Up to this point, the semantics of the commands is determined by the relation between precondition and postcondition. This point of view is too restricted for the treatment of concurrent programs and reactive systems. The usual example is that of an operating system which is supposed to perform useful tasks without ever reaching a postcondition.

For this purpose, the semantics of commands must be extended by consideration of conditions at certain moments during execution. We do not want to be forced to consider all intermediate states or to formalize sequences of intermediate states. We have chosen the following level of abstraction. To every procedure name h, a predicate z.h is associated. The temporal semantic properties of a command q depend on the values of z.h.x for the procedure calls, say of procedure h in state x, induced by execution of command q. The main properties are ‘always’ and ‘eventually’, which are distinguished by the question whether z.h.x should hold for all induced calls or for at least one induced call. The concept of ‘always’ is related to stability and safety. The concept of ‘eventually’ is related to progress and liveness.

In this chapter, we regard nontermination of simple commands as malfunctioning and nontermination of procedures as potentially useful infinite behaviour. We therefore use wp for the interpretation of simple commands and wlp for procedure calls.

This book is about programs as mathematical objects. We focus on one of the aspects of programs, namely their functionality, their meaning or semantics. Following Dijkstra we express the semantics of a program by the weakest precondition of the program as a function of the postcondition. Of course, programs have other aspects, like syntactic structure, executability and (if they are executable) efficiency. In fact, perhaps surprisingly, for programming methodology it is useful to allow a large class of programs, many of which are not executable but serve as partially implemented specifications.

Weakest preconditions are used to define the meanings of programs in a clean and uniform way, without the need to introduce operational arguments. This formalism allows an effortless incorporation of unbounded nondeterminacy. Now programming methodology poses two questions. The first question is, given a specification, to design a general program that is proved to meet the specification but need not be executable or efficient, and the second question is to transform such a program into a more suitable one that also meets the specification.

We do not address the methodological question how to design, but we concentrate on the mathematical questions concerning semantic properties of programs, semantic equality of programs and the refinement relation between programs. We provide a single formal theory that supports a number of different extensions of the basic theory of computation. The correctness of a program with respect to a specification is for us only one of its semantic properties.

This chapter is devoted to the formal definition of the semantics of sequential composition, unbounded choice and recursion and to the proofs of the properties of commands that were introduced and used in the previous chapters. The semantics of the simple commands is taken for granted, but otherwise the reader should not rely on old knowledge but only use facts that have already been justified in the new setting. At the end of the chapter, the foundations of the previous chapters will be complete.

Some examples of the theory are given in the exercises at the end of the chapter. The text of the chapter has almost no examples. One reason is that the chapters 1, 2 and 3 may be regarded as examples of the theory. On the other hand, every nontrivial example tends to constitute additional theory.

In Section 4.1, we introduce complete lattices and investigate the lattice of the predicate transformers and some important subsets. Section 4.2 contains our version of the theorem of Knaster–Tarski. A syntactic formalism for commands with unbounded choice is introduced in Section 4.3.

Section 4.4 contains the main definition. From the definition on simple commands, the functions wp and wlp are extended to procedure names and command expressions. In Sections 4.5 and 4.6, the healthiness laws, which are postulated for simple commands, are extended to procedure names and command expressions.

In this chapter we fulfil the remaining proof obligations of Chapter 12. Section 13.1 contains a strengthened version of Theorem 4(8), our version of the theorem of Knaster-Tarski. In Section 13.2, we provide the basic set-up, in which we need not yet distinguish between wp and wlp. Section 13.3 contains the construction of the strong preorder and the proofs of rule 12(4) and a variation of rule 12(5). In this way, the proof of the accumulation rule 12(5) is reduced to the verification of two technical conditions: sup-safety (for wp) and inf-safety (for wlp). These conditions comprise the base case of the induction and a continuity property.

In Section 13.4, the base case is reduced to a condition on function abort⊙. Section 13.5 contains the proof for inf-safety. Section 13.6 contains the definition of the set Lia and the proof for sup-safety. In Sections 13.7 and 13.8 we justify the rules for Lia stated in Section 11.2.

It may seem unsatisfactory that, in the presence of unbounded nondeterminacy, computational induction needs such a complicated theory. The examples in Sections 11.7 and 12.4, however, show that the accumulation rules 11(6) and 12(5) need their complicated conditions. Therefore, corresponding complications must occur in the construction or in the proofs.

The purpose of this book is to develop the semantics of imperative sequential programs. One prerequisite for reading is some familiarity with the use of predicates in programming, as exposed for instance in the books [Backhouse 1986], [Dijkstra 1976], or [Gries 1981]. Some mathematical maturity is another prerequisite: we freely use sets, functions, relations, orders, etc. We strive for providing complete proofs. This requires many backward references but, of course, the reader may sometimes prefer to ignore them. Actually, at every assertion the reader is invited to join the game and provide a proof himself.

In every chapter, the formulae are numbered consecutively. For reference to formulae of other chapters we use the convention that i(j) denotes formula (j) of Chapter i.

At the end of almost every chapter we give a number of exercises, grouped according to the latest relevant section. When referring to exercise i.j.k, we mean exercise k of Section i.j. Some exercises are simple tests of the reader's apprehension, while other exercises contain applications and extensions of the main text. For (parts of) exercises marked with ♡ we provide solutions in Chapter 16.

References to the literature are given in the form [X n], for author X and year n, possibly followed by a letter.

Semantics of imperative sequential programs

The word ‘semantics’ means ‘meaning’. In the title of this book, it announces two central themes. The meaning of a program is given by its specification.

In this chapter, we start again from scratch. Now the meaning of a command is not defined by means of the functions wp and wlp, but by means of the input–output relation of a command. This point of view is closer to the intuitive ideas of most programmers, but —in our view— it is less adequate for program development.

The relational point of view is useful for the analysis of special properties of commands such as totality, termination and determinacy. It provides easy definitions or characterizations of composition, nondeterminate choice, guards and assertions. All these concepts can therefore be treated in this chapter.

When the relational point of view is used in the analysis of repetitions or recursive procedures, one needs to consider finite and infinite sequences of states, usually accompanied by many case distinctions. Such operational reasoning can be useful or necessary, but it is preferable to avoid it whenever possible. We introduce some of the necessary techniques in Chapter 9. It is used only in Chapters 14 and 15.

Although we use the definitions of Section 1.1 and some other concepts introduced in Chapters 1 and 3, this chapter is largely independent of the previous chapters. In fact, it can be read to support them.

In Section 6.1, we introduce (input–output) relations and their weakest preconditions, and we show that relations when interpreted as commands satisfy the healthiness laws introduced in Section 3.2. In Section 6.2, we give the relational interpretation of guards, sequential composition and nondeterminate choice.

In this chapter we present a number of more or less isolated extensions of the fundamental concepts. They broaden the view but have no high priority. We do not need the theory of Chapter 4.

In Section 5.1 we give our version of refinement of commands. Refinement is a very important concept in programming methodology. In this book it plays a less prominent rôle. It occurs in some exercises and it comes again to the fore in Chapter 12. Section 5.2 contains an example where a refinement between procedures is proved by means of the induction rules of Section 2.7.

In Section 5.3 we introduce the calculational method of insertion of guards. This method can be regarded as an alternative to annotation. It is especially useful for proofs of semantic equality. In Section 5.4 this method is used to handle a complicated example that is needed in Chapter 12.

Section 5.5 contains a discussion of strongest postconditions.

In Section 5.6 we prepare the ground for an extension of the termination argument used in Theorem 2(16). The harvest is reaped in Section 5.7, where we present a generalization of Theorem 2(16) and a Necessity Rule for wlp.

Refinement and relative refinement

The function of a compiler is to transform programs written in some high-level programming language, say Pascal, into machine instructions.

The nondeterminacy considered thus far in this monograph was loose in the sense of [Park 1979]: any choice or sequence of choices allowed by the command is acceptable behaviour of the implementation, but the fact that a choice is allowed does not mean that it can ever occur.

While reasoning about concurrent computations, and in the design of communicating processes, we have to deal with unpredictable execution, which is yet not completely loose. We may want to assume that a computation delegated to another process eventually yields an answer or that, if a stream of messages is sent, eventually an acknowledgement comes back.

Such assumptions are called fairness assumptions. Fairness is a subject in itself with a highly operational flavour. There are many different kinds of fairness, cf. [Francez 1986] and [Lehmann e.a. 1981], but it seems that most definitions cannot elegantly be expressed in terms of predicate-transformation semantics. Therefore, we restrict ourselves to predicative fairness, a kind of fairness proposed in [Morris 1990] and [Queille-Sifakis 1983].

In the literature, fairness is usually treated only for repetitions. In [Morris 1990], fairness of tail-recursive procedures without mutual recursion is treated. We give a definition applicable to arbitrary procedures. Our formalization is in agreement with the treatment of loc.cit. in the case of tail recursion. Mutual recursion and ‘calls before the tail’ seem to be adequately treated. Our formalization leads to overly optimistic specifications if a procedure body contains sequentially ordered recursive calls.

We come back to the informal description of wp and wlp given in Section 1.2. This description is used to justify two more postulates concerning wp and wlp, the so-called healthiness laws. These postulates are due to [Dijkstra 1976]). They are theorems of the standard relational semantics, but in predicate-transformation semantics they need not be imposed. In fact, recently, some investigators (cf. [Backvon Wright 1989b], [Morgan-Gardiner 1990]) have proposed specification constructs that lead to violations of the laws (so these constructs cannot be expressed in relational semantics). Command serve from the second example in 1.2 belongs to this category.

In the remainder of this book the healthiness laws are imposed since they form the natural boundary of the theory of Chapter 4. Another reason for imposing them is that they hold for all practical imperative languages and for the relational model of computation (see Chapter 6).

In this chapter, we introduce the laws with an informal justification and we treat the main formal implications.

Conjunctivity properties of predicate transformers

Since the healthiness laws prescribe certain properties of the predicate transformers wp.c and wlp.c for commands c, it is useful to introduce these properties for arbitrary predicate transformers.

In this chapter, we develop syntactic criteria on commands, which imply disjunctivity properties for their weakest preconditions. We suppose that the disjunctivity properties of the simple commands are known and try to generalize these properties to procedures and composite commands. From this chapter onward, the theory of Chapter 4 is indispensable.

In Section 8.1 we introduce, for a given set R of predicate transformers, a set of commands called the syntactic reflection Sy.R of R. The main property is that wp.q ∈ R for all q ∈ Sy.R. In Section 8.2 we provide methods to prove that a command belongs to the syntactic reflection.

In Section 8.3 the theory is specialized to the case that R is characterized by a disjunctivity property. Section 8.4 contains the next specialization, namely to the classes of total commands, of disjunctive commands, and of finitely nondeterminate commands. For our purposes the first two classes merely serve as examples or test cases. Our real aim is the class of the finitely nondeterminate commands. It is this class, or rather its syntactic reflection, that plays a key role in Chapters 11 and 13.

Syntactic reflection of semantic properties

Throughout this section we let R be a sup-closed subset of MT. We are interested in syntactic criteria on commands c ∈ A⊙ that imply wp.c ∈ R. Our solution consists of an algebraic definition of a subset Sy.R of A⊙ with wp.q ∈ R for all q ∈ Sy.R.

In this chapter, we reconcile the definition of the semantics of recursive procedures, cf. Chapter 4, with the relational semantics of Chapter 6. The idea is that the two semantical paradigms meet halfway. Therefore, the chapter consists of two parts.

The first part is based on predicate-transformation semantics, cf. Chapter 4. In Section 9.1, we describe the stack implementation of recursive procedures. This implementation can be regarded as an interpreter: the whole recursive declaration is interpreted by means of a tail-recursive procedure with a stack of continuations as a value parameter. The correctness of the interpreter is proved in Section 9.2.

In the second part of the chapter we treat the relational semantics of recursive procedures. This is done in two steps. In Section 9.3, we define the relational semantics of a tail-recursive declaration by means of a transitive closure in a graph of configurations. By Chapter 6, these relational semantics induce predicate transformers. We then show that the predicate transformers correspond to wp and wlp as defined for such a declaration in Chapter 4. In Section 9.4, the ideas and results of the preceding sections are combined. The stack implementation of 9.1 is combined with the relational semantics of tail recursion (cf. Section 9.3) to define the relational semantics of an arbitrary recursive declaration. The results of 9.2 and 9.3 imply that these relational semantics correspond to the predicate-transformation semantics of Chapter 4.