The Weakest Precondition Calculus: Recursion and Duality

Formal Aspects of Computing (1994) 3: 1-000
© 1994 BCS
Marcello M. Bonsangue† (1) and Joost N. Kok
† Department of Computer Science, Vrije Universiteit Amsterdam, NL; Department of Computer Science, Utrecht University, NL
Keywords: weakest (liberal) preconditions; refinement; fixed point transformations; Smyth power domain; Egli-Milner power domain; recursion; denotational semantics
Abstract. An extension of Dijkstra's guarded command language is studied, including unbounded demonic choice and a backtrack operator. We consider three orderings on this language: a refinement ordering defined by Back, a new deadlock ordering, and an approximation ordering of Nelson. The deadlock ordering is in between the two other orderings. All operators are monotonic in the Nelson ordering, but backtracking is not monotonic in the Back ordering and sequential composition is not monotonic for the deadlock ordering. At first sight recursion can only be added using the Nelson ordering. We show that, under certain circumstances, least fixed points for non-monotonic functions can be obtained by iteration from the least element. This permits the addition of recursion even using the Back ordering or the deadlock ordering in a fully compositional way. In order to give a semantic characterization of the three orderings in terms of semantics that relate initial states to possible outcomes of the computation, the relation between predicate transformers and discrete power domains is studied. We consider (two versions of) the Smyth power domain and the Egli-Milner power domain.
(1) The research of Marcello Bonsangue was supported by a grant of the Universita' degli Studi di Milano, Italy, and by a grant of the Centro Nazionale delle Ricerche (CNR), Italy.
Correspondence and offprint requests to: Marcello M. Bonsangue, Department of Computer Science, Vrije Universiteit, De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands. e-mail: [email protected]
1. Introduction
The weakest precondition calculus of Dijkstra identifies statements in the guarded command language with predicate transformers [Dij76] such that program synthesis from specifications is supported. The language was extended to use it as a vehicle for program refinement. Specification constructs, like unbounded demonic choice and angelic choice, were added and a refinement ordering was defined. This approach was introduced in [Bac78, Bac80] and is suited for refinement (see [BW90, Bac90] and also [MRG88, Mor87]). The ordering can be used to add recursion to the language, but not in a fully compositional way in which all the operators can be used freely. For example, for each set of guards there is a different conditional command.
An early treatment of recursion, based on continuity of the weakest preconditions (and hence based on finite nondeterminism), is given in [Roe76]. More detailed treatments are given in [Heh79] and [Bak80]. Recursion together with countable nondeterminism is studied in [AP86], and recursion with unbounded nondeterminism in [DG86, Hes89]. Recursion is added in a fully compositional way by Nelson in [Nel89]: the guarded command language is embedded in a language with sequential composition, binary demonic choice and a backtrack operator in which the operators can be used freely. An ordering on predicate transformers is given, and all the operators are monotonic with respect to this ordering. The ordering uses the additional notion of weakest liberal precondition, and is an approximation ordering of the kind used in denotational semantics. It is not suited for refinement in the sense of [BW90].
Our starting point is the language of [Nel89]. In this language there is a form of infinite behavior (a divergence construct) and atomic actions that can deadlock (to initiate backtracking). The main operators present in the language are sequential composition, unbounded demonic choice and a backtrack operator. We consider three orderings; besides the orderings of Back and Nelson we define a new ordering in between. It is called deadlock ordering because it preserves deadlocks (as can be seen from its semantic characterization). A normal (non-miraculous) terminating statement is not refined by a miracle in the deadlock ordering.
Only the Nelson ordering is monotonic with respect to all three operators: the backtrack operator is not monotonic with respect to the Back ordering and the sequential composition is not monotonic for the deadlock ordering. At first sight only the Nelson ordering seems to be suited to add recursion to the language. But the fact that for the Nelson ordering all the operators are monotonic implies that recursion can be added also using the other two orderings. This result is proved using an extension of fixed point theory. It is well known that a continuous function from a complete partial order to itself has a least fixed point that can be obtained by iteration from the least element. This result was extended by Hitchcock and Park [HP72] showing that also a monotone function from a complete partial order to itself has a least fixed point. Then Apt and Plotkin [AP81, AP86] showed that the least fixed point property can be transferred, via a commutative diagram, to monotone functions from a poset (not necessarily complete) to itself. This transfer lemma is explored in detail by Meyer in [Mey85]. We show that the least fixed point property can be transferred to arbitrary functions from a partial order to itself.
We also provide state transformer models for three weakest precondition semantics. The state transformer models relate initial states to sets of possible outcomes of the computation. Programs are hence represented by state transforming functions. One of the aims of this paper is to match the predicate transformer view of a program to the state transformer view by extending the duality which relates the discrete version of the Smyth power domain [Smy78] and Dijkstra's predicate transformers [Wan77, Plo79, Bac81, Smy83, Bes83, AP86]. The duality states that there is an order isomorphism between functions to the Smyth power domain (ordered pointwise) and the predicate transformers (ordered by the refinement order).
The presence of a backtrack operator in the language justifies the introduction of two versions of the Smyth power domain: the empty set, representing deadlock, is added in two different ways. We extend the duality to these two versions of the Smyth power domain. This gives semantic models for the Back and the deadlock ordering. The Egli-Milner power domain (extended with the empty set too, in order to treat deadlock) is treated by giving an isomorphism between the Egli-Milner state transformers and the Nelson predicate transformers (cf. [Nel89]). For the state transformer models we define operations that are isomorphic to the corresponding operations between predicate transformers.
2. Language, Operational Semantics and Weakest Preconditions
Let (v ∈) Var be a set of variables, let (d ∈) D be some domain of values (for example the natural numbers) and let ( ∈ ) = Var → D be a set of states. Let also (t ∈) Exp = → D be a set of (evaluated) expressions, (b ∈) BExp = → Bool be a set of (evaluated) boolean expressions, and (P, Q ∈) Pred : → Bool be the set of predicates on , where Bool = {tt, ff} is the set of truth-values. Equivalently, a predicate P on can be seen as the set of states { ∈ | P() = tt } in which P holds.
In the rest of the paper we use the symbols ⇒, ⋀, ∨ and ∧ for denoting, respectively, the classical logical implication, the infinite conjunction, the binary disjunction, and the binary conjunction among predicates. We denote by false (true) the predicate that yields false (true) for every state. When a predicate is interpreted as a set, then the logical implication is just the subset relation, ⋀ is the intersection and ∨ is the binary union. Clearly the predicate false is the empty set and true is the set of all states.
The class (S ∈) Stat of statements is defined by
S ::= v := t | b → | div | S1; S2 | □_{i∈I} Si | S1 ◇ S2
where I is a non-empty (but possibly infinite) index set. Since the index set I is arbitrary, Stat is a proper class in the set-theoretical sense. The language has two atomic operators (assignment and conditional), two binary operators (sequential composition ; and backtrack operator ◇), and a demonic choice operator □ for every non-empty index set. A divergent statement div is also present. The binary demonic choice is denoted by □ (no index set).
The sequential composition executes the first component and then it executes the second component. The demonic choice executes one of its components in such a way that components with possible infinite behavior are given preference. The backtrack operator backtracks to the second component if the first component deadlocks. The only atomic action that can deadlock is b →: it deadlocks in a state in which the boolean expression b does not evaluate to true.
One difference with the language studied in [Nel89] is that there are two kinds of atomic actions: the assignment action v := t and the test action b →. Another difference is that we allow unbounded demonic choice.
Dijkstra's guarded command language [Dij76, DS90] can be seen as a subset of this language, except for the do ... od construct which will be handled when we add recursion. The guarded command b → S corresponds to b →; S, the conditional command if □_{i∈I} bi → Si to (□_{i∈I} bi →; Si) ◇ div.
To guide the intuition about this language we give an operational semantic model, based on a transition system, that relates initial states with possible outcomes of the computation. In order to deal with backtracking in the transition system we introduce the class of extended statements (m ∈) Stat:
m ::= S | m1 △ (m2, )
where S ∈ Stat and ∈ . Intuitively m1 △ (m2, ) means that m1 is executed in some state, and that the statement m2 is remembered in order to execute it in the state if m1 fails at some later stage. After the next definition we give some more explanation and an example of a computation.
Definition 2.1. Let Conf = (Stat ∪ {E}) × ( ∪ { }) be a set of configurations, and define the transition relation → ⊆ Conf × Conf to be the least relation satisfying the axioms and rules in Figure 1.
In this definition [t/v] denotes the state
[t/v](v') = t() if v' = v, and (v') otherwise.
Intuitively, ⟨m1, ⟩ → ⟨m1', '⟩ states that one step of execution of the statement m1 in the state leads to a state ' with m1' (being the remainder of m1) to be executed. The symbol E is introduced to deal with termination, and the symbol serves as a deadlock state.
We say that m can diverge from , denoted by m↑ , if there exists an infinite sequence of configurations ci such that ci → ci+1 for all i ≥ 0, and c0 = ⟨m, ⟩. We say that m cannot diverge in (denoted by m↓ ) if not m↑ . By c →* c' we denote that there exists a finite sequence (n ≥ 0)
c → c1 → ... → cn → c'.
Definition 2.2. Let the function Op : Stat → ( → (P() ∪ { ⊥})) (where ⊥ = ∪ {⊥}) be defined by:
Op(S)() = ∪ {⊥} if S↑ , and { ' | ⟨S, ⟩ →* ⟨E, '⟩ } otherwise.
The definition of the function Op explains why □ is called demonic choice: if there is the possibility of infinite behavior (S can diverge) then it will be chosen.
Next we discuss the backtrack operator ◇. If we execute the statement S1 ◇ S2 in a state then we look whether we can do a step from S1 (that possibly changes say to ') and we remember the starting state by changing ◇ in △. If this computation deadlocks at a later stage, then we still have the alternative S2 and we can install the state again. For example, consider the statement (v = 0 →; v := 2) ◇ v := 3 and let ∈ be a state such that (v) = 1. Then we derive from
⟨(v = 0 →; v := 2), ⟩ → ⟨E, ⟩ ∧ ⟨v := 3, ⟩ → ⟨E, '⟩
that
⟨(v = 0 →; v := 2) △ (v := 3, ), ⟩ → ⟨E, '⟩,
where '(v) = 3 and ⟨(v = 0 →; v := 2), ⟩ → ⟨E, ⟩, because from
⟨v = 0 →, ⟩ → ⟨E, ⟩
it follows that
⟨(v = 0 →; v := 2), ⟩ → ⟨E, ⟩.
Therefore ⟨(v := 2; v = 0 →; v := 2) ◇ v := 3, ⟩ →* ⟨E, '⟩.
Fig. 1. The transition system (axioms for v := t, b → and div, and rules for sequential composition, demonic choice, the backtrack operator ◇ and the extended statements m1 △ (m2, )).
In order to get some more feeling for this transition system we give examples of equalities between statements (an equality S1 =Op S2 between two statements denotes that S1 and S2 have the same operational semantics, that is, Op(S1) = Op(S2)). For all S ∈ Stat we have
(false → □ S) =Op (S □ false →) =Op S,
(false → ◇ S) =Op S,
(div □ S) =Op (S □ div) =Op div,
(div ◇ S) =Op div,
(false →; S) =Op false →,
(div; S) =Op div,
(true →; S) =Op (S; true →) =Op S.
Next we give the weakest precondition semantics and relate it to the operational model Op.
Definition 2.3. (Weakest Preconditions) Let wp : Stat → (Pred → Pred) be defined as follows:
wp(v := t)(Q) = Q[t/v]
wp(b →)(Q) = b ⇒ Q
wp(div)(Q) = false
wp(S1; S2)(Q) = wp(S1)(wp(S2)(Q))
wp(□_{i∈I} Si)(Q) = ⋀_{i∈I} wp(Si)(Q)
wp(S1 ◇ S2)(Q) = wp(S1)(Q) ∧ (wp(S1)(false) ⇒ wp(S2)(Q))
where Q[t/v]() = Q([t/v]).
If we identify statements with their weakest preconditions then we have that our language is a subset of the monotonic predicate transformers of [BW90, Wri90] because we do not consider angelic choice and multiple assignment statements. The guard statement [b] is b → and the assert statement {b} is b → ◇ div. Other derived statements are if S = S ◇ div, skip = true →, abort = div, and magic = havoc = false →.
The weakest precondition semantics wp is related to the operational semantics Op as follows.
Theorem 2.4. For every S ∈ Stat and P ∈ Pred,
wp(S)(P) = { ∈ | Op(S)() ⇒ P }.
Proof. The proof proceeds by structural induction on S ∈ Stat. We treat only the case S = S1 ◇ S2, since the other cases are standard and can be found, for example, in [Bak80]. Let S1, S2 be two statements. We have that the set { ∈ | Op(S1 ◇ S2)() ⇒ P } equals by definition of Op
{ ∈ | { ' ∈ | ⟨S1 ◇ S2, ⟩ →* ⟨E, '⟩ ∧ S1 ◇ S2 ↓ } ⇒ P }.
By Definition 2.1, ⟨S1 ◇ S2, ⟩ →* ⟨E, '⟩ if and only if either ⟨S1, ⟩ →* ⟨E, '⟩, or both ⟨S1, ⟩ →* ⟨E, ⟩ and ⟨S2, ⟩ →* ⟨E, '⟩. Also, S1 ◇ S2 ↓ if and only if either S1 ↓ and there is a ' ∈ such that ⟨S1, ⟩ →* ⟨E, '⟩ or S1 ↓ , S2 ↓ and the only configuration which can be reached via →* from ⟨S1, ⟩ is ⟨E, ⟩. This means that S1 ◇ S2 ↓ if and only if either Op(S1)() ≠ ∅ and S1 ↓ or Op(S1)() = ∅ and S2 ↓ . Therefore we have that
{ ∈ | { ' ∈ | ⟨S1 ◇ S2, ⟩ →* ⟨E, '⟩ ∧ S1 ◇ S2 ↓ } ⇒ P }
equals
{ ∈ | Op(S1)() ≠ ∅ ∧ { ' ∈ | ⟨S1, ⟩ →* ⟨E, '⟩ ∧ S1 ↓ } ⇒ P }
∪ { ∈ | Op(S1)() = ∅ ∧ { ' ∈ | ⟨S2, ⟩ →* ⟨E, '⟩ ∧ S2 ↓ } ⇒ P }.
But since S1 ↓ , we have that Op(S1)() = { ' ∈ | ⟨S1, ⟩ →* ⟨E, '⟩ } and similarly, since S2 ↓ , we have that Op(S2)() = { ' ∈ | ⟨S2, ⟩ →* ⟨E, '⟩ }. Therefore the set { ∈ | Op(S1 ◇ S2)() ⇒ P } equals
{ ∈ | Op(S1)() ≠ ∅ ∧ Op(S1)() ⇒ P }
∪ { ∈ | Op(S1)() = ∅ ∧ Op(S2)() ⇒ P }
which is by the induction hypothesis the same as
(¬wp(S1)(false) ∧ wp(S1)(P)) ∨ (wp(S1)(false) ∧ wp(S2)(P)).
But wp(S1)(false) ⇒ wp(S1)(P), and hence the above predicate is equivalent to
(¬wp(S1)(false) ∧ wp(S1)(P)) ∨ (wp(S1)(false) ∧ wp(S1)(P) ∧ wp(S2)(P))
which is equivalent to
wp(S1)(P) ∧ (¬wp(S1)(false) ∨ (wp(S1)(false) ∧ wp(S2)(P))),
that is,
wp(S1)(P) ∧ (wp(S1)(false) ⇒ wp(S2)(P)) = wp(S1 ◇ S2)(P).
From the theorem above it is easy to deduce, for example, that
wp(S)(false) = { ∈ | Op(S)() = ∅ }, and
wp(S)(true) = { ∈ | Op(S)() ≠ ⊥ }.
Furthermore, two statements S1, S2 ∈ Stat are identified by the operational semantics if and only if they have the same weakest precondition for all predicates, that is
Op(S1) = Op(S2) ⇔ ∀P ∈ Pred : wp(S1)(P) = wp(S2)(P).
3. Orderings
In this section we introduce three pre-orders on Stat. The first pre-order ⊑B was proposed by Back [Bac78, Bac80] and is suited for refinement (see [Bac90] and also [Mor87, MRG88]). The second pre-order ⊑D is a new ordering which preserves deadlocks: a non-miraculous statement can not be refined by a miraculous one. Both are defined by means of weakest preconditions:
S1 ⊑B S2 ⇔def ∀Q ∈ Pred : wp(S1)(Q) ⇒ wp(S2)(Q), and
S1 ⊑D S2 ⇔def S1 ⊑B S2 ∧ wp(S1)(false) = wp(S2)(false).
For the third pre-order we need weakest liberal preconditions of statements. The definition of wlp : Stat → (Pred → Pred) is similar to that of wp given in Definition 2.3, except for the cases
wlp(div)(Q) = true, and
wlp(S1 ◇ S2)(Q) = wlp(S1)(Q) ∧ (wp(S1)(false) ⇒ wlp(S2)(Q)).
The next lemma, whose proof can be found in [Nel89], relates wp and wlp. It states the familiar termination law of Dijkstra.
Lemma 3.1. For every statement S ∈ Stat and predicate P ∈ Pred we have
wp(S)(P) ⇔ (wp(S)(true) ∧ wlp(S)(P)).
Since wp(S)(P) ⇒ wp(S)(true) by monotonicity of wp(S) we have that wp(S)(P) ⇒ wlp(S)(P) as a consequence of the lemma above. Now we can define the third pre-order, which was introduced in [Nel89]:
S1 ⊑N S2 ⇔def S1 ⊑B S2 ∧ ∀Q ∈ Pred : wlp(S2)(Q) ⇒ wlp(S1)(Q).
By definition we have that the Nelson pre-order ⊑N is included in the deadlock pre-order ⊑D, which in turn is included in the Back pre-order ⊑B. Moreover these inclusions are strict because of the following inequalities:
v := t ⊑B (false →) but v := t ⋢D (false →),
v := t1 □ v := t2 ⊑D v := t2 but v := t1 □ v := t2 ⋢N v := t2.
We have the following problems with monotonicity:
(true →) ⊑B (false →) but (true →) ◇ v := t ⋢B (false →) ◇ v := t,
(v := t1 □ v := t2) ⊑D v := t2 but for t1 ≠ t2 we have
(v := t1 □ v := t2); (v = t1 →) ⋢D v := t2; (v = t1 →).
Theorem 3.2. Let Si, Si' ∈ Stat for i ∈ I where I is a non-empty index set, and let also S1, S2, S1', S2' ∈ Stat.
(i) If Si ⊑B Si' for all i ∈ I then □_{i∈I} Si ⊑B □_{i∈I} Si',
(ii) if Si ⊑D Si' for all i ∈ I then □_{i∈I} Si ⊑D □_{i∈I} Si',
(iii) if Si ⊑N Si' for all i ∈ I then □_{i∈I} Si ⊑N □_{i∈I} Si',
(iv) if S1 ⊑B S1' and S2 ⊑B S2' then S1; S2 ⊑B S1'; S2',
(v) if S1 ⊑D S1' and S2 ⊑D S2' then S1 ◇ S2 ⊑D S1' ◇ S2',
(vi) if S1 ⊑N S1' and S2 ⊑N S2' then S1; S2 ⊑N S1'; S2', and S1 ◇ S2 ⊑N S1' ◇ S2'.
Proof. For the pre-orders ⊑B and ⊑N we refer to [BW90] and [Nel89], respectively. We prove only (ii) and (v).
Let I be a non-empty index set and let Si, Si' ∈ Stat be statements for each i ∈ I such that Si ⊑D Si'. Since Si ⊑D Si' implies Si ⊑B Si' we have that wp(□_{i∈I} Si)(P) ⇒ wp(□_{i∈I} Si')(P) for every predicate P ∈ Pred because □ is monotone with respect to the pre-order ⊑B. Next we prove wp(□_{i∈I} Si)(false) = wp(□_{i∈I} Si')(false) in order to conclude □_{i∈I} Si ⊑D □_{i∈I} Si'.
wp(□_{i∈I} Si)(false) = ⋀_{i∈I} wp(Si)(false)
= ⋀_{i∈I} wp(Si')(false)   (Si ⊑D Si')
= wp(□_{i∈I} Si')(false).
Let now S1, S2, S1', and S2' ∈ Stat be statements such that S1 ⊑D S1' and S2 ⊑D S2'. We first prove wp(S1 ◇ S2)(false) = wp(S1' ◇ S2')(false).
wp(S1 ◇ S2)(false) = wp(S1)(false) ∧ (wp(S1)(false) ⇒ wp(S2)(false))
= wp(S1)(false) ∧ wp(S2)(false)
= wp(S1')(false) ∧ wp(S2')(false)
= wp(S1' ◇ S2')(false).
It remains to prove that wp(S1 ◇ S2)(P) ⇒ wp(S1' ◇ S2')(P) for every P ∈ Pred.
wp(S1 ◇ S2)(P) = wp(S1)(P) ∧ (wp(S1)(false) ⇒ wp(S2)(P))
⇒ wp(S1')(P) ∧ (wp(S1')(false) ⇒ wp(S2')(P))
= wp(S1' ◇ S2')(P).
If we do not allow □ as an operator in the set of statements then all statements S are deterministic (that is, Op(S)() ∈ ∪ {⊥} or Op(S)() = ∅, for all states ). For this deterministic subset of Stat the ordering ⊑D is monotone.
3.1. Predicate Transformers
Next we define three domains of predicate transformers. A predicate transformer is a function : Pred → Pred. We consider multiplicative predicate transformers ( ∈) MPTran, that is, predicate transformers : Pred → Pred such that
(⋀_{i∈I} Qi) = ⋀_{i∈I} (Qi)
where I is a non-empty index set and Qi ∈ Pred for all i ∈ I. For every statement S ∈ Stat the function wp(S) as defined in Definition 2.3 is a multiplicative predicate transformer, as can be shown with some easy calculations. Moreover, if we extend the language with multiple assignment statements, then it is possible to prove that for every multiplicative predicate transformer ∈ MPTran there exists a statement S such that = wp(S) [Wri90].
A number of different restrictions on predicate transformers can be found in the literature. Next we give a list of some possible requirements on the function space Pred → Pred that are used in the various definitions:
1. is countable,
2. (false) = false (exclusion of miracles),
3. is monotone with respect to the ⇒ order,
4. is continuous with respect to the ⇒ order,
5. (P ∧ Q) = (P) ∧ (Q) for all P, Q ∈ Pred (finite multiplicativity),
6. (⋀_{n∈N>} Pn) = ⋀_{n∈N>} (Pn) where N> is the set of natural numbers greater than 0 and Pn ∈ Pred for all n ∈ N> (countable multiplicativity),
7. (⋀_{i∈I} Pi) = ⋀_{i∈I} (Pi) where I is an index set of the same cardinality as and Pi ∈ Pred for all i ∈ I ( -multiplicativity),
8. (⋀_{i∈I} Pi) = ⋀_{i∈I} (Pi) where I is a nonempty index set and Pi ∈ Pred for all i ∈ I (multiplicativity).
The kind of restrictions depends on the kind of (specification) language one wants to model. For example in [Dij76] predicate transformers satisfy the properties 1.-5. and are used to model a language with at most a countable number of states and with finite nondeterministic demonic choice. In [Wan77, Plo79] predicate transformers satisfy the properties 1., 2., 4. and 5. For countable nondeterminism predicate transformers are required to satisfy the properties 1., 2. and 6. in [Bes83] and [AP86]. Finally, for a rich specification language with both unbounded angelic and demonic choice in [BW90] predicate transformers are required to satisfy only property 3. Multiplicative predicate transformers are of special interest for our purpose because of the following lemma. This lemma is a variation of the stability lemma in [AP86]:
Lemma 3.3. Let : Pred → Pred be a -multiplicative predicate transformer and let ∈ be such that ∈ (true). Then there is a set min(, ) ⊆ such that
∀Q ∈ Pred : ∈ (Q) ⇔ (min(, ) ⇒ Q).
Proof. Let I be an index set of the same cardinality as and let (i)_{i∈I} be a collection of elements of for which there is a predicate Q ∈ Pred with i ∉ Q but ∈ (Q). If there is no such Q then take min(, ) = . Also, let (Qi)_{i∈I} be a collection of predicates such that for all i ∈ I, i ∉ Qi but ∈ (Qi). Define min(, ) = ⋀_{i∈I} Qi. We have to show that
∀Q ∈ Pred : ∈ (Q) ⇔ (min(, ) ⇒ Q).
From right to left we use that is a -multiplicative predicate transformer and that ∈ (Qi) for all i ∈ I. Hence ∈ ⋀_{i∈I} (Qi) = (⋀_{i∈I} Qi). But ⋀_{i∈I} Qi = min(, ), and thus ∈ (min(, )) (consider min(, ) as a predicate). Hence (min(, )) ⇒ (Q) because is monotone. Since ∈ (min(, )), we obtain ∈ (Q).
Conversely, suppose that ∈ (Q), but that min(, ) ⇏ Q. This means that there is a ' in min(, ) and ' ∉ Q. Hence ' must be a k for some k ∈ I. But then k ∉ Qk and min(, ) = ⋀_{i∈I} Qi ⇒ Qk contradicts k = ' ∈ min(, ).
Note that if a predicate transformer satisfies the law of excluded miracles, then for all ∈ the set min(, ) is non-empty. The next lemma gives some of the relationships between the restrictions on Pred → Pred.
Lemma 3.4. Let be a countable set of states and let 1.-8. be the list of properties defined above. Then we have
(4. ∧ 5.) ⇒ 6. ⇔ 7. ⇔ 8. ⇒ 3.
Proof. For a proof of (4. ∧ 5.) ⇒ 8. see [Bes83]. We prove only 7. ⇒ 8. The other implications are clear and are left to the reader.
Let (Pi)_{i∈I} be a set of predicates on where I ≠ ∅ (but possibly, I is uncountable) and let be a predicate transformer satisfying the -multiplicativity law. It suffices to prove ⋀_{i∈I} (Pi) ⇒ (⋀_{i∈I} Pi) since the other direction is trivial. Let ∈ ⋀_{i∈I} (Pi). Then ∈ (Pi) for each i ∈ I and hence by Lemma 3.3 this is equivalent to min(, ) ⇒ Pi for each i ∈ I. But then min(, ) ⇒ ⋀_{i∈I} Pi. Applying Lemma 3.3 in the other direction we obtain ∈ (⋀_{i∈I} Pi). Therefore ⋀_{i∈I} (Pi) ⇒ (⋀_{i∈I} Pi).
Notice that if is uncountable then (4. ∧ 5.) ⇒ 8. ⇔ 7. ⇒ 6. ⇒ 3. and that in this case the first implication needs the axiom of choice [BK93].
Next we define the three domains of predicate transformers (with associated orders) which we will use in the rest of the paper.
Definition 3.5. We define MPTran_B and MPTran_D to be the set of multiplicative predicate transformers MPTran ordered by
1 ⊑PB 2 ⇔def ∀Q ∈ Pred : 1(Q) ⇒ 2(Q),
1 ⊑PD 2 ⇔def ∀Q ∈ Pred : (1(Q) ⇒ 2(Q)) ∧ (1(false) = 2(false)).
Notice that for all statements S1, S2 ∈ Stat we have S1 ⊑B S2 if and only if wp(S1) ⊑PB wp(S2). Also, S1 ⊑D S2 if and only if wp(S1) ⊑PD wp(S2). In order to deal with pairs of predicate transformers define the Nelson predicate transformers NPTran to be the set of pairs of predicate transformers (1, 2) such that
(i) 1, 2 ∈ MPTran,
(ii) 2(true) = true, and
(iii) 1(Q) = 1(true) ∧ 2(Q) for all predicates Q ∈ Pred.
For every S ∈ Stat the pair (wp(S), wlp(S)) is a Nelson predicate transformer by Lemma 3.1. Notice also that the pairwise composition of two Nelson predicate transformers gives again a Nelson predicate transformer.
The Nelson predicate transformers NPTran can be turned into the poset NPTran_N using the following order:
(1, 2) ⊑PN (1', 2') ⇔def ∀Q ∈ Pred : (1(Q) ⇒ 1'(Q)) ∧ (2'(Q) ⇒ 2(Q)).
As above we have S1 ⊑N S2 if and only if (wp(S1), wlp(S1)) ⊑PN (wp(S2), wlp(S2)) for all statements S1, S2 ∈ Stat.
4. Recursion
In this section we add recursion to the language. In the first subsection we show that under certain conditions fixed points of non-monotonic functions exist and that they can be obtained by iteration. In the second subsection, we extend the class of statements with procedure variables in order to support recursion. Then we apply the main results of the first subsection to give meaning to procedure variables via fixed points of non-monotone functions.
4.1. Order Theory
We first recall some of the standard notions in domain theory. A good reference for domain theory is [Plo81]. Let P be a poset and S be a non-empty subset of P. Then S is said to be directed if every finite subset of S has an upper bound. A poset P is called directed complete (dcpo) if every directed subset S ⊆ P has least upper bound ⨆S ∈ P. It is pointed if there exists a least element ⊥. All dcpo's we consider in this paper are pointed.
A non-empty subset A of a poset P is called an antichain if for all a, b ∈ A such that a ⊑ b or b ⊑ a then a = b; an antichain A is an upper fringe of P if x ⊑ a for all x ∈ P \ A and for all a ∈ A. Dually, an antichain A is a lower fringe of P if a ⊑ x for all x ∈ P \ A and for all a ∈ A. An upper (lower) fringe is the set of maximal (minimal) elements of P.
For example, for any set X, the flat dcpo X⊥ is the set X ∪ {⊥} ordered by x ⊑ y if and only if x = ⊥ or x = y. Then all subsets A of X, and {⊥} are antichains, the set X is the only upper fringe while {⊥} is the only lower fringe.
In general, for a poset P, if A ⊆ P is an upper or lower fringe then it is unique. Also, if P has a top element ⊤ then {⊤} is the upper fringe, and dually if P has a bottom element ⊥ then {⊥} is the lower fringe.
Let P, Q be two posets. A function f : P → Q is monotone if x ⊑P y implies f(x) ⊑Q f(y) for all x, y ∈ P. Moreover, f is continuous if f(⨆S) = ⨆f(S) for each directed set S ⊆ P with least upper bound ⨆S ∈ P. The function f is strict if f(⊥) = ⊥. If f is continuous then it is also monotone. If f is onto and monotone then it is also strict. For a function g : P → P, we denote by g ∈ P its least fixed point, that is, g( g) = g and for every other x ∈ P if g(x) = x then g ⊑ x. For a function f : P → Q between two posets P and Q we denote by f⁻¹(y) the poset that has elements x ∈ f⁻¹(y) ⊆ P ordered as in P, that is, for each x1, x2 ∈ f⁻¹(y), x1 ⊑ x2 ⇔ x1 ⊑P x2.
The following lemma will be useful later.
Lemma 4.1. Let P be a poset and f : P → P be a monotone function.
(i) If P has finite upper fringe A then there exist an a ∈ A and a natural number n > 0 such that f^n(a) ⊑ a.
(ii) If P has finite lower fringe A then there exist an a ∈ A and a natural number n > 0 such that a ⊑ f^n(a).
(iii) If every antichain of P is finite then there exist an x ∈ P and a natural number n > 0 such that either x ⊑ f^n(x) or f^n(x) ⊑ x.
Proof. We prove only the first item, the other two items are left to the reader. Let A be the finite upper fringe of P and assume it has cardinality k with k > 0 because A is non-empty. Take a ∈ A and consider the set S = { f^n(a) | 0 < n ≤ k + 1 }. If S ∩ (P \ A) ≠ ∅ then there exists a f^n(a) ∈ S such that f^n(a) ∈ P \ A. But A is the upper fringe of P and hence f^n(a) ⊑ a. Otherwise S ∩ (P \ A) = ∅, that is, S ⊆ A, and hence the cardinality of S is less than k. But this means that there exists m < n ≤ k + 1 such that f^m(a) = f^n(a) ∈ A, and hence f^{n-m}(f^m(a)) ⊑ f^m(a).
Next we turn to the existence of fixed points for a function f : P → P where P is a poset. For any ordinal define f^< > ∈ P by
f^< > = f(⨆_{k< } f^<k>).
Of course f^< > need not exist, since ⨆_{k< } f^<k> need not exist. Notice that f^<0> = f(⊥) when the least element ⊥ ∈ P exists since in this case the join over an empty index set is the bottom element. If P is a pointed dcpo and f is monotone then f^< > always exists. In this case there is an ordinal k such that whenever ≥ k we have f^< > = f^<k> [HP72].
The following theorem, taken from [AP81, AP86], shows that under certain circumstances g^< > always exists and stabilizes for a monotone function g : Q → Q even if Q is not a directed complete partial order:
Theorem 4.2. Let P and Q be two posets and f : P → P and g : Q → Q be two monotone functions such that there is another strict and continuous function h : P → Q which makes the following diagram commute:
P --f--> P
|        |
h        h
v        v
Q --g--> Q
Then if f^< > exists so does g^< >, and g^< > = h(f^< >). In particular if f exists (and hence f = f^< > for some ordinal ) then so does g and g = h( f). □
Several generalizations, where g is always a monotone function, and applications of this theorem (often called transfer lemma) can be found in [Mey85]. In the next theorem we show that we can drop the condition of g to be monotone provided that h satisfies some extra conditions.
Theorem 4.3. Let P be a pointed dcpo and Q be a poset. Let also f : P → P, g : Q → Q, and h : P → Q be three functions such that f is monotone, h is onto and continuous, and the following diagram commutes:
P --f--> P
|        |
h        h
v        v
Q --g--> Q
Then g^< > exists, and g^< > = h(f^< >). Moreover, if for each y ∈ Q the poset determined by h⁻¹(y) has either a finite upper fringe or a finite lower fringe or only finite antichains, then g exists and g = h( f).
Proof. Take for some ordinal the element f <> 2 P . It exists because P is
a pointed dcpo. We prove h(f <> ) = g <> for each ordinal by transnite
induction. Since h is strict we have h(f <0> ) = h(?) = ? = g <0>. Moreover
14
M. M. Bonsangue and J. N. Kok
$$\begin{aligned}
h(f^{<>}) &= h\Big(f\Big(\bigsqcup_{k<} f^{<k>}\Big)\Big) \\
&= g\Big(h\Big(\bigsqcup_{k<} f^{<k>}\Big)\Big) && \text{commutativity of the diagram} \\
&= g\Big(\bigsqcup_{k<} h(f^{<k>})\Big) && h \text{ is continuous and onto} \\
&= g\Big(\bigsqcup_{k<} g^{<k>}\Big) && \text{induction hypothesis} \\
&= g^{<>}.
\end{aligned}$$
Note that the continuity and strictness of $h$ are essential for the existence of $\bigsqcup_{k<} g^{<k>}$. Let now the least fixed point of $f$ be $f^{<>}$ for some ordinal. We have
$$g^{<>} = h(f^{<>}) = h(f^{<+1>}) = h(f(f^{<>})) = g(h(f^{<>})) = g(g^{<>}).$$
So $g^{<>}$ is a fixed point of $g$. In [AP86] this is enough to conclude that $g^{<>}$ is the least fixed point of $g$, because there $g$ is monotone. In our case, we still have to prove it. Let $y \in Q$ be another fixed point of $g$, that is, $g(y) = y$, and consider the partial order generated by $h^{-1}(y)$. There are three cases:
(i) $h^{-1}(y)$ has the finite upper fringe $A$.
By Lemma 4.1 there exist $a \in A$ and a natural number $n > 0$ such that $f^n(a) \sqsubseteq a$. By transfinite induction we prove $f^{<>} \sqsubseteq a$ for each ordinal. Indeed, for the ordinal $0$ we have $f^{<0>} = \bot \sqsubseteq a$. Assume now an ordinal greater than $0$. We have by the induction hypothesis that $f^{<k>} \sqsubseteq a$ for all smaller ordinals $k$, and hence
$$\begin{aligned}
\forall k< : f^{<k>} \sqsubseteq a &\Rightarrow \bigsqcup_{k<} f^{<k>} \sqsubseteq a \\
&\Rightarrow f\Big(\bigsqcup_{k<} f^{<k>}\Big) \sqsubseteq f(a) && \text{monotonicity of } f \\
&\Rightarrow f^{<>} \sqsubseteq f(a) && \text{definition of } f^{<>} \\
&\Rightarrow \forall k \le\ : f^{<k>} \sqsubseteq f(a) && f^{<k>} \sqsubseteq f^{<>} \\
&\Rightarrow \bigsqcup_{k<+1} f^{<k>} \sqsubseteq f(a) \\
&\Rightarrow f\Big(\bigsqcup_{k<+1} f^{<k>}\Big) \sqsubseteq f^2(a) && \text{monotonicity of } f \\
&\Rightarrow f^{<+1>} \sqsubseteq f^2(a) \\
&\Rightarrow f^{<+n-1>} \sqsubseteq f^n(a) \\
&\Rightarrow f^{<>} \sqsubseteq f^n(a) && f^{<>} \sqsubseteq f^{<+n-1>} \\
&\Rightarrow f^{<>} \sqsubseteq a && f^n(a) \sqsubseteq a.
\end{aligned}$$
Hence also the least fixed point $f^{<>}$ of $f$ satisfies $f^{<>} \sqsubseteq a$, and by monotonicity of $h$:
$$g^{<>} = h(f^{<>}) \sqsubseteq h(a) = y.$$
Therefore $g^{<>} = h(f^{<>})$, which is $h$ applied to the least fixed point of $f$, is the least fixed point of $g$.
(ii) $h^{-1}(y)$ has the finite lower fringe $A$.
By Lemma 4.1 there exist an $a \in A$ and a natural number $n > 0$ such that $a \sqsubseteq f^n(a)$. Define for each ordinal $\tilde f^{<>} \in P$ by
$$\tilde f^{<>} = \begin{cases} a & \text{for the ordinal } 0 \\ f^n\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) & \text{otherwise.} \end{cases}$$
Note that $\tilde f^{<>}$ is always defined since $P$ is a pointed dcpo and $\{\tilde f^{<k>} \mid k <\ \}$ is directed, because by transfinite induction $\tilde f^{<>} \sqsubseteq \tilde f^{<+1>}$. Indeed, for the ordinal $0$ we have $\tilde f^{<0>} = a \sqsubseteq f^n(a) = \tilde f^{<1>}$. Hence for an ordinal greater than $0$ we have by induction hypothesis that $\tilde f^{<k>} \sqsubseteq \tilde f^{<k+1>}$ for every smaller $k$. But then we have
$$\begin{aligned}
\forall k< : \tilde f^{<k>} \sqsubseteq \tilde f^{<k+1>} &\Rightarrow \bigsqcup_{k<} \tilde f^{<k>} \sqsubseteq \bigsqcup_{k<} \tilde f^{<k+1>} \\
&\Rightarrow \bigsqcup_{k<} \tilde f^{<k>} \sqsubseteq \bigsqcup_{k<+1} \tilde f^{<k>} \\
&\Rightarrow_1 f^n\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \sqsubseteq f^n\Big(\bigsqcup_{k<+1} \tilde f^{<k>}\Big) \\
&\Rightarrow \tilde f^{<>} \sqsubseteq \tilde f^{<+1>}
\end{aligned}$$
where $\Rightarrow_1$ holds because $f^n$ is monotone.
Using transfinite induction, we prove now that $h(\tilde f^{<>}) = y$ for each ordinal. For the ordinal $0$ we have $h(\tilde f^{<0>}) = h(a) = y$, while for an ordinal greater than $0$ we have
$$\begin{aligned}
h(\tilde f^{<>}) &= h\Big(f^n\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big)\Big) \\
&= h\Big(f\Big(f^{n-1}\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big)\Big)\Big) \\
&= g\Big(h\Big(f^{n-1}\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big)\Big)\Big) && \text{commutativity of the diagram} \\
&= g^n\Big(h\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big)\Big) && \text{iterating the last step} \\
&= g^n\Big(\bigsqcup_{k<} h(\tilde f^{<k>})\Big) && h \text{ is continuous} \\
&= g^n\Big(\bigsqcup_{k<} y\Big) && \text{induction hypothesis} \\
&= g^n(y) \\
&= y && g(y) = y.
\end{aligned}$$
Next we prove by transfinite induction that $f^{<>} \sqsubseteq \tilde f^{<>}$ for each ordinal. For the ordinal $0$ we have $f^{<0>} = \bot \sqsubseteq a = \tilde f^{<0>}$. Assume now an ordinal greater than $0$. By the induction hypothesis $f^{<k>} \sqsubseteq \tilde f^{<k>}$ for all smaller $k$. But then
$$\begin{aligned}
\forall k< : f^{<k>} \sqsubseteq \tilde f^{<k>} &\Rightarrow \bigsqcup_{k<} f^{<k>} \sqsubseteq \bigsqcup_{k<} \tilde f^{<k>} \\
&\Rightarrow f\Big(\bigsqcup_{k<} f^{<k>}\Big) \sqsubseteq f\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow f^{<>} \sqsubseteq f\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow_1 \forall k \le\ : f^{<k>} \sqsubseteq f\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow \bigsqcup_{k<+1} f^{<k>} \sqsubseteq f\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow f\Big(\bigsqcup_{k<+1} f^{<k>}\Big) \sqsubseteq f^2\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow f^{<+1>} \sqsubseteq f^2\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow_2 f^{<+n-1>} \sqsubseteq f^n\Big(\bigsqcup_{k<} \tilde f^{<k>}\Big) \\
&\Rightarrow f^{<+n-1>} \sqsubseteq \tilde f^{<>} \\
&\Rightarrow f^{<>} \sqsubseteq \tilde f^{<>},
\end{aligned}$$
where $\Rightarrow_1$ holds because $f^{<>}$ is monotone in the ordinal and $\Rightarrow_2$ is obtained by iterating the previous 5 steps. Applying this last result to the ordinal at which $f$ reaches its least fixed point we obtain the following:
$$\begin{aligned}
f^{<>} \sqsubseteq \tilde f^{<>} &\Rightarrow h(f^{<>}) \sqsubseteq h(\tilde f^{<>}) \\
&\Rightarrow g^{<>} \sqsubseteq h(\tilde f^{<>}) && \text{definition of } g^{<>} \\
&\Rightarrow g^{<>} \sqsubseteq y && h(\tilde f^{<>}) = y.
\end{aligned}$$
Therefore $g^{<>} = h(f^{<>})$, which is $h$ applied to the least fixed point of $f$, is the least fixed point of $g$.
(iii) Every antichain in $h^{-1}(y)$ is finite.
By Lemma 4.1 there exist $a \in h^{-1}(y)$ and a natural number $n > 0$ such that $f^n(a) \sqsubseteq a$ or $a \sqsubseteq f^n(a)$. In the first case the proof is as in case (i), where $h^{-1}(y)$ has the finite upper fringe; otherwise the proof is as in case (ii), where $h^{-1}(y)$ has the finite lower fringe.
Note that even if $g$ is not monotone, the theorem above ensures the existence of a least fixed point for $g$ and, moreover, that it can be obtained by iteration, since $g^{<>}$ exists for all ordinals. By a similar proof we can show that $P$ need not be a pointed dcpo and $h$ need not be continuous for the existence of the least fixed point of $g$, provided that for all $y \in Q$ the upper fringe of $h^{-1}(y)$ exists and is finite. This does not hold in case $h^{-1}(y)$ has the finite lower fringe or only finite antichains, because we need both the completeness of $P$ and the continuity of $h$ to prove that $h$ applied to the least fixed point of $f$ is the least fixed point of $g$. Without these two conditions we can only prove that it is a fixed point of $g$.
Theorem 4.4. Let $P$ and $Q$ be two posets. Let also $f : P \to P$, $g : Q \to Q$, and $h : P \to Q$ be three functions such that $f$ is monotone, $h$ is onto and monotone, and for each $y \in Q$ the poset determined by $h^{-1}(y)$ has a finite upper fringe. Suppose also that the following diagram commutes (that is, $h \circ f = g \circ h$):
$$\begin{array}{ccc} P & \xrightarrow{\;f\;} & P \\ {\scriptstyle h}\big\downarrow & & \big\downarrow{\scriptstyle h} \\ Q & \xrightarrow{\;g\;} & Q \end{array}$$
Then if the least fixed point of $f$ exists so does that of $g$, and it equals $h$ applied to the least fixed point of $f$. Moreover, if $h$ is also continuous then for each ordinal, if $f^{<>}$ exists so does $g^{<>}$, and $g^{<>} = h(f^{<>})$.
Proof. Assume the least fixed point of $f$ exists, say it is $f^{<>}$ for some ordinal. We have by commutativity of the diagram:
$$h(f^{<>}) = h(f^{<+1>}) = h(f(f^{<>})) = g(h(f^{<>})).$$
So $h(f^{<>})$ is a fixed point of $g$. It remains to prove that $h(f^{<>})$ is the least such. Let $y \in Q$ be another fixed point of $g$; since $h^{-1}(y)$ has a finite upper fringe $A$, there exist an $a \in A \subseteq h^{-1}(y)$ and a natural number $n > 0$ such that $f^n(a) \sqsubseteq a$. First note that $f^n(a) \in h^{-1}(y)$:
$$h(f^n(a)) = h(f(f^{n-1}(a))) = g(h(f^{n-1}(a))) = \dots = g^n(y) = y$$
by the commutativity of the diagram and because $y$ is a fixed point of $g$. Next, using the same proof as in Theorem 4.3 (case (i), $h^{-1}(y)$ has the finite upper fringe) we can prove by transfinite induction that $f^{<>} \sqsubseteq a$ for each ordinal. Therefore also the least fixed point $f^{<>}$ satisfies $f^{<>} \sqsubseteq a$, and hence by monotonicity of $h$:
$$h(f^{<>}) \sqsubseteq h(a) = y,$$
that is, $h(f^{<>})$, which is $h$ applied to the least fixed point of $f$, is the least fixed point of $g$.
Suppose now that $f^{<>}$ exists for some ordinal and $h$ is also continuous. As in the first part of the proof of Theorem 4.3 we obtain $h(f^{<>}) = g^{<>}$.
In the following we present a number of examples in which we show that the
conditions of Theorem 4.3 cannot be weakened.
(i) Let $P$ be the flat dcpo $\{x\}_\bot$ and $Q$ be the flat dcpo $\{a, b\}_\bot$. Consider the following three functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:
$$\begin{array}{lll} f(\bot) = x & g(\bot) = a & h(\bot) = \bot \\ f(x) = x & g(a) = a & h(x) = a. \\ & g(b) = b & \end{array}$$
The function $f$ is monotone and has least fixed point $x$. Also the function $h$ is monotone, strict, and for each $y \in Q$, $h^{-1}(y)$ has the upper fringe, the lower fringe and every antichain is finite. However it is not onto and, although $g$ (non-monotone) makes the diagram of the theorem commute, we have that $g$ has two incomparable fixed points, namely $a$ and $b$.
(ii) Let $P = \{x, y, \bot\}$ be the pointed dcpo with $\bot \sqsubseteq x \sqsubseteq y$ and let $Q$ be the flat dcpo $\{a, b\}_\bot$. Consider the following functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:
$$\begin{array}{lll} f(\bot) = x & g(\bot) = a & h(\bot) = \bot \\ f(x) = x & g(a) = a & h(x) = a \\ f(y) = y & g(b) = b & h(y) = b. \end{array}$$
The function $f$ is monotone and has least fixed point $x$. The function $h$ is strict, onto, and for each $y \in Q$, $h^{-1}(y)$ has the finite upper fringe, the finite lower fringe and every antichain is finite. However $h$ is not monotone (and hence not continuous) because $x \sqsubseteq y$ but $h(x) = a \not\sqsubseteq b = h(y)$. Although $g$ (non-monotone) makes the diagram commute, we have that $g$ has two different and incomparable fixed points, namely $a$ and $b$.
(iii) Let $P = \{x_i \mid i \ge 0\} \cup \{x_\omega\}$ be the dcpo with the following order:
$$(\forall i \le j : x_i \sqsubseteq x_j) \wedge (\forall i \ge 0 : x_i \sqsubseteq x_\omega) \wedge x_\omega \sqsubseteq x_\omega.$$
Also, let $Q$ be the flat domain $\{a\}_\bot$ and consider the following functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:
$$\begin{array}{lll} f(x_i) = x_{i+1} & g(\bot) = \bot & h(x_i) = \bot \\ f(x_\omega) = x_\omega & g(a) = a & h(x_\omega) = a. \end{array}$$
The function $f$ is monotone and has least fixed point $x_\omega$. The function $h$ is onto, monotone, and for each $y \in Q$, $h^{-1}(y)$ has the finite lower fringe and every antichain is finite. However $h$ is not continuous because $x_\omega = \bigsqcup x_i$ but $h(x_\omega) = a \ne \bot = \bigsqcup h(x_i)$. Although $g$ makes the diagram commute and has least fixed point $\bot$, we have that $\bot \ne a = h(x_\omega)$, which is $h$ applied to the least fixed point of $f$. Note that there is no upper fringe as required by Theorem 4.4.
(iv) Let $P = \{x_i \mid i \ge 0\} \cup \{x_\omega, x_{\omega+1}\} \cup \{y_i \mid i \ge 0\}$ be the dcpo where
$$(\forall i \le j : x_i \sqsubseteq y_j \wedge x_i \sqsubseteq x_j),\quad (\forall i \ge 0 : x_i \sqsubseteq x_\omega \wedge x_i \sqsubseteq x_{\omega+1} \wedge y_i \sqsubseteq y_i),\quad x_\omega \sqsubseteq x_\omega \wedge x_{\omega+1} \sqsubseteq x_{\omega+1} \wedge x_\omega \sqsubseteq x_{\omega+1},$$
and let $Q$ be the flat domain $\{a, b\}_\bot$. Consider the following three functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:
$$\begin{array}{lll} f(x_i) = x_{i+1} & g(\bot) = a & h(x_i) = \bot \\ f(y_i) = y_{i+1} & g(a) = a & h(y_i) = b \\ f(x_\omega) = x_{\omega+1} & g(b) = b & h(x_\omega) = \bot \\ f(x_{\omega+1}) = x_{\omega+1} & & h(x_{\omega+1}) = a. \end{array}$$
The function $f$ is monotone and has least fixed point $x_{\omega+1}$. The function $h$ is onto, monotone and continuous, but $h^{-1}(\bot)$ has neither the finite upper fringe nor the finite lower fringe, and not all of its antichains are finite. Although $g$ (non-monotone) makes the diagram commute, it has two incomparable fixed points, namely $a$ and $b$.
We have seen in Theorem 4.3 that the property of a monotone function $f : P \to P$ of having a least fixed point is transferred to a function $g : Q \to Q$, which in general need not be monotone (and hence not continuous), via an onto function $h : P \to Q$. It is not hard to see that the function $g$ preserves the order between any $y_1$ and $y_2$ with $y_1 \sqsubseteq y_2$ if there exist $x_1 \in h^{-1}(y_1)$ and $x_2 \in h^{-1}(y_2)$ such that $x_1 \sqsubseteq x_2$. A similar result holds also for the transfer of the continuity property from $f$ to $g$.
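The following Python script is an added example, not code from the paper: it carries out the transfer of Theorem 4.3 on two constructed finite posets. $f$ is monotone on $P$, $h$ is onto and (trivially, since everything is finite) continuous, each $h^{-1}(y)$ is a single element, and $g = h \circ f \circ h^{-1}$ is deliberately not monotone on $Q$. The chain $g^{<0>}, g^{<1>}, \dots$ is computed exactly as $f^{<n>} = f(\bigsqcup_{k<n} f^{<k>})$ from the least element, and the script checks that it equals $h$ applied to the chain of $f$ and ends in the least fixed point of $g$. The posets, functions and element names are all assumptions made here.

```python
"""Least fixed points transferred along an onto map (Theorem 4.3), on finite posets.

Added example, not code from the paper: the posets P and Q, the functions
f, g, h and the element names are constructed here.  The chain f^{<0>},
f^{<1>}, ... is computed as in Section 4.1, i.e. f^{<n>} = f(join of
{f^{<k>} : k < n}), the join over the empty index set being the bottom element.
"""


class FinitePoset:
    """A finite poset given by its elements and generating order pairs."""

    def __init__(self, elements, below):
        self.elements = list(elements)
        rel = {(a, a) for a in self.elements} | set(below)
        changed = True                      # reflexive-transitive closure
        while changed:
            changed = False
            for (a, b) in list(rel):
                for (c, d) in list(rel):
                    if b == c and (a, d) not in rel:
                        rel.add((a, d))
                        changed = True
        self.rel = rel

    def leq(self, a, b):
        return (a, b) in self.rel

    def bottom(self):
        bots = [a for a in self.elements if all(self.leq(a, b) for b in self.elements)]
        return bots[0] if bots else None

    def is_directed(self, subset):
        return all(any(self.leq(a, c) and self.leq(b, c) for c in subset)
                   for a in subset for b in subset)

    def join(self, subset):
        """Least upper bound of subset, or None if it does not exist."""
        ubs = [u for u in self.elements if all(self.leq(s, u) for s in subset)]
        lubs = [u for u in ubs if all(self.leq(u, v) for v in ubs)]
        return lubs[0] if lubs else None


def is_monotone(fn, src, dst):
    """fn is a dict mapping src.elements into dst.elements."""
    return all(dst.leq(fn[a], fn[b]) for (a, b) in src.rel)


def commutes(f, g, h):
    """h o f == g o h on every element of the domain of f."""
    return all(h[f[x]] == g[h[x]] for x in f)


def iterate(poset, fn, steps):
    """[fn^{<0>}, ..., fn^{<steps-1>}]; raises if a required join is missing."""
    chain = []
    for n in range(steps):
        if n == 0:
            s = poset.bottom()              # join over an empty index set
        else:
            if not poset.is_directed(chain):
                raise ValueError("iterates are not directed")
            s = poset.join(chain)
            if s is None:
                raise ValueError("join of the iterates does not exist")
        chain.append(fn[s])
    return chain


def least_fixed_point(poset, fn):
    """Brute force: the fixed point lying below every other fixed point, if any."""
    fps = [a for a in poset.elements if fn[a] == a]
    least = [a for a in fps if all(poset.leq(a, b) for b in fps)]
    return least[0] if least else None


# Constructed instance.  P: bot <= a <= p and a <= q, with p and q incomparable.
P = FinitePoset(["bot", "a", "p", "q"], [("bot", "a"), ("a", "p"), ("a", "q")])
f = {"bot": "a", "a": "a", "p": "q", "q": "p"}        # monotone; swaps p and q

# Q: the chain bot <= u <= v <= w.  h is onto and continuous, and every
# h^{-1}(y) is a single element, so the finite-upper-fringe condition holds.
Q = FinitePoset(["bot", "u", "v", "w"], [("bot", "u"), ("u", "v"), ("v", "w")])
h = {"bot": "bot", "a": "u", "p": "v", "q": "w"}
g = {"bot": "u", "u": "u", "v": "w", "w": "v"}        # h o f == g o h, yet g swaps v and w


def demo():
    """The two iteration chains and the checks of the theorem's hypotheses."""
    f_chain = iterate(P, f, 4)
    g_chain = iterate(Q, g, 4)              # exists although g is not monotone
    return {
        "f_monotone": is_monotone(f, P, P),
        "h_monotone": is_monotone(h, P, Q),
        "g_monotone": is_monotone(g, Q, Q),
        "diagram_commutes": commutes(f, g, h),
        "f_chain": f_chain,
        "g_chain": g_chain,
        "g_chain_is_h_of_f_chain": g_chain == [h[x] for x in f_chain],
        "lfp_f": least_fixed_point(P, f),
        "lfp_g": least_fixed_point(Q, g),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Replacing `g` by a version that does not commute with `h` (for instance mapping `w` to `bot`) makes `commutes` fail, and then nothing guarantees that iterating from `bot` reaches a fixed point of `g` at all; the point of Theorem 4.3 is that the commuting square and the fringe condition on `h` are what rescue the non-monotone `g`.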
4.2. Procedure Variables and Recursion
Next we add recursion to the language. Let $(x \in) PVar$ be the set of procedure variables. We remove $div$ and add procedure variables to the class of statements $Stat$. This gives a new class of statements $Stat^+$:
$$S ::= v := t \mid b \to \mid x \mid S_1 ; S_2 \mid \square_{i \in I} S_i \mid S_1 \Diamond S_2$$
where $I$ is a non-empty index set. A declaration $(d \in) Decl : PVar \to Stat^+$ assigns to each procedure variable a statement, possibly containing procedure variables. For example Dijkstra's guarded command $do\ b \to S\ od$ is equivalent to the procedure variable $x$ with body $((b \to ; S) ; x) \Diamond (true \to)$.
For the semantics we introduce the set of environments $Env = PVar \to MPTran$, which gives a predicate transformer for each procedure variable. We use environments to give the extension of $wp$ and $wlp$ to the new class of statements:
Definition 4.5. (Extension of wp) Let $wp : Stat^+ \to (Env \to MPTran)$, for an environment in $Env$ and a non-empty index set $I$, be defined by
$$\begin{aligned}
wp(v := t)()(Q) &= Q[t/v] \\
wp(b \to)()(Q) &= b \Rightarrow Q \\
wp(x)()(Q) &= (x)(Q) \\
wp(S_1 ; S_2)()(Q) &= wp(S_1)()(wp(S_2)()(Q)) \\
wp(\square_{i \in I} S_i)()(Q) &= \bigwedge_{i \in I} wp(S_i)()(Q) \\
wp(S_1 \Diamond S_2)()(Q) &= wp(S_1)()(Q) \wedge (wp(S_1)()(false) \Rightarrow wp(S_2)()(Q)).
\end{aligned}$$
The weakest liberal precondition $wlp : Stat^+ \to (Env^\top \to MPTran)$ is defined similarly, with the only difference being that
$$wlp(S_1 \Diamond S_2)()(Q) = wlp(S_1)()(Q) \wedge (wp(S_1)()(false) \Rightarrow wlp(S_2)()(Q)),$$
where $Env^\top \subseteq Env$ is the set of environments such that for every $x \in PVar$ the predicate transformer $(x)$ is top preserving, that is, $(x)(true) = true$.
The idea is to consider pairs of environments $(_1, _2) \in Env \times Env$ such that $(_1(x), _2(x)) \in NPTran$ for every $x \in PVar$.
We associate to a declaration an environment by means of a fixed point construction. In order to do this we define the posets $Env_B$, $Env_D$ and $Env_N$ as the following function spaces (ordered pointwise):
$$Env_B = PVar \to MPTran_B, \qquad Env_D = PVar \to MPTran_D, \qquad Env_N = PVar \to NPTran_N.$$
Define now for every declaration $d \in Decl$ and $x \in PVar$ the higher order functions ${}_B : Decl \to (Env_B \to Env_B)$, ${}_D : Decl \to (Env_D \to Env_D)$, and ${}_N : Decl \to (Env_N \to Env_N)$ by
$$\begin{aligned}
{}_B(d)()(x) &= wp(d(x))() && \text{for an environment in } Env_B, \\
{}_D(d)()(x) &= wp(d(x))() && \text{for an environment in } Env_D, \\
{}_N(d)(_1, _2)(x) &= (wp(d(x))(_1),\ wlp(d(x))(_2)) && \text{for } (_1, _2) \in Env_N.
\end{aligned}$$
Using the examples preceding Theorem 3.2, we see that for a fixed declaration $d$ the functions ${}_B(d)$ and ${}_D(d)$ are not always monotone, while the function ${}_N(d)$ is monotone. The poset $Env_N$ is pointed and directed complete since $NPTran_N$ is pointed and directed complete, the latter being a consequence of Theorem 5.7.
For every environment $(_1, _2) \in Env_N$ the projection on its first component defines two functions: $h_{NB} : Env_N \to Env_B$ and $h_{ND} : Env_N \to Env_D$. They are continuous, onto, and have a finite upper fringe for every environment in $Env_B$ or in $Env_D$. Moreover, for a fixed declaration $d$ we have that
$$h_{NB} \circ {}_N(d) = {}_B(d) \circ h_{NB} \quad\text{and also}\quad h_{ND} \circ {}_N(d) = {}_D(d) \circ h_{ND}.$$
Hence by Theorem 4.3 the functions ${}_B(d)$, ${}_D(d)$ and ${}_N(d)$ have least fixed points, which can be obtained by iteration from the bottom elements. This yields three weakest (liberal) precondition semantics.
Definition 4.6. Let $S \in Stat^+$, $d \in Decl$. We define the weakest precondition semantics $Wp_B : Stat^+ \to (Decl \to MPTran)$, $Wp_D : Stat^+ \to (Decl \to MPTran)$ and $Wp_N : Stat^+ \to (Decl \to NPTran)$ by
$$\begin{aligned}
Wp_B(S)(d) &= wp(S)({}_B(d)), \\
Wp_D(S)(d) &= wp(S)({}_D(d)), \\
Wp_N(S)(d) &= (wp(S)(_1),\ wlp(S)(_2)), \quad \text{where } {}_N(d) = (_1, _2),
\end{aligned}$$
in which ${}_B(d)$, ${}_D(d)$ and ${}_N(d)$ here stand for the least fixed points obtained above.
Notice that for every procedure variable $x \in PVar$ we have that
$$\begin{aligned}
Wp_B(x)(d) &= wp(x)({}_B(d)) \\
&= {}_B(d)(x) && \text{Definition 4.5} \\
&= {}_B(d)({}_B(d))(x) && \text{fixed point property} \\
&= wp(d(x))({}_B(d)) && \text{definition of } {}_B(d) \\
&= Wp_B(d(x))(d) && \text{Definition 4.6.}
\end{aligned}$$
Similarly we have $Wp_D(x)(d) = Wp_D(d(x))(d)$ and $Wp_N(x)(d) = Wp_N(d(x))(d)$.
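The construction of Definitions 4.5 and 4.6 in the Nelson ordering, as an added Python example that is not the paper's code: the state space is a single variable $v$ over $\{0,1,2,3\}$, predicates are sets of states, environments are tables, and ${}_N(d)$ is iterated from the bottom of $Env_N$ (the pair $wp = \lambda Q.false$, $wlp = \lambda Q.true$) until it stabilizes, which on a finite state space happens after finitely many steps. The declaration contains the $do$-$od$ encoding $((b \to ; S) ; x) \Diamond (true \to)$ from above, a procedure that only calls itself, and a non-recursive use of the backtrack operator (called `bt` in the code). The procedure names, the state space and the statements are assumptions made for the example.

```python
"""wp and wlp with procedure variables, obtained by iterating Phi_N(d) from
the bottom environment (Definitions 4.5 and 4.6, Nelson ordering).

Added example, not the paper's code.  Assumptions: one program variable v
ranging over SIGMA = {0,1,2,3}; a predicate is the frozenset of states that
satisfy it; a statement is a nested tuple; an environment component maps a
procedure variable to a predicate transformer stored as a table {Q: eta(x)(Q)}.
"""
from itertools import combinations

SIGMA = frozenset(range(4))
FALSE, TRUE = frozenset(), SIGMA
PREDS = tuple(frozenset(c) for r in range(len(SIGMA) + 1)
              for c in combinations(sorted(SIGMA), r))


def implies(b, q):
    """The predicate b => Q."""
    return (SIGMA - b) | q


# Statement constructors for Stat+; 'bt' is the backtrack operator S1 <> S2.
def assign(t):       return ("assign", t)   # v := t, t maps a state to the new value of v
def guard(b):        return ("guard", b)    # b ->
def pvar(x):         return ("var", x)      # procedure variable
def seq(s1, s2):     return ("seq", s1, s2)
def choice(*ss):     return ("choice", ss)  # demonic choice, non-empty index set
def bt(s1, s2):      return ("bt", s1, s2)


def wp(S, eta, Q):
    kind = S[0]
    if kind == "assign":
        return frozenset(s for s in SIGMA if S[1](s) in Q)      # Q[t/v]
    if kind == "guard":
        return implies(S[1], Q)
    if kind == "var":
        return eta[S[1]][Q]
    if kind == "seq":
        return wp(S[1], eta, wp(S[2], eta, Q))
    if kind == "choice":
        return frozenset.intersection(*(wp(Si, eta, Q) for Si in S[1]))
    if kind == "bt":
        s1, s2 = S[1], S[2]
        return wp(s1, eta, Q) & implies(wp(s1, eta, FALSE), wp(s2, eta, Q))
    raise ValueError(kind)


def wlp(S, eta, Q):
    """Same clauses as wp with wlp in the recursive calls; the test
    wp(S1)(false) inside the backtrack clause remains a wp call."""
    kind = S[0]
    if kind == "var":
        return eta[S[1]][Q]
    if kind == "seq":
        return wlp(S[1], eta, wlp(S[2], eta, Q))
    if kind == "choice":
        return frozenset.intersection(*(wlp(Si, eta, Q) for Si in S[1]))
    if kind == "bt":
        s1, s2 = S[1], S[2]
        return wlp(s1, eta, Q) & implies(wp(s1, eta, FALSE), wlp(s2, eta, Q))
    return wp(S, eta, Q)            # assignment and guard coincide with wp


def tabulate(transformer):
    return {Q: transformer(Q) for Q in PREDS}


def phi_N(decl, env_pair):
    """Phi_N(d)(eta1, eta2)(x) = (wp(d(x))(eta1), wlp(d(x))(eta2))."""
    eta1, eta2 = env_pair
    return ({x: tabulate(lambda Q, b=body: wp(b, eta1, Q)) for x, body in decl.items()},
            {x: tabulate(lambda Q, b=body: wlp(b, eta2, Q)) for x, body in decl.items()})


def least_fixed_point(decl):
    """Iterate Phi_N(d) from the bottom of Env_N, i.e. from (lambda Q.false, lambda Q.true).
    Phi_N(d) is monotone and there are finitely many tables over SIGMA, so the
    ascending chain stabilises after finitely many steps."""
    env = ({x: tabulate(lambda Q: FALSE) for x in decl},
           {x: tabulate(lambda Q: TRUE) for x in decl})
    steps = 0
    while True:
        nxt = phi_N(decl, env)
        steps += 1
        if nxt == env:
            return env, steps
        env = nxt


def Wp_N(decl, S, Q):
    """Wp_N(S)(d) applied to Q: the pair (wp, wlp) under the least fixed point environment."""
    (eta1, eta2), _ = least_fixed_point(decl)
    return wp(S, eta1, Q), wlp(S, eta2, Q)


# Constructed declaration d.
POS = frozenset({1, 2, 3})                          # the guard v > 0
DECL = {
    # do v > 0 -> v := v - 1 od, encoded as ((b ->; S); x) <> (true ->)
    "loop": bt(seq(seq(guard(POS), assign(lambda s: s - 1)), pvar("loop")), guard(TRUE)),
    # a body that is just a call of itself: never terminates
    "spin": pvar("spin"),
    # backtracking without recursion: v := 3 when v = 0, otherwise v := v + 1 (mod 4)
    "try": bt(seq(guard(frozenset({0})), assign(lambda s: 3)), assign(lambda s: (s + 1) % 4)),
}

if __name__ == "__main__":
    for name in DECL:
        print(name, Wp_N(DECL, pvar(name), frozenset({0})), Wp_N(DECL, pvar(name), frozenset({3})))
```

For `loop` both components agree (the loop always terminates with $v = 0$); for `spin` they split into $wp = false$ and $wlp = true$, which is exactly the pair $\bot$ of $Env_N$ that the iteration started from; and the fixed point property $Wp_N(x)(d) = Wp_N(d(x))(d)$ shown above can be checked by evaluating the procedure variable and its body under the same environment.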
Fig. 2. Relationships between the domains: $ETran$, the functions $\ \to E(\ _\bot)$, isomorphic to $NPTran_N$; the state transformers $\ \to S(\ _\bot)$ of Definition 5.3, isomorphic to $MPTran_D$; and $STran$, the functions $\ \to S(\ _\bot)$ of Definition 5.1, isomorphic to $MPTran_B$. The isomorphisms are drawn horizontally and the functions between successive domains vertically.
5. Duality
In this section we relate the predicate transformers with functions to power domains. We generalize the relationship between the Smyth power domain and the predicate transformers [Wan77, Plo79, Bac81, Bes83, AP86, Smy83] to the new versions of the Smyth power domain. Moreover, we introduce a relationship between the Egli-Milner power domain and pairs of predicate transformers (see also [Nel89]). For further reference, the diagram in Figure 2 summarizes the relationships. All the arrows in this diagram are monotone functions.
The stability Lemma 3.3 plays a central role in the proof of the isomorphisms between predicate and state transformers because it defines in a unique way, for every state and every predicate transformer, a minimal set $min(\,,\,)$ (representing outputs of computations). Before going into a more detailed discussion, we first define the three discrete power domains.
Definition 5.1. Let $X_\bot$ be a flat domain. The Smyth power domain of $X_\bot$ (with empty set) is defined as the set
$$S(X_\bot) = \{A \mid A \subseteq X\} \cup \{X_\bot\}$$
ordered by the superset order, that is $A \sqsubseteq B \Leftrightarrow A \supseteq B$.
This definition differs from the original definition of the Smyth power domain [Smy78] because we add the empty set as a top element and there is no restriction on the cardinality of the subsets of $X$. The Smyth power domain $S(X_\bot)$ has least element $X_\bot$, and if $\mathcal{S} \subseteq S(X_\bot)$ is a directed set then $\bigcap \mathcal{S}$ is its least upper bound. The Smyth power domain $S(X_\bot)$ is also closed under arbitrary union and intersection.
A meaning of a statement is a function from the set of states to $S(\ _\bot)$. We denote the collection of these functions (ordered pointwise) by $STran$. Elements of $S(\ _\bot)$ denote results of computations. Computations that are possibly non-terminating are mapped to $\ _\bot$, and the empty set is interpreted as a deadlock situation.
To relate $STran$ and $MPTran_B$, we define the function $\omega : STran \to MPTran_B$ by
$$\omega(m)(Q) = \{\ \in\ \mid m() \Rightarrow Q\}.$$
Notice that if $m() = \ _\bot$ then the state is not in $\omega(m)(Q)$ for any predicate $Q$. Its inverse $\omega^{-1}$ is given by
$$\omega^{-1}()() = \begin{cases} min(\,,\,) & \text{if } (true)() = tt \\ \ _\bot & \text{otherwise.} \end{cases}$$
Theorem 5.2. The function $\omega : STran \to MPTran_B$ is an order isomorphism with inverse $\omega^{-1}$.
Proof. That both $\omega$ and $\omega^{-1}$ are well-defined is easily verified. We prove only that they form an order isomorphism. Indeed, the function $\omega$ is monotone. Let $m \sqsubseteq m'$ for $m, m' \in STran$ and assume a state is in $\omega(m)(P)$. Then $m'() \subseteq m() \subseteq P$ and hence the state is in $\omega(m')(P)$.
Also $\omega^{-1}$ is monotone. Let $\ \sqsubseteq_B\ '$ in $MPTran_B$ and take a state. If $\omega^{-1}()() = \bot$ then clearly $\omega^{-1}()() \sqsubseteq \omega^{-1}(')()$. Otherwise the state is in $'(true)$ because $(true) \Rightarrow '(true)$. Thus $\omega^{-1}()() = min(\,,\,)$ and $\omega^{-1}(')() = min(',\,)$. Since $(min(\,,\,)) \Rightarrow '(min(\,,\,))$ and the state is in $(min(\,,\,))$, it is also in $'(min(\,,\,))$. Applying Lemma 3.3 to $'$ we obtain $min(',\,) \Rightarrow min(\,,\,)$, that is, $\omega^{-1}()() \sqsubseteq \omega^{-1}(')()$.
It remains to prove that $\omega$ and $\omega^{-1}$ form an isomorphism. Take a transformer in $MPTran$ and let $P$ be a predicate; we have
$$\begin{aligned}
\omega(\omega^{-1}())(P) &= \{\ \in\ \mid \omega^{-1}()() \Rightarrow P\} \\
&= \{\ \in\ \mid\ \in (true) \wedge min(\,,\,) \Rightarrow P\} \\
&= \{\ \in\ \mid\ \in (true) \wedge\ \in (P)\} && \text{Lemma 3.3} \\
&= \{\ \in\ \mid\ \in (P)\} && P \Rightarrow true \\
&= (P).
\end{aligned}$$
Conversely, let $m \in STran$ and take a state. If $m() = \bot$ then the state is not in $\omega(m)(true)$. Hence $\omega^{-1}(\omega(m))() = \bot = m()$. Otherwise $\omega^{-1}(\omega(m))() = min(\omega(m),\,)$. Since the state is in $\omega(m)(P)$ if and only if $m() \Rightarrow P$, for every predicate $P$, it is in $\omega(m)(m())$. But then by Lemma 3.3 we have $min(\omega(m),\,) = m()$. Therefore $\omega^{-1}(\omega(m))() = m()$.
Next we turn to a state transformer model for $MPTran_D$:
Definition 5.3. Let $X_\bot$ be a flat dcpo. Define $S(X_\bot)$ to be the set $\{A \mid A \subseteq X\} \cup \{X_\bot\}$ ordered as follows:
$$A \sqsubseteq B \Leftrightarrow A = X_\bot \vee (A = \emptyset \wedge B = \emptyset) \vee (B \ne \emptyset \wedge A \supseteq B).$$
In general this $S(X_\bot)$ is not a dcpo. For example, let $\mathbb{N}$ be the set of natural numbers and consider in $S(\mathbb{N}_\bot)$ the following directed set, which has no upper bound:
$$\mathbb{N} \sqsubseteq \mathbb{N} \setminus \{0\} \sqsubseteq \mathbb{N} \setminus \{0, 1\} \sqsubseteq \dots$$
(this example is taken from [AP86]).
We denote by $STran$ also the state transformers $\ \to S(\ _\bot)$ with this order, ordered pointwise. The identity function from the $STran$ of Definition 5.1 to this $STran$ is trivially onto, continuous, and its inverse image has a finite upper fringe, a finite lower fringe and finite antichains for every $A \in S(\ _\bot)$. Note that its inverse is not even monotone.
Theorem 5.4. The function $\omega : STran \to MPTran_D$ is an order isomorphism with inverse $\omega^{-1}$.
Proof. Since the underlying set of the $STran$ of Definition 5.3 is equal to the set $STran$ of Definition 5.1, and also the underlying set of $MPTran_D$ is equal to that of $MPTran_B$, we have by Theorem 5.2 that $\omega$ and $\omega^{-1}$ are well-defined and form an isomorphism. We need to prove that they preserve the orders. The function $\omega$ is monotone. Let $m \sqsubseteq m'$ for $m, m' \in STran$. By definition a state is in $\omega(m)(false)$ if and only if $m() = \emptyset = m'()$, if and only if it is in $\omega(m')(false)$. More generally, for a predicate $P$, a state in $\omega(m)(P)$ satisfies $m() \subseteq P$. But $m'() \subseteq m()$, hence it is also in $\omega(m')(P)$.
Also $\omega^{-1}$ is monotone. Let $\ \sqsubseteq_D\ '$ in $MPTran_D$ and take a state. If $\omega^{-1}()() = \bot$ then clearly $\omega^{-1}()() \sqsubseteq \omega^{-1}(')()$. Otherwise the state is in $'(true)$ because $(true) \Rightarrow '(true)$. Thus $\omega^{-1}()() = min(\,,\,)$ and also $\omega^{-1}(')() = min(',\,)$. Since $(min(\,,\,)) \Rightarrow '(min(\,,\,))$ and the state is in $(min(\,,\,))$, it is in $'(min(\,,\,))$. Applying Lemma 3.3 to $'$ we obtain $min(',\,) \Rightarrow min(\,,\,)$, that is, $\omega^{-1}()() \sqsubseteq \omega^{-1}(')()$.
Suppose now $\omega^{-1}(')() = \emptyset$. Then $min(',\,) = \emptyset$, and hence by Lemma 3.3 the state is in $'(false)$. But $(false) = '(false)$, and hence by Lemma 3.3, $min(\,,\,) = \emptyset$, that is, also $\omega^{-1}()() = \emptyset$.
The third state transformer model is based on the Egli-Milner power domain.
Definition 5.5. For a flat domain $X_\bot$ we denote by $E(X_\bot)$ the poset whose elements are subsets of $X_\bot$ ordered as follows:
$$A \sqsubseteq B \Leftrightarrow (\bot \notin A \wedge A = B) \vee (\bot \in A \wedge (A \setminus \{\bot\}) \subseteq B).$$
Note that this differs from the usual definition of the Egli-Milner power domain [Plo81] because we add the empty set and we have no restriction on the cardinality of subsets of $X_\bot$. The poset $E(X_\bot)$ is pointed and directed complete. Indeed $\{\bot\}$ is the least element, and if $\mathcal{S} \subseteq E(X_\bot)$ is a directed set then
$$\bigsqcup \mathcal{S} = \Big(\bigcup \mathcal{S} \setminus \{\bot\}\Big) \cup \{\bot \mid \forall A \in \mathcal{S} : \bot \in A\}.$$
The monotone function $e_X : E(X_\bot) \to S(X_\bot)$ relates the Egli-Milner power domain with the Smyth power domain with deadlock (Definition 5.3). It is defined by
$$e_X(A) = \begin{cases} A & \text{if } \bot \notin A \\ X_\bot & \text{otherwise.} \end{cases}$$
Lemma 5.6. The function $e_X : E(X_\bot) \to S(X_\bot)$ is onto, continuous, and for each $B \in S(X_\bot)$ there is a finite upper fringe and a finite lower fringe in $e_X^{-1}(B)$.
Proof. We only consider the lower and upper fringe (the other parts of the lemma are standard). The finite upper fringe of $e_X^{-1}(B)$ is $B$ itself; the finite lower fringe is $\bot$ if $B = X_\bot$ and is $B$ otherwise.
We denote by $ETran$ the state transformers $\ \to E(\ _\bot)$, ordered pointwise. Non-terminating computations are represented by the element $\bot$. Again the empty set is interpreted as a deadlock.
Define the function $\ : ETran \to NPTran_N$ by
$$(m)(P, Q) = \big(\{\ \in\ \mid m() \Rightarrow P\},\ \{\ \in\ \mid (m() \setminus \{\bot\}) \Rightarrow Q\}\big).$$
The function has inverse ${}^{-1}$:
$${}^{-1}(_1, _2)() = \begin{cases} min(_2,\,) & \text{if } _1(true)() = tt \\ min(_2,\,) \cup \{\bot\} & \text{otherwise.} \end{cases}$$
Theorem 5.7. The function $\ : ETran \to NPTran_N$ is an order isomorphism with inverse ${}^{-1}$.
Proof. Let us denote by ${}_1(m)$ and ${}_2(m)$ the first and the second component of $(m)$ for every $m \in ETran$. It is easy to see that both ${}_1(m)$ and ${}_2(m)$ are multiplicative predicate transformers. Moreover
$${}_2(m)(true) = \{\ \in\ \mid (m() \setminus \{\bot\}) \Rightarrow true\} = true.$$
Hence, in order to prove the well-definedness of the function, it remains to show that ${}_1(m)(Q) = ({}_1(m)(true) \wedge {}_2(m)(Q))$ for all predicates $Q$. If a state is in ${}_1(m)(Q)$ then $m() \Rightarrow Q$. Hence also $(m() \setminus \{\bot\}) \Rightarrow Q$, that is, the state is in ${}_2(m)(Q)$. Since ${}_1(m)(Q) \Rightarrow {}_1(m)(true)$ we have ${}_1(m)(Q) \Rightarrow ({}_1(m)(true) \wedge {}_2(m)(Q))$. Conversely, if a state is in ${}_2(m)(Q)$ and in ${}_1(m)(true)$ then $(m() \setminus \{\bot\}) \Rightarrow Q$ and $\bot \notin m()$. Hence also $m() \Rightarrow Q$, that is, the state is in ${}_1(m)(Q)$.
Clearly, the function ${}^{-1} : NPTran_N \to ETran$ is well-defined. Next we turn to the monotonicity of the function. Let $m, m' \in ETran$ be such that $m \sqsubseteq m'$, and let $P$ be a predicate. If a state is in ${}_1(m)(P)$ then $m() \Rightarrow P$ and $\bot \notin m()$. Because $m \sqsubseteq m'$ we then have $m() = m'()$. Hence the state is in ${}_1(m')(P)$, that is ${}_1(m)(P) \Rightarrow {}_1(m')(P)$. Moreover, if a state is in ${}_2(m')(P)$ then $(m'() \setminus \{\bot\}) \Rightarrow P$. There are two cases depending on the presence of $\bot$ in $m()$. If $\bot \notin m()$ then $m() = m'()$ and hence the state is also in ${}_2(m)(P)$. Otherwise, $\bot \in m()$ implies $m() \Rightarrow m'()$. Hence $(m() \setminus \{\bot\}) \subseteq (m'() \setminus \{\bot\}) \Rightarrow P$, that is, the state is in ${}_2(m)(P)$. Therefore in both cases ${}_2(m')(P) \Rightarrow {}_2(m)(P)$.
The function ${}^{-1}$ is also monotone: let $\ \sqsubseteq_N\ '$ in $NPTran$, and take a state. Suppose $\bot \notin {}^{-1}()()$, that is, the state is in ${}_1(true)$ by definition of ${}^{-1}$. Since $\ \sqsubseteq_N\ '$, the state is in ${}'_1(true)$ too. Thus ${}^{-1}()() = min(_2,\,)$ and also ${}^{-1}(')() = min('_2,\,)$. Since we are dealing with a Nelson predicate transformer we have
$${}_1(min(_2,\,)) = {}_1(true) \wedge {}_2(min(_2,\,)).$$
Therefore the state is in ${}_1(min(_2,\,))$. But then it is in ${}'_1(min(_2,\,))$ because $\ \sqsubseteq_N\ '$. Since the primed transformer is also a Nelson predicate transformer, the state is in ${}'_2(min(_2,\,))$. Hence by Lemma 3.3 applied to ${}'_2$ we obtain $min('_2,\,) \Rightarrow min(_2,\,)$. We need to prove also the converse. Since $\ \sqsubseteq_N\ '$ we have that ${}'_2(min('_2,\,)) \Rightarrow {}_2(min('_2,\,))$. But then the state being in ${}'_2(min('_2,\,))$ implies that it is in ${}_2(min('_2,\,))$, and hence by Lemma 3.3 applied to ${}_2$ we obtain $min(_2,\,) \Rightarrow min('_2,\,)$. Therefore, if $\bot \notin {}^{-1}()()$ then ${}^{-1}()() = {}^{-1}(')()$.
Assume now $\bot \in {}^{-1}()()$. Since the state is in ${}'_2(min('_2,\,))$ and $\ \sqsubseteq_N\ '$, it is in ${}_2(min('_2,\,))$. Hence by Lemma 3.3 applied to ${}_2$ we obtain $min(_2,\,) \Rightarrow min('_2,\,)$. Therefore we have
$$({}^{-1}()() \setminus \{\bot\}) = min(_2,\,) \Rightarrow min('_2,\,) \Rightarrow {}^{-1}(')().$$
This concludes the proof that ${}^{-1}$ is monotone. It remains now to prove that the function and ${}^{-1}$ form an isomorphism. Let $m \in ETran$ and take a state. We first prove that ${}^{-1}$ composed after the function is $id_{ETran}$. If $\bot \in m()$ then the state is not in ${}_1(m)(true)$. Hence ${}^{-1}((m))() = min({}_2(m),\,) \cup \{\bot\}$. Since the state is in ${}_2(m)(m() \setminus \{\bot\})$ we obtain, by Lemma 3.3, that $min({}_2(m),\,) \Rightarrow (m() \setminus \{\bot\})$. But by definition of ${}_2(m)$ also the converse holds, hence $min({}_2(m),\,) = m() \setminus \{\bot\}$, that is, ${}^{-1}((m))() = m()$.
If $\bot \notin m()$ then the state is in ${}_1(m)(true)$. Thus ${}^{-1}((m))() = min({}_2(m),\,)$. But since $\bot \notin m()$ we have by Lemma 3.3 $min({}_2(m),\,) = m()$. Therefore ${}^{-1}((m))() = m()$.
Finally we prove that the function composed after ${}^{-1}$ is $id_{NPTran}$. Take a transformer in $NPTran_N$ and let $P$ be a predicate. For a state we have
$$\begin{aligned}
\ \in {}_1({}^{-1}())(P) &\Leftrightarrow {}^{-1}()() \Rightarrow P \\
&\Leftrightarrow\ \in {}_1(true) \wedge min(_2,\,) \Rightarrow P \\
&\Leftrightarrow\ \in {}_1(true) \wedge\ \in {}_2(P) && \text{Lemma 3.3} \\
&\Leftrightarrow\ \in {}_1(P) && \text{the transformer is in } NPTran.
\end{aligned}$$
Also, we have
$$\begin{aligned}
\ \in {}_2({}^{-1}())(P) &\Leftrightarrow ({}^{-1}()() \setminus \{\bot\}) \Rightarrow P \\
&\Leftrightarrow (\ \in {}_1(true) \wedge (min(_2,\,) \setminus \{\bot\}) \Rightarrow P) \vee (\ \notin {}_1(true) \wedge ((min(_2,\,) \cup \{\bot\}) \setminus \{\bot\}) \Rightarrow P) \\
&\Leftrightarrow_1 min(_2,\,) \Rightarrow P \\
&\Leftrightarrow_2\ \in {}_2(P)
\end{aligned}$$
where $\Leftrightarrow_1$ holds because $\bot \notin min(_2,\,)$, while $\Leftrightarrow_2$ holds due to Lemma 3.3.
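The two isomorphisms of Theorems 5.2 and 5.7 on a small finite state space, as an added Python example (not the paper's code). It builds $\omega$ and $\omega^{-1}$ between $STran$ and $MPTran_B$, and the pair of transformers between $ETran$ and $NPTran_N$ together with its inverse (named `gamma` and `gamma_inv` here; the name is an assumption), and checks both round trips on constructed state transformers. The function `min_set` is this example's reading of the stability Lemma 3.3: $min(\,,\,)$ is taken as the intersection of all postconditions the transformer guarantees from the given state, which for a multiplicative transformer is the least such postcondition. The state space, the element `BOT` and the sample transformers are assumptions.

```python
"""The isomorphisms of Theorems 5.2 and 5.7 on a finite state space.

Added example, not the paper's code.  Assumptions: states SIGMA = {0,1,2,3};
BOT is the extra element of the flat domain SIGMA_bot; a predicate is a
frozenset of states; a predicate transformer is a table {Q: pi(Q)}; a state
transformer is a dict {state: result set}.  The ETran isomorphism is called
gamma here (an assumed name).  min(pi, s) is read as the intersection of all
Q with s in pi(Q), the least such Q for a multiplicative pi.
"""
from itertools import combinations

SIGMA = frozenset(range(4))
BOT = "bot"
SIGMA_BOT = SIGMA | {BOT}        # Smyth element standing for possible non-termination
TRUE = SIGMA
PREDS = tuple(frozenset(c) for r in range(len(SIGMA) + 1)
              for c in combinations(sorted(SIGMA), r))


def min_set(pi, s):
    """min(pi, s): intersection of the postconditions pi guarantees from s."""
    result = SIGMA
    for Q in PREDS:
        if s in pi[Q]:
            result &= Q
    return result


# --- Theorem 5.2: omega between STran and MPTran_B -------------------------
def omega(m):
    """omega(m)(Q) = {s | m(s) subset of Q}; a result containing BOT is in no omega(m)(Q)."""
    return {Q: frozenset(s for s in SIGMA if m[s] <= Q) for Q in PREDS}


def omega_inv(pi):
    """omega^{-1}(pi)(s) = min(pi, s) if s in pi(true), otherwise SIGMA_bot."""
    return {s: (min_set(pi, s) if s in pi[TRUE] else SIGMA_BOT) for s in SIGMA}


# --- Theorem 5.7: the pair of transformers between ETran and NPTran_N -------
def gamma(m):
    """gamma(m)(P, Q) = ({s | m(s) subset of P}, {s | m(s) minus {BOT} subset of Q})."""
    pi1 = {P: frozenset(s for s in SIGMA if m[s] <= P) for P in PREDS}
    pi2 = {Q: frozenset(s for s in SIGMA if (m[s] - {BOT}) <= Q) for Q in PREDS}
    return pi1, pi2


def gamma_inv(pair):
    """gamma^{-1}(pi1, pi2)(s) = min(pi2, s), plus BOT when s is not in pi1(true)."""
    pi1, pi2 = pair
    return {s: (min_set(pi2, s) if s in pi1[TRUE] else min_set(pi2, s) | {BOT})
            for s in SIGMA}


# Constructed state transformers.  M_SMYTH lives in STran: from 1 the
# computation may not terminate (SIGMA_bot), from 2 it deadlocks (empty set).
M_SMYTH = {0: frozenset({1, 2}), 1: SIGMA_BOT, 2: frozenset(), 3: frozenset({3})}
# M_EM lives in ETran: from 1 it may diverge or end in 3, from 3 it always diverges.
M_EM = {0: frozenset({1, 2}), 1: frozenset({BOT, 3}), 2: frozenset(), 3: frozenset({BOT})}


def round_trips():
    """Both inverses undo the forward maps on the sample transformers."""
    return omega_inv(omega(M_SMYTH)) == M_SMYTH and gamma_inv(gamma(M_EM)) == M_EM


if __name__ == "__main__":
    print("deadlock states, omega(M_SMYTH)(false):", sorted(omega(M_SMYTH)[frozenset()]))
    print("round trips hold:", round_trips())
```

Note how the deadlocking state $2$ belongs to $\omega(m)(false)$: the empty result set is the top of the Smyth domain, so it satisfies every postcondition, which is exactly what distinguishes $MPTran_D$ from $MPTran_B$ in the ordering of Definition 5.3. The two components of `gamma` differ only on states whose result contains `BOT`, mirroring the $wp$/$wlp$ split.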
6. Semantics from Domain Transformations
In the previous section we have given three different semantics for a language including recursion. We have also given three different domain transformations (with inverses) that relate predicate transformer domains with state transformer domains. In this section we study sufficient conditions on functions that relate semantic domains such that compositionality and least fixed point properties of semantic functions are preserved. We start by giving some general definitions (cf. [GTWW77], [EM85] and references contained in these papers).
A signature $S = (F, r)$ consists of function names $(f \in) F$, and a rank function $r$, giving for each function symbol its arity. Function names with arity $0$ are called constants. In the sequel we use $f \in S$ instead of $f \in F$ for the signature $S = (F, r)$. The closed terms $(s, t \in) T(S)$ built from $S$ are defined by
$$t ::= f(t_1, \dots, t_{r(f)}).$$
Let $V$ be a set, and define an interpretation $I \in Int_{S,V}$ of a signature $S = (F, r)$ to be a function
$$I : F \to \bigcup_k (V^{(k)} \to V),$$
such that $I(f) : V^{r(f)} \to V$ for every $f \in F$ (here $V^{(k)}$ denotes the $k$-fold product of $V$). An interpretation $I$ induces a map $(-)^I : T(S) \to V$ defined inductively by
$$f(t_1, \dots, t_{r(f)})^I = I(f)(t_1^I, \dots, t_{r(f)}^I).$$
We can now give a definition of a semantic function:
Definition 6.1. A semantic function is a function $D : T(S) \to Dom$ where $T(S)$ is the class of terms over a signature $S$ and $Dom$ is some (structured) set called the semantic domain. A semantic function $D$ is called compositional if there exists an interpretation $I \in Int_{S,Dom}$ such that $D(t) = t^I$ for every term $t \in T(S)$.
For example, both the functions $Op$ (Definition 2.2) and $wp$ (Definition 2.3) are compositional semantic functions.
If $T(S)$ is a set, then compositionality is often expressed by a congruence for the signature $S$, that is, an equivalence relation $\equiv\ \subseteq T(S) \times T(S)$ such that for all $f \in S$ and (closed) terms $u_1, \dots, u_{r(f)}, v_1, \dots, v_{r(f)}$
$$(\forall 1 \le i \le r(f) : u_i \equiv v_i) \Rightarrow f(u_1, \dots, u_{r(f)}) \equiv f(v_1, \dots, v_{r(f)}).$$
The following lemma is standard, and can be found for example in [EM85]:
Lemma 6.2. Let $S = (F, r)$ be a signature such that $F$ is a set and every function symbol has finite arity. Let also $D : T(S) \to Dom$ be a semantic function, and define $\equiv_D\ \subseteq T(S) \times T(S)$ by $s \equiv_D t \Leftrightarrow D(s) = D(t)$. Then $D$ is compositional if and only if $\equiv_D$ is a congruence.
Given a signature $S$, a compositional semantic function $D : T(S) \to Dom$, and a domain transformation $h : Dom \to Dom'$, we say that $h$ preserves compositionality if there exists an interpretation $I' \in Int_{S,Dom'}$ such that the following diagram commutes:
$$\begin{array}{ccc} T(S) & \xrightarrow{\;D\;} & Dom \\ & {\scriptstyle (-)^{I'}}\searrow & \big\downarrow{\scriptstyle h} \\ & & Dom' \end{array}$$
The commutativity of the diagram implies that the semantic function $D' = h \circ D : Stat \to Dom'$ is compositional.
For the language $Stat$, we have given three different predicate transformer semantics $wp : Stat \to MPTran_B$, $wp : Stat \to MPTran_D$ and $(wp, wlp) : Stat \to NPTran_N$. We have three domain transformations $\omega^{-1} : MPTran_B \to STran$, $\omega^{-1} : MPTran_D \to STran$, and ${}^{-1} : NPTran_N \to ETran$. These domain transformations are isomorphisms and hence they preserve compositionality. In the following definition three state transformer semantics for $Stat$ are given, and in Theorem 6.4 they are proved to be isomorphic to the predicate transformer semantics.
Definition 6.3. For every statement $S \in Stat$ define the state transformer semantics $st_B : Stat \to STran$ by
$$\begin{aligned}
st_B(v := t)() &= \ v' \in Var\,.\ \begin{cases} t() & \text{if } v' = v \\ (v') & \text{otherwise} \end{cases} \\
st_B(b \to)() &= \begin{cases} \{\,\} & \text{if } b() = tt \\ \emptyset & \text{otherwise} \end{cases} \\
st_B(div)() &= \bot \\
st_B(S_1 ; S_2)() &= \begin{cases} \bot & \text{if } \bot = st_B(S_1)() \\ \emptyset & \text{if } st_B(S_1)() = \emptyset \\ \bigcup st_B(S_2)(st_B(S_1)()) & \text{otherwise} \end{cases} \\
st_B(\square_{i \in I} S_i)() &= \bigcup_{i \in I} st_B(S_i)() \\
st_B(S_1 \Diamond S_2)() &= \begin{cases} st_B(S_2)() & \text{if } st_B(S_1)() = \emptyset \\ st_B(S_1)() & \text{otherwise.} \end{cases}
\end{aligned}$$
The definition of $st_D : Stat \to STran$ is the same, and $st_N : Stat \to ETran$ differs only in
$$\begin{aligned}
st_N(div)() &= \{\bot\} \\
st_N(S_1 ; S_2)() &= \begin{cases} \{\bot\} & \text{if } \{\bot\} = st_N(S_1)() \\ \emptyset & \text{if } st_N(S_1)() = \emptyset \\ \bigcup st_N(S_2)(st_N(S_1)() \setminus \{\bot\}) \cup \{\bot \mid \bot \in st_N(S_1)()\} & \text{otherwise.} \end{cases}
\end{aligned}$$
The following theorem relates the various semantics.
Theorem 6.4. For every $S \in Stat$ we have
(i) $\omega \circ st_B(S) = wp(S)$ and $st_B(S) = \omega^{-1} \circ wp(S)$;
(ii) $\omega \circ st_D(S) = wp(S)$ and $st_D(S) = \omega^{-1} \circ wp(S)$;
(iii) $\ \circ st_N(S) = (wp(S), wlp(S))$ and $st_N(S) = {}^{-1} \circ (wp(S), wlp(S))$.
Proof. We prove only the third item since the other two can be derived from it. Notice that since the function from $ETran$ to $NPTran_N$ is an isomorphism, it is enough to prove only one of the two equalities, and we prove $(st_N(S))(P) = (wp(S)(P), wlp(S)(P))$ for every statement $S \in Stat$ and predicate $P \in Pred$. The proof proceeds by structural induction on $S$, and we treat two cases. Suppose $S = div$. We have
$$\begin{aligned}
(st_N(div))(P) &= \big(\{\ \in\ \mid st_N(div)() \Rightarrow P\},\ \{\ \in\ \mid (st_N(div)() \setminus \{\bot\}) \Rightarrow P\}\big) \\
&= \big(\{\ \in\ \mid \{\bot\} \Rightarrow P\},\ \{\ \in\ \mid false \Rightarrow P\}\big) \\
&= (false, true) \\
&= (wp(div)(P), wlp(div)(P)).
\end{aligned}$$
Suppose $S = S_1 \Diamond S_2$ and denote by ${}_1$ the first component of the isomorphism. We have
$$\begin{aligned}
{}_1(st_N(S_1 \Diamond S_2))(P) &= \{\ \in\ \mid st_N(S_1 \Diamond S_2)() \Rightarrow P\} \\
&= \{\ \in\ \mid st_N(S_1)() = \emptyset \wedge st_N(S_2)() \Rightarrow P\} \cup \{\ \in\ \mid st_N(S_1)() \ne \emptyset \wedge st_N(S_1)() \Rightarrow P\} \\
&= ({}_1(st_N(S_2))(P) \wedge {}_1(st_N(S_1))(false)) \vee (\neg {}_1(st_N(S_1))(false) \wedge {}_1(st_N(S_1))(P)) \\
&= (wp(S_2)(P) \wedge wp(S_1)(false)) \vee (wp(S_1)(P) \wedge \neg wp(S_1)(false)) \\
&= wp(S_1)(P) \wedge (wp(S_1)(false) \Rightarrow wp(S_2)(P)) \\
&= wp(S_1 \Diamond S_2)(P).
\end{aligned}$$
Also, if we denote by ${}_2$ the second component of the isomorphism we have
$$\begin{aligned}
{}_2(st_N(S_1 \Diamond S_2))(P) &= \{\ \in\ \mid (st_N(S_1 \Diamond S_2)() \setminus \{\bot\}) \Rightarrow P\} \\
&= \{\ \in\ \mid st_N(S_1)() = \emptyset \wedge (st_N(S_2)() \setminus \{\bot\}) \Rightarrow P\} \cup \{\ \in\ \mid st_N(S_1)() \ne \emptyset \wedge (st_N(S_1)() \setminus \{\bot\}) \Rightarrow P\} \\
&= ({}_2(st_N(S_2))(P) \wedge {}_1(st_N(S_1))(false)) \vee (\neg {}_1(st_N(S_1))(false) \wedge {}_2(st_N(S_1))(P)) \\
&= (wlp(S_2)(P) \wedge wp(S_1)(false)) \vee (wlp(S_1)(P) \wedge \neg wp(S_1)(false)) \\
&= wlp(S_1)(P) \wedge (wp(S_1)(false) \Rightarrow wlp(S_2)(P)) \\
&= wlp(S_1 \Diamond S_2)(P).
\end{aligned}$$
For recursion, we add a set of constants $(x \in) PVar$, called procedure variables, to a signature $S$, and let $S_{rec} = S \cup PVar$ be the new signature. The meaning of procedure variables is given by means of a fixed point of a function associated to a declaration $d : PVar \to T(S_{rec})$. Given a semantic function $D : T(S_{rec}) \to Dom$ we denote by $D_0 : T(S) \to Dom$ its restriction to terms without procedure variables. The set of environments (the semantic counterpart of the declaration) is given by $(\ \in) Env = PVar \to Dom$. Every compositional semantics $D : T(S) \to Dom$ can be extended to a compositional semantics $D : T(S_{rec}) \to (Env \to Dom)$ by
$$\begin{aligned}
D(x)() &= (x) && \text{for each } x \in PVar, \\
D(f(t_1, \dots, t_{r(f)}))() &= I(f)(D(t_1)(), \dots, D(t_{r(f)})()) && \text{for each } f \in T(S) \text{ and } t_i \in T(S_{rec}),
\end{aligned}$$
where $I \in Int_{S,Dom}$ is such that $D(t) = t^I$ for each $t \in T(S)$. For every compositional semantics $D : T(S_{rec}) \to (Env \to Dom)$ we define a function ${}_D : Env \to Env$ by
$${}_D()(x) = D(d(x))().$$
Now we are ready for a formal definition of a fixed point semantics.
Definition 6.5. A semantic function $D : T(S_{rec}) \to Dom$ is called a fixed point semantics if $D_0 : T(S) \to Dom$ is compositional and $D(t) = D_0(t)()$ for some environment in $Env$ that is a fixed point of ${}_{D_0}$. Furthermore, the semantic function $D : T(S_{rec}) \to Dom$ is called a least fixed point semantics if $Dom$ is a partial order, $D$ is a fixed point semantics, and that environment is the least fixed point of ${}_{D_0}$.
For example, the semantic functions $Wp_B$, $Wp_D$ and $Wp_N$ as defined in Definition 4.6 are least fixed point semantics.
Let $S$ be a signature and $PVar$ be a set of procedure variables. For a domain transformation $h : Dom \to Dom'$ preserving the compositionality of $D : T(S) \to Dom$, define $D' = h \circ D : T(S) \to Dom'$. Then for every $t \in T(S_{rec})$ and every environment in $Env$ we have
$$D'(t)(h \circ\ ) = h(D(t)()).$$
This result (which can be proved by structural induction) implies that the following diagram commutes:
$$\begin{array}{ccc} Env & \xrightarrow{\;{}_D\;} & Env \\ {\scriptstyle h \circ -}\big\downarrow & & \big\downarrow{\scriptstyle h \circ -} \\ Env' & \xrightarrow{\;{}_{D'}\;} & Env' \end{array}$$
Indeed, we have ${}_{D'}(h \circ\ )(x) = D'(d(x))(h \circ\ ) = h(D(d(x))()) = h({}_D()(x))$.
Finally the next theorem gives sufficient conditions on $h$ to ensure that it preserves the least fixed point property of a semantics.
Theorem 6.6. Let $S$ be a signature and $PVar$ be a set of procedure variables. Let $D : T(S_{rec}) \to Dom$ be a least fixed point semantics and $h : Dom \to Dom'$ be a function such that $D'_0 = h \circ D_0 : T(S) \to Dom'$ is a compositional semantics. If $Dom$ is a complete partial order, if ${}_{D_0}$ is monotone and if the commuting diagram
$$\begin{array}{ccc} Env & \xrightarrow{\;{}_{D_0}\;} & Env \\ {\scriptstyle h}\big\downarrow & & \big\downarrow{\scriptstyle h} \\ Env' & \xrightarrow{\;{}_{h \circ D_0}\;} & Env' \end{array}$$
satisfies one of the following three points:
(i) $h$ is strict and continuous, and ${}_{h \circ D_0}$ is monotone,
(ii) $h$ is onto, continuous, and for all $y \in Dom'$ either the lower fringe of $h^{-1}(y)$ exists and is finite, or every antichain of $h^{-1}(y)$ is finite,
(iii) $h$ is onto, monotone and for all $y \in Dom'$ the upper fringe of $h^{-1}(y)$ exists and is finite,
then $D' = h \circ D : T(S_{rec}) \to Dom'$ is a least fixed point semantics.
Proof. If $h$ satisfies point (i) then by Theorem 4.2 we have that ${}_{D'_0} = {}_{h \circ D_0}$ has a least fixed point, namely $h$ applied (pointwise) to the least fixed point of ${}_{D_0}$. Similarly, if $h$ satisfies point (ii) then by Theorem 4.3 ${}_{D'_0}$ has that same least fixed point, while if $h$ satisfies point (iii) then this follows from Theorem 4.4. Hence, writing the least fixed point of ${}_{D_0}$ as the environment below, for all terms $t \in T(S)$ we have
$$\begin{aligned}
D'(t) &= h(D(t)) \\
&= h(D_0(t)()) && D \text{ is a least fixed point semantics} \\
&= D'_0(t)(h \circ\ ) \\
&= D'_0(t)(\text{least fixed point of } {}_{D'_0}).
\end{aligned}$$
Since $D'_0$ is compositional we have that $D'$ is a least fixed point semantics.
This theorem ensures that if we extend the semantic function stB : Stat →
STran to a least fixed point semantics StB : Stat+ → (Decl → STran), the
results of Theorem 6.4 extend, that is ω ∘ StB(S) = WpB(S) and StB(S) =
ω^{-1} ∘ WpB(S). The same result also holds for the extensions of stD and stN.
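To make the commuting-diagram argument of this section concrete, here is an added worked example in Python; it is not part of the paper and not code of its authors. It iterates one recursive guarded command from the least element in two domains at once: a state-transformer domain in the discrete Smyth style (a possible non-termination outcome BOTTOM absorbs every other outcome) and a weakest-precondition domain ordered by Back's refinement order, both over a constructed six-state space. The map omega from state-transformer tables to predicate-transformer tables plays the role of h above (the ω of Theorem 6.4): the example checks that omega sends the least element to the least element and agrees with every iterate, so that omega applied to the least fixed point of the state-transformer body is the least fixed point of the wp body, as Theorem 6.6 guarantees when h is strict and continuous. The program P, its state space, the names body_st, body_wp, omega, lfp and run, and the simplified forms of the two domains are all assumptions of this example, not definitions taken from the paper.

```python
"""Kleene iteration of a recursive guarded command in two semantic domains, and a
check that the state-to-predicate map omega commutes with every iterate and hence
with the least fixed point.  Constructed example; domains and omega are simplified."""
from itertools import combinations

BOTTOM = "bottom"           # outcome standing for possible non-termination
STATES = tuple(range(6))    # constructed finite state space: x in 0..5

def subsets():
    """All predicates over STATES, as frozensets of states."""
    for k in range(len(STATES) + 1):
        for c in combinations(STATES, k):
            yield frozenset(c)

# ---- state-transformer domain (discrete Smyth style): state -> non-empty set of
# outcomes; a set containing BOTTOM is identified with {BOTTOM}, the least element.
def norm(outs):
    outs = frozenset(outs)
    return frozenset({BOTTOM}) if BOTTOM in outs else outs

def st_skip(s):
    return frozenset({s})
def st_assign(e):
    return lambda s: frozenset({e(s)})
def st_seq(f, g):
    return lambda s: norm(t for u in f(s) for t in ([BOTTOM] if u == BOTTOM else g(u)))

def st_if(branches):
    """Guarded choice over (guard, transformer) pairs; no enabled guard aborts."""
    def h(s):
        enabled = [f for guard, f in branches if guard(s)]
        return norm(t for f in enabled for t in f(s)) if enabled else frozenset({BOTTOM})
    return h

def st_tabulate(f):
    return {s: f(s) for s in STATES}
ST_BOTTOM = {s: frozenset({BOTTOM}) for s in STATES}

# ---- predicate-transformer domain: postcondition -> weakest precondition ----
def wp_skip(post):
    return post
def wp_assign(e):
    return lambda post: frozenset(s for s in STATES if e(s) in post)
def wp_seq(f, g):
    return lambda post: f(g(post))

def wp_if(branches):
    """Dijkstra's rule: some guard enabled and every enabled branch establishes post."""
    def h(post):
        pres = [(guard, f(post)) for guard, f in branches]
        return frozenset(s for s in STATES if any(g(s) for g, _ in pres)
                         and all(s in pre for g, pre in pres if g(s)))
    return h

def wp_tabulate(w):
    return {post: w(post) for post in subsets()}
WP_BOTTOM = {post: frozenset() for post in subsets()}   # abort: least in Back's order

def omega(st):
    """State-transformer table -> predicate-transformer table: s satisfies wp(post)
    iff every outcome from s is a state in post (BOTTOM is never in post)."""
    return {post: frozenset(s for s in STATES if st[s] <= post) for post in subsets()}

def lfp(body, bottom, tabulate):
    """Iterate body from the least element; each iterate is tabulated so it can
    serve as the environment of the next.  Returns all iterates, last = fixed point."""
    history = [bottom]
    while True:
        env = history[-1]
        history.append(tabulate(body(lambda k, t=env: t[k])))
        if history[-1] == history[-2]:
            return history

# The recursive procedure P (constructed), written in both domains:
#   P = if x <= 1 -> skip  []  x >= 1 -> x := x-1; P
#       [] x >= 2 -> x := x-2; P  []  x = 5 -> P  fi      (x = 5 may loop forever)
def body_st(env):
    return st_if([(lambda x: x <= 1, st_skip),
                  (lambda x: x >= 1, st_seq(st_assign(lambda x: x - 1), env)),
                  (lambda x: x >= 2, st_seq(st_assign(lambda x: x - 2), env)),
                  (lambda x: x == 5, env)])

def body_wp(env):
    return wp_if([(lambda x: x <= 1, wp_skip),
                  (lambda x: x >= 1, wp_seq(wp_assign(lambda x: x - 1), env)),
                  (lambda x: x >= 2, wp_seq(wp_assign(lambda x: x - 2), env)),
                  (lambda x: x == 5, env)])

def run():
    st_iter = lfp(body_st, ST_BOTTOM, st_tabulate)
    wp_iter = lfp(body_wp, WP_BOTTOM, wp_tabulate)
    commutes = (len(st_iter) == len(wp_iter)          # the square commutes at
                and all(omega(a) == b for a, b in zip(st_iter, wp_iter)))  # every stage
    return {"st": st_iter[-1], "wp": wp_iter[-1],
            "steps": len(st_iter) - 1, "commutes": commutes}

if __name__ == "__main__":
    r = run()
    print("wp(P)(true) =", sorted(r["wp"][frozenset(STATES)]), "after", r["steps"],
          "iterations; omega commutes with the iteration:", r["commutes"])
```

On this input wp(P)(true) excludes x = 5, because the demonic choice at 5 includes a branch that may never terminate; the state-transformer side records the same fact as the outcome set {BOTTOM}, and both iterations stabilise after six applications of the body because each round resolves one more starting state. The point of tabulating each iterate is that the check is not only on the limit: omega(f_n) = wp_n holds at every n, which is exactly the commuting property D'(t)(h ∘ ε) = h(D(t)(ε)) that the theorem builds on.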
7. Conclusion and Future Work
At least four different, but related, topics have been treated in this paper:
1. We proposed an extension of Dijkstra's Weakest Precondition Calculus in
order to treat recursion in a fully compositional way with respect to three
different orders: a refinement order as introduced in [Bac78], a new refinement
order that respects deadlock, and an approximation order as introduced in
[Nel89].
2. We showed that (under certain circumstances) least fixed points of functions
(even non-monotone) between posets exist and that they can be obtained by
iteration from the least element.
3. We gave three isomorphisms between domains of predicate transformers and
domains of state transformers. The state transformers are based on two different versions of the discrete Smyth power domain and on the discrete Egli-Milner power domain.
4. We gave sufficient conditions on a function between two semantic domains in
order to preserve compositionality and least fixed point properties of semantic
functions.
We would like to consider further extensions of the language, like arbitrary
parallelism and angelic choice.
Further results on the relationships between predicate transformers and state
transformers based on the Smyth, Hoare and Plotkin power domains on algebraic
directed complete partial orders can be found in [BK93].
Acknowledgements
We would like to acknowledge the members of the Amsterdam Concurrency Group,
especially Jaco de Bakker, Franck van Breugel, Jan Rutten, and Daniele Turi,
for discussions and suggestions about the contents of this paper. Thanks also to
two anonymous referees for their useful comments. Finally, we would also like to thank
Nicoletta Sabadini, Giancarlo Mauri, Ralph Back, and Prakash Panangaden.
References
[AP81] K.R. Apt and G. Plotkin. A Cook's Tour of Countable Nondeterminism. In S. Evens and O. Kariv, editors, Proc. 8th ICALP, volume 115 of Lecture Notes in Computer Science, Akko, Israel, 1981. Springer-Verlag.
[AP86] K.R. Apt and G. Plotkin. Countable Nondeterminism and Random Assignment. Journal of the ACM, 33(4):724–767, October 1986.
[Bac78] R.-J.R. Back. On the Correctness of Refinement Steps in Program Development. PhD thesis, Department of Computer Science, University of Helsinki, 1978. Report A-1978-4.
[Bac80] R.-J.R. Back. Correctness Preserving Program Refinements: Proof Theory and Applications, volume 131 of Mathematical Centre Tracts. Mathematical Centre, Amsterdam, 1980.
[Bac81] R.-J.R. Back. On Correct Refinement of Programs. Journal of Computer and System Sciences, 23(1):49–68, 1981.
[Bac90] R.-J.R. Back. Refinement Calculus, Part II: Parallel and Reactive Programs. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 67–93. Springer-Verlag, 1990.
[Bak80] J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
[Bes83] E. Best. Relational Semantics of Concurrent Programs (with some Applications). In D. Bjorner, editor, Proc. of the IFIP Working Conference on Formal Description of Programming Concepts - II, pages 431–452, Garmisch-Partenkirchen, FRG, 1983. North-Holland Publishing Company.
[BK93] M.M. Bonsangue and J.N. Kok. Isomorphisms between State and Predicate Transformers. In A.M. Borzyszkowski and S. Sokolowski, editors, Proc. MFCS '93, Gdansk, Poland, volume 711 of Lecture Notes in Computer Science, pages 301–310. Springer-Verlag, 1993. Extended version available through anonymous ftp from ftp.cs.vu.nl as /pub/bonsangue/isomorph.ps.Z.
[BW90] R.-J.R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 42–66. Springer-Verlag, 1990.
[DG86] E.W. Dijkstra and A.J.M. van Gasteren. A Simple Fixpoint Argument without the Restriction to Continuity. Acta Informatica, 23:1–7, 1986.
[Dij76] E.W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976.
[DS90] E.W. Dijkstra and C.S. Scholten. Predicate Calculus and Program Semantics. Springer-Verlag, New York, 1990.
[EM85] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification I, volume 6 of EATCS Monographs. Springer-Verlag, 1985.
[GTWW77] J.A. Goguen, J.W. Thatcher, E.G. Wagner, and J.B. Wright. Initial Algebra Semantics and Continuous Algebras. Journal of the ACM, 24:68–95, 1977.
[Heh79] E.C.R. Hehner. do considered od: a Contribution to Programming Calculus. Acta Informatica, 11:287–304, 1979.
[Hes89] W.H. Hesselink. Predicate Transformer Semantics of General Recursion. Acta Informatica, 26:309–332, 1989.
[HP72] P. Hitchcock and D. Park. Induction Rules and Termination Proofs. In M. Nivat, editor, Proc. 1st ICALP, Rocquencourt, France, 1972. North-Holland.
[Mey85] J.-J.Ch. Meyer. Programming Calculi Based on Fixed Point Transformations: Semantics and Applications. PhD thesis, Vrije Universiteit, Amsterdam, 1985.
[Mor87] J. Morris. A Theoretical Basis for Stepwise Refinement and the Programming Calculus. Science of Computer Programming, 9:287–306, 1987.
[MRG88] C.C. Morgan, K.A. Robinson, and P.H.B. Gardiner. On the Refinement Calculus. Technical Report PRG-70, Programming Research Group, 1988.
[Nel89] G. Nelson. A Generalization of Dijkstra's Calculus. ACM Transactions on Programming Languages and Systems, 11(4):517–561, 1989.
[Plo79] G.D. Plotkin. Dijkstra's Predicate Transformer and Smyth's Powerdomain. In Proc. of the Winter School on Abstract Software Specification, volume 86 of Lecture Notes in Computer Science, pages 527–553. Springer-Verlag, 1979.
[Plo81] G.D. Plotkin. Post-Graduate Lecture Notes in Advanced Domain Theory (incorporating the "Pisa Notes"). Department of Computer Science, Univ. of Edinburgh, 1981.
[Roe76] W.P. de Roever. Dijkstra's Predicate Transformer, Non-Determinism, Recursion, and Termination. In Proc. 5th MFCS, volume 45 of Lecture Notes in Computer Science, pages 472–481. Springer-Verlag, 1976.
[Smy78] M.B. Smyth. Power Domains. Journal of Computer and System Sciences, 16(1):23–36, 1978.
[Smy83] M.B. Smyth. Power Domains and Predicate Transformers: A Topological View. In J. Diaz, editor, Proc. 10th ICALP, volume 154 of Lecture Notes in Computer Science, pages 662–675, Barcelona, Spain, 1983. Springer-Verlag.
[Wan77] M. Wand. A Characterisation of Weakest Preconditions. Journal of Computer and System Sciences, 15:209–212, 1977.
[Wri90] J. von Wright. A Lattice-theoretical Basis for Program Refinement. PhD thesis, Åbo Akademi, 1990.