Formal Aspects of Computing (1994) 3: 1-000 © 1994 BCS
The Weakest Precondition Calculus: Recursion and Duality

Marcello M. Bonsangue¹ and Joost N. Kok

Department of Computer Science, Vrije Universiteit Amsterdam, NL; Department of Computer Science, Utrecht University, NL
Keywords: weakest (liberal) preconditions; refinement; fixed point transformations; Smyth power domain; Egli-Milner power domain; recursion; denotational semantics
Abstract. An extension of Dijkstra's guarded command language is studied, including unbounded demonic choice and a backtrack operator. We consider three orderings on this language: a refinement ordering defined by Back, a new deadlock ordering, and an approximation ordering of Nelson. The deadlock ordering is in between the two other orderings. All operators are monotonic in the Nelson ordering, but backtracking is not monotonic in the Back ordering and sequential composition is not monotonic for the deadlock ordering. At first sight recursion can only be added using the Nelson ordering. We show that, under certain circumstances, least fixed points for non-monotonic functions can be obtained by iteration from the least element. This permits the addition of recursion even using the Back ordering or the deadlock ordering in a fully compositional way. In order to give a semantic characterization of the three orderings in terms of semantics that relate initial states to possible outcomes of the computation, the relation between predicate transformers and discrete power domains is studied. We consider (two versions of) the Smyth power domain and the Egli-Milner power domain.
¹ The research of Marcello Bonsangue was supported by a grant of the Università degli Studi di Milano, Italy, and by a grant of the Centro Nazionale delle Ricerche (CNR), Italy. Correspondence and offprint requests to: Marcello M. Bonsangue, Department of Computer Science, Vrije Universiteit, De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands.
1. Introduction
The weakest precondition calculus of Dijkstra identifies statements in the guarded command language with predicate transformers [Dij76] such that program synthesis from specifications is supported. The language was extended to use it as a vehicle for program refinement. Specification constructs, like unbounded demonic choice and angelic choice, were added and a refinement ordering was defined. This approach was introduced in [Bac78, Bac80] and is suited for refinement (see [BW90, Bac90] and also [MRG88, Mor87]). The ordering can be used to add recursion to the language, but not in a fully compositional way in which all the operators can be used freely. For example, for each set of guards there is a different conditional command. An early treatment of recursion, based on continuity of the weakest preconditions (and hence based on finite nondeterminism), is given in [Roe76]. More detailed treatments are given in [Heh79] and [Bak80]. Recursion together with countable nondeterminism is studied in [AP86], and recursion with unbounded nondeterminism in [DG86, Hes89]. Recursion is added in a fully compositional way by Nelson in [Nel89]: the guarded command language is embedded in a language with sequential composition, binary demonic choice and a backtrack operator in which the operators can be used freely. An ordering on predicate transformers is given, and all the operators are monotonic with respect to this ordering. The ordering uses the additional notion of weakest liberal precondition, and is an approximation ordering of the kind used in denotational semantics. It is not suited for refinement in the sense of [BW90].

Our starting point is the language of [Nel89]. In this language there is a form of infinite behavior (a divergence construct) and atomic actions that can deadlock (to initiate backtracking). The main operators present in the language are sequential composition, unbounded demonic choice and a backtrack operator.
We consider three orderings; besides the orderings of Back and Nelson we define a new ordering in between. It is called deadlock ordering because it preserves deadlocks (as can be seen from its semantic characterization). A normal (nonmiraculous) terminating statement is not refined by a miracle in the deadlock ordering. Only the Nelson ordering is monotonic with respect to all three operators: the backtrack operator is not monotonic with respect to the Back ordering and the sequential composition is not monotonic for the deadlock ordering. At first sight only the Nelson ordering seems to be suited to add recursion to the language. But the fact that for the Nelson ordering all the operators are monotonic implies that recursion can be added also using the other two orderings. This result is proved using an extension of fixed point theory. It is well known that a continuous function from a complete partial order to itself has a least fixed point that can be obtained by iteration from the least element. This result was extended by Hitchcock and Park [HP72] showing that also a monotone function from a complete partial order to itself has a least fixed point. Then Apt and Plotkin [AP81, AP86] showed that the least fixed point property can be transferred, via a commutative diagram, to monotone functions from a poset (not necessarily complete) to itself. This transfer lemma is explored in detail by Meyer in [Mey85]. We show that the least fixed point property can be transferred to arbitrary functions from a partial order to itself.

We also provide state transformer models for three weakest precondition semantics. The state transformer models relate initial states to sets of possible outcomes of the computation. Programs are hence represented by state transforming functions. One of the aims of this paper is to match the predicate transformer view of a program to the state transformer view by extending the duality which relates the discrete version of the Smyth power domain [Smy78] and Dijkstra's predicate transformers [Wan77, Plo79, Bac81, Smy83, Bes83, AP86]. The duality states that there is an order isomorphism between functions to the Smyth power domain (ordered pointwise) and the predicate transformers (ordered by the refinement order). The presence of a backtrack operator in the language justifies the introduction of two versions of the Smyth power domain: the empty set, representing deadlock, is added in two different ways. We extend the duality to these two versions of the Smyth power domain. This gives semantic models for the Back and the deadlock ordering. The Egli-Milner power domain (extended with the empty set too, in order to treat deadlock) is treated by giving an isomorphism between the Egli-Milner state transformers and the Nelson predicate transformers (cf. [Nel89]). For the state transformer models we define operations that are isomorphic to the corresponding operations between predicate transformers.
2. Language, Operational Semantics and Weakest Preconditions
Let $(v \in)\,Var$ be a set of variables, let $(d \in)\,D$ be some domain of values (for example the natural numbers) and let $(\sigma \in)\,\Sigma = Var \to D$ be a set of states. Let also $(t \in)\,Exp = \Sigma \to D$ be a set of (evaluated) expressions, $(b \in)\,BExp = \Sigma \to Bool$ be a set of (evaluated) boolean expressions, and $(P, Q \in)\,Pred = \Sigma \to Bool$ be the set of predicates on $\Sigma$, where $Bool = \{tt, ff\}$ is the set of truth-values. Equivalently, a predicate $P$ on $\Sigma$ can be seen as the set of states $\{\sigma \in \Sigma \mid P(\sigma) = tt\}$ in which $P$ holds. In the rest of the paper we use the symbols $\Rightarrow$, $\bigwedge$, $\vee$ and $\wedge$ for denoting, respectively, the classical logical implication, the infinite conjunction, the binary disjunction, and the binary conjunction among predicates. We denote by $false$ ($true$) the predicate that yields false (true) for every state. When a predicate is interpreted as a set, then the logical implication $\Rightarrow$ is just the subset relation, $\bigwedge$ is the intersection and $\vee$ is the binary union. Clearly the predicate $false$ is the empty set and $true$ is the set of all states.

The class $(S \in)\,Stat$ of statements is defined by

$$S ::= v := t \mid b\,! \mid div \mid S_1 ; S_2 \mid \Box_{i \in I} S_i \mid S_1 \Diamond S_2$$

where $I$ is a non-empty (but possibly infinite) index set. Since the index set $I$ is arbitrary, $Stat$ is a proper class in the set-theoretical sense. The language has two atomic operators (assignment and conditional), two binary operators (sequential composition $;$ and backtrack operator $\Diamond$), and a demonic choice operator $\Box$ for every non-empty index set. A divergent statement $div$ is also present. The binary demonic choice is denoted by $\Box$ (no index set). The sequential composition executes the first component and then it executes the second component. The demonic choice executes one of its components in such a way that components with possible infinite behavior are given preference. The backtrack operator backtracks to the second component if the first component deadlocks. The only atomic action that can deadlock is $b\,!$: it deadlocks in a state in which the boolean expression $b$ does not evaluate to true.
One difference with the language studied in [Nel89] is that there are two kinds of atomic actions: the assignment action $v := t$ and the test action $b\,!$. Another difference is that we allow unbounded demonic choice. Dijkstra's guarded command language [Dij76, DS90] can be seen as a subset of this language, except for the do-od construct which will be handled when we add recursion. The guarded command $b \to S$ corresponds to $b\,! ; S$, the conditional command $\mathbf{if}\ \Box_{i \in I}\, b_i \to S_i$ to $(\Box_{i \in I}\, b_i\,! ; S_i) \Diamond div$.

To guide the intuition about this language we give an operational semantic model, based on a transition system, that relates initial states with possible outcomes of the computation. In order to deal with backtracking in the transition system we introduce the class of extended statements $(m \in)\,Stat$:

$$m ::= S \mid m_1 \triangle (m_2, \sigma),$$

where $S \in Stat$ and $\sigma \in \Sigma$. Intuitively $m_1 \triangle (m_2, \sigma)$ means that $m_1$ is executed in some state, and that the statement $m_2$ is remembered in order to execute it in the state $\sigma$ if $m_1$ fails at some later stage. After the next definition we give some more explanation and an example of a computation.

Definition 2.1. Let $Conf = (Stat \cup \{E\}) \times (\Sigma \cup \{\delta\})$ be a set of configurations, and define the transition relation $\longrightarrow\ \subseteq Conf \times Conf$ to be the least relation satisfying the axioms and rules in Figure 1. In this definition $\sigma[t/v]$ denotes the state

$$\sigma[t/v](v') = \begin{cases} t(\sigma) & \text{if } v = v' \\ \sigma(v') & \text{otherwise.} \end{cases}$$

Intuitively, $\langle m_1, \sigma\rangle \longrightarrow \langle m_1', \sigma'\rangle$ states that one step of execution of the statement $m_1$ in the state $\sigma$ leads to a state $\sigma'$ with $m_1'$ (being the remainder of $m_1$) to be executed. The symbol $E$ is introduced to deal with termination, and the symbol $\delta$ serves as a deadlock state. We say that $m$ can diverge from $\sigma$, denoted by $m \uparrow \sigma$, if there exists an infinite sequence of configurations $c_i$ such that $c_i \longrightarrow c_{i+1}$ for all $i \ge 0$, and $c_0 = \langle m, \sigma\rangle$. We say that $m$ cannot diverge in $\sigma$ (denoted by $m \downarrow \sigma$) if not $m \uparrow \sigma$. By $c \longrightarrow^* c'$ we denote that there exists a finite sequence ($n \ge 0$) $c \longrightarrow c_1 \longrightarrow \cdots \longrightarrow c_n \longrightarrow c'$.

Definition 2.2. Let the function $Op : Stat \to (\Sigma \to (\mathcal{P}(\Sigma) \cup \{\bot\}))$ (where $\Sigma_\bot = \Sigma \cup \{\bot\}$) be defined by

$$Op(S)(\sigma) = \begin{cases} \bot & \text{if } S \uparrow \sigma \\ \{\sigma' \in \Sigma \mid \langle S, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle\} & \text{otherwise.} \end{cases}$$

The definition of the function $Op$ explains why $\Box$ is called demonic choice: if there is the possibility of infinite behavior ($S$ can diverge) then it will be chosen. Next we discuss the backtrack operator $\Diamond$. If we execute the statement $S_1 \Diamond S_2$ in a state $\sigma$ then we look whether we can do a step from $S_1$ (that possibly changes $\sigma$, say to $\sigma'$) and we remember the starting state $\sigma$ by changing $\Diamond$ into $\triangle$. If this computation deadlocks at a later stage, then we still have the alternative $S_2$ and we can install the state $\sigma$ again. For example, consider the statement $(v = 0\,! ; v := 2) \Diamond v := 3$ and let $\sigma \in \Sigma$ be a state such that $\sigma(v) = 1$. Then we derive from

$$\langle (v = 0\,! ; v := 2), \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle v := 3, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle$$
Axioms:

$\langle v := t, \sigma\rangle \longrightarrow \langle E, \sigma[t/v]\rangle$

$\langle b\,!, \sigma\rangle \longrightarrow \langle E, \sigma\rangle$ if $b(\sigma) = tt$

$\langle b\,!, \sigma\rangle \longrightarrow \langle E, \delta\rangle$ if $b(\sigma) = ff$

$\langle div, \sigma\rangle \longrightarrow \langle div, \sigma\rangle$

Sequential composition:

$$\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle}{\langle m_1 ; m_2, \sigma\rangle \longrightarrow \langle E, \delta\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle m_1', \sigma'\rangle}{\langle m_1 ; m_2, \sigma\rangle \longrightarrow \langle m_1' ; m_2, \sigma'\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}{\langle m_1 ; m_2, \sigma\rangle \longrightarrow \langle m_2, \sigma'\rangle}$$

Demonic choice:

$$\frac{\forall i \in I.\ \langle m_i, \sigma\rangle \longrightarrow \langle E, \delta\rangle}{\langle \Box_{i \in I}\, m_i, \sigma\rangle \longrightarrow \langle E, \delta\rangle}
\qquad
\frac{\exists k \in I.\ \langle m_k, \sigma\rangle \longrightarrow \langle m_k', \sigma'\rangle}{\langle \Box_{i \in I}\, m_i, \sigma\rangle \longrightarrow \langle m_k', \sigma'\rangle}
\qquad
\frac{\exists k \in I.\ \langle m_k, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}{\langle \Box_{i \in I}\, m_i, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}$$

Backtrack operator:

$$\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle m_2, \sigma\rangle \longrightarrow \langle E, \delta\rangle}{\langle m_1 \Diamond m_2, \sigma\rangle \longrightarrow \langle E, \delta\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle m_2, \sigma\rangle \longrightarrow \langle m_2', \sigma'\rangle}{\langle m_1 \Diamond m_2, \sigma\rangle \longrightarrow \langle m_2', \sigma'\rangle}$$

$$\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle m_2, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}{\langle m_1 \Diamond m_2, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle m_1', \sigma'\rangle}{\langle m_1 \Diamond m_2, \sigma\rangle \longrightarrow \langle m_1' \triangle (m_2, \sigma), \sigma'\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}{\langle m_1 \Diamond m_2, \sigma\rangle \longrightarrow \langle E, \sigma'\rangle}$$

Extended statements:

$$\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle m_2, \sigma'\rangle \longrightarrow \langle E, \delta\rangle}{\langle m_1 \triangle (m_2, \sigma'), \sigma\rangle \longrightarrow \langle E, \delta\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle m_2, \sigma'\rangle \longrightarrow \langle m_2', \sigma''\rangle}{\langle m_1 \triangle (m_2, \sigma'), \sigma\rangle \longrightarrow \langle m_2', \sigma''\rangle}$$

$$\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \delta\rangle \ \wedge\ \langle m_2, \sigma'\rangle \longrightarrow \langle E, \sigma''\rangle}{\langle m_1 \triangle (m_2, \sigma'), \sigma\rangle \longrightarrow \langle E, \sigma''\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle m_1', \sigma''\rangle}{\langle m_1 \triangle (m_2, \sigma'), \sigma\rangle \longrightarrow \langle m_1' \triangle (m_2, \sigma'), \sigma''\rangle}
\qquad
\frac{\langle m_1, \sigma\rangle \longrightarrow \langle E, \sigma''\rangle}{\langle m_1 \triangle (m_2, \sigma'), \sigma\rangle \longrightarrow \langle E, \sigma''\rangle}$$

Fig. 1. The transition system.
that

$$\langle (v = 0\,! ; v := 2) \triangle (v := 3, \sigma), \sigma\rangle \longrightarrow \langle E, \sigma'\rangle,$$

where $\sigma'(v) = 3$ and $\langle (v = 0\,! ; v := 2), \sigma\rangle \longrightarrow \langle E, \delta\rangle$, because from $\langle v = 0\,!, \sigma\rangle \longrightarrow \langle E, \delta\rangle$ it follows that $\langle (v = 0\,! ; v := 2), \sigma\rangle \longrightarrow \langle E, \delta\rangle$. Therefore $\langle (v := 2 ; v = 0\,! ; v := 2) \Diamond v := 3, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle$.

In order to get some more feeling for this transition system we give examples of equalities between statements (an equality $S_1 =_{Op} S_2$ between two statements denotes that $S_1$ and $S_2$ have the same operational semantics, that is, $Op(S_1) = Op(S_2)$). For all $S \in Stat$ we have

$(false\,! \Box S) =_{Op} (S \Box false\,!) =_{Op} S$, $\quad (false\,! \Diamond S) =_{Op} S$,

$(div \Box S) =_{Op} (S \Box div) =_{Op} div$, $\quad (div \Diamond S) =_{Op} div$,

$(false\,! ; S) =_{Op} false\,!$, $\quad (div ; S) =_{Op} div$, $\quad (true\,! ; S) =_{Op} (S ; true\,!) =_{Op} S$.

Next we give the weakest precondition semantics and relate it to the operational model $Op$.

Definition 2.3. (Weakest Preconditions) Let $wp : Stat \to (Pred \to Pred)$ be defined as follows:

$wp(v := t)(Q) = Q[t/v]$

$wp(b\,!)(Q) = b \Rightarrow Q$

$wp(div)(Q) = false$

$wp(S_1 ; S_2)(Q) = wp(S_1)(wp(S_2)(Q))$

$wp(\Box_{i \in I} S_i)(Q) = \bigwedge_{i \in I} wp(S_i)(Q)$

$wp(S_1 \Diamond S_2)(Q) = wp(S_1)(Q) \wedge (wp(S_1)(false) \Rightarrow wp(S_2)(Q))$

where $Q[t/v](\sigma) = Q(\sigma[t/v])$.

If we identify statements with their weakest preconditions then we have that our language is a subset of the monotonic predicate transformers of [BW90, Wri90] because we do not consider angelic choice and multiple assignment statements. The guard statement $[b]$ is $b\,!$ and the assert statement $\{b\}$ is $b\,! \Diamond div$. Other derived statements are $\mathbf{if}\ S = S \Diamond div$, $skip = true\,!$, $abort = div$, and $magic = havoc = false\,!$. The weakest precondition semantics $wp$ is related to the operational semantics $Op$ as follows.

Theorem 2.4. For every $S \in Stat$ and $P \in Pred$, $wp(S)(P) = \{\sigma \in \Sigma \mid Op(S)(\sigma) \Rightarrow P\}$.
Proof. The proof proceeds by structural induction on $S \in Stat$. We treat only the case $S = S_1 \Diamond S_2$, since the other cases are standard and can be found, for example, in [Bak80]. Let $S_1, S_2$ be two statements. We have that the set $\{\sigma \in \Sigma \mid Op(S_1 \Diamond S_2)(\sigma) \Rightarrow P\}$ equals by definition of $Op$

$$\{\sigma \in \Sigma \mid \{\sigma' \in \Sigma \mid \langle S_1 \Diamond S_2, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle \wedge S_1 \Diamond S_2 \downarrow \sigma\} \Rightarrow P\}.$$

By Definition 2.1, $\langle S_1 \Diamond S_2, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle$ if and only if either $\langle S_1, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle$, or both $\langle S_1, \sigma\rangle \longrightarrow^* \langle E, \delta\rangle$ and $\langle S_2, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle$. Also, $S_1 \Diamond S_2 \downarrow \sigma$ if and only if either $S_1 \downarrow \sigma$ and there is a $\sigma' \in \Sigma$ such that $\langle S_1, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle$, or $S_1 \downarrow \sigma$, $S_2 \downarrow \sigma$ and the only configuration which can be reached via $\longrightarrow^*$ from $\langle S_1, \sigma\rangle$ is $\langle E, \delta\rangle$. This means that $S_1 \Diamond S_2 \downarrow \sigma$ if and only if either $Op(S_1)(\sigma) \neq \emptyset$ and $S_1 \downarrow \sigma$, or $Op(S_1)(\sigma) = \emptyset$ and $S_2 \downarrow \sigma$. Therefore we have that

$$\{\sigma \in \Sigma \mid \{\sigma' \in \Sigma \mid \langle S_1 \Diamond S_2, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle \wedge S_1 \Diamond S_2 \downarrow \sigma\} \Rightarrow P\}$$

equals

$$\{\sigma \in \Sigma \mid Op(S_1)(\sigma) \neq \emptyset \wedge \{\sigma' \in \Sigma \mid \langle S_1, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle \wedge S_1 \downarrow \sigma\} \Rightarrow P\} \ \cup\ \{\sigma \in \Sigma \mid Op(S_1)(\sigma) = \emptyset \wedge \{\sigma' \in \Sigma \mid \langle S_2, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle \wedge S_2 \downarrow \sigma\} \Rightarrow P\}.$$

But since $S_1 \downarrow \sigma$, we have that $Op(S_1)(\sigma) = \{\sigma' \in \Sigma \mid \langle S_1, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle\}$ and similarly, since $S_2 \downarrow \sigma$, we have that $Op(S_2)(\sigma) = \{\sigma' \in \Sigma \mid \langle S_2, \sigma\rangle \longrightarrow^* \langle E, \sigma'\rangle\}$. Therefore the set $\{\sigma \in \Sigma \mid Op(S_1 \Diamond S_2)(\sigma) \Rightarrow P\}$ equals

$$\{\sigma \in \Sigma \mid Op(S_1)(\sigma) \neq \emptyset \wedge Op(S_1)(\sigma) \Rightarrow P\} \ \cup\ \{\sigma \in \Sigma \mid Op(S_1)(\sigma) = \emptyset \wedge Op(S_2)(\sigma) \Rightarrow P\}$$

which is by the induction hypothesis the same as

$$(\neg wp(S_1)(false) \wedge wp(S_1)(P)) \vee (wp(S_1)(false) \wedge wp(S_2)(P)).$$

But $wp(S_1)(false) \Rightarrow wp(S_1)(P)$, and hence the above predicate is equivalent to

$$(\neg wp(S_1)(false) \wedge wp(S_1)(P)) \vee (wp(S_1)(false) \wedge wp(S_1)(P) \wedge wp(S_2)(P))$$

which is equivalent to

$$wp(S_1)(P) \wedge (\neg wp(S_1)(false) \vee (wp(S_1)(false) \wedge wp(S_2)(P))),$$

that is, $wp(S_1)(P) \wedge (wp(S_1)(false) \Rightarrow wp(S_2)(P)) = wp(S_1 \Diamond S_2)(P)$. □
From the theorem above it is easy to deduce, for example, that $wp(S)(false) = \{\sigma \in \Sigma \mid Op(S)(\sigma) = \emptyset\}$ and $wp(S)(true) = \{\sigma \in \Sigma \mid Op(S)(\sigma) \neq \bot\}$. Furthermore, two statements $S_1, S_2 \in Stat$ are identified by the operational semantics if and only if they have the same weakest precondition for all predicates, that is

$$Op(S_1) = Op(S_2) \ \Leftrightarrow\ \forall P \in Pred : wp(S_1)(P) = wp(S_2)(P).$$
3. Orderings
In this section we introduce three pre-orders on $Stat$. The first pre-order $\sqsubseteq_B$ was proposed by Back [Bac78, Bac80] and is suited for refinement (see [Bac90] and also [Mor87, MRG88]). The second pre-order $\sqsubseteq_D$ is a new ordering which preserves deadlocks: a non-miraculous statement cannot be refined by a miraculous one. Both are defined by means of weakest preconditions:

$$S_1 \sqsubseteq_B S_2 \ \Leftrightarrow_{def}\ \forall Q \in Pred : wp(S_1)(Q) \Rightarrow wp(S_2)(Q),$$

and

$$S_1 \sqsubseteq_D S_2 \ \Leftrightarrow_{def}\ S_1 \sqsubseteq_B S_2 \wedge wp(S_1)(false) = wp(S_2)(false).$$

For the third pre-order we need weakest liberal preconditions of statements. The definition of $wlp : Stat \to (Pred \to Pred)$ is similar to that of $wp$ given in Definition 2.3, except for the cases

$$wlp(div)(Q) = true, \qquad\text{and}\qquad wlp(S_1 \Diamond S_2)(Q) = wlp(S_1)(Q) \wedge (wp(S_1)(false) \Rightarrow wlp(S_2)(Q)).$$

The next lemma, whose proof can be found in [Nel89], relates $wp$ and $wlp$. It states the familiar termination law of Dijkstra.

Lemma 3.1. For every statement $S \in Stat$ and predicate $P \in Pred$ we have $wp(S)(P) \Leftrightarrow (wp(S)(true) \wedge wlp(S)(P))$.

Since $wp(S)(P) \Rightarrow wp(S)(true)$ by monotonicity of $wp(S)$ we have that $wp(S)(P) \Rightarrow wlp(S)(P)$ as a consequence of the lemma above. Now we can define the third pre-order, which was introduced in [Nel89]:

$$S_1 \sqsubseteq_N S_2 \ \Leftrightarrow_{def}\ S_1 \sqsubseteq_B S_2 \wedge \forall Q \in Pred : wlp(S_2)(Q) \Rightarrow wlp(S_1)(Q).$$

By definition we have that the Nelson pre-order $\sqsubseteq_N$ is included in the deadlock pre-order $\sqsubseteq_D$, which in turn is included in the Back pre-order $\sqsubseteq_B$. Moreover these inclusions are strict because of the following inequalities:

$v := t \sqsubseteq_B (false\,!)$ but $v := t \not\sqsubseteq_D (false\,!)$;

$v := t_1 \Box v := t_2 \sqsubseteq_D v := t_2$ but $v := t_1 \Box v := t_2 \not\sqsubseteq_N v := t_2$.

We have the following problems with monotonicity:

$(true\,!) \sqsubseteq_B (false\,!)$ but $(true\,!) \Diamond v := t \not\sqsubseteq_B (false\,!) \Diamond v := t$;

$(v := t_1 \Box v := t_2) \sqsubseteq_D v := t_2$ but for $t_1 \neq t_2$ we have $(v := t_1 \Box v := t_2) ; (v = t_1\,!) \not\sqsubseteq_D v := t_2 ; (v = t_1\,!)$.

Theorem 3.2. Let $S_i, S_i' \in Stat$ for $i \in I$ where $I$ is a non-empty index set, and let also $S_1, S_2, S_1', S_2' \in Stat$.

(i) If $S_i \sqsubseteq_B S_i'$ for all $i \in I$ then $\Box_{i \in I} S_i \sqsubseteq_B \Box_{i \in I} S_i'$,

(ii) if $S_i \sqsubseteq_D S_i'$ for all $i \in I$ then $\Box_{i \in I} S_i \sqsubseteq_D \Box_{i \in I} S_i'$,

(iii) if $S_i \sqsubseteq_N S_i'$ for all $i \in I$ then $\Box_{i \in I} S_i \sqsubseteq_N \Box_{i \in I} S_i'$,

(iv) if $S_1 \sqsubseteq_B S_1'$ and $S_2 \sqsubseteq_B S_2'$ then $S_1 ; S_2 \sqsubseteq_B S_1' ; S_2'$,

(v) if $S_1 \sqsubseteq_D S_1'$ and $S_2 \sqsubseteq_D S_2'$ then $S_1 \Diamond S_2 \sqsubseteq_D S_1' \Diamond S_2'$,

(vi) if $S_1 \sqsubseteq_N S_1'$ and $S_2 \sqsubseteq_N S_2'$ then $S_1 ; S_2 \sqsubseteq_N S_1' ; S_2'$ and $S_1 \Diamond S_2 \sqsubseteq_N S_1' \Diamond S_2'$.
Proof. For the pre-orders $\sqsubseteq_B$ and $\sqsubseteq_N$ we refer to [BW90] and [Nel89], respectively. We prove only (ii) and (v). Let $I$ be a non-empty index set and let $S_i, S_i' \in Stat$ be statements for each $i \in I$ such that $S_i \sqsubseteq_D S_i'$. Since $S_i \sqsubseteq_D S_i'$ implies $S_i \sqsubseteq_B S_i'$ we have that $wp(\Box_{i \in I} S_i)(P) \Rightarrow wp(\Box_{i \in I} S_i')(P)$ for every predicate $P \in Pred$ because $\Box$ is monotone with respect to the pre-order $\sqsubseteq_B$. Next we prove $wp(\Box_{i \in I} S_i)(false) = wp(\Box_{i \in I} S_i')(false)$ in order to conclude $\Box_{i \in I} S_i \sqsubseteq_D \Box_{i \in I} S_i'$:

$$wp(\Box_{i \in I} S_i)(false) = \bigwedge_{i \in I} wp(S_i)(false) = \bigwedge_{i \in I} wp(S_i')(false) = wp(\Box_{i \in I} S_i')(false),$$

where the middle step uses $S_i \sqsubseteq_D S_i'$. Let now $S_1, S_2, S_1', S_2' \in Stat$ be statements such that $S_1 \sqsubseteq_D S_1'$ and $S_2 \sqsubseteq_D S_2'$. We first prove $wp(S_1 \Diamond S_2)(false) = wp(S_1' \Diamond S_2')(false)$:

$$wp(S_1 \Diamond S_2)(false) = wp(S_1)(false) \wedge (wp(S_1)(false) \Rightarrow wp(S_2)(false)) = wp(S_1)(false) \wedge wp(S_2)(false) = wp(S_1')(false) \wedge wp(S_2')(false) = wp(S_1' \Diamond S_2')(false).$$

It remains to prove that $wp(S_1 \Diamond S_2)(P) \Rightarrow wp(S_1' \Diamond S_2')(P)$ for every $P \in Pred$:

$$wp(S_1 \Diamond S_2)(P) = wp(S_1)(P) \wedge (wp(S_1)(false) \Rightarrow wp(S_2)(P)) \Rightarrow wp(S_1')(P) \wedge (wp(S_1')(false) \Rightarrow wp(S_2')(P)) = wp(S_1' \Diamond S_2')(P).$$ □
If we do not allow $\Box$ as an operator in the set of statements then all statements $S$ are deterministic (that is, $Op(S)(\sigma) \in \Sigma \cup \{\bot\}$ or $Op(S)(\sigma) = \emptyset$, for all states $\sigma$). For this deterministic subset of $Stat$ the ordering $\sqsubseteq_D$ is monotone.
3.1. Predicate Transformers

Next we define three domains of predicate transformers. A predicate transformer is a function $\pi : Pred \to Pred$. We consider multiplicative predicate transformers $(\pi \in)\,MPTran$, that is, predicate transformers $\pi : Pred \to Pred$ such that

$$\pi\Big(\bigwedge_{i \in I} Q_i\Big) = \bigwedge_{i \in I} \pi(Q_i)$$

where $I$ is a non-empty index set and $Q_i \in Pred$ for all $i \in I$. For every statement $S \in Stat$ the function $wp(S)$ as defined in Definition 2.3 is a multiplicative predicate transformer, as can be shown with some easy calculations. Moreover, if we extend the language with multiple assignment statements, then it is possible to prove that for every multiplicative predicate transformer $\pi \in MPTran$ there exists a statement $S$ such that $\pi = wp(S)$ [Wri90]. A number of different restrictions on predicate transformers can be found in the literature. Next we give a list of some possible requirements on the function space $Pred \to Pred$ that are used in the various definitions:

1. $\Sigma$ is countable,
2. $\pi(false) = false$ (exclusion of miracles),

3. $\pi$ is monotone with respect to the $\Rightarrow$ order,

4. $\pi$ is continuous with respect to the $\Rightarrow$ order,

5. $\pi(P \wedge Q) = \pi(P) \wedge \pi(Q)$ for all $P, Q \in Pred$ (finite multiplicativity),

6. $\pi(\bigwedge_{n \in N^{>}} P_n) = \bigwedge_{n \in N^{>}} \pi(P_n)$ where $N^{>}$ is the set of natural numbers greater than 0 and $P_n \in Pred$ for all $n \in N^{>}$ (countable multiplicativity),

7. $\pi(\bigwedge_{i \in I} P_i) = \bigwedge_{i \in I} \pi(P_i)$ where $I$ is an index set of the same cardinality as $\Sigma$ and $P_i \in Pred$ for all $i \in I$ ($\Sigma$-multiplicativity),

8. $\pi(\bigwedge_{i \in I} P_i) = \bigwedge_{i \in I} \pi(P_i)$ where $I$ is a nonempty index set and $P_i \in Pred$ for all $i \in I$ (multiplicativity).

The kind of restrictions depends on the kind of (specification) language one wants to model. For example in [Dij76] predicate transformers satisfy the properties 1.-5. and are used to model a language with at most a countable number of states and with finite nondeterministic demonic choice. In [Wan77, Plo79] predicate transformers satisfy the properties 1., 2., 4. and 5. For countable nondeterminism predicate transformers are required to satisfy the properties 1., 2. and 6. in [Bes83] and [AP86]. Finally, for a rich specification language with both unbounded angelic and demonic choice in [BW90] predicate transformers are required to satisfy only property 3. Multiplicative predicate transformers are of special interest for our purpose because of the following lemma. This lemma is a variation of the stability lemma in [AP86]:

Lemma 3.3. Let $\pi : Pred \to Pred$ be a $\Sigma$-multiplicative predicate transformer and let $\sigma \in \Sigma$ be such that $\sigma \in \pi(true)$. Then there is a set $min(\pi, \sigma)$ such that

$$\forall Q \in Pred : \sigma \in \pi(Q) \Leftrightarrow (min(\pi, \sigma) \Rightarrow Q).$$

Proof. Let $I$ be an index set of the same cardinality as $\Sigma$ and let $(\sigma_i)_{i \in I}$ be a collection of elements of $\Sigma$ for which there is a predicate $Q \in Pred$ with $\sigma_i \notin Q$ but $\sigma \in \pi(Q)$. If there is no such $Q$ then take $min(\pi, \sigma) = \Sigma$. Also, let $(Q_i)_{i \in I}$ be a collection of predicates such that for all $i \in I$, $\sigma_i \notin Q_i$ but $\sigma \in \pi(Q_i)$. Define $min(\pi, \sigma) = \bigwedge_{i \in I} Q_i$. We have to show that

$$\forall Q \in Pred : \sigma \in \pi(Q) \Leftrightarrow (min(\pi, \sigma) \Rightarrow Q).$$

From right to left we use that $\pi$ is a $\Sigma$-multiplicative predicate transformer and that $\sigma \in \pi(Q_i)$ for all $i \in I$. Hence $\sigma \in \bigwedge_{i \in I} \pi(Q_i) = \pi(\bigwedge_{i \in I} Q_i)$. But $\bigwedge_{i \in I} Q_i = min(\pi, \sigma)$, and thus $\sigma \in \pi(min(\pi, \sigma))$ (consider $min(\pi, \sigma)$ as a predicate). Hence $\pi(min(\pi, \sigma)) \Rightarrow \pi(Q)$ because $\pi$ is monotone. Since $\sigma \in \pi(min(\pi, \sigma))$, we obtain $\sigma \in \pi(Q)$. Conversely, suppose that $\sigma \in \pi(Q)$, but that $min(\pi, \sigma) \not\Rightarrow Q$. This means that there is a $\sigma'$ in $min(\pi, \sigma)$ and $\sigma' \notin Q$. Hence $\sigma'$ must be a $\sigma_k$ for some $k \in I$. But then $\sigma_k \notin Q_k$ and $min(\pi, \sigma) = \bigwedge_{i \in I} Q_i \Rightarrow Q_k$ contradicts $\sigma_k = \sigma' \in min(\pi, \sigma)$. □
Note that if a predicate transformer $\pi$ satisfies the law of excluded miracles, then for all $\sigma \in \Sigma$ the set $min(\pi, \sigma)$ is non-empty. The next lemma gives some of the relationships between the restrictions on $Pred \to Pred$.

Lemma 3.4. Let $\Sigma$ be a countable set of states and let 1.-8. be the list of properties defined above. Then we have
$$(4. \wedge 5.) \Rightarrow 6. \Leftrightarrow 7. \Leftrightarrow 8. \Rightarrow 3.$$

Proof. For a proof of $(4. \wedge 5.) \Rightarrow 8.$ see [Bes83]. We prove only $7. \Rightarrow 8.$ The other implications are clear and are left to the reader. Let $(P_i)_{i \in I}$ be a set of predicates on $\Sigma$ where $I \neq \emptyset$ (but possibly, $I$ is uncountable) and let $\pi$ be a predicate transformer satisfying the $\Sigma$-multiplicativity law. It suffices to prove $\bigwedge_{i \in I} \pi(P_i) \Rightarrow \pi(\bigwedge_{i \in I} P_i)$ since the other direction is trivial. Let $\sigma \in \bigwedge_{i \in I} \pi(P_i)$. Then $\sigma \in \pi(P_i)$ for each $i \in I$ and hence by Lemma 3.3 this is equivalent to $min(\pi, \sigma) \Rightarrow P_i$ for each $i \in I$. But then $min(\pi, \sigma) \Rightarrow \bigwedge_{i \in I} P_i$. Applying Lemma 3.3 in the other direction we obtain $\sigma \in \pi(\bigwedge_{i \in I} P_i)$. Therefore $\bigwedge_{i \in I} \pi(P_i) \Rightarrow \pi(\bigwedge_{i \in I} P_i)$. □

Notice that if $\Sigma$ is uncountable then $(4. \wedge 5.) \Rightarrow 8. \Leftrightarrow 7. \Rightarrow 6. \Rightarrow 3.$ and that in this case the first implication needs the axiom of choice [BK93]. Next we define the three domains of predicate transformers (with associated orders) which we will use in the rest of the paper.

Definition 3.5. We define $MPTran_B$ and $MPTran_D$ to be the set of multiplicative predicate transformers $MPTran$ ordered by

$$\pi_1 \sqsubseteq_{PB} \pi_2 \ \Leftrightarrow_{def}\ \forall Q \in Pred : \pi_1(Q) \Rightarrow \pi_2(Q),$$

$$\pi_1 \sqsubseteq_{PD} \pi_2 \ \Leftrightarrow_{def}\ \forall Q \in Pred : (\pi_1(Q) \Rightarrow \pi_2(Q)) \wedge (\pi_1(false) = \pi_2(false)).$$

Notice that for all statements $S_1, S_2 \in Stat$ we have $S_1 \sqsubseteq_B S_2$ if and only if $wp(S_1) \sqsubseteq_{PB} wp(S_2)$. Also, $S_1 \sqsubseteq_D S_2$ if and only if $wp(S_1) \sqsubseteq_{PD} wp(S_2)$. In order to deal with pairs of predicate transformers define the Nelson predicate transformers $NPTran$ to be the set of pairs of predicate transformers $(\pi_1, \pi_2)$ such that (i) $\pi_1, \pi_2 \in MPTran$, (ii) $\pi_2(true) = true$, and (iii) $\pi_1(Q) = \pi_1(true) \wedge \pi_2(Q)$ for all predicates $Q \in Pred$. For every $S \in Stat$ the pair $(wp(S), wlp(S))$ is a Nelson predicate transformer by Lemma 3.1. Notice also that the pairwise composition of two Nelson predicate transformers gives again a Nelson predicate transformer.
The Nelson predicate transformers $NPTran$ can be turned into the poset $NPTran_N$ using the following order:

$$(\pi_1, \pi_2) \sqsubseteq_{PN} (\pi_1', \pi_2') \ \Leftrightarrow_{def}\ \forall Q \in Pred : (\pi_1(Q) \Rightarrow \pi_1'(Q)) \wedge (\pi_2'(Q) \Rightarrow \pi_2(Q)).$$

As above we have $S_1 \sqsubseteq_N S_2$ if and only if $(wp(S_1), wlp(S_1)) \sqsubseteq_{PN} (wp(S_2), wlp(S_2))$ for all statements $S_1, S_2 \in Stat$.
4. Recursion

In this section we add recursion to the language. In the first subsection we show that under certain conditions fixed points of non-monotonic functions exist and that they can be obtained by iteration. In the second subsection, we extend the class of statements with procedure variables in order to support recursion. Then we apply the main results of the first subsection to give meaning to procedure variables via fixed points of non-monotone functions.
4.1. Order Theory

We first recall some of the standard notions in domain theory. A good reference for domain theory is [Plo81]. Let $P$ be a poset and $S$ be a non-empty subset of $P$. Then $S$ is said to be directed if every finite subset of $S$ has an upper bound. A poset $P$ is called directed complete (dcpo) if every directed subset $S \subseteq P$ has least upper bound $\bigsqcup S \in P$. It is pointed if there exists a least element $\bot$. All dcpo's we consider in this paper are pointed. A non-empty subset $A$ of a poset $P$ is called an antichain if for all $a, b \in A$ such that $a \sqsubseteq b$ or $b \sqsubseteq a$ then $a = b$; an antichain $A$ is an upper fringe of $P$ if $x \sqsubseteq a$ for all $x \in P \setminus A$ and for all $a \in A$. Dually, an antichain $A$ is a lower fringe of $P$ if $a \sqsubseteq x$ for all $x \in P \setminus A$ and for all $a \in A$. An upper (lower) fringe is the set of maximal (minimal) elements of $P$. For example, for any set $X$, the flat dcpo $X_\bot$ is the set $X \cup \{\bot\}$ ordered by $x \sqsubseteq y$ if and only if $x = \bot$ or $x = y$. Then all subsets $A$ of $X$, and $\{\bot\}$ are antichains, the set $X$ is the only upper fringe while $\{\bot\}$ is the only lower fringe. In general, for a poset $P$, if $A \subseteq P$ is an upper or lower fringe then it is unique. Also, if $P$ has a top element $\top$ then $\{\top\}$ is the upper fringe, and dually if $P$ has a bottom element $\bot$ then $\{\bot\}$ is the lower fringe.

Let $P, Q$ be two posets. A function $f : P \to Q$ is monotone if $x \sqsubseteq_P y$ implies $f(x) \sqsubseteq_Q f(y)$ for all $x, y \in P$. Moreover, $f$ is continuous if $f(\bigsqcup S) = \bigsqcup f(S)$ for each directed set $S \subseteq P$ with least upper bound $\bigsqcup S \in P$. The function $f$ is strict if $f(\bot) = \bot$. If $f$ is continuous then it is also monotone. If $f$ is onto and monotone then it is also strict. For a function $g : P \to P$, we denote by $\mu g \in P$ its least fixed point, that is, $g(\mu g) = \mu g$ and for every other $x \in P$ if $g(x) = x$ then $\mu g \sqsubseteq x$. For a function $f : P \to Q$ between two posets $P$ and $Q$ we denote by $f^{-1}(y)$ the poset that has elements $x \in f^{-1}(y) \subseteq P$ ordered as in $P$, that is, for each $x_1, x_2 \in f^{-1}(y)$, $x_1 \sqsubseteq x_2 \Leftrightarrow x_1 \sqsubseteq_P x_2$. The following lemma will be useful later.

Lemma 4.1. Let $P$ be a poset and $f : P \to P$ be a monotone function.

(i) If $P$ has finite upper fringe $A$ then there exist an $a \in A$ and a natural number $n > 0$ such that $f^n(a) \sqsubseteq a$.

(ii) If $P$ has finite lower fringe $A$ then there exist an $a \in A$ and a natural number $n > 0$ such that $a \sqsubseteq f^n(a)$.

(iii) If every antichain of $P$ is finite then there exist an $x \in P$ and a natural number $n > 0$ such that either $x \sqsubseteq f^n(x)$ or $f^n(x) \sqsubseteq x$.

Proof. We prove only the first item, the other two items are left to the reader. Let $A$ be the finite upper fringe of $P$ and assume it has cardinality $k$ with $k > 0$ because $A$ is non-empty. Take $a \in A$ and consider the set $S = \{f^n(a) \mid 0 < n \le k + 1\}$. If $S \cap (P \setminus A) \neq \emptyset$ then there exists a $f^n(a) \in S$ such that $f^n(a) \in P \setminus A$. But $A$ is the upper fringe of $P$ and hence $f^n(a) \sqsubseteq a$. Otherwise $S \cap (P \setminus A) = \emptyset$, that is, $S \subseteq A$, and hence the cardinality of $S$ is less than $k$. But this means that there exists $m < n \le k + 1$ such that $f^m(a) = f^n(a) \in A$, and hence $f^{n-m}(f^m(a)) \sqsubseteq f^m(a)$. □

Next we turn to the existence of fixed points for a function $f : P \to P$ where $P$ is a poset. For any ordinal $\alpha$ define $f^\alpha \in P$ by

$$f^\alpha = \bigsqcup_{\kappa < \alpha} f(f^\kappa).$$

So $g^{\langle\alpha\rangle}$ is a fixed point of $g$. In [AP86] this is enough to prove that $g^{\langle\alpha\rangle} = \mu g$ because $g$ is monotone. In our case, we still have to prove it. Let $y \in Q$ be another fixed point for $g$, that is, $g(y) = y$, and consider the partial order generated by $h^{-1}(y)$. There are three cases:

(i) $h^{-1}(y)$ has the finite upper fringe $A$. By Lemma 4.1 there exist $a \in A$ and a natural number $n > 0$ such that $f^n(a) \sqsubseteq a$. By transfinite induction we prove $f^\alpha \sqsubseteq a$ for each ordinal $\alpha$. Indeed, if $\alpha = 0$, then $f^\alpha = \bot \sqsubseteq a$. Assume now $\alpha > 0$. We have by the induction hypothesis that $f^\kappa \sqsubseteq a$ for all $\kappa < \alpha$ and hence $\forall \kappa < \alpha : f^\kappa \sqsubseteq a \Rightarrow \bigsqcup_{\kappa < \alpha}$

$= h(f^{\langle\alpha\rangle}) = h(f^\alpha)$ is the least fixed point of $g$.

(ii) $h^{-1}(y)$ has the finite lower fringe $A$. By Lemma 4.1 there exist an $a \in A$ and a natural number $n > 0$ such that $a \sqsubseteq f^n(a)$.
Define for each ordinal $\alpha$, $\tilde f^\alpha \in P$ by

$$\tilde f^\alpha = \begin{cases} a & \text{if } \alpha = 0 \\ f^n\big(\bigsqcup_{\kappa < \alpha} \tilde f^\kappa\big) & \text{otherwise.} \end{cases}$$

For $\alpha > 0$ we have by induction hypothesis that $\tilde f^\kappa \sqsubseteq \tilde f^\alpha$ for every $\kappa < \alpha$. But then we have $\forall \kappa < \alpha : \tilde f^\kappa \sqsubseteq \tilde f^\alpha \Rightarrow \bigsqcup_{\kappa < \alpha}$

$\sqsubseteq h(a) = y$; that is, $h(f^{\langle\alpha\rangle}) = h(f^\alpha)$ is the least fixed point of $g$.

Suppose now that $f^\alpha$ exists for some ordinal $\alpha$ and $h$ is also continuous. As in the first part of Theorem 4.3 we obtain $h(f^\alpha) = \mu g$. In the following we present a number of examples in which we show that the conditions of Theorem 4.3 cannot be weakened.
(i) Let $P$ be the flat dcpo $\{x\}_\bot$ and $Q$ be the flat dcpo $\{a, b\}_\bot$. Consider the following three functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:

$f(\bot) = x$, $f(x) = x$; $\quad g(\bot) = a$, $g(a) = a$, $g(b) = b$; $\quad h(\bot) = \bot$, $h(x) = a$.

The function $f$ is monotone and has least fixed point $x$. Also the function $h$ is monotone, strict, and for each $y \in Q$, $h^{-1}(y)$ has the upper fringe, the lower fringe and every antichain is finite. However it is non-onto and although $g$ (non-monotone) makes the diagram of the theorem commute, we have that $g$ has two incomparable fixed points, namely $a$ and $b$.

(ii) Let $P = \{x, y, \bot\}$ be the pointed dcpo with $\bot \sqsubseteq x \sqsubseteq y$ and let $Q$ be the flat dcpo $\{a, b\}_\bot$. Consider the following functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:

$f(\bot) = x$, $f(x) = x$, $f(y) = y$; $\quad g(\bot) = a$, $g(a) = a$, $g(b) = b$; $\quad h(\bot) = \bot$, $h(x) = a$, $h(y) = b$.

The function $f$ is monotone and has least fixed point $x$. The function $h$ is strict, onto, and for each $y \in Q$, $h^{-1}(y)$ has the finite upper fringe, the finite lower fringe and every antichain is finite. However $h$ is non-monotone (and hence non-continuous) because $x \sqsubseteq y$ but $h(x) = a \not\sqsubseteq b = h(y)$. Although $g$ (non-monotone) makes the diagram commute, we have that $g$ has two different and incomparable fixed points, namely $a$ and $b$.

(iii) Let $P = \{x_i \mid i \ge 0\} \cup \{x_\omega\}$ be the dcpo with the following order:

$$(\forall i \le j : x_i \sqsubseteq x_j) \wedge (\forall i \ge 0 : x_i \sqsubseteq x_\omega) \wedge x_\omega \sqsubseteq x_\omega.$$

Also, let $Q$ be the flat domain $\{a\}_\bot$ and consider the following functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:

$f(x_i) = x_{i+1}$, $f(x_\omega) = x_\omega$; $\quad g(\bot) = \bot$, $g(a) = a$; $\quad h(x_i) = \bot$, $h(x_\omega) = a$.

The function $f$ is monotone and has least fixed point $x_\omega$. The function $h$ is onto, monotone, and for each $y \in Q$, $h^{-1}(y)$ has the finite lower fringe and every antichain is finite. However $h$ is non-continuous because $x_\omega = \bigsqcup x_i$ but $h(x_\omega) = a \neq \bot = \bigsqcup h(x_i)$. Although $g$ makes the diagram commute and has least fixed point $\mu g = \bot$ we have that $\mu g = \bot \neq a = h(x_\omega) = h(\mu f)$. Note that there is no upper fringe according to Theorem 4.4.

(iv) Let $P = \{x_i \mid i \ge 0\} \cup \{x_\omega, x_{\omega+1}\} \cup \{y_i \mid i \ge 0\}$ be the dcpo where

$$(\forall i \le j : x_i \sqsubseteq y_j \wedge x_i \sqsubseteq x_j), \quad (\forall i \ge 0 : x_i \sqsubseteq x_\omega \wedge x_i \sqsubseteq x_{\omega+1} \wedge y_i \sqsubseteq y_i), \quad x_\omega \sqsubseteq x_\omega \wedge x_{\omega+1} \sqsubseteq x_{\omega+1} \wedge x_\omega \sqsubseteq x_{\omega+1},$$

and let $Q$ be the flat domain $\{a, b\}_\bot$. Consider the following three functions $f : P \to P$, $g : Q \to Q$ and $h : P \to Q$:
18
M. M. Bonsangue and J. N. Kok
f (xi ) = xi+1 g(?) = a h(xi ) = ? f (yi ) = yi+1 g(a) = a h(yi ) = b f (x! ) = x!+1 g(b) = b h(x! ) = ? f (x!+1 ) = x!+1 h(x!+1 ) = a: The function f is monotone and has least xed point x!+1 . The function h is onto, monotone and continuous but h?1 (?) has not the nite upper fringe, not the nite lower fringe and not all the antichains are nite. Although g (non-monotone) makes the diagram commute, it has two incomparable xed points, namely a and b. We have seen in Theorem 4.3 that the property of a monotone function f : P ! P of having a least xed point is transferred to a function g : Q ! Q, that in general need not to be monotone (and hence continuous), via an onto function h : P ! Q. It is not hard to see that the function g preserves the order between any y1 and y2 with y1 v y2 , if there exist x1 2 h?1 (y1 ) and x2 2 h?1 (y2 ) such that x1 v x2 . A similar result holds also for the transfer of the continuity property from f to g.
4.2. Procedure Variables and Recursion

Next we add recursion to the language. Let $(x \in)\,\mathit{PVar}$ be the set of procedure variables. We remove $\mathit{div}$ and add procedure variables to the class of statements $\mathit{Stat}$. This gives a new class of statements $\mathit{Stat}^+$:
$$S ::= v := t \mid b \to \mid x \mid S_1 ; S_2 \mid \Box_{i \in I} S_i \mid S_1 \Diamond S_2$$
where $I$ is a non-empty index set. A declaration $(d \in)\,\mathit{Decl} : \mathit{PVar} \to \mathit{Stat}^+$ assigns to each procedure variable a statement, possibly containing procedure variables. For example, Dijkstra's guarded command $\mathbf{do}\ b \to S\ \mathbf{od}$ is equivalent to a procedure variable $x$ with body $((b \to ; S) ; x) \Diamond (\mathit{true} \to)$.

For the semantics we introduce the set of environments $\mathit{Env} = \mathit{PVar} \to \mathit{MPTran}$, which gives a predicate transformer for each procedure variable. We use environments to give the extension of $\mathit{wp}$ and $\mathit{wlp}$ to the new class of statements.

Definition 4.5. (Extension of $\mathit{wp}$) Let $\mathit{wp} : \mathit{Stat}^+ \to (\mathit{Env} \to \mathit{MPTran})$, for $\eta \in \mathit{Env}$ and non-empty index set $I$, be defined by
$$\begin{aligned}
\mathit{wp}(v := t)(\eta)(Q) &= Q[t/v] \\
\mathit{wp}(b \to)(\eta)(Q) &= b \Rightarrow Q \\
\mathit{wp}(x)(\eta)(Q) &= \eta(x)(Q) \\
\mathit{wp}(S_1 ; S_2)(\eta)(Q) &= \mathit{wp}(S_1)(\eta)(\mathit{wp}(S_2)(\eta)(Q)) \\
\mathit{wp}(\Box_{i \in I} S_i)(\eta)(Q) &= \textstyle\bigwedge_{i \in I} \mathit{wp}(S_i)(\eta)(Q) \\
\mathit{wp}(S_1 \Diamond S_2)(\eta)(Q) &= \mathit{wp}(S_1)(\eta)(Q) \wedge (\mathit{wp}(S_1)(\eta)(\mathit{false}) \Rightarrow \mathit{wp}(S_2)(\eta)(Q)).
\end{aligned}$$
The weakest liberal precondition $\mathit{wlp} : \mathit{Stat}^+ \to (\mathit{Env}^\top \to \mathit{MPTran})$ is defined similarly, the only difference being
$$\mathit{wlp}(S_1 \Diamond S_2)(\eta)(Q) = \mathit{wlp}(S_1)(\eta)(Q) \wedge (\mathit{wp}(S_1)(\eta)(\mathit{false}) \Rightarrow \mathit{wlp}(S_2)(\eta)(Q)),$$
where $\mathit{Env}^\top \subseteq \mathit{Env}$ is the set of environments such that for every $x \in \mathit{PVar}$ the predicate transformer $\eta(x)$ is top preserving, that is, $\eta(x)(\mathit{true}) = \mathit{true}$.

The idea is to consider pairs of environments $(\eta_1, \eta_2) \in \mathit{Env} \times \mathit{Env}$ such that $(\eta_1(x), \eta_2(x)) \in \mathit{NPTran}$ for every $x \in \mathit{PVar}$. We associate to a declaration an environment by means of a fixed point construction. In order to do this we define the posets $\mathit{Env}_B$, $\mathit{Env}_D$ and $\mathit{Env}_N$ as the following function spaces (ordered pointwise):
$$\mathit{Env}_B = \mathit{PVar} \to \mathit{MPTran}_B, \qquad \mathit{Env}_D = \mathit{PVar} \to \mathit{MPTran}_D, \qquad \mathit{Env}_N = \mathit{PVar} \to \mathit{NPTran}_N.$$
Define now for every declaration $d \in \mathit{Decl}$ and $x \in \mathit{PVar}$ the higher order functions $\Phi_B : \mathit{Decl} \to (\mathit{Env}_B \to \mathit{Env}_B)$, $\Phi_D : \mathit{Decl} \to (\mathit{Env}_D \to \mathit{Env}_D)$ and $\Phi_N : \mathit{Decl} \to (\mathit{Env}_N \to \mathit{Env}_N)$ by
$$\begin{aligned}
\Phi_B(d)(\eta)(x) &= \mathit{wp}(d(x))(\eta) && \text{for } \eta \in \mathit{Env}_B, \\
\Phi_D(d)(\eta)(x) &= \mathit{wp}(d(x))(\eta) && \text{for } \eta \in \mathit{Env}_D, \\
\Phi_N(d)(\eta_1, \eta_2)(x) &= (\mathit{wp}(d(x))(\eta_1), \mathit{wlp}(d(x))(\eta_2)) && \text{for } (\eta_1, \eta_2) \in \mathit{Env}_N.
\end{aligned}$$
Using the examples preceding Theorem 3.2, we see that for a fixed declaration $d$ the functions $\Phi_B(d)$ and $\Phi_D(d)$ are not always monotone, while the function $\Phi_N(d)$ is monotone. The poset $\mathit{Env}_N$ is pointed and directed complete since $\mathit{NPTran}_N$ is pointed and directed complete, the latter being a consequence of Theorem 5.7. For every environment $(\eta_1, \eta_2) \in \mathit{Env}_N$ the projection on its first component defines two functions $h_{NB} : \mathit{Env}_N \to \mathit{Env}_B$ and $h_{ND} : \mathit{Env}_N \to \mathit{Env}_D$. They are continuous, onto, and have a finite upper fringe for every environment $\eta \in \mathit{Env}_B$ or $\eta \in \mathit{Env}_D$. Moreover, for a fixed declaration $d$ we have that
$$h_{NB} \circ \Phi_N(d) = \Phi_B(d) \circ h_{NB} \qquad \text{and also} \qquad h_{ND} \circ \Phi_N(d) = \Phi_D(d) \circ h_{ND}.$$
Hence by Theorem 4.3 the functions $\Phi_B(d)$, $\Phi_D(d)$ and $\Phi_N(d)$ have least fixed points, which can be obtained by iteration from the bottom elements. This yields three weakest (liberal) precondition semantics.

Definition 4.6. Let $S \in \mathit{Stat}^+$ and $d \in \mathit{Decl}$. We define the weakest precondition semantics $\mathit{Wp}_B : \mathit{Stat}^+ \to (\mathit{Decl} \to \mathit{MPTran})$, $\mathit{Wp}_D : \mathit{Stat}^+ \to (\mathit{Decl} \to \mathit{MPTran})$ and $\mathit{Wp}_N : \mathit{Stat}^+ \to (\mathit{Decl} \to \mathit{NPTran})$ by
$$\begin{aligned}
\mathit{Wp}_B(S)(d) &= \mathit{wp}(S)(\mu\Phi_B(d)), \\
\mathit{Wp}_D(S)(d) &= \mathit{wp}(S)(\mu\Phi_D(d)), \\
\mathit{Wp}_N(S)(d) &= (\mathit{wp}(S)(\eta_1), \mathit{wlp}(S)(\eta_2)), \quad \text{where } \mu\Phi_N(d) = (\eta_1, \eta_2).
\end{aligned}$$
Notice that for every procedure variable $x \in \mathit{PVar}$ we have
$$\begin{aligned}
\mathit{Wp}_B(x)(d) &= \mathit{wp}(x)(\mu\Phi_B(d)) && \text{Definition 4.5} \\
&= \mu\Phi_B(d)(x) \\
&= \Phi_B(d)(\mu\Phi_B(d))(x) && \text{fixed point property} \\
&= \mathit{wp}(d(x))(\mu\Phi_B(d)) && \text{definition of } \Phi_B(d) \\
&= \mathit{Wp}_B(d(x))(d) && \text{Definition 4.6.}
\end{aligned}$$
Similarly we have $\mathit{Wp}_D(x)(d) = \mathit{Wp}_D(d(x))(d)$ and $\mathit{Wp}_N(x)(d) = \mathit{Wp}_N(d(x))(d)$.
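As an added example (not code from the paper), the following Python models Definition 4.5 and the fixed point construction above on a finite state space: one integer variable $n$ ranging over $0..4$, predicates as sets of states, and the loop $\mathbf{do}\ n > 0 \to n := n-1\ \mathbf{od}$ declared with the backtrack operator exactly as in the text. The tuple encoding of statements is an assumption of the example, as is the choice to evaluate the $\mathit{wp}(S_1)(\mathit{false})$ test of the $\mathit{wlp}$ clause for $S_1 \Diamond S_2$ in the $\mathit{wp}$-component $\eta_1$ of the Nelson pair; the least fixed points of $\Phi_B(d)$ and $\Phi_N(d)$ are obtained by iteration from the bottom environments, as Section 4 justifies.

```python
# Added example, not code from the paper: Definition 4.5 and the fixed-point
# construction of Section 4.2 on a finite state space.  Assumptions: states
# are the values 0..N of one integer variable n, predicates are frozensets of
# states, and in the wlp clause for S1 <> S2 the test wp(S1)(false) is taken
# in the wp-environment of the Nelson pair (eta1, eta2).
from functools import partial
from itertools import combinations

N = 4
STATES = frozenset(range(N + 1))                    # Sigma (constructed)
TRUE, FALSE = STATES, frozenset()
PREDS = [frozenset(c) for r in range(N + 2)
         for c in combinations(sorted(STATES), r)]   # every predicate over Sigma

# Statements of Stat+ as tuples (assumed encoding): ('assign', t) for n := t,
# ('guard', b) for b ->, ('var', x), ('seq', S1, S2), ('choice', [S1, ...])
# for demonic choice, and ('bt', S1, S2) for the backtrack S1 <> S2.

def wp(S, env, Q, wlp_env=None):
    """wp(S)(env)(Q) of Definition 4.5.  With wlp_env given the same clauses
    compute wlp(S)(wlp_env)(Q); env is then used only for the wp(S1)(false)
    test of the backtrack clause."""
    e = env if wlp_env is None else wlp_env
    kind = S[0]
    if kind == 'assign':
        return frozenset(s for s in STATES if S[1](s) in Q)           # Q[t/n]
    if kind == 'guard':
        return frozenset(s for s in STATES if not S[1](s) or s in Q)  # b => Q
    if kind == 'var':
        return e[S[1]](Q)
    if kind == 'seq':
        return wp(S[1], env, wp(S[2], env, Q, wlp_env), wlp_env)
    if kind == 'choice':
        result = TRUE
        for Si in S[1]:
            result &= wp(Si, env, Q, wlp_env)
        return result
    if kind == 'bt':
        first = wp(S[1], env, Q, wlp_env)
        deadlock = wp(S[1], env, FALSE)      # wp(S1)(false): S1 has no outcome
        second = wp(S[2], env, Q, wlp_env)
        return first & ((STATES - deadlock) | second)
    raise ValueError(kind)

def wlp(S, env_wp, env_wlp, Q):
    return wp(S, env_wp, Q, env_wlp)

def const_env(decl, value):
    """Environment mapping every procedure variable to lambda Q. value."""
    return {x: (lambda Q, v=value: v) for x in decl}

def phi_B(decl, env):
    """Phi_B(d)(env)(x) = wp(d(x))(env); not monotone in general."""
    return {x: partial(wp, body, env) for x, body in decl.items()}

def phi_N(decl, pair):
    """Phi_N(d)(eta1, eta2)(x) = (wp(d(x))(eta1), wlp(d(x))(eta2))."""
    e1, e2 = pair
    return ({x: partial(wp, body, e1) for x, body in decl.items()},
            {x: partial(wlp, body, e1, e2) for x, body in decl.items()})

def same(e1, e2):
    """Environments agree when they agree on every predicate (finite space)."""
    return all(e1[x](Q) == e2[x](Q) for x in e1 for Q in PREDS)

def lfp(step, bottom, equal, limit=100):
    """Iterate step from the least element until stable (Section 4)."""
    cur = bottom
    for _ in range(limit):
        nxt = step(cur)
        if equal(cur, nxt):
            return cur
        cur = nxt
    raise RuntimeError('no fixed point within limit')

def Wp_B(S, decl):
    """Wp_B(S)(d) = wp(S)(mu Phi_B(d)) of Definition 4.6."""
    env = lfp(partial(phi_B, decl), const_env(decl, FALSE), same)
    return lambda Q: wp(S, env, Q)

def Wp_N(S, decl):
    """Wp_N(S)(d) = (wp(S)(eta1), wlp(S)(eta2)), (eta1, eta2) = mu Phi_N(d)."""
    bottom = (const_env(decl, FALSE), const_env(decl, TRUE))   # Nelson bottom
    e1, e2 = lfp(partial(phi_N, decl), bottom,
                 lambda p, q: same(p[0], q[0]) and same(p[1], q[1]))
    return lambda Q: (wp(S, e1, Q), wlp(S, e1, e2, Q))

POSITIVE, DECREMENT = ('guard', lambda s: s > 0), ('assign', lambda s: s - 1)
SKIP, STAY = ('guard', lambda s: True), ('assign', lambda s: s)
LOOP, MAYBE, DIV = ('var', 'loop'), ('var', 'maybe'), ('var', 'div')
DECL = {  # constructed declaration d
    # do n > 0 -> n := n - 1 od, i.e. ((n > 0 ->; n := n - 1); loop) <> (true ->)
    'loop': ('bt', ('seq', ('seq', POSITIVE, DECREMENT), LOOP), SKIP),
    # the same loop whose body may demonically leave n unchanged (may diverge)
    'maybe': ('bt', ('seq', ('seq', POSITIVE, ('choice', [DECREMENT, STAY])), MAYBE), SKIP),
    'div': DIV,   # a procedure that only calls itself: divergence
}
```

`Wp_B(LOOP, DECL)(frozenset({0}))` returns every state, while `Wp_N(MAYBE, DECL)(frozenset({0}))` returns `({0}, STATES)`: the demonic loop is guaranteed to terminate only from $n = 0$, but whenever it terminates it ends with $n = 0$.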
Fig. 2. Relationships between the domains. [Figure: the three rows show $\Sigma \to E(\Sigma_\bot) = \mathit{ETran} \cong \mathit{NPTran}_N$, $\Sigma \to \overline{S}(\Sigma_\bot) = \overline{\mathit{STran}} \cong \mathit{MPTran}_D$ and $\Sigma \to S(\Sigma_\bot) = \mathit{STran} \cong \mathit{MPTran}_B$, connected by vertical arrows between the rows.]
5. Duality

In this section we relate the predicate transformers with functions to power domains. We generalize the relationship between the Smyth power domain and the predicate transformers [Wan77, Plo79, Bac81, Bes83, AP86, Smy83] to the new versions of the Smyth power domain. Moreover, we introduce a relationship between the Egli-Milner power domain and pairs of predicate transformers (see also [Nel89]). For further reference, the diagram in Figure 2 summarizes the relationships. All the arrows in this diagram are monotone functions. The stability Lemma 3.3 plays a central role in the proof of the isomorphisms between predicate and state transformers because it defines in a unique way, for every state $\sigma \in \Sigma$ and every predicate transformer $\pi$, a minimal set $\min(\pi, \sigma)$ (representing the outputs of computations). Before going into a more detailed discussion, we first define the three discrete power domains.

Definition 5.1. Let $X_\bot$ be a flat domain. The Smyth power domain of $X_\bot$ (with empty set) is defined as the set $S(X_\bot) = \{A \mid A \subseteq X\} \cup \{X_\bot\}$ ordered by the superset order, that is, $A \sqsubseteq B \Leftrightarrow A \supseteq B$.

This definition differs from the original definition of the Smyth power domain [Smy78] because we add the empty set as a top element and there is no restriction on the cardinality of the subsets of $X$. The Smyth power domain $S(X_\bot)$ has least element $X_\bot$, and if $\mathcal{S} \subseteq S(X_\bot)$ is a directed set then $\bigcap \mathcal{S}$ is its least upper bound. The Smyth power domain $S(X_\bot)$ is also closed under arbitrary union and intersection. A meaning of a statement is a function from $\Sigma$ to $S(\Sigma_\bot)$. We denote the collection of these functions (ordered pointwise) by $\mathit{STran}$. Elements of $S(\Sigma_\bot)$ denote results of computations. Computations that are possibly non-terminating are mapped to the least element $\Sigma_\bot$, which we also write as $\bot$, and the empty set is interpreted as a deadlock situation.
To relate $\mathit{STran}$ and $\mathit{MPTran}_B$, we define the function $\omega : \mathit{STran} \to \mathit{MPTran}_B$ by
$$\omega(m)(Q) = \{\sigma \in \Sigma \mid m(\sigma) \subseteq Q\}.$$
Notice that if $m(\sigma) = \bot$ then $\sigma \notin \omega(m)(Q)$ for all predicates $Q$. Its inverse $\omega^{-1}$ is given by
$$\omega^{-1}(\pi)(\sigma) = \begin{cases} \min(\pi, \sigma) & \text{if } \pi(\mathit{true})(\sigma) = \mathit{tt} \\ \bot & \text{otherwise.} \end{cases}$$

Theorem 5.2. The function $\omega : \mathit{STran} \to \mathit{MPTran}_B$ is an order isomorphism with inverse $\omega^{-1}$.

Proof. That both $\omega$ and $\omega^{-1}$ are well-defined is easily verified. We prove only that they form an order isomorphism. Indeed, the function $\omega$ is monotone. Let $m \sqsubseteq m'$ for $m, m' \in \mathit{STran}$ and assume $\sigma \in \omega(m)(P)$. Then $m'(\sigma) \subseteq m(\sigma) \subseteq P$ and hence $\sigma \in \omega(m')(P)$. Also $\omega^{-1}$ is monotone. Let $\pi \sqsubseteq_B \pi'$ for $\pi, \pi' \in \mathit{MPTran}_B$ and take $\sigma \in \Sigma$. If $\omega^{-1}(\pi)(\sigma) = \bot$ then clearly $\omega^{-1}(\pi)(\sigma) \sqsubseteq \omega^{-1}(\pi')(\sigma)$. Otherwise $\sigma \in \pi'(\mathit{true})$ because $\pi(\mathit{true}) \Rightarrow \pi'(\mathit{true})$. Thus $\omega^{-1}(\pi)(\sigma) = \min(\pi, \sigma)$ and $\omega^{-1}(\pi')(\sigma) = \min(\pi', \sigma)$. Since $\pi(\min(\pi,\sigma)) \Rightarrow \pi'(\min(\pi,\sigma))$ and $\sigma \in \pi(\min(\pi,\sigma))$ we have also $\sigma \in \pi'(\min(\pi,\sigma))$. Applying Lemma 3.3 to $\pi'$ we obtain $\min(\pi',\sigma) \Rightarrow \min(\pi,\sigma)$, that is, $\omega^{-1}(\pi)(\sigma) \sqsubseteq \omega^{-1}(\pi')(\sigma)$.

It remains to prove that $\omega$ and $\omega^{-1}$ form an isomorphism. Let $\pi \in \mathit{MPTran}$ and $P$ be a predicate; we have
$$\begin{aligned}
\omega(\omega^{-1}(\pi))(P) &= \{\sigma \in \Sigma \mid \omega^{-1}(\pi)(\sigma) \subseteq P\} \\
&= \{\sigma \in \Sigma \mid \sigma \in \pi(\mathit{true}) \wedge \min(\pi,\sigma) \subseteq P\} \\
&= \{\sigma \in \Sigma \mid \sigma \in \pi(\mathit{true}) \wedge \sigma \in \pi(P)\} && \text{Lemma 3.3} \\
&= \{\sigma \in \Sigma \mid \sigma \in \pi(P)\} && P \Rightarrow \mathit{true} \\
&= \pi(P).
\end{aligned}$$
Conversely, let $m \in \mathit{STran}$ and $\sigma \in \Sigma$. If $m(\sigma) = \bot$ then $\sigma \notin \omega(m)(\mathit{true})$. Hence $\omega^{-1}(\omega(m))(\sigma) = \bot = m(\sigma)$. Otherwise $\omega^{-1}(\omega(m))(\sigma) = \min(\omega(m), \sigma)$. Since $\sigma \in \omega(m)(P)$ if and only if $m(\sigma) \subseteq P$ for every predicate $P$, we have $\sigma \in \omega(m)(m(\sigma))$. But then by Lemma 3.3 we have $\min(\omega(m), \sigma) = m(\sigma)$. Therefore $\omega^{-1}(\omega(m))(\sigma) = m(\sigma)$.

Next we turn to a state transformer model for $\mathit{MPTran}_D$.

Definition 5.3. Let $X_\bot$ be a flat dcpo. Define $\overline{S}(X_\bot)$ to be the set $\{A \mid A \subseteq X\} \cup \{X_\bot\}$ ordered as follows:
$$A \sqsubseteq B \Leftrightarrow A = X_\bot \vee (A = \emptyset \wedge B = \emptyset) \vee (B \neq \emptyset \wedge A \supseteq B).$$

In general $\overline{S}(X_\bot)$ is not a dcpo. For example, let $\mathbb{N}$ be the set of natural numbers and consider in $\overline{S}(\mathbb{N}_\bot)$ the following directed set, which has no upper bound: $\mathbb{N} \sqsubseteq \mathbb{N} \setminus \{0\} \sqsubseteq \mathbb{N} \setminus \{0, 1\} \sqsubseteq \ldots$ (this example is taken from [AP86]). We denote by $\overline{\mathit{STran}}$ the state transformers $\Sigma \to \overline{S}(\Sigma_\bot)$, ordered pointwise.

The identity function from $\overline{\mathit{STran}}$ to $\mathit{STran}$ is trivially onto, continuous, and its inverse image has a finite upper fringe, a finite lower fringe and finite antichains for every $A \in S(\Sigma_\bot)$. Note that its inverse is not even monotone.
Theorem 5.4. The function $\omega : \overline{\mathit{STran}} \to \mathit{MPTran}_D$ is an order isomorphism with inverse $\omega^{-1}$.

Proof. Since the underlying set of $\overline{\mathit{STran}}$ is equal to the set $\mathit{STran}$ and also the underlying set of $\mathit{MPTran}_D$ is equal to that of $\mathit{MPTran}_B$, we have by Theorem 5.2 that $\omega$ and $\omega^{-1}$ are well-defined and form an isomorphism. We need to prove that they preserve the orders. The function $\omega$ is monotone. Let $m \sqsubseteq m'$ for $m, m' \in \overline{\mathit{STran}}$. By definition $\sigma \in \omega(m)(\mathit{false})$ if and only if $m(\sigma) = \emptyset = m'(\sigma)$ if and only if $\sigma \in \omega(m')(\mathit{false})$. More generally, for a predicate $P$, $\sigma \in \omega(m)(P)$ implies $m(\sigma) \subseteq P$. But $m'(\sigma) \subseteq m(\sigma)$, hence $\sigma \in \omega(m')(P)$. Also $\omega^{-1}$ is monotone. Let $\pi \sqsubseteq_D \pi'$ for $\pi, \pi' \in \mathit{MPTran}_D$ and take $\sigma \in \Sigma$. If $\omega^{-1}(\pi)(\sigma) = \bot$ then clearly $\omega^{-1}(\pi)(\sigma) \sqsubseteq \omega^{-1}(\pi')(\sigma)$. Otherwise $\sigma \in \pi'(\mathit{true})$ because $\pi(\mathit{true}) \Rightarrow \pi'(\mathit{true})$. Thus $\omega^{-1}(\pi)(\sigma) = \min(\pi, \sigma)$ and also $\omega^{-1}(\pi')(\sigma) = \min(\pi', \sigma)$. Since $\pi(\min(\pi,\sigma)) \Rightarrow \pi'(\min(\pi,\sigma))$ and $\sigma \in \pi(\min(\pi,\sigma))$ we have $\sigma \in \pi'(\min(\pi,\sigma))$. Applying Lemma 3.3 to $\pi'$ we obtain $\min(\pi',\sigma) \Rightarrow \min(\pi,\sigma)$, that is, $\omega^{-1}(\pi)(\sigma) \sqsubseteq \omega^{-1}(\pi')(\sigma)$. Suppose now $\omega^{-1}(\pi')(\sigma) = \emptyset$. Then $\min(\pi',\sigma) = \emptyset$, and hence by Lemma 3.3 $\sigma \in \pi'(\mathit{false})$. But $\pi(\mathit{false}) = \pi'(\mathit{false})$, and hence by Lemma 3.3 $\min(\pi,\sigma) = \emptyset$, that is, also $\omega^{-1}(\pi)(\sigma) = \emptyset$.

The third state transformer model is based on the Egli-Milner power domain.

Definition 5.5. For a flat domain $X_\bot$ we denote by $E(X_\bot)$ the poset whose elements are the subsets of $X_\bot$, ordered as follows:
$$A \sqsubseteq B \Leftrightarrow (\bot \notin A \wedge A = B) \vee (\bot \in A \wedge (A \setminus \{\bot\}) \subseteq B).$$

Note that this differs from the usual definition of the Egli-Milner power domain [Plo81] because we add the empty set and we have no restriction on the cardinality of the subsets of $X_\bot$. The poset $E(X_\bot)$ is pointed and directed complete. Indeed $\{\bot\}$ is the least element, and if $\mathcal{S} \subseteq E(X_\bot)$ is a directed set then
$$\bigsqcup \mathcal{S} = \bigcup_{A \in \mathcal{S}} (A \setminus \{\bot\}) \cup \{\bot \mid \forall A \in \mathcal{S} : \bot \in A\}.$$
The monotone function $e_X : E(X_\bot) \to \overline{S}(X_\bot)$ relates the Egli-Milner power domain with the Smyth power domain with deadlock. It is defined by
$$e_X(A) = \begin{cases} A & \text{if } \bot \notin A \\ X_\bot & \text{otherwise.} \end{cases}$$

Lemma 5.6. The function $e_X : E(X_\bot) \to \overline{S}(X_\bot)$ is onto, continuous, and for each $B \in \overline{S}(X_\bot)$ there is a finite upper fringe and a finite lower fringe in $e_X^{-1}(B)$.

Proof. We only consider the lower and upper fringe (the other parts of the lemma are standard). The finite upper fringe of $e_X^{-1}(B)$ is $B$ itself; the finite lower fringe is $\{\bot\}$ if $B = X_\bot$ and $B$ otherwise.

We denote by $\mathit{ETran}$ the state transformers $\Sigma \to E(\Sigma_\bot)$ ordered pointwise. Non-terminating computations are represented by the element $\bot$. Again the empty set is interpreted as a deadlock. Define the function $\chi : \mathit{ETran} \to \mathit{NPTran}_N$ by
$$\chi(m)(P, Q) = \big(\{\sigma \in \Sigma \mid m(\sigma) \subseteq P\},\ \{\sigma \in \Sigma \mid (m(\sigma) \setminus \{\bot\}) \subseteq Q\}\big).$$
The function $\chi$ has inverse $\chi^{-1}$:
$$\chi^{-1}(\pi_1, \pi_2)(\sigma) = \begin{cases} \min(\pi_2, \sigma) & \text{if } \pi_1(\mathit{true})(\sigma) = \mathit{tt} \\ \min(\pi_2, \sigma) \cup \{\bot\} & \text{otherwise.} \end{cases}$$
Theorem 5.7. The function $\chi : \mathit{ETran} \to \mathit{NPTran}_N$ is an order isomorphism with inverse $\chi^{-1}$.

Proof. Let us denote by $\chi_1(m)$ and $\chi_2(m)$ the first and the second component of $\chi(m)$ for every $m \in \mathit{ETran}$. It is easy to see that both $\chi_1(m)$ and $\chi_2(m)$ are multiplicative predicate transformers. Moreover
$$\chi_2(m)(\mathit{true}) = \{\sigma \in \Sigma \mid (m(\sigma) \setminus \{\bot\}) \subseteq \mathit{true}\} = \mathit{true}.$$
Hence, in order to prove the well-definedness of $\chi$ it remains to show that $\chi_1(m)(Q) = (\chi_1(m)(\mathit{true}) \wedge \chi_2(m)(Q))$ for all predicates $Q$. If $\sigma \in \chi_1(m)(Q)$ then $m(\sigma) \subseteq Q$. Hence also $(m(\sigma) \setminus \{\bot\}) \subseteq Q$, that is, $\sigma \in \chi_2(m)(Q)$. Since $\chi_1(m)(Q) \Rightarrow \chi_1(m)(\mathit{true})$ we have $\chi_1(m)(Q) \Rightarrow (\chi_1(m)(\mathit{true}) \wedge \chi_2(m)(Q))$. Conversely, if $\sigma \in \chi_2(m)(Q)$ and $\sigma \in \chi_1(m)(\mathit{true})$ then $(m(\sigma) \setminus \{\bot\}) \subseteq Q$ and $\bot \notin m(\sigma)$. Hence also $m(\sigma) \subseteq Q$, that is, $\sigma \in \chi_1(m)(Q)$. Clearly, the function $\chi^{-1} : \mathit{NPTran}_N \to \mathit{ETran}$ is well-defined.

Next we turn to the monotonicity of $\chi$. Let $m, m' \in \mathit{ETran}$ be such that $m \sqsubseteq m'$, and let $P$ be a predicate. If $\sigma \in \chi_1(m)(P)$ then $m(\sigma) \subseteq P$ and $\bot \notin m(\sigma)$. Because $m \sqsubseteq m'$ we then have $m(\sigma) = m'(\sigma)$. Hence $\sigma \in \chi_1(m')(P)$, that is, $\chi_1(m)(P) \Rightarrow \chi_1(m')(P)$. Moreover, if $\sigma \in \chi_2(m')(P)$ then $(m'(\sigma) \setminus \{\bot\}) \subseteq P$. There are two cases depending on the presence of $\bot$ in $m(\sigma)$. If $\bot \notin m(\sigma)$ then $m(\sigma) = m'(\sigma)$ and hence also $\sigma \in \chi_2(m)(P)$. Otherwise, $\bot \in m(\sigma)$ implies $(m(\sigma) \setminus \{\bot\}) \subseteq m'(\sigma)$. Hence $(m(\sigma) \setminus \{\bot\}) \subseteq (m'(\sigma) \setminus \{\bot\}) \subseteq P$, that is, $\sigma \in \chi_2(m)(P)$. Therefore in both cases $\chi_2(m')(P) \Rightarrow \chi_2(m)(P)$.

The function $\chi^{-1}$ is also monotone. Let $\pi, \pi' \in \mathit{NPTran}_N$ be such that $\pi \sqsubseteq_N \pi'$, and let $\sigma \in \Sigma$. Suppose $\bot \notin \chi^{-1}(\pi)(\sigma)$, that is, $\sigma \in \pi_1(\mathit{true})$ by definition of $\chi^{-1}$. Since $\pi \sqsubseteq_N \pi'$ we have that $\sigma \in \pi'_1(\mathit{true})$ too. Thus $\chi^{-1}(\pi)(\sigma) = \min(\pi_2, \sigma)$ and also $\chi^{-1}(\pi')(\sigma) = \min(\pi'_2, \sigma)$. Since $\pi$ is a Nelson predicate transformer we have
$$\pi_1(\min(\pi_2, \sigma)) = \pi_1(\mathit{true}) \wedge \pi_2(\min(\pi_2, \sigma)).$$
Therefore $\sigma \in \pi_1(\min(\pi_2, \sigma))$. But then $\sigma \in \pi'_1(\min(\pi_2, \sigma))$ because $\pi \sqsubseteq_N \pi'$. Since $\pi'$ is also a Nelson predicate transformer we have that $\sigma \in \pi'_2(\min(\pi_2, \sigma))$. Hence by Lemma 3.3 applied to $\pi'_2$ we obtain $\min(\pi'_2, \sigma) \Rightarrow \min(\pi_2, \sigma)$. We need to prove also the converse. Since $\pi \sqsubseteq_N \pi'$ we have that $\pi'_2(\min(\pi'_2, \sigma)) \Rightarrow \pi_2(\min(\pi'_2, \sigma))$. But then $\sigma \in \pi'_2(\min(\pi'_2, \sigma))$ implies $\sigma \in \pi_2(\min(\pi'_2, \sigma))$ and hence by Lemma 3.3 applied to $\pi_2$ we obtain $\min(\pi_2, \sigma) \Rightarrow \min(\pi'_2, \sigma)$. Therefore, if $\bot \notin \chi^{-1}(\pi)(\sigma)$ then $\chi^{-1}(\pi)(\sigma) = \chi^{-1}(\pi')(\sigma)$. Assume now $\bot \in \chi^{-1}(\pi)(\sigma)$. Since $\sigma \in \pi'_2(\min(\pi'_2, \sigma))$ and $\pi \sqsubseteq_N \pi'$ we have that $\sigma \in \pi_2(\min(\pi'_2, \sigma))$. Hence by Lemma 3.3 applied to $\pi_2$ we obtain $\min(\pi_2, \sigma) \Rightarrow \min(\pi'_2, \sigma)$. Therefore we have
$$(\chi^{-1}(\pi)(\sigma) \setminus \{\bot\}) = \min(\pi_2, \sigma) \subseteq \min(\pi'_2, \sigma) \subseteq \chi^{-1}(\pi')(\sigma).$$
This concludes the proof that $\chi^{-1}$ is monotone.

It remains now to prove that $\chi$ and $\chi^{-1}$ form an isomorphism. Let $m \in \mathit{ETran}$ and $\sigma \in \Sigma$. We prove $\chi^{-1} \circ \chi = \mathit{id}_{\mathit{ETran}}$. If $\bot \in m(\sigma)$ then $\sigma \notin \chi_1(m)(\mathit{true})$. Hence $\chi^{-1}(\chi(m))(\sigma) = \min(\chi_2(m), \sigma) \cup \{\bot\}$. Since $\sigma \in \chi_2(m)(m(\sigma) \setminus \{\bot\})$ we obtain, by Lemma 3.3, that $\min(\chi_2(m), \sigma) \subseteq (m(\sigma) \setminus \{\bot\})$. But by definition of $\chi_2(m)$ also the converse holds, hence $\min(\chi_2(m), \sigma) = m(\sigma) \setminus \{\bot\}$, that is, $\chi^{-1}(\chi(m))(\sigma) = m(\sigma)$. If $\bot \notin m(\sigma)$ then $\sigma \in \chi_1(m)(\mathit{true})$. Thus $\chi^{-1}(\chi(m))(\sigma) = \min(\chi_2(m), \sigma)$. But since $\bot \notin m(\sigma)$ we have by Lemma 3.3 $\min(\chi_2(m), \sigma) = m(\sigma)$. Therefore $\chi^{-1}(\chi(m))(\sigma) = m(\sigma)$.
Finally we prove $\chi \circ \chi^{-1} = \mathit{id}_{\mathit{NPTran}}$. Let $\pi \in \mathit{NPTran}_N$ and let $P$ be a predicate. We have
$$\begin{aligned}
\sigma \in \chi_1(\chi^{-1}(\pi))(P) &\Leftrightarrow \chi^{-1}(\pi)(\sigma) \subseteq P \\
&\Leftrightarrow \sigma \in \pi_1(\mathit{true}) \wedge \min(\pi_2, \sigma) \subseteq P \\
&\Leftrightarrow \sigma \in \pi_1(\mathit{true}) \wedge \sigma \in \pi_2(P) && \text{Lemma 3.3} \\
&\Leftrightarrow \sigma \in \pi_1(P) && \pi \in \mathit{NPTran}.
\end{aligned}$$
Also, we have
$$\begin{aligned}
\sigma \in \chi_2(\chi^{-1}(\pi))(P) &\Leftrightarrow (\chi^{-1}(\pi)(\sigma) \setminus \{\bot\}) \subseteq P \\
&\Leftrightarrow (\sigma \in \pi_1(\mathit{true}) \wedge (\min(\pi_2, \sigma) \setminus \{\bot\}) \subseteq P) \vee (\sigma \notin \pi_1(\mathit{true}) \wedge ((\min(\pi_2, \sigma) \cup \{\bot\}) \setminus \{\bot\}) \subseteq P) \\
&\Leftrightarrow_1 \min(\pi_2, \sigma) \subseteq P \\
&\Leftrightarrow_2 \sigma \in \pi_2(P),
\end{aligned}$$
where $\Leftrightarrow_1$ holds because $\bot \notin \min(\pi_2, \sigma)$, while $\Leftrightarrow_2$ holds due to Lemma 3.3.
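As an added example (not code from the paper), the following Python realizes $\omega$ and $\omega^{-1}$ (Theorem 5.2), $e_X$ (Lemma 5.6) and $\chi$ and $\chi^{-1}$ (Theorem 5.7) on a four-state space, computing $\min(\pi, \sigma)$ as Lemma 3.3 characterizes it, by intersecting all postconditions $Q$ with $\sigma \in \pi(Q)$, and checks the round trips, the Nelson property of $\chi(m)$ and the agreement of $\omega \circ (e_X \circ m)$ with the first component of $\chi(m)$ on a constructed state transformer with a normal, a deadlocking, a diverging and a mixed outcome. The integer states, the `BOT` marker and the dict representation of state transformers are assumptions of the example.

```python
# Added example, not code from the paper: the dualities of Theorems 5.2 and
# 5.7 on a finite state space, with min(pi, sigma) computed as in Lemma 3.3
# (for a multiplicative pi, the intersection of all Q with sigma in pi(Q)).
# Assumed encoding: states are the integers 0..3, BOT marks non-termination,
# a state transformer is a dict from states to outcome sets, and the least
# element Sigma_bot of S(Sigma_bot) is the set STATES | {BOT}.
from itertools import combinations

STATES = frozenset(range(4))                  # Sigma (constructed)
BOT = 'bot'
SIGMA_BOT = STATES | {BOT}
TRUE = STATES
PREDS = [frozenset(c) for r in range(len(STATES) + 1)
         for c in combinations(sorted(STATES), r)]

def min_set(pi, sigma):
    """min(pi, sigma) of Lemma 3.3: the least Q with sigma in pi(Q)."""
    result = STATES
    for Q in PREDS:
        if sigma in pi(Q):
            result &= Q
    return result

def omega(m):
    """omega(m)(Q) = {sigma | m(sigma) subseteq Q}; Sigma_bot never qualifies."""
    return lambda Q: frozenset(s for s in STATES if m[s] <= Q)

def omega_inv(pi):
    """omega^{-1}(pi)(sigma) = min(pi, sigma) if sigma in pi(true), else bottom."""
    return {s: (min_set(pi, s) if s in pi(TRUE) else SIGMA_BOT) for s in STATES}

def chi(m):
    """chi(m) = (total-correctness component, partial-correctness component)."""
    return (lambda P: frozenset(s for s in STATES if m[s] <= P),
            lambda Q: frozenset(s for s in STATES if (m[s] - {BOT}) <= Q))

def chi_inv(pair):
    """chi^{-1}(pi1, pi2)(sigma) adds BOT exactly where pi1(true) fails."""
    pi1, pi2 = pair
    return {s: (min_set(pi2, s) if s in pi1(TRUE) else min_set(pi2, s) | {BOT})
            for s in STATES}

def e_X(A):
    """e_X : E(X_bot) -> S-bar(X_bot), collapsing outcomes that may diverge."""
    return SIGMA_BOT if BOT in A else A

def is_nelson(pair):
    """The defining property of NPTran: pi1(Q) = pi1(true) and pi2(Q)."""
    pi1, pi2 = pair
    return all(pi1(Q) == (pi1(TRUE) & pi2(Q)) for Q in PREDS)

def same_transformer(m1, m2):
    return all(m1[s] == m2[s] for s in STATES)

def first_component_is_smyth(m_e):
    """omega applied to e_X o m agrees with the first component of chi(m):
    the square of Figure 2 between ETran and the deadlock Smyth model commutes."""
    m_s = {s: e_X(A) for s, A in m_e.items()}
    return all(omega(m_s)(Q) == chi(m_e)[0](Q) for Q in PREDS)

# Constructed ETran element with one outcome of each kind.
M_E = {0: frozenset({1, 2}),      # terminates in 1 or 2
       1: frozenset(),            # deadlock
       2: frozenset({BOT}),       # certain non-termination
       3: frozenset({3, BOT})}    # may terminate in 3, may diverge
M_S = {s: e_X(A) for s, A in M_E.items()}   # its image in S-bar(Sigma_bot)

if __name__ == '__main__':
    print(same_transformer(chi_inv(chi(M_E)), M_E))       # True
    print(same_transformer(omega_inv(omega(M_S)), M_S))   # True
    print(sorted(omega(M_S)(frozenset())))                # [1]: only the deadlock state
```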
6. Semantics from Domain Transformations

In the previous section we have given three different semantics for a language including recursion. We have also given three different domain transformations (with inverses) that relate predicate transformer domains with state transformer domains. In this section we study sufficient conditions on functions that relate semantic domains such that compositionality and least fixed point properties of semantic functions are preserved. We start by giving some general definitions (cf. [GTWW77], [EM85] and the references contained in these papers).

A signature $S = (F, r)$ consists of function names $(f \in)\,F$ and a rank function $r$, giving for each function symbol its arity. Function names with arity $0$ are called constants. In the sequel we use $f \in S$ instead of $f \in F$ for the signature $S = (F, r)$. The closed terms $(s, t \in)\,T(S)$ built from $S$ are defined by
$$t ::= f(t_1, \ldots, t_{r(f)}).$$
Let $V$ be a set, and define an interpretation $I \in \mathit{Int}_{S,V}$ of a signature $S = (F, r)$ to be a function
$$I : F \to \bigcup_k (V^{(k)} \to V)$$
such that $I(f) : V^{(r(f))} \to V$ for every $f \in F$ (here $V^{(k)}$ denotes the $k$-fold product of $V$). An interpretation $I$ induces a map $(\cdot)^I : T(S) \to V$ defined inductively by
$$f(t_1, \ldots, t_{r(f)})^I = I(f)(t_1^I, \ldots, t_{r(f)}^I).$$
We can now give a definition of a semantic function.

Definition 6.1. A semantic function is a function $D : T(S) \to \mathit{Dom}$ where $T(S)$ is the class of terms over a signature $S$ and $\mathit{Dom}$ is some (structured) set called the semantic domain. A semantic function $D$ is called compositional if there exists an interpretation $I \in \mathit{Int}_{S,\mathit{Dom}}$ such that $D(t) = t^I$ for every term $t \in T(S)$.

For example, both the functions $\mathit{Op}$ (Definition 2.2) and $\mathit{wp}$ (Definition 2.3) are compositional semantic functions.
If $T(S)$ is a set, then compositionality is often expressed by a congruence for the signature $S$, that is, an equivalence relation $\equiv\ \subseteq T(S) \times T(S)$ such that for all $f \in S$ and (closed) terms $u_1, \ldots, u_{r(f)}, v_1, \ldots, v_{r(f)}$
$$(\forall 1 \le i \le r(f) : u_i \equiv v_i) \Rightarrow f(u_1, \ldots, u_{r(f)}) \equiv f(v_1, \ldots, v_{r(f)}).$$
The following lemma is standard, and can be found for example in [EM85]:

Lemma 6.2. Let $S = (F, r)$ be a signature such that $F$ is a set and every function symbol has finite arity. Let also $D : T(S) \to \mathit{Dom}$ be a semantic function, and define $\equiv_D\ \subseteq T(S) \times T(S)$ by $s \equiv_D t \Leftrightarrow D(s) = D(t)$. Then $D$ is compositional if and only if $\equiv_D$ is a congruence.

Given a signature $S$, a compositional semantic function $D : T(S) \to \mathit{Dom}$, and a domain transformation $h : \mathit{Dom} \to \mathit{Dom}'$, we say that $h$ preserves compositionality if there exists an interpretation $I' \in \mathit{Int}_{S,\mathit{Dom}'}$ such that the following diagram commutes:
$$\begin{array}{ccc} T(S) & \xrightarrow{\ D\ } & \mathit{Dom} \\ & {\scriptstyle (\cdot)^{I'}}\searrow & \downarrow{\scriptstyle h} \\ & & \mathit{Dom}' \end{array}$$
The commutativity of the diagram implies that the semantic function $D' = h \circ D : \mathit{Stat} \to \mathit{Dom}'$ is compositional. For the language $\mathit{Stat}$ we have given three different predicate transformer semantics $\mathit{wp} : \mathit{Stat} \to \mathit{MPTran}_B$, $\mathit{wp} : \mathit{Stat} \to \mathit{MPTran}_D$ and $(\mathit{wp}, \mathit{wlp}) : \mathit{Stat} \to \mathit{NPTran}_N$. We have three domain transformations $\omega^{-1} : \mathit{MPTran}_B \to \mathit{STran}$, $\omega^{-1} : \mathit{MPTran}_D \to \overline{\mathit{STran}}$ and $\chi^{-1} : \mathit{NPTran}_N \to \mathit{ETran}$. These domain transformations are isomorphisms and hence they preserve compositionality. In the following definition three state transformer semantics for $\mathit{Stat}$ are given, and in Theorem 6.4 they are proved to be isomorphic to the predicate transformer semantics.

Definition 6.3. For every statement $S \in \mathit{Stat}$ define the state transformer semantics $\mathit{st}_B : \mathit{Stat} \to \mathit{STran}$ by
$$\begin{aligned}
\mathit{st}_B(v := t)(\sigma) &= \{\lambda v' \in \mathit{Var}.\ \text{if } v' = v \text{ then } t(\sigma) \text{ else } \sigma(v')\} \\
\mathit{st}_B(b \to)(\sigma) &= \begin{cases} \{\sigma\} & \text{if } b(\sigma) = \mathit{tt} \\ \emptyset & \text{otherwise} \end{cases} \\
\mathit{st}_B(\mathit{div})(\sigma) &= \bot \\
\mathit{st}_B(S_1 ; S_2)(\sigma) &= \begin{cases} \bot & \text{if } \mathit{st}_B(S_1)(\sigma) = \bot \\ \emptyset & \text{if } \mathit{st}_B(S_1)(\sigma) = \emptyset \\ \bigcup_{\sigma' \in \mathit{st}_B(S_1)(\sigma)} \mathit{st}_B(S_2)(\sigma') & \text{otherwise} \end{cases} \\
\mathit{st}_B(\Box_{i \in I} S_i)(\sigma) &= \textstyle\bigcup_{i \in I} \mathit{st}_B(S_i)(\sigma) \\
\mathit{st}_B(S_1 \Diamond S_2)(\sigma) &= \begin{cases} \mathit{st}_B(S_2)(\sigma) & \text{if } \mathit{st}_B(S_1)(\sigma) = \emptyset \\ \mathit{st}_B(S_1)(\sigma) & \text{otherwise.} \end{cases}
\end{aligned}$$
The definition of $\mathit{st}_D : \mathit{Stat} \to \overline{\mathit{STran}}$ is the same, and $\mathit{st}_N : \mathit{Stat} \to \mathit{ETran}$ differs only in
$$\mathit{st}_N(\mathit{div})(\sigma) = \{\bot\}$$
and
$$\mathit{st}_N(S_1 ; S_2)(\sigma) = \begin{cases} \{\bot\} & \text{if } \mathit{st}_N(S_1)(\sigma) = \{\bot\} \\ \emptyset & \text{if } \mathit{st}_N(S_1)(\sigma) = \emptyset \\ \bigcup_{\sigma' \in \mathit{st}_N(S_1)(\sigma) \setminus \{\bot\}} \mathit{st}_N(S_2)(\sigma') \cup \{\bot \mid \bot \in \mathit{st}_N(S_1)(\sigma)\} & \text{otherwise.} \end{cases}$$
The following theorem relates the various semantics.

Theorem 6.4. For every $S \in \mathit{Stat}$ we have
(i) $\omega \circ \mathit{st}_B(S) = \mathit{wp}(S)$ and $\mathit{st}_B(S) = \omega^{-1} \circ \mathit{wp}(S)$;
(ii) $\omega \circ \mathit{st}_D(S) = \mathit{wp}(S)$ and $\mathit{st}_D(S) = \omega^{-1} \circ \mathit{wp}(S)$;
(iii) $\chi \circ \mathit{st}_N(S) = (\mathit{wp}(S), \mathit{wlp}(S))$ and $\mathit{st}_N(S) = \chi^{-1} \circ (\mathit{wp}(S), \mathit{wlp}(S))$.

Proof. We prove only the third item, since the other two can be derived from it. Notice that since $\chi$ is an isomorphism, it is enough to prove only one of the two equalities, and we prove $\chi(\mathit{st}_N(S))(P) = (\mathit{wp}(S)(P), \mathit{wlp}(S)(P))$ for every statement $S \in \mathit{Stat}$ and predicate $P \in \mathit{Pred}$. The proof proceeds by structural induction on $S$, and we treat two cases. Suppose $S = \mathit{div}$. We have
$$\begin{aligned}
\chi(\mathit{st}_N(\mathit{div}))(P) &= (\{\sigma \in \Sigma \mid \mathit{st}_N(\mathit{div})(\sigma) \subseteq P\},\ \{\sigma \in \Sigma \mid (\mathit{st}_N(\mathit{div})(\sigma) \setminus \{\bot\}) \subseteq P\}) \\
&= (\{\sigma \in \Sigma \mid \{\bot\} \subseteq P\},\ \{\sigma \in \Sigma \mid \mathit{false} \Rightarrow P\}) \\
&= (\mathit{false}, \mathit{true}) \\
&= (\mathit{wp}(\mathit{div})(P), \mathit{wlp}(\mathit{div})(P)).
\end{aligned}$$
Suppose $S = S_1 \Diamond S_2$ and denote by $\chi_1$ the first component of $\chi$. We have
$$\begin{aligned}
\chi_1(\mathit{st}_N(S_1 \Diamond S_2))(P) &= \{\sigma \in \Sigma \mid \mathit{st}_N(S_1 \Diamond S_2)(\sigma) \subseteq P\} \\
&= \{\sigma \in \Sigma \mid \mathit{st}_N(S_1)(\sigma) = \emptyset \wedge \mathit{st}_N(S_2)(\sigma) \subseteq P\} \cup \{\sigma \in \Sigma \mid \mathit{st}_N(S_1)(\sigma) \neq \emptyset \wedge \mathit{st}_N(S_1)(\sigma) \subseteq P\} \\
&= (\chi_1(\mathit{st}_N(S_2))(P) \wedge \chi_1(\mathit{st}_N(S_1))(\mathit{false})) \vee (\neg\chi_1(\mathit{st}_N(S_1))(\mathit{false}) \wedge \chi_1(\mathit{st}_N(S_1))(P)) \\
&= (\mathit{wp}(S_2)(P) \wedge \mathit{wp}(S_1)(\mathit{false})) \vee (\mathit{wp}(S_1)(P) \wedge \neg\mathit{wp}(S_1)(\mathit{false})) \\
&= \mathit{wp}(S_1)(P) \wedge (\mathit{wp}(S_1)(\mathit{false}) \Rightarrow \mathit{wp}(S_2)(P)) \\
&= \mathit{wp}(S_1 \Diamond S_2)(P).
\end{aligned}$$
Also, if we denote by $\chi_2$ the second component of $\chi$, we have
$$\begin{aligned}
\chi_2(\mathit{st}_N(S_1 \Diamond S_2))(P) &= \{\sigma \in \Sigma \mid (\mathit{st}_N(S_1 \Diamond S_2)(\sigma) \setminus \{\bot\}) \subseteq P\} \\
&= \{\sigma \in \Sigma \mid \mathit{st}_N(S_1)(\sigma) = \emptyset \wedge (\mathit{st}_N(S_2)(\sigma) \setminus \{\bot\}) \subseteq P\} \cup \{\sigma \in \Sigma \mid \mathit{st}_N(S_1)(\sigma) \neq \emptyset \wedge (\mathit{st}_N(S_1)(\sigma) \setminus \{\bot\}) \subseteq P\} \\
&= (\chi_2(\mathit{st}_N(S_2))(P) \wedge \chi_1(\mathit{st}_N(S_1))(\mathit{false})) \vee (\neg\chi_1(\mathit{st}_N(S_1))(\mathit{false}) \wedge \chi_2(\mathit{st}_N(S_1))(P)) \\
&= (\mathit{wlp}(S_2)(P) \wedge \mathit{wp}(S_1)(\mathit{false})) \vee (\mathit{wlp}(S_1)(P) \wedge \neg\mathit{wp}(S_1)(\mathit{false})) \\
&= \mathit{wlp}(S_1)(P) \wedge (\mathit{wp}(S_1)(\mathit{false}) \Rightarrow \mathit{wlp}(S_2)(P)) \\
&= \mathit{wlp}(S_1 \Diamond S_2)(P).
\end{aligned}$$
For recursion, we add a set of constants $(x \in)\,\mathit{PVar}$, called procedure variables, to a signature $S$, and let $S_{rec} = S \cup \mathit{PVar}$ be the new signature. The meaning of procedure variables is given by means of a fixed point of a function associated to a declaration $d : \mathit{PVar} \to T(S_{rec})$. Given a semantic function $D : T(S_{rec}) \to \mathit{Dom}$ we denote by $D_0 : T(S) \to \mathit{Dom}$ its restriction to terms without procedure variables. The set of environments (the semantical counterpart of the declaration) is given by $(\eta \in)\,\mathit{Env} = \mathit{PVar} \to \mathit{Dom}$. Every compositional semantics $D : T(S) \to \mathit{Dom}$ can be extended to a compositional semantics $\hat D : T(S_{rec}) \to (\mathit{Env} \to \mathit{Dom})$ by
$$\begin{aligned}
\hat D(x)(\eta) &= \eta(x) && \text{for each } x \in \mathit{PVar}, \\
\hat D(f(t_1, \ldots, t_{r(f)}))(\eta) &= I(f)(\hat D(t_1)(\eta), \ldots, \hat D(t_{r(f)})(\eta)) && \text{for each } f \in S \text{ and } t_i \in T(S_{rec}),
\end{aligned}$$
where $I \in \mathit{Int}_{S,\mathit{Dom}}$ is such that $D(t) = t^I$ for each $t \in T(S)$. For every compositional semantics $\hat D : T(S_{rec}) \to (\mathit{Env} \to \mathit{Dom})$ we define a function $\Phi_{\hat D} : \mathit{Env} \to \mathit{Env}$ by
$$\Phi_{\hat D}(\eta)(x) = \hat D(d(x))(\eta).$$
Now we are ready for a formal definition of a fixed point semantics.

Definition 6.5. A semantic function $D : T(S_{rec}) \to \mathit{Dom}$ is called a fixed point semantics if $D_0 : T(S) \to \mathit{Dom}$ is compositional and $D(t) = \hat D_0(t)(\eta)$ for some environment $\eta \in \mathit{Env}$ such that $\Phi_{\hat D_0}(\eta) = \eta$. Furthermore, the semantic function $D : T(S_{rec}) \to \mathit{Dom}$ is called a least fixed point semantics if $\mathit{Dom}$ is a partial order, $D$ is a fixed point semantics, and $\eta$ is the least fixed point of $\Phi_{\hat D_0}$.

For example, the semantic functions $\mathit{Wp}_B$, $\mathit{Wp}_D$ and $\mathit{Wp}_N$ as defined in Definition 4.6 are least fixed point semantics.

Let $S$ be a signature and $\mathit{PVar}$ be a set of procedure variables. For a domain transformation $h : \mathit{Dom} \to \mathit{Dom}'$ preserving the compositionality of $D : T(S) \to \mathit{Dom}$, define $D' = h \circ D : T(S) \to \mathit{Dom}'$. Then for every $t \in T(S_{rec})$ and $\eta \in \mathit{Env}$ we have
$$\hat D'(t)(h \circ \eta) = h(\hat D(t)(\eta)).$$
This result (which can be proved by structural induction) implies that the following diagram commutes:
$$\begin{array}{ccc} \mathit{Env} & \xrightarrow{\ \Phi_{\hat D}\ } & \mathit{Env} \\ {\scriptstyle h}\downarrow & & \downarrow{\scriptstyle h} \\ \mathit{Env}' & \xrightarrow{\ \Phi_{\hat D'}\ } & \mathit{Env}' \end{array}$$
Indeed, we have $\Phi_{\hat D'}(h \circ \eta)(x) = \hat D'(d(x))(h \circ \eta) = h(\hat D(d(x))(\eta)) = h(\Phi_{\hat D}(\eta)(x))$.
Finally, the next theorem gives sufficient conditions on $h$ to ensure that it preserves the least fixed point property of a semantics.

Theorem 6.6. Let $S$ be a signature and $\mathit{PVar}$ be a set of procedure variables. Let $D : T(S_{rec}) \to \mathit{Dom}$ be a least fixed point semantics and $h : \mathit{Dom} \to \mathit{Dom}'$ be a function such that $D'_0 = h \circ D_0 : T(S) \to \mathit{Dom}'$ is a compositional semantics. If $\mathit{Dom}$ is a complete partial order, if $\Phi_{\hat D_0}$ is monotone, and if the commuting diagram
$$\begin{array}{ccc} \mathit{Env} & \xrightarrow{\ \Phi_{\hat D_0}\ } & \mathit{Env} \\ {\scriptstyle h}\downarrow & & \downarrow{\scriptstyle h} \\ \mathit{Env}' & \xrightarrow{\ \Phi_{\hat D'_0}\ } & \mathit{Env}' \end{array}$$
satisfies one of the following three points:
(i) $h$ is strict and continuous, and $\Phi_{\hat D'_0}$ is monotone;
(ii) $h$ is onto, continuous, and for all $y \in \mathit{Dom}'$ either the lower fringe of $h^{-1}(y)$ exists and is finite, or every antichain of $h^{-1}(y)$ is finite;
(iii) $h$ is onto, monotone, and for all $y \in \mathit{Dom}'$ the upper fringe of $h^{-1}(y)$ exists and is finite;
then $D' = h \circ D : T(S_{rec}) \to \mathit{Dom}'$ is a least fixed point semantics.

Proof. If $h$ satisfies point (i) then by Theorem 4.2 the function $\Phi_{\hat D'_0}$ has least fixed point $\mu\Phi_{\hat D'_0} = h(\mu\Phi_{\hat D_0})$. Similarly, if $h$ satisfies point (ii) then by Theorem 4.3 $\Phi_{\hat D'_0}$ has least fixed point $\mu\Phi_{\hat D'_0} = h(\mu\Phi_{\hat D_0})$, while if $h$ satisfies point (iii) then by Theorem 4.4 $\Phi_{\hat D'_0}$ has least fixed point $\mu\Phi_{\hat D'_0} = h(\mu\Phi_{\hat D_0})$. Hence for all terms $t \in T(S_{rec})$ we have
$$\begin{aligned}
D'(t) &= h(D(t)) \\
&= h(\hat D_0(t)(\mu\Phi_{\hat D_0})) && D \text{ is a least fixed point semantics} \\
&= \hat D'_0(t)(h \circ \mu\Phi_{\hat D_0}) \\
&= \hat D'_0(t)(\mu\Phi_{\hat D'_0}).
\end{aligned}$$
Since $D'_0$ is compositional we have that $D'$ is a least fixed point semantics.

This theorem ensures that if we extend the semantic function $\mathit{st}_B : \mathit{Stat} \to \mathit{STran}$ to a least fixed point semantics $\mathit{St}_B : \mathit{Stat}^+ \to (\mathit{Decl} \to \mathit{STran})$, the results of Theorem 6.4 extend, that is, $\omega \circ \mathit{St}_B(S) = \mathit{Wp}_B(S)$ and $\mathit{St}_B(S) = \omega^{-1} \circ \mathit{Wp}_B(S)$. The same result also holds for the extensions of $\mathit{st}_D$ and $\mathit{st}_N$.
7. Conclusion and Future Work

At least four different, but related, topics have been treated in this paper:
1. We proposed an extension of Dijkstra's Weakest Precondition Calculus in order to treat recursion in a fully compositional way with respect to three different orders: a refinement order as introduced in [Bac78], a new refinement order that respects deadlock, and an approximation order as introduced in [Nel89].
2. We showed that (under certain circumstances) least fixed points of functions (even non-monotone ones) between posets exist and that they can be obtained by iteration from the least element.
3. We gave three isomorphisms between domains of predicate transformers and domains of state transformers. The state transformers are based on two different versions of the discrete Smyth power domain and on the discrete Egli-Milner power domain.
4. We gave sufficient conditions on a function between two semantic domains in order to preserve compositionality and least fixed point properties of semantic functions.

We would like to consider further extensions of the language, like arbitrary parallelism and angelic choice. Further results on the relationships between predicate transformers and state transformers based on the Smyth, Hoare and Plotkin power domains on algebraic directed complete partial orders can be found in [BK93].
Acknowledgements

We would like to acknowledge the members of the Amsterdam Concurrency Group, especially Jaco de Bakker, Franck van Breugel, Jan Rutten, and Daniele Turi, for discussions and suggestions about the contents of this paper. Thanks also to two anonymous referees for their useful comments. Finally we would like to thank Nicoletta Sabadini, Giancarlo Mauri, Ralph Back, and Prakash Panangaden.
References

[AP81] K.R. Apt and G. Plotkin. A Cook's Tour of Countable Nondeterminism. In S. Even and O. Kariv, editors, Proc. 8th ICALP, volume 115 of Lecture Notes in Computer Science, Akko, Israel, 1981. Springer-Verlag.
[AP86] K.R. Apt and G. Plotkin. Countable Nondeterminism and Random Assignment. Journal of the ACM, 33(4):724–767, October 1986.
[Bac78] R.-J.R. Back. On the Correctness of Refinement Steps in Program Development. PhD thesis, Department of Computer Science, University of Helsinki, 1978. Report A-1978-4.
[Bac80] R.-J.R. Back. Correctness Preserving Program Refinements: Proof Theory and Applications, volume 131 of Mathematical Centre Tracts. Mathematical Centre, Amsterdam, 1980.
[Bac81] R.-J.R. Back. On Correct Refinement of Programs. Journal of Computer and System Sciences, 23(1):49–68, 1981.
[Bac90] R.-J.R. Back. Refinement Calculus, part II: Parallel and Reactive Programs. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 67–93. Springer-Verlag, 1990.
[Bak80] J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
[Bes83] E. Best. Relational Semantics of Concurrent Programs (with some Applications). In D. Bjørner, editor, Proc. of the IFIP Working Conference on Formal Description of Programming Concepts II, pages 431–452, Garmisch-Partenkirchen, FRG, 1983. North-Holland Publishing Company.
[BK93] M.M. Bonsangue and J.N. Kok. Isomorphisms between State and Predicate Transformers. In A.M. Borzyszkowski and S. Sokolowski, editors, Proc. MFCS '93, Gdansk, Poland, volume 711 of Lecture Notes in Computer Science, pages 301–310. Springer-Verlag, 1993. Extended version available through anonymous ftp from ftp.cs.vu.nl as /pub/bonsangue/isomorph.ps.Z.
[BW90] R.-J.R. Back and J. von Wright. Refinement Calculus, part I: Sequential Nondeterministic Programs. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 42–66. Springer-Verlag, 1990.
[DG86] E.W. Dijkstra and A.J.M. van Gasteren. A Simple Fixpoint Argument without the Restriction to Continuity. Acta Informatica, 23:1–7, 1986.
[Dij76] E.W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976.
[DS90] E.W. Dijkstra and C.S. Scholten. Predicate Calculus and Program Semantics. Springer-Verlag, New York, 1990.
[EM85] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification I, volume 6 of EATCS Monographs. Springer-Verlag, 1985.
[GTWW77] J.A. Goguen, J.W. Thatcher, E.G. Wagner, and J.B. Wright. Initial Algebra Semantics and Continuous Algebras. Journal of the ACM, 24:68–95, 1977.
[Heh79] E.C.R. Hehner. do considered od: a Contribution to Programming Calculus. Acta Informatica, 11:287–304, 1979.
[Hes89] W.H. Hesselink. Predicate Transformer Semantics of General Recursion. Acta Informatica, 26:309–332, 1989.
[HP72] P. Hitchcock and D. Park. Induction Rules and Termination Proofs. In M. Nivat, editor, Proc. 1st ICALP, Rocquencourt, France, 1972. North-Holland.
[Mey85] J.-J.Ch. Meyer. Programming Calculi Based on Fixed Point Transformations: Semantics and Applications. PhD thesis, Vrije Universiteit, Amsterdam, 1985.
[Mor87] J. Morris. A Theoretical Basis for Stepwise Refinement and the Programming Calculus. Science of Computer Programming, 9:287–306, 1987.
[MRG88] C.C. Morgan, K.A. Robinson, and P.H.B. Gardiner. On the Refinement Calculus. Technical Report PRG-70, Programming Research Group, 1988.
[Nel89] G. Nelson. A Generalization of Dijkstra's Calculus. ACM Transactions on Programming Languages and Systems, 11(4):517–561, 1989.
[Plo79] G.D. Plotkin. Dijkstra's Predicate Transformer and Smyth's Powerdomain. In Proc. of the Winter School on Abstract Software Specification, volume 86 of Lecture Notes in Computer Science, pages 527–553. Springer-Verlag, 1979.
[Plo81] G.D. Plotkin. Post-Graduate Lecture Notes in Advanced Domain Theory (incorporating the "Pisa Notes"). Department of Computer Science, University of Edinburgh, 1981.
[Roe76] W.P. de Roever. Dijkstra's Predicate Transformer, Non-Determinism, Recursion, and Terminations. In Proc. 5th MFCS, volume 45 of Lecture Notes in Computer Science, pages 472–481. Springer-Verlag, 1976.
[Smy78] M.B. Smyth. Power Domains. Journal of Computer and System Sciences, 16(1):23–36, 1978.
[Smy83] M.B. Smyth. Power Domains and Predicate Transformers: A Topological View. In J. Diaz, editor, Proc. 10th ICALP, volume 154 of Lecture Notes in Computer Science, pages 662–675, Barcelona, Spain, 1983. Springer-Verlag.
[Wan77] M. Wand. A Characterisation of Weakest Preconditions. Journal of Computer and System Sciences, 15:209–212, 1977.
[Wri90] J. von Wright. A Lattice-theoretical Basis for Program Refinement. PhD thesis, Åbo Akademi, 1990.