5.3.2 An Inference System
An inference system is a system for inferring conclusions from hypotheses in a systematic manner. Such a system can be defined by means of the following artifacts:
• A set F of (syntactically defined) formulas.
• A subset A of F, called the set of axioms, which includes formulas that we assume to be valid by hypothesis.
• A set of inference rules, which we denote by R, where each rule is made up of a set of formulas called the premises of the rule, and a formula called the conclusion of the rule. We interpret a rule to mean that whenever the premises of a rule are valid, so is its conclusion; we usually represent a rule by listing its premises above a line and its conclusion below the line.
An inference in an inference system is an ordered sequence of formulas, say $v_1, v_2, \ldots, v_n$, such that each formula in the sequence, say $v_i$, is either an axiom or the conclusion of a rule whose premises appear prior to $v_i$, that is, amongst $v_1, v_2, \ldots, v_{i-1}$. A theorem of a deductive system is any formula that appears in an inference. In this section, we propose an inference system that enables us to establish the validity of Hoare formulas by induction on the complexity of the program component of the formulas. To this effect, we present in turn the formulas, then the axioms, and finally the rules.
• Formulas. Formulas of our inference system include all the formulas of logic, as well as Hoare formulas.
• Axioms. Axioms of this inference system include all the tautologies of logic, as well as the following formulas:
○ {false} p {ψ}, for any program p and any postcondition ψ.
○ {ϕ} p {true}, for any program p and any precondition ϕ.
• Rules. We present below a rule for each statement of a simple C-like programming language.
Assignment Statement Rule: We consider an assignment statement that assigns to one program variable (implicitly preserving all other variables), and we interpret it as an assignment to the whole program state (changing the selected variable and preserving the other variables), which we denote by s=E(s), where s is the state of the program. We submit the following rule,
$$\frac{\phi \Rightarrow \psi(E(s))}{\{\phi\}\; s = E(s)\; \{\psi\}}$$
92 PROGRAM CORRECTNESS AND VERIFICATION
Interpretation: If we want ψ to hold after execution of the assignment statement, when s is replaced by E(s), then ψ(E(s)) must hold before execution of the assignment; hence the precondition ϕ must imply ψ(E(s)).
Sequence Rule: Let p be a sequence of two subprograms, say p1 and p2. We have the following rule,
$$\frac{\exists\, \mathit{int}:\ \{\phi\}\; p_1\; \{\mathit{int}\} \quad \{\mathit{int}\}\; p_2\; \{\psi\}}{\{\phi\}\; p_1; p_2\; \{\psi\}}$$
Interpretation: if we can find an intermediate predicate int that serves as a postcondition to p1 and a precondition to p2, then the conclusion is established.
Conditional Rule: Let p be a conditional statement of the form: if (condition) {statement;}. We have the following rule,
$$\frac{\{\phi \wedge t\}\; B\; \{\psi\} \quad \phi \wedge \neg t \Rightarrow \psi}{\{\phi\}\; \mathtt{if}\ (t)\ \{B\}\; \{\psi\}}$$
Interpretation: The two premises of this rule correspond to the two execution paths through the flowchart of the conditional statement (Fig. 5.2).
Alternation Rule: Let p be an alternation statement of the form: if (condition) {statement;} else {statement;}. We have the following rule,
$$\frac{\{\phi \wedge t\}\; B_1\; \{\psi\} \quad \{\phi \wedge \neg t\}\; B_2\; \{\psi\}}{\{\phi\}\; \mathtt{if}\ (t)\ \{B_1\}\ \mathtt{else}\ \{B_2\}\; \{\psi\}}$$
Figure 5.2 Flowchart of if-statement.
Figure 5.3 Flowchart of if-else statement.
Interpretation: The two premises of this rule correspond to the two execution paths through the flowchart of the conditional statement (Fig. 5.3).
Iteration Rule: Let p be an iterative statement of the form: while (condition) {statement;}. We have the following rule,
$$\frac{\exists\, \mathit{inv}:\ \phi \Rightarrow \mathit{inv} \quad \{\mathit{inv} \wedge t\}\; B\; \{\mathit{inv}\} \quad \mathit{inv} \wedge \neg t \Rightarrow \psi}{\{\phi\}\; \mathtt{while}\ (t)\ \{B\}\; \{\psi\}}$$
Interpretation: The first and second premises establish an inductive proof to the effect that predicate inv holds after any number of iterations. The third premise provides that upon termination of the loop, the combination of predicate inv and the negation of the loop condition must logically imply the postcondition. Predicate inv is called an invariant assertion. It must be chosen so as to be sufficiently weak to satisfy the first premise, yet sufficiently strong to satisfy the third premise (and the second). See the flowchart below, which highlights the points at which each of the relevant assertions is supposed to hold. Note that inv is placed upstream of the loop condition; hence the loop condition is never part of inv (since upstream of the loop condition we do not know whether t is true or not) (Fig. 5.4).
Consequence Rule: Given a Hoare formula, we can always strengthen the precondition and/or weaken the postcondition. We have the following rule:
$$\frac{\phi \Rightarrow \phi' \quad \{\phi'\}\; p\; \{\psi'\} \quad \psi' \Rightarrow \psi}{\{\phi\}\; p\; \{\psi\}}$$
Figure 5.4 Flowchart of while statement.
Interpretation: This rule stems readily from the definition of these formulas. Using the proposed axioms and rules, we can now generate theorems of the form {ϕ} p {ψ}. The question that arises then is: what good does it do us to generate such theorems? What does that tell us about p? The following Proposition provides the answer.
Proposition: Proving Partial Correctness. If the formula
$$\{\phi\}\; p\; \{\psi\}$$
is a theorem of the deductive system, then p is partially correct with respect to the specification $R = \{(s, s') \mid \phi(s) \wedge \psi(s')\}$.
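As an added example (not from the book), the following Python checker discharges the premises of each rule above by brute force over a small finite state space, taking the intermediate predicate int and the invariant inv from the prover exactly as the sequence and iteration rules require. Programs are encoded as tuples, assignment being a whole-state update s = E(s); the summation program, its state ranges and the two candidate invariants are constructed here, and the consequence rule is folded into the implication checked at each assignment.

```python
import itertools

def states(ranges):  # constructed finite state space: all value combinations
    names = list(ranges)
    return [dict(zip(names, v)) for v in itertools.product(*(ranges[n] for n in names))]

def implies(p, q, S):  # p => q, checked on every state of S
    return all(q(s) for s in S if p(s))

def derivable(pre, prog, post, S):
    """True iff {pre} prog {post} follows from the rules, each premise checked over S."""
    kind = prog[0]
    if kind == "assign":   # premise: phi => psi(E(s))
        return implies(pre, lambda s: post(prog[1](s)), S)
    if kind == "seq":      # premises: {phi} p1 {int} and {int} p2 {psi}, int supplied
        _, p1, mid, p2 = prog
        return derivable(pre, p1, mid, S) and derivable(mid, p2, post, S)
    if kind == "if":       # premises: {phi and t} B {psi}, phi and not t => psi
        _, t, B = prog
        return (derivable(lambda s: pre(s) and t(s), B, post, S)
                and implies(lambda s: pre(s) and not t(s), post, S))
    if kind == "ifelse":   # premises: {phi and t} B1 {psi}, {phi and not t} B2 {psi}
        _, t, B1, B2 = prog
        return (derivable(lambda s: pre(s) and t(s), B1, post, S)
                and derivable(lambda s: pre(s) and not t(s), B2, post, S))
    if kind == "while":    # premises: phi => inv, {inv and t} B {inv}, inv and not t => psi
        _, t, B, inv = prog
        return (implies(pre, inv, S)
                and derivable(lambda s: inv(s) and t(s), B, inv, S)
                and implies(lambda s: inv(s) and not t(s), post, S))
    raise ValueError(kind)

# Constructed program: i = 0; sum = 0; while (i < n) { i = i + 1; sum = sum + i; }
S = states({"n": range(5), "i": range(6), "sum": range(16)})
GAUSS = lambda k: k * (k + 1) // 2
body = ("seq", ("assign", lambda s: {**s, "i": s["i"] + 1}),
        lambda s: s["sum"] == GAUSS(s["i"] - 1) and 0 <= s["i"] <= s["n"],  # int
        ("assign", lambda s: {**s, "sum": s["sum"] + s["i"]}))

def sum_program(inv):
    return ("seq", ("assign", lambda s: {**s, "i": 0}), lambda s: s["i"] == 0,
            ("seq", ("assign", lambda s: {**s, "sum": 0}),
             lambda s: s["i"] == 0 and s["sum"] == 0,
             ("while", lambda s: s["i"] < s["n"], body, inv)))

pre = lambda s: s["n"] >= 0
post = lambda s: s["sum"] == GAUSS(s["n"])
good_inv = lambda s: s["sum"] == GAUSS(s["i"]) and 0 <= s["i"] <= s["n"]
weak_inv = lambda s: s["sum"] == GAUSS(s["i"])  # drops i <= n: fails premise 3
def check(inv):  # is {pre} sum_program(inv) {post} a theorem over S?
    return derivable(pre, sum_program(inv), post, S)
```

With good_inv every premise is discharged, while weak_inv is too weak for the third iteration premise (inv and not t no longer forces i == n), so the same program is not provable with it.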
In the following section, we present sample illustrative examples of the inference system presented herein.