324)
$229.99 (as of January 26, 2025 19:26 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Hanes EcoSmart Fleece, Cotton-Blend Pullover, Crewneck Sweatshirt for Men (1 Or 2 Pack)
4.5 out of 5 stars(150698)
$11.30 (as of January 26, 2025 19:57 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Apple AirTag
4.6 out of 5 stars(19145)
$21.41 (as of January 26, 2025 19:26 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Index Of News Author
Related Posts
Android 12L Beta 3 jetzt auch für Pixel 6-Handys thumbnail

Android 12L Beta 3 jetzt auch für Pixel 6-Handys

Bild: Triyansh Gill/Unsplash Google stellt das Betaprogramm von Android jetzt auch für Pixel 6 und Pixel 6 Pro bereit. Direkt mit einer neuen Android-Testversion. Android 12L erscheint in einer neuen Betaversion. Jetzt dürfen auch Pixel 6-Besitzer mitmachen. Das finale Android 12L ist bald da. Google bringt eine weitere Testversion von Android 12L an den Start…
February 9, 2022
Read More
Robot manicures are the newest way to get people back in the office thumbnail

Robot manicures are the newest way to get people back in the office

With only around one-third of workers interested in going back to the office, buildings are rolling out incentives to try to maintain corporate tenants. The latest perk: the robot manicure.  Robot manicure startup Clockwork began offering its services at 30 Rockefeller Center on October 4 as a part of the building’s Zo Lounge for employee…
October 5, 2021
Read More
Index Of News
Total
0
Share