

Floyd–Hoare logic - iamcurious
https://en.wikipedia.org/wiki/Hoare_logic

======
drdeca
This is a cool thing.

I've been thinking about this with functions, and trying to think of a way to
make a programming language have support for a proof checker for this sort of
thing built in, with functions having pre and postconditions, and function
bodies that prove the postcondition is true after the function is run, given
that the precondition was true before it was run, but I've encountered a
problem when one allows first class functions.

If one allows first class functions, it seems that it would allow one to make
tricks like "if this statement is true, 2+2=5". I'm not sure how to get around
it.

It's possible that if one actually tried what I am thinking would be the
problem, the preprocessor-thing (the thing that validates all the proofs
before the program is actually run as a program) might just get into an
infinite loop (through infinite recursion). But it doesn't look like that
would necessarily happen.

And I'm not sure what thing in what I've written should be something that the
proof validator should accept, but it certainly does not seem like the proof
validator should accept all of it (because it can be used to "prove" anything
that can be expressed in the language)

~~~
ahelwer
Look at the Dafny language from MSR: [http://research.microsoft.com/en-
us/projects/dafny/](http://research.microsoft.com/en-us/projects/dafny/)

Your problem is, I think, assuming programs have correctness as an intrinsic
property. This is not so. Programs can only be correct _with respect to_
something - some idea born in a human mind, transcribed into something the
checker understands (here, pre- and post-conditions). If the human mind wants
2+2 to equal 5 in their program, all power to them - they must only ensure
this does not cause inconsistency.

~~~
mcguire
Should I be concerned that the Dafny tutorial
([http://rise4fun.com/Dafny/tutorial/guide](http://rise4fun.com/Dafny/tutorial/guide))
seems kind of...odd?

    
    
        Getting Started with Dafny: A Guide
    
        1. undefined
    
        2. undefined
    
        3. undefined
    
        ...

------
mcguire
Coming from the land of Dijkstra (UTAustin, by the way), pre- and post-
conditions were how I learned to think about programs. Things like
denotational semantics and what-not seem odd and somehow magical to me, even
after a lot of experience with languages like Haskell that incorporate that
kind of thinking.

I'm not going to get this right because I haven't even thought it out to my
own satisfaction, but the fundamental difference seems to me to be that the
_those_ things treat a program as a mathematical object in itself, which is
one of the reasons they focus on functional languages and immutability.

Floyd-Hoare treats the program as a _text_ ; it assigns states to the spaces
between statements. As a result, it's pretty darn happy with imperative
programming, although it has its own limits.

(As an aside (Did I mention that I once worked in the same building as
Dijkstra, although I never took a class from him.), I find it very amusing
that the article has the sentence " _There are rules for concurrency,
procedures, jumps, and pointers._ " although neither it nor the linked
"Branch" article actually describe Knuth's revelation of Hoare's axioms for
goto.)

~~~
AdieuToLogic
Your background immediately reminded me of Betrand Meyer and Design by
Contract[1]. I wonder how much of Hoare's work influenced Meyer.

Do you care to opine? :-)

1 -
[http://www.artima.com/intv/contracts.html](http://www.artima.com/intv/contracts.html)

~~~
mcguire
I don't know much about Meyer's history and the history of Design by Contract,
but I'm going to go out on a limb and say, "quite a bit." The major difference
that I can see, with my limited experience, is that DbC seems to be focused on
the boundaries between functions and is more closely related to assertions
(which are probably also related to Hoare).

------
codelion
If you are interested in this sort of thing you can also have a look at
HIP/SLEEK Verification System -
[http://loris-7.ddns.comp.nus.edu.sg/~project/TeachHIP/](http://loris-7.ddns.comp.nus.edu.sg/~project/TeachHIP/)

It uses separation logic which is an extension of Hoare logic for programs
that manipulate the heap.

------
techbio
Is this not immediately obviously useless?

~~~
ht_th
No. Given a formal specification of a problem, one could use this logic to
derive a correct program. In theory, that's great because it is proven error-
free. In practice, of course, implementing a "correct program" can introduce
bugs and running it on a non-ideal machine (i.e. any physical computer),
introduces uncertainties.

Furthermore, it is expensive to do: you need people with a strong
understanding of mathematics/computer science, it is time intensive, and for
most applications, just writing a program is good enough. But, to be honest,
that goes for most formal methods. Well, unless they're completely automated,
of course.

