CS 641 meeting -*- Outline -*-

* semantics of recursion (4.4)

We now will give the main definition of the book!

** the setup

Let A = disjoint union of S and H.

*** simple commands (S)

S is the set of simple commands, assumed to contain all guards and assignments.
wp and wlp are defined on them as before.

notation:
        ws_0: S -> MT, for wp
        ws_1: S -> MT, for wlp

*** procedure names (H)

H is the set of procedure names.

        body: H -> A(.)

*** the problem

--------------------------
                THE PROBLEM

Want to construct wp, wlp: A(.) -> MT such that

        wp|S = ws_0
        wlp|S = ws_1,

and for all h \in H,

        wp.h = wp.(body.h)
        wlp.h = wlp.(body.h)
---------------------------

Then we would also want to verify that:
        the homomorphism properties are satisfied, and
        the healthiness laws hold

** construction

*** overview

-----------------------
                CONSTRUCTION OVERVIEW

for e \in {0,1}, ws_e is extended to A -> MT as

        (ws_e \cup v)

for a v \in H -> MT to be selected.

Then use its language extension:

        (ws_e \cup v)(.) \in A(.) -> MT
-----------------------

It remains to select v

*** fixpoints

we find the v above as a fixpoint (least and greatest)

want to satisfy wg.h = wg.(body.h), so we calculate for e \in {0,1}

        (all h \in H :: (ws_e \cup v)(.).h = (ws_e \cup v)(.).(body.h))
    = {def of language extension}
        (all h \in H :: v.h = (ws_e \cup v)(.).(body.h))
    = {def of composition}
        (all h \in H :: v.h = ((ws_e \cup v)(.) o body).h)
    = {Leibniz}
        v = (ws_e \cup v)(.) o body

Now we abstract out v from the rhs, by defining

        D_e: (H -> MT) -> (H -> MT)
        D_e.v = (ws_e \cup v)(.) o body

and this lets us write a fixpoint equation:

        v: v = D_e.v

Q: Can we find fixpoints of D_e?

        Yes, MT is a complete lattice, and so (H -> MT) is a complete
        lattice in the induced order. Remains to show that D_e is monotone...

Thm: Function D_e: (H -> MT) -> (H -> MT) defined above is monotone,
     and has a least fixpoint wa_e and greatest fixpoint wb_e in (H -> MT).

Pf: By the Knaster-Tarski theorem, it suffices to show D_e is monotone.
    Let v, w \in (H -> MT).

        D_e.v <= D_e.w
    = {induced order on H -> MT, definition of D_e}
        (all h \in H :: (ws_e \cup v)(.).(body.h) <= (ws_e \cup w)(.).(body.h))
    <== {body.h is in A(.), definition of language extension}
        (all r \in A(.) :: (inf s \in r :: (ws_e \cup v)*.s) <= (inf s \in r :: (ws_e \cup w)*.s))
    <== {if s \in r and r \in A(.), then s \in A*; inf is monotone}
        (all s \in A* :: (ws_e \cup v)*.s <= (ws_e \cup w)*.s)

    It remains to show that this last is implied by v <= w.
    This is done by induction on the length of the string s.
QED

-------------------
                DEFINITIONS OF WP AND WLP

Using the theorem.

def:    wp = (ws_0 \cup wa_0)(.)
        wlp = (ws_1 \cup wb_1)(.)
-------------------

so wp is the language extension of ws_0 by the least fixpoint of D_0,
and wlp is the language extension of ws_1 by the greatest fixpoint of D_1.

By the first calculation, these satisfy the requirements.

*** auxiliary definitions

--------------------
                SOME NOTATION

def: Let v : (H -> MT), and e \in {0,1}. Then

        v^e : A(.) -> MT

is defined by

        v^e = (ws_e \cup v)(.)

Thus
        D_e.v = v^e o body
        wp = (wa_0)^0
        wlp = (wb_1)^1
--------------------

** healthiness laws

*** wlp is universally conjunctive (4.5)

want this to be a theorem now

Q: how would you go about that?

Assume: ws_1 \in S -> MU

Thm: Suppose ws_1 \in S -> MU. Then wlp \in A(.) -> MU.

Pf: using the Knaster-Tarski theorem it suffices to prove:

        1. (H -> MU) is inf-closed in (H -> MT).
        2. (H -> MU) is D_1-invariant.

Q: can you prove (1)?

For (2), let v \in (H -> MT). Need to show:

        v \in (H -> MU) ==> D_1.v \in (H -> MU).

        D_1.v \in (H -> MU)
    = {def of D_1}
        (ws_1 \cup v)(.) o body \in (H -> MU)
    <== {types of language extension and body}
        (ws_1 \cup v)(.) \in A(.) -> MU
    <== {lemma 17 in section 4.3}
        (ws_1 \cup v) \in A -> MU
    <== {A is disjoint union of S and H, assumption ws_1 \in S -> MU}
        v \in (H -> MU)

So by the Knaster-Tarski theorem, the greatest fixpoint, wb_1, of D_1
in (H -> MT) is an element of (H -> MU):

        wb_1 \in (H -> MU)

By the above calculation, note that

        v \in (H -> MU) ==> v^1 \in (A(.) -> MU)

Since wlp = (wb_1)^1, the result follows.
QED

Q: why doesn't this proof work to show wp is universally conjunctive?

        You'd have to use "MU is sup-closed" for the analogous argument,
        but MU isn't sup-closed in MT.

*** termination law (4.6)

Thm: Suppose (all s \in S, p \in |P :: ws_0.s.p = ws_0.s.true /\ ws_1.s.p).
     Then for all r \in A(.) and p \in |P,

        wp.r.p = wp.r.true /\ wlp.r.p.

Pf: Let WT \subseteq (H -> MT) be defined by

        v \in WT  equiv  (all h \in H, p \in |P :: v.h.p = v.h.true /\ wlp.h.p)

To prove the law for wp, it suffices to show that

        1. (all v \in WT, r \in A(.), p \in |P :: v^0.r.p = v^0.r.true /\ wlp.r.p)
        2. WT is D_0-invariant
        3. WT is sup-closed in (H -> MT).

Once this is done, by (2,3) and the Knaster-Tarski theorem, the least fixpoint
of D_0 in (H -> MT), wa_0, is such that wa_0 \in WT, and thus by (1)
wp = (wa_0)^0 satisfies the termination law.

Q: how would you prove (1)?

        let v be given, proceed by induction on the structure of A(.)
        Hesselink defines a subset of A(.) called K that satisfies the result,
        then shows K is all of A(.) by showing that A(.) is a subset of K.

Q: how would you prove (2)?

        calculate

Q: how would you prove (3)? What does it mean to be sup-closed?

QED
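As an added illustration (not from these notes or from Hesselink's book), the construction of 4.4 carried out on a constructed four-state space: predicates are sets of states, D_e is tabulated, and wa_0 / wb_1 are found by iterating D_e from bottom and from top, which stands in for Knaster-Tarski because the lattice here is finite. The procedure h, its body, and the use of one table WS for both ws_0 and ws_1 (the simple commands are guards and a guarded assignment, on which wp and wlp agree) are assumptions of this example; the functions wp, wlp and termination_law_holds let the termination law of 4.6 and the conjunctivity of wlp from 4.5 be checked on every predicate.

```python
from itertools import combinations

# Constructed example: state space x in {0,1,2,3}; a predicate is a frozenset of states.
STATES = frozenset(range(4))
PREDS = [frozenset(c) for k in range(len(STATES) + 1) for c in combinations(sorted(STATES), k)]
TRUE, FALSE = STATES, frozenset()

def guard(b):       # wp.(?b).p = (b => p): where b fails the guard is miraculous
    return lambda p: frozenset(x for x in STATES if not b(x) or x in p)
def assign(f):      # wp.(x := f(x)).p = p[f(x)/x]
    return lambda p: frozenset(x for x in STATES if f(x) in p)

# Simple commands S (guards and assignments, as the notes assume).  On these ws_0 = ws_1,
# so one table serves both e = 0 and e = 1; x:=x-1 is only ever reached under ?x>0.
WS = {"?x>0": guard(lambda x: x > 0), "?x=0": guard(lambda x: x == 0),
      "?x=2": guard(lambda x: x == 2), "x:=x-1": assign(lambda x: x - 1)}

# H = {"h"}, with body.h a set of strings over A = S + H (hypothetical procedure):
#   h = (?x>0 ; x:=x-1 ; h)  []  (?x=0)  []  (?x=2 ; h)     -- at x=2 it may loop forever
BODY = {"h": [["?x>0", "x:=x-1", "h"], ["?x=0"], ["?x=2", "h"]]}

def string_ext(f, s):   # f*.s: wp.(a ; b).p = wp.a.(wp.b.p), so apply from the right
    def t(p):
        for name in reversed(s):
            p = f[name](p)
        return p
    return t

def lang_ext(f, r):     # f(.).r.p = (inf s \in r :: f*.s.p); inf of predicates = intersection
    return lambda p: frozenset.intersection(TRUE, *(string_ext(f, s)(p) for s in r))

def D(v):               # D_e.v = (ws_e \cup v)(.) o body, tabulated on every predicate
    f = dict(WS)
    for h, tab in v.items():
        f[h] = (lambda tab: lambda p: tab[p])(tab)
    return {h: {p: lang_ext(f, BODY[h])(p) for p in PREDS} for h in BODY}

def fixpoint(start):    # Kleene iteration from bottom (least fp) or top (greatest fp):
    v = {h: {p: start for p in PREDS} for h in BODY}   # D is monotone and this lattice is finite
    while (w := D(v)) != v:
        v = w
    return v

WA0 = fixpoint(FALSE)   # wa_0, least fixpoint of D_0
WB1 = fixpoint(TRUE)    # wb_1, greatest fixpoint of D_1
def wp(h, p):  return WA0[h][p]    # wp  = (wa_0)^0, restricted here to h \in H
def wlp(h, p): return WB1[h][p]    # wlp = (wb_1)^1, restricted here to h \in H
def termination_law_holds():       # 4.6: wp.h.p = wp.h.true /\ wlp.h.p for every p
    return all(wp("h", p) == (wp("h", TRUE) & wlp("h", p)) for p in PREDS)
```

On this state space wp.h.true is {0,1} (from x=2 the demonic choice may never terminate, and x=3 must pass through 2), while wlp.h.true is all of STATES; wlp.h.p is STATES when 0 is in p and empty otherwise.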