Precondition of ϕ w.r.t. τ (Con'd)   [slide 85]

Example:
  V : {x} integer
  ρ_τ : x > 0 ∧ x′ = x − 1
  ϕ : x ≥ 2

  pre(τ, ϕ) : ∀x′. ( x > 0 ∧ x′ = x − 1 ) → ( x′ ≥ 2 )
                     (the first bracket is ρ_τ, the second is ϕ′)
  ≡ x > 0 → x − 1 ≥ 2
  ≡ x ≤ 0 ∨ x ≥ 3

[Figure: transition τ from state s_j to s_{j+1}; s_j satisfies x ≤ 0 ∨ x ≥ 3, s_{j+1} satisfies x ≥ 2]
Properties of pre(τ, ϕ)   [slide 86]

By the definition of pre(τ, ϕ),

  { χ ∧ ϕ ∧ pre(τ, ϕ) } τ { ϕ }

is guaranteed to be state-valid.

[Figure: diagram with labels ϕ, ϕ ∧ χ, τ and P-accessible]

But we have to justify adding the conjunct pre(τ, ϕ) to the antecedent.
This can be done in two ways:

  1. Incremental: prove □ pre(τ, ϕ)
  2. Strengthening: prove □ (ϕ ∧ pre(τ, ϕ))
Properties of pre(τ, ϕ) (Con'd)   [slide 87]

Claim: If ϕ is P-invariant then so is pre(τ, ϕ) for every τ ∈ T.

Proof: Suppose ϕ is P-invariant, but pre(τ, ϕ) is not P-invariant.
Then there exists a P-accessible state s such that s ⊭ pre(τ, ϕ).
But then, by the definition of pre(τ, ϕ), there exists a τ-successor s′ of s such that s′ ⊭ ϕ.
Since s is P-accessible, s′ is also P-accessible, contradicting that ϕ is a P-invariant.
Properties of pre(τ, ϕ) (Con'd)   [slide 88]

Definition: A transition τ is said to be self-disabling if for every state s, τ is disabled in all τ-successors of s.

Claim: For every assertion ϕ and self-disabling transition τ,

  { ϕ ∧ pre(τ, ϕ) } τ { ϕ ∧ pre(τ, ϕ) }

is state-valid.

Proof: Assume s ⊨ ϕ ∧ pre(τ, ϕ).
Then by definition of pre(τ, ϕ), for every s′, τ-successor of s, s′ ⊨ ϕ.
Since τ is self-disabling, τ is disabled in all τ-successors s′ of s, and so trivially s′ ⊨ pre(τ, ϕ).
Thus for all τ-successors s′ of s, s′ ⊨ ϕ ∧ pre(τ, ϕ).
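The slide-85 computation of pre(τ, ϕ) and the two claims above, checked mechanically on a constructed finite window of integer states. This is an added Python example, not code from the slides; `STATES`, `tau_reset` and `psi` are constructed for the check, and `tau`/`phi` encode the slides' ρ_τ and ϕ.

```python
from typing import Callable, Iterable, List

State = int                                # vocabulary V = {x}, x an integer
Trans = Callable[[State], List[State]]     # tau-successors of s; [] means tau is disabled at s
Assertion = Callable[[State], bool]

STATES = range(-5, 10)   # constructed finite window of states used for enumeration

def tau(x: State) -> List[State]:
    """The slides' transition: rho_tau is x > 0 and x' = x - 1."""
    return [x - 1] if x > 0 else []

def phi(x: State) -> bool:
    """The slides' assertion phi: x >= 2."""
    return x >= 2

def pre(t: Trans, p: Assertion) -> Assertion:
    """pre(tau, phi) holds at s iff every tau-successor s' of s satisfies phi."""
    return lambda s: all(p(s2) for s2 in t(s))

def derived_pre(x: State) -> bool:
    """The formula derived by hand on slide 85: x <= 0 or x >= 3."""
    return x <= 0 or x >= 3

def conj(a: Assertion, b: Assertion) -> Assertion:
    return lambda s: a(s) and b(s)

def agrees(a: Assertion, b: Assertion, states: Iterable[State] = STATES) -> bool:
    """Do two assertions evaluate identically on every state of the window?"""
    return all(a(s) == b(s) for s in states)

def state_valid(ante: Assertion, t: Trans, post: Assertion,
                states: Iterable[State] = STATES) -> bool:
    """{ante} tau {post} is state-valid: every tau-successor of an ante-state satisfies post."""
    return all(post(s2) for s in states if ante(s) for s2 in t(s))

def self_disabling(t: Trans, states: Iterable[State] = STATES) -> bool:
    """tau is self-disabling: tau is disabled in every tau-successor of every state."""
    return all(not t(s2) for s in states for s2 in t(s))

def tau_reset(x: State) -> List[State]:  # constructed self-disabling transition: x > 0 and x' = 0
    return [0] if x > 0 else []

def psi(x: State) -> bool:  # constructed assertion used with tau_reset: x != 1
    return x != 1

if __name__ == "__main__":
    print("pre(tau, phi) == (x <= 0 or x >= 3):", agrees(pre(tau, phi), derived_pre))
    print("slides' tau is self-disabling:", self_disabling(tau))
```

The slides' τ is not self-disabling (x = 3 steps to 2, where τ is still enabled), so {ϕ ∧ pre(τ, ϕ)} τ {ϕ ∧ pre(τ, ϕ)} fails for it while {ϕ ∧ pre(τ, ϕ)} τ {ϕ} holds; for the self-disabling `tau_reset` the slide-88 claim goes through.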