The Hoare Triple law for the skip command says
| {P} skip {Q} ≡ [P ⟹ Q] |
Thus, to show {P} skip {Q}, it suffices to complete a proof of P ⟹ Q.
Example: Prove { x > y } skip { x ≥ y ∨ z < y }.
Solution: Taking P to be x > y and Q to be x ≥ y ∨ z < y, it suffices (by the Hoare Triple law for skip) to complete a proof of P ⟹ Q:
Assume P (i.e., x > y).
Q
= < defn of Q >
x ≥ y ∨ z < y
= < defn of ≥ >
(x > y ∨ x=y) ∨ z < y
= < assumption P (i.e., x > y) >
(true ∨ x=y) ∨ z < y
= < symmetry of ∨ (Gries 3.24) >
(x=y ∨ true) ∨ z < y
= < zero of ∨ (Gries 3.29) >
true ∨ z < y
= < symmetry of ∨ (Gries 3.24) >
z < y ∨ true
= < zero of ∨ (Gries 3.29) >
true
|
Our proof was given in quite gory detail. Usually, we can omit explicit mention of the use of (Gries 3.24), for example. Also, we could have appealed to the assumption x>y as a justification for replacing (the weaker) x≥y by true directly, without first rewriting the latter as x>y ∨ x=y and then using the assumption. A more concise proof would have been:
Assume P (i.e., x > y).
Q
= < defn of Q >
x ≥ y ∨ z < y
= < x ≥ y follows from assumption P (i.e., x > y) >
true ∨ z < y
= < zero of ∨ (Gries 3.29) >
true
|
Now suppose that we use the wp-approach instead of the Hoare Triple approach. The relationship between wp and Hoare Triples is
| {P} S {Q} ≡ [P ⟹ wp.S.Q] |
Hence, to prove {P} skip {Q} we show the equivalent [P ⟹ wp.skip.Q]. The usual approach is to assume the antecedant and to show the consequent:
Assume P (i.e., x > y).
wp.skip.Q
= < defn of Q >
wp.skip.(x ≥ y ∨ z < y)
= < wp skip rule, which says [wp.skip.Q ≡ Q] >
x ≥ y ∨ z < y
= ... continue as in proof above
|
As we have arrived at the second line of the earlier proof, we simply continue as we did there.