Predicate transformer semantics: Difference between revisions

'''Predicate transformer semantics''' is a reformulation of [[Floyd–Hoare logic]]. While [[Hoare logic]] was originally presented as a [[deductive system]], predicate transformer semantics (either by '''weakest-preconditions''' or by '''strongest-postconditions''' see below) give an effective [[algorithm]] to reduce the problem verifying a Hoare triple to the problem of proving a [[First-order logic | first-order formula]].

Predicate transformer semantics has been introduced by [[Edsger W. Dijkstra|Dijkstra]] in its seminal paper "[[Guarded_commands | Guarded commands, nondeterminacy and formal derivation of programs]]". It is a method for defining the semantics of an [[imperative programming]] language by assigning to each ''command'' in the language a corresponding ''predicate transformer''.: Aa ''predicate transformer'' is a [[total function]] mapping between two ''[[Predicate (mathematical logic)|predicates]]'' on the state space of a program. Actually, in [[Guarded commands]], Dijkstra uses only one kind of predicate transformers: the well-known '''weakest preconditionpreconditions''' (see below).

The canonical ''predicate transformer'' of sequential imperative programming is the so-called "'''weakest precondition'''" <math>wp(S, R)</math>. Here ''S'' denotes a list of ''commands'' and ''R'' denotes a predicate on the space, called the "[[postcondition]]". The result of applying this function gives the "weakest pre-condition" on the initial state for ''S'' terminating with ''R'' satisfied on the final state. As an example, we give below to equivalent definition of the assignment statement (in these formulas, <math>R[x \leftarrow E]</math> is a copy of ''R'' withwhere the[[ valueFree_variables_and_bound_variables| fresh occurrences]] of ''x'' are replaced by ''E''):

* version 1:
<math> wp(x := E, R)\ =\ \forall y, y = E \Rightarrow R[ y \leftarrow x]\ </math> where ''y'' is a fresh variable.

* version 2:
<math> wp(x := E, R)\ =\ R[x \leftarrow E] </math>

The first version avoids a potential duplication of ''E'' in ''R'', whereas the second version is simpler when there is at most a single occurrence of ''x'' in ''E''. The first version reveals also a deep duality between weakest-precondition and strongest-postcondition (see below) through the duality between quantifier <math>\forall</math> (resp. connector <math>\Rightarrow</math>) and <math>\exists</math> (resp. <math>\wedge</math>).