Re: Contracts in generic formal subprogram

[Ben Bacarisse <ben.usenet@bsb.me.uk>]

Spiros Bousbouras <spibou@gmail.com> writes:

> On Wed, 12 Apr 2023 02:18:45 -0000 (UTC)
> Spiros Bousbouras <spibou@gmail.com> wrote:
>> On Tue, 11 Apr 2023 14:03:27 +0200
>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote:
>> > The formal meaning of weaker/stronger relation on predicates P and Q:
>> > 
>> > weaker   P => Q
>> > stronger Q => P
>> > 
>> > The formal rationale is that if you have a proof
>> > 
>> >    P1 => P2 => P3
>> > 
>> > Then weakening P1 to P1' => P1 and strengthening P3 => P3' keeps it:
>> > 
>> >    P1' => P2 => P3'
>> 
>> You have it backwards ; if  P1'  implies  P1  then  P1'  is stronger
>> than  P1 .
>
> Apologies ; it was me who got it backwards.

No, you are correct.  If P1' => P1 then P1' /is/ stronger (or at least
no weaker) than P1.

Using upper and lower case to suggest stronger and weaker then if we
have a proof p |- Q, then we can also assert that P |- q for all
stronger premises P and weaker conclusions q.  Formally

  {p, P=>p, Q=>q} |- q

Or, written out using the deduction theorem, if we have p=>Q then we can
assert P=>q for any stronger P (so P=>p) and any weaker q (so Q=>q).

In Floyd-Hoare logic, this is embodied in the consequence rule:

  P=>p, {p}S{Q}, Q=>q
  -------------------
        {P}S{q}

which says that we can always strengthen a pre-condition and weaken a
post-condition.

However (if I've got the context right), in terms of substitution and/or
inheritance, Dmitry-Kazakov was correct to say that "The general
principle of substitutability is that the preconditions can be weakened,
the postoconditions can be strengthened".  It's just the definition that
was backwards.

-- 
Ben.