The characterization problem for Hoare logics

Research by this author and by others has shown that there are natural programming language control structures which are impossible to describe adequately by means of Hoare axioms. Specifically, we have shown that there are control structures for which it is impossible to obtain axiom systems that are sound and relatively complete in the sense of Cook. These constructs include procedures with procedure parameters under standard Algol 60 scope rules and coroutines in a language with parameterless recursive procedures. A natural question to ask is whether it is possible to characterize those programming languages for which sound and complete proof systems can be obtained. For a wide class of programming languages and interpretations, it can be shown that P has a sound and relatively complete proof system for every expressive interpretation iff the halting problem for language P is decidable for all finite interpretations. Nevertheless, we are still far from a completely satisfactory characterization of the programming languages that can be axiomatized in this manner. The proof system that is generated in proving the above result does not have the property of being "syntax-directed" which is distinctive of the Hoare axioms. Moreover, theoretical considerations suggest that good axioms for total correctness may exist for a wider spectrum of languages than is the case for partial correctness. In this paper we discuss these questions and others which still need to be addressed before the characterization problem can be considered solved.


Introduction
A key trend in program verification has been the use of axioms and rules of inference to specify the meanings of programming language constructs.This approach was first suggested by C.A.R. Hoare in 1969 [11].Although the most complicated control structure in Hoare's original paper was the while statement, there has been considerable success in extending his method to other language features.Axioms have been proposed for the goto statement, functions, recursive procedures with value and reference parameter passing, simple coroutines, and concurrent programs.Research by Clarke [2] has shown, however, that there are natural programming language control structures which are impossible to describe adequately by means of Hoare axioms.Specifically, Clarke has shown that there are control structures for which it is impossible "^This research was partially supported by NSF Grant MCS-82-16706.
to obtain axiom systems that are sound and complete in the sense of Cook [5].These constructs include procedures witii procedure parameters under standard Algol 60 scope rules and coroutines in a language with parameterless recursive procedures.
A natural question to ask is whether it is possible to characterize those programming languages for which sound and complete proof systems can be obtained.The incompleteness results are established by observing that if a programming language P has a sound and relatively complete proof system for all expressive interpretations, then the halting problem for P must be decidable for finite interpretations.This condition also appears to be sufficient: For a wide class of programming languages and interpretations, it can be shown that if the halting problem for language P is decidable for all finite interpretations, then P has a proof system which will be sound and relatively complete for any expressive interpretation.Nevertheless, we are still far from a completely satisfactory characterization of the programming languages that can be axiomatized in this manner.In this paper we identify and discuss four specific issues which we believe still need to be addressed before the characterization problem can be considered solved: 1.The present version of the Characterization Theorem predicts that certain programming languages should have good Hoare proof systems, even though no natural systems have been found.
2. The Characterization Theorem should result in a usable proof system-not just an enumeration procedure.Also, the proof system should follow the syntax of the programming language (i.e.be syntax-directed) in the same way that Hoare's original system does.
3. It appears from the proof of the Characterization Theorem that certain programming languages may have good total correctness proof systems even though they do not have good partial correctness proof systems.
4. Lasdy, the hypothesis of expressiveness for interpretations deserves more thought This hypothesis is important because it determines the degree of encoding that is permitted in reasoning about programs.Is it too strong or, perhaps, not strong enough?
The paper is organized as follows: Section 2 contains a short discussion of the basic ideas of Hoare's logic and gives definitions for partial and total correctness.Soundness and relative completeness are introduced and motivated in Section 3. Expressibility and the implications of this concept are discussed in some detail in Section 4. Section 5 briefly outlines how incompleteness results are obtained for various combinations of programming language features.
In Section 6 the proof of the Characterization Theorem is sketched and the limitations of this theorem are discussed.Section 7 contains a discussion of the research problems mentioned above and is the heart of the paper.Finally, Section 8 discusses the relevance of the characterization problem to programming language design.

Hoare Logics
The formulas in a Hoare axiom system are triples {P} S {Q} where S is a statement of the programming language and P and Q are formulas describing the initial and final states of the program S. The logical system in which the predicates P and Q are expressed is called the assertion language (AL) and in this paper will always be a first order language with type or signature 2.
Intuitively, the partial correctness formula {P} S {Q} is true iff whenever precondition P holds for the initial program state and S terminates, then postcondition Q will be satisfied by the final program state.
Although this paper is primarily concerned with partial correctness, we will occasionally need to discuss total correctness as well.Total correctness formulas will be triples with the syntax <P> S <Q>.Such a formula is true iff whenever the precondition P holds for some initial program state, then program S will terminate when started in this state and Q will be satisfied by the final program state.
The control structures of a programming language are specified by axioms and rules of inference for the partial correctness formulas.A typical rule of inference is The predicate P is the invariant of the while loop.Proofs of correctness for -programs are constructed by using the axioms together with a proof system T for the assertion language.We write I-H T {P} S {Q} if the partial correctness formula {P} S {Q} is provable using the Hoare axiom system H and the proof system T for the assertion language AL.
To discuss whether a particular Hoare axiom system adequately describes the programming language PL, it is necessary to have a definition of truth for partial correctness formulas which is independent of the axiom system H.The definition of truth requires two steps.First, we give an interpretation I for the assertion language AL.The interpretation I (over type 2 ) specifies the primitive data objects of our programming language; it consists of a set Dom(I) (the domain of the interpretation) and an assignment of a function (respectively, predicate) over Dom(I) of the appropriate arity to each function (respectively, predicate) symbol of 2. Typical interpretations might be the integers with the standard functions and predicates of aridimctic, or linear lists with the list processing functions car, cdr, etc. Th(I) is die set of all first-order sentences (over 2) true in I.
Second, we provide an interpreter for the statements of the programming language.There are many ways such an interpreter may be specified-in terms of computation sequences or as the least fixed point of a continuous functional (denotational semantics

Soundness and Completeness
When can we be satisfied that a Hoare axiom system H adequately describes the programming language PL?There are two possible ways a Hoare axiom system may be inadequate.First, some theorem {P} S {Q} which can be proven in the axiom system may fail to hold for actual executions of the program S; in other words, there is a terminating computation of S such that the initial state satisfies P but the final state fails to satisfy Q.A way of preventing this source of error is to adopt an operational or denotational semantics for the programming language which is close to the way statements are actually executed.We then show that every theorem which can be proven using the axiom system will be true in the model of program execution that we have adopted.In the notation defined above we prove that for all P, Q, S, if H~H T {P} S {Q} then ^1 (P) S {Q}.In general, this type of soundness property is fairly easy to establish.
A second source of inadequacy is that the axioms for the programming language may not be sufficiently powerful to handle all combinations of the control structures of the language.
However, the question of when it is safe to stop looking for new axioms is much more difficult to answer than the question of soundness.One solution is to prove a completeness theorem for the Hoare axiom system.We can attempt to prove that every partial correctness formula which is true of the execution model of the programming language is provable in die axiom system.In general it is impossible to prove such completeness tiieorems; the proof system for the assertion language may itself fail to be complete.For example, when dealing with the integers for any consistent axiomatizable proof system, there will be formulas which are true of the integers but not provable within the system.Also the assertion language may not be powerful enough to express the invariants of loops.This difficulty occurs if the assertion language is Prcsburger arithmetic (i.e., integer arithmetic without multiplication).Note that both of the difficulties above are faults of the underlying assertion language and interpretation--not of the Hoare axiom system.
How can we talk about the completeness of a Hoare axiom system independently of its assertion language?Cook [5] gives a Hoare axiom system for a subset of Algol including the while statement and nonrccursive procedures.He then proves that if there is a complete proof system for the assertion language (e.g., all true statements of the assertion language) and if the assertion language satisfies a certain natural expressibility condition, which will be discussed in detail in the next section, then every true partial correctness assertion will be provable.
Definition 1: A Hoare axiom system H for a programming language PL is sound and complete (in the sense of Cook) iff for all AL and I, if I is expressive with respect to AL and PL, then ^{P}S{Q}~ ^H,Th(I)^> S W>

Expressibility
We say that I is expressive with respect to AL and PL iff for all S e PL and Q there is a formula of AL which expresses the weakest precondition for partial correctness (called the weakest liberal precondition in [7]) This type of reasoning (cf [3]) shows that WP[while b do S](Q) can always be used as the invariant of a while loop with postcondition Q and is the essence of the relative completeness proof for a simple programming language containing the while statement as the only control structure.
We could have equally well defined expressibility in terms of the weakest precondition for total correctness or in terms of the strongest postcondition

SP[S](P) = {a\3 a[P[a] A (a, a) € M[S] ]}.
It is shown in [2] that all of these definitions lead to the same concept.
Theorem 2: The following are equivalent: 1.1 is WP-expressive with respect to PL and AL 2.1 is WT-expressive with respect to PL and AL

is SP-expressive with respect to PL and AL
In establishing relative completeness results for looping constructs it is more convenient to work with the weakest precondition for partial correctness.For recursive procedures, on the other hand, the strongest postcondition generally is more useful.
Not every choice of AL, PL, and I gives expressibility.Cook demonstrates this in the case where the assertion language is Presburger arithmetic.Wand [20] gives another example of the same phenomenon.More realistic choices of AL, PL, and I do give expressibility, however.If AL is the full language of number theory and I is an interpretation in which the symbols of number theory receive their usual interpretations, then I is expressive with respect to AL and PL.Also if the domain of I is finite, then expressibility is assured.Recently, German and Halpern [9] and Urzyczyn [19] have independently obtained a strong characterization of those interpretations which are expressive: Theorem 3: Suppose that PL is an acceptable programming language with recursion and that I is a Herbrand definable interpretation which is expressive for AL and PL.Then 1 is cither finite or strongly arithmetic.
The acceptability of the programming language is a mild technical assumption which ensures that the language is closed under certain reasonable programming constructs, and that given a program, it is possible to effectively ascertain its step-by-step computation in interpretation I by asking quantifier-free questions about I.An interpretation I over a type 2 is Herbrand definable is the meaning of some term of the Herbrand universe over type 2.An interpretation 1 is said to be strongly arithmetic (cf [4]) if there exist first order formulas Z(x) (for zero), S(x,y) (for successor), A(x,y,z) (for addition), and M(w,y,z) (for multiplication) and an bijection J:dom(I) -• N which makes I isomorphic to a standard model of arithmetic.

Incompleteness Results
Are there any programming language constructs for which it is impossible to obtain good Hoare axiomatizations?An obvious place to start our search is with more complicated parameter passing mechanisms.In this section we consider the problem of obtaining a sound and complete proof system for an Algol-like language which allows procedures as parameters of procedure calls.
Theorem 4: It is impossible to obtain a Hoare proof system H which is sound and complete in the sense of Cook for a programming language PL which allows: 1. procedures as parameters of procedure calls 2. recursion 3. static scope 4. global variables

internal procedures as parameters of procedure calls
Proof of Theorem 4 follows immediately from Lemmas 5 and 6.Note that all of the features (i)-(v) are found in Algol 60.Moreover, the result holds even if the language PL is restricted so that self-application (e.g., calls of the form call P(.. .,P,...)) is not permitted.Thus, the result also applies to Pascal where procedures are restricted so that actual procedure parameters must be either formal procedure parameters or names of procedures with no procedure formal parameters.
Lemma 5: The halting problem is undecidable for programs in a programming language PL with features (l)-( 5) above for all finite interpretations I with card(dom(I)) > 2.
The proof of the lemma uses a modification of a technique of Jones and Muchnick [12] and is fully described in [2].Note that the lemma does not hold for flowchart schemes or while schemes.
In each of these cases if I is finite, the program can be viewed as a finite state machine and we may test for termination (at least theoretically) by watching the execution sequence of the program to see whether any program state is repeated.In the case of recursion one might expect that the program could be viewed as a type of pushdown automaton (for which the halting problem is also decidable).This is not the case if we allow procedures as parameters.The static scope execution rule, which states that procedure calls are interpreted in the environment of the procedure's declaration rather than in the environment of the procedure call, allows the simulation program to access values normally buried in the runtime stack without first "popping the top" of the stack.
This additional power can be used to simulate an arbitrary Turing machine.
Lemma 6: If PL has a Hoare proof system which is sound and complete in the sense of Cook, then the halting problem for PL must be decidable for all finite interpretations.
Proof: Suppose that PL has a Hoare proof system which is sound and complete in the sense of Cook.Thus, for all AL and I if (a) T is a complete proof system for AL and I and (b) I is expressive with respect to PL and AL, then N, {P}S{Q}«h-HT {P}S{Q}.
Assume further that the halting problem for PL is undecidable for some particular finite interpretation I. Observe that in this case T may be chosen in a particularly simple manner; in fact, there is a decision procedure for the truth of formulas in AL relative to I. Note also that AL is expressive with respect to PL and I, since I is finite.Thus, both hypothesis (a) and (b) are satisfied.From the definition of partial correctness, we see that {true} S {false} holds iff S diverges for the initial values of its global variables.We conclude that the set of programs S such that N=j {true} S{false} holds is not recursively enumerable.On the other hand, since We can enumerate those programs S such that N^/rwe} S {false} holds -simply enumerate all possible proofs and use the decision procedure for T to check applications of the rule of consequence; this, however, is a contradiction.
If sharing (which intuitively means referring to the same program variable by two or more different names) and self application are disallowed, a sound and relatively complete Hoare proof system may be obtained by modifying any one of the five features of Theorem 4. Thus if we change from static scope to dynamic scope, a complete set of axioms may be obtained for (i) procedures with procedure parameters, (ii) recursion, (iv) global variables, and (v) internal procedures as parameters; or if we disallow internal procedures as parameters, a complete system may be obtained for (i) procedures with procedure parameters, (ii) recursion, (iii) static scope, and (iv) global variables.
Techniques similar to that used in Theorem

The Characterization Problem
The incompleteness results are established by observing that if a programming language PL has a sound and relatively complete proof system for all expressive interpretations, then the halting problem for PL must be decidable for finite interpretations.Lipton [14] considered a form of converse: If PL is an acceptable programming language and the halting problem is decidable for finite interpretations, then PL has a sound and relatively complete Hoare logic for expressive and effectively presented interpretations.Lipton actually proved a partial form of the converse.He showed that given a program S and the effective presentation of I, it is possible to enumerate all the partial correctness assertions of the form {true} S {false} which are true in I. From this it easily follows that we can enumerate all true quantifier-free partial correctness assertions, since we can encode quantifier-free tests into the programs.But, it does not follow that we can enumerate all first-order partial correctness assertions, since an acceptable programming language will not in general allow first-order tests.
Clarke, German, and Halpern [4] consider acceptable programming languages which permit recursive procedure calls.They also require that the interpretation be Hcrbrand-definable.Under these assumptions they are able to extend the results of [2] and [14], significantly.They are able to eliminate the requirement that pre and postconditions be quantifier-free and that the interpretation be effectively presented.They further show that the set of partial correctness assertions true in I is actually (uniformly) decidable in Th(I) provided that the halting problem for P is decidable for finite interpretations.Lipton's proof, on the other hand, produces an enumeration procedure for partial correctness assertions and, thus, shows only that the set of true partial correctness assertions is r.e. in Th(I).We sketch below a proof of the main theorem of [4].
Theorem 7: Let PL be an acceptable programming language with recursion.Then the following are equivalent: 1.There is an effective procedure which for expressive, Herbrand-definable interpretations 1 will decide which first-order partial correctness assertions are true in I when given an oracle for Th(I).
2. PL has a decidable halting problem for finite interpretations.
Sketch of proof.The fact that (1) =» (2) follows from Lemma 6. Proof that (2) => ( 1) is considerably more complicated.Assume that PL is an acceptable programming language with recursion and that I is both expressive and Herbrand-definable.By Theorem 3 we know that I is either finite or strongly arithmetic.Assume further that we are given an oracle for Th(I).We must provide an effective procedure for deciding which partial correctness assertions are true in I.The decision procedure will actually consist of two procedures M 1 and M 2 which arc dovetailed.
Both M 1 and M 2 are sound in the sense that they generate only true partial correctness triples; in addition, M 1 will be complete if I is strongly arithmetic, and M 2 will be complete if I is finite.
Let AX be a finite set of axioms for first-order arithmetic.We could take, for example, the nine axioms for zero, successor S(x,y), addition A(x,y,z), multiplication M(x,y,z), and less-than L(x,y,z) given in chapter 2 of [18].There will, of course, be nonstandard models for AX, so this set of axioms will not be complete for all of standard arithmetic.Nevertheless, an interpretation which satisfies AX will have a standard part consisting of those elements of the domain of the form S k (0) for some integer k.In general, there is no first-order formula which defines the standard part, but under the hypothesis above we will show that the standard part can be defined.
The first step is to define inductively an encoding of Herbrand terms of type 2. The details of the encoding are straightforward, and we refer the reader to [4] for details.We will use the binary predicate symbol H to denote this encoding.Thus, we want H(u,d) to be true iff u is the encoding We can now describe the construction of M r M 1 will guess formulas Z(x), S(x,y), L(x,y), A(x,y,z), M(x,y,z), and H(x,y) and check using the oracle for Th(I) that AX and ENC hold in I when written in terms of these formulas.We then define STD(x) as in Lemma 8 check t=j V*[Std(x)].
If not, M l continues guessing.But if Vx[Std(x)] does hold in I, tiien we have effectively found formulas which make I strongly arithmetic.
Lemma 9: Suppose we can effectively find formulas Z(x), S(x,y), A(x,y,z) and M(x,y,z) of type 2 which make I strongly arithmetic.Then for each P € PL we can effectively find a formula A^ of type 2 which is equivalent to A p in I.
Now given a pair of first-order formulas P, Q and a program S, M 1 will construct the formula and consult the oracle for Th(I).If this formula is true, M 1 will output {P}S{Q}; otherwise it will output-({P}S{Q}).
By making use of Theorem 3, the construction of M 2 can be made much simpler than the version in [4].The first step is to determine how many elements are in Dom(I).P 2 will successively generate formulas of the form F n = ]x 1 x 2 ...x n Vxtx^x-j^ V x = x 2 V ... V x = xj for n = 1,2,... and submit them to the oracle for Th(I).If I is finite, then the answer true will be obtained for some formula F n indicating that Dom(I) has no more than n elements.In this case every element of Dom(I) must be the value of some Herbrand term of depth n+1 or less.Let t 1 ,t 2 ,... ,t m be the Herbrand terms of depth n + 1 or less.Consider a particular partial correctness formula {P}S{Q}.We rename the bound variables of P and Q so that all are distinct.We next replace every subformula of P and Q of the form Vx[W] by and every subformula of the form E3x[W] by to obtain a new quantifier-free partial correctness triple {P'}S{Q'} which will be true in I iff the original triple {P}S{Q} is true in I.If LOOP is a program which always diverges, then S' if -iF then LOOP else begin S; if Q' then LOOP end will also be a program and will diverge on all of its inputs iff {P'}S{Q'} is true in I. Thus, by using our decision procedure for the halting problem of PL on finite interpretations we can determine whether the original triple {P}S{Q} is true or false in I.
This completes the sketch of the proof of Theorem 7. Grabowski [10] has developed a modification of the proof above which appears to avoid the hypothesis of Herbrand-dcfinability that we have previously required of interpretations.However, Grabowski's version of the theorem does not handle total correctness.
The deficiencies of the Characterization Theorem and its proof are clear.The proof system that is produced is an enumeration procedure and could not be used in practice.Moreover, the proof system does not follow the syntax of the programming language in the same way that Hoare's original system does.This is disturbing since the theorem may guarantee a proof system for a programming language for which no natural Hoare system is "known.These problems, however, are precisely the ones mentioned in the introduction as being suitable for further research; we will discuss them in detail in the next section.

Natural Axiomatizations for New Programming Languages
Although, it is difficult to say precisely what makes a proof system natural or whether one system is more natural than another, certainly no one would claim that Theorem 7 leads to a natural Hoare proof system.Since the present version of the Characterization Theorem may predict that a certain programming language should have a good Hoare proof system, even though no natural system has been found, it would seem to be of little use.We conjecture, however, that whenever this happens, additional research will always lead to a natural proof system-perhaps by extending the existing notions of what is permitted in a Hoare axiomatization.
A good example is the language L4, which is obtained from the programming language in Theorem 4 when global variables are disallowed.Since L4 has generated a great deal of interesting research and since it also illustrates a number of new ideas, we consider it in some detail below.
In [2] it was argued that if use of global variables was disallowed, then denesting of internal procedures would be possible.Thus, the proof system given for the latter case in [2] could also be adapted for use with L4.This argument was shown to be incorrect by Olderog [15].Since globally declared procedures can still be called from within an internal procedure declaration even if global variables have been disallowed, complete denesting is not always possible.For example, it is impossible to denest the internally declared procedure q in the program segment below.(We use the convention that parameters appearing after the colon ":" in a parameter list are procedure parameters.) begin proc p(:f); begin proc q; begin ... f;... end q ; ...p(:q);... ...f;... end p; proc r; begin ... end r;

P(:r) end
Previous languages involving procedures were relatively easy to axiomatize, since they all had the finite range property.Informally, this property states for each program, there is a bound on the number of distinct procedure environments, or associations between procedure names and bodies, that can be reached.L4 does not have this property, however.This is significant since all previous axiom systems for procedures were based on Algol 60's copy mle semantics for procedure execution and since Olderog [16] was able to show that none of these axiom systems can deal adequately with infinite range.
For several years the question of whether there existed a natural Hoare proof system for L4 that was sound and complete in the sense of Cook remained open.Langmaack [13] proved that the halting problem for L4 was decidable and hence by the Characterization Theorem given in Section 6 such a proof system should exist (although perhaps not a natural one!).In 1982 Olderog [15] and Damm and Josko [6] devised proof systems for L4 which were based on the use of a higher order assertion language and the addition of relation variables to the programming language.Their systems did not completely solve the problem, however; in both of these papers, the axiom system is assumed to include all of the formulas valid in a certain higher order theory related to the interpretation.Moreover, because of the addition of relation variables to the programming language, their proofs required a stronger notion of expressiveness than was used originally by Cook.A natural proof system which only uses a first order assertion language and the standard notion of expressiveness has recently been given by German, Clarke, and Halpern [4].In order to deal with infinite range, they introduce a class of generalized partial correctness assertions, which permit implication between partial correctness assertions, universal quantification over procedure names, and universal quantification over environment variables.By using these assertions it is possible to relate die semantics of a procedure with the semantics of procedures passed to it as parameters.
For example, let p be the procedure proc p(x:r); begin r(x); r(x) end which calls the formal procedure r twice on the variable parameter x.For an arithmetic domain, p satisfies the formula Intuitively, this formula says that for all procedures r and domain values v, if the call r(y) multiplies y by v, then for the same procedure r and value v, the call p(x:r) multiplies x by v 2 .Observe how the environment variable v, appearing in the postconditions of the calls r(y) and p(x:r), is used to express the relationship between the semantics of r(y) and p(x:r).
It is not obvious that this approach is sufficient to specify all procedures; indeed, this is the essence of the relative completeness proof.The proof is based on the existence of abstract interpreter programs which can be shown to exist whenever the interpretation is Herbranddefinable and the programming language is acceptable in the sense of Section 4. Roughly speaking, an interpreter program receives as inputs a number of ordinary variables containing an encoding of a relation to be computed and a number of other variables to which the relation is to be applied.The interpreter then modifies the second set of variables according to the relation.
Using interpreter programs, we can transform any L4 program into a program without procedures passed as parameters by adding additional ordinary variables to pass values which encode the procedures.
Many of the techniques introduced in [8] appear to have applications beyond L4.For example, the more general partial correctness assertions and the way the relative completeness proof is structured may be helpful with other languages which have infinite range [1].

Syntax-Directed Proof systems
Certainly die most important research problem is to develop a version of the Characterization Theorem which provides some insight as to when a syntax-directed proof system can be obtained.
One could even argue that any version the theorem which fails to address this issue does not really capture the spirit of Hoare's Logic.An important first step towards developing such a theorem has recently been made by Olderog who has obtained an interesting characterizadon of the formal call trees of programs in those sublanguages of Pascal for which a sound and relatively complete Hoare axiomatization can be obtained.His theorem also guarantees that a particular syntaxdirected proof system will be sound and relatively complete for those sublanguages.
Let PLp^ be the language obtained from Dijkstra's guarded command language by adding blocks and a Pascal-like procedure mechanism in which actual procedure parameters of a procedure call must either be formal procedure parameters or names of procedures with no formal procedure parameters.Thus, self application is not possible with programs in PL pas .We refer the reader to [16] for the formal syntax and semantics of this class of programs.
By the Incompleteness Theorem of Section 5 there is no sound and relatively complete proof system for the full language; however, there may be complete proof systems for sublanguages of PL c PL pas .Olderog gives a Hoare proof system H Q which is sound for all of PL pas and then proves the following surprising result Theorem 10: For every admissible PL c PL pas the following are equivalent: 1.There exists a sound and relatively complete Hoare logic in the sense Theorem 7 for PL.
2. The halting problem for PL is decidable under finite interpretations.
3. All programs in PL have regular formal call trees.
4. The Hoare proof system H Q is sound and relatively complete for PL.
A sublanguage PL c PL pas is admissible if PL is r.e. and closed under program transformations which leave procedure structure invariant.A tree T over a finite alphabet is regular if the set of paths in T is a regular language or,equivalently, if there are only finitely many different patterns of subtrees.The formal call tree of a program S records the order in which the procedures of S are called in all possible executions of S. The formal call tree for the program skeleton in Section 7.1 is shown below and is clearly non-regular.
For the converse we actually prove that if the halting problem for PL is decidable for finite interpretations, then the set of WT-formulas which are true in I is uniformly decidable in Th(I).
Assume that I is Herbrand-definable and expressive and that the halting problem for PL is decidable for finite interpretations.Given an oracle for Th(I), die construction used in the proof of theorem 7 can also be used to find a formula of AL which expresses WT[S](Q) whenever Q is a formula of AL and S is a program in PL.
In case I is arithmetical, we can use the formula 3 y[Ag(jc, y)=> Q(y) ] where A^(X y) is the AL formula which expresses the input/output relation of S.
In explaining the finite case we use the same notation as in Theorem 7. Assume that S has variab begin global variables v,, v 0 , ..., v.. Let S'(a., ... a. ) be the program i z Where each a is one of the terms t r ..., t n and Q' is the quantifier-free formula that is equivalent to Q J .Next, determine whether S' will halt for each possible combination of ..., a i . n The formula for the weakest precondition will be the disjunction of all those clauses v, = a.A

More Powerful Notions of Expressibility
Another obvious question is whether a more powerful notion of expressibility might permit sound and relatively complete proof systems to be obtained for a wider class of programming languages than is currently the case with Cook's original definition.The answer is, trivially, yes.
If, for example, we use a notion of expressibility which requires that interpretations be strongly arithmetical, then only the infinite case in Theorem 7 will apply.Since the infinite case does not use the hypothesis that the halting problem is decidable for finite interpretations, the relative decision procedure could be adapted, for example, to apply to die full language PL pas .This is unlikely to lead to a very natural proof technique because of die encoding diat is necessary to obtain the formula A^(x,y) from program S.
Alternatively, we could simply compile PL p into an assembly language where the runtime stack is encoded as the value of an integer variable, where the only control structures are the conditional and the while statement, and where assignments can use standard aritiimetical operations of addition, multiplication, etc.This, however, is contrary to die spirit of high level programming languages.If the proof of a recursive program requires explicit reasoning about the low-level implementation of the language by means of the runtine stack, then why not simply replace the recursive procedures themselves by stack operations.The purpose of recursion in programming languages is to free the programmer from the details of implementing recursive constructs.
If a programming language requires an unnatural use of encoding in order to get an axiomatization, then perhaps it is too powerful to reason about effectively.The incompleteness results of Section 5, which depend only on finite interpretations, show that certain programming language features cannot have natural axiomatizations.In fact, we would argue that finite interpretations are often more useful than infinite interpretations for judging whether an axiomatization is natural, since they preclude the possibility that domain elements can be used to encode complicated runtime data structures such as the runtime stack or linked lists of activation records.Moreover, all of the standard partial-correctness rules (e.g. the assignment axiom, the while statement rule, etc.) work just as well for finite interpretations as for infinite ones.
We do not mean to imply that there is nothing to be learned from further study of expressiveness.We suggest, however, a different direction for research on this topic.Although expressiveness has been assumed by many previous researchers to get a complete axiomatization, the use they have made of this assumption (e.g. to generate the existence of loop invariants) seems more natural than its use in the proof of the characterization theorem in Section 6.Thus, we believe that perhaps the hypothesis of expressiveness should be weakened or restricted in some way.We note, however, that such a weakening would not affect the incompleteness results of Section 5.

2 )
expressive with respect to AL and PL, then it is not difficult to prove that Nj {WP[S](Q)} S {Q} and that if {P} S {Q} then Nj P -* WP[S](Q).Expressibility is important because it guarantees the existence of invariants for loops and recursive procedures.For example, it is easy to show that Nj WP[>vhile b do S](Q) = (b A WP[S](WP[while b do S](Q)) v(-« b A Q) From this identity it follows that Nj {WP[while b do S](Q) A b} S {WP[while b do S](Q)} (1) and Nj WP[wliile b do S](Q) A -i b Q (By using the while axiom and the rule of consequence, we immediately obtain Nj {WP[while b do S](Q)} while b do S {Q}.
4 have also been used to obtain incompleteness results for programming languages which include any of the following features: (a) call-by-name parameter passing in the presence of recursive procedures, functions, and global variables; (b) coroutines with local recursive procedures that can access global variables; (c) unrestricted (PL/1 like) pointer variables with retention; (d) unrestricted pointer variables with recursion; and (e) label variables with retention.
of a Herbrand term with value d.To achieve this goal, we give an axiom ENC for H and prove that if I satisfies AX and ENC, then N=j H(S k (0),d) iff k is the encoding of a Herbrand term whose value in I is d.By using the encoding relation H we can explicitly give a formula which defines the standard part of I. Lemma 8: If I satisfies AX, ENC, and is Herbrand definable then STD(x) = 3 d V z(H(z,d) =* x <z) defines die standard part of I.

1 \ 2 \
v~ = a.A ... A v. = a.which correspond to initial states in which S' will halt 1 l Thus, given an arbitrary WT-formula, we can transform it to an equivalent formula of AL not involving WT.Start with the most deeply nested occurrence of WT, say WTISJCQj), where Q x is a formula of AL and does not involve WT.By the observation above, we can replace WT [S^Q^ by an equivalent AL formula Q 2 not involving WP.We continue to repeat this process until all occurrences of WT are eliminated.We then ask the oracle for Tli(I) about the truth of f* where f is the universal closure of f.