Ludwig Schläfli: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>Suslindisambiguator
 
en>GirasoleDE
Line 1: Line 1:
'''[[Predicate (mathematical logic)|Predicate]] transformer semantics''' were introduced by [[Edsger W. Dijkstra|Dijkstra]] in his seminal paper "[[Guarded commands|Guarded commands, nondeterminacy and formal derivation of programs]]". They define the semantics of an [[imperative programming]] paradigm by assigning to each ''statement'' in this language a corresponding ''predicate transformer'': a [[total function]] between two ''[[Predicate (mathematical logic)|predicates]]'' on the state space of the statement. In this sense, predicate transformer semantics are a kind of [[denotational semantics]]. Actually, in [[Guarded commands]], Dijkstra uses only one kind of predicate transformers: the well-known '''weakest preconditions''' (see below).


Moreover, predicate transformer semantics are a reformulation of [[Floyd–Hoare logic]]. Whereas Hoare logic is presented as a [[deductive system]], predicate transformer semantics (either by '''weakest-preconditions''' or by '''strongest-postconditions''' see below) are '''complete strategies''' to build [[Deductive reasoning|valid deductions]] of Hoare logic. In other words, they provide an effective [[algorithm]] to reduce the problem of verifying a Hoare triple to the problem of proving a [[First-order logic|first-order formula]]. Technically, predicate transformer semantics perform a kind of [[symbolic execution]] of statements into predicates: execution runs ''backward'' in the case of weakest-preconditions, or runs ''forward'' in the case of strongest-postconditions.


next step to specific game''s success is which often it produces the impression that it''s a multi player game. I come to feel it''s a fantasy for the you don''t do all that is necessary directly with the next player. You don''t fight and explore in unison like you would found in Wow, of play against another player even during with a turn-by-turn justification comparable to Chess. Any time you raid another player''s village, when player is offline and you could at the type of same time just be particularly raiding a random computer-generated village.<br><br>Beginning nearly enough pebbles to get another general contractor. Don''t waste specific of the gems while any way on rush-building anything, as if the concept can save you them you are going if you want to eventually obtain enough entirely free extra gems to get that extra builder without any cost. Particularly, the customer can get [http://Www.bing.com/search?q=free+gallstones&form=MSNNWS&mkt=en-us&pq=free+gallstones free gallstones] for clearing obstructions similar rocks and trees, subsequent you clear them completly they come back in addition to you may re-clear these guys to get more gems.<br><br>Numerous games which have first been created till now, clash of clans is preferred by prefer to. The game which requires players develop a villages and characters to move forward can quite daunting at times. Players have to carry out doors different tasks including raids and missions. May be very tough and many players often get stuck in one place. When this happens, it quite frustrating. Yet still this can be been changed now because there is really a way out of .<br><br>Have a look at evaluations and see unquestionably the trailers before buying another video game. Makes it one thing you are looking for before you get it. These video games aren't low-cost, and also you doesn't just get nearly as plenty cash whenever you markets inside a employed game which you have only utilized several times.<br><br>Provde the in-online game songs opportunity. If, nonetheless, you might wind up being annoyed by using it soon after one per hour approximately, don't be worried to mute the television set or personal computer plus play some audio of your very own. You will discover a far more exciting game playing experience in this method and therefore are a whole lot unlikely to get a good frustration from actively competing.<br><br>Be mindful about letting your young person play online video games, especially games with function sound. There could be foul language in all channels, in addition a lot of bullying behavior. You may also have child predators in these types of chat rooms. Know what your child is going through and surveil these chatting times due to those protection.<br><br>Think about to restrain your highly important gaming to only individual kind of machine. Buying all the good consoles plus a gaming-worthy personal computer can costs up to thousands, simply in hardwareIf you adored this article and you would such as to get more information pertaining to [http://prometeu.net clash of clans hack no download no survey] kindly check out the web site. Yet, most big titles would probably be available on a lot all of them. Choose one platform to successfully stick with for price markdowns.
== Weakest preconditions ==
=== Definition ===
Given ''S'' a ''statement'', the '''weakest-precondition''' of ''S'' is a
function mapping any [[postcondition]] ''R'' to a [[precondition]]. Actually,  the result of this function, denoted <math>wp(S, R)</math>, is the "weakest" precondition on the initial state ensuring that execution of ''S'' terminates in a final state satisfying ''R''.  
 
More formally, let us use variable ''x'' to denote ''abusively'' the [[tuple]] of variables involved in statement ''S''. Then, a given ''Hoare triple'' <math>\{ P \} S \{ Q \}</math> is provable in [[Hoare logic]] for '''total correctness''' if and only if the first-order predicate below holds:
:<math>\forall x, P \Rightarrow wp(S,Q)</math>
 
Formally, weakest-preconditions are defined recursively over the [[abstract syntax]] of statements. Actually, weakest-precondition semantics is a [[Continuation-passing style]] semantics of state transformers where the predicate in parameter is a continuation.
 
=== Skip ===
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(\textbf{skip},R) \ =\ R</math>
|}
 
=== Abort ===
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(\textbf{abort},R) \ =\ \textbf{false}</math>
|}
 
=== Assignment ===
We give below two equivalent weakest-preconditions for the assignment statement. In these formulas, <math>R[x \leftarrow E]</math> is a copy of ''R'' where [[Free variables and bound variables|free occurrences]] of ''x'' are replaced by ''E''. Hence, here, expression ''E'' is implicitly coerced into a ''valid term'' of the core logic: it is thus a ''pure'' expression, totally defined, terminating and without side effect.
* version 1:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math> wp(x := E, R)\ =\ \forall y, y = E \Rightarrow R[x \leftarrow y]\ </math>
where ''y'' is a fresh variable (representing the final value of variable ''x'')
|}
* version 2:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math> wp(x := E, R)\ =\ R[x \leftarrow E] </math>
|}
 
The first version avoids a potential duplication of ''E'' in ''R'', whereas the second version is simpler when there is at most a single occurrence of ''x'' in ''R''. The first version also reveals a deep duality between weakest-precondition and strongest-postcondition (see below).
 
An example of a valid calculation of ''wp'' (using version 2) for assignments with integer valued variable ''x'' is:
:<math>\begin{array}{rcl}
wp(x := x - 5, x > 10) & = & x - 5 > 10 \\
                      & \Leftrightarrow & x > 15
\end{array}</math>
 
This means that in order for the postcondition ''x > 10'' to be true after the assignment, the precondition ''x > 15'' must be true before the assignment. This is also the "weakest precondition", in that it is the "weakest" restriction on the value of ''x'' which makes ''x > 10'' true after the assignment.
 
=== Sequence ===
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(S_1;S_2,R)\ =\ wp(S_1,wp(S_2,R))</math>
|}
 
For example,
:<math>\begin{array}[t]{rcl} wp(x:=x-5;x:=x*2\ ,\ x>20) & = & wp(x:=x-5,wp(x:=x*2, x > 20))\\
  & = & wp(x:=x-5,x*2 > 20)\\
  & = & (x-5)*2 > 20\\
  & = & x > 15
  \end{array}</math>
 
=== Conditional ===
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(\textbf{if}\ E\ \textbf{then}\ S_1\ \textbf{else}\ S_2\ \textbf{end},R)\ =\ (E \Rightarrow wp(S_1,R)) \wedge (\neg E \Rightarrow wp(S_2,R))</math>
|}
 
As example:
:<math>\begin{array}[t]{rcl}
wp(\textbf{if}\ x < y\ \textbf{then}\ x:=y\ \textbf{else}\;\;\textbf{skip}\;\;\textbf{end},\ x \geq y)
& = & (x < y \Rightarrow wp(x:=y,x\geq y))\ \wedge\ (\neg (x<y) \Rightarrow wp(\textbf{skip}, x \geq y))\\
& = & (x < y \Rightarrow y\geq y) \ \wedge\ (\neg (x<y) \Rightarrow x \geq y)\\
& \Leftrightarrow & \textbf{true}
\end{array}</math>
 
=== While loop ===
Weakest-precondition of ''while-loop'' is usually parametrized by a predicate ''I'' called [[loop invariant]], and a [[well-founded relation]] on the space state denoted "<" and called [[loop variant]]. Hence, we have:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(\textbf{while}\ E\ \textbf{do}\ S\ \textbf{done}, R)\ =\
          \begin{array}[t]{l}
            I\\
            \wedge\ \forall y, ((E \wedge I) \Rightarrow wp(S,I \wedge x < y))[x \leftarrow y]\\
            \wedge\ \forall y, ((\neg E \wedge I) \Rightarrow R)[x \leftarrow y]
          \end{array}\ </math>
where ''y'' is a fresh tuple of variables
|}
Informally, in the above conjunction of three formulas:
* the first one means that invariant ''I'' must initially hold;
* the second one means that the body of the loop (e.g. statement ''S'') must preserve the invariant and decrease the variant: here, variable ''y'' represents the initial state of the body execution;
* the last one means that ''R'' must be established at the end of the loop: here, variable ''y'' represents the final state of the loop.
 
In predicate transformers semantics, ''invariant'' and ''variant'' are built by mimicking the [[Kleene fixed-point theorem]]. Below, this construction is sketched in [[set theory]]. We assume that ''U'' is a set denoting the state space. First, we define a family of subsets of ''U'' denoted <math>(A_k)_{k \in \mathbb{N}}</math> by induction over [[Natural number]] ''k''. Informally <math>A_k</math> represents the set of initial states that makes ''R'' satisfied after less than ''k'' iterations of the loop:
:<math>\begin{array}{rcl}
A_0 & = & \emptyset \\
A_{k+1} & = & \left\{\ y \in U\ | \ ((E \Rightarrow wp(S, x \in A_k)) \wedge (\neg E \Rightarrow R))[x \leftarrow y]\ \right\} \\
\end{array}</math>
 
Then, we define:  
* invariant ''I'' as the predicate <math>\exists k, x \in A_k</math>.
* variant <math>y < z</math> as the proposition <math>\exists i, y \in A_i \wedge (\forall j, z \in A_j \Rightarrow i < j)</math>
 
With these definitions, <math>wp(\textbf{while}\ E\ \textbf{do}\ S\ \textbf{done}, R)</math> reduces to formula <math>\exists k, x \in A_k</math>.
 
However in practice, such an abstract construction can not be handled efficiently by theorem provers. Hence, loop invariants and variants are provided by human users, or are inferred by some [[abstract interpretation]] procedure.
 
=== Non-deterministic guarded commands ===
Actually, Dijkstra's [[Guarded Command Language]] (GCL) is an extension of the simple imperative language given until here with non-deterministic statements. Indeed, GCL aims to be a formal notation to define algorithms. Non-deterministic statements represent choices left to the actual implementation (in an effective programming language): properties proved on non-deterministic statements are ensured for all possible choices of implementation. In other words, weakest-preconditions of non-deterministic statements ensure
* that there exists a terminating execution (e.g. there exists an implementation),
* and, that the final state of all terminating execution satisfies the postcondition.
 
Notice that the definitions of weakest-precondition given above (in particular for '''while-loop''') preserve this property.
 
==== Selection ====
Selection is a generalization of '''if''' statement:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(\mathbf{if}\ E_1 \rightarrow S_1 \ [\!] \ \ldots\ [\!]\ E_n \rightarrow S_n\ \mathbf{fi}, R)\ = \begin{array}[t]{l}
    (E_1 \vee \ldots \vee E_n) \\
    \wedge\ (E_1 \Rightarrow wp(S_1,R)) \\
    \ldots\\
    \wedge\ (E_n \Rightarrow wp(S_n,R)) \\
    \end{array}</math>
|}
 
Here, when two guards <math>E_i</math> and <math>E_j</math> are simultaneously true, then execution of this statement can run any of the associated statement <math>S_i</math> or <math>S_j</math>.
 
==== Repetition ====
Repetition is a generalization of '''while''' statement in a similar way.
 
=== Specification statement (or weakest-precondition of procedure call) ===
[[Refinement calculus]] extends non-deterministic statements with the notion of ''specification statement''. Informally, this statement represents a procedure call in black box, where the body of the procedure is not known. Typically, using a syntax close to [[B-Method]], a '''specification statement''' is written
:<math>P\ |</math>&nbsp;@<math>y.\ Q \rightarrow x:=y</math>
where
* ''x'' is the global variable modified by the statement,
* ''P'' is a predicate representing the precondition,
* ''y'' is a fresh logical variable, bound in ''Q'', that represents the new value of ''x'' non-deterministically chosen by the statement,
* ''Q'' is a predicate representing a postcondition, or more exactly a guard: in ''Q'', variable ''x'' represents the initial state and ''y'' denotes the final state.
 
The weakest-precondition of '''specification statement''' is given by:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>wp(P\ |</math>&nbsp;@<math>y.\ Q \rightarrow x:=y\ ,\ R)\ =\ P \wedge \forall z, Q[y \leftarrow z] \Rightarrow R[x \leftarrow z]</math>
where ''z'' is a fresh name
|}
 
Moreover, a statement ''S'' '''implements''' such a specification statement if and only if the following predicate is a tautology:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>\forall x_0, (P \Rightarrow wp(S,Q[x \leftarrow x_0][y \leftarrow x]))[x \leftarrow x_0]</math>
where <math>x_0</math> is a fresh name (denoting the initial state)
|}
 
Indeed, in such a case, the following property is ensured for all postcondition ''R'' (this is a direct consequence of ''wp'' monotonicity, see below):
:<math>wp(P\ |</math>&nbsp;@<math>y.\ Q \rightarrow x:=y\ ,\ R) \Rightarrow wp(S,R)</math>
 
Informally, this last property ensures that any proof about some statement involving a specification remains valid
when replacing this specification by any of its implementations.
 
== Other predicate transformers ==
=== Weakest liberal precondition  {{anchor|Weakest liberal precondition}} ===
An important variant of the weakest precondition is the '''weakest liberal precondition'''
<math>wlp(S, R)</math>, which yields the weakest condition under which ''S'' either does not terminate or establishes ''R''. It therefore differs from ''wp'' in not guaranteeing termination. Hence it corresponds to [[Hoare logic]] in partial correctness: for the statement language given above, ''wlp'' differs with ''wp'' only on '''while-loop''', in not requiring a variant.
 
=== Strongest postcondition ===
Given ''S'' a statement and ''R'' a [[precondition]] (a predicate on the initial state), then
<math>sp(S, R)</math> is their '''strongest-postcondition''': it implies any postcondition satisfied by the final state of any execution of S,
for any initial state statisfying R. In other words, a Hoare triple <math>\{ P \} S \{ Q \}</math> is provable in Hoare logic if and only if the predicate below hold:
:<math>\forall x, sp(S,P) \Rightarrow Q</math>
Usually, '''strongest-postconditions''' are used in partial correctness.
Hence, we have the following relation between weakest-liberal-preconditions and strongest-postconditions:
:<math>(\forall x, P \Rightarrow wlp(S,Q)) \ \Leftrightarrow\ (\forall x, sp(S,P) \Rightarrow Q)</math>
 
For example, on assignment we have:
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math> sp(x := E, R)\ =\ \exists y, x=E[x \leftarrow y] \wedge R[x \leftarrow y]</math>
where ''y'' is fresh
|}
 
Above, the logical variable ''y'' represents the initial value of variable ''x''.
Hence,
:<math> sp(x := x - 5, x > 15)\ =\ \exists y, x = y - 5 \wedge y > 15 \ \Leftrightarrow \ x > 10</math>
 
On sequence, it appears that ''sp'' runs forward (whereas ''wp'' runs backward):
{| style="background-color:#eeeeff;" border="1" cellpadding="10"
|<math>sp(S_1;S_2\ ,\ R)\ =\ sp(S_2,sp(S_1,R))</math>
|}
 
=== Win and sin predicate transformers ===
[[Leslie Lamport]] has suggested ''win'' and ''sin'' as ''predicate transformers''  for [[concurrent programming]].<ref>[[Leslie Lamport]], "''win'' and ''sin'': Predicate Transformers for Concurrency". ''[[Association for Computing Machinery|ACM]] Transactions on Programming Languages and Systems'', 12(3), July 1990.  [http://research.microsoft.com/users/lamport/pubs/pubs.html#lamport-win]</ref>
 
== Predicate transformers properties ==
 
This section presents some characteristic properties of predicate transformers.<ref>[[Ralph-Johan Back]] and [[Joakim von Wright]], ''Refinement Calculus: A Systematic Introduction'', 1st edition, 1998. ISBN 0-387-98417-8.</ref> Below, ''T'' denotes a predicate transformer (a function between two predicates on the state space) and ''P'' a predicate. For instance, ''T(P)'' may denote ''wp(S,P)'' or ''sp(S,P)''. We keep ''x'' as the variable of the state space.
 
=== Monotonic ===
Predicate transformers of interest (''wp'', ''wlp'', and ''sp'') are [[monotonic]]. A predicate transformer ''T'' is '''monotonic''' if and only if:
:<math>(\forall x, P \Rightarrow Q) \Rightarrow (\forall x, T(P) \Rightarrow T(Q))</math>
 
This property is related to [[Hoare_logic#Consequence_rule|Consequence rule of Hoare logic]].
 
=== Strict ===
A predicate transformer ''T'' is '''strict''' iff:
:<math>T(\mathbf{false})\ \Leftrightarrow\ \mathbf{false}</math>
 
For instance, ''wp'' is strict, whereas ''wlp'' is generally not. In particular, if statement ''S'' may not terminate then
<math>wlp(S,\mathbf{false})</math> is satisfiable. We have
:<math>wlp(\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip}\ \mathbf{done}, \mathbf{false}) \ \Leftrightarrow \mathbf{true}</math>
Indeed, '''true''' is a valid invariant of that loop.
 
=== Terminating ===
A predicate transformer ''T'' is '''terminating''' iff:
:<math>T(\mathbf{true})\ \Leftrightarrow\ \mathbf{true}</math>
 
Actually, this terminology makes sense only for strict predicate transformers: indeed, <math>wp(S,\mathbf{true})</math> is the weakest-precondition ensuring termination of ''S''.  
 
It seems that naming this property '''non-aborting''' would be more appropriate: in total correctness, non-termination is abortion, whereas in partial correctness, it is not.
 
=== Conjunctive ===
A predicate transformer ''T'' is '''conjunctive''' iff:
:<math>T(P \wedge Q)\ \Leftrightarrow\ (T(P) \wedge T(Q))</math>
 
This is the case for <math>wp(S,.)</math>, even if statement ''S'' is non-deterministic as a selection statement or a specification statement.
 
=== Disjunctive ===
A predicate transformer ''T'' is '''disjunctive''' iff:
:<math>T(P \vee Q)\ \Leftrightarrow\ (T(P) \vee T(Q))</math>
 
This is generally not the case of <math>wp(S,.)</math> when ''S'' is non-deterministic. Indeed, let us consider a non-deterministic statement ''S'' choosing an arbitrary boolean. This statement is given here as the following ''selection statement'':
:<math>S\ =\ \mathbf{if}\ \mathbf{true} \rightarrow x:=0\  [\!]\  \mathbf{true} \rightarrow x:=1\ \mathbf{fi}</math>
 
Then, <math>wp(S,R)</math> reduces to the formula <math>R[x \leftarrow 0] \wedge R[x \leftarrow 1]</math>.
 
Hence, <math>wp(S,\ x=0 \vee x=1)</math> reduces to the ''tautology'' <math>(0=0 \vee 0=1) \wedge (1=0 \vee 1=1)</math>
 
Whereas, the formula <math>wp(S, x=0) \vee wp(S,x=1)</math>
reduces to the ''wrong proposition'' <math>(0=0 \wedge 1=0) \vee (1=0 \wedge 1=1)</math>.
 
The same counter-example can be reproduced using a ''specification statement'' (see above) instead:
:<math>S\ =\ \mathbf{true}\ |</math>&nbsp;@<math>y.\ y \in \{ 0, 1 \} \rightarrow x:=y</math>
 
== Applications ==
* Computations of weakest-preconditions are largely used to statically check [[Assertion (computing)|assertions in programs]] using a theorem-prover (like [[Satisfiability Modulo Theories|SMT-solvers]] or [[Interactive theorem proving|proof assistants]]): see [[Frama-C]] or [[ESC/Java|ESC/Java2]].
 
* Unlike many other semantic formalisms, predicate transformer semantics was not designed as an investigation into foundations of computation. Rather, it was intended to provide programmers with a methodology to develop their programs as "correct by construction" in a "calculation style".  This "top-down" style was advocated by Dijkstra<ref>[[Edsger W. Dijkstra]], ''A constructive approach to program correctness'', BIT Numerical Mathematics, 1968 - Springer</ref> and [[Niklaus Wirth|N. Wirth]].<ref>[[Niklaus Wirth|N. Wirth]], ''Program development by stepwise refinement'', Communications of the ACM, 1971 [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.408&rep=rep1&type=pdf]</ref> It has been formalized further by [[Ralph-Johan Back|R.-J. Back]] and others in the [[Refinement Calculus]]. Some tools like [[B-Method]] now provide [[automated reasoning]] in order to promote this methodology.
 
* In the meta-theory of [[Hoare logic]], weakest-preconditions appear as a key notion in the proof of [[Gödel's completeness theorem|relative completeness]].<ref>[http://coq.inria.fr/distrib/current/contribs/HoareTut.html Tutorial on Hoare Logic]: a [[Coq]] library, giving a simple but formal proof that [[Hoare logic]] is sound and complete with respect to an [[operational semantics]].</ref>
 
== Beyond predicate transformers ==
=== Weakest-preconditions and strongest-postconditions of imperative expressions ===
In predicate transformers semantics, expressions are restricted to terms of the logic (see above). However, this restriction seems too strong for most existing programming languages, where expressions may have side effects (call to a function having a side effect), may not terminate or abort (like ''division by zero''). There are many proposals to extend weakest-preconditions or strongest-postconditions for imperative expression languages and in particular for [[Monad (functional programming)|monads]].
 
Among them, ''Hoare Type Theory'' combines [[Hoare logic]] for a [[Haskell (programming language)|Haskell]]-like language, [[Separation logic]] and [[Type Theory]]
.<ref>Aleksandar Nanevski, Greg Morrisett, Lars Birkedal. ''Hoare Type Theory, Polymorphism and Separation'',
Journal of Functional Programming, 18(5/6), 2008 [http://ynot.cs.harvard.edu/papers/jfpsep07.pdf]</ref>
This system is currently implemented as a [[Coq]] library called '''Ynot'''.<ref>[http://ynot.cs.harvard.edu/ Ynot] a [[Coq]] library implementing Hoare Type Theory.</ref> In this language, [[Evaluation strategy|evaluation of expressions]] corresponds to computations of ''strongest-postconditions''.
 
=== Probabilistic Predicate Transformers ===
''Probabilistic Predicate Transformers'' are an extension of predicate transformers for [[Randomized algorithm|probabilistic programs]].
Indeed, such programs have many applications in [[cryptography]] (hiding of information using some randomized noise),
[[Distributed systems]] (symmetry breaking).
<ref>Carroll Morgan,  Annabelle McIver ,  Karen Seidel. ''Probabilistic Predicate Transformers'', ACM Transactions on Programming Languages and Systems, 1995 [http://www.cse.unsw.edu.au/~carrollm/probs/Papers/Morgan-96d.pdf]</ref>
 
== See also ==
* [[Axiomatic semantics]] — includes predicate transformer semantics
* [[Formal semantics of programming languages]] — an overview
* [[Hoare logic]] — the best-known axiomatic semantics
* [[Refinement calculus]], an extension of [[guarded commands]] (and Hoare logic)  exploiting the [[Lattice (order)|lattice]] structure of predicate transformers (for "refinement" order).
* [[Dynamic logic (modal logic)|Dynamic logic]], where predicate transformers appear as modalities (in the sense of [[Modal logic]]).
 
== Notes ==
{{reflist|colwidth=35em}}
 
== References ==
* [[J. W. de Bakker]]. ''Mathematical theory of program correctness''. Prentice-Hall, 1980.
* [[Marcello M. Bonsangue]] and [[Joost N. Kok]], [http://dx.doi.org/10.1007/BF01213603 ''The weakest precondition calculus: Recursion and duality''], ''[[Formal Aspects of Computing]]'', '''6'''(6):788–800, November 1994. [[Digital object identifier|DOI]] 10.1007/BF01213603.
* [[Edsger W. Dijkstra]], ''Guarded commands, nondeterminacy and formal derivation of program''. ''[[Communications of the ACM]]'', 18(8):453–457, August 1975. [http://doi.acm.org/10.1145/360933.360975]
* [[Edsger W. Dijkstra]]. ''A Discipline of Programming''. ISBN 0-613-92411-8. — A systematic introduction to a version of the guarded command language with many worked examples
* [[Edsger W. Dijkstra]] and [[Carel S. Scholten]]. ''Predicate Calculus and Program Semantics''. Springer-Verlag 1990 ISBN 0-387-96957-8 — A more abstract, formal and definitive treatment
* [[David Gries]]. ''The Science of Programming''. Springer-Verlag 1981 ISBN 0-387-96480-0
 
{{DEFAULTSORT:Predicate Transformer Semantics}}
[[Category:Formal methods]]
[[Category:Program logic]]
[[Category:Dutch inventions]]

Revision as of 14:38, 12 May 2013

Predicate transformer semantics were introduced by Dijkstra in his seminal paper "Guarded commands, nondeterminacy and formal derivation of programs". They define the semantics of an imperative programming paradigm by assigning to each statement in this language a corresponding predicate transformer: a total function between two predicates on the state space of the statement. In this sense, predicate transformer semantics are a kind of denotational semantics. Actually, in Guarded commands, Dijkstra uses only one kind of predicate transformers: the well-known weakest preconditions (see below).

Moreover, predicate transformer semantics are a reformulation of Floyd–Hoare logic. Whereas Hoare logic is presented as a deductive system, predicate transformer semantics (either by weakest-preconditions or by strongest-postconditions see below) are complete strategies to build valid deductions of Hoare logic. In other words, they provide an effective algorithm to reduce the problem of verifying a Hoare triple to the problem of proving a first-order formula. Technically, predicate transformer semantics perform a kind of symbolic execution of statements into predicates: execution runs backward in the case of weakest-preconditions, or runs forward in the case of strongest-postconditions.

Weakest preconditions

Definition

Given S a statement, the weakest-precondition of S is a function mapping any postcondition R to a precondition. Actually, the result of this function, denoted wp(S,R), is the "weakest" precondition on the initial state ensuring that execution of S terminates in a final state satisfying R.

More formally, let us use variable x to denote abusively the tuple of variables involved in statement S. Then, a given Hoare triple {P}S{Q} is provable in Hoare logic for total correctness if and only if the first-order predicate below holds:

x,Pwp(S,Q)

Formally, weakest-preconditions are defined recursively over the abstract syntax of statements. Actually, weakest-precondition semantics is a Continuation-passing style semantics of state transformers where the predicate in parameter is a continuation.

Skip

wp(skip,R)=R

Abort

wp(abort,R)=false

Assignment

We give below two equivalent weakest-preconditions for the assignment statement. In these formulas, R[xE] is a copy of R where free occurrences of x are replaced by E. Hence, here, expression E is implicitly coerced into a valid term of the core logic: it is thus a pure expression, totally defined, terminating and without side effect.

  • version 1:
wp(x:=E,R)=y,y=ER[xy]

where y is a fresh variable (representing the final value of variable x)

  • version 2:
wp(x:=E,R)=R[xE]

The first version avoids a potential duplication of E in R, whereas the second version is simpler when there is at most a single occurrence of x in R. The first version also reveals a deep duality between weakest-precondition and strongest-postcondition (see below).

An example of a valid calculation of wp (using version 2) for assignments with integer valued variable x is:

wp(x:=x5,x>10)=x5>10x>15

This means that in order for the postcondition x > 10 to be true after the assignment, the precondition x > 15 must be true before the assignment. This is also the "weakest precondition", in that it is the "weakest" restriction on the value of x which makes x > 10 true after the assignment.

Sequence

wp(S1;S2,R)=wp(S1,wp(S2,R))

For example,

wp(x:=x5;x:=x*2,x>20)=wp(x:=x5,wp(x:=x*2,x>20))=wp(x:=x5,x*2>20)=(x5)*2>20=x>15

Conditional

wp(ifEthenS1elseS2end,R)=(Ewp(S1,R))(¬Ewp(S2,R))

As example:

wp(ifx<ythenx:=yelseskipend,xy)=(x<ywp(x:=y,xy))(¬(x<y)wp(skip,xy))=(x<yyy)(¬(x<y)xy)true

While loop

Weakest-precondition of while-loop is usually parametrized by a predicate I called loop invariant, and a well-founded relation on the space state denoted "<" and called loop variant. Hence, we have:

wp(whileEdoSdone,R)=Iy,((EI)wp(S,Ix<y))[xy]y,((¬EI)R)[xy]

where y is a fresh tuple of variables

Informally, in the above conjunction of three formulas:

  • the first one means that invariant I must initially hold;
  • the second one means that the body of the loop (e.g. statement S) must preserve the invariant and decrease the variant: here, variable y represents the initial state of the body execution;
  • the last one means that R must be established at the end of the loop: here, variable y represents the final state of the loop.

In predicate transformers semantics, invariant and variant are built by mimicking the Kleene fixed-point theorem. Below, this construction is sketched in set theory. We assume that U is a set denoting the state space. First, we define a family of subsets of U denoted (Ak)k by induction over Natural number k. Informally Ak represents the set of initial states that makes R satisfied after less than k iterations of the loop:

A0=Ak+1={yU|((Ewp(S,xAk))(¬ER))[xy]}

Then, we define:

With these definitions, wp(whileEdoSdone,R) reduces to formula k,xAk.

However in practice, such an abstract construction can not be handled efficiently by theorem provers. Hence, loop invariants and variants are provided by human users, or are inferred by some abstract interpretation procedure.

Non-deterministic guarded commands

Actually, Dijkstra's Guarded Command Language (GCL) is an extension of the simple imperative language given until here with non-deterministic statements. Indeed, GCL aims to be a formal notation to define algorithms. Non-deterministic statements represent choices left to the actual implementation (in an effective programming language): properties proved on non-deterministic statements are ensured for all possible choices of implementation. In other words, weakest-preconditions of non-deterministic statements ensure

  • that there exists a terminating execution (e.g. there exists an implementation),
  • and, that the final state of all terminating execution satisfies the postcondition.

Notice that the definitions of weakest-precondition given above (in particular for while-loop) preserve this property.

Selection

Selection is a generalization of if statement:

wp(ifE1S1[][]EnSnfi,R)=(E1En)(E1wp(S1,R))(Enwp(Sn,R))

Here, when two guards Ei and Ej are simultaneously true, then execution of this statement can run any of the associated statement Si or Sj.

Repetition

Repetition is a generalization of while statement in a similar way.

Specification statement (or weakest-precondition of procedure call)

Refinement calculus extends non-deterministic statements with the notion of specification statement. Informally, this statement represents a procedure call in black box, where the body of the procedure is not known. Typically, using a syntax close to B-Method, a specification statement is written

P| @y.Qx:=y

where

  • x is the global variable modified by the statement,
  • P is a predicate representing the precondition,
  • y is a fresh logical variable, bound in Q, that represents the new value of x non-deterministically chosen by the statement,
  • Q is a predicate representing a postcondition, or more exactly a guard: in Q, variable x represents the initial state and y denotes the final state.

The weakest-precondition of specification statement is given by:

wp(P| @y.Qx:=y,R)=Pz,Q[yz]R[xz]

where z is a fresh name

Moreover, a statement S implements such a specification statement if and only if the following predicate is a tautology:

x0,(Pwp(S,Q[xx0][yx]))[xx0]

where x0 is a fresh name (denoting the initial state)

Indeed, in such a case, the following property is ensured for all postcondition R (this is a direct consequence of wp monotonicity, see below):

wp(P| @y.Qx:=y,R)wp(S,R)

Informally, this last property ensures that any proof about some statement involving a specification remains valid when replacing this specification by any of its implementations.

Other predicate transformers

Weakest liberal precondition <Weakest liberal precondition>...</Weakest liberal precondition>

An important variant of the weakest precondition is the weakest liberal precondition wlp(S,R), which yields the weakest condition under which S either does not terminate or establishes R. It therefore differs from wp in not guaranteeing termination. Hence it corresponds to Hoare logic in partial correctness: for the statement language given above, wlp differs with wp only on while-loop, in not requiring a variant.

Strongest postcondition

Given S a statement and R a precondition (a predicate on the initial state), then sp(S,R) is their strongest-postcondition: it implies any postcondition satisfied by the final state of any execution of S, for any initial state statisfying R. In other words, a Hoare triple {P}S{Q} is provable in Hoare logic if and only if the predicate below hold:

x,sp(S,P)Q

Usually, strongest-postconditions are used in partial correctness. Hence, we have the following relation between weakest-liberal-preconditions and strongest-postconditions:

(x,Pwlp(S,Q))(x,sp(S,P)Q)

For example, on assignment we have:

sp(x:=E,R)=y,x=E[xy]R[xy]

where y is fresh

Above, the logical variable y represents the initial value of variable x. Hence,

sp(x:=x5,x>15)=y,x=y5y>15x>10

On sequence, it appears that sp runs forward (whereas wp runs backward):

sp(S1;S2,R)=sp(S2,sp(S1,R))

Win and sin predicate transformers

Leslie Lamport has suggested win and sin as predicate transformers for concurrent programming.[1]

Predicate transformers properties

This section presents some characteristic properties of predicate transformers.[2] Below, T denotes a predicate transformer (a function between two predicates on the state space) and P a predicate. For instance, T(P) may denote wp(S,P) or sp(S,P). We keep x as the variable of the state space.

Monotonic

Predicate transformers of interest (wp, wlp, and sp) are monotonic. A predicate transformer T is monotonic if and only if:

(x,PQ)(x,T(P)T(Q))

This property is related to Consequence rule of Hoare logic.

Strict

A predicate transformer T is strict iff:

T(false)false

For instance, wp is strict, whereas wlp is generally not. In particular, if statement S may not terminate then wlp(S,false) is satisfiable. We have

wlp(whiletruedoskipdone,false)true

Indeed, true is a valid invariant of that loop.

Terminating

A predicate transformer T is terminating iff:

T(true)true

Actually, this terminology makes sense only for strict predicate transformers: indeed, wp(S,true) is the weakest-precondition ensuring termination of S.

It seems that naming this property non-aborting would be more appropriate: in total correctness, non-termination is abortion, whereas in partial correctness, it is not.

Conjunctive

A predicate transformer T is conjunctive iff:

T(PQ)(T(P)T(Q))

This is the case for wp(S,.), even if statement S is non-deterministic as a selection statement or a specification statement.

Disjunctive

A predicate transformer T is disjunctive iff:

T(PQ)(T(P)T(Q))

This is generally not the case of wp(S,.) when S is non-deterministic. Indeed, let us consider a non-deterministic statement S choosing an arbitrary boolean. This statement is given here as the following selection statement:

S=iftruex:=0[]truex:=1fi

Then, wp(S,R) reduces to the formula R[x0]R[x1].

Hence, wp(S,x=0x=1) reduces to the tautology (0=00=1)(1=01=1)

Whereas, the formula wp(S,x=0)wp(S,x=1) reduces to the wrong proposition (0=01=0)(1=01=1).

The same counter-example can be reproduced using a specification statement (see above) instead:

S=true| @y.y{0,1}x:=y

Applications

  • Unlike many other semantic formalisms, predicate transformer semantics was not designed as an investigation into foundations of computation. Rather, it was intended to provide programmers with a methodology to develop their programs as "correct by construction" in a "calculation style". This "top-down" style was advocated by Dijkstra[3] and N. Wirth.[4] It has been formalized further by R.-J. Back and others in the Refinement Calculus. Some tools like B-Method now provide automated reasoning in order to promote this methodology.

Beyond predicate transformers

Weakest-preconditions and strongest-postconditions of imperative expressions

In predicate transformers semantics, expressions are restricted to terms of the logic (see above). However, this restriction seems too strong for most existing programming languages, where expressions may have side effects (call to a function having a side effect), may not terminate or abort (like division by zero). There are many proposals to extend weakest-preconditions or strongest-postconditions for imperative expression languages and in particular for monads.

Among them, Hoare Type Theory combines Hoare logic for a Haskell-like language, Separation logic and Type Theory .[6] This system is currently implemented as a Coq library called Ynot.[7] In this language, evaluation of expressions corresponds to computations of strongest-postconditions.

Probabilistic Predicate Transformers

Probabilistic Predicate Transformers are an extension of predicate transformers for probabilistic programs. Indeed, such programs have many applications in cryptography (hiding of information using some randomized noise), Distributed systems (symmetry breaking). [8]

See also

Notes

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

References

  1. Leslie Lamport, "win and sin: Predicate Transformers for Concurrency". ACM Transactions on Programming Languages and Systems, 12(3), July 1990. [2]
  2. Ralph-Johan Back and Joakim von Wright, Refinement Calculus: A Systematic Introduction, 1st edition, 1998. ISBN 0-387-98417-8.
  3. Edsger W. Dijkstra, A constructive approach to program correctness, BIT Numerical Mathematics, 1968 - Springer
  4. N. Wirth, Program development by stepwise refinement, Communications of the ACM, 1971 [3]
  5. Tutorial on Hoare Logic: a Coq library, giving a simple but formal proof that Hoare logic is sound and complete with respect to an operational semantics.
  6. Aleksandar Nanevski, Greg Morrisett, Lars Birkedal. Hoare Type Theory, Polymorphism and Separation, Journal of Functional Programming, 18(5/6), 2008 [4]
  7. Ynot a Coq library implementing Hoare Type Theory.
  8. Carroll Morgan, Annabelle McIver , Karen Seidel. Probabilistic Predicate Transformers, ACM Transactions on Programming Languages and Systems, 1995 [5]