Predicate transformer semantics


Predicate transformer semantics were introduced by Edsger Dijkstra in his seminal paper "Guarded commands, nondeterminacy and formal derivation of programs". They define the semantics of an imperative programming paradigm by assigning to each statement in this language a corresponding predicate transformer: a total function between two predicates on the state space of the statement. In this sense, predicate transformer semantics are a kind of denotational semantics. Actually, in guarded commands, Dijkstra uses only one kind of predicate transformer: the well-known weakest preconditions.
Moreover, predicate transformer semantics are a reformulation of Floyd–Hoare logic. Whereas Hoare logic is presented as a deductive system, predicate transformer semantics are complete strategies to build valid deductions of Hoare logic. In other words, they provide an effective algorithm to reduce the problem of verifying a Hoare triple to the problem of proving a first-order formula. Technically, predicate transformer semantics perform a kind of symbolic execution of statements into predicates: execution runs backward in the case of weakest-preconditions, or runs forward in the case of strongest-postconditions.

Weakest preconditions

Definition

For a statement S and a postcondition R, a weakest precondition is a predicate Q such that for any precondition, if and only if. Uniqueness follows easily from the definition: If both Q and Q' are weakest preconditions, then by the definition so and so, and thus. Denote by the weakest precondition for statement S and postcondition R.

Skip

Abort

Assignment

We give below two equivalent weakest-preconditions for the assignment statement. In these formulas, is a copy of R where free occurrences of x are replaced by E. Hence, here, expression E is implicitly coerced into a valid term of the underlying logic: it is thus a pure expression, totally defined, terminating and without side effect.
The first version avoids a potential duplication of E in R, whereas the second version is simpler when there is at most a single occurrence of x in R. The first version also reveals a deep duality between weakest-precondition and strongest-postcondition.
An example of a valid calculation of wp for assignments with integer valued variable x is:
This means that in order for the postcondition x > 10 to be true after the assignment, the precondition x > 15 must be true before the assignment. This is also the "weakest precondition", in that it is the "weakest" restriction on the value of x which makes x > 10 true after the assignment.

Sequence

For example,

Conditional

As example:

While loop

Partial Correctness

Ignoring termination for a moment, we can define the rule for the weakest liberal precondition, denoted wlp, using a predicate I, called the loop invariant, typically supplied by the programmer:
This simply states that the invariant must hold at the start of the loop; additionally, for any initial state y, the invariant and guard taken together be strong enough to establish the weakest precondition necessary for the loop body to be able to re-establish the invariant; finally, if and when the loop terminates in a given state y, the fact that the loop guard is false along with the invariant should be able to establish the required postcondition.

Total Correctness

To show total correctness, we also have to show that the loop terminates. For this we define a well-founded relation on the state space denoted "<" and called loop variant. Hence, we have:
Informally, in the above conjunction of three formulas:
In predicate transformers semantics, invariant and variant are built by mimicking the Kleene fixed-point theorem. Below, this construction is sketched in set theory. We assume that U is a set denoting the state space. First, we define a family of subsets of U denoted by induction over natural number k. Informally represents the set of initial states that makes R satisfied after less than k iterations of the loop:
Then, we define:
With these definitions, reduces to formula.
However, in practice, such an abstract construction cannot be handled efficiently by theorem provers. Hence, loop invariants and variants are provided by human users, or are inferred by some abstract interpretation procedure.

Non-deterministic guarded commands

Actually, Dijkstra's Guarded Command Language is an extension of the simple imperative language given until here with non-deterministic statements. Indeed, GCL aims to be a formal notation to define algorithms. Non-deterministic statements represent choices left to the actual implementation : properties proved on non-deterministic statements are ensured for all possible choices of implementation. In other words, weakest-preconditions of non-deterministic statements ensure
Notice that the definitions of weakest-precondition given above preserve this property.

Selection

Selection is a generalization of if statement:
Here, when two guards and are simultaneously true, then execution of this statement can run any of the associated statement or.

Repetition

Repetition is a generalization of while statement in a similar way.

Specification statement (or weakest-precondition of procedure call)

extends non-deterministic statements with the notion of specification statement. Informally, this statement represents a procedure call in black box, where the body of the procedure is not known. Typically, using a syntax close to B-Method, a specification statement is written
where
The weakest-precondition of specification statement is given by:
Moreover, a statement S implements such a specification statement if and only if the following predicate is a tautology:
Indeed, in such a case, the following property is ensured for all postcondition R :
Informally, this last property ensures that any proof about some statement involving a specification remains valid
when replacing this specification by any of its implementations.

Other predicate transformers

Weakest liberal precondition

An important variant of the weakest precondition is the weakest liberal precondition
, which yields the weakest condition under which S either does not terminate or establishes R. It therefore differs from wp in not guaranteeing termination. Hence it corresponds to Hoare logic in partial correctness: for the statement language given above, wlp differs with wp only on while-loop, in not requiring a variant.

Strongest postcondition

Given S a statement and R a precondition, then
is their strongest-postcondition: it implies any postcondition satisfied by the final state of any execution of S,
for any initial state satisfying R. In other words, a Hoare triple is provable in Hoare logic if and only if the predicate below hold:
Usually, strongest-postconditions are used in partial correctness.
Hence, we have the following relation between weakest-liberal-preconditions and strongest-postconditions:
For example, on assignment we have:
Above, the logical variable y represents the initial value of variable x.
Hence,
On sequence, it appears that sp runs forward :

Win and sin predicate transformers

has suggested win and sin as predicate transformers for concurrent programming.

Predicate transformers properties

This section presents some characteristic properties of predicate transformers. Below, T denotes a predicate transformer and P a predicate. For instance, T may denote wp or sp. We keep x as the variable of the state space.

Monotonic

Predicate transformers of interest are monotonic. A predicate transformer T is monotonic if and only if:
This property is related to the consequence rule of Hoare logic.

Strict

A predicate transformer T is strict iff:
For instance, wp is strict, whereas wlp is generally not. In particular, if statement S may not terminate then
is satisfiable. We have
Indeed, true is a valid invariant of that loop.

Terminating

A predicate transformer T is terminating iff:
Actually, this terminology makes sense only for strict predicate transformers: indeed, is the weakest-precondition ensuring termination of S.
It seems that naming this property non-aborting would be more appropriate: in total correctness, non-termination is abortion, whereas in partial correctness, it is not.

Conjunctive

A predicate transformer T is conjunctive iff:
This is the case for, even if statement S is non-deterministic as a selection statement or a specification statement.

Disjunctive

A predicate transformer T is disjunctive iff:
This is generally not the case of when S is non-deterministic. Indeed, consider a non-deterministic statement S choosing an arbitrary boolean. This statement is given here as the following selection statement:
Then, reduces to the formula.
Hence, reduces to the tautology
Whereas, the formula
reduces to the wrong proposition.
The same counter-example can be reproduced using a specification statement instead:

Applications

Weakest-preconditions and strongest-postconditions of imperative expressions

In predicate transformers semantics, expressions are restricted to terms of the logic. However, this restriction seems too strong for most existing programming languages, where expressions may have side effects, may not terminate or abort. There are many proposals to extend weakest-preconditions or strongest-postconditions for imperative expression languages and in particular for monads.
Among them, Hoare Type Theory combines Hoare logic for a Haskell-like language, separation logic and type theory.
This system is currently implemented as a Coq library called Ynot. In this language, evaluation of expressions corresponds to computations of strongest-postconditions.

Probabilistic Predicate Transformers

Probabilistic Predicate Transformers are an extension of predicate transformers for probabilistic programs.
Indeed, such programs have many applications in cryptography,
distributed systems.