## Applications of Logic in Software Verification

### Overview of Deductive Program Verification

- A **program verifier** takes two inputs:
  1. The **source code** of your program.
  2. A **specification** of what the program is supposed to do.

- Specifications can range from:
  - Simple properties (e.g., no arithmetic/buffer overflows).
  - Rich behavioral specifications (e.g., the program sorts an array).

- The verifier analyzes the program and produces a **verification condition** (VC): a first-order logic formula, typically in a theory supported by an SMT solver.

- If the VC is **valid**, we know the program satisfies its specification.
  - Validity is checked by a **theorem prover** (e.g., an SMT solver).

- If not valid, it could mean:
  - The program has a **bug**.
  - The spec is incorrect.
  - The verifier has **limitations** and cannot prove the triple even though it holds.

---

### Hoare Logic: The Foundation of Program Verification

- Hoare Logic is the logical system most program verifiers are based on.
- Invented by **Tony Hoare**, also the inventor of quicksort.
- Sometimes called **Floyd-Hoare Logic** due to similar work by **Robert Floyd**.

---

### The IMP Language

We'll use a simple imperative language called **IMP** to illustrate Hoare Logic.

- **Expressions**: integers, variables, arithmetic ops (`+`, `*`)
- **Boolean Conditions**: `true`, `false`, comparisons (`=`, `<=`, etc.)
- **Statements**:
  - `x := e` (assignment)
  - `s1; s2` (sequencing)
  - `if c then s1 else s2` (conditional)
  - `while c do s` (loop)

---

### Hoare Triples

A **Hoare triple** has the form:

    { P } S { Q }

- `P` is the **precondition** (must hold before execution)
- `Q` is the **postcondition** (must hold if the program terminates)
- `S` is a statement from IMP

**Meaning**:  
If you execute `S` in a state satisfying `P`, and the execution **terminates**, then `Q` must hold afterward.

- Hoare triples describe **partial correctness**:
  - They say nothing about whether `S` terminates.
  - Only that if it **does**, `Q` is satisfied.

---

### Examples

- `{ x = 0 } x := x + 1 { x = 1 }` ✅ valid
- `{ x = 0 ∧ y = 1 } x := x + 1 { x = 1 ∧ y = 2 }` ❌ invalid (`y` is unchanged, so `y = 2` fails)
- `{ x = 0 ∧ y = 1 } x := x + 1 { x = 1 ∨ y = 2 }` ✅ valid (the disjunct `x = 1` holds)
- `{ x = 0 } while true do skip { x = 1 }` ✅ valid (vacuously, since the loop never terminates)
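As an added example (not from the notes), a tiny weakest-precondition verifier in Python for the IMP fragment above: `wp` builds the verification condition for each statement form (the `while` rule needs a user-supplied loop invariant, as in real verifiers), and `verify` checks validity by brute force over a small integer range, standing in for the SMT solver. `check_examples` re-checks the four triples listed above plus one counting loop; the tuple encoding of statements and the bound are my assumptions.

```python
from itertools import product
# IMP statements as tuples: ('skip',), ('assign', x, e), ('seq', s1, s2), ('if', c, s1, s2),
# ('while', c, inv, body); inv is a user-supplied invariant. Expressions, conditions and
# assertions are Python callables on a state dict, e.g. lambda s: s['x'] + 1.
def wp(stmt, post, side):
    """Weakest precondition of stmt for post; loop proof obligations go to side."""
    kind = stmt[0]
    if kind == 'skip': return post
    if kind == 'assign':                      # wp(x := e, Q) = Q[e/x]
        _, x, e = stmt
        return lambda s: post({**s, x: e(s)})
    if kind == 'seq':                         # wp(s1; s2, Q) = wp(s1, wp(s2, Q))
        return wp(stmt[1], wp(stmt[2], post, side), side)
    if kind == 'if':                          # (c ∧ wp(s1, Q)) ∨ (¬c ∧ wp(s2, Q))
        _, c, s1, s2 = stmt
        w1, w2 = wp(s1, post, side), wp(s2, post, side)
        return lambda s: w1(s) if c(s) else w2(s)
    if kind == 'while':                       # precondition must establish inv, ...
        _, c, inv, body = stmt
        wb = wp(body, inv, side)
        side.append(lambda s: not (inv(s) and c(s)) or wb(s))        # ... body preserves it,
        side.append(lambda s: not (inv(s) and not c(s)) or post(s))  # ... inv ∧ ¬c ⇒ post
        return inv
    raise ValueError(f'unknown statement {kind}')

def verify(pre, stmt, post, variables, bound=4):
    """{pre} stmt {post} holds iff pre ⇒ wp(stmt, post) and every loop obligation
    is valid; validity is brute-forced over integer states in [-bound, bound]."""
    side = []
    vc = wp(stmt, post, side)
    obligations = [lambda s: not pre(s) or vc(s)] + side
    for values in product(range(-bound, bound + 1), repeat=len(variables)):
        s = dict(zip(variables, values))
        if not all(ob(s) for ob in obligations):
            return False                      # counterexample state: triple invalid
    return True
# The four triples from the notes, plus a loop that counts x up to n (constructed inputs).
INC = ('assign', 'x', lambda s: s['x'] + 1)
SPIN = ('while', lambda s: True, lambda s: True, ('skip',))   # invariant: true
COUNT = ('while', lambda s: s['x'] < s['n'], lambda s: s['x'] <= s['n'], INC)
X0, X1 = (lambda s: s['x'] == 0), (lambda s: s['x'] == 1)
X0Y1 = lambda s: X0(s) and s['y'] == 1

def check_examples():
    return (verify(X0, INC, X1, ['x']),                                         # valid
            verify(X0Y1, INC, lambda s: X1(s) and s['y'] == 2, ['x', 'y']),     # invalid
            verify(X0Y1, INC, lambda s: X1(s) or s['y'] == 2, ['x', 'y']),      # valid
            verify(X0, SPIN, X1, ['x']),                                        # valid (vacuous)
            verify(lambda s: s['x'] <= s['n'], COUNT,
                   lambda s: s['x'] == s['n'], ['x', 'n']))                     # valid
```

The bounded check can only refute a triple or confirm it on small states; a real verifier hands the same obligations to a theorem prover to establish validity for all states.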

---

### Total vs. Partial Correctness

- **Partial correctness** (curly braces `{}`):
  - Only guarantees correctness **if** the program terminates.

- **Total correctness** (square brackets `[]`):
  - Guarantees both **termination** and **correct output**.

Example:

- `{ x = 0 } while true do skip { x = 1 }` ✅ valid for partial correctness
- `[ x = 0 ] while true do skip [ x = 1 ]` ❌ invalid for total correctness (the loop never terminates)

---

### Proofs in Hoare Logic

We aim to **prove** that Hoare triples are valid using a proof system.

- Use `⊨ {P} S {Q}` to denote validity (semantic truth).
- Use `⊢ {P} S {Q}` to denote provability (proof exists in system).

A good system satisfies:

- **Soundness**: If `⊢ {P} S {Q}`, then `⊨ {P} S {Q}`
- **Completeness**: If `⊨ {P} S {Q}`, then `⊢ {P} S {Q}`

In Hoare logic:

- The proof system is **sound**.
- It is **relatively complete**:
  - Given a **perfect theorem prover** (an oracle for the validity of the assertion formulas), the system can prove all valid triples; any incompleteness in practice comes from the theorem prover, not from the Hoare rules.
