This file contains the hoare rules from the paper of lundberg et al. Those rules are being defined and proved. By proving these rules, we archive
- showing the correctness of the rules themselves
- verifying the compatibility of the constructed machine model and the hoare logic from lundberg et al.
The assumptions of Hoare's rules used here differ in some respects from those in lundberg et al. This is because conditions such as $L_W \cap L_B = \emptyset$ are preconditions from the judgement of \mathcal{L}_{AS}. These statements must be valid in order for the conditions for applying the assumptions to be met.
TODO: prove of S_LOOP
Enables the merge of two Hoare-triples into one, given that the postcondition of the first triple is equal to the precondition of the second triple.
This rule lets you apply S_SEQ with any form of L_{B''} but asks for
a proof of L_{B''} = L_B ∩ L_{B'}
A rule to verify the formal correctness of a loop. Requires:
A Condition
CAn Invariant
IA Variant
VHigh-level proof idea of S_LOOP
- Define C v := “for any state s at l with invariant I and variant V s = v, we can reach some s' satisfying Q via weak with the original L_w/L_b.”
- Prove C v by well-founded induction on v.
- If C s (the loop condition) holds, use the given loop-body triple at variant v to get a next state s' back at l with strictly smaller variant (V s' < v) and still I. Then apply induction hypothesis to V s' to get a final state s'' satisfying Q. Finally, compose the two runs to build weak s s'' ... (this is where we stitch step counts and the “no earlier hit” condition).
- If ¬C s, use the given exit triple to get Q directly.
- Apply C (V s) to your original starting state s.