Hoare logic
== Partial and total correctness ==

Using standard Hoare logic, only [[partial correctness]] can be proven. [[Total correctness]] additionally requires [[Termination analysis|termination]], which can be proven separately or with an extended version of the While rule.{{sfn|Reynolds|2009|loc=Sect. 3.4, p. 64}} Thus the intuitive reading of a Hoare triple is: Whenever <math>P</math> holds of the state before the execution of <math>C</math>, then <math>Q</math> will hold afterwards, or <math>C</math> does not terminate. In the latter case, there is no "after", so <math>Q</math> can be any statement at all. Indeed, one can choose <math>Q</math> to be false to express that <math>C</math> does not terminate. "Termination" here and in the rest of this article is meant in the broader sense that computation will eventually be finished, that is, it implies the absence of infinite loops; it does not imply the absence of implementation limit violations (e.g. division by zero) stopping the program prematurely. In his 1969 paper, Hoare used a narrower notion of termination which also entailed the absence of implementation limit violations, and expressed his preference for the broader notion of termination as it keeps assertions implementation-independent:

{{quote|1=Another deficiency in the axioms and rules quoted above is that they give no basis for a proof that a program successfully terminates. Failure to terminate may be due to an infinite loop; or it may be due to violation of an implementation-defined limit, for example, the range of numeric operands, the size of storage, or an operating system time limit.

Thus the notation “<math>P\{Q\}R</math>” should be interpreted “provided that the program successfully terminates, the properties of its results are described by <math>R</math>.” It is fairly easy to adapt the axioms so that they cannot be used to predict the “results” of nonterminating programs; but the actual use of the axioms would now depend on knowledge of many implementation-dependent features, for example, the size and speed of the computer, the range of numbers, and the choice of overflow technique. Apart from proofs of the avoidance of infinite loops, it is probably better to prove the “conditional” correctness of a program and rely on an implementation to give a warning if it has had to abandon execution of the program as a result of violation of an implementation limit.|source={{harvnb|Hoare|1969|pp=578-579}}}}
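The following derivation is an added worked example, not part of the article: it shows why the partial-correctness While rule lets one conclude <math>\{\mathit{true}\}\ C\ \{\mathit{false}\}</math> for the non-terminating loop <math>C = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}</math>, and why the variant-based (total-correctness) While rule cannot be applied to it. The bracket notation <math>[P]\ C\ [Q]</math> for total correctness and the variant <math>t</math> are conventions assumed here, not taken from the article.

```latex
% Added example (not from the article). {P} C {Q}: partial correctness;
% [P] C [Q]: total correctness (bracket notation is an assumed convention).

% Partial-correctness While rule:
\frac{\{P \wedge B\}\; S\; \{P\}}
     {\{P\}\ \mathbf{while}\ B\ \mathbf{do}\ S\ \{\neg B \wedge P\}}

% Instantiate P := true, B := true, S := skip. The premise is the skip axiom:
\{\mathit{true} \wedge \mathit{true}\}\ \mathbf{skip}\ \{\mathit{true}\}

% Conclusion: the invariant is kept, but the exit condition is unsatisfiable:
\{\mathit{true}\}\ \mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}\ \{\neg\mathit{true} \wedge \mathit{true}\}
\quad\Longleftrightarrow\quad
\{\mathit{true}\}\ \mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}\ \{\mathit{false}\}

% Since false implies any Q, the rule of consequence yields every postcondition:
\frac{\{\mathit{true}\}\ C\ \{\mathit{false}\} \qquad \mathit{false} \Rightarrow Q}
     {\{\mathit{true}\}\ C\ \{Q\}}

% Total-correctness While rule, with a variant t over the naturals and z fresh:
\frac{\{P \wedge B \wedge t = z\}\; S\; \{P \wedge t < z\}
      \qquad P \wedge B \Rightarrow t \ge 0}
     {[P]\ \mathbf{while}\ B\ \mathbf{do}\ S\ [\neg B \wedge P]}

% For S = skip the state is unchanged, so t = z before S gives t = z after S,
% never t < z. The first premise fails for every choice of t, hence
% [true] C [false] is not derivable: the loop has no total-correctness triple,
% matching the article's reading that Q = false expresses non-termination.
```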