Predicate transformer semantics
Encyclopedia
Predicate transformer semantics was introduced by Dijkstra in his seminal paper "Guarded commands, nondeterminacy and formal derivation of programs". They define the semantics of an imperative programming
Imperative programming
In computer science, imperative programming is a programming paradigm that describes computation in terms of statements that change a program state...

 paradigm by assigning to each statement in this language a corresponding predicate transformer: a total function between two predicates on the state space of the statement. In this sense, predicate transformer semantics are a kind of denotational semantics
Denotational semantics
In computer science, denotational semantics is an approach to formalizing the meanings of programming languages by constructing mathematical objects which describe the meanings of expressions from the languages...

. Actually, in Guarded commands, Dijkstra uses only one kind of predicate transformers: the well-known weakest preconditions (see below).

Moreover, predicate transformer semantics are a reformulation of Floyd–Hoare logic. Whereas Hoare logic is presented as a deductive system
Deductive system
A deductive system consists of the axioms and rules of inference that can be used to derive the theorems of the system....

, predicate transformer semantics (either by weakest-preconditions or by strongest-postconditions see below) are complete strategies to build valid deductions
Deductive reasoning
Deductive reasoning, also called deductive logic, is reasoning which constructs or evaluates deductive arguments. Deductive arguments are attempts to show that a conclusion necessarily follows from a set of premises or hypothesis...

 of Hoare logic. In other words, they provide an effective algorithm
Algorithm
In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning...

 to reduce the problem of verifying a Hoare triple to the problem of proving a first-order formula
First-order logic
First-order logic is a formal logical system used in mathematics, philosophy, linguistics, and computer science. It goes by many names, including: first-order predicate calculus, the lower predicate calculus, quantification theory, and predicate logic...

. Technically, predicate transformer semantics perform a kind of symbolic execution
Symbolic execution
In computer science, symbolic execution refers to the analysis of programs by tracking symbolic rather than actual values, a case of abstract interpretation. The field of symbolic simulation applies the same concept to hardware...

 of statements into predicates: execution runs backward in the case of weakest-preconditions, or runs forward in the case of strongest-postconditions.

Definition

Given S a statement, the weakest-precondition of S is a
function mapping any postcondition
Postcondition
In computer programming, a postcondition is a condition or predicate that must always be true just after the execution of some section of code or after an operation in a formal specification. Postconditions are sometimes tested using assertions within the code itself...

 R to a precondition
Precondition
In computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code or before an operation in a formal specification....

. Actually, the result of this function, denoted , is the "weakest" precondition on the initial state ensuring that execution of S terminates in a final state satisfying R.

More formally, let us use variable x to denote abusively the tuple
Tuple
In mathematics and computer science, a tuple is an ordered list of elements. In set theory, an n-tuple is a sequence of n elements, where n is a positive integer. There is also one 0-tuple, an empty sequence. An n-tuple is defined inductively using the construction of an ordered pair...

 of variables involved in statement S. Then, a given Hoare triple is provable in Hoare logic
Hoare logic
Hoare logic is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician C. A. R. Hoare, and subsequently refined by Hoare and other researchers...

 for total correctness if and only if the first-order predicate below holds:

Formally, weakest-preconditions are defined recursively over the abstract syntax
Abstract syntax
The abstract syntax of data is its structure described as a data type , independent of any particular representation or encoding....

 of statements. Actually, weakest-precondition semantics is a Continuation-passing style
Continuation-passing style
In functional programming, continuation-passing style is a style of programming in which control is passed explicitly in the form of a continuation. Gerald Jay Sussman and Guy L. Steele, Jr...

 semantics of state transformers where the predicate in parameter is a continuation.

Skip


Abort


Assignment

We give below two equivalent weakest-preconditions for the assignment statement. In these formulas, is a copy of R where free occurrences
Free variables and bound variables
In mathematics, and in other disciplines involving formal languages, including mathematical logic and computer science, a free variable is a notation that specifies places in an expression where substitution may take place...

 of x are replaced by E. Hence, here, expression E is implicitly coerced into a valid term of the core logic: it is thus a pure expression, totally defined, terminating and without side effect.
  • version 1:

    where y is a fresh variable (representing the final value of variable x)
    • version 2:


    The first version avoids a potential duplication of E in R, whereas the second version is simpler when there is at most a single occurrence of x in R. The first version reveals also a deep duality between weakest-precondition and strongest-postcondition (see below).

    An example of a valid calculation of wp (using version 2) for assignments with integer valued variable x is:

    This means that in order for the postcondition x > 10 to be true after the assignment, the precondition x > 15 must be true before the assignment. This is also the "weakest precondition", in that it is the "weakest" restriction on the value of x which makes x > 10 true after the assignment.

    Sequence



    For example,

    Conditional



    As example:

    While loop

    Weakest-precondition of while-loop is usually parametrized by a predicate I called loop invariant
    Loop invariant
    In computer science, a loop invariant is an invariant used to prove properties of loops. Informally, a loop invariant is a statement of the conditions that should be true on entry into a loop and that are guaranteed to remain true on every iteration of the loop...

    , and a well-founded relation
    Well-founded relation
    In mathematics, a binary relation, R, is well-founded on a class X if and only if every non-empty subset of X has a minimal element with respect to R; that is, for every non-empty subset S of X, there is an element m of S such that for every element s of S, the pair is not in R:\forall S...

     on the space state denoted "<" and called loop variant
    Loop variant
    In computer science, a loop variant is a mathematical function defined on the state space of a computer program whose value is monotonically decreased with respect to a well-founded relation by the iteration of a while loop under some invariant conditions, thereby ensuring its termination...

    . Hence, we have:

    where y is a fresh tuple of variables

    Informally, in the above conjunction of three formulas:
    • the first one means that invariant I must initially hold;
    • the second one means that the body of the loop (e.g. statement S) must preserve the invariant and decrease the variant: here, variable y represents the initial state of the body execution;
    • the last one means that R must be established at the end of the loop: here, variable y represents the final state of the loop.


    In predicate transformers semantics, invariant and variant are built by mimicking Kleene fixed-point theorem. Below, this construction is sketched in set theory
    Set theory
    Set theory is the branch of mathematics that studies sets, which are collections of objects. Although any type of object can be collected into a set, set theory is applied most often to objects that are relevant to mathematics...

    . We assume that U is a set denoting the state space. First, we define a family of subsets of U denoted by induction over Natural number
    Natural number
    In mathematics, the natural numbers are the ordinary whole numbers used for counting and ordering . These purposes are related to the linguistic notions of cardinal and ordinal numbers, respectively...

     k. Informally represents the set of initial states that makes R satisfied after less than k iterations of the loop:

    Then, we define:
    • invariant I as the predicate .
    • variant as the proposition


    With these definitions, reduces to formula .

    However in practice, such an abstract construction can not be handled efficiently by theorem provers. Hence, loop invariants and variants are provided by human users, or are inferred by some abstract interpretation
    Abstract interpretation
    In computer science, abstract interpretation is a theory of sound approximation of the semantics of computer programs, based on monotonic functions over ordered sets, especially lattices. It can be viewed as a partial execution of a computer program which gains information about its semantics In...

     procedure.

    Non-deterministic guarded commands

    Actually, Dijkstra's Guarded Command Language
    Guarded Command Language
    The Guarded Command Language is a language defined by Edsger Dijkstra for predicate transformer semantics. It combines programming concepts in a compact way, before the program is written in some practical programming language...

     (GCL) is an extension of the simple imperative language given until here with non-deterministic statements. Indeed, GCL aims to be a formal notation to define algorithms. Non-deterministic statements represent choices left to the actual implementation (in an effective programming language): properties proved on non-deterministic statements are ensured for all possible choices of implementation. In other words, weakest-preconditions of non-deterministic statements ensure
    • that there exists a terminating execution (e.g. there exists an implementation),
    • and, that the final state of all terminating execution satisfies the postcondition.


    Notice that the definitions of weakest-precondition given above (in particular for while-loop) preserve this property.

    Selection

    Selection is a generalization of if statement:


    Here, when two guards and are simultaneously true, then execution of this statement can run any of the associated statement or .

    Specification statement (or weakest-precondition of procedure call)

    Refinement calculus
    Refinement Calculus
    Refinement calculus is a formalized approach to stepwise refinement for program construction. The required behaviour of the final executable program is specified as an abstract and perhaps non-executable "program", which is then refined by a series of correctness-preserving transformations into an...

     extends non-deterministic statements with the notion of specification statement. Informally, this statement represents a procedure call in black box, where the body of the procedure is not known. Typically, using a syntax close to B-Method
    B-Method
    The B method is method of software development based on B, a tool-supported formal method based around an abstract machine notation, used in the development of computer software. It was originally developed by Jean-Raymond Abrial in France and the UK. B is related to the Z notation and supports...

    , a specification statement is written @
    where
    • x is the global variable modified by the statement,
    • P is a predicate representing the precondition,
    • y is a fresh logical variable, bound in Q, that represents the new value of x non-deterministically chosen by the statement,
    • Q is a predicate representing a postcondition, or more exactly a guard: in Q, variable x represents the initial state and y denotes the final state.


    The weakest-precondition of specification statement is given by:
     @
    where z is a fresh name


    Moreover, a statement S implements such a specification statement if and only if the following predicate is a tautology:

    where is a fresh name (denoting the initial state)


    Indeed, in such a case, the following property is ensured for all postcondition R (this is a direct consequence of wp monotonicity, see below): @

    Informally, this last property ensures that any proof about some statement involving a specification remains valid
    when replacing this specification by any of its implementation.

    Weakest liberal precondition

    An important variant of the weakest precondition is the weakest liberal precondition
    , which yields the weakest condition under which S either does not terminate or establishes R. It therefore differs from wp in not guaranteeing termination. Hence it corresponds to Hoare logic
    Hoare logic
    Hoare logic is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician C. A. R. Hoare, and subsequently refined by Hoare and other researchers...

     in partial correctness: for the statement language given above, wlp differs with wp only on while-loop, in not requiring a variant.

    Strongest postcondition

    Given S a statement and R a precondition
    Precondition
    In computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code or before an operation in a formal specification....

     (a predicate on the initial state), then
    is their strongest-postcondition: it implies any postcondition satisfied by the final state of any execution of S,
    for any initial state statisfying R. In other words, a Hoare triple is provable in Hoare logic if and only if the predicate below hold:
    Usually, strongest-postconditions are used in partial correctness.
    Hence, we have the following relation between weakest-liberal-preconditions and strongest-postconditions:

    For example, on assignment we have:

    where y is fresh


    Above, the logical variable y represents the initial value of variable x.
    Hence,

    On sequence, it appears that sp runs forward (whereas wp runs backward):

    Win and sin predicate transformers

    Leslie Lamport
    Leslie Lamport
    Leslie Lamport is an American computer scientist. A graduate of the Bronx High School of Science, he received a B.S. in mathematics from the Massachusetts Institute of Technology in 1960, and M.A. and Ph.D. degrees in mathematics from Brandeis University, respectively in 1963 and 1972...

     has suggested win and sin as predicate transformers for concurrent programming.

    Predicate transformers properties

    This section presents some characteristic properties of predicate transformers. Below, T denotes a predicate transformer (a function between two predicates on the state space) and P a predicate. For instance, T(P) may denote wp(S,P) or sp(S,P). We keep x as the variable of the state space.

    Monotonic

    Predicate transformers of interest (wp, wlp, and sp) are monotonic. A predicate transformer T is monotonic if and only if:

    This property is related to Consequence rule of Hoare logic.

    Strict

    A predicate transformer T is strict iff:

    For instance, wp is strict, whereas wlp is generally not. In particular, if statement S may not terminate then
    is satisfiable. We have
    Indeed, true is a valid invariant of that loop.

    Terminating

    A predicate transformer T is terminating iff:

    Actually, this terminology makes sense only for strict predicate transformers: indeed, is the weakest-precondition ensuring termination of S.

    It seems that naming this property non-aborting would be more appropriate: in total correctness, non-termination is abortion, whereas in partial correctness, it is not.

    Conjunctive

    A predicate transformer T is conjunctive iff:

    This is the case for , even if statement S is non-deterministic as a selection statement or a specification statement.

    Disjunctive

    A predicate transformer T is disjunctive iff:

    This is generally not the case of when S is non-deterministic. Indeed, let us consider a non-deterministic statement S choosing an arbitrary boolean. This statement is given here as the following selection statement:

    Then, reduces to the formula .

    Hence, reduces to the tautology

    Whereas, the formula
    reduces to the wrong proposition .

    The same counter-example can be reproduced using a specification statement (see above) instead: @

    Applications

    • Computations of weakest-preconditions are largely used to statically check assertions in programs
      Assertion (computing)
      In computer programming, an assertion is a predicate placed in a program to indicate that the developer thinks that the predicate is always true at that place.For example, the following code contains two assertions:...

       using a theorem-prover (like SMT-solvers
      Satisfiability Modulo Theories
      In computer science, the Satisfiability Modulo Theories problem is a decision problem for logical formulas with respect to combinations of background theories expressed in classical first-order logic with equality...

       or proof assistants
      Interactive theorem proving
      In computer science and mathematical logic, a proof assistant or interactive theorem prover is a software tool to assist with the development of formal proofs by man-machine collaboration...

      ): see Frama-C
      Frama-C
      Frama-C stands for Framework for Modular Analysis of C programs. Frama-C is a set of interoperable program analyzers for C programs. Frama-C has been developed by Commissariat à l'Énergie Atomique et aux Énergies Alternatives and Inria...

       or ESC/Java2
      ESC/Java
      ESC/Java , the "Extended Static Checker for Java," is a programming tool that attempts to find common run-time errors in Java programs at compile time...

      .

    • Unlike many other semantic formalisms, predicate transformer semantics was not designed as an investigation into foundations of computation. Rather, it was intended to provide programmers with a methodology to develop their programs as "correct by construction" in a "calculation style". This "top-down" style was advocated by Dijkstra and N. Wirth
      Niklaus Wirth
      Niklaus Emil Wirth is a Swiss computer scientist, best known for designing several programming languages, including Pascal, and for pioneering several classic topics in software engineering. In 1984 he won the Turing Award for developing a sequence of innovative computer languages.-Biography:Wirth...

      . It has been formalized further by R.-J. Back
      Ralph-Johan Back
      Ralph-Johan Back is a Finnish computer scientist.Back originated the refinement calculus, an important approach to the formal development of programs using stepwise refinement, in his 1978 PhD thesis at the University of Helsinki, On the Correctness of Refinement Steps in Program Development. He...

       and others in the Refinement Calculus
      Refinement Calculus
      Refinement calculus is a formalized approach to stepwise refinement for program construction. The required behaviour of the final executable program is specified as an abstract and perhaps non-executable "program", which is then refined by a series of correctness-preserving transformations into an...

      . Some tools like B-Method
      B-Method
      The B method is method of software development based on B, a tool-supported formal method based around an abstract machine notation, used in the development of computer software. It was originally developed by Jean-Raymond Abrial in France and the UK. B is related to the Z notation and supports...

       provide now automated reasoning
      Automated reasoning
      Automated reasoning is an area of computer science dedicated to understand different aspects of reasoning. The study in automated reasoning helps produce software which allows computers to reason completely, or nearly completely, automatically...

       in order to promote this methodology.

    • In the meta-theory of Hoare logic
      Hoare logic
      Hoare logic is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician C. A. R. Hoare, and subsequently refined by Hoare and other researchers...

      , weakest-preconditions appear as a key notion in the proof of relative completness
      Gödel's completeness theorem
      Gödel's completeness theorem is a fundamental theorem in mathematical logic that establishes a correspondence between semantic truth and syntactic provability in first-order logic. It was first proved by Kurt Gödel in 1929....

      .

    Weakest-preconditions and strongest-postconditions of imperative expressions

    In predicate transformers semantics, expressions are restricted to terms of the logic (see above). However, this restriction seems too strong for most existing programming languages, where expressions may have side effects (call to a function having a side effect), may not terminate or abort (like division by zero). There are many proposals to extend weakest-preconditions or strongest-postconditions for imperative expression languages and in particular for monads.

    Among them, Hoare Type Theory combines Hoare logic
    Hoare logic
    Hoare logic is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician C. A. R. Hoare, and subsequently refined by Hoare and other researchers...

     for a Haskell
    Haskell (programming language)
    Haskell is a standardized, general-purpose purely functional programming language, with non-strict semantics and strong static typing. It is named after logician Haskell Curry. In Haskell, "a function is a first-class citizen" of the programming language. As a functional programming language, the...

    -like language, Separation logic
    Separation logic
    In computer science, separation logic is an extension of Hoare logic, a way of reasoning about programs.It was developed by John C. Reynolds, Peter O'Hearn, Samin Ishtiaq and Hongseok Yang, drawing upon early work by Burstall...

     and Type Theory
    Type theory
    In mathematics, logic and computer science, type theory is any of several formal systems that can serve as alternatives to naive set theory, or the study of such formalisms in general...


    .
    This system is currently implemented as a Coq
    Coq
    In computer science, Coq is an interactive theorem prover. It allows the expression of mathematical assertions, mechanically checks proofs of these assertions, helps to find formal proofs, and extracts a certified program from the constructive proof of its formal specification...

     library called Ynot. In this language, evaluation of expressions
    Evaluation strategy
    In computer science, an evaluation strategy is a set of rules for evaluating expressions in a programming language. Emphasis is typically placed on functions or operators: an evaluation strategy defines when and in what order the arguments to a function are evaluated, when they are substituted...

     corresponds to computations of strongest-postconditions.

    Probabilistic Predicate Transformers

    Probabilistic Predicate Transformers are an extension of predicate transformers for probabilistic programs
    Randomized algorithm
    A randomized algorithm is an algorithm which employs a degree of randomness as part of its logic. The algorithm typically uses uniformly random bits as an auxiliary input to guide its behavior, in the hope of achieving good performance in the "average case" over all possible choices of random bits...

    .
    Indeed, such programs have many applications in cryptography
    Cryptography
    Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

     (hiding of information using some randomized noise),
    Distributed systems (symmetry breaking).

    See also

    • Axiomatic semantics
      Axiomatic semantics
      Axiomatic semantics is an approach based on mathematical logic to proving the correctness of computer programs. It is closely related to Hoare logic....

       — includes predicate transformer semantics
    • Formal semantics of programming languages
      Formal semantics of programming languages
      In programming language theory, semantics is the field concerned with the rigorous mathematical study of the meaning of programming languages and models of computation...

       — an overview
    • Hoare logic
      Hoare logic
      Hoare logic is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician C. A. R. Hoare, and subsequently refined by Hoare and other researchers...

       — the best-known axiomatic semantics
    • Refinement calculus
      Refinement Calculus
      Refinement calculus is a formalized approach to stepwise refinement for program construction. The required behaviour of the final executable program is specified as an abstract and perhaps non-executable "program", which is then refined by a series of correctness-preserving transformations into an...

      , an extension of guarded commands (and Hoare logic) exploiting the lattice
      Lattice (order)
      In mathematics, a lattice is a partially ordered set in which any two elements have a unique supremum and an infimum . Lattices can also be characterized as algebraic structures satisfying certain axiomatic identities...

       structure of predicate transformers (for "refinement" order).
    • Dynamic logic
      Dynamic logic (modal logic)
      Dynamic logic is an extension of modal logic originally intended for reasoning about computer programs and later applied to more general complex behaviors arising in linguistics, philosophy, AI, and other fields.-Language:...

      , where predicate transformers appear as modalities (in the sense of Modal logic
      Modal logic
      Modal logic is a type of formal logic that extends classical propositional and predicate logic to include operators expressing modality. Modals — words that express modalities — qualify a statement. For example, the statement "John is happy" might be qualified by saying that John is...

      ).
    The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK