CS 641 Lecture -*- Outline -*-

* Predicate Transformers (Chapter 11)

We now return to the study of contracts, and ascend the final level to
predicate transformers. This chapter essentially works with the basic
definitions, and doesn't so much study refinement itself (which is the
subject of chapter 13).

** satisfying contracts (11.1)

Recall that s {| S |} q means our agent can follow contract S and
establish q, started in state s.

------------------------------------------
SATISFYING CONTRACTS (11.1)

Language of contracts

    S ::= <f> | {g} | [g] | S1 \join S2 | S1 \meet S2 | S1;S2

Let s be a state, q a predicate.

When should s {| S |} q hold for these?
------------------------------------------

justify the following based on the intuition given on page 188 ...

    s {| <f> |} q == f.s \in q
    s {| {g} |} q == s \in g \intersect q
    s {| [g] |} q == s \in !g \union q
    s {| S1 \join S2 |} q == (s {| S1 |} q) \/ (s {| S2 |} q)
    s {| S1 \meet S2 |} q == (s {| S1 |} q) /\ (s {| S2 |} q)
    s {| S1 ; S2 |} q == (\exists q' :: (s {| S1 |} q')
                              /\ (\forall s' : q'.s' : s' {| S2 |} q))

Q: When is s {| |} (x == 3) ?
Q: When is s {| |} (x == 3) ?
Q: When is s {| |} (x >= 3) ?
Q: When is s {| {x >= 3} |} (x >= 3) ?
Q: When is s {| {x >= 3} |} (x >= 4) ?
Q: When is s {| {x >= 4} |} (x >= 3) ?
Q: When is s {| [x >= 4] |} (x >= 3) ?
Q: When is s {| [x >= 3] |} (x >= 4) ?
Q: When is s {| [x >= 3]; |} (x >= 4) ?
Q: When is s {| {x >= 3}; |} (x >= 4) ?
Q: When is s {| {x >= 3} \join |} (x >= 4) ?
Q: When is s {| [x >= 3] \join |} (x >= 4) ?
Q: When is s {| {x >= 3} \meet |} (x >= 4) ?
Q: When is s {| [x >= 3] \meet |} (x >= 4) ?

Q: What sets do these define? That is, what predicate is determined by
   each? This is what we'll investigate below...

** weakest preconditions

------------------------------------------
WEAKEST PRECONDITIONS

Definition: let S be a contract, and let q be a predicate.
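The sets the last question asks about, computed by brute force on a small model. This is an added example, not part of the lecture notes or of the book they follow: a state is the value of x over the constructed range 0..7, a predicate is a set of such states, `sat` transcribes the six satisfaction rules above, and `wp_by_sat` collects {s | s {| S |} q} for each shape of question (the set that the weakest-precondition section names wp.S.q). The functional updates `<x := 3>` and `<x := 7 - x>` are this example's own assumptions, since the notes' instances of `<f>` did not survive extraction; 7 - x is used instead of x + 1 so that every update stays inside the modelled range. The same sets are also computed compositionally (`wp_by_rules`, one equation per constructor), and `rules_agree_with_satisfaction` checks that the exists/forall rule for S1 ; S2 and the compositional rule agree on every one of the 256 postconditions.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet, Iterator

# Constructed model: a state is the value of x, drawn from 0..7, and a
# predicate is the set of states in which it holds.
STATES: FrozenSet[int] = frozenset(range(8))
Pred = FrozenSet[int]

def pred(test: Callable[[int], bool]) -> Pred:
    return frozenset(s for s in STATES if test(s))

# Contract syntax:  S ::= <f> | {g} | [g] | S1 \join S2 | S1 \meet S2 | S1 ; S2
@dataclass(frozen=True)
class Update:            # <f>: functional update, f total on STATES
    f: Callable[[int], int]
@dataclass(frozen=True)
class Assert:            # {g}: our agent breaches the contract if g fails
    g: Pred
@dataclass(frozen=True)
class Assume:            # [g]: the other agent breaches it if g fails
    g: Pred
@dataclass(frozen=True)
class Join:              # S1 \join S2: our agent chooses the branch
    s1: object; s2: object
@dataclass(frozen=True)
class Meet:              # S1 \meet S2: the other agent chooses the branch
    s1: object; s2: object
@dataclass(frozen=True)
class Seq:               # S1 ; S2
    s1: object; s2: object

def subsets(p: Pred) -> Iterator[Pred]:
    """Every subset of p (all 256 predicates when p = STATES)."""
    items = sorted(p)
    for r in range(len(items) + 1):
        for c in combinations(items, r):
            yield frozenset(c)

def sat(s: int, S, q: Pred) -> bool:
    """s {| S |} q, transcribed clause by clause from the rules above."""
    if isinstance(S, Update):
        return S.f(s) in q
    if isinstance(S, Assert):
        return s in (S.g & q)
    if isinstance(S, Assume):
        return s in ((STATES - S.g) | q)
    if isinstance(S, Join):
        return sat(s, S.s1, q) or sat(s, S.s2, q)
    if isinstance(S, Meet):
        return sat(s, S.s1, q) and sat(s, S.s2, q)
    if isinstance(S, Seq):
        # exists q' :: s {|S1|} q'  /\  forall s' in q' :: s' {|S2|} q.
        # The second conjunct confines q' to {s' | s' {|S2|} q}, so the
        # subsets of that set are exactly the candidates to try.
        reach = frozenset(sp for sp in STATES if sat(sp, S.s2, q))
        return any(sat(s, S.s1, qp) for qp in subsets(reach))
    raise TypeError(f"not a contract: {S!r}")

def wp_by_sat(S, q: Pred) -> Pred:
    """{s | s {| S |} q}: the set each question above is asking for."""
    return frozenset(s for s in STATES if sat(s, S, q))

def wp_by_rules(S, q: Pred) -> Pred:
    """The same set computed compositionally, one equation per constructor."""
    if isinstance(S, Update):
        return frozenset(s for s in STATES if S.f(s) in q)      # f^{-1}.q
    if isinstance(S, Assert):
        return S.g & q
    if isinstance(S, Assume):
        return (STATES - S.g) | q
    if isinstance(S, Join):
        return wp_by_rules(S.s1, q) | wp_by_rules(S.s2, q)
    if isinstance(S, Meet):
        return wp_by_rules(S.s1, q) & wp_by_rules(S.s2, q)
    if isinstance(S, Seq):
        return wp_by_rules(S.s1, wp_by_rules(S.s2, q))
    raise TypeError(f"not a contract: {S!r}")

# Constructed instances of the questions.  The updates <x := 3> and
# <x := 7 - x> are this example's own assumption, chosen to be total on 0..7.
SET3, FLIP = Update(lambda x: 3), Update(lambda x: 7 - x)
GE3, GE4, EQ3 = pred(lambda x: x >= 3), pred(lambda x: x >= 4), pred(lambda x: x == 3)
QUESTIONS = {
    "<x := 3> | x == 3":                 (SET3, EQ3),
    "<x := 7-x> | x >= 3":               (FLIP, GE3),
    "{x >= 3} | x >= 3":                 (Assert(GE3), GE3),
    "{x >= 3} | x >= 4":                 (Assert(GE3), GE4),
    "{x >= 4} | x >= 3":                 (Assert(GE4), GE3),
    "[x >= 4] | x >= 3":                 (Assume(GE4), GE3),
    "[x >= 3] | x >= 4":                 (Assume(GE3), GE4),
    "[x >= 3]; <x := 7-x> | x >= 4":     (Seq(Assume(GE3), FLIP), GE4),
    "{x >= 3}; <x := 7-x> | x >= 4":     (Seq(Assert(GE3), FLIP), GE4),
    "{x >= 3} join <x := 7-x> | x >= 4": (Join(Assert(GE3), FLIP), GE4),
    "[x >= 3] join <x := 7-x> | x >= 4": (Join(Assume(GE3), FLIP), GE4),
    "{x >= 3} meet <x := 7-x> | x >= 4": (Meet(Assert(GE3), FLIP), GE4),
    "[x >= 3] meet <x := 7-x> | x >= 4": (Meet(Assume(GE3), FLIP), GE4),
}

def answers() -> dict:
    """Each question's answer: the starting states s with s {| S |} q."""
    return {k: sorted(wp_by_sat(S, q)) for k, (S, q) in QUESTIONS.items()}

def rules_agree_with_satisfaction(S) -> bool:
    """wp_by_rules == wp_by_sat for every one of the 256 postconditions."""
    return all(wp_by_rules(S, q) == wp_by_sat(S, q) for q in subsets(STATES))
```

Reading the answers back against the rules: an assertion {g} shrinks the set of good starting states to g (the agent has to make g true as well), while an assumption [g] adds the states outside g (there the other agent breaches, so we win by default); for S1 ; S2 the compositional rule picks q' = {s' | s' {| S2 |} q}, which is the only candidate the exists/forall form ever needs because satisfaction is monotonic in the postcondition for every constructor of this language.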
Then the weakest precondition following S to establish q, wp.S.q is

           ^
    wp.S.q = {s | s {| S |} q}

wp.S is a predicate transformer, since wp: P(\Sigma) -> P(\Sigma)

    wp.<f>.q == f^{-1}.q
    wp.{g}.q == g \intersect q
    wp.[g].q == !g \union q
    wp.(S1 \join S2).q == wp.S1.q \/ wp.S2.q
    wp.(S1 \meet S2).q == wp.S1.q /\ wp.S2.q
    wp.(S1 ; S2).q == wp.S1.(wp.S2.q)
------------------------------------------

Q: In what sense is this the weakest?

Q: How would you express s {| S |} q using wp?

    s {| S |} q == wp.S.q.s

Q: What is wp..(x == 3) ?
Q: What is wp..(x == 3) ?
Q: What is wp..(x >= 3) ?
Q: What is wp.{x >= 3}.(x >= 3) ?
Q: What is wp.{x >= 3}.(x >= 4) ?
Q: What is wp.{x >= 4}.(x >= 3) ?
Q: What is wp.[x >= 4].(x >= 3) ?
Q: What is wp.[x >= 3].(x >= 4) ?
Q: What is wp.([x >= 3]; ).(x >= 4) ?
Q: What is wp.({x >= 3}; ).(x >= 4) ?
Q: What is wp.({x >= 3} \join ).(x >= 4) ?
Q: What is wp.([x >= 3] \join ).(x >= 4) ?
Q: What is wp.({x >= 3} \meet ).(x >= 4) ?
Q: What is wp.([x >= 3] \meet ).(x >= 4) ?

** Predicate Transformers (11.2)

wp.S is different for each S, and there are other transformers (wlp, ...),
so it's good to look at the type of all of them on its own, and at its
lattice properties...

------------------------------------------
PREDICATE TRANSFORMERS (11.2)

Definition: The set of *predicate transformers* from S to G is

              ^
    (S |-> G) = P(G) -> P(S) .

Examples:
    wp.skip
    wp.begin
    wp.(x := x+1)
    wlp.(x := x+1)
------------------------------------------

Q: Why is the map backwards like that, starting with P(G)?

    Because it maps postconditions to preconditions.

    Because we want to treat this uniformly like state transformers,
    where G is the final state space.

*** predicate transformer lattice

------------------------------------------
PREDICATE TRANSFORMER LATTICE

Definition: Let wg.C1, wg.C2 \in S |-> G. Then

                           ^
    wg.C1 \refinedby wg.C2 = (\forall q \in P(G) :: wg.C1.q \subseteq wg.C2.q)
------------------------------------------

Q: Is (S |-> G, \refinedby) a lattice? Complete? Boolean?
    Yes, because P(S) is, by the pointwise extension property.

------------------------------------------
LATTICE CONSTANTS AND OPERATIONS

    abort.q == false                          (\bot of p.t.)
    magic.q == true                           (\top of p.t.)
    (!(wg.C)).q == !(wg.C.q)                  (! of p.t.)
    (wg.C1 \meet wg.C2).q ==                  (\meet of p.t.)
            wg.C1.q \intersect wg.C2.q
    (wg.C1 \join wg.C2).q ==                  (\join of p.t.)
            wg.C1.q \union wg.C2.q
------------------------------------------

Q: So what is (!wp.(x := 3)).(x == 3) ?
Q: What is wp.({x == 3}; x := x+1) \join wp.(x := x) ?
Q: What is wp.(x := x+1) \join wp.skip ?
Q: What is wp.(x := x+1) \meet wp.skip ?
Q: What is wp.(x := x+1) \join wp.(x := x+2) ?
Q: What is wp.(x := x+1) \meet wp.(x := x+2) ?

Q: How would you define implication and equivalence of predicate
   transformers?

    Simple pointwise extension.

Q: Is there any difference between implication of predicate
   transformers and refinement?

    No, so in this case Rick Hehner uses a giant implication sign...

Q: What other operations would we want on a complete lattice?

    Meet and join over arbitrary sets of predicate transformers

*** predicate transformer category

------------------------------------------
PREDICATE TRANSFORMER CATEGORY

Definition: a predicate transformer category has types as objects
and predicate transformers as morphisms.

    1 == skip                                 (1 of p.t.)
    wg.C1; wg.C2 == wg.C1 o wg.C2             (; of p.t.)

E.g., Ptran_X(S,G) == S |-> G where S, G \in X
------------------------------------------

Notice that this composition is backward, unlike what we used in other
categories (state transformers and state relations)

Q: Why is composition backwards function composition?

    Because predicate transformers are backwards:
    if we have wg.C1 : S |-> G and wg.C2 : G |-> H,
    then wg.C1 : P(G) -> P(S) and wg.C2 : P(H) -> P(G),
    so wg.C1 o wg.C2 : P(H) -> P(S)

Q: what are the properties that the unit must satisfy?

Q: why is composition associative?
    Because composition of functions is associative, and predicate
    transformers are functions (composed backwards)

Q: What does it mean for a predicate transformer to be monotonic?

    wg.C is monotonic iff for all predicates p and q,
        p \subseteq q ==> wg.C.p \subseteq wg.C.q

Q: Is wp.skip monotonic? wp.(x := e)? wp.[false]?

    yes, yes, yes

    (iii) if p \subseteq q, then
        wp.[false].p == !false \union p == true \union p == true
        wp.[false].q == !false \union q == true \union q == true

    But negation as a predicate transformer itself is not monotonic,
    although it seems like all the wp stuff is monotonic

Q: Is composition monotonic?

    Yes in its first argument, but not, in general, in the second

    wg.C1 \refinedby wg.C1' ==> wg.C1 ; wg.C2 \refinedby wg.C1' ; wg.C2

    because for all q we have:

    wg.C1 \refinedby wg.C1'
    |-   (wg.C1 o wg.C2).q
       == { def }
         wg.C1.(wg.C2.q)
       ==> { assumption, def of \refinedby }
         wg.C1'.(wg.C2.q)
       == { def }
         (wg.C1' o wg.C2).q

    But monotonicity in the second argument doesn't follow, because
    some predicate transformers are not monotonic

Theorem 11.1. Ptran_X is a left complete Boolean lattice-enriched category.

------------------------------------------
DISTRIBUTIVITY LAWS

From the right, also for lattice operations:

    magic; T == magic
    abort; T == abort
    (!S); T == !(S;T)
    (S1 \meet S2); T == (S1;T) \meet (S2;T)
    (S1 \join S2); T == (S1;T) \join (S2;T)
------------------------------------------

Q: How would you generalize these last two?
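An added example, not from the notes or the book, that takes the definition of 11.2 literally: a predicate transformer is a Python function P(Sigma) -> P(Sigma) over the constructed state space x in 0..7, and the lattice, category, monotonicity and distributivity claims above are checked by exhaustive evaluation over all 256 predicates. The concrete transformers (skip, abort, magic, wp of an assertion and an assumption, and wp of the total assignments x := 3 and x := 7 - x, standing in for the notes' x := x+1 so that nothing leaves the modelled range) are this example's choices. `composition_not_monotone_in_second_arg` exhibits the failure the notes mention, using !skip as the non-monotonic first component; the last check goes one step beyond the box and verifies the natural generalisation of the last two laws to meets and joins over an arbitrary family.

```python
from itertools import combinations
from typing import Callable, FrozenSet, Iterable

# Constructed model: a state is the value of x in 0..7; a predicate is the
# set of states where it holds; a predicate transformer maps P(Sigma) -> P(Sigma).
STATES: FrozenSet[int] = frozenset(range(8))
Pred = FrozenSet[int]
PT = Callable[[Pred], Pred]

def pred(test: Callable[[int], bool]) -> Pred:
    return frozenset(s for s in STATES if test(s))

ALL_PREDS = [frozenset(c) for r in range(9) for c in combinations(range(8), r)]  # P(Sigma)

# wp of the basic contracts, as functions.  The assignments used below
# (x := 3, x := 7 - x) are this example's choice: both are total on 0..7.
def wp_assign(f: Callable[[int], int]) -> PT:
    return lambda q: frozenset(s for s in STATES if f(s) in q)   # f^{-1}.q
def wp_assert(g: Pred) -> PT:
    return lambda q: g & q                                        # g /\ q
def wp_assume(g: Pred) -> PT:
    return lambda q: (STATES - g) | q                             # !g \/ q

skip: PT = lambda q: q
abort: PT = lambda q: frozenset()          # bottom: abort.q == false
magic: PT = lambda q: STATES               # top:    magic.q == true

# Lattice operations are pointwise on the result predicate.
def neg(S: PT) -> PT:           return lambda q: STATES - S(q)
def meet(S: PT, T: PT) -> PT:   return lambda q: S(q) & T(q)
def join(S: PT, T: PT) -> PT:   return lambda q: S(q) | T(q)
def big_meet(Ss: Iterable[PT]) -> PT:      # meet over an arbitrary family
    Ss = list(Ss)
    return lambda q: STATES.intersection(*(S(q) for S in Ss))
def big_join(Ss: Iterable[PT]) -> PT:      # join over an arbitrary family
    Ss = list(Ss)
    return lambda q: frozenset().union(*(S(q) for S in Ss))

# Category: composition is backwards function composition, the unit is skip.
def seq(S: PT, T: PT) -> PT:    return lambda q: S(T(q))

def refines(S: PT, T: PT) -> bool:
    """S \\refinedby T: S.q \\subseteq T.q for every postcondition q."""
    return all(S(q) <= T(q) for q in ALL_PREDS)
def equal(S: PT, T: PT) -> bool:
    return all(S(q) == T(q) for q in ALL_PREDS)
def monotonic(S: PT) -> bool:
    return all(S(p) <= S(q) for p in ALL_PREDS for q in ALL_PREDS if p <= q)

GE3, GE4, EQ3 = pred(lambda x: x >= 3), pred(lambda x: x >= 4), pred(lambda x: x == 3)
set3, flip = wp_assign(lambda x: 3), wp_assign(lambda x: 7 - x)
FAMILY = [skip, abort, magic, set3, flip, wp_assert(GE3), wp_assume(GE4)]

def negated_set3_on_eq3() -> Pred:
    """(!wp.(x := 3)).(x == 3): wp.(x := 3).(x == 3) holds everywhere, so this is false."""
    return neg(set3)(EQ3)

def lattice_facts() -> bool:
    """abort/magic are the extremes, meet/join are bounds, {g} refines skip refines [g]."""
    return (all(refines(abort, S) and refines(S, magic) for S in FAMILY)
            and all(refines(meet(S, T), S) and refines(S, join(S, T))
                    for S in FAMILY for T in FAMILY)
            and refines(wp_assert(GE3), skip) and refines(skip, wp_assume(GE3)))

def monotonicity_facts() -> bool:
    """wp.skip, wp.(x := e) and wp.[false] are monotonic; negation (here !skip) is not."""
    return (monotonic(skip) and monotonic(flip) and monotonic(wp_assume(frozenset()))
            and not monotonic(neg(skip)))

def composition_monotone_in_first_arg() -> bool:
    return all(not refines(S1, S2) or refines(seq(S1, T), seq(S2, T))
               for S1 in FAMILY for S2 in FAMILY for T in FAMILY)

def composition_not_monotone_in_second_arg() -> bool:
    """abort \\refinedby magic, yet (!skip);abort (== magic) is not refined by (!skip);magic (== abort)."""
    S = neg(skip)
    return refines(abort, magic) and not refines(seq(S, abort), seq(S, magic))

def right_distributivity_holds() -> bool:
    """The five laws in the box, plus their generalisation to arbitrary meets and joins."""
    T, S1, S2 = flip, wp_assert(GE3), wp_assume(GE4)
    return (equal(seq(magic, T), magic) and equal(seq(abort, T), abort)
            and equal(seq(neg(S1), T), neg(seq(S1, T)))
            and equal(seq(meet(S1, S2), T), meet(seq(S1, T), seq(S2, T)))
            and equal(seq(join(S1, S2), T), join(seq(S1, T), seq(S2, T)))
            and equal(seq(big_meet(FAMILY), T), big_meet(seq(S, T) for S in FAMILY))
            and equal(seq(big_join(FAMILY), T), big_join(seq(S, T) for S in FAMILY)))
```

The right-distributivity laws hold for every S and T because (S; T).q is S applied to the single predicate T.q, so whatever the lattice operation does to S's result it does to (S; T)'s result as well; the same argument gives the generalised forms (\meet_i S_i); T == \meet_i (S_i; T) and (\join_i S_i); T == \join_i (S_i; T) that the last question is after. Distributing from the left is a different matter: it is exactly where monotonicity of the first component is needed, which is why the second-argument counterexample uses !skip.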