Re nement Calculus, Part I: Sequential Nondeterministic ... - CiteSeerX

Re nement Calculus, Part I: Sequential Nondeterministic Programs R.J.R. Back J. von Wright November 2, 1989 Abstract

A lattice theoretic framework for the calculus of program re nement is presented. Speci cations and program statements are combined into a single (in nitary) language of commands which permits miraculous, angelic and demonic statements to be used in the description of program behavior. The weakest precondition calculus is extended to cover this larger class of statements and a game-theoretic interpretation is given for these constructs. The language is complete, in the sense that every monotonic predicate transformer can be expressed in it. The usual program constructs can be de ned as derived notions in this language. The notion of inverse statements is de ned and its use in formalizing the notion of data re nement is shown.

1

Contents

1 Introduction

1.1 A lattice-theoretic basis : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1.2 Overview of the paper : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

2 Predicates and predicate transformers 2.1 2.2 2.3 2.4 2.5

Lattices : : : : : : : : : : : : States and state spaces : : : : Predicate lattice : : : : : : : Operations on predicates : : : Predicate transformer lattices

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

: : : : :

The command language : : : : : : : : : Commands as predicate transformers : : Completeness of command language : : Sublanguages of C : : : : : : : : : : : : Subcommand replacement : : : : : : : : Re nements in the command languages

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

: : : : : : :

Inverse commands : : : : : : : : : : : : : : A characterization of re nement : : : : : : Data re nement : : : : : : : : : : : : : : : Abstraction and representation commands :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

: : : :

3 A command language 3.1 3.2 3.3 3.4 3.5 3.6

4 Speci cation and program constructs 4.1 4.2 4.3 4.4 4.5 4.6 4.7

Assert commands and guards : : : : : Update commands : : : : : : : : : : : Nondeterministic variable introduction Conditional composition : : : : : : : : Recursion and iteration : : : : : : : : Blocks with local variables : : : : : : : Assignment commands : : : : : : : : :

: : : : : : :

5 Inverse commands and data re nement 5.1 5.2 5.3 5.4

6 Conclusions and related work

3 4 5

5 5 5 6 6 7

8

8 9 10 11 12 13

14

14 15 15 16 16 17 17

19

19 20 21 23

24

2

1 Introduction Stepwise re nement is one of the main methods for systematic construction of sequential programs: an originally high level program speci cation is transformed by a sequence of correctness preserving re nements into an executable and ecient program. The origins of this method are in the writings of Dijkstra and Wirth [19, 37] and in the program transformation approach of Gerhart [21] and Burstall and Darlington [15]. The stepwise re nement approach was formalized by Back [1, 2] in a re nement calculus , using the weakest precondition technique of Dijkstra [18] as a basis. The central notion in this calculus is a relation of re nement between program statements: Statement S is said to be (correctly) re ned by statement S 0 , denoted S  S 0 , if 8P ; Q : P hS iQ ) P hS 0 iQ : Here P hS iQ stands for total correctness of S with respect to precondition P and postcondition Q . An equivalent characterization in terms of weakest preconditions is 8R : wp(S ; R ) ) wp(S 0 ; R ): The re nement relation is re exive and transitive. Hence, if we can prove that S0  S1  : : :  Sn ?1  Sn , then S0  Sn . This models the successive re nement steps in program development. S0 is the initial high level speci cation statement and Sn is the nal executable program derived through the intermediate program versions S1 ; : : :; Sn ?1 . Each re nement step preserves the correctness of the previous step. Hence the nal program preserves the correctness of the original speci cation. Speci cations are treated as generalized statements and may include higher level, not necessary computable notions. The re nement relation is monotonic with respect to the sequential statement constructors. This means that if T is a statement where S occurs as a substatement, T = T (S ), then S  S 0 ) T (S )  T (S 0): In other words, we may replace a substatement by its re nement in any program context. This justi es the top-down method of program constructions that is very important in stepwise re nement. The re nement calculus was used to formalize dierent aspects of the stepwise re nement method, such as the use of speci cations as program statements, procedural abstraction, re nement of data representations in programs, use of context information in re ning program components and proving correctness of program transformation rules. The notion of correctness preserving program re nements need not be restricted to total correctness. Back [3] studies the notion of correct re nement in general, for dierent classes of correctness properties to be preserved by the re nement steps. The foundations of the re nement calculus is further developed by Back in [5]. In [4] the calculus is used to give a simple formalization of procedures and to derive proof rules for procedures, in [6] to handle data abstraction in general. Back and Sere extend the applicability of the re nement calculus to the stepwise re nement of parallel algorithms in [7, 8]. In [12, 11] we further develop the mathematical foundations of the re nement calculus, in a simple and very general lattice-theoretic framework. The re nement calculus has attracted renewed interest lately also by other researchers. Morgan has together with Gardiner studied both procedural and data re nement [30, 29, 33] along somewhat similar lines as in [4, 6], as well as the use of types in the re nement calculus [31]. Morris [34] is largely a reinvention of the re nement calculus, but does present a more elegant treatment of predicate transformers and unbounded nondeterminism than [2]. He also treats data re nement [35], as do Chen and Udding [16], along similar lines as [29]. 3

An important contribution of this recent work has been to permit miraculous program statements, which were not included in the original re nement calculus. Miracles were originally proposed for program construction by Nelson [36], although miraculous statements were studied semantically already by de Bakker [17]. The use of miracles simpli es the theory, and were also employed by Back [7] in the extension of the re nement calculus to parallel programs. More algebraic approaches to program construction, but in a similar spirit, are described by Hoare and others in [28] and by Hesselink [26]. Our purpose here is to present an overview of the re nement calculus for sequential and parallel programs. We focus on the basic kernel of the calculus, referring to other publications for applications and for detailed proofs of the results presented. The presentation has been divided into two parts. Part I presents the basic lattice-theoretic framework for sequential and nondeterministic programs, providing a uni ed treatment of ordinary and miraculous statements, as well as permitting both demonic and angelic nondeterminism in statements. Part II shows how to combine the action system framework with the re nement calculus for sequential programs, in particular the method of data re nement, to get a simple and general framework for the stepwise re nement of parallel and reactive programs.

1.1 A lattice-theoretic basis

The original weakest precondition calculus of Dijkstra [18] identi ed the meaning of a program statement with its weakest precondition predicate transformer. Dijkstra's also introduced a number of "healthiness conditions" to characterize those predicate transformers that could be considered as meanings of programs. These required that predicate transformers for executable program statements to be strict (satisfy the "Law of Excluded Miracle"), monotonic, conjunctive and continuous. The main idea of the re nement calculus [2] was to generalize the notion of executable programs to also include program speci cations, which can be understood as executable in an idealized sense, even if they need not be executable by a machine. This makes it possible to treat program speci cations and executable program statements in the same way, and combine them in a single framework. Treating speci cations as programs has the consequences for the healthiness conditions. Introducing weakest preconditions for speci cation statements [2] implies that the continuity restriction has to be dropped. This is because unbounded nondeterminism, even if it is not realizable by a machine, is a reasonable property of a speci cation and unbounded nondeterminism violates the continuity assumption. The miraculous statements [17, 36, 34, 30, 7] do not satisfy the Law of Excluded miracle, but are well motivated in program speci cations. The angelic statements [6] are disjunctive but not conjunctive, but turn out to be very useful in data re nements with non-functional data abstractions. Thus, in going from an executable programming language to a language which also treats speci cations as executable entities, most of the original healthiness conditions have been questioned. The driving force has been to gain expressive power and to develop more powerful calculi for program development. A speci cation language is in this sense truly more general than a programming language, for which all the original healthiness conditions are well motivated. The only healthiness criteria that has gone unquestioned is the monotonicity requirement. Morris [34] noted that the monotonic predicate transformers form a lattice, with the partial order corresponding to the re nement ordering of statements. Lattice-like operators on statements have been considered by Gardiner and Morgan [20] and by Hoare and others [28]. We have carried this lattice-theoretic approach further in [12, 11], with the purpose of providing a simple and uni ed framework in which to incorporate the above extensions . 4

1.2 Overview of the paper

This paper gives an overview of our work on the foundations of the re nement calculus, reported in [12, 11, 9, 13, 10]. We do not give proofs of the results here as they can be found in these references. Our main purpose is to present the re nement calculus in a latticetheoretic framework. We describe a simple lattice-based language in which all monotonic predicate transformers can be expressed. This language permits unbounded nondeterminism, nontermination and miracles as well as demonic and angelic nondeterminism. The re nement relation coincides with the lattice ordering. We show how ordinary program constructs can be de ned in this language. The main tools for program development are described, on which e.g., data and procedural re nement can be based. The lattice of monotonic predicate transformers is described in section 2. A language of commands is described in section 3. This language is a generalization and also a simpli cation of the original guarded commands language of Dijkstra, hence the name. The only constructors in this language are the lattice operators meet and join, together with functional composition. In section 4 we de ne ordinary program constructs, such as assignments, conditional composition, recursion and blocks with local variables, in terms of the more basic constructs of the command language. In section 5 we introduce the concept of inverse commands and show how these can be used in data re nement.

2 Predicates and predicate transformers 2.1 Lattices

We assume the concepts of partial orders and lattices (complete, distributive and boolean lattices) are familiar, as presented in e.g. [14, 22], as well as the weakest precondition technique of Dijkstra [18]. The ordering of a partial order K is denoted K (the subscript is usually dropped, if it is clear from the context which ordering is intended). Assume that K and L are partial orders. We write [K ! L] for the set of all monotonic functions from K to L. This set is a partial order, when ordered by f g

=

def

?




8x 2 K : f (x )  g (x ) :

This is called the pointwise extended partial order. If L is a (complete) lattice, then [K ! L] is also a (complete) lattice for this partial ordering. The partial order K is said to be discrete, if a K a 0 holds if and only if a = a 0 . The set [K ! L] will then consist of all functions from K to L.

2.2 States and state spaces

Let var be a countable set of program variables. Elements of var will be denoted x ; y ; z and lists of (distinct) program variables u ; v ; w . Subsets of var will also be denoted u , v and w , and we will usually not distinguish between a list of distinct variables and the set of these variables, using the same name ambiguously for both notions. The speci c interpretation will be pointed out when necessary, but in most cases the context will make clear which interpretation is intended. We assume that there is some unique ordering of all variables, so that each set of variables u denotes a unique list of variables u . Superposition uv of two variable lists u and v denotes the union u [ v with the implicit assumption that u \ v = ;. We assume that every variable x is associated with a nonempty set Dx of values. Values are typically denoted c ; c 0 ; : : : and lists of values d ; d 0 ; : : :. 5

Let v  var. A state on v is a (total) function mapping every x in v to some value in Dx . We assume that there are no unde ned values. The set of all states on v is called the state space on v and is denoted v . Typical states on v are denoted v ; v0 ; : : :. We often drop the subscript when the variable environment v of the state space is clear from the context. The state space v is discrete. To avoid degenerate cases we assume that v contains at least two elements, i.e.,. that there is some x 2 v such that Dx contains at least two elements.

2.3 Predicate lattice Let

Bool = f; ttg

be the set of truth values for a two-valued logic. We de ne the ordering a  b def = a =  or b = tt: of Bool (the implication ordering). Bool is a complete lattice with this ordering. A predicate on v is a total function from v to Bool. The predicate space over v is Predv = [v ! Bool ]; with typical elements P ,Q and R . An element P of Predv is called a predicate on v . Pointwise extension of the partial order on Bool, P Q

?




= 8 2 v : P ()  Q () makes Predv a complete boolean lattice. The meet and join operators on Predv are denoted ^ and _. We have that P  Q corresponds to P ) Q , while meet and join correspond to logical conjunction and disjunction of predicates. The bottom element of Predv is the predicate falsev which maps every state v to . The top element is the predicate truev that maps every state to tt. def

2.4 Operations on predicates

Substitutions A (semantic) substitution in v is de ned in the following way: =x ] is

the state which diers from  only in that it assigns the value c to the variable x . Substitutions in v are extended to Predv in the usual way. The predicate P [d =v ] is de ned by P [d =v ]() = P ( =v ]) We say that a predicate P depends on the variable x if there exist values c1 and c2 such that P [c1 =x ] 6= P [c2=x ]. The set of variables that the predicate P depends on is denoted vP .

Quali ed meets and joins Assume that v is a list of distinct variables and that fQd g is a set of predicates indexed by the set of all lists of values from D of the same length as v . We use the following notations for quali ed meets (and the corresponding notations for joins): V V Q (or simply Q d :P [d =v ] d d :P ) means taking the meet over all lists d of elements from D such that P [d =v ] = true. Thus ^

d :P [d =v ] _

d :P [d =v ]

=

^

=

_

Qd

def

Qd

def

(d : P [d =v ] = true : Qd ) (d : P [d =v ] = true : Qd ) 6

V

V

as d Qd , the meet over all lists d of appropriate length, and d :true Qd is the same W d :true Qd is the same as d Qd . The length of the list d is assumed to be clear from the

Then W

context.

Quanti cation We de ne quanti ed predicates as follows: ^ 8v :P def = P [d =v ] 9v :P

d

_

=

def

d

P [d =v ]

with d ranging over all lists of values of the same length as v . Given these de nitions, we can treat predicates much in the same way as we treat ordinary rst-order formulas.

Moving between predicate spaces Let v and w be subsets of var with v  w . If  is a state on w , we de ne the restriction of  to v , denoted  # v , by ( # v )(x ) = (x ) for all variables x in v . If Q is a predicate on v , we de ne its generalization (its upward projection) to w , denoted Q " w by (Q " w )() = Q ( # v ) (1) for all states  over w . Intuitively speaking, Q " w is the same predicate as Q , viewed in the enlarged variable environment. Conversely, if Q is a predicate over w , we de ne its restriction (its downward projection) to v , denoted Q # v , by the following: (Q # v )() = tt i (8u :Q )(0 ) = tt for all 0 such that 0 # v =  (2) where u = w ? v . Intuitively speaking, Q # w is the same predicate as 8u :Q , viewed in the restricted variable environment. We write Q : v to show that Q is a predicate in Predv . If v  w , we can consider Q as a predicate in Predw without explicitly writing Q " w . Thus v is the minimal type of Q . A simple typing algorithm computes a unique minimal result type for any predicate formula, when the minimal types of its predicate symbols are given. From now on we assume this algorithm is at work. Thus we write Q instead of Q " w and 8u 0 :Q instead of Q # u , when Q : v and uu 0 = v  w .

2.5 Predicate transformer lattices

We now de ne predicate transformers as total functions from one predicate lattice to another. Let v and w be arbitrary subsets of var. We write Mtranv !w for the set of all monotonic predicate transformers from Predw to Predv , Mtranv !w = [Predw ! Predv ] (note the reversed order of v and w ). The pointwise extended partial order from Predv , t  t0

=

def

?




8P 2 Predw : t (P )  t 0(P ) : 7

makes Mtranv !w a complete lattice. This ordering is the re nement ordering introduced in Back[1, 2] and later also used in Morris[34] and by Gardiner and Morgan [20] . A predicate transformer t in Mtranv !w is said to have arity v ! w , written t : v ! w . We are going to identify such a predicate transformer with a command executed with initial state in v and intended to terminate in a state in w , hence the reverse ordering in the arities. The top element magic v !w maps every predicate in Predw to true v . It is the unit element of lattice meet: magic ^ t = t ^ magic = t . The bottom element abort v !w maps every predicate in Predw to false v , and is the unit element of lattice join, abort _ t = t _ abort = t . The functional composition of two predicate transformers t : u ! v and t 0 : v ! w is called their sequential composition, denoted t ; t 0. It is a predicate transformer with arity u ! w , de ned by (t ; t 0 )(P ) = t (t 0(P )). The sequential composition of two predicate transformers is de ned only when their arities match. We often work with predicate transformers on some speci c predicate lattice Predv . The lattice Mtranv !v (abbreviated Mtranv ) is a complete lattice which is also closed under sequential composition. The element skip is the identity predicate transformer, which maps every predicate to itself. It is the unit element of sequential composition: skip ; t = t ; skip = t .

3 A command language 3.1 The command language

We will now de ne a small language for specifying computations. The language will be powerful enough so that both program speci cations and executable statements can be expressed within it.

Syntax The commands are de ned by the following syntax: S ::= hu = d i (strict test ) j hu  d i (miraculous test ) j h+u := d i (variable introduction ) j h?u i (variable elimination ) j SV1 ; S2 (sequential composition) (demonic choice) j Wi 2I Si j S (angelic choice) i i 2I Here S and Si are commands for all i and I is an index set (I could also be in nite), u is a list of distinct variables and d a list of values of the same length as u . Note that we permit the use of values d 2 Dx as such in commands. Alternatively, we can assume that there is a name (a constant symbol) for each value d in Dx . The language of commands is in nitary, as we permit the meets and joins to be taken also over in nite sets of commands.

Operational meaning The meaning of a command is described with respect to a nal condition Q that it is intended to establish. The strict test hu = d i will leave the state unchanged if the variables u have corresponding values d , otherwise it fails. It thus succeeds if Q was true initially and in addition u = d , but fails otherwise. The miraculous test hu  d i also leaves the state unchanged if u = d , but succeeds (miraculously) otherwise. It thus succeeds to establish Q if either Q holds initially or if u = 6 d (the success is said to be miraculous when u = 6 d , because the command will succeed in establishing any Q desired, even false).

8

The variable introduction h+u := d i adds the variables u to the state space, assigning them the values d . The old variables keep their values. The command succeeds to establish condition Q , if Q [d =v ] holds before execution of the command. The variable elimination command h?u i simply deletes the variables u from the state space. It succeeds to establish Q if Q holds before execution of the command. The execution of a compound command S is described as a game between two parties, the demon and the angel. The demon chooses a command Si to be executed in a demonicW choice V i 2I Si , while the angel chooses a command Si to be executed in an angelic choice i 2I Si . Sequential composition S1 ; S2 is executed in the usual way, i.e., S1 is executed rst, and then S2 . Assume that S is executed in the initial state 0 and that the desired condition to be established is Q . The angel tries to reach a state where Q holds, whereas the demon tries to prevent this. S is considered to (be guaranteed to) succeed in establishing Q if and only if the angel has a winning strategy, i.e.,. no matter what choices the demon makes, the angel can force the execution into a nal state where Q holds. Note that there are no looping constructs, so execution must always nish after a nite number of moves. Because of the in nite meets and joins, the number of moves needed need not, however, be bounded.

Arities Let v and w be sets of program variables. We write S : v ! w to denote that command S has arity v ! w . The arity of a command is established by the following rules: hu = d i : v ! v if u  v hu  d i : v ! v if u  v h+u := d i : v ! uv h?u i : uv ! v S ;S :v !w if S1 : v ! v 0 and S2 : v 0 ! w for some v 0 V1 2 S :v !w if Si : v ! w for each i 2 I Wi 2I i S : v ! w if Si : v ! w for each i 2 I i 2I i :

We write C v !w for the set of all commands of arity v ! w . A command is well-formed if it can be assigned an arity by the above rules. The union of all well-formed commands is denoted C . In the operational interpretation, S : v ! w means that we can interpret S as a command with initial state in v and nal state in w . Note that we may associate dierent arities with the same command. There is, however, always a minimal arity v ! w , where v and w are as small as possible, only containing those variables that have to be there by the rules.

3.2 Commands as predicate transformers

A command S : v ! w denotes a predicate transformer tS in Mtranv !w . For any predicate Q 2 Predw , tS (Q ) 2 Predv is the predicate that holds for exactly those initial states in v for which S is guaranteed to succeed in establishing Q . This is, in essence, the weakest precondition semantics of [18], extended to the larger set of program constructs considered here. The meaning of a command S : v ! w is de ned as follows, for any Q 2 Predw :

hu = d i(Q ) = (u = d ) ^ Q hu  d i(Q ) = (u = d ) ) Q 9

h+u := d i(Q ) = Q [d =u ] h?u i(Q ) = Q

(S1 ; S2 )(Q ) = S1 (S2 (Q )) ^ ^ ( Si )(Q ) = Si (Q ) (

i 2I

_

i 2I

Si )(Q ) =

i 2I

_

i 2I

Si (Q )

We permit empty variable lists in the primitive commands, with the convention that

h = i = h  i = h+ := i = h?i = skip , where  is the empty list.

These de nitions encode the informal operational meaning of commands described above. The compound commands are just the basic operations in function lattices, i.e.,. demonic choice is lattice meet, angelic choice is lattice join and sequential composition is functional composition. The fact that each command denotes a monotonic predicate transformer is established by the following theorem. Theorem 1 Each command S : v

! w determines a predicate transformer in Mtranv !w .

The partial order on Mtranv !w determines a re nement relation on the set of commands of arity v ! w ; we say that S is re ned by S 0 if S  S 0 .

3.3 Completeness of command language

The above shows that each command corresponds to a monotonic predicate transformer. conversely, it turns out that every monotonic predicate transformer can be constructed as a command. Theorem 2 Let v and w be arbitrary subsets of var and let t be an arbitrary predicate transformer in Mtranv !w . Then there exists a command S : v 0 ! v 0 and commands h+u := d i : v ! v 0 and h?u 0 i : v 0 ! w such that

t = h+u := d i; S ; h?u 0 i

(We choose v 0 = v [ w , u = w ? v and u 0 = v ? w in the theorem.) This, together with the previous result, shows that the language C is complete in a very strong sense. Corollary 1 (Completeness of command language) The (monotonic) predicate transformers in Mtranv !w are exactly those that can be constructed as commands in C v !w . Thus, the set of commands C v !w is a complete lattice for any v ; w  var. This means

that we are free to use all lattice operations on commands (as is also permitted by the syntax of commands) and also that all properties of complete lattices hold for commands. We can therefore reason conveniently about properties of commands without explicitly referring to their weakest precondition interpretation. Note that C as a whole is not a lattice, as meets and joins are not de ned for all pairs of commands but only for those with the same arity. Also, sequential composition is de ned only when arities match. Note also that the completeness of the command language is bought at a certain price: we have to permit in nitary constructs in our language, so a command need not necessarily have a nite syntactic representation. 10

3.4 Sublanguages of C

The command language introduces a number of new features into the weakest precondition approach which are not present in the original guarded command language of [18]. We will here characterize these features in somewhat more detail and identify a number of sublanguages of C based on these features. Dijkstra originally proposed ve healthiness conditions that every statement language would have to satisfy. Of these, only the monotonicity condition is satis ed by all commands in C , and, by the completeness result above, turns out to be the de ning characteristics for the predicate transformers generated by the command language. Each of the new features added to the language breaks one or more of the original healthiness conditions formulated by Dijkstra in [18]. The fact that we permit arbitrary meets means that the assumption of bounded nondeterminism is not satis ed, the miraculous commands violate the "Law of Excluded Miracles" and the angelic choice violates the conjunctivity condition. Let us make the following de nitions, for any S 2 C : (?) S is non-miraculous (strict with respect to false) if S (false) = false. (>) S is always terminating (strict with respect to true) if S (true) = true. V V (^) S is conjunctive if S ( i 2I Qi ) = i 2I S (Qi ) for all nonempty sets of predicates fQi gi 2I . W W (_) S is disjunctive if S ( i 2I Qi ) = i 2I S (Qi ) for all nonempty sets of predicates fQi gi 2I . We call S (false) the domain of miracles and S (true) the domain of termination of S . A command that is both conjunctive and disjunctive is called deterministic. These four properties are independent of each other. Thus there are 16 dierent ways of combining them. Indexing C with some of the symbols for these properties denotes a sublanguage where all commands are required to have the properties in question. Thus, for example, C_> is the set of all always terminating disjunctive commands. The guarded commands of Dijkstra belong to the language C^? , i.e., all non-miraculous conjunctive commands. ?> , the most restrictive of these all, consists of all non-miraculous and always The language C^_ terminating deterministic commands. The dierent sublanguages are analyzed in more detail in [9]. There is a duality between the commands in C which we de ne as follows. For any command S we de ne its dual command S  by S  (Q ) def = :S (:Q ) The duality operator is de ned and investigated in more detail in [12]. We have that (S  ) = S . The duality operator will change both strictness and the kind of nondeterminism, so that e.g. (C^? ) = C_> . The basic commands are to a large extent dual to each other or self-duals. We have that hu = d i = hu  d i h+u := d i = h+u := d i h?u i = h?u i (S1 ; S2 ) = S1 ; S2 ^

i 2I

Si

!

=

_

i 2I

Si

This shows how duality interchanges the possibility for non-termination with the possibility of miracles, as well as interchanging demonic and angelic nondeterminism. 11

3.5 Subcommand replacement

Let C 1 = C v !w and C 2 = C v !w be two command lattices of speci c arities. Then the set of command constructors from C 1 to C 2 , 0

0

[C 1 ! C 2 ] is a complete lattice, with the pointwise ordering T  T 0 def = 8S 2 C 2 :(T (S )  T 0(S )):

We can have higher order order command constructors by iterating the functional space constructor, e.g. [C 1 ! [C 2 ! C 3 ]] and [[C 1 ! C 2 ] ! C 3 ]. These are all complete lattices with the pointwise ordering. Command constructors of more than two arguments are modelled by currying, so that e.g. [C 1  C 2 ! C 3 ] stands for [C 1 ! [C 2 ! C 3]]. A command constructor on C is any command constructor that has been built out of the basic commands and the basic constructors (sequential composition, meet and join) in C using only lambda abstraction and application (we assume that typed lambda calculus is used, so that the arities are well de ned). Thus e.g. _

X : C v !w : (hu = d i; X ; h+u 0 := d i) d

is an element of [C v !w ! C v !w ] if the body of the lambda expression has arity v 0 ! w 0 when X is assumed to have arity v ! w . The basic constructors are all monotonic, as shown by the following lemma. 0

Lemma 1 Let Si

0

 Si0 for every i. Then

S1 ; S2  S10 ; S20 ;

^

i 2I

Si 

^

i 2I

Si0

and

_

i 2I

Si 

_

i 2I

Si0

This established the following central result. Theorem 3 (Monotonicity of constructors) All command constructors on C are mono-

tonic.

Monotonicity means that any function f : C 1 ! C 2 that we can construct out of the basic commands and constructors in C using only lambda abstraction and application will be an element of [C1 ! C 2 ]. An important consequence of this is that we may always replace a subpart of a command with its re nement; the resulting command will be a re nement of the original command. Theorem 4 (Subcommand replacement) Let T (S ) be any command with a command S as a component. Then

S  S 0 ) T (S )  T (S 0):

This result permits the top-down development of programs. It should be noted that the duality operator is not permitted as a constructor of the language. In fact, dualization is antimonotonic with respect to subcommand replacement: S1  S2 ) S2  S1 :

12

3.6 Re nements in the command languages

Traditionally, a demonic and non-miraculous command S has been de ned to be totally correct with respect to precondition P and postcondition Q , denoted P [S ]Q , if P implies the weakest precondition for S to establish Q . We extend this de nition to the whole of C by P [S ]Q def = P  S (Q ):

A straightforward consequence of this de nition and of the de nition of re nement is the following. Lemma 2 Let S and S 0 be any commands in C v !w . Then S

 S 0 if and only if

8P 2 Predv ; Q 2 Predw :(P [S ]Q ) P [S 0 ]Q ): The re nement relation thus captures the notion of preserving total correctness: S 0 will satisfy every total correctness speci cation that S satis es (and maybe some others too). In the traditional context of non-miraculous and demonic commands, a re nement S  S 0 holds if S 0 decreases the domain of nontermination or decreases the nondeterminism of S (or both). When permitting miracles and angelic nondeterminism, this has to be extended. We rst state the following result. Theorem 5 Let u be an arbitrary list of variables, d a list of values of the same length as v, and let fSi gi 2I be a family of commands in C . Then (a) abort  hu = d i  skip, (b) skip  hu  d i  magic, V V (c) i 2I Si  i 2I Si when I 0  I , W W (d) i 2I Si  i 2I Si when I  I 0. 0

0

Case (a) shows how to decrease the domain of nontermination and case (b) how to increase the domain of miracles. Case (c) shows how to decrease the demonic nondeterminism and case (d) how to increase the angelic nondeterminism. The command constructors (meet, join and sequential composition) are all monotonic with respect to re nement, by the subcommand replacement property. This means that any re nement of the above kind to a subcomponent of S yields a re nement of S itself. In general, a command S is re ned by a command S 0 if 1. S 0 decreases the domain of nontermination of S , or 2. S 0 increases the domain of miracles of S , or 3. S 0 decreases the demonic nondeterminism of S , or 4. S 0 increases the angelic nondeterminism of S . If S  S 0 , this is equivalent by the lattice properties of commands to S ^ S 0 = S and S _ S 0 = S 0 . Hence, in a certain (trivial) way, each re nement corresponds to either decreasing demonic nondeterminism or increasing angelic nondeterminism.

13

4 Speci cation and program constructs The command language constructs are quite low level, and not as such very usable in program derivations. We will show in this section how to de ne more useful derived constructs in the command language. The new constructs will be de ned as abbreviations for certain compound commands in C . We can compute the weakest precondition predicate transformer directly for the derived construct by using the de nition of commands. The derived constructs can therefore be used as such in calculations, without the need to refer to their explicit de nition in terms of more primitive commands. The derived constructs provide us with very powerful tools for describing computations. Not all of these constructs are necessary computable. For instance, all input-output speci cations can be expressed directly by derived constructs. We will also have recursion, loops and blocks with local variables. The language can also be extended with (possibly recursive) procedures and parameters, as shown in [4], although we will not treat this aspect of the language here. Ordinary program statements, such as the guarded commands in [18] can be expressed as commands. These form a very restricted sublanguage of C . We assume below that there is a language for de ning predicates, such as the usual rstorder predicate calculus with equality, and that each predicate expression P is associated with an arity v , denoted P : v , with the meaning that P can be interpreted as a predicate in Predv . In particular, this means that the predicate does not depend on any variables not in v , i.e.,. that vP  v .

4.1 Assert commands and guards

Let P be an arbitrary predicate formula and let v = vP . Then we de ne the assert command

fP g and its dual, the guard command P ! by

_

fP g def = P!

d :P ^

=

def

d :P

hv = d i hv  d i

(the guard command has been introduced in [25]). Computing the predicate transformers gives fP g(Q ) = P ^ Q (P !)(Q ) = P ) Q As special cases, we have ffalse g = abort ftrueg = skip (false !) = magic (true !) = skip The guarded command P ! S can be considered to be an abbreviation for the composition (P !); S . Thus, (P ! S )(Q ) = P ) S (Q ) which corresponds to the de nitions given in [36, 30, 7]. Note that the dual of P ! is fP g, and that we have the similar abbreviation fP gS , so (fP gS )(Q ) = P ^ S (Q ) 14

4.2 Update commands

The update commands permit an arbitrary postcondition to be established directly, if possible, by assigning suitable values to the program variables. These commands permit us to model input-output speci cations in a convenient fashion. In the de nitions we will make use of the value assignment command hu := d i, de ned as hu := d i = h?u i; h+u := d i.

Demonic update The demonic update command h^u :P i is de ned as follows: ^

h^u :P i def = ( hu := d i); P ! d

The predicate transformer for this command can be computed from the de nition. It is h^u :P i(Q ) = 8u :(P ) Q ): It is a possibly miraculous and always terminating demonic choice command. It will nondeterministically assigns suitable values to the variables u to establish the condition P . If this is not possible, the command succeeds miraculously.

Angelic update The angelic update command h_u :P i is constructed in the dual way. We de ne

_

h_u :P i def = ( hu := d i); fP g d

The angelic update command thus determines the predicate transformer h_u :P i(Q ) = 9u :(P ^ Q ): It is a non-miraculous but possibly nonterminating angelic choice command. It will choose some value for the variable u that establishes the condition P , if this is possible. If it is not possible, the command aborts. The demonic and angelic update commands are each others duals, h^u :P i = h_u :P i: We note that the update commands can be described in the following simple way: h^u :P i = h^u :true i; P ! h_u :P i = h_u :true i; fP g Both of these can be interpreted as assigning arbitrary values to u and then forcing them to backtrack if the values do not establish P . A similar idea is used in [36] when de ning the ordinary assignment statement.

4.3 Nondeterministic variable introduction

We de ne two nondeterministic variable introduction commands,

h^ + u i def =

^

h_ + u i def =

_

d

d

15

h+u := d i h+u := d i

The command h^ + u i introduces the variables u assigning arbitrary (demonically chosen) values to them. Dually, h_ + u i introduces the variables u assigning angelically chosen values to them. Thus h_ + u i and h^ + u i are duals and they determine the following predicate transformers: h^ + u i(Q ) = 8u :Q h_ + u i(Q ) = 9u :Q

4.4 Conditional composition

The usual (demonic) conditional composition is de ned as

if b1 ! S1 []b2 ! S2

=

def

?




fb1 _ b2 g; (b1 ! S1 ) ^ (b2 ! S2)

We can also de ne an angelic conditional composition, by

if b1 ! S1}b2 ! S2

=

def

fb1gS1 _ fb2gS2

When executed in a state where both b1 and b2 holds, it makes an angelic choice between S1 and S2 . In all other states it acts like the ordinary conditional composition. When there is only one alternative, the two conditional compositions coincide, so we de ne

if b ! S

= fb g; S The conditional composition can be de ned as a program constructor in S1 and S2 , by condb1 ;b2 = S1 ; S2 :(fb1 _ b2g; ((b1 ! S1 ) ^ (b2 ! S2 ))): Thus, the conditional composition is monotonic in the bodies of the conditionals, i.e., S1  S10 and S2  S20 ) if b1 ! S1 []b2 ! S2  if b1 ! S10 []b2 ! S20 However, we cannot de ne the conditional composition as a constructor in terms of the guarded commands b1 ! S1 and b2 ! S2 , because the initial assert command needs to refer to the guards of these commands (so the de nition would not be compositional). The subcommand replacement property also does not hold for the replacement of these, i.e., if S1 []S2  if S10 []S20 need not hold even if S1  S10 and S2  S20 . def

4.5 Recursion and iteration

Let X be a command variable of arity v ! w , and let T (X ) : v ! w be a command constructed out of X together with the basic commands and constructors of C . Then X :T (X ) is an element in [Cv !w ! C v !w ]. As this is a monotonic function on a complete lattice, the least xed point of this function exists in C v !w . We let the recursive composition X :T (X ) denote this least xpoint. This de nition is generalized by an inductive argument to the case when the expression T (X ) itself contains recursive composition. The greatest xpoint  X :T (X ) of X :T (X ) also exists. It is the dual of the least xed point: we have that (X :T (X )) =  X :T (X ) 16

where we de ne T (S ) = (T (S  )) for every command S . Note that there is no need to introduce recursion as a basic constructor into the command language, as X :T (X ) is just used as an abbreviation for a command that already exists. This is one of the main payos from permitting the in nite meets and joins in our command language. The subcommand replacement property holds for the recursive construct. This follows from the fact that the xpoint operator is monotonic: X :T (X )  X :T 0(X ) ) X :T (X )  X :T 0(X ): The iteration command is de ned in the usual way with recursion, do b ! S od = X :if b ! S ; X [] :b ! skip : The iteration command with many alternatives is as usual treated as an abbreviation, do b1 ! S1 [] : : : [] bn ! Sn od def = X :if b1 ! S1 ; X [] : : : [] bn ! Sn ; X [] :(b1 _ : : : _ bn ) ! skip : As the iteration command is de ned in terms of the conditional command, it will be monotonic in the bodies of the alternatives (but not in the guarded commands themselves). In other words, we have S  S 0 ) do b ! S od  do b ! S 0 od:

4.6 Blocks with local variables

We de ne the ordinary block construct as

j[ var u ; S ]j def = h^ + u i; S ; h?u i The arity of the block is v ! w , if the arity of the command S is uv ! uw (note that we do

not permit redeclaration of variables). The predicate transformer for the block construct is then j[ var u ; S ]j(Q ) = 8u :S (Q ) The subcommand replacement property holds directly for the block: S  S 0 ) j[ var u ; S ]j  j[ var u ; S 0 ]j

Logical variables A block with the logical constant u [33, 32] can be de ned as j[ con u ; S ]j def = h_ + u i; S 0 ; h?u i The subcommand replacement property holds also for this construct: S  S 0 ) j[ con u ; S ]j  j[ con u ; S 0 ]j:

4.7 Assignment commands

The update commands de ned above are not real update commands, in the sense that the new values of the variables being updated do not depend on the old values of the variables. We can, however, easily de ne real update commands (assignments) by combining update commands with the block command. 17

Nondeterministic assignments The demonic miraculous assignment h^u : u 0 :Q i is de ned as h^u : u 0 :P i def = j[ var u 0 ; h^u 0 :P i; h^u :u = u 0 i ]j:

Here P may refer to the variables u and to u 0 , the latter standing for the new values of u . In this way we indicate how the new values of u are to be related to the old values of u . This command will demonically assign some value u 0 to u such that P becomes satis ed, if there exists such a value. Otherwise it will succeed miraculously. The predicate transformer for it is h^u : u 0 :P i(Q ) = 8u 0 :(P ) Q [u 0 =u ]): Similarly, the angelic strict assignment h_u := u 0 :Q i is de ned as

h_u := u 0 :P i def = j[ var u 0 ; h_u 0 :P i; h_u :u = u 0 i ]j: This command will angelically assign some value u 0 to u such that P becomes satis ed, if there exists such a value. Otherwise it will fail. The predicate transformer for it is

h_u := u 0 :P i(Q ) = 9u 0 :(P ^ Q [u 0 =u ]): This command is the dual of the previous command. The demonic strict assignment of [2] is de ned as

h^u := u 0 :P i def = h_u := u 0 :P i; magic ^ h^u : u 0 :P i The command behaves as the demonic miraculous assignment command, except that it fails if there is no value v 0 that satis es P . The predicate transformer for it is

h^u := u 0 :P i(Q ) = 9u 0 :P ^ 8u 0 :(P ) Q [u 0=u ]): Dually we can de ne the angelic miraculous assignment command as

h_u : u 0 :P i def = h^u : u 0 :P i; abort _ h_u := u 0 :P i This behaves as the angelic strict assignment command, except that it will succeed miraculously if there is no value u 0 that satis es the required conditions. The predicate transformer for it is h_u : u 0 :P i(Q ) = 9u 0 :P ) 9u 0 :(P ^ Q [u 0=u ]): We take the demonic nondeterministic execution as the default, when we omit the explicit indication of the kind of nondeterminism intended: we write u : u 0 :Q for h^u : u 0 :Q i and u := u 0 :Q for h^u := u 0 :Q i.

Multiple assignment commands The multiple assignment command is de ned using e.g.

the demonic strict assignment:

u := e

=

def

u := u 0 :(u 0 = e )

determining the ordinary predicate transformer (u := e )(Q ) = Q [e =u ] We will assume in the sequel that all expressions are total. However, assignments with expressions that are not total are automatically accommodated into this framework. If def (e ) 18

is a predicate which holds exactly in those states where the expression e is de ned, then the de nition gives (u := e )(Q ) = def (e ) ^ Q [e =u ] Alternatively, we could choose to use the miraculous multiple assignment, de ned as u : e

=

def

u : u 0 :(u 0 = e )

with

(u : e )(Q ) = def (e ) ) Q [e =u ] Let us look at the example assignment x := x  y . If y 6= 0 then both x := x  y and x : x  y assign the value x  y to x . However, if y = 0 then x := x  y aborts while x : x  y succeeds miraculously. The idea of a miraculous multiple assignment was introduced in [31] as an aid in type checking.

5 Inverse commands and data re nement

5.1 Inverse commands

A true inverse of a command S 2 C is a command S ?1 that satis es S ?1 ; S = skip = S ; S ?1 :

A true inverse of S exists if and only if S is bijective. The set of bijective commands form a subset of C ?> ^_ . This is a very restrictive class of commands, making the usefulness of this notion of true inverses rather limited. We can generalize the notion of an inverse command as follows. The inverse of command S : v ! w is a command S ?1 : w ! v that satis es (i) skip v  S ; S ?1 and (ii) S ?1 ; S  skip w . Let S be a command in C . We show in [10] the following result. Theorem 6 Let S be a command in C . The following properties then hold: (i) S ?1 is unique if it exists.

(ii) S ?1 exists if and only if S 2 C >^ . (iii) S ?1 2 C ?_ if it exists. Thus the inverse command is de ned only for conjunctive and always terminating commands and is then unique. In [9] it is shown how dierent sublanguages of C are constructed using suitable subsets of the basic commands and constructors of C . In particular, we have the following result for C >^ : Lemma 3 Every conjunctive and always terminating command can be constructed using the primitive commands hu  d i, h+u := d i, h?u i and the constructors ; and ^.

19

The inverse command of any conjunctive and always terminating command can be computed using the following rules: hu  d i?1 = hu = d i h+u := d i?1 = hu = d i; h?u i h?u i?1 = h_ + u i (S1 ; S2 )?1 = S2?1 ; S1?1 ^ _ ( Si )?1 = Si?1 As special cases, we have magic ?1 = abort (P !)?1 = fP g hu := d i?1 = hu = d i; h_u :truei We note that the inverse command construct is antimonotonic with respect to subcommand replacement: S1  S2 ) S2?1  S1?1 :

5.2 A characterization of re nement

For general conjunctive commands S 2 C ^ there need not always be any S 0 such that skip  S ; S 0 is satis ed. This is because skip always terminates, while S ; S 0 does not terminate if S does not terminate. However, we can get around the nontermination of S if we weaken the requirement as follows. We say that S ? 2 C ?_ is a generalized inverse of S , if S ? ; S  skip and fS (true )g  S ; S ? : This does not de ne S ? uniquely. However, we can show that a kind of compositionality does exist for generalized inverses also, making it possible to compute a generalized inverse of an arbitrary conjunctive command. Thus, if Si? is a generalized inverse of Si for each i , then hu = d i is a generalized inverse of hu = d i S2? ; S1? is a generalized inverse of S1 ; S2 ^ _ Si Si? is a generalized inverse of For conjunctive and always terminating commands the generalized inverse command is unique and coincides with the ordinary inverse. We can use generalized inverses to get a characterization of re nement between conjunctive commands in the weakest precondition calculus. Theorem 7 Let S : u ! v and S 0 : u ! v be conjunctive commands. Then S  S 0 if and only if

S (true ) ^ (u = u0 )[S 0 ]S ? (u = u0 ) where u0 is a list of fresh variables of the same length as u and S ? is any generalized inverse of S.

This gives us a bridge between the re nement calculus and the weakest precondition calculus. We can establish any re nement between conjunctive commands by proving the corresponding total correctness assertion in the weakest precondition calculus, and, conversely, any re nement between commands corresponds to a speci c total correctness assertion. This characterization is essentially the same as in [5], except that the inverse command here plays the role of the strongest postconditions. 20

5.3 Data re nement

Encoding and decoding Consider two commands, S : uv ! uv and S 0 : u 0 v ! u 0 v . We want to model the intuitive idea that S 0 : u 0 v ! u 0 v is constructed from S by changing the

way in which the program state is represented, from a representation in terms of uv (the abstract state space) to a representation in terms of u 0 v (the concrete state space). The basic idea is to introduce an encoding command E : uv ! u 0 v that computes the representation 0 2 u v of each state  2 uv . We require that E 2 C >^ , i.e., it is always terminating and demonic (but it may be miraculous) . The inverse of E is the decoding command E ?1 : u 0 v ! uv . We say that command S is re ned by S 0 through the encoding E and decoding F , denoted S E ;F S 0 , if S  E ; S 0 ; F ?1: When F = E , we say that command S is re ned by S 0 through the encoding E , denoted S E S 0 . 0

Data re nement with encoding and decoding Because our language permits subcommands with dierent arities to coexist in a command, we can work with dierent representations of the data in dierent parts of a program. Thus, we might start with a command S = : : : S 1 : : : S2 : : : ; We can then replace the subcommand S1 by an encoding E ; S10 ; E ?1 . If S1  E ; S10 ; E ?1 , then we have that S 0 = : : : E ; S10 ; E ?1 : : : S2 : : : is a re nement of the original command, by the subcommand replacement property. The command S 0 contains two dierent subcomponents, one (S2 ) working on the original data representation and the other (S10 ) working on a data new representation. The monotonicity of subcommand replacement permits us to replace subcommands by their encodings at will. However, the result of this is that we introduce encoding and decoding commands, which need to be removed if we do not want to actually execute them. The following lemma shows how to remove these. Lemma 4 Let E, F and G be encoding commands. (i) If S1 E ;F S10 and S2 F ;G S20 , then S1 ; S2 E ;G S10 ; S20 V V (ii) If Si E ;F Si0 for each i, then Si E ;F Si0 . W

W

(iii) If Si E ;F Si0 for each i, then Si E ;F Si0 . These properties follow directly from the properties of the inverse commands. Thus, for (i) we have e.g. that S1 ; S2  E ; S10 ; F ?1; F ; S20 ; G ?1  E ; S10 ; S20 ; G ?1; because F ?1; F  skip . The method for data re nement should now be clear. We start with some command S , and show how the individual pieces Si of S can be re ned by encoding to Ei ; Si0 ; Fi?1 , possibly using dierent encodings and decodings in dierent parts of the program. Then we combine these pieces by the above rules, so that intermediate encodings are removed. We are then left with an initial encoding E and a nal decoding F ?1, such that S  E ; S 0 ; F ?1 for some command S 0 . 21

Manipulating encodings and decodings The encoding and decoding commands are just special kinds of commands, so we may combine them in the same way as we combine other commands. Thus we may e.g. take the sequential composition of two encodings, E ; F , to describe the successive applications of encoding E and encoding F . The inverse of this is calculated by the rule for inverse commands; it is F ?1; E ?1 . We may also re ne encodings and decodings themselves. Consider e.g. the following situation. Our intention has been to re ne the sequential composition S1 ; S2 . We have derived S1  E ; S10 ; F ?1 and S2  G ; S20 ; H ?1. Thus we S1 ; S2  E ; S10 ; F ?1 ; G ; S20 ; H ?1:

The problem is that the decoding and the encoding do not match. We can, however, still remove the intermediate encoding, if we can prove that F ?1; G  skip

If this is not the case, then we can instead decide that a real, actually executed change of data representation is called for. In that case, we prove that F ?1; G  S12

for some command S12. This command will change the data representation in a suitable way. We then have that S1 ; S2  E ; S10 ; S12 ; S20 ; H ?1:

Data re nement with indierent commands The command S is said to be indierent with respect to the encoding command E if S does not refer to any variables that E refers to. In this case S is invariant under the encoding E , as the following lemma shows. Lemma 5 If S is indierent with respect to the encoding command E, then

S E S

In particular, the unit elements in the command language are invariant under encoding: abort E abort skip E skip magic E magic

Data re nement with derived commands We now extend the data re nement rules

for the basic constructors given above to data re nements of derived commands. We will treat conditional composition, recursion/iteration and blocks here, and assignments in the next subsection. We have the following result for the derived commands. Lemma 6 Let E and F be encoding commands. Then (i) If S1 E ;F S10 and S2 E ;F S10 , then

if b1 ! S1 []b2 ! S2 E ;F if b10 ! S10 []b20 ! S20 provided :b1  E (:b10 ), :b2  E (:b20 ) and b1 _ b2  E (b10 _ b20 ) 22

(ii) If T (E ; S ; F ?1 ) E ;F T 0(S ) for all commands S then X :T (X ) E ;F X :T 0(X )

(iii) If S E S 0 then

do b ! S od E do b 0 ! S 0 od provided b  E (b 0) and :b  E (:b 0) (iv) If E is the encoding command h^ + u 0 i; h?u i then j[ var u ; E ; S ; E ?1 ]j  j[ var u 0 ; S ]j

This shows that we may use the technique of data re nement freely also with the derived constructs.

5.4 Abstraction and representation commands

The idea of data re nement was rst introduced by Hoare in [27]. He proposed that one uses an abstraction function f to determine the abstract state (u ; v ) = f (u 0 ; v ) that a concrete state u 0 v represents. The abstraction function need not be de ned for every concrete state, but only for those that satisfy some data invariant I (u 0 ; v ). This makes the abstract state functionally dependent on the concrete state, i.e.,. for each concrete state there is at most one abstract state that it represents. The other way the dependence need not be functional, i.e., there may be more than one concrete state that represents a certain abstract state. The idea of an abstraction function and a data invariant can be generalized to an arbitrary abstraction relation R (v ; u ; u 0 ) that is to hold between abstract and concrete data spaces. No functional dependence is assumed. We can easily see that the use of explicit abstraction relations is a special case of the idea of making data re nements by encoding and decoding commands. We may choose as the encoding command  = h^ + u 0 i; h^u 0 :R i; h?u i abbreviated  = h^ + u 0 ? u :R i. This command rst adds the concrete variables u 0 to the state, then assigns them values so that the abstraction relation R (v ; u ; u 0 ) is established, and nally removes the abstract variables u from the state. The command is demonic and always terminating. If there is no way of establishing the abstraction relation, then the command succeeds miraculously. Computing the inverse of  gives ?1 = h_ + u i; h_u :R i; h?u 0 i abbreviated ?1 = h_ + u ? u 0 :R i. Thus, the inverse command introduces the abstract

variables and assigns them values so that the abstraction relation is satis ed, and then removes the concrete variables from the state space. This command is angelic and non-miraculous. It fails to terminate if there is no way of establishing the abstraction relation by assigning suitable values to the abstract variables. Computing the weakest precondition transformers for these commands gives (Q ) = 8u 0 :(R ) Q ) ?1(Q ) = 9u :(R ^ Q )

23

The condition

S  ; S 0 ; ?1 then becomes the following. For any Q , we must have that

S (Q )  (; S 0 ; ?1)(Q ) = (S 0 (?1(Q ))) = 8u 0 :(R ) S 0 (9u :(R ^ Q )))

Hence, the data re nement holds if and only if for any Q (u ; v ), 8u 0 :[R (v ; u ; u 0) ^ S (Q (u ; v )) ) S 0 (9u :(R (v ; u ; u 0 ) ^ Q (u ; v )))]:

Data re nement of speci cation statements We will nally apply the characterization

theorem to show how to implement a speci cation commands such as a demonic nondeterministic assignment using encoding with . We assume that v is the list of variables that are both in the abstract and the concrete state space. By the characterization theorem and using the fact that  = h^ + u 0 ? u :R i, we get that S  S 0 if and only if S (true ) ^ u ; v = u0 ; v0 ^ R [S 0 ] 9u :(R ^ S ? (u ; v = u0 ; v0 )): For the special case of S = (u ; v := u 0 ; v 0 :P ), the rules for computing the generalized inverses give us that Strue = 9u 0 ; v 0 :P S ? (u ; v = u0 ; v0) = P [u0 ; v0; u ; v =u ; v ; u 0; v 0 ]: This gives us in fact a proof rule for showing that a speci cation statement is correctly data re ned by a concrete statement.

6 Conclusions and related work We have de ned a language of commands that permits both miracles and angelic nondeterminism, in addition to the more traditional features of nontermination and demonic nondeterminism. The language is very simple and semantically complete. On the other hand, it is in nitary, meaning that not every command has a nite syntactic representation. All traditional program constructs can be de ned in this language. The idea of accepting miraculous statements originates with Nelson[36] (where they are interpreted as failures, requiring backtracking). Miracles were applied to program development by Morgan for sequential programs [30, 29] and by Back for parallel programs [7]. A nonconjunctive operator on statements is introduced by Gardiner and Morgan in [20], but its properties are not investigated more closely. Back[6] de nes a disjunctive data abstraction statement and interprets it as being angelic. We extend this approach here, accepting angelic commands as rst-class citizens and permitting demonic and angelic commands to be mixed in command constructions. The concept of the dual of a predicate transformers is not new, it has been de ned previously by Guerreiro[24]. However, we consider duals of commands to be commands in their own right. Permitting both miracles and angelic nondeterminism makes this possible, and the game-theoretic interpretation of commands gives a reasonable intuitive understanding of statements where these dierent kinds of language features are intermixed. Inversion of statements has been discussed previously by Dijkstra[18] and by Gries[23]. Since they consider only non-miraculous and demonic statements, their inverses are more 24

restricted than ours. We generalize the concept of inverse so that every terminating demonic command has a unique inverse, which is angelic and possibly nonterminating. We have generalized the concept further, so that every demonic command has a generalized inverse (not necessarily unique). The generalized inverse is used to give a rst-order characterization of the re nement relation, playing the same role as the strongest postconditions in Back[5]. Recent work on re nement of programs in the weakest precondition-tradition has to a great extent concentrated on data re nement. Most authors have de ned a data re nement relation which is distinct from the ordinary (algorithmic) re nement relation (Morgan[29], Morris[35], Chen and Udding[16]). We nd it preferable not to introduce a separate data re nement relation, instead algorithmic re nement and data re nement are carried out within the framework of one common re nement relation. This approach was originally proposed for functional data abstraction in Back[2] and generalized to relational data abstraction in Back[6]. Here we have generalized this even further, permitting any conjunctive and total statements as a data abstractions.

Acknowledgements The work reported here was supported by the FINSOFT III program sponsored by the Technology Development Centre of Finland. We would like to thank Orna Grumberg, Nissim Francez, Viking Hognas, Schmuel Katz, Joost Kok, Reino Kurki-Suonio, Carroll Morgan, Kaisa Sere and John Tucker for helpful discussions on the topics treated here.

References [1] R. Back. On the correctness of re nement in program development. Ph.D. thesis Report A{1978{4, Department of Computer Science, University of Helsinki, 1978. [2] R. Back. Correctness Preserving Program Re nements: Proof Theory and Applications, volume 131 of Mathematical Center Tracts. Mathematical Centre, Amsterdam, 1980. [3] R. Back. On correct re nement of programs. Journal of Computer and Systems Sciences, 23(1):49{68, August 1981. [4] R. Back. Procedural abstraction in the re nement calculus. Reports on computer science and mathematics 55,  Abo Akademi, 1987. [5] R. Back. A calculus of re nements for program derivations. Acta Informatica, 25:593{ 624, 1988. [6] R. Back. Changing data representation in the re nement calculus. In 21st Hawaii International Conference on System Sciences, January 1989. [7] R. Back. Re ning atomicity in parallel algorithms. In PARLE Conference on Parallel Architectures and Languages Europe, Eindhoven, the Netherlands, June 1989. Springer Verlag. [8] R. Back and K. Sere. Stepwise re nement of action systems. In Mathematics of Program Construction, volume 375 of Lecture Notes in Computer Science, Groningen, The Netherlands, June 1989. Springer{Verlag. [9] R. Back and J. von Wright. Combining angels, demons and miracles in program speci cations. Reports on computer science and mathematics 86,  Abo Akademi, 1989. 25

[10] R. Back and J. von Wright. Command lattices, variable environments and data re nement. Reports on computer science and mathematics 102,  Abo Akademi, 1990. [11] R. Back and J. von Wright. Duality in speci cation languages: a lattice-theoretical approach. Reports on computer science and mathematics 77,  Abo Akademi, 1989. [12] R. Back and J. von Wright. A lattice-theoretical basis for a speci cation language. In Mathematics of Program Construction, volume 375 of Lecture Notes in Computer Science, Groningen, The Netherlands, June 1989. Springer{Verlag. [13] R. Back and J. von Wright. Statement inversion and strongest postcondition. Reports on computer science and mathematics 101,  Abo Akademi, 1990. [14] G. Birkho. Lattice Theory. American Mathematical Society, Providence, 1961. [15] R. Burstall and J. Darlington. Some transformations for developing recursive programs. J. ACM, 24(1):44{67, 1977. [16] W. Chen and J. Udding. Towards a calculus of data re nement. In Mathematics of Program Construction, volume 375 of Lecture Notes in Computer Science, Groningen, The Netherlands, June 1989. Springer{Verlag. [17] J. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980. [18] E. Dijkstra. A Discipline of Programming. Prentice{Hall International, 1976. [19] E. W. Dijkstra. Notes on structured programming. In O. Dahl, E. Dijkstra, and C. Hoare, editors, Structured Programming. Academic Press, 1971. [20] P. Gardiner and C. Morgan. Data re nement of predicate transformers. Manuscript (to appear in Theoretical Computer Science), 1988. [21] S. Gerhart. Correctness preserving program transformations. In Proc. 2nd ACM Conference on Principles of Programming Languages, 1975. [22] G. Gratzer. General Lattice Theory. Birkhauser Verlag, Basel, 1978. [23] D. Gries. The Science of Programming. Springer{Verlag, New York, 1981. [24] P. Guerreiro. Another characterization of weakest preconditions. In Lecture Notes in Computer Science 137. Springer{Verlag, 1982. [25] W. Hesselink. An algebraic calculus of commands. Report CS 8808, Department of Mathematics and Computer Science, University of Groningen, 1988. [26] W. Hesselink. Command algebras, recursion and program transformation. Report CS 8812, Department of Mathematics and Computer Science, University of Groningen, 1988. [27] C. Hoare. Proofs of correctness of data representation. Acta Informatica, 1(4):271{281, 1972. [28] C.A.R. Hoare, A. R. J. He, C.C. Morgan, J. S. J.W. Sanders, I.H. Sorensen, and A. Sufrin. Laws of programming. Commun. ACM, 30(8):672{686, August 1987. [29] C. Morgan. Data re nement by miracles. Information Processing Letters, 26:243{246, January 1988. 26

[30] C. Morgan. The speci cation statement. ACM Transactions on Programming Languages and Systems, 10(3):403{419, July 1988. [31] C. Morgan. Types and invariants in the re nement calculus. In Mathematics of Program Construction, volume 375 of Lecture Notes in Computer Science, Groningen, The Netherlands, June 1989. Springer{Verlag. [32] C. Morgan. Programming from Speci cations. Prentice-Hall, 1990. [33] C. C. Morgan and P. Gardiner. Data re nement by calculation. Technical report, Programming Research Group, Oxford University, 1988. [34] J. Morris. A theoretical basis for stepwise re nement and the programming calculus. Science of Computer Programming, 9:287{306, 1987. [35] J. Morris. Laws of data re nement. Acta Informatica, 26:287{308, 1989. [36] G. Nelson. A generalization of Dijkstra's calculus. Tech. Rep 16, Digital Systems Research Center, Palo Alto, Calif., April 1987. [37] N. Wirth. Program development by stepwise re nement. Commun. ACM, 14:221{227, 1971.

27