## Proof Rules in Hoare Logic

### Overview

- We now formalize how to **prove Hoare triples** using **inference rules**.
- These rules are written as:

      Premises
      --------
      Conclusion

- If all premises above the line hold, then the conclusion below is valid.
- Some rules **have no premises** — these are **base cases**.
- Rules **with premises** represent **inductive steps**.

There is **one inference rule for each type of statement** in the IMP language.

---

### Assignment Rule

#### Intuition

Given a statement like:

    x := y

To find a precondition `?` that makes a triple like this one hold:

    { ? } x := y { x > 2 }

you must ensure that the **value being assigned to `x` (here `y`) already satisfies the postcondition** before the assignment runs.

More generally:

- If the postcondition is `Q`,
- replace every occurrence of the **assigned variable** in `Q` with the **expression** on the right-hand side; the result is the precondition.

Example:

    { y > 2 } x := y { x > 2 }

    { i > 9 } i := i + 1 { i > 10 }

This leads to the formal rule:

#### Rule:

    { Q[x ← E] } x := E { Q }

---

### Examples Using Assignment Rule

- `{ y = 4 } x := 4 { y = x }` ✅ Provable
- `{ x + 1 = 5 } y := x + 1 { y = 5 }` ✅ Provable
- `{ x = 2 } y := 2 { y = x }` ❌ Not provable (not sound)
- `{ z = 3 } x := y { z = 3 }` ✅ Provable (postcondition doesn't depend on y)

---

### Need for More Rules

The assignment rule is not sufficient in all cases.

#### Example:

    { z = 2 } y := x { y = x }

Using the assignment rule alone gives `{ true } y := x { y = x }` (since `(y = x)[y ← x]` is `x = x`, i.e. `true`), whose precondition does not match `z = 2`.

So we introduce:

---

### Precondition Strengthening

If:

- `{ P' } S { Q }` is provable
- and `P ⇒ P'` (P is stronger than P')

Then `{ P } S { Q }` is also valid.

This allows you to **add assumptions** to your precondition.

---

### Postcondition Weakening

If:

- `{ P } S { Q' }` is provable
- and `Q' ⇒ Q` (Q is weaker than Q')

Then `{ P } S { Q }` is valid.

This allows you to **weaken** your claim about the postcondition.

---

### Examples of Postcondition Weakening

If we can prove:

    { true } S { x = y ∧ z = 2 }

Then we can also conclude:

- `{ true } S { x = y }`
- `{ true } S { z = 2 }`
- `{ true } S { z > 0 }` (if `z = 2 ⇒ z > 0`)
- ❌ `{ true } S { false }` (not valid — false is not implied)

---

### Sequencing (Composition) Rule

To prove:

    { P } S1; S2 { R }

We must find an **intermediate assertion Q**, such that:

1. `{ P } S1 { Q }`
2. `{ Q } S2 { R }`

Then we can conclude the overall triple.

#### Example:

    { true } x := 2; y := x { y = 2 ∧ x = 2 }

Intermediate assertion: `x = 2`

- `{ true } x := 2 { x = 2 }` ✅ by assignment
- `{ x = 2 } y := x { x = 2 ∧ y = 2 }` ✅ by assignment + strengthening

---

### If Statement Rule

To prove:

    { P } if C then S1 else S2 { Q }

We must prove:

- `{ P ∧ C } S1 { Q }`
- `{ P ∧ ¬C } S2 { Q }`

So the postcondition must hold regardless of the branch taken.

---

### Example of If Rule

    { true } if x > 0 then y := x else y := -x { y ≥ 0 }

Proof breakdown:

1. `{ x > 0 } y := x { y ≥ 0 }`  
   - Precondition strengthening: `x > 0 ⇒ x ≥ 0`  
2. `{ x ≤ 0 } y := -x { y ≥ 0 }`  
   - Precondition strengthening: `x ≤ 0 ⇒ -x ≥ 0`

Thus the full triple is provable.
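The following checker is an added example, not part of the lecture notes: it applies the assignment, precondition-strengthening, composition and if rules above to any program in this IMP fragment, not just the two worked examples. It assumes a constructed encoding (assertions and expressions as Python expression strings, statements as tuples, with the intermediate assertion `Q` of a sequence supplied explicitly, as the composition rule requires) and it checks each implication `P ⇒ P'` exhaustively over a small integer domain, so a `True` result means "no counterexample in that domain", not a proof.

```python
import ast
import itertools

# Added example, not part of the lecture notes: a bounded checker for the IMP fragment
# covered so far (assignment, sequencing, if-then-else), following the proof rules above.
# Assertions and expressions are Python expression strings ("==" for equality, "and"/
# "or"/"not" for the connectives).  Statements are tuples (a constructed encoding):
#   ("assign", "x", "E")           x := E
#   ("seq", S1, "Q", S2)           S1; S2 with the chosen intermediate assertion Q
#   ("if", "C", S1, S2)            if C then S1 else S2
# Implications (P ⇒ P') are NOT proved symbolically: they are checked exhaustively over a
# small integer domain, so True means "no counterexample in the domain", not a proof.

DOMAIN = range(-6, 7)  # integer values tried for every free variable (assumption)


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of the variable `var` with the expression node `repl`."""

    def __init__(self, var, repl):
        self.var, self.repl = var, repl

    def visit_Name(self, node):
        # The returned replacement is not re-visited, so `i := i + 1` terminates.
        return self.repl if node.id == self.var else node


def subst(q, var, expr):
    """Q[var <- expr]: the textual substitution used by the assignment rule."""
    tree = ast.parse(q, mode="eval")
    repl = ast.parse(expr, mode="eval").body
    return ast.unparse(_Subst(var, repl).visit(tree))  # unparse re-inserts parentheses


def free_vars(*formulas):
    names = set()
    for f in formulas:
        names |= {n.id for n in ast.walk(ast.parse(f, mode="eval")) if isinstance(n, ast.Name)}
    return sorted(names)


def implies(p, q):
    """Bounded check of P ⇒ Q: no valuation over DOMAIN satisfies p but falsifies q."""
    names = free_vars(p, q)
    cp, cq = compile(p, "<P>", "eval"), compile(q, "<Q>", "eval")
    for values in itertools.product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, values))
        if eval(cp, {"__builtins__": {}}, env) and not eval(cq, {"__builtins__": {}}, env):
            return False
    return True


def provable(pre, stmt, post):
    """Check { pre } stmt { post } by applying the rule for the statement's kind."""
    kind = stmt[0]
    if kind == "assign":
        # Assignment rule plus precondition strengthening: pre ⇒ post[x <- E].
        _, var, expr = stmt
        return implies(pre, subst(post, var, expr))
    if kind == "seq":
        # Composition: both halves must hold for the supplied intermediate assertion.
        _, s1, mid, s2 = stmt
        return provable(pre, s1, mid) and provable(mid, s2, post)
    if kind == "if":
        # Conditional: { pre ∧ C } S1 { post } and { pre ∧ ¬C } S2 { post }.
        _, cond, s1, s2 = stmt
        return (provable(f"({pre}) and ({cond})", s1, post)
                and provable(f"({pre}) and not ({cond})", s2, post))
    raise ValueError(f"unknown statement kind: {kind!r}")


# The notes' sequencing example: { true } x := 2; y := x { y = 2 ∧ x = 2 } with Q = (x = 2).
SEQ_EXAMPLE = ("seq", ("assign", "x", "2"), "x == 2", ("assign", "y", "x"))

# The notes' if example: { true } if x > 0 then y := x else y := -x { y ≥ 0 }.
IF_EXAMPLE = ("if", "x > 0", ("assign", "y", "x"), ("assign", "y", "-x"))


if __name__ == "__main__":
    print(subst("y == x", "x", "4"))                                  # y == 4
    print(provable("y == 4", ("assign", "x", "4"), "y == x"))        # True
    print(provable("z == 2", ("assign", "y", "x"), "y == x"))        # True (z = 2 ⇒ true)
    print(provable("True", SEQ_EXAMPLE, "y == 2 and x == 2"))        # True
    print(provable("True", IF_EXAMPLE, "y >= 0"))                    # True
    print(provable("True", ("assign", "y", "x"), "y > 0"))           # False (any x ≤ 0 is a counterexample)
    print(implies("x == y and z == 2", "z > 0"))                     # True
    print(implies("x == y and z == 2", "False"))                     # False
```

Postcondition weakening needs no separate case: once `{ P } S { Q' }` is checked, `implies(Q', Q)` is exactly the side condition `Q' ⇒ Q`, as the last two calls show for the weakening examples above. The bounded `implies` is deliberately the weakest link; swapping it for an SMT query would turn the sanity check into a real proof without changing the rule applications.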

---

### Summary

We now have rules for:

- Assignment
- Precondition Strengthening
- Postcondition Weakening
- Composition (Sequencing)
- Conditionals (If-Then-Else)

Next, we'll handle **loops**, which are more involved and require reasoning about **induction**.
