Isomorphisms between Predicate and State ... - Semantic Scholar

Isomorphisms between Predicate and State Transformers Marcello Bonsangue

CWI P.O. Box 4079, 1009 AB Amsterdam, The Netherlands [email protected] Joost N. Kok

Department of Computer Science, Utrecht University P.O. Box 80.089, 3508 TB Utrecht, The Netherlands [email protected]

Abstract We study the relation between state transformers based on directed complete partial orders and predicate transformers. Concepts like `predicate', `liveness', `safety' and `predicate transformers' are formulated in a topological setting. We treat state transformers based on the Hoare, Smyth and Plotkin powerdomains and consider continuous, monotonic and unrestricted functions. We relate the transformers by isomorphisms thereby extending and completing earlier results and giving a complete picture of all the relationships. 1991 Mathematics Subject Classi cation: 68Q55, 68Q10, 68Q60, 06A06. 1991 CR Categories: D.3.1, F.1.2, F.3.1, F.3.2. Keywords and Phrases: Predicates, liveness, safety, predicate transformers, state transformers, weakest preconditions, re nement, Hoare power domain, Smyth power domain, Plotkin power domain. Note: The research of Marcello Bonsangue was supported by a grant of the Centro Nazionale delle Ricerche (CNR), Italy, announcement no. 203.15.3 of 15/2/90.

1

Contents 1 Introduction

2

2 Mathematical Preliminaries

3

3 Predicates and Predicate Transformers

5

4 State Transformers

9

5 Predicate Transformers and State Transformers

10

6 Adding deadlock as empty set

24

7 Fixed Point Transformation Technique

26

8 Conclusions and Future Work

28

5.1 Safety Predicate Transformers and Hoare State Transformers : : : : : : : : : : : 10 5.2 Liveness Predicate Transformers and Smyth State Transformers : : : : : : : : : : 15 5.3 Safety - Liveness Predicate Transformers and Plotkin State Transformers : : : : 19

1 Introduction In this paper we give a full picture of the relationship between state transformers and predicate transformers. For the state transformers we consider the Hoare, Smyth and Plotkin power domains. We give a full picture in the sense that we consider algebraic directed complete partial orders (with a bottom element) (and not only at domains), we consider not only continuous state transformers, but also the monotonic ones and the full function space, we do not restrict to bounded nondeterminism, and we treat all the three power domains with or without empty set. The rst item is important when we want to use domains for concurrency semantics. The second and third item give more freedom in the sense that we can use these transformations also for speci cation purposes without constraints on computability. Having the empty set in a power domain can be important to treat deadlock. Our treatment includes the Plotkin power domain. For state transformers we use an extension of the standard power domains. For predicate transformers we start from the (informal) classi cation of predicates in liveness and safety predicates of Lamport [Lam77]. Later Smyth [Smy83] followed by [AS85, Kwi91] used topology to formalize this classi cation. Also we use topology for de ning predicates and safety and liveness predicate transformers. We consider a new kind of predicate transformers with predicates that are the intersection of safety and liveness predicates. We prove that the Hoare state transformers are isomorphic to safety predicate transformers, that the Smyth state transformers are isomorphic to the liveness predicate transformers, and that the Plotkin state transformers are isomorphic to the \intersection" predicate transformers. So for the rst time we are able to give a full picture of all the relationships lling several gaps that were present in the literature. 2

Next we discuss how this paper is related to previous work. Power domains for dcpo's were introduced in [Plo76], [Smy78] and [Plo81]. Our power domains are slightly more general in the sense that we do no restrict to non-empty (Scott-) compact sets. Besides the standard ways of adding the empty set to the Smyth [Smy83] and to the Plotkin [MM79, Plo81, Abr91] power domains, we also add the empty set in all the three power domains as a separate element, comparable only with itself and with the bottom. Predicate transformers were introduced in [Dij76] with a series of healthness conditions. Back and von Wright [Bac80, vW90] use only the monotonicity restriction on predicate transformers. They use predicate transformers for re nement and provide a nice lattice theoretical framework. Nelson [Nel89] has (for the at case) used \compatible" pairs of predicate transformers for giving semantics to a language with backtracking. Smyth [Smy83] introduced predicate transformers (with the Dijkstra healthiness conditions) for non- at domains. Our de nition of predicate transformers is parametric with respect to the collection of predicates (observable, liveness and safety). Furthermore, a new (generalization) of the multiplicativity restriction is introduced and a generalization to the non- at case of \compatible" pairs of predicate transformers is given. Isomorphisms between state and predicate transformers have been given for the at case of the Smyth power domain in [Plo79] (and for countable nondeterminism in [AP86]), and for the at case of the Hoare power domain in [Plo81]. Also De Bakker and De Roever [Bak80, Roe76] studied (from a semantical point of view) for the at case the relation between state transformer and predicate transformer semantics. Moreover, for the at case of the Plotkin power domain we have proposed an isomorphism in [BK92]. For the general case of the compact Smyth power domain in the paper [Smy83] an isomorphism is given for continuous state transformers. He uses a topological technique which Plotkin later used in [Plo81] for the continuous Hoare state transformers. A recent work includes an operational point of view in Van Breugel [Bre93]. In the present paper we give some new isomorphisms for the Hoare and the Smyth power domains, showing also how the previous ones can be obtained as combinations of the new isomorphisms. Our de nition of multiplicativity for predicate transformers permits us to use a technique similar to that used for the at case. Furthermore we give isomorphisms for the Plotkin power domain. As far as we know no isomorphism was known for the non- at Plotkin power domain (as for example is remarked in [Plo81] and in [Smy83]).

2 Mathematical Preliminaries We introduce some basic notions on domain theory and topology. For a more detailed discussions on domain theory consult for example [Plo81], and for topology we refer to [Eng77]. A partial order on a set P is a re exive, transitive and antisymmetric relation in P P . Let P be orderedSby the partial order , x P and A a subset of P . De ne x = y y P x y and A = x x A . A set A is called upper-closed if A = A . A subset A of P is called an !-chain if there is a enumeration x0 ; x1; ::: of the elements of A such that xi xi +1 for every i N . A generalization of !-chain is a directed set; A P is said to be directed if it is non empty and every nite subset of A has an upper bound in A. P is a directed complete partially order set (dcpo) if Fthere exists a least element and every directed subset A of P has least F upper bound (lub) A in P . A directed set A is eventually constant if A A. A partially ordered set P has a least upper bound for every !-chain if and only if it contains all least upper bounds of all directed countable sets [SP82]. In this case P is called a !-complete partially ordered set (!-cpo). v

v

"

f

" j

2

2

"

g

f

j

2

"

v

2

?

2

3

^

v

g

F

An element b of a dcpo P is nite if for every directed set A P , b A implies b x for some x A. The set of all nite elements of P is denoted by BP and is called base. A dcpo P is algebraic if for every element x P the set b b BP b x is directed and has least upper bound x ; it is !-algebraic if it is algebraic and its base is denumerable. Let P ; Q be two partially ordered sets. A function f : P Q is monotone (denoted by f : P m Q ) if for all x ; y P with x P y we have f ( x ) f (y ). If P is a dcpo we say Q F F f is continuous (denoted by f : P c Q ) if f ( A) = f (A) for each directed set A P ; moreover f is stabilizing (denoted by f : P z Q ) if it is continuous and for every directed set A P , f (A) is an eventually constant directed set in Q . If f : P c Q is continuous then f is monotone. Given a set B Q , a continuous function f : P c Q is said B -algebraic (denoted by F f : P alg (B ) Q ) if for every directed set S P and for every q B such that q f ( S ) there exists an x S such that q f (x ). Clearly, a continuous and stabilizing function f : P z Q is B -algebraic for every B Q . Moreover we have the following:

v

v

2

2

f j

2

^

v

g

!

!

2

v

v

!

!

!

!

!

2

2

v

v

!

Lemma 2.1 Let P ; Q be two dcpo's such that Q is algebraic with base BQ . Then a function

f :P

!

Q is continuous if and only if f is BQ -algebraic.

A function f is strict (denoted by f : P s Q ) if f ( P ) = Q ; dually f is top preserving (denoted by f : P t Q ) if and only if f ( P ) = Q . If f is onto and monotone then it is also strict. We now introduce some basic topological notions. A topology O(X ) on a set X is a collection of subsets of X that is closed under nite intersections and arbitrary unions. Every topology O(X ) is ordered by subset inclusion and forms a complete lattice with bottom element the empty set and as top element X . The pair (X ; O(X )) is called topological space and the elements of O(X ) are the open sets of the space X . A base of a topology O(X ) on X is a subset B O(X ) such that every open set is the union of elements of B. The topologies on a set X form a complete lattice when ordered by inclusion, with bottom element the trivial topology Ot (X ) = ; X and top the discrete topology Od (X ) = (X ). A set S X is dense if and only if X S contains no non-empty open sets. A G -set is a countable ( nite or in nite) intersection of open sets. Given a partially ordered set X , its Alexandro topology OAl (X ) consists of all the upper-closed subsets of X . If X is a dcpo, a ner topology of X is the Scott topology OF Sc (X ), where o OSc (X ) if and only if o is upper-closed and for any directed set S X if S o then S o= . Let A be a collection T of subsets of X ; the closure under arbitrary intersection of A is denoted by A\ = Q Q = A0 A0 A . We can describe a topology by its closed sets instead of its open sets. A subset of a set X is closed if and only if it is the complement of an open set of a given topology on X . The collection of closed sets of a topological space is denoted by C(X ) and, dually to the case of open sets, is closed under nite unions and arbitrary intersections. Closed sets are ordered by superset inclusion and form a complete lattice. For every A X there exists a closed set c and a dense set d such that A = c d . Given a partially ordered set P , the closed sets of the Alexandro topology are all the lower closed sets, while a set c P is closed with respect F to the Scott topology if c is lower closed and for every directed set S P if S c then S c . Let X be an algebraic dcpo and let O(X ) be a topology on X . A subset A X is compact in O(X ) if and only if for every collection of open sets oSi O(X ) with i I such that A SI oi there exists a nite subcollection oj such that A J oj . For example A X is compact in !

>

!

?

?

>

f;

P

n

2

\

6

2

;

f

j

^

g

\

2

2

4

2

g

Od (X ) if and only if it is a nite set. The intersection of a closed set and a compact set is compact. Sometimes we use a dierent characterization of compactness:

Lemma 2.2 Let X be a topological space with topology O(X ). A subset A X is compact in O(X ) if and only if for every directed set S O(X ) such that A S S there exists an s S

with A s.

2

O(X ) is a directed Sset, then A S S implies by the compactness that there exists a nite S 0 S such that A S 0 . But S is directed, thus there S 0 0 0 exists s S such that s s for every s S . Therefore A S 0 s. S S then there Let now A X and assume that for every directed set S O(X ) if A S C de ne exists an s S with A s . Then Sfor every cover C O(X ) such that A the set S (C ) = o O(X ) o = C 0 C 0 C . The set S (C ) is directed because if

Proof: If A X is compact and S

2

2

2

f

C

0

2

j

C

0

n

^

0

g

oC ; oC S (C ) with C 0 ; C 00 nite subsets of C then also C 0 C 00 is a nite subset of C , that is oC [C S (C ). Moreover, oC SoC [C Sand also oC oC [C , hence S (C ) is directed. We have also C SS (C ), hence A C S (C ). Thus S C^ .there exists s S (C ) such that A s2, say s = oC^ = C^ where C^ n C . Therefore A 0

00

0

00

2

[

2

0

00

00

0

00

2

3 Predicates and Predicate Transformers A predicate P is a function from a set X to the boolean set tt ; or, equivalently, is a subset of X . Topology provides an elegant way of selecting classes of predicates of programs ([Smy83], [Kwi91]) in which the open sets of a topological space X are the observable predicates, closed sets are the safety predicates and arbitrary intersections of open sets are the liveness predicates. In this paper we consider algebraic dcpo's together with the Scott topology. The Scott-open sets of a dcpo Y represent the observable predicates and are nitary in the sense that y o if and only if there exists a b BY such that b o and b y . In other words, a predicate P is nitary if we can test P holds for y by testing only the nite elements smaller than y . Notice that if P is !-algebraic then a predicate P is nitary if it can be tested to hold for y by testing only a nite number of elements smaller than y . The observable predicates are ordered by subset inclusion. The Scott-closed sets are the safety predicates and are ordered by superset inclusion. Liveness predicates are the arbitrary intersections of Scott-open sets (that is Alexandro open sets). The liveness predicates are ordered by subset inclusion. Consider as an example the set of sequences ( nite and in nite) over an alphabet ordered by the pre x ordering (for more examples see [Kwi91]). For each kind of predicate we give an example: f

g

2

2

2

v

Safety predicate: always a = x x = a x = a ! (Scott closed), Observable predicate: eventually a = xa x (Scott open), Observable predicate: start with x = x (Scott open), where x , T Liveness predicate: in nitely often a = n 2N ( x x x a = n ) (Alexandro open but not Scott open), Neither safety nor liveness predicate: always a but starting with x = always a start with x. f

j

_

f

g

j

2

g"

"

2

f

j

2

^j

j

g"

^

5

The safety and liveness predicates are introduced informally in [Lam77]. Smyth [Smy83, Smy92] introduces the topological view that closed sets represent safety predicates and the liveness predicates are intersections of open sets. Due to computability, Smyth uses closedness under countable intersection (such speci cations are known in topology as G sets: countable intersections of open sets) while we take arbitrary intersections of open sets as liveness predicates. In [Kwi91] liveness predicates are also G -sets. We dier from [AS85] where liveness predicates are the dense sets (the complement does not contain non-empty open sets). To provide some more intuition we show that taking dierent topologies corresponds to dierent restrictions on the function space:

Lemma 3.1 Let Bool = tt ; with tt. Then Od (X ) is isomorphic to the set of all the predicates from X to Bool, OAl (X ) is isomorphic to the set of all the monotone predicates from X to Bool and OSc (X ) is isomorphic to the set of all the continuous predicates from X to Bool. f

g

v

Now we come to the de nition of predicate transformers. Let P (Y ) be a collection of predicates on the space Y and let P (X ) be a collection of predicates on the space X . We de ne predicate transformers as the monotone functions from P (Y ) to P (X ). Given topologies on Y and X the collection of predicate transformers that map observable predicates to observable predicates is denoted by P (Y ) O P (X ) (Recall that an observable predicate is an open set in the topology.) All the predicate transformers in the sequel will be multiplicative in the following sense: !

De nition 3.2 A predicate transformer : P (Y )

!

P (X ) is called multiplicative, denoted by

: P (Y ) !M P (X ), if for all collections of predicates P ; Q P (Y ) we have

\

P

\

Q

)

\

p 2P

(p )

\

q 2Q

(q )

This de nition of multiplicativity is a generalization of the standard de nition of multiplicativity as is shown in the next lemma:

Lemma 3.3 Let : P (Y ) P (X ) be a predicate transformer and assume that P (Y ) is closed under arbitrary intersection, that is P (Y )\ = P (Y ). Then is multiplicative if and only if T T ( P ) = (p ) for every collection of predicates P P (Y ). !

p 2P

Proof:

T

T

T

T

) Let P ; Q P (Y ) such that P Q . Since ( R) = T r 2R (r )Tfor every R predicate and hence ( P ) ( Q ). But then TP (Y ),the T P ) transformer T Q ) = T is monotone, ( p ) = ( ( ( q ). p 2P q 2Q T T ) Let P TP (Y ) and q = P T P (Y ). Then byTmultiplicativity we have q = P implies (q ) = p 2P (p ). But then ( P ) = (q ) = p 2P (p ).

(

)

2

2

\ Even (Y ) we have for a multiplicative predicate transformer that for any T P 2ifPP(Y(Y) )for=6 a Pcollection T T of predicates P P (Y ) then ( P ) = p2P (p ). Hence our

notion of multiplicativity keeps all possible multiplicativity allowed by the collection of predicates P (Y ). Because the empty intersection of predicates in P (Y ) is the predicate Y , we have the following: 6

Lemma 3.4 Let : P (Y ) then is top preserving.

!

M

P (X ) be a multiplicative predicate transformer. If Y

Proof: Consider the collection T ofTpredicates P =

2

P (Y )

PT(Y ) and Q =T Y . Then by multiplicativity we obtain Y = P Q = Y implies X = p2P (p ) q 2Q (q ) = (Y ). But (Y ) X , thus (Y ) = X . 2 Given a predicate transformer : P (Y ) P (X ) its dual : P (Y ) P (X ) is given by (p ) = X (Y p ), for every p P (Y ) , where P (Y ) is de ned as the set Y p p P (Y ) . A predicate transformer is additive (denoted by : P (Y ) A P (X )) if and only if its dual is multiplicative. ;

f

g

!

n

n

!

2

f

n

j

2

g

!

De nition 3.5 A predicate transformer T : P (Y ) P (X ) is called intersection extensible, denoted by : P (YS) I P (X ), if p2P (p ) P (X ) for every collection of predicates P P (Y ). Dually, if (p ) P (Y ) for every collection of predicates P P (Y ) then is !

!

2

p 2P

2

called union extensible (denoted by : P (Y )

!

U

P (X )).

Intuitively, multiplicative predicate transformers : P (Y ) M P (X ) preserve the logical ` ' on predicates on Y , while the additive ones preserve the logical ` ' even if they are not in their domain. If is intersection (union) extensible then the logical ` ' (` ') of of an arbitrary collection of predicates on Y is always a predicate in P (X ). For multiplicative predicate transformers we prove the following stability lemma (a generalization of a lemma due to Plotkin [Plo79, AP86])in which the collections of predicates are not necessarily closed under arbitrary intersection: !

8

9

8

Lemma 3.6 Let : P (Y )

!

collections of predicates. Then x (^p ) 2

\

,

P (X ) be a multiplicative predicate transformer between two

M

p x (p )

f

j

2

9

g

p^

for every p^ P (Y ) and x X . 2

2

Proof: ) (

) If x (^p ) then p^ p x (p ) and hence T p x (p ) p^. ) Suppose T p x (p ) p^. Then by multiplicativity x Tx 2 p (p ) 2

2 f

x (^p ).

f

j

2

j

2

g

f

j

2

g

g

2

( )

(^p ), that is

2

2

Next we de ne a restricted version of the Cartesian product on multiplicative predicate transformers by requiring multiplicativity on the intersection.

De nition 3.7 Let P (Y ), P (Y ) be two collections of predicates on Y and Q (X ); Q (X ) be 1

2

two collections of predicates on X . De ne (P1 (Y )

(; )

f

j

8

M

Q1(X ))(P2 (Y ) \

1

!

M

T T Q T P0 T Q0 P1 (Y T ); Q ; Q 0 P2 (TY ) : P 0 T 0 p 2P (p ) q 2Q (q ) p 2P (p ) q 2Q (q ) :

PT; P 0

)

!

\

\

0

7

0

\

0

\

0

g

2

Q2(X )) as

Tuples are ordered pointwise.

For these pairs of multiplicative predicate transformers we have a new stability lemma:

Lemma 3.8 Let (; ) : (P1 (Y ) M Q1 (X ))(P2 (Y ) p^ P1 (Y ), and q^ P2(Y ) we have: !

2

\

!

Q2 (X )). Then for every x

M

2

X,

2

1. x (^p ) 2

,

2. x (^q )

,

2

T px T px f

j

2

(p )g \

f

j

2

(p )g \

T qx T qx f j

2

(q )g p^;

f j

2

(q )g q^:

Proof: 1.

)

(

) If x (^p ) then p^

\

2

j

2

) Suppose

\

g\

T px f

j

2

j

2

2

\

x 2(p )

!

(p ) \

2

M

g

q x (q )

f j

\

g\

2

j

2

(p )g \

p x (p )

f

But (; ) (P1(X ) x

\

p x (p )

f

p x (p ) and hence

2 f

g

T qx f j

2

q x (q )

f j

2

\

x 2(p )

j

2

g

p^:

(q )g p^ , then

g

p^

Q1(Y ))(P2(X )

\

p x (p )

f

\

\

\

!

(p ) (^p ) \

M

\

q x (q ) :

f j

2

g

Q2 (Y )), thus we have

x 2(p )

(p );

that is x (^p ). 2. Similar. 2

2

Now we come to the de nition of safety and liveness predicate transformers used in this paper. Recall that we de ned safety predicates as closed sets and liveness predicates as àrbitrary intersections of open sets.

De nition 3.9 Let X and Y be algebraic dcpo's. The safety predicate transformers are func-

tions in

CSc (Y )

!

M

C(X )

for some collection of closed sets C(X ) on X . They are ordered pointwise by superset inclusion. The liveness predicate transformers are functions in

OSc (Y )\

OM

!

O(X )\

for some topology O(X ) on X . They are ordered pointwise by subset inclusion.

8

Note that the domain of predicate transformers consists of the safety or the liveness predicates associated with the Scott topology. In the codomain we allow more freedom in the sense that we can choose the topology. As we will see later, taking dierent topologies corresponds to describing dierent classes of state transformers. We can de ne liveness and safety predicate transformers also in terms of observable predicate transformers due to the following isomorphism:

Theorem 3.10 Let X and Y be algebraic dcpo's. The following order isomorphisms hold: O(X )\) = (OSc (Y ) M O(X )), 2. (CSc (Y ) M C(X )) = (OSc (Y ) A O(X )).

1. (OSc (Y )\

OM

!

!

!

!

4 State Transformers In this section we give generalizations of the three \classical" power domains on !-algebraic dcpo's, the so-called Hoare, Smyth and Plotkin power domains ([Plo76], [Smy78] and [Plo81]). and on these power domains we base our state transformers. We need the following two closure operators for the de nition of the power domains. Let A be a subset of an algebraic dcpo X : 1. A = x b BX : b x xb A : b xb , 2. A = x ( x 0 A : x 0 x ) ( b BX : b x f

j8

f

2

j 9

v

2

) 9

v

2

^

8

v

g

2

v

xb A : b

) 9

2

v

xb ) . g

For every A X we have A = A if and only if A CSc (X ). Hence A A and A = A. The intersection of an upper closed set with a Scott closed set is -closed. Further A A , (A ) = A , and A = A if and only if A = A A. This means that if A is -closed then (A A) = A and (A A) = A. We characterize the pairs of sets (A; B ) such that (B A) = B and (B A) = A (this implies clearly that A is Scott-closed and B is upper closed):

2

" \

" \

"

"

" \

\

"

\

Lemma 4.1 Let X be an algebraic dcpo and A; B X .

1. If A B then (B

2. if A B then (B

A) = A,

" \

" \

A) = B , "

"

3. (B A) = A and (B A) = B if and only if there exists C C = A. \

\

"

X such that C = B and "

Proof: 1. Let A B X . Since (B A) A then (B A) A. On the other hand, A B implies A B and since A A we obtain A (B A), which implies A (B A). Therefore (B A) = A. 2. Suppose now A B . Since (B A) B then (B A) B . Moreover B A implies B A and since B B we obtain B (B A), that implies B (B A) . Therefore (B A) = B .

" \

"

" \

" \

" \

" \

" \

"

"

"

" \

" \

"

9

"

"

"

" \

"

" \

3. If (B A) = B and (B A) = A then take C = B A. For the other direction, if there exists C X such that C = B and C = A then - by item 1 - (B A) = (C C ) = C = A and also - by item 2 - (B A) = (C C ) = C = B . \

"

\

\

\

"

\

"

" \

"

" \

"

2

Next we de ne the (generalizations of the) power domains:

De nition 4.2 Let X be an algebraic dcpo. De ne

the Hoare power domain (X ) = A A X A H B if A B, the Smyth power domain (X ) = A A X A S B if A B, the Plotkin power domain (X ) = A A X A P B if A S B and A H B. v

v

H

hf

j

^

A=A ;

S

hf

j

^

A=A ;

g v

H i,

where

S i,

where

"g v

P

v

"v

"

hf

j

^

A = A ;

g v

P i,

where

v

When we consider only bounded nondeterminism then we can restrict the power domains by considering only the compact sets in the Scott topology (denoted by the subscript co ). Every Scott closed set of a dcpo contains the bottom, hence it is compact in the Scott topology. This implies co (X ) = (X ). The standard de nitions of the Hoare, Smyth and Plotkin power domains are + (X ); co+ (X ) and co+ (X ), where the superscript + states that the power domains should be taken without the empty set. For an algebraic dcpo X , the Hoare power domain is a complete lattice. Furthermore it is also an algebraic dcpo with nite elements the Scott closure of nite subsets of BX [Plo81]. Also the Smyth power domain is a complete lattice, but in general it is not an algebraic dcpo. However its restriction co (X ) is an algebraic dcpo with nite elements the upper closures of nite subsets of BX [Plo81, Smy78, Smy83]. In general, the Plotkin power domain is neither a complete lattice nor a (pointed) dcpo (there is no bottom element because the empty set is related only with itself and is less than any other set dierent from the empty set). However if X is an + ! -algebraic dcpo then co (X ) is also an !-algebraic dcpo with nite elements the -closures of nite subsets of BX (cf. [Plo76], [Plo81]). For a treatment of more general algebraic dcpo's we refer to [Hrb87] and [Hrb89]. H

H

H

S

P

S

f?g

P

De nition 4.3 Let X ; Y be two algebraic dcpo's. De ne the Hoare state transformers as func-

tions (ordered pointwise) in X (Y ), the Smyth state transformers as functions (ordered pointwise) in X (Y ) and the Plotkin state transformers as functions (ordered pointwise) in X (Y ). ! H

! S

! P

5 Predicate Transformers and State Transformers In this section we will show some isomorphisms between the Predicate Transformers and State Transformers de ned in the previous sections.

5.1 Safety Predicate Transformers and Hoare State Transformers The following theorem shows the relation between safety predicate transformers and state transformers based on the Hoare power domain (the Hoare state transformers): 10

Theorem 5.1 Let X and Y be two algebraic dcpo's. We have the following order-isomorphisms between the partial orders: (Y ) = CSc (Y ) + (Y ) = CSc (Y ) (Y ) = CSc (Y ) (Y ) = CSc (Y ) (Y ) = CSc (Y )

1. X

! H

2. X

! H

3. X

!

m

4. X

!

c

H

5. X

!

z

H

!

H

!

!

!

Cd (X ); sM Cd (X ); M CAl (X ); M CSc (X ); UM CSc (X ):

M

!

In all cases the isomorphism is given by the function :

(m )(c ) = fx jm (x ) c g:

The function can be seen T as a generalization of the weakest liberal precondition. Its inverse is given by ?1 ()(x ) = c x (c ) . Because the isomorphism is the same for every case we can combine dierent cases of the theorem to obtain more isomorphisms. For example by combining 2. and 4. we get as a corollary the result of [Plo81]: f j

X

!

c

H

+

2

(Y ) = CSc (Y )

!

sM

g

CSc (X )):

Next we prove Theorem 5.1. We split the theorem in the ve lemma's corresponding to the ve parts of the theorem. For each part we also give some intuition.

Lemma 5.2 Let X and Y be two algebraic dcpo's. Then X

! H

(Y ) = CSc (Y )

!

Cd (X ):

M

Proof: We start by proving that for every m X (Y ) the function (m ) is multiplicative: T T Q . If x T (m )(p ) then for every p P , Let P ; Q CSc (Y ) such that P p 2P T P T Q . Thus x (m )(p ), and hence m (x ) p , for everyT p P . Hence m (x ) T every q Q , that is x q 2Q (m )(q ). Therefore p 2P (m )(p ) Tm (x ) (mq)(, qfor ). 2

2

! H

2

2

2

2

2

2

q 2Q

Now we show that both the functions and ?1 are monotone: Let m1 H m2, that is m1(x ) m2(x ) for every x X . Thus, for every c x (m2 )(c ) then m1 (x ) m2 (x ) c . Therefore for every c CSc (Y ) v

2

2

2

CSc (Y ) if

2

(m2 )(c ) = fx jm2 (x ) c g fx jm1 (x ) c g = (m1 )(c ):

Let now 1; 2 CSc (Y ) M Cd (X ) be such that 1 (c ) 2(c ) for every c Then c x 1(c ) c x 2(c ) for every x X . Therefore 2

f j

2

!

g f j

?1 (1 )(x ) =

\

2

g

c x 1(c )

f j

2

g

\

2

c x 2(c ) = ?1 (2)(x );

f j

11

2

g

2

CSc (Y ).

that is ?1 (1)

H ?1 (2 ).

v

Finally we prove and ?1 are each other inverses.

( ?

1

= id(X !H(Y )) )

Let m X 2

! H

(Y ) and x X . Then 2

?1 ( (m ))(x )

= de nition ?1 f

\

c x ( (m ))(c )

f j

2

= de nition f

\

g

g

g

c m (x ) c

f j

= m (x ) f

2 H

g

(Y ) CSc (Y )

g

m (x ):

(

?1 = id(CSc (Y )!M Cd (X )) ) Let 2 CSc (Y ) !M Cd (X ) and ^c 2 CSc (Y ). Then

( ?1 ())(^c )

= de nition f

g

x ?1 ()(x ) ^c

f

j

= de nition ?1 f

x

f

j

\

g

g

c x (c )

f j

2

g

= stability lemma 3.6 f

^c

g

g

x x (^c )

f

j

2

g

= (^c ):

2

We can consider this isomorphism as a starting point for nding the other isomorphisms by considering various restrictions on the left and the right hand sides. We start with the restriction of \excluded miracles", that is, predicate transformers such that ( ) = . This restriction translates to the Hoare state transformers to consider the Hoare power domain without the empty set: ;

12

;


! H

+

(Y ) = CSc (Y )

Proof: Let m X

!

sM

Cd (X ):

(Y ). Then (m )( ) = x m (x ) = because m (x ) = for every x X . Hence (m ) is strict. T Consider now CSc (Y ) sM Cd (X ) and assume ?1 ()(x ) = c x (c ) = . Then we get following contradiction: 2

! H

+

;

f

j

;g

;

6

;

2

2

x

2

\

x 2(c )

!

f j

2

g

;

(c ) = (;) = ;:

Therefore ?1 ()(x ) + (Y ) for every x X . 2 If we consider Hoare state transformers that are monotonic, then the safety predicate transformers have Alexandro closed sets as codomain. Notice that in this case the safety predicate transformers are union extensible. 2 H

2


!

m

H

(Y ) = CSc (Y )

Proof: Let m X

!

M

CAl (X ):

m (Y ) and x2 (m )(c ) for x2 X and c CSc (Y ). If x1 X is such that x1 x2, then m (x1) H m (x2), that is, m (x1) m (x2) c . Therefore x1 (m )(c ). Therefore (m )(c ) is lower closed and hence (m )(c ) CAl (X ). Let now CSc (Y ) M CAl (X ) and x1 x2 for x1; x2 X and x2 (c ). Then x1 x2 (c ) CAl (X ). Thus c x2 (c ) c x1 (c ) and hence 2

!

H

v

2

2

v

2

2

2

2

2

!

2

?1 ()(x2 ) =

\

v

f j

2

cx

f j 2 2

g f j

(c )g

\

2

2

cx

2

2

#

g

f j 1 2

(c )g = ?1 ()(x1 );

that is, ?1 ()(x1) H ?1 ()(x2). Therefore ?1 () is monotone. 2 Restricting the Hoare state transformers to continuous functions corresponds to the safety predicate transformers having Scott closed sets as codomain. Since Scott closed set are not closed under arbitrary union, the safety predicate transformers are in general not union extensible. v


!

c

H

(Y ) = CSc (Y )

!

M

CSc (X ):

Proof: Let m X c (Y ). If m is continuous then it is also monotone, thus (m )(c ) CAl (X ) for every c CSc (Y ), and hence is lower closed. Let now S X be a directed set and xi (m )(c ) for every xi S . Then m (xi ) c for every xi S and hence S suppose m (x ) c . Therefore, applying the Scott closure operator we obtain: 2

!

H

2

2

2

xi 2S

i

[ xi 2S

2

m (xi ) =

G xi 2S

G

m (xi ) = m ( S ) c

13

2

F

because m is continuous, (:) is monotone and c CSc (Y ). Thus S (m )(c ) and hence

(m )(c ) CSc (X ). Let now CSc (Y ) M CSc (X ). We have to prove ?1 () continuous. Since (c ) CSc (X ) CAl (X ) we have ?1 () monotone. Thus 2

2

2

2

G

!

2

G

?1 ()(xi ) vH ?1 ()( S );

xi 2S

for every directed set S X . SinceT arbitrary intersection of closed sets is closed, appling the stability lemma 3.6 we have xi ( c xi (c ) ) = ( ?1 ()(xi )) for every xi S . But

?1 ()(xi )

2

[

xi 2S

f j

?1 ()(xi )

[

xi 2S

2

g

?1 ()(xi ) =

G

xi 2S

2

?1 ()(xi ) 2 CSc (Y );

and thus, because is multiplicative, and hence monotone, we have xi ( ?1()(xi )) ( 2

G

xi 2S

?1 ()(xi ));

for every xi S . Since (c ) CSc (X ) for every c CSc (Y ), we obtain 2

xi S : xi (

8

2

2

G

xi 2S

2

?1 ()(xi ))

G

)

2

S ( 2

G

xi 2S

?1 ()(xi )):

Thus, by another application of the stability lemma 3.6 we obtain

G

?1 ()( S ) =

F

\ G c

f j

S (c ) 2

g

F

G

xi 2S

?1 ()(xi );

F

F

that is ?1 ()( S ) H xi 2S ?1 ()(xi ). Therefore xi 2S ?1 ()(xi ) = ?1 ()( S ). 2 Union extensible safety predicate transformers correspond to continuous and stabilizing Hoare state transformers. This is a severe restriction because for example the identity predicate transformers (c ) = c for every c CSc (Y ) is not union extensible (Scott closed sets need not to be closed under arbitrary union). One can say that in this respect the monotone (or unrestricted) Hoare state transformers behave better than the continuous Hoare state transformers. v

2

Lemma 5.6 Let X and Y be two algebraic dcpo's. Then X z (Y ) = CSc (Y ) UM CSc (X ): Proof: Let m X z (Y ). Since m is continuous,Sand hence monotone, (m )(c ) CAl (Y ) for every c CSc (Y ). Thus for every P CSc (Y ), p2P (m )(p ) CAl (Y ) because S C(mAl)((Yp ).) is closed under arbitrary union. Let S X be a directed set and assume S !

H

2

!

!

H

2

2

2

2

p 2P

Then for every F x S there existsF px P such that x (m )(px ), that is, m (Fx ) px . But m stabilizes, thus F x 2S m (xS) = m ( S ) = m (^x ) for S some x^ S . Therefore also x 2S m (x ) px^ , and hence x 2S m (x ) p2P (m )(p ), that is p2P (m )(p ) CSc (X ). Let now CSc (Y ) UM CSc (X ). We have to prove ?1 () is continuous and stabilizing. Continuity is clear because CSc (Y ) M CSc (X ). Let now S X be a directed set. Since ?1 ()(x ) CScS(Y ), we have by stability lemmaS 3.6 that x ( ?1 ()(x )). Hence, ?1 ?1 for every x S , x x 2S ( (F)(x )).SFurthermore, x 2S ( ()(x )) CSc (X ) because ? 1 extensible, and hence S x 2S ( ()(x )) as it is Scott closed. This means F Sis union ? 1 ( ()(xk )) for some xk S , and applying the stability lemma 3.6 we obtain 2

2

2

2

2

2

!

2

!

2

2

2

2

2

2

2

2

2

14

G

?1 ()( S ) =

\ G c

f j

S (c ) 2

g

?1 ()(xk );

F F that is ?1 ()( SF) H ?1 ()(xk ). But ?1 () monotone implies ?1 ()(xk ) H ?1 ()( S ). Therefore ?1 ()( S ) = ?1 ()(xk ), that is ?1 () is continuous and stabilizing. 2 v

v

5.2 Liveness Predicate Transformers and Smyth State Transformers Now we relate liveness predicate transformers and Smyth state transformers:

Theorem 5.7 Let X and Y be two algebraic dcpo's. We have the following isomorphisms between the partial orders: 1. 2. 3. 4. 5. 6.

X X X X X X

(Y ) = OSc (Y ) M Od (X ), + (Y ) = OSc (Y ) sM Od (X ), co (Y ) = OSc (Y ) cM Od (X ), m (Y ) = OSc (Y ) M OAl (X ), alg ( ) (Y ) = OSc (Y ) M OSc (X ), where = B B z (Y ) = OSc (Y ) IM OSc (X ).

! S

! S

! !

!

! S !

!

!

S

!

S

!

S

f

" j

BY , g

!

In all cases the isomorphism is given by the function !: ! (m )(o ) = fx jm (x ) o g

The function T! is a generalization of the weakest precondition and its inverse is given by o x (o ) . We can combine 2., 3. and 5. to obtain the result of [Smy83], because co (Y ) is an algebraic dcpo with nite elements the upper closures of the nite subsets of BY , thus every continuous function from X to co (Y ) is also -algebraic. We start by proving the rst item:

! ?1 ( )(x ) =

f

j

2

g

S

S


! S

(Y ) = OSc (Y )

!

M

Od (X ):

Proof: First we prove that for every m X (Y ) function !(m ) is multiplicative: T T Q . If x T !(m )(p ) then for every p P , Let P ; Q OSc (Y ) such that P p 2P T P T Q . Thus x !(m )(p ), and hence m (x ) p , for everyT p P . Hence m (x ) T !(m )(p ) m ( x ) q , for every q Q , that is x ! ( m )( q ). Therefore q 2 Q p 2P T !(m )(q ). 2

2

! S

2

2

2

2

2

2

q 2Q

Next we show that both ! and !?1 are monotone: Let m1; m2 X (Y ) be such that m1 S m2, that is m1(x ) m2(x ) for every x X . Thus, for every o OSc (Y ) if x !(m1)(o ) then m2(x ) m1(x ) o . Therefore for every o OSc (Y ) 2

! S 2

v

2

2

15

2

! (m1 )(o ) = fx jm1 (x ) o g fx jm2 (x ) o g = ! (m2 )(o );

Let 1 ; 2 OSc (Y ) M Od (X ) be such that 1(o ) 2(o ) for every o OSc (Y ). Then o x 1(o ) o x 2(o ) for every x X . Therefore 2

f

j

!

2

g f

j

that is !?1(1)

v

2

\

! ?1 (1 )(x ) =

g

o x 1(o )

f

j

2

g

\

2

2

o x 2(o ) = !?1 (2)(x );

f

j

2

g

! ?1 (2 ).

S

Notice that for every OSc (Y ) M Od (X ) and for every x TX the function !?1()(x ) (Y ). Indeed, Let y1 Y y2 Y with y1 !?1()(x ). Then y1 o x (o ) and hence for every o OSc (Y ) if x ( o ) then y o . But o O ( Y ), thus if y1 o then y2 y1 o . 1 Sc T ? 1 Therefore y2 o x (o ) = ! ()(x ) and hence, being upper closed, !?1()(x ) (Y ). Next we prove ! and !?1 are inverses of each other: 2

S

!

v

2

1

2

2

2

(!?

2

2

f

j

2

2

2

2

f

j

2

2

g

2

2

g

"

2 S

! = id(X !S (Y )) ))

Let m X 2

! S

(Y ). Then

! ?1 (! (m ))(x )

= de nition of !?1 f

\

o x (!(m ))(o )

f

j

2

g

= de nition of ! f

\

g

g

o m (x ) o

f

j

T

g

T

Clearly m (x ) o m (x ) o , thus it remains to prove o m (x ) o mT(x ). But m (x ) is an upper closed set of Y , thus m (x ) OAl (Y ) = OSc (Y )\, say m (x ) = I oi with oi OSc (Y ). THence, for every oi , that means oTi i I o m (x ) o . T oi m (Ix,) m (ox ). Therefore Thus m (x ) = oi I m (x ) = o m (x ) o . (! !?1 = id(OSc (Y )!M Od (X )) )) Let OSc (Y ) M Od (X ). Then

f

j

g

f

j

g

2

2

2

f

j 2

g

f

j

g

2

!

! (! ?1 ( ))(ô )

= de nition of ! f

g

x !?1()(x ) o^

f

j

= de nition of !?1 f

x

f

j

\

g

g

o x (o )

f

j

2

g


o^

g

g

x x (ô )

f

j

2

g

16

f

j

f

2 j

g f

j

g

g

= (ô ):

2

Again we consider this isomorphism the basic building block for the other isomorphisms by considering restrictions on the left and the right hand sides. First we consider liveness predicate transformers that satisfy the 'excluded miracles law'.

Lemma 5.9 Let X and Y be two algebraic dcpo's. Then X (Y ) = OSc (Y ) sM Od (X ): ! S

+

Proof: Let m X Let now OSc (Y )

!

(Y ). Then !(m )( ) = x m (x ) = , and hence !(m ) is strict. T sM Od (X ) and assume ! ?1 ( )(x ) = o x (o ) = for some x X . Then we get following contradiction: 2

! S

2

x

2

\

x 2(o )

+

;

f

j

;g

!

f

;

j

2

g

;

2

(o ) = (;) = ;:

2

The Smyth 'compact' state transformers corresponds to continuous and multiplicative liveness predicate transformers:

Lemma 5.10 Let X and Y be two algebraic dcpo's. Then X co (Y ) = OSc (Y ) cM Od (X ):

! S

Proof: Let m X

!

co (Y ) and let S OSc (Y ) be a directed set. Since ! (m ) is multiplicative, it is also monotone, and hence we have 2

[

o 2S

! S

[

! (m )(o ) ! (m )( S ):

S

S

Consider x !(m )( S ), that is m (x ) S S . As m (x ) is compact in OSc (Y ) there exists a nite subset S 0 S such that m (x ) S 0 . But S is directed, thus for every nite S 0 S S there exists o 2S ! (m )(o ). Therefore S anS upper bound o S . Hence m (x ) o and x ! (m )( S ) = o 2S ! (m )(o ). Let now OSc (Y ) cM Od (X ). We have to prove !?1 ()(x ) compact in OSc (YS) for every xT X . Let S OSc (Y ) be Sa directed set Sand x X . Assume !?1()(x ) S . Then o SOSc (Y ) x (o ) S and since S S O SSc (Y ), by stability lemma 3.6 we have x ( S ). But is continuous, hence x ( S ) = s 2S (s ), that is, there exists ^s S such that x (^s ). Again by stability lemma 3.6 we obtain 2

2

2

2

2

!

2

f

j

2

2

g

2

2

2

2

! ?1 ( )(x ) =

\

2

o OSc (Y ) x (o )

f

2

j

2

g

^s :

Therefore, by lemma 2.2 !?1 ()(x ) is Scott compact. 2 If we consider monotonic Smyth state transformers, then the liveness predicate transformers have Alexandro open sets as codomain. Moreover these predicate transformers are intersection extensible. 17


!

m

S

(Y ) = OSc (Y )

Proof: Let m X

!

OAl (X ):

M

(Y ) and x1; x2 X be such that x1 !(m )(o ) and x1 x2. Then m (x1) S m (x2), that is, m (x2) m (x1) o , thus x2 !(m )(o ). Therefore !(m )(o ) is upper-closed, and hence !(m )(o ) OAl (X ). Let now OSc (Y ) M OAl (X ) and x1; x2 X be such that x1 (o ) and x1 x2. Then x2 x1 (o ) OAl (X ). Thus o x1 (o ) o x2 (o ) and hence 2

!

m

S

2

v

2

v

2

2

2

2

!

"

2

! ?1 ( )(x1) =

\

2

f

j

2

o x1 (o )

f

j

2

g

\

2

g f

j

2

v

g

o x2 (o ) = !?1 ()(x2);

f

j

2

g

that is, !?1()(x1) S !?1 ()(x2). 2 When we consider liveness predicate transformers that are multiplicative and with Scott open sets as codomain, we obtain a subset of the continuous Smyth state transformers carrying a notion of -algebraicity. The collection of -algebraic functions need not to be a dcpo. v

Lemma 5.12 Let X and Y be two algebraic dcpo's and = B f

X

!

alg ( )

Proof: Let m

S

(Y ) = OSc (Y )

2

X

!

alg ( )

S

!

"2 S

(Y ) B j

BY . Then g

OSc (X ):

M

(Y ). Then it is continuous and hence also monotone. Thus

! (m )(o ) 2 OAl (XF) for every o 2 OSc (Y ), that is ! (m )(o ) is upperFclosed. Let now S X be a F directed set and S 2 !(m )(o ) for o 2 OSc (Y ). Then m ( S ) = x 2S m (x ) o because m is continuous. F ButFo 2 = fB " jB BY g and m is -algebraic, thus there exists an xk 2 S such that m ( S ) = x 2S m (x ) m (xk ) o , that is, xk 2 !(m )(o ). This proves !(m )(o ) 2 OSc (X ). Let now 2 OSc (Y ) !M OSc (X ), we have to prove that !?1() is -algebraic. Since (o ) 2 OSc (X ) OAl (X ) we have !?1 () monotone. Thus

G

x 2S

G ! ?1 ( )(x ) vS ! ?1 ( )( S );

for every directed set S

X . Consider y

x S ; o OSc (Y ) : x (o )

8

2

F

8

2

2

)

2

F

x 2S !

?1 ( )(x ) = T ! ?1 ( )(x ) then

y o: 2

But if S (o ) then there exists xk S such that xk (o ) because it is Scott open. Hence by above we have: 2

2

o OSc (Y ) :

8

2

T F

G

S (o ) 2

2

xk (o )

) 9

2

)

F

y o: 2

F

F

?1 Hence y o S F (o ) F = !?1 ()( S ), which means !?1 ()( S ) x 2S ! ( )(x ), or ? 1 ? 1 equivalently ! ()( S ) S x 2S ! ()(x ). It remains to prove that !?1 (F) is -algebraic. Let o 0 = OSc (Y ), let S X be a directed T F 0 ? 1 set and assume o S ! ()( S ). Then o S (o ) o 0 and since is multiplicative we obtain 2

f

j

2

g

v

2

v

f

j

18

2

g

G

\

S F (o ) (o 0 ): S 2(o ) 2

F

But (o 0 ) is Scott open, thus S (o 0) implies there exists xk stability lemma 3.6 we obtain the required result: ! ?1 ( )(xk ) =

\

2

o xk (o )

f

j

2

g

2

S such that xk

2

(o 0 ). By

o0:

2

Next we consider only predicate transformers that are intersection extensibles. They correspond to the continuous and stabilizing Smyth state transformers. This is a severe restriction because in general the identity predicate transformer (o ) = o for every o OSc (Y ) is not intersection extensible (the Scott open sets need not to be closed under arbitrary intersections). 2


!

z

S

(Y ) = OSc (Y )

Proof: Let m X

!

IM

OSc (X ):

(Y ). Since m is continuous and stabilizing, then it is also -algebraic with = B (Y ) B BY . Hence !(m )(o ) OSc (X ) for every o OSc (Y ). Thus for every P OScT(Y ), and for every o P , !(m )(o ) OSc (X ), that is !(m )(o ) is upper closed. o ) is upper closed. Let now S X be a directed set such that o 2P ! (m )(F F S THence!(also F m ( S ) = x 2S m (x ) o for every o P because m is continuous. F o2Pm (xm) )(oT). Then Thus o , m is also stabilizing, hence there exists x^ S such that F mx(x2S) = m (^x ) oT2P oand,osince for every x 2S o 2P T T o P . Therefore x^ !(m )(o ) for every o P , and hence x^ o2P !(m )(o ). This proves o2P !(m )(o ) OSc (X ). Let now OSc (Y ) IM OSc (X ). We have to prove that !?1 () is continuous and stabilizing. Since (o ) OSc (Y ) M OSc (X ) we have !?1 () -algebraic, and hence continuous. Thus 2

f

!

cs

"2 S

S

j

g

2

2

2

2

2

2

2

2

2

2

2

2

G

2

2

!

2

!

G

! ?1 ( )(x ) = ! ?1 ( )( S );

x 2S

for every directed set S X . It remains to proveFthat !T?1 () stabilizes for every directed set F S 2(o) (o ) OSc (X ). Hence there S X . Since is intersection extensible, we have S T F S 2(o) (o ). Hence xk (o ) for every o OSc (Y ) such that xk S such that xk Fexists T S (o ), and by stability lemma 3.6 we obtain o xk (o ) o . Thus

2

2

2

\

o xk (o )

f

j

2

2

2

2

g

\

F S 2 o

o=

\ G o

f

j

f

j

2

2

g

S (o ) ; 2

g

( )

F

that is, !?1()( S ) S !?1F()(xk ) for some xk S . But !?1 ()Fis monotone, and xk thus !?1 ()(xk ) S !?1()( S ) and hence !?1()(xk ) = !?1 ()( S ). v

2

v

v

F S,

2

5.3 Safety - Liveness Predicate Transformers and Plotkin State Transformers Finally we relate the Plotkin state transformers with pairs of safety and liveness predicate transformers: 19

Theorem 5.14 Let X and Y be two algebraic dcpo's. We have the following isomorphisms between partial orders: 1. 2. 3. 4. 5. 6.

X X X X X X

(Y ) = (OSc (Y ) M Od (X ))(CSc (Y ) M Cd (X )) + (Y ) = (OSc (Y ) sM Od (X ))(CSc (Y ) sM Cd (X )); co (Y ) = (OSc (Y ) cM Od (X ))(CSc (Y ) M Cd (X )); m (Y ) = (OSc (Y ) M OAl (X ))(CSc (Y ) M CAl (X )); c co (Y ) = (OSc (Y ) cM OSc (X ))(CSc (Y ) M CSc (X )); z (Y ) = (OSc (Y ) IM OSc (X ))(CSc (Y ) UM CSc (X )):

! P

! P

! P ! ! !

!

P

\

!

!

\

!

!

\

!

!

P

!

!

P

\

\

!

!

\

!

In all cases the isomorphism is given by the function : (m )(o ; c ) = (fx jm (x )" o g; fx jm (x ) c g)

T

T

The inverse of is given by ?1 ((; ))(x ) = o x (o ) c x (c ) . Notice that we have a restricted version of item 5. (dierent from item 5. of Theorem 5.7) because we consider only continuous state transformers and the compact version of the Plotkin power domain. In this case the state transformers are the B -algebraic functions with B = A A n BY . We could also treat the case without the restriction to compactness, but then we should introduce a new notion of algebraicity of functions depending on two sets. We start with an useful lemma: f

f

j

j

2

g \

f j

2

g

g

Lemma 5.15 For every A Y ; o OAl (Y ) and c CSc (Y ) we have

1. A o 2. A c "

, ,

2

2

A o, A c.

Proof: Trivial.

2

Next we prove the rst item of Theorem 5.14. The other items are combinations of Theorem 5.1 and Theorem 5.7 and are left to the reader.


! P

(Y ) = (OSc (Y )

!

M

Od (X ))(CSc (Y ) \

Proof: We begin by proving for every m : X

!

M

Cd (X )):

! P (Y ) that (m ) is well de ned. Indeed let 1 (m )(o ) = fx jm (x )" o g and 2 (m )(c ) = fx jm (x ) c g where o 2 OSc (Y ) and c 2 CSc (Y ). Then by Theorem 5.7 and Theorem 5.1 we have 1 (m ) 2 OSc (Y ) !M Od (X ) and also 2 (m ) : CSc (Y ) !TM Cd (XT ). Consider a Tcollection of predicates P ;TP 0 OSc (Y ) andTQ ; Q 0 CSc (Y ) T such P \ TQ P 0 \ Q 0 . We have to prove p2P 1(m )(p ) \ q 2Q 2 (m )(q ) T that 0 0 p 2P 1 (m )(p ) \ q 2Q 2 (m )(q ). 0

0

\

p 2P

0

1 (m )(p ) \

\

q 2Q

0

2 (m )(q )

20

= de nition of = (1 ; 2) f

\

p 2P

x m (x )

f

j

"

= calculation f

g

x m (x )

f

j

"

= calculation f

g

x m (x )

f

j

"

= Lemma 5.15 f

x m (x )

x m (x )

f

j

f

j

\

P

\

g \

q 2Q

P

\

j

m (x )

^

\

P P

x m (x )

f

f

j

j

x m (x )

g \ f

^

\

m (x )

\

Q

\

P

\

\

\

Q Q

Q

g

g

g

g

g

T P T Q T P0 T Q0 \ 0 \ 0 \

x m (x ) q

f

g

= f

\

p

g

g

Q

\

g

T P 0 T Q 0 T P 0 and T P 0 T Q 0 T Q 0 \ 0 \ 0 \

x m (x )

f

j

f

x m (x )

=

j

"

\ p 2P 0

P

= Lemma 5.15 f

\

j

j

\

P0

"

x m (x )

g \ f

p0

j

\

g\

q 2Q

0

0

= de nition of = (1 ; 2) f

\

p 2P 0

1 (m )(p 0 ) \ 0

\

q 2Q 0

Q

g

x m (x )

f

x m (x )

g \ f

\

g

Q0

g

x m (x ) q 0

f

j

g

g

0

g

2 (m )(q 0 ): 0

Next we prove the function is strictly monotone: Let m1; m2 X (Y ) be such that m1 P m2, that is m1(x ) m2 (x ) and m1(x ) m2(x ). Thus, for every o OSc (Y ) we have 2

v

"

"

1 (m1 )(o ) = fx jm1 (x )" o g fx jm2 (x )" o g = 1 (m2 )(o );

and for every c CSc (Y ) 2

21

! P 2

2 (m2 )(c ) = fx jm2 (x ) c g fx jm1 (x ) c g = 2 (m1 )(c );

that is (1 (m1); 2 (m1)) N (1 (m2); 2 (m2)). Suppose now m1 P m2. Then there exists an x X such that mT1(x ) m2(x ) or m1(x ) m2(x ). But m2(x ) CSc (Y ) and m1(x ) OAl (Y ), say m1(x ) = I oi with oi OSc (Y ) for every i I . Hence, either v

6v

2

2

"6

"2

6

"

"

2

2

2 (m2 )(m2 (x )) = fx jm2 (x ) m2 (x )g 6 fx jm1 (x ) m2 (x )g = 2 (m1 )(m2 (x ));

or, for some i I , 2

1 (m1 )(oi ) = fx jm1 (x )" oi g 6 fx jm2 (x )" oi g = 1 (m2 )(oi ):

Now we prove for every (; ) in OSc (Y ) M Od (X )(CSc (Y ) M Cd (X )) and for every x in X that the function ?1 ((; ))(x ) is an element of (Y ), that is we have to prove that ?1 ((; ))(x ) is -closed. By de nition of -closure we have !

\

!

P

?1 ((; ))(x ) ( ?1 ((; ))(x )):

Let y (?1 ((; ))(x )). Then by de nition 2

( y^ ?1 ((; ))(x ) : y^ y ) 9

2

v

^

( b BY : b 8

2

v

Y

yb ?1((; ))(x ) : b

) 9

2

v

yb ):

Using the de nition of ?1 ((; ))(x ) we obtain o OSc (Y ) : x (o )

8

2

2

y^ o ;

)

2

and also c CSc (Y ) : x (c )

8

2

2

"

2

that is y

2

2

T ox f

j

2

)

y o; 2

(o )g. Moreover b 0 v yb implies b 0 2 yb # c because c 2 CSc (Y ), hence

c CSc (Y ) : x (c )

8

2

2

o OSc (Y ) : x (o )

8

yb c :

o as o OSc (Y ) and hence

But y y^ 2

)

2

2

^

b

v

y

)

F

b c: 2

But Y is an algebraic dcpo, hence y = b b BY Fb Y y and all these nite elements are elements of c . Since c is Scott closed we obtain y = b b BY b Y y c . This means T y c x (c ) . Therefore f j

2

^

v

f j

2

f j

y

2

2

\

g

o x (o )

f

j

2

g\

\

g

2

^

c x (c ) = ?1 (x ):

f j

2

g

Finally we prove that ?1 is the left and right inverse of = (1 ; 2).

(?

1

= id(X !P (Y )) ))

Let m X 2

! P

(Y ). Then 22

v

g 2

?1 (1 (m ); 1 (m ))(x )

= de nition of ?1 f

\

o x (1 (m ))(o )

f

j

2

g\

= de nition of f

\

g

g

o m (x )

f

o

j

"

m (x )

m (x )

\

g \

\

c x (2 (m ))(c )

f j

2

c m (x ) c

f j

g

g

= " \

= because m (x ) is -closed f

g

m (x )

(

?1 = id(OSc (Y )!M Od (X ))\ (CSc (Y )!M Cd (X )) )) Let (; ) 2 (OSc (Y ) !M Od (X ))\(CSc (Y ) !M

Cd (X )). Then

( ?1 (; ))(ô ; c^)

= de nition of f

g

( x ?1(; )(x ) o^ ; x ?1(; )(x ) c^ ) f

j

= de nition of ?1 f

T

g f

j

g

g

T

( x (T o x (o ) T c x (c ) ) o^ ; x ( o x (o ) c x (c ) ) c^ ) f

f

j

j

f

f

j

j

= Lemma 5.15 f

T

2

g \

2

g \

f j

2

f j

2

g "

g

f

j

j

f

f

j

j

g

g

T

( x T o x (o ) T c x (c ) x o x (o ) c x (c ) f

g

2

g \

2

g \


f j

f j

2

2

o^ ; c^ )

g

g

g

g

g

( x x (ô ) ; x x (^c ) ) f

j

2

g f

j

2

g

= ((ô ); (^c )):

2

23

6 Adding deadlock as empty set In this section we discuss what should be done to introduce deadlock in state transformers and predicate transformers. Deadlock is represented by the empty set. First we show how to add the empty set to the power domains. These extended power domains can then be used in state transformers. The empty set is usually added to the Plotkin power domain by means of a smash-product [MM79],[Plo81] and also [Abr91]. The same is done [BK92] for the Smyth power domain in the at case. We have the following:

De nition 6.1 Let X be an algebraic dcpo. De ne 1. the Hoare-deadlock power domain (X ) = A A X A = A ; H , where A H B if (A = ) (A = B = ) (A = A H B ), 2. the Smyth-deadlock power domain (X ) = A A X A = A ; S , where A S B if (A = X ) (A = B = ) (B = A S B ). 3. the Plotkin-deadlock power domain (X ) = A A X A = A ; P , where A P B if (A = ) (A = B = ) (A = A P B ). H

v

f?g

_

hf

; )

;

S

v

_

hf

; )

;

_

f?g

_

^

6

;^

v

j

6

P

v

j

_

hf

; )

;

_

^

; ^ j

i

"g v

i

v

6

g v

^

;^

g v

i

v

We have that co (X ) coincides with the standard way of adding the empty set to the Plotkin power domain [MM79], [Plo81] and also [Abr91]. Next we turn to the predicate transformers. We modify the implication order both on safety and liveness predicate transformers to preserve deadlock states (states that are the image of the empty set). P

De nition 6.2 Let X and Y be algebraic dcpo's and let ; liveness predicate transformers. De ne 1

(1 ( ) 2( )) ;

;

^

LD

v

( o OSc (Y ) : o = Y 8

2

6

1

2 if )

(1 ( ) 2( )) ;

;

^

( c CSc (Y ) : c = 8

2

6

; )

OSc (Y )

!

M

O(X ) be two

1 (o ) n 1 (;) 2 (o ) n 2 (;)):

For every safety predicate transformers 1; 2 CSc (Y ) 2

2 2

!

M

C(X ), de ne

SD

1 v

2 if

1 (c ) 2 (c ) n 1 (;)):

The isomorphisms of the previous sections also hold if we substitute the deadlock versions for the the Hoare, Smyth and Plotkin power domains when we use the safety and liveness predicate transformers ordered with the new deadlock orders. First we show that the isomorphisms of Theorem 5.1 hold if we substitute (Y ) for (Y ) and replace the the superset order by the deadlock order for the safety predicate transformers. Since (Y ) and (Y ) dier only in the orderings, we need only to prove the following two lemmas: H

H

H

H

Lemma 6.3 Let m ; m 1

Proof: Let m

2 2

X

! H

(Y ). If m1 vH m2 then (m1 ) vSD (m2 ).

m2. If x (m1 )( ) then m1(x ) , that is m1(x ) = . But then also m2(x ) = and hence x (m2 )( ). If x (m2 )(c ) for some non-empty c CSc (Y ) but x (m1 )( ) then m1(x ) = and m2(x ) c . Thus either m1 (x ) = or m1(x ) m2(x ). In each case m1(x ) c because either c since every nonempty Scott closed set contains it, or m1(x ) m2(x ) c . Therefore x (m1)(c ). 2 H

1 v

;

62

2

;

2

;

6

;

;

2

;

2

;

f?g

?2

2

24

Lemma 6.4 Let ; 1

Proof: Let

CSc (Y )

2 2

2 and x

SD

1 v

!

M

C(X ). If

2 then ?1 (1 ) vH ?1 (2 ).

SD

1 v

X . Consider the following three cases:

2

1. If x 1( ) and x 2( ) then for every , c and x 2(c ) T Scott-closed set c =, that 1 ( ) 1 (c ). Hence ?1 (1 )(x ) = c x 1 (c ) = is ?1 (1)(x ) H

?1 (2 ). T 2. If x 1( ) then x 2( ) because 1 ( ) 2 ( ). Hence ?1 (1 )(x ) = c x 1 (c ) = T which implies also ?1 (2)(x ) = c x 2(c ) = , that is ?1 (1)(x ) H ?1 (2). 3. If x 1( ) and x 2( ), then for every Scott closed c = such x 2(c ) since x 1 ( ) we have x 2(c ) 1( ) 1(c ), that implies c x 1(c ) c x 2(c ) . Therefore ? 1

(1 )(x ) = , because otherwise by stability lemma 3.6 x 1 ( ) contradicting the hypothesis, and 62

;

;

2

;

6

2

;

2

;

;

f j

62

;

62

;

n

;

2 6

f j

2

;

2

g

?2

;

2

that is ?1 (1)(x )

v

c x 1(c )

f j

2

g

\

g

2

62

g f j

2

2

\

2

;

v

6

f j

n

v

;

;

?1 (1 )(x ) =

2

f j

g

;

f?g

;

g

;

c x 2(c ) = ?1 (2)(x );

f j

2

g

?1 (2 ).

H

2

Next we show that the isomorphisms of Theorem 5.7 hold if we substitute (Y ) for (Y ) and replace the subset order by the deadlock order for liveness predicate transformers. Since (Y ) and (Y ) dier only in their order, we again need only to prove the following two lemmas: S

S

S

S

Lemma 6.5 Let m ; m 1

2 2

X

! S

(Y ). If m1 vS m2 then ! (m1 ) vLD ! (m2 ).

Proof: Let m1 S m2 . If x !(m1)( ) then m1(x ) , that is m1(x ) = . But then also m2(x ) = and hence x !(m2)( ). If x !(m1)(o ) for some Y = o OSc (Y ), but x !(m1)( ) then m1(x ) = and m1(x ) o = Y . Since m1 S m2 the only possible case is m2(x ) = and m2(x ) m1 (x ) o . Therefore x !(m2)(o ) !(m2)( ). 2 v

2

;

62

;

6

6

;

Lemma 6.6 Let ; 1

;

;

;

Proof: Let

;

2

6

6

2

OSc (Y )

!

M

2

v

2 2

;

2

O(X ). If

n

LD

1 v

;

2 then ! ?1 (1 ) vS ! ?1 (2 ).

X . If !?1 (1)(x ) = Y then clearly !?1 (1)(x ) S !?1 (2)(x ). If !?1 (1)(x ) = then by stability lemma 3.6 we have x 1( ) and since 1( ) 2 ( ) we obtain x 2( ). But then again by stability lemma 3.6 !?1 (2)(x ) = . Otherwise, ! ?1 (1 )(x ) = and ! ?1 (1 )(x ) = Y , that is, x 1 ( ). In this case, for every o OSc (Y ) if x 1 (o ) then x 2 (o ), because either o = Y and hence clearly x 2 (Y ) (2 is top preserving) or o = Y and x 1 (o ) 1( ) 2(o ) 2( ). Therefore, if x 1( ) and ! ?1 (1 )(x ) = Y , o x 1 (o ) o x 2(o ) and x 2( ). Hence 2 and x

LD

1 v

2

v

;

2

6

2

;

;

;

;

6

2

62

;

2

2

f

! ?1 (1 )(x ) =

j

;

2

2

6

6

;

\

2

n

g f

o x 1(o )

f

j

2

j

g

;

2

\

n

g

62

;

62

;

;

o x 2 (o ) = !?1(2 )(x )

f

j

2

g

and !?1(2)(x ) = . Summarizing, we have !?1 (1)(x ) S !?1 (2)(x ). 2 Finally we show that the isomorphisms of Theorem 5.14 hold if we replace (Y ) by (Y ) and replace the subset-superset orderings by the deadlock order for pairs of liveness and safety predicate transformers. The following lemma is enough to prove this result since we combine the results of the four lemmas above. 6

;

v

P

25

P

Lemma 6.7 Let X be an algebraic domain and A; B A

v

P

B

,

A

"v

S

B

"

^

A

v

H

B

,

A

"v

S

B

2 P

"

(X ). Then

A

^

v

H

B

Proof: Trivial.

2

7 Fixed Point Transformation Technique In [BK92] a backtrack operator 3S from (X (X ))2 to X (X ) is de ned (where X and Y are at dcpo's) and it is not monotone with respect to the lifting of S to the function space. Also the sequential composition operator ; S from (X (X ))2 to X (X ) is not monotone with respect to the lifting of S to the function space. In order to be able to calculate least xed points of equations in which we use these non monotonic functions, a transfer lemma is used in [BK92]. This lemma requires the existence of a function between (X ) and (X ) (or (X )). In this section we show that also for non- at !-algebraic dcpo's X there exists a function between the Plotkin power domain co (X ) and the Smyth power domain co (X ) (or co (X )) which satis es the requirements of the transfer lemma. Let P be a dcpo. For f : P P , we denote by :f the least xed point of f , that is, f (:f ) = :f and for every other x P with f (x ) = x we have :f x . For a monotone function f : P m P the least xed point of f always exists and it can be calculated by iteration: there F exists an ordinal such that :f = f , where the -iteration of f is de ned by f = f ( k < f k ) for every ordinal [HP72]. If f is also continuous then !0. Via a xed point transformation technique we can show that in certain cases also non-monotonic functions have least xed points that can be calculated by iteration: ! S

! S

v

! S

! S

v

P

S

S

P

S

S

!

2

v

!

Theorem 7.1 Let P be a dcpo and Q be a partially ordered set, f : P

!

function, h : P c Q be an onto and continuous function and g : Q non-monotone) function such that the following diagram commutes: !

f

P h

?

!

P be a monotone Q be a (possibly

-P

Q

m

g

h

- Q?

Then for every ordinal the -iteration from the bottom element g exists. Moreover, if for each y Q the partially ordered set h ?1 (y ) P is nite or contains either the bottom or the top element then the smallest xed point :g exists and :g = h (:f ). 2

The function g : Q Q is a said a representation as quotient of f : P m P via h : P c Q . To apply this theorem we need to establish relationships between the dierent power domains. The next two lemmas paves the way for these relationships. Let X be an algebraic dcpo and A X . De ne the set of minimal elements of A by !

!

min (A) = x x A f

j

2

^

( y A:x 8

2

v

X

y

)

26

x = y) : g

!

Minimal elements are used in [Kni93b] and [Kni93a] for the construction of the power domains + + co (X ) and co (X ) from an ! -algebraic dcpo's X . De ne the set of maximal elements of A by S

P

max (A) = x A x BX f

2

j

2

( b A BX : b

)

8

2

\

v

X

x

)

b = x) : g

It is not always true that max (A) A.

Lemma 7.2 Let X be an algebraic dcpo and A X . Then min (A) = A and for every other

"

"

B X such that B = A then min (A) B. Also, max (A) = A and for every -closed B such that B = A then max (A) B.

"

"

X

We use the lemma in the following:

Lemma 7.3 Let X be an algebraic dcpo and A X . Then

1. (A

A) = A and for every other B

" \

2 P

(X ) such that B = A we have (A

" \

A)

v

P

B.

2. (max (A) A) = A and for every other B (X ) such that B = A we have B P (max (A) A). (X ) such that B = A we have (A 3. (A min (A)) = A and for every other B min (A)) P B. (X ) such that B = A we have B P (A A). 4. (A A) = A and for every other B " \

2 P

v

" \

"

" \

\

"

2 P

"

"

"

v

" \

"

"

2 P

"

"

v

" \

Proof: 1. By Lemma 4.1.1 we have (A A) = A. Moreover (A A) (X ) because the intersection of an upper-closed and a Scott closed set is -closed. Let now B (X ) be such that B = A. Then B B = A implies B A . Therefore B = (B B ) (A A), implies B (A A) . But B = A = (A A), hence (A A) P B . " \

" \

2 P

2 P

"

" \

"

"

"

" \

" \

" \

" \

v

(X ) be 2. Since max (A) = A, by Lemma 4.1.1 we have (max (A) A) = A. Let now B such that B = A. Then by Lemma 7.2 max (A) B and hence max (A) B . But by Lemma 4.1.3 (max (A) A) = max (A) B and (max (A) A) = A = B , therefore B P (max (A) A). (X ) be 3. Since min (A) = A , by Lemma 4.1.2 we have (A min (A)) = A . Let now B another set such that B = A . Then min (A) B by Lemma 7.2 and hence min (A) B . But by Lemma 4.1.3 (A min (A)) = min (A) B and (A min (A)) = A = B , therefore, (A min (A)) P B . (X ) be another set such that 4. By Lemma 4.1.2 we have (A A ) = A . Let now B B = A . Then B B = A implies B A . Therefore B = (B B ) (A A ), implies B (A A ). But B = A = (A A ) , hence B P (A A ). " \

2 P

" \

v

"

"

"

" \

" \

"

"

"

" \

2 P

" \

"

"

"

v

" \

"

" \

" \

"

"

" \

"

"

"

"

"

"

" "

"

"

"

2 P

"

" \

"

" \

" "

v

" \

" \

"

"

2

If A X is Scott compact, then also A is Scott compact and hence also (A min (A)) and (A A ) are Scott compact (the intersection of a Scott compact set with a Scott closed set is Scott compact). Also (A A) is Scott compact for every A X because is an element of it. We give now the relationships:

" \

"

" \

"

" \

27

?

co (X )

S

6

( ) co "

id

S

()

"

-

id

co (X )

( )co

co (X )

P

P

co

-

co (X )

() (X )

sw

?

H

( )co

H

6

P

(X )

()

P

S

(X )

()

6

id

?

(X )

-

"

id

(X )

()

-

S

(X )

"

Figure 1: Relationships among the power domains

Theorem 7.4 Let X be an algebraic dcpo. Then

the function ( ) : (X ) (X ) de ned by (A) = A for every A (X ) is onto, ?1 monotone, and for every B (X ) the inverse (B ) (X ) has a minimal and a maximal element (with respect to P ) given by (B B ) and (max (B ) B ), respectively.

P

!

H

2

2 H

P

v

" \

"

P

! S

"

"

2 P

P

v

\

\

the function ( )co : co (X ) (X ) de ned by (A) = A for every A co (X ) is onto, ?1 monotone, and for every B (X ) the inverse (B ) co (X ) has a minimal element (with respect to P ) given by (B B ).

P

! H

2 P

P

2 H

v

" \

the function ( ) : (X ) (X ) de ned by (A) = A for every A (X ) is onto, ?1 monotone, and for every B (X ) the inverse (S ) (X ) has a minimal and a maximal element (with respect to P ) given by (B min (B )) and by (B B ), respectively. 2 S

P

" \

the function ( ) co : co (X ) co (X ) de ned by (A) co = A for every A co (X ) is onto, ?1 monotone, and for every B co (X ) the inverse (S ) co (X ) has a minimal and a maximal element (with respect to P ) given by (B min (B )) and by (B B ), respectively. "

P

! S

"

2 S

"

2 P

P

v

\

\

Proof: Follows from Lemma 7.3.

2

The theorem also holds if we substitute the power domains (X ); (X ) and (X ) for (X ); (X ) and (X ). Moreover, if X is an !-algebraic dcpo, then ( )co and ( ) co : co (X ) co (X ) are continuous function (see [Smy83] and also [Plo81]). This means that given an ! algebraic dcpo and a function f : co (X ) m co (X ), every representation as quotient of f via ( ) co or ( )co has least xed point that can be calculated by iteration by Theorem 7.1. De ne sw : (X ) (X ) by H

H

S

S

P

P

"

P

!

S

P

"

!

P

H

! H

8 > < sw (A) = > :A ;

f?g

if A = if A = otherwise:

f?g ;

It is clearly continuous. The diagram in Figure 1 summarizes the situation.

8 Conclusions and Future Work We have proposed a formal de nition of safety and liveness predicates and of predicate transformers following the line of [Smy83, Kwi91]. Furthermore we have given generalizations of 28

the standard de nitions of power domains and of state transformers, which give us a complete series of isomorphisms between predicate and state transformers (including the Plotkin state transformers). Future work includes: a generalization of the results to arbitrary topological spaces and applications of predicate transformers to non- at domains for concurrency and communication and the design of an associated logic. Acknowledgements: We wish to thank the members of the Amsterdam Concurrency Group especially Jaco de Bakker, Jan Rutten, Daniele Turi, and Franck van Breugel, for discussions and suggestions about the contents of this paper. Thanks also to Peter Knijnenburg, Marta Kwiatkowska, Bart Jacobs, Mike Smyth, and the anonymous referees for their helpful comments.

References [Abr91] S. Abramsky. A domain equation for bisimulation. Information and Computation, 92:161{218, 1991. [AP86] K.R. Apt and G. Plotkin. Countable nondeterminism and random assignment. Journal of the ACM, 33(4):724{767, October 1986. [AS85] B. Alpern and F.B. Schneider. De ning liveness. Information Processing Letters, 21:181{185, 1985. [Bac80] R.-J.R. Back. Correctness Preserving Program Re nements: Proof Theory and Applications, volume 131 of Mathematical Centre Tracts. Mathematical Centre, Amsterdam, 1980. [Bak80] J.W. de Bakker. Mathematical Theory of Program Corretness. Prentice-Hall, 1980. [BK92] M. Bonsangue and J.N. Kok. Semantics, orderings and recursion in the weakest precondition calculus. Technical Report CS-R9267, Centre for Mathematics and Computer Science, Amsterdam, 1992. Extended abstract published in the proceedings of the Rex Workshop '92 'Semantics: Foundations and Applications' LNCS 666, 1993. [Bre93] F. van Breugel. Relating state transformation semantics and predicate transformer semantics for parallel programs. Technical report, CWI, Amsterdam, 1993. To appear. [Dij76] E.W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976. [Eng77] R. Engelking. General Topology. Polish Scienti c Publishers, 1977. [HP72] P. Hitchcock and D. Park. Induction rules and termination proofs. In International Conference on Automata, Languages and Programming, 1972. [Hrb87] K. Hrbacek. Convex Powerdomains I. Information and computation, 74:198{225, 1987. [Hrb89] K. Hrbacek. Convex Powerdomains II. Information and computation, 81:290{317, 1989. [Kni93a] P.M.W. Knijnenburg. Algebraic Domains, Chain Completion and the Plotkin Powerdomain Construction. Technical Report RUU-CS-93-03, Utrecth University - Department of Computer Science, Utrecht, 1993. 29

[Kni93b] P.M.W. Knijnenburg. A Note on the Smyth Powerdomain Construction. Technical Report RUU-CS-93-02, Utrecth University - Department of Computer Science, Utrecht, 1993. [Kwi91] M.Z. Kwiatowska. On topological characterization of behavioural properties. In G.M. Reed, A.W. Roscoe, and R.F. Wachter, editors, Topology and Category Theory in Computer Sciences - Proc. Oxford Topology Symposioum, June 1989, pages 153{177. Oxford Science Pubblications, 1991. [Lam77] L. Lamport. Proving the correctness of a multiprocess program. IEEE Transaction on Software Eng., SE-3:125{143, 1977. [MM79] G. Milne and R. Milner. Concurrent processes and their syntax. J. ACM, 26, 2:302{ 321, 1979. [Nel89] G. Nelson. A generalization of Dijkstra's calculus. ACM Transaction on Programming Languages and Systems, 11 - 4:517{561, 1989. [Plo76] G.D. Plotkin. A powerdomain construction. SIAM J. Comput., 5:452{487, 1976. [Plo79] G.D. Plotkin. Dijkstra's predicate transformer and Smyth's powerdomain. In Proceedings of the Winter School on Abstract Software Speci cation, volume 86 of Lecture Notes in Computer Science, pages 527{553. Springer-Verlag, Berlin, 1979. [Plo81] G.D. Plotkin. Post-graduate lecture notes in advanced domain theory (incorporating the \Pisa Notes"). Department of Computer Science, Univ. of Edinburgh, 1981. [Roe76] W.P. de Roever. Dijkstra's predicate transformer, non-determinism, recursion, and terminations. In Mathematical foundations of computer science, volume 45 of Lecture Notes in Computer Science, pages 472{481. Springer-Verlag, Berlin, 1976. [Smy78] M.B. Smyth. Power domains. J. Comput. Syst. Sci., 16,1:23{36, 1978. [Smy83] M.B. Smyth. Power domains and predicate transformers: A topological view. In Proceedings of ICALP '83 (Barcelona), volume 154 of Lecture Notes in Computer Science, pages 662{675. Springer-Verlag, Berlin, 1983. [Smy92] M.B. Smyth. Topology. In S. Abramsky, D.O.V.M. Gabbay, and T.S.E. Malbaum, editors, Handbook of Logic in Computer Science, volume I - Background: Mathematical Structures, pages 641{761. Clarendon Press, 1992. [SP82] M.B. Smyth and G.D. Plotkin. The category-theoretic solution of recursive domain equations. SIAM J. Comput., 11:761{783, 1982. [vW90] J. von Wright. A Lattice-theoretical Basis for Program Re nement. PhD thesis, Abo Akademi, 1990.

30