
On Hoare Logic and Kleene Algebra with Tests

Dexter Kozen, Cornell University

We show that Kleene algebra with tests (KAT) subsumes propositional Hoare logic (PHL). Thus the specialized syntax and deductive apparatus of Hoare logic are inessential and can be replaced by simple equational reasoning. In addition, we show that all relationally valid inference rules are derivable in KAT and that deciding the relational validity of such rules is PSPACE-complete.

Categories and Subject Descriptors: D [Software Engineering]: Tools and Techniques (structured programming); D [Software Engineering]: Program Verification (correctness proofs); D [Software Engineering]: Language Constructs and Features (control structures); F [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs (assertions, invariants, logics of programs, mechanical verification, pre- and postconditions, specification techniques); F [Logics and Meanings of Programs]: Semantics of Programming Languages (algebraic approaches to semantics); F [Logics and Meanings of Programs]: Studies of Program Constructs (control primitives); I [Algebraic Manipulation]: Expressions and Their Representations (simplification of expressions); I [Algebraic Manipulation]: Languages and Systems (special-purpose algebraic systems); I [Algebraic Manipulation]: Automatic Programming (program modification, program synthesis, program transformation, program verification)

General Terms: Design, Languages, Theory, Verification

Additional Key Words and Phrases: Dynamic logic, Hoare logic, Kleene algebra, Kleene algebra with tests, specification

INTRODUCTION

Hoare logic, introduced by C. A. R. Hoare in [Hoare], was the first formal system for the specification and verification of well-structured programs. This pioneering work initiated the field of program correctness and inspired dozens of technical articles [Cook; Clarke et al.; Cousot]. For this achievement among others, Hoare received the Turing Award.

Hoare logic uses a specialized syntax involving partial correctness assertions (PCAs) of the form $\{b\}\,p\,\{c\}$ and a deductive apparatus consisting of a system of specialized rules of inference. Under certain conditions these rules are relatively complete [Cook]; essentially, the propositional fragment of the logic can be used to reduce partial correctness assertions to static assertions about the underlying domain of computation.

The support of the National Science Foundation under grant CCR is gratefully acknowledged. This paper is a revised and expanded version of [Kozen]. Address: Department of Computer Science, Cornell University, Ithaca, NY, USA. Email: kozen@cs.cornell.edu. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or direct commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM Inc., Broadway, New York, NY, USA, by fax or at permissions@acm.org.

In this paper we show that this propositional fragment, which we call propositional Hoare logic (PHL), is subsumed by Kleene algebra with tests (KAT), an equational algebraic system introduced in [Kozen]. The reduction transforms PCAs to ordinary equations and the specialized rules of inference to equational implications (universal Horn formulas). The transformed rules are all derivable in KAT by pure equational reasoning. More generally, we show that all Hoare-style inference rules of the form

$$\frac{\{b_1\}\,p_1\,\{c_1\} \qquad \cdots \qquad \{b_n\}\,p_n\,\{c_n\}}{\{b\}\,p\,\{c\}}$$

that are valid over relational models are derivable in KAT (this is trivially false for PHL). We also show that deciding the relational validity of such rules is PSPACE-complete.

A Kleene algebra with tests is defined simply as a Kleene algebra with an embedded Boolean subalgebra. Possible interpretations include the various standard relational and trace-based models used in program semantics, and KAT is complete for the equational theory of these models [Kozen and Smith].

This work shows that the reasoning power represented by propositional Hoare logic is captured in a concise, purely equational system KAT that is complete over various natural classes of interpretations and whose exact complexity is known. Thus for all practical purposes KAT can be used in place of the Hoare rules in program correctness proofs.

Related Work

Equational logic possesses a rich theory and is the subject of numerous papers and texts [Taylor]. Its power and versatility in program specification and verification are widely recognized [O'Donnell; Goguen and Malcolm].

The equational nature of Hoare logic has been observed previously. Manes and Arbib [Manes and Arbib] formulate Hoare logic in partially additive semirings and categories. The encoding of the PCA $\{b\}\,p\,\{c\}$ as the equation $bp\bar{c} = 0$ is observed there. They consider only relational models, and the treatment of iteration is infinitary.

Bloom and Ésik [Bloom and Ésik] reduce Hoare logic to the equational logic of iteration theories. They do not restrict their attention to while programs but capture all flowchart schemes, requiring extra notation for insertion, tupling, and projection. Their development is done in the framework of category theory. Semantic models consist of morphisms in algebraic theories, a particular kind of category. Other related work can be found in [Bloom and Ésik; Main and Black].

The encoding of the while programming constructs using the regular operators and tests originated with propositional dynamic logic (PDL) [Fischer and Ladner]. Although strictly less expressive than PDL, KAT has a number of advantages: (i) it isolates the equational part of PDL, allowing program equivalence proofs to be expressed in their natural form; (ii) it conveniently overloads the operators, allowing concise and elegant algebraic proofs; (iii) it is PSPACE-complete [Cohen et al.], whereas PDL is EXPTIME-complete [Fischer and Ladner]; (iv) interpretations are not restricted to relational models but may be any algebraic structure satisfying the axioms; and (v) it admits various general and useful algebraic constructions such as the formation of algebras of matrices over a KAT, which among other things allows a natural encoding of automata.

Halpern and Reif [Halpern and Reif] prove PSPACE-completeness of strict deterministic PDL, but neither the upper nor the lower bound of our PSPACE-completeness result follows from theirs. Not only are PDL semantics restricted to relational models, but the arguments of Halpern and Reif depend on an additional nonalgebraic restriction: the relations interpreting atomic programs must be single-valued. Without this restriction, even if only while programs are allowed, PDL is exponential-time hard. In contrast, KAT imposes no such restrictions.

We first review the definitions of Hoare logic and Kleene algebra with tests. We then reduce PHL to KAT and derive the Hoare rules as theorems of KAT. Next we strengthen this result to show that KAT is complete for relationally valid rules of the form displayed above. Finally, we prove that the problem of deciding the relational validity of such rules is PSPACE-complete.

PRELIMINARY DEFINITIONS

Hoare Logic

Hoare logic is a system for reasoning inductively about well-structured programs. A comprehensive introduction can be found in [Cousot].

A common choice of programming language in Hoare logic is the language of while programs. The first-order version of this language contains a simple assignment $x := e$, a conditional test if $b$ then $p$ else $q$, sequential composition $p\,;\,q$, and a looping construct while $b$ do $p$.

The basic assertion of Hoare logic is the partial correctness assertion (PCA) $\{b\}\,p\,\{c\}$, where $b$ and $c$ are formulas and $p$ is a program. Intuitively, this statement asserts that whenever $b$ holds before the execution of the program $p$, then if and when $p$ halts, $c$ is guaranteed to hold of the output state. It does not assert that $p$ must halt.

Semantically, programs $p$ in Hoare logic and dynamic logic (DL) are usually interpreted as binary input/output relations $p^M$ on a domain of computation $M$, and assertions are interpreted as subsets of $M$ [Cook; Pratt]. The definition of the relation $p^M$ is inductive on the structure of $p$; for example, $(p\,;\,q)^M = p^M \circ q^M$, the ordinary relational composition of the relations corresponding to $p$ and $q$. The meaning of the PCA is the same as the meaning of the DL formula $b \to [p]c$, where $\to$ is ordinary propositional implication and the modal construct $[p]c$ is interpreted in the model $M$ as the set of states $s$ such that for all $(s,t) \in p^M$, the output state $t$ satisfies $c$.

Hoare logic provides a system of specialized rules for deriving valid PCAs, one rule for each programming construct. The verification process is inductive on the structure of programs. The traditional Hoare inference rules are:

Assignment rule:
$$\{b[x/e]\}\ x := e\ \{b\}$$

Composition rule:
$$\frac{\{b\}\,p\,\{c\} \qquad \{c\}\,q\,\{d\}}{\{b\}\,p\,;\,q\,\{d\}}$$

Conditional rule:
$$\frac{\{b \wedge c\}\,p\,\{d\} \qquad \{\neg b \wedge c\}\,q\,\{d\}}{\{c\}\ \mathbf{if}\ b\ \mathbf{then}\ p\ \mathbf{else}\ q\ \{d\}}$$

While rule:
$$\frac{\{b \wedge c\}\,p\,\{c\}}{\{c\}\ \mathbf{while}\ b\ \mathbf{do}\ p\ \{\neg b \wedge c\}}$$

Weakening rule:
$$\frac{b' \to b \qquad \{b\}\,p\,\{c\} \qquad c \to c'}{\{b'\}\,p\,\{c'\}}$$

Propositional Hoare logic (PHL) consists of atomic proposition and program symbols, the usual propositional connectives, while program constructs, and PCAs built from these. Atomic programs are interpreted
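As an added worked example (not part of the paper's own text), three of the rules above are derived in KAT by equational reasoning alone. The derivation assumes the encoding of $\{b\}\,p\,\{c\}$ as $bp = bpc$, of if $b$ then $p$ else $q$ as $bp + \bar{b}q$ (with $\bar{b}$ the Boolean complement of $b$), and of an implication $b' \to b$ between tests as $b'b = b'$; tests commute with one another and $\cdot$ is associative and distributes over $+$.

Composition rule. Assume $bp = bpc$ and $cq = cqd$. Then
$$b(p\,;\,q) = (bp)q = (bpc)q = bp(cq) = bp(cqd) = (bpc)qd = (bp)qd = b(p\,;\,q)d,$$
so $\{b\}\,p\,;\,q\,\{d\}$ holds, using only associativity and the two hypotheses.

Conditional rule. Assume $bcp = bcpd$ and $\bar{b}cq = \bar{b}cqd$. Then
$$c(bp + \bar{b}q) = cbp + c\bar{b}q = bcp + \bar{b}cq = bcpd + \bar{b}cqd = (cbp + c\bar{b}q)d = c(bp + \bar{b}q)d,$$
so $\{c\}\ \mathbf{if}\ b\ \mathbf{then}\ p\ \mathbf{else}\ q\ \{d\}$ holds, using distributivity and commutativity of tests.

Weakening rule. Assume $b'b = b'$, $bp = bpc$, and $cc' = c$. Then
$$b'p = b'bp = b'bpc = b'pc = b'pcc' = (b'pc)c' = (b'p)c',$$
so $\{b'\}\,p\,\{c'\}$ holds; the step $b'pc = b'p$ reverses the first three equalities.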