Indexed and fibered structures for partial and total correctness assertions

Abstract Hoare Logic has a long tradition in formal verification and has been continuously developed and used to verify a broad class of programs, including sequential, object-oriented, and concurrent programs. Here we focus on partial and total correctness assertions within the framework of Hoare logic and show that a comprehensive categorical analysis of its axiomatic semantics needs the languages of indexed and fibered category theory. We consider Hoare formulas with local, finite contexts, of program and logical variables. The structural features of Hoare assertions are presented in an indexed setting, while the logical features of deduction are modeled in the fibered one.

and formulas. Also, as shown in Examples 1, 2, and 3, this is the precise way a programmer writes and understands Hoare triples. Moreover, in current implementations of Hoare Logic as Bubel and Hähnle (2016), Martini (2020), Pierce et al. (2018a,b) and in programming languages which support specifications based on pre-and postconditions like Leino (2010), the programmer must explicitly declare the program and logical variables that appear in the Hoare specification. In other words: Our decision to use finite contexts of variables is a reasonable choice backed up by two essential rationals. First, the methodology enforced by a categorical treatment of logics and type theories leads naturally to the use of finite contexts. Second, we want to represent faithfully the essential components of Hoare specifications in programming practice. Program code, logical formulas, and variable declarations are always finite objects in the mind of the working programmer. Thus, our main goal here is to transform the global infinitary version of the Hoare logic for whileprograms, presented in Section 2, into an equivalent local, finitary version. Our hope is that this finitary version of the Hoare logic for while-programs can serve as a blueprint for the design and study of Hoare style logics for other kinds of programs.
After developing a general and structured presentation of a finitary version of Hoare logic based on indexed categories, we have, at least, three reasons to move from the indexed setting to the fibered one. First, the fibered setting will allow us to put all the syntactic and semantic structures, developed so far, on a common conceptual ground and to relate and extend them. Second, it is technically quite uncomfortable to work with pseudo functors. To work instead with fibrations, the equivalent of pseudo functors is more reasonable and technically, less akward. Third, the essential reason in the light of logic is, however, that we need a "technological space" where logical deduction can take place.
The aim of this work is neither to replace traditional set-theoretical descriptions of logics by a corresponding categorical generalization nor to coin an axiomatization of just another abstract categorical framework for logics in the line of (partial) hyperdoctrines (Knijnenburg and Nordemann 1994), institutions (Goguen and Burstall 1992), and context institutions (Pawlowski 1995). Our aim is, in contrast, to demonstrate how indexed and fibered structures can be used, in a flexible and creative way, to model and reason about logical systems and to present how the syntactic and the semantic constituents of logical systems interplay with each other.
There are several categorical formalization's of Hoare logics on relatively high levels of abstraction and generality and our paper does not add much novelty to these papers. In Computer Science (as in many other branches of science), there is a "technological chain" which appears often as a "chain of abstractions and generalizations." Each step in this chain -in both directions from concrete to more abstract as well as from abstract to more concrete -is important and requires a substantial effort. To keep a certain branch of science alive, we have to maintain and to take care of the whole technological chain. Mathematics focuses traditionally at "most general results." It is, however, a social fact that the problem-solving strategy "look for the right most general result and instantiate it adequately to solve your concrete problem" is not feasible for the majority of us. In view of these remarks, one novelty of the paper is a new description of a first step of abstraction from Hoare logic in programming practice to a categorical formalization of Hoare logic.
The paper is organized as follows. To provide a unified and common ground for our categorical analysis, we recapitulate, first, in Section 2 basic concepts and constructions for our imperative language, and Hoare Logic. Section 3 analyzes the structural features of the Hoare logic with finite contexts of program and logical variables by means of indexed concepts. In Section 4, we transform, by means of the Grothendieck construction, the indexed functors into fibrations and we discuss Hoare triples and Hoare deduction calculus in the light of the corresponding fibered categories. Section 5 discusses how our work is related to other work in the "technological chain" and identifies, in more detail, novel contributions of the paper. We close the paper by a summary of the essential ideas treated in this discussion, that is to say, that the structural features of the language are presented in indexed categories while the features of deduction are in the fibered one. Moreover, we outline further work.

Background Material
In this section, we describe the syntax and semantics of our imperative language. We also present the fundamental concepts of Hoare Logic, that is, its semantics and proof theory, and the core ideas underlying indexed and fibered categories.

The Syntax of IMP
This subsection describes the abstract syntax of our imperative language, called IMP. This is a small language equipped with array expressions, with which we can describe computations over the integers. In order to describe its abstract syntax, we need to fix some basic sets for values and variables. The set B = {true, false} of Boolean values, ranged over by metavariables u, v, . . .; the set Z = {. . . , −2, 1, 0, 1, 2, . . .} of integer numbers, ranged over by metavariables m, n, . . .; a countably infinite set PVar of program variables, ranged over by metavariables x, y, . . ., and a countably infinite set of array variables AVar ranged over by metavariables a, a i , i ≥ 0. We assume the sets PVar and AVar to be disjoint.
The grammar for IMP comprises three syntactic categories: AExp, for arithmetic expressions, ranged over by e, e , . . .; BExp, for Boolean expressions, ranged over by b, b , . . ., and Prg, for programs, ranged over by c, c , . . . The following productions define the abstract syntax of IMP : In order to evaluate an expression or to define the execution of a command, we need the notion of a state. This state has to define values for both program and array variables. A state for program variables is a function σ P : PVar → Z, while a state for array variables is a function σ A : AVar → (Z → Z), where (Z → Z) is the set of all functions from integers to integers. We use the integers both as indexes and as values. It is up to the programmer to guarantee that index values are always greater or equal to zero. Thus, a state σ is the disjoint union σ σ P σ A : PVar AVar −→ Z (Z → Z), such that σ (var) = σ P (var) if x ∈ PVar and σ (var) = σ A (var), if var ∈ AVar. The collection of all such states is named . Given a state σ P and a program variable x ∈ PVar, we denote by σ P [x → n] a new state that is everywhere like σ P , except on x, where it is updated to the value n. The signature or type of the state update operator is _[_ → _] : (PVar → Z) → PVar → Z → (PVar → Z). Note that the type of σ P [x → n] asserts that it is also a state for program variables. Likewise, given an array a and an array variable a ∈ AVar, we denote by a[i → n] a new array, that is everywhere like a but on index i, where it is updated to the value n. The signature or type of the array update operator is _[_ → _] : (Z → Z) → Z → Z → (Z → Z). Note that the type of a[i → n] asserts that it is also an array, that is, a function from integers to integers.

Semantics of IMP
In this subsection, we specify the formal semantics of IMP. The meaning of arithmetic expressions is defined by primitive recursion on the syntactic structure of the formulas, while the interpretation of programs is given by a transition operational semantics. The following equations define a total function that, given a state σ = σ P σ A , maps arithmetic expressions to integers, and Boolean expressions to Boolean values. We assume aop ∈ {+, −, ×}, rop ∈ {=, ≤}, and bop ∈ {∧, ∨}.
In structural operational semantics, the emphasis is on the individual steps of the execution. The semantics relates pairs of configurations δ −→ δ of the form δ = c, σ , where c ∈ Prg, σ ∈ . Terminal configurations have the form skip, σ . The transition relation c, σ −→ c , σ expresses the first step of the execution of c from state σ . There are two possible outcomes.If δ is of the form c , σ , c = skip then the execution of c from σ is not completed. Otherwise, if δ = skip, σ then the execution of c from σ has terminated with final state σ . The single steps of the structural operational semantics of IMP programs is defined by the rules presented in Table 1. A derivation sequence or execution of a program c starting in state σ is either: a finite se- The expression δ 0 * −→ δ k indicates that the execution from δ 0 and δ k has a finite number of steps, where * −→ is the reflexive, transitive closure of the relation −→.
Definition 1 (Semantics of Programs). The transition relation −→ between configurations defines the meaning of programs as a partial function from states to states:

Hoare Logic
The central feature of Hoare logic are the Hoare triples or, as they are often called, partial correctness assertions. We use both expressions interchangeably. A Hoare triple describes how the execution of a piece of code changes the state of the computation, and it is of the form {P} c {Q}, where P, Q are assertions in a specification language and c ∈ Prg is a IMP program. P is called the precondition and Q the postcondition of the triple. It means that for any state satisfying P, if the execution of c terminates, then the resulting state is a state satisfying Q. Apart from partial correctness assertions, we also have total correctness assertions, expressions of the form [P] c [Q]. It means that for any state satisfying P, the execution of c terminates, and the resulting state is a state satisfying Q. Thus, total correctness is guaranteed by construction. We use the expressions total correctness assertions and total Hoare triples interchangeably.
Remark 1 (Language of assertions). We use the language of first-order logic to write assertions about computations over the integers. These assertions are built on top of program variables (PVar), array variables (AVar), and logical variables. We assume a countably infinite set LVar of logical variables, and such that PVar, AVar, LVar are mutually disjoint. The logical variables are the standard variables of first-order logic. They do not appear in programs. Their use in assertions are limited to write quantified formulas and also to save values of program variables in initial states. In the concrete examples of Hoare triples bellow, program and array variables are written in lowercase, while logical variables are capitalized. The language of assertions is named Assn.
Example 1 (Program Swap). The Hoare triple asserts the partial and total correctness of a program that swaps the values of two program variables.
Example 2 (Program Find). The Hoare triple {Pre}init; while B; do body; od{Pos} asserts the partial and total correctness of a program that performs a linear search in an array of integers, where Pre n = Length ∧ Length ≥ 0 ∧ key = K and = key)). Moreover, we take init index := −1; i := 0, B (i < n) ∧ (index = −1) and body if (a[i] = key) index = i else skip fi; i := i + 1.
Example 3 (Insertion Sort). The Hoare triple {Pre}i := 1; while B do j := i; while C do body 2 od i := 1 + 1 od{Pos} asserts the partial and total correctness of a program that sorts an array of integers. The array a is assumed to have length denoted by the logical variable Length. For this example, we abstract the property that the output array must be a permutation of the input array. We also assume that The examples of Hoare triples above show that the arithmetic expressions used in the language of assertions contain logical variables as well. These extended language of arithmetic expressions is called AExp + and this language do not appear in programs, only in the language of assertions. The syntax and semantic of extended arithmetic expressions needs to get a little fix, that is, the syntax must include logical variables and the semantics needs an environment (Huth and Ryan 2004), also called assignment (Loeckx and Sieber 1987), for free logical variables. An environment for the (free) logical variables in an assertion is a function α : LVar → Z. The set of all such environments is Env = (LVar → Z). e ∈ AExp + :: In what follows, we assume the reader is familiar with the satisfaction relation between structures and formulas in first-order logic. See for instance Loeckx and Sieber (1987), Huth and Ryan (2004). However, in traditional exposition of logic like these and others, the satisfaction relation |= is a subset of the Cartesian product Env × Assn. We have to consider states for program and array variables as well. Thus, our satisfaction relation, needed to define the semantics of Hoare triples, is a subset (_ , _) |= _ ⊆ ( × Env) × Assn. The notation (σ , α) |= A states that the program assertion A is true at a state σ and environment α. A program assertion A is called (arithmetic) valid, We say that a partial correctness assertion {P} c {Q} is true at a state σ ∈ and in an environment α : Likewise, we say that a total correctness assertion [P] c [Q] is true at a state σ ∈ and in an environment α : . Note that total correctness implies partial correctness.
The following rules of the Hoare Proof Calculus define inductively the theorems of the Hoare Logic for total correctness assertions over IMP programs. Removing the rule TWh, we have a calculus for partial correctness assertions. Note that every occurrence of a program or an array variable in an assertion is free. Only logical variables can be bound (by means of quantification). In the rule for Ass bellow, the expression Q[x/e] means the simultaneous replacement of every (free) occurrence of the program variable x in the assertion Q by the arithmetic expression e. By the same token, in the rule AAss, the expression Q[a/a[e → e ]] means the simultaneous replacement of every (free) occurrence of the array variable a by the new array a[e → e ]. In the rule TWh, M is a measure function (loop variant) on a set D equipped with a well-founded order (D, < ) (usually the set of natural numbers).

Categories and Fibrations
We assume the reader has a working knowledge of first-order logic, that is, its language, and basic model and proof theory. Likewise, the reader is required to have familiarity with the language of category theory, including basic limits and colimits constructions, as well as with the concepts of functors and natural transformations. However, in order to improve readability, we list in Table 2 all categories introduced and used in the paper and give a quick introduction to fibrations, which follows below. The interplay between fibered and indexed constructions, we will rely on in this paper, is quite well-known. Indexed families of sets (X i ) i∈I and display maps ϕ : X → I be considered as the motivating set-theoretical concepts for their categorical counterparts, indexed and fibered categories, respectively. These concepts are actually equivalent. Given a family of sets (X i ) i∈I , we take X to be the disjoint union i∈I X I = {(x, i) | x ∈ I, i ∈ I}. This construction comes equipped with a projection function π : i∈I X I → I, (x, i) → i. Conversely, given a function ϕ : X → I, we take X I ϕ −1 (i). The sets ϕ −1 (i) are called the fibers of X. This defines a collection (X i ) i∈I together with an isomorphism X ∼ = i∈I X I .
Definition 2 (Fibers). For any functor P : C → Ind, the fiber C i over an object i of Ind is the subcategory of C given by the collection of objects a such that P(a) = i, and the arrows u : c → c of C for which P(u) = id i .
The idea of substitution can be seen as a motivation for the concept of Cartesian arrow. Consider a family ψ : Y → J over a set J. Substitution involves changing the index of the set J. Thus substitution along a function u : I → J involves creating a family of sets with the domain I of u as the new index set, and with fibers Y u(i) for i ∈ I. Thus, the family (Y j ) j∈J is mapped to a family (X i ) i∈I with X i = Y u(i) . This family can be obtained from the pullback of ψ against u: In this way, we obtain a new family ϕ : X → I over I, with fibers u(i) . One normally writes u * (ψ) for the result ϕ of substituting ψ along u. The higher-order function u * is called the substitution function (functor).
(1) An arrow f : x → y in C is Cartesian over u : i → j in Ind, if P(f ) = u and every g : z → y in C for which one has P(g) = w; u for some w : P(z) → i, uniquely determines an h : z → x in C above w with g = h; f . We call f : x → y in the total category C Cartesian if it is Cartesian over its underlying u = P(f ) in Ind.
(2) The functor P : C → Ind is a fibration if for every object y in C and every u : i → P(y) in Ind, there is a Cartesian arrow f : x → y in C above u. This Cartesian arrow is also called a Cartesian lifting of u.

Hoare Logic and Indexed Categories
In this section, we analyze the Hoare logic of while-programs by means of indexed categories and indexed functors (natural transformations) between them. We are interested to answer, at least partially, the fundamental question "What are the characteristic structural features of Hoare logic?" One basic structural feature of a Hoare logic we observed already, namely that a Hoare logic is defined in three steps: First, we define an appropriate concept of state and develop a corresponding suitable logic of states. Second, we define the syntax of programs as well as their semantics as state transforming entities. Third, we build a logic of programs based on the idea that a state transformation is reflected by a corresponding transformation of state assertions (predicates). We will proceed our analysis along this three step procedure.
In Section 2, the context of all programs is the same infinite set of program variables; thus, states are infinite "global" entities and assertions are defined, correspondingly, as statements about infinite "global entities." The fact that a program, as a finite entity build upon a finite set of program variables, changes only a finite fragment of an infinite global state remained implicit in the definitions.
However, in our categorical modeling of Hoare logic we consider Hoare triples as logical formulas in finite contexts of program and logical variables. As shown in Examples 1, 2, and 3, this is the precise way a programmer writes and understands Hoare triples. This understanding is aligned with modern approaches to the formalization of logics and type theories as in Crole (1993), Jacobs (2001), Pitts (2000), for example. Moreover, in current implementations of Hoare Logic as Bubel and Hähnle (2016), Martini (2020), Pierce et al. (2018a,b) and in programming languages which support specifications based on pre-and postconditions like Leino (2010), the programmer must explicitly declare, alongside the program, the program and logical variables that appear in the specification of the program. In other words: Our decision to use finite contexts of variables is a reasonable choice backed up by two essential rationals. First, the methodology enforced by a categorical treatment of logics and type theories leads naturally to the use of finite contexts.
Second, we want to represent faithfully the essential components of Hoare specifications in programming practice. Program code, logical formulas and variable declarations are always finite objects in the mind of the working programmer.
So, our second objective is to transform the global infinitary version of the Hoare logic for while-programs, presented in Section 2, into an equivalent local finitary version. Our analysis will be based on indexed and fibered concepts and structures, as presented, for example, in Martini et al. (2007), since these are the tools of choice to describe and reason about the structures arising by the transformation of monolithic infinite entities into infinite collections of inter-related finite entities.

Logic of local states
For our analysis of the structural features of Hoare logics, the distinction between program variables PVar and array variables AVar is irrelevant; thus, we work, from now on, only with the set Var PVar AVar where we refer to the elements of Var also simply as "program variables." Contexts and Local States: Any program c will at most change the values of the program variables in the finite set pvr(c) ⊆ Var of all program variables appearing in c. 1 Program c may, however, be part of different bigger programs c ; thus, we should consider any finite set γ ⊆ Var with pvr(c) ⊆ γ as a potential context of c. Therefore, we transform the infinite set Var of program variables into the partial order category 2 Cont with |Cont| ℘ fin (Var), that is, the set of all finite contexts, and with morphisms all inclusion functions in γ ,γ : γ → γ corresponding to inclusions γ ⊆ γ .

Extended Contexts and Local State Assertions:
In Hoare logic, assertions are used to describe properties of states. Assertions are built upon expressions which, in turn, are built upon program variables and logical variables. Only logical variables are quantified in assertions and the semantics of expressions and assertions depends only on program variables and free logical variables. An assertion contains, besides finitely many program variables, only finitely many logical variables. Thus, we will work, besides contexts γ ∈ ℘ fin (Var), also with finite sets δ ∈ ℘ fin (LVar) of (free) logical variables and use the term "(variable) declaration" for those finite sets of logical variables (see Examples 1, 2, 3). Indeed, modern implementations of tools built on top of Hoare logic are based on finite contexts of program and logical variables (see Bubel and Hähnle 2016;Leino 2010;Martini 2020;Pierce et al. 2018a).

Satisfaction Relation:
The usual inductive definition of the infinite version of satisfaction of assertions can be easily modified for local state assertions. We get, in such a way, a |Cont|indexed family of satisfaction relations between extended local states, on one side, and local state assertions, on the other side: Moreover, satisfaction is compatible w.r.t. morphisms in Cont:
Remark 2 (Logic of States is an Institution). A closer look at the development so far shows that we have actually defined an Institution (see Diaconescu 2008;Goguen and Burstall 1992): The category of abstract signatures is the category Cont. The sentence functor is assn : Cont → Set while st : Cont op → Set is the model functor. Due to Proposition 2, the |Cont|-indexed family of satisfaction relations |= λ meets the necessary satisfaction condition. As shown in Wolter et al. (2012), this allows us to define the semantics of assertions based on the contravariant power set construction.

Semantics of Local State Assertions:
Any subset of Λ λ = γ × Γ δ describes a certain property of extended local states and therefore we consider the elements of ℘(Λ λ ) also as "state predicates." A local state assertion P ∈ assn(λ) can be seen as the syntactic representation of a certain state predicate, namely of its semantics, that is, the set of all extended local states satisfying P: For all objects λ in Cont, this defines a function sem λ : assn(λ) → ℘(Λ λ ) . To answer the question if this family of functions constitutes a relevant natural transformation from local state assertions to semantics, we construct first the target of this natural transformation: Composing the functor st op : Cont → Set op with the contravariant power set functor P : Set op → Pre, where Pre is the category of preorders and monotone functions, we obtain a functor pred : Since the formation of inverse images is monotone w.r.t. set inclusions, we obtain indeed a functor from Cont into Pre. Note that the preorders pred(λ) = (℘(Λ λ ), ⊆ ) are even partial orders.
Second, we can borrow the order relation in (℘(Λ λ ), ⊆ ), to define semantic entailment. Semantic Entailment: For any local state assertions P, Q ∈ assn(λ) we define In categorical terms, we extend the set assn(λ) to a preorder ent(λ) (assn(λ), λ ) in such a way that the function sem λ : assn(λ) → ℘(Λ λ ) turns into a morphism sem λ : ent(λ) → pred(λ) in the category Pre that not only preserves but also reflects order, that is, sem λ is a full functor.

Local programs and state transition semantics
Programs are defined prior to and independent of logical variables and the semantics of programs are partial state transition maps between corresponding sets of states (see Definition 1). In this subsection, we develop a local finitary version of the state transition semantics of programs. Local Programs -Syntax: "Local programs" are programs in a context; that is, for each context γ we consider the corresponding set prg(γ ) {c ∈ Prg | pvr(c) ⊆ γ } of programs in context γ . Our while-programs are sequential, that is, for any two local programs c 1 , c 2 ∈ prg(γ ) there is a unique local program c 1 ; c 2 ∈ prg(γ ) and the concatenation operator _ ;_ is, in addition, assumed to be associative. Adding to prg(γ ) an "empty program" ε such that c; ε = ε; c = c for all c ∈ prg(γ ), we upgrade prg(γ ) to a monoid. We consider monoids as categories with exactly one object. In abuse of notation, we denote the syntactic category with the only object γ and the set of morphisms prg(γ ), where composition is sequential concatenation of programs, also by prg(γ ). For any inclusion function in γ ,γ : γ → γ , we get obviously an inclusion functor prg γ ,γ : prg(γ ) → prg(γ ) thus the assignments γ → prg(γ ) and in γ ,γ → prg γ ,γ define a functor prg : Cont → Mon. Transitions of Local States: The semantics of a local program c ∈ prg(γ ) is a partial function from the corresponding set γ of local states into itself. To define this semantics precisely and in a well-structured way, we present, first, a brief account of those partial state transition maps.
First, we show that for any context γ the global state transition semantics [[_]] : Prg → ( • → ) of programs restricts to a functorial state transition semantics tr γ : prg(γ ) → ( γ • → γ ) for the corresponding local states: Analogously to (2), the inclusion function in γ : γ → Var induces a reduction map p γ : → γ with p γ ( ) in γ ; for all global states ∈ = (Var → D). p γ : → γ is surjective since D is not empty. By means of p γ , we can restrict now for any local program c ∈ prg(γ ) the partial function [[c] Any program c changes at most the values for the program variables in pvr(c), that is, for any global state ∈ DD([[c]]) and any program variable . This ensures that the definition of tr γ (c) is independent of representatives as well as that the square (1) in the diagram above is a pullback in Set, that is, we have [[c]]; p γ = p γ ; tr γ (c) in Par.

State transition maps as predicate transformers
Hoare triples are a logical means to describe and reason about the semantics of programs thereby relying on a corresponding logic of states. We consider here "local partial correctness assertions" λ : {P} c {Q} and "local total correctness assertions" λ : [P] c [Q] for extended contexts λ = (γ , δ) such that c ∈ prg(γ ) and P, Q ∈ assn(λ).
A correctness assertion is an assertion about the state transition semantics tr γ (c) : γ • → γ of the local program c ∈ prg(γ ) and is represented by a pair of local state assertions -a precondition P describing properties of the "input states" σ ∈ γ and a postcondition Q describing properties of the corresponding "output states" tr γ (c)(σ ) ∈ γ .
One can observe, however, that correctness assertions can be defined and investigated independent of programs namely as assertions about arbitrary state transition maps τ : γ • → γ . Following this observation, we develop in this subsection a local version of the predicate transformer semantics, as introduced in Dijkstra (1975), not only for programs but for arbitrary state transition maps. We consider as well total as partial correctness semantics and show that any of these semantics is equivalent to the state transition semantics. Correctness Assertions: To underline the implicational "nature" of correctness assertions, we adapt an arrow notation for correctness assertions about arbitrary state transition maps.
(2) Correspondingly, we say that a state transition map τ : γ • → γ satisfies the implication P ⇒ Q in the sense of "partial correctness, " written τ |= λ (PC, An essential observation is that, in both cases, the satisfaction statement for the precondition and the postcondition, respectively, refers to the same local environment α. This means that a correctness assertion can be seen as an implication with implicitly universally quantified free logical variables. On the other side, this gives us a hint how to extend state transition maps, in a reasonable way, to local environments: For any state transition map τ : γ • → γ and any extended context λ = (γ , δ), we obtain an extended state transition map Following Djikstra's idea of "programs as predicate transformers, " we can give now an equivalent formulation of correctness assertions based on the semantics of assertions and the formation of inverse images. 4 Theorem 1 (Correctness and Inverse Images). For any state transition map τ : γ • → γ , any extended context λ = (γ , δ) and any assertions P, Q ∈ assn(λ) the following equivalences hold: Proof. This follows immediately from the definition of the semantics of assertions in (5), Definition 4, the definition of τ in (10), and the definition of inverse images for partial functions in footnote (4).
In Theorem 1, the state transition map τ serves as a predicate transformer in the sense that the formation of inverse images transforms the state predicate sem λ (Q) into the state predicate τ −1 δ (sem λ (Q)) or τ −1 δ (sem λ (Q)) ∪ Λ λ \ DD(τ ), respectively. In this subsection, we develop a full categorical account of these two kinds of predicate transformer semantics of state transition maps. Extended State Transition Maps: To be able to relate and combine the logic of local states with the semantics of local programs, it is necessary to lift up the state transition semantics, developed in Subsection 3.2 for plain contexts, to extended contexts: The functor prg : Cont → Mon is simply defined by prg(λ) prg(γ ) = {c ∈ Prg | pvr(c) ⊆ γ } for all extended contexts λ = (γ , δ) ∈ |Cont| and by assigning to each morphism in λ,λ = (in γ ,γ , in δ,δ ) : λ → λ in Cont the inclusion functor prg λ,λ = prg γ ,γ : prg(λ) → prg(λ ).
The contravariant power set functor P : Set op → Pre, assigning to each set A the partial order (℘(A), ⊆ ) and to each function f : for all subsets B ⊆ B, can be extended in two different ways to a contravariant power set functor from Par into Pre.
The "standard" functor P : Par op → Pre is related to total correctness and assigns to each set A the partial order (℘(A), ⊆ ) and to each partial function f : The "non-standard" functor P DD : Par op → Pre is, in turn, related to partial correctness and assigns to each set A the partial order (℘(A), ⊆ ) and to each partial function f : From State Transition Maps to Predicate Transformers: Both functors P : Par op → Pre and P DD : Par op → Pre are embeddings, that is, injective on objects and on morphisms.
Semantic Equivalences: Based on two different extensions P : Par op → Pre and P DD : Par op → Pre of the contravariant power set functor P : Set op → Pre to the category Par, we presented two distinct predicate transformer semantics for partial functions -the total correctness semantics tc : pf ⇒ if, converting partial functions into inverse image functors, and the partial correctness semantics pc : pf ⇒ if DD , converting partial functions into modified inverse image functors.
Since both natural transformations tc and pc are natural isomorphisms, we have, especially, shown in such a way that the total correctness semantics and the partial correctness semantics are equivalent from a structural point of view.
Therefore, it will be sufficient to concentrate our further investigations of the structural features of Hoare logics on one of these semantics. We will focus on total correctness since partial correctness has been discussed in Wolter et al. (2020).

Weakest precondition semantics of local programs
We are well prepared now to come back to the set-theoretic characterizations of correctness assertions in Theorem 1. We can define a predicate transformer semantics wp tr; tc : prg ⇒ if of programs by composing the state transition semantics tr : prg ⇒ pf of programs with the total correctness semantics tc : pf ⇒ if of partial functions. "wp" stands for "weakest preconditions" a term we discuss later in this subsection.

Cont
Besides the predicate transformer semantics wp = tr; tc : prg ⇒ if, we can also define a "weakest liberal precondition semantics" wlp tr; pc : prg ⇒ if of programs by composing the state transition semantics tr : prg ⇒ pf of programs with the partial correctness semantics pc : pf ⇒ if of partial functions instead. As discussed at the end of Subsection 3.3, tc and pc are natural isomorphisms; thus, the weakest precondition semantics and the weakest liberal precondition semantics of local programs are structural equivalent and we will focus on the weakest precondition semantics. Weakest Preconditions: The notion of "weakest preconditions" has been introduced in Dijkstra (1975) and reflects the equivalences in Theorem 1. The weakest precondition of a local program c ∈ prg(λ) with respect to a state predicate Q ⊆ Λ λ is the state predicate wp λ (c) For a program c and an assertion Q, we consider the weakest precondition wp λ (c)(sem λ (Q)) and the weakest liberal precondition wlp λ (c)(sem λ (Q)) where λ = (pvr(c) ∪ pvr(Q), flv (Q)).
An important and non-trivial result concerning Hoare logic is that the Hoare Proof Calculus, presented at the end of Section 2, is complete (compare Cook 1978 andApt et al. 2009). This completeness result is based on another non-trivial result stating that our language of expressions is expressive enough, in the sense, that we can represent weakest preconditions syntactically (see Theorem 3.4 in Apt et al. 2009): There exist assertions wp(c, Q), wlp(c, Q) ∈ assn(λ) such that sem λ (wp(c, Q)) = wp λ (c)(sem λ (Q)) and sem λ (wlp(c, Q)) = wlp λ (c)(sem λ (Q)), respectively.
To denote the correctness of local programs, we go back to the traditional Hoare triples: A local total correctness assertion λ : , if, and only if, tr γ (c) |= λ (TC, P ⇒ Q) and, analogously, a local partial correctness assertion λ : Instantiating Theorem 1 by the state transition semantics tr γ (c) of programs, we can summarize that correctness assertions can be equivalently expressed by means of semantic weakest preconditions while the existence of corresponding syntactic weakest preconditions gives us, finally, an equivalent formulation of correctness by means of semantic entailment at hand.

Corollary 1 (Correctness Assertions).
For any extended context λ = (γ , δ), any program c ∈ prg(λ), and any assertions P, Q ∈ assn(λ) the following equivalences hold: Syntactic weakest preconditions are assertions and thus only uniquely determined up to logical equivalence, that is, up to isomorphisms in ent(λ) = (assn(λ), λ ). An indexed account of the structural features of syntactic weakest preconditions and of a deduction calculus for Hoare triples would have to relay therefore on pseudo functors. We consider this as not quite adequate and prefer to develop directly a fibered account in the next section.
Remark 4 (Notation). We use the same notation "wp, " with typographic variations, to denote different concepts related to "weak preconditions." Thereby, we apply the general notational conventions used in the paper: wp (mathit-font) denotes a function, wp (mathtt-font) denotes a natural transformation, Wp (mathtt-font) will denote a functor and Wp (mathsf-font) a category.

Hoare Logic and Fibrations
The presentation of the structural features of the traditional infinitary version of Hoare logic, as outlined in Section 2, is essentially an indexed one. In the last section, we have elucidated this observation by developing a general and structured presentation of the semantic features of a finitary version of Hoare logic based on indexed categories.
Guided by the three reasons, discussed in the introductory section, we will move now from the indexed setting to the fibered one and present a fully fledged fibered account of Hoare logic.

Fibrations for the logic of local states
The Grothendieck construction (see Barr and Wells 1990) is the main technique to transform an indexed category into a fibered category (fibration). There are different variants of the Grothendieck construction, and we do not include a general definition of the different variants needed here. We describe, however, in detail all the fibered structures obtained by transforming the indexed structures in Section 3.
The indexed version of the logic of local states is manifested by the natural transformation sem : ent ⇒ pred : Cont → Pre. Transforming, first, the functor (indexed category) ent : Cont → Pre, we get a fibered category of state assertions and semantic entailments: Definition 5 (Category Ent). The category Ent of "local state assertions" and "semantic entailment" is defined as follows: • objects: all pairs (λ.Q) of an extended context λ ∈ |Cont| and an assertion Q ∈ assn(λ).
Composition is well-defined due to the monotonicity of context extensions w.r.t. semantic entailment and the associativity of semantic entailment, that is, since ent is a functor and since the ent(λ) = (assn(λ), λ ) are preorder categories.
We obtain a projection functor Π Ent : Ent → Cont op with Π Ent (λ.Q) λ and Π Ent ((in λ,λ , λ ) : The diagram in Definition 5 (and the diagrams in the following Definitions 6, 7, 8 and 9) visualizes the corresponding Grothendieck construction of morphisms (dashed arrows) and should help the reader to validate the well-definedness of the composition of those morphisms.
The general properties of Grothendieck constructions provide: Remark 5. The presentation of assertions about states as a fibration makes evident that the deductive apparatus on those assertions is essentially based on substitution (changing of context) and propositional reasoning in the fibers ent(λ) = (assn(λ), λ ) Π −1 Ent (id λ ) (compare Remark 3). That we have a fibration ensures that every first-order variable is universally quantified and that the reasoning on them is sound. On the other hand, existentially quantified assertions have their sound semantics provided by the Cartesian structure of the fibration.
Transforming, second, the functor (indexed category) pred : Cont → Pre, we get a fibered category of state predicates and inclusions of state predicates: Definition 6 (Category Pred). The category Pred of "local state predicates" and inclusions is defined as follows: • objects: all pairs (λ.Q) of an extended context λ ∈ |Cont| and a state predicate Q ∈ ℘(Λ λ ).
We obtain a projection functor Π Pred : Pred → Cont op with Π Pred (λ.Q) λ and The general properties of Grothendieck constructions provide: all state predicates Q ∈ ℘(Λ γ ). These are the only Cartesian arrows since inclusion ⊆ is antisymmetric.
Remark 6 (Commutative Diagrams). The reader should be aware that the diagrams we use to visualize the construction of a fibration and to validate its well-definedness turn into commutative diagrams in the resulting fibration. In case of the construction of Pred in Definition 6, for example, we obtain the commutative diagram above in Pred. The vertical arrows are Cartesian arrows, and the diagram shows also that each morphism (in λ,λ , ⊆ ) : (λ .P) → (λ.Q) can be factorized into the composition (in λ,λ , ⊆ ) = (id λ , ⊆ ); (in λ,λ , = ) of a morphism in the fiber Π −1 Pred (id λ ) pred(λ ) and a Cartesian arrow.

Fibrations for local programs and weakest precondition semantics
The functor prg : Cont → Mon can be transformed into a category Prg of local programs.
Note that the functor property of Wp entails that the syntactic weakest preconditions wp(c 1 , wp(c 2 , Q)) and wp(c 1 ; c 2 , Q) are logical equivalent. This equivalence is important for the discussion in Section 4.3.
Applying now to Wp : Prg → Pre the appropriate variant of the traditional Grothendieck construction, we get the category Wp of semantic weakest preconditions.
Theorem 6 (Conservative Extension). The identity on |Wp| |Pred| extends to an embedding The resulting square commutes, that is, we have E pred ; Π Wp = Π Pred ; E op cont . Moreover, it is a pullback square since E pred establishes isomorphisms between the fibers Π −1 Pred (id λ ) (℘(Λ λ ), ⊆ ) and ε)). Note that the pullback property means that the semantic fibration Π Wp : Wp → Prg op is a "conservative extension" of the semantic fibration Π Pred : Pred → Cont op , in the sense, that no new relations between local state predicates are introduced. The semantics of states is unchanged.

Fibration for Hoare logic
The continuous lines in the diagram below show what we have gained so far in the fibered setting: The right face represents the logic of local states where entailment between local state assertions is defined semantically by inclusions between corresponding local state predicates. The logic of local states comprises as well all general first-order logic assertions as the theory of the data types of our language of expressions. The back face shows the extension of the category of local state predicates by semantic weakest preconditions for local programs. The task of a Hoare proof calculus is nothing but to generate the missing category TC of total correctness assertions about local programs by extending, step by step, the category Ent of local state assertions. In parallel, three new functors should be constructed connecting the new category TC to the framework, developed so far. The natural requirements for a Hoare proof calculus can be reflected, in terms of fibrations, by the following objectives: (1) Soundness: The existence of a functor TSem : TC → Wp such that Π TC = TSem; Π Wp , means that the calculus is sound. If TSem is, in addition, full, the calculus is also complete.
(2) Conservative extension: The functor E ent : Ent → TC should be an embedding such that the top and the front face commute, that is, E ent ; TSem = Sem; E pred and E ent ; Π TC = Π Ent ; E o cont p. In addition, the front square should be a pullback square. Note that due to pullback decomposition, this implies that also the top square becomes a pullback.
(3) Fibration: Requiring that the resulting functor Π TC : TC → Prg op is a fibration, we enforce the application of deduction rules until TC comprises all deducible correctness assertions.
That is, to describe the extension of the category Ent to the category TC we need only the new arrows ((id λ , c), λ ) : (λ.wp(c, Q)) → (λ.Q). Generating these special kind of Cartesian arrows is the essential task of a Hoare proof calculus. More precisely, a Hoare proof calculus does nothing but to extend the category Ent by new morphisms utilizing two procedures: (1) Construction of Cartesian arrows: Generate the Cartesian arrow ((id λ , c), λ ) : (λ.wp(c, Q)) → (λ.Q) for any object (λ.Q) in |Ent| = |TC| and any "program" morphism (id λ , c) : λ → λ in Prg. These are the rules Skip, Assn, AAssn, IfE, PWh and TWh.
(2) Composition: Close everything w.r.t. composition a. by composing new morphisms in TC with new morphisms in TC (rule Comp) and b. by pre-and post-composing new morphisms in TC with given morphisms from Ent (rules Stren and Weakn).
In summary: Our discussion shows that we reached indeed all three objectives for the Hoare logic of total correctness assertions. As shown in Subsection 3.3, total correctness semantics and partial correctness semantics are structurally equivalent; thus, a corresponding variant of a categorical account of Hoare logic for partial correctness assertions and weakest liberal preconditions can be developed straightforwardly in a completely analogous way. Cook (1978) seems to be the seminal article for the mathematical study of Hoare logic (HL). Cook was the first deeply examining syntactical and semantic components related to HL and proving its soundness. A very interesting discussion in this work concerns the role of data type specifications. That is, assertions intended to formalize the relevant aspects of data types that we should use in connection with the rule of consequence to have correctness of programs supporting the data types. It was the first article considering Hoare logic as a logic parametrized by a data types specification in a modular way. The completeness theorem, on the contrary, was approached in Cook (1978) with less emphasis on modularity. Since Cook's work, many articles discussed how the data type specification integrates into HL more or less naturally. Indexing and Fibering are among the most worked out approaches to describe this integration. We briefly discuss some of the most relevant or recent articles on this below. In the indexed/fibered approach to logical systems formalization, we consider a cartesian closed category or a preorder category to define truth values. Sometimes, other more sophisticated categories, such as topoi or higher-order categories, have their internal logic used to provide truth values. For example, the truth values may arise from a fibration construction when formalizing predicates in a categorical semantics for FOL (First-Order Logic), Typed-FOL or HOL (Higher Order Logic), respectively. At the same time, we use the internal logic to provide semantics to a set-like language using topoi. Of course, Hoare logic belongs to the first case since there is no mandatory need for a set-like language in an imperative program semantics. On the other hand, indexed categories are more related to the algebraic system specifications (compare Goguen and Burstall 1992). As we illustrate in this article, indexed categories and fibrations are two faces of the same coin, not only mathematically speaking but also in programming language semantics. We discuss, in the following, more papers related to the fibration approach. Indexed categories are more frequently used for defining categorical semantics for general logic (compare Diaconescu 2008;Wolter et al. 2012).

Related Works
As an article, following the indexed approach to HL, it is worth to mention Goncharov and Schröder (2013). It defines order-enriched monads to induce a CPO structure on the monad itself rather than on the base category. The goal is to use this CPO structure as truth values by observing that any order-enriched monad induces a (weak) truth-value object. The enrichment has to do with the side effects, and finally, it presents a generic Hoare calculus for monadic side effecting programs. It proves the relative completeness of this Hoare calculus using the weakest preconditions system. Monads are the tool of choice to encapsulate side effects; thus, a monadic construction involves side effecting encapsulation naturally. It is, however, unusual that the enrichment of the base category with truth values happens on top of the monad itself. We see it as one difference in the treatment of truth values provided by our article. We discuss potential enrichments on the base category in the next paragraph. As in our case, Kleisli category is the semantic counterpart of the weakest precondition predicate transformers for computation. The Kleisli category relates to the partiality monad. We think that we have the advantage of providing a more detailed explanation of many fibrations provided by the Grothendick construction. In Goncharov and Schröder (2013), fibrations are not considered and the overall presentation follows indexed constructions. It is important to mention that the mechanism of obtaining the truth values on top of the monad has the drawback of having an assertion logic that is, in general, at least the full intuitionistic logic (see pages 4 and 5 in Goncharov and Schröder 2013). The fibrations we provide obtain always at least full intuitionistic FOL, and we consider this as a more adequate contribution. Gaboardi et al. (2021) discusses and formalizes what is nowadays called Graded Hoare Logic (GHL). GHL is a family of Hoare logic extensions aiming to provide new deductive mechanisms to cope with some additional information to reason about side effects relative to programs. Such side effects can take cost analyses, probabilistic computations or security features into account when reasoning about program correctness. Even quantum effects can be included in this list of side effects, although this case is not considered in Gaboardi et al. (2021). A graded program language semantics is obtained by considering (new) type systems with fine-grained information added on top of the original semantics. Monads can be graded to consider embedding side effects into a pure language, as discussed above in connection with Goncharov and Schröder (2013). Almost all GHL proposed semantics use some side effects encapsulation in a monad, sometimes comonads, providing graded (co)monads. Historically, graded monads appeared first in functional semantics to deal with side effects in λ-calculus-based languages. Gaboardi et al. (2021) seem to be the first article that considers imperative languages in a uniform graded treatment. It takes graded categories to generalize the graded (co)monadic framework. There is some advantage of taking grading as a denotational approach instead of having it due to some imposition provided by (incremental) grading. It shows that graded categories abstract monadic and co-monadic semantics for grading. Afterwards, it considers an extension to the novel structure of graded Freyd categories. A Freyd category is a way of obtaining a set-like model on top of any (locally small) category with a terminal object. The construction of a Freyd category starts with the global sections of the terminal object and employs (coherent) fibrations to add more and more structure and logic incrementally. Thus, the semantic framework for GHL, on top of (graded) Freyd categories, uses a fibrational setting. It is similar to our fibrational approach, with the main difference that we do this for the standard reasoning on imperative program correctness. We only comment on the possibility of augmenting the data type side effects in our article, mainly to a (mixed) quantum-based programming language. The fact that we conduct our fibrational approach for Hoare logic semantics on a fibration semantics is consistent with what is discussed and reported in Gaboardi et al. (2021). Our contribution goes deeper since we have a detailed explanation of the relation to indexed (algebraic) Hoare semantics. Martin et al. (2006) provide an elegant approach addressing the question what kind of categorical semantics one needs to read off from it an instance of a complete and sound set of Hoare logic rules. It is an entirely theoretical work pointing at that a particular kind of traced symmetric monoidal categories can be such mathematical structure. The traced symmetric monoidal categories for while-programs read off Hoare's original set of rules. The article further shows how to utilize the approach to cope with extensions of while-programs, including pointers and other features. A functor from a traced symmetric category to a preordered category that plays the truth values category is called a verification functor. The verification functor, a monoidal functor, is interpreted as a Hoare triple. The logical rules arise naturally from this abstract view. Adding new features to while-programs, such as pointers, is made by lifting the monoidal verification functors from a (new) preordered category that includes the semantic domains abstraction for the Heap and the Store. The monoidal requirement ensures, in a certain way, that this lifting is cartesian. The lifting is not described in terms of fibrations, but they are implicitly there. Compared with other articles devoted to Hoare logic semantics, we can say that Martin et al. (2006) uses fewer higher-categorical constructions than the other articles mentioned in this section. Our approach provides a complete and more detailed categorical explanation of this technique in the language of fibrations and indexed categories. We consider this as another novel contribution of our paper. Hasuo (2015) and Aguirre and Katsumata (2020) discuss some monadic models of computational effects that can be used to provide semantics to weakest (liberal) preconditions predicate transformers taking into account a variety of side effects. Section 2 in Hasuo (2015) describes many contravariant monadic functors that obtain enriched monads, as in Goncharov and Schröder (2013). Some examples appear in both papers, such as the powerset and lifting cases which can also be found in category theory textbooks (see Crole 1993 as one possible reference). The goal of Hasuo (2015) is to provide semantics for the logic of predicates in forced games. However, the framework can be also applied to the Hoare logic of imperative while-programs.
Aguirre and Katsumata (2020) are more abstract than our approach and geared to the treatment of monadic effects. Given a fibration P : E → C, for every C-arrow f : x → y (morally a program) the fibered structure gives a functor from the fiber over y (i.e. predicates over y) to the fiber over x (i.e. predicates over x), which can be seen as the "weakest precondition" of f . From this starting point, Aguirre and Katsumata (2020) study how a monad T modeling an effect on C can be lifted to a monad on E such that there is a fibration between the corresponding Kleisli categories that gives a weakest precondition transformer for effectful computations. In particular, they study the case where E is a slice category for some object o of C representing truth values and investigate how to construct monadic liftings from o-carried Eilenberg-Moore T-algebras. They provide one example in which they instantiate their framework for a concrete imperative language, but the remaining examples are kept abstract. Our approach and intended application are different. Aguirre and Katsumata (2020) assume they have some abstract categories of programs and predicates, and a fibration between them. Our construction is more explicit and starts from the ground up, with a concrete imperative while language and a concrete assertion language. Then, we obtain the fibrational structure via the Grothendieck construction. This is a more appropriate setting in which to discuss issues like soundness and completeness of the Hoare calculus as properties of the functors relating the different categories. The fact that TC is a fibration also allows us to reason about syntactic weakest preconditions, which Aguirre and Katsumata (2020) do not cover.
In summary, this is in our view the novelty we provide with respect to Aguirre and Katsumata (2020) (which also applies to other related work, e.g. Hasuo 2015): (1) Application to a concrete programming language and assertion language. (2) Construction of the categorical structures "from the ground up." (3) Explicit separation of syntax and semantics that allows for an easier and more direct discussion of soundness and completeness.

Conclusion
The traditional presentation of the structural features of Hoare logic is based on a global context of program and logical variables. However, a categorical reformulation of these constructions must be based on local contexts for expressions and formulas. We recast the conceptual framework of Hoare logic from the perspective of both indexed and fibered categories.
With indexed categories, we developed a logic of local states, with finite contexts of program and array variables. On top of this logic, we develop a logic of local state assertions, which is based on extended contexts of both program and logical variables. After that, we presented the transition semantics of programs with finitary contexts by developing suitable categorical constructions for restricting the traditional, global transition semantics. This local transition semantics of programs is based on a more general theory of partial state transition maps. Theorem 1 is a reformulation of the idea of "programs as predicate transformers" using general partial state transition maps. Corollary 1 is an application of this result for partial transition maps generated by programs.
On the other hand, there are some important reasons to present Hoare logic also with fibrations. The most essential one is that fibrations provide a mathematical workspace, where logical deduction can take place. By translating the indexed categorical presentation into a fibered presentation, we have been able to formalize precisely the intuition that Hoare triples are a kind of fibered entity, that is, Hoare triples arise naturally as special arrows in a fibered category over a syntactic category of programs. Moreover, deduction in Hoare calculi can be characterized categorically by the heuristic deduction = generation of cartesian arrows + composition of arrows.
As a further work, using the techniques and tools developed in this paper as a blueprint, we are currently in the early stages of developing a Hoare logic for a quantum programming language (QPL). For QPL, the logic of states is twofold. We have the logic of quantum states and the logic of classical states. To have both of them together, in a well-integrated way, we use Indexed Categories and Fibrations. The logic of programs develops on top of this twofold category of classical-quantum states.
Many imperative programming languages, like C, allow us to declare and allocate local program variables in the middle of a program. Such programs can no longer be modeled by endomorphisms on the set of environments. We developed already some ideas how to extend and vary our approach to deal also with "allocations of local variables." It will be interesting to see if we can utilize Hasuo (2015), Aguirre and Katsumata (2020) to work out such an extension in detail.
Summing up, we think that one of the most important contributions of our article is to show in detail both sides of the two most used mechanisms to provide categorical and modular semantics for Hoare style logics. More research is needed to have what we described in this paper as a parametric framework to derive the detailed correctness proof and its associated set of Hoare rules. This is an additional step to the goals stated in Cook (1978).