2

In Hoare logic, one often makes a distinction between partial and total correctness. Partial correctness means that the program fulfills its specification, or does not terminate (infinite loop or recursion).

Does anyone know why this subtlety about termination was introduced ? To me it seems only total correctness is useful : a program fulfills its specification and terminates. Who wants to execute a possibly infinite loop ?

V. Semeria
  • 3,128
  • 1
  • 10
  • 25
  • You can see the explanation in the link you posted: Hoare logic can only prove partial correctness (and Wikipedia pages about correctness and related topics talk more about that). The concept is introduced not because it is useful in comparison to total correctness, but as the limit of the analysis. – jdehesa Aug 09 '18 at 15:56
  • @jdehesa The question is more about partial correctness than Hoare logic. I use program verifiers such as Why3 or Frama-C, which do both partial and total correctness proofs. The termination part is done by giving loop variants, it is usually easier than the specification part, that needs loop invariants. – V. Semeria Aug 09 '18 at 16:02

2 Answers2

3

The fact that we talk about partial correctness doesn't mean partial correctness is equally useful to prove. We talk about partial correctness because we have a technique for proving it (Hoare logic), and we should understand the limitations of that technique.

Hoare logic can be used to prove that an algorithm never terminates with an incorrect result (partial correctness), but it cannot be used to prove that an algorithm always terminates with a correct result (total correctness). These are not logically equivalent, but if we didn't have separate terms for them then it would be easy to naively assume they are equivalent.

Says Wikipedia:

Using standard Hoare logic, only partial correctness can be proven, while termination needs to be proved separately.

One way to think of a Hoare triple is that it is a segment of code, annotated with two assertions, one before the segment and one after it. An assertion is a logical test which either passes or fails when the assertion is reached. The Hoare triple says that if the first assertion never fails, then the second assertion also never fails.

Fundamentally, you cannot write an assertion which says that a line of code will be reached, because whatever condition you write, the assertion never fails if it is never reached. Note that you can assert false to say that a line of code won't be reached, but assert true never fails, whether or not it is ever reached. Therefore, although a proof by Hoare logic is able to conclude that the final assertion in an algorithm (i.e. its postcondition) never fails, that doesn't imply the algorithm terminates.

kaya3
  • 47,440
  • 4
  • 68
  • 97
1

While many termination cases can be addressed with a minor augmentation of the Hoare logic, and more can be rewritten to be so addressed, this is not true of all cases.

Thus, in the general case, you may need to use an elaborate proof construction to prove total correctness. This should be more than sufficient to justify making a distinction between partial and total correctness.

To look at it another way: when proving termination is much more difficult than proving partial correctness, a practical engineering approach should consider whether the additional effort is worth it.

comingstorm
  • 25,557
  • 3
  • 43
  • 67
  • What do you know about a program if you've only proven partial correctness? It could still be an infinite loop (written in complicated way). – V. Semeria Aug 09 '18 at 18:20
  • Sure. But, as a practical example: there's a difference between having reasons to believe your SAT solver should terminate for all inputs, and coming up with a formally verified proof that this is so. – comingstorm Aug 09 '18 at 18:44