7/26/2019 Weakest Precondition1 (1)
1/37
Dijkstra's Weakest Precondition
Edsko de Vries
Introduction
We characterise a program state by listing the value of all variables in the program.
A predicate (or condition) is a function from program state to a boolean value.
We define the goal of the program as a predicate on its final state: the postcondition.
We are interested in the set of states I such that, when the program is started in a state i ∈ I, it is guaranteed to terminate in a state that meets the postcondition. This set is defined by the weakest precondition of the program and the postcondition.
Notation
If the program is denoted by S (for System) and the postcondition is denoted by R, then the corresponding weakest precondition is given by
wp(S, R)
Thus, if a program S is started in a state satisfying wp(S, R), it is guaranteed to terminate in a state satisfying R.
We introduce two constant predicates:
All program states satisfy true (T)
No program states satisfy false (F)
Properties of wp
For any program S,
wp(S, F) = F   Property (1)
When a program S is started in a state satisfying wp(S, F), it will terminate in a state satisfying F.
However, no states satisfy F; therefore, no states can satisfy wp(S, F).
This law is also called the Law of the Excluded Miracle. We will briefly come back to it later.
Properties of wp (2)
For any program S and postconditions Q, R s.t. Q ⇒ R,
wp(S, Q) ⇒ wp(S, R)   Property (2)
When S is started in a state satisfying wp(S, Q), it will terminate in a state satisfying Q.
But Q ⇒ R, so when S is started in a state satisfying wp(S, Q) it will also terminate in a state satisfying R.
wp(S, R) is the weakest precondition for states that will result in R; so the set of states that satisfy wp(S, Q) must be a subset of the set of states that satisfy wp(S, R).
Properties of wp (3)
Properties (3) and (4) deal with conjunction (and) and disjunction (or) of wp respectively. I.e., for a program S and postconditions Q and R, we are interested in
wp(S, Q) ∧ wp(S, R)   (conjunction)
and
wp(S, Q) ∨ wp(S, R)   (disjunction)
Properties of wp (4)
Every state (solid box) that satisfies wp(S, Q) (dashed box) is guaranteed to terminate in some state that satisfies Q.
[Figure: states satisfying wp(S, Q) map into Q; states satisfying wp(S, R) map into R]
Properties of wp (6)
wp(S, Q) ∨ wp(S, R) ⇒ wp(S, Q ∨ R)   Property (4)
[Figure: wp(S, Q), wp(S, R) and their union wp(S, Q) ∨ wp(S, R) on the left; Q, R and their union Q ∨ R on the right]
Properties of wp (7)
wp(S, Q) ∧ wp(S, R) = wp(S, Q ∧ R)   Property (3)
[Figure: Q, Q ∧ R and R on the right; on the left the intersection wp(S, Q) ∧ wp(S, R), which coincides with wp(S, Q ∧ R)]
Properties of wp (8)
wp(S, Q) ∨ wp(S, R) = wp(S, Q ∨ R)   Property (4) (S deterministic)
[Figure: wp(S, Q) and wp(S, R) on the left, Q and R on the right]
The Derivation of wp(S, R)
The simplest program is one that does nothing. Let Skip be the null statement. Then
wp(Skip, R) = R   (skip)
In words, R will only hold after executing Skip when it held before executing Skip.
The Derivation of wp(S, R) (2)
Next we introduce two programs with a constant precondition (one that does not depend on the postcondition).
wp(Abort, R) = F   (abort)
By definition, Abort will fail to reach any state, so it cannot reach a state that satisfies any R.
The following is (explicitly) excluded by Dijkstra but is useful in a lattice-theoretic framework:
wp(Miracle, R) = T   (miracle)
So, Miracle is guaranteed to terminate in a state that satisfies any postcondition you want, independent of the precondition.
The Derivation of wp(S, R) (3)
Let R[x := E] denote R with E substituted for x. Then
wp(x := E, R) = R[x := E]   (assignment)
For example
wp(a := 7, a = 7) = (7 = 7) = T
wp(a := 7, a = 6) = (7 = 6) = F
So, a is always 7 after executing a := 7, and never 6, as one would expect.
The Derivation of wp(S, R) (4)
A few more examples
wp(a := 7, b = c) = (b = c)
wp(a := 2·b + 1, a = 13) = (2·b + 1 = 13) = (b = 6)
wp(a := a − b, a > b) = (a − b > b) = (a > 2·b)
The Derivation of wp(S, R) (5)
We must be able to compose multiple atomic instructions.
wp(S1; S2, R) = wp(S1, wp(S2, R))   (sequencing)
Intuitively, if S1; S2 is to establish R, the last statement in the sequence (S2) should establish R, and the first statement in the sequence should pave the way for S2.
But by definition S2 will be able to establish R if wp(S2, R) holds; so this is exactly what S1 must establish.
Thus, the weakest precondition of S1; S2 is the condition such that S1 is able to establish the weakest precondition of S2. I.e., S1 must be able to pave the way for S2.
The Derivation of wp(S, R) (6)
Example
wp(a := a + b; b := a·b, b > a) =
wp(a := a + b, wp(b := a·b, b > a))
wp(b := a·b, b > a) = (a·b > a) =
(b > 1 ∧ a > 0) ∨ (b < 1 ∧ a < 0)
wp(a := a + b, (b > 1 ∧ a > 0) ∨ (b < 1 ∧ a < 0)) =
(b > 1 ∧ (a + b) > 0) ∨ (b < 1 ∧ (a + b) < 0)
= (b > 1 ∧ a > −b) ∨ (b < 1 ∧ a < −b)
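The (skip), (abort), (miracle), (assignment) and (sequencing) rules can be mechanised directly, because the slides define a predicate as a function from program state to a boolean. The Python below is an added example and not code from the slides: it represents each statement by its predicate transformer R ↦ wp(S, R), builds wp(x := E, R) as "evaluate R in the state where x has been replaced by the value of E" (which is exactly R[x := E]), builds wp(S1; S2, R) as wp(S1, wp(S2, R)), and checks the worked examples of the last few slides, plus Properties (1) and (2), against their closed forms by exhaustive evaluation over a finite box of integer states. The dict-of-variables state representation, the box of values searched and the program used for the property checks are this example's own assumptions.

```python
from itertools import product

# A predicate is a function from a program state (dict: variable -> value) to bool.
TRUE = lambda s: True     # every state satisfies T
FALSE = lambda s: False   # no state satisfies F

# A statement is represented by its predicate transformer R -> wp(S, R).
def skip(R):
    return R                          # (skip):    wp(Skip, R) = R

def abort(R):
    return FALSE                      # (abort):   wp(Abort, R) = F

def miracle(R):
    return TRUE                       # (miracle): wp(Miracle, R) = T, excluded by Dijkstra

def assign(var, expr):
    """x := E, where expr evaluates E in the current state.
    (assignment): wp(x := E, R) = R[x := E]."""
    return lambda R: (lambda s: R({**s, var: expr(s)}))

def seq(S1, S2):
    """S1; S2.  (sequencing): wp(S1; S2, R) = wp(S1, wp(S2, R))."""
    return lambda R: S1(S2(R))

def states(names, lo, hi):
    """Every state whose variables `names` take integer values in [lo, hi)."""
    return (dict(zip(names, vals)) for vals in product(range(lo, hi), repeat=len(names)))

def equivalent(P, Q, names, lo=-6, hi=7):
    """P = Q as predicates, decided by exhaustive evaluation over a finite box of states."""
    return all(P(s) == Q(s) for s in states(names, lo, hi))

def implies(P, Q, names, lo=-6, hi=7):
    """P => Q in every state of the box."""
    return all((not P(s)) or Q(s) for s in states(names, lo, hi))

def slide_examples():
    """The worked examples from the slides, each checked against its closed form."""
    a7 = assign("a", lambda s: 7)
    a_is = lambda n: (lambda s: s["a"] == n)
    return {
        "wp(a := 7, a = 7) = T": equivalent(a7(a_is(7)), TRUE, ["a"]),
        "wp(a := 7, a = 6) = F": equivalent(a7(a_is(6)), FALSE, ["a"]),
        "wp(a := 7, b = c) = (b = c)":
            equivalent(a7(lambda s: s["b"] == s["c"]), lambda s: s["b"] == s["c"], ["a", "b", "c"]),
        "wp(a := 2b + 1, a = 13) = (b = 6)":
            equivalent(assign("a", lambda s: 2 * s["b"] + 1)(a_is(13)), lambda s: s["b"] == 6, ["a", "b"]),
        "wp(a := a - b, a > b) = (a > 2b)":
            equivalent(assign("a", lambda s: s["a"] - s["b"])(lambda s: s["a"] > s["b"]),
                       lambda s: s["a"] > 2 * s["b"], ["a", "b"]),
        "wp(a := a + b; b := a * b, b > a) = (b > 1 and a > -b) or (b < 1 and a < -b)":
            equivalent(seq(assign("a", lambda s: s["a"] + s["b"]),
                           assign("b", lambda s: s["a"] * s["b"]))(lambda s: s["b"] > s["a"]),
                       lambda s: (s["b"] > 1 and s["a"] > -s["b"]) or (s["b"] < 1 and s["a"] < -s["b"]),
                       ["a", "b"]),
    }

def property_checks():
    """Property (1), wp(S, F) = F, and Property (2), Q => R gives wp(S, Q) => wp(S, R),
    checked for the sequenced program S = a := a + b; b := a * b (chosen for this example)."""
    S = seq(assign("a", lambda s: s["a"] + s["b"]), assign("b", lambda s: s["a"] * s["b"]))
    Q = lambda s: s["b"] > 3          # Q => R, with R = (b > 1)
    R = lambda s: s["b"] > 1
    return {
        "Property (1): wp(S, F) = F": equivalent(S(FALSE), FALSE, ["a", "b"]),
        "Property (2): wp(S, Q) => wp(S, R)": implies(S(Q), S(R), ["a", "b"]),
        "Abort establishes nothing: wp(Abort, T) = F": equivalent(abort(TRUE), FALSE, ["a"]),
        "Miracle violates Property (1)": not equivalent(miracle(FALSE), FALSE, ["a"]),
    }

if __name__ == "__main__":
    for name, ok in {**slide_examples(), **property_checks()}.items():
        print("ok  " if ok else "FAIL", name)
```

Because the check is exhaustive over a box rather than a proof, a closed form that agrees on the box but differs outside it would not be caught; the box is only there to confirm the algebra on the slides, not to replace it.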
The Derivation of wp(S, R) (7)
Two conditional statements:
if B1 → S1 □ B2 → S2 □ … □ Bn → Sn fi
and
do B1 → S1 □ B2 → S2 □ … □ Bn → Sn od
The Derivation of wp(S, R) (8)
Let IF = if B1 → S1 □ B2 → S2 □ … □ Bn → Sn fi. Then
wp(IF, R) = (∃i Bi) ∧ (∀i Bi ⇒ wp(Si, R))   (if)
Thus, at least one of the guards must be true, and the weakest precondition of all selected statements must be satisfied. (The if statement will abort if all guards are false.)
The Derivation of wp(S, R) (9)
Consider this program to calculate the maximum of three numbers:
IF =
if
  x > y ∧ x > z → max := x
□ y > x ∧ y > z → max := y
□ ¬((x > y ∧ x > z) ∨ (y > x ∧ y > z)) → max := z
fi
(Example is due to Hugh Gibbons)
The Derivation of wp(S, R) (10)
We use the postcondition R = (max ≥ x ∧ max ≥ y ∧ max ≥ z). By definition,
wp(IF, R) = (∃i Bi) ∧ (∀i Bi ⇒ wp(Si, R))
∃i Bi is automatically satisfied because the guards of IF are exclusive and exhaustive (the third guard is the negation of the first two). Left to show ∀i Bi ⇒ wp(Si, R). For the first branch:
x > y ∧ x > z ⇒ wp(max := x, max ≥ x ∧ max ≥ y ∧ max ≥ z)
≡ x > y ∧ x > z ⇒ x ≥ x ∧ x ≥ y ∧ x ≥ z
≡ x > y ∧ x > z ⇒ x ≥ y ∧ x ≥ z
≡ T
The proof is similar for the second branch.
The Derivation of wp(S, R) (11)
The third branch is more interesting.
¬((x > y ∧ x > z) ∨ (y > x ∧ y > z)) ⇒ wp(max := z, max ≥ x ∧ max ≥ y ∧ max ≥ z)
≡ ¬((x > y ∧ x > z) ∨ (y > x ∧ y > z)) ⇒ z ≥ x ∧ z ≥ y
≡ ¬(x > y ∧ x > z) ∧ ¬(y > x ∧ y > z) ⇒ z ≥ x ∧ z ≥ y
≡ (x ≤ y ∨ x ≤ z) ∧ (y ≤ x ∨ y ≤ z) ⇒ z ≥ x ∧ z ≥ y
≡ ((x ≤ y ∨ x ≤ z) ∧ y ≤ x) ∨ ((x ≤ y ∨ x ≤ z) ∧ y ≤ z) ⇒ z ≥ x ∧ z ≥ y
≡ (x = y) ∨ (y ≤ x ≤ z) ∨ (x ≤ y ≤ z) ∨ (x ≤ z ∧ y ≤ z) ⇒ z ≥ x ∧ z ≥ y
≡ (x = y) ⇒ (z ≥ x ∧ z ≥ y)
≡ (x ≠ y) ∨ (z ≥ x ∧ z ≥ y)
≡ (x ≠ y) ∨ (z ≥ x)
The Derivation of wp(S, R) (12)
Thus, with IF defined as before,
IF =
if
  x > y ∧ x > z → max := x
□ y > x ∧ y > z → max := y
□ ¬((x > y ∧ x > z) ∨ (y > x ∧ y > z)) → max := z
fi
we have
wp(IF, max ≥ x ∧ max ≥ y ∧ max ≥ z) = (x ≠ y ∨ z ≥ x)
and the program fails if x = y ∧ z < x.
The Derivation of wp(S, R) (13)
Let DO = do B1 → S1 □ B2 → S2 □ … □ Bn → Sn od, and let IF be the corresponding if statement.
If Hk(R) is the weakest condition such that the loop will terminate in a state satisfying R after at most k iterations (k ≥ 0), then
wp(DO, R) = (∃k ≥ 0: Hk(R))   (do)
We define Hk inductively.
H0(R) = R ∧ ¬(∃i Bi)
Hk(R) = wp(IF, Hk−1(R)) ∨ H0(R)
Invariant Properties
A predicate P is invariant in an if statement IF if
P holds before and after IF, and
IF does not abort (at least one branch is selected).
I.e.,
P ∧ (∃i Bi) ⇒ wp(IF, P)   (if-invariant)
This will hold if P is invariant in all selected branches:
∀i (P ∧ Bi) ⇒ wp(Si, P)
Invariant Properties (2)
Let DO be a do loop, and IF the corresponding if statement.
Theorem (Fundamental Invariance Theorem for Loops). Let P be invariant in IF, i.e.
P ∧ (∃i Bi) ⇒ wp(IF, P)
Then for the corresponding DO construct, we can conclude
P ∧ wp(DO, T) ⇒ wp(DO, P ∧ ¬(∃i Bi))   (do-invariant)
(The condition wp(DO, T) forces the loop to terminate.)
Loop Termination
wp(DO, T) is impossible to prove in the general case (halting problem).
The idea is to
introduce a function t from program state to the set of integers, and
to show that t is bounded below by some number, and
every execution of the loop reduces t by at least one.
This guarantees termination of the loop. We design our program in a way such that we can find a suitable function t.
Loop Termination (2)
Let a property P be invariant in the loop. Let t be a function from program state to the set of integers, such that
P ∧ (∃i Bi) ⇒ t > 0   (t-bounded)
Furthermore, for any value t0,
P ∧ (∃i Bi) ∧ (t ≤ t0 + 1) ⇒ wp(IF, t ≤ t0)   (t-decreasing)
This proves that P ∧ (t ≤ k) ⇒ Hk(T), therefore P ⇒ wp(DO, T), and thus
P ⇒ wp(DO, P ∧ ¬(∃i Bi))
Loop Termination (3)
To show (t-decreasing), we must show that every branch of the DO reduces t, i.e.
∀i P ∧ Bi ∧ (t ≤ t0 + 1) ⇒ wp(Si, t ≤ t0)
Consider wp(Si, t ≤ t0). Calculating this yields
wp(Si, t ≤ t0) = (t′ ≤ t0)
where both t and t′ are functions of the current state (t′ is the value t takes after Si, expressed in terms of the current state). We must show that t′ ≤ t − 1, i.e., Si decreases t by at least one. This is denoted by wdec:
wdec(Si, t) = (t′ ≤ t − 1)   (wdec)
Loop Example
As a final example, we consider a loop.
, x,y := 0, 10, 10;
do= 0 x > 0 , x := 1, x 1;
= 1 y > 0 ,y := 0,y 1;
od
Prove that = x=y= 0when the loop terminates.
Loop Example (2)
We need to find an invariant P.
, x,y := 0, 10, 10;
do
= 0 x > 0 , x := 1, x 1;
= 1 y > 0 ,y := 0,y 1;
od
What is invariant throughout the program?
P = (y x= ) x 0 y 0
Loop Example (3)
Let's verify that P holds after the initial assignment.
wp(, x,y := 0, 10, 10,y x= x 0 y 0)
10
10
=0
10
0
10
0
T
Loop Example (4)
Now let's verify that P is invariant in the loop. For the first branch in the loop:
(y x= x 0 y 0) = 0 x > 0
wp(, x := 1, x 1,y x= x 0 y 0)
(y x= 0) x > 0 y 0
(y (x 1) = 1) (x 1) 0 y 0
T
By a similar argument, P is also invariant in the second branch in the loop. Thus, P is invariant throughout the program.
Loop Example (5)
To prove termination, we need to choose an appropriate t.
, x,y := 0, 10, 10;
do= 0 x > 0 , x := 1, x 1;
= 1 y > 0 ,y := 0,y 1;
od
What would be a suitable function?
t = x + y
Loop Example (6)
To show that t = x + y is a suitable choice, we need to show (t-bounded) and (t-decreasing). First, we show (t-bounded):
(y x= x 0 y 0) = 0 x > 0(x+y) > 0
T
(y x= x 0 y 0) = 1 y > 0(x+y) > 0
T
Loop Example (7)
To show (t-decreasing), we have to show that every branch of the do loop reduces t. We have
wp(t, x := 1, x 1, x+y < t0) = ((x 1) +y) < t0
wdec(t, x := 1, x 1, x+y) = ((x 1) +y)(x+y) 1=
By a similar argument, the second branch of the do loop also decreases t. So, we have proven termination.
Loop Example (8)
So, now we know that P ⇒ wp(DO, P ∧ ¬(∃i Bi)). We know that P holds before the do loop, and we can conclude that P ∧ ¬(∃i Bi) holds when the program terminates. To be accurate, we know
(t= 0 x > 0) (t= 1 y > 0) (y x= x 0 y 0)
There are only two possibilities for ; either = 0or = 1.We cannot have = 1, because then y 0, y x = 1, sox < 0which contradicts the invariant.
So, = 0, thereforex 0. Butx 0 x 0 x= 0. We
knowy x=
;y 0
=0
, soy=0
.
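The (if) and (do) rules, the branch-wise invariance check and the termination argument can all be run mechanically on the two programs of these slides: the maximum-of-three IF (whose weakest precondition the slides derive as x ≠ y ∨ z ≥ x) and the final loop. The Python below is an added example and not code from the slides. It evaluates wp(IF, R) from the (if) rule, wp(DO, R) from the Hk recursion (cut off at a chosen iteration bound, so a false result only means that the loop does not establish R within that many iterations), and checks P ∧ Bi ⇒ wp(Si, P), (t-bounded) and wdec for the loop over a finite box of states. The loop's third variable is called `phase` here because its name did not survive extraction of the slides; that name, the dict state representation and the ranges searched are assumptions of this example.

```python
from itertools import product

# A state is a dict of variable values, a predicate a function state -> bool, and a
# statement its predicate transformer R -> wp(S, R), as defined on the slides.

def assign(targets, exprs):
    """Multiple assignment x1, .., xn := E1, .., En: every right-hand side is
    evaluated in the current state.  (assignment): wp(x := E, R) = R[x := E]."""
    return lambda R: (lambda s: R({**s, **{v: e(s) for v, e in zip(targets, exprs)}}))

def wp_if(branches):
    """IF = if B1 -> S1 [] .. [] Bn -> Sn fi, given as (guard, statement) pairs.
    (if): wp(IF, R) = (exists i: Bi) and (forall i: Bi => wp(Si, R))."""
    return lambda R: (lambda s: any(B(s) for B, _ in branches)
                      and all((not B(s)) or S(R)(s) for B, S in branches))

def wp_do(branches, k_max):
    """DO = do B1 -> S1 [] .. [] Bn -> Sn od, through the H_k of the (do) rule:
    H0(R) = R and not (exists i: Bi);  Hk(R) = wp(IF, H(k-1)(R)) or H0(R).
    H_k => H_(k+1), so H_(k_max)(R) is wp(DO, R) restricted to at most k_max iterations."""
    IF = wp_if(branches)
    def H(k, R):
        def h(s):
            if R(s) and not any(B(s) for B, _ in branches):   # H0: loop has stopped and R holds
                return True
            return k > 0 and IF(H(k - 1, R))(s)               # one more iteration of IF
        return h
    return lambda R: H(k_max, R)

# --- The maximum-of-three program (example due to Hugh Gibbons) ------------------
B1 = lambda s: s["x"] > s["y"] and s["x"] > s["z"]
B2 = lambda s: s["y"] > s["x"] and s["y"] > s["z"]
B3 = lambda s: not (B1(s) or B2(s))
MAX3 = wp_if([(B1, assign(["max"], [lambda s: s["x"]])),
              (B2, assign(["max"], [lambda s: s["y"]])),
              (B3, assign(["max"], [lambda s: s["z"]]))])
R_MAX = lambda s: s["max"] >= s["x"] and s["max"] >= s["y"] and s["max"] >= s["z"]

def max3_matches_closed_form(lo=-3, hi=4):
    """wp(IF, R_MAX) from the (if) rule agrees with the slides' result x != y or z >= x."""
    return all(MAX3(R_MAX)({"x": x, "y": y, "z": z, "max": 0}) == (x != y or z >= x)
               for x, y, z in product(range(lo, hi), repeat=3))

# --- The loop example ------------------------------------------------------------
# `phase` stands for the slides' third variable (assumed name; lost in extraction).
LOOP = [
    (lambda s: s["phase"] == 0 and s["x"] > 0,
     assign(["phase", "x"], [lambda s: 1, lambda s: s["x"] - 1])),
    (lambda s: s["phase"] == 1 and s["y"] > 0,
     assign(["phase", "y"], [lambda s: 0, lambda s: s["y"] - 1])),
]
P = lambda s: s["y"] - s["x"] == s["phase"] and s["x"] >= 0 and s["y"] >= 0   # invariant
t = lambda s: s["x"] + s["y"]                                                 # variant
POST = lambda s: s["phase"] == 0 and s["x"] == 0 and s["y"] == 0

def loop_states(hi=12):
    """The finite box of states over which the loop properties are checked."""
    return ({"phase": p, "x": x, "y": y} for p, x, y in product((0, 1), range(hi), range(hi)))

def invariant_holds():
    """forall i: P and Bi => wp(Si, P)  (P is invariant in every selected branch)."""
    return all((not (P(s) and B(s))) or S(P)(s) for s in loop_states() for B, S in LOOP)

def t_bounded():
    """(t-bounded): P and (exists i: Bi) => t > 0."""
    return all((not (P(s) and any(B(s) for B, _ in LOOP))) or t(s) > 0 for s in loop_states())

def wdec(S, s):
    """wdec(S, t) in state s: wp(S, t <= t0) with t0 = t(s) - 1, i.e. S lowers t by at least one."""
    return S(lambda s2: t(s2) <= t(s) - 1)(s)

def t_decreasing():
    """forall i: P and Bi => wdec(Si, t), which gives (t-decreasing)."""
    return all((not (P(s) and B(s))) or wdec(S, s) for s in loop_states() for B, S in LOOP)

def loop_establishes_post(phase, x, y, k_max=40):
    """wp(DO, phase = x = y = 0) in the given initial state, within k_max iterations."""
    return wp_do(LOOP, k_max)(POST)({"phase": phase, "x": x, "y": y})

if __name__ == "__main__":
    print("max3 wp matches x != y or z >= x:", max3_matches_closed_form())
    print("invariant, t-bounded, t-decreasing:", invariant_holds(), t_bounded(), t_decreasing())
    print("from phase, x, y := 0, 10, 10:", loop_establishes_post(0, 10, 10))
    print("from phase, x, y := 1, 10, 10 (P fails initially):", loop_establishes_post(1, 10, 10))
```

Starting the loop from phase = 1, x = y = 10 is the instructive failure: the invariant P does not hold in that state (y − x = 0 ≠ 1), the loop still terminates within the bound, but it stops in phase = 1 with x = y = 0, so the postcondition is not established and wp(DO, phase = x = y = 0) is false there. This is the situation the (do-invariant) theorem rules out by requiring P before the loop.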