The Hoare triple has a very simple meaning, namely:
.
That is: if the precondition is satisfied in some state , and can transform into , then must satisfy the postcondition . (We’ll allow non-deterministic commands, so need not be uniquely determined by and .) Or, more concisely: if holds before executing , then will hold afterwards.
The statement above can be reformulated in a couple of different ways, all equivalent. One way is to introduce Dijkstra’s concept of a weakest precondition, like so:
and then observe that is the same as . Another way is to introduce the concept of a strongest postcondition, also due to Dijkstra, like so:
and then observe that is the same as .
◆
In 2019, O’Hearn introduced Incorrectness logic. This logic involves triples that have a subtly different meaning to Hoare’s, namely:
.
That is: if the postcondition is satisfied by some state , then there must exist some state that can be transformed into by command and that satisfies the precondition . Or, more concisely: every state where holds is reachable by executing from a state where holds.
There’s a neat duality between Incorrectness logic and Hoare logic:
is equivalent to
is equivalent to
What’s curious is that this / trick can only be used with the strongest-postcondition formulation. If you try it on the weakest-precondition formulation, you don’t get Incorrectness logic. In other words, and are logically equivalent, but is not the same as . If corresponds to Incorrectness logic, then what does correspond to?
◆
So let’s see what happens if we introduce a third type of triple, , which shall mean:
.
That is: if is a state that is always transformed by command into one that satisfies the postcondition , then must satisfy the precondition . Or, more concisely: if doesn’t hold before executing , then will not hold afterwards.
Essentially, we are filling in the gap marked “???” in the picture below (where the thick arrows indicate equivalences):
What can we say about these new triples? What properties do they enjoy?
In some ways, all three forms of triple are alike. For instance, they all admit the same Sequencing rule:
and they all admit the Iteration rule:
In some ways, the new triples behave more like Incorrectness triples than like Hoare triples. This is the case for the Skip rules:
and for the Consequence rules:
In yet other ways, all three forms of triple are different. For instance, they all say different things about the command that always diverges (fails to terminate):
- always holds, because Hoare logic gives no guarantees about non-terminating executions.
- holds iff , because Incorrectness logic demands termination.
- holds iff , because will always fail to reach .
Another way to distinguish the three forms is to ask what they say when the postcondition is unsatisfiable. (In what follows, let be the set of states from which execution of diverges.)
- holds iff ; i.e. is a sufficient condition for diverging.
- always holds.
- holds iff ; i.e. is a necessary condition for diverging.
Here are some rules about , which denotes a non-deterministic choice between commands and :
Here are some rules for conjoining or disjoining two different specifications for the same command:
Here are some ways to translate between Hoare triples and Incorrectness triples. (In what follows, let be the set of states from which execution of is deterministic, and let denote the inverse of the command .)
- If then implies .
- If then implies .
- Hence, if and then coincides with .
Here are some ways to translate between Hoare triples and the new form of triples.
- If then implies .
- If then implies .
- Hence, if and then coincides with .
If we become a bit more concrete now, and model program states simply as functions from variables to integers, then we can obtain specifications of the “increment ” command like so:
or:
For specifying an “assign a constant” command, we can use:
but is invalid because is not necessary to guarantee after the assignment. In fact, any initial state will suffice here, which means is valid.
We can also specify that assignment command more loosely:
but is invalid because executing can never reach a final state where , say. And is invalid too, for the same reason as given above.
Finally, we can specify some non-deterministic commands, such as a command that assigns to either 4 or 5:
or a command that either increments or does nothing:
◆
In terms of related work:
- O’Hearn does mention the curious inequivalence between and in his POPL’19 paper (near the end of Section 7), but doesn’t dig into the implications of building a proof system around triples that mean .
- He does, however, point out some earlier work by Cousot et al. that made use of these triples in an automated verification context, which was published in VMCAI 2013. Cousot et al. referred to them as necessary preconditions, and they used them because they wanted to avoid false positives in their automatic tool. However, they didn’t develop a set of proof rules for reasoning about these triples.
- More recently, Zilberstein, Dreyer, and Silva’s OOPSLA 2021 paper proposes Outcome logic as a way to unify triples and triples into a single logic based on monads and monoids. I haven’t yet figured out whether Outcome logic also covers triples.
To conclude: gives rise to a proof system that seems to have some interesting properties, and perhaps it shines some light on the nature of Hoare logic and Incorrectness logic by where it differs from them. I’m not convinced that it’s a useful proof system like Hoare logic or Incorrectness logic certainly are. Still, it’s always satisfying to fill in “gaps”!
An Isabelle-2023 proof script that formalises all of the results given above is available.
At the Incorrectness workshop at POPL, Flavio Ascari presented this work: https://arxiv.org/abs/2310.18156, which seems related. I believe they call this triple ‘NC’ and also expand a bit on it.
Very nice post!
In terms of related work: Predating Ascari et al., Zhang & Kaminski also suggests the logic “???” (and others) and – funnily enough – also call it “???”, see [A, table on p. 20]. I believe what is called weakest precondition in this post is often called weakest liberal precondition. So in the terminology of [A], the ??? triples would be defined by wlp(c, post) subset-equal pre.
[A] Zhang & Kaminski. Quantitative Strongest Post. OOPSLA 2022. https://dl.acm.org/doi/pdf/10.1145/3527331