Punctuality, conjunctivity, and monotonicity

AB45


Lex Bijlsma

December, 1993

In this paper we study the relationships between three properties of predicate transformers that were defined in [3]. Many of the results, proofs, and examples that follow are not new; these are included in the interest of self-containedness.

1 Definitions

A predicate transformer f is called punctual [3, page 45] if, for all predicates x and y ,

    [(x ≡ y) ⇒ (f.x ≡ f.y)] .    (1)

A predicate transformer f is called (finitely) conjunctive [3, page 87] if, for all predicates x and y ,

    [f.(x ∧ y) ≡ f.x ∧ f.y] .    (2)

A predicate transformer f is called monotonic [3, page 82] if, for all predicates x and y ,

    [x ⇒ y] ⇒ [f.x ⇒ f.y] .    (3)

2 Conjunctivity implies monotonicity

The most obvious connection between the above concepts is the following fact.

Theorem 1 [3, page 28] Every conjunctive predicate transformer is monotonic.

Proof Let f be conjunctive. Then, for any predicates x, y ,

       [f.x ⇒ f.y]
    ≡    {implication}
       [f.x ∧ f.y ≡ f.x]
    ≡    {(2)}
       [f.(x ∧ y) ≡ f.x]
    ⇐    {Leibniz}
       [x ∧ y ≡ x]
    ≡    {implication}
       [x ⇒ y] .

□

Monotonicity is a proper weakening of conjunctivity, as is shown by the following example.

Example 2 Consider predicate transformers f and g defined by

    f.x ≝ [x] ,    g.x ≝ ¬f.¬x .

Remark that f is conjunctive [3, page 58], hence monotonic by Theorem 1. It follows that g is monotonic. The knowledgeable reader will have deduced this from the fact that f and g are conjugates; an elementary proof runs as follows:

       [g.x ⇒ g.y]
    ≡    {definition of f}
       [¬f.¬x ⇒ ¬f.¬y]
    ≡    {contrapositive}
       [f.¬y ⇒ f.¬x]
    ⇐    {monotonicity of f , (3)}
       [¬y ⇒ ¬x]
    ≡    {contrapositive}
       [x ⇒ y] .

Next we show that g is not, in general, conjunctive. Let the state space be the set Z of all integers. Consider, for every integer constant c , the predicate x_c defined by

    x_c ≝ λn∈Z (n ≠ c) .

Observe that x_c.c ≡ false , from which it follows that

    [f.x_c ≡ false] .    (4)

On the other hand, for any n ,

       (x_0 ∨ x_1).n
    ≡    {definition of x_c}
       n ≠ 0 ∨ n ≠ 1
    ≡    {0 ≠ 1}
       true ,

so

    [x_0 ∨ x_1 ≡ true] .    (5)

We derive

       g.¬x_0 ∧ g.¬x_1
    ≡    {definition of g}
       ¬f.x_0 ∧ ¬f.x_1
    ≡    {(4)}
       ¬false ∧ ¬false
    ≡    {}
       true ,

whereas

       g.(¬x_0 ∧ ¬x_1)
    ≡    {definition of g}
       ¬f.(x_0 ∨ x_1)
    ≡    {(5)}
       ¬f.true
    ≡    {definition of f}
       ¬[true]
    ≡    {}
       false .

This proves that g is not conjunctive. □

3 Punctual monotonicity implies conjunctivity

In this section we prove a partial converse to Theorem 1. As far as we have been able to ascertain, this is a new result.

Theorem 3 Every punctual monotonic predicate transformer is conjunctive.

The proof of Theorem 3 will be preceded by a number of auxiliary results. Throughout this section, we let f denote a predicate transformer and we introduce the abbreviations

    F ≝ f.false ,    T ≝ f.true .

The first result is

Lemma 4 If f is monotonic, then [F ⇒ T] .

Proof

       [F ⇒ T]
    ≡    {definitions of F and T}
       [f.false ⇒ f.true]
    ⇐    {monotonicity of f , (3)}
       [false ⇒ true]
    ≡    {}
       true .

□

Next we aim for an explicit formula for punctual f . The next two lemmas first appeared in [6].

Lemma 5 For punctual f and any x ,

    [f.x ∧ x ≡ T ∧ x] ,    (6)

    [f.x ∧ ¬x ≡ F ∧ ¬x] .    (7)

Proof We prove only (6); the proof of (7) is analogous.

       f.x ∧ x ≡ T ∧ x
    ≡    {extracting an antecedent}
       x ⇒ (f.x ≡ T)
    ≡    {true unit element of ≡ , definition of T}
       (x ≡ true) ⇒ (f.x ≡ f.true)
    ≡    {punctuality of f , (1)}
       true .

□

Lemma 6 For punctual f and any x , [f.x ≡ (T ∧ x) ∨ (F ∧ ¬x)] .

Proof

       f.x
    ≡    {Excluded Middle}
       f.x ∧ (x ∨ ¬x)
    ≡    {distribution}
       (f.x ∧ x) ∨ (f.x ∧ ¬x)
    ≡    {Lemma 5}
       (T ∧ x) ∨ (F ∧ ¬x) .

□

Combination of Lemmas 6 and 4 yields a simpler formula:

Lemma 7 For f both punctual and monotonic and any x , [f.x ≡ T ∧ (x ∨ F)] .

Proof

       f.x
    ≡    {Lemma 6}
       (T ∧ x) ∨ (F ∧ ¬x)
    ≡    {Lemma 4}
       (T ∧ x) ∨ (T ∧ F ∧ ¬x)
    ≡    {distribution}
       T ∧ (x ∨ (F ∧ ¬x))
    ≡    {complement rule}
       T ∧ (x ∨ F) .

□

The preparations are now complete and we may proceed with the proof of the theorem.

Proof of Theorem 3 Let f be monotonic and punctual. Then, for predicates x and y ,

       f.x ∧ f.y
    ≡    {Lemma 7}
       T ∧ (x ∨ F) ∧ T ∧ (y ∨ F)
    ≡    {idempotence of ∧ ; distribution}
       T ∧ ((x ∧ y) ∨ F)
    ≡    {Lemma 7}
       f.(x ∧ y) .

This shows that f is conjunctive. □

Remark With very little added effort, the result of Theorem 3 may be strengthened to positive conjunctivity; see [1] for details. □

Remark Universal quantification over some coordinate of the state space can be viewed as a predicate transformer. As such, it is universally conjunctive, and hence monotonic, but not even finitely disjunctive. In view of the disjunctive analogue of Theorem 3, it is slightly confusing that the generalized Leibniz rule

    [(∀i :: x.i ≡ y.i) ⇒ ((∀i :: x.i) ≡ (∀i :: y.i))]

is consistently referred to in [3] by the description ‘∀ is punctual’. □

4 Alternative characterization of punctual monotonicity

Theorem 8 [5, Lemma 2] A predicate transformer f is both punctual and monotonic if and only if for all predicates x, y

    [(x ⇒ y) ⇒ (f.x ⇒ f.y)] .    (8)

Proof Let f be punctual and monotonic. First observe that for every x, y

    [(x ≡ y) ∧ f.x ≡ (x ≡ y) ∧ f.y] ,    (9)

since

       [(x ≡ y) ∧ f.x ≡ (x ≡ y) ∧ f.y]
    ≡    {extracting an antecedent}
       [(x ≡ y) ⇒ (f.x ≡ f.y)]
    ≡    {f is punctual, (1)}
       true .

Hence

       [(x ⇒ y) ⇒ (f.x ⇒ f.y)]
    ≡    {shunting}
       [(x ⇒ y) ∧ f.x ⇒ f.y]
    ≡    {implication}
       [(x ∧ y ≡ x) ∧ f.x ⇒ f.y]
    ≡    {(9) with y := x ∧ y}
       [(x ∧ y ≡ x) ∧ f.(x ∧ y) ⇒ f.y]
    ⇐    {weakening the antecedent}
       [f.(x ∧ y) ⇒ f.y]
    ⇐    {f is monotonic, (3)}
       [x ∧ y ⇒ y]
    ≡    {}
       true .

For the other direction, we have to prove that (8) implies (3), which is obvious on account of the monotonicity of state space quantification, and that it implies (1), which is equally obvious by mutual implication. □

5 Alternative characterization of punctuality

Consider the standard model of predicate calculus, where predicates are functions of type S → B . Here S is some arbitrary fixed set called the state space, and B is the set of boolean values. Within this model, punctuality can be characterized in a way that, for some purposes, may be easier to work with than (1).

Theorem 9 A predicate transformer f is punctual if and only if there exists a mapping g of type S → B → B such that

    ∀x∈S→B ∀s∈S f.x.s = g.s.(x.s) .    (10)

Proof Suppose f is punctual. As before, we write

    F ≝ f.false ,    T ≝ f.true .

Let g of type S → B → B be defined by

    g.s.b ≡ (b ∧ T.s) ∨ (¬b ∧ F.s) .

Then (10) holds according to Lemma 6. Conversely, consider a g of type S → B → B and let f be defined by (10). Then, for any predicates x, y and state s ,

       (f.x ≡ f.y).s
    ≡    {(10), lifting}
       g.s.(x.s) ≡ g.s.(y.s)
    ⇐    {Leibniz}
       x.s ≡ y.s
    ≡    {lifting}
       (x ≡ y).s ,

which proves (1). □

Remark An example of the way in which this theorem might be applied is the following. Remark that f is conjunctive (or monotonic) if and only if, for every state s , boolean function g.s is conjunctive (or monotonic). Since the number of functions of type B → B is only 4, it is easy to check by enumeration of cases that conjunctivity and monotonicity coincide for such functions. This provides an alternative proof for Theorem 3. □
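The enumeration argument of the Remark above, carried out mechanically as an added example (not code from the paper): over a constructed two-state space, predicates are bitmasks, each of the 256 predicate transformers is a lookup table, and the three checks are definitions (1)-(3). It also evaluates the f and g of Example 2 on this finite space instead of Z; all function and constant names are illustrative.

```python
from itertools import product

S = range(2)                    # constructed two-state space (an assumption of this example)
PREDS = range(1 << len(S))      # a predicate is a bitmask: bit s holds the value x.s
TRUE = PREDS[-1]

def equiv(x, y):   return ~(x ^ y) & TRUE    # pointwise x ≡ y
def implies(x, y): return (~x | y) & TRUE    # pointwise x ⇒ y
def everywhere(p): return p == TRUE          # the square brackets [p]

def punctual(f):                # definition (1)
    return all(everywhere(implies(equiv(x, y), equiv(f[x], f[y])))
               for x in PREDS for y in PREDS)

def conjunctive(f):             # definition (2)
    return all(f[x & y] == f[x] & f[y] for x in PREDS for y in PREDS)

def monotonic(f):               # definition (3)
    return all(everywhere(implies(f[x], f[y]))
               for x in PREDS for y in PREDS if everywhere(implies(x, y)))

# Every predicate transformer on S, as a lookup table indexed by predicate.
ALL_TRANSFORMERS = list(product(PREDS, repeat=len(PREDS)))
BOOL_FUNCS = list(product((0, 1), repeat=2))   # (g.false, g.true): the 4 functions B → B

def from_pointwise(gs):
    """Table of the f given by (10): f.x.s = g.s.(x.s), where gs[s] is g.s."""
    return tuple(sum(gs[s][(x >> s) & 1] << s for s in S) for x in PREDS)

def classify():
    """Check Theorems 1, 3, 9 by enumeration; return (#punctual, #punctual and monotonic)."""
    pointwise = {from_pointwise(gs) for gs in product(BOOL_FUNCS, repeat=len(S))}
    punct = {f for f in ALL_TRANSFORMERS if punctual(f)}
    assert punct == pointwise                                   # Theorem 9
    assert all(monotonic(f) for f in ALL_TRANSFORMERS if conjunctive(f))  # Theorem 1
    assert all(conjunctive(f) == monotonic(f) for f in punct)   # Theorems 1 and 3
    return len(punct), sum(monotonic(f) for f in punct)

# Example 2 on this finite space: f.x = [x] and its conjugate g.x = ¬f.¬x.
F_EVERYWHERE = tuple(TRUE if everywhere(x) else 0 for x in PREDS)
G_CONJUGATE = tuple(~F_EVERYWHERE[~x & TRUE] & TRUE for x in PREDS)

if __name__ == "__main__":
    print(classify())   # counts of punctual, and punctual-and-monotonic, transformers
    print(monotonic(G_CONJUGATE), conjunctive(G_CONJUGATE), punctual(G_CONJUGATE))
```

Of the 256 transformers, exactly the 4² = 16 of form (10) are punctual, and 3² = 9 of those are monotonic, one monotonic choice of g.s out of three per state.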

6 Weakest preconditions

Theorem 10 Let f be a predicate transformer. For every predicate x , let predicate transformer h.x be defined by

    [h.x.y ≡ x ⇒ f.y] .    (11)

Assume that h.x is punctual for every x . Then f is punctual.

Proof For predicates x and y we have

       f.x ⇒ f.y
    ≡    {definition of h , (11)}
       h.(f.x).y
    ⇐    {punctuality of h.(f.x)}
       h.(f.x).x ∧ (x ≡ y)
    ≡    {definition of h , (11)}
       (f.x ⇒ f.x) ∧ (x ≡ y)
    ≡    {}
       x ≡ y ,

so [(x ≡ y) ⇒ (f.x ⇒ f.y)] . Punctuality of f follows by symmetry. □

An error sometimes found in textbooks of programming (e.g. [2, page 83] and arguably [4, page 109]) is the following. The author introduces the Hoare triple {x} S {y} as an abbreviation for the implication x ⇒ wp.S.y , and postulates

    {x} S {y} ∧ (y ⇒ z) ⇒ {x} S {z} .    (12)

According to Theorem 8, it follows from (12) that Hoare triples are punctual functions of the postcondition; by Theorem 10, it then follows that wp.S is punctual. This conclusion is absurd, as, for instance, wp.havoc.x ≡ [x] .
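A finite check of why (12) cannot hold as written, given as an added example that is not part of the paper: with wp.havoc.y ≡ [y] over a constructed three-state space, it searches for states where (12) fails when y ⇒ z is read pointwise. The contrast cases (wp.skip.y ≡ y, and the variant with the weakening step bracketed as [y ⇒ z]) and all function names are assumptions of this example, not statements from the page.

```python
from itertools import product

N = 3                                   # constructed state space {0, 1, 2}
TRUE = (1 << N) - 1                     # a predicate is a bitmask over the states
PREDS = range(TRUE + 1)

def implies(x, y): return (~x | y) & TRUE            # pointwise x ⇒ y
def everywhere(p): return TRUE if p == TRUE else 0   # [p], as a constant predicate

def wp_havoc(y): return everywhere(y)   # wp.havoc.y ≡ [y], as stated above
def wp_skip(y):  return y               # wp.skip.y ≡ y: a punctual wp, added for contrast

def triple(x, wp, y):                   # {x} S {y} abbreviates x ⇒ wp.S.y
    return implies(x, wp(y))

def rule_12_violations(wp):
    """(x, y, z, states) where (12) fails when y ⇒ z is read pointwise, as written."""
    found = []
    for x, y, z in product(PREDS, repeat=3):
        antecedent = triple(x, wp, y) & implies(y, z)
        failing = ~implies(antecedent, triple(x, wp, z)) & TRUE
        if failing:
            found.append((x, y, z, failing))
    return found

def bracketed_rule_holds(wp):
    """The same rule with the weakening step quantified over all states: [y ⇒ z]."""
    return all(
        implies(triple(x, wp, y) & everywhere(implies(y, z)), triple(x, wp, z)) == TRUE
        for x, y, z in product(PREDS, repeat=3))

if __name__ == "__main__":
    print(rule_12_violations(wp_havoc)[:3])
    print(rule_12_violations(wp_skip), bracketed_rule_holds(wp_havoc))
```

The witness (x, y, z) = (true, true, {0}) fails at state 0: y ⇒ z holds there, {true} havoc {true} holds, yet {true} havoc {z} is false because z does not hold everywhere.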

References

[1] A. Bijlsma, Punctual monotonicity implies positive junctivity. AB46, Eindhoven University of Technology, December 1993.
[2] E. Cohen, Programming in the 1990s: an introduction to the calculation of programs. Springer-Verlag, New York, 1990.
[3] E.W. Dijkstra and C.S. Scholten, Predicate calculus and program semantics. Springer-Verlag, New York, 1990.
[4] D. Gries, The science of programming. Springer-Verlag, New York, 1981.
[5] C.S. Scholten, More about propositionality. CSS101, March 1985.
[6] J.G. Wiltink, R.W. Bulterman, W.H.J. Feijen, A. Kaldewaij, Cai Chengdian, M. Boasson, A. Bijlsma, and A.J.M. van Gasteren, A note on propositional predicate transformers. Eindhoven University of Technology, January 1985.