- Email: [email protected]
Varieties of weakest liberal preconditions
Information Processing Letters 25 (1987) 207-210 North-Holland
29 May 1987
VARIETIES OF WEAKEST LIBERAL PRECONDITIONS Joseph M. MORRIS Department of Computer Science, University College Dublin, Belfiela~ Dublin 4, lreland Communicated by E.C.R. Hehner Received 15 April 1986 Revised 2 September 1986
Keywords: Weakest precondition, weakest liberal precondition, abort, robustness
The semantics of programs may be defined by so-called 'predicate transformers' [2], one such class being the 'weakest precondition' transformer wp(s, R), with s a program and R a predicate defined on the state space of s. Let IX] stand for predicate X universally quantified over the state space; for example, if the program in question has just one variable--x of type integer, say--then [X] is (Vx)(x ~ Z ) : X . wp(s, R) is defined such that [P =* wp(s, R)] has the interpretation: "s executed in a state satisfying P is guaranteed to terminate in a state satisfying R", for all predicates P, R. Letting IF stand for ifbo--'so~bl--'sll]
"'" 0 b , , - - ' s ~ f i
and bb for (3i)(0 ~ i ~
(see, e.g., [4]): wlp(abort, R) - true, wlp(skip, R) - R , wlp(x "= e, R) - Dora(e) ~ R x, wlp(s ; t, R) -- wlp(s, wlp(t, R)), wlp(IF, R) = (Vi)(0 ~
abort
wlp(ahort, R)
0 1 2
loop
true
chaos break
IRI false
3
skoop
R
29 May 1987
The left colunm indexes the candidates, the middle column names them, and the fight column defines them (in each case, of course, wp(abort, R) = f a l s e ) . We offer the following intuitive guide to these statements, loop has already been explained. chaos is a mechanism that behaves arbitrarily; it is equivalent to loop U chance where chance, like a roulette wheel, is a mechanism that terminates in some unpredictable state, i.e., it satisfies wp(chance, R) - wlp(chance, R) - [ R ] . break may be thought of as a mechanism that always breaks, and skoop is skip td loop. Corresponding to the definition we chose for abort, we arrive at a different definition of wlp(s, R) for any statement s. Let us denote by w l p i , 0 ~
and applying the same intuition with which we construct the standard wlp(IF, R). Hence, we get wlp~(IF, R) -
([r]
or b b ) a n d
((Vi)(0 ~
(0¢iX0 < i ~
((Vi)(0 ~
208
Volume25, Number 3
INFORMATION PROCESSING LETrERS
signment does not abort. Finally, for each i, wlpi (skip, R) = R and wlpi(s ;t, R) - wlpi(s, wlpi(t, R ) ) . We calculate, for example, wlpl(EX, y - 0 )
- WlpE(EX, y = 0 )
=x=0orx=2orx=3, wlp3 (EX, y = 0) = x = 0 or x = 2 or x = 3 or (y = 0 and (x < 0 o r x > 6 ) )
,
wlpl(EX, t r u e ) = wlp3(EX, true) =- t r u e , wlp2 (EX, true) = x >1 0 and x <~ 6 . The standard weakest liberal preconditions satisfy the following laws: (A): wp(s, R) -= wp(s, true) and wlp(s, R), (B): wlp(s, Q) and wlp(s, R)
- wlp(s, Q and R ) , (C): wlp(s, true) =- t r u e , for all statements s and predicates Q, R. We leave it to the reader to confirm (by structural induction on the grammar of the language) that laws (A) and (B) are preserved when wlp(s, R) is replaced by each of the above three alternatives. Law (C), however, is not obeyed by wlp2, as wlp2(EX, true) shows. Of the four wlp's, wlpo, the standard, is the simplest, while wlpl, which equates abort with chaos, is perhaps more intuitively appealing. Equating abort with break, which wlp2 does, is not attractive: not only do we lose law (C), but also the appealing intuitive interpretation of wlp(s, R) given in the second paragraph above, wlp3 has little intuitive appeal and no apparent theoretical advantage over wlp0 or Wlpl. Among wlp0 and wlp~, wlpl has the simpler implementation because it allows arbitrary behaviour of a program that aborts, whereas the standard wlp obliges an implementation to fail to terminate. An implementation without subscript checking, for example, does not implement standard wlp semantics. Retaining an interest in wlp0 and wlpl only, it
29 May 1987
will be instructive to consider the property of program robustness, which is concerned with the behaviour of a program when used in unintended ways. We focus on a program s satisfying [P = wp(s, R)] for given predicates P, R. Informally, s is said to be 'robust' if, when executed, accidentally or maliciously, with P false it will not mislead us by delivering some answer not satisfying R. More precisely, let us define: s is robust (with respect to postcondition R ) - [wlp(s, R)]; the reader is invited to convince bim-/herself that this definition captures the intention, whether wlp is wlp0 or wlpl. (We note, however, that other definitions are possible. According to [4], s is robust (with respect to precondition P) iff [wp(s, t r u e ) ~ P], while, in [1], s is robust if [wp(s, true)]. Both these definitions admit the possibility of robust s establishing not R which seems unattractive--hence the definition proposed above. We could also have taken the definition [P or wlp(s, false)l, which obliges s to fail to terminate when executed with initially P false, but that seems needlessly strong.) The more expensive implementation of wlp0 has the payoff of making it easier to write a robust program, for we can show (by a routine induction on the structure of statements) that [wlpl(s, R)] =* [wlp0(s, R)] whereas the converse does not hold. Assume, for example, that a robust program which when executed with x = 0 establishes x = 1 is required, and we offer if x = 0 ~ x := 1 ft. This solution is robust according to the standard wlp semantics for then it cannot deliver any result other than x = 1. It is not robust according to the wlpl semantics for it would then be free to establish x = 2, say, when executed in a state satisfying x 4: 0. We must enter a caveat, however. Predicate transformer semantics as constituted in [2] cannot distinguish between do true ~ skip o¢1
and t ; do true ~ skip od for t any statement, and hence the second of these programs is also equivalent to abort in the standard wlp semantics. This could be exploited by an implementation based on the standard wlp semantics to create the appearance of proper 209
Volume 25, Number 3
INFORMATION PROCESSING LETrERS
termination of s when in fact s, which we assume to be robust, has been misused and is aborting; for example, t might be a statement which prints a result, but--ulabeknownst to the user, possibly-an incorrect one. In summary, we have first shown that weakest liberal preconditions are useful in specifying program behaviour, and second that they can be defined in several ways. The standard wlp semantics, which equates abort with loop, indeed turns out to be the most attractive, while equating abort with chaos also leads to a reasonable wlp, one that is cheaper to implement, and probably the one that is more frequently implemented.
210
29 May 1987
Acknowledgment I appreciate the critical comments of Hugh Gibbons, Donal Roantree, Tony Mullins, and an anonymous referee.
References [1] F. Cristian, Correct and robust programs, Tech. Rept. 183, Computing Lab., Univ. of Newcastle upon Tyne, 1983. [2] E.W. Dijkstra, A Discipline of Programming (Prentice-Hall, Englewood Cliffs, NJ, 1976). [3] D. Giles, The Science of Programming (Springer, Berlin/ New York, 1981). [4] E.C.R. Hehner, The Logic of Programming (Prentice-Hall, Englewood Cliffs, NJ, 1984).
29 May 1987
VARIETIES OF WEAKEST LIBERAL PRECONDITIONS Joseph M. MORRIS Department of Computer Science, University College Dublin, Belfiela~ Dublin 4, lreland Communicated by E.C.R. Hehner Received 15 April 1986 Revised 2 September 1986
Keywords: Weakest precondition, weakest liberal precondition, abort, robustness
The semantics of programs may be defined by so-called 'predicate transformers' [2], one such class being the 'weakest precondition' transformer wp(s, R), with s a program and R a predicate defined on the state space of s. Let IX] stand for predicate X universally quantified over the state space; for example, if the program in question has just one variable--x of type integer, say--then [X] is (Vx)(x ~ Z ) : X . wp(s, R) is defined such that [P =* wp(s, R)] has the interpretation: "s executed in a state satisfying P is guaranteed to terminate in a state satisfying R", for all predicates P, R. Letting IF stand for ifbo--'so~bl--'sll]
"'" 0 b , , - - ' s ~ f i
and bb for (3i)(0 ~ i ~
(see, e.g., [4]): wlp(abort, R) - true, wlp(skip, R) - R , wlp(x "= e, R) - Dora(e) ~ R x, wlp(s ; t, R) -- wlp(s, wlp(t, R)), wlp(IF, R) = (Vi)(0 ~
abort
wlp(ahort, R)
0 1 2
loop
true
chaos break
IRI false
3
skoop
R
29 May 1987
The left colunm indexes the candidates, the middle column names them, and the fight column defines them (in each case, of course, wp(abort, R) = f a l s e ) . We offer the following intuitive guide to these statements, loop has already been explained. chaos is a mechanism that behaves arbitrarily; it is equivalent to loop U chance where chance, like a roulette wheel, is a mechanism that terminates in some unpredictable state, i.e., it satisfies wp(chance, R) - wlp(chance, R) - [ R ] . break may be thought of as a mechanism that always breaks, and skoop is skip td loop. Corresponding to the definition we chose for abort, we arrive at a different definition of wlp(s, R) for any statement s. Let us denote by w l p i , 0 ~
and applying the same intuition with which we construct the standard wlp(IF, R). Hence, we get wlp~(IF, R) -
([r]
or b b ) a n d
((Vi)(0 ~
(0¢iX0 < i ~
((Vi)(0 ~
208
Volume25, Number 3
INFORMATION PROCESSING LETrERS
signment does not abort. Finally, for each i, wlpi (skip, R) = R and wlpi(s ;t, R) - wlpi(s, wlpi(t, R ) ) . We calculate, for example, wlpl(EX, y - 0 )
- WlpE(EX, y = 0 )
=x=0orx=2orx=3, wlp3 (EX, y = 0) = x = 0 or x = 2 or x = 3 or (y = 0 and (x < 0 o r x > 6 ) )
,
wlpl(EX, t r u e ) = wlp3(EX, true) =- t r u e , wlp2 (EX, true) = x >1 0 and x <~ 6 . The standard weakest liberal preconditions satisfy the following laws: (A): wp(s, R) -= wp(s, true) and wlp(s, R), (B): wlp(s, Q) and wlp(s, R)
- wlp(s, Q and R ) , (C): wlp(s, true) =- t r u e , for all statements s and predicates Q, R. We leave it to the reader to confirm (by structural induction on the grammar of the language) that laws (A) and (B) are preserved when wlp(s, R) is replaced by each of the above three alternatives. Law (C), however, is not obeyed by wlp2, as wlp2(EX, true) shows. Of the four wlp's, wlpo, the standard, is the simplest, while wlpl, which equates abort with chaos, is perhaps more intuitively appealing. Equating abort with break, which wlp2 does, is not attractive: not only do we lose law (C), but also the appealing intuitive interpretation of wlp(s, R) given in the second paragraph above, wlp3 has little intuitive appeal and no apparent theoretical advantage over wlp0 or Wlpl. Among wlp0 and wlp~, wlpl has the simpler implementation because it allows arbitrary behaviour of a program that aborts, whereas the standard wlp obliges an implementation to fail to terminate. An implementation without subscript checking, for example, does not implement standard wlp semantics. Retaining an interest in wlp0 and wlpl only, it
29 May 1987
will be instructive to consider the property of program robustness, which is concerned with the behaviour of a program when used in unintended ways. We focus on a program s satisfying [P = wp(s, R)] for given predicates P, R. Informally, s is said to be 'robust' if, when executed, accidentally or maliciously, with P false it will not mislead us by delivering some answer not satisfying R. More precisely, let us define: s is robust (with respect to postcondition R ) - [wlp(s, R)]; the reader is invited to convince bim-/herself that this definition captures the intention, whether wlp is wlp0 or wlpl. (We note, however, that other definitions are possible. According to [4], s is robust (with respect to precondition P) iff [wp(s, t r u e ) ~ P], while, in [1], s is robust if [wp(s, true)]. Both these definitions admit the possibility of robust s establishing not R which seems unattractive--hence the definition proposed above. We could also have taken the definition [P or wlp(s, false)l, which obliges s to fail to terminate when executed with initially P false, but that seems needlessly strong.) The more expensive implementation of wlp0 has the payoff of making it easier to write a robust program, for we can show (by a routine induction on the structure of statements) that [wlpl(s, R)] =* [wlp0(s, R)] whereas the converse does not hold. Assume, for example, that a robust program which when executed with x = 0 establishes x = 1 is required, and we offer if x = 0 ~ x := 1 ft. This solution is robust according to the standard wlp semantics for then it cannot deliver any result other than x = 1. It is not robust according to the wlpl semantics for it would then be free to establish x = 2, say, when executed in a state satisfying x 4: 0. We must enter a caveat, however. Predicate transformer semantics as constituted in [2] cannot distinguish between do true ~ skip o¢1
and t ; do true ~ skip od for t any statement, and hence the second of these programs is also equivalent to abort in the standard wlp semantics. This could be exploited by an implementation based on the standard wlp semantics to create the appearance of proper 209
Volume 25, Number 3
INFORMATION PROCESSING LETrERS
termination of s when in fact s, which we assume to be robust, has been misused and is aborting; for example, t might be a statement which prints a result, but--ulabeknownst to the user, possibly-an incorrect one. In summary, we have first shown that weakest liberal preconditions are useful in specifying program behaviour, and second that they can be defined in several ways. The standard wlp semantics, which equates abort with loop, indeed turns out to be the most attractive, while equating abort with chaos also leads to a reasonable wlp, one that is cheaper to implement, and probably the one that is more frequently implemented.
210
29 May 1987
Acknowledgment I appreciate the critical comments of Hugh Gibbons, Donal Roantree, Tony Mullins, and an anonymous referee.
References [1] F. Cristian, Correct and robust programs, Tech. Rept. 183, Computing Lab., Univ. of Newcastle upon Tyne, 1983. [2] E.W. Dijkstra, A Discipline of Programming (Prentice-Hall, Englewood Cliffs, NJ, 1976). [3] D. Giles, The Science of Programming (Springer, Berlin/ New York, 1981). [4] E.C.R. Hehner, The Logic of Programming (Prentice-Hall, Englewood Cliffs, NJ, 1984).