Incorrectness Logic Frameworks

• Incorrectness logic frameworks are formal systems that under-approximate program executions to reveal concrete bug witnesses.
• They employ dual predicate transformers to explain reachable errors based on existential semantics and reverse reasoning.
• They enhance static analysis by assigning responsibility to bug-inducing states, improving debugging and verification.

Incorrectness logic frameworks are a class of formal systems for under-approximate reasoning about programs: rather than proving the absence of bugs through over-approximation (as in Hoare logic and many traditional verification methods), these logics prove the presence of bugs or undesirable behaviors by systematically under-approximating program executions. Unlike classic program logics that prioritize universal safety, incorrectness logic frameworks focus on reachability, responsibility, and explanation of faulty or erroneous outcomes. This article surveys key facets of incorrectness logic frameworks, their duality with correctness logics, major technical methodologies, core proof-theoretic results, and notable applications in verification and debugging.

1. Core Principles of Incorrectness Logic

Incorrectness logic inverts the prevailing over-approximate paradigm of program verification by focusing on existential reachability and explanation of error states. In a typical incorrectness triple, written $[b]~p~[c]$, the postcondition $c$ under-approximates the set of possible outcomes; the triple asserts that every $σ$ such that $σ \models c$ is reachable via $p$ from some $σ' \models b$. Unlike Hoare triples, which state that all executions from $b$ terminate in $c$, incorrectness triples ensure that for every $σ \models c$ some witness $σ'$ and an execution path from $σ'$ to $σ$ must exist.

This existential, under-approximate flavor is central: whereas Hoare logic is robust for whole-program safety and typically employs over-approximate predicate transformers (e.g., weakest preconditions), incorrectness logic is naturally suited to bug-finding and root-cause analysis since it guarantees that discovered bugs are "true positives"—there is always a concrete witness path.

The duality is particularly evident when comparing partial and total variants: just as partial correctness tolerates divergence (non-termination is "forgivable"), partial incorrectness logic forgives unreachability (parts of a postcondition may not be triggered at all) (Verscht et al., 20 Feb 2025).

2. Foundational Dualities: Correctness, Incorrectness, Divergence, and Unreachability

Duality between correctness and incorrectness is formalized via predicate transformers. In partial correctness, one reasons with the weakest (liberal) precondition $\mathrm{wlp}$: $b \subseteq \mathrm{wlp}(p,c)$, so $b$ captures all possible initial states from which $p$ may diverge or terminate in $c$. Total correctness strengthens this with a least fixed point to demand termination.

Incorrectness logic adopts the strongest (liberal) postcondition $\mathrm{sp}_\ell(p,b)$, validating a triple if $c \subseteq \mathrm{sp}_\ell(p,b)$. Here $c$ must be explained—every state in $c$ must be reachable—though unreachable states (unlike in total incorrectness) are forgiven, mirroring the relaxation in partial correctness via divergence.

The close relationship is summarized as:

• Partial correctness: divergence is acceptable; we may not reach $c$ for all executions.
• Partial incorrectness: unreachability is acceptable; not all $c$ need be attained along some path.
• Total correctness: no divergence allowed; $b \subseteq \mathrm{wp}(p,c)$.
• Total incorrectness: no unreachability allowed; $c = \mathrm{sp}(p,b)$.

Fixed-point characterizations (e.g., for while-loops) rely on greatest fixed points in the partial setting and least in the total, further cementing the correspondence (Verscht et al., 20 Feb 2025).

3. Predicate Transformer and Proof-Theoretic Foundations

Central to the technical realization of incorrectness logic are the dual Dijkstra-style predicate transformers: $\mathrm{wlp}(p,c)$ (for partial correctness) accumulates all presumption states ($b$) from which $p$ may reach $c$ or diverge, whereas $\mathrm{sp}_\ell(p,b)$ (for partial incorrectness) accumulates all outcome states ($c$) that can be reached from $b$.

For deterministic and reversible programs, these definitions are straightforward, as each execution path is unique and in principle reversible (Verscht et al., 20 Feb 2025). For while-loops, the transformers are characterized via fixed points:

• For partial correctness: $\mathrm{wlp}(p,c) = \nu \Phi$ (greatest fixed point).
• For partial incorrectness: $\mathrm{sp}_\ell(p,b) = \nu \Psi$ with suitable functional definitions for $\Psi$.

Proof systems in the partial incorrectness setting require rules that mirror this duality, often employing backward evolution of assertions (preconditions are "pulled back" under the program), with rules constructed to support under-approximation and "dropping disjuncts"—the reverse of the classic consequence rule. The Park induction principle provides a modular proof technique: to establish a lower bound on a greatest fixed point, it suffices to show $I \subseteq f(I)$ (Verscht et al., 20 Feb 2025).

4. Specialized Proof Systems: Ordinary and Cyclic Approaches

Two formal proof systems for partial incorrectness logic (termed "partial reverse Hoare logic") have been defined: an ordinary system based on finite derivation trees and a cyclic system permitting proof trees with cycles (Oda, 28 Feb 2025). The ordinary system’s loop rule is a syntactic dual of the classic loop rule: invariants are established "in reverse," requiring that the putative postcondition implies the invariant via the loop guard.

Cyclic proof systems allow for more expressive, invariant-free reasoning, relying on backlinks and a global fairness condition to ensure soundness. In this setting, infinite proof paths are allowed provided they cycle through all advance rules infinitely often; this circumvents explicit invariant discovery and enables the system to be relatively complete over sufficiently expressive assertion languages (Oda, 28 Feb 2025).

Soundness is established by local reasoning at each rule, ensuring that the backward guarantee is strictly preserved. Relative completeness follows if the assertion language can express all weakest preconditions; cyclic and ordinary systems are proven equivalent in provability.

5. Implications for Static Analysis and Responsibility

A major application of incorrectness logic frameworks is to static program analysis and bug-finding:

• Under-approximation allows tools to pinpoint responsible initial states for bugs, localizing cause and supporting debugging.
• The partial variant supports compositional division of reasoning: first, by establishing that a bug is possible (via under-approximation), then separately by ascertaining its reachability.
• In dynamic settings, responsibility reasoning can yield more efficient analyses, as only relevant paths and states are examined; unreachable portions are safely ignored (Verscht et al., 20 Feb 2025).

Partial incorrectness logic also enables assignment of "responsibility" to initial states explaining the presence of erroneous program behaviors. This is particularly useful in focus analysis, reducing effort on variables or paths not causally implicated in a potential bug.

6. Extensibility: Nondeterminism, Irreversibility, and Quantitative Reasoning

While the basic frameworks in (Verscht et al., 20 Feb 2025, Oda, 28 Feb 2025) focus on deterministic and reversible state-transition systems, both papers note that these methods are extensible:

• In nondeterministic settings, definitions of predicate transformers adapt by ranging over unions and intersections, reflecting multiple possible successor/predecessor states.
• Irreversibility (as in many imperative programs) is addressed by more sophisticated variants and invariants handling the loss of backwards determinacy.
• A plausible implication is that integration with quantitative frameworks is attainable. The backward/forward fixed-point formulations and underapproximate methods suggest that similar techniques can be applied to quantitative expectations for probabilistic or resource-sensitive programs.

7. Summary and Outlook

Incorrectness logic frameworks, centered on under-approximate semantics and predicate transformers dual to those in Hoare logic, provide a systematic mechanism for reasoning about reachable errors, bug explanation, and responsibility in programs. In partial form, they formally dualize the role of divergence (in correctness) and unreachability (in incorrectness), prescribing acceptance of unreachable error states in the same sense that partial correctness accepts nonterminating executions.

Rigorous proof systems—both ordinary and cyclic—support practical deduction, with relative completeness established under expressive assertion languages. While the foundational work focuses on deterministic systems, extensions to nondeterministic, irreversible, and quantitative domains are plausible, expanding the toolkit for static analysis and modular verification. By isolating the "bad" as well as the "good," incorrectness logic frameworks occupy a distinctive and increasingly vital role in formal methods for software reliability and debugging.