ANOTHER CHARACTERIZATION OF WEAKEST PRECONDITIONS
Pedro Guerreiro
Departamento de Informática
Faculdade de Ciências e Tecnologia
Universidade Nova de Lisboa
Quinta da Torre
2825 Monte da Caparica
PORTUGAL
ABSTRACT
We present an approach to the study of nondeterministic programs, consisting essentially in using binary relations as semantic objects representing the input-output behaviour of programs. These relations include an explicit representation of non-terminating computations. Based on the relational model we introduce a weakest precondition total correctness predicate transformer. We then show how to build up this predicate transformer starting from others of a more elementary kind. Finally, we obtain a characterization of its healthiness properties in terms of set-theoretical properties of the relations involved.
1. INTRODUCTION
Usually, a deterministic program is viewed as a representation, or description, in a given language of a certain partial function from a suitable set of states into itself. Putting forward the semantics of the program consists essentially in presenting the associated function, or relevant properties of it, in some, hopefully sufficiently widespread, standard formalism.
Generalizing this idea, a nondeterministic program, that is, a program that can produce several outputs for some of its inputs, can be considered to be a representation of a function from the set of states to the set of sets of states, or, alternatively, of a binary relation over that set of states. In fact, using relations instead of functions is perhaps more convenient because, the source and target spaces being the same, relations are more comfortable to compose, to invert, etc., than the corresponding functions.
The operational meaning of the semantic relation of a program must reflect the input-output behaviour of the program. Therefore, whenever there exists a possibility that an execution of the program initialized in a state a terminates in a state b, the pair (a,b) will appear in the relation. However, special attention must be paid to those cases in which the execution may not terminate. This situation of non-termination must be somehow recorded in the semantics, otherwise it will be impossible to distinguish, for example, the two following programs (written in Dijkstra's guarded command language, (Dij 75)):
    r1 :: if true → skip fi
    r2 :: if true → skip ▯ true → abort fi
If we consider terminating computations only, the input-output behaviours of r1 and r2 are the same. However, r1 and r2 definitely should not be regarded as "equivalent".
In order to distinguish two programs like the ones above two techniques can be used:
i - to exclude from the relation all pairs whose first elements are also starting points of non-terminating computations. This is justified if we are only interested in total correctness semantics, as in this case we regard the possibility of non-termination as "bad" as guaranteed non-termination. Therefore, the loss of information caused by deleting those pairs appears to be of no consequence. Using this technique the semantic relation of program r1 is the identity relation whereas that of r2 is the empty relation.
ii - to enlarge the state space with a special element to be used as a "final" state for non-terminating computations. If we choose this alternative the relation for program r1 is still the identity relation, but for program r2 we now have, denoting by ω the special element and by Q the state space, the union of the identity relation and the cartesian product Q × {ω}.
We believe that the second approach is more interesting, for several reasons. First, it is independent of any notion of correctness, which, anyway, can easily be introduced later. Besides, putting in total correctness right from the start causes some loss of information, namely the possibility of termination in presence of the possibility of non-termination. This loss of information is inconvenient in that it hinders us from using composition of relations to represent sequential composition of commands. Take, for example, the two following commands, where b is a boolean variable:
    s1 :: if b → b:=false ▯ b → skip fi
    s2 :: if b → skip fi
Using the first approach in the state space of the truth values {true, false} the semantic relation of command s1 is {(true,true),(true,false)} and that of s2 is {(true,true)}. Relational composition yields {(true,true)}, whereas the command s1;s2 is never guaranteed to terminate and hence its semantic relation is empty. On the other hand, following the second approach with an enlarged state space {true,false,ω}, we obtain for s1 {(true,true),(true,false),(false,ω),(ω,ω)}, and for s2 {(true,true),(false,ω),(ω,ω)}. Relational composition now gives {(true,true),(true,ω),(false,ω),(ω,ω)}, which in fact corresponds to s1;s2, telling us not only that termination is never guaranteed but also that termination with b=true is possible in the case where we had initially b=true.
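As an added illustration, not part of the original paper, the following Python computes the s1;s2 example just discussed under both relational approaches; the function names and the string "w" standing for the special element ω are this example's own conventions.

```python
# Added example: the s1;s2 composition from the Introduction, computed under
# both relational approaches.  Relations are sets of (input, output) pairs
# over a finite state space; the string "w" stands for the special element ω.
W = "w"

def compose(r, s):
    """Relational composition, first r then s: (R∘S)(A) = S(R(A)) in the paper."""
    return {(a, c) for (a, b) in r for (b2, c) in s if b == b2}

def enlarge(terminating, states):
    """Approach ii: add ω.  In the examples of the paper a state either has
    terminating computations only or aborts outright, so a state without any
    terminating pair gets (a, ω); ω maps only to itself."""
    rel = set(terminating)
    for a in states:
        if not any(x == a for (x, _) in rel):
            rel.add((a, W))
    rel.add((W, W))
    return rel

def total_correctness_view(rel):
    """Approach i applied to an ω-relation: drop every pair whose first element
    can also start a non-terminating computation, then forget ω."""
    may_loop = {a for (a, b) in rel if b == W}
    return {(a, b) for (a, b) in rel if a not in may_loop and a != W}

STATES = {True, False}
# Constructed from the paper's text:
#   s1 :: if b -> b:=false ▯ b -> skip fi    terminates only from b=true
#   s2 :: if b -> skip fi                    terminates only from b=true
S1 = enlarge({(True, True), (True, False)}, STATES)
S2 = enlarge({(True, True)}, STATES)

def composition_under_approach_ii():
    """Compose the enlarged relations: (true, ω) records that s1;s2 may loop
    from b=true, while (true, true) records that it may also terminate."""
    return compose(S1, S2)

def composition_under_approach_i():
    """Compose the approach-i relations: the pair (true, true) survives even
    though s1;s2 is never guaranteed to terminate."""
    return compose(total_correctness_view(S1), total_correctness_view(S2))

def approach_i_of_true_composition():
    """The approach-i relation of s1;s2 itself, read off the enlarged
    composition: empty, since termination is never guaranteed."""
    return total_correctness_view(composition_under_approach_ii())

if __name__ == "__main__":
    print("approach ii, s1;s2  :", composition_under_approach_ii())
    print("approach i, composed:", composition_under_approach_i())
    print("approach i, of s1;s2:", approach_i_of_true_composition())
```

The third function shows why approach i breaks sequential composition: composing the approach-i relations keeps (true,true), but the approach-i relation of s1;s2 itself is empty.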
Another advantage in taking approach ii is that semantic relations are constructed mainly by set-theoretical union, whereas the first approach implies frequent use of intersection and complementation also. It turns out that the algebraic properties of the union operation are nicer than those of the intersection. For example: let R and S be relations over Q and A a subset of Q. Denoting by R(A) the "image" of A by R (formally defined by R(A) = ∪_{a∈A} R(a), where R(a) = {b : (a,b)∈R}), it is easy to see that we have (R∪S)(A) = R(A) ∪ S(A), but concerning the intersection all we can say is that (R∩S)(A) ⊆ R(A) ∩ S(A).
In the last few years several interesting papers were devoted to the study of nondeterminacy and its relation with total correctness. Wand treats nondeterminacy following the first of the two relational approaches described above, providing a first relational characterization of Dijkstra's weakest precondition predicate transformer (Wan 77). de Roever points out the need for explicit representation of non-termination (Roe 76). Hoare models nondeterminacy in terms of sets of program traces and studies several kinds of correctness for nondeterministic programs (Hoa 78). Harel's model is that of computation trees, which allows him to define several "execution methods" for nondeterministic programs, each method implying a different total correctness predicate transformer (Har 79). Back investigates problems posed by considering also unboundedly nondeterministic commands (Bac 79). Sifakis presents a systematic approach to the study of properties of nondeterministic systems using so-called transition systems (Sif 79). The author, in a paper presented at a previous edition of this colloquium, proposed a semantics for the language of guarded commands using relations of the type suggested above in the second relational approach to nondeterminacy (Gue 80).
In this paper we are mainly interested in developing that study, by considering a more convenient framework for studying a total correctness weakest precondition predicate transformer. Basically we are looking for a characterization of the "healthiness" properties of that predicate transformer in terms of set-theoretical properties of the semantic relations involved.
This paper is organized as follows: in section 2 we introduce the class of binary relations we shall be using; next, in section 3 we define our weakest precondition total correctness predicate transformer; in section 4 we build up some useful predicate transformers starting from the elementary notion of "image of a set by a relation"; these predicate transformers are then used in sections 5 and 6 to assist us in the study of the total correctness predicate transformer defined previously.
2. PROGRAMMABLE RELATIONS
Let Q be an (arbitrary) set (of states) and ω a distinguished element of Q. Assume r is a (nondeterministic) program whose state space is the set Q − {ω}. We shall use ω to represent the final state of a non-terminating computation of r, as suggested in the Introduction. The semantic relation of r (i.e., the relation represented by program r), denoted R (throughout this paper we use capital letters R, S, ... to denote semantic relations of programs r, s, ...), is obtained as follows: for a,b∈Q we have:
i - (a,b)∈R, b≠ω, if there exists a computation of r initialized in state a and terminating in state b.
ii - (a,ω)∈R, if there exists a non-terminating computation of r starting in state a.
The special meaning of state ω tells us immediately that not all relations in Q will be of use to us. In fact, a relation such that ω might have a successor other than itself would be semantically meaningless. Therefore we may focus our attention only on so-called ω-relations:
Definition 2.1. ω-relation. A relation R is called an ω-relation if R(ω) ⊆ {ω}. □
Using ω-relations allows us to restrict further the class of semantic relations for nondeterministic programs. We can, in fact, say that a computation of a command will always produce an output, no matter how the command was initialized. (The output may be ω if the computation is infinite, which is what should happen if the command was not supposed to be initialized in the given initial state.) We conclude that semantic relations of programs are total:
Definition 2.2. Totality. An ω-relation is total if ∀a∈Q R(a) ≠ ∅. □
The programs that we want to deal with here are those that can be written in the guarded command language. As Dijkstra explained (Dij 76) they are boundedly nondeterministic, that is, whenever for a given initial state there is an infinite number of terminating computations there is also a non-terminating computation for that initial state. Relationally, this property may be expressed by the following definition:
Definition 2.3. Bounded nondeterminacy. An ω-relation is boundedly nondeterministic if ∀a∈Q ∃k∈ℕ (|R(a)| ≤ k ∨ (a,ω)∈R). □
We may conclude that the semantic relations of programs are ω-relations enjoying at least the properties of totality and bounded nondeterminacy. Such relations are called programmable relations:
Definition 2.4. Programmable relation. A programmable relation is an ω-relation that is total and boundedly nondeterministic. □
3. A WEAKEST PRECONDITION TOTAL CORRECTNESS PREDICATE TRANSFORMER
A predicate (over Q) is a mapping from Q into the set of truth values {true, false}. Let 𝒫 denote the set of predicates over Q. A predicate transformer (pt) (over Q) is a mapping from 𝒫 into 𝒫. A pt associated to a program r is said to be total correctness if it "transforms" a target predicate P1 into a source predicate P0 such that if the program r is initialized in a state verifying P0 then termination is guaranteed in a state where P1 holds. This idea of a total correctness pt can be very pleasantly expressed in terms of semantic relations.
Let R be an ω-relation, and for each predicate P consider the predicate λa.∀b ((a,b)∈R ⇒ P(b) ∧ b≠ω). This predicate characterizes the largest set of states such that all their successors by R satisfy P while remaining different from the special element ω. In particular all the states which have no successors by R belong to that set. We conclude that in those cases where R is total, and this includes all programmable relations, the formula presented defines indeed a weakest precondition total correctness pt.
We therefore propose the following general definition:
Definition 3.1. wpr(R). Let R be an ω-relation. The predicate transformer wpr(R) is defined by the equation wpr(R)(P) = λa.∀b ((a,b)∈R ⇒ P(b) ∧ b≠ω). □
We now want to study the properties of wpr(R), to answer questions such as: is wpr(R) continuous? do we have wpr(R∘S) = wpr(R)∘wpr(S)? etc. We shall see that the answers turn out to be as we would like them to be, at least when the relations involved are programmable relations.
4. OTHER PREDICATE TRANSFORMERS
It is more interesting to study wpr(R) in terms of other pt's of a more elementary kind than to manipulate directly the defining formula.
Note: Although we are mainly interested in ω-relations, the results presented in this section (except theorem 4.16) are valid for any binary relation in Q.
The following are well-known properties of the operation "image of a set by a relation"; their proofs are quite trivial.
Properties 4.1. Let R and S be relations, A a subset of Q, and {A_i}_i a family of subsets of Q. We have:
1. R(∪_i A_i) = ∪_i R(A_i)
2. (R∪S)(A) = R(A) ∪ S(A)
3. (R∘S)(A) = S(R(A))
4. R ⊆ S iff ∀A R(A) ⊆ S(A) □
The following are particular cases, or consequences, of property 4.1.1:
Properties 4.2. Let R be a relation and A and B subsets of Q. We have:
1. R(∅) = ∅
2. R(A∪B) = R(A) ∪ R(B)
3. A ⊆ B ⇒ R(A) ⊆ R(B)
4. R(A∩B) ⊆ R(A) ∩ R(B) □
If R is the semantic relation of a program and A is a set of initial states for the program then R(A) is the set of possible final states. Obviously, if ω∈R(A) then it is also possible that the program does not terminate.
Usually, reasoning about programs is made with predicates and predicate transformers, rather than directly with sets and relations. We now introduce some of these predicate transformers.
In the sequel, for a predicate P, we denote by [P] the set {a : P(a)}, and for a pt F we abbreviate [F(P)] by [F](P). We define T = λa.true and ⊥ = λa.false (i.e., [T] = Q and [⊥] = ∅). We denote by ∪, ∩ and ¬ the operations of, respectively, sum, product and complementation of predicates; they can be formally defined by: P1∪P2 = λa.P1(a)∨P2(a); P1∩P2 = λa.P1(a)∧P2(a); ¬P = λa.¬(P(a)). We define a partial order, ⊆, in the set of predicates, by: P1 ⊆ P2 if ∀a P1(a) ⇒ P2(a) (that is, if [P1] ⊆ [P2], set-theoretically). We also define a partial order in the set of predicate transformers, and we denote it by the same symbol ⊆: F ⊆ G if ∀P F(P) ⊆ G(P). Finally we denote by F* the dual of the pt F: F* = λP.¬F(¬P).
The set-theoretical notion of image of a set by a relation corresponds to the following predicate transformer:
Definition 4.3. The predicate transformer image(R). Let R be a relation. The pt image(R) is defined by: [image(R)](P) = R([P]). □
The following is an alternative definition of image(R):
image(R)(P) = λb.∃a (P(a) ∧ (a,b)∈R)
Properties of image(R) are a mere translation of properties 4.1 and 4.2 into predicate transformer notation:
Properties 4.4. Let R and S be relations, P a predicate, and {P_i}_i a family of predicates. We have:
1. image(R)(∪_i P_i) = ∪_i image(R)(P_i)
2. image(R∪S)(P) = image(R)(P) ∪ image(S)(P)
3. image(R∘S)(P) = image(S)(image(R)(P))
4. R ⊆ S iff image(R) ⊆ image(S) □
Properties 4.5. Let R be a relation and P1 and P2 predicates. We have:
1. image(R)(⊥) = ⊥
2. image(R)(P1∪P2) = image(R)(P1) ∪ image(R)(P2)
3. P1 ⊆ P2 ⇒ image(R)(P1) ⊆ image(R)(P2)
4. image(R)(P1∩P2) ⊆ image(R)(P1) ∩ image(R)(P2) □
Not all pt's can be written in the form image(R) for some relation R. In fact:
Proposition 4.6. For a given pt F there exists a relation R such that F = image(R) iff F is such that, for any family of predicates {P_i}_i, F(∪_i P_i) = ∪_i F(P_i). □
The operational meaning of image(R)(P) is analogous to that of R([P]): it characterizes the set of all possible final states of program r, provided r is initialized with P holding. If image(R)(P)(ω) is true then non-termination is possible also.
image(R) is a "forward" pt. Usually "backward" pt's are preferred. We may consider the following:
Definition 4.7. The predicate transformer pre(R). Let R be a relation. The pt pre(R) is defined by: pre(R) = image(R⁻¹). □
The following equation may be seen as an alternative definition of pre(R):
pre(R)(P) = λa.∃b (P(b) ∧ (a,b)∈R)
Quite naturally, properties of pre(R) are similar to those of image(R); the only exception is property 4.8.3 below.
Properties 4.8. Let R and S be relations, P a predicate, and {P_i}_i a family of predicates. We have:
1. pre(R)(∪_i P_i) = ∪_i pre(R)(P_i)
2. pre(R∪S)(P) = pre(R)(P) ∪ pre(S)(P)
3. pre(R∘S)(P) = pre(R)(pre(S)(P))
4. R ⊆ S iff pre(R) ⊆ pre(S) □
Properties 4.9. Let R be a relation, and P1 and P2 predicates. We have:
1. pre(R)(⊥) = ⊥
2. pre(R)(P1∪P2) = pre(R)(P1) ∪ pre(R)(P2)
3. P1 ⊆ P2 ⇒ pre(R)(P1) ⊆ pre(R)(P2)
4. pre(R)(P1∩P2) ⊆ pre(R)(P1) ∩ pre(R)(P2) □
Proposition 4.10. For a given pt F there exists a relation R such that F = pre(R) iff F is such that, for any family of predicates {P_i}_i, F(∪_i P_i) = ∪_i F(P_i). □
The operational meaning of pre(R) is the following: if P(ω) is false then pre(R)(P) is the predicate characterizing the set of initial states for which computations exist that terminate with P holding. If P(ω) is true then the initial states of the non-terminating computations are also included in pre(R)(P); in other words, if the program is initialized outside pre(R)(P) and P(ω) is true, then termination outside [P] can be guaranteed.
The double negation implicit in the preceding phrase suggests the introduction of the dual pt of pre(R):
Definition 4.11. The predicate transformer pre*(R). Let R be a relation. The pt pre*(R) is defined by pre*(R)(P) = ¬pre(R)(¬P). □
The equation in this definition may be rewritten as:
pre*(R)(P) = λa.∀b ((a,b)∈R ⇒ P(b))
The properties of pre*(R) are the duals of the properties of pre(R):
Properties 4.12. Let R and S be relations, P a predicate, and {P_i}_i a family of predicates. We have:
1. pre*(R)(∩_i P_i) = ∩_i pre*(R)(P_i)
2. pre*(R∪S)(P) = pre*(R)(P) ∩ pre*(S)(P)
3. pre*(R∘S)(P) = pre*(R)(pre*(S)(P))
4. R ⊆ S iff pre*(S) ⊆ pre*(R) □
Properties 4.13. Let R be a relation, and P1 and P2 predicates. We have:
1. pre*(R)(T) = T
2. pre*(R)(P1∩P2) = pre*(R)(P1) ∩ pre*(R)(P2)
3. P1 ⊆ P2 ⇒ pre*(R)(P1) ⊆ pre*(R)(P2)
4. pre*(R)(P1) ∪ pre*(R)(P2) ⊆ pre*(R)(P1∪P2) □
Proposition 4.14. For a given pt F there exists a relation R such that F = pre*(R) iff F is such that, for any family of predicates {P_i}_i, F(∩_i P_i) = ∩_i F(P_i). □
A pt F is said to be continuous if for every ascending sequence of predicates {P_i}_{i∈ℕ}, P_i ⊆ P_{i+1}, F is such that F(∪_i P_i) = ∪_i F(P_i).
Property 4.8.1 implies continuity of pre(R), for all R. For pre*(R) we have the following result (Gue 80):
Theorem 4.15. The pt pre*(R) is continuous iff R is image-finite (i.e., if for all a∈Q, R(a) is a finite set). □
If the computation of program r is initialized in pre*(R)(P) and P(ω) is false, then termination of that computation with P holding can be guaranteed, and reciprocally. If P(ω) is true only termination in P or non-termination can be guaranteed. This suggests that the pt pre*(R) is closely related to our original wpr(R). In fact, the following theorem provides an alternative definition for wpr(R). The symbol Ω denotes the predicate λa.a=ω.
Theorem 4.16. Let R be an ω-relation. We have:
wpr(R)(P) = pre*(R)(P − Ω). □
The study of the properties of wpr(R) is the subject of the rest of the paper.
5. GENERAL PROPERTIES OF THE PREDICATE TRANSFORMER wpr(R)
Some properties of wpr(R) hold for every ω-relation R. Other interesting properties appear only if restrictions are imposed on the relations considered. The following belong to the first group.
Properties 5.1. Let R and S be relations, P a predicate, and {P_i}_i a non-empty family of predicates. We have:
1. wpr(R)(∩_i P_i) = ∩_i wpr(R)(P_i)
2. wpr(R∪S)(P) = wpr(R)(P) ∩ wpr(S)(P) □
Properties 5.2. Let R be a relation, and P1 and P2 predicates. We have:
1. wpr(R)(P1∩P2) = wpr(R)(P1) ∩ wpr(R)(P2)
2. P1 ⊆ P2 ⇒ wpr(R)(P1) ⊆ wpr(R)(P2)
3. wpr(R)(P1) ∪ wpr(R)(P2) ⊆ wpr(R)(P1∪P2) □
In order to obtain a result similar to property 4.12.4 we would like to define a partial order ≤ on relations, such that R ≤ S iff wpr(R) ⊆ wpr(S). Unfortunately, that is not possible, as anti-symmetry would imply wpr(R) = wpr(S) iff R = S, which is a false assertion, as the following example shows: [the original pictures two relations R and S over the states 0 and ω as diagrams, which could not be recovered here]. We have R ≠ S but wpr(R) = wpr(S) = λP.⊥.
Therefore all we can hope is that ≤ is a pre-order (i.e., a reflexive and transitive relation).
It is more comfortable to treat this question with the help of the predicate transformer wpr*(R), dual of wpr(R), and to "dualize" the results at the end, using the fact that for pt's F and G we have F ⊆ G iff G* ⊆ F*. Consider the following definition:
Definition 5.3. Pre-order «. Let R and S be ω-relations. We define R « S if R ⊆ S ∪ S⁻¹(ω) × Q. □
The meaning of this definition is described in the following proposition:
Proposition 5.4. Let R and S be relations. We have R « S iff ∀a,b ((a,b)∈R ⇒ (a,b)∈S ∨ (a,ω)∈S). □
The result we are looking for is the following (Gue 81):
Proposition 5.5. Let R and S be ω-relations. We have R « S iff wpr*(R) ⊆ wpr*(S). □
It is now easy to obtain the corresponding result for wpr(R).
Definition 5.6. Pre-order ». Let R and S be ω-relations. We define R » S if S « R. □
Proposition 5.7. Let R and S be ω-relations. We have R » S iff ∀a,b ((a,b)∈S ⇒ (a,b)∈R ∨ (a,ω)∈R). □
Proposition 5.8. Let R and S be ω-relations. We have R » S iff wpr(R) ⊆ wpr(S). □
Starting from a pre-order, an equivalence relation can be defined in a standard way:
Definition 5.9. Total correctness equivalence, «». Let R and S be ω-relations. We say that R and S are total correctness equivalent, and write R «» S, if R « S and R » S. □
The notion of total correctness equivalence is important on account of the following theorem:
Theorem 5.10. Let R and S be ω-relations. We have R «» S iff wpr(R) = wpr(S). □
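The transformers of sections 3 to 5 and the section-5 pre-orders, as an added Python example (not code from the paper) over small constructed state spaces: it checks Theorem 4.16, Property 5.1.2, Proposition 5.8 and Theorem 5.10 on the relations it builds. The function names, the relations R, S, R0, S0 and the string "w" standing for ω are this example's own assumptions.

```python
# Added example: image(R), pre(R), pre*(R) and wpr(R) over a finite state
# space, together with the pre-orders « and » of section 5.  A predicate is
# the frozenset of states where it holds, a relation a frozenset of pairs,
# and the string "w" stands for ω.
from itertools import combinations

W = "w"

def predicates(Q):
    """All predicates over a finite Q, as subsets."""
    items = sorted(Q, key=str)
    return [frozenset(c) for k in range(len(items) + 1) for c in combinations(items, k)]

def image(R, A):
    """R(A), the image of A by R (Properties 4.1)."""
    return frozenset(b for (a, b) in R if a in A)

def pre(R, P):
    """pre(R)(P) = image(R⁻¹)(P): states with some successor in P."""
    return frozenset(a for (a, b) in R if b in P)

def pre_dual(R, P, Q):
    """pre*(R)(P) = ¬pre(R)(¬P): states all of whose successors lie in P."""
    return Q - pre(R, Q - P)

def wpr(R, P, Q):
    """Definition 3.1: every successor of a satisfies P and differs from ω."""
    return frozenset(a for a in Q
                     if all(b in P and b != W for (x, b) in R if x == a))

def theorem_4_16_holds(R, Q):
    """wpr(R)(P) = pre*(R)(P − Ω) for every predicate P, where Ω = {ω}."""
    return all(wpr(R, P, Q) == pre_dual(R, P - {W}, Q) for P in predicates(Q))

def property_5_1_2_holds(R, S, Q):
    """wpr(R∪S)(P) = wpr(R)(P) ∩ wpr(S)(P) for every P."""
    return all(wpr(R | S, P, Q) == wpr(R, P, Q) & wpr(S, P, Q)
               for P in predicates(Q))

def below(R, S):
    """R « S (Proposition 5.4): every pair of R is in S, or S may loop there."""
    return all((a, b) in S or (a, W) in S for (a, b) in R)

def above(R, S):
    """R » S (Definition 5.6) is S « R."""
    return below(S, R)

def wpr_leq(R, S, Q):
    """wpr(R) ⊆ wpr(S) as predicate transformers."""
    return all(wpr(R, P, Q) <= wpr(S, P, Q) for P in predicates(Q))

def proposition_5_8_holds(R, S, Q):
    """R » S iff wpr(R) ⊆ wpr(S)."""
    return above(R, S) == wpr_leq(R, S, Q)

def tc_equivalent(R, S):
    """R «» S (Definition 5.9)."""
    return below(R, S) and below(S, R)

def theorem_5_10_holds(R, S, Q):
    """R «» S iff wpr(R) = wpr(S)."""
    same = all(wpr(R, P, Q) == wpr(S, P, Q) for P in predicates(Q))
    return tc_equivalent(R, S) == same

# Constructed ω-relations on Q = {0, 1, ω}: from 0 the program ends in 0 or 1,
# from 1 it may loop.  S adds a terminating path from 1, which changes nothing
# for total correctness because (1, ω) is already present.
Q = frozenset({0, 1, W})
R = frozenset({(0, 0), (0, 1), (1, W), (W, W)})
S = R | {(1, 0)}
# A constructed pair in the spirit of the section-5 counterexample: distinct
# relations on {0, ω} whose wpr is λP.⊥ in both cases.
Q0 = frozenset({0, W})
R0 = frozenset({(0, W), (W, W)})
S0 = frozenset({(0, 0), (0, W), (W, W)})

def all_checks():
    return {"4.16": theorem_4_16_holds(R, Q) and theorem_4_16_holds(S, Q),
            "5.1.2": property_5_1_2_holds(R, S, Q),
            "5.8": proposition_5_8_holds(R, S, Q) and proposition_5_8_holds(S, R, Q),
            "5.10": theorem_5_10_holds(R, S, Q) and theorem_5_10_holds(R0, S0, Q0),
            "R0, S0 distinct but equivalent": tc_equivalent(R0, S0) and R0 != S0}
```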
6. HEALTHINESS
Following Dijkstra (Dij 76) a "good" total correctness predicate transformer must satisfy five properties, called "healthiness criteria".
Definition 6.1. Healthiness criteria. Let F be a predicate transformer. We say F is healthy if F satisfies the following five properties:
H1. F(Ω) = ⊥ (recall that Ω denotes the predicate λa.a=ω).
H2. F(∩_i P_i) = ∩_i F(P_i), for every non-empty family of predicates {P_i}_i.
H3. P1 ⊆ P2 ⇒ F(P1) ⊆ F(P2).
H4. F(P1) ∪ F(P2) ⊆ F(P1∪P2), for predicates P1 and P2.
H5. F is continuous. □
Notes: Criteria H1 to H4 were introduced by Dijkstra in (Dij 75); H5 appears in (Dij 76) only. Criterion H2 is Hoare's version (Hoa 78) of the one presented by Dijkstra, which applies only to finite families of predicates. H1 is the version in our model with the state ω of the "law of the excluded miracle", presented by Dijkstra in the form F(⊥) = ⊥.
It is easy to see that criteria H3 and H4 are implied by H2. Hence, in order to check if a pt is healthy it suffices to consider H1, H2 and H5.
Property 5.1.1 tells us immediately that wpr(R) satisfies H2, for every ω-relation R. Concerning the law of the excluded miracle we have the following result:
Proposition 6.2. Let R be an ω-relation. We have wpr(R)(Ω) = ⊥ iff R is total.
Proof: The equation in def. 4.11 can be rewritten pre*(R)(P) = λa.(R(a) ⊆ [P]). Using 4.16 we get wpr(R)(Ω) = pre*(R)(⊥) = λa.(R(a) = ∅), and the result follows. □
As for continuity of wpr(R), we have (Gue 80):
Theorem 6.3. Let R be an ω-relation. The predicate transformer wpr(R) is continuous iff R is boundedly nondeterministic. □
The pleasant conclusion we can draw is that for all programmable relations R, and this includes all semantic relations of programs, the predicate transformer wpr(R) is healthy. The question we want to discuss now is the following: does every healthy predicate transformer correspond to the pt wpr associated to some programmable relation? In other words, is the set {wpr(R) : R is a programmable relation} equal to the set {F : F is a healthy pt}? The answer to this question is provided by the following fundamental theorem:
Theorem 6.4. For a given pt F there exists a programmable relation R such that F = wpr(R) iff F is healthy and such that F(T) = F(¬Ω) and F(T) ⊆ ¬Ω.
Proof. (⇒) Trivial, on account of 6.2 (H1), 5.1.1 (H2), 6.3 (H5), 4.16 (F(T) = F(¬Ω)), and 3.1 (F(T) ⊆ ¬Ω).
(⇐) F*, the dual pt of F, is such that F*(⊥) = F*(Ω), and Ω ⊆ F*(⊥), and, for a non-empty family of predicates {P_i}_i, F*(∪_i P_i) = ∪_i F*(P_i). Let <a> be the predicate λq.q=a, and for a predicate P let [F*](P) be an alternative notation for [F*(P)]. Let us define a relation S by:
S(a) = [F*](⊥) if a = ω,
S(a) = [F*](<a>) − {ω} if a ≠ ω.
Ω ⊆ F*(⊥) implies that S⁻¹(ω) = {ω}.
Now, let P be a predicate such that P ⊆ ¬Ω; if P ≠ ⊥, we have:
S([P] ∪ [Ω]) = S([P]) ∪ S([Ω])
= S(∪_{a∈[P]} {a}) ∪ S(ω)
= ∪_{a∈[P]} S({a}) ∪ [F*](⊥)
= ∪_{a∈[P]} ([F*](<a>) − {ω}) ∪ [F*](⊥), (recall that ω ∉ [P])
= (∪_{a∈[P]} [F*](<a>)) − {ω} ∪ [F*](⊥)
= [F*](∪_{a∈[P]} <a>) − {ω} ∪ [F*](⊥)
= [F*](P) − {ω} ∪ [F*](⊥)
= [F*](P) ∪ [F*](⊥), since Ω ⊆ F*(⊥),
= [F*](P), since F*(⊥) ⊆ F*(P);
if P = ⊥ we have, trivially:
S([⊥] ∪ [Ω]) = S([Ω]) = [F*](⊥) = [F*](P).
Suppose now that P is such that Ω ⊆ P; if P ≠ Ω we have:
S([P] ∪ [Ω]) = S(([P] − [Ω]) ∪ [Ω])
= S([P] − [Ω]) ∪ S([Ω])
= [F*](P − Ω) ∪ [F*](Ω), (using the first part of the proof, since P − Ω ⊆ ¬Ω, plus the hypothesis that F*(⊥) = F*(Ω))
= [F*](P);
if P = Ω we have trivially
S([P] ∪ [Ω]) = S([Ω] ∪ [Ω]) = S([Ω]) = [F*](⊥) = [F*](Ω).
We conclude that, for all P, we have S([P] ∪ [Ω]) = [F*](P), or image(S)(P ∪ Ω) = F*(P), using 4.3. Let R = S⁻¹. Then pre(R)(P ∪ Ω) = F*(P). By duality we get pre*(R)(P − Ω) = F(P). Remarking that R(ω) = {ω}, which means that R is an ω-relation, we arrive at wpr(R)(P) = F(P), using 4.16. Therefore, wpr(R) also satisfies criteria H1 and H5, which implies by 6.2 and 6.3 that R is total and boundedly nondeterministic. □
This theorem suggests that, in our model, the properties F(T) = F(¬Ω) and F(T) ⊆ ¬Ω should be considered as extra healthiness criteria:
Definition 6.1'. Healthiness criteria. To the list in definition 6.1 we add:
H6. F(T) = F(¬Ω)
H7. F(T) ⊆ ¬Ω. □
Criterion H6 together with criterion H2 implies that for all P, F(P) = F(P − Ω): F(P) = F(P ∩ T) = F(P) ∩ F(T) = F(P) ∩ F(¬Ω) = F(P − Ω); this is not surprising, on account of theorem 4.16. This criterion may be interpreted as stating a triviality: to guarantee that a program terminates (F(T)) is to guarantee that it does not go on for ever (F(¬Ω)). Criterion H7 is perhaps more interesting: it may be regarded as a second law of the excluded miracle. In fact it should be interpreted as follows: in order to be able to guarantee that a program terminates (F(T)) we must guarantee that it does start (¬Ω). Of course these kinds of properties are not necessary in Dijkstra's original context, for non-termination is not explicitly formalized there.
We may remark, in passing, that the first law of the excluded miracle, which by property 6.2 is equivalent to the totality of the ω-relation involved, means in fact that any program that starts must either terminate or not terminate. The excluded miracle in this case is the existence of a third possibility. Besides, from this point of view, H5 is also a law of excluded miracle: by property 6.3 it expresses that it is impossible for a program to produce an infinite number of results from a given initial state and yet be guaranteed to terminate for that initial state. We see that criteria H1, H5 and H7 (the "laws of excluded miracles") express properties intrinsic to the kind of relations used to represent programs, whereas criteria H2 (and H3 and H4) and H6 are inherent to the definition of the predicate transformer wpr(R) (cf. 4.16), for they hold for arbitrary ω-relations.
Considering the similarity between H6 and H7 one might wonder whether in the presence of the remaining criteria they are indeed independent. In other words, can we find a pt G1 satisfying H1, H2, H5 and H6 but not H7, and a pt G2 satisfying H1, H2, H5 and H7 but not H6? The following examples show that we can. Let Q = {1,ω}; then ¬Ω is the predicate λq.q=1. Define G1 by:
G1(T) = T, G1(¬Ω) = T, G1(Ω) = ⊥, G1(⊥) = ⊥;
and define G2 by:
G2(T) = ¬Ω, G2(¬Ω) = ⊥, G2(Ω) = ⊥, G2(⊥) = ⊥.
Related to the question of healthiness is the so-called "law of composition" (Hoa 78): do we have wpr(R∘S)(P) = wpr(R)(wpr(S)(P))? Although this property is not valid for ω-relations in general it holds for programmable relations:
Proposition 6.5. Let R and S be ω-relations. If S(ω) = {ω} then wpr(R∘S)(P) = wpr(R)(wpr(S)(P)). □
This proposition, along with propositions 6.2 and 6.3, makes it easy to prove the following important result:
Proposition 6.6. If R and S are programmable relations then R∘S is a programmable relation. □
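As an added Python example (not the paper's code) for this section: it checks the healthiness criteria H1, H2, H6 and H7 on a finite state space, runs the construction from the proof of Theorem 6.4 to rebuild a programmable relation from a healthy pt, and tests the law of composition of Proposition 6.5. G1 and G2 are the two transformers defined above; the relation R3, the relation S_EMPTY, the function names and the string "w" standing for ω are this example's own assumptions.

```python
# Added example: healthiness criteria on a finite state space, the relation
# rebuilt from a healthy pt as in the proof of Theorem 6.4, and the law of
# composition.  Predicates are frozensets of states, a pt is a Python
# function from predicate to predicate, and the string "w" stands for ω.
from itertools import combinations

W = "w"

def predicates(Q):
    items = sorted(Q, key=str)
    return [frozenset(c) for k in range(len(items) + 1) for c in combinations(items, k)]

def wpr(R, Q):
    """Definition 3.1 as a pt: a ∈ wpr(R)(P) iff R(a) ⊆ P − Ω."""
    succ = {a: frozenset(b for (x, b) in R if x == a) for a in Q}
    return lambda P: frozenset(a for a in Q if succ[a] <= P - {W})

def dual(F, Q):
    """F*(P) = ¬F(¬P)."""
    return lambda P: Q - F(Q - P)

def healthiness(F, Q):
    """H1, H2, H6, H7 for a pt on a finite Q.  H3 and H4 follow from H2, and
    H5 (continuity) holds automatically here: an ascending chain of
    predicates on a finite Q is eventually constant."""
    preds = predicates(Q)
    top, omega = frozenset(Q), frozenset({W})
    h2 = all(F(frozenset.intersection(*fam)) == frozenset.intersection(*(F(P) for P in fam))
             for k in range(1, len(preds) + 1) for fam in combinations(preds, k))
    return {"H1": F(omega) == frozenset(), "H2": h2,
            "H6": F(top) == F(top - omega), "H7": F(top) <= top - omega}

def relation_from_pt(F, Q):
    """R = S⁻¹ with S(ω) = [F*](⊥) and S(a) = [F*](<a>) − {ω} for a ≠ ω,
    as in the proof of Theorem 6.4 (<a> is the predicate λq.q=a)."""
    Fd = dual(F, Q)
    S = {(W, b) for b in Fd(frozenset())}
    for a in Q - {W}:
        S |= {(a, b) for b in Fd(frozenset({a})) - {W}}
    return frozenset((b, a) for (a, b) in S)

def same_pt(F, G, Q):
    return all(F(P) == G(P) for P in predicates(Q))

def is_programmable(R, Q):
    """ω-relation and total; bounded nondeterminacy is automatic on a finite Q."""
    w_rel = all(b == W for (a, b) in R if a == W)
    total = all(any(a == q for (a, _) in R) for q in Q)
    return w_rel and total

def compose(R, S):
    """First R then S, the paper's R∘S."""
    return frozenset((a, c) for (a, b) in R for (b2, c) in S if b == b2)

def law_of_composition_holds(R, S, Q):
    """wpr(R∘S)(P) = wpr(R)(wpr(S)(P)) for every P (Proposition 6.5)."""
    lhs, wr, ws = wpr(compose(R, S), Q), wpr(R, Q), wpr(S, Q)
    return all(lhs(P) == wr(ws(P)) for P in predicates(Q))

# The two transformers G1 and G2 from the text, on Q = {1, ω}.
Q2 = frozenset({1, W})
T2, NOT_OMEGA, OMEGA, BOT = Q2, frozenset({1}), frozenset({W}), frozenset()
G1 = {T2: T2, NOT_OMEGA: T2, OMEGA: BOT, BOT: BOT}.__getitem__
G2 = {T2: NOT_OMEGA, NOT_OMEGA: BOT, OMEGA: BOT, BOT: BOT}.__getitem__

# A constructed programmable relation on Q = {1, 2, ω}: from 1 the program
# ends in 1 or 2, from 2 it loops.  The relation rebuilt from wpr(R3) by the
# theorem's construction differs from R3 yet has the same wpr (cf. Theorem 5.10).
Q3 = frozenset({1, 2, W})
R3 = frozenset({(1, 1), (1, 2), (2, W), (W, W)})
# A constructed ω-relation with S(ω) = ∅: the law of composition fails for it,
# since (2, ω) ∈ R3 contributes nothing to R3∘S_EMPTY but still rules 2 out of wpr(R3).
S_EMPTY = frozenset({(1, 1), (2, 2)})

def rebuilt_relation():
    return relation_from_pt(wpr(R3, Q3), Q3)
```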
7. CONCLUSION
Theorem 6.4, which is the main result in this paper, supports our conviction that programmable relations are an interesting concept in the study of nondeterminacy. They were used, in particular, to introduce a relational weakest precondition total correctness predicate transformer. In order to prove that this predicate transformer corresponds indeed to the one proposed by Dijkstra (Dij 75, Dij 76) it is necessary to provide a semantics of the language of guarded commands in terms of programmable relations, and then to derive the associated predicate transformers and show that they coincide with Dijkstra's axiomatic definition. This problem was treated in (Gue 80) and (Gue 81). Other issues that can be dealt with satisfactorily with programmable relations are the study of so-called invariants and the characterization of the termination of repetitive commands. These questions are considered in detail in (Gue 81).
REFERENCES
(Bac 79) R.-J. Back, "Semantics of unbounded nondeterminism". Proceedings ICALP 80, Lect. Notes Comp. Sci. 85, Springer (1980).
(Dij 75) E.W. Dijkstra, "Guarded commands, nondeterminacy and formal derivation of programs". CACM 18,8 (August 1975), pp. 453-457.
(Dij 76) E.W. Dijkstra, "A Discipline of Programming". Prentice Hall (1976).
(Gue 80) P. Guerreiro, "A relational model for nondeterministic programs and predicate transformers". Fourth International Colloquium on Programming, Paris, Lect. Notes Comp. Sci. 83, Springer (1980), pp. 136-146.
(Gue 81) P. Guerreiro, "Sémantique Relationnelle des Programmes Non-déterministes et des Processus Communicants". Thèse de 3ème Cycle, Univ. Grenoble I (July 1981).
(Har 79) D. Harel, "On the total correctness of nondeterministic programs". IBM Research Report RC7691 (1979).
(Hoa 78) C.A.R. Hoare, "Some properties of predicate transformers". JACM 25,3 (July 1978), pp. 461-480.
(Roe 76) W.P. de Roever, "Dijkstra's predicate transformer, non-determinism, recursion and termination". Math. Found. Comp. Sci. 1976, Lect. Notes Comp. Sci. 45, Springer (1976), pp. 472-481.
(Sif 79) J. Sifakis, "A unified approach for studying properties of transition systems". Rapport de Recherche 179, IMAG, Grenoble (December 1979). To appear in Theoretical Computer Science.
(Wan 77) M. Wand, "A characterization of weakest preconditions". Journal of Computer and Systems Sciences 15 (1977), pp. 209-212.