Refinement algebra with dual operator

JID:SCICO AID:1567 /FLA [m3G; v 1.109; Prn:14/08/2013; 11:04] P.1 (1-32)

Science of Computer Programming ••• (••••) •••–•••

Contents lists available at ScienceDirect

Science of Computer Programming

www.elsevier.com/locate/scico

Refinement algebra with dual operator

Viorel Preoteasa

Åbo Akademi University, Department of Information Technologies, Joukahaisenkatu 3-5 A, 20520 Turku, Finland

h i g h l i g h t s

• We introduce an extension of the general refinement algebra with a dual operator.• We introduce assertions and assumptions with simpler definitions than before.• We defined the termination and enabledness operators in our algebra.• We prove data refinement and Hoare rules, and we used them for an example program.• All results are formalized in the Isabelle theorem prover.

a r t i c l e i n f o a b s t r a c t

Article history:Received 10 April 2012Received in revised form 24 June 2013Accepted 1 July 2013Available online xxxx

Keywords:Algebra of programmingRefinement algebraRefinement calculusData refinementHoare logic

Algebras of imperative programming languages have been successful in reasoning aboutprograms. In general an algebra of programs is an algebraic structure with programs aselements and with program compositions (sequential composition, choice, skip) as algebraoperations. Various versions of these algebras were introduced to model partial correctness,total correctness, refinement, demonic choice, and other aspects. We introduce here analgebra which can be used to model total correctness, refinement, demonic and angelicchoice. The basic model of our algebra are monotonic Boolean transformers (monotonicfunctions from a Boolean algebra to itself).

© 2013 Elsevier B.V. All rights reserved.

1. Introduction

Proving correctness of programs started with the seminal work of Floyd [1] and Hoare [2]. Floyd has introduced theso-called intermediate assertion method and using it he was proving both functional correctness of programs as well astermination. Hoare introduced the axiomatic method for proving correctness of programs. Hoare’s original method did nottreat the termination of programs but only their partial correctness. Partial correctness of a program asserts that if theprogram terminates, then the result calculated by the program is correct. Dijkstra introduced in [3] the weakest preconditionof a program S and a postcondition q on the state of the program, as the set of the initial states from which the program Salways terminates and it terminates in a state from q. Using weakest preconditions one could prove the total correctness ofprograms, that is the program terminates, and the result of the computation is correct.

Refinement calculus [4–7] is a further development of the weakest precondition theory. It is a calculus based on mono-tonic predicate transformers (monotonic functions mapping predicates to predicates) suitable for program development in atotal correctness framework. Within this calculus various aspects of imperative programming languages can be formalized.These include total correctness, partial correctness, demonic choice, angelic choice, and unbounded nondeterminism. In ademonic choice the user of a program does not have control over the choice that is made. For example the user does nothave control over the choice made by an operating system in scheduling process, or in allocating memory to a program. On

E-mail address: [email protected].

0167-6423/$ – see front matter © 2013 Elsevier B.V. All rights reserved.http://dx.doi.org/10.1016/j.scico.2013.07.002

http://dx.doi.org/10.1016/j.scico.2013.07.002

http://www.ScienceDirect.com/

http://www.elsevier.com/locate/scico

mailto:[email protected]



2 V. Preoteasa / Science of Computer Programming ••• (••••) •••–•••

the other hand in angelic choice, the user can influence the execution of the program by selecting the appropriate actionsfrom all possible. An example of angelic choice can be the menu actions from a program with a graphical user interface.The user has full control over which action to select from those available. In unbounded nondeterminism the number ofchoices is infinite. Unbounded nondeterminism can be both demonic and angelic and it can occur in practice if we have forexample parallel programs with the assumption of fairness [8].

Refinement calculus has introduced a simplified collection of primitive statements compared to the primitive statementsfound in imperative programming languages. Among them we have assertions ({p} – assert p), assumptions ([p] – as-sume p), demonic choices (S � T ), angelic choices (S � T ), iterations (Sω), and others. The statement {p}, where p is apredicate (a condition on the values of the program variables), skips if p is true for the starting state and it fails (it doesnot terminate) otherwise. On the other hand [p] skips when p is true, and terminates miraculously otherwise. A miraculousprogram is always correct, but it cannot be implemented. Using these primitive statements we can define the usual if andwhile program constructs.

In refinement calculus, the angelic and demonic choices are dual to each other in a way similar to conjunction anddisjunction in logic, or existential and universal quantification. Within refinement calculus we can define a dual operator[9–11,6] which would map demonic choice into angelic choice and vice versa. For the application of the dual operator tothe program (x := 2) � (x := 3) returns the program (x := 2) � (x := 3). The assertions and assumptions are also dual to eachother and the dual of {p} is [p].

The original approach [8] of using predicate transformers for modeling programs required them to satisfy a number ofhealthiness conditions like strictness (S(false) = false), conjuctivity (S(p ∧ q) = S(p) ∧ S(q)), and continuity. These conditionswere imposed because practical programs satisfy them, and the semantics of the programing constructs was easier tointroduce. However, strictness excludes miracles, conjuctivity excludes programs with angelic choice, and continuity excludesunbounded nondeterminism.

Abstract algebra is a useful tool in mathematics. Rather than working with specific models like natural numbers andalgebra of truth values, one could reason in a more abstract setting and obtain results which are more general and applicablein different models. Algebras of logics are very important tools in studying various aspects of logical systems. Algebras ofprogramming theories have also a significant contribution to the simplification of reasoning about programs, and theyabstract further the notions of program correctness. Programs are elements of an algebra and program compositions andprogram constants (sequential composition, choice, iteration, skip, fail) are the operations of the algebra. These operationssatisfy a number of relations which are used for reasoning about programs.

Kleene algebra with tests (KAT) [12] is an extension of Kleene algebra [13] and it is suitable for reasoning about programsin a partial correctness framework. In KAT, tests are similar to assumptions from refinement calculus. In case a test p isnot true, then p does not terminate, and because we are in a partial correctness framework this is equivalent to a miracle.Always, a nonterminating program is partially correct.

Various versions of Kleene algebras have been introduced, ranging from Kleene algebra with domain [14] and concurrentKleene algebra [15] to an algebra for separation logic [16]. Kleene algebra with modal operators has been used in [17,18] tomodel partial correctness as well as different notions of termination.

Demonic refinement algebra (DRA) was introduced in [19,20] as a variation of KAT to allow also reasoning about totalcorrectness. The intended model of DRA is the set of conjunctive predicate transformers and this algebra cannot representangelic choice. General refinement algebra (GRA) was also introduced in [20], but few results were proved and they weremostly related to iteration. Although the intended model for GRA is the set of monotonic predicate transformers, GRA doesnot include the angelic choice operator. Both DRA and GRA have been further extended with enabledness and terminationoperators in [21] and [22], respectively. More properties of GRA were proved in [22] and it was used for probabilisticprograms. In [23], a refinement algebra with negation operator is introduced, and in [24] the dual operator is defined usingthe negation. The negation operator does not preserve monotonicity, and the iteration operators are introduced only formonotonic elements of the algebra.

The contribution of this paper is an extension of GRA with a dual operator. The intended model for our algebra is the setof monotonic Boolean transformers (monotonic functions from a Boolean algebra to itself). In GRA assertions (assumptions)are introduced as disjunctive (conjunctive) elements which have complement. Formally this definition requires an existen-tial quantifier. Using the dual operator we characterize these assertions (assumptions) using a conjunction of (in)equationswhich is simpler than the usual definition from GRA and KAT, and we do not need an existential quantifier. We prove thatthe assertions (assumptions) form a Boolean algebra. Moreover, we also prove that the assertions defined in the algebra areexactly the program assertions in the model of monotonic Boolean transformers. Having the dual operator and the demonicchoice operator we automatically obtain also the angelic choice operator. In [21,22] the enabledness and termination opera-tors are introduced using axioms for DRA and GRA respectively. The termination operator applied to a program returns thestates from which the program always terminates, and the enabledness operator applied to a program returns the statesfrom which the program does not terminate miraculously. These operators can be defined in our algebra, and their axiomscan be proved as theorems. The elements of our algebra correspond to the modal operators over a Kleene algebra from[17,18].

In DRA [20], a pre-post specification statement is introduced and it is used to prove that a program refines a pre-postspecification statement if and only if the program is correct with respect to the pre and post conditions. The proof of thisfact requires the assumption that all programs are conjunctive, a fact which does not hold for arbitrary monotonic predicate


V. Preoteasa / Science of Computer Programming ••• (••••) •••–••• 3

transformers. We have introduced another specification statement, and we proved a similar result in the absence of theconjuctivity property.

We have also introduced a simple while language with angelic and demonic choice based on our algebra and we provedHoare’s total correctness rule and healthiness properties (conjunctivity and disjunctivity) for this language. In general,Hoare’s total correctness rules for while statements require using a join operation of an arbitrary set, however arbitraryjoins are not available in our setting, and we have employed a technique for avoiding them.

Next we present a summary of the contribution of the paper with references to the relevant definitions and theorems.

• Axiomatization of the dual operator: Definition 8.• Simpler definition of assertions (assumptions) and proof that they form a Boolean algebra: Definitions 14 and 17, and

Theorems 15 and 20 (Definitions 22 and 25, and Theorems 24 and 26).• Definitions of the termination and enabledness operators and their properties: Definitions 27 and 29, and Theorems 28

and 30.• Hoare triples and connection to data refinement: Theorem 34.• Refinement and data refinement rules: Theorems 37 and 38, and Corollary 39.• Axiomatization of a specification statement: Theorem 40.• A simple while language and Hoare rules: Theorems 41 and 44.• Healthiness (conjunctivity, and disjunctivity) properties of the while language: Theorems 46, 47, 51, and 53.

The paper is structured as follows. Section 2 introduces preliminary definitions and notations. Section 3 introduces themonotonic Boolean transformers that are the model of our algebra. Section 4 introduces the monotonic Boolean transformersalgebra and some of its properties. Section 5 introduces the assertions and the assumptions. Some of their properties arealso introduced, and proofs that they form Boolean algebras are given. In Section 6, we define the weakest precondition, theguard of a program, Hoare triples [2] for total correctness, data refinement of programs, and we prove some properties ofthese constructs. The weakest precondition of top satisfies all axioms set for the termination operator in [21,22], and duallythe guard of a program satisfies all axioms set for the enabledness operator in [21,22]. Section 7 introduces a simple whileprogramming language and it proves Hoare total correctness rules and healthiness properties for it. In Section 8 we presentthe verification of an example program in which we use many of the rules introduced in the paper. Section 9 presentsconcluding remarks.

This is an extension of the paper [25]. We extend the earlier version with Hoare total correctness rules for a simpleimperative while programming language with demonic and angelic choice. We also prove that the programming languagewithout the angelic choice preserves conjunctivity of statements, and the language without the demonic choice preserversthe disjunctivity of statements.

All our results were mechanically verified in the Isabelle [26] theorem prover. The formal theories are available in theArchive of Formal Proofs [27].

2. Preliminaries

In this section we introduce some preliminary definitions and notations about lattices and Boolean algebras that we usein the paper. Detailed treatment of this subject can be found in [28].

The structure 〈A,�〉 is a partially ordered set (or poset for short) if A is a set and � is a binary relation on A which istransitive (∀a,b, c ∈ A: a � b ∧ b � c ⇒ a � c), antisymmetric (∀a,b ∈ A: a � b ∧ b � a ⇒ a = b), and reflexive (a � a).

A structure 〈L,�,∧,∨〉 is a lattice if 〈L,�〉 is a poset and ∧ and ∨ are binary operations on A such that for all a,b ∈ A,a ∧ b and a ∨ b are the greatest lower bound and the least upper bound of a and b, respectively, with respect to the partialorder �.

A structure 〈L,�,∧,∨,�,⊥〉 is a bounded lattice if 〈L,�,∧,∨〉 is a lattice, and it has the greatest element or top (de-noted �) and the least element or bottom (denoted ⊥) with respect to �.

A lattice L is complete if all subsets A ⊆ L have greatest lower bounds (denoted∧

A) with respect to �. In a completelattice all subsets A ⊆ L have least upper bounds (denoted

∨A) with respect to �. A complete lattice is also bounded.

In a (complete) lattice we obtain the dual of a formula replacing �, ∧, ∨,∧

, and∨

by �, ∨, ∧,∨

, and∧

respectively,and if the original formula is universally true (true for all values of the free variables), then the dual is also universally true.

A distributive lattice is a lattice 〈L,�,∧,∨〉 which satisfies the distributivity property:

(∀a,b, c ∈ L: (a ∨ b) ∧ c = (a ∧ c) ∨ (b ∧ c))

In a distributive lattice the dual of the distributivity property is also true:

(∀a,b, c ∈ L: (a ∧ b) ∨ c = (a ∨ c) ∧ (b ∨ c))

A complete distributive lattice is a complete lattice L which additionally satisfies the complete distributivity properties:(∀a ∈ L, A ⊆ L: a ∧

(∨A)

=∨

{a ∧ b | b ∈ A})


(∀a ∈ L, A ⊆ L: a ∨
(∧A)

=∧

{a ∨ b | b ∈ A})

The structure 〈B,�,∧,∨,¬,�,⊥〉 is a Boolean algebra if 〈B,�,∧,∨,�,⊥〉 is a bounded distributive lattice and ¬ is anegation operation on B , i.e. a unary operation on B which satisfies

(∀a ∈ B: a ∧ ¬a = ⊥)

(∀a ∈ B: a ∨ ¬a = �)

A complete Boolean algebra is a Boolean algebra and a complete distributive lattice.We denote the functions from a set A to a set B by A → B and we assume that the function construction operator

associates to right, i.e. A → B → C is the same as A → (B → C). We use a dot notation for function application. For afunction f from A to B ( f : A → B) and an element a ∈ A, f .a is the result of applying f to a. Function applicationassociates to left. If f : A → B → C , a ∈ A, and b ∈ B , then f .a.b is the same as ( f .a).b.

For a function f : A → A, an element a ∈ A is called a fixed point of f (or fixpoint of f for short) if f .a = a. If A is a poset,then an element a ∈ A is called the least (greatest) fixpoint of f if a is a fixpoint of f and a is the least (greatest) elementamong the fixpoints of f . If the least and greatest fixpoints of f exist, then we denote them by μ f and ν f , respectively.

A function f : A → B , where 〈A,�〉 and 〈B,�〉 are posets is monotonic if

(∀a,b ∈ A: a � b ⇒ f .a � f .b)

A monotonic function f on a complete lattice has the least and greatest fixpoints by the Knaster–Tarski theorem [29]:

μ f =∧

{x | f .x � x}ν f =

∨{x | x � f .x} (1)

We use lambda notation for function. For example (λx : x + 3) denotes the function which maps x to x + 3. We also usethe notation (μ x : t) for μ(λx : t), where t is a term which may contain the variable x free.

We use the logical connectors ∧, ∨, and ¬ as connectors in formulas as well as operations in arbitrary Boolean algebras.

3. Monotonic Boolean transformers

In this section we introduce the concept of monotonic Boolean transformers which is more general than monotonicpredicate transformers.

For a set of states X , monotonic predicate transformers over X are monotonic functions from Pred.X to Pred.X wherePred.X = X → Bool and Bool is the complete Boolean algebra with two elements, true and false. Monotonic predicate trans-formers are used for modeling imperative programs. A program is modeled by a predicate transformer S and it has aweakest precondition interpretation. If q ∈ Pred.X is a predicate on X (subset of X), then S.q ∈ Pred.X are the initial statesfrom which the program S terminates and if S starts in a state from S.q then it terminates in a state from q.

In this context we only need the assumption that we work with a complete Boolean algebra instead of Pred.X . This gen-eralization is mainly used here because it is sufficient for expressing and proving the properties from this paper. However,we can also apply these results directly to Boolean algebras of the form X → Y → Bool, which were used in [30–32] formodeling procedures with parameters. Let 〈B,�,∧,∨,¬,�,⊥〉 be a complete Boolean algebra. We denote by Mtran.B theset of all monotonic functions from B to B .

Mtran.B = {S : B → B | ∀p,q: p � q ⇒ S.p � S.q}The elements of Mtran.B are called monotonic Boolean transformers, or just monotonic transformers, or programs.

We point-wise extend all operations, except the negation, from B to Mtran.B:

(S � T ).p = S.p ∧ T .p magic.p = � S � T = (∀p: S.p � T .p)

(S � T ).p = S.p ∨ T .p fail.p = ⊥The extended constants magic and fail are monotonic Boolean transformers and, if S and T are monotonic Boolean trans-formers, then S � T , and S � T are monotonic Boolean transformers. We could extend the negation similarly, however thenegation applied to a monotonic function is not monotonic.

The program S � T models the demonic choice between executing S or T . The choice is demonic because the user doesnot control it. In order for this choice to be correct, both S and T must be correct. We will define correctness formally later.Here by a program being correct we intuitively mean that it computes what it is supposed to compute, and it terminates forall suitable inputs. The program S � T models the angelic choice. The choice is angelic because the user can decide betweenexecuting S or T . This choice is correct if one of the programs S and T is correct. The relation � is the refinement relation.If a program S is refined by a program T (S � T ) then we can use T in any context in which S is required. For exampleif S is a nondeterministic program which chooses arbitrarily a number from 1 to 5 and assigns it to a variable x and if T is



a program which assigns 3 to x, then S is refined by T and T can be used in any context where assigning to x an arbitrarynumber between 1 and 5 is required. The program magic is always correct, but it cannot be implemented. The program failnever terminates. fail is equivalent to while true do skip.

In the predicate transformers model, a program S terminates when started from a state s if s ∈ S.�, otherwise we saythat S fails from s. In Mtran we regard S.� as the termination condition of S . Similarly, in the predicate transformers model,a program S terminates miraculously when started from a state s if s ∈ S.⊥, otherwise we say that S is enabled from s. InMtran we regard ¬S.⊥ as the enabledness condition of S .

If S, T ∈ Mtran, p,q ∈ B , then we introduce the transformers S ◦ T , {p}, [p], skip, So , Sω , S∗ , ‖p‖ ∈ Mtran, the sequentialcomposition of S and T , the assert statement of p, the assume statement of p, the skip statement, the dual of S , theiteration and weak iteration of S , and the post-condition statement of p, respectively. These are given by the followingdefinitions:

(S ◦ T ).p = S.(T .p) (sequential composition)

{p}.q = p ∧ q (assert statement)

[p].q =¬p ∨ q (assume statement)

skip.p = p (skip statement)

So.p =¬S.(¬p) (dual of a program)

Sω = (μ X : (S ◦ X) � skip) (iteration)

S∗ = (ν X : (S ◦ X) � skip) (weak iteration)

‖p‖.q{� if p � q

⊥ otherwise(postcondition statement)

The functional composition of monotonic transformers corresponds to the sequential composition of programs. The assertstatement {p} executed from a state in which the predicate p is true behaves as skip, otherwise fails. The assume statement[p] executed from a state in which the predicate p is true behaves as skip, otherwise behaves as magic. The statement skipdoes not change the state of computation. The dual was used in [9–11,6] for predicate transformers, and it turns demonicchoice into angelic choice, and the other way around. The term conjugate has also been used in [33–35] to name the dualoperator. We will use the dual to define the negation of an assertion in the algebra of monotonic Boolean transformers.In the definition of the iteration and the weak iteration, the fixpoints are calculated for monotonic functions from Booleantransformers to Boolean transformers. These fixpoints exist because Mtran.B is a complete lattice when B is a completelattice. The iteration is used to define the while program:

while b do S = ([b] ◦ S)ω ◦ [¬b]

The conditional program can be introduced using the assert statement and the angelic choice or using the assume statementand the demonic choice:

if b then S else T = ({b} ◦ S) � ({¬b} ◦ T

) = ([b] ◦ S) � ([¬b] ◦ T

)

If S ∈ Mtran and p,q ∈ B , then a total correctness Hoare triple p {| S |}q is true if p � S.q. This Hoare triple, if true, statesthat the program S always terminates (it is total) when starting in a state from p and it terminates in a state from q (it iscorrect). In the rest of the paper we sometimes use the term “Hoare triple” for “total correctness Hoare triple”.

Using Hoare triples we can fully specify programs. The predicate p specifies the legal (suitable) values of the programvariables when starting the program, and the predicate q specifies the properties that the program variables must satisfyafter the execution of the program. For example if p is (0 � n) and q is (x = n!) then p and q specify completely theprogram which will compute in x the factorial of n. We must however add the restriction that the program may modifyonly the variable x, otherwise the program which assigns 1 and 0 to x and n (x,n := 1,0) would also be acceptable.

The post-condition statement ‖p‖ has been used in [31,32] to connect total correctness Hoare triples to refinementstatements. The postcondition statement ‖p‖ establishes p, regardless of the starting state. The following relation is true

p{|S |}q ⇔ {p} ◦ ‖q‖ � S (2)

and it is a consequence of the following theorem.

Theorem 1. If p ∈ B then

1. ‖p‖ ∈ Mtran (‖p‖ is monotonic)2. ‖p‖.p = �3. {S.p} ◦ ‖p‖ � S

Proof. We prove first that ‖p‖ is monotonic. Assuming that q � r we have to prove ‖p‖.q � ‖p‖.r.



• ‖p‖.q � ‖p‖.r= {Case analysis on p � q}

case: p � q• ‖p‖.q � ‖p‖.r= {Definition of ‖p‖ and p � q � r}

�� = {� reflexive}

truecase: p � q• ‖p‖.q � ‖p‖.r= {Definition of ‖p‖}

⊥� ‖p‖.r= {Lattice properties}

true

. . . true

The second property follows directly from the definition of ‖p‖. For the last property we prove for all q ∈ Bool that({S.p} ◦ ‖p‖).q � S.q.

• ({S.p} ◦ ‖p‖).q � S.q= {Function composition and definition of assertion}

S.p ∧ ‖p‖.q � S.q= {Case analysis on p � q}

case: p � q• S.p ∧ ‖p‖.q � S.q= {Definition of ‖p‖}

S.p � S.q= {S monotonic}

truecase: p � q• S.p ∧ ‖p‖.q � S.q= {Definition of ‖p‖}

⊥� S.q= {Lattice properties}

true

. . . true �The postcondition statement will be postulated latter in our algebra, using two axioms, and this theorem will be used to

show that these axioms are consistent. The properties 1. to 3. from Theorem 1 uniquely determine ‖p‖. The next theoremshows that this is the case.

Theorem 2. If p ∈ B, T ∈ Mtran, T .p = �, and (∀S: {S.p} ◦ T � S) then T = ‖p‖.

Proof. We prove first for all q ∈ Bool that ‖p‖.q � T .q.

• ‖p‖.q � T .q= {Case analysis on p � q}

case: p � q• ‖p‖.q � T .q= {Definition of ‖p‖}

�� T .q= {T is monotonic and T .p = �}

�� = {�is reflexive}

true



case: p � q• ‖p‖.q � T .q= {Definition of ‖p‖}

⊥ � T .q= {Lattice properties}

true

. . . true

We prove now T � ‖p‖:

• T � ‖p‖= {Properties of assert and ◦}

{�} ◦ T � ‖p‖= {Theorem 1}

{‖p‖.p} ◦ T � ‖p‖= {Proof assumption (∀S: {S.p} ◦ T � S) with S := ‖p‖}

true �Definition 3. A monotonic transformer S is disjunctive if for all p,q ∈ B , S.(p ∨ q) = S.p ∨ S.q, which is equivalent to

(∀U , V ∈ Mtran: S ◦ (U � V ) = (S ◦ U ) � (S ◦ V ))

A monotonic transformer S is conjunctive if for all p,q ∈ B , S.(p ∧ q) = S.p ∧ S.q, which is equivalent to(∀U , V ∈ Mtran: S ◦ (U � V ) = (S ◦ U ) � (S ◦ V )

)

Conjunctivity of predicate transformers is a healthiness condition assumed by Dijkstra’s original weakest preconditionsemantics [8]. For example if S is conjunctive, then we could prove p {| S|}q1 ∧ q2 by proving separately p {| S |}q1 andp {| S|}q2.

The next theorem gives a characterization of assertion statements. Later in the paper we will define assertions in thecontext of our algebra, and we will use this theorem to prove that when the set of monotonic Boolean transformers is seenas an instance of the algebra, the algebraic assertions correspond exactly to the assertions {p} for p ∈ B .

Theorem 4. A monotonic transformer S is an assertion if and only if S � skip and S is disjunctive.

Proof. If S is an assertion it is easy to prove that S � skip and S is disjunctive. Conversely, assume that S � skip and S isdisjunctive. We prove that S = {S.�}.

• {S.�}.q= {Boolean algebra property}

{S.(q ∨ ¬q)}.q= {S is disjunctive}

{S.q ∨ S.(¬q)}.q= {Definition of assert and distributivity}

(S.q ∧ q) ∨ (S.(¬q) ∧ q)

= {S � skip implies S.q � q}S.q ∨ (S.(¬q) ∧ q)

= {Prove S.(¬q) ∧ q = ⊥}

• S.(¬q) ∧ q = ⊥⇔ {⊥ is the least element}

S.(¬q) ∧ q � ⊥⇐ {S � skip implies S.(¬q)� ¬q}

¬q ∧ q �⊥⇔ {Boolean algebra properties}

true

. . . S.q ∨ ⊥= {Boolean algebra properties}

S.q �



For assumptions we have a similar theorem.

Theorem 5. A monotonic transformer S is an assumption if and only if S � skip and S is conjunctive.

A function f : L → L′ , where L and L′ are complete lattices, is universally disjunctive if for all X ⊆ L, f .(∨

X) = ∨f .X

where f .X is the image of X by f .

Theorem 6 (Weak fusion). If L and L′ are complete lattices, h : L → L′ is universally disjunctive, and f : L → L, g : L′ → L′ are mono-tonic, then

h ◦ f � g ◦ h ⇒ h.(μ f ) �μ g

Proof. Let M = {x: x �μ f ∧ h.x �μ g}. We prove that∨

M ∈ M and∨

M = μ f (∨

M �μ f and μ f �∨

M).

• ∨M ∈ M

= {Definition of M}∨M �μ f ∧ h.(

∨M) �μ g

= {h is universally disjunctive}∨M �μ f ∧ ∨

(h.M) �μ g= {Complete lattice properties}

(∀x ∈ M : x �μ f ∧ h.x �μ g)= {Definition of M}

true

The fact∨

M �μ f follows directly from∨

M ∈ M . We prove μ f �∨

M

• μ f �∨

M⇐ {Least fixpoint properties (1)}

f .(∨

M)�∨

M⇐ {

∨properties}

f .(∨

M) ∈ M= {Definition of M}

f .(∨

M)�μ f ∧ h.( f .(∨

M)) �μ g⇐ { f monotonic and μ f fixpoint for f }∨

M �μ f ∧ h.( f .(∨

M)) �μ g= {We proved

∨M �μ f }

h.( f .(∨

M)) �μ g⇐ {h ◦ f � g ◦ h}

g.(h.(∨

M)) �μ g⇐ {g monotonic and μ g fixpoint for g}

h.(∨

M) �μ g= {h is universally disjunctive}∨

(h.M) �μ g= {

∨properties}

(∀x ∈ M: h.x �μ g)

= {Definition of M}true

From∨

M = μ f follows that h.(μ f ) �μ g . �This is a weaker version of the fusion theorem (known also as transfer lemma [36]) in which h is required to be

continuous only. The next corollary gives an instantiation of the weak fusion theorem that can be used to prove that iterationpreserves conjunctivity of monotonic Boolean transformers (if S is conjunctive, then Sω is conjunctive). This property willbe proved later in the more general case of our algebra. Because the weak fusion lemma cannot be stated and proveddirectly in our algebra, we will postulate in the algebra the property stated by the corollary.

Corollary 7. For S, T , U , V , X : B → B we have

(∀Y ∈ Mtran: S ◦ Y � T � X � U ◦ (Y � X) � V) ⇒ Sω ◦ T � X � Uω ◦ V (3)



Proof. The property (3) follows by instantiating h := (λY : Y � X), f := (λY : S ◦ Y � T ), and g := (λY : U ◦ Y � V ) inTheorem 6. �4. Algebra of monotonic Boolean transformers

We introduce in this section an algebraic structure which has as a model the monotonic Boolean transformers.

Definition 8. An algebra of monotonic Boolean transformers (abbreviated MBT) is an algebra A= 〈A,�,�,�,◦, _o, _ω_∗,1,⊥,�〉where � is a binary relation, �, �, and ◦ are binary operations, _o , _ω, _∗ are unary operations and 1, ⊥, and � are con-stants, which satisfies the following axioms:

(A1) 〈A,�,�,�,⊥,�〉 is a bounded distributive lattice(A2) 〈A,◦,1〉 is a monoid(A3) (x � y) ◦ z = (x ◦ z) � (y ◦ z)(A4) x � y ⇒ z ◦ x � z ◦ y(A5) � ◦ x = �(A6) x � y ⇔ yo � xo

(A7) xoo = x

(A8) (x ◦ y)o = xo ◦ yo

(A9) (x ◦ �) � (xo ◦ ⊥) = ⊥(A10) xω = x ◦ xω � 1(A11) x ◦ z � y � z ⇒ xω ◦ y � z(A12) x∗ = x ◦ x∗ � 1(A13) z � x ◦ z � y ⇒ z � x∗ ◦ y

The algebra of monotonic Boolean transformers includes all operators and axioms of the general refinement algebraintroduced in [20]. Additionally it includes the angelic choice and the dual operator and their corresponding axioms. Wealso assume that the lattice of the choice operations is distributive. All properties proved in [20] for the general refinementalgebra hold also for MBT algebra.

The unary operations have the highest priority, followed by the composition operation (◦), and by the lattice binaryoperations. The order relation has the lowest priority. Although it is customary to consider that conjunction has higherpriority than disjunction, in this paper we will treat them as having the same priority.

The dual operator behaves like a negation operator: it is anti-monotonic, it is an involution (xoo = x), and the conjunctionof x ◦ � and xo ◦ ⊥ is ⊥. However, the dual operator applied to a monotonic Boolean transformer is also monotonic. Thisoperator will be used to define the negation for assert and assume statements of MBT algebra.

Alternatively we could introduce only �, ◦, _o , _ω , _∗ , 1, and � as primitive operations, and then define � and ⊥ interms of �, _o , and �.

Theorem 9. If the constants 1, ⊥, and � from MBT are interpreted as skip, fail, and magic, then the monotonic Boolean transformersare a model for the axioms of MBT.

Proof. All properties (A1) to (A13) from Definition 8 are easy to verify. �In [37], multirelations are used to model angelic and demonic nondeterminism, and they are shown to be equivalent

to monotonic predicate transformers. This work would enable showing that the multirelations are also a model for MBTalgebra.

The next theorem lists a number of properties that are true in an MBT algebra. The properties are direct consequencesof the axioms of MBT algebra and they are technical results which will be used later.

Theorem 10. In MBT the following properties hold:

1. �o = ⊥ and ⊥o = �2. 1o = 13. (x � y)o = xo � yo

4. (x � y)o = xo � yo

5. x = y ⇔ xo = yo

6. (x � y) ◦ z = (x ◦ z) � (y ◦ z)7. x ◦ (y � z) � (x ◦ y) � (x ◦ z)8. x ◦ (y � z) � (x ◦ y) � (x ◦ z)9. ⊥ ◦ x = ⊥

10. x � y ⇒ x ◦ z � y ◦ z11. x � y ∧ u � v ⇒ x ◦ u � y ◦ v12. 1 � x ⇒ y � x ◦ y13. 1 � x ⇒ y � y ◦ x14. x � 1 ⇒ x ◦ y � y15. x � 1 ⇒ y ◦ x � y16. x � x ◦ � and x ◦ ⊥ � x17. (x ◦ �) � (xo ◦ ⊥) = �18. (x ◦ ⊥) � (xo ◦ �) = �

Definition 11. An element x is conjunctive if it satisfies(∀y, z: x ◦ (y � z) = (x ◦ y) � (x ◦ z)

)and dually x is disjunctive if it satisfies(∀y, z: x ◦ (y � z) = (x ◦ y) � (x ◦ z)

)The sets of conjunctive and disjunctive elements are denoted by Conj and Disj, respectively.



As pointed out in Definition 3, these two properties are equivalent to the definitions of conjunctive and disjunctivefunctions in the model of monotonic Boolean transformers.

Lemma 12. For x ∈ MBT the following properties hold:

1. x ∈ Conj ⇒ xo ∈ Disj2. x ∈ Disj ⇒ xo ∈ Conj

5. Assertions and assumptions

This section introduces the set of assertions and assumptions of an MBT algebra. In a Kleene algebra with tests [12], thetests (which are the equivalent to assumptions) are postulated. The tests are elements of a subset of a Kleene algebra andthey form a Boolean algebra. In a demonic refinement algebra [20], guards (which are also the equivalent to assumptions)are the elements that have a complement with respect to �, ◦, 1, and �. Because our algebra contains the dual operator weare able to introduce the assertions using a conjunction of an inequality and an equality which is logically simpler than thedefinition from [20]. We prove that the assertions and also the assumptions are Boolean algebras, and moreover, we provethat the assertions and the assumptions from our algebra correspond exactly to the assertions and the assumptions fromthe monotonic Boolean transformers model.

Definition 13. In an MBT algebra the set of assertions is defined by

Assertion = {p: p � 1 ∧ p = (p ◦ �) � po}

The set Assertion corresponds to the set of all assertions {q} in the model of monotonic Boolean transformers. We willprove this fact after we prove a preliminary lemma which establishes some properties for the elements of Assertion. Inthe model of monotonic Boolean transformers, the assertions are fully characterized by Theorem 4. We could express theproperties from Theorem 4 in the MBT algebra, however these are too weak to prove useful properties for assertions. Therelations p � 1 and p = (p ◦ �) � po are chosen such that we can prove that Assertion form a Boolean algebra using asuitable definition for the negation of assertions.

Lemma 14. Let p ∈ Assertion then

1. po = (po ◦ ⊥) � p2. p = (p ◦ �) � 1 and po = (po ◦ ⊥) � 13. p, po ∈ Conj and p, po ∈ Disj

Proof. The first property follows directly by applying the dual to the equality p = (p ◦ �) � po .We prove p = (p ◦ �) � 1 by proving the two inequalities:

• p � (p ◦ �) � 1= {Lattice properties}

p � p ◦ � ∧ p � 1= {p is an assertion and Theorem 10}

true

and

• (p ◦ �) � 1 � p= {p = (p ◦ �) � po}

(p ◦ �) � 1 � (p ◦ �) � po

= {Lattice properties}1 � po

= {Axioms of MBT}p � 1

= {p is an assertion}true

The second property of 2. follows by applying the dual operator to p = (p ◦ �) � 1.



We prove now that p ∈ Conj, i.e. for all x, y ∈ MBT, p ◦ (x � y) = (p ◦ x) � (p ◦ y):

• p ◦ (x � y)

= {Property 2. of this theorem}((p ◦ �) � 1) ◦ (x � y)

= {Axioms of MBT}(p ◦ � ◦ (x � y)) � x � y

= {Axioms of MBT}(p ◦ �) � x � y

= {Lattice properties}((p ◦ �) � x) � ((p ◦ �) � y)

= {Axioms of MBT}(((p ◦ �) � 1) ◦ x) � (((p ◦ �) � 1) ◦ y)

= {Property 2. of this theorem}(p ◦ x) � (p ◦ y)

The property p ∈ Disj can be proved similarly, but we also need to use the distributivity of � over �.Finally po ∈ Conj and po ∈ Disj follow using Lemma 12. �The next theorem shows that in the model of monotonic Boolean transformers the elements of the set Assertion corre-

spond exactly to the assertions.

Theorem 15. In Mtran the set Assertion is the set of all assertions, {p}, for p ∈ B.

Proof. We prove that Assertion = {{p} | p ∈ B} in Mtran. First if p ∈ B , it is easy to show that {p} ∈ Assertion. Conversely ifx ∈ Assertion, then by Lemma 23 x ∈ Disj, and using Theorem 4, it follows that x ∈ {{p} | p ∈ B}. �Lemma 16. If p,q ∈ Assertion, then p ◦ q = p � q.

Proof. We prove first p ◦ q � p � q.

• p ◦ q � p � q= {Lattice properties}

p ◦ q � p ∧ p ◦ q � q= {Theorem 10}

true

The second inequality follows from:

• p � q= {Assertion definition}

p ◦ � � po � q ◦ � � qo

� {Sub-derivation}

• po � po ◦ qo ∧ qo � po ◦ qo

= {Theorem 10}true

• q � po ◦ q ◦ �⇐ {transitivity of �}

q � po ◦ q ∧ po ◦ q � po ◦ q ◦ �= {Theorem 10}

true

p ◦ � � po ◦ q ◦ � � po ◦ qo

= {po ∈ Conj}p ◦ � � po ◦ (q ◦ � � qo)

= {q ∈ Assertion}p ◦ � � po ◦ q

= {MBT axioms}(p ◦ � � po) ◦ q



= {p ∈ Assertion}po ◦ qo

This concludes the theorem. �The next definition introduces the negation of an assertion in an MBT algebra. In the monotonic Boolean transformers

model we have the negation of Boolean elements that can be used to define the negation of assertions. However, thepoint-wise extension of negation to Boolean transformers does not preserve monotonicity, so we cannot have the negationas operation in the MBT algebra. For this reason we use the dual operator to define the negation of assertions in MBTalgebra.

Definition 17. For an assertion p ∈ Assertion the negation of p, denoted ¬p is defined by

¬p = (po ◦ ⊥) � 1

Corollary 18. The definition of negation corresponds to negation of Booleans in the monotonic Boolean transformers model:¬{q} = {¬q}.

Proof.

(¬{q}).r= {Definition 17}

(({q}o ◦ fail) � skip).r= {Definitions of {_}, _o , fail, � and skip for monotonic Boolean transformers}

(¬q) ∧ r= {Definition of {_} for monotonic Boolean transformers}

{¬q}.r �The next lemma is the first step in proving that Assertion is a Boolean algebra with the operations �, �, ¬, 1 as the top,

and ⊥ as bottom. This fact is similar to the fact that assertions in the model are a Boolean algebra with skip and fail as topand bottom.

Lemma 19. The assertions are closed under �, �, ¬, 1, and ⊥.

Proof. The fact that 1 and ⊥ are assertions is easy to prove. Assume p,q ∈ Assertion. First we prove that p � q ∈ Assertion.It is true that p � q � 1. We prove also that p � q = (p � q) ◦ � � (p � q)o:

• p � q= {Lemma 16}

p ◦ q= {p,q ∈ Assertion}

(p ◦ � � po) ◦ (q ◦ � � qo)

= {MBT axioms}p ◦ � � po ◦ (q ◦ � � qo)

= {po ∈ Conj by Lemma 14}p ◦ � � po ◦ q ◦ � � po ◦ qo

= {MBT axioms}(p ◦ � � po) ◦ q ◦ � � po ◦ qo

= {p ∈ Assertion}p ◦ q ◦ � � po ◦ qo

= {MBT axioms}p ◦ q ◦ � � (p ◦ q)o

= {Lemma 16}(p � q) ◦ � � (p � q)o

To prove that p � q ∈ Assertion we have to show p � q � 1, which is easy, and p � q = (p � q) ◦ � � (p � q)o:

• (p � q) ◦ � � (p � q)o

= {Theorem 10}(p ◦ � � q ◦ �) � po � qo



= {Lattice distributivity}(p ◦ � � po � qo) � (q ◦ � � po � qo)

= {p,q ∈ Assertion}(p � qo) � (q � po)

= {p � 1 � qo and q � 1 � qo}p � q

Finally we show ¬p ∈ Assertion. The property ¬p � 1 follows directly from the definition of ¬. The fact ¬p = ¬p ◦�� (¬p)o

follows from:

• ¬p ◦ � � (¬p)o

= {Definition of ¬}(po ◦ ⊥ � 1) ◦ � � (po ◦ ⊥ � 1)o

= {MBT axioms}po ◦ ⊥ � � � (p ◦ � � 1)

= {bounded lattice properties}po ◦ ⊥ � (p ◦ � � 1)

= {lattice distributivity}(po ◦ ⊥ � p ◦ �) � (po ◦ ⊥ � 1)

= {MBT axioms}⊥ � (po ◦ ⊥ � 1)

= {⊥ is bottom}po ◦ ⊥ � 1

= {Definition of ¬}¬p

This concludes the proof of the theorem. �We can prove now in the next theorem the main result about the assertion in an MBT algebra.

Theorem 20. The structure (Assertion,�,�,¬,⊥,1) is a Boolean algebra.

Proof. The structure (Assertion,�,�,⊥,1) is a bounded distributive lattice by Lemma 19 and by the fact that MBT is adistributive lattice. We need to show also that ¬ satisfies the negation axioms: p � ¬p = ⊥ and p � ¬p = 1.

• p � ¬p= {Definition of ¬}

p � po ◦ ⊥ � 1� {Theorem 10}

p ◦ � � po ◦ ⊥ � 1= {MBT axioms}

⊥ � 1= {bounded lattice properties}

⊥

If follows p � ¬p �⊥ which is equivalent to p � ¬p = ⊥. The second property follows from:

• p � ¬p= {Definition of ¬}

p � (po ◦ ⊥ � 1)

= {lattice distributivity}(p � po ◦ ⊥) � (p � 1)

= {p ∈ Assertion}(p � po ◦ ⊥) � 1

= {Theorem 10 and MBT axioms}(po � p ◦ �)o � 1

= {p ∈ Assertion}po � 1

= {p � 1 ⇔ 1 � po by MBT axioms}1 �



The next lemma introduces some additional properties for assertions. These are used later in proving rules and healthi-ness properties for a simple while language defined in the MBT algebra.

Lemma 21. If p ∈ Assertion and x, y ∈ MBT, then

1. p ◦ p = p and po ◦ po = po

2. p ◦ po = p and po ◦ p = po

3. po ◦ x � (¬p) ◦ � = po ◦ x4. p ◦ x � (¬p) ◦ y = po ◦ x � (¬p)o ◦ y

Proof. For the first property we have: p ◦ p = p � p = p by Lemma 16, and po ◦ po = p follows by applying the dual.The second property follows from:

• p ◦ po

= {p ∈ Assertion}(p ◦ � � po) ◦ po

= {MBT axioms}p ◦ � � po ◦ po

= {Property 2.}p ◦ � � po

= {p ∈ Assertion}p

Property 3 is proved by

• po ◦ x � (¬p) ◦ �= {Definition of ¬}

po ◦ x � (po ◦ ⊥ � 1) ◦ �= {MBT axioms}

po ◦ x � po ◦ ⊥= {po ◦ ⊥� po ◦ x}

po ◦ x

The last property follows from:

• p ◦ x � (¬p) ◦ y= {p,¬p ∈ Assertion}

(p ◦ � � po) ◦ x � ((¬p) ◦ � � (¬p)o) ◦ y= {MBT axioms}

(p ◦ � � po ◦ x) � ((¬p) ◦ � � (¬p)o ◦ y)

= {Lattice distributivity}((p ◦ � � po ◦ x) � (¬p) ◦ �) � ((p ◦ � � po ◦ x) � (¬p)o ◦ y)

= {Lattice distributivity}(p ◦ � � (¬p) ◦ �) � (po ◦ x � (¬p) ◦ �) � (p ◦ � � (¬p)o ◦ y) � (po ◦ x � (¬p)o ◦ y)

= {MBT axioms}(p � (¬p)) ◦ � � (po ◦ x � (¬p) ◦ �) � (p ◦ � � (¬p)o ◦ y) � (po ◦ x � (¬p)o ◦ y)

= {Assertion is a Boolean algebra}(po ◦ x � (¬p) ◦ �) � (p ◦ � � (¬p)o ◦ y) � (po ◦ x � (¬p)o ◦ y

= {Property 3: po ◦ x � (¬p) ◦ � = po ◦ x}po ◦ x � (¬p)o ◦ y � (po ◦ x � (¬p)o ◦ y)

= {Lattice properties}po ◦ x � (¬p)o ◦ y �

The property 4. from Lemma 21 shows that the two ways of defining the conditional program are also equivalent inMBT. In MBT the conditional program is defined by

if b then x else y = b ◦ x � ¬b ◦ y = bo ◦ x � (¬b)o ◦ y (4)

The assumptions of MBT are defined similarly to assertions, but using the duals of the properties for assertions. Theycorrespond to the assumptions [q] in the monotonic Boolean transformers model.



Definition 22. The assumptions of MBT, denoted by Assumption ⊆ MBT, are defined by

Assumption = {g: 1 � g ∧ g = (g ◦ ⊥) � go}

Lemma 23. Let g ∈ Assumption then

1. g ∈ Assumption ⇔ go ∈ Assertion2. go = (go ◦ �) � g3. g = (g ◦ ⊥) � 1 and go = (go ◦ �) � 14. g, go ∈ Conj and g, go ∈ Disj

Proof. These properties can be proved similarly to those for assertion, but using the dual properties. �Theorem 24. In Mtran the Assumption is the set of all assumptions, [p], for p ∈ B.

Proof. This fact can be proved similarly to Theorem 15, using Theorem 5. This theorem can also be proved usingLemma 23.1, and the fact that in Mtran {p}o = [p]. �

The negation of an assumption can be defined using the negation of an assertion.

Definition 25. The negation of an assumption g ∈ Assumption, denoted ¬g ∈ Assumption, is given by

¬g = (¬go)o

Theorem 26. The assumptions are closed to the operations �, �, ¬, 1, and �, and the structure (Assumption,�,�,¬,1,�) is aBoolean algebra.

6. Weakest precondition, guards, Hoare triples, and data refinement

This sections introduces the weakest precondition for elements of an MBT algebra, and using it introduces valid Hoaretriples. Various results connecting valid Hoare triples, refinement, and data refinement are also proved.

Definition 27. The weakest precondition of a program x and �, denoted wpt.x ∈ MBT, is given by

wpt.x = (x ◦ �) � 1.

For S , a monotonic predicate transformer, S.� is the set of all states from which the program S terminates. S.� isthe weakest precondition of S to establish �. The definition of wpt is motivated by the fact that in the monotonic Booleantransformer model wpt.S is equal to {S.�}. We will prove that wpt.x is an assertion. In the monotonic predicate transformersmodel wpt.x succeeds only when started in a state from which x terminates, otherwise wpt.x fails (it does not terminate). Theoperator wpt satisfies all axioms set for the termination operator in [21,22]. These axioms are listed among the conclusionsof the next theorem.

Theorem 28. The following properties are true for wpt.

1. wpt.x ∈ Assertion2. (wpt.x) ◦ x = x3. p ∈ Assertion ⇒ wpt.p = p4. p ∈ Assertion ∧ p ◦ x = x ⇒ wpt.x � p5. p ∈ Assertion ⇒ wpt.(po) = 16. p,q ∈ Assertion ⇒ wpt.(po ◦ q) = ¬p � q7. x � y ⇒ wpt.x � wpt.y8. wpt.(x ◦ y) = wpt.(x ◦ wpt.y)

9. p ∈ Assertion ∧ x ∈ Conj ⇒ x ◦ p = wpt.(x ◦ p) ◦ x (moving assertions)10. (wpt.x) ◦ � = x ◦ �11. wpt.(x � y) = wpt.x � wpt.y12. wpt.(x � y) = wpt.x � wpt.y

Proof. We only show here the proof of property 6.



• wpt.(po ◦ q)

= {Definition}(po ◦ q ◦ �) � 1

= {Lemma 14}(((po ◦ ⊥) � 1) ◦ q) � 1

= {MBT axioms}((po ◦ ⊥) � q) � 1

= {Lattice distributivity}((po ◦ ⊥) � 1) � (q � 1)

= {q ∈ Assertion}((po ◦ ⊥) � 1) � q

= {Definition of ¬}¬p � q �

The properties from Theorem 28 will be used to prove Hoare total correctness rules for programs. For example thecorrectness rules for sequential composition, demonic choice and angelic choice will be proved as consequences of 8, 11,and 12 from Theorem 28.

In Mtran the guard of a program is defined as the set of all states from which the program is enabled. In MBT the guardmaps any program x to an assumption which terminates miraculously when started in a state from which x terminatesmiraculously, and skips otherwise.

Definition 29. The guard of an element x ∈ MBT, denoted grd.x, is given by

grd.x = x ◦ ⊥ � 1.

In Mtran the guard of a program S corresponds to [¬S.⊥]: grd.S = [¬S.⊥]The operator grd satisfies all axioms set for the enabledness operator in [21,22]. These axioms are listed among the

conclusions of the next theorem.

Theorem 30. If x ∈ MBT, and p ∈ Assertion, then

1. grd.x ∈ Assumption2. grd.x ◦ x = x3. grd.x = (¬wpt.(x ◦ ⊥))o

4. g ∈ Assumption ⇒ g � grd.(g ◦ x)5. grd.(x ◦ y) = grd.(x ◦ grd.y)

6. (grd.x) ◦ ⊥ = x ◦ ⊥7. grd.(x � y) = grd.x � grd.y8. grd.(x � y) = grd.x � grd.y

Proof. To prove the relation 1., we need to show that grd.x � 1, which is trivial by the definition of grd, and grd.x =(grd.x ◦ ⊥) � (grd.x)o

• (grd.x ◦ ⊥) � (grd.x)o

= {Definition of grd}((x ◦ ⊥ � 1) ◦ ⊥) � ((x ◦ ⊥ � 1))o

= {MBT axioms and Theorem 10}x ◦ ⊥ � (xo ◦ � � 1)

= {Lattice distributivity}(x ◦ ⊥ � xo ◦ �) � (x ◦ ⊥ � 1)

= {Theorem 10}� � (x ◦ ⊥ � 1)

= {Lattice properties and the definition of grd}grd.x

The second property is proved by:

• grd.x ◦ x= {Definition of grd}

(x ◦ ⊥ � 1) ◦ x



= {MBT axioms}x ◦ ⊥ � x

= {x.⊥ � x}x

The third property is proved by:

• (¬wpt.(x ◦ ⊥))o

= {Definition of ¬}((wpt.(x ◦ ⊥))o ◦ ⊥ � 1)o

= {Theorem 10 and MBT axioms}(wpt.(x ◦ ⊥)) ◦ � � 1

= {Definition of wpt}(x ◦ ⊥ ◦ � � 1) ◦ � � 1

= {Theorem 10 and MBT axioms}x ◦ ⊥ � 1

= {Definition of grd}grd.x. �

Definition 31. For p,q, x ∈ MBT, the Hoare total correctness triple p {| x |}q ∈ Bool is defined by(

p {| x |}q) := p � wpt.(x ◦ q).

This definition also corresponds to the classical definition of Hoare total correctness triples in the monotonic Booleantransformers lattice. If p,q ∈ B and S ∈ Mtran, then {p}{|S |} {q} is equivalent to p � S.q.

In [20] the total correctness triple of a program x with respect to a precondition p and a post-condition q is defined bypo ◦ x ◦ (−q)o = �. The next theorems shows that this definition is equivalent to our definition.

Theorem 32. If p ∈ Assertion then

p {| x |}q ⇔ po ◦ x ◦ (¬q)o = �

Proof. First assume p {| x |}q, which implies p ◦ � � x ◦ q ◦ �. Show po ◦ x ◦ (¬q)o = �.

• �= {Theorem 10}

(x ◦ q)o ◦ ⊥ � x ◦ q ◦ �� {the assumption implies p ◦ � � x ◦ q ◦ �}

po ◦ ⊥ � x ◦ q ◦ �= {Theorem 10}

(po ◦ ⊥ � 1) ◦ x ◦ q ◦ �= {Lemma 14}

po ◦ x ◦ q ◦ �� {MBT axioms}

po ◦ x ◦ (q ◦ � � 1)

= {Theorem 10}po ◦ x ◦ (qo ◦ ⊥ � 1)o

= {definition of ¬}po ◦ x ◦ (¬q)o

For the second implication assume po ◦ x ◦ (¬q)o = �, which is equivalent to po ◦ x ◦ (q ◦ � � 1) = �. To show p {| x |}q it isenough to show p � x ◦ q ◦ �, which follows from p � p ◦ � = p ◦ x ◦ q ◦ � � x ◦ q ◦ �.

• p ◦ �= {MBT axioms}

p ◦ � ◦ ⊥= {assumption}

p ◦ po ◦ x ◦ (q ◦ � � 1) ◦ ⊥= {Lemma 21}

p ◦ x ◦ (q ◦ � � 1) ◦ ⊥= {Theorem 10}

p ◦ x ◦ q ◦ � �



Definition 33. For x, y, u, v ∈ MBT, the program x is data refined by the program y via the programs u and v , denotedx �u,v y, if

u ◦ x � y ◦ v.

This definition for data refinement was used in [38] for constructing invariant based programs using data refinement.The program x works on some abstract variables and y works on some concrete variables. The data representation programs uand v link the abstract variables of x to the concrete variables of y. Usually the definition of data refinement is introducedusing only one data representation program (u = v). However the more general form presented here is useful in situationswhen for example x and y start from a number of variables, and they may introduce new variables or remove existingvariables (abstract and concrete respectively). The initial variables of x and y are related by u and the final variables of xand y are related by v . In the example presented at the end of the paper, we use data refinement statements in which uand v are different.

The next theorem allows to conclude a correctness statement for a program y which (data) refines a program x, knowingthat x is correct.

Theorem 34. If p, x, y,q, u, v ∈ MBT, then

1. p {| x |}q ∧ x �u,v y ⇒ wpt.(u ◦ p){|y |}wpt.(v ◦ q)

2. p ∈ Assertion ∧ p{|x |}q ∧ p ◦ x �u,v y ⇒ wpt.(u ◦ p){|y |}wpt.(v ◦ q)

3. p,q ∈ Assertion ∧ p{|x |}q ∧ x � y ⇒ p {| y |}q

Proof. Assume p {| x |}q (⇔ p � wpt.(x ◦ q)) and x �u,v y (⇔ u ◦ x � y ◦ v).

• wpt.(u ◦ p){|y |}wpt.(v ◦ q)

= {Definition of Hoare triple}wpt.(u ◦ p) � wpt.(y ◦ wpt.(v ◦ q))

= {Theorem 28}wpt.(u ◦ p) � wpt.(y ◦ v ◦ q)

⇐ {Assumption and wpt monotonic}wpt.(u ◦ p) � wpt.(u ◦ x ◦ q)

= {Theorem 28}wpt.(u ◦ p) � wpt.(u ◦ wpt.(x ◦ q))

⇐ {Assumption and wpt monotonic}wpt.(u ◦ p) � wpt.(u ◦ p)

= {� is reflexive}true

For the second property assume that p is an assertion and p {| x |}q, we use p ◦ x for x in property 1. We need to show thatp {| p ◦ x |}q.

• p {| p ◦ x |}q= {Definition of Hoare triple}

p � wpt.(p ◦ x ◦ q)

= {Theorem 28}p � p ◦ wpt.(x ◦ q)

⇔ {p ◦ p = p}p ◦ p � p ◦ wpt.(x ◦ q)

= {Axiom A4}p � wpt.(x ◦ q)

⇐ {Definition}p {| x |}q

= {Proof assumption}true

For the last property we use u = v = 1 in property 1 and the fact that wpt.p = p and wpt.q = q if p and q are assertions. �The second property of Theorem 34 is preferable to the first one because the data refinement p ◦ x �u,v y is easier to

prove compared to x �u,v y. In p ◦ x �u,v y the properties from p can be used as assumption in the proof.



We introduce here some additional properties of data refinement which will be used later in proving correct a concreteexample. In [22], Meinicke and Solin defined the concept of a continuous element of their algebra. Because the set of axiomsused in [22] is a subset of our set of axioms, the results and definitions from [22] are directly available in our framework.

Definition 35. An element x is continuous if the following property holds

(∀y, z, u, v :(∀n: x ◦ (y ◦ n � u) � z ◦ x ◦ n � v ◦ x

) ⇒ x ◦ yω ◦ u � zω ◦ v ◦ x)

(5)

The next theorem was proved in [22], page 13 as property (57).

Theorem 36. If u is continuous, then

x �u,u y ⇒ xω �u,u yω

We will use this theorem to reduce data refinement of iteration to data refinement of the iterated statements. Addition-ally we will need some properties which reduce the data refinement of sequential composition and demonic choice. Weprove also some transitivity property of data refinement. These properties are stated in the next theorem.

Theorem 37. If x, y, z, t, u, v ∈ MBT, then

1. If x �u,v y and z �v,w t then x ◦ z �u,w y ◦ t2. If x �u,v y and z �u,v t then x � z �u,v y � t3. If x �u,v y and y �t,w z then x �t◦u,w◦v z4. If x � y then x �1,1 y

Proof. For 1. we assume x �u,v y (u ◦ x � y ◦ v) and z �v,w t (v ◦ z � t ◦ w), then

• x ◦ z �u,w y ◦ t⇔ {Definition of data refinement}

u ◦ x ◦ z � y ◦ t ◦ w⇐ {Assumption u ◦ x � y ◦ v}

y ◦ v ◦ z � y ◦ t ◦ w⇐ {Assumption v ◦ z � t ◦ w}

true

For 2. we have:

• x � z �u,v y � t⇔ {Definition of data refinement}

u ◦ (x � z) � (y � t) ◦ v⇐ {Theorem 10.7 and axiom A3}

u ◦ x � u ◦ z � y ◦ v � t ◦ v⇐ {Lattice properties}

u ◦ x � y ◦ v and u ◦ z � t ◦ v⇔ {Definition of data refinement}

x �u,v y and z �u,v t

For 3 we have to prove t ◦ u ◦ x � z ◦ w ◦ v

• t ◦ u ◦ x� {x �u,v y }

t ◦ y ◦ v� {y �t,w z }

z ◦ w ◦ v

The last property follows directly by expanding the definition of data refinement. �The next theorem enables moving a continuous statement u preceding an iteration xω , inside the iteration, if the state-

ment u can be moved over x.



Theorem 38. If u is continuous, then

u ◦ x � u ◦ x ◦ u ⇒ u ◦ xω � (u ◦ x)ω ◦ u

Proof. In (5) we take x := u, y := x, u := 1, z = u ◦ x, v := 1, and we assume u ◦ x � u ◦ x ◦ u.

• u ◦ xω � (u ◦ x)ω ◦ u⇐ {u is continuous}

(∀n: u ◦ (x ◦ n � 1) � (u ◦ x) ◦ u ◦ n � u)

⇐ {By Theorem 10 u ◦ (x ◦ n � 1) � u ◦ x ◦ n � u}(∀n: u ◦ x ◦ n � u � u ◦ x ◦ u ◦ n � u)

⇐ {Monotonicity properties}u ◦ x � u ◦ x ◦ u

⇐ true �A statement p is invariant for another statement x if the Hoare triple p {| x |} p is true. In other words if p is true (as an

assertion) before executing x, then p is true also after the execution of x.The next corollary of Theorem 38 shows that if a continuous assertion p is invariant for a statement x, then p ◦ xω is

refined by (p ◦ x)ω . If we need to refine this iteration further, then refining p ◦ x may be significantly easier than refining xalone. We will use this corollary in the example presented at the end the paper.

Corollary 39. If p ∈ Assertion, p is continuous, and x is conjunctive, then

p {| x |} p ⇒ p ◦ xω � (p ◦ x)ω

Proof. We prove first that for an assertion p, and a conjunctive element x we have p {| x |} p implies p ◦ x � p ◦ x ◦ p:

• p {| x |} p⇔ {Definition of Hoare triple and wpt}

p � x ◦ p ◦ � � 1⇒ {Theorem 10}

p ◦ x � x ◦ p ◦ � � x⇔ {x is conjunctive}

p ◦ x � x ◦ (p ◦ � � 1)

⇔ {p is an assertion}p ◦ x � x ◦ p

⇒ {Axiom A4 and assertion properties}p ◦ x � p ◦ x ◦ p

Using Theorem 38 we obtain p ◦ xω � (p ◦ x)ω ◦ p, which implies the conclusion p ◦ xω � (p ◦ x)ω , by using Theorem 10 andthe fact that p is an assertion. �

In [20], von Wright uses a statement called havoc to introduce a pre-post-condition specification statement. von Wrightproves that the specification statement is refined by another program x if and only if x is totally correct with respect to thepre and post conditions. However the proof from [20] uses the property that all programs are conjunctive, which does nothold in our setting. We introduce another concept that can be used to define the specification statement and we can provethe equivalence between the refinement of the specification statement into x and the correctness statement of x. As in caseof [20], this concept cannot be defined and we use two axioms for introducing it. We assume that we have a function|_| : MBT → MBT that satisfies the additional axioms:

(P 1) |x| ◦ x ◦ � = � (P 2) x ◦ y ◦ � � |y| � x

In the model of monotonic Boolean transformers, if we define |S| = ‖S.�‖, then the axioms (P 1) and (P 2) are satisfied. Theaxioms (P 1) and (P 2) are just adaptations to the MBT algebra of the properties 2. and 3. from Theorem 1. Additionally, inthe MBT algebra we assume that |_| is defined for all elements of the algebra, while ‖_‖ is defined only for Booleans p ∈ B .

The next theorem shows that p ◦ |q| can be used as a specification statement.

Theorem 40. If p,q ∈ Assertion and x ∈ MBT, then p {| x |}q ⇔ p ◦ |q|� x.

Proof. Assume p {| x |}q which is equivalent to p � x ◦ q ◦ � � 1.



• p ◦ |q|� {Proof assumption}

(x ◦ q ◦ � � 1) ◦ |q|= {MBT axioms}

x ◦ q ◦ � � |q|� {Axiom (P 2)}

x

Conversely assume p ◦ |q|� x and show p � x ◦ q ◦ � which is equivalent to p {| x |}q when p ∈ Assertion

• p= {Lemma 14}

(p ◦ � � 1)

= {Axiom (P 1)}p ◦ |q| ◦ q ◦ � � 1

� {Lattice properties}p ◦ |q| ◦ q ◦ �

� {Assumption}x ◦ q ◦ � �

7. Program statements

In this section we introduce the program statements of a simple imperative while language with angelic and demonicchoice. We prove the Hoare total correctness rules for these statements and we also prove that these statements preserveconjunctivity, and disjunctivity of statements.

7.1. Hoare rules

In order to avoid specifying when an element of MBT is an assertion we introduce a special notation. For an assertionp ∈ Assertion the statement assert p, denoted {p} ∈ MBT, is defined by {p} := p. The statement assume p, denoted [p] ∈MBT, is defined by [p] := {p}o . For assertions we also use ∧, and ∨ instead of �, and �.

Using these notations the definition of the if statement introduced by (4) can be restated:

if b then x else y = [b] ◦ x � [¬b] ◦ y = {b} ◦ x � {¬b} ◦ y (6)

Using the iteration operator we define the while program statement by

while b do x = ([b] ◦ x)ω ◦ [¬b]

For x ∈ MBT and p ∈ Assertion the weakest precondition of x with respect to p, denoted wp.x.p ∈ Assertion is defined by

wp.x.p = wpt.(x ◦ {p})

and with these definitions the Hoare triple definition can be restated:

(p {| x |}q

) = (p � wp.x.q)

Theorem 41. The following Hoare rules are true

1. (wp.x.q) {| x |}q2. (p {| {r} |}q) = (p � r ∧ q)

3. (p {| [r] |}q) = (p ∧ r � q)

4. (p {| x ◦ y |}q) = (p {| x |} (wp.y.q))

5. (p {| x ◦ y |}q) = (∃r: (p {| x |} r) ∧ (r {| y |}q))

6. (p {| [b] ◦ x |}q) = (p ∧ b {| x |}q)

7. (p {| x � y |}q) = (p {| x |} y) ∧ (p {| y |}q)

8. (p {| if b then x else y |}q) = (p ∧ b {| x |}q) ∧ (p ∧ ¬b {| y |}q)

9. If p′ � p, p {| x |}q, and q � q′ , then p′ {| x |}q′ .

Proof. The properties 1. to 6. and 9. follow easily by expanding the definitions and using the properties of wpt. We prove 7.and 8.



• p {| x � y |}q⇔ {Definitions}

p � wpt.((x � y) ◦ {q})⇔ {Axiom (A3)}

p � wpt.(x ◦ {q} � y ◦ {q})⇔ {Theorem 28}

p � wpt.(x ◦ {q}) � wpt.(y ◦ {q})⇔ {Lattice property}

(p � wpt.(x ◦ {q})) ∧ (p � wpt.(y ◦ {q}))⇔ {Definitions}

(p {| x |}q) ∧ (p {| y |}q)

The rule 8. follows from

• p {| if b then x else y |}q⇔ {Definition}

p {| [b] ◦ x � [¬b] ◦ y |}q⇔ {Rule 7.}

(p {| [b] ◦ x |}q) ∧ (p {| [¬b] ◦ y |}q)

⇔ {Rule 6.}((p ∧ b) {| x |}q) ∧ ((p ∧ ¬b) {| y |}q) �

In order to prove the total correctness rule for while statements we need to introduce well founded relations. A relation< on W is well founded if for all predicates P : W → Bool the following well founded induction property is true:

(∀w: (∀v: v < w ⇒ P .v) ⇒ P .w) ⇒ (∀w: P .w)

In general Hoare rules for total correctness of while statements require taking the join of an arbitrary set of pred-icates. However, arbitrary joins are not available in our framework. We use instead of the Hoare statement

∨P {| x |}q,

the equivalent statement (∀p ∈ P : p {| x |}q), and we use instead of the statement p {| x |} ∨R the equivalent statement

(∀q: (∀r ∈ R: r � q) ⇒ (p {| x |}q).

Lemma 42. In the monotonic boolean transformers model we have:

1. (∨

P {| x |}q) ⇔ (∀p ∈ P : p {| x |}q) and2. (p {| x |} ∨

R) ⇔ (∀q: (∀r ∈ R: r � q) ⇒ (p {| x |}q)

The next theorem gives a Hoare rule for correctness of a fixpoint x of an application F : MBT → MBT by proving for allprograms y that F .y is correct whenever y is correct.

Theorem 43 (Hoare fixpoint). If < is a well founded relation on W , p : W → Assertion, q ∈ Assertion, x ∈ MBT, and F : MBT → MBTthen

F .x = x (a)

∧(∀w, y: (∀v < w: p.v {| y |}q) ⇒ p.w {| F .y |}q) (b)

⇒(∀w: p.w {| x |}q) (c)

Proof. We assume (a) and (b) and we prove (c) by well founded induction, i.e. for arbitrary w we need to prove p.w {| x |}q,assuming (∀v : v < w ⇒ p.v {| x |}q).

• p.w {| x |}q⇔ {Assumption (a)}

p.w {| F .x |}q⇐ {Assumption (b)}

(∀v : v < w ⇒ p.v {| x |}q)

⇔ {Assumption}true �



Theorem 44 (Hoare while). If < is a well founded relation on W , p : W → Assertion, b,q ∈ Assertion, and x ∈ MBT then

(∀w, r: (∀v < w: p.v � r) ⇒ (p.w ∧ b) {| x |} r) (d)

∧(∀w: p.w � q) (e)

⇒(∀w: p.w {|while b do x |} (q ∧ ¬b)

Proof. Assume (d) and (e)

• p.w {|while b do x |} (q ∧ ¬b)

⇔ {Definition of while}p.w {| ([b] ◦ x)ω ◦ [¬b] |} (q ∧ ¬b)

⇐ {F = (λz : [b] ◦ x ◦ z � [¬b]) and x = ([b] ◦ x)ω ◦ [¬b] in Theorem 43}

• F .x= {assumptions about F and x}

[b] ◦ x ◦ ([b] ◦ x)ω ◦ [¬b] � [¬b]= {MBT algebra properties}

([b] ◦ x ◦ ([b] ◦ x)ω � 1) ◦ [¬b]= {MBT algebra properties}

([b] ◦ x)ω ◦ [¬b]= {assumption about x}

x

(∀w, y: (∀v < w: p.v {| y |} (q ∧ ¬b)) ⇒ p.w {| [b] ◦ x ◦ y � [¬b] |} (q ∧ ¬b))

⇔ {Theorem 41.7}(∀w, y: (∀v < w: p.v {| y |} (q ∧ ¬b)) ⇒ (p.w {| [b] ◦ x ◦ y |} (q ∧ ¬b)) ∧ (p.w {| [¬b] |} (q ∧ ¬b)))

⇔ {Theorem 41.3}(∀w, y: (∀v < w: p.v {| y |} (q ∧ ¬b)) ⇒ (p.w {| [b] ◦ x ◦ y |} (q ∧ ¬b)) ∧ (p.w ∧ ¬b � q ∧ ¬b))

⇔ {Assumption (e)}(∀w, y: (∀v < w: p.v {| y |} (q ∧ ¬b)) ⇒ (p.w {| [b] ◦ x ◦ y |} (q ∧ ¬b)))

⇔ {Definition of Hoare triple}(∀w, y: (∀v < w: p.v � wp.y.(q ∧ ¬b)) ⇒ (p.w {| [b] ◦ x ◦ y |} (q ∧ ¬b)))

⇔ {Theorem 41.4}(∀w, y: (∀v < w: p.v � wp.y.(q ∧ ¬b)) ⇒ (p.w {| [b] ◦ x |} (wp.y.(q ∧ ¬b))))

⇔ {Theorem 41.6}(∀w, y: (∀v < w: p.v � wp.y.(q ∧ ¬b)) ⇒ ((p.w ∧ b) {| x |} (wp.y.(q ∧ ¬b))))

⇔ {Assumption (d)}true �

A complete monotonic Boolean transformers algebra (CMBT) is a monotonic Boolean transformers algebra which is acomplete lattice and which satisfies

(C)(∧

X)

◦ y =∧x∈X

x ◦ y

In a complete monotonic Boolean transformers algebra the following rule for while is true.

Corollary 45 (Hoare while). If < is a well founded relation on W , p : W → Assertion, b ∈ Assertion, and x ∈ CMBT then

(∀w: (p.w ∧ b) {| x |} (∨

v<w p.v))

⇒ (∨w p.w

){|while b do x |}

((∨w p.w

)∧ ¬b

)

In a CMBT algebra the iteration and weak iteration operators can be defined as the least and greatest fixpoints of themonotonic function (λz : x ◦ z � 1).



7.2. Conjunctive and disjunctive statements

When reasoning about regular programs conjunctivity is an important healthiness property which allows for exampleproving a correctness statement of the form p {| x |} (q ∧ r) by proving p {| x |}q and p {| x |} r. We show in this subsection thatthe program constructs assert, assume, demonic choice, if, and while preserve conjunctivity of programs, and the programconstructs assert, assume, angelic choice, if, and while preserve disjunctivity of programs.

Theorem 46. If x, y ∈ Conj then

1. {p} ∈ Conj2. [p] ∈ Conj3. x � y ∈ Conj4. x ◦ y ∈ Conj5. if p then x else y ∈ Conj6. x∗ ∈ Conj

Proof. We proved already that assertions and assumptions are conjunctive. It is easy to prove that the demonic choiceand the sequential composition preserve conjunctivity. The property that if statement preserves conjunctivity follows byexpanding its definition and using the properties 2.–4. Assuming x ∈ Conj we prove that x∗ ∈ Conj.

• x∗ ◦ (y � z) = x∗ ◦ y � x∗ ◦ z⇔ {Antisymmetry}

• x∗ ◦ (y � z) � x∗ ◦ y � x∗ ◦ z⇐ {Lattice properties}

x∗ ◦ (y � z) � x∗ ◦ y and x∗ ◦ (y � z) � x∗ ◦ z⇐ {MBT axioms}

true• x∗ ◦ y � x∗ ◦ z � x∗ ◦ (y � z)⇐ {Axiom (A13)}

x∗ ◦ y � x∗ ◦ z � x ◦ (x∗ ◦ y � x∗ ◦ z) � y � z⇔ {x is conjunctive}

x∗ ◦ y � x∗ ◦ z � x ◦ x∗ ◦ y � x ◦ x∗ ◦ z � y � z⇔ {MBT axioms}

true

... true �Theorem 47. If x, y ∈ Disj then

1. {p} ∈ Disj2. [p] ∈ Disj3. x � y ∈ Disj4. x ◦ y ∈ Disj5. if p then x else y ∈ Disj

Proof. We proved already that the assertions and assumptions are disjunctive. It is easy to prove that the angelic choice andthe sequential composition preserve disjunctivity. To prove that the if statement preserves disjunctivity, we use the equality

if p then x else y = {p} ◦ x � {¬p} ◦ y

and then the properties 1., 3., and 4. �Proving that the while statement preserves conjunctivity and disjunctivity is more involved. To prove that while preserves

disjunctivity we introduce the dual of the weak iteration:

x©∗ = ((xo)∗)o

The dual of the weak iteration as well as the dual of the iteration have been postulated in [39], and some of their propertieswere proved.



Lemma 48. For x, y, z ∈ MBT we have

1. x©∗ = x ◦ x©∗ � 12. x ◦ z � y � z ⇒ x©∗ ◦ y � z

Proof. By taking x := xo, y := yo, and z := zo in (A12) and (A13) and applying the dual. �Lemma 49. If x ∈ Disj, then x©∗ ∈ Disj.

Proof.

• x©∗ ∈ Disj⇐ {Definition}

xo∗o ∈ Disj⇐ {Dual of conjunctive}

xo∗ ∈ Conj⇐ {Weak iteration preserves conjunctivity}

xo ∈ Conj⇐ {dual of disjunctive}

x ∈ Disj⇔ {Assumption}

true �Theorem 50. If p ∈ Assertion, then

while p do x = ({p} ◦ x)©∗ ◦ {¬p}

Proof. We prove this property by antisymmetry.

• while p do x � ({p} ◦ x)©∗ ◦ {¬p}⇔ {Definition}

([p] ◦ x)ω ◦ [¬p]� ({p} ◦ x)©∗ ◦ {¬p}⇔ {Axiom (A11)}

[p] ◦ x ◦ ({p} ◦ x)©∗ ◦ {¬p} � [¬p]� ({p} ◦ x)©∗ ◦ {¬p}⇔ {Lemma 21.4}

{p} ◦ x ◦ ({p} ◦ x)©∗ ◦ {¬p} � {¬p} � ({p} ◦ x)©∗ ◦ {¬p}⇔ {Lemma 48.1}

({p} ◦ x)©∗ ◦ {¬p}

The converse inequality can be proved similarly, but using Lemma 48.2 instead of axiom (A11) in the second step of thederivation. �Theorem 51. If p ∈ Assertion and x ∈ Disj then while p do x ∈ Disj.

Proof.

• while p do x ∈ Disj⇔ {Theorem 50}

({p} ◦ x)©∗ ◦ {¬p} ∈ Disj⇐ {Theorem 47 and Lemma 49}

true �The axioms of the MBT algebra are not enough to prove that the while statement preserves conjunctivity. To prove

this property we will need the special case of the fusion lemma proved in Corollary 7. An algebra of monotonic Booleantransformers with meet fusion is an MBT algebra which additionally satisfies the fusion axiom for meet:

(F )(∀t: x ◦ t � y � z � u ◦ (t � z) � v

) ⇒ xω ◦ y � z � uω ◦ v

We denote this algebra by MBTF. By Corollary 7, the monotonic Boolean transformers are a model for MBTF. Also a completemonotonic Boolean transformers algebra is an MBTF algebra.



In [22], a similar fusion property is used to prove a data refinement of the iteration operator. The property used in [22]requires the continuity of an element of the algebra, and it is not universally true in the model of monotonic predicatetransformers.

Using the fusion axiom we can prove that the iteration operator for conjunctive elements can be decomposed as asequential composition of an assertion and the weak iteration operator. As an immediate consequence we obtain that theiteration operator preserves conjunctivity.

Theorem 52. In MBTF, if x ∈ Conj then

xω = wpt.(xω

) ◦ x∗

Proof. We have wpt.(xω) ◦ x∗ = (xω ◦ � � 1) ◦ x∗ = xω ◦ � � x∗ . We prove xω = xω ◦ � � x∗ by antisymmetry

• xω � xω ◦ � � x∗⇐ {Axiom (A11)}

x ◦ (xω ◦ � � x∗) � 1 � xω ◦ � � x∗⇐ {x is monotonic}

x ◦ xω ◦ � � x ◦ x∗ � 1 � xω ◦ � � x∗⇔ {MBT axioms}

(x ◦ xω � 1) ◦ � � x∗ � xω ◦ � � x∗⇔ {MBT axioms}

xω ◦ � � x∗ � xω ◦ � � x∗⇔ {Order properties}

true

The converse inequality follows from

• xω ◦ � � x∗ � xω

⇐ {Axiom (F )}(∀t: x ◦ t � � � x∗ � x ◦ (t � x∗) � 1)

⇔ {x ∈ Conj}(∀t: x ◦ t � x∗ � x ◦ t � x ◦ x∗ � 1)

⇔ {MBT axioms}(∀t: x ◦ t � x∗ � x ◦ t � x∗)

⇔ {Order properties}true �

Theorem 53. In an MBTF algebra, if x ∈ Conj then xω ∈ Conj and while p do x ∈ Conj.

Proof.

• xω ∈ Conj⇔ {Theorem 52}

wpt.(xω) ◦ x∗ ∈ Conj⇐ {Theorem 46}

true

The while statement preserves conjunctivity because it is defined using only statements that preserve conjunctivity. �8. Example of correctness and data refinement proofs

In this section we present an example where we use many of the correctness and data refinement rules introduced inthis paper.

In [40,41] we presented the mechanical verification of Deutsch–Schorr–Waite (DSW) graph marking algorithm usinginvariant based programming and data refinement. The verification of DSW algorithm was done using four data refinementsteps, starting with an abstract algorithm which marks an arbitrary graph using a set of nodes as an auxiliary variable.Here we present a simplified version of the abstract algorithm, and we present only one step of the data refinement. Thetechnique presented here is also different from the one used in [40,41].

Before introducing the algorithm we need to introduce some preliminary definitions. A graph or a relation on a set nodeof vertices or nodes is a function R : node → node → Bool. A pair of nodes x, y ∈ node are related by R if R.x.y is true. In



C, M := {root}, {root} ◦ = initwhile C �= ∅ do

[C, M := C ′, M ′ | (∃x ∈ C : ∃y ∈ R.x − M : C ′ = C ∪ {y}) ∧ M ′ = M ∪ {y})] = T�[C := C ′ | (∃x ∈ C : R.x ⊆ M ∧ C ′ = C − {x})] = U

Fig. 1. Abstract program.

S, M := [root], {root} ◦ = init′while S �= [] do

[S, M := S ′, M ′ | (∃y ∈ R.(hd.S) − M : ∧S ′ = [y] + S ∧ C ′ = C ∪ {y})] = T ′�[S := S ′ | R.(hd.S) ⊆ M ∧ S ′ = tl.S] = U ′

Fig. 2. Concrete program.

this case we call y a successor of x. The composition of two relations R and R ′ on node is a relation on node, denoted R ◦ R ′ ,and it is given by

(R ◦ R ′).x.y = (∃z : R.x.z ∧ R ′.z.y

)A node x is reachable from a node y in R if there exist the nodes x0, . . . , xn such that for all i < n, R.xi .xi+1is true, y = x0,

and x = xn . Equivalently, we can express reachability using the reflexive and transitive closure of the relation R , denoted R∗ .By definition R∗ is the smallest reflexive and transitive relation which contains R (R ⊆ R∗), and it is also given by

R∗ = R0 ∪ R1 ∪ R2 ∪ · · ·where

Rn = R ◦ . . . ◦ R︸︷︷︸n times

The marking problem for a relation R consists in finding and marking all reachable nodes from an initial given node root,and it is equivalent to calculating R∗.root. The abstract program from Fig. 1 calculates R∗.root in the variable M (markednodes) using the auxiliary variable C (current nodes). We denote the assignment statements of the abstract program byinit, T , and U as shown in Fig. 1. The idea of this algorithm is that we start with the root as the current and markednode (assignment statement init), and as long as there are current nodes with unmarked successors, we pick one of thesesuccessors and we add it to the current and marked nodes (assignment statement T ). If a current node has all successorsmarked, then we remove it from current nodes (assignment statement U ). The algorithm finishes when the set of currentnodes is empty.

In Fig. 1, the statement init is a multiple assignment statement, and T and U are demonic assignments state-ments. For example in T , the variables C and M are updated to new values C ′ and M ′ which satisfy the predicate(∃x ∈ C : ∃y ∈ R.x − M : C ′ = C ∪ {y} ∧ M ′ = M ∪ {y}), that is a new unmarked element y, which is a successor of someelement x from C , is added to both C and M .

The (more) concrete program from Fig. 2 achieves the same result as the abstract program, but using a stack of nodes Sinstead of the set C . The program variable S is a list of nodes, and its elements are accessed using stack like operations(last in – first out). For a nonempty list S , hd.S and tl.S return the head and the tail of the list, respectively. For elementsx1, . . . , xn , [x1, . . . , xn] denotes the list containing them, [] denotes the empty list, and + is used for concatenating lists. Fora list S , set.S is the set containing the elements of S

set.[x1, . . . , xn] = {x1, . . . , xn}.The predicate dist.S is true if all elements of S are distinct

dist.[x1, . . . xn] ⇔ (∀i, j : 1 � i, j � n ∧ i �= j ⇒ xi �= x j)

The concrete program works similarly to the abstract one, the difference being that we only look for unmarked successorsof the head of the stack, and we remove the head of the stack when all its successors are marked.

We denote the abstract and the concrete programs by AP and CP, respectively, and we are interested mainly in provinga Hoare total correctness triple for the concrete program:

true {|CP |} M = R∗.root (7)

that is, after the execution of the program the set M contains all reachable nodes from root. The pre-condition true meansthat we do not need to assume anything about the initial values of the program variables. We prove (7) by using Theo-rem 34.1. For this we prove that the abstract program is correct:

true {|AP |} M = R∗.root (8)



and we find suitable data refinement statements D and D ′ such that

AP �D,D ′ CP

and D.true = true

and D ′.(M = R∗.root) = (M = R∗.root) (9)

The correctness of the concrete program (property 7) is now a consequence of (8) and (9) by using Theorem 34.1.Before proving (8) and (9) we still need to introduce some concepts which would enable modeling assignment statements

as monotonic predicate transformers. The abstract and concrete programs modify the program variables C , M , and S , so weneed a state X which contains values for this variables. We assume that X is the Cartesian product (set.node × set.node ×list.node), and we assume that C : X → set.node, M : X → set.node, and S : X → list.node are the corresponding projectionfunctions:

C .({a,b}, {c,d}, [e, f ]) = {a,b}M.({a,b}, {c,d}, [e, f ]) = {c,d}S.({a,b}, {c,d}, [e, f ]) = [e, f ]s = (C .s, M.s, S.s)

The predicates from this examples are functions from X → Bool. For example the expression (M = R∗.root) is interpretedas a function from X → Bool in the following way:

(M = R∗.root).s = (M.s = R∗.root)

For a relation r on X (r : X → X → Bool) the demonic update ([r] : Pred.X → Pred.X) and angelic update ({r} : Pred.X →Pred.X) statements of r are defined by:

[r].q.s = (∀s′ : r.s.s′ ⇒ q.s′){r}.q.s = (∃s′ : r.s.s′ ∧ q.s′)

If the statement [r] is executed in a state s, then the system nondeterministically chooses a new state s′ such that r.s.s′is true. If no such state exists, then [r] terminates miraculously. For the program to be correct, all choices of s′ should becorrect. Dually, if the statement {r} is executed in a state s, then the user can choose a suitable s′ such that r.s.s′ is true. Ifno such state exists, then {r} fails.

The angelic update statement as well as the assert statement are universally disjunctive, and because of this they arealso continuous as defined earlier (see [22] p. 26, Appendix A.2.1 for details). The fact that they are continuous according tothe Definition 35 can be established using Theorem 6 (Weak Fusion).

Formally the demonic assignment statements T , U , T ′ , and U ′ are instances of the demonic update statement. Forexample T is a notation for

[λs : λs′ : ∃x ∈ C .s : ∃y ∈ R.x − M.s : s′ = s

[C := C .s ∪ {y}, M := M.s ∪ {y}]]

where s[C := c, M := m] is the state s where the values of the components C and M are changed to c and m. For exampleif s = ({a,b}, {c,d}, [e, f ]), then s[C := {g,h}, M := {i, j}] = ({g,h}, {i, j}, [e, f ]).

We prove the relation (8) by using the following invariant for the while statement:

p.w = (M ⊆ R∗.root ∧ C ⊆ M ∧ (

R∗.root − M) ⊆ (

R ◦ (R − M × M)∗).C ∧ |C | + 2 · | − M| = w

)

where |C | and |− M| are the numbers of elements in C and in the complement of M , respectively. We assume also that thecardinality of node is finite such that | − M| is a natural number. The sub-term (|C | + 2 · | − M| = w) is used for proving thetermination of the abstract program. Every step of the iteration in the abstract program (T � U ) should decrease this term.That is, if p.w is true before executing T � U , then after the execution p.v must be true for some v satisfying 0 � v < w .

We define p = ∨w p.w and p<w = ∨

v<w p.v . The sketch of the proof for (8) is:

• true {|AP |} M = R∗.root⇐ {sequential composition rule}

true {| init |} p∧ (p {|while b do (T � U ) |} M = R∗.root)

⇐ {Corollary 45 and Theorem 41}true {| init |} p

∧ (∀w : p.w ∧ b {| T |} p<w)

∧ (∀w : p.w ∧ b {| U |} p<w)

∧ (p ∧ ¬b) � (M = R∗.root)



⇔ {Expanding definitions and using properties of R∗}true

The last step of the proof presented above is based on rules for assignments and demonic assignments and it falls outsidethe scope of this paper. The rules needed for this step can be found in [6]. As we mentioned already, we have studieda slightly more general example in [40,41], and [40] contains the mechanical proofs of some lemmas about R∗ similar tothose that would be needed for this step.

For the last part of this example’s proof we need to find some data refinement statements D and D ′ such that (9) istrue. Let D and D ′ be the data refinement statements given by:

D = skip and D ′ = {C, S := C ′, S ′ | C ′ = set.S

}The property D.true = true is trivially true because D = skip. D ′ is an angelic choice update, and it establishes the datarefinement relationship between the abstract and the concrete (auxiliary) variables. The set C from the abstract programcorresponds the elements of the list S . D ′ updates angelically the variable S to an arbitrary value, and this update modelsthe fact that we are not interested in the value of S at end of the execution. To understand better this update we shouldexpand the definition of the data refinement statement that needs to be proved:

AP �skip,D ′ CP

which is equivalent to

skip ◦ AP � CP ◦ D ′ (10)

The program AP from the left-hand side of (10) modifies the variables C and M , and the program CP ◦ D ′ modifies thevariables S , M (by CP), and S , C (by D ′). In a refinement statement, if a program modifies a variable then a refinementof it should also modify this variable in a consistent manner. For example if a program A assigns a value v to a programvariable x, then a program B could refine A only if B assigns v to x or it assigns angelically a value from a set V wherev ∈ V . Because CP modifies the variable S but AP does not change it, we have to compensate in D ′ for the changes to S .In [41,40] we modeled C and S as local variables in AP and CP, respectively, and we could take D ′ to be skip, which ismore intuitive. Here we wanted to avoid introducing local variables because it is also outside the scope of this paper. Thetreatment of local variables from [41,40] is done buy changing the state space and it is not suitable in this context becausea change in the state space would imply a change in the carrier of the algebra.

The property D ′.(M.s = R∗.root) = (M.s = R∗.root) is true because D ′ is an assignment to the variables S and C and theydo not occur in (M.s = R∗.root). To prove the data refinement property from (8) we need one additional data refinementstatement:

D ′′ = {C, S := C ′, S ′ | dist.S ∧ C ′ = set.S

}and we need to introduce an intermediate refinement step: AP �skip,skip AP′ �skip,D ′ CP, where

AP′ = init ◦ ({p} ◦ [b] ◦ (T � U ))ω ◦ [¬b]

The predicate p is an invariant for [b] ◦ (T � U ) and it contains useful informations that are required when proving therefinement AP′ �skip,D ′ CP. We could try to prove directly the refinement AP �skip,D ′ CP, but then we would need to encodethe property C ⊆ M from p as set.S ⊆ M and add it to D ′′ . In this case we would need to prove again that this propertyis preserved by the statement [b′] ◦ (T ′ � U ′). If we use AP′ then the properties from p become proof assumptions in therefinement AP′ �skip,D ′ CP.

We prove first that p is an invariant for [b] ◦ (T � U ):

• p {| [b] ◦ (T � U ) |} p⇐ {Lemma 42}

(∀w: p.w {| [b] ◦ (T � U ) |} p)

⇐ {We have p<w � p}(∀w: p.w {| [b] ◦ (T � U ) |} p<w)

⇔ {Theorem 41}(∀w: p.w ∧ b {| T |} p<w) ∧ (∀w: p.w ∧ b {| U |} p<w)

⇔ {These properties are part of the proof of true {|AP |} M = R∗.root}true

We prove now AP �skip,skip AP′ which is equivalent to AP � AP′:

• AP= {Definition of AP and while statement}



init ◦ ([b] ◦ (T � U ))ω ◦ [¬b]= {init establishes the property p (init = init ◦ {p})}

init ◦ {p} ◦ ([b] ◦ (T � U ))ω ◦ [¬b]� {Corollary 39, {p} is continuous, and [b] ◦ (T � U ) is conjunctive}

init ◦ ({p} ◦ [b] ◦ (T � U ))ω ◦ [¬b]= {Definition of AP′}

AP′

The proof of AP′ �skip,D ′ CP is given by:

• AP′ �skip,D ′ CP⇔ {Definitions of AP′ , CP and while statement}

init ◦ ({p} ◦ [b] ◦ (T � U ))ω ◦ [¬b] �skip,D init′ ◦ ([b′] ◦ (T ′ � U ′))ω ◦ [¬b′]⇐ {Data refinement of sequential composition, Theorem 37}

(init �skip,D ′′ init′) ∧ (({p} ◦ [b] ◦ (T � U ))ω �D ′′,D ′′ ([b′] ◦ (T ′ � U ′))ω) ∧ ([¬b] �D ′′,D ′ [¬b′])⇔ {Expanding definitions and proving logical properties}

({p} ◦ [b] ◦ (T � U ))ω �D ′′,D ′′ ([b′] ◦ (T ′ � U ′))ω⇐ {Data refinement of iteration Theorem 36}

{p} ◦ [b] ◦ (T � U ) �D ′′,D ′′ [b′] ◦ (T ′ � U ′)⇐ {Data refinement of demonic choice, Theorem 37}

({p} ◦ [b] ◦ T �D ′′,D ′′ [b′] ◦ T ′) ∧ ({p} ◦ [b] ◦ U �D ′′,D ′′ ([b′] ◦ U ′)⇔ {Expanding definitions and proving logical properties}

true

In the last proof, the properties from p are needed only for ({p} ◦ [b] ◦ T �D ′′,D ′′ [b′] ◦ T ′). When expanding the definitionsin ({p} ◦ [b] ◦ T �D ′′,D ′′ [b′] ◦ T ′), one of the facts that needs to be proved is

C ⊆ M ∧ dist.S ∧ C = set.S ∧ y /∈ M ⇒ dist.([y] + S

)(11)

The property C ⊆ M is required in proving (11) and it is obtained from p.Finally from AP �skip,skip AP′ �skip,D ′ CP we obtain AP �skip,D ′ CP using Theorem 37.This example demonstrates the usefulness of many of the rules presented in the paper, from properties of assertions and

assumptions, to refinement and data refinement rules, Hoare rules, and healthiness properties of statements.

9. Conclusions

We have introduced a new algebra for reasoning about imperative programming languages which supports total correct-ness, refinement, data refinement, demonic choice, and angelic choice. Compared to earlier versions of program algebras,this approach uses the dual of a program as a primitive operation, and the assertion statements are defined using weakerproperties than how they were defined in previous work.

We have proved a number of results about assertions and assumptions, and we have defined termination and enabled-ness operators for our algebra. In earlier work these operators were postulated. We proved that our algebraic assertions(assumptions) form a Boolean algebra, and they correspond exactly to the standard assertions (assumptions) in the modelof monotonic predicate transformers.

We have introduced a simple while language with demonic and angelic choice, and we have proved Hoare total correct-ness rules and healthiness properties for it. Stating and proving Hoare rules for iterative statements require using arbitraryjoins. Because our algebra does not contain arbitrary joins, we have employed a special technique to express and provethese rules without using arbitrary joins. The proof that the while statement construct preserves conjunctive statementsrequires the fusion lemma and this lemma requires again arbitrary joins. We solved this problem by adding a special axiomto our algebra.

We have also proved many rules for refinement and data refinement as well as rules linking Hoare total correctnesstriples to (data) refinement. We have introduced a theorem that can be used to prove the correctness of a concrete programy, by proving that y data refines a program x and x is correct. Another theorem shows the equivalence between therefinement of a specification statement and a Hoare total correctness triple. We have employed a technique from [22] toprove that an assertion that is true before an iteration can be propagated inside the iteration, if this assertion is preservedby the statement that is iterated.

Many of the rules introduced in the paper were used in verifying an example program. The program is complex enoughsuch that its verification involves properties of assertions and assumption, Hoare rules, refinement and data refinementrules, and healthiness properties.

All results presented in this paper were mechanically verified in the Isabelle theorem prover. The formal specification ispresented in [27].



There are still open problems about our algebra that could be investigated. For example it would be interesting to knowif our algebra has different models than the standard monotonic boolean transformers. The wp construct introduced in thispaper maps elements of the algebra to monotonic functions from Assertion to Assertion, and wp.x gives us the weakestprecondition of x. If we have x and y such that wp.x = wp.y, then according to our interpretation the elements x and yare the same when seen as programs. Is there an algebra such that x �= y and wp.x = wp.y? How can we interpret x �= ywhen wp.x = wp.y? Is there an algebra such that the image of wp is not the set of all monotonic functions from Assertionto Assertion?

Acknowledgements

I would like to thank Kim Solin and anonymous referees for useful comments and suggestions.

References

[1] R. Floyd, Assigning meanings to programs, in: Proc. Symp. Appl. Math., vol. XIX, Amer. Math. Soc., Providence, RI, 1967, pp. 19–32.[2] C.A.R. Hoare, An axiomatic basis for computer programming, Commun. ACM 12 (10) (1969) 576–580, http://dx.doi.org/10.1145/363235.363259.[3] E. Dijkstra, Guarded commands, nondeterminacy and formal derivation of programs, Commun. ACM 18 (8) (1975) 453–457.[4] R.-J. Back, On the correctness of refinement in program development, PhD thesis, Department of Computer Science, University of Helsinki, 1978.[5] R.-J. Back, Correctness Preserving Program Refinements: Proof Theory and Applications, Math. Centre Tracts, vol. 131, Mathematisch Centrum, Amster-

dam, 1980.[6] R.-J. Back, J. von Wright, Refinement Calculus. A Systematic Introduction, Springer, 1998.[7] C. Morgan, Programming from Specifications, Prentice Hall, Inc., 1990.[8] E. Dijkstra, A Discipline of Programming, Prentice Hall Ser. Autom. Comput., Prentice Hall Inc., Englewood Cliffs, NJ, 1976, with a foreword by C.A.R.

Hoare.[9] P. Guerreiro, Another characterization of weakest preconditions, in: M. Dezani-Ciancaglini, U. Montanari (Eds.), International Symposium on Program-

ming, in: Lect. Notes Comput. Sci., vol. 137, Springer, Berlin/Heidelberg, 1982, pp. 164–177.[10] R.-J. Back, J. von Wright, A lattice-theoretical basis for a specification language, in: Proceedings of the International Conference on Math-

ematics of Program Construction, 375th Anniversary of the Groningen University, Springer-Verlag, London, UK, 1989, pp. 139–156, http://portal.acm.org/citation.cfm?id=648081.746973.

[11] R.-J. Back, J. von Wright, Duality in specification languages: A lattice-theoretical approach, Acta Inform. 27 (1990) 583–625, http://portal.acm.org/citation.cfm?id=87660.87661.

[12] D. Kozen, Kleene algebra with tests, ACM Trans. Program. Lang. Syst. 19 (1997) 427–443, http://dx.doi.org/10.1145/256167.256195.[13] D. Kozen, A completeness theorem for Kleene algebras and the algebra of regular events, Inf. Comput. 110 (2) (1994) 366–390, http://dx.doi.org/

10.1006/inco.1994.1037.[14] J. Desharnais, B. Möller, G. Struth, Kleene algebra with domain, ACM Trans. Comput. Log. 7 (2006) 798–833, http://dx.doi.org/10.1145/1183278.1183285.[15] C.A. Hoare, B. Möller, G. Struth, I. Wehrman, Concurrent Kleene algebra, in: Proceedings of the 20th International Conference on Concurrency Theory,

CONCUR 2009, Springer-Verlag, Berlin, Heidelberg, 2009, pp. 399–414.[16] H.-H. Dang, P. Höfner, B. Möller, Algebraic separation logic, in: Relations and Kleene Algebras in Computer Science, J. Log. Algebr. Program. 80 (6)

(2011) 221–247, http://dx.doi.org/10.1016/j.jlap.2011.04.003.[17] B. Möller, G. Struth, Algebras of modal operators and partial correctness, Theor. Comput. Sci. 351 (2) (2006) 221–239, http://dx.doi.org/

10.1016/j.tcs.2005.09.069.[18] J. Desharnais, B. Möller, G. Struth, Algebraic notions of termination, Log. Methods Comput. Sci. 7 (1) (2011).[19] J. von Wright, From Kleene algebra to refinement algebra, in: Proceedings of the 6th International Conference on Mathematics of Program Construction,

MPC ’02, Springer-Verlag, London, UK, 2002, pp. 233–262, http://portal.acm.org/citation.cfm?id=648086.747317.[20] J. von Wright, Towards a refinement algebra, Sci. Comput. Program. 51 (2004) 23–45, http://dx.doi.org/10.1016/j.scico.2003.09.002.[21] K. Solin, J. von Wright, Enabledness and termination in refinement algebra, Sci. Comput. Program. 74 (2009) 654–668, http://dx.doi.org/

10.1016/j.scico.2007.11.004.[22] L. Meinicke, K. Solin, Refinement algebra for probabilistic programs, Form. Asp. Comput. 22 (2010) 3–31, http://dx.doi.org/10.1007/s00165-009-0111-1.[23] K. Solin, On two dually nondeterministic refinement algebras, in: R. Schmidt (Ed.), Relations and Kleene Algebra in Computer Science, in: Lect. Notes

Comput. Sci., vol. 4136, Springer, Berlin/Heidelberg, 2006, pp. 373–387.[24] K. Solin, Abstract algebra of program refinement, PhD thesis, Turku Centre for Computer Science, Dec. 2007.[25] V. Preoteasa, Algebra of monotonic boolean transformers, in: A. Simao, C. Morgan (Eds.), Formal Methods, Foundations and Applications, in: Lect. Notes

Comput. Sci., vol. 7021, Springer, Berlin/Heidelberg, 2011, pp. 140–155.[26] T. Nipkow, L.C. Paulson, M. Wenzel, Isabelle/HOL — A Proof Assistant for Higher-Order Logic, Lect. Notes Comput. Sci., vol. 2283, Springer, 2002.[27] V. Preoteasa, Algebra of monotonic boolean transformers, Archive of Formal Proofs 2011, http://afp.sourceforge.net/entries/MonoBoolTranAlgebra.shtml.[28] B. Davey, H. Priestley, Introduction to Lattices and Order, 2nd edition, Cambridge University Press, New York, 2002.[29] A. Tarski, A lattice-theoretical fixpoint theorem and its applications, Pacific J. Math. 5 (1955) 285–309.[30] R.-J. Back, V. Preoteasa, An algebraic treatment of procedure refinement to support mechanical verification, Form. Asp. Comput. 17 (2005) 69–90.[31] V. Preoteasa, Program variables – the core of mechanical reasoning about imperative programs, PhD thesis, Turku Centre for Computer Science, Nov.

2006.[32] V. Preoteasa, Frame rule for mutually recursive procedures manipulating pointers, Theor. Comput. Sci. 410 (42) (2009) 4216–4233, http://dx.doi.org/

10.1016/j.tcs.2009.05.016.[33] E.W. Dijkstra, C.S. Scholten, Predicate Calculus and Program Semantics, Springer-Verlag, New York, Inc., New York, NY, USA, 1990.[34] M. Charpentier, K.M. Chandy, Reasoning about composition using property transformers and their conjugates, in: Proceedings of the International

Conference IFIP on Theoretical Computer Science, Exploring New Frontiers of Theoretical Informatics, TCS ’00, Springer-Verlag, London, UK, 2000,pp. 580–595.

[35] L. Meinicke, I.J. Hayes, Continuous action system refinement, in: T. Uustalu (Ed.), Mathematics of Program Construction, in: Lect. Notes Comput. Sci.,vol. 4014, Springer, Berlin–Heidelberg, 2006, pp. 316–337.

[36] K.R. Apt, G.D. Plotkin, Countable nondeterminism and random assignment, J. ACM 33 (4) (1986) 724–767, http://dx.doi.org/10.1145/6490.6494.[37] C.E. Martin, S.A. Curtis, I. Rewitzky, Modelling angelic and demonic nondeterminism with multirelations, in: Special Issue Dedicated to Selected

Papers from the Conference of Program Construction 2004, MPC 2004, Sci. Comput. Program. 65 (2) (2007) 140–158, http://dx.doi.org/10.1016/j.scico.2006.01.007.

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib666C6F79642D3637s1

http://dx.doi.org/10.1145/363235.363259

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib64696A6B737472612D3735s1

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6261636B2D31393738s1



http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6261636B2D7772696768742D3938s1

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6D6F7267616E2D3930s1



http://refhub.elsevier.com/S0167-6423(13)00159-7/bib67756572726569726F3A3832s1


http://portal.acm.org/citation.cfm?id=648081.746973




http://dx.doi.org/10.1145/256167.256195

http://dx.doi.org/10.1006/inco.1994.1037

http://dx.doi.org/10.1145/1183278.1183285

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib686F6172653A6D6F6C6C65723A7374727574683A776568726D616E3A32303039s1

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib686F6172653A6D6F6C6C65723A7374727574683A776568726D616E3A32303039s1

http://dx.doi.org/10.1016/j.jlap.2011.04.003

http://dx.doi.org/10.1016/j.tcs.2005.09.069

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6465736861726E6169733A6D6F6C6C65723A7374727574683A32303131s1




http://dx.doi.org/10.1007/s00165-009-0111-1

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib736F6C696E3A32303036s1





http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6E69706B6F772D7061756C736F6E2D77656E7A656C2D3032s1

http://afp.sourceforge.net/entries/MonoBoolTranAlgebra.shtml

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib7072696573746C6579s1


http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6261636B2D7072656F74656173612D3035s1




http://refhub.elsevier.com/S0167-6423(13)00159-7/bib64696A6B737472613A31393930s1

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6368617270656E746965723A32303030s1



http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6D65696E69636B653A32303036s1

http://refhub.elsevier.com/S0167-6423(13)00159-7/bib6D65696E69636B653A32303036s1

http://dx.doi.org/10.1145/6490.6494


http://dx.doi.org/10.1006/inco.1994.1037







[38] V. Preoteasa, R.-J. Back, Data refinement of invariant based programs, in: Proceedings of the 14th BCS-FACS Refinement Workshop, REFINE 2009,Electron. Notes Theor. Comput. Sci. 259 (2009) 143–163, http://dx.doi.org/10.1016/j.entcs.2009.12.022.

[39] K. Solin, Dual choice and iteration in an abstract algebra of action, Stud. Log. 100 (2012) 607–630, http://dx.doi.org/10.1007/s11225-012-9416-9.[40] V. Preoteasa, R.-J. Back, Verification of the Deutsch–Schorr–Waite graph marking algorithm using data refinement, in: G. Klein, T. Nipkow, L. Paulson

(Eds.), The Archive of Formal Proofs, 2010, pp. 1–12, http://afp.sourceforge.net/entries/GraphMarkingIBP.shtml, formal proof development.[41] V. Preoteasa, R.-J. Back, Invariant diagrams with data refinement, Form. Asp. Comput. 24 (2012) 67–95, http://dx.doi.org/10.1007/s00165-011-0195-2.

http://dx.doi.org/10.1016/j.entcs.2009.12.022

http://dx.doi.org/10.1007/s11225-012-9416-9

http://afp.sourceforge.net/entries/GraphMarkingIBP.shtml

http://dx.doi.org/10.1007/s00165-011-0195-2

Date post:	31-Dec-2016
Category:	Documents
Upload:	viorel
View:	215 times
Download:	0 times

Refinement algebra with dual operator

Documents