
Electronic Notes in Theoretical Computer Science 319 (2015) 255-270

Healthiness Conditions for Predicate Transformers

Klaus Keimel 1,2

Fachbereich Mathematik, Technische Universität Darmstadt, 64289 Darmstadt, Germany

Abstract

The behavior of a program can be modeled by describing how it transforms input states to output states, the state transformer semantics. Alternatively, for verification purposes one is interested in a 'predicate transformer semantics' which, for every condition on the output, yields the weakest precondition on the input that guarantees the desired property for the output.

In the presence of computational effects like nondeterministic or probabilistic choice, a computation will be modeled by a map $t\colon X \to TY$, where $T$ is an appropriate computational monad. The corresponding predicate transformer assigns predicates on $Y$ to predicates on $X$. One looks for necessary and, if possible, sufficient conditions (healthiness conditions) on predicate transformers that correspond to state transformers $t\colon X \to TY$.

In this paper we propose a framework for establishing healthiness conditions for predicate transformers. As far as the author knows, it fits to almost all situations in which healthiness conditions for predicate transformers have been worked out. It may serve as a guideline for finding new results; but it also shows quite narrow limitations.

Keywords: predicate transformers, healthiness conditions, continuation monad, commuting operations, entropic algebras

1 Introduction: An example

In denotational semantics we distinguish two complementary approaches that we call, for short, state transformer semantics and predicate transformer semantics. Let us begin with the well-known example of angelic nondeterminism to explain our intentions. As semantic domains we will use directed complete partially ordered sets (dcpos); maps will be Scott-continuous, that is, they preserve the order and suprema of directed subsets.

In the presence of nondeterministic choice, running a program for an input $x$ belonging to a domain $X$ will lead to a set $t(x)$ of possible outputs in a domain $Y$. In the angelic interpretation of nondeterminism, $t(x)$ will be a non-empty Scott-closed subset of the dcpo $Y$ and $t$ will be a Scott-continuous map from the dcpo $X$ to the Hoare powerdomain $\mathcal{H}Y$ of all nonempty Scott-closed subsets of $Y$. The binary choice operator is interpreted by union on the Hoare powerdomain. Thus, a program will be interpreted by a state transformer, a Scott-continuous map $t\colon X \to \mathcal{H}Y$.

1 Supported by Deutsche Forschungsgemeinschaft

2 Email: keimel@mathematik.tu-darmstadt.de

http://dx.doi.org/10.1016/j.entcs.2015.12.016 1571-0661/© 2015 The Author. Published by Elsevier B.V.

This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Observable predicates on $Y$ are Scott-open subsets $U$ of $Y$ (see, e.g., [25]). Thus, the complete lattice $\mathcal{O}Y$ of all Scott-open subsets of $Y$ represents the dcpo of predicates on $Y$. A Scott-continuous map $p\colon \mathcal{O}Y \to \mathcal{O}X$ transforming predicates on $Y$ to predicates on $X$ will be a predicate transformer.

To a state transformer $t\colon X \to \mathcal{H}Y$ we associate the predicate transformer $p\colon \mathcal{O}Y \to \mathcal{O}X$ defined by:

$$p(U) = \{x \in X \mid t(x) \cap U \neq \emptyset\},$$

the set of all points in $X$ that lead to at least one output with the desired property $U$ (the angelic point of view). The state transformer $t$ can be recovered from the associated predicate transformer $p$ by

$$t(x) = \bigcap\{\,Y \setminus U \mid x \notin p(U)\,\}.$$

We are concerned with the problem of finding properties (healthiness conditions) that characterize those predicate transformers $p\colon \mathcal{O}Y \to \mathcal{O}X$ that correspond to state transformers $t\colon X \to \mathcal{H}Y$. The answer in this case is:

The predicate transformers $p\colon \mathcal{O}Y \to \mathcal{O}X$ that correspond to state transformers $t\colon X \to \mathcal{H}Y$ are characterized by the properties:

$$p(\emptyset) = \emptyset, \qquad p(U \cup U') = p(U) \cup p(U').$$

Equivalently, these are the maps $p$ preserving arbitrary unions.
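The following is an added worked example, not code from Keimel's paper. It takes a constructed finite state transformer $t\colon X \to \mathcal{H}Y$ (with $X$ and $Y$ discretely ordered, so that every subset of $Y$ is both Scott-closed and Scott-open and $\mathcal{H}Y$ is just the set of nonempty subsets), computes the angelic predicate transformer $p(U) = \{x \mid t(x) \cap U \neq \emptyset\}$, checks the healthiness condition that $p$ preserves unions, recovers $t$ from $p$ by the formula above, and contrasts this with the demonic transformer $\{x \mid t(x) \subseteq U\}$, which fails the condition. It also checks that the functional view $p(g)(x) = t(x)(g)$ of the next paragraphs agrees with the set view. All names (X, Y, T, wp_angelic, recover, ...) are the example's own.

```python
from itertools import combinations

# Constructed finite example. With the discrete order on Y every subset is both
# Scott-open and Scott-closed, so the Hoare powerdomain H(Y) is the set of
# nonempty subsets of Y and the predicates O(Y) are all subsets of Y.
X = ("x0", "x1", "x2")
Y = ("y0", "y1", "y2")

# Constructed angelic state transformer t: X -> H(Y)
T = {
    "x0": frozenset({"y0"}),
    "x1": frozenset({"y0", "y1"}),
    "x2": frozenset({"y2"}),
}

def subsets(s):
    """All subsets of s (the predicates O(Y) for a discretely ordered Y)."""
    s = tuple(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def wp_angelic(t, U):
    """p(U) = {x in X | t(x) ∩ U ≠ ∅}: inputs that can reach U."""
    return frozenset(x for x in t if t[x] & U)

def wp_demonic(t, U):
    """{x in X | t(x) ⊆ U}: inputs that must reach U. A different predicate
    transformer; it preserves intersections, not unions."""
    return frozenset(x for x in t if t[x] <= U)

def preserves_unions(p, Y):
    """Healthiness condition of the Introduction: p(∅) = ∅ and
    p(U ∪ U') = p(U) ∪ p(U') for all predicates U, U'."""
    if p(frozenset()) != frozenset():
        return False
    return all(p(U | V) == p(U) | p(V) for U in subsets(Y) for V in subsets(Y))

def recover(p, X, Y):
    """t(x) = ⋂{Y \\ U | x ∉ p(U)}: read the state transformer back off p."""
    Yset = frozenset(Y)
    t = {}
    for x in X:
        closed = Yset
        for U in subsets(Y):
            if x not in p(U):
                closed &= Yset - U
        t[x] = closed
    return t

# Functional view: a predicate U is the map f_U: Y -> 2, and t(x) becomes the
# unital ∨-homomorphism g ↦ max{g(y) | y in t(x)} on 2^Y.
def as_homomorphism(t, x):
    return lambda g: max(g[y] for y in t[x])

def wp_functional(t, g):
    """p(g)(x) = t(x)(g), returned as a map X -> 2 (a dict)."""
    return {x: as_homomorphism(t, x)(g) for x in t}

def functional_view_agrees(t, Y):
    """For every U, the set view p(U) and the functional view p(f_U) coincide."""
    for U in subsets(Y):
        f_U = {y: int(y in U) for y in Y}
        pg = wp_functional(t, f_U)
        if frozenset(x for x, v in pg.items() if v) != wp_angelic(t, U):
            return False
    return True

p_angelic = lambda U: wp_angelic(T, U)
p_demonic = lambda U: wp_demonic(T, U)
```

Running `preserves_unions(p_angelic, Y)` returns True and `recover(p_angelic, X, Y)` gives back T, while `preserves_unions(p_demonic, Y)` returns False: on this instance $p_{\mathrm{dem}}(\{y_0\} \cup \{y_1\}) = \{x_0, x_1\}$ but $p_{\mathrm{dem}}(\{y_0\}) \cup p_{\mathrm{dem}}(\{y_1\}) = \{x_0\}$.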

The above considerations become more elegant, but less intuitive, by passing to a functional setting. We use that the category DCPO of dcpos and Scott-continuous maps is Cartesian closed. The exponential of two dcpos $X$ and $Y$, denoted by $Y^X$ and equally by $[X \to Y]$, is the dcpo of all Scott-continuous maps $u\colon X \to Y$ with the pointwise defined order (one may consult [3] for background on dcpos).

We endow the two-element domain $2 = \{0 < 1\}$ with the structure of a unital semilattice with $x \vee y = \max(x, y)$ and the constant (unit) $0$. A predicate (a Scott-open subset $U$) of a dcpo $Y$ is identified with the Scott-continuous map $f_U\colon Y \to 2$ taking the value $1$ at $y$ iff $y \in U$. Thus the dcpo $\mathcal{O}Y$ of predicates is identified with the function space $2^Y$. This function space is also a unital semilattice when equipped with the pointwise defined operation $\vee$ and the constant function $0$. The Scott-continuous unital semilattice homomorphisms $2^Y \to 2$ form a dcpo $[2^Y \to_{0,\vee} 2]$ which is also a unital semilattice for the pointwise defined semilattice operations. We will use that it is isomorphic to the Hoare powerdomain $\mathcal{H}Y$; indeed, these homomorphisms $\varphi$ correspond to the Scott-closed subsets of $Y$ by assigning to $\varphi$ the Scott-closed set $C = Y \setminus \bigcup\{U \in \mathcal{O}Y \mid \varphi(f_U) = 0\}$.

Now a state transformer will be a Scott-continuous map $t\colon X \to [2^Y \to_{0,\vee} 2]$ and a predicate transformer a Scott-continuous map $p\colon 2^Y \to 2^X$. For a state transformer $t$ the corresponding predicate transformer $p$ is given by

$$p(g)(x) = t(x)(g) \quad\text{for all } g \in 2^Y,\ x \in X.$$

We can recover $t$ from $p$ by reading this equation from right to left. For a state transformer $t\colon X \to [2^Y \to_{0,\vee} 2]$ the corresponding predicate transformer $p$ is a unital $\vee$-homomorphism. Indeed, using that $t(x)$ is a unital $\vee$-homomorphism for every $x \in X$, we have $p(0)(x) = t(x)(0) = 0$ and $p(g \vee g')(x) = t(x)(g \vee g') = t(x)(g) \vee t(x)(g') = p(g)(x) \vee p(g')(x) = (p(g) \vee p(g'))(x)$ for all $x \in X$, whence $p(0) = 0$ and $p(g \vee g') = p(g) \vee p(g')$. Conversely, a similar calculation shows that, for a Scott-continuous unital $\vee$-semilattice homomorphism $p\colon 2^Y \to 2^X$, the map $t(x)$ defined by

$$t(x)(g) = p(g)(x) \quad\text{for all } g \in 2^Y$$

is indeed a unital $\vee$-homomorphism for every $x \in X$, and $t\colon X \to [2^Y \to_{0,\vee} 2]$ is a state transformer. Thus:

The predicate transformers $p\colon 2^Y \to 2^X$ corresponding to state transformers $t\colon X \to [2^Y \to_{0,\vee} 2]$ are characterized by the properties

$$p(0) = 0, \qquad p(g \vee g') = p(g) \vee p(g').$$

This functional approach is easily generalized to other situations. As above, in most applications an essential step will be the translation of the given situation into a functional setting.

2 The problem

We work in the category DCPO of dcpos and Scott-continuous functions, a category which is commonly used in semantics. We agree on some assumptions that will be tacitly assumed throughout the paper.

Convention 2.1 All maps between dcpos will tacitly be supposed to be Scott-continuous. All definitions of functions are expressible in the language of the typed $\lambda$-calculus, so that these functions are automatically Scott-continuous, since we are in a Cartesian closed category (see, for example, [19, Part I]). For this reason, we will never verify continuity of functions explicitly.

$R$ will be a fixed dcpo, called the dcpo of observations; $X$ and $Y$ denote arbitrary dcpos; $x$, $y$ and $r$ denote elements of $X$, $Y$ and $R$, respectively; $u$ denotes Scott-continuous maps $u\colon X \to Y$; $f$ and $g$ denote Scott-continuous maps $f\colon X \to R$ and $g\colon Y \to R$; $\varphi$ denotes Scott-continuous maps $\varphi\colon R^X \to R$.

Predicates on a dcpo $Y$ will be $R$-valued³, that is, Scott-continuous functions $g\colon Y \to R$. The function space (exponential), for which we will use two notations in parallel, $R^Y = [Y \to R]$, will be the domain of predicates on $Y$.

3 Since $R$ can be very different from the two-element set of truth values, this notion of a predicate is very wide, and one instead uses terms like 'prevision' [4], 'expectation' [21] or 'random variable' [18], depending on the concrete situation.

The contravariant functor $R^{(-)}$ assigns to every dcpo $X$ the exponential $R^X$ and to every map $u\colon X \to Y$ of dcpos the map $R^u\colon R^Y \to R^X$ defined by $R^u(g) = g \circ u$ for all $g \in R^Y$. Applying the contravariant functor $R^{(-)}$ twice yields a covariant functor $R^{R^{(-)}} = [R^{(-)} \to R]$, the continuation monad⁴ over $R$. The unit of the monad represents $X$ as a sub-dcpo of $R^{R^X}$ and is given by the map $\delta\colon X \to R^{R^X}$ that assigns to every $x \in X$ the projection or evaluation map $\delta_x\colon R^X \to R$ defined by

$$(1)\qquad \delta_x(f) = f(x).$$

For a map $t\colon X \to [R^Y \to R]$ its Kleisli lifting $t^\dagger\colon [R^X \to R] \to [R^Y \to R]$ is given by

$$(2)\qquad t^\dagger(\varphi)(g) = \varphi(\lambda x.\, t(x)(g)).$$

According to our setting, a program will be interpreted by a state transformer, a Scott-continuous map $t\colon X \to R^{R^Y}$. A predicate transformer will be a Scott-continuous map $p\colon R^Y \to R^X$. To every state transformer corresponds a predicate transformer that assigns the weakest precondition to every postcondition:

Lemma 2.2 The dcpos of state and predicate transformers are canonically isomorphic:

$$(3)\qquad [R^Y \to R]^X \cong [R^Y \to R^X].$$

A state transformer $t\colon X \to [R^Y \to R]$ and a predicate transformer $p\colon R^Y \to R^X$ correspond to one another under this isomorphism if and only if

$$(4)\qquad t(x)(g) = p(g)(x) \quad\text{for } x \in X,\ g \in R^Y.$$

Proof. For a state transformer $t\colon X \to [R^Y \to R]$ let $p = P(t)\colon R^Y \to R^X$ be defined by $P(t) = \lambda g.\lambda x.\, t(x)(g)$. As we are in a Cartesian closed category and $P(t)$ is defined by a $\lambda$-calculus term, $P(t)$ is Scott-continuous. Similarly, if, for a predicate transformer $p\colon R^Y \to R^X$, we define $t = T(p) = \lambda x.\lambda g.\, p(g)(x)$, then $T(p)(x)\colon R^Y \to R$ is in fact Scott-continuous for every $x \in X$ and $T(p)$ is a Scott-continuous map from $X$ to $[R^Y \to R]$. Moreover, $P(T(p)) = p$ for every predicate transformer $p$, since $P(T(p))(g)(x) = T(p)(x)(g) = p(g)(x)$ for every $x \in X$ and every $g \in R^Y$. Similarly, $T(P(t)) = t$ for every state transformer $t$. One may notice that equation (3) is an isomorphism of dcpos, since $P$ and $T$ are $\lambda$-definable, hence Scott-continuous, mutually inverse maps. □

Our domain $R$ of observations will carry additional structure: it will be a d-$\Omega$-algebra, a dcpo with an algebraic structure of signature $\Omega$ which interprets the constructors in the programming language (see Section 3). The exponentials $R^X$ and $R^{R^X}$ become d-$\Omega$-algebras, too, with pointwise defined operations. A program will be interpreted by a state transformer $t\colon X \to F_R Y$, where $F_R Y$ is the d-$\Omega$-subalgebra of $R^{R^Y}$ generated by the projections $\delta_y$, $y \in Y$.

4 See [20], for example, for background on monads.

The assignment $X \mapsto F_R X$ gives rise to a monad that we call subordinate to the continuation monad. This paper deals with the

Problem 2.3 Find conditions (healthiness conditions) that characterize the predicate transformers $p\colon R^Y \to R^X$ that correspond to the state transformers $t\colon X \to F_R Y$.

We cannot offer a complete answer to this question. But we exhibit a framework which always yields necessary conditions that the predicate transformers corresponding to state transformers $t\colon X \to F_R Y$ must satisfy. And we give a criterion for these necessary conditions to be also sufficient. This criterion has to be checked separately in each special situation.

Let us make precise what we mean by a monad $F$ subordinate to the continuation monad: Suppose that $F$ assigns to every dcpo $X$ a sub-dcpo $FX$ of $[R^X \to R]$ in such a way that the following properties are satisfied:

$\delta_x \in FX$ for all $x \in X$;

$t^\dagger(FX) \subseteq FY$ for every $t\colon X \to FY \subseteq [R^Y \to R]$.

Then $R^{R^u}$ maps $FX$ into $FY$ for every map $u\colon X \to Y$; indeed, $R^{R^u}$ is the Kleisli lifting of $\delta \circ u\colon X \to [R^Y \to R]$. Thus $R^{R^u}$ induces a map $Fu\colon FX \to FY$ in such a way that $F$ becomes a functor, and even a monad with (the corestriction of) $\delta$ as unit and the (restriction-corestriction of the) Kleisli lifting $t^\dagger\colon FX \to FY$ for $t\colon X \to FY$.

Our methods can be applied to quite a number of examples in the literature, in particular for nondeterminism and probability [4,5,9,13,14,15,16,18,21,25]. There, the monads are usually presented in the form of powerdomains. For applying our results one has to find functional representations for these powerdomains of the type $F_R X$, as we have seen in the Introduction. This paper is based on previous work by the author [11]. There, several examples are worked out explicitly, which is not possible in this paper because of space restrictions. The reader is invited to consult that source for examples.

Acknowledgments

The author would like to thank Gordon Plotkin for many insights. Thomas Streicher has listened to many questions and patiently discussed possible answers. The referees' suggestions were quite helpful.

3 Algebraic structure

We recall a few concepts from universal algebra adapted to the category DCPO.

An operation of arity $n \in \mathbb{N}$ on a dcpo $A$ is a map $\omega\colon A^n \to A$. If $A$ and $B$ both carry an $n$-ary operation $\omega$, a map $h\colon A \to B$ is an $\omega$-homomorphism if, for all $(a_1, \dots, a_n) \in A^n$, we have:

$$(5)\qquad h(\omega(a_1, \dots, a_n)) = \omega(h(a_1), \dots, h(a_n)).$$

Definition 3.1 A d-signature $\Omega$ is a sequence of dcpos $\Omega_n$, $n \in \mathbb{N}$. The elements $\omega \in \Omega_n$ are the operation symbols of arity $n$.

Definition 3.2 A d-algebra of d-signature $\Omega$ (a d-$\Omega$-algebra, for short) consists of a dcpo $A$ together with operations $\omega^A\colon A^n \to A$, one for each $\omega \in \Omega_n$, such that

$$(\omega, a_1, \dots, a_n) \mapsto \omega^A(a_1, \dots, a_n)\colon \Omega_n \times A^n \to A$$

is Scott-continuous for every $n$. A map $u\colon A \to B$ of d-$\Omega$-algebras is an $\Omega$-homomorphism if it is an $\omega$-homomorphism for every $\omega \in \Omega$.

We stress that the value $\omega^A(a_1, \dots, a_n)$ depends continuously not only on the arguments $a_i$ but also on $\omega \in \Omega_n$. By choosing the $\Omega_n$ to be (unordered) sets we recover the usual notion of a signature $\Omega$ in universal algebra.

Convention 3.3 We will omit the superscript when denoting operations $\omega^A$ on a d-$\Omega$-algebra $A$ and simply write $\omega$ instead of $\omega^A$.

In proofs, we will use a binary operation, denoted by $+$, instead of an arbitrary $n$-ary operation $\omega$. In this way, proofs become easier to read. Of course, we will not use any special property like commutativity that one usually associates with an operation $+$. This does not affect the general validity of our proofs; one just has to replace $x_1 + x_2$ by $\omega(x_1, \dots, x_n)$ in order to obtain the general proof.

We fix a d-signature $\Omega$ and a d-$\Omega$-algebra $R$. For every dcpo $X$, the function space $R^X$ also becomes a d-$\Omega$-algebra. For $\omega \in \Omega_n$ the operation $\omega$ on the function space $R^X$ is defined pointwise: for all $f_1, \dots, f_n \in R^X$ and all $x \in X$,

$$(6)\qquad \omega(f_1, \dots, f_n)(x) = \omega(f_1(x), \dots, f_n(x)).$$

For every map $u\colon X \to Y$, the map $R^u\colon R^Y \to R^X$ is an $\Omega$-homomorphism. Thus, we may view $R^{(-)}$ as a contravariant functor from the category DCPO to the category of d-$\Omega$-algebras and $\Omega$-homomorphisms.

In the same way, the operations $\omega$ can be extended to the function space $R^{R^X} = [R^X \to R]$ so that the latter becomes a d-$\Omega$-algebra, too, and the maps $R^{R^u}$ are $\Omega$-homomorphisms.

Lemma 3.4 The Kleisli lifting $t^\dagger\colon [R^X \to R] \to [R^Y \to R]$ is an $\Omega$-homomorphism for every $t\colon X \to [R^Y \to R]$.

Proof. We check that, for every binary operation $+$ in $\Omega_2$ and all $\varphi_1, \varphi_2$, we have $t^\dagger(\varphi_1 + \varphi_2) = t^\dagger(\varphi_1) + t^\dagger(\varphi_2)$. For every $g \in R^Y$ we have indeed:

$$t^\dagger(\varphi_1 + \varphi_2)(g) = (\varphi_1 + \varphi_2)(\lambda x.\, t(x)(g)) = \varphi_1(\lambda x.\, t(x)(g)) + \varphi_2(\lambda x.\, t(x)(g)) = t^\dagger(\varphi_1)(g) + t^\dagger(\varphi_2)(g) = (t^\dagger(\varphi_1) + t^\dagger(\varphi_2))(g). \qquad □$$

4 $R$-free algebras

We are interested in the monad that represents the free objects over a dcpo $X$ relative to our d-$\Omega$-algebra $R$ of observations, which we keep fixed throughout this section.

A subalgebra of a d-$\Omega$-algebra $A$ which is a sub-dcpo, too, is called a d-$\Omega$-subalgebra. The intersection of any family of d-$\Omega$-subalgebras is again a d-$\Omega$-subalgebra. Thus every subset of $A$ generates a d-$\Omega$-subalgebra, the intersection of all d-$\Omega$-subalgebras containing the subset.

Definition 4.1 The d-$\Omega$-subalgebra $F_R X$ of $[R^X \to R]$ generated by the projections $\delta_x$, $x \in X$, is called the free d-$\Omega$-algebra over $X$ with respect to $R$, or simply the $R$-free d-$\Omega$-algebra over $X$.

For a map $t\colon X \to F_R Y$, the Kleisli lifting $t^\dagger\colon [R^X \to R] \to [R^Y \to R]$ maps $F_R X$ into $F_R Y$, since $t^\dagger$ is an $\Omega$-homomorphism by Lemma 3.4. This shows:

Proposition 4.2 $(F_R, \delta, \dagger)$ is a monad over the category DCPO subordinate to the continuation monad in the sense made precise at the end of Section 2, the Kleisli lifting of a map $t\colon X \to F_R Y$ being the restriction and corestriction of the Kleisli lifting $t^\dagger$ for the continuation monad $R^{R^{(-)}}$.

Since we have a monad, the d-$\Omega$-algebras $F_R X$ are free for the class of its Eilenberg-Moore algebras. It is a challenge to determine these Eilenberg-Moore algebras concretely. A natural conjecture would be that $F_R X$ is free over $X$ for the class of d-$\Omega$-algebras determined by the (in)equational theory of the d-$\Omega$-algebra $R$. This conjecture is supported by a theorem due to G. Birkhoff (see [2]) which tells us that, in the category SET, $F_R X$ is free over the set $X$ in the class of all $\Omega$-algebras that satisfy the equational laws that hold in $R$. Such a strong statement will not hold in the dcpo setting, in general, although it holds in many examples.

The following proposition (that we state without proof) shows that $F_R X$ is free in the class of d-$\Omega$-algebras that are embeddable in some power of $R$. This class is sometimes called the quasi-variety generated by $R$. The algebras in this class satisfy not only all equational and inequational laws that hold in $R$, but also all implications between two such laws (Horn formulas) that hold in $R$.

Proposition 4.3 Let $u$ be a map from a dcpo $X$ to a d-$\Omega$-algebra $A$ that is embeddable in some $R^Y$ as a d-$\Omega$-subalgebra. Then there is a unique $\Omega$-homomorphism $\bar{u}\colon F_R X \to A$ extending $u$ along $\delta$.

5 Homomorphism monads

We continue with a fixed d-$\Omega$-algebra $R$ of d-signature $\Omega$. In order to find properties characterizing the predicate transformers $p\colon R^Y \to R^X$ that correspond to the state transformers $t\colon X \to F_R Y$, we need a second monad subordinate to the continuation monad.

For two d-$\Omega$-algebras $A$ and $B$, we denote by

$$[A \to_\Omega B]$$

the set of all $\Omega$-homomorphisms $u\colon A \to B$. The pointwise supremum of a directed family of $\Omega$-homomorphisms is again an $\Omega$-homomorphism. Thus, $[A \to_\Omega B]$ becomes a dcpo, a sub-dcpo of the dcpo $[A \to B]$ of all Scott-continuous maps from $A$ to $B$.

Proposition 5.1 For a d-$\Omega$-algebra $R$, the assignment

$$X \mapsto [R^X \to_\Omega R]$$

yields a monad subordinate to the continuation monad. The unit is (the corestriction of) $\delta$ and the Kleisli lifting of a map $t\colon X \to [R^Y \to_\Omega R]$ is (the restriction-corestriction of) $t^\dagger\colon [R^X \to_\Omega R] \to [R^Y \to_\Omega R]$.

Proof. We show that we are in a situation as described at the end of Section 2.

(a) Clearly, the projections $\delta_x\colon R^X \to R$ are $\Omega$-homomorphisms for every $x \in X$.

(b) For every state transformer $t\colon X \to [R^Y \to_\Omega R]$, the Kleisli lifting $t^\dagger$ maps $[R^X \to_\Omega R]$ to $[R^Y \to_\Omega R]$. Indeed, let $\varphi\colon R^X \to R$ be an $\Omega$-homomorphism. For a binary operation $+$ in $\Omega$ and $g_1, g_2 \in R^Y$, we have:

$$\begin{aligned}
t^\dagger(\varphi)(g_1 + g_2)
&= \varphi(\lambda x.\, t(x)(g_1 + g_2)) && \text{by the definition of } t^\dagger \\
&= \varphi(\lambda x.\, (t(x)(g_1) + t(x)(g_2))) && \text{since } t(x) \text{ is a homomorphism} \\
&= \varphi(\lambda x.\, t(x)(g_1) + \lambda x.\, t(x)(g_2)) && \text{since } + \text{ is defined pointwise} \\
&= \varphi(\lambda x.\, t(x)(g_1)) + \varphi(\lambda x.\, t(x)(g_2)) && \text{since } \varphi \text{ is a homomorphism} \\
&= t^\dagger(\varphi)(g_1) + t^\dagger(\varphi)(g_2) && \text{by the definition of } t^\dagger. \qquad □
\end{aligned}$$

The 'homomorphism monad' $([R^{(-)} \to_\Omega R], \delta, \dagger)$ exhibited in the previous proposition behaves well with respect to the one-to-one correspondence between state and predicate transformers:

Proposition 5.2 Let $R$ be a d-$\Omega$-algebra. Under the one-to-one correspondence between state transformers and predicate transformers in Lemma 2.2, the predicate transformers $p\colon R^Y \to R^X$ corresponding to the state transformers $t\colon X \to [R^Y \to_\Omega R]$ are characterized by the property of being $\Omega$-homomorphisms:

$$[R^Y \to_\Omega R]^X = [R^Y \to_\Omega R^X].$$

Proof. Let $t\colon X \to [R^Y \to R]$ be a state transformer and $p\colon R^Y \to R^X$ the corresponding predicate transformer according to Lemma 2.2. We show that, for a binary operation $+$ in $\Omega$, $t(x)$ is a $+$-homomorphism for every $x \in X$ if, and only if, $p$ is a $+$-homomorphism.

If $t(x)$ is a $+$-homomorphism for every $x \in X$ then, for all $g_1, g_2 \in R^Y$, $p(g_1 + g_2)(x) = t(x)(g_1 + g_2) = t(x)(g_1) + t(x)(g_2) = p(g_1)(x) + p(g_2)(x) = (p(g_1) + p(g_2))(x)$, whence $p(g_1 + g_2) = p(g_1) + p(g_2)$, that is, $p$ is a $+$-homomorphism. If conversely $p$ is a $+$-homomorphism, then $t(x)(g_1 + g_2) = p(g_1 + g_2)(x) = (p(g_1) + p(g_2))(x) = p(g_1)(x) + p(g_2)(x) = t(x)(g_1) + t(x)(g_2)$, which shows that $t(x)$ is a $+$-homomorphism for all $x \in X$. □

One may notice that the proof above is identical to the only proof that we gave in the Introduction for that special situation.
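As an added example that is not part of the paper, the correspondence of Lemma 2.2, the unit (1) and Kleisli lifting (2) of the continuation monad, Lemma 3.4, and the criterion of Proposition 5.2 are checked by brute force over a constructed finite instance: $R = \mathbb{Z}/4$ with addition as the only operation in $\Omega$ (under the discrete order, so that every map is Scott-continuous and only the algebra matters), $X$ with three states and $Y$ with two. Two constructed state transformers are compared, one whose values $t(x)$ are all $+$-homomorphisms and one where $t(2)$ is not; Proposition 5.2 predicts that exactly the first has a $+$-homomorphic predicate transformer. All names (plus, kleisli, P, T, t_hom, t_bad, ...) are assumptions of the example.

```python
from itertools import product

# Constructed data: R = Z/4 with addition as the single binary operation in Ω.
R = range(4)
X = (0, 1, 2)
Y = (0, 1)

def plus(a, b):
    return (a + b) % 4

def functions(dom, cod):
    """The function space cod^dom, each map stored as a tuple indexed by dom."""
    return [tuple(v) for v in product(cod, repeat=len(dom))]

RY = functions(Y, R)   # R^Y, the predicates on Y (16 maps)
RX = functions(X, R)   # R^X, the predicates on X (64 maps)

def add(f, g):
    """Equation (6): + extended pointwise to a function space."""
    return tuple(plus(a, b) for a, b in zip(f, g))

def delta(x):
    """Equation (1): the unit δ_x(f) = f(x) of the continuation monad."""
    return lambda f: f[x]

def kleisli(t, dom):
    """Equation (2): t†(φ)(g) = φ(λx. t(x)(g)) for t: dom -> [R^Y -> R]."""
    return lambda phi: (lambda g: phi(tuple(t(x)(g) for x in dom)))

def P(t):
    """Lemma 2.2: P(t) = λg.λx. t(x)(g), the predicate transformer of t."""
    return lambda g: tuple(t(x)(g) for x in X)

def T(p):
    """Lemma 2.2: T(p) = λx.λg. p(g)(x), the state transformer of p."""
    return lambda x: (lambda g: p(g)[x])

# Two constructed state transformers X -> [R^Y -> R].
def t_hom(x):
    # every t(x) is a +-homomorphism R^Y -> R
    return (lambda g: plus(g[0], g[1]),
            lambda g: g[1],
            lambda g: plus(g[0], g[0]))[x]

def t_bad(x):
    # t(2) multiplies two coordinates, which is not additive
    return (lambda g: plus(g[0], g[1]),
            lambda g: g[1],
            lambda g: (g[0] * g[1]) % 4)[x]

def same_state(t1, t2):
    return all(t1(x)(g) == t2(x)(g) for x in X for g in RY)

def same_pred(p1, p2):
    return all(p1(g) == p2(g) for g in RY)

def roundtrip_ok(t):
    """P and T are mutually inverse (the isomorphism (3)), tested pointwise."""
    p = P(t)
    return same_state(T(p), t) and same_pred(P(T(p)), p)

def state_is_hom(t):
    """Each t(x) is a +-homomorphism R^Y -> R."""
    return all(t(x)(add(g, h)) == plus(t(x)(g), t(x)(h))
               for x in X for g in RY for h in RY)

def pred_is_hom(p):
    """p: R^Y -> R^X is a +-homomorphism (the healthiness condition of Prop. 5.2)."""
    return all(p(add(g, h)) == add(p(g), p(h)) for g in RY for h in RY)

# A constructed sample of maps φ: R^X -> R (two homomorphisms, one not).
SAMPLE_PHI = [lambda f: f[0], lambda f: plus(f[1], f[2]), lambda f: (f[0] * f[2]) % 4]

def monad_laws_ok(t):
    """The two unit laws: t†(δ_x) = t(x), and δ†(φ) = φ on the sample of φ."""
    td = kleisli(t, X)
    left_unit = all(td(delta(x))(g) == t(x)(g) for x in X for g in RY)
    dd = kleisli(delta, X)       # δ: X -> [R^X -> R], lifted
    right_unit = all(dd(phi)(f) == phi(f) for phi in SAMPLE_PHI for f in RX)
    return left_unit and right_unit

def kleisli_is_hom(t):
    """Lemma 3.4: t†(φ1 + φ2) = t†(φ1) + t†(φ2), with + on [R^X -> R] pointwise."""
    td = kleisli(t, X)
    for p1 in SAMPLE_PHI:
        for p2 in SAMPLE_PHI:
            s = lambda f, p1=p1, p2=p2: plus(p1(f), p2(f))
            if any(td(s)(g) != plus(td(p1)(g), td(p2)(g)) for g in RY):
                return False
    return True
```

Lemma 3.4 holds for t_bad as well as for t_hom: the Kleisli lifting is an $\Omega$-homomorphism whatever $t$ is, whereas the healthiness condition of Proposition 5.2 separates the two transformers.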

6 Commuting operations

We come back to the monad $F_R$ of Section 4 for a given d-$\Omega$-algebra $R$. We want to consider state transformers $t\colon X \to F_R Y$ and the corresponding predicate transformers $p\colon R^Y \to R^X$ according to Lemma 2.2. In order to apply the results obtained in the previous section with the homomorphism monad we have to introduce a new framework.

Definition 6.1 Given two operations $\sigma$ of arity $m$ and $\omega$ of arity $n$ on a dcpo $A$, we say that $\sigma$ and $\omega$ commute if for all 'matrices' $(x_{ij})_{i=1,\dots,m;\ j=1,\dots,n}$ of elements in $A$ we have:

$$\omega(\sigma(x_{11}, \dots, x_{m1}),\ \dots,\ \sigma(x_{1n}, \dots, x_{mn})) = \sigma(\omega(x_{11}, \dots, x_{1n}),\ \dots,\ \omega(x_{m1}, \dots, x_{mn})).$$

This is equivalent to the statement that $\sigma\colon A^m \to A$ is an $\omega$-homomorphism, equivalently, that $\omega\colon A^n \to A$ is a $\sigma$-homomorphism.

Example 6.2 A constant $c$ commutes with an $n$-ary operation $\omega$ if and only if $\omega(c, \dots, c) = c$. Two commuting constants have to agree. Two unary operations $\rho$ and $\sigma$ commute if they commute as functions: $\rho \circ \sigma = \sigma \circ \rho$. A unary operation $\rho$ commutes with a binary operation $+$ if and only if

$$(7)\qquad \rho(x + y) = \rho(x) + \rho(y).$$

Two binary operations $+$ and $*$ commute if

$$(8)\qquad (x_1 * x_2) + (x_3 * x_4) = (x_1 + x_3) * (x_2 + x_4).$$

In particular, a binary operation $*$ commutes with itself if

$$(9)\qquad (x_1 * x_2) * (x_3 * x_4) = (x_1 * x_3) * (x_2 * x_4).$$

Thus, every commutative, associative binary operation commutes with itself.

Now let $\Omega$ be a d-signature and $R$ a d-$\Omega$-algebra. Let

$$\Sigma_n = [R^n \to_\Omega R]$$

be the dcpo of all $\Omega$-homomorphisms $\sigma\colon R^n \to R$, that is, $\Sigma_n$ consists of all operations of arity $n$ on $R$ that commute with all $\omega \in \Omega$. The $\Sigma_n$ form a second d-signature $\Sigma$ and $R$ is a d-$\Sigma$-algebra, too. The fact that, on $R$, the operations in $\Sigma$ commute with those in $\Omega$ is given by equational laws of the form in Definition 6.1. These equational laws are inherited by the exponentials $R^X$ and $R^{R^X}$ considered as d-$(\Omega \cup \Sigma)$-algebras (with pointwise defined operations), so that the operations $\omega \in \Omega$ commute with all the operations $\sigma \in \Sigma$ on all exponentials of $R$.

At this point it becomes clear why we wanted to choose signatures which are dcpos and not simply (unordered) sets; indeed, our signature $\Sigma$ is a dcpo in a natural way.

The homomorphisms between two $\Omega$-algebras do not form an $\Omega$-algebra, in general. The following observation was a surprise to me. But if you think about it, you might find that you have always known it:

Lemma 6.3 Suppose that $R$ is a d-$\Omega$-algebra and $\Sigma$ a d-signature of operations $\sigma$ on $R$ that commute with all $\omega \in \Omega$. Then the set $[R^X \to_\Sigma R]$ of all $\Sigma$-homomorphisms $\varphi\colon R^X \to R$ is a d-$\Omega$-subalgebra of $[R^X \to R]$ containing the $R$-free algebra $F_R X$.

Proof. If $\varphi_1, \dots, \varphi_n\colon R^X \to R$ are $\Sigma$-homomorphisms, then $\omega(\varphi_1, \dots, \varphi_n)$ is also a $\Sigma$-homomorphism for every $\omega \in \Omega_n$. Indeed, if $\omega$ is a binary operation $+$ then, for every binary operation $*$ in $\Sigma_2$, hence commuting with $+$, we have:

$$\begin{aligned}
(\varphi_1 + \varphi_2)(f_1 * f_2) &= \varphi_1(f_1 * f_2) + \varphi_2(f_1 * f_2) \\
&= (\varphi_1(f_1) * \varphi_1(f_2)) + (\varphi_2(f_1) * \varphi_2(f_2)) \\
&= (\varphi_1(f_1) + \varphi_2(f_1)) * (\varphi_1(f_2) + \varphi_2(f_2)) \\
&= (\varphi_1 + \varphi_2)(f_1) * (\varphi_1 + \varphi_2)(f_2).
\end{aligned}$$

Thus the $\Sigma$-homomorphisms $\varphi\colon R^X \to R$ form an $\Omega$-subalgebra $[R^X \to_\Sigma R]$. Clearly all the projections $\delta_x$ are $\Sigma$-homomorphisms. Hence, $[R^X \to_\Sigma R]$ contains $F_R X$, the d-$\Omega$-subalgebra of $[R^X \to R]$ generated by the projections. □

From the previous lemma and Proposition 5.2 we immediately deduce our main result on healthiness conditions:

Theorem 6.4 Suppose that $R$ is a d-$\Omega$-algebra and $\Sigma$ a d-signature of operations on $R$ that commute with all $\omega \in \Omega$. Then the predicate transformers $p\colon R^Y \to R^X$ corresponding to the state transformers $t\colon X \to F_R Y$ are necessarily $\Sigma$-homomorphisms. If $F_R Y = [R^Y \to_\Sigma R]$, then the $\Sigma$-homomorphisms $p\colon R^Y \to R^X$ are precisely the predicate transformers corresponding to state transformers $t\colon X \to F_R Y$:

$$(F_R Y)^X = [R^Y \to_\Sigma R^X].$$

For applying this theorem, the challenge is to find operations on $R$ that commute with those in $\Omega$. This then yields necessary healthiness conditions for the predicate transformers. It depends very much on the special situation whether these healthiness conditions are also sufficient: one has to show that the d-$\Omega$-algebra $[R^Y \to_\Sigma R]$ is indeed generated by the projections $\delta_y$, hence equal to the $R$-free d-$\Omega$-algebra $F_R Y$. The classical example of observable predicates can be treated in this way, and also the example of convex sets and effect modules as viewed by B. Jacobs [8]. In the first case the role of $R$ is taken by the two-element dcpo $2 = \{0 < 1\}$ without any algebraic structure, in the second case by the unit interval.

We now look at the special situation where the operations of the d-$\Omega$-algebra commute with one another (see also [23]):

Definition 6.5 A d-$\Omega$-algebra is called entropic if any two operations $\sigma, \omega \in \Omega$ commute.

We note that the entropic d-$\Omega$-algebras are the algebras of a commutative monad over the category DCPO in the sense of A. Kock [17].

As a particular case of Lemma 6.3 and Theorem 6.4 with $\Omega = \Sigma$ we have:

Corollary 6.6 If $R$ is an entropic d-$\Omega$-algebra, the $\Omega$-homomorphisms $\varphi\colon R^X \to R$ form a d-$\Omega$-algebra $[R^X \to_\Omega R]$ containing the $R$-free algebra $F_R X$ as a d-$\Omega$-subalgebra.

The predicate transformers $p\colon R^Y \to R^X$ corresponding to state transformers $t\colon X \to F_R Y$ are $\Omega$-homomorphisms. If $F_R Y = [R^Y \to_\Omega R]$, these predicate transformers are precisely the $\Omega$-homomorphisms.

Entropicity is quite a special property. Using Example 6.2 we obtain examples of entropic algebras: commutative semigroups, commutative monoids, commutative groups, modules over commutative rings, semimodules over commutative semirings, semilattices and unital semilattices.

Corollary 6.6 can be used for deriving the healthiness criteria for angelic nondeterminism in the Introduction (Section 1). The only specific property to be proved is that every unital semilattice homomorphism $p\colon 2^Y \to 2$ is the supremum of the projections $\delta_x$ with $\delta_x \leq p$, which is equivalent to the property that every nonempty Scott-closed subset of a dcpo is the union of the principal ideals $\downarrow x$, $x \in X$. In the same way this corollary can be used for deriving healthiness criteria for predicate transformers in the case of demonic and erratic (the combination of angelic and demonic) nondeterminism as well as for probabilistic nondeterminism as in [9,10,25].
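Whether $F_R Y$ equals the whole algebra $[R^Y \to_\Omega R]$ is the extra check that Theorem 6.4 and Corollary 6.6 leave to the individual situation. The following added example (not from the paper) carries it out for the angelic case on a constructed three-element dcpo $X$ with $a \leq b$ and $c$ incomparable, taking $R = 2$ with the unital semilattice structure $(\vee, 0)$. It enumerates the predicates $2^X$ (the upper sets of $X$), all unital $\vee$-homomorphisms $2^X \to 2$, and the subalgebra $F_R X$ generated by the projections $\delta_x$, and checks that the two coincide, that each homomorphism is the supremum of the projections below it, and that the homomorphisms correspond to the Scott-closed (here: down-closed) subsets of $X$ as described in the Introduction. Names such as PREDS, all_homs and generated_subalgebra are the example's own.

```python
from itertools import product

# Constructed finite dcpo X = {a, b, c} with a ≤ b and c incomparable to both.
# Observations R = 2 = {0 < 1} with the unital semilattice structure (∨, 0).
X = ("a", "b", "c")
ORDER = {("a", "a"), ("b", "b"), ("c", "c"), ("a", "b")}

def leq_pointwise(g, h):
    return all(u <= v for u, v in zip(g, h))

def predicates():
    """2^X: Scott-continuous maps X -> 2. On a finite poset these are exactly
    the monotone maps, i.e. the indicator functions of upper sets."""
    return [g for g in product((0, 1), repeat=len(X))
            if all(g[i] <= g[j] for i, x in enumerate(X)
                                for j, y in enumerate(X) if (x, y) in ORDER)]

PREDS = predicates()                       # the dcpo 2^X, ordered pointwise
IDX = {g: i for i, g in enumerate(PREDS)}  # position of a predicate in PREDS
ZERO_PRED = tuple(0 for _ in X)

# A map φ: 2^X -> 2 is stored as a tuple indexed like PREDS.
def join(p, q):
    """Pointwise ∨, on 2^X as well as on [2^X -> 2]; equation (6)."""
    return tuple(max(u, v) for u, v in zip(p, q))

def is_unital_join_hom(phi):
    """Scott-continuous (monotone, since finite) unital ∨-homomorphism 2^X -> 2."""
    monotone = all(phi[IDX[g]] <= phi[IDX[h]]
                   for g in PREDS for h in PREDS if leq_pointwise(g, h))
    unital = phi[IDX[ZERO_PRED]] == 0
    hom = all(phi[IDX[join(g, h)]] == max(phi[IDX[g]], phi[IDX[h]])
              for g in PREDS for h in PREDS)
    return monotone and unital and hom

def all_homs():
    """[2^X ->_Ω 2]: every unital ∨-homomorphism, found by brute force."""
    return {phi for phi in product((0, 1), repeat=len(PREDS)) if is_unital_join_hom(phi)}

def projection(x):
    """δ_x(g) = g(x), equation (1), as a tuple over PREDS."""
    i = X.index(x)
    return tuple(g[i] for g in PREDS)

def generated_subalgebra():
    """Definition 4.1: F_R X, the closure of the projections (and of the
    constant 0, the nullary operation of Ω) under pointwise ∨."""
    alg = {tuple(0 for _ in PREDS)} | {projection(x) for x in X}
    while True:
        new = {join(p, q) for p in alg for q in alg} - alg
        if not new:
            return alg
        alg |= new

def sup_of_projections_below(phi):
    """The criterion quoted above: φ = sup{δ_x | δ_x ≤ φ}."""
    s = tuple(0 for _ in PREDS)
    for x in X:
        if leq_pointwise(projection(x), phi):
            s = join(s, projection(x))
    return s

def closed_set_of(phi):
    """The Scott-closed set C = X \\ ⋃{U | φ(f_U) = 0} attached to φ in the Introduction."""
    union = set()
    for g in PREDS:
        if phi[IDX[g]] == 0:
            union |= {x for i, x in enumerate(X) if g[i] == 1}
    return frozenset(X) - frozenset(union)

def criterion_holds():
    """F_R X = [2^X ->_Ω 2], so Corollary 6.6 yields sufficiency on this X."""
    homs = all_homs()
    return homs == generated_subalgebra() and all(
        sup_of_projections_below(phi) == phi for phi in homs)
```

On this $X$ there are six upper sets, six unital $\vee$-homomorphisms, and six elements of $F_R X$; the constant $0$ homomorphism corresponds to the empty closed set, $\delta_a$ to $\{a\}$ and $\delta_b$ to $\{a, b\}$, so $\delta_a \leq \delta_b$ as maps on $2^X$ and $\delta_a \vee \delta_b = \delta_b$.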

But the known results for predicate transformers in the presence of both nondeterministic and probabilistic choice do not fit into the framework developed above. The reason is that, for example, on the nonnegative reals, the operation of addition and the semilattice operations max and min do not commute. We therefore propose a relaxed framework.

7 Relaxed morphisms and relaxed entropic algebras

We relax the previous framework by replacing equalities by inequalities (compare Definition 6.1):

Definition 7.1 Let $\omega$ be an operation of arity $n$ defined on dcpos $A$ and $B$. A map $h\colon A \to B$ is called an $\omega$-submorphism⁵ if

$$h(\omega(x_1, \dots, x_n)) \leq \omega(h(x_1), \dots, h(x_n)) \quad\text{for all } x_1, \dots, x_n \in A.$$

An $\omega$-supermorphism is defined in the same way, replacing the inequality $\leq$ by its opposite $\geq$.

For d-algebras of d-signature $\Omega$, we want to distinguish some operations $\omega \in \Omega$ for which we would like to consider relaxed morphisms. For this, we suppose that the d-signature $\Omega$ is the union of two d-sub-signatures $\Omega^-$ and $\Omega^+$ which need not be disjoint.

5 For the terminology we have been guided by a common terminology in analysis. A function on a vector space is subadditive if $h(x + y) \leq h(x) + h(y)$ and superadditive if the reverse inequality holds.

Definition 7.2 A map $h\colon A \to B$ between d-algebras of d-signature $\Omega = \Omega^- \cup \Omega^+$ is said to be a relaxed $\Omega$-morphism if $h$ is an $\omega$-submorphism for all $\omega \in \Omega^-$, but an $\omega$-supermorphism for $\omega \in \Omega^+$. (For $\omega$ in both $\Omega^-$ and $\Omega^+$, $h$ will be an $\omega$-homomorphism.)

The pointwise supremum of a directed family of relaxed $\Omega$-morphisms is again a relaxed $\Omega$-morphism. Thus the set $[A \to_{\Omega^\pm} B]$ of relaxed $\Omega$-morphisms from $A$ to $B$ is a sub-dcpo of the function space $[A \to B]$. As in Propositions 5.1 and 5.2 we have:

Proposition 7.3 Let $R$ be a d-$\Omega$-algebra of d-signature $\Omega = \Omega^- \cup \Omega^+$.

(a) For every state transformer $t\colon X \to [R^Y \to_{\Omega^\pm} R]$, the Kleisli lifting $t^\dagger\colon [R^X \to R] \to [R^Y \to R]$ maps relaxed $\Omega$-morphisms to relaxed $\Omega$-morphisms, so that our continuation monad $([R^{(-)} \to R], \delta, \dagger)$ restricts to a monad $([R^{(-)} \to_{\Omega^\pm} R], \delta, \dagger)$.

(b) Under the bijective correspondence of Lemma 2.2, the predicate transformers $p\colon R^Y \to R^X$ corresponding to state transformers $t\colon X \to [R^Y \to_{\Omega^\pm} R]$ are the relaxed $\Omega$-morphisms:

$$[R^Y \to_{\Omega^\pm} R]^X = [R^Y \to_{\Omega^\pm} R^X].$$

The proofs are the same as for the corresponding claims in 5.1 and 5.2. We just have to replace the equality sign by the appropriate inequality ($\leq$ in case $\omega \in \Omega^-$ and $\geq$ in case $\omega \in \Omega^+$) every time that we have used the homomorphism property there.

We now turn to the question under what circumstances the relaxed $\Omega$-morphisms form a subalgebra of $[R^X \to R]$.

Definition 7.4 We will say that an operation $\sigma$ of arity $m$ on a dcpo $R$ subcommutes with an operation $\omega$ of arity $n$ (equivalently, $\omega$ supercommutes with $\sigma$) if, for all $x_{ij} \in R$, $i = 1, \dots, m$, $j = 1, \dots, n$:

$$\sigma(\omega(x_{11}, \dots, x_{1n}),\ \dots,\ \omega(x_{m1}, \dots, x_{mn})) \leq \omega(\sigma(x_{11}, \dots, x_{m1}),\ \dots,\ \sigma(x_{1n}, \dots, x_{mn})).$$

This is equivalent to the statement that $\sigma\colon R^m \to R$ is an $\omega$-submorphism, and also equivalent to the statement that $\omega\colon R^n \to R$ is a $\sigma$-supermorphism. Whenever this inequational law holds in $R$, it also holds in $R^X$ and in $R^{R^X}$.

We now let $R$ be a d-$\Omega$-algebra. For every natural number $m$, we denote by $\Sigma^-_m$ and $\Sigma^+_m$ the dcpos of all operations $\sigma\colon R^m \to R$ that subcommute, resp. supercommute, with all $\omega \in \Omega$. These give rise to d-signatures $\Sigma^-$, $\Sigma^+$, and $\Sigma = \Sigma^- \cup \Sigma^+$. As in Lemma 6.3 we have:

Lemma 7.5 The relaxed $\Sigma$-morphisms $\varphi\colon R^X \to R$ form a d-$\Omega$-subalgebra $[R^X \to_{\Sigma^\pm} R]$ of $[R^X \to R]$.

We now are ready for our main theorem corresponding to Theorem 6.4:

Theorem 7.6 Consider a d-signature Q = Q- U Q- and a d-Q-algebra R. Let £ = £- U £- be a d-signature of operations that subcommute, resp. supercommute with all w G Q. Then the d-Q-algebra FrY generated by the projections is a d-Q-subalgebra of [RY —— R].

The predicate transformers p: RY — RX corresponding to state transformers t: X — FrY are relaxed £-morphisms. If FrY = [RY —— R], then these predicate transformers are precisely the relaxed £-morphisms.

We are mainly interested in the following situation where we can choose Q = £:

Definition 7.7 A d-Q-algebra R is said to be relaxed entropic, if every a G Q either subcommutes with every w G Q or supercommutes with every w G Q.

From the preceding Theorem we deduce:

Corollary 7.8 Let $R$ be a relaxed entropic d-$\Omega$-algebra. The set $[R^X \Rightarrow_\Omega R]$ of all relaxed $\Omega$-morphisms $p\colon R^X \to R$ is a d-$\Omega$-subalgebra of $[R^X \to R]$.

The d-$\Omega$-subalgebra $F_\Omega X$ of $[R^X \to R]$ generated by the projections $\delta_x$, $x \in X$, is a d-$\Omega$-subalgebra of $[R^X \Rightarrow_\Omega R]$.

The predicate transformers $p\colon R^Y \to R^X$ corresponding to state transformers $t\colon X \to F_\Omega Y$ are relaxed $\Omega$-morphisms. If $F_\Omega Y = [R^Y \Rightarrow_\Omega R]$, then these predicate transformers are precisely the relaxed $\Omega$-morphisms.

Whether we have equality $F_\Omega Y = [R^Y \Rightarrow_\Omega R]$ has to be decided separately in each special case.

On the nonnegative real line, in the sense of Definition 7.4, the semilattice operation $x \vee y = \max(x,y)$ subcommutes with addition and $x \wedge y = \min(x,y)$ supercommutes with it; equivalently, addition supercommutes with $\vee$ and subcommutes with $\wedge$. One has indeed, for arbitrary nonnegative real numbers:

$$(10)\qquad (x_1 + x_2) \vee (x_3 + x_4) \;\le\; (x_1 \vee x_3) + (x_2 \vee x_4)$$

$$(11)\qquad (x_1 + x_2) \wedge (x_3 + x_4) \;\ge\; (x_1 \wedge x_3) + (x_2 \wedge x_4)$$

These simple facts allow us to use our relaxed setting for deriving healthiness conditions for predicate transformers in the presence of mixed nondeterministic and probabilistic choice as in [4,5,13,14,15,16,21].
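The following script is an added illustration of Definition 7.4 and of the application just described; it is not code from the paper. It first checks sub- and supercommutation exhaustively on a small grid of nonnegative rationals, which recovers (10) and (11) and refutes the opposite inequalities (so the direction of each relaxed law is forced, not a matter of convention), and then builds a constructed demonic state transformer $t\colon X \to$ (finite sets of distributions on $Y$), computes the corresponding weakest pre-expectation transformer, and checks which relaxed $\Omega$-morphism laws it satisfies. The grid `GRID`, the state transformer `T` and the predicates `F`, `G` are all invented for the example.

```python
"""Sub/supercommutation in the sense of Definition 7.4, checked exhaustively on
a finite grid of nonnegative rationals, and the relaxed-morphism laws of the
weakest pre-expectation transformer of a demonic (min) state transformer that
mixes probabilistic and nondeterministic choice.  Added example, not code from
the paper: GRID, the state transformer T and the predicates F, G are
constructed here for illustration only."""
from fractions import Fraction
from itertools import product


def subcommutes(alpha, m, omega, n, values):
    """True iff, for every choice of x_ij in `values`,
        alpha(omega(x_11..x_1n), ..., omega(x_m1..x_mn))
          <= omega(alpha(x_11..x_m1), ..., alpha(x_1n..x_mn)).
    Exhaustive over the finite grid: a False is a genuine counterexample, a
    True is evidence on the sample, not a proof for all of R."""
    for flat in product(values, repeat=m * n):
        x = [flat[i * n:(i + 1) * n] for i in range(m)]          # x[i][j]
        lhs = alpha(*(omega(*x[i]) for i in range(m)))
        rhs = omega(*(alpha(*(x[i][j] for i in range(m))) for j in range(n)))
        if not lhs <= rhs:
            return False
    return True


def supercommutes(alpha, m, omega, n, values):
    """alpha supercommutes with omega iff omega subcommutes with alpha."""
    return subcommutes(omega, n, alpha, m, values)


def add(a, b):
    return a + b


vee, wedge = max, min                         # x v y = max, x ^ y = min
GRID = [Fraction(k, 2) for k in range(7)]     # constructed sample: 0, 1/2, ..., 3


def commutation_table():
    """For each ordered pair of +, v, ^: (subcommutes?, supercommutes?) on GRID.
    Both True means the pair commutes, the entropic case of Section 6."""
    ops = {'+': add, 'v': vee, '^': wedge}
    return {(a, w): (subcommutes(ops[a], 2, ops[w], 2, GRID),
                     supercommutes(ops[a], 2, ops[w], 2, GRID))
            for a in ops for w in ops}


# Demonic state transformer t: X -> finite sets of distributions on Y, with
# X = {'a', 'b'}, Y = {0, 1, 2}.  t('a') chooses between a fair coin on {0, 1}
# and the point mass at 2; t('b') is deterministic.  Constructed data.
T = {
    'a': [{0: Fraction(1, 2), 1: Fraction(1, 2)}, {2: Fraction(1)}],
    'b': [{1: Fraction(1)}],
}


def wp(t, f):
    """Weakest pre-expectation of f, as a map X -> R: the min over the
    nondeterministic alternatives of the expectation of f.  As an element of
    the free algebra over the projections this is 'scaled sums of
    projections, then ^'."""
    return {x: min(sum(mu[y] * f[y] for y in mu) for mu in mus)
            for x, mus in t.items()}


def pointwise(op, f, g):
    return {y: op(f[y], g[y]) for y in f}


F = {0: Fraction(4), 1: Fraction(0), 2: Fraction(1)}   # constructed predicates
G = {0: Fraction(0), 1: Fraction(4), 2: Fraction(3)}


def relaxed_morphism_report(t, f, g):
    """(11) gives wp(f + g) >= wp(f) + wp(g) (superadditivity); since min is
    below each of its arguments, wp(f ^ g) <= wp(f) ^ wp(g); scalar multiples
    are preserved exactly; plain additivity may fail.  Returns which of these
    hold at every x."""
    pf, pg = wp(t, f), wp(t, g)
    p_sum = wp(t, pointwise(add, f, g))
    p_meet = wp(t, pointwise(wedge, f, g))
    p_scaled = wp(t, {y: 3 * f[y] for y in f})
    return {
        'super_additive': all(p_sum[x] >= pf[x] + pg[x] for x in t),
        'sub_meet': all(p_meet[x] <= wedge(pf[x], pg[x]) for x in t),
        'additive': all(p_sum[x] == pf[x] + pg[x] for x in t),
        'homogeneous': all(p_scaled[x] == 3 * pf[x] for x in t),
    }


if __name__ == '__main__':
    for pair, res in sorted(commutation_table().items()):
        print(pair, res)
    print(relaxed_morphism_report(T, F, G))
```

On the constructed data `wp(F)` is $1$ at `'a'` while `wp(F + G)` is $4$ and `wp(G)` is $2$, so the transformer is strictly superadditive there: the predicate transformer of a demonic choice is a relaxed, not an exact, morphism for addition, exactly the phenomenon the relaxed setting is built to capture. Replacing `min` by `max` in `wp` turns the checks around, in line with (10).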

8 Concluding remarks

The framework for deriving healthiness conditions for predicate transformers developed in this paper looks quite narrow, although it applies to almost all situations known to the author. (An exception is [7], where one meets a quite different notion of predicate.) There is some evidence that it may not be possible to characterize predicate transformers in situations that do not fit under this framework.

Nevertheless, our methods allow quite some extensions. We have not carried them out in this paper in order to keep it at a technically simple level.

1. Firstly, we may allow infinite arities for signatures and consider operations $\omega\colon R^I \to R$ for infinite sets $I$. We may also allow arities to be dcpos; that is, a signature may contain operation symbols $\omega$ of arity $P$, where $P$ is a dcpo; then $\omega$ will be interpreted as a map $\omega\colon R^P \to R$. For example, we may choose $P$ to be the two-element dcpo $\mathbf{2} = \{0 < 1\}$; an operation $\omega\colon R^{\mathbf{2}} \to R$ of arity $\mathbf{2}$ is then defined only on pairs $(x, y)$ with $x \le y$, that is, on the graph of the order of $R$, and not on all of $R \times R$.

2. We have worked in the category DCPO of directed complete partially ordered sets and Scott-continuous functions. The results apply in particular to the subcategory SET of sets. One can use the same arguments in other Cartesian closed categories as, for example, the category of qcb-spaces (quotients of countably based topological spaces [1]) and the category POSET of partially ordered sets and order preserving functions. The relaxed setting will need poset enriched categories, of course.

3. I. Hasuo [5] deals with predicate transformers for monads enriched with order in a very general way. The results in his main examples on weakest precondition semantics for two player games [5, Sections 4 and 6] can be recovered by our methods if one transfers them to the category POSET which of course contains the category SET.

4. We can apply our methods also in situations where the ambient category is no longer Cartesian closed. Since we are working with exponentials of a fixed object $R$ and certain subobjects thereof, we have to ensure that these exponentials exist and yield a model of the simply typed $\lambda$-calculus. For this, an appropriate setting is provided by Hofmann and Streicher [6]. They call a category $\mathcal C$ a category with continuations if $\mathcal C$ has finite products and a subclass $T$ of objects with a distinguished object $R \in T$ of responses such that every $A \in T$ has an exponential $R^A \in T$, with the property that $R^A \times B \in T$ for any $B \in T$. A simple example of this situation is the category of continuous dcpos and Scott-continuous maps, provided that $R$ is a continuous lattice. Another example is the category of topological spaces and continuous maps: for $T$ one may take the class of exponentiable spaces and for $R$ a continuous lattice with the Scott topology.

5. For an equationally defined class of entropic algebras, the monad given by the free algebras is commutative in the sense of A. Kock [17]. Thus, there should be a category-theoretical extension of our results.

The referees would have liked to see a new striking example where our methods can be applied. But our Theorems 6.4 and 7.6 clearly indicate quite narrow limitations to the use of predicate transformer semantics. It is quite a rare phenomenon that operations commute or subcommute. One may not be able to go far beyond the known examples. And if the operations do not commute, one has to find a manageable collection of operations that commute with or subcommute with the given ones, a task that I have no idea how to attack except for some very simple cases.


References

[1] I. Battenfeld, M. Schröder and A. Simpson, A convenient category of domains. Electronic Notes in Theoretical Computer Science 172 (2007), pp. 69-99.

[2] G. Birkhoff, Lattice Theory. American Mathematical Society Colloquium Publications vol. XXV, 3rd edition, 1967.

[3] G. Gierz, K. H. Hofmann, K. Keimel, J. D. Lawson, M. Mislove and D. S. Scott, Continuous Lattices and Domains. Encyclopedia of Mathematics and its Applications, Vol. 93, Cambridge University Press, 2003.

[4] J. Goubault-Larrecq, Prevision domains and convex powercones. In: FoSSaCS'08, Lecture Notes in Computer Science 4962 (2008), pp. 318-333. Springer-Verlag.

[5] I. Hasuo, Generic weakest precondition semantics from monads enriched with order. Theoretical Computer Science (2015), in press. http://dx.doi.org/10.1016/j.tcs.2015.03.047

[6] M. Hofmann and Th. Streicher, Completeness of continuation models for λμ-calculus. Information and Computation 179 (2002), pp. 332-355.

[7] E. D'Hondt and P. Panangaden, Quantum weakest preconditions. Mathematical Structures in Computer Science 16(3) (2006), pp. 429-451.

[8] B. Jacobs, New directions in categorical logic, for classical, probabilistic and quantum logic. Logical Methods in Computer Science (to appear), arXiv:1205.3940v3 (2014).

[9] C. Jones, Probabilistic non-determinism. Ph.D. Thesis, University of Edinburgh, Report ECS-LFCS-90-105, 1990.

[10] C. Jones and G. D. Plotkin, A probabilistic powerdomain of evaluations. Proc. LICS '89, pp. 186-195, IEEE Press, 1989.

[11] K. Keimel, On the equivalence of state transformer semantics and predicate transformer semantics. Proceedings of the Workshop Informatics and Information Technologies in Education: Theory, Practice, Didactics, Novosibirsk, vol. 1 (2012), pp. 78-104. (See also arXiv:1410.7930.)

[12] K. Keimel and J. D. Lawson, Extending algebraic operations to D-completions. Theoretical Computer Science 430 (2012), pp. 73-87.

[13] K. Keimel and G. D. Plotkin, Predicate transformers for extended probability and non-determinism. Mathematical Structures in Computer Science 19 (2009), pp. 501-539.

[14] K. Keimel and G. D. Plotkin, Mixed powerdomains for probability and nondeterminism. Submitted.

[15] K. Keimel, A. Rosenbusch and Th. Streicher, A Minkowski type duality mediating between state and predicate transformer semantics for a probabilistic nondeterministic language. Annals of Pure and Applied Logic 159 (2009), pp. 307-317.

[16] K. Keimel, A. Rosenbusch and Th. Streicher, Relating direct and predicate transformer partial correctness semantics for an imperative probabilistic-nondeterministic language. Theoretical Computer Science 412 (2011), pp. 2701-2713.

[17] A. Kock, Commutative monads as a theory of distributions. Theory and Applications of Categories 26(4) (2012), pp. 97-131.

[18] D. Kozen, Semantics of probabilistic programs. Journal of Computer and System Sciences 22 (1981), pp. 328-350.

[19] J. Lambek and P. J. Scott, Introduction to Higher Order Categorical Logic. Cambridge Studies in Advanced Mathematics 7, Cambridge University Press, 1986.

[20] S. Mac Lane, Categories for the Working Mathematician. Graduate Texts in Mathematics, 2nd ed., Springer-Verlag, 1998.

[21] A. McIver and C. Morgan, Abstraction, Refinement and Proof for Probabilistic Systems. Springer-Verlag, 2005.

[22] E. Moggi, Notions of computation and monads. Information and Computation 93(1) (1991), pp. 55-92.

[23] A. B. Romanowska and J. D. H. Smith, Modes. World Scientific, 2002.

[24] M. Schröder and A. Simpson, Probabilistic observations and valuations (extended abstract). Electronic Notes in Theoretical Computer Science 155 (2006), pp. 605-615.

[25] M. B. Smyth, Power domains and predicate transformers: A topological point of view. In: Automata, Languages and Programming, Lecture Notes in Computer Science 154 (1983), pp. 662-675.

[26] R. Tix, K. Keimel and G. Plotkin, Semantic domains for combining probability and non-determinism. Electronic Notes in Theoretical Computer Science 222 (2009), pp. 1-99.