Natural Hoare Logic: Towards formal verification of programs from logical forms of natural language specifications

Formal verification provides strong guarantees of correctness of software, which are especially important in safety or security critical systems. Hoare logic is a widely used formalism for rigorous verification of software against specifications in the form of pre-condition/post-condition assertions. The advancement of semantic parsing techniques and higher computational capabilities enable us to extract semantic content from natural language text as formal logical forms, with increasing accuracy and coverage. This paper proposes a formal framework for Hoare logic-based formal verification of imperative programs using logical forms generated from compositional semantic parsing of natural language assertions. We call our reasoning approach Natural Hoare Logic. This enables formal verification of software directly against safety requirements specified by a domain expert in natural language. We consider both declarative assertions of program invariants and state change as well as imperative assertions that specify commands which alter the program state. We discuss how the reasoning approach can be extended using domain knowledge and a practical approach for guarding against semantic parser errors.


INTRODUCTION
Formal verification techniques [50] are a collection of techniques that can be used to provide strong guarantees of correctness and security for software. They are especially desirable in safety critical software such as the control software of medical devices [24] or security sensitive portions of a software system [2]. In order to perform formal verification we must specify the correctness or security requirements in a formal language. For instance, consider the following natural language specification of a safety requirement of a medical infusion pump from [35]: "The infusion manager shall stop infusion whenever a critical alarm occurs." [35] Such natural language specifications are typically given by domain experts who understand the safety requirements of the particular field. However, in order to formally verify the system against these requirements, we must specify them in a formal language, which cannot be typically done by the domain expert. The objective of this paper is to propose a general method that enables software to be formally verified directly against requirements specified by a domain expert in natural language.
Hoare logic [16] 1 and its variants are established formal techniques for proving that a program satisfies its specification in the form of pre-condition, post-condition assertions.
Hoare logic assertions are specified as triples of the form {P}S{Q}, where P and Q are logical assertions on program variables. The meaning of the triple is that: if program variables satisfy the condition P and the program S is executed, then the program variables satisfy the condition Q provided the program terminates. This is called the partial correctness assertion. We may extend it to total correctness with the additional assertion that the program will terminate when starting at a variable state satisfying P. In this paper, we consider only partial correctness. If we do not consider exception conditions, for loop-free programs partial correctness coincide with total correctness.
Semantic parsing [18] is a collection of techniques whose objective is to obtain a formal representation of meaning from natural language sentences. For most part, the research in semantic parsing is concerned with obtaining a representation of meaning that can be interpreted by a computer to perform the task at hand, such as querying a database to obtain results. Semantic parsing covers a spectrum of techniques from shallow to deep. Shallow semantic parsing techniques such as semantic role labelling [30] aims to identify semantic roles (such as agent or location) associated with the events specified in a sentence. In contrast, deep semantic parsing aims to extract a rich representation of meaning known as logical forms in a formal system such as the λcalculus [5].
In this paper we concern ourselves with formal logical forms generated by semantic parsers in the form of λ-calculus expressions. λ-calculus is preferred over first order logic for logical forms since it allows us to define semantics compositionally using function composition and function application, from logic forms representing meanings of constituents. Compositional semantics is originally due to Richard Montague [34] and hence is broadly called Montague semantics [17]. Simply-typed λ-calculus [10] with pre-defined constants for logical connectives and quantifiers, known as the higherorder logics 2 , is commonly employed as the formal language for logical forms [7]. In this paper we consider logical forms in this formal language 3 . Owing to the expressive power of λ-calculus we do not lose any generality. Other logical forms like λ-DCS [25] can be readily expressed in terms of λ-calculus.
We propose a framework for associating logical forms generated from assertions about program state made in natural language to pre-condition/post-condition assertions in Hoare logic. We call our framework, Natural Hoare Logic (NHL). Our objective is to enable formal verification of programs from natural language assertions.

THE PROPOSED FRAMEWORK
We introduce the proposed framework with the help of simple examples. We use the notation text to denote the semantics of text in λ-calculus. We use identifier to denote the semantic function or constant corresponding to identifier appearing in the sentence.
Consider the statement: All balances must be greater than zero.
where, balances = λx· balance(x), a function that returns the balance value, given an account. For the sake of simplicity, in our examples, we restrict our semantic domain (and hence our domain of discourse) to accounts. greater than = λx, y· x > y zero = λx· 0, which we may simply write as 0. all = ∀. ∀ is simply a higher-order function constant in our logic that takes a truth-valued function f and evaluates to true if f evalutes to true for all values.
The semantics of the entire sentence may be composed from the constituent semantics to get: All balances must be greater than zero = ∀x · balance(x) > 0 (1) Please note that, ∀x · P is a short-hand for ∀ λx · P. We omit explicit type annotations in the logical forms used in our examples. Now, consider the following program fragment that simply increments a variable representing balance: To avoid name confusion we prefix the names of program variables with underscore (e.g., _balance).

Invariant declaratives
In order to prove that the program holds the invariant specified by the logical form in Equation 1, we must relate the variables occuring in the logical form to the variables occuring in the program. We specify the relation between the logical form and program variables via a formal relation. We call this the logical form -program logic relation (LFPL relation). This is similar in spirit to the state relations [49] from the refinement theory [11] used to prove formal correspondence (forward/backward simulations) between an abstract specification and its concrete implementation. We may use the semantic expressions corresponding to the entities present in the natural language specification to construct the relation, as below.
It may be noted that ∃x · P = ∃ λx · P. Given a logical form L specifying a program invariant 4 and an LFPL relation R, we may prove that the program S satisfies the invariant by establishing the Hoare triple {I} S {I}, where I is the strongest condition that satisfies: The condition, I =⇒ R is required to remove the correspondance relation from the Hoare logic assertions. In practice, I should be an assertion on program variables without any correspondence to logical forms. Presence of the correspondence relation in Hoare logic assertions may cause the proof to fail owing to the predicate transformer nature of Hoare logic rules. The Hoare logic rules will transform the program variables in the assertions while the variables in the logical forms remain unchanged. This results in the LFPL relation specifications in the assertions to become inconsistent as Hoare logic rules get applied.
The requirement that I is the strongest condition that satisfies the above constraint ensures that a weakened form of the user requirement is not take up for proof. Figure 1 visualizes how R relates the invariant specified in the logical form L to pre-condition P and post-condition Q. The arrow {Q} → S → {P} shows the direction of the proof. Program execution and the state transformation occurs in the opposite direction.
Using the Hoare triple in Equation 21 for proving logical form 1 on program 2: Since: We need to prove: _balance := _balance + 1 (8) {_balance > 0} We can prove this by considering a stronger post-condition _balance > 1 and applying the assignment rule, and then applying the consequence rule to weaken the post-condition to get back the invariant.
The LFPL relation simply specifies the formal association between the logical form and the program variables. We may make a general assertion in natural language and then use the LFPL relation to establish the association. For example, consider the natural language assertion: All values must be greater than zero. Its corresponding logical form may be: In this case, the LFPL relation would specify that the program variable _balance is the value of an account, as follows:

Imperatives
Consider the statement: Increment the balance. This is an imperative sentence, specifying a command to be performed. Semantics of imperatives are much more challenging than that of declarative statements [21]. A common approach for specifying semantics of imperative sentences is by introducing modal operators [20,38]. In this paper, we do not consider imperatives in a general setting, instead restrict ourselves to considering only those imperative statements that specify operations on program state.
As a result, we explicitly model a restricted form of modality as a logical relation between the current state of the world (before-state) and the state after the command has been carried out (after-state) 5 . We define a function post that maps elements to their after-state. Therefore, λx· balance(post(x)) gives the balance of an account after the specified command has been carried out. The semantics of 'increment' can be defined as a higher order function as follows: This allows such imperative commands to be composed with the semantics of its objects, enabling compositional semantics, e.g, increment the balance = ∀x · balance(post(x)) = balance(x) + 1 Of course we are unable to model general imperative statements such as: you may increment the balance. However, we believe our approach is useful enough for specifying precondition/post-conditions assertions on sequential imperative programs.
In addition to the R relation defined previously, we also define an R ′ relation as: 5 We may consider this as a modality with two possible worlds represented by the before-state and after-state. Given a L which is a logical form of the imperative assertion, we may prove that a program S satisfies the specified imperative command, by proving the following: This is simpler than that of the invariant because postcondition and pre-condition use different LFPL relations, R and R ′ . Figure 2 visualizes how LFPL relations R and R ′ are used for Hoare logic proofs from imperative logical forms.
Applying the assignment rule to the post-condition, we get the following assertion, from which the pre-condition follows:

Conditional imperatives
We consider conditional imperatives where the conditional and imperative parts are specified separately. An example of a conditional imperative statement is: IF: the balance is greater than 0 THEN: increment the balance.
The proof approach for imperatives may be extended to conditional imperatives in a straightforward manner.
If E is the logical form of the conditional part and L, then the proof rule is: The proof rule is visually illustrated in Figure 3.

Pre/Post-condition declaratives
Another form of natural language specification we consider is the declarative specification of the pre-condition and postcondition separately. For instance: IF: the balance is greater than 0 THEN AFTER: balance must be remain non-negative This case is simpler than the imperative specification. The Hoare logic assertion would be: where L ′ is the logical form of the post-condition and L is the logical form of the pre-condition. Figure 4 visualizes how LFPL relations R and R ′ are used for Hoare logic froms for logical forms of pre/post-condition assertions.

Extending with domain knowledge
In this section we discuss how our reasoning technique can be extended using domain knowledge specified in the form of logical expressions. For example, consider the sentence and its logical form below: All values must be greater than zero Logical form: ∀x · valueof (x) > 0 (23) Using the LFPL relation below, assume that we have already established proof for this invariant for some program S.
∃x · valueof (x) = _balance (24) Now consider a new sentence and its logical form: All balances must be greater than zero ∀x · balance(x) > 0 (25) Consider the domain knowledge that the balance of an account is its value, which we may express logically as: We may use this and our previous proof to now infer, that program S satisfies new invariant in Equation 25, without having to go through the proof again.
In many domains, formalized domain knowledge exists in the form of domain ontologies in languages such as the web ontology language [33] (which has a logical basis in description logics [3]). For instance the ontological assertion that A isa B can be expressed as: Bringing such knowledge to aid in our reasoning is likely to be quite beneficial.

Guarding against semantic parser errors
Owing to the variety and ambiguity in natural language sentences, semantic parsers are probabilistic parsers. The parse (and the resultant logical form) with the highest probability is taken as the selected parse (logical form). This need not always be the correct parse. Since we are targeting formal verification of programs, we need to guard against these errors. In this section, we consider one practical approach.
Given a language of logical forms generated by a semantic parser, we define a function from logical forms to natural language, let's call this function N. We may use this function to paraphrase the user input in the manner understood by the system. Given a natural language sentence S input by a user and if its logical form generated by a semantic parser is S, then we could ask back the user:

Did you mean: N(S)?
If the answer is yes we proceed, otherwise we could show the N-mappings of other probable logical forms (if available) for user to choose from. User's selection may also be used as a form of labelling for retraining the model. If the user is unable to choose, then the system may prompt the user to rephrase the specification (perhaps as simpler sentences).
Of course it is important for the N-function to generate a consistent and understandable natural language representation. This is usually a simpler problem than the semantic parsing itself.
Semantic parsing based on synchronous context free grammars (SCFG) [48] is especially interesting to address this problem. This approach recasts semantic parsing as a machine translation problem -that of translating from natural language to the language of logical forms. This enables the parsing to be inverted to generate natural language statements from logical forms, automically giving us the function N from the learnt grammar.

BRIEF REVIEW OF RELATED FIELDS
In this section, we briefly review Hoare logics and semantic parsing since our framework attempts to connect logical forms that are outcomes of semantic parsing with Hoare logic assertions on programs.

Hoare logic
We briefly review the basic Hoare logic rules. The simplest rule is the axiom of assignment: The notation Q[E/x] stands for the expression obtained after all instances of the variable x occuring in Q is substituted with expression E.
The rule for sequential composition can be used to infer the pre-condition/post-condition asserts of a program from its sequential components: The conditional rule may be applied to reason about ifelse statements.
The consequence rules allows us to strengthen the precondition and weaken the post-condition: Reasoning about loops is done using the while loop rule: Here I is the loop invariant. One of the primary difficulties in automating Hoare logic proofs is the construction of loop invariants. In general, the code must be manually annotated with loop invariants for Hoare logic proofs to go through.
The Hoare logic axioms and inference rules provide an axiomatic semantics for an imperative programming language. Hoare logic rules may be recast as rules for obtaining weakest pre-conditions from post-condition assertions (or equivalently, strongest post-conditions from pre-condition assertions). The weakest pre-condition or predicate transformer semantics is originally due to Dijskstra [12].
In recent years, the basic Hoare logic [1] has been extended to support formal verification of complex and realworld code. For instance, separation logic [42] is one of its variants used for proving correctness properties of programs with pointer data structures. Crash Hoare Logic [9] extends Hoare logic with special crash assertions and recovery procedures that enables formal reasoning about crash recovery. The paper establishes formal proofs using this extended logic for FSCQ file system.
A number of researchers have worked on defining Hoare logics for real-world programming languages, both high level and low level. A Hoare Logic for Java embedded in the Isabelle/HOL theorem prover [37] is given in [46]. A Hoare logic for realistic machine code is presented in [36].
The principle of forward (backward) simulations from the refinement theory [11] may be used to prove formal correspondence between an abstract specification and concrete implementation. This enables us to prove formal properties on the abstract specification using Hoare logic (or equivalent methods) which then carries over to the concrete implementation owing to the simulation proofs. Formal verification of complex programs such as the seL4 microkernel takes this approach [22].
Mechanization of Hoare logic proofs involve first generating verification conditions by a verification condition generator (VCG) that apply Hoare logic rules on the annotated code [32]. The verification conditions are then typically mechanically checked by an automated theorem prover.

Semantic parsing
Combinatory categorical grammars (CCGs) [45] is a well studied and powerful method to achieve compositional semantics. CCGs employ a few general purpose combinatory rules along with a highly lexicalized grammar that maps tokens/phrases to categories. CCG2Lambda [31] is a recent work that compositionally maps CCG trees to λ-terms.
Compositional semantics can also be achieved by attaching logical forms to context-free syntactic parsing rules (usually parsing is done on tokens/phrases tagged with semantic annotations) 6 . Whenever a context-free syntactic rule is applied, the attached logical form is composed with the logical forms of the constituents to generate a resultant logical form.
Semantic parsing based on synchronous context free grammars (SCFG) is proposed in [48]. This approach recasts semantic parsing as a machine translation problem -that of translating from natural language to the language of logical forms. This also enables the parsing to be inverted to generate natural language statements from logical forms. The ability to invert logical forms to natural language statements is especially interesting for the problem being addressed in this paper. This enables us to give a natural language feedback of what the system has understood regarding the natural language specification made by the domain expert. This acts as a check against any potential errors introduced by the semantic parser.
Compositional semantics using dependency-based parse structures is discussed in [27]. More recently, in [41], a compositional semantics is defined over universal dependency parse trees. Here the λ-calculus logical forms capture semantics in Neo-Davidsonian or event style [8].
Since natural language parsing involves ambiguity, a learnt scoring model (usually a linear or a log-linear model) is applied during the semantic parsing to keep track of most probable parses [28]. Learning weights in the scoring model is done in a supervised setting. Recently techniques for weak 6 e.g., SippyCup semantic parser available at https://github.com/wcmac/sippycup supervision wherein the sentences are labelled with the denotations (i.e., the results of executing the logical forms) are being investigated [6,26,47] replacing the need for strong supervision using parse tree annotations or even annotating sentences with the logical forms. This brings in the problem of program induction, i.e., inducing logical forms from denotations, which is a key challenge that must be solved when labelling with denotations.
Another approach to semantic parsing [44] takes advantage of semantic lexicons based on specific linguistic theories such as VerbNet [43] which is based on Levin's theory of verb alternation classes [23] and FrameNet [4] which is based on frame semantics [13].
A yet another approach is to target a narrow domain specific language such as the structured query language (SQL). In such a case the semantic parser may directly generate the SQL (DSL) or may first generate an intermediate logical form, which is then automatically translated to the DSL (SQL). Natural language to SQL is a well studied problem [51]. The current state of the art supports SQL queries without joins using deep learning models. Such deep learning models have also become state-of-the-art in semantic role labelling.
A semantic parser for parsing natural language sentences to if-this-then-that recipes is given in [40], targeting the IFTTT service [39]. Their natural language specifications are somewhat similar to the conditional imperative forms discussed in this paper. However, their semantic parser output is in the form of IFTTT recipes rather than λ-calculus logical forms. Their parsing approach is based on KRISP [19] that uses a classifier with a string subsequence kernel [29] for mapping the natural language sentences to most probable production rules.

CONCLUSION AND FUTURE WORK
Hoare logic belongs to a general class of formal systems used for reasoning about programs. The results presented here may also be employed to reason with other program logics such as the dynamic logic [15]. We intend to further validate the NHL framework with more elaborate examples and case studies. Exploring the use of domain knowledge to aid reasoning, investigating approaches for a formal soundess proof, and mechanization of the framework are other lines of future work.