Weakest Precondition1 (1)

7/26/2019 Weakest Precondition1 (1)

1/37

Dijkstras Weakest PreconditionEdsko de Vries


2/37

Introduction

Dijkstras Weakest Precondition

We characterise a program state by listing the value ofall variables in the program

A predicate (or condition) is a function from programstate to a boolean value

We define the goal of the program as a predicate onits final state: thepostcondition

We are interested in the set of states I, such that whenthe program is started in a statei I, it is guaranteed toterminate in a state that meets the postcondition. Thisset is defined by the weakest preconditionof the pro-

gram and the postcondition.


3/37

Notation


If the program is denoted by S (for System) and the post-condition is denoted by R, then the corresponding weakestprecondition is given by

wp(S, R)

Thus, if a programS is started in a state satisfyingwp(S, R),it is guaranteed to terminate in a state satisfying R.

We introduce two constant predicates:

All program states satisfytrue(T)

No program states satisfy false(F)


4/37

Properties ofwp


For any programS,

wp(S, F) =F Property (1)

When a program S is started in a state satisfying wp(S, F),it will terminate in a state satisfyingF.

However, no states satisfyF; therefore, no states can satisfy

wp(S, F).

This law is also called the Law of the Excluded Miracle. Wewill briefly come back to it later.


5/37

Properties ofwp(2)


For any programSand postconditionsQ, Rs.t. Q R,

wp(S, Q)wp(S, R) Property (2)

WhenSis started in a state satisfyingwp(S, Q), it will termi-nate in a state satisfyingQ.

ButQ R, so whenSis started in a state satisfying wp(S, Q)it will also terminate in a state satisfying R.

wp(S, R) is the weakest precondition for states that will re-sult in R; so the set of states that satisfy wp(S, Q) must bea subset of the set of states that satisfy wp(S, R).


6/37

Properties ofwp(3)


Properties (3) and (4) deal with conjunction (and) and dis-junction (or) of wp respectively. I.e., for a programS andpostconditionsQandR, we are interested in

wp(S, Q) wp(S, R) (conjunction)

and

wp(S, Q) wp(S, R) (disjunction)


7/37

Properties ofwp(4)


Every state (solid box) that satisfies wp(S, Q) (dashed box)is guaranteed to terminate in some state that satisfies Q.

wp(S, Q)

Q

wp(S, R)

R


8/37


9/37

Properties ofwp(6)


wp(S, Q) wp(S, R)wp(S, Q R) Property (4)

wp(S, Q)

Q

wp(S, R)

R

Q R

wp(S, Q) wp(S, R)


10/37

Properties ofwp(7)


wp(S, Q) wp(S, R)=wp(S, Q R)

wp(S, Q)

Q

wp(S, R)

R

Q QR R

wp(S, Q) wp(S, R)wp(S, Q R)


11/37

Properties ofwp(8)


wp(S, Q) wp(S, R) =wp(S, Q R)Property (4) (Sdeterministic)

wp(S, Q)

Q

wp(S, R)

R

wp(S, R) wp(S, Q)


12/37

The Derivation ofwp(S, R)


The simplest program is one that does nothing. Let Skipbethe null statement. Then

wp(Skip, R) = R (skip)

In words, R will only hold after executing Skip when it heldbefore executingSkip.


13/37

The Derivation ofwp(S, R)(2)


Next we introduce two programs with a constant precondi-tion (one that does not depend on the postcondition).

wp(Abort, R) =F (abort)

By definition, Abort will fail to reach anystate, so it cannotreach a state that satisfies any R.

The following is (explicitely) excluded by Dijkstra but is useful

in a lattice theoretic framework:

wp(Miracle, R) =T (miracle)

So, Miracle is guaranteed to terminate in a state that satis-

fies any postcondition you want, independent of the precon-dition.


14/37

The Derivation ofwp(S, R)(3)


LetR[x :=E]denoteRwithEsubstituted forx. Then

wp(x :=E, R) =R[x :=E] (assignment)

For example

wp(a := 7, a= 7) = (7= 7) =T

wp(a := 7, a= 6) = (7= 6) =F

So,ais always 7after executinga := 7, and never 6, as onewould expect.


15/37

The Derivation ofwp(S, R)(4)Dijkstras Weakest Precondition

A few more examples

wp(a := 7, b=c) = (b=c)

wp(a := 2 b+1, a= 13) = (2 b+1= 13) = (b= 6)

wp(a := a b, a > b) = (a b > b) = (a > 2 b)


16/37


We must be able to compose multiple atomic instructions.

wp(S1; S2, R) =wp(S1, wp(S2, R)) (sequencing)

Intuitively, ifS1; S2 is to establish R, the last statement in thesequence (S2) should establishR, and the first statement inthe sequence should pave the way for S2.

But by definition S2 will be able to establish R if wp(S2, R)

holds; so this is exactly what S1 must establish.

Thus, the weakest precondition ofS1; S2is the condition suchthatS1 is able to to establish the weakest precondition of S2.I.e.,S1 must be able to pave the way for S2.


17/37


Example

wp(a :=a+b; b := a b, b > a) =

wp(a :=a+b, wp(b :=a b, b > a))

wp(b := a b, b > a) = (a b > a) =

(b > 1 a 0) (b < 1 a 0)

wp(a :=a+b, (b > 1 a 0) (b < 1 a 0)) =

(b > 1 (a+b) 0) (b < 1 (a+b) 0)

= (b > 1 a b) (b < 1 a b)


18/37


Two conditional statements:

ifB1 S1B2 S2 Bn Sn fi

and

doB1 S1B2 S2 Bn Sn od


19/37


LetIF=ifB1 S1B2 S2 Bn Sn fi. Then

wp(IF, R) =i Bi i Bi wp(Si, R) (if)

Thus, at least one of the guards must be true, and the weak-est precondition of all selected statements must be satisfied.(The ifstatement will abort if all guards are false.)


20/37


Consider this program to calculate the maximum of threenumbers1

IF=

if

x > y x > zmax :=x

y > x y > zmax :=y

((x > y x > z) (y > x y > z)) max :=z

fi

(Example is due to Hugh Gibbons)


21/37


We use the postcondition R= max x max y max z. By definition,

wp(IF, R) =i Bi i Bi wp(Si, R)

i Bi is automatically satisfied because the conditions ofIFare exclusive. Left to show i Bi R. For the first branch:

x>

y

x>

zwp

(

max :

= x,

max

x

max

y

max

x > y x > zx x x y x z

x > y x > zxy x z

T

The proof is similar for the second branch.


22/37


The third branch is more interesting.

((x > y x > z) (y > x y > z))

wp(max :=z, max x max y maxz)

((x > y x > z) (y > x y > z)) zx zy

(x > y x > z) (y > x y > z)) zx zy

(xy xz) (yx yz)zx zy

((xy xz) yx) ((xy xz) yz)zx z

(x=y) (yxz) (xy z) (xz yz)zx z

(x=y)(zx zy)

(x=y) (zx zy)

(x=y) (zx)


23/37


Thus, withIFdefined as before,

IF=

if

x>

y x>

zmax :=xy > x y > zmax :=y

((x > y x > z) (y > x y > z)) max :=z

fi

we have

wp(IF, max x maxy maxz) = (x =y zx)

and the program fails if x=y z < x.


24/37


LetDO= doB1 S1B2 S2 Bn Sn od, and letIFbe the corresponding ifstatement.

If Hk

(R) is the weakest condition such that the loop willterminate in a state satisfying R after at most k iterations(k 0), then

wp(DO, R) =kHk(R) (do)

We define Hk inductively.

H0(R) = R i Bi

Hk(R) =wp(IF,Hk1(R)) H0


25/37

Invariant PropertiesDijkstras Weakest Precondition

A predicatePisinvariantin an ifstatementIFif

Pholds before and afterIF, and

IFdoes not abort (at least one branch is selected)

I.e.,

P (i Bi)wp(IF, P) (if-invariant)

This will hold ifPis invariant in all selected branches:

i (P Bi)wp(Sj, P)


26/37

Invariant Properties (2)Dijkstras Weakest Precondition

Let DO be a doloop, and IF the corresponding ifstatement.

Theorem(Fundamental Invariance Theorem for Loops)LetPbe invariant inIF, i.e.

P (i Bi)wp(IF, P)

Then for the correspondingDOconstruct, we can conclude

P wp(DO, T)wp(DO, P i Bi) (do-invariant)

(The conditionwp(DO, T)forces the loop to terminate.)


27/37

Loop TerminationDijkstras Weakest Precondition

wp(DO, T)is impossible to prove in the general case (haltingproblem).

The idea is to

introduce a function t from program state to the set ofintegers, and

to show thattis bounded below by some number and

every execution of the loop reducestby at least one.

This guarantees termination of the loop. We design our pro-gram in a way such that we can find a suitable function t.


28/37

Loop Termination (2)Dijkstras Weakest Precondition

Let a property P be invariant in the loop. Lettbe a functionfrom program state to the set of integers, such that

P (i Bi)t > 0 (t-bounded)

Furthermore, for any valuet0,

P (i Bi) (tt0 + 1)wp(IF, tt0) (t-decreasing)

This proves that P (t k) wp(Hk(T)), therefore P wp(DO, T), and thus

Pwp(DO, P i Bi)


29/37

Loop Termination (3)Dijkstras Weakest Precondition

To show (t-decreasing), we must show that every branch oftheDOreducest, i.e.

i P Bi (tt0+1)wp(Si, tt0)

Consider wp(Si, tt0). Calculating this yields

wp(Si, tt0) =t t0

where both t and t are functions of the current state. Wemust show that t t 1, i.e., Si decreases t by at leastone. This is denoted by wdec:

wdec(Si, t) =t t 1 (wdec)


30/37

Loop ExampleDijkstras Weakest Precondition

As a final example, we consider a loop.

, x,y := 0, 10, 10;

do= 0 x > 0 , x := 1, x 1;

= 1 y > 0 ,y := 0,y 1;

od

Prove that = x=y= 0when the loop terminates.


31/37

Loop Example (2)Dijkstras Weakest Precondition

We need to find an invariant P.

, x,y := 0, 10, 10;

do

= 0 x > 0 , x := 1, x 1;

= 1 y > 0 ,y := 0,y 1;

od

What is invariant throughout the program?

P = (y x= ) x 0 y 0


32/37


Lets verify thatPholds after the initial assignment.

wp(, x,y := 0, 10, 10,y x= x 0 y 0)

10

10

=0

10

0

10

0

T


33/37


Now lets verify that P is invariant in the loop. For the firstbranch in the loop:

(y x= x 0 y 0) = 0 x > 0

wp(, x := 1, x 1,y x= x 0 y 0)

(y x= 0) x > 0 y 0

(y (x 1) = 1) (x 1) 0 y 0

T

By a similar argument, P is also invariant in the secondbranch in the loop. Thus,P is invariant throughout the pro-gram.


34/37


To prove termination, we need to choose an appropriate t.

, x,y := 0, 10, 10;

do= 0 x > 0 , x := 1, x 1;

= 1 y > 0 ,y := 0,y 1;

od

What would be a suitable function?

t =x+y


35/37


To show thatt =x+yis a suitable choice, we need to show(t-bounded) and (t-decreasing). First, we show (t-bounded):

(y x= x 0 y 0) = 0 x > 0(x+y) > 0

T

(y x= x 0 y 0) = 1 y > 0(x+y) > 0

T


36/37


To show (t-decreasing), we have to show that every branchof the doloop reducest. We have

wp(t, x := 1, x 1, x+y < t0) = ((x 1) +y) < t0

wdec(t, x := 1, x 1, x+y) = ((x 1) +y)(x+y) 1=

By a similar argument, the second branch of the doloopalso decreasest. So, we have proven termination.


37/37


So, now we know that P wp(DO, P i Bi). We knowthat P holds before the doloop, and we can conclude thatP i Bi holds when the program terminates. To be ac-curate, we know

(t= 0 x > 0) (t= 1 y > 0) (y x= x 0 y 0)

There are only two possibilities for ; either = 0or = 1.We cannot have = 1, because then y 0, y x = 1, sox < 0which contradicts the invariant.

So, = 0, thereforex 0. Butx 0 x 0 x= 0. We

knowy x=

;y 0

=0

, soy=0

.

Documents

Weakest Precondition1 (1)